This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gerry_Locke
Participant
‎2019-11-20 08:25 PM

The first time it was funny.....

The first time this happened I just had a bit of a laugh. Subsequent times made me question the effectiveness of Checkpoint.

I have just done a fresh install of Windows on a Surface Pro. After the image was applied, I logged onto the device for the first time......and almost immediately I got a Checkpoint popup telling me that 18 files had been harmed by a ransomware attack and been quarantined. I clicked the link to show me that 18 files that had been quarantined.......only to find they all had names along the lines of 'checkpoint curriculum vitae-don'tdelete.pptx' or 'sandblast zero-day-funddon't-delete.txt'.

I am not the Checkpoint administrator in my organisation, so my understanding of Checkpoint is fairly limited, but I believe these are honeypot files placed on my C drive by Checkpoint? I don't know if this is an indicator of the quality of Checkpoint - they have created honeypot files so convincing that it managed to fool itself, or an indicator of the lack of quality of Checkpoint - it doesn't know the difference between a real ransomware infection and it's own honeypot files. Either way doesn't really fill me with a lot of confidence.

And on the subject of the honeypot files, we have had the odd user - admittedly only 1 or two - who have had gigabytes of these honeypot files placed in their user profiles. This causes major problems for users with roaming profiles!

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-11-21 02:34 AM

We do create a number of "honeypot" files as part of SandBlast Agent to more readily detect Ransomware infections.
It's possible these files were a part of the initial image somehow and we (falsely) detected them.
We also keep copies of modified files to allow quick restore in case we detect a Ransomware attack.

In the case where either the honeypot files and/or the backup files start taking up an unexpected amount of space, it is best to engage our TAC we can troubleshoot what's going on.
0 Kudos
Pasha_Pal
Employee Alumnus
Employee Alumnus
‎2019-11-21 03:39 AM

Hi Gerry,

GM of Anti-Ransomware here. The Honey pot files are one of several detection mechanisms that are not signature based for ransomware attacks. The deletion or modification of these files triggers an AR detection. In the past we had a problem with User Profile Deletions which was fixed. What version of the product are you running?

As was recommended earlier please open a ticket with TAC. We would love to see what is causing the AR honey pot files to be modified on your system and will then be able to help you accordingly.

As for the gigabytes of honey pot files, the next version of the agent (E82.10) due really soon has an older honey pot cleaner that should help remove the older honey pots on upgrade. In addition, the latest versions will not keep creating new honey pot folders. If this continues to be a problem please do reach out to us.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events