
How to Configure Attachment Sandboxing (Threat Emulation) in Harmony Email

Step-by-step guide to configure Threat Emulation sandboxing and Threat Extraction for email attachments in Check Point Harmony Email.

14 min read. Updated January 2025.


Check Point Harmony Email & Collaboration includes advanced attachment protection through Threat Emulation (sandboxing) and Threat Extraction (Content Disarm and Reconstruction). This guide covers configuring these technologies to protect your organization from zero-day malware and advanced persistent threats delivered via email attachments.

Prerequisites

Before configuring attachment sandboxing, ensure you have:

  • Harmony Email & Collaboration connected to Microsoft 365 or Google Workspace
  • Administrator access to the Check Point Infinity Portal
  • Complete Protect license (Threat Emulation requires this tier)
  • Understanding of your security requirements and user productivity needs

Understanding Attachment Protection Technologies

Harmony Email provides two complementary attachment protection methods:

Threat Emulation (Sandboxing)

Feature       | Description
------------- | --------------------------------------------
Technology    | CPU-level sandbox analysis
Detection     | Zero-day malware, evasive threats, APTs
Process       | Opens file in isolated VM, monitors behavior
Analysis Time | 30 seconds to 3 minutes
Output        | Verdict: Clean, Malicious, or Suspicious

Threat Extraction (CDR)

Feature       | Description
------------- | -----------------------------------------------
Technology    | Content Disarm and Reconstruction
Protection    | Removes potentially dangerous content
Process       | Strips macros, active content, embedded objects
Delivery Time | Immediate (no waiting)
Output        | Sanitized file safe for use

Combining the Technologies

Scenario           | Threat Emulation | Threat Extraction | User Experience
------------------ | ---------------- | ----------------- | ---------------------------------------------------------
Maximum Security   | Enabled          | Enabled           | Receive clean file immediately, original after emulation
Balanced           | Enabled          | Disabled          | Wait for emulation, receive original if clean
Productivity First | Background only  | Enabled           | Clean file immediately, emulation for reporting

Step 1: Access Anti-Malware Configuration

  1. Sign in to https://portal.checkpoint.com
  2. Navigate to Harmony > Email & Collaboration
  3. Go to Security Settings in the left menu
  4. Click Security Engines
  5. Locate Anti-Malware and click Configure

Step 2: Verify Engine Availability

Check which protection engines are available with your license:

View Enabled Engines

  1. In the Anti-Malware configuration, locate Engines Enabled
  2. Verify available engines:
    • Anti-Virus: Signature-based malware detection (all licenses)
    • Threat Emulation & Anti-Virus: Advanced sandbox (Complete Protect)
  3. If only Anti-Virus is shown, you may need to upgrade your license

Engine Capabilities

Engine           | Detection Method    | Zero-Day Protection | Speed
---------------- | ------------------- | ------------------- | ------------
Anti-Virus       | Signature matching  | No                  | Instant
Threat Emulation | Behavioral analysis | Yes                 | 30s-3min
Combined         | Both methods        | Yes                 | Best of both

Step 3: Configure Threat Emulation Settings

Enable Threat Emulation

  1. In Anti-Malware configuration, scroll to Threat Emulation
  2. Enable Threat Emulation inspection
  3. Configure emulation scope:

Setting               | Description                             | Recommendation
--------------------- | --------------------------------------- | ----------------
All files             | Emulate every attachment                | Maximum security
Suspicious files only | Emulate files flagged by AV             | Balanced
Unknown files only    | Emulate files without known reputation  | Efficient

  4. Select Suspicious files only for balanced protection
  5. Click Save

Configure File Size Limits

  1. Locate File Size Settings
  2. Configure maximum file size for emulation:
    • Default: 50 MB
    • Recommended: 50 MB (maximum supported)
  3. Files exceeding this limit are scanned by Anti-Virus only
  4. Click Save

Configure Analysis Settings

  1. Scroll to Emulation Settings
  2. Configure options:

Setting     | Description              | Recommendation
----------- | ------------------------ | -----------------
Timeout     | Maximum analysis time    | 120 seconds
OS Versions | Windows versions to test | Multiple versions
Fail Action | Action if emulation fails | Quarantine

  3. Click Save

Step 4: Configure Threat Extraction (CDR)

Set up Content Disarm and Reconstruction for immediate safe delivery.

Enable Threat Extraction

  1. In Anti-Malware configuration, scroll to Threat Extraction
  2. Enable Clean Files (Threat Extraction)
  3. Configure cleaning method:

Method         | Description                                 | File Type
-------------- | ------------------------------------------- | -------------
Clean          | Remove dangerous content, preserve file type | Office, PDF
Convert to PDF | Convert to sanitized PDF format             | All supported

  4. Select Clean for best user experience
  5. Click Save

Configure What Gets Cleaned

Threat Extraction removes the following content:

Content Type       | Default   | Configurable
------------------ | --------- | ------------
Macros             | Removed   | Yes
Active Scripts     | Removed   | Yes
Embedded Objects   | Removed   | Yes
Hyperlinks in Text | Removed   | Yes
External Links     | Removed   | Yes
JavaScript in PDF  | Removed   | Yes
Metadata           | Preserved | Yes

To customize cleaning behavior:

  1. Contact Check Point Support for advanced configuration
  2. Some settings require support intervention to modify

Configure Cleaned File Naming

  1. Navigate to Security Settings > SaaS Applications
  2. Click Configure for Office 365 Mail or Gmail
  3. Click Advanced
  4. Scroll to Threat extracted attachment name template
  5. Configure naming:
    • Default: threat_extracted_(unknown)
    • Custom: Set your preferred prefix or suffix
  6. Click Save

Step 5: Configure Anti-Malware Policy

Create policies that define how attachment protection works.

Create Malware Protection Policy

  1. Navigate to Policy in the left menu
  2. Click Add a New Policy Rule
  3. Under Choose SaaS, select your email platform
  4. Under Choose Security, select Malware
  5. Click Next

Configure Policy Settings

  1. Rule Name: Enter descriptive name (e.g., "Attachment Protection - All Users")
  2. Email Direction: Select scope:
    • Inbound: Scan incoming attachments (primary use case)
    • Outbound: Scan outgoing attachments
    • Internal: Scan internal email attachments
  3. Apply to: Select users or groups
  4. Click Next

Configure Protection Actions

  1. Policy Protection Mode: Choose mode:
    • Monitor: Scan and log without blocking (testing)
    • Detect and Remediate: Scan and take action (production)
  2. Select Detect and Remediate for protection
  3. Click Next

Configure Threat Actions

  1. When malware is detected, choose the action:

Action     | Description               | Recommendation
---------- | ------------------------- | --------------
Quarantine | Hold email for review     | Recommended
Delete     | Permanently remove email  | High security
Alert Only | Deliver with notification | Testing only

  2. Select Quarantine for most environments
  3. Click Next

Enable Threat Extraction in Policy

  1. Scroll to Alerts section
  2. Enable Clean Files (Threat Extraction) checkbox
  3. Configure delivery behavior:
    • Deliver cleaned immediately: Users get safe version right away
    • Wait for emulation: Deliver original only after cleared
  4. Click Save and Apply

Step 6: Configure Original File Restore

Allow users to retrieve original files after emulation completes.

Enable User Self-Service Restore

  1. Go to Security Settings > User Interaction
  2. Click Attachment Restore
  3. Configure restore options:

Option         | Description                                              | Recommendation
-------------- | -------------------------------------------------------- | ----------------
Auto-restore   | Original delivered automatically after clean emulation   | Convenient
User request   | User must request original                               | More control
Admin approval | Admin must approve restore                               | Maximum security

  4. Select based on your security requirements
  5. Click Save

Configure Restore Notifications

  1. In Attachment Restore settings, configure notifications:
    • Notify user when cleaned file delivered: Yes
    • Notify user when original available: Yes
    • Notify admin on restore request: Optional
  2. Click Save

Step 7: Configure File Type Handling

Customize how different file types are processed.

View Supported File Types

Threat Emulation supports:

Category           | File Types
------------------ | ---------------------------------------------
Office Documents   | .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rtf
PDF                | .pdf
Executables        | .exe, .dll, .scr, .bat, .cmd, .ps1
Archives           | .zip, .rar, .7z, .tar, .gz
Scripts            | .js, .vbs, .wsf, .hta
Images with Macros | Various (OCR + macro detection)

Configure Blocked File Types

Block dangerous file types outright:

  1. Go to Security Settings > Security Engines > Anti-Malware
  2. Locate Blocked File Types
  3. Review and configure blocked extensions:
    • .exe: Executables (recommended to block)
    • .scr: Screen savers (often malware)
    • .bat/.cmd: Batch files
    • .ps1: PowerShell scripts
  4. Click Save

Configure Encrypted File Handling

  1. Locate Encrypted Files settings
  2. Configure handling:
    • Quarantine: Hold password-protected files for review
    • Alert: Allow delivery but notify admin
    • Allow: Deliver without scanning (not recommended)
  3. Recommended: Quarantine for encrypted files that can't be scanned

Step 8: Test Attachment Protection

Verify your configuration is working correctly.

Use EICAR Test File

The EICAR test file safely tests anti-malware without real threats:

  1. Download EICAR test file from eicar.org
  2. Send email with EICAR attachment to a test user
  3. Verify:
    • Email is quarantined or attachment removed
    • Event logged in Harmony Email console
    • Admin notification received (if configured)
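An added helper for the EICAR test above, not part of this guide or of Check Point's product: it assembles the 68-byte EICAR file, checks it has not been mangled (a stray newline makes the test meaningless), and builds the test email. The SMTP relay, sender and test mailbox names are placeholders to replace with your own.

```python
"""Build the Step 8 test message: an EICAR attachment sent to a test mailbox."""
import hashlib
import smtplib
from email.message import EmailMessage

# The 68-byte EICAR string, assembled from two halves so this script's own
# source file does not trip on-access scanners. EICAR is a signature test:
# it validates the inspection and quarantine/logging path, not sandbox
# coverage of real behaviour.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
         + b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
# Published SHA-256 of the canonical file (no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_is_intact(data: bytes = EICAR) -> bool:
    """True only if the bytes are exactly the canonical 68-byte test file."""
    return len(data) == 68 and hashlib.sha256(data).hexdigest() == EICAR_SHA256


def build_test_message(sender: str, test_user: str) -> EmailMessage:
    """Assemble the test email with EICAR attached as a plain .com file."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = test_user
    msg["Subject"] = "Harmony Email attachment protection test (EICAR)"
    msg.set_content("Step 8 test: expect quarantine and a Malware event.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of all attachments, used to confirm the message shape."""
    return [part.get_filename() for part in msg.iter_attachments()]


if __name__ == "__main__":
    assert eicar_is_intact(), "EICAR bytes were altered; regenerate them"
    message = build_test_message("admin@example.com", "test.user@example.com")
    # Placeholder relay (assumption). The message must land in a mailbox that
    # Harmony Email protects, otherwise nothing is inspected.
    with smtplib.SMTP("smtp.example.com", 587) as smtp:
        smtp.starttls()
        smtp.send_message(message)
```

After sending, confirm the three verification points above in the console; the hash printed by hashlib.sha256(EICAR) should match the file hash shown in the Malware event.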

Test Threat Extraction

  1. Create a Word document with a macro
  2. Send to test user
  3. Verify:
    • Cleaned version delivered (macro removed)
    • Original file name modified (threat_extracted prefix)
    • User can request original after emulation

Verify Event Logging

  1. Go to Events > Malware
  2. Filter for recent activity
  3. Review test events:
    • Detection engine (AV or Threat Emulation)
    • File details and hash
    • Action taken
    • User affected

Step 9: Configure Administrator Alerts

Set up notifications for malware detections.

Enable Malware Alerts

  1. Go to Security Settings > Alerts
  2. Configure notification triggers:
    • Malware detected: Alert for any malware detection
    • Zero-day detected: Alert for Threat Emulation catches
    • High-volume attack: Alert for malware campaigns
  3. Enter administrator email addresses
  4. Select alert frequency:
    • Immediate: Critical events
    • Daily digest: Summary report
  5. Click Save

Step 10: Monitor Threat Emulation Performance

Track attachment protection effectiveness.

View Emulation Statistics

  1. Navigate to Reports > Anti-Malware
  2. View key metrics:
    • Total files scanned
    • Malware detected (AV vs Threat Emulation)
    • Zero-day catches (Threat Emulation unique)
    • Files cleaned (Threat Extraction)

Track Zero-Day Detections

Zero-day detections are files caught by Threat Emulation but missed by signature-based AV:

  1. Filter events by Detection Engine: Threat Emulation
  2. Review files caught only by behavioral analysis
  3. This metric demonstrates the value of sandboxing
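An added script, not a Check Point tool, that derives the Step 10 metrics and the zero-day list (files flagged by Threat Emulation but not by signature AV) from an exported event list. The record fields (hash, engine, verdict, extracted) are a constructed simplification for illustration, not the console's real export schema.

```python
"""Summarise anti-malware events into the Step 10 metrics."""

# Constructed sample export: one record per engine verdict on an attachment.
# h4 only has an AV record (e.g. a file over the 50 MB emulation limit).
SAMPLE_EVENTS = [
    {"hash": "h1", "engine": "Anti-Virus", "verdict": "Malicious", "extracted": False},
    {"hash": "h1", "engine": "Threat Emulation", "verdict": "Malicious", "extracted": False},
    {"hash": "h2", "engine": "Anti-Virus", "verdict": "Clean", "extracted": True},
    {"hash": "h2", "engine": "Threat Emulation", "verdict": "Malicious", "extracted": True},
    {"hash": "h3", "engine": "Anti-Virus", "verdict": "Clean", "extracted": True},
    {"hash": "h3", "engine": "Threat Emulation", "verdict": "Clean", "extracted": True},
    {"hash": "h4", "engine": "Anti-Virus", "verdict": "Clean", "extracted": False},
]

# Verdicts that count as a detection (Suspicious is treated as a hit too).
DETECTED = {"Malicious", "Suspicious"}


def verdicts_by_file(events):
    """Group engine verdicts per attachment hash: {hash: {engine: verdict}}."""
    by_file = {}
    for ev in events:
        by_file.setdefault(ev["hash"], {})[ev["engine"]] = ev["verdict"]
    return by_file


def zero_day_hashes(events):
    """Hashes flagged by Threat Emulation that AV did not flag
    (AV verdict Clean, or AV never recorded a verdict for the file)."""
    hits = []
    for file_hash, verdicts in verdicts_by_file(events).items():
        te_hit = verdicts.get("Threat Emulation") in DETECTED
        av_hit = verdicts.get("Anti-Virus") in DETECTED
        if te_hit and not av_hit:
            hits.append(file_hash)
    return sorted(hits)


def summarize(events):
    """The report metrics listed under View Emulation Statistics."""
    files = verdicts_by_file(events)
    cleaned = {ev["hash"] for ev in events if ev["extracted"]}
    return {
        "total_files": len(files),
        "av_detections": sum(v.get("Anti-Virus") in DETECTED for v in files.values()),
        "te_detections": sum(v.get("Threat Emulation") in DETECTED for v in files.values()),
        "zero_day": len(zero_day_hashes(events)),
        "files_cleaned": len(cleaned),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS), zero_day_hashes(SAMPLE_EVENTS))
```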

Troubleshooting Common Issues

Attachments Not Being Scanned

Symptoms: Attachments aren't showing scan events.

Solutions:

  1. Verify Anti-Malware engine is enabled
  2. Check policy applies to affected users
  3. Confirm file type is supported for scanning
  4. Verify file size is within limits (50 MB)

Threat Extraction Not Working

Symptoms: Cleaned files not being delivered.

Solutions:

  1. Verify Threat Extraction is enabled in policy
  2. Check that file type supports cleaning (Office, PDF)
  3. Verify policy protection mode is "Detect and Remediate"
  4. Check for conflicting policies

Slow Delivery of Attachments

Symptoms: Emails with attachments are delayed.

Solutions:

  1. Check if waiting for emulation (expected behavior)
  2. Enable Threat Extraction for immediate cleaned delivery
  3. Reduce emulation timeout if acceptable
  4. Consider emulating only suspicious files

False Positives

Symptoms: Legitimate files flagged as malicious.

Solutions:

  1. Review file details in event log
  2. Submit false positive to Check Point
  3. Check if file contains legitimate macros (consider allow-listing)
  4. Create exception for specific file hash (use caution)

Best Practices

  1. Use both technologies: Enable Threat Emulation and Threat Extraction together
  2. Deliver cleaned immediately: Don't make users wait for emulation
  3. Block executables: Prevent .exe and script files via email
  4. Monitor zero-day catches: Track Threat Emulation value
  5. Test quarterly: Verify protection with EICAR and test macros
  6. Review events weekly: Check for attack patterns and trends
  7. Train users: Educate about attachment risks and clean file process

Next Steps

After configuring attachment sandboxing:

  1. Configure anti-phishing: Set up phishing detection policies
  2. Enable URL protection: Configure click-time protection
  3. Set up DLP: Protect sensitive data in attachments
  4. Review security reports: Monitor malware trends and zero-day catches


Frequently Asked Questions


Threat Emulation is sandboxing technology that opens suspicious files in an isolated virtual environment to detect malicious behavior. Threat Extraction (CDR - Content Disarm and Reconstruction) removes potentially dangerous content like macros and embedded objects from files, delivering a sanitized version immediately. You can use both together for layered protection.
