BarYassure
Employee

Harmony Endpoint Roadmap


Hi everyone

We're looking to gather your thoughts and needs for our product roadmap.
What features or improvements would you like to see in Harmony Endpoint in the next 6-12 months?
Your feedback is invaluable to us, so please share any specific pain points or new capabilities that would enhance your experience with the product.

Thanks in advance 🙂

57 Replies
skandshus
Advisor

Could we possibly have Harmony Endpoint changed so a newly created tenant with an EVAL license doesn't show the annoying commercial about "contact us"?

When I as an MSP create a new customer and assign an eval license, then I need access to the patch management; there is no way to bypass this screen.

patch.png

BarYassure
Employee

Absolutely, we will remove it

0 Kudos
skandshus
Advisor

Do we have any way to manually bypass this?

0 Kudos
ks87
Participant

And I forgot about one very annoying thing which should be fixed.

When you create and download a custom software package, you need to wait for the package to be ready for download (which is absolutely normal). However, you need to wait to click the “DOWNLOAD” button when it’s finished, and unfortunately, this option disappears after a while. Most customers miss that moment, and to be able to download the package, they need to recreate it.

This is super annoying because you need to wait for that specific moment to be able to download the package.

Is it possible to force the package to download automatically in the browser? It would be much more efficient.

Eve_Z
Explorer

Hello BarYassure,

Here are my suggestions:

1. E88.00 and above lets you see hardware information about every machine by clicking on it. It would be very useful if this information could be added as columns, so that we could filter, for example, by RAM or by CPU.

2. When configuring AD connectors, the portal shows all of the machines joined to the domain. This is useful to identify which ones don't have the agent installed, but some of these machines are not in use and were not deleted from the domain. Adding a column with the last time of activity in the domain would help to differentiate machines in use from those not in use, so that we can deploy the agent to machines in use.

Regards.

0 Kudos
BarYassure
Employee

Thank you!

1. Completely agree, it is part of our plans for the new Inventory Management.

2. Agree, we are also going to add this data to the inventory management as "Asset Discovery".

pcbiso
Explorer

Improvements in application control. The current process where you have to download and run a scan and maintain different images is cumbersome. Since the agent is already on the endpoint could it be tasked to do the scans and send them to a central database where you would have an ongoing list of all the applications in your environment both in aggregate and by device. Within it you could check what you want to allow and it would update for each scan finding any new applications and highlighting them for review. It would defer to ALLOW until we say DISALLOW.

0 Kudos
Trident
Contributor

That’s a very good point.

Actually, if you operate policies in mixed mode, you should be able to set “block” as the default action, so new executables and modules would be blocked until you allow them. That’s according to the guide; I’ve not tested it.

Scans can also be run through the portal, not sure if you’ve noticed. You can do it from push operations and from asset management. It is not a must to download the command line tool and upload the produced file.

In addition, if we can view the reputation of the modules/executables, that would help too. 

0 Kudos
Pbeau
Participant

Is there any consideration to consolidating the Identity Awareness agent into Harmony Endpoint? If not, I think that would be a good option. Fewer agents to deploy, the better.

BarYassure
Employee

I agree, at the moment we are still evaluating if it is something we want to do, but it is on our radar, thank you for highlighting it. 

corebuilt
Participant

Hi,

thank you for asking, we need it for Ubuntu 24.04

kind regards,

->cb

0 Kudos
cstueckrath
Collaborator

Reporting:
Reports with findings like "Threat Analysis Report" will only show IP addresses of hosts. Change that to system names.

Alerts:
The whole alerting part needs a major overhaul. Playblocks and Threat Hunting custom alerts feel more like a workaround instead of a solution.
I want to receive e-mails with information about what happened and which system and which user was affected without the need to log in to the portal at all.

Status of systems:
There needs to be a way to resolve a finding so the affected device doesn't appear on the dashboards for the next 30 days.
There should also be a way to see systems with any findings in Asset Management, and not only for Anti-Malware Infections.

Greg_Dray
Participant

Hi BarYassure,

  • I would wish for policy inheritance in Media Encryption (possibly other blades too), similar to GPO settings, perhaps based on the same AD structure.
    Alternatively, if a user is assigned to multiple groups with different policies applied, the resultant policy would be a combination of all that apply. Or machine and user policies.
    A scenario would be 2 separate policies applied to 2 separate groups. Let's say that a user who is a member of the first group now needs access to devices in the second group. I would need to create a new policy with a combination of the 2 policies' settings (I now have to remember to keep 2 policies up to date).
  • Performance improvements - as already mentioned by others.
  • Improvements in detection, less false positives (SQL Extensions springs to mind).
  • Remote viewing and restoration of quarantined files.
  • Ability to restore files from the logs window and add the necessary exclusions.
  • Resizing the agent UI results in everything just getting bigger not fitting more in the window. Most of the time when I resize the window it's because I want to see more, not increase the size.
  • Single agent with Identity Awareness and User Check integrated.

Thanks.

0 Kudos
Luiz_
Collaborator

Kaspersky and SentinelOne's Singularity are offering network discovery to map the entire network and disclose which endpoints have clients installed and which do not. When they find endpoints that do not have the agent installed, they can remotely push the installation to them. This is giving us the creeps because customers value this so much! To be honest, I have never seen this in practice, so take it with a grain of salt, but I think we should look into it.

Another thing they do is allow the creation of rules to automatically group endpoints with similar specifications like memory, OS version, CPU clock, disk type, network segment, etc. This eases the process of allocating machines to the correct rules according to feature and blade optimization. For instance, when a new 4GB RAM machine has the agent installed, it automatically goes to the 4GB RAM group, which is associated with a rule that has fewer blades/features activated to avoid slowness.

Priyo_w
Participant

Hello BarYassure,

We summarize this list when we offer HEP to the customers and get feedback from them:

1. Application Control based on signatures, like our Firewall, with no need to scan the app on the "master PC" first.

2. Reduce the offline installer package size; we now produce around 900MB just for the Endpoint protection agent.

3. Policy based on users individually, not only on devices.

4. Performance degradation issue after installing the agent.

5. Push Operations with more capabilities, like installing 3rd-party applications and a remote agent.

6. It takes a long time every time we create a new package, and the incredible thing is that the DOWNLOAD button will be gone if we don't click on it immediately.

7. Quarantine Management: much better if the Administrator could see quarantined files in the Dashboard.

0 Kudos
ccsjnw
Participant

1) Standard exclusion lists / profiles that can be selected based upon the applications installed on Servers or Workstations.
Having to create file or folder exclusions by hand is difficult and time-consuming, and not always necessary despite what the application vendor may tell you. Check Point know their product inside out, so they should be able to do more to standardise this process.

2) More assurance around knowing that an automated anti-malware update cannot take down the OS!
Any anti-malware software from any vendor is capable of causing the sort of outage that CrowdStrike customers fell victim to last week. But this is not the first occurrence of this problem; many years ago a similar automated update from the Sophos enterprise protection product caused the Windows login process to be detected as malicious and quarantined userinit.exe, which prevented people from logging in. Any company can make a mistake, but the lack of testing is the biggest concern. I'm sure Check Point are already re-evaluating their current processes and testing strategies around automated updates.

It's been a big scare and many of us are thinking very hard about what we should do in our own environments, even to the point of thinking about using different products from different vendors in a 50/50 split across our estates (the administrative overheads would be a nightmare). But this is the level of concern, and I don't think this one is just going to blow over. It's really made people sit up and think about their approach to supply-chain attacks and vendor mistakes that could be just as damaging.

If Check Point could create a white paper showing their testing and release process for their automated updates, with detailed flow diagrams and mitigations, it would really help. Right now, due to the CrowdStrike incident, lots of CISOs are having difficult conversations with the wider business. The number one question being asked is: Could this happen to us?

CP-Shark
Collaborator

Would love to see a hit count on the exclusions to see if different exclusions are still needed.

CCES / CCSA / CCSE
gg_fga
Contributor

This is a really great idea; I think it would be a unique feature on the EDR market. However, developing it can't be easy...

gg_fga
Contributor

Another suggestion:

In the URL Filtering section, in the same way as on a Check Point gateway, have the possibility of: Block, Request, Inform or Cancel.

With the option of personalizing messages.

This is done with UserCheck.

For example, request a user confirmation before accessing a Games category.

Web access | Action: Request | Message: Default or Personalized

0 Kudos
cstueckrath
Collaborator

Could you please alter the IDP Integration for ADFS so that the metadata.xml can be updated automatically? Right now it's only possible to upload the file to the portal manually:

fed.png

Make it possible to alternatively enter a URL for publicly accessible XML files here (usually https://fed.example.com/federationmetadata/2007-06/federationmetadata.xml).
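
One way the automatic refresh asked for above could work end to end, as an added example (not Check Point's or the Harmony portal's own code): fetch the published metadata over HTTPS, pull the IdP signing certificate(s) out of the SAML EntityDescriptor, fingerprint them and compare them with what was last trusted, so an ADFS token-signing certificate rollover is detected and applied deliberately instead of silently. The sample metadata, the entityID and the certificate bytes are constructed placeholders; real ADFS metadata carries DER-encoded X.509 certificates in the same elements.

```python
"""Fetch-and-diff of an IdP's published SAML federation metadata.

Added example, not part of Harmony Endpoint or the CheckMates post it follows.
Assumptions: the document is a SAML 2.0 EntityDescriptor (the format ADFS
publishes at /federationmetadata/2007-06/federationmetadata.xml); the URL,
entityID and certificate bytes below are constructed placeholders.
"""
import base64
import hashlib
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded X.509 certificates.
CERT_A_DER = b"constructed-adfs-signing-cert-A"
CERT_B_DER = b"constructed-adfs-encryption-cert-B"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def build_sample_metadata(signing_der: bytes, encryption_der: bytes) -> bytes:
    """Constructed minimal EntityDescriptor shaped like ADFS federation metadata."""
    sig = base64.b64encode(signing_der).decode()
    enc = base64.b64encode(encryption_der).decode()
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://fed.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {sig}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{enc}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
""".encode()


def fetch_metadata(url: str, timeout: float = 10.0) -> bytes:
    """Download metadata; HTTPS only, because the transport is the only thing
    authenticating the document before its signing certs become trusted."""
    if urllib.parse.urlparse(url).scheme != "https":
        raise ValueError("federation metadata must be fetched over https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def signing_cert_fingerprints(metadata_xml: bytes) -> tuple[str, list[str]]:
    """Return (entityID, [sha256 fingerprints]) of the IdP's signing certificates.

    A KeyDescriptor without a 'use' attribute may serve both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    fps = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint(der))
    if not fps:
        raise ValueError("metadata carries no IdP signing certificate")
    return root.get("entityID", ""), fps


def diff_fingerprints(trusted: set[str], published: list[str]) -> dict[str, list[str]]:
    """Compare the currently trusted signing certs with the published ones."""
    pub = set(published)
    return {
        "added": sorted(pub - trusted),      # new cert: ADFS rolled its token-signing cert
        "removed": sorted(trusted - pub),    # retired cert: stop trusting it
        "unchanged": sorted(pub & trusted),
    }


if __name__ == "__main__":
    # Offline demonstration with constructed metadata in place of fetch_metadata(url).
    entity_id, published = signing_cert_fingerprints(build_sample_metadata(CERT_A_DER, CERT_B_DER))
    trusted = {fingerprint(b"constructed-previous-cert"), fingerprint(CERT_A_DER)}
    print(entity_id, diff_fingerprints(trusted, published))
```

A scheduled job would call `fetch_metadata` on the configured URL, run `signing_cert_fingerprints`, and only swap the trusted set when `diff_fingerprints` shows a change, logging the added and removed fingerprints so the rollover is visible in the audit trail rather than applied silently.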

TobiasA
Explorer

Hi BarYassure,
So far the most wished features in our environment are (beside the obvious performance improvements we'd like):
  • Add more capabilities to configure Remote Access VPN (sites, settings, etc.) and don't limit it to push operations. For instance, let the client fetch the latest settings automatically.
  • Give us the capability to manage quarantine (restore, etc.) and let us download infected files via the console for extended forensics.
  • Let us acknowledge or resolve findings. The dashboard unnecessarily alerting for 30 days adds to general alert fatigue.

Best regards,
Tobias

BarYassure
Employee

Thank you Tobias, valid points!

0 Kudos
Trident
Contributor

Another area that needs improvements is updates, specifically right after installation.

Despite running update through the client, a lot remains outdated for an extended period of time. Usually, I fix that by manually executing a file in TPCommon/Updater/Updater/Sbasignaturesupdate.exe (or something similar).

Extension (Browser Agent) is not updated instantly until I run the manual updater, and displays gear icon (setup) which shouldn’t be happening. Once I run the manual updater, this is resolved.

Static Analysis models remain outdated (those from 2022 instead of the newer models). At one point, they somehow get updated. Even the manual updater tool doesn’t fix that.

Offline Reputation (which my intuition tells me is a file called bloom.bin). The aforementioned file is 0 bytes for a prolonged period of time, until I run this manual utility.

This is when I deploy through the small agent (not through a package). Ideally, everything should be updated instantly.

0 Kudos
BarYassure
Employee

Thank you!!

0 Kudos
gg_fga
Contributor

I'd also like to make a few suggestions concerning the graphical interface and the display of information, illustrated with screenshots.

2024-08-07_11h20_42.png

1. Not translated
2. Poor translation

2024-08-07_11h24_13.png

1. Not translated
2. No back button
3. Copy and paste doesn't work (must enter manually)
4. Pressing the Enter key doesn't work to validate; you have to use the mouse to click on the blue button

2024-08-07_11h28_16.png

1. Spanish translation
2. The buttons are in front of which protections? It's not clear
3. Mix of French and English
4. What's the point of all this empty space?

2024-08-07_11h33_54.png

1. This line break for "In progress" is unattractive. Why not use a loading icon?
No information about the deactivation timeout.
No warning about the security impact of deactivating certain blades.

2024-08-07_11h36_58.png

1. Not translated
2. Why the line break?
3. The text placement is odd; why does the "delete" button require a full line?
4. No visual integration
5. Tab is eaten by the bottom line

2024-08-07_11h42_56.png

1. There are far too many columns for such a small interface; it's not usable without grumbling.
As far as information is concerned, I have the impression that only the Anti-Bot logs show up here. It would be nice to have URL Filtering logs as well.

2024-08-07_11h47_10.png

1. Information not in front
2. Is it really useful to have so much space for this kind of information?
3. I don't know what this button does. When you click it, nothing happens, and the translation means nothing at all.
4. Does it make sense to place this button in the bottom right-hand corner?

2024-08-07_11h51_44.png
2024-08-07_11h51_58.png

The whole site creation and VPN connection interface doesn't match the new one, and it's old.

2024-08-07_11h55_02.png

1. This button for enlarging the window doesn't give you more space in the interface (to display more things in the columns, for example), but just serves to zoom in. It's completely weird and I think it's a UI design error; nobody does that.

2024-08-07_11h57_47.png

The log viewer should be integrated or at least modernized.

2024-08-07_12h00_39.png

1. No drop-down list design?

Miscellaneous suggestions:
  • Propose a full-screen interface mode for consulting logs (add more information for diagnostics).
  • Integrate old interfaces into a single interface (logs and VPN).
  • Integrate forensics reports into the interface. It's web-based, so it can be integrated easily, if the interface allows full-screen viewing.
  • Provide more nuance between the bottom line, the header line and the various elements. At present, the background is plain, which makes it difficult to distinguish between zones.

JonnyRabinowitz
Employee

That is some great feedback on localization items. I have forwarded it to the relevant teams and hope they will have an opportunity to follow up.

0 Kudos
Maxh
Explorer

Thanks for this thread BarYassure! I'd love to see most of the ideas in this thread in production some day 🙂

We'd also love to see:

  • Smart Exclusions: Grouping of rule exclusions by name or method (or asset, see below)
    • For example: Multiple hash exclusions grouped as a compact list or named exclusions as a list (you can already expand the rule exclusion to a one item list, maybe that can be expanded to multiple items?) 
  • Smart Exclusions: Exclusions per asset in a rule exclusion (maybe a nested exclusion? Is that a good/bad idea?)
  • Report on which exclusion was hit and the last hit date (as we already have it with the anti phishing exclusions "overridden" state )
  • Diagnostics: More insight into how a blade responds to an application/file (which blade exclusion is really needed, and which exposes a higher security risk/loss of visibility)
0 Kudos
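
The hit count that CP-Shark asked for above and the "which exclusion was hit, and when" report in the last post both come down to the same computation over endpoint logs. Below is an added example of it (not Check Point's code; Harmony Endpoint does not currently expose this report, which is the point of both requests). The exclusion table, the log format (an ISO timestamp followed by key=value fields) and the log lines are all constructed for the example; the logic generalises to any log source that records which exclusion matched an event.

```python
"""Hit counts and last-hit dates for endpoint exclusions, computed from logs.

Added example, not Check Point's code. The exclusion table, the log format
(ISO timestamp followed by key=value fields) and the log lines are all
constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed exclusion table: id, the rule it lives in, the blade, and the value.
EXCLUSIONS = [
    {"id": "excl-001", "rule": "Servers", "blade": "Anti-Malware", "value": "sha256:1f3a...c9"},
    {"id": "excl-002", "rule": "Servers", "blade": "Anti-Malware", "value": r"C:\LegacyApp\bin\*"},
    {"id": "excl-003", "rule": "Workstations", "blade": "Behavioral Guard", "value": "sqlservr.exe"},
    {"id": "excl-004", "rule": "Workstations", "blade": "Anti-Bot", "value": "updates.example.net"},
]

# Constructed log lines; only event=exclusion_applied records count as a hit.
LOG_LINES = [
    '2024-08-01T09:12:03Z host=SRV01 blade=Anti-Malware event=exclusion_applied exclusion=excl-001 path="C:\\Tools\\agent.exe"',
    '2024-08-05T14:01:44Z host=SRV02 blade=Anti-Malware event=exclusion_applied exclusion=excl-001 path="C:\\Tools\\agent.exe"',
    '2024-08-09T07:55:10Z host=SRV01 blade=Anti-Malware event=exclusion_applied exclusion=excl-001 path="C:\\Tools\\agent.exe"',
    '2024-01-15T11:20:00Z host=SRV03 blade=Anti-Malware event=exclusion_applied exclusion=excl-002 path="C:\\LegacyApp\\bin\\run.exe"',
    '2024-07-30T16:40:21Z host=WS17 blade=Anti-Bot event=exclusion_applied exclusion=excl-004 host_dst=updates.example.net',
    '2024-08-02T10:00:00Z host=WS22 blade=Anti-Malware event=detection exclusion=excl-001 path="C:\\Temp\\x.exe"',
    '2024-08-03T10:00:00Z host=WS09 blade=Anti-Malware event=exclusion_applied exclusion=excl-999 path="C:\\Temp\\y.exe"',
]

NOW = datetime(2024, 8, 10, tzinfo=timezone.utc)   # constructed "report time"
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split '<iso-timestamp> k=v k="v with spaces" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def exclusion_usage(exclusions, lines, now, stale_after=timedelta(days=90)):
    """Return ({exclusion id: stats}, {ids seen in logs but missing from the table}).

    An exclusion is flagged stale when it never matched or last matched more
    than `stale_after` ago; those are candidates for removal, since every
    exclusion is a blind spot the blade keeps honouring.
    """
    stats = {
        e["id"]: {"rule": e["rule"], "blade": e["blade"], "value": e["value"],
                  "hits": 0, "last_hit": None}
        for e in exclusions
    }
    unknown = set()
    for line in lines:
        f = parse_line(line)
        if f.get("event") != "exclusion_applied":
            continue
        eid = f.get("exclusion")
        if eid not in stats:
            unknown.add(eid)   # logs reference an exclusion the table no longer has
            continue
        s = stats[eid]
        s["hits"] += 1
        if s["last_hit"] is None or f["ts"] > s["last_hit"]:
            s["last_hit"] = f["ts"]
    for s in stats.values():
        s["stale"] = s["last_hit"] is None or now - s["last_hit"] > stale_after
    return stats, unknown


def stale_by_rule(stats) -> dict[str, list[str]]:
    """Group stale exclusion ids under the rule they belong to, for review."""
    out: dict[str, list[str]] = {}
    for eid, s in sorted(stats.items()):
        if s["stale"]:
            out.setdefault(s["rule"], []).append(eid)
    return out


if __name__ == "__main__":
    stats, unknown = exclusion_usage(EXCLUSIONS, LOG_LINES, NOW)
    for eid, s in stats.items():
        last = s["last_hit"].date() if s["last_hit"] else "never"
        print(f'{eid} [{s["rule"]}/{s["blade"]}] hits={s["hits"]} last={last} stale={s["stale"]}')
    print("stale by rule:", stale_by_rule(stats))
    print("unknown ids in logs:", unknown)
```

The `unknown` set is worth surfacing separately: an exclusion id that still appears in logs but no longer exists in the table usually means the log export and the policy are out of sync, and the hit counts for the remaining entries cannot be trusted until that is resolved.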
Trident
Contributor

I tested the 88.50 briefly, what I see now:

GUI seems to have been GPU optimised, not sure if that’s been done recently, when I last looked, it definitely wasn’t.

Some signatures were moved out of Program Files and are now in Program Data, perhaps you are trying to improve boot times by storing signatures more sequentially on disk… or you are just refactoring the structure.

Note: this “pagination” in the client UI is very badly executed. The field is white and doesn’t match the rest of your CSS (or whatever your UI framework is based on). It also doesn’t display the first/last page. It would be better to arrange pages like this (1 2 3) so the user could click, instead of using a field to type in.

I have an idea which can assist in cleaning infected endpoints. It is “aggressive cleanup”. To implement it, several components will be needed:

1. A warning that aggressive cleanup should only be used by admins who know well what they are doing (false-positive warning).

2. Enumerate files in critical areas that have a reputation other than safe (malicious, suspicious, unknown).

3. Eventually, implement other logic, such as looking for a trusted digital signature. As certain digital signature providers (in the past being part of a company that heavily advertised default deny, for example) are not so difficult to obtain, maybe present the digital signature as a fact to admins, but don’t just ignore the file. You should still be able to trust certain certificates like class 3.

4. Eventually, implement the VT lookup which is already part of the forensics report.

5. Correlation engine: when the admin is removing the file, don’t just delete it. Look around the registry for services and startup items, and attempt to “undo the file actions” to an extent. You are currently doing that through the EFR recordings, but it needs to be done without them too.

Finally, present the files to the admin with the VT lookup results and allow them to:

- Remove the file

- Create an Application Control rule (terminate, block connection) until more is known.

Maybe put these files in a list and rescan them periodically. When the reputation changes, admins can potentially change the AC rules. And why not allow “submission” as well.

Just an idea.

0 Kudos
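
The triage part of the idea above (steps 2 to 5 and the final review list), as an added example that is not Check Point's code and not an existing Harmony Endpoint feature: enumerate files in critical directories, keep those whose reputation is not "safe", show the signer as a fact rather than a verdict, and correlate each file with autostart entries that reference it so the admin sees the persistence alongside the file. Everything in it is constructed: the reputation table stands in for a reputation or VT lookup, the signer table for an Authenticode check (which needs Windows APIs), and the autostart list for Run keys and service ImagePaths read from the registry. It deletes nothing; its output is the review list the post describes.

```python
"""Triage pass for an "aggressive cleanup" review list.

Added example, not Check Point's code. Constructed stand-ins: `reputation`
(sha256 -> verdict) replaces a reputation/VT lookup, `signers` replaces an
Authenticode verification, and `autostarts` replaces registry Run keys and
service ImagePaths. Nothing is deleted; the result is a list for the admin.
"""
import hashlib
import tempfile
from pathlib import Path

SEVERITY = {"malicious": 0, "suspicious": 1, "unknown": 2}  # lower sorts first


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def correlate_autostarts(file_path: str, autostarts: list[dict]) -> list[str]:
    """Names of autostart entries whose command line references this file."""
    needle = file_path.lower()
    return [a["name"] for a in autostarts if needle in a["command"].lower()]


def triage(critical_dirs, reputation, signers, autostarts) -> list[dict]:
    """Enumerate critical_dirs and return review entries for non-safe files,
    worst first. Files absent from `reputation` are "unknown", never safe."""
    findings = []
    for d in critical_dirs:
        for p in sorted(Path(d).rglob("*")):
            if not p.is_file():
                continue
            digest = sha256_file(p)
            verdict = reputation.get(digest, "unknown")
            if verdict == "safe":
                continue
            findings.append({
                "name": p.name,
                "path": str(p),
                "sha256": digest,
                "reputation": verdict,
                "signer": signers.get(digest),                 # shown as a fact, not used to allow-list
                "autostarts": correlate_autostarts(str(p), autostarts),  # persistence to undo with the file
                "suggested": (["remove file", "block via Application Control until verdict is known"]
                              if verdict == "malicious"
                              else ["keep on rescan list", "review manually"]),
            })
    findings.sort(key=lambda f: (SEVERITY[f["reputation"]], f["path"]))
    return findings


def build_sample_environment():
    """Constructed critical directory, reputation table, signer table and autostarts."""
    root = Path(tempfile.mkdtemp(prefix="cleanup-demo-"))
    files = {
        "svchost_helper.exe": b"constructed benign content",
        "dropper.exe": b"constructed malicious content",
        "helper.dll": b"constructed unknown content",
    }
    for name, data in files.items():
        (root / name).write_bytes(data)
    digest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    reputation = {digest["svchost_helper.exe"]: "safe", digest["dropper.exe"]: "malicious"}
    signers = {digest["helper.dll"]: "Contoso Ltd (constructed)"}
    autostarts = [
        {"name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
         "command": f'"{root / "dropper.exe"}" /silent'},
        {"name": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
         "command": r"C:\Windows\System32\spoolsv.exe"},
    ]
    return [str(root)], reputation, signers, autostarts


if __name__ == "__main__":
    for f in triage(*build_sample_environment()):
        print(f'{f["reputation"]:10} {f["name"]:20} signer={f["signer"]} autostarts={f["autostarts"]}')
```

The ordering matters for the admin's workflow: malicious files with autostart entries come first, and an unknown but signed file is listed with its signer visible, so the "trusted signature as a fact, not a free pass" point from step 3 is preserved rather than quietly turned into an allow rule.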
