This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PCTI
Participant
‎2021-10-26 01:17 AM

AntiExploit blocking Chrome and Edge

Hello.

I am having problems in one client because Harmony Endpoint is blocking Chrome and Edge with no special reason.

I get alert that Anti-Exploit block threat, but i dont find anything that might cause this.

 

Endpoint version - 85.10.0575

 

More info in attach

 

Regards

Pedro

 

Preview file
63 KB
10 Replies
Chris_Atkinson
Employee
Employee
‎2021-10-26 05:11 AM

Please follow-up with TAC regarding a permanent solution, in the interim see sk154455.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSM R77/R80/ELITE
0 Kudos
Tobias_Karsbo
Contributor
‎2021-10-26 05:28 AM
In response to Chris_Atkinson

Same for us:

Chrome yesterday for some users, Edge today.

Id: c20e8565-81a0-5410-6177-efad27a60000
Sequencenum: 1
Product Family: Endpoint
Event Type: Forensics Case Analysis

Severity: High
Description: To exclude: Open the Harmony Endpoint Management -> policy -> Threat Prevention -> EXCLUSION CENTER -> Exclusion Settings -> Web and Files Protection -> Threat Emulation... -> + -> SHA1 -> paste this: d3d8253e-3bd458aa-19968b0c-312c774d-26baef79 Attack status: Cleaned.
Client Name: Check Point Endpoint Security Client
Product Version: 85.40.2076
Installed Blades: Firewall; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation

Forensics Analysis: 457ab508-d779-4aa7-8720-89b8c60b407a
Triggered By: Endpoint Anti-Exploit
Attack Status: Cleaned
Protection Name: Gen.Exploiter.ROP
Protection Type: Generic
Malware Action: a ROP virtual memory allocation exploit
File Name: msedge.exe
File MD5: fda107354688b32939d7f3e4e286c069
File Type: exe
File Size: 8631461295071690752
File SHA-1: d3d8253e3bd458aa19968b0c312c774d26baef79
File SHA-256:
Confidence Level: High
Policy Name: Default Forensics settings
Policy Date: 2021-09-24T08:32:23Z
Policy Version: 18
Remediated Files: msedge.exe(Terminated before), msedge.exe(Terminated before), (Terminated before), msedge.exe(Terminated before), msedge.exe(Terminated before), msedge.exe(Terminated before), msedge.exe(Terminated before), (Terminated before)
Impacted Files:
Suspicious Events: Exploitation for Client Execution: msedge.exe; Drive-by Compromise: msedge.exe; User Execution: msedge.exe;
Incident Details: msedge.exe(fda107354688b32939d7f3e4e286c069);
General Information:
Service Domain: ep-demo
Action: Prevent
Packet Capture: Packet Capture
Type: Log
Blade: Forensics
Lastupdatetime: 1635250093000
Lastupdateseqnum: 1
Stored: true
Description: To exclude: Open the Harmony Endpoint Management -> policy -> Threat Prevention -> EXCLUSION CENTER -> Exclusion Settings -> Web and Files Protection -> Threat Emulation... -> + -> SHA1 -> paste this: xxxxxxxxxxxxxxxxxxxxxxxxx Attack status: Cleaned.

tom_allen
Contributor
‎2021-10-26 11:44 AM

Where can I see that SK? Anyone else have a solution?

0 Kudos
tom_allen
Contributor
‎2021-10-26 11:53 AM
In response to tom_allen

Nevermind, I found the SK but I would rather have a solution. 

Chris_Atkinson
Employee
Employee
‎2021-11-01 05:01 PM
In response to tom_allen

Hi Tom,

The fix is included in E86.00 available now from sk175945.

CCSM R77/R80/ELITE
0 Kudos
MikeB
Advisor
‎2021-10-26 03:26 PM

Same Issue with 4 endpoints, all with E85.40 version.

chrome.exe and msedge.exe affected. 

Malware action: a ROP virtual memory allocation exploit

Protection Name: Gen.Exploiter.ROP

0 Kudos
tom_allen
Contributor
‎2021-10-26 03:30 PM
In response to MikeB

Yes got a reply from Tech Support, know issue and the workaround is to add an exclusion.

0 Kudos
PCTI
Participant
‎2021-10-27 01:43 AM

I have updated to 85.40 with no sucess.

0 Kudos
Chris_Atkinson
Employee
Employee
‎2021-10-27 01:46 AM
In response to PCTI

Per above a workaround is currently required until a permanent fix is made available (E86.00).

 

CCSM R77/R80/ELITE
0 Kudos
Pedro_Marques
Participant
‎2021-10-28 03:07 AM

Also have the same problem ... had to apply the workarround 😞

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events