Harmony endpoint - anti exploit , How it works ?
Hi expert,
I have a question regarding the product "Harmony Endpoint" and its "Anti-Exploit" feature. I want to know in detail how it works.
How many CVEs can it protect against? How does Harmony Endpoint apply or monitor each exploit activity? How can Harmony Endpoint protect against a vulnerability attack?
As I understand it, there are two parts:
1. Signature-based protection, which blocks before the process runs
2. Anti-Exploit behavioral-based protection, which stops the process before the endpoint is exploited
Datasheet information:
Anti-Exploit
Provides protection against exploit-based attacks compromising legitimate applications, ensuring those vulnerabilities can't be leveraged. Harmony Endpoint shuts down the exploited process upon detecting one and remediates the entire attack chain.
Anti-Exploit protects against two types of attacks: IAT/EAT and ROP.
In the case of IAT/EAT, we detect and block access to the import/export tables of loaded DLLs (used to bypass Address Space Layout Randomization).
In the case of ROP, which is a well-known technique used to bypass Data Execution Protection, we detect and block calls to Windows APIs used in a ROP chain.
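The ROP half of that answer, "detect and block calls to Windows APIs used in a ROP chain", is the standard anti-exploit pattern of hooking sensitive APIs (VirtualProtect, VirtualAlloc, WriteProcessMemory and the like) and deciding at API entry whether the caller looks like a return-oriented chain rather than compiled code. The block below is an added illustration of the three heuristics such a hook usually applies; it is not Check Point's code, and the page does not document which checks Harmony Endpoint actually implements. It stands in for the process with a constructed byte array of x86-64 code (`module_code`), fictitious load and stack addresses (`MODULE_BASE`, `STACK_LO`, `STACK_HI`), and a `check_api_entry` function that receives what a real hook would read from the stack: the return address at `[rsp]` and `rsp` itself. "DEP" below is Data Execution Prevention, the feature the ROP technique is used to bypass.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample, not a real DLL dump: a few x86-64 instructions
 * standing in for the executable section of a loaded module. */
static const uint8_t module_code[] = {
    0x48, 0x83, 0xec, 0x28,               /* 0x00  sub rsp, 0x28                  */
    0xe8, 0x00, 0x10, 0x00, 0x00,         /* 0x04  call rel32  (legit call site)  */
    0x48, 0x83, 0xc4, 0x28,               /* 0x09  add rsp, 0x28  <- legit RA     */
    0xc3,                                 /* 0x0d  ret                            */
    0x5f,                                 /* 0x0e  pop rdi        <- ROP gadget   */
    0xc3,                                 /* 0x0f  ret                            */
    0x58,                                 /* 0x10  pop rax        <- next gadget  */
    0xc3,                                 /* 0x11  ret                            */
    0xff, 0x15, 0x00, 0x20, 0x00, 0x00,   /* 0x12  call [rip+disp32] (IAT call)   */
    0x90,                                 /* 0x18  nop            <- legit RA     */
};
#define MODULE_BASE 0x7ff600001000ULL     /* assumed image base (hypothetical)   */
#define MODULE_SIZE sizeof(module_code)

/* Thread stack limits as the TEB would record them (assumed values). */
#define STACK_LO 0x000000c100000000ULL
#define STACK_HI 0x000000c100100000ULL

enum {
    ROP_OK            = 0,
    ROP_RA_OUTSIDE    = 1 << 0, /* return address is not inside any executable image */
    ROP_NOT_CALL_PREC = 1 << 1, /* bytes before the return address do not decode as CALL */
    ROP_STACK_PIVOT   = 1 << 2, /* rsp is outside the thread's real stack */
};

static bool in_module_text(uint64_t addr) {
    return addr >= MODULE_BASE && addr < MODULE_BASE + MODULE_SIZE;
}

/* Call-preceded check: a genuine caller leaves its return address directly
 * after a CALL instruction. A gadget address in a ROP chain is normally
 * preceded by RET or a POP, so this decode fails for it. Only the common
 * CALL encodings are recognised here. */
static bool is_call_preceded(uint64_t ret_addr) {
    if (!in_module_text(ret_addr)) return false;
    uint64_t off = ret_addr - MODULE_BASE;
    const uint8_t *p = module_code;
    /* E8 rel32: direct near call, 5 bytes */
    if (off >= 5 && p[off - 5] == 0xe8) return true;
    /* FF D0..D7: call rax..rdi, 2 bytes */
    if (off >= 2 && p[off - 2] == 0xff && (p[off - 1] & 0xf8) == 0xd0) return true;
    /* 41 FF D0..D7: call r8..r15, 3 bytes */
    if (off >= 3 && p[off - 3] == 0x41 && p[off - 2] == 0xff && (p[off - 1] & 0xf8) == 0xd0) return true;
    /* FF 15 disp32: call [rip+disp32], the usual import-table call, 6 bytes */
    if (off >= 6 && p[off - 6] == 0xff && p[off - 5] == 0x15) return true;
    return false;
}

/* What a hook on a DEP-relevant API would evaluate at entry. Returns a
 * bitmask of reasons to block; ROP_OK (0) means let the call through. */
int check_api_entry(uint64_t ret_addr, uint64_t rsp) {
    int verdict = ROP_OK;
    if (!in_module_text(ret_addr))          verdict |= ROP_RA_OUTSIDE;
    else if (!is_call_preceded(ret_addr))   verdict |= ROP_NOT_CALL_PREC;
    if (rsp < STACK_LO || rsp >= STACK_HI)  verdict |= ROP_STACK_PIVOT;
    return verdict;
}

int main(void) {
    uint64_t good_rsp = STACK_LO + 0x8000;
    uint64_t heap_rsp = 0x000001d2a0000000ULL;   /* stack pivoted into the heap */
    printf("legit call site      -> %d\n", check_api_entry(MODULE_BASE + 0x09, good_rsp));
    printf("legit IAT call site  -> %d\n", check_api_entry(MODULE_BASE + 0x18, good_rsp));
    printf("gadget as return     -> %d\n", check_api_entry(MODULE_BASE + 0x10, good_rsp));
    printf("gadget + pivot       -> %d\n", check_api_entry(MODULE_BASE + 0x10, heap_rsp));
    printf("return into heap     -> %d\n", check_api_entry(heap_rsp, good_rsp));
    return 0;
}
```

In a real product the same three questions are asked against the live process: the image list and section protections come from the loader, the stack limits from the TEB, and the hook fires inside the API prologue before any argument is acted on, which is what lets the product terminate the process "upon detecting one" as the datasheet puts it. The caveats are also visible in the toy: the call-preceded check can be satisfied by chains that return through a real call site (call-preceded gadgets), and a chain that never leaves the stack in place and never touches a hooked API is not seen at all, which is why vendors pair this with the IAT/EAT access guard from the same answer rather than relying on one heuristic.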
Can Anti-Exploit protect against CVE attacks?
Depends on the CVE, but yes.
Does Check Point ever publish specific Anti-Exploit protections intended to protect against specific exploits? We've had questions regarding this asked by our customers on a number of occasions.
advisories.checkpoint.com is a wonderful resource, but more often than not the only explicitly mentioned thing is an IPS protection for the Security Gateway.
In terms of Endpoint, we've never actually received a definitive answer from the advisories portal. In a case where we had to consult TAC, it took a little while (a few redirects among departments and ticket holders) until we received an answer that EP did not have a specific protection for the vulnerability. Which I suppose is okay and understandable; you can't cover every CVE.
It would just be good to have a bit more positive feedback on Anti-Exploit and what it may actually defend against.
In general, when it comes to high-profile threats and exploits, some sort of (fairly accessible) "playbook" article would be really good to have.
With Log4j, CHKP did come out with a script you could execute through the Endpoint (although it was much easier to just do it through GPO, as it was just a PowerShell script), but it was a form of response at least.
Perhaps during the emergence of these "high-profile" exploits some custom queries for Threat Hunting could be suggested? It would be great to have a "go-to" response for our customers letting them know that Harmony EP is there for them in some capacity.
The advisories page you pointed to is specific to IPS.
Anti-Exploit, like many of the Harmony Endpoint controls, blocks specific attack vectors and is not signature-based.
You can see some confirmation of this here: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...
I know for high-profile exploits we do tend to publish blog posts that explain how we protect against them, much like we did for Log4j.
