I've been using the products for a while and I am on the way to apply for the CP Partnership programme, my website is almost complete and my company's been registered. I'm sure I'll get access to loads of training but there are several technical questions and my curiosity needs satisfying.
So, the pre-execution threat prevention ecosystem locally, on-machine, is comprised of:
So first question, upon minifilter capturing a new file, what is the scan flow (sequence) of these engines and how it all comes together?
Also, if I've found the right static analysis patent, it looks like SA also performs dynamic analysis (emulating in HVE portions of the code) and binary disassembly (forgive me if this patent relates to something else). Both E1 and E2 rely heavily on dynamic analysis too. So whose dynamic analysis takes priority - CP proprietary or E1/E2?
See ATRGs here: https://community.checkpoint.com/t5/General-Topics/ATRG-Ultimate-list/m-p/184397
Thanks for this table full of advanced technical guides, @G_W_Albrecht.
This is definitely content that I like to read.
[ comments here are more at a high level ]
In terms of pre-execution TP, you should also bear in mind behavioral detections or Behavioral Guard (BG) as listed in the product feature set. These are dynamic behavioral detections of operating system operations performed on the client and include analysis triggered off operations performed on files.
Yes, but I’ve got no questions about these detections, as I’ve read a few EFR patents available publicly and they covered EFR in extreme depth. My questions are regarding how this “multitude” of scan engines, some of them with duplicate features, coexist together, what is the scan sequence.
Thanks for your reply.
On what basis are you claiming that the E1/E2 engines we are using include the dynamic analysis features that said vendor may have in their own product?
I do see that the outbound connectivity requirements for Harmony Endpoint include a domain that appears to be associated with lookups that vendor does.
Since these lookups occur over DNS, I can't imagine they're sending any more data than we do in our own ThreatCloud lookups, which are primarily URL and file hash based.
However, I don't know for certain.
My understanding is the various engines are used in different contexts.
For example, file emulation is done on file downloads and is sent either to our cloud or an on-premise Threat Emulation server before they are fully written to the client.
Online checks are done fairly early in the process (e.g. ThreatCloud), which is primarily based on IoC-type information (URLs, IPs, DNS).
The E1/E2 engine applies for scheduled/on demand filesystem scans and on local file access.
Hopefully that helps.
I believe you did not understand “Dynamic Analysis” correctly. You think it is cloud emulation (detonation), similar to the Check Point Threat Emulation. Dynamic analysis refers to executing portions (of interest) from executables and scripts code in a virtual environment on your computer, that mimics a real system. The Cloud Detonation is sometimes referred to as “Dynamic Analysis” too, so it’s easy to make a mistake.
I’ve read the full Sophos SAVI documentation (which since then became unavailable, perhaps it never should’ve been public) where all the features and how OEMs should configure them were listed. I am unsure if Dynamic Analysis in Sophos is enabled. This is why I’m asking whose dynamic analysis takes priority on the machine, as it looks like CP Static Analysis (part of NGAV) also emulates locally, on your computer, whatever it can’t analyse statically or disassemble (there are 2 guys doing the same).
The E2 engine does not perform just cloud lookups; cloud lookups were enabled in 87.30, before which the engine used only the full set of signatures and heuristics, which are about 500MB (2 sets x 250MB each).
The E1 was run at full capacity, just like E2. With their “behavioural genotype”, E1 does not push simple signatures (fragments of malware); it is predominantly a heuristics-based engine and the majority of heuristics are based on dynamic analysis, not on static features. For example, on a packer there are almost no static features that could be extracted. Obfuscated scripts as well can only be handled through dynamic analysis.
The various engines are not used in different contexts; all engines listed in the first post are used one after another in pre-execution protection (on every new file created that gets captured by the minifilter driver). I wonder which one is first, which one is second, etc. The scan flow is interesting to me.
I didn't mean to imply E2 was only performing cloud lookups, just that it appears to be doing so based on information that is public.
What the exact nature of those lookups are, I don't know.
Having said that, it doesn't seem to make sense to me to use a function from a different vendor that we've implemented ourselves.
While I'll see what I can find out, I suspect these questions cannot be answered in a public forum like this.
Yes @PhoneBoy, you are right. My tests on a copy in my lab have confirmed that Mal/Generic-S can be produced by HEP, which is essentially a file with malicious reputation within the Sophos cloud. There is another detection that Sophos supports, Mal/Generic-R which refers to low-risk detections (hacktools, cracks, PUPs, etc) but I did not manage to trigger this one.
In one version's changelog (87.40 if I am not mistaken), there is an enhancement under E2 starting with AHTP that states “Implemented reputation service…”. This is when the cloud lookups were enabled.
In the E1 world, this would have been Urgent Detection System; in E2 this is Live Protection.
Just to clarify that these are two different functions:
- Behavioral Guard (BG) is a CP signature-driven detection mechanism. It looks at dynamic behavior performed on the operating system such as file-based operations (the reason for including it on this thread), registry reads/writes, process activities etc. If behavior on the device matches a signature, then a detection event is created.
- EFR: its primary function relates to forensics and remediation. These are triggered by each of the specific detections, and Harmony Endpoint generates an interactive report that delivers a full and deep analysis of endpoint activity, providing a complete view of the attack flow and showing the status of the automated remediations performed.
Yes, EFR's primary function is to monitor and record newly created objects (again, information from the EFR patents), which can be: file, folder, registry entry, mutex, named pipe, URL, miscellaneous and events (various activities going on at a system level). When any of the engines (let’s say Anti-Bot) is triggered, EFR first checks the timeframe of the attack by getting the timestamps of the first and last event (e.g. file cutikitties.exe was downloaded at 12:30:00 via chrome.exe, was then executed at 12:31:00 and accessed a malicious IP via PowerShell at 12:31:30). EFR determines that the attack was between 12:30:00 (- small offset) and 12:31:30 (+ some small offset).
All objects related to the attack (for example written by PowerShell between 12:29:30 and 12:32:00) get their reputation checked, and “malicious” & “unknown” objects are deleted. Some additional steps are performed too and Forensics Report is generated.
Behavioural Guard is plugged into the EFR engine and works based on the information EFR captures through user-mode hooks and kernel-mode drivers. The only difference is that EFR records for later, whilst Behavioural Guard reiteratively classifies and outputs verdicts. This is the reason Behavioural Guard, Anti-Ransomware and Forensics go together as one blade 🙂
But Behavioural Guard, Anti-Ransomware, Forensics and, to an extent, Anti-Bot are all post-execution technologies that are well documented. What’s not so well documented is the pre-execution protection.
Let’s rephrase the question. Suppose I am downloading the file cutekitties.exe, which is 52MB and my emulation (I am still not aware that the limit was increased) is set to 50MB.
The file cutekitties.exe is a known malicious file to Sophos, it is a known malicious file to Check Point too (by reputation), and it looks malicious to static analysis.
Which engine will be the first to delete cutekitties.exe? It’s just my hunger for knowledge really.
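The attack-window reconstruction and reputation-based cleanup described in the EFR paragraphs above, as an added Python example; this is not code from the thread or from Check Point. The event records, process names, the 30-second padding and the reputation table are all constructed, and the field names are hypothetical since the real EFR record format is not on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event records modelled on the thread's cutikitties.exe story;
# field names are hypothetical, not the real EFR record format.
@dataclass(frozen=True)
class Event:
    ts: datetime
    process: str  # process that performed the operation
    kind: str     # "file", "process", "registry" or "network"
    obj: str      # object created/touched: path, child image, key, IP

def _t(hms):
    return datetime(2025, 1, 1, *map(int, hms.split(":")))

EVENTS = [
    Event(_t("12:25:00"), "chrome.exe", "file", "Downloads\\report.pdf"),
    Event(_t("12:30:00"), "chrome.exe", "file", "Downloads\\cutikitties.exe"),
    Event(_t("12:31:00"), "cutikitties.exe", "process", "powershell.exe"),
    Event(_t("12:31:10"), "powershell.exe", "file", "AppData\\stage.dll"),
    Event(_t("12:31:20"), "powershell.exe", "registry", "HKCU\\Run\\upd"),
    Event(_t("12:31:30"), "powershell.exe", "network", "203.0.113.7"),
    Event(_t("12:40:00"), "powershell.exe", "file", "Documents\\notes.txt"),
]
# Constructed stand-in for a reputation lookup; anything absent is "unknown".
REPUTATION = {"Downloads\\cutikitties.exe": "malicious",
              "Downloads\\report.pdf": "benign", "Documents\\notes.txt": "benign"}

def attack_chain(events, proc):
    """Walk back from the detected process to its launcher and to the file write
    that put it on disk; returns the chain events, most recent first."""
    chain, seen = [], set()
    while proc not in seen:
        seen.add(proc)
        spawn = [e for e in events if e.kind == "process" and e.obj == proc]
        drop = [e for e in events if e.kind == "file" and e.obj.split("\\")[-1] == proc]
        if not spawn and not drop:
            break
        chain.append((spawn or drop)[0])
        proc = chain[-1].process
    return chain

def remediation_plan(events, trigger, reputation, offset=timedelta(seconds=30)):
    """Window = first..last chain event padded by offset; objects the attacking
    processes wrote inside it are removed unless reputation says benign."""
    chain = attack_chain(events, trigger.process)
    times = [e.ts for e in chain] + [trigger.ts]
    start, end = min(times) - offset, max(times) + offset
    actors = {trigger.process} | {e.process for e in chain if e.kind == "process"}
    candidates = [e.obj for e in chain if e.kind == "file"]
    candidates += [e.obj for e in events if e.process in actors
                   and e.kind in ("file", "registry") and start <= e.ts <= end]
    return start, end, [o for o in candidates
                        if reputation.get(o, "unknown") in ("malicious", "unknown")]
```

The downloader (chrome.exe) is deliberately not treated as an actor, so its other writes in the window (report.pdf) are left alone, while the unknown DLL and Run key written by PowerShell are flagged.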
I can see that you have done a lot of technical investigation here (and I guess one can derive that from the title of the thread 😀).
Three clarifications / information points:
- There are blocking detections that can occur as part of BG. Obviously this depends on the trade-off between detection time and impact to user operations, and so cannot be the case for all detections.
- The limit of the emulation file size was increased to 100MB. You may not see this on your management tenant if it was not yet upgraded (feel free to unicast me the tenant details if you want to bring forward the upgrade).
- There can be multiple layers of detections (by design). A good way to see these is by changing settings to "Detect Mode" and seeing the logs of the various capabilities that generate detection logs.
Thanks @JonnyRabinowitz, the 50MB was hypothetical; I believe in 88.30 the size was increased. I installed the update the first day it was released and boosted the emulation size right away.
What else can you bring forward? Can I get enrolled to EA and/or the experimental signatures by any chance (if not too cheeky 🤷🏻)?
I’ve done a lot of investigation, not because I won’t be able to do my job without it, but because I find all the CP technology fascinating and it just works. It was a lot to investigate, but very intriguing.
BTW it’s a good idea to set everything to prevent, and then the scan flow will reveal itself in the logs.
Appreciate the feedback that "it just works". As @PhoneBoy mentioned, a lot of the deeper technical aspects of signatures/detections will not be discussed in public forums.
For EAs and any other sessions with the Check Point team, I recommend working through your account manager/partner for such engagements.