https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132391#M55883 <P>I've been asked to show proof of protection from "blackmatter"...&nbsp; is there a way to look these up the protections in AV/AB blade? not sure what they're called - i've tried w.32.blackmatter, and a few other variations, and couldn't find anything.</P><P>&nbsp;</P><P>thanks.</P> Thu, 21 Oct 2021 17:12:58 GMT D_TK 2021-10-21T17:12:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132149#M55881 <P>Hello, does anyone know if there is an IPS Signature already made for Checkpoint we can download in our normal IPS updates for the BlackMatter Ransomware?&nbsp;</P><P><A href="https://us-cert.cisa.gov/ncas/alerts/aa21-291a" target="_blank" rel="noopener">https://us-cert.cisa.gov/ncas/alerts/aa21-291a</A></P><P>Or can we do a custom one with the info in the US Cert article?</P><P>&nbsp;</P> Tue, 19 Oct 2021 20:10:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132149#M55881 Noa_Moe 2021-10-19T20:10:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132164#M55882 <P>There are no IPS signatures for any ransomware types, that falls into the domain of the Anti-virus blade which has several signatures for Black Matter.&nbsp; You will want to use those if you have the Anti-Virus blade enabled.&nbsp;</P> <P>While IPS was kind of the "original Threat Prevention" and had lots of signatures for things like eDonkey/Gator/Nimda and such, all that got cleaned up in R80 as many IPS signatures got migrated into the "proper" blades as described here: <A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103766&amp;partition=Advanced&amp;product=IPS" target="_blank" rel="noopener">sk103766: List of IPS Protections removed in R8X.x</A>.&nbsp; Although IPS still has&nbsp; a signature for the EICAR test virus to this day which I find perplexing...</P> <P>But anyway if you can't or don't want to use the Anti-Virus blade for this, your best bet is to create a custom SNORT signature for your IPS blade matching Black Matter, I'm sure you could probably locate the proper SNORT rule(s) for it with a bit of research.&nbsp; All of the above is covered in my new IPS/AV/ABOT Immersion video series as well as Custom Threat Indicators (strongly preferred over the much older SNORT-based signatures) which you can't use in this case because they only function with AV and ABOT.</P> <P>&nbsp;</P> Thu, 21 Oct 2021 17:12:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132164#M55882 Timothy_Hall 2021-10-21T17:12:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132391#M55883 <P>I've been asked to show proof of protection from "blackmatter"...&nbsp; is there a way to look these up the protections in AV/AB blade? not sure what they're called - i've tried w.32.blackmatter, and a few other variations, and couldn't find anything.</P><P>&nbsp;</P><P>thanks.</P> Thu, 21 Oct 2021 17:12:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132391#M55883 D_TK 2021-10-21T17:12:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132393#M55884 <P>I found the BlackMatter AV protections listed in the ThreatWiki but not able to search that is was applied either.&nbsp;<A href="https://threatwiki.checkpoint.com/threatwiki/public.htm" target="_blank">https://threatwiki.checkpoint.com/threatwiki/public.htm</A></P> Thu, 21 Oct 2021 17:21:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132393#M55884 Noa_Moe 2021-10-21T17:21:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132395#M55885 <P>Go to the ThreatWiki (<A href="https://threatwiki.checkpoint.com/threatwiki/public.htm" target="_blank">https://threatwiki.checkpoint.com/threatwiki/public.htm</A>) and search for blackmatter to get the protection names:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blackmatter.png" style="width: 960px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14059i6F3DE93B9010A6EA/image-size/large?v=v2&amp;px=999" role="button" title="blackmatter.png" alt="blackmatter.png" /></span></P> Thu, 21 Oct 2021 17:23:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132395#M55885 Timothy_Hall 2021-10-21T17:23:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132420#M55886 <P>Check Point Harmony Endpoint provides protection against this threat:</P> <P><A href="https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=publication&amp;threatId=4561" target="_blank">https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=publication&amp;threatId=4561</A></P> <P>&nbsp;</P> Fri, 22 Oct 2021 10:07:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Signature-for-BlackMatter-Ransomware/m-p/132420#M55886 Tal_Paz-Fridman 2021-10-22T10:07:32Z