I worked with Check Point security gateways for quite a few years and the technical documentation is usually quite complete (especially thanks to the ATRG pages). However, I recently started setting up SandBlast agents for a client and I find the documentation very lacking; it is mostly a "black box", and the documentation tells you it will protect against this threat but without any technical details on how it will do it.
For example if I take the anti-ransomware feature I cannot find the following information:
This is only for anti-ransomware but I can give a similar list for nearly every SandBlast feature.
Did I miss an ATRG or SK for all this somewhere?
Thanks
There is a lot of documentation and SKs for SandBlast already, so we have a lot to study already! But your question:
I see in the documentation that the agent is supposed to create some random files in My Documents, etc. I cannot find these files however I see folders such as "CheckPoint!FrameworkDirectoryDon'tDiscard" and "Sandblast Zero-Day-SystemFolder-Do notDiscard" but again no information on what they are
for me seems not relevant at all - the random files are in the folders you see, but how could information on "what they are" help you in any way?
If you need these answers to make customer(s) happy, you can always involve TAC and ask for information.
Günther W. Albrecht wrote:
the random files are in the folders you see
If that's the case the admin guide (page 187) is both wrong about the file names and the file locations:

Günther W. Albrecht wrote:
but how could information on "what they are" help you in any way?
I assumed the documentation is correct and they were not anti-ransomware files; in that case, yes, I want to know, and the client will ask what these files in their My Documents are.
Günther W. Albrecht wrote:
If you need these answers to make customer(s) happy, you can always involve TAC and ask for information.
I don't see how "opening a ticket to understand their product" is a good documentation strategy for Check Point.
The main thing for me is that on Gateway side the documentation is usually quite good so I would just expect the same level for Endpoints.
For my understanding, you are looking for tech reference, not an admin guide, correct?
I would indeed love a tech reference on the SandBlast agent, in the same way and with the same level of detail as there is an ATRG for ClusterXL or CoreXL.
But I even believe some of these questions and others should actually be in the admin guide, as they are quite "basic" and quite important for the administration of the product (which is what an admin guide should be about, isn't it?).
Let me see if I can answer the questions you've asked:
How does the agent decide which file to back up
Any file modified by a user gets backed up.
You can exclude certain directories if you prefer.
Are the files backed up when accessed by a process (does that mean the process has to wait until the backup is completed before running) or is the agent actively looking for these files (and if so how - only local or also remote on file servers?)
As stated above, files that get modified get backed up.
I believe that also includes remote fileshares as well.
- How long is each file kept in the backup
- I can configure a backup size limit in the Endpoint Management but what happens when the client reaches the limit (I assume some files will be deleted, but which one)
Think of it as a first-in, first-out buffer.
I see in the documentation that the agent is supposed to create some random files in My Documents, etc. I cannot find these files however I see folders such as "CheckPoint!FrameworkDirectoryDon'tDiscard" and "Sandblast Zero-Day-SystemFolder-Do notDiscard" but again no information on what they are
I assume these exist for similar reasons to the ones documented above, but will admit I don't know exactly what these folders are for.
How is the anti-ransomware agent "constantly monitoring suspicious activities", I understand for this one that details might be restricted to not have other vendors copying it but at least some high level description would be useful
Basically anything that would be inconsistent with normal user activity is flagged.
Modifying a large number of files at once is certainly suspicious, as is modifying our random files.
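The behaviour described in the answer above (a size-capped first-in, first-out backup, plus flagging of mass modification and of writes to decoy files) can be sketched generically; this is an added example, not Check Point's code and not a description of how SandBlast Agent is implemented. The decoy name, the thresholds and the `(timestamp, pid, path)` event format are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

DECOY = "Documents/decoy-7f3a.docx"       # constructed decoy file name
BURST_FILES, BURST_WINDOW = 5, 10.0       # assumed: 5 distinct files within 10 s

class BackupBuffer:
    """Size-capped backup store that evicts the oldest copies first (FIFO)."""
    def __init__(self, cap_bytes):
        self.cap, self.used, self.items = cap_bytes, 0, deque()

    def add(self, path, size):
        """Store a copy; return the paths evicted to get back under the cap."""
        self.items.append((path, size))
        self.used += size
        evicted = []
        while self.used > self.cap and self.items:
            old_path, old_size = self.items.popleft()
            self.used -= old_size
            evicted.append(old_path)
        return evicted

def detect(events, decoys=frozenset({DECOY})):
    """events: (timestamp, pid, path) in time order -> list of (pid, reason)."""
    recent = defaultdict(deque)            # pid -> recent (timestamp, path)
    alerts, flagged = [], set()
    for ts, pid, path in events:
        if pid in flagged:
            continue
        if path in decoys:                 # no user has a reason to touch a decoy
            alerts.append((pid, "decoy modified"))
            flagged.add(pid)
            continue
        window = recent[pid]
        window.append((ts, path))
        while ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        if len({p for _, p in window}) >= BURST_FILES:
            alerts.append((pid, "burst of modifications"))
            flagged.add(pid)
    return alerts

# Constructed sample: pid 100 is a user editing, 200 rewrites many files, 300 hits the decoy.
SAMPLE_EVENTS = (
    [(0.0, 100, "report.docx"), (30.0, 100, "notes.txt")]
    + [(40.0 + i * 0.5, 200, f"Documents/file{i}.doc") for i in range(5)]
    + [(50.0, 300, DECOY), (60.0, 100, "report.docx")]
)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```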
Thanks a lot Dameon that's useful.
If I may ask two more questions on the other modules of SandBlast:
Threat Emulation is specifically looking at files downloaded, not necessarily existing files on the PC.
Zero Phishing is looking for a combination of:
My guess is based on IP/Domain Reputation or use of multiple TLDs, it could still find phishing sites.
Regardless, if corporate credentials are used on the site, it would block it (since presumably the phishing site would be outside your domain).
Unless I'm mistaken, Threat Emulation on SandBlast Agent also looks for files on the PC, what is called "File System Emulation" in the admin guide / Endpoint console. However, I think this answer was actually in the admin guide, as it says "Emulate files written to file system".
Thank you for your answer regarding zero phishing.
There are a few different components to SandBlast, and yes I missed the SBA-specific functionality (versus the browser plugin)