Threat Prevention and Traditional Anti-Virus



aweldon
2015-11-10, 13:41
Hi all,

I'm looking to get some clarification on the apparently two different anti-virus options offered by Check Point. Threat Prevention has its own tab and policy to craft what you would like it to do, and then Traditional Anti-Virus is a subsection within that. In the notes it says you cannot activate both on the same gateway. But, in the case of the so-called zero-hour malware protections and mail anti-virus, are you not actually scanning email on the anti-spam blade unless traditional is enabled? Or is it just a matter of making sure the check box next to mail is selected within the profile settings under Threat Prevention? Are they both the same thing, and Threat Prevention is more advanced?

Thanks

PhoneBoy
2015-11-10, 18:58
Anti-Virus (the newer option) uses indicators of compromise to determine if a file is potentially malicious.
This includes the URL of the file and file hashes which are queried to ThreatCloud to determine if they are malicious.
Local SandBlast/Threat Emulation appliances can also supplement this information.
This method of AV is pretty lightweight and is meant to be used in conjunction with the other Threat Prevention blades.
Traditional AV uses a traditional heuristic scan with traditional AV signatures.

To clarify: The Zero-Hour Protection comes from the newer AV option, not Traditional AV.

aweldon
2015-11-12, 10:00
Thanks for that. We are using the Threat Prevention blade in conjunction with IPS, DLP, Anti-Spam, and application control/URL filtering/https. The odd thing about the zero day malware is that it is nested under traditional anti-virus in both tracker and the anti-spam tab.

PhoneBoy
2015-11-12, 13:52
I see what you're saying in Tracker (which is ultimately being replaced in R80) but not sure I see what you're saying in Anti-Spam (at least in R77.30).
Screenshot?

aweldon
2015-11-12, 15:38
Hopefully I attached this correctly.
1025

PhoneBoy
2015-11-12, 15:52
That suggests to me that even with Traditional AV, you can leverage the zero-day malware signatures (which may be true).
If you're not using Traditional AV, you configure zero-day malware in the Threat Prevention policy.