This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
18568
Collaborator
‎2018-11-29 10:03 AM
Jump to solution

HPS Emulation

When a file is sent for remote emulation to our Sandblast Appliance (100X), one file is emulated twice on the same Platform, but one of the VM with the status description "HPS emulation must be exclusive".

For example below the same file on same platform Win7, Office 2013, Adobe 11:

The only mention of HPS I can find in all documentation is the following command:

tecli advanced attributes set enable_hps_retry <1|0> = enables (1) or disables (0) HPS retry

Could you please clarify what HPS is?

On a TE100X we can run only 4 VMs, we chose 3 platforms thinking it should be able to run at least all VMs for one file at a time but it is not the case with 2 VMs per platform so the emulation of one file takes quite longer.

1 Solution

Accepted Solutions
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-12-05 01:28 AM
In response to Norbert_Bohusch
Jump to solution

HPS refers to "Hyperwise" which was the company name that invented CPUL and which Check Point bought years ago.

So these are the CPU Level emulation instances and yes they count against the maximum number of VMs you can run on an appliance. 

So in case you run a PDF this will be emulated on a traditional VM´s image (e.g. Win7) and the CPUL VM image.

CPUL emulation is always done "exclusively" which means it cannot leverage the multiple file emulation in one VM run which we can do on traditional emulations.

In case a SandBlast appliance is experiencing an emulation queue another feature kicks in which is called "Emulation Mode". It can be set via tecli:

[Expert@R8020SA:0]# tecli adv attr set emulation_mode
Command: root->advanced->attributes->set->emulation_mode
error: command missing the value ("legacy", "experimental", "aggressive", "balanced" or "balancedallsupported")

Default is Balanced which means in case of emulation queue that documents will only be run in CPUL instance and other files only on traditiional instance. "Aggressive" would mean more load by using the default behavior of emulating all files in both instances (remember CPUL is currently only supported for documents; we are working on EXE support).

You could also switch of CPUL emulations completely by:

[Expert@R8020SA:0]# tecli adv attr set enable_cpu_level_detection
Command: root->advanced->attributes->set->enable_cpu_level_detection
error: command missing the enable / disable value (1 / 0)

Regards Thomas

View solution in original post

6 Replies
18568
Collaborator
‎2018-12-04 05:26 AM
Jump to solution

Nobody knows? 

Dameon Welch-Abernathy‌ or Valeri Loukine would you maybe know about this or know the right person to answer?

Thanks

0 Kudos
_Val_
Admin
Admin
‎2018-12-04 05:53 AM
In response to 18568
Jump to solution

We have asked R&D to answer, please stand by

0 Kudos
18568
Collaborator
‎2018-12-04 06:00 AM
In response to _Val_
Jump to solution

Thanks!

0 Kudos
_Val_
Admin
Admin
‎2018-12-04 06:20 AM
In response to 18568
Jump to solution

No problem. As far as I understand, HPS is one of the in-depth emulation methods, and it requires exclusive access to CPUs and cannot be performed in parallel with other tasks. Hence that simulation is pending competition of other tasks, as far as I understand.

I still hope R&D can contribute more. 🙂 

Norbert_Bohusch
Advisor
‎2018-12-04 10:55 AM
Jump to solution

If I remember correctly this are the CPU-level VMs. Thomas Werner should be able to confirm.

0 Kudos
Thomas_Werner
Employee Alumnus
Employee Alumnus
‎2018-12-05 01:28 AM
In response to Norbert_Bohusch
Jump to solution

HPS refers to "Hyperwise" which was the company name that invented CPUL and which Check Point bought years ago.

So these are the CPU Level emulation instances and yes they count against the maximum number of VMs you can run on an appliance. 

So in case you run a PDF this will be emulated on a traditional VM´s image (e.g. Win7) and the CPUL VM image.

CPUL emulation is always done "exclusively" which means it cannot leverage the multiple file emulation in one VM run which we can do on traditional emulations.

In case a SandBlast appliance is experiencing an emulation queue another feature kicks in which is called "Emulation Mode". It can be set via tecli:

[Expert@R8020SA:0]# tecli adv attr set emulation_mode
Command: root->advanced->attributes->set->emulation_mode
error: command missing the value ("legacy", "experimental", "aggressive", "balanced" or "balancedallsupported")

Default is Balanced which means in case of emulation queue that documents will only be run in CPUL instance and other files only on traditiional instance. "Aggressive" would mean more load by using the default behavior of emulating all files in both instances (remember CPUL is currently only supported for documents; we are working on EXE support).

You could also switch of CPUL emulations completely by:

[Expert@R8020SA:0]# tecli adv attr set enable_cpu_level_detection
Command: root->advanced->attributes->set->enable_cpu_level_detection
error: command missing the enable / disable value (1 / 0)

Regards Thomas

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top