ATRG: Threat Emulation

Solution ID: sk114806
Product: Threat Emulation, Quantum Appliances, Quantum Security Gateways, Quantum Scalable Chassis
Version: R77.20, R80.10 (EOL), R80.20, R80.30, R80.40, R81, R81.10
OS: Gaia
Platform / Model: Threat Emulation, 2000, 3000, 4000, 5000, 12000, 13000, 15000, 21000, 23000, 41000, 44000, 61000, 64000, X-Series (EOL), Intel/PC
Date Created: 03-Sep-2017

Solution
Table of Contents:

1. Introduction to Threat Prevention
2. Introduction to Threat Emulation solution
3. Supported Configuration and Requirements
4. Limitations and current design
5. File emulation location - ThreatCloud vs Local / Remote Threat Emulation Appliance
6. Deployment options
7. Emulation Workflow
8. Emulation Connection Handling Mode
9. User Space
10. The tecli command (Threat Emulation Command Line Tool)
    tecli show ... commands
    tecli control ... commands
    tecli set ... commands
    tecli advanced ... commands
    tecli cache ... commands
    tecli debug ... commands
11. The cpstat threat-emulation command
12. Factors that limit the number of Virtual Machines that can be started
13. Static Analysis
14. Detection Rules
15. Scanning of Archives
16. File Reclassifier
17. Detection of a malicious file
18. Emulation of multiple files of the same type on the same virtual machine
19. Threat Emulation API
20. Performance considerations and Best practices
21. Configuring multiple Threat Emulation Appliances for redundancy and load sharing
22. Mail Transfer Agent (MTA) redundancy
23. Monitoring
24. Troubleshooting
25. Debug
26. Related resources
27. Revision History

(1) Introduction to Threat Prevention

To challenge today's malware landscape, Check Point's comprehensive Threat Prevention solution offers a multi-layered, pre-infection and post-infection defense approach on a consolidated platform that enables enterprise security to deal with modern malware:

Software Blade: Threat Emulation
Introduced in:
  All other platforms: GW mode - R77; VSX mode - R77.20
  60000 / 40000 appliances: GW mode - R76SP.40; VSX mode - R76SP.40
Description: Stops unknown malware, targeted attacks, and zero-day attacks. Works by:
  A. Identifying files in e-mail attachments (SMTP & SMTP/TLS) and downloads over the web (HTTP & HTTPS)
  B. Uploading the suspicious files to a virtual sandbox (in the cloud, or on a local appliance) for further emulation and analysis
  C. Emulating the suspicious files in various OS environments by opening the files and monitoring abnormal behavior (related to file system, system registry, network connections, system processes, etc.)
  D. Stopping the malicious files, and preventing them from getting to the end user
  E. Sharing data (in real-time) about the detected malicious files with ThreatCloud
Reference: Described in this article

Software Blade: Threat Extraction
Introduced in: GW mode - R77.30; VSX mode - R80.10
Description: Pro-actively cleans potential threats from incoming files

Software Blade: Anti-Bot
Introduced in: GW mode - R75.40; VSX mode - R77.40VS
Description: Post-infection bot detection, prevention, and threat visibility. Works by:
  Identifying Bot-infected devices (based on reputation, patterns, etc.)
  Stopping traffic to remote operators
Reference: sk92264 - ATRG: Anti-Bot and [...]

Software Blade: Anti-Virus
Introduced in: NG AI R57
Description: Pre-infection blocking of known viruses and file transfers. Works by:
  Looking for specific patterns
  Enforcing compliance of protocols to standards
  Detecting variations from the protocols
Reference: sk92264 - ATRG: Anti-Bot and [...]

Each Threat Prevention Software Blade gives unique network protections, and they can be combined to supply a strong malware solution.

Data from malicious attacks is shared between the Threat Prevention Software Blades and helps keep your network safe. For example, the signature of a threat that is identified by Threat Emulation is added to the Anti-Virus database.

The Threat Prevention Software Blades use a separate policy installation to minimize risk and operational impact. They are also integrated with other Software Blades on the Security Gateway to detect and stop threats.

(2) Introduction to Threat Emulation solution

A. SandBlast Threat Emulation (Sandboxing) can protect your network against new malware, zero-day vulnerabilities and targeted attacks.

Threat Emulation gives networks the necessary protection against unknown threats in files that are downloaded from the Internet or attached to e-mails.

When emulation is done on a file:

  The file is opened on more than one virtual computer with different operating system environments.
  The virtual computers are closely monitored for unusual and malicious behavior, such as an attempt to change registry keys or run an unauthorized process.
  Any malicious behavior is immediately logged, and you can use Prevent mode to block the file from the internal network.
  The cryptographic hash of a new malicious file is saved to a database, and the internal network is protected from that malware.
  Information about malicious files and malware is shared with the Check Point ThreatCloud (the administrator can disable this) and helps protect all ThreatCloud [...]

B. The goal of sandboxing:

  Inspect all incoming files to an organization and send them to a safe virtual environment
  Open the files in the virtual environment to see what would happen if someone inside the organization opened this file
  Prevent the malicious files from entering the organization

Sandboxing Type: CPU-Level Emulation
Description:
  New leading edge technology unique to Check Point
  Next generation of sandboxing to catch more malware
  No guesswork required, detection is definitive
  Not based on heuristics or statistics
  Resistant to evasions
  Fast and effective
  Refer to sk107333 - Support for CPU Level sandboxing on Threat Emulation appliances TE100X, TE250X, TE1000X, TE2000X
Works by:
  Monitoring CPU buffer
  Finding exploits
  Preventing malware before it executes

Sandboxing Type: OS-Level Emulation
Description:
  Traditional sandboxing technology
  Will give a very good emulation report
  Most times effective, but susceptible to evasions
  The longer you emulate the file, the better catch rate you will get
Works by:
  Monitoring System Registry
  Monitoring Network Connections
  Monitoring File System Activity
  Monitoring System Processes

C. Anyone can submit files for Check Point Threat Emulation and receive a detailed report:

  Send an e-mail with the attached file to threats@threats.checkpoint.com
  Submit the file on https://threatemulation.checkpoint.com/teb/upload.jsp

Related solution: sk120357 - New Threat Emulation reports.

(3) Supported Configuration and Requirements


Emulation Location: ThreatCloud emulation (on Check Point cloud)
  Gateway mode:
    R77 and above / R76SP.40 and above
    Only Gaia OS / SecurePlatform OS / X-Series XOS
    DNS Server(s) must be configured in the object of Security Gateway / Cluster
    (... Proxy Server) must be configured in the object of Security Gateway / Cluster
  VSX mode (sk79700):
    R77.20 and above / R76SP.40 and above
    Only Gaia OS / X-Series XOS
    Threat Emulation blade is enabled only in the object of Virtual System
    DNS Server(s) must be configured in the object of VSX Gateway / VSX Cluster
    (... Proxy Server) must be configured in the object of VSX Gateway / VSX Cluster

Emulation Location: Local emulation (on the local Threat Emulation appliance in your network)
  Gateway mode:
    R77 and above / R76SP.40 and above
    Only Gaia OS 64-bit
    Only on Threat Emulation Private Cloud Appliance
    DNS Server(s) must be configured in the object of Security Gateway / Cluster
    (... Proxy Server) must be configured in the object of Security Gateway / Cluster
  VSX mode (sk79700):
    Not supported at all

Emulation Location: Remote emulation (on the remote Threat Emulation appliance in your network)
  Gateway mode:
    R77 and above / R76SP.40 and above
    Only Gaia OS / SecurePlatform OS
    DNS Server(s) must be configured in the object of Security Gateway / Cluster
    (... Proxy Server) must be configured in the object of Security Gateway / Cluster
  VSX mode (sk79700):
    R77.20 and above / R76SP.40 and above
    Only Gaia OS
    Threat Emulation blade is enabled only in the object of Virtual System
    DNS Server(s) must be configured in the object of VSX Gateway / VSX Cluster
    (... Proxy Server) must be configured in the object of VSX Gateway / VSX Cluster

Important Notes:

On R77.30 Security Management Server / Multi-Domain Security Management Server, the R77.30 Add-On must be installed and enabled. Otherwise, some relevant settings will not be available in SmartDashboard R77.30.

Refer to sk111080 - How to configure Check Point software to upload data to Check Point / download data from Check Point
Refer to sk94508 - Recommended Internet Access Settings for Automatic Downloads
Refer to sk94509 - Recommended Internet Access Settings for Uploading Data
Refer to sk106123 - File types supported by SandBlast Threat Emulation
Refer to sk111405 - 60000 / 40000 Appliances - How to enable Threat Emulation blade on R76SP.40 and R76SP.50

(4) Limitations and current design


Blade / Feature / Configuration: Security Gateway in Gateway mode
Limitation / Current Design:
  ThreatCloud emulation: Only Gaia OS / SecurePlatform OS / X-Series XOS are supported
  Local emulation: Only Gaia OS running a 64-bit kernel is supported
  Remote emulation: Only Gaia OS and SecurePlatform OS are supported

Blade / Feature / Configuration: Security Gateway in VSX mode
Limitation / Current Design:
  ThreatCloud emulation:
    Mail Transfer Agent (MTA) is supported in R80.10 and above
    Not supported on Virtual Systems in Bridge Mode, as such a Virtual System has no IP address
    In R81 and higher versions there is an option to define a regular Virtual System (not in Bridge Mode) and add bridge interfaces to it. Refer to R81 VSX Administration Guide > Adding a Bridge Interface to a Virtual System.
    Virtual System Load Sharing clusters with more than two members are supported in R80.10 and above
  Local emulation: Threat Emulation is not supported at all
  Remote emulation:
    X-Series XOS is not supported
    Mail Transfer Agent (MTA) is supported in R80.10 and above
    Not supported on Virtual Systems in Bridge Mode, as such a Virtual System has no IP address
    In R81 and higher versions there is an option to define a regular Virtual System (not in Bridge Mode) and add bridge interfaces to it. Refer to R81 VSX Administration Guide > Adding a Bridge Interface to a Virtual System.
    Virtual System Load Sharing clusters with more than two members are supported in R80.10 and above

Blade / Feature / Configuration: Cluster
Limitation / Current Design: Threat Emulation local cache is not synchronized.

Blade / Feature / Configuration: UserCheck
Limitation / Current Design:
  When processing a file received over HTTP, UserCheck cannot send messages to the browser after the download has started:
    New malicious files need the UserCheck agent to display the UserCheck message
    For files already known (by Threat Emulation) as malicious, a UserCheck message can be displayed in the browser
  SMTP has no interface to display the UserCheck message:
    UserCheck agent is supported only if a client uses SMTP to send an e-mail to the SMTP server
    UserCheck message via e-mail is not supported for any of the Threat Prevention blades - only for DLP
    To provide a user-friendly notification, the Security Gateway must be configured as a Mail Transfer Agent (MTA); the malicious attachment is then replaced with a text file

Blade / Feature / Configuration: Web Portals
Limitation / Current Design:
  Threat Emulation uses port 8080 and requires that it is free and available. No portal is allowed to use port 8080 when the Threat Emulation blade is enabled, including WebUI.
  This is relevant only for SandBlast Appliances or a Firewall that is performing local emulation.

  Output of TE debug when another portal holds the port:

    [TE (TD::Surprise)] te::NetworkEventParser::_parse_data: NetworkEventParser Error: coul
    parse first line. data: 'Traceback (most recent call last): File "FakeServer.py", line
    <module>
    File "FakeServer.py", line 486, in run_servers
    File "/etc/fw/Python/lib/python2.7/SocketServer.py", line 419, in server_bind
    File "/etc/fw/Python/lib/python2.7/socket.py", line 224, in meth
    socket.error: [Errno 98] Address already in use

Blade / Feature / Configuration: Monitor (SPAN / TAP) deployment
Limitation / Current Design:
  "Prevent" action in the Threat Prevention policy is not supported
  HTTPS Inspection is not supported
  SMTPS over TLS inspection is not supported

Blade / Feature / Configuration: SMB Appliances on Gaia Embedded OS
Limitation / Current Design:
  Cloud mode and Private cloud mode are supported in the R77.20.51 firmware. For more details, see sk114815.
  Note: It is not supported to upgrade from the R77.20.51 firmware.

Blade / Feature / Configuration: Security Gateway on IPSO OS
Limitation / Current Design: Threat Emulation is not supported at all

Blade / Feature / Configuration: Security Gateway on Windows OS
Limitation / Current Design: Threat Emulation is not supported at all

Note: Starting from R81 the following appliances are no longer supported:

Smart-1 205/210, 2200, 4200, 4400, 4600, 4800, 12200, 12400, 12600, 13500, 13800, 21400, 21600, 21700, 21800.

(5) File emulation location - ThreatCloud vs Local / Remote Threat Emulation Appliance
Topology diagrams (not reproduced here): Cloud Emulation, Local Emulation, Remote Emulation.

Comparison of the three emulation locations: Check Point ThreatCloud (Public), Threat Emulation Private Cloud Appliance (local), Threat Emulation Appliance (remote). "Example topology" diagrams from the original table are not reproduced.

Where files are emulated
  ThreatCloud: In Check Point ThreatCloud
  Local appliance: On the local Threat Emulation appliance in your network
  Remote appliance: On the remote Threat Emulation appliance in your network

Available policy actions
  ThreatCloud: "Prevent" and "Detect".
  Local appliance: "Prevent" and "Detect".
  Remote appliance: "Prevent" and "Detect".

Machine resources (CPU, RAM, HDD)
  ThreatCloud: Impact is similar to AV/Deep Scan.
  Local appliance: High usage of CPU and RAM for running the sandboxing environment.
  Remote appliance: Impact is similar to AV/Deep Scan.

ThreatCloud License
  ThreatCloud: Required to send files for emulation. For more details see sk119133.
  Local appliance: Depends on configuration, see sk119133.
  Remote appliance: Required to send files for emulation. For more details see sk119133.

Custom OS images
  ThreatCloud: Not possible.
  Local appliance: Possible but not recommended. The recommended configuration provides significant performance and detection superiority due to the nature of the sandbox to provide a good host for the malware.
  Remote appliance: Possible but not recommended. The recommended configuration provides significant performance and detection superiority due to the nature of the sandbox to provide a good host for the malware.

Alternative OS images
  ThreatCloud: Possible, with licensing.
  Local appliance: Not possible.
  Remote appliance: Not possible.

Data samples
  ThreatCloud: Huge data sample set.
  Local appliance: Your appliance knows your files best, but has a smaller data sample set.
  Remote appliance: Your appliance knows your files best, but has a smaller data sample set.

Latency
  ThreatCloud: Can be noticeable.
  Local appliance: Low.
  Remote appliance: Can be noticeable.

Privacy
  ThreatCloud: Files must be shared.
  Local appliance: Files are kept on-site, you control what is shared.
  Remote appliance: Files are kept on-site, you control what is shared.

Update of OS images
  ThreatCloud: Automatic and transparent.
  Local appliance: Images must be downloaded, and the update must be scheduled to not disrupt scanning.
  Remote appliance: Images must be downloaded, and the update must be scheduled to not disrupt scanning.

Shared threat database
  ThreatCloud: Real-time data.
  Local appliance: Takes time until data is updated.
  Remote appliance: Takes time until data is updated.

Multi-Site deployment
  ThreatCloud: ThreatCloud can work with a Security Gateway of any "size". Does not require additional hardware.
  Local appliance: Depending on the amount of emulated files, a local appliance might be required. Threat Emulation Appliances for all business sizes can be offered. Threat Emulation can be load balanced.
  Remote appliance: Depending on the amount of emulated files, a local appliance might be required. Threat Emulation Appliances for all business sizes can be offered. Threat Emulation can be load balanced.

Note: Refer to sk93598 - Threat Emulation Sizing Mode: how to measure the required inspections at an organization.

(6) Deployment options

Note: All the deployment options require an additional NGTX license (also see sk119133).

Deployment options are:

Inline
Monitor (SPAN / TAP)
Remote (recommended)

Deployment option: Inline

Background:

Allows using the "Prevent" action and the "Ask" action (with UserCheck) in the Threat Prevention policy to block traffic before it reaches the internal computer.

Basic Emulation Workflow:

A. The ThreatCloud or Emulation appliance gets a file from the Security Gateway.
B. Emulation is run on the file.
   If the file is safe, it is sent to the computer in the internal network.
   If the file contains malware, it is quarantined and logged.

Deployment with a Mail Transfer Agent (MTA):

Mail Transfer Agent (MTA) is needed:

If you need to inspect SMTP over TLS traffic


If you need to use the "Prevent" action for SMTP over TLS traffic
If you need to perform Threat Extraction on SMTP traffic

Deployment in Bridge Mode:

A SandBlast TE Appliance connected in Bridge Mode performs the emulation.

The other, existing Security Gateway performs FireWall, NAT and other functions.

Example topology:

Related solutions:

sk101371 - Bridge Mode on Gaia OS and SecurePlatform OS

Deployment with Proxy / ICAP Server:

A Proxy / ICAP Server collects files and sends them via ICAP to the SandBlast TE Appliance for emulation.

Note: The SandBlast TE Appliance can act as an MTA to emulate e-mail traffic at the same time.

Example topology:

Software Subscription requirement:

This deployment option requires a Software Subscription on the SandBlast TE Appliance.

Deployment option: Monitor (SPAN / TAP)

Background:

Allows using only the "Detect" action in the Threat Prevention policy.

SPAN / TAP / Monitor Port configuration is used to duplicate the network traffic.

The files are sent directly to Threat Emulation and to the computer in the internal network.

If Threat Emulation discovers that a file contains malware, the corresponding log is generated.

Example topology:

Basic Emulation Workflow:

A. The ThreatCloud or Threat Emulation appliance receives a copy of a file from the Security Gateway.
   The original file goes to the computer in the internal network.
B. Emulation is run on the file.
   If the file is safe, no other action is taken.
   If the file is identified as malware, it is logged according to the "Track" action of the Threat Prevention rule.

Notes:

The default behavior of the Threat Emulation blade in this deployment option is to inspect all traffic, even if the Topology is configured in the Threat Emulation Gateway.

A kernel parameter can be enabled to configure the Threat Emulation Gateway to use the "Protected Scope" settings (from the Threat Prevention Profile - "Threat Emulation Settings" pane) also for SPAN / TAP / Monitor Port and use the Topology configured in the Threat Emulation Gateway object:

To check the current value of this kernel parameter:

[Expert@HostName:0]# fw ctl get int te_handle_span_port_interfaces_according_to_topology

To set the desired value for this kernel parameter on-the-fly (does not survive reboot):

[Expert@HostName:0]# fw ctl set int te_handle_span_port_interfaces_according_to_topology 1

To set the desired value for this kernel parameter permanently:

Follow sk26202 - Changing the kernel global parameters for Check Point Security Gateway.

A. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):

[Expert@HostName:0]# touch $FWDIR/boot/modules/fwkern.conf

B. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

[Expert@HostName:0]# vi $FWDIR/boot/modules/fwkern.conf

C. Add the following line (spaces and comments are not allowed):

te_handle_span_port_interfaces_according_to_topology=1

D. Save the changes and exit from Vi editor.

E. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

[Expert@HostName:0]# cat $FWDIR/boot/modules/fwkern.conf

F. Reboot the Security Gateway.

G. Verify that the new value was set:

[Expert@HostName:0]# fw ctl get int te_handle_span_port_interfaces_according_to_topology
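Steps A to G above edit fwkern.conf by hand. As an added example (not part of sk114806 and not a Check Point tool), the POSIX shell helper below performs the same edit idempotently, enforces the "no spaces, no comments" rule the file requires, and compares the stored value with the live kernel value after the reboot. It assumes `fw ctl get int <name>` prints `<name> = <value>`; the functions take the file path as an argument so they can be dry-run against a scratch file.

```shell
#!/bin/sh
# Added example, not from the sk article: maintain "name=value" lines in
# $FWDIR/boot/modules/fwkern.conf. The file accepts ONLY name=value lines
# (no spaces, no comments), so every write is validated afterwards.

# Return 1 (and list offenders on stderr) if any non-empty line is not name=value.
fwkern_validate() {
    conf="$1"
    [ -f "$conf" ] || return 0
    if grep -nvE '^[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9_-]+$' "$conf" | grep -v ':$' >&2; then
        echo "fwkern.conf contains lines that are not name=value" >&2
        return 1
    fi
    return 0
}

# Set a parameter: replace an existing line for the same name or append a new one.
# Usage: fwkern_set "$FWDIR/boot/modules/fwkern.conf" <name> <value>
fwkern_set() {
    conf="$1"; name="$2"; value="$3"
    case "$name$value" in
        *[!A-Za-z0-9_-]*) echo "invalid characters in name or value" >&2; return 1 ;;
    esac
    touch "$conf"                       # step A: create the file if missing
    if grep -q "^${name}=" "$conf"; then
        tmp="${conf}.tmp.$$"            # rewrite the single existing line
        sed "s/^${name}=.*/${name}=${value}/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s=%s\n' "$name" "$value" >> "$conf"
    fi
    fwkern_validate "$conf"             # step E: re-check the file contents
}

# Print the value stored for a parameter (empty if absent).
fwkern_get() {
    conf="$1"; name="$2"
    sed -n "s/^${name}=//p" "$conf" 2>/dev/null | tail -n 1
}

# Step G, after reboot: compare the stored value with the running kernel.
# Assumption: "fw ctl get int <name>" prints "<name> = <value>".
fwkern_verify_live() {
    conf="$1"; name="$2"
    want=$(fwkern_get "$conf" "$name")
    have=$(fw ctl get int "$name" 2>/dev/null | awk -F'= *' '{print $2}')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# On the gateway (assumes the Check Point expert shell sets FWDIR):
#   fwkern_set "$FWDIR/boot/modules/fwkern.conf" te_handle_span_port_interfaces_according_to_topology 1
#   reboot, then:
#   fwkern_verify_live "$FWDIR/boot/modules/fwkern.conf" te_handle_span_port_interfaces_according_to_topology
```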

Not defining the Topology in the Threat Emulation Gateway object may cause:

Internal files being sent to the cloud


ThreatCloud Quota overuse
Impact on performance since more files are emulated

The following features are not supported in Monitor (SPAN / TAP) deployment:

HTTPS Inspection
SMTPS over TLS inspection
"Prevent" action

SPAN ports tend to lose packets, depending on the switch capabilities and the actual network throughput.

This can cause Threat Emulation (and the rest of the blades) not to inspect some traffic.

Take this into consideration - if some files are not shown in logs, make sure (e.g., using tcpdump) that all of the packets indeed arrived correctly.

The SPAN port must be configured to support the combined overall throughput of the uplink and downlink seen.

For example, a 100 Mbps SPAN port cannot span a 60 Mbps sync connection, as it needs to pass 120 Mbps to the device.

Make sure the SPAN port can handle the traffic load.

Prefer TAP deployment if possible.

Software Subscription requirement:

This deployment option does not require a Software Subscription on the SandBlast TE Appliance.

Deployment option: Remote (recommended)

Background:

Security Gateway sends files to the remote Threat Emulation Private Cloud Appliance(s) on the network.

Allows using the "Prevent" action and the "Ask" action (with UserCheck) in the Threat Prevention policy to block traffic before it reaches the internal computer.

How to configure:

Refer to sk102309 - Threat Emulation support for Multiple Private Cloud Appliances.

 
(7) Emulation Workflow

The process begins with traffic arriving at the protocol parsers; the Threat Emulation file aggregation kernel part decides whether the file needs to be scanned (according to the policy).

If this file needs to be scanned (and Threat Emulation is not in Bypass mode), the file part is sent to the Threat Emulation Daemon ('TED') process, which sends it to the correlating 'DLPU' process instance.

The DLPU process instance handles the actual file reassembly.

DLPU process instances (per the allowed number of CPU cores) reassemble files from parsers in CoreXL FW Instances.

Temporary file parts are kept in $FWDIR/tmp/te/dlpu_tmp_files_X-Y/{zzz} directories.

Threat Emulation Daemon (TED) process on Local Emulation Appliance:

Receives the complete file and processes it through file type checks to understand if emulation is needed (due to advanced features).
Checks Threat Emulation local cache if the file was already emulated.
Checks system resources (CPU/Memory) to create an emulation queue if needed.
Performs static analysis.
Executes emulation according to policy settings.
Collects forensics details from the VM activity agent.
Collects statistics of the emulation environment.
Performs local logging/reporting and shares data with ThreatCloud.

Flow on Local Emulation Appliance:

A. File arrives at the CoreXL FW instance.
B. Decision is made whether to scan it or not (according to the policy).
C. The file is sent by the TED process to the correlating DLPU process instance in the user space.
   The DLPU process handles the file reassembly.
   Temporary file parts are kept in $FWDIR/tmp/te/dlpu_tmp_files_<X-Y>/ directories.
D. Once the DLPU process finishes file reassembly, it sends the file back to the TED process.

Malicious files are stored in a repository on the Threat Emulation Appliance in the /var/log/mal_files/ directory (applies to all emulation deployments).

Malicious files are stored in a repository on the Security Gateway in the /var/log/mal_files/ directory.

If a file is detected as malicious by the Anti-Virus blade, and the rule contains the "Prevent" action, then the file will always generate a Threat Emulation "Detect" log.

Inspection Flow:

Streaming:
  Parser in CoreXL FW Instance -> DLPU -> TED
  Temp file parts are kept in this directory: $FWDIR/tmp/te/dlpu_tmp_files_<X-Y>/

MTA:
  Parser in CoreXL FW Instance -> Postfix -> in.emaild.mta -> TED -> in.emaild.mta -> Postfix
  Temp file parts are kept in this directory: $FWDIR/tmp/email_tmp/

Emulation Workflow per Emulation Scenario:

Emulation Scenario: When sending files to the Check Point ThreatCloud

Emulation Workflow:

1. Customer's Security Gateway detects that a file was received from the Internet or an external network.
2. The Security Gateway compares the cryptographic hash of the file with the database.
   If the file is already in the database, no additional emulation is necessary.
   If the file is not in the database, it is necessary to send it to the ThreatCloud.
3. Customer's Security Gateway encrypts the file and sends it (over an SSL connection) to the ThreatCloud.
4. Frontend servers at the ThreatCloud Pod perform Support Contract verification against Check Point User Center.
   Each Security Gateway has its own UUID (identifier), which is used to identify the Security Gateway in ThreatCloud (the UUID is derived from the MAC Address of the Mgmt interface).
5. ThreatCloud Pod transfers the file (over an SSL connection) to a Check Point Emulator located at a dedicated protected Check Point site.
6. Check Point Emulator decrypts the file and runs emulation on the file.
7. Check Point Emulator sends a report (over an SSL connection) to a ThreatCloud Pod, which saves it in the shared database.
8. ThreatCloud Pod sends a report (over an SSL connection) to the customer's Security Gateway for the applicable action.

Geo Restriction:

Geo DNS is used to refer the Security Gateway to the closest ThreatCloud Pod:

Security Gateway queries the DNS "SRV" record of te.checkpoint.com to find the available ThreatCloud Pod:

  te01.checkpoint.com - located in Germany
  te02.checkpoint.com - located in Israel
  te03.checkpoint.com - located in USA

Priority of locations depends on the Geo location of the DNS server performing the recursive lookup.

Using an upstream DNS forwarder located in a different region can result in using an emulation centre in the "wrong" region.

When in doubt, run the following command:

nslookup -query=SRV te.checkpoint.com

In some cases, due to regulations, it might be necessary to use a ThreatCloud Pod in a specific region.

Refer to sk97877 - Cloud Geo Restriction support in Threat Emulation Cloud mode.

A. By default, all the sites are allowed:

[Expert@HostName:0]# tecli advanced cloud geo status

|Country |State
----------------|----------
|Germany |allowed
|Israel |allowed
|USA |allowed

B. To restrict the use of a ThreatCloud Pod to the specific region only:

Note: Either all, or only one location can be selected.

[Expert@HostName:0]# tecli advanced cloud geo restrict <Germany|Israel|USA>

Example - use ThreatCloud Pod only in the USA:

[Expert@HostName:0]# tecli advanced cloud geo restrict USA

Cloud Geo Restriction will be enforced for USA location.

|Country |State
----------------|----------
|Germany |forbidden
|Israel |forbidden
|USA |allowed

Note: This configuration is saved in the $FWDIR/conf/te_cloud_geo_restrict.conf file.

C. Restart the TED daemon to reload the modified settings:

[Expert@HostName:0]# fw kill ted
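To make the "wrong region" pitfall above checkable from the gateway, here is an added example (not from sk114806 and not a Check Point tool): POSIX shell functions that read the output of `nslookup -query=SRV te.checkpoint.com`, apply the Pod-to-region list given in this section, and warn when the resolver-preferred Pod is not in the region you expect (for instance the one chosen with `tecli advanced cloud geo restrict`). The SRV line layout `<name> service = <priority> <weight> <port> <target>` is an assumption about nslookup's output format, and the sample lines are constructed, not real record data.

```shell
#!/bin/sh
# Added example, not from the sk article: which ThreatCloud Pod does my
# resolver steer Threat Emulation to, and is that the region I expect?

# Map a ThreatCloud Pod hostname (with or without trailing dot) to its region.
te_pod_region() {
    case "${1%.}" in
        te01.checkpoint.com) echo Germany ;;
        te02.checkpoint.com) echo Israel ;;
        te03.checkpoint.com) echo USA ;;
        *) echo unknown; return 1 ;;
    esac
}

# Extract "<priority> <weight> <target>" from nslookup SRV output on stdin.
# Assumed line shape: te.checkpoint.com   service = <prio> <weight> <port> <target>
te_srv_entries() {
    awk '$2 == "service" && $3 == "=" { print $4, $5, $7 }' \
      | sort -k1,1n -k2,2nr        # lowest priority first, then highest weight
}

# Print the target the resolver prefers (first entry after sorting), no trailing dot.
te_preferred_pod() {
    te_srv_entries | awk 'NR == 1 { sub(/\.$/, "", $3); print $3 }'
}

# Print every Pod in the order it would be tried: "<priority> <host> <region>".
te_pod_order() {
    te_srv_entries | while read -r prio weight target; do
        printf '%s %s %s\n' "$prio" "${target%.}" "$(te_pod_region "$target")"
    done
}

# Exit 0 when the preferred Pod is in the expected region, 1 otherwise.
# $1 = expected region (Germany, Israel or USA); SRV output on stdin.
te_geo_check() {
    expected="$1"
    pod=$(te_preferred_pod)
    region=$(te_pod_region "$pod") || true
    if [ "$region" = "$expected" ]; then
        echo "OK: DNS prefers $pod ($region)"
        return 0
    fi
    echo "WARNING: DNS prefers ${pod:-nothing} ($region), expected $expected;" \
         "check the upstream DNS forwarder's location" >&2
    return 1
}

# Constructed sample (NOT real record data) so the functions can be exercised offline.
SAMPLE_SRV='te.checkpoint.com   service = 20 0 443 te02.checkpoint.com.
te.checkpoint.com   service = 10 0 443 te01.checkpoint.com.
te.checkpoint.com   service = 30 0 443 te03.checkpoint.com.'

# Live use on the gateway:
#   nslookup -query=SRV te.checkpoint.com | te_geo_check Germany
#   nslookup -query=SRV te.checkpoint.com | te_pod_order
```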

Emulation Scenario: When emulating files on the Local Threat Emulation Appliance installed on your network

Emulation Workflow:

1. The Local Emulation appliance receives the files for emulation.
2. The Local Emulation appliance compares the cryptographic hash of the file with the database.
   If the file is already in the database, no more emulation is necessary.
   If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.
3. The file is inspected in the Threat Emulation engine, including static analysis, resource checking on the appliance to see whether the appliance can accommodate the scanning, checking the metadata of the file for intelligence, and then emulating the file in the sandbox environment.
   The file is emulated according to policy on the relevant OS. During the emulation, there are behaviour indicators that allow Threat Emulation to determine whether the file is malicious or benign. When the investigation ends, a verdict is returned to the sending Security Gateway.

Emulation Scenario: When sending files to a Remote Threat Emulation Private Cloud Appliance installed on your network

Emulation Workflow:

1. The Remote Emulation appliance receives the files for emulation.
2. The Remote Emulation appliance compares the cryptographic hash of the file with the database.
   If the file is already in the database, no more emulation is necessary.
   If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.
3. The file is inspected in the Threat Emulation engine, including static analysis, resource checking on the appliance to see whether the appliance can accommodate the scanning, checking the metadata of the file for intelligence, and then emulating the file in the sandbox environment.
   The file is emulated according to policy on the relevant OS. During the emulation, there are behaviour indicators that allow Threat Emulation to determine whether the file is malicious or benign. When the investigation ends, a verdict is returned to the sending Security Gateway.

In MTA mode, a Postfix server receives and handles the e-mails. E-mails are forwarded to the in.emaild.mta daemon, which parses the e-mails (e.g., Base64 decoding) and passes them to the TED process if needed (based on the configuration of supported file types).

(8) Emulation Connection Handling Mode

While Threat Emulation processes the file, it can apply the following handling modes. To configure them:

A. In SmartDashboard R77.X, go to the Threat Prevention tab
B. In the left tree, click on Profiles
C. Edit the relevant profile
D. Expand the Threat Emulation Settings
E. Click on the Advanced pane

Handling Mode: Background
Description:
  This mode is configured by default.
  The connection over HTTP / SMTP is allowed and the file is sent to the destination even if the Threat Emulation analysis is not finished.
  Note: If the "Prevent" action is used in the Threat Prevention policy, then a file that Threat Emulation has already identified as malware is blocked. The file is not sent to the destination even in the "Background" mode.
  It is important to monitor the "Detect" events to catch the first downloads that probably caused the user's machine to get infected (the user is not automatically notified!).

Handling Mode: Hold
Description:
  A connection over HTTP / SMTP that must have emulation is blocked, and Threat Emulation holds the file until the Threat Emulation analysis is finished (default minimum is 60 sec; configurable).
  For configurations that use the "Hold" mode for SMTP traffic, to decrease the delay in receiving the e-mails, it is recommended to use a Mail Transfer Agent (MTA) deployment, which also supports SMTP/TLS.
  Note: This mode can create a time-delay for users to receive e-mails and files.

Handling Mode: Custom
Description: Allows configuration of "Background" and "Hold" modes independently for HTTP and SMTP protocols.

(9) User Space


Daemon: ted

Description: Threat Emulation daemon engine - responsible for emulating files and communication with the cloud.
  Receives the complete file and processes it through file type checks to understand if emulation is needed (due to advanced features)
  Checks Threat Emulation local cache if the file was already emulated
  Checks system resources (CPU / RAM) to create an emulation queue if needed
  Executes emulation according to policy settings
  Collects forensic details from the VM activity agent
  Collects statistics of the emulation environment
  Local logging/reporting and sharing data with ThreatCloud

Path: $FWDIR/teCurrentPack/temain

Log files:
  $FWDIR/log/ted.elg
  $FWDIR/log/te_file_downloader.elg
  $FWDIR/log/te_engine_log_file.elg
  $FWDIR/log/te_image_prep_util.elg

Configuration file: $FWDIR/conf/cloud_connector.conf

To Restart: [Expert@HostName:0]# fw kill ted
To Stop: [Expert@HostName:0]# cpstop
To Start: [Expert@HostName:0]# cpstart

Debug: "tecli debug" - refer to the "(10) The tecli command (Threat Emulation Command Line Tool)" section and to the Threat Prevention Administration Guide (R77.X, R80, R80.10)

Daemon: dlpu

Description: DLP process - receives data from the Check Point kernel.

Path: $FWDIR/bin/dlpu

Log file: $FWDIR/log/dlpu.elg

Notes: The "cpwd_admin list" command shows the process as "DLPU_<N>".

To Stop: [Expert@HostName:0]# cpstop
To Start: [Expert@HostName:0]# cpstart

Debug (refer to sk73660):
  1. Start debug:
     fw debug dlpu on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
     fw debug dlpu off TDERROR_ALL_ALL=0
  4. Analyze:
     $FWDIR/log/dlpu.elg*

Daemon: usrchkd

Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Portal.

Path: $FWDIR/bin/usrchkd

Log file: $FWDIR/log/usrchkd.elg

Configuration files:
  $FWDIR/conf/usrchkd.conf
  $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  $FWDIR/conf/fwauthd.conf

Notes:
  This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  This daemon is spawned by the FWD daemon

To Restart: [Expert@HostName:0]# killall usrchkd
To Stop: [Expert@HostName:0]# cpstop
To Start: [Expert@HostName:0]# cpstart

Debug (Note: It might also be required to collect the relevant kernel debug):
  1. Start debug:
     usrchk debug set all all
  2. Verify:
     usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
     usrchk debug off
  5. Analyze:
     $FWDIR/log/usrchkd.elg*

Daemon: usrchk

Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).

Path: $FWDIR/bin/usrchk

Log file: $FWDIR/log/usrchk.elg

Daemon: in.emaild.mta

Description: When the Mail Transfer Agent (MTA) is enabled on the Security Gateway, this E-Mail Security Server receives e-mails sent by ... and sends them to their destinations.

Path: $FWDIR/bin/fwssd

Log files:
  $FWDIR/log/emaild.mta.elg
  /var/log/maillog

To Stop: [Expert@HostName:0]# cpstop

To Start: [Expert@HostName:0]# cpstart

Debug: Refer to sk60387:

  1. Start debug:

     fw debug in.emaild.mta on TDERROR_ALL_ALL=5

  2. Replicate the issue.

  3. Stop debug:

     fw debug in.emaild.mta off TDERROR_ALL_ALL=0

  4. Analyze:

     $FWDIR/log/emaild.mta.elg*
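The start / replicate / stop / analyze procedure given above for dlpu, usrchkd and in.emaild.mta, wrapped in a bash script as an added example (not Check Point's own code): it maps each daemon to the commands the article lists, collects the daemon's .elg files (including rotated ones) from $FWDIR/log into a timestamped directory, and has a TE_DRY_RUN mode (an assumption of this script, not a Check Point setting) that prints the debug commands instead of running them.

```shell
#!/bin/bash
# Added example: debug-collection helper for the Threat Emulation user-space
# daemons documented above. Assumes an Expert-mode shell on the gateway with
# $FWDIR set. TE_DRY_RUN=1 (assumed, not a Check Point variable) prints the
# commands instead of executing them, which is what the test below uses.
set -u

# Prints the start/stop debug command the article gives for each daemon.
te_debug_cmd() {          # usage: te_debug_cmd <daemon> <on|off>
    local daemon="$1" action="$2"
    case "$daemon" in
        dlpu|in.emaild.mta)
            # fw debug takes the TDERROR topic on both the on and the off call
            if [ "$action" = on ]; then
                echo "fw debug $daemon on TDERROR_ALL_ALL=5"
            else
                echo "fw debug $daemon off TDERROR_ALL_ALL=0"
            fi ;;
        usrchkd)
            if [ "$action" = on ]; then
                echo "usrchk debug set all all"
            else
                echo "usrchk debug off"
            fi ;;
        *)
            echo "unsupported daemon: $daemon" >&2
            return 1 ;;
    esac
}

# The log file is named after the daemon, except in.emaild.mta (emaild.mta.elg).
te_log_glob() {           # usage: te_log_glob <daemon>  -> glob under $FWDIR/log
    local daemon="$1"
    case "$daemon" in
        in.emaild.mta) echo "$FWDIR/log/emaild.mta.elg*" ;;
        *)             echo "$FWDIR/log/$daemon.elg*" ;;
    esac
}

# Runs a command, or only prints it when TE_DRY_RUN=1.
te_run() {
    if [ "${TE_DRY_RUN:-0}" = 1 ]; then
        echo "[dry-run] $*"
    else
        eval "$@"
    fi
}

# Copies the daemon's current and rotated log files (step "Analyze") into a
# timestamped directory and prints that directory; fails if nothing matched.
te_collect_logs() {       # usage: te_collect_logs <daemon> <dest_root>
    local daemon="$1" dest_root="$2"
    local dest="$dest_root/${daemon}_$(date +%Y%m%d_%H%M%S)"
    mkdir -p "$dest" || return 1
    local glob n=0 f
    glob="$(te_log_glob "$daemon")"
    for f in $glob; do    # unquoted on purpose: expand the glob
        [ -f "$f" ] || continue
        cp -p "$f" "$dest/" && n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no log files matched $glob" >&2; return 1; }
    echo "$dest"
}

# Whole procedure: start debug, let the operator replicate, stop debug, collect.
te_debug_session() {      # usage: te_debug_session <daemon> <dest_root>
    local daemon="$1" dest_root="$2" cmd
    cmd="$(te_debug_cmd "$daemon" on)" || return 1
    te_run "$cmd"
    echo "Debug is on for $daemon. Replicate the issue, then press Enter." >&2
    read -r _ </dev/tty
    te_run "$(te_debug_cmd "$daemon" off)"
    te_collect_logs "$daemon" "$dest_root"
}
```

Run as `te_debug_session dlpu /var/log/te_debug` from Expert mode; the printed directory is what to attach to a support case.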

(10) The tecli command (Threat Emulation Command Line Tool)

Important Notes:

The commands listed below are for general reference only.


These commands are updated from time to time (via Engine Update).
Therefore, the commands on your Security Gateway might not match the commands documented below.

Run the tecli command to see the commands that exist in your version of Threat Emulation Engine.
Some commands are intended only for Check Point internal use.

Use the tecli commands to:

Show information about the Threat Emulation system


Show status of emulation downloads, statistics and processes
Control Threat Emulation local cache
Set Threat Emulation advanced options
Configure affinity for TED (Threat Emulation Daemon)

Syntax:

[Expert@HostName:0]# tecli [show ...] [control ...] [set ...] [advanced ...] [cache ...] [debug ...]

Notes:

The tecli command does not support the [Tab] key.


Shortened unique sub-commands can be used (e.g., "tecli s s" for "tecli show statistics").

Where:

tecli show ... commands

These commands display information about the threat emulation system.

The available sub-commands are (for engine version 54.990001309):

tecli show emulator ... = displays information about the emulator

  tecli show emulator emulations = information about the current status of the emulation queue (pending emulating requests, running virtual machines, number of emulated files)

  tecli show emulator queue = information about emulator's queue

  tecli show emulator vm ... = information about the VMs

    tecli show emulator vm synopsis = summary of the VMs (pending emulating requests, average request wait time, running emulation vms)

    tecli show emulator vm detailed = detailed information about the VMs

    tecli show emulator vm id <ID> = detailed information for the VM with this ID

tecli show throughput ... = displays Threat Emulation current throughput

  tecli show throughput minute = how many files completed emulation for each minute

  tecli show throughput hour = how many files completed emulation for each hour

  tecli show throughput day = how many files completed emulation for each day

  tecli show throughput month = how many files completed emulation for each month

tecli show statistics = displays Threat Emulation current statistics (threat emulation engine version, scanned files, resend files, malicious files, average process time, etc.)

tecli show unit ... = displays information on the threat emulation system units - all the parts of file emulation

  tecli show unit all = the chain of units that process a file emulation (shows the number of files for each task in the emulation part)

tecli show downloads ... = displays statistics about downloads

  tecli show downloads all = status of all downloads

  tecli show downloads images = download status of operating system images for VMs

  tecli show downloads dr = download status of malware detection rules (white lists for documents, etc.)

  tecli show downloads sa = download status of static analysis rules (pre-processing Python rules for PDF and Office documents)

  tecli show downloads raw = download status of general (raw) Threat Emulation files (engine binary updates)

  tecli show downloads types = mapping of detected file types to real extension used in Windows OS

  tecli show downloads ea = download status of analyzer executables

  tecli show downloads java = download status of Java

  tecli show downloads gu = shows gradual update group id

  tecli show downloads dump = shows dump of statuses of downloads files

  tecli show downloads fakefiles = shows status of fake server files

  tecli show downloads scanengine = shows status of scan engine package files

tecli show cloud ... = displays data and statistics about your ThreatCloud account

  tecli show cloud identity = data about how this gateway connects to the ThreatCloud

  tecli show cloud quota = data about your ThreatCloud monthly emulation quota

  tecli show cloud queue = information about ThreatCloud emulation queue

tecli show affinity = displays current Threat Emulation CPU affinity (number of CoreXL FW instances and of CPU cores for TED / TEMAIN daemon)

tecli show remote ... = displays information about emulation on Remote Threat Emulation appliance

  tecli show remote queue = information about emulation queue on Remote Threat Emulation appliance

Note: The "tecli show ..." commands display various statuses of Virtual Machines:

Status Explanation

Uninitialized VM was allocated

Creation In Process VM is being created (uploading signature files)

Initialized VM was initialized

Configured VM was configured

Ready for Emulation VM is ready to emulate a file

Asked for Execution VM was asked to execute a file

Emulating VM is currently emulating a file

Emulating + Locked VM is locked with a reason

Emulating + Digesting File is being uploaded to the VM

Emulating + Ready VM is ready to receive files

Done Emulation is done

Terminating Emulation stopped without any errors

Terminating with Error Emulation stopped with errors

tecli control ... commands

These commands control the state of threat emulation system.

The available sub-commands are (for engine version 54.990001309):

tecli control suspend = suspends threat emulation system

tecli control resume = resumes threat emulation system

tecli control status = retrieves status of threat emulation system

tecli control sizing ... = modifies sizing mode - see sk93598 for more details

  tecli control sizing status = displays the current status of the sizing mode

  tecli control sizing enable = enables the sizing mode

  tecli control sizing disable = disables the sizing mode

tecli set ... commands

These commands set parameters of threat emulation system.

The available sub-commands are (for engine version 54.990001309):

tecli set affinity ... = sets Threat Emulation CPU affinity

  tecli set affinity <number_of_CoreXL_FW_instances> <number_of_CPUs_for_TED_daemon>

  tecli set affinity <number_of_CoreXL_FW_instances> <number_of_CPUs_for_TEMAIN_daemon>

Related solution - sk109818.

tecli advanced ... commands

These commands control advanced parameters.

The available sub-commands are (for engine version 54.990001309):

tecli advanced analyzer ... = Threat Emulation File Analyzer in R77.30 and above (refer to sk112312)

  tecli advanced analyzer show = displays analyzer state and configured values of its attributes

  tecli advanced analyzer enable <1|0> = enables (1) or disables (0) analyzer investigator

  tecli advanced analyzer max_embedded_files_limit <value> = sets maximal limit for number of embedded files

  tecli advanced analyzer max_embedded_links_limit <value> = sets maximal limit for number of embedded links

  tecli advanced analyzer prohibited = prohibited objects menu

    tecli advanced analyzer prohibited encrypted = blocks encrypted documents

    tecli advanced analyzer prohibited sensitive = blocks documents that contain sensitive links (links to local or network path)

    tecli advanced analyzer prohibited macro = blocks documents that contain macros and code

    tecli advanced analyzer prohibited word = blocks documents with embedded MS Word file type

    tecli advanced analyzer prohibited excel = blocks documents with embedded MS Excel file type

    tecli advanced analyzer prohibited power_point = blocks documents with embedded MS Power Point file type

    tecli advanced analyzer prohibited executable = blocks documents with embedded executable file type

    tecli advanced analyzer prohibited zip_em = blocks documents with embedded ZIP file type

    tecli advanced analyzer prohibited flash = blocks documents with embedded Flash file type

    tecli advanced analyzer prohibited pdf = blocks documents with embedded PDF file type

    tecli advanced analyzer prohibited js = blocks documents with embedded JavaScript file type

tecli advanced clear = resets the Threat Emulation statistics

tecli advanced engine ... = Threat Emulation Engine Update actions

  tecli advanced engine version = displays the engine version

  tecli advanced engine revert = reverts to the original (out of the box) version

  tecli advanced engine retry = retries the engine update

tecli advanced schema ... = displays schema attributes

  tecli advanced schema all = displays all schema attributes

  tecli advanced schema general = displays schema general attributes

  tecli advanced schema emulation = displays schema emulation attributes

  tecli advanced schema cloud = displays cloud emulation attributes

  tecli advanced schema profiles = displays profiles emulation attributes

tecli advanced downloads ... = downloads actions

  tecli advanced downloads update ... = initiates Threat Emulation engine update

    tecli advanced downloads update all = Threat Emulation engine update of all components

    tecli advanced downloads update images = Threat Emulation update of images

    tecli advanced downloads update rules = Threat Emulation engine update of malware detection and static analysis rules (sk117672)

    tecli advanced downloads update file types map = mapping of file types to real extension used in Windows OS

    tecli advanced downloads update raw = Threat Emulation engine update of raw files (engine binary updates)

tecli advanced forensics ... = Threat Emulation forensics data actions

  tecli advanced forensics clean <UID> = cleans the forensics data of a given UID

  tecli advanced forensics limit stat = prints the status of forensics limit activities

  tecli advanced forensics limit set <1|0> = enables (1) / disables (0) the forensics limit activities mode

tecli advanced archive extract ... = controls file types that are extracted from archive files (for an example, refer to sk108373)

  tecli advanced archive extract all ... = displays the current status and enables / disables extraction of all file types from archive files

    tecli advanced archive extract all stat = displays the current status (enabled / disabled) of extraction of all file types from archive files

    tecli advanced archive extract all enable = enables extraction of all file types from archive files

    tecli advanced archive extract all disable = disables extraction of all file types from archive files 

tecli advanced instrumentation ... = controls VM instrumentation

  tecli advanced instrumentation on = turns on instrumentation

  tecli advanced instrumentation off = turns off instrumentation

tecli advanced cloud ... = controls actions with ThreatCloud

  tecli advanced cloud geo ... = cloud geo restrictions (control which ThreatCloud Pods are allowed / forbidden) - refer to sk97877

    tecli advanced cloud geo status = shows current restriction status

    tecli advanced cloud geo default = sets automatic Cloud Geographic location (all ThreatCloud Pods are allowed)

    tecli advanced cloud geo restrict <Germany|Israel|USA> = restricts to a specific location (only that specific ThreatCloud Pod is allowed)

  tecli advanced cloud request ... = shows and sets maximal number of objects in cloud request

    tecli advanced cloud request show = shows maximal number of objects in cloud request

    tecli advanced cloud request set <value> = sets maximal number of objects in cloud request

  tecli advanced cloud timeout ... = shows and sets timeout of file processing time (hours)

    tecli advanced cloud timeout show = shows timeout of file processing time (hours)

    tecli advanced cloud timeout set <value> = sets timeout of file processing time (hours)

  tecli advanced cloud connectivity ... = displays the current status and enables / disables cloud connectivity

    tecli advanced cloud connectivity stat = displays the current ThreatCloud connectivity status

    tecli advanced cloud connectivity allow = allows the access to ThreatCloud, if needed

    tecli advanced cloud connectivity deny = denies any access to ThreatCloud (sk109854)

tecli advanced attributes ... = special attributes (should be changed only if instructed by Check Point)

  tecli advanced attributes show = displays special attributes and their values

  tecli advanced attributes set ... = sets special attributes and their values

    tecli advanced attributes set static_cloud <1|0> = enables (1) or disables (0) static analysis on cloud server

    tecli advanced attributes set trusted_source <1|0> = enables (1) or disables (0) trusted source domains

    tecli advanced attributes set reclassifier <1|0> = enables (1) or disables (0) files reclassification (refer to "(16) File Reclassifier" section)

    tecli advanced attributes set file_type_logs <1|0> = enables (1) or disables (0) monitoring logs per file type

    tecli advanced attributes set archive_timeout <value> = sets archive tool timeout (in seconds)

    tecli advanced attributes set archive_max_size <value> = sets archive tool maximum inflate size (in MB)

    tecli advanced attributes set prohibited_file_types <file_type1>,<file_type2>,... = configures file types that are prohibited in archives (sk123140)

    tecli advanced attributes set prohibited_file_types - = resets all file types prohibited in archives

    tecli advanced attributes set wait_queue_max_size <value> = sets the maximum size of Cloud Error Handling wait queue (default is 5000)

    tecli advanced attributes set wait_queue_timeout <value> = sets timeout (in minutes) for retrying to send a file to the ThreatCloud after an error (default is 360)

    tecli advanced attributes set save_all_files <1|0> = enables (1) or disables (0) saving all the files processed by TED

    tecli advanced attributes set cloud_dns_name <hostname> = overrides the default hostname te.checkpoint.com with the specified hostname (requires installation of Threat Prevention policy)

    tecli advanced attributes set cloud_dns_name - = restores the default hostname te.checkpoint.com (requires installation of Threat Prevention policy)

    tecli advanced attributes set emulation_upload_chunk_size <value> = configures emulation upload chunk size

    tecli advanced attributes set emulation_enable_upload_split <1|0> = enables (1) or disables (0) emulation upload split

    tecli advanced attributes set whitening_mode <1|0> = enables (1) or disables (0) whitening mode

    tecli advanced attributes set max_size_per_log_file <size_in_bytes> = sets maximal size per log file (requires restart of TED daemon; default is 10 MB)

    tecli advanced attributes set number_of_log_files <number> = sets number of log files (requires restart of TED daemon; default is 10 files)

    tecli advanced attributes set http_failure_until_dns_failover <value> = sets number of HTTP failures until DNS failover (default is 3)

    tecli advanced attributes set false_positive_guard_file_types <all|executables> = sets false-positive guard file types (requires
installation of Threat Prevention policy)

    tecli advanced attributes set domains_threshold_enabled <1|0> = enables (1) or disables (0) the domains threshold

    tecli advanced attributes set domains_threshold_time_frame_in_minutes <value> = sets time frame in minutes for domains threshold
(requires restart of TED daemon)

    tecli advanced attributes set domains_threshold_max_consuming_files_in_frame <value> = sets maximal number of files in frame for
domains threshold (requires restart of TED daemon)

    tecli advanced attributes set api_log_path </path_to/> = sets path to API logs

    tecli advanced attributes set api_log_path - = restores the path to API logs to its default /var/log/huntress_api_logs

    tecli advanced attributes set db_purge_interval <value> = sets interval (in minutes) for purging the database

    tecli advanced attributes set db_purge_max_records <value> = sets maximal number of purged records

    tecli advanced attributes set calc_sha256 <1|0> = enables (1) or disables (0) calculation of SHA256 hash for files

    tecli advanced attributes set disable_monitoring <1|0> = enables (1) or disables (0) VM documents monitoring - effective only if, prior to this command, you ran the "tecli advanced instrumentation off ; tecli advanced download reinitialize" commands

    tecli advanced attributes set monitored_events_limit <value> = sets limit for number of monitored events

    tecli advanced attributes set memory_dump <1|0> = enables (1) or disables (0) memory dump (requires restart of TED daemon)

    tecli advanced attributes set pcap_enable <1|0> = enables (1) or disables (0) traffic capture from logs (will save only when report is created)

    tecli advanced attributes set pcap_number_of_packets <value> = sets number of packets to be captured from logs

    tecli advanced attributes set enable_cpu_level_detection <1|0> = enables (1) or disables (0) CPU-Level Detection (refer to sk107333)

    tecli advanced attributes set screen_dumps <1|0> = enables (1) or disables (0) the Screen Dumps

    tecli advanced attributes set emulation_mode <legacy|experimental|aggressive|balanced> = sets the Emulation Mode

    tecli advanced attributes set appready_verify <1|0> = enables (1) or disables (0) App-Ready Verification

    tecli advanced attributes set appready_optimization <1|0> = enables (1) or disables (0) App-Ready Optimization

    tecli advanced attributes set wem_verify <1|0> = enables (1) or disables (0) the Web Emulation (WEM) images verification

    tecli advanced attributes set sha1_collision_attack_detection <1|0> = enables (1) or disables (0) the SHA-1 Collision Attack detection
(sk116141)

    tecli advanced attributes set max_vm <number> = sets the maximal number of concurrently running VMs

    tecli advanced attributes set max_create <value> = sets the maximal number of VMs that can be created concurrently

    tecli advanced attributes set disable_ted_pnote <1|0> = enables (1) or disables (0) notifications from the Critical Device "ted" in ClusterXL
(sk107542)

    tecli advanced attributes set fake_html_response_timeout <value> = sets timeout (in seconds) for fake HTML response

    tecli advanced attributes set max_scratch_file_size <value> = sets maximal size (in MB) for scratch file

    tecli advanced attributes set classifier_second_emulation <1|0> = enables (1) or disables (0) second emulation after re-classification

    tecli advanced attributes set icon_similarity_status <1|0> = enables (1) or disables (0) icon similarity status

    tecli advanced attributes set enable_hps_retry <1|0> = enables (1) or disables (0) HPS retry

    tecli advanced attributes set tc_advisory_num_consumers <value> = sets TC advisory number of consumers

    tecli advanced attributes set file_uploader_num_consumers <value> = sets file uploader number of consumers

    tecli advanced attributes set static_macro_analyzer_status <1|0> = enables (1) or disables (0) Static Macro Analyzer

    tecli advanced attributes set reports_version_number <1|2> = sets the reports version number - default (1) or new reports (2) - refer to
sk120357

tecli advanced remote ... = configures the Security Gateway to use multiple remote Threat Emulation Private Cloud Appliances (sk102309)

  tecli advanced remote show = shows the list of configured remote Threat Emulation Private Cloud Appliances

  tecli advanced remote activate = activates the support for multiple remote Threat Emulation Private Cloud Appliances

  tecli advanced remote deactivate = deactivates (default) the support for multiple remote Threat Emulation Private Cloud Appliances

  tecli advanced remote add <IP Address of Appliance> = adds the specified remote Threat Emulation Private Cloud Appliance

  tecli advanced remote remove <Appliance ID> = removes the specified remote Threat Emulation Private Cloud Appliance

  tecli advanced remote add_ssl = adds new Private Cloud Appliance for emulation using SSL

  tecli advanced remote emulator ... = controls actions with remote Threat Emulation Private Cloud Appliance

    tecli advanced remote emulator logs ... = controls logs for remote Threat Emulation Private Cloud Appliance

      tecli advanced remote emulator logs status = shows logs status for remote emulator

      tecli advanced remote emulator logs enable = enables logs for remote emulator

      tecli advanced remote emulator logs disable = disables (default) logs for remote emulator

tecli advanced persistency ... = configures persistency mode

  tecli advanced persistency queue_size = shows persistency queue size

  tecli advanced persistency show = shows current configured values

  tecli advanced persistency default = resets persistency parameters to default

  tecli advanced persistency set ... = sets persistency configuration

    tecli advanced persistency set enable <1|0> = enables (1; default) or disables (0) persistency mode feature

    tecli advanced persistency set inject_interval <value> = sets interval (in seconds; default is 10) for injection of event profile to TED daemon

    tecli advanced persistency set file_for_fetch <value> = sets the number of files to fetch from the database for recovery (default is 50,000)

    tecli advanced persistency set file_for_working_batch <value> = sets the number of files of working batch from the database for recovery (default is 360)

    tecli advanced persistency set max_retries <value> = sets the number of maximum retries for recovery (default is 3)

    tecli advanced persistency set retries_interval <value> = sets the maximal number of minutes allowed for recovery retries (default is 120)

    tecli advanced persistency set try_again <value> = sets the number of minutes for trying the recovery mechanism again after a failure (default is 1440)

    tecli advanced persistency set clean_period <value> = sets the time period (in minutes) between database cleanup checks (default is 10)

    tecli advanced persistency set max_keep <value> = sets how old (in minutes) the files should be kept in the database (default is 720)

  tecli advanced persistency clear = deletes all the records from the persistency table

tecli advanced part_response ... = configures the Threat Emulation Early Verdict for Prevent (sk117168)

  tecli advanced part_response local ... = manages local partial response configuration

    tecli advanced part_response local stat = shows the current status of the local partial response

    tecli advanced part_response local enable = activates the local partial response

    tecli advanced part_response local disable = deactivates the local partial response

  tecli advanced part_response remote ... = manages remote partial response configuration on the sender side

    tecli advanced part_response remote stat = shows the current status of the remote partial response on the sender side

    tecli advanced part_response remote enable = activates the remote partial response on the sender side

    tecli advanced part_response remote disable = deactivates the remote partial response on the sender side

  tecli advanced part_response cloud ... = manages cloud partial response configuration on the sender side

    tecli advanced part_response cloud stat = shows the current status of the cloud partial response on the sender side

    tecli advanced part_response cloud enable = activates the cloud partial response on the sender side

    tecli advanced part_response cloud disable = deactivates the cloud partial response on the sender side

tecli advanced multiplier ... = shows and sets images clock multiplier

  tecli advanced multiplier show = shows images clock multiplier

  tecli advanced multiplier set <Image_UID> <value> = sets images clock multiplier

tecli advanced dropped ... = configures actions for dropped files (files created by the emulation file)

  tecli advanced dropped max_files <value> = sets maximal number of dropped files to download from QEMU

  tecli advanced dropped remove_dropped <1|0> = enables (1) or disables (0) removal of dropped files directory (requires installation of Threat
Prevention policy)

tecli advanced url ... = controls URL Reputation actions

  tecli advanced url show = displays URL Reputation current configuration values

  tecli advanced url default = resets URL Reputation parameters to their default values

  tecli advanced url cache ... = control URL Reputation cache

    tecli advanced url cache size = counts all the URL Reputation cache records

    tecli advanced url cache clean = deletes all the URL Reputation cache records

  tecli advanced url set ... = configures URL Reputation cache parameters

    tecli advanced url set cache_purge_interval <value> = sets the interval (in minutes, from 10 to 60) to purge the URL Reputation cache

    tecli advanced url set max_request_size <value> = sets the number (from 50 to 1000) of maximum URLs per cloud request

    tecli advanced url set cloud_scan_interval <value> = sets the interval (in seconds, from 5 to 10) to scan URLs at cloud

    tecli advanced url set cloud_num_consumers <value> = sets the number (from 3 to 10) of cloud message queue consumers (requires restart of TED daemon)

    tecli advanced url set cloud_request_timeout <value> = sets the timeout (in seconds, from 60 to 300) for cloud request

tecli advanced urls ... = displays information about and configures URL requests

  tecli advanced urls show = displays information about URL requests queue, counters, URLs cache TTL, timeout and concurrent requests number

  tecli advanced urls concurrent_requests <value> = sets concurrent requests limit (default is 5)

  tecli advanced urls reset = resets URLs counters

  tecli advanced urls cache = lists all the records in the URLs cache

  tecli advanced urls ttl <value> = sets TTL for URLs cache entries (default is 1440 minutes)

  tecli advanced urls timeout <value> = sets maximal time (in seconds) to wait while downloading file by link from e-mail (default is 120 seconds)

tecli advanced av_mode ... = configures Anti-Virus mode parameters

  tecli advanced av_mode show = shows current configuration values

  tecli advanced av_mode set status <1|0> = enables (1) or disables (0) Anti-Virus mode (requires installation of Threat Prevention policy; might impact performance)

tecli advanced scanengine ... = shows and sets scan engine options

  tecli advanced scanengine show = show scan engine configuration

  tecli advanced scanengine restart = restarts scan engine process

  tecli advanced scanengine set ... = sets scan engine configuration

    tecli advanced scanengine set debugs <1|0> = enables (1) or disables (0) full debugs - effective after scan engine restart

    tecli advanced scanengine set heuristics <shallow|medium|detail|maximum> = sets heuristics level for scan engine - effective after scan
engine restart

    tecli advanced scanengine set updates <value> = sets interval in minutes for updates (requires restart of TED daemon)

    tecli advanced scanengine set suspicious_behaviour <1|0> = treats suspicious files as clean (1) or as malicious (0) (requires restart of TED
daemon)

tecli advanced wem ... = manages Web Emulation

  tecli advanced wem status = show current status

  tecli advanced wem show-config = shows all configuration variables

  tecli advanced wem config ... = configures Web Emulation parameters

    tecli advanced wem config enable <1|0> = enables (1) or disables (0) Web Emulation

    tecli advanced wem config domain_thrsh <true|false> = enables (true) or disables (false) domain threshold with Web Emulation (default is 'false')

    tecli advanced wem config scan_time_ms <value> = sets Web Emulation scan time (default is 5000 millisec)

    tecli advanced wem config skip_phase1 <true|false> = skips (true) or does not skip (false) Web Emulation Phase1 to go directly to Phase2 (default is 'false')

    tecli advanced wem config strict_embedded_mode <true|false> = enables (true) or disables (false) Web Emulation strict embedded mode (default is 'false')

tecli advanced vmres ... = manages VM Resources

  tecli advanced vmres show = show running state (memory limit, memory usage, number of running VMs)

  tecli advanced vmres adptive_delay_util_thrsh = internal

  tecli advanced vmres delay_factor = internal

  tecli advanced vmres ht_factor = internal

  tecli advanced vmres mhz_req_per_vm = internal

  tecli advanced vmres max_ram_util = internal

tecli cache ... commands

These commands control Threat Emulation Local Cache.

Note: In cluster environment, the Threat Emulation local cache is not synchronized between cluster members.

The available sub-commands are (for engine version 54.990001309):

tecli cache enable = enables (1) or disables (0) the Local Cache

tecli cache size = displays the number of all records in Local Cache

tecli cache clean = deletes all the records in the Local Cache

  Note: Do not clear the whole cache - this will have a negative impact on performance!

tecli cache sha1 <sha1_string> = shows records with specific SHA1 hash

tecli cache filename </path_to/file> = shows records for specific file

tecli cache remove ... = removes files from Local Cache

  tecli cache remove sha1 <sha1_string> = removes records based on a specific hash

  tecli cache remove filename </path_to/file> = removes records based on a specific file path

  tecli cache remove extension <extension> = removes records of a specific file extension

  tecli cache remove benign = removes specific benign records

  tecli cache remove malicious = removes specific malicious records

tecli cache dump ... = dumps Local Cache contents

  tecli cache dump all = lists all the records

  tecli cache dump benign = lists all the benign records

  tecli cache dump malicious = lists all the malicious records

  tecli cache dump archives ... = lists all the records about archive files

    tecli cache dump archives table = lists all archive records in the Local Cache in a table format

    tecli cache dump archives csv = lists all archive records the in Local Cache in a CSV format

  tecli cache dump settings ... = controls results for Local Cache dump commands

    tecli cache dump settings limited ... = controls number of dump commands results

      tecli cache dump settings limited display = displays the status of Local Cache dump limit mode

      tecli cache dump settings limited set <1|0> = enables (1) or disables (0) the Local Cache dump limit mode

    tecli cache dump settings max-records ... = controls records limit for each dump command

      tecli cache dump settings max-records display = shows the maximal number of rows retrieved for each dump command

      tecli cache dump settings max-records <value> = sets the maximal number of rows retrieved for each dump command (default is 20)

tecli cache ttl ... = controls the files' TTL in the Local Cache

  tecli cache ttl display = displays the current TTL

  tecli cache ttl default = sets the TTL to default (168 hrs, i.e., 7 days)

  tecli cache ttl set <hours> = sets the TTL to specified number of hours

tecli debug ... commands

These commands control the debug parameters of the Threat Emulation daemon (TED).


The available sub-commands are (for engine version 54.990001309):

tecli debug set <TOPIC1> <SEVERITY1> <TOPIC2> <SEVERITY2> ... = sets specific debug topic with specified severity

  Note: Currently, only the "tecli debug set TE all" command should be used.

tecli debug unset <TOPIC> = unsets a specific debug topic (currently, only the "tecli debug defaults" command should be used)

tecli debug on = turns on debug (first, the debug topics have to be set)

tecli debug off = turns off debug

tecli debug reset = resets all debug topics (currently, only the "tecli debug defaults" command should be used)

tecli debug defaults = resets all debug topics to their default values

tecli debug stat = shows current debug status

tecli debug rotate = rotates the current TED daemon's log file $FWDIR/log/ted.elg (moves the current file to $FWDIR/log/ted.elg.<N> and opens a new one)

tecli debug memory = displays the memory consumption by Threat Emulation

tecli debug spaces <N> = sets number of spaces in identical logs [0..5] - indentation for each level

tecli debug scan ... = connections scanning debug options

  tecli debug scan local stat = shows the status of local connections scanning

  tecli debug scan local enable = enables the scan of local connections

  tecli debug scan local disable = disables the scan of local connections

tecli debug clean = cleans all TED daemon's log files ($FWDIR/log/ted.elg)

tecli debug partreq ... = counter of partial file request (HTTP 206)

  tecli debug partreq get = gets the value of kernel parameter g_ci_av_te_http_206_file_request

  tecli debug partreq set <value> = sets the value of kernel parameter g_ci_av_te_http_206_file_request (up to 2^32-1)

  tecli debug partreq init = initializes the value of kernel parameter g_ci_av_te_http_206_file_request

tecli debug incfile ... = counter of incomplete files

  tecli debug incfile get = gets the value of kernel parameter g_ci_av_te_file_cut

  tecli debug incfile set <value> = sets the value of kernel parameter g_ci_av_te_file_cut (up to 2^32-1)

  tecli debug incfile init = initializes the value of kernel parameter g_ci_av_te_file_cut

tecli debug sptrack = displays the SmartPtr Bookkeeping information

tecli debug dep = dumps bookkeeping of event profile

(11) The cpstat threat-emulation command

The cpstat command displays various counters and statistical information about Check Point Software Blades.

For the Threat Emulation blade, you can run either the "cpstat threat-emulation -f <flag>" command or the "cpstat -f <flag> threat-emulation" command. The flags and the SNMP OIDs behind each of them are listed below.

cpstat threat-emulation -f default

Displayed information:

Current Threat Emulation status and Engine versions:

Status: <N>

Status short description: <XXXXXX>

Status long description: <XXXXXX>

Engine Major Version: <N>

Engine Minor Version: <N>

Example:

Status: 2

Status short description: error

Status long description: Threat Emulation update failed, cannot download Raw Files. Failed running download process.

Engine Major Version: 54

Engine Minor Version: 990001309

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.29

.1.3.6.1.4.1.2620.1.49.30

.1.3.6.1.4.1.2620.1.49.101

.1.3.6.1.4.1.2620.1.49.102

.1.3.6.1.4.1.2620.1.49.103

cpstat threat-emulation -f contract

Displayed information:

Threat Emulation Contract and Quota:


TE Contract Name: <XXXXXX>

TE Subscription Expire Date: <XXXXXX>

TE Cloud Hourly Quota: <N>

TE Cloud Monthly Quota: <N>

TE Cloud Remaining Quota: <N>

TE Maximal VMs Number: <N>

TE Subscription Status: <XXXXXX>

TE Cloud Quota Status: <XXXXXX>

TE Subscription Description: <XXXXXX>

TE Cloud Quota Description: <XXXXXX>

TE Cloud Quota Identifier: <XXXXXX>

TE Cloud Monthly Quota Period Start: <XXXXXX>

TE Cloud Monthly Quota Period End: <XXXXXX>

TE Cloud Monthly Quota Usage for This GW: <N>

TE Cloud Hourly Quota Usage for this GW: <N>

TE Cloud Monthly Quota Usage for Quota ID: <N>

TE Cloud Hourly Quota Usage for Quota ID: <N>

TE Cloud Monthly Quota Exceeded: <N>

TE Cloud Hourly Quota Exceeded: <N>

TE Cloud Last Quota Update GMT Time: <XXXXXX>

Example:

TE Contract Name: temu_local

TE Subscription Expire Date: 1533190420

TE Cloud Hourly Quota: 0

TE Cloud Monthly Quota: 0

TE Cloud Remaining Quota: 0

TE Maximal VMs Number: 4294967295

TE Subscription Status: valid

TE Cloud Quota Status: ok

TE Subscription Description: Subscription is up to date

TE Cloud Quota Description: Cloud emulation is not used

TE Cloud Quota Identifier: N/A

TE Cloud Monthly Quota Period Start: 0

TE Cloud Monthly Quota Period End: 0

TE Cloud Monthly Quota Usage for This GW: 0

TE Cloud Hourly Quota Usage for this GW: 0

TE Cloud Monthly Quota Usage for Quota ID: 0

TE Cloud Hourly Quota Usage for Quota ID: 0

TE Cloud Monthly Quota Exceeded: 0

TE Cloud Hourly Quota Exceeded: 0

TE Cloud Last Quota Update GMT Time: 0

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.19

.1.3.6.1.4.1.2620.1.49.20

.1.3.6.1.4.1.2620.1.49.21

.1.3.6.1.4.1.2620.1.49.22

.1.3.6.1.4.1.2620.1.49.23

.1.3.6.1.4.1.2620.1.49.24

.1.3.6.1.4.1.2620.1.49.25

.1.3.6.1.4.1.2620.1.49.26

.1.3.6.1.4.1.2620.1.49.27

.1.3.6.1.4.1.2620.1.49.28

.1.3.6.1.4.1.2620.1.49.31

.1.3.6.1.4.1.2620.1.49.32

.1.3.6.1.4.1.2620.1.49.33

.1.3.6.1.4.1.2620.1.49.34

.1.3.6.1.4.1.2620.1.49.35

.1.3.6.1.4.1.2620.1.49.37

.1.3.6.1.4.1.2620.1.49.38

.1.3.6.1.4.1.2620.1.49.39

.1.3.6.1.4.1.2620.1.49.40

.1.3.6.1.4.1.2620.1.49.41

cpstat threat-emulation -f update_status

Displayed information:

Threat Emulation update status:

Example 1:

TE Update Status: up-to-date

TE Update Description: Initializing

Example 2:

TE Update Status: downloading

TE Update Description: Download started at Sun Sep 3 16:35:57 2017

Example 3:

TE Update Status: failed

TE Update Description: Threat Emulation update failed, cannot download Raw Files. Failed running download process.

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.16

.1.3.6.1.4.1.2620.1.49.17
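The "-f default", "-f contract" and "-f update_status" outputs above are what an operator usually polls first when Threat Emulation misbehaves. The following script is an added example, not part of this article and not Check Point code: it parses the "Key: value" format shown above and turns it into findings that can be fed into a monitoring check. The sample texts are copied from the examples in this article; treating "TE Subscription Expire Date" as a Unix epoch, and treating any non-zero "Status" as needing attention, are this example's assumptions (the article documents only the value 2 = error).

```python
# Added example (not Check Point code): health checks over the "Key: value" output of
# "cpstat threat-emulation -f default|contract|update_status".
import re

# Sample output of "cpstat threat-emulation -f default" (copied from the article).
SAMPLE_DEFAULT = """\
Status: 2
Status short description: error
Status long description: Threat Emulation update failed, cannot download Raw Files. Failed running download process.
Engine Major Version: 54
Engine Minor Version: 990001309
"""

# Sample output of "cpstat threat-emulation -f contract" (copied from the article, abridged).
SAMPLE_CONTRACT = """\
TE Contract Name: temu_local
TE Subscription Expire Date: 1533190420
TE Cloud Hourly Quota: 0
TE Cloud Monthly Quota: 0
TE Maximal VMs Number: 4294967295
TE Subscription Status: valid
TE Cloud Quota Status: ok
TE Subscription Description: Subscription is up to date
TE Cloud Monthly Quota Exceeded: 0
TE Cloud Hourly Quota Exceeded: 0
"""

# Sample output of "cpstat threat-emulation -f update_status" (example 3 in the article).
SAMPLE_UPDATE = """\
TE Update Status: failed
TE Update Description: Threat Emulation update failed, cannot download Raw Files. Failed running download process.
"""

UNLIMITED_VMS = 2**32 - 1      # "TE Maximal VMs Number" reported with an Evaluation license
DAY = 86400


def parse_cpstat(text):
    """Turn 'Key: value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        fields[key.strip()] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return fields


def check_default(fields):
    """Findings for '-f default'. Assumption: Status 0 is healthy, anything else is reported."""
    if fields.get("Status", 0) == 0:
        return []
    return [f"status {fields['Status']} ({fields.get('Status short description', '?')}): "
            f"{fields.get('Status long description', '')}"]


def check_contract(fields, now_epoch, warn_days=30):
    """Findings for '-f contract' plus the days left on the subscription.

    Assumption: 'TE Subscription Expire Date' is a Unix epoch (the sample value
    1533190420 is 2018-08-02 06:13:40 UTC)."""
    findings = []
    days_left = (fields["TE Subscription Expire Date"] - now_epoch) // DAY
    if fields.get("TE Subscription Status") != "valid":
        findings.append(f"subscription status is {fields.get('TE Subscription Status')!r}: "
                        f"{fields.get('TE Subscription Description', '')}")
    if days_left < warn_days:
        findings.append(f"subscription expires in {days_left} days")
    for window in ("Monthly", "Hourly"):
        if fields.get(f"TE Cloud {window} Quota Exceeded"):
            findings.append(f"ThreatCloud {window.lower()} quota exceeded")
    if fields.get("TE Maximal VMs Number") == UNLIMITED_VMS:
        findings.append("VM limit is 2^32-1: evaluation license, not a production contract")
    return findings, days_left


def check_update(fields):
    """Findings for '-f update_status': 'failed' is an error, 'downloading' is informational."""
    status = fields.get("TE Update Status")
    if status == "failed":
        return [f"engine/image update failed: {fields.get('TE Update Description', '')}"]
    if status == "downloading":
        return [f"update in progress: {fields.get('TE Update Description', '')}"]
    return []


if __name__ == "__main__":
    import time
    # On a gateway, feed the live output of the three cpstat commands instead of the samples.
    for name, text, fn in (("default", SAMPLE_DEFAULT, check_default),
                           ("update_status", SAMPLE_UPDATE, check_update)):
        for finding in fn(parse_cpstat(text)):
            print(f"[{name}] {finding}")
    for finding in check_contract(parse_cpstat(SAMPLE_CONTRACT), int(time.time()))[0]:
        print(f"[contract] {finding}")
```

The epoch arithmetic is integer division so the expiry warning fires on whole days only; the same parser works for any of the "Key: value" flags in this section, while the "|...|" tables need the separate table parser shown under Static Analysis below.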

cpstat threat-emulation -f general_statuses

Displayed information:

Threat Emulation general counters:


TE Email Scanned: <N>

TE Downloaded Files Scanned: <N>

TE Files In Queue: <N>

TE Number Of Emulation Environments: <N>

TE Is First Download: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.12

.1.3.6.1.4.1.2620.1.49.13

.1.3.6.1.4.1.2620.1.49.14

.1.3.6.1.4.1.2620.1.49.15

.1.3.6.1.4.1.2620.1.49.36

cpstat threat-emulation -f malware_detected

Displayed information:

Threat Emulation counters of detected malware on this appliance:

TE Malware Detected: <N>

TE Malware Detected Last Day: <N>

TE Malware Detected Last Week: <N>

TE Malware Detected Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.5.1

.1.3.6.1.4.1.2620.1.49.5.2

.1.3.6.1.4.1.2620.1.49.5.3

.1.3.6.1.4.1.2620.1.49.5.4

cpstat threat-emulation -f malware_on_cloud

Displayed information:

Threat Emulation counters of detected malware on ThreatCloud:

TE Malware Detected On Threat Cloud: <N>

TE Malware Detected On Threat Cloud Last Day: <N>

TE Malware Detected On Threat Cloud Last Week: <N>

TE Malware Detected On Threat Cloud Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.7.1

.1.3.6.1.4.1.2620.1.49.7.2

.1.3.6.1.4.1.2620.1.49.7.3

.1.3.6.1.4.1.2620.1.49.7.4

cpstat threat-emulation -f queue_size

Displayed information:

Threat Emulation counters for queue size:

TE Queue Size: <N>

TE Queue Size Last Day: <N>

TE Queue Size Last Week: <N>

TE Queue Size Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.10.1

.1.3.6.1.4.1.2620.1.49.10.2

.1.3.6.1.4.1.2620.1.49.10.3

.1.3.6.1.4.1.2620.1.49.10.4

cpstat threat-emulation -f queue_table

Displayed information:

Threat Emulation queue:

Threat-Emulation Queue Files Table

-----------------------------------------------------------------

|File Name|Time In Queue|Analyzed On|Image|File Size|File Source|

-----------------------------------------------------------------

... ...

-----------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.1.1.1.2

.1.3.6.1.4.1.2620.1.49.1.1.1.3

.1.3.6.1.4.1.2620.1.49.1.1.1.4

.1.3.6.1.4.1.2620.1.49.1.1.1.5

.1.3.6.1.4.1.2620.1.49.1.1.1.6

.1.3.6.1.4.1.2620.1.49.1.1.1.7

cpstat threat-emulation -f scanned_files


Displayed information:

Threat Emulation counters of scanned files on this appliance:

TE Scanned Files: <N>

TE Scanned Files Last Day: <N>

TE Scanned Files Last Week: <N>

TE Scanned Files Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.4.1

.1.3.6.1.4.1.2620.1.49.4.2

.1.3.6.1.4.1.2620.1.49.4.3

.1.3.6.1.4.1.2620.1.49.4.4

cpstat threat-emulation -f scanned_on_cloud

Displayed information:

Threat Emulation counters of scanned files on ThreatCloud:

TE Scanned Files On Threat Cloud: <N>

TE Scanned Files On Threat Cloud Last Day: <N>

TE Scanned Files On Threat Cloud Last Week: <N>

TE Scanned Files On Threat Cloud Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.6.1

.1.3.6.1.4.1.2620.1.49.6.2

.1.3.6.1.4.1.2620.1.49.6.3

.1.3.6.1.4.1.2620.1.49.6.4

cpstat threat-emulation -f peak_size

Displayed information:

Threat Emulation counters for peak size of the queue:

TE Peak Size: <N>

TE Peak Size Last Day: <N>

TE Peak Size Last Week: <N>

TE Peak Size Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.11.1

.1.3.6.1.4.1.2620.1.49.11.2

.1.3.6.1.4.1.2620.1.49.11.3

.1.3.6.1.4.1.2620.1.49.11.4

cpstat threat-emulation -f average_process_time

Displayed information:

Threat Emulation counters for average emulation time:

TE Average Process Time: <N>

TE Average Process Time Last Day: <N>

TE Average Process Time Last Week: <N>

TE Average Process Time Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.8.1

.1.3.6.1.4.1.2620.1.49.8.2

.1.3.6.1.4.1.2620.1.49.8.3

.1.3.6.1.4.1.2620.1.49.8.4

cpstat threat-emulation -f downloading_file_information

Displayed information:

Threat Emulation information about file download:

Average Download Percentage: - <N>

Threat-Emulation Downloading Files Table

---------------------------------------------------------------------------------------------------------------------

|Type|Downloading File Revision|Downloading File Size|Downloading File Down Start Time|Downloading File Down Percent|

---------------------------------------------------------------------------------------------------------------------

... ... ...

---------------------------------------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.2.1.2

.1.3.6.1.4.1.2620.1.49.2.1.9

.1.3.6.1.4.1.2620.1.49.2.1.10

.1.3.6.1.4.1.2620.1.49.2.1.11

.1.3.6.1.4.1.2620.1.49.2.1.12

.1.3.6.1.4.1.2620.1.49.3

cpstat threat-emulation -f downloads_information_current

Displayed information:

Threat Emulation information about current file download:

Average Download Percentage: - <N>

Threat-Emulation Current Files Table

-----------------------------------------------------------

|Type|UUID|Name|Revision|Size|Start Down Time|Down Percent|

-----------------------------------------------------------

... ...

-----------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.2.1.2

.1.3.6.1.4.1.2620.1.49.2.1.3

.1.3.6.1.4.1.2620.1.49.2.1.4

.1.3.6.1.4.1.2620.1.49.2.1.5

.1.3.6.1.4.1.2620.1.49.2.1.6

.1.3.6.1.4.1.2620.1.49.2.1.7

.1.3.6.1.4.1.2620.1.49.2.1.8

.1.3.6.1.4.1.2620.1.49.3

cpstat threat-emulation -f emulated_file_size

Displayed information:

Threat Emulation counters of emulated files size:

TE Emulated File Size: <N>

TE Emulated File Size Last Day: <N>

TE Emulated File Size Last Week: <N>

TE Emulated File Size Last Month: <N>

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.9.1

.1.3.6.1.4.1.2620.1.49.9.2

.1.3.6.1.4.1.2620.1.49.9.3

.1.3.6.1.4.1.2620.1.49.9.4

cpstat threat-emulation -f file_type_stat_cache_hit_rate

Displayed information:

Threat Emulation counters for cache hit rate per file type.

Example:

Threat-Emulation Statistics, Cache Hit Rate

-----------------------------------------------------------------------------------------------------

|File Type|Cache Hit Rate|Cache Hit Rate Last Day|Cache Hit Rate Last Week|Cache Hit Rate Last Month|

-----------------------------------------------------------------------------------------------------

|doc | 0| 0| 0| 0|

|docx | 0| 0| 0| 0|

|pdf | 0| 0| 0| 0|

|ppt | 0| 0| 0| 0|

|pptx | 0| 0| 0| 0|

|xls | 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0|

-----------------------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.2

.1.3.6.1.4.1.2620.1.49.18.1.1.23

.1.3.6.1.4.1.2620.1.49.18.1.1.24

.1.3.6.1.4.1.2620.1.49.18.1.1.25

.1.3.6.1.4.1.2620.1.49.18.1.1.26

cpstat threat-emulation -f file_type_stat_cloud_malware_scanned

Displayed information:

Threat Emulation counters for files scanned on ThreatCloud and detected as containing malware per file type:

Example:

Threat-Emulation Statistics, Threatcloud Malware Scanned

---------------------------------------------------------------------------------------------------------------------------------

|File Type|Scanned|Threatcloud Malware|Threatcloud Malware Last Day|Threatcloud Malware Last Week|Threatcloud Malware Last Month|

---------------------------------------------------------------------------------------------------------------------------------

|doc | 0| 0| 0| 0| 0|

|docx | 0| 0| 0| 0| 0|

|pdf | 0| 0| 0| 0| 0|

|ppt | 0| 0| 0| 0| 0|

|pptx | 0| 0| 0| 0| 0|

|xls | 0| 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0| 0|

---------------------------------------------------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.2

.1.3.6.1.4.1.2620.1.49.18.1.1.3

.1.3.6.1.4.1.2620.1.49.18.1.1.15

.1.3.6.1.4.1.2620.1.49.18.1.1.16

.1.3.6.1.4.1.2620.1.49.18.1.1.17

.1.3.6.1.4.1.2620.1.49.18.1.1.18

cpstat threat-emulation -f file_type_stat_cloud_scanned

Displayed information:

Threat Emulation counters for files scanned on ThreatCloud per file type.

Example:

Threat-Emulation Statistics, Threatcloud Scanned

-------------------------------------------------------------------------------------------------------------------------

|File Type|Threatcloud Scanned|Threatcloud Scanned Last Day|Threatcloud Scanned Last Week|Threatcloud Scanned Last Month|

-------------------------------------------------------------------------------------------------------------------------

|doc | 0| 0| 0| 0|

|docx | 0| 0| 0| 0|

|pdf | 0| 0| 0| 0|

|ppt | 0| 0| 0| 0|

|pptx | 0| 0| 0| 0|

|xls | 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0|

-------------------------------------------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.11

.1.3.6.1.4.1.2620.1.49.18.1.1.12

.1.3.6.1.4.1.2620.1.49.18.1.1.13

.1.3.6.1.4.1.2620.1.49.18.1.1.14

cpstat threat-emulation -f file_type_stat_error_count

Displayed information:

Threat Emulation counters for emulation errors per file type.

Example:

Threat-Emulation Statistics, Error Count

-----------------------------------------------------------------------------------------

|File Type|Error Count|Error Count Last Day|Error Count Last Week|Error Count Last Month|

-----------------------------------------------------------------------------------------

|doc | 0| 0| 0| 0|

|docx | 0| 0| 0| 0|

|pdf | 0| 0| 0| 0|

|ppt | 0| 0| 0| 0|

|pptx | 0| 0| 0| 0|

|xls | 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0|

-----------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.2

.1.3.6.1.4.1.2620.1.49.18.1.1.27

.1.3.6.1.4.1.2620.1.49.18.1.1.28

.1.3.6.1.4.1.2620.1.49.18.1.1.29

.1.3.6.1.4.1.2620.1.49.18.1.1.30

cpstat threat-emulation -f file_type_stat_file_scanned

Displayed information:

Threat Emulation counters for scanned files per file type.

Example:

Threat-Emulation Statistics, Scanned Files

-------------------------------------------------------------------------

|File Type|Scanned|Scanned Last Day|Scanned Last Week|Scanned Last Month|

-------------------------------------------------------------------------

|doc | 0| 0| 0| 0|

|docx | 0| 0| 0| 0|

|pdf | 0| 0| 0| 0|

|ppt | 0| 0| 0| 0|

|pptx | 0| 0| 0| 0|

|xls | 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0|

-------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.2

.1.3.6.1.4.1.2620.1.49.18.1.1.3

.1.3.6.1.4.1.2620.1.49.18.1.1.4

.1.3.6.1.4.1.2620.1.49.18.1.1.5

.1.3.6.1.4.1.2620.1.49.18.1.1.6

cpstat threat-emulation -f file_type_stat_filter_by_analysis

Displayed information:

Threat Emulation counters for files filtered by static analysis per file type.

Example:

Threat-Emulation Statistics, Filter By Analysis

---------------------------------------------------------------------------------------------------------------------

|File Type|Filter By Analysis|Filter By Analysis Last Day|Filter By Analysis Last Week|Filter By Analysis Last Month|

---------------------------------------------------------------------------------------------------------------------

|doc | 0| 0| 0| 0|

|docx | 0| 0| 0| 0|

|pdf | 0| 0| 0| 0|

|ppt | 0| 0| 0| 0|

|pptx | 0| 0| 0| 0|

|xls | 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0|

---------------------------------------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.2

.1.3.6.1.4.1.2620.1.49.18.1.1.19

.1.3.6.1.4.1.2620.1.49.18.1.1.20

.1.3.6.1.4.1.2620.1.49.18.1.1.21

.1.3.6.1.4.1.2620.1.49.18.1.1.22

cpstat threat-emulation -f file_type_stat_malware_detected

Displayed information:

Threat Emulation counters for files detected as containing malware per file type.

Example:

Threat-Emulation Statistics, Malware Detected

-------------------------------------------------------------------------------------------------------------

|File Type|Malware Detected|Malware Detected Last Day|Malware Detected Last Week|Malware Detected Last Month|

-------------------------------------------------------------------------------------------------------------

|doc | 0| 0| 0| 0|

|docx | 0| 0| 0| 0|

|pdf | 0| 0| 0| 0|

|ppt | 0| 0| 0| 0|

|pptx | 0| 0| 0| 0|

|xls | 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0|

-------------------------------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.2

.1.3.6.1.4.1.2620.1.49.18.1.1.7

.1.3.6.1.4.1.2620.1.49.18.1.1.8

.1.3.6.1.4.1.2620.1.49.18.1.1.9

.1.3.6.1.4.1.2620.1.49.18.1.1.10

cpstat threat-emulation -f file_type_stat_no_resource_count

Displayed information:

Threat Emulation counters for files filtered by static analysis without resource count per file type.

Example:

Threat-Emulation Statistics, No Resource Count

-----------------------------------------------------------------------------------------------------------------

|File Type|No Resource Count|No Resource Count Last Day|No Resource Count Last Week|No Resource Count Last Month|

-----------------------------------------------------------------------------------------------------------------

|doc | 0| 0| 0| 0|

|docx | 0| 0| 0| 0|

|pdf | 0| 0| 0| 0|

|ppt | 0| 0| 0| 0|

|pptx | 0| 0| 0| 0|

|xls | 0| 0| 0| 0|

|xlsx | 0| 0| 0| 0|

-----------------------------------------------------------------------------------------------------------------

Which Threat Emulation SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.49.18.1.1.2

.1.3.6.1.4.1.2620.1.49.18.1.1.31

.1.3.6.1.4.1.2620.1.49.18.1.1.32

.1.3.6.1.4.1.2620.1.49.18.1.1.33

.1.3.6.1.4.1.2620.1.49.18.1.1.34

cpstat threat-emulation -f history_te_comp_hosts

Displayed information:

Threat Emulation counters for compromised hosts.

Example:

Threat-Emulation Compromised hosts (last hour in 10 minutes resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Threat-Emulation Compromised hosts (last day in 4 hours resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Threat-Emulation Compromised hosts (last week in 1 day resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Threat-Emulation Compromised hosts (last month in 5 days resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Which SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.47.1.7.1.10

.1.3.6.1.4.1.2620.1.47.1.7.1.11

.1.3.6.1.4.1.2620.1.47.1.7.1.12

.1.3.6.1.4.1.2620.1.47.1.7.1.13

.1.3.6.1.4.1.2620.1.47.1.8.1.10

.1.3.6.1.4.1.2620.1.47.1.8.1.11

.1.3.6.1.4.1.2620.1.47.1.8.1.12

.1.3.6.1.4.1.2620.1.47.1.8.1.13

.1.3.6.1.4.1.2620.1.47.1.9.1.10

.1.3.6.1.4.1.2620.1.47.1.9.1.11

.1.3.6.1.4.1.2620.1.47.1.9.1.12

.1.3.6.1.4.1.2620.1.47.1.9.1.13

.1.3.6.1.4.1.2620.1.47.1.10.1.10

.1.3.6.1.4.1.2620.1.47.1.10.1.11

.1.3.6.1.4.1.2620.1.47.1.10.1.12

.1.3.6.1.4.1.2620.1.47.1.10.1.13

cpstat threat-emulation -f history_te_incidents

Displayed information:

Threat Emulation counters for incidents.

Example:

Threat-Emulation Incidents (last hour in 10 minutes resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Threat-Emulation Incidents (last day in 4 hours resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Threat-Emulation Incidents (last week in 1 day resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Threat-Emulation Incidents (last month in 5 days resolution)

--------------------------

|Low|Medium|High|Critical|

--------------------------

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

| 0| 0| 0| 0|

--------------------------

Which SNMP OIDs are queried?

.1.3.6.1.4.1.2620.1.47.1.1.1.10

.1.3.6.1.4.1.2620.1.47.1.1.1.11

.1.3.6.1.4.1.2620.1.47.1.1.1.12

.1.3.6.1.4.1.2620.1.47.1.1.1.13

.1.3.6.1.4.1.2620.1.47.1.2.1.10

.1.3.6.1.4.1.2620.1.47.1.2.1.11

.1.3.6.1.4.1.2620.1.47.1.2.1.12

.1.3.6.1.4.1.2620.1.47.1.2.1.13

.1.3.6.1.4.1.2620.1.47.1.3.1.10

.1.3.6.1.4.1.2620.1.47.1.3.1.11

.1.3.6.1.4.1.2620.1.47.1.3.1.12

.1.3.6.1.4.1.2620.1.47.1.3.1.13

.1.3.6.1.4.1.2620.1.47.1.4.1.10

.1.3.6.1.4.1.2620.1.47.1.4.1.11

.1.3.6.1.4.1.2620.1.47.1.4.1.12

.1.3.6.1.4.1.2620.1.47.1.4.1.13

(12) Factors that limit the number of Virtual Machines that can be started

The number of Virtual Machines that can be started is bound by the installed license, the CPU load and the RAM utilization.

Bounding factor: License

The installed license limits the number of allowed VMs:

4 VMs on TE100X appliance
8 VMs on TE250X appliance
28 VMs on TE1000X appliance
40 VMs on TE2000X appliance
56 VMs on TE2000X HPP appliance
Unlimited number (2^32-1 = 4294967295) of VMs with an Evaluation license

Run the "cpstat threat-emulation -f contract" command and refer to the counter "TE Maximal VMs Number:".

Note: This license includes the Microsoft Windows and Office licenses.

Bounding factor: RAM utilization

When Local Emulation is configured, by default, up to 70% of the RAM will be used by VMs.

Recommendations:

You can increase the memory allocation limit, if Security Gateway serves as "emulation only" TE appliance.
You should decrease the memory allocation limit, if the memory is needed for other purposes.

Follow these steps to configure this limit:

A. In SmartDashboard R77.X, open the object of the Threat Emulation Gateway.

B. Expand the Threat Emulation pane - click on Advanced pane.

C. In the Resource Allocation section, click on the Configure... button.

D. Configure the limit for memory usage.


E. Click on OK.

F. Install the Security policy and the Threat Prevention policy.

Bounding factor: CPU load

By default, if the CPU cores allocated for emulation are more than 90% busy, no more VMs will start until the CPU load drops below t

Follow these steps to change this threshold (the busy_cpu_threshold attribute of the gateway's Threat Emulation settings):

A. Connect with SmartDashboard R77.X to Security Management Server / Domain Management Server.

B. Go to File menu - click on Database Revision Control... - create a revision snapshot.

Note: Database Revision Control is not supported for VSX objects (sk65420).

In addition, refer to:

sk108902 - Best Practices - Backup on Gaia OS


sk91400 - System Backup and Restore feature in Gaia
sk54100 - How to back up your system on SecurePlatform
sk98153 - How to take a snapshot of Endpoint Security Management Server database

C. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Ser

D. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

E. In the upper left pane, go to Table - Anti-Malware - antimalware_misc.


F. In the upper right pane, select the relevant Threat Emulation profile - TESettings_<GW_UID>

(e.g., TESettings_2AC82C3A-073F-4F9D-9A85-FA8FAE751BD9).

The UID of the Security Gateway / StandAlone object can be found in the $FWDIR/conf/objects_5_0.C file on the Security Management Server / Domain Management Server:

: (Name_of_GW_or_StandAlone_Object

:AdminInfo (

:chkpf_uid ("{This is the UID}")

:ClassName (gateway_ckp)

Example:

: (R77-30-SA

:AdminInfo (

:chkpf_uid ("{EF4AB4D2-4D16-5849-91F2-DB52B740EC8E}")

:ClassName (gateway_ckp)

G. In the lower pane, right-click on the busy_cpu_threshold - select Edit... - delete the current value - enter the new value - click

H. Save the changes: go to File menu - click on Save All.

I. Close the GuiDBedit Tool.

J. Connect with SmartDashboard R77.X to Security Management Server / Domain Management Server.

K. Install the Security policy and the Threat Prevention policy.
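Finding the right TESettings_<GW_UID> entry by hand in a large objects_5_0.C is error-prone. The following script is an added example, not Check Point code: a small parser for the colon/parenthesis object format shown in step F that pulls the chkpf_uid of every gateway object out of the file and builds the matching TESettings_ name. The excerpt it runs on is constructed in the layout shown above; treating objects with ClassName gateway_ckp as "the gateways" is this example's assumption (adjust the class_names argument if your object is of another class).

```python
# Added example (not Check Point code): extract chkpf_uid values from objects_5_0.C
# and build the TESettings_<UID> name used in GuiDBedit.
import re

# Constructed excerpt in the format shown in this article (names, UIDs and IPs are invented).
OBJECTS_C = """\
    : (R77-30-SA
        :AdminInfo (
            :chkpf_uid ("{EF4AB4D2-4D16-5849-91F2-DB52B740EC8E}")
            :ClassName (gateway_ckp)
        )
        :ipaddr (192.0.2.10)
    )
    : (Branch-GW
        :AdminInfo (
            :chkpf_uid ("{0D3B4C70-1111-2222-3333-444455556666}")
            :ClassName (gateway_ckp)
        )
    )
    : (Net-10
        :AdminInfo (
            :chkpf_uid ("{7A7A7A7A-0000-0000-0000-000000000001}")
            :ClassName (network)
        )
    )
"""

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def parse_value(tokens, i):
    """Parse one value at tokens[i]; return (value, next_index).

    '(' opens a container: ':key value' children go into a dict, unkeyed children
    (': value' or bare atoms such as the object name) go into a list. A container with
    only one unkeyed child collapses to that child, so ':ClassName (gateway_ckp)'
    yields the string 'gateway_ckp'."""
    tok = tokens[i]
    if tok != "(":
        return tok.strip('"'), i + 1
    keyed, items = {}, []
    i += 1
    while i < len(tokens) and tokens[i] != ")":
        tok = tokens[i]
        if tok.startswith(":"):
            value, i = parse_value(tokens, i + 1)
            if tok == ":":
                items.append(value)
            else:
                keyed[tok[1:]] = value
        else:
            value, i = parse_value(tokens, i)
            items.append(value)
    i += 1                                   # consume ')'
    if not keyed:
        return (items[0] if len(items) == 1 else items), i
    if items:
        keyed["_items"] = items              # e.g. the object name that follows ': ('
    return keyed, i


def gateway_uids(text, class_names=("gateway_ckp",)):
    """Map object name -> chkpf_uid (braces removed) for objects of the given classes."""
    tree, _ = parse_value(["("] + TOKEN.findall(text) + [")"], 0)
    found = {}

    def walk(node):
        if isinstance(node, dict):
            info = node.get("AdminInfo")
            if isinstance(info, dict) and info.get("ClassName") in class_names:
                name = node.get("_items", ["?"])[0]
                found[name] = info["chkpf_uid"].strip("{}")
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(tree)
    return found


def te_settings_name(uid):
    """Name of the antimalware_misc entry that carries busy_cpu_threshold for this gateway."""
    return "TESettings_" + uid.strip("{}")


if __name__ == "__main__":
    import sys
    # Usage on the management server: python3 this.py $FWDIR/conf/objects_5_0.C
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else OBJECTS_C
    for name, uid in gateway_uids(text).items():
        print(f"{name}: {te_settings_name(uid)}")
```

The parser deliberately does nothing but read; the value itself is still changed through GuiDBedit as in steps G and H, so the database stays consistent with SmartDashboard.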

Enabling the SMT (HyperThreading) feature improves emulation performance on the SandBlast TE appliances.

The TE250X / TE1000X / TE2000X appliances ship with the SMT feature already enabled in the BIOS.

It is only required to enable the SMT feature in the 'cpconfig' menu, as described in sk93000 - SMT (HyperThreading) Feature Guide.

(13) Static Analysis

Files range from very simple (e.g., plain text files) to ultra complex (e.g., Office documents with embedded files).

Usually, the risk factor of a file varies according to the number of advanced features it utilizes (e.g., JavaScript in PDF file).

The pre-emulation static analysis allows skipping files that contain only safe features.

Notes:

Static Analysis Filters are constantly updated.

Tests show that Static Analysis filters ~70-80% of the received files (depending on the environment and on the file types). To see the numbers for your own gateway:

run the "tecli show statistics" command and refer to the counter "Files filtered by static analysis"
run the "cpstat threat-emulation -f file_type_stat_filter_by_analysis" command
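A sudden drop in that ratio (for example after a failed engine update, or after someone disabled the filter) shows up as a growing emulation queue long before anyone looks at the profile. The following script is an added example, not Check Point code: it parses the "|...|" tables printed by "cpstat threat-emulation -f file_type_stat_file_scanned" and "-f file_type_stat_filter_by_analysis" (layout as shown in section 11) and computes the filtered share per file type and overall, for any of the time windows. The two tables are constructed with invented counts; reading "Scanned" as "all files received, including those static analysis later filtered out" is this example's assumption.

```python
# Added example (not Check Point code): static-analysis filter ratio from the
# per-file-type cpstat tables.

# Constructed sample of "cpstat threat-emulation -f file_type_stat_file_scanned".
SCANNED = """\
Threat-Emulation Statistics, Scanned Files
-------------------------------------------------------------------------
|File Type|Scanned|Scanned Last Day|Scanned Last Week|Scanned Last Month|
-------------------------------------------------------------------------
|doc      |   1200|             80|              500|              1200|
|pdf      |   3000|            200|             1300|              3000|
|exe      |    400|             30|              150|               400|
-------------------------------------------------------------------------
"""

# Constructed sample of "cpstat threat-emulation -f file_type_stat_filter_by_analysis".
FILTERED = """\
Threat-Emulation Statistics, Filter By Analysis
---------------------------------------------------------------------------------------------------------------------
|File Type|Filter By Analysis|Filter By Analysis Last Day|Filter By Analysis Last Week|Filter By Analysis Last Month|
---------------------------------------------------------------------------------------------------------------------
|doc      |               900|                         60|                          380|                          900|
|pdf      |              2400|                        160|                         1000|                         2400|
|exe      |                 0|                          0|                            0|                            0|
---------------------------------------------------------------------------------------------------------------------
"""


def parse_stat_table(text):
    """Return {file_type: {column: int}} from a cpstat '|...|' table.

    The first '|' row is the header; the title and the '----' separator rows are skipped."""
    rows = [line.strip() for line in text.splitlines() if line.lstrip().startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    table = {}
    for row in rows[1:]:
        cells = [c.strip() for c in row.strip("|").split("|")]
        record = dict(zip(header, cells))
        file_type = record.pop("File Type")
        table[file_type] = {col: int(v) for col, v in record.items()}
    return table


def _columns(window):
    # window: "" (all time), "Last Day", "Last Week" or "Last Month"
    return ("Scanned " + window).strip(), ("Filter By Analysis " + window).strip()


def filter_ratios(scanned, filtered, window=""):
    """Fraction of received files per type that static analysis kept away from the VMs."""
    scol, fcol = _columns(window)
    ratios = {}
    for ftype, counts in scanned.items():
        total = counts[scol]
        kept_out = filtered.get(ftype, {}).get(fcol, 0)
        ratios[ftype] = round(kept_out / total, 3) if total else None
    return ratios


def overall_ratio(scanned, filtered, window=""):
    """Filtered share over all file types together."""
    scol, fcol = _columns(window)
    total = sum(counts[scol] for counts in scanned.values())
    kept_out = sum(filtered.get(ftype, {}).get(fcol, 0) for ftype in scanned)
    return round(kept_out / total, 3) if total else None


def below_expected(ratios, floor=0.7):
    """File types whose filtered share is under the ~70% the article quotes as typical."""
    return sorted(ftype for ftype, r in ratios.items() if r is not None and r < floor)


if __name__ == "__main__":
    # On a gateway, replace the samples with the live output of the two cpstat commands.
    scanned, filtered = parse_stat_table(SCANNED), parse_stat_table(FILTERED)
    for window in ("", "Last Day", "Last Week", "Last Month"):
        print(window or "all time", filter_ratios(scanned, filtered, window),
              "overall", overall_ratio(scanned, filtered, window))
    print("below floor:", below_expected(filter_ratios(scanned, filtered)))
```

Executables naturally end up in the "below floor" list in this sample: the filter counters only reflect what the static filters could decide, so interpret the per-type numbers against the file types your environment actually receives rather than against a single global threshold.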

Static Analysis is relatively "heavy" in terms of Input/Output (yet "cheaper" than full emulation).

It is not recommended to disable Static Analysis.

Disable it only under extreme circumstances, with explicit instructions from Check Point Support.

Important Note: If you disable this setting, it can significantly impact the network performance, because every file will be sent to emulation.

To disable Static Analysis:

A. Go to the Threat Prevention tab.

B. In the left tree, click on Profiles.

C. Edit the relevant profile.

D. Expand the Threat Emulation Settings section, click on the Advanced pane.

E. In the Engine Settings section, check the box Disable static analysis for filtering files.

F. Click on OK.

G. Install the Threat Prevention policy.

(14) Detection Rules

Each OS image has a list of regular expressions representing events that its applications generate and that are considered normal actions (a "whitelist" method: it is easier to define what is allowed than what is forbidden).

Note: This whitelist is dynamically updated from the ThreatCloud.

These whitelisted events are filtered out during execution of the document/applet (the matching/parsing engine is similar to the IPS/Anti-Bot engines).

All events that were not filtered by the detection (whitelist) rules are considered malicious:

This applies to documents.
Machine Learning is used for executable files.

Detection Rules are image-specific, but are updated separately from the OS images.

Detection Rules are located in the /var/log/files_repository/images/<Image_ID>/detection_rules/ directories.

Related solutions:

sk117672 - How to update the Threat Emulation malware detection rules

(15) Scanning of Archives

Each entry in the archive file is scanned and emulated (if necessary).

The archive file's verdict is determined according to the verdict of its entries.

Once a single malicious file is found inside an archive file, a log is generated and the entire archive file is marked as malicious.

Related solutions:

sk108373 - Threat Emulation blade sends unsupported file types from an archive for emulation

(16) File Reclassifier

The file type is determined based on the file's "magic number" (header/footer), stream parsing (content type) and further indicators that help Threat Emulation decide what type of file is being sent.

The purpose of the File Classifier is two-fold:

try to detect whether the file is malicious
mimic as closely as possible the behavior the user will experience when the file is executed / opened on Windows OS

It is important to understand that Threat Emulation is not a signature-based detection engine. Therefore, a file that will not trigger in the Host OS can be considered a fu
attempt. That being said, the classifier will still try to re-classify the file to allow it to "detonate" in the sandbox.

Before injecting the file into the VM, the file extension is changed to the correct one, and the file is then emulated based on that extension.

It is possible to disable / enable the File Reclassifier with the "tecli advanced attributes set reclassifier <value>" command.

Examples of renamed malicious files:

[Expert@HostName:0]# file test_file.doc

test_file.doc: MS-DOS executable PE for MS Windows (console) Intel 80386 32-bit

[Expert@HostName:0]# file test_file.exe

test_file.exe: Microsoft Office Document
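The two "file" outputs above are exactly the situation the reclassifier exists for: the name says one thing and the bytes say another. The following script is an added example, not Check Point code: it decides a file's real type from its magic bytes (PE header, OLE2 container, %PDF, ZIP-based Office Open XML) and renames the file to the extension it should be emulated under, reporting whether the original extension lied. The signature table, the kind names and the sample files (a minimal PE header, an empty OLE2 header, an in-memory .docx) are constructed for this example; the real classifier uses stream parsing and more indicators than shown here.

```python
# Added example (not Check Point code): content-based file typing and renaming,
# in the spirit of the Threat Emulation File Reclassifier.
import io
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def ooxml_kind(data):
    """Look inside a ZIP container for the Office Open XML part that names the application."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "zip"
    for part, kind in (("word/document.xml", "docx"),
                       ("xl/workbook.xml", "xlsx"),
                       ("ppt/presentation.xml", "pptx")):
        if part in names:
            return kind
    return "zip"


def sniff(data):
    """Return a type name derived from the content only, never from the file name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # PE: the DOS header's e_lfanew (offset 0x3C) points at the "PE\0\0" signature
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "exe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return ooxml_kind(data)
    if data.startswith(b"\x7fELF"):
        return "elf"
    return "unknown"


# What each extension claims to be, and the extension a sniffed kind is emulated under.
EXT_CLAIMS = {"exe": "exe", "dll": "exe", "scr": "exe", "pdf": "pdf",
              "doc": "ole2", "xls": "ole2", "ppt": "ole2",
              "docx": "docx", "xlsx": "xlsx", "pptx": "pptx", "zip": "zip"}
KIND_EXT = {"exe": "exe", "pdf": "pdf", "ole2": "doc", "docx": "docx",
            "xlsx": "xlsx", "pptx": "pptx", "zip": "zip"}


def reclassify(filename, data):
    """Return (sniffed_kind, name_to_emulate_under, extension_lied).

    An OLE2 file keeps its extension when that extension is already an OLE2 one
    (.xls stays .xls); otherwise it becomes .doc, a simplification of this example."""
    stem, dot, ext = filename.rpartition(".")
    ext = ext.lower() if dot else ""
    stem = stem if dot else filename
    kind = sniff(data)
    lied = kind != "unknown" and EXT_CLAIMS.get(ext) != kind
    new_ext = KIND_EXT.get(kind, ext) if lied else ext
    return kind, (f"{stem}.{new_ext}" if new_ext else filename), lied


def _minimal_pe():
    """Constructed: an 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature at 0x40."""
    buf = bytearray(0x48)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def _minimal_docx():
    """Constructed: a ZIP holding the parts that make it a Word OOXML document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLE_PE = _minimal_pe()
SAMPLE_OLE = OLE2_MAGIC + b"\x00" * 504
SAMPLE_DOCX = _minimal_docx()

if __name__ == "__main__":
    # Same two cases as the "file" output above, plus an honest .docx and a plain text file.
    for name, data in (("test_file.doc", SAMPLE_PE), ("test_file.exe", SAMPLE_OLE),
                       ("invoice.docx", SAMPLE_DOCX), ("notes.txt", b"plain text")):
        print(name, "->", reclassify(name, data))
```

The PE check follows e_lfanew rather than trusting "MZ" alone, because a plain DOS stub or a corrupted header would otherwise be emulated as a Windows executable; an unrecognised payload keeps its original name so that nothing is silently dropped.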

(17) Detection of a malicious file

A file can be emulated up to 3 times:

1. On the first run, files of the same format are emulated together in the same VM.

If NOT detected as malicious, emulation stops: no further emulation takes place, and all files are considered benign.
If detected as malicious, emulation runs once more.

2. On the second run, each file flagged in the previous step is emulated on its own in a different "clean" VM.

If detected as malicious, it is considered malicious and emulation stops: no further emulation takes place. Screenshots / forensics are gathered during this emulation run.
If NOT detected as malicious, emulation runs once more.

3. On the third run, the file is emulated on its own in another "clean" VM.

If detected as malicious, it is considered malicious and emulation stops: no further emulation takes place. Screenshots / forensics are gathered during this emulation run.
If NOT detected as malicious, it is NOT considered malicious and emulation stops: no further emulation takes place.

Related solutions:

sk115418 - Threat Emulation support for Malicious Macro detection

(18) Emulation of multiple files of the same type on the same virtual machine

In order to boost performance, multiple files of the same type (e.g., PDF) are sent to the same virtual machine for emulation.

For each file that is sent to the virtual machine for emulation, a new instance of the emulated program (e.g., Adobe Reader) is executed.

If a file is flagged as malicious during multiple file execution, it is emulated again in a dedicated instance, and the current instance is reverted.

Multiple File Execution is not supported with executable files, or with CPU-Level images.

To see the effectiveness of multiple file execution, run the "tecli show emulator vm synopsis" command and refer to the columns "Cur Files" and "Total Files".

Examples (screenshots in the original article): output of the "tecli show emulator vm synopsis" command; view of a QEMU virtual machine (connected with a VNC client).
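Added example (not Check Point's code) covering sections (17) and (18): the three-run decision procedure as a small Python state machine. Files are grouped by type for the first run (executables and CPU-Level images are never batched), a detection in the shared VM triggers per-file re-emulation in a clean VM, and a file is classified malicious on run 2 or 3 and benign only after a clean run 3. StubSandbox stands in for the VM; the triggers_on sets on the sample files are constructed and decide what the stub reports.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


# Constructed sample input: each file carries the set of run numbers on which the
# stub sandbox would observe malicious behaviour. The product derives this from
# the VM itself; fixing it here keeps the walk-through deterministic.
@dataclass
class SampleFile:
    name: str
    ftype: str                                    # "pdf", "doc", "exe", ...
    triggers_on: Set[int] = field(default_factory=set)


@dataclass
class Result:
    verdict: str              # "benign" or "malicious"
    runs: int                 # number of emulation runs the file went through
    forensics: bool = False   # screenshots / forensics gathered on the confirming run


# Types that are never batched with other files (multiple file execution unsupported)
NEVER_BATCHED = {"exe", "cpu-level"}

EmulateFn = Callable[[List[SampleFile], int], bool]


class StubSandbox:
    """Stand-in for a VM run. It reports a detection when any file in the batch
    misbehaves on this run; with several files sharing one VM the detection
    cannot be attributed to a single file, which is why runs 2 and 3 exist."""

    def __init__(self) -> None:
        self.launches = 0

    def __call__(self, batch: List[SampleFile], run: int) -> bool:
        self.launches += 1
        return any(run in f.triggers_on for f in batch)


def emulate_group(files: List[SampleFile], emulate: EmulateFn) -> Dict[str, Result]:
    results: Dict[str, Result] = {}
    # Run 1: all files of this type share one VM
    if not emulate(files, 1):
        for f in files:
            results[f.name] = Result("benign", 1)
        return results
    # The shared VM misbehaved: isolate each file in its own clean VM
    for f in files:
        if emulate([f], 2):                      # Run 2
            results[f.name] = Result("malicious", 2, forensics=True)
        elif emulate([f], 3):                    # Run 3
            results[f.name] = Result("malicious", 3, forensics=True)
        else:
            results[f.name] = Result("benign", 3)
    return results


def emulate_files(files: List[SampleFile], emulate: Optional[EmulateFn] = None) -> Dict[str, Result]:
    """Group files for the first run (by type, except for never-batched types)
    and apply the three-run decision procedure to each group."""
    if emulate is None:
        emulate = StubSandbox()
    groups: Dict[str, List[SampleFile]] = {}
    for f in files:
        key = f"{f.ftype}:{f.name}" if f.ftype in NEVER_BATCHED else f.ftype
        groups.setdefault(key, []).append(f)
    results: Dict[str, Result] = {}
    for group in groups.values():
        results.update(emulate_group(group, emulate))
    return results


def sample_files() -> List[SampleFile]:
    return [
        SampleFile("a.pdf", "pdf"),                 # benign
        SampleFile("b.pdf", "pdf", {1, 2, 3}),      # malicious on every run
        SampleFile("c.pdf", "pdf", {1, 3}),         # misbehaves only on runs 1 and 3
        SampleFile("d.pdf", "pdf"),                 # benign
        SampleFile("e.exe", "exe", {1, 2}),         # executables are never batched
        SampleFile("f.doc", "doc"),                 # clean batch of one: stops after run 1
    ]


if __name__ == "__main__":
    sandbox = StubSandbox()
    for name, r in emulate_files(sample_files(), sandbox).items():
        print(f"{name}: {r.verdict} after {r.runs} run(s), forensics={r.forensics}")
    print("VM launches:", sandbox.launches)
```

The launch counter shows the cost side of the design: a clean batch costs one VM for all its files, while a single misbehaving file in a batch of four costs that batch up to two extra VMs per file, which is why "Pending emulating requests" rises sharply when malicious samples arrive in bulk.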

(19) Threat Emulation API

The Threat Emulation RESTful API is available on any Check Point appliance with the Threat Emulation blade enabled, and in the ThreatCloud.

The Threat Emulation RESTful API allows you to:

Query for emulation results
Download reports
Upload files for emulation/extraction

Refer to the Threat Prevention API Reference Guide and the R80 Check Point API Reference Guide.

(20) Performance considerations and Best practices


Each factor / configuration is listed below with its recommendations / guidelines.

Factor: Threat Emulation Sizing

Refer to:

sk93598 - Threat Emulation Sizing Mode: how to measure the required inspections at an organization
sk88160 - The Check Point Performance Sizing Utility

Factor: Protected Scope

Limit the "Protected Scope" in the Threat Prevention policy (do not use "Any").

Limit the "Protected Scope", "Protocol" and "File Types" in the Threat Prevention profile.
Factor: Threat Emulation Cache

Normally, there is no need to tune the cache.

To change the relevant settings:

A. Go to the Threat Prevention tab.

B. In the left tree, expand Advanced - click on Engine Settings.

C. Scroll to the bottom - in the Threat Emulation Settings section, click on the Configure settings... button.

D. Set the desired limits:

Maximum file size for emulation - Files that are larger than this value are not sent for emulation (because large files reduce network performance)
Maximum emulation time - The maximal time that Threat Emulation spends analyzing a file (used only for Local Emulation)
Maximum file time in queue - The maximal time that a file waits for Threat Emulation analysis
Number of file hashes to save in local cache - Number of file hashes that are stored in the Threat Emulation cache

E. Click on OK.

F. Install the Threat Prevention policy.

Factor: Static Analysis

Files range from very simple (e.g., plain text files) to ultra complex (e.g., Office documents with embedded files).

Usually, the risk factor of a file varies according to the number of advanced features it utilizes (e.g., JavaScript in a PDF file).

The pre-emulation static analysis allows skipping files that contain only safe features.

Static Analysis is relatively heavy in terms of Input/Output (yet cheaper than full emulation).

It is not recommended to disable Static Analysis.

Disabling it should be done only under extreme circumstances with direction from Check Point Support.

Important Note: If you disable this setting, it can significantly impact network performance because every file will be sent to emulation.

To disable it:

A. Go to the Threat Prevention tab.

B. In the left tree, click on Profiles.

C. Edit the relevant profile.

D. Expand the Threat Emulation Settings section, click on the Advanced pane.

E. In the Engine Settings section, check the box Disable static analysis for filtering files.

F. Click on OK.

G. Install the Threat Prevention policy.

Factor: CPU

By default, if the CPU cores allocated for emulation are more than 90% busy, no more VMs will start until the CPU load drops below that threshold.

To change this threshold (the busy_cpu_threshold attribute), follow these steps:

A. Connect with SmartDashboard R77.X to the Security Management Server / Domain Management Server.

B. Go to the File menu - click on Database Revision Control... - create a revision snapshot.

Note: Database Revision Control is not supported for VSX objects (sk65420).

In addition, refer to:

sk108902 - Best Practices - Backup on Gaia OS
sk91400 - System Backup and Restore feature in Gaia
sk54100 - How to back up your system on SecurePlatform
sk98153 - How to take a snapshot of Endpoint Security Management Server database

C. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

Verify by running the "cpstat mg" command on the Security Management Server / in the context of each Domain Management Server.

D. Connect with the GuiDBedit Tool to the Security Management Server / Domain Management Server.

E. In the upper left pane, go to Table - Anti-Malware - antimalware_misc.

F. In the upper right pane, select the relevant Threat Emulation profile - TESettings_<GW_UID> (e.g., TESettings_2AC82C3A-073F-4F9D-9A85-FA8FAE751BD9).

G. In the lower pane, right-click on busy_cpu_threshold - select Edit... - delete the current value - enter the new value - click on OK.

H. Save the changes: go to the File menu - click on Save All.

I. Close the GuiDBedit Tool.

J. Connect with SmartDashboard R77.X to the Security Management Server / Domain Management Server.

K. Install the Security policy and the Threat Prevention policy.

Factor: RAM

Additional RAM might be required on a Security Gateway with Threat Emulation enabled (depending on the amount of files sent for emulation).

When Local Emulation is configured, by default, up to 70% of the RAM will be used by VMs.

You can increase the memory allocation limit if this Security Gateway serves as an "emulation only" TE appliance.
You should decrease the memory allocation limit if the memory is needed for other purposes.

Follow these steps to configure this limit:

A. In SmartDashboard R77.X, open the object of the Threat Emulation Gateway.

B. Expand the Threat Emulation pane - click on the Advanced pane.

C. In the Resource Allocation section, click on the Configure... button.

D. Configure the limit for memory usage (example screenshot in the original article).

E. Click on OK.

F. Install the Security policy and the Threat Prevention policy.

Factor: Hyper-Threading

Enabling Hyper-Threading improves emulation performance on the Check Point appliances.

Follow sk93000 - SMT (HyperThreading) Feature Guide.

Factor: Clustering of Threat Emulation appliances

Clustering of Threat Emulation appliances is supported, but not recommended.

Refer to the "(21) Configuring multiple Threat Emulation Appliances for redundancy and load sharing" section.

Factor: Anti-Virus blade

If the Anti-Virus blade is also enabled, then there is an expected degradation in Threat Emulation performance of ~5-10% (because most of the work is already done by the Anti-Virus).

Factor: StandAlone

Running the Local Threat Emulation appliance as a StandAlone (both Security Management Server and Security Gateway are installed on the same machine) is supported, but not recommended.

Such a configuration may lead to a case where the Threat Emulation appliance becomes slower and emulation could fail.

If a StandAlone configuration is necessary, then lower the amount of RAM assigned for Threat Emulation (can be approximately 20-4...) - this will limit the number of VMs in use (calculate 500 MB RAM per VM).

Refer to the "RAM" consideration above for instructions.

Factor: Logging

To forward Mail Transfer Agent (MTA) logs from the Security Gateway into SmartView Tracker / SmartLog, follow the instructions in sk102995 - How to export syslog messages from Security Gateway on Gaia OS to a Log Server and view them in SmartView Tracker.

Threat Emulation resource intensive processes:

A. File Aggregation (kernel, dlpu):

1. The parsers (Web, Mail), which deeply inspect the connections for traffic
2. The DLPK (DLP Kernel module), which transfers the file parts to the DLPU daemon (1 such daemon per CoreXL FW instance)
3. The DLPU daemon writes the file parts to $FWDIR/tmp/te and passes the reassembled file to the TED daemon

B. Threat Emulation Cache

The cache is very lightweight, but has an enormous positive effect on performance.
From the initial configuration and policy installation, it takes several days for the cache to build up.
Run the "tecli show statistics" command and refer to the counter "Files filtered by local cache".

C. Static Analysis

The pre-emulation static analysis allows skipping files that contain only safe features.
Static Analysis is relatively heavy in terms of Input/Output (yet cheaper than full emulation).
Run the "tecli show statistics" command and refer to the counter "Files filtered by static analysis".
Run the "cpstat threat-emulation -f file_type_stat_filter_by_analysis" command.

D. File emulation

The emulation is the most resource intensive process in the system.
Run the "top" command and refer to the "qemu-system-x86" processes (example output in the original article).
Run the "tecli show emulator vm synopsis" command and refer to the counter "Pending emulating requests".
To see the effectiveness of multiple file execution, run the "tecli show emulator vm synopsis" command and refer to the columns "Cur Files" and "Total Files" (example output in the original article).
Run the "tecli show statistics" command and refer to the counter "Average process time for emulated files" - large values indicate an overloaded emulation unit.

(21) Configuring multiple Threat Emulation Appliances for redundancy and load sharing

It is possible to install multiple Threat Emulation Private Cloud Appliances on your network (for redundancy and load sharing), and configure each Security Gateway (with the Threat Emulation blade enabled) that sends files for Remote Emulation to use multiple Threat Emulation Private Cloud Appliances.

Note: SmartDashboard R77.X allows selecting only a single Remote Threat Emulation Private Cloud Appliance.

Example topology: (diagram in the original article)

Follow sk102309 - Threat Emulation support for Multiple Private Cloud Appliances to configure each relevant Security Gateway ("traffic collector" / "harvester"):

1. Connect to the command line on the Security Gateway that sends files for a Remote Emulation.

2. Log in to the Expert mode.

3. Run the "tecli advanced remote ..." commands:

To show the list of configured Threat Emulation Private Cloud Appliances:

[Expert@HostName:0]# tecli advanced remote show

To activate the support for multiple Threat Emulation Private Cloud Appliances:

[Expert@HostName:0]# tecli advanced remote activate


To add new Threat Emulation Private Cloud Appliance:

[Expert@HostName:0]# tecli advanced remote add <IP Address>

Additional commands:

To remove a configured Threat Emulation Private Cloud Appliance:

[Expert@HostName:0]# tecli advanced remote remove <Appliance ID>

To deactivate the support for multiple Threat Emulation Private Cloud Appliances:

[Expert@HostName:0]# tecli advanced remote deactivate

4. Install the Threat Emulation policy.

Notes:

The Security Gateway decides to which remote Threat Emulation Private Cloud Appliance the file should be sent for emulation based on the file's hash:

[Appliance ID] = [SHA1 of the file] modulo [number of configured remote Threat Emulation Private Cloud Appliances]

If the selected remote Threat Emulation Private Cloud Appliance is down, then the file will be sent to the next one on the list ("tecli advanced remote show").
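Added example (not Check Point's code) of the selection rule above in Python: the SHA1 of the file is reduced modulo the number of configured appliances, and if the chosen appliance is down the next one on the list is tried, wrapping around to the first. That the "Appliance ID" indexes the list in the order "tecli advanced remote show" prints it, and that fail-over wraps around at the end of the list, are assumptions of this example; the appliance addresses are constructed (TEST-NET range).

```python
import hashlib
from typing import Dict, List, Optional, Set


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def appliance_index(sha1_hex_digest: str, appliance_count: int) -> int:
    """[Appliance ID] = [SHA1 of the file] modulo [number of configured appliances]."""
    if appliance_count <= 0:
        raise ValueError("no remote appliances configured")
    return int(sha1_hex_digest, 16) % appliance_count


def select_appliance(sha1_hex_digest: str, appliances: List[str],
                     down: Optional[Set[str]] = None) -> Optional[str]:
    """Pick the appliance by hash; if it is down, walk forward through the list
    (wrapping around, an assumption of this example) until a reachable one is
    found. Returns None if every appliance is down."""
    down = down or set()
    count = len(appliances)
    start = appliance_index(sha1_hex_digest, count)
    for step in range(count):
        candidate = appliances[(start + step) % count]
        if candidate not in down:
            return candidate
    return None


def distribution(files: List[bytes], appliances: List[str]) -> Dict[str, int]:
    """How many of the given files would land on each appliance (all appliances up)."""
    counts = {a: 0 for a in appliances}
    for data in files:
        counts[select_appliance(sha1_hex(data), appliances)] += 1
    return counts


if __name__ == "__main__":
    # Constructed appliance list, in the order the gateway lists them
    appliances = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    sample = b"constructed sample document"
    digest = sha1_hex(sample)
    chosen = select_appliance(digest, appliances)
    print("hash", digest, "->", chosen)
    print("with", chosen, "down ->", select_appliance(digest, appliances, {chosen}))
    # A hundred constructed files to show the hash spreads load roughly evenly
    print(distribution([bytes([i]) * 16 for i in range(100)], appliances))
```

Two operational consequences follow from hashing on content rather than round-robin: the same file always goes to the same appliance while the list is unchanged (so that appliance's cache and any in-progress emulation of a duplicate are reused), and adding or removing an appliance changes the modulus, which re-maps most files to different appliances until their caches warm up again.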

(22) Mail Transfer Agent (MTA) redundancy


Option 1 - MTA on Threat Emulation Gateways

Example topology: (diagram in the original article)

First hop should be the customer's Anti-Spam solution (to solve the Backscatter/RBL problem)
MTA is running on Threat Emulation Gateways, so we can control SMTP connections to the MTA via the Check Point cluster's security rules
First hop uses, e.g., DNS to round-robin e-mails to the Threat Emulation Gateways
Perimeter Check Point cluster runs all Threat Prevention blades and can offload HTTP/HTTPS emulation to Threat Emulation Gateway(s) if needed
After emulation, the Threat Emulation Gateway's MTA forwards the e-mails to the internal Mail Server

Option 2 - MTA on Check Point cluster (recommended)

Example topology: (diagram in the original article)

First hop should be the customer's Anti-Spam solution (to solve the Backscatter/RBL problem)
MTA is running on Threat Emulation Gateways, so we can control SMTP connections to the MTA via the Check Point cluster's security rules
The Check Point cluster is running the MTA
Perimeter Check Point cluster runs all Threat Prevention blades and can offload HTTP/HTTPS emulation to Threat Emulation Gateway(s) if needed
Threat Emulation Gateways have internal IP addresses.
After emulation, the Check Point cluster's MTA forwards the e-mails to the internal Mail Server

Notes:

Such deployment is needed if the Check Point cluster sends files for emulation to ThreatCloud (there is no on-premise Threat Emulation Appliance)
Such deployment is needed if MTA should be used with ThreatCloud emulation
Such deployment requires manual editing of implied rules to be able to configure security rules to control traffic to the MTA on a Check Point cluster

Related solutions:

sk107093 - E-mails do not reach the client after selecting Cluster Virtual Interface(s) in MTA "Advanced Settings"
sk109198 - E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster

(23) Monitoring

Check the Threat Emulation counters using the tecli command and the cpstat threat-emulation command - refer to these sections:

"(10) The tecli command (Threat Emulation Command Line Tool)"
"(11) The cpstat threat-emulation command"

Monitor the Threat Emulation counters over SNMP:

The Check Point OID tree .1.3.6.1.4.1.2620.1.49 (.iso.org.dod.internet.private.enterprises.checkpoint.products.te) contains the Threat Emulation objects (listed below as Object - OID):

Threat Emulation Queue Files Table .1.3.6.1.4.1.2620.1.49.1

    Threat Emulation Queue Files Table - Index     .1.3.6.1.4.1.2620.1.49.1.1

    Threat Emulation Queue Files Table - File Name     .1.3.6.1.4.1.2620.1.49.1.2

    Threat Emulation Queue Files Table - Time In Queue     .1.3.6.1.4.1.2620.1.49.1.3

    Threat Emulation Queue Files Table - Analyzed On     .1.3.6.1.4.1.2620.1.49.1.4

    Threat Emulation Queue Files Table - Image     .1.3.6.1.4.1.2620.1.49.1.5

    Threat Emulation Queue Files Table - File Size     .1.3.6.1.4.1.2620.1.49.1.6

    Threat Emulation Queue Files Table - File Source     .1.3.6.1.4.1.2620.1.49.1.7

Threat Emulation Downloading Files Table .1.3.6.1.4.1.2620.1.49.2

    Threat Emulation Downloading Files Table - Index     .1.3.6.1.4.1.2620.1.49.2.1

    Threat Emulation Downloading Files Table - File Type     .1.3.6.1.4.1.2620.1.49.2.2

    Threat Emulation Downloading Files Table - File UUID     .1.3.6.1.4.1.2620.1.49.2.3

    Threat Emulation Downloading Files Table - File Name     .1.3.6.1.4.1.2620.1.49.2.4

    Threat Emulation Downloading Files Table - Current File Revision     .1.3.6.1.4.1.2620.1.49.2.5

    Threat Emulation Downloading Files Table - Current File Size     .1.3.6.1.4.1.2620.1.49.2.6

    Threat Emulation Downloading Files Table - Current File Download Start Time     .1.3.6.1.4.1.2620.1.49.2.7

    Threat Emulation Downloading Files Table - Current File Download Percent     .1.3.6.1.4.1.2620.1.49.2.8

    Threat Emulation Downloading Files Table - Downloading File Revision     .1.3.6.1.4.1.2620.1.49.2.9

    Threat Emulation Downloading Files Table - Downloading File Size     .1.3.6.1.4.1.2620.1.49.2.10

    Threat Emulation Downloading Files Table - Downloading File Download Start Time     .1.3.6.1.4.1.2620.1.49.2.11

    Threat Emulation Downloading Files Table - Downloading File Download Percent     .1.3.6.1.4.1.2620.1.49.2.12

Threat Emulation Average Download Percentage .1.3.6.1.4.1.2620.1.49.3

Threat Emulation Scanned Files (Quantity) .1.3.6.1.4.1.2620.1.49.4

    Threat Emulation Scanned Files Total Count     .1.3.6.1.4.1.2620.1.49.4.1

    Threat Emulation Scanned Files Count Last Day     .1.3.6.1.4.1.2620.1.49.4.2

    Threat Emulation Scanned Files Count Last Week     .1.3.6.1.4.1.2620.1.49.4.3

    Threat Emulation Scanned Files Count Last Month     .1.3.6.1.4.1.2620.1.49.4.4

Threat Emulation Malware Detected (Quantity) .1.3.6.1.4.1.2620.1.49.5

    Threat Emulation Malware Detected Total Count     .1.3.6.1.4.1.2620.1.49.5.1

    Threat Emulation Malware Detected Count Last Day     .1.3.6.1.4.1.2620.1.49.5.2

    Threat Emulation Malware Detected Count Last Week     .1.3.6.1.4.1.2620.1.49.5.3

    Threat Emulation Malware Detected Count Last Month     .1.3.6.1.4.1.2620.1.49.5.4

Threat Emulation Scanned Files On Threat Cloud (Quantity) .1.3.6.1.4.1.2620.1.49.6

    Threat Emulation Scanned Files On Threat Cloud Total Count     .1.3.6.1.4.1.2620.1.49.6.1

    Threat Emulation Scanned Files On Threat Cloud Last Day     .1.3.6.1.4.1.2620.1.49.6.2

    Threat Emulation Scanned Files On Threat Cloud Last Week     .1.3.6.1.4.1.2620.1.49.6.3

    Threat Emulation Scanned Files On Threat Cloud Last Month     .1.3.6.1.4.1.2620.1.49.6.4

Threat Emulation Malware Detected On ThreatCloud (Quantity) .1.3.6.1.4.1.2620.1.49.7

    Threat Emulation Malware Detected On ThreatCloud Total Count     .1.3.6.1.4.1.2620.1.49.7.1

    Threat Emulation Malware Detected On ThreatCloud Last Day     .1.3.6.1.4.1.2620.1.49.7.2

    Threat Emulation Malware Detected On ThreatCloud Last Week     .1.3.6.1.4.1.2620.1.49.7.3

    Threat Emulation Malware Detected On ThreatCloud Last Month     .1.3.6.1.4.1.2620.1.49.7.4

Threat Emulation Average Process Time (Quantity) .1.3.6.1.4.1.2620.1.49.8

    Threat Emulation Average Process Time Total Count     .1.3.6.1.4.1.2620.1.49.8.1

    Threat Emulation Average Process Time Last Day     .1.3.6.1.4.1.2620.1.49.8.2

    Threat Emulation Average Process Time Last Week     .1.3.6.1.4.1.2620.1.49.8.3

    Threat Emulation Average Process Time Last Month     .1.3.6.1.4.1.2620.1.49.8.4


Threat Emulation Emulated File Size (in Bytes) .1.3.6.1.4.1.2620.1.49.9

    Threat Emulation Emulated File Size Total     .1.3.6.1.4.1.2620.1.49.9.1

    Threat Emulation Emulated File Size Last Day     .1.3.6.1.4.1.2620.1.49.9.2

    Threat Emulation Emulated File Size Last Week     .1.3.6.1.4.1.2620.1.49.9.3

    Threat Emulation Emulated File Size Last Month     .1.3.6.1.4.1.2620.1.49.9.4

Threat Emulation Queue Size (Quantity) .1.3.6.1.4.1.2620.1.49.10

    Threat Emulation Queue Size Total Count     .1.3.6.1.4.1.2620.1.49.10.1

    Threat Emulation Queue Size Last Day     .1.3.6.1.4.1.2620.1.49.10.2

    Threat Emulation Queue Size Last Week     .1.3.6.1.4.1.2620.1.49.10.3

    Threat Emulation Queue Size Last Month     .1.3.6.1.4.1.2620.1.49.10.4

Threat Emulation Peak Size (Quantity) .1.3.6.1.4.1.2620.1.49.11

    Threat Emulation Peak Size Total Count     .1.3.6.1.4.1.2620.1.49.11.1

    Threat Emulation Peak Size Last Day     .1.3.6.1.4.1.2620.1.49.11.2

    Threat Emulation Peak Size Last Week     .1.3.6.1.4.1.2620.1.49.11.3

    Threat Emulation Peak Size Last Month     .1.3.6.1.4.1.2620.1.49.11.4

Threat Emulation Emails Scanned .1.3.6.1.4.1.2620.1.49.12

Threat Emulation Downloaded Files Scanned .1.3.6.1.4.1.2620.1.49.13

Threat Emulation Files In Queue .1.3.6.1.4.1.2620.1.49.14

Threat Emulation Number Of Emulation Environments .1.3.6.1.4.1.2620.1.49.15

Threat Emulation Update Status .1.3.6.1.4.1.2620.1.49.16

Threat Emulation Update Status Description .1.3.6.1.4.1.2620.1.49.17

Threat Emulation Statistics, Scanned Files .1.3.6.1.4.1.2620.1.49.18

    Threat Emulation Statistics - Index     .1.3.6.1.4.1.2620.1.49.18.1

    Threat Emulation Statistics - File Type     .1.3.6.1.4.1.2620.1.49.18.2

    Threat Emulation Statistics - Total Files Scanned     .1.3.6.1.4.1.2620.1.49.18.3

    Threat Emulation Statistics - Total Files Scanned Last Day     .1.3.6.1.4.1.2620.1.49.18.4

    Threat Emulation Statistics - Total Files Scanned Last Week     .1.3.6.1.4.1.2620.1.49.18.5

    Threat Emulation Statistics - Total Files Scanned Last Month     .1.3.6.1.4.1.2620.1.49.18.6

    Threat Emulation Statistics - Total Malware Detected     .1.3.6.1.4.1.2620.1.49.18.7

    Threat Emulation Statistics - Total Malware Detected Last Day     .1.3.6.1.4.1.2620.1.49.18.8

    Threat Emulation Statistics - Total Malware Detected Last Week     .1.3.6.1.4.1.2620.1.49.18.9

    Threat Emulation Statistics - Total Malware Detected Last Month     .1.3.6.1.4.1.2620.1.49.18.10

    Threat Emulation Statistics - Threatcloud Scanned     .1.3.6.1.4.1.2620.1.49.18.11

    Threat Emulation Statistics - Threatcloud Scanned Last Day     .1.3.6.1.4.1.2620.1.49.18.12

    Threat Emulation Statistics - Threatcloud Scanned Last Week     .1.3.6.1.4.1.2620.1.49.18.13

    Threat Emulation Statistics - Threatcloud Scanned Last Month     .1.3.6.1.4.1.2620.1.49.18.14

    Threat Emulation Statistics - Threatcloud Malware     .1.3.6.1.4.1.2620.1.49.18.15

    Threat Emulation Statistics - Threatcloud Malware Last Day     .1.3.6.1.4.1.2620.1.49.18.16

    Threat Emulation Statistics - Threatcloud Malware Last Week     .1.3.6.1.4.1.2620.1.49.18.17

    Threat Emulation Statistics - Threatcloud Malware Last Month     .1.3.6.1.4.1.2620.1.49.18.18

    Threat Emulation Statistics - Filter By Analysis     .1.3.6.1.4.1.2620.1.49.18.19

    Threat Emulation Statistics - Filter By Analysis Last Day     .1.3.6.1.4.1.2620.1.49.18.20

    Threat Emulation Statistics - Filter By Analysis Last Week     .1.3.6.1.4.1.2620.1.49.18.21

    Threat Emulation Statistics - Filter By Analysis Last Month     .1.3.6.1.4.1.2620.1.49.18.22

    Threat Emulation Statistics - Cache Hit Rate     .1.3.6.1.4.1.2620.1.49.18.23

    Threat Emulation Statistics - Cache Hit Rate Last Day     .1.3.6.1.4.1.2620.1.49.18.24

    Threat Emulation Statistics - Cache Hit Rate Last Week     .1.3.6.1.4.1.2620.1.49.18.25

    Threat Emulation Statistics - Cache Hit Rate Last Month     .1.3.6.1.4.1.2620.1.49.18.26

    Threat Emulation Statistics - Error Count     .1.3.6.1.4.1.2620.1.49.18.27


    Threat Emulation Statistics - Error Count Last Day     .1.3.6.1.4.1.2620.1.49.18.28

    Threat Emulation Statistics - Error Count Last Week     .1.3.6.1.4.1.2620.1.49.18.29

    Threat Emulation Statistics - Error Count Last Month     .1.3.6.1.4.1.2620.1.49.18.30

    Threat Emulation Statistics - No Resource Count     .1.3.6.1.4.1.2620.1.49.18.31

    Threat Emulation Statistics - No Resource Count Last Day     .1.3.6.1.4.1.2620.1.49.18.32

    Threat Emulation Statistics - No Resource Count Last Week     .1.3.6.1.4.1.2620.1.49.18.33

    Threat Emulation Statistics - No Resource Count Last Month     .1.3.6.1.4.1.2620.1.49.18.34

Threat Emulation Contract Name .1.3.6.1.4.1.2620.1.49.19

Threat Emulation Contract Cloud Subscription Expiration Date .1.3.6.1.4.1.2620.1.49.20

Threat Emulation Contract Cloud Hourly Quota .1.3.6.1.4.1.2620.1.49.21

Threat Emulation Contract Cloud Monthly Quota .1.3.6.1.4.1.2620.1.49.22

Threat Emulation Contract Cloud Remaining Quota .1.3.6.1.4.1.2620.1.49.23

Threat Emulation Contract Maximal VMs Number .1.3.6.1.4.1.2620.1.49.24

Threat Emulation Contract Subscription Status .1.3.6.1.4.1.2620.1.49.25

Threat Emulation Contract Cloud Quota Status .1.3.6.1.4.1.2620.1.49.26

Threat Emulation Contract Subscription Description .1.3.6.1.4.1.2620.1.49.27

Threat Emulation Contract Cloud Quota Description .1.3.6.1.4.1.2620.1.49.28

Threat Emulation Engine Major Version .1.3.6.1.4.1.2620.1.49.29

Threat Emulation Engine Minor Version .1.3.6.1.4.1.2620.1.49.30

Threat Emulation Contract Cloud Quota Identifier .1.3.6.1.4.1.2620.1.49.31

Threat Emulation Contract Cloud Monthly Quota Period Start .1.3.6.1.4.1.2620.1.49.32

Threat Emulation Contract Cloud Monthly Quota Period End .1.3.6.1.4.1.2620.1.49.33

Threat Emulation Contract Cloud Monthly Quota Usage for This GW .1.3.6.1.4.1.2620.1.49.34

Threat Emulation Contract Cloud Hourly Quota Usage for this GW .1.3.6.1.4.1.2620.1.49.35

Threat Emulation Is First Download .1.3.6.1.4.1.2620.1.49.36

Threat Emulation Contract Cloud Monthly Quota Usage for Quota ID .1.3.6.1.4.1.2620.1.49.37

Threat Emulation Contract Cloud Hourly Quota Usage for Quota ID .1.3.6.1.4.1.2620.1.49.38

Threat Emulation Contract Cloud Monthly Quota Exceeded .1.3.6.1.4.1.2620.1.49.39

Threat Emulation Contract Cloud Hourly Quota Exceeded .1.3.6.1.4.1.2620.1.49.40

Threat Emulation Contract Cloud Last Quota Update GMT Time .1.3.6.1.4.1.2620.1.49.41

Threat Emulation Status .1.3.6.1.4.1.2620.1.49.101

Threat Emulation Status - Short Description .1.3.6.1.4.1.2620.1.49.102

Threat Emulation Status - Long Description .1.3.6.1.4.1.2620.1.49.103
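Added example (not Check Point's code) that reads numeric-OID snmpwalk output for the tree above in Python, rebuilds the Queue Files Table rows and turns the counters into findings (files waiting too long, overall detection ratio). The sample walk is constructed, and the ".0" instance suffix on scalars, the <table>.<column>.<row> instance layout of the queue table, and Time In Queue being in seconds are assumptions of this example, not statements from the OID table.

```python
import re
from typing import Dict, List, Optional, Union

TE_BASE = ".1.3.6.1.4.1.2620.1.49"

# Scalar objects taken from the OID table above. The ".0" instance suffix on scalars
# and the "<table>.<column>.<row>" layout of the queue table are assumptions about
# how the agent exposes them.
SCALARS = {
    "scanned_total":    TE_BASE + ".4.1",
    "malware_total":    TE_BASE + ".5.1",
    "malware_last_day": TE_BASE + ".5.2",
    "files_in_queue":   TE_BASE + ".14",
    "emulation_envs":   TE_BASE + ".15",
    "update_status":    TE_BASE + ".16",
    "te_status":        TE_BASE + ".101",
}
QUEUE_TABLE = TE_BASE + ".1"
QUEUE_COLUMNS = {2: "file_name", 3: "time_in_queue", 4: "analyzed_on",
                 5: "image", 6: "file_size", 7: "file_source"}

# Matches numeric-OID snmpwalk lines such as ".1.3.6.1.4.1.2620.1.49.14.0 = INTEGER: 2"
LINE_RE = re.compile(r"^(\.[0-9.]+)\s*=\s*([A-Za-z0-9]+):\s*(.*)$")

Value = Union[int, str, None]


def parse_snmpwalk(text: str) -> Dict[str, str]:
    """OID -> raw value (surrounding quotes stripped); unparseable lines are ignored."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            oid, _type, raw = m.groups()
            values[oid] = raw.strip().strip('"')
    return values


def to_int(raw: Optional[str]) -> Optional[int]:
    try:
        return int(raw) if raw is not None else None
    except ValueError:
        return None


def te_scalars(values: Dict[str, str]) -> Dict[str, Value]:
    out: Dict[str, Value] = {}
    for name, oid in SCALARS.items():
        raw = values.get(oid + ".0", values.get(oid))
        as_int = to_int(raw)
        out[name] = as_int if as_int is not None else raw
    return out


def queue_rows(values: Dict[str, str]) -> List[Dict[str, str]]:
    """Rebuild the Queue Files Table rows from their column instances."""
    rows: Dict[int, Dict[str, str]] = {}
    prefix = QUEUE_TABLE + "."
    for oid, val in values.items():
        if not oid.startswith(prefix):
            continue
        parts = oid[len(prefix):].split(".")
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            continue
        column, row = int(parts[0]), int(parts[1])
        if column in QUEUE_COLUMNS:
            rows.setdefault(row, {})[QUEUE_COLUMNS[column]] = val
    return [rows[i] for i in sorted(rows)]


def assess(values: Dict[str, str], max_queue: int = 50, max_wait: int = 300) -> List[str]:
    """Turn the counters into findings; the wait threshold assumes Time In Queue is in seconds."""
    findings: List[str] = []
    scalars = te_scalars(values)
    queued = scalars["files_in_queue"]
    if isinstance(queued, int) and queued > max_queue:
        findings.append(f"{queued} files waiting for emulation (limit {max_queue})")
    for row in queue_rows(values):
        wait = to_int(row.get("time_in_queue"))
        if wait is not None and wait > max_wait:
            findings.append(f"{row.get('file_name', '?')} has waited {wait} s (limit {max_wait})")
    scanned, malware = scalars["scanned_total"], scalars["malware_total"]
    if isinstance(scanned, int) and isinstance(malware, int) and scanned:
        findings.append(f"detection ratio {malware / scanned:.2%} over {scanned} scanned files")
    return findings


# Constructed snmpwalk-style output (not captured from a real gateway)
SAMPLE_WALK = """\
.1.3.6.1.4.1.2620.1.49.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2620.1.49.1.2.1 = STRING: "invoice.pdf"
.1.3.6.1.4.1.2620.1.49.1.3.1 = INTEGER: 420
.1.3.6.1.4.1.2620.1.49.1.7.1 = STRING: "smtp"
.1.3.6.1.4.1.2620.1.49.1.1.2 = INTEGER: 2
.1.3.6.1.4.1.2620.1.49.1.2.2 = STRING: "report.docx"
.1.3.6.1.4.1.2620.1.49.1.3.2 = INTEGER: 15
.1.3.6.1.4.1.2620.1.49.1.7.2 = STRING: "http"
.1.3.6.1.4.1.2620.1.49.4.1.0 = INTEGER: 12500
.1.3.6.1.4.1.2620.1.49.5.1.0 = INTEGER: 25
.1.3.6.1.4.1.2620.1.49.5.2.0 = INTEGER: 2
.1.3.6.1.4.1.2620.1.49.14.0 = INTEGER: 2
.1.3.6.1.4.1.2620.1.49.15.0 = INTEGER: 4
.1.3.6.1.4.1.2620.1.49.101.0 = STRING: "OK"
"""

if __name__ == "__main__":
    walk = parse_snmpwalk(SAMPLE_WALK)
    print(te_scalars(walk))
    for finding in assess(walk):
        print("-", finding)
```

Run snmpwalk against the gateway with the numeric tree shown above (for example "snmpwalk -v 2c -c <community> <gateway> .1.3.6.1.4.1.2620.1.49") and feed its output to parse_snmpwalk; the two thresholds in assess are the values to tune against the "Maximum file time in queue" setting described in the "(20) Performance considerations and Best practices" section.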

Monitor the MTA queue on Gaia OS over SNMP:

Follow this action plan (for detailed instructions, refer to sk90860 - How to configure SNMP on Gaia OS - section "(IV-6) Advanced SNMP configuration - Extend SNMP with shell script"):

A. Create the following shell script - /home/admin/mailqueue.sh:

#!/bin/bash
# Extract Postfix queue size value
MAILQ=$(/opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p | egrep '^--.*Request|^Mail.*empty')
if [[ "$MAILQ" =~ "empty" ]] ; then
    # "Mail queue is empty"
    RESPONSE=0
elif [[ "$MAILQ" =~ "Request" ]] ; then
    # Summary line "-- <N> Kbytes in <M> Requests." - the 5th field is the number of queued requests
    RESPONSE=$(echo "$MAILQ" | awk '{print $5}')
else
    RESPONSE=error
fi
# Always print the result (including "error") so that the SNMP extend returns a value
echo "$RESPONSE"

B. Create the following shell script - /home/admin/emaild_tmpdir.sh:

#!/bin/bash
# Extract emaild temp file queue amount
. /opt/CPshared/5.0/tmp/.CPprofile.sh
ls -l "$FWDIR/tmp/email_tmp/" | grep emailtemp | wc -l

C. Create the following shell script - /home/admin/running_vm.sh:

#!/bin/bash
# Extract amount of running VM Instances
. /opt/CPshared/5.0/tmp/.CPprofile.sh
tecli show emulator emulations | grep "Running virtual machines" | awk '{print $4}'

D. Select free OIDs - e.g., .1.3.6.1.4.1.2620.1.25x.y

E. Disable the SNMP Agent.

F. Add the following lines to the /etc/snmp/userDefinedSettings.conf file:

extend .1.3.6.1.4.1.2620.1.250.1 postfix_queue /bin/sh /home/admin/mailqueue.sh
extend .1.3.6.1.4.1.2620.1.250.2 emaild_queue /bin/sh /home/admin/emaild_tmpdir.sh
extend .1.3.6.1.4.1.2620.1.250.3 vm /bin/sh /home/admin/running_vm.sh

G. Enable the SNMP Agent.

H. Save the changes in the Gaia Database.

I. Test the new OIDs:

Postfix queue:

snmpwalk -v 2c -c <community> localhost .1.3.6.1.4.1.2620.1.250.1

in.emaild.mta queue:

snmpwalk -v 2c -c <community> localhost .1.3.6.1.4.1.2620.1.250.2

Number of running virtual machines:

snmpwalk -v 2c -c <community> localhost .1.3.6.1.4.1.2620.1.250.3

(24) Troubleshooting

Each emulation scenario is listed below with what to check.

Scenario: When sending files to the Check Point ThreatCloud

1. Check that the Security Gateway is up and running.

2. Check that all required processes on the Security Gateway are up and running:

[Expert@HostName:0]# cpwd_admin list

3. Check that the Date and Time are set correctly on the Security Gateway.

4. Check that the DNS Server(s) are defined on the Security Gateway.

5. Check that the Proxy Server is defined in the Security Gateway object in SmartDashboard R77.X.

6. Check that the Proxy Server is defined in the Global Properties in SmartDashboard R77.X.

7. Check that the Security Gateway is able to connect to the Internet.

8. Check the Threat Emulation configuration in the Security Gateway object in SmartDashboard R77.X.

9. Install the Security policy and the Threat Prevention policy.

10. Check the logs from the Threat Emulation blade in SmartView Tracker / SmartLog / SmartEvent.

11. Check that the Security Gateway is able to resolve the ThreatCloud Pod addresses:

[Expert@HostName:0]# nslookup -query=SRV te.checkpoint.com

12. Check on the Security Gateway which ThreatCloud Pods are allowed:

[Expert@HostName:0]# tecli advanced cloud geo status

13. Check on the Security Gateway that the Threat Emulation Quota is not reached:

[Expert@HostName:0]# tecli show cloud quota

14. Check the logs of the relevant processes on the Security Gateway (refer to the "(9) User Space" section).

15. Collect the relevant debugs (of processes and of kernel) on the Security Gateway - refer to the "(25) Debug" section and consult Check Point Support.

Scenario: When emulating files on the Local Threat Emulation Private Cloud Appliance installed on your network

1. Check that the Threat Emulation Appliance is up and running.

2. Check that all required processes on the Threat Emulation Appliance are up and running:

[Expert@HostName:0]# cpwd_admin list

3. Check that the Date and Time are set correctly on the Security Gateway.

4. Check that the DNS Server(s) are defined on the Security Gateway.

5. Check that the Proxy Server is defined in the Security Gateway object in SmartDashboard R77.X.

6. Check that the Proxy Server is defined in the Global Properties in SmartDashboard R77.X.

7. Check that the Threat Emulation Appliance is able to connect to the Internet.

8. Check that the Threat Emulation Appliance is able to connect to the Check Point update servers:

[Expert@HostName:0]# curl_cli [--proxy <IP_or_HostName:Port>] -vk http://te.checkpoint.com

9. Check the Threat Emulation configuration (including the Resource Allocation) in the Threat Emulation Appliance object in SmartDashboard R77.X.

10. Install the Security policy and the Threat Prevention policy.

11. Check the logs from the Threat Emulation blade in SmartView Tracker / SmartLog / SmartEvent.

12. Check on the Threat Emulation Appliance how the emulation works:

A. [Expert@HostName:0]# tecli show statistics

Does the emulation work? How many files do you see? Do you have any hits by cache? What is the average processing time?

B. [Expert@HostName:0]# tecli cache dump all

Do you have files with verdicts?

C. [Expert@HostName:0]# tecli show emulator emulations

Are emulations happening at this moment?

13. Check that the Threat Emulation Appliance has the latest OS images, detection rules, and engine revisions:

[Expert@HostName:0]# tecli show downloads all
[Expert@HostName:0]# tecli advanced engine version

Are the OS images in the "Ready" state? Does the Threat Emulation Appliance have the latest revisions (per sk92509 and sk95235)?

If the components are not up-to-date, or the OS images are not in the "Ready" state, then:

A. Delete the old images:

[Expert@HostName:0]# rm -rf /var/log/files_repository/images

B. Kill the TED daemon:

[Expert@HostName:0]# fw kill ted

C. Update all the components:

[Expert@HostName:0]# tecli advanced downloads update all

D. Check again:

[Expert@HostName:0]# tecli show downloads all
[Expert@HostName:0]# tecli advanced engine version

14. Check the logs of the relevant processes on the Threat Emulation Appliance (refer to the "(9) User Space" section).

15. Collect the relevant debugs (of processes and of kernel) on the Threat Emulation Appliance - refer to the "(25) Debug" section and consult Check Point Support.

Scenario: When sending files to a Remote Threat Emulation Private Cloud Appliance installed on your network

1. Check that the Security Gateway and the Remote Threat Emulation Private Cloud Appliance are up and running.

2. Check that all required processes on the Security Gateway and on the Remote Threat Emulation Private Cloud Appliance are up and running:

[Expert@HostName:0]# cpwd_admin list

3. Check that the Date and Time are set correctly on the Security Gateway and on the Remote Threat Emulation Private Cloud Appliance.

4. Check that the DNS Server(s) are defined on the Security Gateway.

5. Check that the Proxy Server is defined in the Security Gateway object and in the Remote Threat Emulation Private Cloud Appliance object in SmartDashboard R77.X.

6. Check that the Proxy Server is defined in the Global Properties in SmartDashboard R77.X.

7. Check that the Remote Threat Emulation Private Cloud Appliance is able to connect to the Internet.

8. Check the Threat Emulation configuration in the Security Gateway object and in the Remote Threat Emulation Private Cloud Appliance object (including the Resource Allocation) in SmartDashboard R77.X.

9. Install the Security policy and the Threat Prevention policy.

10. Check the logs from the Threat Emulation blade in SmartView Tracker / SmartLog / SmartEvent.

11. Check on the Security Gateway how the emulation works:

A. [Expert@HostName:0]# tecli show statistics

Does the emulation work? How many files do you see? Do you have any hits by cache? What is the average processing time?

B. [Expert@HostName:0]# tecli cache dump all

Do you have files with verdicts?

12. Check the logs of the relevant processes on the Security Gateway and on the Remote Threat Emulation Private Cloud Appliance (refer to the "(9) User Space" section).

13. Collect the relevant debugs (of processes and of kernel) on the Security Gateway and on the Remote Threat Emulation Private Cloud Appliance - refer to the "(25) Debug" section and consult Check Point Support.

Additional Troubleshooting steps:

If the upstream MTA has problems delivering e-mails to the Check Point Security Gateway configured as MTA, disable TCP timestamps on the Check Point MTA per sk62700 - How to disable TCP timestamps (RFC 1323).

Note: This change applies only to local connections (connections where the source or destination is the Security Gateway itself); traffic that merely passes through the Security Gateway is not affected.

Useful MTA/Postfix commands:

Refer to http://www.postfix.org and http://www.postfix.org/postqueue.1.html.

Reload postfix (re-reads the configuration without stopping the daemon):

[Expert@HostName:0]# /opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix reload


Stop postfix:

[Expert@HostName:0]# /opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix stop


Show current queue:

[Expert@HostName:0]# /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p


Show one mail from queue (e.g., with Queue ID 5632E28B0044):

[Expert@HostName:0]# /opt/postfix/usr/sbin/postcat -c /opt/postfix/etc/postfix/ -q 5632E28B0044 | less


Attempt immediate delivery of queue content:

[Expert@HostName:0]# /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -f


Delete one message from queue (e.g., with Queue ID 5632E28B0044):

[Expert@HostName:0]# /opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d 5632E28B0044


Delete all messages from queue:

[Expert@HostName:0]# /opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d ALL


Show postfix configuration:

[Expert@HostName:0]# /opt/postfix/usr/sbin/postconf -c /opt/postfix/etc/postfix/


Write a test entry ("ThisIsAMaillogEntry") into /var/log/maillog through the Postfix logging interface (useful to mark the start of a test in the mail log):

[Expert@HostName:0]# /opt/postfix/usr/sbin/postlog -c /opt/postfix/etc/postfix/ ThisIsAMaillogEntry


Get postfix version:

[Expert@HostName:0]# /opt/postfix/usr/sbin/postconf -c /opt/postfix/etc/postfix/ | grep mail_version
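The commands above either list the whole queue or delete all of it. In practice, when the upstream or downstream MTA is misbehaving, you want to know which deferral reason dominates and remove only the affected Queue IDs. The following script is an added example and is not part of this SK or of the Check Point product; it parses the standard "postqueue -p" (mailq) output format. The sample queue embedded in it is constructed, and the POSTFIX_BIN / POSTFIX_CONF paths are taken from the commands above.

```shell
#!/bin/sh
# Added example, not part of sk114806: summarise the Postfix queue on the
# Check Point MTA so that stuck messages can be removed by deferral reason
# with "postsuper -d <Queue ID>" instead of the blunt "postsuper -d ALL".
# Parses the "postqueue -p" (mailq) format. The sample queue below is constructed.
POSTFIX_BIN=/opt/postfix/usr/sbin
POSTFIX_CONF=/opt/postfix/etc/postfix

# Flatten mailq output to one line per message: "<queue id>\t<sender>\t<deferral reason>".
parse_mailq() {
    awk '
        /^-Queue ID-/ || /^--/ || /^$/ { next }         # header, trailer, separators
        /^[0-9A-F]+[*!]? / {                             # message line; * = active, ! = hold
            if (id != "") print id "\t" sender "\t" reason
            id = $1; sub(/[*!]$/, "", id)
            sender = $NF; reason = ""
            next
        }
        /^\(/ { reason = $0; gsub(/^\(|\)$/, "", reason); next }   # parenthesised reason
        END { if (id != "") print id "\t" sender "\t" reason }
    '
}

# Deferred messages per reason, most frequent first.
reasons_summary() {
    parse_mailq | awk -F'\t' '$3 != "" { n[$3]++ } END { for (r in n) print n[r] "\t" r }' | sort -rn
}

# Queue IDs whose deferral reason matches an awk regular expression.
ids_by_reason() {
    parse_mailq | awk -F'\t' -v pat="$1" '$3 ~ pat { print $1 }'
}

# Delete only the messages matching a reason; prints what it would do unless CONFIRM=yes.
purge_by_reason() {
    for id in $("$POSTFIX_BIN/postqueue" -c "$POSTFIX_CONF" -p | ids_by_reason "$1"); do
        if [ "$CONFIRM" = yes ]; then
            "$POSTFIX_BIN/postsuper" -c "$POSTFIX_CONF" -d "$id"
        else
            echo "would delete $id"
        fi
    done
}

# Constructed sample of "postqueue -p" output (not from a real gateway).
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
5632E28B0044     2345 Tue Nov  3 10:15:22  alice@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         bob@example.net

7A1B3C4D5E6F*    8901 Tue Nov  3 10:20:01  carol@example.com
                                         dave@example.net

9F8E7D6C5B4A     1200 Tue Nov  3 10:25:40  erin@example.com
(host mx.example.net[192.0.2.10] said: 451 4.7.1 Try again later (in reply to end of DATA command))
                                         frank@example.net

0123456789AB     3300 Tue Nov  3 10:30:12  grace@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         heidi@example.net

-- 15 Kbytes in 4 Requests.'

# Usage on the gateway (both lines are examples):
#   /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix -p | reasons_summary
#   CONFIRM=yes purge_by_reason 'Connection timed out'
```

Active messages (Queue ID suffixed with "*") carry no deferral reason and are therefore never selected by ids_by_reason, so a purge by reason cannot remove mail that Postfix is currently delivering.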

(25) Debug

Important Note: Since the required debugs are quite extensive, it is necessary to schedule a maintenance window (to minimize the impact on the Security Gateway).

Note: In cluster environment, this procedure must be performed on all members of the cluster.

If Mail Transfer Agent (MTA) is not used:

Example flow:

1. Rotate the $FWDIR/log/ted.elg files:

[Expert@HostName:0]# tecli debug rotate

2. Add a mark to the log files:

[Expert@HostName:0]# echo "==debug_start==" >> $FWDIR/log/dlpu.elg

[Expert@HostName:0]# echo "==debug_start==" >> $FWDIR/log/ted.elg

3. Start the debug of the DLPU process:


[Expert@HostName:0]# fw debug dlpu on TDERROR_ALL_ALL=5

4. Set the TED debug options:

[Expert@HostName:0]# tecli debug set TE all

5. Enable the debug of the TED process:

[Expert@HostName:0]# tecli debug on

6. Check the debug status of the TED process:

[Expert@HostName:0]# tecli debug stat

7. Prepare the kernel debug:

Important Note: Consult Check Point Support to minimize the CPU load on the Security Gateway caused by this debug.

[Expert@HostName:0]# fw ctl debug 0

[Expert@HostName:0]# fw ctl debug -buf 320000

[Expert@HostName:0]# fw ctl debug -m fw + conn drop malware te ioctl mail cmi vm tcpstr

[Expert@HostName:0]# fw ctl debug -m dlpk all

[Expert@HostName:0]# fw ctl debug -m cmi_loader all

[Expert@HostName:0]# fw ctl debug -m WS all

[Expert@HostName:0]# fw ctl debug -m CI all

8. Verify the kernel debug:

[Expert@HostName:0]# fw ctl debug -m fw

[Expert@HostName:0]# fw ctl debug -m dlpk

[Expert@HostName:0]# fw ctl debug -m cmi_loader

[Expert@HostName:0]# fw ctl debug -m WS

[Expert@HostName:0]# fw ctl debug -m CI

9. Start the kernel debug:

[Expert@HostName:0]# fw ctl kdebug -f -T > /var/log/kernel_debug.txt

10. Replicate the issue.

Make sure the issue was replicated - save all the relevant outputs, take all the relevant screenshots.

11. Stop the kernel debug:

Press CTRL+C, and run

[Expert@HostName:0]# fw ctl debug 0

12. Disable the debug of the TED process:

[Expert@HostName:0]# tecli debug off

13. Reset the TED debug options to their defaults:

[Expert@HostName:0]# tecli debug defaults

14. Check the debug status of the TED process:

[Expert@HostName:0]# tecli debug stat

15. Stop the debug of the DLPU process:

[Expert@HostName:0]# fw debug dlpu off TDERROR_ALL_ALL=0

16. Add a mark to the log files:

[Expert@HostName:0]# echo "==debug_stop==" >> $FWDIR/log/dlpu.elg

[Expert@HostName:0]# echo "==debug_stop==" >> $FWDIR/log/ted.elg

17. Collect these files from the Security Gateway:

$FWDIR/log/dlpu.elg*
$FWDIR/log/ted.elg*
/var/log/kernel_debug.txt
/var/log/messages*
all the relevant outputs
all the relevant screenshots
CPinfo file
In addition, collect the CPinfo file from the Security Management Server / Domain Management Server that manages this Security Gateway

If Mail Transfer Agent (MTA) is configured:

Example flow:
1. Rotate the $FWDIR/log/ted.elg files:

[Expert@HostName:0]# tecli debug rotate

2. Add a mark to the log files:

[Expert@HostName:0]# echo "==debug_start==" >> $FWDIR/log/emaild.mta.elg

[Expert@HostName:0]# echo "==debug_start==" >> $FWDIR/log/ted.elg

3. Start the debug of the IN.EMAILD.MTA process:

[Expert@HostName:0]# fw debug in.emaild.mta on TDERROR_ALL_ALL=5

4. Set the TED debug options:

[Expert@HostName:0]# tecli debug set TE all

5. Enable the debug of the TED process:

[Expert@HostName:0]# tecli debug on

6. Check the debug status of the TED process:

[Expert@HostName:0]# tecli debug stat

7. Prepare the kernel debug:

Important Note: Consult Check Point Support to minimize the CPU load on the Security Gateway caused by this debug.

[Expert@HostName:0]# fw ctl debug 0

[Expert@HostName:0]# fw ctl debug -buf 320000

[Expert@HostName:0]# fw ctl debug -m fw + conn drop malware te ioctl mail cmi vm tcpstr

[Expert@HostName:0]# fw ctl debug -m dlpk all

[Expert@HostName:0]# fw ctl debug -m cmi_loader all

[Expert@HostName:0]# fw ctl debug -m WS all

[Expert@HostName:0]# fw ctl debug -m CI all

8. Verify the kernel debug:

[Expert@HostName:0]# fw ctl debug -m fw

[Expert@HostName:0]# fw ctl debug -m dlpk

[Expert@HostName:0]# fw ctl debug -m cmi_loader

[Expert@HostName:0]# fw ctl debug -m WS

[Expert@HostName:0]# fw ctl debug -m CI

9. Start the kernel debug:

[Expert@HostName:0]# fw ctl kdebug -f -T > /var/log/kernel_debug.txt

10. Replicate the issue.

Make sure the issue was replicated - save all the relevant outputs, take all the relevant screenshots.

11. Stop the kernel debug:

Press CTRL+C, and run

[Expert@HostName:0]# fw ctl debug 0

12. Disable the debug of the TED process:

[Expert@HostName:0]# tecli debug off

13. Reset the TED debug options to their defaults:

[Expert@HostName:0]# tecli debug defaults

14. Check the debug status of the TED process:

[Expert@HostName:0]# tecli debug stat

15. Stop the debug of the IN.EMAILD.MTA process:

[Expert@HostName:0]# fw debug in.emaild.mta off TDERROR_ALL_ALL=0


16. Add a mark to the log files:

[Expert@HostName:0]# echo "==debug_stop==" >> $FWDIR/log/emaild.mta.elg

[Expert@HostName:0]# echo "==debug_stop==" >> $FWDIR/log/ted.elg

17. Collect these files from the Security Gateway:

/var/log/maillog
$FWDIR/log/emaild.mta.elg*
$FWDIR/log/ted.elg*
/var/log/kernel_debug.txt
/var/log/messages*
all the relevant outputs
all the relevant screenshots
CPinfo file
In addition, collect the CPinfo file from the Security Management Server / Domain Management Server that manages this Security Gateway
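The two flows above differ only in which user-space process is debugged (dlpu versus in.emaild.mta) and which .elg file gets the markers. The risk of typing them by hand is leaving the kernel debug enabled after an aborted session, which is exactly the CPU-load situation the notes warn about. The following script is an added example, not part of this SK or of the product; it runs the same commands in the same order but installs a trap so the stop sequence runs even on CTRL+C, and it cuts the marked window out of an .elg file afterwards. Assumptions: it runs in the Gaia expert shell with FWDIR exported and tecli / fw in PATH (the FWDIR default in the script is a placeholder), TE_MTA=1 selects the MTA variant, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/bash
# Added example, not part of sk114806: a wrapper around the "(25) Debug" flow
# that switches every debug off again even if the operator aborts with CTRL+C.
# Assumptions: Gaia expert shell, FWDIR exported, tecli/fw in PATH;
# TE_MTA=1 selects the MTA variant (in.emaild.mta instead of dlpu);
# DRY_RUN=1 only prints the commands instead of executing them.

: "${FWDIR:=/opt/CPsuite/fw1}"      # placeholder default; Gaia exports the real value
: "${DRY_RUN:=0}"
: "${TE_MTA:=0}"
KDEBUG_OUT=/var/log/kernel_debug.txt

if [ "$TE_MTA" = 1 ]; then
    USER_PROC=in.emaild.mta; USER_LOG=emaild.mta.elg; EXTRA_FILES=/var/log/maillog
else
    USER_PROC=dlpu;          USER_LOG=dlpu.elg;       EXTRA_FILES=
fi

run() {
    # Echo every command so the console transcript documents what was done;
    # execute it only when not in dry-run mode.
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

mark() {
    # Marker lines let the debug window be cut out of the .elg files later.
    run sh -c "echo '==$1==' >> $FWDIR/log/$USER_LOG"
    run sh -c "echo '==$1==' >> $FWDIR/log/ted.elg"
}

te_debug_start() {
    run tecli debug rotate
    mark debug_start
    run fw debug "$USER_PROC" on TDERROR_ALL_ALL=5
    run tecli debug set TE all
    run tecli debug on
    run tecli debug stat
    # Kernel debug: clear previous flags, enlarge the buffer, set the TE-related flags.
    run fw ctl debug 0
    run fw ctl debug -buf 320000
    run fw ctl debug -m fw + conn drop malware te ioctl mail cmi vm tcpstr
    run fw ctl debug -m dlpk all
    run fw ctl debug -m cmi_loader all
    run fw ctl debug -m WS all
    run fw ctl debug -m CI all
}

te_debug_stop() {
    # Kernel debug first (largest CPU cost), then the daemons, then the stop marker.
    run fw ctl debug 0
    run tecli debug off
    run tecli debug defaults
    run tecli debug stat
    run fw debug "$USER_PROC" off TDERROR_ALL_ALL=0
    mark debug_stop
}

te_debug_collect() {
    # Bundle the files the SK asks for; the CPinfo files are collected separately.
    run tar -czf "/var/log/te_debug_$(date +%Y%m%d_%H%M%S).tgz" \
        "$FWDIR"/log/$USER_LOG* "$FWDIR"/log/ted.elg* "$KDEBUG_OUT" /var/log/messages* $EXTRA_FILES
}

slice_debug_window() {
    # Print only the part of an .elg file between the start and stop markers.
    sed -n '/==debug_start==/,/==debug_stop==/p' "$1"
}

te_debug_session() {
    te_debug_start
    trap te_debug_stop EXIT INT TERM     # cleanup runs on normal exit and on CTRL+C
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ fw ctl kdebug -f -T > %s &\n' "$KDEBUG_OUT"
    else
        fw ctl kdebug -f -T > "$KDEBUG_OUT" &
        kdebug_pid=$!
        printf 'Replicate the issue now, then press Enter to stop the debug.\n'
        read -r _
        kill "$kdebug_pid" 2>/dev/null
    fi
    te_debug_collect
}

# Usage (examples): DRY_RUN=1 te_debug_session   |   TE_MTA=1 te_debug_session
```

After the session, slice_debug_window "$FWDIR/log/ted.elg" gives Support only the lines written between the markers, which is usually what they ask for first.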

(26) Related resources

Related documentation:

Threat Prevention Administration Guide (R77.X, R80, R80.10)


Threat Prevention API Reference Guide (R77.X, R80.X)
Gaia Administration Guide (R77.X, R80.10)
Kernel Debug flags (R77.30, R80.10)
SecureXL Debug Flags - FWAccel (R77.30, R80.10)
SecureXL Debug Flags - SIM (R77.30, R80.10)
sk96246 - Documentation For Check Point Appliances
Technical Reference Guides (ATRGs)

Related solutions:

General:

sk106210 - Threat Emulation Appliances: TE100X, TE250X, TE1000X, TE2000X (SandBlast)
sk95235 - Threat Emulation Engine Update - What's New
sk92509 - Offline updates for Threat Emulation images and engine
sk117672 - How to update the Threat Emulation malware detection rules
sk112721 - How to monitor the status of Check Point Threat Emulation Cloud Service
sk112312 - Threat Emulation File Analyzer
sk115376 - Threat Emulation support for "Push Forward" emulation
sk93598 - Threat Emulation Sizing Mode: how to measure the required inspections at an organization
sk110394 - Check Point Private ThreatCloud
sk109045 - Software Blades / Features and supported Operating Systems
sk79700 - VSX supported features on R75.40VS and above
sk106496 - Software Blades updates on VSX R75.40VS and above - FAQ
sk97638 - Check Point Processes and Daemons

Configuration:

sk119133 - New Threat Emulation license mechanism starting from Threat Emulation update 6.8
sk108074 - SandBlast Parallel Extraction Hotfix
sk108695 - Check Point SandBlast Agent for Browsers
sk106123 - File types supported by SandBlast Threat Emulation
sk117168 - Threat Emulation Early Verdict for Prevent
sk102309 - Threat Emulation support for Multiple Private Cloud Appliances
sk97877 - Cloud Geo Restriction support in Threat Emulation Cloud mode
sk107333 - Support for CPU Level sandboxing on Threat Emulation appliances TE100X, TE250X, TE1000X, TE2000X
sk111405 - 60000 / 40000 Appliances - How to enable Threat Emulation blade on R76SP.40 and R76SP.50
sk93530 - How to configure User Authentication proxy in Threat Emulation
sk101870 - How to change Postfix configuration for Threat Emulation MTA
sk123140 - How to configure Threat Emulation blade to block files according to file types
sk93505 - Changing the default size of the /var/log/maillog file when using Mail Transfer Agent (MTA)
sk101606 - How to enable inspection of SMB/CIFS traffic by Anti-Virus blade or Threat Emulation blade
sk109699 - ATRG: MTA
sk110369 - How to configure load balancing / high availability based on the DNS configuration for Mail Transfer Agent (MTA)
sk111306 - Check Point support for Internet Content Adaptation Protocol (ICAP) server
sk93000 - SMT (HyperThreading) Feature Guide
sk92374 - Intel Virtualization Technology (VT) support compliance on Check Point appliances
sk111080 - How to configure Check Point software to upload data to Check Point / download data from Check Point
sk94508 - Recommended Internet Access Settings for Automatic Downloads
sk94509 - Recommended Internet Access Settings for Uploading Data

Troubleshooting:

sk83520 - How to verify that Security Gateway and/or Security Management Server can access Check Point servers?
sk106119 - Threat Emulation blade generates a "Detect" log instead of "Prevent" log
sk115252 - Threat Emulation logs show "Detect" for e-mail attachments instead of "Prevent" when Threat Extraction blade is also enabled
sk106120 - Threat Emulation does not emulate a file
sk105737 - How to create Threat Emulation Forensics Report for benign files
sk106739 - 'File is pending emulation. Threat scan failed' log in SmartView Tracker, SmartLog
sk103752 - "There are (N) files in the remote emulation queue that have failed to send for more than (X) minutes" log in SmartView Tracker
sk105164 - Threat Emulation issues caused by non-ASCII characters
sk107093 - E-mails do not reach the client after selecting Cluster Virtual Interface(s) in MTA "Advanced Settings"
sk109198 - E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster
sk108878 - E-mails are delayed for several hours when Threat Emulation blade and Mail Transfer Agent (MTA) are enabled
sk117634 - Security Gateway configured as MTA and/or with enabled Threat Extraction blade is not able to parse any e-mail
sk106392 - Threat Emulation action is shown differently in SmartEvent and in SmartView Tracker
sk108373 - Threat Emulation blade sends unsupported file types from an archive for emulation
sk117275 - Threat Emulation "Excluded Mail Addresses" feature does not work correctly when using wildcard '*' to exclude all e-mail
sk108492 - Threat Emulation events are missing in SmartEvent R77.x
sk116813 - Status of Threat Emulation downloaded images changes from "Ready" to "Initialize" for ~30-40 minutes during the Threat
Update
sk114898 - "Threat Emulation Cloud Subscription Status" section in SmartView Monitor shows wrong values
sk62700 - How to disable TCP timestamps (RFC 1323)
sk98348 - Best Practices - Security Gateway Performance
sk100633 - Best Practices - threats investigation using Threat Prevention Software Blades

Product pages on Support Center (each product has Overview, Documents and Downloads pages):

Threat Emulation
Threat Extraction
Threat Prevention
Anti-Bot
Anti-Virus

Check Point Products and Solutions:

SandBlast Zero-Day Attack Protection
SandBlast Threat Emulation (Sandboxing)
SandBlast Threat Extraction Blade
Threat Prevention Appliances & Software - SandBlast TE100X, TE250X, TE1000X, TE2000X Appliances datasheet
Anti-Bot Software Blade
Anti-Virus Software Blade
NGTX and NGTP - Next Generation Threat Prevention Software Bundles
SandBlast Network Security - SandBlast Network datasheet
SandBlast Agent - SandBlast Agent datasheet
SandBlast Cloud - Office 365 Email Security - SandBlast Cloud datasheet
Intel Spot On with Microsoft Control-flow Enforcement Technology (CET)

(27) Revision History


©1994-2022 Check Point Software Technologies Ltd. All rights reserved.
