How can I help you? Start Chat

US Phone: 1-866-488-6691
International Phone: +44-2036087492

  • E-Mail
  • Facebook
  • LinkedIn
  • Twitter

SandBlast Network Security

Hackers are increasingly targeting enterprise networks using sophisticated tools such as new zero-day threats. A more proactive security approach is required to identify and stop such attacks. SandBlast Zero-Day Protection elevates network security to the next level with evasion-resistant malware detection, and complete protection from even the most dangerous attacks – ensuring quick delivery of safe content to your users.


Stop hackers from evading detection and infiltrating your network, reducing risk of expensive breaches or downtime

  • Detect and block new or previously undiscovered threats, across a wide range of file types
  • Unique CPU-level inspection identifies the most dangerous targeted threats in their infancy, before malware has an opportunity to deploy and evade detection
  • Unlike static and behavioral analysis, or solutions based on heuristics, evaluation of potential malware occurs at the instruction level, where exploits cannot hide

Promptly deliver sanitized versions of potentially malicious files – maintaining uninterrupted business flow

  • Threat Extraction immediately provides users with clean, reconstructed files containing only known safe elements
  • Enables real-world deployment in prevent mode, while traditional sandboxes typically run only in detect mode because of unacceptable delays
  • Efficient analysis in the background ensures visibility into attack attempts, allowing access to original file once emulation is complete

Maximize operational value, minimize Total Cost of Ownership, and provide complete threat visibility with integrated threat prevention and security management

  • Leverage existing infrastructure and management tools to reduce capital costs and speed implementation
  • Flexible and cost-effective implementation architectures for a full range of performance and scalability needs
  • Multi-layer protection technologies combined with threat intelligence deliver complete security and threat visibility
  • Open framework enables easy integration with 3rd party security solutions

CPU-level inspection makes SandBlast even more attractive. It prevents exploits like Return-Oriented Programming attacks, and the sandboxing process is fast. The speed, simplicity, and ease of use mean a lot to us.

Saul Schwartz

Enterprise Security Engineer




Complete protection from zero-day threats

Check Point SandBlast Zero-Day Protection provides complete protection against the most dangerous zero-day and targeted attacks at the network, using two core technologies: Threat Emulation and Threat Extraction.

The combination of these cutting-edge technologies makes SandBlast uniquely capable of identifying the most sophisticated, zero-day threats in their infancy, before malware has an opportunity to deploy and even attempt to evade detection, while ensuring quick delivery of safe content to users.

Evasion resistant detection

Unlike other solutions, Check Point SandBlast Zero-Day Protection uses a unique technology that does inspection at the CPU-level to stop attacks before they have a chance to launch.

There are thousands of vulnerabilities and millions of malware implementations, but there are very few methods that cyber criminals utilize to exploit vulnerabilities. The Check Point SandBlast Threat Emulation engine monitors CPU-based instruction flow for exploits attempting to bypass operating system and hardware security controls.

By detecting exploit attempts during the pre-infection stage, Check Point SandBlast Threat Emulation sandboxing stops attacks before they have a chance to evade detection by the sandbox.

Catches more malware

Check Point SandBlast Zero-Day Protection conducts further investigation with OS-level threat emulation by intercepting and filtering inbound files and inspecting URLs linked to files within emails by running them in a virtual environment.  File behavior is inspected simultaneously across multiple operating systems and versions. Files engaging in suspicious activity commonly associated with malware, such as modifying the registry, network connections, and new file creation are flagged and further analyzed. Malicious files are prevented from entering your network.

Detailed reports

A detailed report is generated for each file emulated and found to be malicious. The easy to understand report includes file details and information about any abnormal activity or malicious attempts originated by running the file. The report provides actual screenshots of the environment while running the file for any operating system on which it was simulated.

ThreatCloud ecosystem

Newly discovered threats are sent to the ThreatCloud intelligence database.  Each newly discovered threat signature is distributed across the ThreatCloud ecosystem to protect other Check Point connected gateways. This enables connected gateways to block the new threat before it has a chance to become widespread. Constant collaboration makes ThreatCloud the most advanced and up-to-date threat Intelligence network available.

Proactive prevention with prompt delivery of safe content

When it comes to threat protection, it doesn’t have to be a trade-off between speed, coverage and accuracy. Unlike other solutions, Check Point SandBlast Zero-Day Protection can be deployed in detect and prevent mode, while still maintaining uninterrupted business flow.

Our Threat Extraction component within Check Point SandBlast eliminates threats by removing risky content such as macros or embedded links and then reconstructs the document using only known safe elements.

Unlike detection technologies that require time to search for and identify threats before blocking them, Threat Extraction preemptively eliminates risk, ensuring prompt delivery of safe documents.

Protects most common file types

Check Point SandBlast Zero-Day Protection secures a wide range of the most common document types used in organizations today, from Microsoft Office Word, Excel, Power Point and Adobe PDFs to archive files.

Flexible and easy to deploy

Check Point SandBlast Threat Emulation supports multiple deployment options, providing a cost-effective solution for virtually any size organization. Files can be sent from existing gateways to either the SandBlast cloud-based service or to an on-premise appliance available with a range of throughput capacities.

Installed as an additional software blade on the gateway, Check Point SandBlast Threat Extraction can be applied across the entire organization, or implemented only for specific individuals, domains, or departments. Administrators can configure included users and groups based upon their needs, easily facilitating gradual deployment to the organization.

Complete, integrated solution

Check Point SandBlast Zero-Day Protection is fully integrated with Check Point Security Management, allowing creation of security policies and profiles, and configuration from a unified platform.  Check Point SmartEvent provides visibility and reporting across your organization’s threat horizon, enabling rapid investigation and resolution of security events.

Bundles for best protection

With the Next Generation Threat Extraction (NGTX) bundle, organizations are able to leverage the protections delivered by Check Point SandBlast Zero-Day Protection, and gain the added protections provided by IPS, Application Control, URL Filtering, Antivirus, Anti-Bot, and Anti-Spam on any Check Point gateway. This comprehensive protection keeps users from downloading malicious files, accessing risky websites, and stops bot communications before damage occurs.

SandBlast family of solutions

The SandBlast Zero-Day Protection solution suite also includes additional products that provide advanced threat protection for web browsers, endpoints and cloud applications.

Learn More


Supported File TypesOver 40 file types, including: Adobe PDF, Microsoft Office, EXE, files in archives, Flash, Java Applets, and PIF
Supported Emulation Environments Microsoft Windows XP, 7, 8
Microsoft Office; Adobe Reader
Operating EnvironmentSecurePlatform or GAiA
Supported File TypesMicrosoft Office 2003-2013, Adobe PDF
Performance~1% of throughput decrease for 8000 people
1 GB of memory required
Version and OSFrom R77.30 using SecurePlatform or GAiA
Distributed Deployment – Check Point security gateways, deployed across the network and acting as sensors, send files and objects to be inspected by one or more SandBlast appliances.
SandBlast Service – Files can be sent to the cloud-based service for emulation and analysis from an existing security gateway or from an agent for Exchange server. No infrastructure changes are required at the organization. The cloud-based service enables centralized management and visibility of both threat and service usage information.
Inline or Span-Port Deployment – Connect the SandBlast appliance inline – files and objects are examined inline by the SandBlast appliance
MTA – Acting as a Mail Transfer Agent, the Check Point security gateway receives incoming mails, and scans or cleans their content before forwarding it to the next hop mail server – MTA supports both Threat Emulation and Threat Extraction
Threat Prevention API – Open API allows sending files to the SandBlast appliance for inspection by Threat Emulation and Threat Extraction