ATRG - Threat Emulation
Solution ID: sk114806
Product: Threat Emulation, Quantum Appliances, Quantum Security Gateways, Quantum Scalable Chassis
Version: R77.20, R80.10 (EOL), R80.20, R80.30, R80.40, R81, R81.10
OS: Gaia
Platform / Model: Threat Emulation, 2000, 3000, 4000, 5000, 12000, 13000, 15000, 21000, 23000, 41000, 44000, 61000, 64000, X-Series (EOL), Intel/PC
Date Created: 03-Sep-2017
Solution
To challenge today's malware landscape, Check Point's comprehensive Threat Prevention solution offers a multi-layered, pre-infection and post-infection defense ap
consolidated platform that enables enterprise security to deal with modern malware:
GW mode - R76SP.40
VSX mode - R76SP.40
(in the cloud, or on local appliance) for further emulation and analysis
C. Emulating the suspicious files in various OS environments
Works by:
Each Threat Prevention Software Blade gives unique network protections and they can be combined to supply a strong malware solution.
Data from malicious attacks are shared between the Threat Prevention Software Blades and help keep your network safe.
For example, the signature of a threat that is identified by Threat Emulation is added to the Anti-Virus database.
The Threat Prevention Software Blades use a separate policy installation to minimize risk and operational impact.
They are also integrated with other Software Blades on the Security Gateway to detect and stop threats.
A. SandBlast Threat Emulation (Sandboxing) can protect your network against new malware, zero-day vulnerabilities and targeted attacks.
Threat Emulation gives networks the necessary protection against unknown threats in files that are downloaded from the Internet or attached to e-mails.
The file is opened on more than one virtual computer with different operating system environments.
The virtual computers are closely monitored for unusual and malicious behavior, such as an attempt to change registry keys or run an unauthorized proc
Any malicious behavior is immediately logged and you can use Prevent mode to block the file from the internal network.
The cryptographic hash of a new malicious file is saved to a database and the internal network is protected from that malware.
Information about malicious files and malware is shared with the Check Point ThreatCloud (administrator can disable this) and helps protect all ThreatCl
Inspect all incoming files to an organization and send them to a safe virtual environment
Open the files in the virtual environment to see what would happen if someone inside of the organization would open this file
Prevent the malicious files from entering the organization
|Sandboxing Type |Description |Works by
----------------|----------|----------
|CPU-Level Emulation |New leading edge technology unique to Check Point. Next generation of sandboxing to catch more malware. No guesswork required, detection is definitive. Not based on heuristics or statistics. Resistant to evasions. Fast and effective. |Monitoring CPU buffer. Finding exploits. Preventing malware before it executes.
Refer to sk107333 - Support for CPU Level sandboxing on
in your network)
Security Gateway / Cluster
Proxy Server) must be configured in the object of
appliance
Important Notes:
On R77.30 Security Management Server / Multi-Domain Security Management Server, the R77.30 Add-On must be installed and enabled.
Local emulation
Remote emulation:
Cluster
Threat Emulation local cache is not synchronized.
UserCheck
When processing a file received over HTTP, UserCheck cannot send messages to the browser after the download has started.
New malicious files need the UserCheck agent to display the UserCheck message.
For known (by Threat Emulation) malicious files, a UserCheck message can be displayed in the browser.
UserCheck agent is supported only if a client uses SMTP to send an e-mail to the SMTP server
UserCheck message via e-mail is not supported for any of the Threat Prevention blades - only for DLP
To provide a user-friendly notification, Security Gateway must be configured as a Mail Transfer Agent
the malicious attachment will be replaced with a text file
Web Portals
Threat Emulation uses port 8080 and requires that it is free and available. No portal is allowed to use port 80
Threat Emulation blade is enabled, including WebUI.
This is relevant only for Sandblast Appliances or Firewall that is performing local emulation.
Output of TE debug:
Note: Starting from R81 the following appliances are no longer supported:
Smart-1 205/210, 2200, 4200, 4400, 4600, 4800, 12200, 12400, 12600, 13500, 13800, 21400, 21600, 21700, 21800.
(5) File emulation location - ThreatCloud vs Local / Remote Threat Emulation Appliance

| |Cloud Emulation |Local Emulation |Remote Emulation
----------------|----------|----------|----------
|Example topology |(diagram) |(diagram) |(diagram)
|Available policy actions |"Prevent" and "Detect". |"Prevent" and "Detect". |"Prevent" and "Detect".
|Machine resources (CPU, RAM, HDD) |Impact is similar to AV/Deep Scan. |High usage of CPU and RAM for running the sandboxing environment. |Impact is similar to AV/Deep Scan.
|ThreatCloud License |Required to send files for emulation. For more details see sk119133. |Depends on configuration, see sk119133. |Required to send files for emulation. For more details see sk119133.
|Custom OS images |Not possible. |Possible but not recommended. The recommended configuration provides significant performance and detection superiority due to the nature of the sandbox to provide a good host for the malware. |Possible but not recommended. The recommended configuration provides significant performance and detection superiority due to the nature of the sandbox to provide a good host for the malware.
|Data samples |Huge data sample set. |Your appliance knows your files best, but has a smaller data sample set. |Your appliance knows your files best, but has a smaller data sample set.
| | |Update must be scheduled to not disrupt scanning. |Update must be scheduled to not disrupt scanning.
|Shared threat database |Real-time data. |Takes time until data is updated. |Takes time until data is updated.
|Multi-Site deployment |ThreatCloud can work with Security Gateway of any "size". Does not require additional hardware. |Depending on the amount of emulated files, a local appliance might be required. Threat Emulation Appliances for all business sizes can be offered. Threat Emulation can be load balanced. |Depending on the amount of emulated files, a local appliance might be required. Threat Emulation Appliances for all business sizes can be offered. Threat Emulation can be load balanced.
Note: Refer to sk93598 - Threat Emulation Sizing Mode: how to measure the required inspections at an organization.
Note: All the deployment options require an additional NGTX license (also see sk119133).
Deployment options: Inline, Monitor (SPAN / TAP), Remote (recommended).

Deployment option: Inline
Background:
Allows using the "Prevent" and "Ask" actions (with UserCheck) in the Threat Prevention policy.
A. The ThreatCloud or Emulation appliance gets a file from the Security Gateway.
B. Emulation is run on the file:
If the file is safe, it is sent to the computer in the internal network.
If the file contains malware, it is quarantined and logged.
Other existing Security Gateways perform FireWall, NAT and other functions.
Example topology:
Related solutions:
A Proxy / ICAP Server collects files and sends them via ICAP to the SandBlast TE Appliance for emulation.
Note: Sandblast TE Appliance can act as MTA to emulate e-mail traffic at the same time.
Example topology:
Deployment option: Monitor (SPAN / TAP)
Background:
Allows using only the "Detect" action in the Threat Prevention policy.
SPAN / TAP / Monitor Port configuration is used to duplicate the network traffic.
The files are sent directly to Threat Emulation and to the computer in the internal network.
If Threat Emulation discovers that a file contains malware, the corresponding log is generated.
Example topology:
A. The ThreatCloud or Threat Emulation appliance receives a copy of a file from the Security Gateway.
Notes:
The default behavior of the Threat Emulation blade in this deployment option is to inspect all traffic, also on SPAN / TAP / Monitor Port interfaces. To make it handle SPAN / TAP / Monitor Port interfaces according to the Topology configured in the Threat Emulation Gateway object, set the following kernel parameter:
To set the desired value for this kernel parameter on-the-fly (does not survive reboot), follow sk26202 - Changing the kernel global parameters for Check Point Security Gateway.
To set the desired value permanently (survives reboot), edit the fwkern.conf file:
[Expert@HostName:0]# vi $FWDIR/boot/modules/fwkern.conf
C. Add the following line (spaces and comments are not allowed):
te_handle_span_port_interfaces_according_to_topology=1
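The following script is an added example, not part of sk114806 and not a Check Point tool. It writes a kernel parameter into fwkern.conf idempotently (one definition per parameter, existing definitions replaced rather than duplicated) and enforces the rule stated above: one name=value per line, no spaces, no comments. The path $FWDIR/boot/modules/fwkern.conf and the parameter te_handle_span_port_interfaces_according_to_topology are taken from this page; the integer-only value check and the .bak backup copy are assumptions of the example.

```python
"""Added example (not from sk114806, not Check Point code): idempotently set a
kernel parameter in fwkern.conf, the file the Check Point kernel reads at boot.

Assumptions: the path $FWDIR/boot/modules/fwkern.conf and the "name=value, no
spaces, no comments" format are taken from the page; restricting values to
integers and keeping a .bak copy of the previous file are choices of this example.
"""
import os
import re
import shutil
from pathlib import Path
from typing import Optional

# Kernel parameter names are C identifiers; values are plain integers.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_VALUE_RE = re.compile(r"^-?[0-9]+$")


def default_fwkern_path() -> Path:
    """Location of fwkern.conf on a gateway ($FWDIR is set in the Expert shell)."""
    fwdir = os.environ.get("FWDIR")
    if not fwdir:
        raise EnvironmentError("FWDIR is not set; run this from an Expert shell")
    return Path(fwdir) / "boot" / "modules" / "fwkern.conf"


def render_fwkern(existing: str, name: str, value: str) -> str:
    """Return the new file text with exactly one 'name=value' line.

    Other lines are preserved untouched. A ValueError is raised when the name
    or value would break the file's rules (spaces or comment characters would
    make the kernel ignore the line, or worse, the whole file).
    """
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid kernel parameter name: {name!r}")
    if not _VALUE_RE.match(value):
        raise ValueError(f"value must be an integer without spaces or comments: {value!r}")
    out, replaced = [], False
    for line in existing.splitlines():
        if line.split("=", 1)[0] == name:
            if not replaced:
                out.append(f"{name}={value}")  # replace the first definition in place
                replaced = True
            continue  # drop any duplicate definitions of the same parameter
        out.append(line)
    if not replaced:
        out.append(f"{name}={value}")
    return "\n".join(out) + "\n"


def set_fwkern_param(name: str, value: str, path: Optional[Path] = None) -> Path:
    """Write name=value into fwkern.conf, keeping a .bak copy of the old file."""
    path = path or default_fwkern_path()
    existing = path.read_text() if path.exists() else ""
    if path.exists():
        shutil.copy2(path, path.with_suffix(".conf.bak"))
    path.write_text(render_fwkern(existing, name, value))
    return path


if __name__ == "__main__":
    # The parameter from this page: handle SPAN port interfaces per Topology.
    print(render_fwkern("", "te_handle_span_port_interfaces_according_to_topology", "1"), end="")
```

Run set_fwkern_param() on the gateway only after the usual change control; the value takes effect on the next reboot, while the on-the-fly method from sk26202 applies immediately but is lost on reboot, so both are normally done together.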
Not defining the Topology in the Threat Emulation Gateway object may cause:
The following features are not supported in Monitor (SPAN / TAP) deployment:
HTTPS Inspection
SMTPS over TLS inspection
"Prevent" action
SPAN ports tend to lose packets, depending on the switch capabilities and the actual network throughput.
This can cause Threat Emulation (and the rest of the blades) not to inspect some traffic.
Take this into consideration - if some files are not shown in logs, make sure (e.g., using tcpdump)
The SPAN port must be configured to support the combined overall throughput of the uplink and downlink traffic seen.
For example, a 100 Mbps SPAN port cannot span a 60 Mbps sync connection, as it needs to pass 120 Mbps to the device.
Make sure the SPAN port can handle the traffic load.
This deployment option does not require a Software Subscription on the SandBlast TE Appliance.
Deployment option: Remote (recommended)
Background:
The Security Gateway sends files to the remote Threat Emulation Private Cloud Appliance(s) on the network.
Allows using the "Prevent" and "Ask" actions (with UserCheck) in the Threat Prevention policy.
How to configure:
Refer to sk102309 - Threat Emulation support for Multiple Private Cloud Appliances.
(7) Emulation Workflow
The process begins with traffic arriving at the protocol parsers, and the Threat Emulation file aggregation kernel part decides that the file needs to be scanned (according to the policy).
If this file needs to be scanned (and Threat Emulation is not in the Bypass mode), then the file part will be sent to the Threat Emulation Daemon ('TED') process, which sends it to the corresponding 'DLPU' process instance.
The DLPU process instance will handle the actual file reassembly.
DLPU process instance (per the allowed number of CPU cores) reassembles files from parsers in CoreXL FW Instances
Receives the complete file and processes it through file type checks to understand if emulation is needed (due to advanced features).
Checks Threat Emulation local cache if the file was already emulated.
Checks system resources (CPU/Memory) to create an emulation queue if needed.
Performs static analysis.
Executes emulation according to policy settings.
Collects forensics details from the VM activity agent.
Collects statistics of the emulation environment.
Performs local logging/reporting and shares data with ThreatCloud.
Malicious files are stored in a repository on the Threat Emulation Appliance in the /var/log/mal_files/ directory (applies to all emulation deployments).
Malicious files are stored in a repository on the Security Gateway in /var/log/mal_files/ directory.
If a file is detected as malicious by the Anti-Virus blade, and the rule contains the "Prevent" action, then the file will always generate a Threat Emulation "Detect" log.
Inspection Flow:
|Streaming |MTA
----------------|----------
|Parser in CoreXL FW Instance -> DLPU -> TED |Parser in CoreXL FW Instance -> Postfix -> in.emaild.mta -> TED -> in.emaild.mta -> Postfix
|Temporary files: $FWDIR/tmp/te/dlpu_tmp_files_<X-Y>/ |Temporary files: $FWDIR/tmp/email_tmp/
3. The customer's Security Gateway encrypts the file and sends it (over an SSL connection) to the ThreatCloud.
4. Frontend servers at the ThreatCloud Pod perform Support Contract verification against the Check Point User Center.
Each Security Gateway has its own UUID (identifier), which is used to identify the Security Gateway in ThreatCloud (the UUID is derived from the MAC Address of the Mgmt interface).
5. The ThreatCloud Pod transfers the file (over an SSL connection) to a Check Point Emulator located at a dedicated, protected Check Point site.
6. The Check Point Emulator decrypts the file and runs emulation on the file.
7. The Check Point Emulator sends a report (over an SSL connection) to a ThreatCloud Pod, which saves it in the shared database.
8. The ThreatCloud Pod sends a report (over an SSL connection) to the customer's Security Gateway for the applicable action.
Geo Restriction:
Geo DNS is used to refer the Security Gateway to the closest ThreatCloud Pod:
The Security Gateway queries the DNS "SRV" record of te.checkpoint.com to find the available ThreatCloud Pod.
The priority of locations depends on the Geo location of the DNS server performing the recursive lookup.
Using an upstream DNS forwarder located in a different region can result in using an emulation centre in the "wrong" region.
In some cases, due to regulations, it might be necessary to use a ThreatCloud Pod in a specific region.
Refer to sk97877 - Cloud Geo Restriction support in Threat Emulation Cloud mode.
Default (all ThreatCloud Pods are allowed):
|Country |State
----------------|----------
|Germany |allowed
|Israel |allowed
|USA |allowed

Restricted to a specific location (for example, USA):
|Country |State
----------------|----------
|Germany |forbidden
|Israel |forbidden
|USA |allowed
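The script below is an added example, not part of sk114806 and not Check Point code. It shows how a client picks a ThreatCloud Pod from an SRV answer (lowest priority first, as in RFC 2782), why a resolver in another region changes that pick, and how a Geo restriction narrows the candidates the way the two tables above do. The record name te.checkpoint.com and the countries Germany, Israel and USA come from this page; the target hostnames, priorities, weights and the country attached to each pod are constructed sample data, not the real records.

```python
"""Added example (not from sk114806, not Check Point code): choosing a
ThreatCloud Pod from the DNS SRV answer for te.checkpoint.com, with and without
a Geo restriction.

CONSTRUCTED data: the pod hostnames, priorities, weights and the country of each
pod below are sample values. The real records are served by Check Point's Geo
DNS and differ by the region of the resolver doing the recursive lookup.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # RFC 2782: lower value is preferred
    weight: int    # RFC 2782: tie-breaker within one priority
    port: int
    target: str
    country: str   # assumed attribute of this example: where the pod is located


# Constructed answer as a resolver in Europe might see it: German pod preferred.
SRV_SEEN_FROM_EUROPE = [
    SrvRecord(10, 100, 443, "pod-de.example.invalid", "Germany"),
    SrvRecord(20, 100, 443, "pod-il.example.invalid", "Israel"),
    SrvRecord(30, 100, 443, "pod-us.example.invalid", "USA"),
]

# Constructed answer the same gateway gets when its upstream forwarder sits in
# the USA: the priorities are reordered, which is the pitfall the page warns of.
SRV_SEEN_FROM_USA = [
    SrvRecord(30, 100, 443, "pod-de.example.invalid", "Germany"),
    SrvRecord(20, 100, 443, "pod-il.example.invalid", "Israel"),
    SrvRecord(10, 100, 443, "pod-us.example.invalid", "USA"),
]


def failover_order(records: Iterable[SrvRecord],
                   allowed_countries: Optional[Set[str]] = None) -> List[SrvRecord]:
    """Pods the gateway may use, most preferred first.

    allowed_countries=None models "tecli advanced cloud geo default" (every pod
    allowed); a set such as {"USA"} models "tecli advanced cloud geo restrict
    USA", i.e. the second table where Germany and Israel are forbidden. Within
    one priority a real resolver picks at random in proportion to weight; this
    version prefers the higher weight deterministically.
    """
    usable = [r for r in records
              if allowed_countries is None or r.country in allowed_countries]
    return sorted(usable, key=lambda r: (r.priority, -r.weight, r.target))


def choose_pod(records: Iterable[SrvRecord],
               allowed_countries: Optional[Set[str]] = None) -> Optional[SrvRecord]:
    """First pod in failover order, or None when the restriction leaves no
    usable pod, so the caller can fail closed instead of emulating elsewhere."""
    order = failover_order(records, allowed_countries)
    return order[0] if order else None


if __name__ == "__main__":
    for label, answer in (("Europe", SRV_SEEN_FROM_EUROPE), ("USA", SRV_SEEN_FROM_USA)):
        default = choose_pod(answer)
        restricted = choose_pod(answer, {"Germany"})
        print(f"resolver in {label}: default -> {default.country}, "
              f"restrict Germany -> {restricted.country}")
```

The point the two sample answers make is the one in the text above: the gateway itself does not move, but a forwarder in a different region changes which pod comes first, and only an explicit restriction makes the choice independent of where the recursive lookup happens.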
Local Emulation (Threat Emulation Appliance installed on your network):
2. The Local Emulation appliance compares the cryptographic hash of the file with the database.
If the file is already in the database, no more emulation is necessary.
If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.
3. The file is inspected in the Threat Emulation engine, including static analysis, resource checking on the appliance to see if the appliance can accommodate the scanning, checking the metadata of the file for intelligence and then emulating the file in the sandbox environment.
The file is emulated according to policy on the relevant OS. During the emulation, there are behaviour indicators that allow Threat Emulation to determine whether the file is malicious or benign. When the investigation ends, a verdict is returned to the sending Security Gateway.

Remote Emulation (Private Cloud Appliance installed on your network):
2. The Remote Emulation appliance compares the cryptographic hash of the file with the database.
If the file is already in the database, no more emulation is necessary.
If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.
3. The file is inspected in the Threat Emulation engine, including static analysis, resource checking on the appliance to see if the appliance can accommodate the scanning, checking the metadata of the file for intelligence and then emulating the file in the sandbox environment.
The file is emulated according to policy on the relevant OS. During the emulation, there are behaviour indicators that allow Threat Emulation to determine whether the file is malicious or benign. When the investigation ends, a verdict is returned to the sending Security Gateway.
In MTA mode, a Postfix server receives and handles the e-mails. E-mails are forwarded to the in.emaild.mta daemon, which parses the e-mails (e.g., Base64 decoding) and passes them to the TED process if needed (based on the configuration of supported file types).
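The script below is an added example, not part of sk114806 and not Check Point code. It puts together two steps this page describes: the attachment path of MTA mode (parse the e-mail, Base64-decode the attachments, pass only supported file types on to emulation) and the hash lookup of the Local / Remote emulation flow (compare the file's cryptographic hash with the database and skip files that already have a verdict). Everything in it is constructed for illustration: the sample message, the magic-byte type table, the supported-type set and the in-memory verdict cache stand in for in.emaild.mta, the engine's file type checks, the policy and the appliance database; the sandbox itself is injected as a callable because it cannot be reproduced here.

```python
"""Added example (not from sk114806, not Check Point code): MTA attachment
extraction, file type check by content, SHA-256 lookup in a verdict cache, and
emulation only for unknown files of a supported type.

All data below is CONSTRUCTED: the sample e-mail, the magic-byte table, the
supported types and the cache are stand-ins for in.emaild.mta, the engine's
file type checks, the policy and the appliance database.
"""
import hashlib
from email import message_from_bytes, policy
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: classify by leading bytes instead of trusting Content-Type,
# because a sender controls the MIME headers but not the file's real structure.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),  # also OOXML Office documents
    (b"MZ", "exe"),          # Windows PE executable
]

# Constructed: file types the (hypothetical) policy sends to emulation.
SUPPORTED_TYPES = frozenset({"pdf", "zip", "exe"})

# Constructed sample message: a PDF, a real PNG, and a "PNG" that is really a PE.
SAMPLE_EMAIL = b"""From: sender@example.invalid
To: user@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: image/png; name="logo.png"
Content-Disposition: attachment; filename="logo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1
Content-Type: image/png; name="photo.png"
Content-Disposition: attachment; filename="photo.png"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


def extract_attachments(raw: bytes) -> List[Tuple[str, str, bytes]]:
    """Return (filename, declared content type, decoded bytes) per attachment.
    The email library undoes the Content-Transfer-Encoding (Base64 here)."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, str):  # text/* attachments come back as str
            payload = payload.encode(part.get_content_charset() or "utf-8")
        result.append((part.get_filename() or "unnamed", part.get_content_type(), payload))
    return result


class VerdictCache:
    """Stand-in for the appliance database: SHA-256 hex digest -> verdict."""

    def __init__(self) -> None:
        self._db: Dict[str, str] = {}

    def lookup(self, digest: str) -> Optional[str]:
        return self._db.get(digest)

    def store(self, digest: str, verdict: str) -> None:
        self._db[digest] = verdict


def process_email(raw: bytes, cache: VerdictCache,
                  emulator: Callable[[bytes, str], str],
                  supported=SUPPORTED_TYPES) -> List[Tuple[str, str, str]]:
    """Decide per attachment: skip, answer from cache, or emulate and cache.
    Returns (filename, decision, sha256). The decision uses the detected type,
    so 'photo.png' (really a PE file) is emulated although its header says image."""
    decisions = []
    for name, declared, data in extract_attachments(raw):
        digest = hashlib.sha256(data).hexdigest()
        ftype = detect_type(data)
        if ftype not in supported:
            decisions.append((name, f"skipped ({ftype}, declared {declared})", digest))
            continue
        cached = cache.lookup(digest)
        if cached is not None:
            decisions.append((name, f"cache hit: {cached}", digest))
            continue
        verdict = emulator(data, ftype)  # the real sandbox runs the file in VMs
        cache.store(digest, verdict)
        decisions.append((name, f"emulated ({ftype}): {verdict}", digest))
    return decisions


if __name__ == "__main__":
    cache = VerdictCache()
    placeholder = lambda data, ftype: "verdict-from-sandbox"  # constructed stand-in
    for run in (1, 2):
        print(f"run {run}:")
        for name, decision, digest in process_email(SAMPLE_EMAIL, cache, placeholder):
            print(f"  {name:12s} {decision:45s} {digest[:16]}...")
```

Running the same message twice shows the cache behaviour the page describes for the appliance database: the second pass answers both supported attachments from the hash lookup without calling the emulator again, while the PNG is skipped on both passes because its detected type is not in the policy.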
Background
This mode is configured by default.
The connection over HTTP / SMTP is allowed and the file is sent to the destination even if the Threat Emulation analysis is not finished.
Note: If the "Prevent" action is used in the Threat Prevention policy, then a file that Threat Emulation has already identified as malware is blocked. The file is not sent to the destination even in the "Background" mode.
It is important to monitor the "Detect" events to catch the first downloads that probably caused the user's machine to get infected (not automatically notified!).
Hold
A connection over HTTP / SMTP that must have emulation is blocked and Threat Emulation holds the file until the Threat Emulation analysis is finished (default minimum is 60 sec; configurable).
For configurations that use the "Hold" mode for SMTP traffic, to decrease the delay in receiving the e-mails, it is recommended to use a Mail Transfer Agent (MTA) deployment, which also supports SMTP/TLS.
Note: This mode can create a time delay for users to receive e-mails and files.
Custom
Allows configuration of the "Background" and "Hold" modes independently for the HTTP and SMTP protocols.
Process: ted
Description: Threat Emulation daemon engine - responsible for emulating files and communication with the cloud.
Receives the complete file and processes it through file type checks to understand if emulation is needed (due to advanced features)
Checks Threat Emulation local cache if the file was already emulated
Checks system resources (CPU / RAM) to create an emulation queue if needed
Executes emulation according to policy settings
Collects forensic details from the VM activity agent
Collects statistics of the emulation environment
Local logging/reporting and shares data with ThreatCloud
Path: $FWDIR/teCurrentPack/temain
Log files:
$FWDIR/log/te_file_downloader.elg
$FWDIR/log/te_engine_log_file.elg
$FWDIR/log/te_image_prep_util.elg
Debug: "tecli debug" - refer to the "(10) The tecli command (Threat Emulation Command Line Tool)" section and to the Threat Prevention Administration Guide (R77.X, R80, R80.10)

Process: dlpu
Debug: Refer to sk73660.
1. Start debug:
Log files:
$FWDIR/log/dlpu.elg*
Process: usrchkd
Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Portal.
Path: $FWDIR/bin/usrchkd
Configuration files:
$FWDIR/conf/usrchkd.conf
$FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
$FWDIR/conf/fwauthd.conf
Notes:
This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
This daemon is spawned by the FWD daemon
Debug:
Note: It might also be required to collect the relevant kernel debug.
1. Start debug:
Log files:
$FWDIR/log/usrchkd.elg*

Process: usrchk
Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path: $FWDIR/bin/usrchk

Process: in.emaild.mta
Description: When enabling the Mail Transfer Agent (MTA) on the Security Gateway, this E-Mail Security Server receives e-mails sent by
sends them to their destinations.
Path: $FWDIR/bin/fwssd
Log files:
/var/log/maillog
Debug:
1. Start debug:
$FWDIR/log/emaild.mta.elg*
Important Notes:
Run the tecli command to see the commands that exist in your version of Threat Emulation Engine.
Some commands are intended only for Check Point internal use.
Syntax:
[Expert@HostName:0]# tecli [show ...] [control ...] [set ...] [advanced ...] [cache ...] [debug ...]
Where:
tecli show emulator emulations = information about the current status of the emulation queue (pending emulating requests, running virtual machines, number of emulated files)
tecli show emulator vm synopsis = summary of the VMs (pending emulating requests, average request wait time, running emulation vms)
tecli show emulator vm id <ID> = detailed information for the VM with this ID
tecli show throughput minute = how many files completed emulation for each minute
tecli show throughput hour = how many files completed emulation for each hour
tecli show throughput day = how many files completed emulation for each day
tecli show throughput month = how many files completed emulation for each month
tecli show statistics = displays Threat Emulation current statistics (threat emulation engine version, scanned files, resend files, malicious files, average process time, etc.)
tecli show unit ... = displays information on the threat emulation system units - all the parts of file emulation
tecli show unit all = the chain of units that process a file emulation (shows the number of files for each task in the emulation part)
tecli show downloads images = download status of operating system images for VMs
tecli show downloads dr = download status of malware detection rules (white lists for documents, etc.)
tecli show downloads sa = download status of static analysis rules (pre-processing Python rules for PDF and Office documents)
tecli show downloads raw = download status of general (raw) Threat Emulation files (engine binary updates)
tecli show downloads types = mapping of detected file types to real extension used in Windows OS
tecli show downloads scanengine = shows status of scan engine package files
tecli show cloud ... = displays data and statistics about your ThreatCloud account
tecli show cloud identity = data about how this gateway connects to the ThreatCloud
tecli show cloud quota = data about your ThreatCloud monthly emulation quota
tecli show affinity = displays current Threat Emulation CPU affinity (number of CoreXL FW instances and of CPU cores for TED / TEMAIN daemon)
tecli show remote ... = displays information about emulation on Remote Threat Emulation appliance
tecli show remote queue = information about emulation queue on Remote Threat Emulation appliance
Note: The "tecli show ..." commands display various statuses of Virtual Machines:
Status Explanation
tecli control sizing ... = modifies sizing mode - see sk93598 for more details
tecli control sizing status = displays the current status of the sizing mode
tecli advanced analyzer ... = Threat Emulation File Analyzer in R77.30 and above (refer to sk112312)
tecli advanced analyzer show = displays analyzer state and configured values of its attributes
tecli advanced analyzer enable <1|0> = enables (1) or disables (0) analyzer investigator
tecli advanced analyzer max_embedded_files_limit <value> = sets maximal limit for number of embedded files
tecli advanced analyzer max_embedded_links_limit <value> = sets maximal limit for number of embedded links
tecli advanced analyzer prohibited sensitive = blocks documents that contain sensitive links (links to local or network path)
tecli advanced analyzer prohibited macro = blocks documents that contain macros and code
tecli advanced analyzer prohibited word = blocks documents with embedded MS Word file type
tecli advanced analyzer prohibited excel = blocks documents with embedded MS Excel file type
tecli advanced analyzer prohibited power_point = blocks documents with embedded MS Power Point file type
tecli advanced analyzer prohibited executable = blocks documents with embedded executable file type
tecli advanced analyzer prohibited zip_em = blocks documents with embedded ZIP file type
tecli advanced analyzer prohibited flash = blocks documents with embedded Flash file type
tecli advanced analyzer prohibited pdf = blocks documents with embedded PDF file type
tecli advanced analyzer prohibited js = blocks documents with embedded JavaScript file type
tecli advanced engine revert = reverts to the original (out of the box) version
tecli advanced downloads update ... = initiates Threat Emulation engine update
tecli advanced downloads update all = Threat Emulation engine update of all components
tecli advanced downloads update rules = Threat Emulation engine update of malware detection and static analysis rules (sk117672)
tecli advanced downloads update file types map = mapping of file types to real extension used in Windows OS
tecli advanced downloads update raw = Threat Emulation engine update of raw files (engine binary updates)
tecli advanced forensics clean <UID> = cleans the forensics data of a given UID
tecli advanced forensics limit stat = prints the status of forensics limit activities
tecli advanced forensics limit set <1|0> = enables (1) / disables (0) the forensics limit activities mode
tecli advanced archive extract ... = controls file types that are extracted from archive files (e.g., refer to sk108373)
tecli advanced archive extract all ... = displays the current status and enables / disables extraction of all file types from archive files
tecli advanced archive extract all stat = displays the current status (enabled / disabled) of extraction of all file types from archive files
tecli advanced archive extract all enable = enables extraction of all file types from archive files
tecli advanced archive extract all disable = disables extraction of all file types from archive files
tecli advanced cloud geo ... = cloud geo restrictions (control which ThreatCloud Pods are allowed / forbidden) - refer to sk97877
tecli advanced cloud geo default = sets automatic Cloud Geographic location (all ThreatCloud Pods are allowed)
tecli advanced cloud geo restrict <Germany|Israel|USA> = restricts to a specific location (only that specific ThreatCloud Pod is allowed)
tecli advanced cloud request ... = shows and sets maximal number of objects in cloud request
tecli advanced cloud request show = shows maximal number of objects in cloud request
tecli advanced cloud request set <value> = sets maximal number of objects in cloud request
tecli advanced cloud timeout ... = shows and sets timeout of file processing time (hours)
tecli advanced cloud timeout show = shows timeout of file processing time (hours)
tecli advanced cloud timeout set <value> = sets timeout of file processing time (hours)
tecli advanced cloud connectivity ... = displays the current status and enables / disables cloud connectivity
tecli advanced cloud connectivity stat = displays the current ThreatCloud connectivity status
tecli advanced cloud connectivity allow = allows the access to ThreatCloud, if needed
tecli advanced cloud connectivity deny = denies any access to ThreatCloud (sk109854)
tecli advanced attributes ... = special attributes (should be changed only if instructed by Check Point)
tecli advanced attributes show = displays special attributes and their values
tecli advanced attributes set ... = sets special attributes and their values
tecli advanced attributes set static_cloud <1|0> = enables (1) or disables (0) static analysis on cloud server
tecli advanced attributes set trusted_source <1|0> = enables (1) or disables (0) trusted source domains
tecli advanced attributes set reclassifier <1|0> = enables (1) or disables (0) files reclassification (refer to "(16) File Reclassifier" section)
tecli advanced attributes set file_type_logs <1|0> = enables (1) or disables (0) monitoring logs per file type
tecli advanced attributes set archive_timeout <value> = sets archive tool timeout (in seconds)
tecli advanced attributes set archive_max_size <value> = sets archive tool maximum inflate size (in MB)
tecli advanced attributes set prohibited_file_types <file_type1>,<file_type2>,... = configures file types that are prohibited in archives (sk123140)
tecli advanced attributes set prohibited_file_types - = resets all file types prohibited in archives
tecli advanced attributes set wait_queue_max_size <value> = sets the maximum size of Cloud Error Handling wait queue (default is 5000)
tecli advanced attributes set wait_queue_timeout <value> = sets timeout (in minutes) for retrying to send a file to the ThreatCloud after an error (default is 360)
tecli advanced attributes set save_all_files <1|0> = enables (1) or disables (0) saving all the files processed by TED
tecli advanced attributes set cloud_dns_name <hostname> = overrides the default hostname te.checkpoint.com with the specified hostname (requires installation of Threat Prevention policy)
tecli advanced attributes set cloud_dns_name - = restores the default hostname te.checkpoint.com (requires installation of Threat Prevention policy)
tecli advanced attributes set emulation_upload_chunk_size <value> = configures emulation upload chunk size
tecli advanced attributes set emulation_enable_upload_split <1|0> = enables (1) or disables (0) emulation upload split
tecli advanced attributes set whitening_mode <1|0> = enables (1) or disables (0) whitening mode
tecli advanced attributes set max_size_per_log_file <size_in_bytes> = sets maximal size per log file (requires restart of TED daemon; default is 10 MB)
tecli advanced attributes set number_of_log_files <number> = sets number of log files (requires restart of TED daemon; default is 10 files)
tecli advanced attributes set http_failure_until_dns_failover <value> = sets number of HTTP failures until DNS failover (default is 3)
tecli advanced attributes set false_positive_guard_file_types <all|executables> = sets false-positive guard file types (requires installation of Threat Prevention policy)
tecli advanced attributes set domains_threshold_enabled <1|0> = enables (1) or disables (0) the domains threshold
tecli advanced attributes set domains_threshold_time_frame_in_minutes <value> = sets time frame in minutes for domains threshold (requires restart of TED daemon)
tecli advanced attributes set domains_threshold_max_consuming_files_in_frame <value> = sets maximal number of files in frame for domains threshold (requires restart of TED daemon)
tecli advanced attributes set api_log_path </path_to/> = sets path to API logs
tecli advanced attributes set api_log_path - = restores the path to API logs to its default /var/log/huntress_api_logs
tecli advanced attributes set db_purge_interval <value> = sets interval (in minutes) for purging the database
tecli advanced attributes set db_purge_max_records <value> = sets maximal number of purged records
tecli advanced attributes set calc_sha256 <1|0> = enables (1) or disables (0) calculation of SHA256 hash for files
tecli advanced attributes set disable_monitoring <1|0> = enables (1) or disables (0) VM documents monitoring - effective only if, prior to this command, you ran the "tecli advanced instrumentation off ; tecli advanced download reinitialize" commands
tecli advanced attributes set monitored_events_limit <value> = sets limit for number of monitored events
tecli advanced attributes set memory_dump <1|0> = enables (1) or disables (0) memory dump (requires restart of TED daemon)
tecli advanced attributes set pcap_enable <1|0> = enables (1) or disables (0) traffic capture from logs (will save only when report is created)
tecli advanced attributes set pcap_number_of_packets <value> = sets number of packets to be captured from logs
tecli advanced attributes set enable_cpu_level_detection <1|0> = enables (1) or disables (0) CPU-Level Detection (refer to sk107333)
tecli advanced attributes set screen_dumps <1|0> = enables (1) or disables (0) the Screen Dumps
tecli advanced attributes set emulation_mode <legacy|experimental|aggressive|balanced> = sets the Emulation Mode
tecli advanced attributes set appready_verify <1|0> = enables (1) or disables (0) App-Ready Verification
tecli advanced attributes set appready_optimization <1|0> = enables (1) or disables (0) App-Ready Optimization
tecli advanced attributes set wem_verify <1|0> = enables (1) or disables (0) the Web Emulation (WEM) images verification
tecli advanced attributes set sha1_collision_attack_detection <1|0> = enables (1) or disables (0) the SHA-1 Collision Attack detection (sk116141)
tecli advanced attributes set max_vm <number> = sets the maximal number of concurrently running VMs
tecli advanced attributes set max_create <value> = sets the maximal number of VMs that can be created concurrently
tecli advanced attributes set disable_ted_pnote <1|0> = enables (1) or disables (0) notifications from the Critical Device "ted" in ClusterXL (sk107542)
tecli advanced attributes set fake_html_response_timeout <value> = sets timeout (in seconds) for fake HTML response
tecli advanced attributes set max_scratch_file_size <value> = sets maximal size (in MB) for scratch file
tecli advanced attributes set classifier_second_emulation <1|0> = enables (1) or disables (0) second emulation after re-classification
tecli advanced attributes set icon_similarity_status <1|0> = enables (1) or disables (0) icon similarity status
tecli advanced attributes set enable_hps_retry <1|0> = enables (1) or disables (0) HPS retry
tecli advanced attributes set tc_advisory_num_consumers <value> = sets TC advisory number of consumers
tecli advanced attributes set file_uploader_num_consumers <value> = sets file uploader number of consumers
tecli advanced attributes set static_macro_analyzer_status <1|0> = enables (1) or disables (0) Static Macro Analyzer
tecli advanced attributes set reports_version_number <1|2> = sets the reports version number - default (1) or new reports (2) - refer to sk120357
tecli advanced remote ... = configures the Security Gateway to use multiple remote Threat Emulation Private Cloud Appliances (sk102309)
tecli advanced remote show = shows the list of configured remote Threat Emulation Private Cloud Appliances
tecli advanced remote activate = activates the support for multiple remote Threat Emulation Private Cloud Appliances
tecli advanced remote deactivate = deactivates (default) the support for multiple remote Threat Emulation Private Cloud Appliances
tecli advanced remote add <IP Address of Appliance> = adds the specified remote Threat Emulation Private Cloud Appliance
tecli advanced remote remove <Appliance ID> = removes the specified remote Threat Emulation Private Cloud Appliance
tecli advanced remote add_ssl = adds new Private Cloud Appliance for emulation using SSL
tecli advanced remote emulator ... = controls actions with remote Threat Emulation Private Cloud Appliance
tecli advanced remote emulator logs ... = controls logs for remote Threat Emulation Private Cloud Appliance
tecli advanced remote emulator logs status = shows logs status for remote emulator
tecli advanced remote emulator logs enable = enables logs for remote emulator
tecli advanced remote emulator logs disable = disables (default) logs for remote emulator
tecli advanced persistency set enable <1|0> = enables (1; default) or disables (0) persistency mode feature
tecli advanced persistency set inject_interval <value> = sets interval (in seconds; default is 10) for injection of event profile to TED daemo
tecli advanced persistency set file_for_fetch <value> = sets the number of files to fetch from the database for recovery (default is 50,000)
tecli advanced persistency set file_for_working_batch <value> = sets the number of files of working batch from the database for recovery (default is 360)
tecli advanced persistency set max_retries <value> = sets the number of maximum retries for recovery (default is 3)
tecli advanced persistency set retries_interval <value> = sets the maximal number of minutes allowed for recovery retries (default is 120
tecli advanced persistency set try_again <value> = sets the number of minutes for trying the recovery mechanism again after a failure (default is 1440)
tecli advanced persistency set clean_period <value> = sets the time period (in minutes) between database cleanup checks (default is 10)
tecli advanced persistency set max_keep <value> = sets how old (in minutes) the files should be kept in the database (default is 720)
tecli advanced persistency clear = deletes all the records from the persistency table
tecli advanced part_response ... = configures the Threat Emulation Early Verdict for Prevent (sk117168)
tecli advanced part_response local ... = manages local partial response configuration
tecli advanced part_response local stat = shows the current status of the local partial response
tecli advanced part_response local enable = activates the local partial response
tecli advanced part_response local disable = deactivates the local partial response
tecli advanced part_response remote ... = manages remote partial response configuration on the sender side
tecli advanced part_response remote stat = shows the current status of the remote partial response on the sender side
tecli advanced part_response remote enable = activates the remote partial response on the sender side
tecli advanced part_response remote disable = deactivates the remote partial response on the sender side
tecli advanced part_response cloud ... = manages cloud partial response configuration on the sender side
tecli advanced part_response cloud stat = shows the current status of the cloud partial response on the sender side
tecli advanced part_response cloud enable = activates the cloud partial response on the sender side
tecli advanced part_response cloud disable = deactivates the cloud partial response on the sender side
tecli advanced multiplier ... = shows and sets images clock multiplier
tecli advanced multiplier set <Image_UID> <value> = sets images clock multiplier
tecli advanced dropped ... = configures actions for dropped files (files created by the emulation file)
tecli advanced dropped max_files <value> = sets maximal number of dropped files to download from QEMU
tecli advanced dropped remove_dropped <1|0> = enables (1) or disables (0) removal of dropped files directory (requires installation of Threat Prevention policy)
tecli advanced url show = displays URL Reputation current configuration values
tecli advanced url default = resets URL Reputation parameters to their default values
tecli advanced url cache size = counts all the URL Reputation cache records
tecli advanced url cache clean = deletes all the URL Reputation cache records
tecli advanced url set ... = configures URL Reputation cache parameters
tecli advanced url set cache_purge_interval <value> = sets the interval (in minutes, from 10 to 60) to purge the URL Reputation cache
tecli advanced url set max_request_size <value> = sets the number (from 50 to 1000) of maximum URLs per cloud request
tecli advanced url set cloud_scan_interval <value> = sets the interval (in seconds, from 5 to 10) to scan URLs at cloud
tecli advanced url set cloud_num_consumers <value> = sets the number (from 3 to 10) of cloud message queue consumers (requires restart of TED daemon)
tecli advanced url set cloud_request_timeout <value> = sets the timeout (in seconds, from 60 to 300) for cloud request
tecli advanced urls ... = displays information about and configures URL requests
tecli advanced urls show = displays information about URL requests queue, counters, URLs cache TTL, timeout and concurrent requests number
tecli advanced urls concurrent_requests <value> = sets concurrent requests limit (default is 5)
tecli advanced urls cache = lists all the records in the URLs cache
tecli advanced urls ttl <value> = sets TTL for URLs cache entries (default is 1440 minutes)
tecli advanced urls timeout <value> = sets maximal time (in seconds) to wait while downloading file by link from e-mail (default is 120 seconds)
tecli advanced av_mode set status <1|0> = enables (1) or disables (0) Anti-Virus mode (requires installation of Threat Prevention policy; might impact performance)
tecli advanced scanengine ... = shows and sets scan engine options
tecli advanced scanengine restart = restarts scan engine process
tecli advanced scanengine set ... = sets scan engine configuration
tecli advanced scanengine set debugs <1|0> = enables (1) or disables (0) full debugs - effective after scan engine restart
tecli advanced scanengine set heuristics <shallow|medium|detail|maximum> = sets heuristics level for scan engine - effective after scan engine restart
tecli advanced scanengine set updates <value> = sets interval in minutes for updates (requires restart of TED daemon)
tecli advanced scanengine set suspicious_behaviour <1|0> = treats suspicious files as clean (1) or as malicious (0) (requires restart of TED daemon)
tecli advanced wem config enable <1|0> = enables (1) or disables (0) Web Emulation
tecli advanced wem config domain_thrsh <true|false> = enables (true) or disables (false) domain threshold with Web Emulation (default is 'fa
tecli advanced wem config scan_time_ms = sets Web Emulation scan time (default is 5000 millisec)
tecli advanced wem config skip_phase1 <true|false> = skips (true) or does not skip (false) Web Emulation Phase1 to go directly to Phase2 (default is 'false')
tecli advanced wem config strict_embedded_mode <true|false> = enables (true) or disables (false) Web Emulation strict embedded mode (default is 'false')
tecli advanced vmres show = show running state (memory limit, memory usage, number of running VMs)
Note: In cluster environment, the Threat Emulation local cache is not synchronized between cluster members.
tecli cache enable <1|0> = enables (1) or disables (0) the Local Cache
tecli cache size = displays the number of all records in Local Cache
tecli cache clean = deletes all the records in the Local Cache
Note: Do not clear the whole cache - this will have a negative impact on performance!
tecli cache sha1 <sha1_string> = shows records with specific SHA1 hash
tecli cache remove sha1 <sha1_string> = removes records based on a specific hash
tecli cache remove filename </path_to/file> = removes records based on a specific file path
tecli cache remove extension <extension> = removes records of a specific file extension
tecli cache dump archives ... = lists all the records about archive files
tecli cache dump archives table = lists all archive records in the Local Cache in a table format
tecli cache dump archives csv = lists all archive records in the Local Cache in a CSV format
tecli cache dump settings ... = controls results for Local Cache dump commands
tecli cache dump settings limited ... = controls number of dump commands results
tecli cache dump settings limited display = displays the status of Local Cache dump limit mode
tecli cache dump settings limited set <1|0> = enables (1) or disables (0) the Local Cache dump limit mode
tecli cache dump settings max-records ... = controls records limit for each dump command
tecli cache dump settings max-records display = shows the maximal number of rows retrieved for each dump command
tecli cache dump settings max-records <value> = sets the maximal number of rows retrieved for each dump command (default is 20)
tecli cache ttl ... = controls the files' TTL in the Local Cache
tecli cache ttl default = sets the TTL to default (168 hrs, i.e., 7 days)
tecli cache ttl set <hours> = sets the TTL to specified number of hours
tecli debug set <TOPIC1> <SEVERITY1> <TOPIC2> <SEVERITY2> ... = sets specific debug topic with specified severity
Note: Currently, only the "tecli debug set TE all" command should be used.
tecli debug unset <TOPIC> = unsets a specific debug topic (currently, only the "tecli debug defaults" command should be used)
tecli debug on = turns on debug (first, the debug topics have to be set)
tecli debug reset = resets all debug topics (currently, only the "tecli debug defaults" command should be used)
tecli debug defaults = resets all debug topics to their default values
tecli debug rotate = rotates the current TED daemon's log file $FWDIR/log/ted.elg (moves the current file to $FWDIR/log/ted.elg.<N> and opens a new one)
tecli debug spaces <N> = sets number of spaces in identical logs [0..5] - indentation for each level
tecli debug scan local stat = shows the status of local connections scanning
tecli debug scan local enable = enables the scan of local connections
tecli debug scan local disable = disables the scan of local connections
tecli debug clean = cleans all TED daemon's log files ($FWDIR/log/ted.elg)
tecli debug partreq ... = counter of partial file request (HTTP 206)
tecli debug partreq get = gets the value of kernel parameter g_ci_av_te_http_206_file_request
tecli debug partreq set <value> = sets the value of kernel parameter g_ci_av_te_http_206_file_request (up to 2^32 - 1)
tecli debug partreq init = initializes the value of kernel parameter g_ci_av_te_http_206_file_request
tecli debug incfile get = gets the value of kernel parameter g_ci_av_te_file_cut
tecli debug incfile set <value> = sets the value of kernel parameter g_ci_av_te_file_cut (up to 2^32 - 1)
tecli debug incfile init = initializes the value of kernel parameter g_ci_av_te_file_cut
The cpstat command displays various counters and statistical information about Check Point Software Blades.
For Threat Emulation blade, you can run either the "cpstat threat-emulation -f <flag>" command, or the "cpstat -f <flag> threat-emulation" command
Displayed information:
Status: <N>
Example:
Status: 2
Status long description: Threat Emulation update failed, cannot download Raw Files. Failed running download process.
.1.3.6.1.4.1.2620.1.49.29
.1.3.6.1.4.1.2620.1.49.30
.1.3.6.1.4.1.2620.1.49.101
.1.3.6.1.4.1.2620.1.49.102
.1.3.6.1.4.1.2620.1.49.103
Displayed information:
Example:
.1.3.6.1.4.1.2620.1.49.19
.1.3.6.1.4.1.2620.1.49.20
.1.3.6.1.4.1.2620.1.49.21
.1.3.6.1.4.1.2620.1.49.22
.1.3.6.1.4.1.2620.1.49.23
.1.3.6.1.4.1.2620.1.49.24
.1.3.6.1.4.1.2620.1.49.25
.1.3.6.1.4.1.2620.1.49.26
.1.3.6.1.4.1.2620.1.49.27
.1.3.6.1.4.1.2620.1.49.28
.1.3.6.1.4.1.2620.1.49.31
.1.3.6.1.4.1.2620.1.49.32
.1.3.6.1.4.1.2620.1.49.33
.1.3.6.1.4.1.2620.1.49.34
.1.3.6.1.4.1.2620.1.49.35
.1.3.6.1.4.1.2620.1.49.37
.1.3.6.1.4.1.2620.1.49.38
.1.3.6.1.4.1.2620.1.49.39
.1.3.6.1.4.1.2620.1.49.40
.1.3.6.1.4.1.2620.1.49.41
Displayed information:
Example 1:
Example 2:
Example 3:
TE Update Description: Threat Emulation update failed, cannot download Raw Files. Failed running download process.
.1.3.6.1.4.1.2620.1.49.16
.1.3.6.1.4.1.2620.1.49.17
Displayed information:
.1.3.6.1.4.1.2620.1.49.12
.1.3.6.1.4.1.2620.1.49.13
.1.3.6.1.4.1.2620.1.49.14
.1.3.6.1.4.1.2620.1.49.15
.1.3.6.1.4.1.2620.1.49.36
Displayed information:
.1.3.6.1.4.1.2620.1.49.5.1
.1.3.6.1.4.1.2620.1.49.5.2
.1.3.6.1.4.1.2620.1.49.5.3
.1.3.6.1.4.1.2620.1.49.5.4
Displayed information:
.1.3.6.1.4.1.2620.1.49.7.1
.1.3.6.1.4.1.2620.1.49.7.2
.1.3.6.1.4.1.2620.1.49.7.3
.1.3.6.1.4.1.2620.1.49.7.4
Displayed information:
.1.3.6.1.4.1.2620.1.49.10.1
.1.3.6.1.4.1.2620.1.49.10.2
.1.3.6.1.4.1.2620.1.49.10.3
.1.3.6.1.4.1.2620.1.49.10.4
Displayed information:
.1.3.6.1.4.1.2620.1.49.1.1.1.2
.1.3.6.1.4.1.2620.1.49.1.1.1.3
.1.3.6.1.4.1.2620.1.49.1.1.1.4
.1.3.6.1.4.1.2620.1.49.1.1.1.5
.1.3.6.1.4.1.2620.1.49.1.1.1.6
.1.3.6.1.4.1.2620.1.49.1.1.1.7
.1.3.6.1.4.1.2620.1.49.4.1
.1.3.6.1.4.1.2620.1.49.4.2
.1.3.6.1.4.1.2620.1.49.4.3
.1.3.6.1.4.1.2620.1.49.4.4
Displayed information:
.1.3.6.1.4.1.2620.1.49.6.1
.1.3.6.1.4.1.2620.1.49.6.2
.1.3.6.1.4.1.2620.1.49.6.3
.1.3.6.1.4.1.2620.1.49.6.4
Displayed information:
.1.3.6.1.4.1.2620.1.49.11.1
.1.3.6.1.4.1.2620.1.49.11.2
.1.3.6.1.4.1.2620.1.49.11.3
.1.3.6.1.4.1.2620.1.49.11.4
Displayed information:
.1.3.6.1.4.1.2620.1.49.8.1
.1.3.6.1.4.1.2620.1.49.8.2
.1.3.6.1.4.1.2620.1.49.8.3
.1.3.6.1.4.1.2620.1.49.8.4
Displayed information:
---------------------------------------------------------------------------------------------------------------------
|Type|Downloading File Revision|Downloading File Size|Downloading File Down Start Time|Downloading File Down Percent|
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.2.1.2
.1.3.6.1.4.1.2620.1.49.2.1.9
.1.3.6.1.4.1.2620.1.49.2.1.10
.1.3.6.1.4.1.2620.1.49.2.1.11
.1.3.6.1.4.1.2620.1.49.2.1.12
.1.3.6.1.4.1.2620.1.49.3
Displayed information:
.1.3.6.1.4.1.2620.1.49.2.1.2
.1.3.6.1.4.1.2620.1.49.2.1.3
.1.3.6.1.4.1.2620.1.49.2.1.4
.1.3.6.1.4.1.2620.1.49.2.1.5
.1.3.6.1.4.1.2620.1.49.2.1.6
.1.3.6.1.4.1.2620.1.49.2.1.7
.1.3.6.1.4.1.2620.1.49.2.1.8
.1.3.6.1.4.1.2620.1.49.3
Displayed information:
.1.3.6.1.4.1.2620.1.49.9.1
.1.3.6.1.4.1.2620.1.49.9.2
.1.3.6.1.4.1.2620.1.49.9.3
.1.3.6.1.4.1.2620.1.49.9.4
Displayed information:
Threat Emulation counters for cache hit rate per file type.
Example:
-----------------------------------------------------------------------------------------------------
|File Type|Cache Hit Rate|Cache Hit Rate Last Day|Cache Hit Rate Last Week|Cache Hit Rate Last Month|
-----------------------------------------------------------------------------------------------------
|doc | 0| 0| 0| 0|
|docx | 0| 0| 0| 0|
|pdf | 0| 0| 0| 0|
|ppt | 0| 0| 0| 0|
|pptx | 0| 0| 0| 0|
|xls | 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0|
-----------------------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.2
.1.3.6.1.4.1.2620.1.49.18.1.1.23
.1.3.6.1.4.1.2620.1.49.18.1.1.24
.1.3.6.1.4.1.2620.1.49.18.1.1.25
.1.3.6.1.4.1.2620.1.49.18.1.1.26
Displayed information:
Threat Emulation counters for files scanned on ThreatCloud and detected as containing malware per file type:
Example:
---------------------------------------------------------------------------------------------------------------------------------
|File Type|Scanned|Threatcloud Malware|Threatcloud Malware Last Day|Threatcloud Malware Last Week|Threatcloud Malware Last Month|
---------------------------------------------------------------------------------------------------------------------------------
|doc | 0| 0| 0| 0| 0|
|docx | 0| 0| 0| 0| 0|
|pdf | 0| 0| 0| 0| 0|
|ppt | 0| 0| 0| 0| 0|
|pptx | 0| 0| 0| 0| 0|
|xls | 0| 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0| 0|
---------------------------------------------------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.2
.1.3.6.1.4.1.2620.1.49.18.1.1.3
.1.3.6.1.4.1.2620.1.49.18.1.1.15
.1.3.6.1.4.1.2620.1.49.18.1.1.16
.1.3.6.1.4.1.2620.1.49.18.1.1.17
.1.3.6.1.4.1.2620.1.49.18.1.1.18
Displayed information:
Threat Emulation counters for files scanned on ThreatCloud per file type.
Example:
-------------------------------------------------------------------------------------------------------------------------
|File Type|Threatcloud Scanned|Threatcloud Scanned Last Day|Threatcloud Scanned Last Week|Threatcloud Scanned Last Month|
-------------------------------------------------------------------------------------------------------------------------
|doc | 0| 0| 0| 0|
|docx | 0| 0| 0| 0|
|pdf | 0| 0| 0| 0|
|ppt | 0| 0| 0| 0|
|pptx | 0| 0| 0| 0|
|xls | 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0|
-------------------------------------------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.11
.1.3.6.1.4.1.2620.1.49.18.1.1.12
.1.3.6.1.4.1.2620.1.49.18.1.1.13
.1.3.6.1.4.1.2620.1.49.18.1.1.14
Displayed information:
Example:
-----------------------------------------------------------------------------------------
|File Type|Error Count|Error Count Last Day|Error Count Last Week|Error Count Last Month|
-----------------------------------------------------------------------------------------
|doc | 0| 0| 0| 0|
|docx | 0| 0| 0| 0|
|pdf | 0| 0| 0| 0|
|ppt | 0| 0| 0| 0|
|pptx | 0| 0| 0| 0|
|xls | 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0|
-----------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.2
.1.3.6.1.4.1.2620.1.49.18.1.1.27
.1.3.6.1.4.1.2620.1.49.18.1.1.28
.1.3.6.1.4.1.2620.1.49.18.1.1.29
.1.3.6.1.4.1.2620.1.49.18.1.1.30
Displayed information:
Example:
-------------------------------------------------------------------------
-------------------------------------------------------------------------
|doc | 0| 0| 0| 0|
|docx | 0| 0| 0| 0|
|pdf | 0| 0| 0| 0|
|ppt | 0| 0| 0| 0|
|pptx | 0| 0| 0| 0|
|xls | 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0|
-------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.2
.1.3.6.1.4.1.2620.1.49.18.1.1.3
.1.3.6.1.4.1.2620.1.49.18.1.1.4
.1.3.6.1.4.1.2620.1.49.18.1.1.5
.1.3.6.1.4.1.2620.1.49.18.1.1.6
Displayed information:
Threat Emulation counters for files filtered by static analysis per file type.
Example:
---------------------------------------------------------------------------------------------------------------------
|File Type|Filter By Analysis|Filter By Analysis Last Day|Filter By Analysis Last Week|Filter By Analysis Last Month|
---------------------------------------------------------------------------------------------------------------------
|doc | 0| 0| 0| 0|
|docx | 0| 0| 0| 0|
|pdf | 0| 0| 0| 0|
|ppt | 0| 0| 0| 0|
|pptx | 0| 0| 0| 0|
|xls | 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0|
---------------------------------------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.2
.1.3.6.1.4.1.2620.1.49.18.1.1.19
.1.3.6.1.4.1.2620.1.49.18.1.1.20
.1.3.6.1.4.1.2620.1.49.18.1.1.21
.1.3.6.1.4.1.2620.1.49.18.1.1.22
Displayed information:
Threat Emulation counters for files detected as containing malware per file type.
Example:
-------------------------------------------------------------------------------------------------------------
|File Type|Malware Detected|Malware Detected Last Day|Malware Detected Last Week|Malware Detected Last Month|
-------------------------------------------------------------------------------------------------------------
|doc | 0| 0| 0| 0|
|docx | 0| 0| 0| 0|
|pdf | 0| 0| 0| 0|
|ppt | 0| 0| 0| 0|
|pptx | 0| 0| 0| 0|
|xls | 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0|
-------------------------------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.2
.1.3.6.1.4.1.2620.1.49.18.1.1.7
.1.3.6.1.4.1.2620.1.49.18.1.1.8
.1.3.6.1.4.1.2620.1.49.18.1.1.9
.1.3.6.1.4.1.2620.1.49.18.1.1.10
Displayed information:
Threat Emulation counters for files filtered by static analysis without resource count per file type.
Example:
-----------------------------------------------------------------------------------------------------------------
|File Type|No Resource Count|No Resource Count Last Day|No Resource Count Last Week|No Resource Count Last Month|
-----------------------------------------------------------------------------------------------------------------
|doc | 0| 0| 0| 0|
|docx | 0| 0| 0| 0|
|pdf | 0| 0| 0| 0|
|ppt | 0| 0| 0| 0|
|pptx | 0| 0| 0| 0|
|xls | 0| 0| 0| 0|
|xlsx | 0| 0| 0| 0|
-----------------------------------------------------------------------------------------------------------------
.1.3.6.1.4.1.2620.1.49.18.1.1.2
.1.3.6.1.4.1.2620.1.49.18.1.1.31
.1.3.6.1.4.1.2620.1.49.18.1.1.32
.1.3.6.1.4.1.2620.1.49.18.1.1.33
.1.3.6.1.4.1.2620.1.49.18.1.1.34
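The per-file-type tables above all share one pipe-delimited layout, which makes them easy to turn into monitoring data. The following is an added example (not Check Point code and not part of this sk): it parses such a table and reports the file types whose counter is non-zero, and the ones whose whole all-time count accrued in the last day, which is the case that usually deserves a look. The table text embedded in the block is constructed with non-zero values; the column names are the ones shown in the Error Count table above.

```python
"""Parser for the per-file-type counter tables that "cpstat threat-emulation
-f <flag>" prints (layout as shown above). Added example, not Check Point
code; the table text below is constructed with non-zero values so that the
checks have something to report."""
import re
from typing import Dict, List

# Constructed sample in the "Error Count" table layout shown above.
SAMPLE_ERROR_TABLE = """\
-----------------------------------------------------------------------------------------
|File Type|Error Count|Error Count Last Day|Error Count Last Week|Error Count Last Month|
-----------------------------------------------------------------------------------------
|doc      |          3|                   1|                    2|                     3|
|docx     |          0|                   0|                    0|                     0|
|pdf      |         12|                  12|                   12|                    12|
|xls      |          0|                   0|                    0|                     0|
-----------------------------------------------------------------------------------------
"""

Row = Dict[str, object]


def parse_cpstat_table(text: str) -> List[Row]:
    """Turn a pipe-delimited cpstat table into a list of row dicts keyed by
    the header cells. Dashed separator lines are skipped; numeric cells
    become int, everything else a stripped string."""
    header = None
    rows: List[Row] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # separator line or blank
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch in row: {line}")
        rows.append({k: int(v) if re.fullmatch(r"-?\d+", v) else v
                     for k, v in zip(header, cells)})
    if header is None:
        raise ValueError("no table header found in cpstat output")
    return rows


def types_over_threshold(rows: List[Row], column: str, threshold: int = 0) -> List[str]:
    """File types whose counter in `column` exceeds `threshold`."""
    return [r["File Type"] for r in rows if r[column] > threshold]


def fresh_counters(rows: List[Row], total_col: str, day_col: str) -> List[str]:
    """File types for which the whole all-time counter accrued in the last
    day, i.e. a condition that started recently (such as a new error type)
    rather than a long-standing background level."""
    return [r["File Type"] for r in rows
            if r[total_col] > 0 and r[day_col] == r[total_col]]


if __name__ == "__main__":
    rows = parse_cpstat_table(SAMPLE_ERROR_TABLE)
    print("types with errors:", types_over_threshold(rows, "Error Count"))
    print("errors that started in the last day:",
          fresh_counters(rows, "Error Count", "Error Count Last Day"))
```

The same parser works for the other tables in this section (cache hit rate, ThreatCloud scanned, malware detected, filtered by static analysis) because only the column names differ; pass the relevant column name to the two check functions.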
Displayed information:
Example:
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
.1.3.6.1.4.1.2620.1.47.1.7.1.10
.1.3.6.1.4.1.2620.1.47.1.7.1.11
.1.3.6.1.4.1.2620.1.47.1.7.1.12
.1.3.6.1.4.1.2620.1.47.1.7.1.13
.1.3.6.1.4.1.2620.1.47.1.8.1.10
.1.3.6.1.4.1.2620.1.47.1.8.1.11
.1.3.6.1.4.1.2620.1.47.1.8.1.12
.1.3.6.1.4.1.2620.1.47.1.8.1.13
.1.3.6.1.4.1.2620.1.47.1.9.1.10
.1.3.6.1.4.1.2620.1.47.1.9.1.11
.1.3.6.1.4.1.2620.1.47.1.9.1.12
.1.3.6.1.4.1.2620.1.47.1.9.1.13
.1.3.6.1.4.1.2620.1.47.1.10.1.10
.1.3.6.1.4.1.2620.1.47.1.10.1.11
.1.3.6.1.4.1.2620.1.47.1.10.1.12
.1.3.6.1.4.1.2620.1.47.1.10.1.13
Displayed information:
Example:
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
--------------------------
|Low|Medium|High|Critical|
--------------------------
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
| 0| 0| 0| 0|
--------------------------
.1.3.6.1.4.1.2620.1.47.1.1.1.10
.1.3.6.1.4.1.2620.1.47.1.1.1.11
.1.3.6.1.4.1.2620.1.47.1.1.1.12
.1.3.6.1.4.1.2620.1.47.1.1.1.13
.1.3.6.1.4.1.2620.1.47.1.2.1.10
.1.3.6.1.4.1.2620.1.47.1.2.1.11
.1.3.6.1.4.1.2620.1.47.1.2.1.12
.1.3.6.1.4.1.2620.1.47.1.2.1.13
.1.3.6.1.4.1.2620.1.47.1.3.1.10
.1.3.6.1.4.1.2620.1.47.1.3.1.11
.1.3.6.1.4.1.2620.1.47.1.3.1.12
.1.3.6.1.4.1.2620.1.47.1.3.1.13
.1.3.6.1.4.1.2620.1.47.1.4.1.10
.1.3.6.1.4.1.2620.1.47.1.4.1.11
.1.3.6.1.4.1.2620.1.47.1.4.1.12
.1.3.6.1.4.1.2620.1.47.1.4.1.13
(12) Factors that limit the number of Virtual Machines that can be started
The number of Virtual Machines that can be started is bound by the installed license, the CPU load and the RAM utilization.
License
The installed license limits the number of allowed VMs:
Run the "cpstat threat-emulation -f contract" command and refer to the counter "TE Maximal VMs Number:".
RAM utilization
When Local Emulation is configured, by default, up to 70% of the RAM will be used by VMs.
Recommendations:
You can increase the memory allocation limit, if Security Gateway serves as "emulation only" TE appliance.
You should decrease the memory allocation limit, if the memory is needed for other purposes.
Example:
E. Click on OK.
CPU load
By default, if the CPU cores allocated for emulation are more than 90% busy, no more VMs will start until the CPU load drops below t
A. Connect with SmartDashboard R77.X to Security Management Server / Domain Management Server.
Note: Database Revision Control is not supported for VSX objects (sk65420).
C. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Ser
D. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
F. In the upper right pane, select the relevant Threat Emulation profile - TESettings_<GW_UID>
(e.g., TESettings_2AC82C3A-073F-4F9D-9A85-FA8FAE751BD9).
The UID of Security Gateway / StandAlone object can be found in the $FWDIR/conf/objects_5_0.C file on the Security Manag
Server / Domain Management Server:
: (Name_of_GW_or_StandAlone_Object
:AdminInfo (
:ClassName (gateway_ckp)
Example:
: (R77-30-SA
:AdminInfo (
:chkpf_uid ("{EF4AB4D2-4D16-5849-91F2-DB52B740EC8E}")
:ClassName (gateway_ckp)
G. In the lower pane, right-click on the busy_cpu_threshold - select Edit... - delete the current value - enter the new value - click
J. Connect with SmartDashboard R77.X to Security Management Server / Domain Management Server.
Enabling SMT (HyperThreading) Feature will improve emulation performance on the SandBlast TE Appliances.
The TE250X / TE1000X / TE2000X appliances are already shipped with enabled SMT feature in the BIOS.
It is only required to enable the SMT feature in the 'cpconfig' menu as described in the sk93000 - SMT (HyperThreading) Feature Gu
Files range from very simple (e.g., plain text files) to ultra complex (e.g., Office documents with embedded files).
Usually, the risk factor of a file varies according to the number of advanced features it utilizes (e.g., JavaScript in PDF file).
The pre-emulation static analysis allows skipping files that contain only safe features.
Notes:
Tests show that Static Analysis filters out ~70-80% of the received files (depending on the environment and on the file types); to check the actual ratio:
run the "tecli show statistics" command and refer to the counter "Files filtered by static analysis"
run the "cpstat threat-emulation -f file_type_stat_filter_by_analysis" command
Static Analysis is relatively "heavy" in terms of Input/Output (yet "cheaper" than full emulation).
Disable it only under extreme circumstances and with explicit instructions from Check Point Support.
Important Note: If you disable this setting, it can significantly impact the network performance because every file will be sent to emulation.
D. Expand the Threat Emulation Settings section, click on the Advanced pane.
E. In the Engine Settings section, check the box Disable static analysis for filtering files:
F. Click on OK.
Each OS image has a list of regular expressions that describe the events its applications generate during normal operation
(a "whitelist" method: it is easier to define what is allowed than what is forbidden).
Note: This whitelist is dynamically updated from the ThreatCloud.
These whitelisted events are filtered out during execution of the document/applet (the matching/parsing engine is similar to the IPS/Anti-Bot engines).
All events that are not filtered by the detection (whitelist) rules are considered malicious:
Detection Rules are image-specific, but are updated separately from the OS images.
Related solutions:
Each entry in the archive file is scanned and emulated (if necessary).
The archive file's verdict is determined according to the verdict of its entries.
Once a single malicious file is found inside an archive file, a log is generated,
Related solutions:
sk108373 - Threat Emulation blade sends unsupported file types from an archive for emulation
File type is determined based on the file "magic number" (header/footer), stream parsing (content type) and other indicators that help Threat Emulation decide what type of file is being sent.
It is important to understand that Threat Emulation is not a signature-based detection engine. Therefore, a file that will not trigger in the Host OS can be considered a fu
attempt. That being said, the classifier will still try to re-classify the file to allow it to "detonate" in the sandbox.
Before injecting the file into the VM, file extension is changed to the correct extension.
It is possible to disable / enable the File Reclassifier with the "tecli advanced attributes set reclassifier <value>" command.
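The classification by content rather than by name described above, as an added example (not Check Point's classifier and not part of this sk): it identifies the container format from the leading "magic number", refines ZIP and OLE2 containers into the Office types they actually hold, and renames the file to its real extension the way the reclassifier does before injecting the file into the VM. The OLE2 refinement scans the raw bytes for the UTF-16LE stream names instead of parsing the compound file structure; that is an assumption-level heuristic, as is the entire set of signatures. The sample files are constructed in memory.

```python
"""File-type classification by content rather than by name, as described
above (added example, not Check Point's classifier). It reports what the
bytes actually are and the extension the file should carry before it is
handed to the emulation VM; the sample files are constructed in memory."""
import io
import os
import zipfile

# Leading "magic numbers" of container formats commonly seen by Threat
# Emulation (illustrative list, not Check Point's signature set).
MAGICS = [
    (b"%PDF-", "pdf"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy doc/xls/ppt
    (b"PK\x03\x04", "zip"),                         # also docx/xlsx/pptx
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
]

# Inside an OLE2 compound file the top-level stream names are stored UTF-16LE;
# scanning the raw bytes for them is a heuristic, not a full OLE parser.
OLE_STREAMS = [
    ("WordDocument", "doc"),
    ("Workbook", "xls"),
    ("PowerPoint Document", "ppt"),
]


def _refine_zip(data: bytes) -> str:
    """Distinguish Office Open XML from a plain archive by its entry names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"
    if "[Content_Types].xml" in names:
        if any(n.startswith("word/") for n in names):
            return "docx"
        if any(n.startswith("xl/") for n in names):
            return "xlsx"
        if any(n.startswith("ppt/") for n in names):
            return "pptx"
    return "zip"


def _refine_ole(data: bytes) -> str:
    for stream, ext in OLE_STREAMS:
        if stream.encode("utf-16-le") in data:
            return ext
    return "ole2"


def classify(data: bytes) -> str:
    """Type of the content, independent of the file name."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            if kind == "zip":
                return _refine_zip(data)
            if kind == "ole2":
                return _refine_ole(data)
            return kind
    return "unknown"


def corrected_name(filename: str, data: bytes) -> str:
    """Name the file by its real type, as the reclassifier does before
    injecting the file into the VM; unknown content keeps its name."""
    real = classify(data)
    if real == "unknown":
        return filename
    stem, ext = os.path.splitext(filename)
    if ext.lstrip(".").lower() == real:
        return filename
    return f"{stem}.{real}"


def make_docx_like() -> bytes:
    """Constructed minimal OOXML-shaped archive (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # A PDF that arrived under a .doc name is renamed so that the right
    # application opens it inside the VM.
    print(corrected_name("invoice.doc", b"%PDF-1.4\n%%EOF\n"))   # invoice.pdf
    print(corrected_name("report.docx", make_docx_like()))       # report.docx
```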
1. On the first run - files of the same format are emulated together in the same VM
2. On second run - each file from the previous step is emulated on its own in a different "clean" VM
Related solutions:
(18) Emulation of multiple files of the same type on the same virtual machine
In order to boost performance, multiple files of the same type (e.g., PDF) are sent to the same virtual machine for emulation
For each file that is sent to the virtual machine for emulation, a new instance of the emulated program (e.g. Adobe Reader) is executed
In case a file was flagged as malicious during multiple file execution, it will be emulated again at a dedicated instance and the current instance will be reverted
Multiple File Execution is not supported with executable files, or CPU-Level images
To see the effectiveness of multiple file execution, run the "tecli show emulator vm synopsis" command and refer to the columns "Cur Files" and "Tota
Examples:
Output of the
View of QEMU virtual machine
The Threat Emulation RESTful API is available on any Check Point appliance with enabled Threat Emulation blade and in the ThreatCloud.
Refer to Threat Prevention API Reference Guide and R80 Check Point API Reference Guide
sk93598 - Threat Emulation Sizing Mode: how to measure the required inspections at an organization
sk88160 - The Check Point Performance Sizing Utility
Protected Scope
Limit the "Protected Scope" in the Threat Prevention policy (do not use "Any").
Limit the "Protected Scope", "Protocol" and "File Types" in the Threat Prevention profile.
Threat Emulation Cache
Normally, there is no need for tuning the cache.
C. Scroll to the bottom - in the Threat Emulation Settings section, click on the Configure settings... button.
Maximum file size for emulation - Files that are larger than this value are not sent for emulation (because large files reduce network performance)
Maximum emulation time - The maximal time that Threat Emulation does analysis on a file (used only for a Local Em
Maximum file time in queue - The maximal time that a file waits for Threat Emulation analysis
Number of file hashes to save in local cache - Number of file hashes that are stored in the Threat Emulation cache
E. Click on OK.
Static Analysis
Files range from very simple (e.g., plain text files) to very complex (e.g., Office documents with embedded files).
Usually, the risk factor of a file varies according to the number of advanced features it uses (e.g., JavaScript in a PDF file).
The pre-emulation static analysis allows skipping files that contain only safe features.
Static Analysis is relatively heavy in terms of Input/Output (yet cheaper than full emulation).
Disable it only under extreme circumstances and with direction from Check Point Support.
Important Note: If you disable this setting, it can significantly impact the network performance because every file will be sent to em
D. Expand the Threat Emulation Settings section, click on the Advanced pane.
E. In the Engine Settings section, check the box Disable static analysis for filtering files:
F. Click on OK.
CPU
By default, if the CPU cores allocated for emulation are more than 90% busy, no more VMs will start until the CPU load drops below
A. Connect with SmartDashboard R77.X to Security Management Server / Domain Management Server.
Note: Database Revision Control is not supported for VSX objects (sk65420).
C. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Se
D. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
F. In the upper right pane, select the relevant Threat Emulation profile - TESettings_<GW_UID>
(e.g., TESettings_2AC82C3A-073F-4F9D-9A85-FA8FAE751BD9).
G. In the lower pane, right-click on the busy_cpu_threshold - select Edit... - delete the current value - enter the new value - clic
J. Connect with SmartDashboard R77.X to Security Management Server / Domain Management Server.
RAM
Additional RAM might be required on Security Gateway with enabled Threat Emulation (depending on the amount of emulated files
for emulation).
When Local Emulation is configured, by default up to 70% of the RAM is used by VMs.
You can increase the memory allocation limit if this Security Gateway serves as an "emulation only" TE appliance.
You should decrease the memory allocation limit if the memory is needed for other purposes.
Example:
E. Click on OK.
Hyper-Threading: Enabling Hyper-Threading will improve emulation performance on the Check Point appliances.
Clustering of Threat Emulation appliances: Clustering of Threat Emulation appliances is supported, but not recommended. Refer to the "(21) Configuring multiple Threat Emulation Appliances for redundancy and load sharing" section.
Anti-Virus blade If Anti-Virus blade is also enabled, then there is an expected degradation in Threat Emulation performance of ~5-10% (because mo
work is already done by the Anti-Virus)
StandAlone: Running the Local Threat Emulation appliance as a StandAlone (both Security Management Server and Security Gateway are installed on the same machine) is supported, but not recommended.
Such configuration may lead to a case where the Threat Emulation appliance becomes slower and emulation could fail.
If StandAlone configuration is necessary, then lower the amount of RAM assigned for Threat Emulation (can be approximately 20-4
will limit the number of VMs in use (calculate 500 MB RAM per VM).
Logging: To forward Mail Transfer Agent (MTA) logs from Security Gateway into SmartView Tracker / SmartLog, follow the instructions in sk102995 - How to export syslog messages from Security Gateway on Gaia OS to a Log Server and view them in SmartView Tracker
A. The parsers (Web, Mail), which deeply inspect the connections for traffic
B. The DLPK (DLP Kernel module), which transfers the file parts to the DLPU daemon (1 such daemon per CoreXL FW instance)
C. DLPU daemon writes the file parts to $FWDIR/tmp/te and passes the reassembled file to TED daemon
The cache is very lightweight, but has an enormous positive effect on performance.
After the initial configuration and policy installation, it takes several days for the cache to build up.
Run the "tecli show statistics" command and refer to the counter "Files filtered by local cache"
C. Static Analysis
The pre-emulation static analysis allows skipping files that contain only safe features
Static Analysis is relatively heavy in terms of Input/Output (yet cheaper than full emulation)
Run the "tecli show statistics" command and refer to the counter "Files filtered by static analysis"
Run the "cpstat threat-emulation -f file_type_stat_filter_by_analysis" command
D. File emulation
Example:
Run the "tecli show emulator vm synopsis" command and refer to the counter "Pending emulating requests"
To see the effectiveness of multiple file execution, run the "tecli show emulator vm synopsis" command and refer to the columns "Cur Files" and
Files"
Example:
Run the "tecli show statistics" command and refer to the counter "Average process time for emulated files"
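As an added illustration of the checks in this section (example code, not part of sk114806 and not a Check Point tool), the script below reads the counters named above out of a captured copy of the tecli output and reports what share of files the local cache and static analysis filtered before any VM was started, plus a rough backlog estimate from the pending-request and average-time counters. The sample text is constructed; it merges counters from "tecli show statistics" and "tecli show emulator vm synopsis" into one blob, and the counter name "Files sent to emulation" and the "name: value" line layout are assumptions, so adjust the awk pattern to whatever your gateway actually prints.

```shell
#!/bin/bash
# Added example (not from sk114806): read the Threat Emulation counters named in
# this section from a copy of tecli output and compute how much work the local
# cache and static analysis save before full emulation.
# SAMPLE_STATS is CONSTRUCTED; the "Files sent to emulation" counter name and
# the "<name>: <value>" layout are assumptions about the real output.

SAMPLE_STATS='Files filtered by local cache: 8120
Files filtered by static analysis: 2310
Files sent to emulation: 570
Average process time for emulated files: 187 seconds
Pending emulating requests: 4'

# Print the integer value of the counter named $1, reading the output on stdin.
# Prints 0 when the counter is not present, so callers can do arithmetic safely.
counter_value() {
    awk -F': *' -v name="$1" '
        $1 == name { v = $2; gsub(/[^0-9]/, "", v); print v; found = 1 }
        END        { if (!found) print 0 }'
}

# Percentage (integer) of all handled files that never reached a virtual machine.
# $1 is the captured statistics text.
pre_emulation_filter_percent() {
    cache=$(printf '%s\n' "$1" | counter_value "Files filtered by local cache")
    static=$(printf '%s\n' "$1" | counter_value "Files filtered by static analysis")
    sent=$(printf '%s\n' "$1" | counter_value "Files sent to emulation")
    total=$((cache + static + sent))
    if [ "$total" -eq 0 ]; then echo 0; return; fi
    echo $(( (cache + static) * 100 / total ))
}

# Rough VM-time budget still queued: pending requests multiplied by the average
# processing time, in seconds (a backlog estimate, not a Check Point metric).
queue_backlog_seconds() {
    pending=$(printf '%s\n' "$1" | counter_value "Pending emulating requests")
    avg=$(printf '%s\n' "$1" | counter_value "Average process time for emulated files")
    echo $((pending * avg))
}

printf 'Filtered before emulation: %s%%\n' "$(pre_emulation_filter_percent "$SAMPLE_STATS")"
printf 'Estimated queue backlog: %s seconds\n' "$(queue_backlog_seconds "$SAMPLE_STATS")"
```

A low filter percentage a few days after policy installation, when the cache should already have built up, is the signal to look at the Protected Scope, Protocol and File Types limits described earlier rather than at the VM resources.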
(21) Configuring multiple Threat Emulation Appliances for redundancy and load sharing
It is possible to install multiple Threat Emulation Private Cloud Appliances on your network (for redundancy and load sharing), and configure each Security Gateway (w
Threat Emulation blade) that sends files for a Remote Emulation to use multiple Threat Emulation Private Cloud Appliances.
Note: SmartDashboard R77.X allows selecting only a single Remote Threat Emulation Private Cloud Appliance.
Example:
Follow sk102309 - Threat Emulation support for Multiple Private Cloud Appliances to configure each relevant Security Gateway ("traffic collector" / "harvester"):
1. Connect to the command line on the Security Gateway that sends files for a Remote Emulation.
To activate the support for multiple Threat Emulation Private Cloud Appliances:
Additional commands:
To deactivate the support for multiple Threat Emulation Private Cloud Appliances:
Notes:
The Security Gateway decides to which remote Threat Emulation Private Cloud Appliance a file is sent for emulation based on the file's hash:
[Appliance ID] = [SHA1 of the file] modulo [number of configured remote Threat Emulation Private Cloud Appliances]
If the selected remote Threat Emulation Private Cloud Appliance is down, the file is sent to the next appliance on the list (see "tecli advanced remote show").
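The selection rule above, worked through as an added example (this is illustration code, not Check Point's implementation): the digest is reduced modulo the number of appliances, and when the chosen appliance is down the walk continues to the next entry on the list, wrapping around. Two assumptions are made: the full 160-bit SHA1 is reduced (the ATRG does not say whether only a prefix is used), and the appliance list, the "down" status and the sample digests are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not Check Point's implementation): reproduce the selection rule
# [Appliance ID] = [SHA1 of the file] modulo [number of appliances], plus the
# fall-back to the next appliance on the list when the selected one is down.
# ASSUMPTIONS: the whole digest is reduced, and the appliance list, statuses and
# digests below are constructed for the demonstration.

# Reduce a hexadecimal digest modulo $2 one digit at a time (Horner's rule), so
# that a 160-bit value never has to fit into shell integer arithmetic.
hex_mod() {
    hm_hex="$1"; hm_n="$2"; hm_r=0
    while [ -n "$hm_hex" ]; do
        hm_c=${hm_hex%"${hm_hex#?}"}      # first hex digit
        hm_hex=${hm_hex#?}                 # remaining digits
        hm_r=$(( (hm_r * 16 + 0x$hm_c) % hm_n ))
    done
    echo "$hm_r"
}

# Ordered appliance list in the order "tecli advanced remote show" would give
# (constructed): "name:status"; the 0-based position is the Appliance ID.
APPLIANCES="te-pca-1:up te-pca-2:down te-pca-3:up"

# Print the appliance that receives the file with SHA1 $1 from list $2.
# Starts at SHA1 mod N and walks forward (wrapping) past appliances marked down;
# prints "none" and returns 1 when every appliance is down.
select_appliance() {
    sa_sha1="$1"
    set -- $2
    sa_n=$#
    sa_start=$(hex_mod "$sa_sha1" "$sa_n")
    sa_try=0
    while [ "$sa_try" -lt "$sa_n" ]; do
        sa_idx=$(( (sa_start + sa_try) % sa_n ))
        sa_entry=$(printf '%s\n' "$@" | sed -n "$((sa_idx + 1))p")
        if [ "${sa_entry##*:}" = "up" ]; then
            echo "${sa_entry%%:*}"
            return 0
        fi
        sa_try=$((sa_try + 1))
    done
    echo "none"
    return 1
}

# SHA1 of a file as the gateway would compute it (needs sha1sum; not used by the
# offline demonstration below).
file_sha1() {
    sha1sum "$1" | cut -d' ' -f1
}

# Well-known digests used as constructed sample inputs.
SHA1_EMPTY=da39a3ee5e6b4b0d3255bfef95601890afd80709   # SHA1("")
SHA1_ABC=a9993e364706816aba3e25717850c26c9cd0d89d     # SHA1("abc")

printf '%s -> %s\n' "$SHA1_EMPTY" "$(select_appliance "$SHA1_EMPTY" "$APPLIANCES")"
printf '%s -> %s\n' "$SHA1_ABC"   "$(select_appliance "$SHA1_ABC" "$APPLIANCES")"
```

Because the Appliance ID depends only on the file hash and the list length, adding or removing an appliance changes the target of most files, which is why the cache on each Private Cloud Appliance needs time to rebuild after the list is edited.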
Deployment where the MTA runs on the Threat Emulation Gateways (left column of the original table):
- First hop should be the customer's Anti-Spam solution (to solve the Backscatter/RBL problem).
- The MTA is running on the Threat Emulation Gateways, so we can control SMTP connections to the MTA via the Check Point cluster's security rules.
- The first hop uses, e.g., DNS to round-robin e-mails to the Threat Emulation Gateways.
- The perimeter Check Point cluster runs all Threat Prevention blades and can offload HTTP/HTTPS emulation to the Threat Emulation Gateway(s) if needed.
- After emulation, the Threat Emulation Gateway's MTA forwards the e-mails to the internal Mail Server.
Deployment where the Check Point cluster runs the MTA (right column of the original table):
- First hop should be the customer's Anti-Spam solution (to solve the Backscatter/RBL problem).
- The MTA is running on the Threat Emulation Gateways, so we can control SMTP connections to the MTA via the Check Point cluster's security rules.
- The Check Point cluster is running the MTA.
- The perimeter Check Point cluster runs all Threat Prevention blades and can offload HTTP/HTTPS emulation to the Threat Emulation Gateway(s) if needed.
- The Threat Emulation Gateways have internal IP addresses.
- After emulation, the Check Point cluster's MTA forwards the e-mails to the internal Mail Server.
Notes:
Such deployment is needed if Check Point cluster sends files for emu
ThreatCloud (there is no on-premise Threat Emulation Appliance)
Such deployment is needed if MTA should be used with ThreatCloud e
Such deployment requires manual editing of implied rules to be able
configure security rules to control traffic to the MTA on a Check Point
Related solutions:
sk107093 - E-mails do not reach the client after selecting Cluster Virtual Interface(s) in MTA "Advanced Settings"
sk109198 - E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster
(23) Monitoring
Check the Threat Emulation counters using the tecli command and the cpstat threat-emulation command - refer to these sections:
Object OID
Threat Emulation Downloading Files Table - Current File Download Start Time .1.3.6.1.4.1.2620.1.49.2.7
Threat Emulation Downloading Files Table - Current File Download Percent .1.3.6.1.4.1.2620.1.49.2.8
Threat Emulation Downloading Files Table - Downloading File Download Start Time .1.3.6.1.4.1.2620.1.49.2.11
Threat Emulation Downloading Files Table - Downloading File Download Percent .1.3.6.1.4.1.2620.1.49.2.12
Threat Emulation Contract Cloud Monthly Quota Usage for This GW .1.3.6.1.4.1.2620.1.49.34
Threat Emulation Contract Cloud Hourly Quota Usage for this GW .1.3.6.1.4.1.2620.1.49.35
Threat Emulation Contract Cloud Monthly Quota Usage for Quota ID .1.3.6.1.4.1.2620.1.49.37
Threat Emulation Contract Cloud Hourly Quota Usage for Quota ID .1.3.6.1.4.1.2620.1.49.38
Threat Emulation Contract Cloud Last Quota Update GMT Time .1.3.6.1.4.1.2620.1.49.41
sk90860 - How to configure SNMP on Gaia OS - section "(IV-6) Advanced SNMP configuration - Extend SNMP with shell script"):
#!/bin/bash
echo $RESPONSE
echo $RESPONSE
else
RESPONSE=error
fi
#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh
#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh
tecli show emulator emulations | grep "Running virtual machines" | awk '{print $4}'
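The extension scripts above share one shape: source the Check Point profile, run a tecli query, and hand snmpd either the value or the literal "error". The following is an added example in that shape (it is not one of the scripts from sk114806 or sk90860), with the value extraction separated out so it can be checked against a captured output. The tecli text is constructed; on a gateway it comes from "tecli show emulator emulations", and $4 is the field the article's awk one-liner selects, so the constructed line is laid out to put the number there.

```shell
#!/bin/bash
# Added example, not one of the scripts from sk114806 / sk90860: an SNMP
# extension script that answers with the running-VM count or with "error".
# SAMPLE_EMULATIONS is CONSTRUCTED; on a gateway the text comes from
# "tecli show emulator emulations", and $4 is the field the article's awk
# one-liner selects.

SAMPLE_EMULATIONS='Emulator status
Running virtual machines: 6
Pending emulation requests: 2'

# Field the article's one-liner reads: the 4th whitespace-separated token of the
# "Running virtual machines" line. Reads tecli output on stdin.
running_vms() {
    grep "Running virtual machines" | awk '{print $4}'
}

# Build the answer handed back to snmpd: the counter value, or "error" when the
# output holds no numeric value (tecli missing, daemon down, layout changed), so
# a poller sees a distinguishable failure instead of an empty OID.
snmp_answer() {
    RESPONSE=$(printf '%s\n' "$1" | running_vms)
    case "$RESPONSE" in
        ''|*[!0-9]*) RESPONSE=error ;;
    esac
    echo "$RESPONSE"
}

# On the gateway the live call would be the two lines below (commented out: they
# need the Check Point environment, which the offline demonstration lacks):
#   . /opt/CPshared/5.0/tmp/.CPprofile.sh
#   snmp_answer "$(tecli show emulator emulations 2>/dev/null)"
snmp_answer "$SAMPLE_EMULATIONS"
```

Returning a fixed string such as "error" on failure, as the article's RESPONSE=error branch does, lets the monitoring system alert on the script breaking (for example after an engine update changes the output layout) instead of silently reporting zero VMs.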
Postfix queue:
(24) Troubleshooting
Emulation Scenario What to check
3. Check that the Date and Time are set correctly on the Security Gateway.
4. Check that the DNS Server(s) are defined on the Security Gateway.
5. Check that the Proxy Server is defined in the Security Gateway object in SmartDashboard R77.X.
6. Check that the Proxy Server is defined in the Global Properties in SmartDashboard R77.X.
8. Check the Threat Emulation configuration in the Security Gateway object in SmartDashboard R77.X.
10. Check the logs from Threat Emulation blade in SmartView Tracker / SmartLog / SmartEvent.
11. Check that the Security Gateway is able to resolve the ThreatCloud Pod addresses:
12. Check on the Security Gateway which ThreatCloud Pods are allowed:
13. Check on the Security Gateway that the Threat Emulation Quota is not reached:
14. Check the logs of relevant processes on the Security Gateway (refer to the "(9) User Space" section).
15. Collect the relevant debugs (of processes and of kernel) on the Security Gateway - refer to the "(25) Debug" section a
Check Point Support.
Private Cloud Appliance
2. Check that all required processes on the Threat Emulation Appliance are up and running
3. Check that the Date and Time are set correctly on the Security Gateway.
4. Check that the DNS Server(s) are defined on the Security Gateway.
5. Check that the Proxy Server is defined in the Security Gateway object in SmartDashboard R77.X.
6. Check that the Proxy Server is defined in the Global Properties in SmartDashboard R77.X.
7. Check that the Threat Emulation Appliance is able to connect to the Internet.
8. Check that the Threat Emulation Appliance is able to connect to Check Point update servers:
9. Check the Threat Emulation configuration (including the Resource Allocation) in the Threat Emulation Appliance obje
SmartDashboard R77.X.
10. Install the Security policy and the Threat Prevention policy.
11. Check the logs from Threat Emulation blade in SmartView Tracker / SmartLog / SmartEvent.
12. Check on the Threat Emulation Appliance how the emulation works:
13. Check that the Threat Emulation Appliance has the latest OS images, detection rules, and engine revisions:
14. Check the logs of relevant processes on the Threat Emulation Appliance (refer to the "(9) User Space" section).
15. Collect the relevant debugs (of processes and of kernel) on the Threat Emulation Appliance - refer to the "(25) Debug
and consult Check Point Support.
Private Cloud Appliance installed on your network
2. Check that all required processes on the Security Gateway and on the Remote Threat Emulation Private Cloud Appliance are up and running
[Expert@HostName:0]# cpwd_admin list
3. Check that the Date and Time are set correctly on the Security Gateway and on the Remote Threat Emulation Private
Appliance.
4. Check that the DNS Server(s) are defined on the Security Gateway.
5. Check that the Proxy Server is defined in the Security Gateway object and in the Remote Threat Emulation Private Cl
Appliance object in SmartDashboard R77.X.
6. Check that the Proxy Server is defined in the Global Properties in SmartDashboard R77.X.
7. Check that the Remote Threat Emulation Private Cloud Appliance is able to connect to the Internet.
8. Check the Threat Emulation configuration in the Security Gateway object and in the Remote Threat Emulation Privat
Appliance (including the Resource Allocation) object in SmartDashboard R77.X.
10. Check the logs from Threat Emulation blade in SmartView Tracker / SmartLog / SmartEvent.
11. Check on the Security Gateway how the emulation works:
12. Check the logs of relevant processes on the Security Gateway and on the Remote Threat Emulation Private Cloud Ap
(refer to the "(9) User Space" section).
13. Collect the relevant debugs (of processes and of kernel) on the Security Gateway and on the Remote Threat Emulatio
Cloud Appliance - refer to the "(25) Debug" section and consult Check Point Support.
To resolve problems for the upstream MTA delivering e-mails to Check Point Security Gateway configured as MTA,
disable the TCP timestamps on Check Point MTA per sk62700 - How to disable TCP timestamps (RFC 1323).
Note: This change will be applied only to local connections (connections where the source or destination is the Security Gateway).
Restart postfix:
(25) Debug
Important Note: Since the required debugs are quite extensive, it is necessary to schedule a maintenance window (to minimize the impact on the Security Gateway).
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
Example flow:
Important Note: Consult Check Point Support to minimize the CPU load on the Security Gateway caused by this debug.
[Expert@HostName:0]# fw ctl debug -m fw + conn drop malware te ioctl mail cmi vm tcpstr
Make sure the issue was replicated - save all the relevant outputs, take all the relevant screenshots.
$FWDIR/log/dlpu.elg*
$FWDIR/log/ted.elg*
/var/log/kernel_debug.txt
/var/log/messages*
all the relevant outputs
all the relevant screenshots
CPinfo file
In addition, collect the CPinfo file from the Security Management Server / Domain Management Server that manages this Security Gateway
Example flow:
1. Rotate the $FWDIR/log/ted.elg files:
Important Note: Consult Check Point Support to minimize the CPU load on the Security Gateway caused by this debug.
[Expert@HostName:0]# fw ctl debug -m fw + conn drop malware te ioctl mail cmi vm tcpstr
Make sure the issue was replicated - save all the relevant outputs, take all the relevant screenshots.
/var/log/maillog
$FWDIR/log/emaild.mta.elg*
$FWDIR/log/ted.elg*
/var/log/kernel_debug.txt
/var/log/messages*
all the relevant outputs
all the relevant screenshots
CPinfo file
In addition, collect the CPinfo file from the Security Management Server / Domain Management Server that manages this Security Gateway
Related documentation:
Related solutions:
General
sk106210 - Threat Emulation Appliances: TE100X, TE250X, TE1000X, TE2000X (SandBlast)
sk95235 - Threat Emulation Engine Update - What's New
sk92509 - Offline updates for Threat Emulation images and engine
sk117672 - How to update the Threat Emulation malware detection rules
sk112721 - How to monitor the status of Check Point Threat Emulation Cloud Service
sk112312 - Threat Emulation File Analyzer
sk115376 - Threat Emulation support for "Push Forward" emulation
sk93598 - Threat Emulation Sizing Mode: how to measure the required inspections at an organization
sk110394 - Check Point Private ThreatCloud
sk109045 - Software Blades / Features and supported Operating Systems
sk79700 - VSX supported features on R75.40VS and above
sk106496 - Software Blades updates on VSX R75.40VS and above - FAQ
sk97638 - Check Point Processes and Daemons
Configuration
sk119133 - New Threat Emulation license mechanism starting from Threat Emulation update 6.8
sk108074 - SandBlast Parallel Extraction Hotfix
sk108695 - Check Point SandBlast Agent for Browsers
sk106123 - File types supported by SandBlast Threat Emulation
sk117168 - Threat Emulation Early Verdict for Prevent
sk102309 - Threat Emulation support for Multiple Private Cloud Appliances
sk97877 - Cloud Geo Restriction support in Threat Emulation Cloud mode
sk107333 - Support for CPU Level sandboxing on Threat Emulation appliances TE100X, TE250X, TE1000X, TE2000X
sk111405 - 60000 / 40000 Appliances - How to enable Threat Emulation blade on R76SP.40 and R76SP.50
sk93530 - How to configure User Authentication proxy in Threat Emulation
sk101870 - How to change Postfix configuration for Threat Emulation MTA
sk123140 - How to configure Threat Emulation blade to block files according to file types
sk93505 - Changing the default size of the /var/log/maillog file when using Mail Transfer Agent (MTA)
sk101606 - How to enable inspection of SMB/CIFS traffic by Anti-Virus blade or Threat Emulation blade
sk109699 - ATRG: MTA
sk110369 - How to configure load balancing / high availability based on the DNS configuration for Mail Transfer Agent (MTA)
sk111306 - Check Point support for Internet Content Adaptation Protocol (ICAP) server
sk93000 - SMT (HyperThreading) Feature Guide
sk92374 - Intel Virtualization Technology (VT) support compliance on Check Point appliances
sk111080 - How to configure Check Point software to upload data to Check Point / download data from Check Point
sk94508 - Recommended Internet Access Settings for Automatic Downloads
sk94509 - Recommended Internet Access Settings for Uploading Data
Troubleshooting
sk83520 - How to verify that Security Gateway and/or Security Management Server can access Check Point servers?
sk106119 - Threat Emulation blade generates a "Detect" log instead of "Prevent" log
sk115252 - Threat Emulation logs show "Detect" for e-mail attachments instead of "Prevent" when Threat Extraction blade is also ena
sk106120 - Threat Emulation does not emulate a file
sk105737 - How to create Threat Emulation Forensics Report for benign files
sk106739 - 'File is pending emulation. Threat scan failed' log in SmartView Tracker, SmartLog
sk103752 - "There are (N) files in the remote emulation queue that have failed to send for more than (X) minutes" log in SmartView Tra
sk105164 - Threat Emulation issues caused by non-ASCII characters
sk107093 - E-mails do not reach the client after selecting Cluster Virtual Interface(s) in MTA "Advanced Settings"
sk109198 - E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster
sk108878 - E-mails are delayed for several hours when Threat Emulation blade and Mail Transfer Agent (MTA) are enabled
sk117634 - Security Gateway configured as MTA and/or with enabled Threat Extraction blade is not able to parse any e-mail
sk106392 - Threat Emulation action is shown differently in SmartEvent and in SmartView Tracker
sk108373 - Threat Emulation blade sends unsupported file types from an archive for emulation
sk117275 - Threat Emulation "Excluded Mail Addresses" feature does not work correctly when using wildcard '*' to exclude all e-mail
sk108492 - Threat Emulation events are missing in SmartEvent R77.x
sk116813 - Status of Threat Emulation downloaded images changes from "Ready" to "Initialize" for ~30-40 minutes during the Threat
Update
sk114898 - "Threat Emulation Cloud Subscription Status" section in SmartView Monitor shows wrong values
sk62700 - How to disable TCP timestamps (RFC 1323)
sk98348 - Best Practices - Security Gateway Performance
sk100633 - Best Practices - threats investigation using Threat Prevention Software Blades