SandBlast Threat Emulation (Sandboxing)

As part of the Check Point SandBlast Zero-Day Protection solution, Threat Emulation prevents infections from new malware and targeted attacks. This innovative zero-day threat sandboxing capability within the SandBlast solution delivers the best possible catch rate for threats, and is virtually immune to attackers’ evasion techniques.


Highest catch rate to protect your organization from unknown malware, zero-day and targeted attacks

  • Detect and block new, unknown malware and targeted attacks found in email attachments and downloaded files
  • Provide protection across one of the widest ranges of file types, including MS Office, Adobe PDF, Java, Flash, executables, and archives, as well as multiple Windows OS environments
  • Uncover threats hidden in SSL and TLS encrypted communications

Stop hackers from evading detection and infiltrating your network, reducing risk of expensive breaches

  • Identify even the most dangerous attacks in their infancy using unique CPU-level inspection
  • Unlike static and behavioral analysis, or solutions based on heuristics, evaluation of potential malware occurs at the instruction level, where exploits cannot hide
  • Exploits are caught before malware has an opportunity to deploy and evade detection

Provide complete threat visibility with comprehensive integrated threat prevention and security management

  • Flexible and cost-effective deployment options for organizations of all sizes
  • Leverage existing infrastructure and management tools to reduce capital costs and speed implementation
  • Turn zero-day and unknown attacks into known and preventable attacks by updating signatures for newly discovered attacks to all Check Point gateways subscribed to the ThreatCloud intelligence database

Our Check Point Threat Emulation solution gives us immediate visibility and insight into threats. If an attack takes place, I can trace it down, determine its origin, and view the traffic of all the network elements it tried to reach before it was discovered. The discovery work is easy because we have access to all the logging information we need. We don’t have to guess.

Rich Peirce

Director, Infrastructure Services

Boston Properties


Evasion resistant detection using cutting edge CPU-level technology

Unlike other solutions, Check Point zero-day threat sandboxing uses a unique technology that conducts inspection at the CPU level to stop attacks before they have a chance to launch.

There are thousands of vulnerabilities and millions of malware implementations, but there are very few methods that cybercriminals utilize to exploit vulnerabilities. The Check Point SandBlast Threat Emulation engine monitors CPU-based instruction flow for exploits attempting to bypass OS security controls.

By detecting exploit attempts during the pre-infection stage, Threat Emulation sandboxing stops attacks before they have a chance to evade detection.

Identify more malware

Check Point SandBlast Zero-Day Protection conducts further investigation with OS-level sandboxing by intercepting and filtering inbound files, and running them in a virtual environment. File behavior is inspected simultaneously across multiple operating systems and versions. Files engaging in suspicious activity commonly associated with malware, such as modifying the registry, opening network connections, and creating new files, are flagged and further analyzed. Malicious files are prevented from entering your network.

Analyze over 40 file types and support multiple operating systems

The Threat Emulation engine supports inspection of one of the widest ranges of file types, including MS Office, PDFs, executables, archives, Java, and Flash. In addition, it provides protection against attacks targeting multiple Windows OS environments, including Windows XP and Windows 7.

Full visibility into attack attempts with integrated security management and detailed reporting

Unified security management simplifies the monumental task of managing growing threats, devices and users. Newly identified threats caught by the Threat Emulation engine are displayed in Malware Reports and dashboards with infection summaries and trends to provide better visibility into organizational malware threats and risks.

Additionally, a detailed report is generated after any file goes through the sandbox. The report is easy to understand and includes detailed information about any malicious attempts originated by running the file. The report provides actual screenshots of the environment while running the file for any operating system on which it was simulated.

Uncover encrypted threats

Files delivered into the organization over SSL and TLS represent a secure attack vector that bypasses many industry standard implementations. Check Point SandBlast looks inside SSL and TLS tunnels to extract and launch files to discover threats hidden in those protected streams.

Collaboration for the best protection

For each new threat discovered by Threat Emulation, a new signature is created and sent to Check Point ThreatCloud, where it is distributed to other Check Point connected gateways. Threat Emulation converts newly identified unknown attacks into known signatures, making it possible to block these threats before they have a chance to become widespread. This constant collaboration makes the ThreatCloud ecosystem the most advanced and up-to-date threat network available.

Implementation flexibility to fit any organization

  • Cloud-Based Service – Files can be sent to the cloud-based service for emulation and analysis from an existing security gateway or from an agent for Exchange server. No infrastructure changes are required at the organization. The cloud-based service enables centralized management and visibility of both threat and service usage information.
  • Dedicated Appliance – An on-premise solution ideal for organizations that prefer not to use cloud applications due to regulatory requirements or privacy concerns. The SandBlast Zero-Day Protection dedicated appliances reduce costs by leveraging your existing security infrastructure. Four options are available to address the performance requirements of your organization.
  • Software Bundles for the Best Protection – With the Next Generation Threat Extraction (NGTX) software bundle, organizations are able to leverage the protections delivered by Check Point SandBlast Zero-Day Protection. In addition, they gain the added protections provided by IPS, Application Control, URL Filtering, Antivirus, Anti-Bot, and Anti-Spam to protect users from downloading malicious files, accessing risky websites, and to stop bot communications before damage is caused. Organizations already leveraging the Next Generation Threat Prevention (NGTP) appliance can add this capability via the TX bundle.


Threat Emulation (Sandboxing) Specifications

Supported file types: Over 40 file types, including Adobe PDF, Microsoft Office, executables, archives, Flash, Java Applets, and PIF

Supported Emulation Environments: Windows XP, 7; Microsoft Office; Adobe Reader

Deployment options:

  • Cloud-based Service
  • On-premise appliances

Operating Environment: SecurePlatform or GAiA