How do I verify Threat Emulation is working?

PhoneBoy · ‎2019-03-21

We offer a test you can access from behind your Security Gateway where Threat Emulation is enabled to ensure it is working:

Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs.

Anti-Virus Test -- Downloads the standard EICAR AV test file
Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.

KennyManrique · ‎2019-03-22

Thanks for the test tip, Dameon!

Also CP's CheckMe is a good option for this http://www.cpcheckme.com/checkme/

Regards,

PhoneBoy · ‎2019-03-22

Also a good test.

chico · ‎2019-09-27

Hello,

I' m checking the checkpoint ICAP server on my lab and if I upload a eicar document, the checkpoint accept the eicar file.

I configured a ICAP profil ont the threat prevention layer with this options.

- If the threat emulation is activate ont the ICAP profil, the eicar test file is accept by checkpoint

-If I the threat emulation is not activate on the ICAP profil the eicar test document is prevent by the anti-virus blade as shown as the attached picture.

I don't underand how it's works..

If someone can explain me the difference ?

Regards,

Miguel

FedericoMeiners · ‎2019-09-27

@miguel

I think that the explanation is on the behavior analytic engine of Sandblast, same happens with antivirus such as Cylance: EICAR is not being detected because it actually does nothing on your system. In other words it doesn't trigger any indicator of compromise.

I would recommend you try these solutins with real malware from The Zoo Project (https://github.com/ytisf/theZoo) if you want to go beyond you can even modify the binaries so the hash is new.

Handle with care since it's real malwre 🙂

Hope it helps

____________
https://www.linkedin.com/in/federicomeiners/

chico · ‎2019-09-27

Hi,

Thanks you for reply,

Ha yes I understood, in the threat emulation, the document is emulated in various OS systems to check if there are abnormal behaviors. Effectively ICAR doesn't do anything it's a simply signature...so it's detected by the anti-virus signature.

Thank you for the link.

Herold · ‎2020-02-20

Hi,
The link to the Threat Emulation test file is now working. Was the path changed?
http://poc-files.threat-cloud.com/demo/demo.doc

PhoneBoy · ‎2020-02-20

Looks like the same path I provided above?

Herold · ‎2020-02-20

Yes, it's exactly the one you provided. But it seems it doesn't work as i'm getting an "internal server error" when i click on it. Is there another link?

PhoneBoy · ‎2020-02-20

Not as far as I know.
I checked the link and it appears to be working for me.

Herold · ‎2020-02-21

When I tried, i get the following message: "Sorry, the page you are looking for is currently unavailable.
Please try again later.
If you are the system administrator of this resource then you should check the error log for
details.
Faithfully yours, nginx."

PhoneBoy · ‎2020-02-21

Hm... you're right.
I see that when I try from a system that isn't connected to our VPN that it fails.
I've reported it internally...should get fixed soon.

Gaurav_Pandya · ‎2020-02-28

Is it compulsory to enable https inspection and MTA for Threat emulation blade? If I enable threat emulation like inline mode than does it scan files downloaded from websites?

PhoneBoy · ‎2020-02-28

It's not necessarily compulsory, but it's highly recommended.
With the majority of traffic being HTTPS and the browser manufacturers continuing to force the issue, without it, you'll be blind to more and more threats.
Threat Emulation can work inline--Threat Extraction can as well from R80.30.
For email, TLS is becoming more prevalent and the only way to scan email for threats is to run in MTA mode.

Gaurav_Pandya · ‎2020-03-02

Thanks.