Next Generation Threat Emulation and Extraction

Zero-day attack prevention through threat emulation and extraction

Zero-day and advanced persistent threats use the element of surprise to bypass traditional security, making these threats difficult to protect against—and very popular with hackers. Traditional sandboxing was designed to help with these types of threats, but cybercriminals have evolved their techniques, creating evasive malware that can avoid detection by many sandbox solutions. As a result, many organizations find themselves taking reactive steps to counteract infection, rather than preventing it in the first place.

To get ahead, enterprises need a multi-faceted prevention strategy that combines proactive protection that eliminates threats before they reach users, and state-of-the-art CPU-level exploit detection to expose even the most highly camouflaged threats.
level of inspection so you can prevent more malware and zero-day attacks, while ensuring quick delivery of safe content to your users.

Threat Emulation (Sandboxing)

Preventing today’s sophisticated attacks requires innovation. As part of the Check Point SandBlast Zero-Day Protection solution, the Threat Emulation engine picks up malware at the exploit phase, even before hackers can apply evasion techniques attempting to bypass the sandbox. Files are quickly quarantined and inspected, running in a virtual sandbox to discover malicious behavior before it enters your network. This innovative solution combines CPU-level inspection and OS-level sandboxing to prevent infection from the most dangerous exploits, and zero-day and targeted attacks.

Highest catch rate to protect your organization from unknown malware, zero-day and targeted attacks:

  • Detect and block new, unknown malware and targeted attacks found in email attachments, downloaded files, and URLs to files within emails
  • Provide protection across one of the widest range of file types including, MS Office, Adobe PDF, Java, Flash, executables, and archives, as well as multiple Windows OS environments
  • Uncover threats hidden in SSL and TLS encrypted communications

Stop hackers from evading detection and infiltrating your network, reducing risk of expensive breaches

  • Identify even the most dangerous attacks in their infancy using unique CPU-level inspection
  • Unlike static and behavioral analysis, or solutions based on heuristics, evaluation of potential malware occurs at the instruction level, where exploits cannot hide
  • Exploits are caught before malware has an opportunity to deploy and evade detection

Provide complete threat visibility with comprehensive integrated threat prevention and security management

  • Flexible and cost-effective deployment options for organizations of all sizes
  • Leverage existing infrastructure and management tools to reduce capital costs and speed implementation
  • Turn zero-day and unknown attacks into known and preventable attacks by updating signatures for newly discovered attacks to all Check Point gateways subscribed to the ThreatCloud intelligence database
Threat Extraction

Prompt delivery of safe content is critical to maintaining the flow of business. As part of the Check Point SandBlast Zero-Day Protection solution, the Threat Extraction capability immediately provides a safe version of potentially malicious content to users. Exploitable content, including active content and various forms of embedded objects, are extracted out of the reconstructed file to eliminate potential threats. Access to the original suspicious version is blocked, until it can be fully analyzed by SandBlast Zero-Day Protection. Users have immediate access to content, and can be confident they are protected from the most advanced malware and zero-day threats.


Proactively protect against threats contained in emailed and web-downloaded documents

  • Remove exploitable content, including active content and embedded objects
  • Reconstruct files with known safe elements

Promptly deliver safe content - or sanitized versions of potentially malicious files

  • Proactively provide users with clean, reconstructed files containing only safe elements
  • Immediately deliver reconstructed files to maintain uninterrupted business flow

Provide complete threat visibility with comprehensive, integrated threat prevention and security management

  • Eliminate delays associated with traditional sandboxes, and enable real-world deployment of SandBlast Zero-Day Protection in prevent mode
  • Provide the best protection by converting reconstructed files to PDF format, or maintain flexibility with options to maintain the original file format and specify the type of content to be removed
  • Ensure visibility into attack attempts, and allow access to original file after completing background analysis by SandBlast Threat Emulation

For each new threat discovered by Threat Emulation, a new signature is created and sent to Check Point ThreatCloud, where it is distributed to other Check Point connected gateways. Threat Emulation converts newly identified unknown attacks into known signatures, making it possible to block these threats before they have a chance to become widespread. This constant collaboration makes the ThreatCloud ecosystem the most advanced and up-to-date threat network available.