How can I help you? Start Chat

US Phone: 1-866-488-6691
International Phone: +44-2036087492

  • E-Mail
  • Facebook
  • LinkedIn
  • Twitter

SandBlast Network Security

Hackers are increasingly targeting enterprise networks using sophisticated tools such as new zero-day threats. A more proactive security approach is required to identify and stop such attacks. SandBlast Zero-Day Protection elevates network security to the next level with evasion-resistant malware detection, and complete protection from even the most dangerous attacks – ensuring quick delivery of safe content to your users.


Stop hackers from evading detection and infiltrating your network, reducing risk of expensive breaches or downtime

  • Detect and block new or previously undiscovered threats, across a wide range of file types
  • Unique CPU-level inspection identifies the most dangerous targeted threats in their infancy, before malware has an opportunity to deploy and evade detection
  • Unlike static and behavioral analysis, or solutions based on heuristics, evaluation of potential malware occurs at the instruction level, where exploits cannot hide

Promptly deliver sanitized versions of potentially malicious files – maintaining uninterrupted business flow

  • Threat Extraction immediately provides users with clean, reconstructed files containing only known safe elements
  • Enables real-world deployment in prevent mode, while traditional sandboxes typically run only in detect mode because of unacceptable delays
  • Efficient analysis in the background ensures visibility into attack attempts, allowing access to original file once emulation is complete

Maximize operational value, minimize Total Cost of Ownership, and provide complete threat visibility with integrated threat prevention and security management

  • Leverage existing infrastructure and management tools to reduce capital costs and speed implementation
  • Flexible and cost-effective implementation architectures for a full range of performance and scalability needs
  • Multi-layer protection technologies combined with threat intelligence deliver complete security and threat visibility
  • Open framework enables easy integration with 3rd party security solutions

CPU-level inspection makes SandBlast even more attractive. It prevents exploits like Return-Oriented Programming attacks, and the sandboxing process is fast. The speed, simplicity, and ease of use mean a lot to us.

Saul Schwartz

Enterprise Security Engineer




Complete protection from zero-day threats

Check Point SandBlast Zero-Day Protection provides complete protection against the most dangerous zero-day and targeted attacks at the network, using two core technologies: Threat Emulation and Threat Extraction.

The combination of these cutting-edge technologies makes SandBlast uniquely capable of identifying the most sophisticated, zero-day threats in their infancy, before malware has an opportunity to deploy and even attempt to evade detection, while ensuring quick delivery of safe content to users.

Evasion resistant detection

Unlike other solutions, Check Point SandBlast Zero-Day Protection uses a unique technology that does inspection at the CPU-level to stop attacks before they have a chance to launch.

There are thousands of vulnerabilities and millions of malware implementations, but there are very few methods that cyber criminals utilize to exploit vulnerabilities. The Check Point SandBlast Threat Emulation engine monitors CPU-based instruction flow for exploits attempting to bypass operating system and hardware security controls.

By detecting exploit attempts during the pre-infection stage, Check Point SandBlast Threat Emulation sandboxing stops attacks before they have a chance to evade detection by the sandbox.

Catches more malware

Check Point SandBlast Zero-Day Protection conducts further investigation with OS-level threat emulation by intercepting and filtering inbound files and inspecting URLs linked to files within emails by running them in a virtual environment.  File behavior is inspected simultaneously across multiple operating systems and versions. Files engaging in suspicious activity commonly associated with malware, such as modifying the registry, network connections, and new file creation are flagged and further analyzed. Malicious files are prevented from entering your network.

Detailed reports

A detailed report is generated for each file emulated and found to be malicious. The easy to understand report includes file details and information about any abnormal activity or malicious attempts originated by running the file. The report provides actual screenshots of the environment while running the file for any operating system on which it was simulated.

ThreatCloud ecosystem

Newly discovered threats are sent to the ThreatCloud intelligence database.  Each newly discovered threat signature is distributed across the ThreatCloud ecosystem to protect other Check Point connected gateways. This enables connected gateways to block the new threat before it has a chance to become widespread. Constant collaboration makes ThreatCloud the most advanced and up-to-date threat Intelligence network available.

Proactive prevention with prompt delivery of safe content

When it comes to threat protection, it doesn’t have to be a trade-off between speed, coverage and accuracy. Unlike other solutions, Check Point SandBlast Zero-Day Protection can be deployed in detect and prevent mode, while still maintaining uninterrupted business flow.

Our Threat Extraction component within Check Point SandBlast eliminates threats by removing risky content such as macros or embedded links and then reconstructs the document using only known safe elements.

Unlike detection technologies that require time to search for and identify threats before blocking them, Threat Extraction preemptively eliminates risk, ensuring prompt delivery of safe documents.

Protects most common file types

Check Point SandBlast Zero-Day Protection secures a wide range of the most common document types used in organizations today, from Microsoft Office Word, Excel, Power Point and Adobe PDFs to archive files.

Flexible and easy to deploy

Check Point SandBlast Threat Emulation supports multiple deployment options, providing a cost-effective solution for virtually any size organization. Files can be sent from existing gateways to either the SandBlast cloud-based service or to an on-premise appliance available with a range of throughput capacities.

Installed as an additional software blade on the gateway, Check Point SandBlast Threat Extraction can be applied across the entire organization, or implemented only for specific individuals, domains, or departments. Administrators can configure included users and groups based upon their needs, easily facilitating gradual deployment to the organization.

Complete, integrated solution

Check Point SandBlast Zero-Day Protection is fully integrated with Check Point Security Management, allowing creation of security policies and profiles, and configuration from a unified platform.  Check Point SmartEvent provides visibility and reporting across your organization’s threat horizon, enabling rapid investigation and resolution of security events.

Bundles for best protection

With the Next Generation Threat Prevention & SandBlast™ (NGTX) bundle, organizations are able to leverage the protections delivered by Check Point SandBlast Zero-Day Protection, and gain the added protections provided by IPS, Application Control, URL Filtering, Antivirus, Anti-Bot, and Anti-Spam on any Check Point gateway. This comprehensive protection keeps users from downloading malicious files, accessing risky websites, and stops bot communications before damage occurs.

SandBlast family of solutions

The SandBlast Zero-Day Protection solution suite also includes additional products that provide advanced threat protection for web browsers, endpoints and cloud applications.

Learn More


Threat Emulation
Emulation environments
  • Windows XP
  • Windows 7
  • Windows 8.1
  • Windows 10
Analysis engines

Over 30 technologies including:

  • CPU-level exploit detection
  • OS-level behavioral detection
  • Machine learning dynamic analysis
  • Push-Forward emulation for Adobe Flash
  • Human interaction simulation
  • Virtual network services
  • C&C communication detection
  • Macro analysis
  • Static analysis
  • Link scanning, proactive download and emulation of linked file
  • Icon similarity evaluation
  • ThreatClould indicator lookup
File typesOver 50 file types, including: Adobe PDF, Microsoft Office, Windows PE (EXE), javascript, VBS, WSF, Adobe Flash, Java Applets, PIF, files in archives
Archive files
  • Scan files contained in archives
  • Open password protected archives
Threat Extraction
File types
  • Microsoft Word
  • Microsoft PowerPoint
  • Microsoft Excel
  • Adobe PDF
  • Image files
Extraction modes
  • Clean and keep original format
  • Convert to PDF
Extractable components

Over 15 extractable component types (configurable).

Examples of extractable components:

  • Macros and Code
  • Embedded Objects
  • Linked Objects
  • PDF JavaScript Actions
  • PDF Launch Actions
Threat Emulation integrationYes
Self-catered access to original filesYes
Access to original can be configured to depend on Threat Emulation benign verdict
Additional Protections (included with NGTX package)
IPSProtects from network-based intrusions and exploitations
Anti-VirusProtects from malware in files downloads and mail attachments (signature-based)
Anti-BotIdentify and contain infections by blocking C&C traffic
URL Filtering & App ControlBlock
SSL InspectionIncluded
Identity AwarenessIncluded
ManagementCheck Point SmartCenter, R77 and above
Supported protocols
Threat ExtractionSMTP, SMTPS – MTA deployment
Hosing locationService provided by
Check Point CloudSandBlast TE Cloud Service
Customer Data CenterSandBlast TE Appliances
HybridCombine SandBlast TE Cloud Service and SandBlast TE Appliances
GatewayDeployment OptionsNotes
Check Point Gateway with NGTX
  • Inline – L3 gateway or L2 bridge
  • TAP / Span port
  • Mail Transfer Agent (MTA)
  • ICAP server - web proxy integration*
  • Web Proxy
Emulation service performed either by Check Point Cloud or locally by TE appliance.

Gateway version: R77 and above
TE Appliance with NGTX

Inline: TE appliance deployed inline

  • Inline – L3 gateway
  • TAP / Span port
  • Mail Transfer Agent (MTA)
  • ICAP server - web proxy integration*
  • Web Proxy
Accepts files for emulation/extraction from NGTX gateways, SandBlast Agent and SandBlast API
TE Appliance

Distributed: TE appliance deployed as emulation service

Accepts files for emulation/extraction from NGTX gateways, SandBlast Agent and SandBlast API