topic Re: Harmony endpoint - anti exploit , How it works ? in Endpoint

Harmony endpoint - anti exploit , How it works ?

PrivateMM — Sun, 02 Jul 2023 10:08:16 GMT

Hi expert

I have question regarding to the product "Harmony endpoint" with feature "anti-exploit" , I want to know in detail how it works ?

and how many CVE that it can protect , How harmony endpoint apply or monitor for each exploit activity , How harmony endpoint can protect against vulnerability attack

As i understand there are two part

1. Signature based protection , block before process run

2. Anti-exploit behavioral based protection stop process before endpoint was exploited

Datasheet information

Anti-Exploit

Provides protection against exploit-based attacks compromising legitimate applications, ensuring those vulnerabilities can’t be leveraged. Harmony Endpoint Shuts down the exploited process upon detecting one, remediates the entire attack chain

Re: Harmony endpoint - anti exploit , How it works ?

PhoneBoy — Mon, 03 Jul 2023 19:21:26 GMT

Anti-Exploit is protecting against two types of attacks: IAT/EAT and ROP.
In the case of IAT/EAT, we are detect and block access to the import/export tables of loaded DLLs (used to bypass Address Space Layout Randomization).
In the case of ROP, which is a well-known technique used to bypass Data Execution Protection, we detect and block calls to Windows APIs used in a ROP chain.

Re: Harmony endpoint - anti exploit , How it works ?

PrivateMM — Fri, 07 Jul 2023 11:47:12 GMT

Can anti exploit protect against CVE attack

Re: Harmony endpoint - anti exploit , How it works ?

PhoneBoy — Sun, 09 Jul 2023 14:58:47 GMT

Depends on the CVE, but yes.

Re: Harmony endpoint - anti exploit , How it works ?

Swiftyyyy — Sun, 09 Jul 2023 17:38:59 GMT

Does Check Point ever publish specific Anti-Exploit protections intended to protect against specific exploits? We've had questions regarding this asked by our customers on a number of occassions.

advisories.checkpoint.com is a wonderful resource, but more often than not the only explicitly mentioned thing is an IPS protection for the Security Gateway.

In terms of Endpoint, we've never actually received a definitive answer from the advisories portal. In a case where we had to consult with TAC it took a little while (few redirects among departments and ticket holders) until we received an answer that EP did not have a specific protection for the vulnerability. Which I suppose is okay and understandable, you can't cover every CVE.

It would just be good to have a bit more positive feedback on Anti-Exploit and what it may actually defend against.
In general when it comes to high profile threats and exploits, some sort of (fairly accessible) "playbook" article would be really good to have.
With Log4J CHKP did come out with a script you could execute through the Endpoint (albeit it was much easier to just do it through GPO as it was just a powershell script), but it was a form of response at least.

Perhaps during emergence of these "high profile" exploits some custom queries for Threat Hunting could be suggested? Would be great to have a "go-to" response for our customers letting them know that Harmony EP is there for them in some capacity.

Re: Harmony endpoint - anti exploit , How it works ?

PhoneBoy — Sun, 09 Jul 2023 21:02:04 GMT

The advisories page you pointed to is specific to IPS.

Anti-Exploit, like many of the Harmony Endpoint controls, block specific attack vectors and are not signature based.
You can see some confirmation of this here: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-HEP/Capabilities-of-Offline-Endpoint-Security-Client.htm

I know for high profile exploits, we do tend to publish blog posts that explain how we protect against them, much like we did for Log4J.