SANDBLAST NETWORK LAB

R80.10 Training
(revised: September 14, 2018)

©2017 Check Point Software Technologies Ltd. 1


New threat variants are released daily. Your organization needs a layer of protection that will eliminate the vulnerability gap that exists between when an infection occurs and the time a new detection signature becomes available.

Hackers constantly modify their strategies and techniques to evade detection and reach corporate resources. Check Point SandBlast Zero-Day Protection, with evasion-resistant malware detection, provides comprehensive protection from even the most dangerous attacks while ensuring quick delivery of safe content to your users.

Lab Network Diagram

External Network (192.168.103.x), gateway IP 192.168.103.1:
• Kali (Pen Test Tool, VMware: suspend): IP 192.168.103.100, user root / Cpwins1!, default gateway 192.168.103.254

Internal Network (192.168.101.x):
• Win-Victim (Internal Client): IP 192.168.101.100, user jroberts / Cpwins1!, default gateway 192.168.101.254, DNS 192.168.102.2 and 8.8.8.8
• Endpoint Management (EndpointServer): IP 192.168.101.165, user admin / Cpwins1!, default gateway 192.168.101.254, DNS 192.168.102.2 and 8.8.8.8

DMZ Network (192.168.102.x):
• Ubuntu Web Server: IP 192.168.102.5, user admin / Cpwins1!, default gateway 192.168.102.254, DNS 127.0.1.1
• Win-DC (Active Directory): IP 192.168.102.2, user Administrator / Cpwins1!, domain LAB.TEST, default gateway 192.168.102.254

Management & Gateway R80 (VMware: suspend):
• Eth0 192.168.101.254 (Internal Network), Eth1 192.168.102.254 (DMZ Network), Eth2 192.168.103.254 (External Network)
• user admin / Cpwins1!, GUI admin / Cpwins1!, default gateway 192.168.103.2, DNS 8.8.8.8

Other DNS servers shown on the diagram: 192.168.103.2, 8.8.8.8
SandBlast Threat Prevention Lab
Enable SandBlast
• Edit the Gateway object. The First Time Activation wizard launches.
• Enable Threat Emulation.

SandBlast Threat Prevention Lab
Enable SandBlast
• Select the different options and compare the differences.
• Select ThreatCloud Emulation Service and select Next.

Note: If there is a connection issue, click Next.

• Click Finish to exit the Activation wizard.

Check Point Threat Emulation

Review Questions

• Name one advantage of doing the emulation using the Cloud Emulation Service.
• Name one advantage of doing emulation locally on a dedicated Threat Emulation appliance.

SandBlast Threat Prevention Lab
Enable SandBlast
• In our SandBlast testing some samples will be caught by IPS.
• Select IPS and ensure the activation mode is set to Detect only.
• In General Properties enable Threat Extraction.
• This launches the MTA configuration wizard.

SandBlast Threat Prevention Lab
Enable SandBlast
• In Domain enter “*” to forward all emails.
• Select Win-DC as the Next Hop mail server.
• Click Next and it checks the connection to the mail server on win-dc.
• Click Finish.
• To simplify our tests, we’ll first test with Threat Extraction disabled. Uncheck Threat Extraction.
• Install the policy.

Note: Enabling a Check Point gateway as an MTA requires some infrastructure changes, either to DNS MX records or to your existing mail server.

SandBlast Threat Prevention Lab
Enable SandBlast
• Edit the R80 object.

• Select Threat Emulation.

• Notice the settings are according to policy.

SandBlast Threat Prevention Lab
Enable SandBlast
• Select Mail Transfer Agent.
• Select Configure Settings.
• Notice that once the maximum is reached, the default action is Allow.
• Click OK to close the MTA Advanced Settings, and OK to close the Gateway object.

SandBlast Threat Prevention Lab
Enable SandBlast
• In the GATEWAYS & SERVERS tab, select the Gateway object, click on Monitor and then select “Devices & License Information…” from the Summary below.

Threat Emulation

Note: Prior to running the lab, ensure the Threat Emulation Gateway is up to date.
SandBlast Threat Prevention Lab
Enable SandBlast

• Go to SECURITY POLICY -> Threat Prevention, click on Profiles and double click to open the My_Strict profile.
• Select Threat Emulation.
• The default processes all enabled file types. To understand what these are, select the highlighted link (x file types out of x).
• Click Cancel to accept the defaults.

SandBlast Threat Prevention Lab
Enable SandBlast
• Select Threat Emulation -> Emulation Environments.
• To understand emulation environments select Use the following emulation environments.
• Change back to use recommended.

SandBlast Threat Prevention Lab
Enable SandBlast
• Select Threat Emulation -> Advanced.
• Notice the default is to allow the connection and do emulation in the background. Emulation takes time.
• Select Custom.
• For SMTP we’ll change this to Hold. Since the user is unaware of any latency for SMTP connections due to the MTA, we can safely do this.

SandBlast Threat Prevention Lab
Enable SandBlast

• Select Threat Extraction.
• Notice the default is Extract files from potential malicious parts.
• Click Configure to review what this means.
• For this lab we’ll set the Extraction method to Convert to PDF.
• Click OK.
• Install the Policy.

SandBlast Threat Prevention Lab
Enable SandBlast
• Common Threat Prevention settings that all Profiles share are configured in MANAGE & SETTINGS -> Blades -> Threat Prevention (Advanced Settings…).
• Here you can configure File Type Support, check it out.
• This is also where Maximum file size for emulation is set, up to 15,000 KB (~15 MB).
• Click Cancel.

SandBlast Threat Prevention Lab
Test SandBlast
• To test Threat Emulation we’ll upload sample files from win-victim to the web server.
• The web server is configured to include the file as an attachment in sample phishing emails. All of the files will be renamed to resume.doc.
• The web server sends the emails to the gateway, which is now configured as a Mail Transfer Agent (MTA).
• The gateway inspects the emails. When it has a verdict it sends the emails to the mail server on win-dc.
• On win-victim we check the emails with an Outlook client.
• Win-victim also includes utilities to change the MD5 signature of the sample files.
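The email leg of this pipeline, as an added example that is not part of the lab or of Check Point's tooling: a small Python harness that wraps a sample as resume.doc with a unique reference in the subject (so the message can be matched against the Threat Emulation log entry) and hands it to the gateway MTA. It assumes the MTA is reachable at the gateway's DMZ address 192.168.102.254 and uses hypothetical lab.test sender and recipient addresses.

```python
import hashlib
import smtplib
import uuid
from email.message import EmailMessage
from typing import Optional

MTA_HOST = "192.168.102.254"        # R80 gateway Eth1 acting as MTA (assumption)
MTA_PORT = 25
TEST_FROM = "unknown300@lab.test"   # hypothetical sender, standing in for the web server
TEST_TO = "jroberts@lab.test"       # hypothetical recipient mailbox on win-dc


def sample_md5(data: bytes) -> str:
    """MD5 of the attachment bytes. Threat Emulation keys cached verdicts on the
    file hash, so recording it lets you match the LOGS & MONITOR entry later."""
    return hashlib.md5(data).hexdigest()


def build_test_message(sample: bytes, test_id: Optional[str] = None) -> EmailMessage:
    """Wrap the sample as 'resume.doc' in a phishing-style message, mirroring
    what the lab web server does, with a unique reference number in the subject."""
    test_id = test_id or uuid.uuid4().hex[:8]
    msg = EmailMessage()
    msg["From"] = TEST_FROM
    msg["To"] = TEST_TO
    msg["Subject"] = f"Your application - ref {test_id}"
    # Custom header (lab convention, not a Check Point field) for log correlation.
    msg["X-Lab-Sample-MD5"] = sample_md5(sample)
    msg.set_content("Please review the attached resume.")
    msg.add_attachment(sample, maintype="application", subtype="msword",
                       filename="resume.doc")
    return msg


def send_via_mta(msg: EmailMessage, host: str = MTA_HOST, port: int = MTA_PORT) -> None:
    """Hand the message to the gateway MTA. With SMTP set to Hold, the MTA
    forwards it to win-dc only after the emulation verdict is known."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed benign bytes stand in for the lab's sample file.
    sample = b"constructed benign sample, not a malware sample"
    message = build_test_message(sample)
    print(message["Subject"], message["X-Lab-Sample-MD5"])
    # send_via_mta(message)  # uncomment inside the lab network
```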

SandBlast Threat Prevention Lab
Test SandBlast
Threat Emulation and Threat Extraction Test

• Log into the win-victim VM.

• Launch the Chrome browser.

• One tab is to the Ubuntu web server hosting the Unknown 300 page.

• Select the UPLOAD tab.

• Select Choose File and select resume.doc in C:\MaliciousFiles.

• Select Email Attachment.

• Send the file.

SandBlast Threat Prevention Lab
Test SandBlast
If the test is successful you should see a SUCCESS message along with a unique number included in the email subject.

Note: If you don’t see the success message, see the “create a variant” steps (slide 27) below.

SandBlast Threat Prevention Lab
Test SandBlast
• In SmartConsole navigate to LOGS and select the Threat Prevention All query.
• Enable AutoScroll.

SandBlast Threat Prevention Lab
Test SandBlast
• Emulation takes time. The ubuntu server sends an email to the R80 gateway. The R80 gateway sends the file to the cloud for emulation. When a verdict is returned the file is sent to the mail server on win-dc.
• Using the Gaia Web UI Terminal or putty, log into the R80 VM as admin and then expert.
• To watch the cloud queue, enter
  # watch tecli show cloud queue
• While you’re waiting launch the outlook client on the win-victim VM.
• How long does it take to process the file?

SandBlast Threat Prevention Lab
Test SandBlast
• Check the outlook client for the email.
• When malware is detected, the attachment is removed. Notice the attachment is not resume.doc. It should be a message saying the file was malicious.
• Would an average user have been tricked into opening the attachment?

SandBlast Threat Prevention Lab
Test SandBlast
• Check the LOGS & MONITOR Logs tab for Threat Emulation events.
• Click on View Report to view a detailed analysis.

SandBlast Threat Prevention Lab
Test SandBlast
• Send the same resume.doc file again.
• How long does it take to receive the email?
• It should be fairly quick because it now has a hash of the file.
• Check the LOGS & MONITOR Logs tab for Threat Emulation events.

SandBlast Threat Prevention Lab
Test SandBlast
• Threat Extraction enables us to remove active content from files and only send safe content while the emulation happens in the background.
• Edit the R80 object.
• Enable Threat Extraction.
• Install the threat prevention policy.

SandBlast Threat Prevention Lab
Test SandBlast
• What would happen when a safe document is sent?

• Send the clean.doc file, followed by the resume.doc file.

• How long does it take to receive the email?

• Notice the Word document is converted to PDF.

• If you trust the source click on the link to the original attachment.

• In the UserCheck message enter a reason to access the Word doc.

SandBlast Threat Prevention Lab
Test SandBlast
• It is easy to create a variant of known malware.

• In the win-victim system tray click on the DOS icon.

• This launches a batch file to change the md5 of the resume.doc file.

• Type resume.doc to select it.

• Enter some random characters and press enter.

• Notice the MD5 of the document changes.

• Send the file again.

• How long does the emulation take?

SandBlast Threat Prevention Lab
Test SandBlast
• To test access over HTTP click on the unknown300 download tab.
This includes links to download files used in the earlier tests.

Check Point Threat Emulation

Review Questions

HTTP emulation is set to background, meaning the file will be delivered to the user. In the background the emulation happens.

Remember emulation takes time. If we want to set HTTP to hold we need a user agent to keep the user informed while the emulation happens.

• Does Check Point have a user agent to solve this problem?

SandBlast Threat Prevention Lab
Prep for Threat Prevention Labs
• To prepare for the endpoint labs, we’ll disable our network security protections. Navigate to the Access Control policy and select My_Policy.
• Change the cleanup rule action to Accept.
• Right click to Edit the policy. Ensure Threat Prevention is disabled. Remove the Web Control Layer. Click OK.

SandBlast Threat Prevention Lab
Prep for Endpoint SandBlast Labs
• Edit the R80 object, go to the HTTPS Inspection branch and
disable HTTPS Inspection in Step 3.

• Install My_Policy.

• Verify that you still have Internet access.

• Browse to www.eicar.org.

End of Lab