Event handling on ThreatEmulation detecting malicious files?

How does Check Point notify me if I download an executable that is subsequently detected as malicious by ThreatEmulation?


Check Point ThreatPrevention uses the Optimized profile "by default, because it gives excellent security with good gateway performance."
The default handling mode of this profile is Rapid Delivery (formerly known as Background Mode).


This means the connection is allowed and the file goes to the destination even if the emulation is not finished, i.e. the gateway sends the original file to the user (even if it turns out eventually that the file is malicious).

When using Threat Extraction together with Threat Emulation it's best practice to switch to Maximum Protection (formerly known as Hold Mode). However, the Optimized profile does not automatically check and adjust accordingly.

So when Check Point has delivered a file to the end user and later detects that the file was malicious, what happens?

  • Will I receive an immediate notification about this? This is critical as a malicious file was successfully downloaded.
  • Is an event being generated? How do I know about this?
  • Which SmartEvent view would allow me to check how many times such situations occurred within the last 30 days?

Thanks for replying!
