Product Announcements

When Check Point announces a new version of a product or a new jumbo hotfix, we'll announce it here.

Ami_Barayev1
Employee Alumnus

Hi all,

We recently released SandBlast Agent E81.40!

E81.40 introduces new features, stability and quality improvements. The complete list of improvements can be found in the version release’s Secure Knowledge sk162334.

 

New Engine – Machine Learning Static File Analysis

We are constantly working on improving our detection/prevention engines and on new technologies to mitigate new threats.

We are happy to introduce the availability of a new detection/prevention engine – Static File Analysis powered by Check Point Machine Learning algorithms.

This new technology consists of examining the executable file, inspecting hundreds of static features which are processed by the Machine Learning algorithm to provide very quick verdicts.

 

The benefits are:

  1. Ultra-fast scans and verdicts are given in a few tens of milliseconds.    
  2. No performance impact on the machine.
  3. Up-to-date Machine learning models – updates are pushed to the client when needed.
  4. Extremely low false positive rate.
  5. Complements SandBlast Agent security offering with no additional fee for threat prevention licensed customers.

Note that as of E81.40, Static File Analysis is enabled by default. 

 

MITRE ATT&CK view in Forensic Report

The MITRE ATT&CK™ framework is a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risks.

The framework's aim is to improve the understanding of post-compromise detection behavior in enterprises by illustrating the actions an attacker may have taken.

The E81.40 Forensics reports support the MITRE ATT&CK matrix, which adds another layer of information to better understand the attack flow and the techniques/tactics used as defined in the framework.

 

Anti-Exploit detection of DejaBlue CVE-2019-1181

DejaBlue is a pre-authentication remote code execution vulnerability in Remote Desktop Protocol, similar to the recent BlueKeep CVE-2019-0708 vulnerability.

The SandBlast Agent Anti-Exploit engine is able to detect and prevent DejaBlue attacks.

This improvement is a continuation of our rapid release of protection against the BlueKeep vulnerability, where SandBlast Agent was the first endpoint security to provide a real detection and mitigation for BlueKeep.

 

Behavioral Guard and Forensic Enhancements

E81.40 introduces the following enhancements to Behavioral Guard and Forensics:

  • Remote Desktop Protocol identification – Forensics reports will present information such as remote users who log into the machine, machine name, IP address, and remote connection access (inside or outside the network).
  • Injection identification – Forensics reports now showcase and highlight injections that happen during an incident.
  • Privilege Escalation identification – Forensics reports will present process integrity levels and privilege escalation.

 

Shirleyh
Employee Alumnus

Hi,

 R80.30 Jumbo HF Take #50 is now our GA take.

This take will be available for download to all via CPUSE (as recommended) and via sk153152.

Release Highlight:

  • This Jumbo includes fixes for both Gaia 2.6.18 (based on R80.30 GA Take 200) and Gaia 3.10 (based on R80.30 3.10 GA Take 273).
  • Management support for 16000 and 26000 appliances (with SmartConsole Build #08)
  • SA-213 (PRJ-5028) - In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812.

Additional information can be found in sk153152.

Thanks,

RLM Group

Yifat_Chen
Employee Alumnus

R80.10 Jumbo HF Take #225 is now our GA take.

 

This take is available for download to all via CPUSE (as recommended) and via sk116380.

Release Highlight:

  • Added ability for R80.10 Security Management or Multi-Domain Server to manage R80.30 Security gateway
  • Added Management support for 16000 and 26000 appliances
  • CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities.

Thanks

Release Management Group

Shirleyh
Employee Alumnus

Take #48 was replaced with Take #50 due to an issue found in the import of an R77.x Multi-Domain Management Server to a target R80.30 machine installed with the Jumbo Hotfix (PRJ-5065).

Important Note: Take 50 can also be installed on Gaia OS 3.10, as mentioned in sk153152:

"Starting from Take 50 of R80.30 Jumbo Hotfix Accumulator:

 

For more information please refer to sk153152.

 

Ami_Barayev1
Employee Alumnus

Hi all,

We recently released SandBlast Agent E81.30 that introduces stability and quality improvements.

A complete list of improvements can be found on the release Secure Knowledge sk160812.

 

SandBlast Agent Software Release Policy

The security landscape is evolving and changing rapidly with more and more sophisticated cyber-attacks launched on a daily basis.

To meet these challenges we need to be agile with the introduction of new security engines and functionalities to SandBlast Agent.

SandBlast Agent monthly releases enable us to introduce new features and improve the solution quality and stability.

 

We understand that it may be challenging for our customers to deploy a new software release every month. For this reason, we came up with a new software release policy which will enable agile and rapid releases of new functionalities while maintaining high quality and stable releases.  

 

SandBlast Agent monthly software release policy:

Latest Releases – Monthly releases which focus on new functionalities and maintenance fixes:

  • These releases are targeted for customers who wish to deploy the new features and/or maintenance fixes.
  • The latest releases passed all Check Point quality assurance and are of General Availability quality for all customers.

Recommended Releases – Quarterly basis releases focused mainly on stability and maintenance fixes:

  • These releases are targeted for customers who wish to deploy Check Point’s recommended version.
  • It’s a cumulative release of previous “Latest releases” with no new content introduced in this version.
  • General Availability quality for all customers.

 

E81.30 is our new recommended release candidate. As a quality release it includes only quality fixes with no new functionality.

We are monitoring the installation of each quality release. Once we get to high deployment numbers with no significant quality issues, we announce this release as the new recommended version.

 

Fixed Vulnerability in Initial Client CVE-2019-8461

SandBlast Agent Initial Client for Windows before version E81.30 is potentially vulnerable to privilege escalation on a clean image without Endpoint Client installed.

An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user.

Prior to E81.30, SandBlast Agent Initial Client for Windows tries to load a DLL placed in any PATH location on a clean image (i.e. without any prior Endpoint Client installed), allowing an attacker that has already compromised the machine to place a malicious DLL and use it for local escalation of privilege.

 

Installations of a version earlier than E81.30 are probably not vulnerable:

  • For existing install base which already has any security blade installed – Not relevant as at this point the machine is no longer vulnerable.
  • When deploying a full client and not an initial client – Not relevant as the full client is not vulnerable.
  • When deploying an initial client that then pulls down the relevant blades as part of the IT deployment process before distributing machines to the employees – Not relevant as by the time the machine is handed out to the employee, it already has the blades deployed and therefore, not vulnerable.

When starting with E81.30, this is not relevant as the version is not vulnerable.

The only relevant cases are:

  1. Distributing the SandBlast Agent client with the initial client to machines with no previous SandBlast Agent installed. In this case, please move this process to use the E81.30 initial client.
  2. You have an existing install base of machines with the initial client (prior to E81.30) and with no security blade deployed to them (quite uncommon). In this case, either deploy the security blades or update the initial client to E81.30.

 

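Added example, not part of the original post and not Check Point code: the CVE-2019-8461 description above depends on a PATH location that a regular user can write to, so one hardening check is to list machine-wide PATH directories whose ACL lets a low-privileged principal create files. The set of SIDs treated as low-privileged is an assumption, and Deny entries and custom group memberships are not evaluated.

```powershell
# Added example: audit the machine-wide PATH for directories in which a
# low-privileged principal may create files (e.g. drop a DLL).
# Well-known SIDs treated as low-privileged (assumption; extend as needed).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Only the machine PATH is audited; the per-user PATH is user-controlled by design.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = $machinePath -split ';' | Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Select-Object -Unique

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist should be removed from PATH.
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Finding = 'Missing directory' }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    # Ask for SIDs instead of names so the check works on localized Windows.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        # Inherit-only ACEs apply to children, not to the directory itself.
        $appliesToDir = -not ($ace.PropagationFlags -band $inheritOnly)
        if ($ace.AccessControlType -eq 'Allow' -and $appliesToDir -and
            $lowPriv.ContainsKey($sid) -and ($ace.FileSystemRights -band $createFiles)) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $lowPriv[$sid]
                Finding   = "Allows $($ace.FileSystemRights)"
            }
        }
    }
}
```

An empty result means no machine PATH directory grants file creation to the listed principals; any row returned is a directory to tighten or remove from PATH.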
Shirleyh
Employee Alumnus

A new Ongoing Jumbo Hotfix Accumulator take for R80.30 (Take #48) is available. Please refer to sk153152.

Release Highlight:

  • This Jumbo includes fixes for both Gaia 2.6.18 (based on R80.30 GA Take 200) and Gaia 3.10 (based on R80.30 3.10 GA Take 273).
  • Management support for 16000 and 26000 appliances (with SmartConsole Build #08)

 

Please note the following:

  • The new release will be mentioned in the JHF sk153152.
  • The new release will not be published via CPUSE as a recommended version.
  • Availability:
      ◦ Will be provided by customer support
      ◦ Available for download via CPUSE by using package identifier.
