This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PhoneBoy
Admin
Admin
‎2019-03-21 08:06 PM

How do I verify Threat Emulation is working?

We offer a test you can access from behind your Security Gateway where Threat Emulation is enabled to ensure it is working:

  • Threat Emulation Test -- A link to a DOC with an exploit that will not harm your computer. Will show as Exploited Document in logs.

Related:

  • Anti-Virus Test -- Downloads the standard EICAR AV test file
  • Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs.
14 Replies
KennyManrique
Advisor
‎2019-03-22 06:06 AM

Thanks for the test tip, Dameon!

Also CP's CheckMe is a good option for this http://www.cpcheckme.com/checkme/

Regards,

PhoneBoy
Admin
Admin
‎2019-03-22 06:19 AM
In response to KennyManrique

Also a good test.
chico
Contributor
‎2019-09-27 02:33 AM

Hello,

I' m checking the checkpoint ICAP server on my lab and if I upload a eicar document, the checkpoint accept the eicar file.

I configured a ICAP profil ont the threat prevention layer with this options.

- If the threat emulation is activate ont the ICAP profil, the eicar test file is accept by checkpoint

-If I the threat emulation is not activate on the ICAP profil the eicar test document is prevent by the anti-virus blade  as shown as the attached picture.

I don't underand how it's works..

If someone can explain me the difference ?

 

Regards,

 

Miguel

Preview file
14 KB
0 Kudos
FedericoMeiners
Advisor
‎2019-09-27 05:22 AM
In response to chico

@miguel 

I think that the explanation is on the behavior analytic engine of Sandblast, same happens with antivirus such as Cylance: EICAR is not being detected because it actually does nothing on your system. In other words it doesn't trigger any indicator of compromise.

I would recommend you try these solutins with real malware from The Zoo Project (https://github.com/ytisf/theZoo) if you want to go beyond you can even modify the binaries so the hash is new.

Handle with care since it's real malwre 🙂

Hope it helps 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
chico
Contributor
‎2019-09-27 06:34 AM
In response to FedericoMeiners

Hi,

Thanks you for reply,

 

Ha yes I understood, in the threat emulation, the document is emulated in various OS systems to check if there are abnormal behaviors. Effectively ICAR doesn't do anything it's a simply signature...so it's detected by the anti-virus signature.

 

Thank you for the link.

0 Kudos
Herold
Contributor
‎2020-02-20 08:35 AM

Hi,
The link to the Threat Emulation test file is now working. Was the path changed?
http://poc-files.threat-cloud.com/demo/demo.doc
0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-20 12:32 PM
In response to Herold

Looks like the same path I provided above?
0 Kudos
Herold
Contributor
‎2020-02-20 03:14 PM
In response to PhoneBoy

Yes, it's exactly the one you provided. But it seems it doesn't work as i'm getting an "internal server error" when i click on it. Is there another link?
0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-20 05:47 PM
In response to Herold

Not as far as I know.
I checked the link and it appears to be working for me.
0 Kudos
Herold
Contributor
‎2020-02-21 09:06 AM
In response to PhoneBoy

When I tried, i get the following message: "Sorry, the page you are looking for is currently unavailable.
Please try again later.
If you are the system administrator of this resource then you should check the error log for
details.
Faithfully yours, nginx."
0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-21 10:53 AM
In response to Herold

Hm... you're right.
I see that when I try from a system that isn't connected to our VPN that it fails.
I've reported it internally...should get fixed soon.
Gaurav_Pandya
MVP
MVP
‎2020-02-28 03:50 AM
In response to PhoneBoy

Is it compulsory to enable https inspection and MTA for Threat emulation blade? If I enable threat emulation like inline mode than does it scan files downloaded from websites?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-28 10:48 AM
In response to Gaurav_Pandya

It's not necessarily compulsory, but it's highly recommended.
With the majority of traffic being HTTPS and the browser manufacturers continuing to force the issue, without it, you'll be blind to more and more threats.
Threat Emulation can work inline--Threat Extraction can as well from R80.30.
For email, TLS is becoming more prevalent and the only way to scan email for threats is to run in MTA mode.
0 Kudos
Gaurav_Pandya
MVP
MVP
‎2020-03-02 06:31 AM
In response to PhoneBoy

Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events