Too few file types are inspected by default by SandBlast

While configuring various settings in my locally-managed 1430 appliance (Firmware R77.20.60), I was surprised to find the following Threat Prevention Engine default Settings:

Anti-Virus Blade scans HTTP, FTP, Mail (SMTP and POP3 but not IMAP).
 File types policy: Process file types known to contain malware.

Threat Emulation Blade (SandBlast) - does not scan FTP. Scans HTTP and Mail SMTP only.
 File types default policy:

Inspect .doc, .docx, .pdf, .ppt, .pptx, .xls, .xlsx, only.
Bypass all other file extensions/types, including .exe, .rar, .zip, etc.

So it seems Check Point experts consider Threat Emulation (SandBlast) as redundant, and rely more strongly on Anti-Virus scanning most file types capable of containing malware.

Please recommend whether I should add several file extensions/types to the very limited group that are scanned by default by the Threat Emulation Blade.

2 Replies
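As an added example (not Check Point code and not the appliance's actual policy engine), a small Python audit of the defaults quoted in the post: it reports which blade would see each constructed transfer under the stated protocol and file-type lists, flags content that does not match its extension, and shows what changes when types are added to the Threat Emulation list. The blade model, the signature table and the sample transfers are assumptions built from the post.

```python
# Added example, not Check Point code; the blade/protocol/type model is
# taken from the post's description of the defaults, not from the appliance.
AV_PROTOCOLS = {"http", "ftp", "smtp", "pop3"}        # Anti-Virus: no IMAP
TE_PROTOCOLS = {"http", "smtp"}                        # Threat Emulation
TE_DEFAULT_TYPES = frozenset({"doc", "docx", "pdf", "ppt", "pptx", "xls", "xlsx"})
# Leading-byte signatures, so the report reflects content, not just the name.
MAGIC = [
    (b"MZ", "exe"),
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy doc/xls/ppt
    (b"PK\x03\x04", "zip"),                        # zip, also docx/xlsx/pptx
]
EXPECTED = {"doc": "ole", "xls": "ole", "ppt": "ole", "docx": "zip",  # content
            "xlsx": "zip", "pptx": "zip", "pdf": "pdf", "exe": "exe",  # each ext
            "zip": "zip", "rar": "rar"}                                # should carry

def sniff(head: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' if no signature matches."""
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "unknown"

def audit(protocol: str, filename: str, head: bytes,
          te_types: frozenset = TE_DEFAULT_TYPES) -> dict:
    """Which blades see this transfer under the given TE file-type list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(head)
    return {
        "ext": ext, "content": kind,
        "av": protocol in AV_PROTOCOLS,
        "te": protocol in TE_PROTOCOLS and ext in te_types,
        # analyst flag: content is recognised but is not what the extension claims
        "mismatch": kind != "unknown" and EXPECTED.get(ext, kind) != kind,
    }

def not_emulated(transfers, te_types: frozenset = TE_DEFAULT_TYPES) -> list:
    """Filenames that Threat Emulation never sees (Anti-Virus at most)."""
    return [name for proto, name, head in transfers
            if not audit(proto, name, head, te_types)["te"]]

# Constructed sample transfers (protocol, filename, first bytes), not real traffic.
SAMPLE = [
    ("http", "quarterly.docx", b"PK\x03\x04\x14\x00"),
    ("ftp", "quarterly.pdf", b"%PDF-1.7\n"),          # FTP: AV only
    ("smtp", "setup.exe", b"MZ\x90\x00"),             # .exe: not in TE defaults
    ("http", "archive.zip", b"PK\x03\x04\x14\x00"),   # .zip: not in TE defaults
    ("smtp", "invoice.pdf", b"MZ\x90\x00"),           # PE bytes under a .pdf name
]
```

`not_emulated(SAMPLE)` lists the FTP transfer and both non-Office files; passing `TE_DEFAULT_TYPES | {"exe", "zip"}` as `te_types` leaves only the FTP transfer, since the protocol list, not the type list, excludes it.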

This is more of an question.

My guess is the defaults chosen for the 1400 Series appliances are related to the limited resources available on these appliances.

The more file types you choose to scan, the more connections that will potentially need to be held while files are emulated.


The SMB appliance uses the same defaults as in the R80.10 SmartConsole. You can easily add additional file types.

Which additional file types do you want to see by default?

In R77.20.70 you can configure SSL inspection and have all Threat Prevention blades, including Threat Emulation, work over the HTTPS protocol.

In the upcoming releases, POP3 and more email protocols will be supported.