Security Engines - Anti-Malware

The Anti-Malware engine determines if an email attachment or a shared file contains malware. It detects files containing known malware (Anti-Virus) and Avanan’s advanced sandbox (Threat Emulation) to detect the evasive zero-day malware.

Engines Enabled

Under Engines Enabled, you can see the security engines available based on the license.

It could include Anti-Virus (known malware detection) or Threat Emulation & Antivirus (advanced sandbox).

To see the Engines Enabled for your tenant, navigate to Security Settings > Security Engines and click Configure for Anti-Malware.

Malware Emulation Operating Systems

Sandboxing attachments and shared files is crucial for detecting advanced zero-day unknown malware hidden in them.

By default, Check Point runs the virtual machines with the recommended operating systems, which provide the highest detection rates, to emulate and inspect the files.

Note - A dedicated team in Avanan continuously monitors and optimizes the detection efficacy of the sandbox and selects the optimal operating systems to be used in the virtual machines of the sandbox.
Based on their decisions, the recommended operating systems may change and the change will take effect in Avanan automatically.

To override the Check Point recommended operating systems:

  1. Go to Security Settings > Security Engines.
  2. Click Configure for Anti-Malware.
  3. Under Emulation Operating Systems, select the required options.
    • To override the recommended operating systems, select the Override Check Point defaults (select up to 3) checkbox.
    • Select the required operating systems.

      Note - You can select only up to three operating systems.

  4. Click Save.

Anti-Malware Inspection - File Size Limit

The Anti-Malware security engine inspects files attached to an email or shared via supported file sharing/messaging applications for malware only if it is less than 50 MB.

Anti-Malware Exceptions

See Anti-Malware Exceptions.

Reviewing Malware Events

The Anti-Malware engine is responsible for detecting malicious files.  It comprises of matching the file against a database of known malicious files (Anti-Virus) and running it through an advanced sandbox (Threat Emulation).

To review the event details, open the attachment profile page for the malicious event. In the Anti-Malware section under Security Stack, you can do these.

  • To view the sandbox report with a detailed explanation about why the file was deemed malicious, click View Report.
    • To download the malicious file from the report to your local computer, click Actions > Download File.
      Warning - You should use the downloaded file with care as the malware can cause significant damage to computers, networks, and corporate data.
      • To help you not run the malicious file accidentally on your local computer, the malicious file gets downloaded in the compressed tar.gz format as a password-protected file.
      • Use infected_te_report as the password to extract the malicious file.
  • To view the confidence level of the detection by the sandbox or the signature used by the static engines used to detect the malware, click More Info.

Acting on Malware Events

  • To quarantine an email, click Quarantine Email from the email profile.
  • To release an email from quarantine, click Restore Email if the email is already in quarantine.
  • To exclude a file that you believe was falsely detected as containing malware, add the file to Allow-List.

For more details about adding Anti-Malware Allow-List rule, see Anti-Malware Allow-List.