Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

sandblast emulation optimzation

Hi,

Is there a way to optimize Sandblast emulation for a single file when not in queue on a remote appliance? Like only emulate files once even if its not in queue or run both emulations paralell.

Right now we have a Checkpoint GW and TE appliance. Without queue it takes around 2.5 minutes to get a file (500Kb docx, with macro), which causes the server to timeout. Around 30 seconds to get to the appliance, then 60 seconds for first emulation than 60 seconds for second emulation. 

 

Ive checked through the sandblast SKs first i can no longer find any info on how many times TE emulates files, not even in the atrg. I could have sworn I've seen it before where it says it emulates it once together with others than it emulates it again in its own VM and then it emulates it again if its found malicious on the second emulation. right now i cant find that info at all.

 

So is there something that can minimize emulations or some other advanced attributes that can speed up the emulations?

 

Regards

 

0 Kudos
4 Replies

You may need to define some Threat Emulation exceptions to reduce the emulation load or configure it to drop certain files without emulating them at all, see sk123140: How to configure Threat Emulation blade to block files according to file types

Also see this section from my book concerning this:

 

Spoiler

While emulation of suspect executables can potentially be performed somewhere other than the Check Point ThreatCloud, it can cause highly variable emulation performance to occur without careful tuning. If you choose to perform emulation locally, there are some limitations to be aware of:

1. By default if the CPU cores allocated for emulation are more than 90% busy, no more emulation VMs will start until the CPU load drops below that value, thus potentially causing a large backlog of emulation requests.
2. Do NOT check the “Disable static analysis” checkbox shown on the following page’s screenshot. Doing so will cause every single file encountered to be sent for emulation (even if it has been emulated previously), and should only be enabled in a lab environment or under the guidance of Check Point TAC.
3. By default the emulation VM processes may not consume more than 70% of the system’s RAM. If there is not enough RAM available, startup of new emulation sessions will be delayed. A runaway memory leak in an unrelated process on the emulation system can potentially delay or bring emulation to a complete halt.

The Check Point ThreatCloud is most commonly employed for emulation services; dedicated Threat Emulation appliances are also available for purchase from Check Point.

emu.jpg
Figure 9-21: Threat Emulation Handling Mode


Emulating files can cause a long delay that will be noticeable for users. The default value for “Emulation Connection Handling Mode” shown above is typically Background which is appropriate for most environments, especially when combined with the use of the Threat Extraction feature to quickly deliver a sanitized copy of the documents to end users while file emulation is still processing.

 

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted

Hi Timothy,

Thank you for your answer but we want to speed up the time it takes for a single file that uses emulation. And we really want to do emulation on the files in holding mode and not background.

When checking the logs it seems it waits for the first traditional emulation to finish before it starts the second HPS emulation. Is this because the single VM takes up more CPU/RAM which makes it so it can't run a total of 2 VMS, or is this by design that it waits? 

Is it possible to do these emulations parallel so both HPS and traditional emulation at the same time in 2 different VMS started up? this would cut this down to 1,5 min. 

 

We are not so concerned with the time it takes during load or queue we want to lower the minimum time it can take to emulate but even with zero load on the firewall it takes 2,5 min which seem to high, preferably we would want it to take about 1-1,5 minute for a file with zero load. 

According the post "HPS emulation" the emulation mode "balanced" will only emulate files once during load. Can this be done even with zero load? This would also cut down the time to 1,5 min.

 

 

0 Kudos
Highlighted
Admin
Admin

Have you enabled Aggressive Mode by chance? This is done via the CLI on the TE appliance.

 tecli advanced attributes set emulation_mode <legacy|experimental|aggressive|balanced> = sets the Emulation Mode

0 Kudos
Highlighted

Hi,

 

Emulation mode is balanced. If I understand correctly aggresive will emulate files twice with no load and twice during queue while balanced will emulate twice during no load and once during queue.

I did see some files now that seem to run simultaneuously the HPS emulation and the regular emulation when looking at tecli show emu emu, i have not checked this in ted debug logs however. If i can learn if its designed to wait for the first emulation before running HPS emulation by design or if there was some issue causing them to not run simulataneuously i can investigate it accordingly.

Can the HPS emulation and traditional emulation run parallel on the same file in "normal" balanced mode?

 

0 Kudos