Threat Emulation (Sandboxing)

Check Point Threat Emulation prevents infections from undiscovered exploits, zero-day and targeted attacks. This innovative zero-day sandboxing solution quickly inspects files and runs them in a virtual sandbox to discover malicious behavior. Discovered malware is prevented from entering the network.


Prevent new and unknown attacks

  • Discover and prevent new threats and zero-day attacks found using emulation in a virtual sandbox
  • Stop malicious email attachments and file downloads
  • Protect against threats in MS Office, Adobe PDF, Java, Flash, Executables, and archives
  • Prevent attacks that affect multiple Windows OS environments
  • Uncover threats hidden in SSL and TLS encrypted communications

Threat Emulation Cloud-Based Service

  • Cloud-Based service – works with your existing infrastructure. No need to install new equipment
  • A unique agent for Exchange server monitors email attachments, even without Check Point infrastructure at the organization
  • Zero false-positives means you can secure the network without stopping the flow of business

ThreatCloud Enhances Real-time Security

  • Turns zero-day attacks into known and preventable attacks. Zero-day attacks become just another known threat for all other ThreatCloud subscribed Check Point gateways once the zero-day attack signature is uploaded to ThreatCloud
  • Enhances the industry's first collaborative network to fight cybercrime by adding threat signatures found via Threat Emulation
  • Boosts protection beyond the 250 million addresses analyzed for bot discovery, over 12 million malware signatures and over 1 million malware-infested sites

Integrated into Check Point's Software Blade Architecture

  • Saves time and reduces costs by leveraging existing security infrastructure
  • Detect and send files to Threat Emulation from any Check Point security gateway with R77
  • Maximize protection through unified management, monitoring and reporting
  • View and manage the "big malware picture" with integrated threat reports and dashboards that show new threats found via Threat Emulation, alongside Bot and Virus attack information
  • Check Point Threat Emulation can also be used with a local emulation device. Two appliances are available, varying in the number of parallel virtual sandboxes they run and in overall performance

Our Check Point Threat Emulation solution gives us immediate visibility and insight into threats. If an attack takes place, I can trace it down, determine its origin, and view the traffic of all the network elements it tried to reach before it was discovered. The discovery work is easy because we have access to all the logging information we need. We don’t have to guess.

Rich Peirce

Director, Infrastructure Services

Boston Properties


Industry-leading Virtual Sandboxing Technology

Check Point Threat Emulation works by intercepting and filtering inbound files, running them in a virtual environment, and flagging those files that engage in suspicious or malicious behavior commonly associated with malware, such as modifying the registry, opening network connections, creating new files, and more. Once these new threats are discovered, the file signature is sent to Check Point ThreatCloud to turn the new malware into a known and documented threat that can be prevented.

Two Implementation Options to Fit Any Organization

  • Threat Emulation Cloud-Based Service – No infrastructure changes are required at the organization – files can be sent to the cloud-based service for emulation from an existing security gateway or from an agent for Exchange server. The cloud-based service enables centralized management and visibility of both threat and service usage information.
  • Private Cloud Emulation Appliance – an on-premise solution ideal for organizations that prefer not to use cloud applications due to regulatory requirements or privacy concerns. The private cloud appliance reduces costs by leveraging your existing security infrastructure. Two appliance options are available to address the performance requirements of your organization.

Multiple Emulation OS Support

Check Point ThreatCloud Emulation provides multiple simultaneous environments for file simulation: Windows XP, 7, Office and Adobe environments.

Threat Emulation Detailed Report

A detailed report is generated for every file emulation. The report is simple to understand and includes detailed information about any malicious attempts originated by running the file. The report provides actual screenshots of the environment while running the file, for each operating system on which it was simulated.

Encrypted Communications

Files delivered into the organization over SSL and TLS represent a secure attack vector that bypasses many industry standard implementations. Check Point Threat Emulation looks inside SSL and TLS tunnels to extract and launch files to discover threats hidden in those protected streams.

Stop exploits in MS Office and Adobe PDFs

Threat Emulation brings industry-leading MS Office and Adobe file protections to threat emulation. MS Office and Adobe files comprise the most frequently distributed business-critical documents, yet they are often overlooked as easily exploitable attack vectors. Threat Emulation delivers zero false positives while providing increased security, allowing business to proceed uninterrupted.

Prevent Threats in EXEs and Zips

While less prevalent than common business documents, EXEs and ZIPs still pose a threat. Check Point Threat Emulation catches, detects, and prevents infections from EXEs and ZIP files that users may download or receive in emails.

ThreatCloud Ecosystem

Zero-day and newly discovered threats are sent to ThreatCloud, which can then protect other Check Point connected gateways via our zero-day threat sandboxing solution. Each newly discovered threat signature is distributed to other Check Point connected gateways to block before the threat has a chance to become widespread. This constant collaboration makes the ThreatCloud ecosystem the most advanced and up-to-date threat network available.

Integrated Security Management

Unified security management simplifies the monumental task of managing growing threats, devices and users. Newly identified threats caught by Threat Emulation are displayed in Malware Reports and dashboards with infection summaries and trends to provide better visibility to organizational malware threats and risks.



Emulation Specifications
Supported files for Inspection

Adobe PDF, MS Office, Executables, archives

Supported Emulation Environments

Windows XP, 7
Microsoft Office
Adobe Reader

Security Gateway Specifications
To detect and send files to ThreatCloud Emulation Service
Supported Platforms

Check Point Appliances: 2000, 4000, 12000, 13000, and 21000 using R77 or higher
Other appliances and open servers with equivalent performance to the above models are supported

Supported OS

SecurePlatform or GAiA

The Check Point Threat Emulation Service can also be used with a local emulation device. A range of appliance options are available, with overall performance supporting organizations above 3,000 users.