Slides attached below.
Selected Q&A from the session to follow.
How are the files restored? From a backup saved somewhere?
The data is stored locally on the forensics DB so we can do near real-time remediation.
Is it necessary to configure the folder or files that we want to recover after encryption? Or is any file recovered regardless of its location?
Data is kept with self-protection, so it's protected at the driver level. We have the ability to recover a large amount of data, which is bigger than the data needed for our engines.
Is there any file size limit for encrypted file decryption?
To be clear: we are not decrypting the files, but we are restoring the files backed up prior to their encryption. Typically we reserve 1-2 GB on the primary disk for this purpose, but it is configurable.
On one of the screens in the demo, I saw 165 files: 152 recovered, 13 unrecovered. What are the 13 unrecovered files?
Some exclusions are in place for the demo environment to work. In production, all files will be restored.
An EDR solution based on behavior, but how do you restore so many files?
We back up files to the internal forensic DB when saved, as already mentioned.
How does Check Point proceed when installed after a ransomware attack?
Anti-Ransomware is a runtime protection and cannot recover files if it was installed after the attack. However, the machine will be remediated from active threats.
In order to do a full restore, does it mean that I need large storage to back up "live" all the data of the end users?
No - the backup is about ~2 GB on the user's local filesystem. We only back up files that are saved by an application not associated with the file type.
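The backup-before-encryption behaviour described in these answers (a reserved local quota, copies taken only when a process not associated with the file type overwrites a file, restore rather than decrypt), as an added illustrative model written for this page and not Check Point's implementation: the association table, quota sizes, paths, process names and write events below are all constructed.

```python
import os
from collections import OrderedDict
# Constructed association table (not product data): extension -> processes that normally
# write that file type; any other process rewriting such a file counts as "unassociated".
ASSOCIATED_APPS = {".docx": {"winword.exe"}, ".xlsx": {"excel.exe"}, ".jpg": {"photos.exe"}}
class PreEncryptionStore:  # size-capped store of pre-write copies; oldest evicted first
    def __init__(self, quota_bytes):
        self.quota, self.used = quota_bytes, 0
        self.snapshots = OrderedDict()  # path -> content captured before an untrusted write

    def should_snapshot(self, path, process):
        ext = os.path.splitext(path)[1].lower()
        return process.lower() not in ASSOCIATED_APPS.get(ext, set())

    def on_write(self, path, process, old_content):
        """Hook run before a write lands; returns True if old_content was preserved."""
        if not self.should_snapshot(path, process) or len(old_content) > self.quota:
            return False
        if path in self.snapshots:  # keep only the most recent pre-write copy per path
            self.used -= len(self.snapshots.pop(path))
        while self.snapshots and self.used + len(old_content) > self.quota:
            self.used -= len(self.snapshots.popitem(last=False)[1])  # quota full: drop oldest
        self.snapshots[path] = old_content
        self.used += len(old_content)
        return True

    def restore(self, path):  # no decryption: just hand back the preserved copy, if any
        return self.snapshots.get(path)

def replay(events, quota_bytes):
    """Replay (path, process, new_content) writes on a simulated disk; report restorable vs lost files."""
    store, disk, touched = PreEncryptionStore(quota_bytes), {}, {}
    for path, process, new_content in events:
        old = disk.get(path)
        if old is not None and store.should_snapshot(path, process):
            store.on_write(path, process, old)
            touched[path] = True
        disk[path] = new_content
    ok = [p for p in touched if store.restore(p) is not None]
    return {"recovered": ok, "unrecovered": [p for p in touched if p not in ok], "store": store}

# Constructed events: normal saves by associated apps, then one process rewriting file
# types it is not associated with (the ransomware-like pattern the answers describe).
SAMPLE_EVENTS = [
    ("C:/u/report.docx", "winword.exe", b"draft v1 " * 2),
    ("C:/u/report.docx", "WINWORD.EXE", b"draft v2 " * 2),  # associated: not snapshotted
    ("C:/u/photo.jpg", "photos.exe", b"\xff\xd8" * 10),
    ("C:/u/report.docx", "cryptor.exe", b"ENC"),  # 18-byte pre-write copy kept
    ("C:/u/photo.jpg", "cryptor.exe", b"ENC"),  # 20 bytes more: may evict the first copy
]
```

Running `replay(SAMPLE_EVENTS, 30)` shows the quota failure mode (one file recovered, one not, like the recovered/unrecovered counts in the demo), while a 40-byte quota keeps both copies.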
Using EDR, can you write a policy to isolate the client?
Yes - We can isolate a machine using a push operation from the management.
What are all the functionalities of the agent? Does it also establish a VPN to the Check Point FW?
We’re focusing on the Threat Prevention features in this session, but yes Remote Access VPN is also included with the various Harmony Endpoint packages.
Is Harmony Endpoint available for Chrome devices?
Not the full suite, but the Harmony Browse component (mentioned in this session) can also be leveraged on Chromebooks.
How do you do the same things from on-prem endpoint management?
Web-based management is available from R81. The Threat Hunting piece currently requires cloud-based management. We are working on an on-prem/hybrid version of this.
What is the sandbox max file size?
As of now, 15 MB. In the next few weeks the size will be increased to 100 MB.
How are new versions of the agent software installed on the client machines?
We can push the client to all AD machines, or you can distribute it using GPO or SCCM or other software distribution. Once installed, the client can be upgraded using the management interface.
How does Harmony Endpoint compare against Harmony Connect?
These are complementary solutions. Harmony Connect can protect traffic coming to/from an Endpoint, but provides no on-device protections such as the ones provided by Harmony Endpoint. Both solutions can run on the same system simultaneously.
Does the solution depend on any cloud-based services provided by Check Point?
You can use the cloud-based management service or install it on a local on-premises machine. Threat Hunting currently requires cloud-based management. Some of the Threat Prevention features will benefit from access to the Internet to reach ThreatCloud.
How well does this product work with the various anti-virus products on the market?
Harmony Endpoint has a signature-based anti-virus along with many other protection technologies. However, it can work alongside any 3rd-party AV.
Could you share the licensing schema with the catalog price?
Refer to our Product Catalog. All prices are list and before discounts. We offer three different bundles in order to offer modular pricing per customer needs at very compelling and competitive price points. We also offer a bundle with Harmony Mobile as well as the Harmony Total package, which includes other pieces of the Harmony suite.
The web filtering within the client, can you create a policy based on all categories or is it just utilized to block malicious websites?
Yes - both categories and block listing are available.
Any automated threat hunting via a Check Point/external feed?
Currently, no, but this will likely be part of an upcoming XDR offering.
When will the recommended version of HE be higher than 84.50.7526?
We generally make a new release the "recommended" version every ~4 months.