topic Re: SandBlast agent poor documentation in Endpoint

SandBlast agent poor documentation

18568 — Fri, 17 Aug 2018 09:47:27 GMT

I worked with Checkpoint security gateways for quite a few years and the technical documentation is usually quite complete (especially thanks to the ATRG pages), however I recently started setting up Sandblast agents for a client and I find the documentation very lacking, it is mostly a "black box" and the documentation tells you it will protect against this threat but without any technical details on how it will do it.

For example if I take the anti-ransomware feature I cannot find the following information:

How does the agent decides which file to backup
Are the files backed up when accessed by a process (does that mean the process have to wait the backup is completed before running) or is the agent actively looking for these files (and if so how - only local or also remote on file servers?)
How long is each file kept in the backup
I can configure a backup size limit in the Endpoint Management but what happens when the client reaches the limit (I assume some files will be deleted, but which one)
I see in the documentation that the agent is supposed to create some random files in My Documents, etc. I cannot find these files however I see folders such as "CheckPoint!FrameworkDirectoryDon'tDiscard" and "Sandblast Zero-Day-SystemFolder-Do notDiscard" but again no information on what they are
How is the anti-ransomware agent "constantly monitoring suspicious activities", I understand for this one that details might be restricted to not have other vendors copying it but at least some high level description would be useful

This is only for anti-ransomware but I can give a similar list for nearly every sandblast feature.

Did I miss an ATRG or SK for all this somewhere ?

Thanks

Re: SandBlast agent poor documentation

G_W_Albrecht — Fri, 17 Aug 2018 10:52:38 GMT

There is a lot of documention and SKs for SandBlast already, so we have a lot to study already ! But your question:

I see in the documentation that the agent is supposed to create some random files in My Documents, etc. I cannot find these files however I see folders such as "CheckPoint!FrameworkDirectoryDon'tDiscard" and "Sandblast Zero-Day-SystemFolder-Do notDiscard" but again no information on what they are

for me seem not relevant at all - the random files are in the folders you see, but how could information on "what they are" help you in any way ?

If you need these answer to make customer(s) happy, you can always involve TAC and ask for information.

Re: SandBlast agent poor documentation

_Val_ — Fri, 17 Aug 2018 11:48:58 GMT

For my understanding, you are looking for tech reference, not an admin guide, correct?

Re: SandBlast agent poor documentation

18568 — Fri, 17 Aug 2018 12:52:04 GMT

Günther W. Albrecht wrote:
the random files are in the folders you see

If that's the case the admin guide (page 187) is both wrong about the file names and the file locations:

Günther W. Albrecht wrote:
but how could information on "what they are" help you in any way ?

I assumed the documentation is correct and they were not anti-ransomware files, in that case yes I want to know and the client will ask what are these files in their My Documents.

Günther W. Albrecht wrote:

If you need these answer to make customer(s) happy, you can always involve TAC and ask for information.

I don't see how "opening a ticket to understand their product" is a good documentation strategy for CheckPoint.

The main thing for me is that on Gateway side the documentation is usually quite good so I would just expect the same level for Endpoints.

Re: SandBlast agent poor documentation

18568 — Fri, 17 Aug 2018 12:57:14 GMT

I would indeed love a tech reference on Sandblast agent the same way and level of details there is ATRG for ClusterXL or CoreXL.

But I even believe some of these questions and other should actually be in the admin guide as they are quite "basic" and quite important for the administration of the product (which is what an admin guide should be about isn't it ).

Re: SandBlast agent poor documentation

PhoneBoy — Fri, 17 Aug 2018 18:52:24 GMT

Let me see if I can answer the questions you've asked:

How does the agent decides which file to backup

Any file modified by a user gets backed up.

You can exclude certain directories if you prefer.

Are the files backed up when accessed by a process (does that mean the process have to wait the backup is completed before running) or is the agent actively looking for these files (and if so how - only local or also remote on file servers?)

As stated above, files that get modified get backed up.

I believe that also includes remote fileshares as well.

How long is each file kept in the backup
I can configure a backup size limit in the Endpoint Management but what happens when the client reaches the limit (I assume some files will be deleted, but which one)

Think of it as a first in, first-out buffer.

I see in the documentation that the agent is supposed to create some random files in My Documents, etc. I cannot find these files however I see folders such as "CheckPoint!FrameworkDirectoryDon'tDiscard" and "Sandblast Zero-Day-SystemFolder-Do notDiscard" but again no information on what they are

I assume these exist for similar reasons to the ones documented above, but will admit I don't know exactly what these folders are for.

How is the anti-ransomware agent "constantly monitoring suspicious activities", I understand for this one that details might be restricted to not have other vendors copying it but at least some high level description would be useful

Basically anything that would be inconsistent with normal user activity is flagged.

Modifying a large number of files at once is certainly suspicious, as is modifying our random files.

Re: SandBlast agent poor documentation

18568 — Fri, 17 Aug 2018 19:14:19 GMT

Thanks a lot Dameon that's useful.

If I may ask two more questions on the other modules of Sandblast :

I assume the file detection (modified file and not read file) is the same with Threat Emulation but if you could confirm that would be great
ZeroPhishing: this is quite a vague question but how does it actually work, there is very little in the admin guide. How does the agent know if it is similar to another legitimate webpage? Does it check the page against a DB of well-known website (banks, google, etc) and it would mean my small company authentication portal phishing would not be detected?

Re: SandBlast agent poor documentation

PhoneBoy — Fri, 17 Aug 2018 19:31:20 GMT

Threat Emulation is specifically looking at files downloaded, not necessarily existing files on the PC.

Zero Phishing is looking for a combination of:

IP and Domain Reputation
URL, Title, Visual, and Text Similarity
Image-only Sites
Multiple TLDs
Lookalike Favicon

My guess is based on IP/Domain Reputation or use of multiple TLDs, it could still find phishing sites.

Regardless, if corporate credentials are used on the site, it would block it (since presumably the phishing site would be outside your domain).

Re: SandBlast agent poor documentation

18568 — Fri, 17 Aug 2018 19:37:35 GMT

Unless I'm mistaken Threat Emulation on Sandblast Agent also looks for files on the PC, what is called "File System Emulation" in the admin guide / Endpoint console. However I think this answer was actually in the admin guide , as it says "Emulate files written to file system".

Thank you for your answer regarding zero phishing.

Re: SandBlast agent poor documentation

PhoneBoy — Fri, 17 Aug 2018 20:29:04 GMT

There are a few different components to SandBlast, and yes I missed the SBA-specific functionality (versus the browser plugin)