This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
secronis
Participant
‎2022-04-23 07:37 PM

E2 Sophos Ai/ML

Did CP integrate the full Sophos SDK? Is their ML engine included as like Kaspersky is?

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2022-04-24 06:57 PM

I believe the only thing a third party engine is used for is static file analysis.

0 Kudos
secronis
Participant
‎2022-04-24 07:04 PM
In response to PhoneBoy

The included Kaspersky SDK has runtime ML enabled thru it's PDM named detections. Those are static and dynamic models. 

 

In the case of Sophos... ML-PE & ML-PUA is their local deep learning static model. 

 

Back to the question. Is the full Sophos SDK integrated into CP? Thanks. We are well aware of all the engines on the market.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-25 07:52 AM
In response to secronis

It may be/have been integrated, but support for it is a separate question.
I recommend reaching out to your local Check Point office to discuss your precise requirements.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-04-28 02:53 AM
In response to secronis

According to my in-depth CP TP trainings, only a hash is sent by AV to compare with the Kaspersky AV database as a first TP step. Afaik ABOT, URLF and APCL use no Kaspersky engines - surely IPS, TE and TX do not.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Trident
Contributor
‎2024-07-14 06:50 PM
In response to G_W_Albrecht

It would make sense for a hash to be sent as a first step. The cloud will always have the most up-to-date information on objects which can be classified as:

Known safe: leave the object or scan once and leave (varies from vendor to vendor).

Known malicious: destroy the object, inform EFR which will take the object timestamp, check for additional objects created around this time (+- some offset of 20-30 seconds), and destroy all related objects. These additional objects can (and most likely will) include browser caches. Provided object was not executed, that will be all.

Unknown: object will be scanned using the full set of Kaspersky capabilities, including static analysis, dynamic analysis and definitions. The object will then be classified as "safe" or "malicious". If malicious, EFR will be informed.

 
 
 
0 Kudos
Trident
Contributor
‎2024-07-14 12:33 PM
In response to secronis

The answer is no. The ML-PE detections in Sophos are not produced by the antivirus engine (Sophos SAVI), it is another engine in Sophos that’s doing the pre-execution machine learning. It is called InterceptX and I don’t see it offered on the Sophos OEM website.

The Sophos SAVI is known for its behavioural genotype detections and as of 87.30 if I am not mistaken, Sophos Live Protection (cloud lookups) are enabled too.

 

Pre-execution machine learning (Static Analysis) in Harmony is performed by a proprietary engine that covers executables, office files and DLLs.

0 Kudos
the_rock
Legend
Legend
‎2024-07-14 07:17 PM
In response to Trident

Personally, I would always open TAC case for these things, just to get an official answer.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events