Managing Policies and Configuration
Check Point Email Protection operates based on predefined policies. Admins can view and manage these policies directly from the Guardz platform.
To do so, select the ‘All Customers’ view, click on the ‘Security Controls’ tab and open the ‘Email Protection’ section.
Please note:
Policies should be configured at the global level, from which they will be automatically inherited by all customers
It is also possible to override the global policies at the individual customer level, if tenant-specific configurations are required
The Guardz in-house email protection policies remain accessible provided the service is activated for at least one customer.
A. Default Activated Configurations
1. Default configurations that cannot be changed:
Email protection working mode - Pre-delivery / Inline mode (meaning that emails are scanned and blocked before reaching inboxes)
URL re-writing (‘Link Replacement’) for email body & attachments (the URLs of links found in both the email body text and attachments are changed and replaced)
Data retention policy - based on Check Point default values
2. Default activated configurations that can be changed by the admin:
Detection Sensitivity:
Admins can set the detection confidence level per threat type. Default values are:
Baseline Workflows:
Admins can change the workflow applied to emails that match each threat type, choosing from pre-defined drop-down lists. The recommended option for each workflow is marked with a star symbol. The workflows are:
Phishing:
Email is quarantined
Suspected Phishing:
Email is delivered with warning banner
Dangerous Attachments:
Email is quarantined
Password Protected Attachments:
Enabled by default (end-user must provide a password for pre-scan)
Spam:
Email is moved to spam
Graymail:
Email is moved to spam
Clean emails:
‘Smart Banners’ enabled by default (banners/headers that get added automatically to incoming emails that are not outright malicious, to help with security awareness, context, and policy compliance)
Please note: at present, selecting the ‘Do Nothing’ option still results in issues being created on the admin side, even though the option is intended to indicate that no action is required.
Microsoft 365 Quarantine Sync:
Enabled by default (Quarantined Microsoft 365 emails sync to the platform; admins manage them, users can only view)
Phishing Detection for Internal-to-Internal Emails:
Enabled by default (Internal emails - sent between users within the organization - are scanned as well)
User Interactions:
Admin approval for quarantine release (Admin-Only quarantined):
Enabled by default
User Reported Email:
Enabled by default (note that it creates an event on the admin side whenever a user reports an email)
B. Additional Settings Admin Can Activate & Manage:
Phishing Report Mailbox:
Define a mailbox where users can send suspicious emails. The admin must enter the address, and this address must also belong to an active Guardz user. This feature is available in single customer mode only; make sure to toggle on the 'Override' function.
Allow/Block Lists:
Add rules for email addresses, domains, IPs, headers, file types.
Trusted Senders:
Define an email address or domain to be marked as ‘Not Spam’.
Admin Email Notifications
Previously, admins received alerts about quarantining if they set the lowest severity level, and they always received alerts regarding spam.
From now on, we help admins focus on what really matters: since both quarantining and spam are automatically handled by the system, no alerts will be sent for these events even if you were accustomed to receiving them before.
Remediations and Issues Handling
Emails are held in quarantine for the defined retention period. Users receive email alerts and can manage quarantined items in the user portal. If no action is taken, quarantined messages are deleted after the retention period.
Notes For Admins:
1. All suspicious emails are displayed to the admin as issues under the ‘Detection and Response’ section. These issues can be categorized into different types:
Alert emails
Spam emails
Quarantined emails
User-reported emails
2. Updates to the ‘Detection & Response’ view:
The ‘Source’ column represents the source of the detection: Check Point, Microsoft Quarantine or Guardz
Currently the ‘Threats’ column presents partial information only
3. Admins can review each issue by clicking the record and take appropriate actions:
The ‘Last Updated At’ field represents the last time the issue was updated by Check Point Email Protection
The ‘Reasons for detection’ section explains the factors that triggered the detection
The ‘Show Email Preview’ feature remains functional in accordance with the retention policy
Email metadata is now available by clicking on ‘Show Email Headers’
Admins can proceed and take a remediation action according to the suggested options (i.e., Keep in Quarantine, Move to Spam, Restore Email, etc.)
Based on the selected remediation option, administrators can update the Allow and Block lists directly from the remediation screen with the relevant information
4. End-user portal functionalities remain the same
Reporting Aspects:
ROI Report:
Check Point Email Protection data is not currently reflected in ROI reporting
Compliance Report: data is included, with the following notes:
Data is merged and reflected regularly following migration
Email protection settings are not displayed in the current report
Deleting the Service:
Disabling Check Point Email Protection may occur in two distinct business scenarios:
1. Admin disables the email protection service:
In this case the admin chooses to deactivate this specific security control
To do so:
Guardz will process the request automatically (may take a few hours)
2. Admin deletes the entire organization:
Deleting an organization triggers the same process
Please note:
For both scenarios, the MSP must remove the Avanan app from their workspace. Detailed instructions are automatically sent via email once the process begins.