Hi Andre,
you can control this feature via:
[Expert@Gateway:0]# tecli advanced analyzer
Command: root->advanced->analyzer
Available options:
show - display analyzer attributes values
enable - enable or disable analyzer investigator
max_embedded_files_limit - Set maximum embedded files limit
max_embedded_links_limit - Set maximum embedded links limit
prohibited - prohibited objects menu
[Expert@Gateway:0]# tecli advanced analyzer show
File Analyzer: ON
Maximum embedded files limit: 10
Maximum embedded links limit: 20
Block encrypted documents: OFF
Block documents that contain sensitive links (links to local or network path): OFF
Block documents that contain macros and code: OFF
Block documents with embedded word file type: OFF
Block documents with embedded excel file type: OFF
Block documents with embedded power point file type: OFF
Block documents with embedded executable file type: OFF
Block documents with embedded zip file type: OFF
Block documents with embedded flash file type: OFF
Block documents with embedded pdf file type: OFF
Block documents with embedded js file type: OFF
Reporting possible FPs to Check Point is valuable because it also remediates possible future FPs.
In many cases we can change "Detection rules", which is not simple file hash whitelisting. In such cases multiple FPs will be gone in a single effort if the behavioral detection behind the FP is the same. Detection rules are updated automatically.
Always remember that when opening an FP case we will check if the file is really malicious. There were cases in the past that first looked like an FP but during the analysts' investigation were proven to be malicious.
Regards Thomas
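
As an added example (not part of the post above and not Check Point code): a small shell audit that parses the `show` output and lists which prohibited-object blocks are still OFF. It assumes the output format is exactly as shown in the post; the function names are hypothetical, and the sample is a constructed copy of that output.

```shell
#!/bin/sh
# Added example: audit the text printed by "tecli advanced analyzer show".
# Constructed sample, same format as the output shown in the post above.
sample_output() {
cat <<'EOF'
[Expert@Gateway:0]# tecli advanced analyzer show
File Analyzer: ON
Maximum embedded files limit: 10
Maximum embedded links limit: 20
Block encrypted documents: OFF
Block documents that contain sensitive links (links to local or network path): OFF
Block documents that contain macros and code: OFF
Block documents with embedded word file type: OFF
Block documents with embedded excel file type: OFF
Block documents with embedded power point file type: OFF
Block documents with embedded executable file type: OFF
Block documents with embedded zip file type: OFF
Block documents with embedded flash file type: OFF
Block documents with embedded pdf file type: OFF
Block documents with embedded js file type: OFF
EOF
}

# Emit "VALUE<TAB>NAME" for every setting, splitting at the last colon.
parse_settings() {
  awk '{
    sub(/[ \t\r]+$/, "")                 # drop trailing blanks and CR
    p = match($0, /:[ \t]*[^:]*$/)       # position of the last colon
    if (p == 0) next
    name = substr($0, 1, p - 1)
    value = substr($0, p + 1)
    sub(/^[ \t]+/, "", value)
    # Keep only real settings; this also skips the shell prompt line.
    if (value ~ /^(ON|OFF|[0-9]+)$/) print value "\t" name
  }'
}

# Names of "Block ..." options that are currently OFF.
disabled_blocks() {
  parse_settings | awk -F '\t' '$1 == "OFF" && $2 ~ /^Block / { print $2 }'
}
count_disabled_blocks() { disabled_blocks | awk 'END { print NR }'; }

# Value of one named setting, e.g. setting_value "File Analyzer".
setting_value() { parse_settings | awk -F '\t' -v n="$1" '$2 == n { print $1 }'; }

# Report on the sample; on a gateway, pipe the real show output in instead.
echo "File Analyzer: $(sample_output | setting_value 'File Analyzer')"
echo "Block options still OFF: $(sample_output | count_disabled_blocks)"
sample_output | disabled_blocks | sed 's/^/  - /'
```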