Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Admin
Admin

How do I verify Threat Emulation is working?

We offer a test you can access from behind your Security Gateway where Threat Emulation is enabled to ensure it is working:

  • Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs.

Related:

  • Anti-Virus Test -- Downloads the standard EICAR AV test file
  • Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.
14 Replies

Thanks for the test tip, Dameon!

Also CP's CheckMe is a good option for this http://www.cpcheckme.com/checkme/

Regards,

Admin
Admin

Also a good test.
Contributor

Hello,

I' m checking the checkpoint ICAP server on my lab and if I upload a eicar document, the checkpoint accept the eicar file.

I configured a ICAP profil ont the threat prevention layer with this options.

- If the threat emulation is activate ont the ICAP profil, the eicar test file is accept by checkpoint

-If I the threat emulation is not activate on the ICAP profil the eicar test document is prevent by the anti-virus blade  as shown as the attached picture.

I don't underand how it's works..

If someone can explain me the difference ?

 

Regards,

 

Miguel

0 Kudos
Reply

@miguel 

I think that the explanation is on the behavior analytic engine of Sandblast, same happens with antivirus such as Cylance: EICAR is not being detected because it actually does nothing on your system. In other words it doesn't trigger any indicator of compromise.

I would recommend you try these solutins with real malware from The Zoo Project (https://github.com/ytisf/theZoo) if you want to go beyond you can even modify the binaries so the hash is new.

Handle with care since it's real malwre 🙂

Hope it helps 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Reply
Contributor

Hi,

Thanks you for reply,

 

Ha yes I understood, in the threat emulation, the document is emulated in various OS systems to check if there are abnormal behaviors. Effectively ICAR doesn't do anything it's a simply signature...so it's detected by the anti-virus signature.

 

Thank you for the link.

0 Kudos
Reply
Contributor

Hi,
The link to the Threat Emulation test file is now working. Was the path changed?
http://poc-files.threat-cloud.com/demo/demo.doc
0 Kudos
Reply
Admin
Admin

Looks like the same path I provided above?
0 Kudos
Reply
Contributor

Yes, it's exactly the one you provided. But it seems it doesn't work as i'm getting an "internal server error" when i click on it. Is there another link?
0 Kudos
Reply
Admin
Admin

Not as far as I know.
I checked the link and it appears to be working for me.
0 Kudos
Reply
Contributor

When I tried, i get the following message: "Sorry, the page you are looking for is currently unavailable.
Please try again later.
If you are the system administrator of this resource then you should check the error log for
details.
Faithfully yours, nginx."
0 Kudos
Reply
Admin
Admin

Hm... you're right.
I see that when I try from a system that isn't connected to our VPN that it fails.
I've reported it internally...should get fixed soon.

Is it compulsory to enable https inspection and MTA for Threat emulation blade? If I enable threat emulation like inline mode than does it scan files downloaded from websites?

0 Kudos
Reply
Admin
Admin

It's not necessarily compulsory, but it's highly recommended.
With the majority of traffic being HTTPS and the browser manufacturers continuing to force the issue, without it, you'll be blind to more and more threats.
Threat Emulation can work inline--Threat Extraction can as well from R80.30.
For email, TLS is becoming more prevalent and the only way to scan email for threats is to run in MTA mode.
0 Kudos
Reply

Thanks.

0 Kudos
Reply