Threat Prevention and Traditional Anti-Virus

2015-11-10, 13:41
Hi all,

I'm looking to get some clarification on the apparently two different anti-virus options offered by Check Point. Threat Prevention has its own tab and policy to craft what you would like it to do, and then Traditional Anti-Virus is a subsection within that. In the notes it says you cannot activate both on the same gateway. But, in the case of the so-called zero hour malware protections and mail anti-virus, are you not actually scanning email on the anti-spam blade unless traditional is enabled? Or is it just a matter of making sure the check box next to mail is selected within the profile settings under threat prevention? Are they both the same thing and Threat Prevention is more advanced?


2015-11-10, 18:58
Anti-Virus (the newer option) is using indicators of compromise to determine if a file is potentially malicious.
This includes the URL of the file and file hashes which are queried to ThreatCloud to determine if they are malicious.
Local SandBlast/Threat Emulation appliances can also supplement this information.
This method of AV is pretty lightweight and is meant to be used in conjunction with the other Threat Prevention blades.
Traditional AV uses a traditional heuristic scan with traditional AV signatures.

To clarify: The Zero-Hour Protection comes from the newer AV option, not Traditional AV.

2015-11-12, 10:00
Thanks for that. We are using the Threat Prevention blade in conjunction with IPS, DLP, Anti-Spam, and application control/URL filtering/https. The odd thing about the zero day malware is that it is nested under traditional anti-virus in both tracker and the anti-spam tab.

2015-11-12, 13:52
I see what you're saying in Tracker (which is ultimately being replaced in R80) but not sure I see what you're saying in Anti-Spam (at least in R77.30).

2015-11-12, 15:38
Hopefully I attached this correctly.

2015-11-12, 15:52
That suggests to me that even with Traditional AV, you can leverage the zero-day malware signatures (which may be true).
If you're not using Traditional AV, you configure zero-day malware in the Threat Prevention policy.