Tom_Kendrick
inside SandBlast Agent 13 hours ago
views 42
Employee

Mitre ATT&CK view added to SandBlast Agent Forensic reports available in upcoming E81.40

One of the many new features that will be available in E81.40 is an updated SandBlast Agent Forensic report. For this, we have to thank our wonderful R&D Team at HQ for making this happen!

The new Forensic report contains:
- Mitre ATT&CK screen: Showing links back to the Framework
- RDP Focus: Use the Ryuk RDP Report (Overview and General Screen provide RDP Details)
- Injections: Use the Ryuk RDP Report (Shown in both Mitre Screen and Tree Views)
- Privilege Escalation: Use Cerber or Sodinokibi (Shown in both Mitre Screen and Tree Views)
- Current Ransomware affecting US Municipalities: Ryuk, Sodinokibi and Robinhood

Some of these samples have been put online, which you can take a look at:

| Report | Use Case | Link |
| --- | --- | --- |
| Ryuk RDP | RDP/Injections | https://forensics.checkpoint.com/ryuk_rdp/ |
| Sodinokibi Ransomware | Current | https://forensics.checkpoint.com/sodinokibi/ |
| Robinhood Ransomware | Current | https://forensics.checkpoint.com/robinhood/ |
| Astaroth Fileless | Current | https://forensics.checkpoint.com/astaroth/ |
| Bad Rabbit | Blog / Well Known Ransomware | https://forensics.checkpoint.com/badrabbit/ |
| Cerber | Blog / Well Known Ransomware | https://forensics.checkpoint.com/badrabbit/ |
| Pokemongo | Blog | https://forensics.checkpoint.com/pokemongo/ |
| CTB-Faker | Blog | https://forensics.checkpoint.com/ctb-faker/ |
| Wannacry | Blog / Well Known Ransomware | https://forensics.checkpoint.com/wannacryptor2_1/ |
| Ranscam | Blog / Well Known Ransomware | https://forensics.checkpoint.com/ranscam/ |
Yossi_Hasson
inside SandBlast Agent 2 weeks ago
views 94 1
Employee

BlueKeep exploit is weaponized: Check Point customers remain protected.

The notorious BlueKeep vulnerability has been escalated from a theoretical, critical vulnerability to an immediate, critical threat. While BlueKeep's devastating potential was always known, it was a theoretical threat, as there was no working exploit code. That code was released into the wild when the open source Metasploit penetration testing framework released a BlueKeep exploit module on September 6. Unfortunately, the Metasploit toolset is used by security practitioners and cybercriminals alike. By publishing the BlueKeep exploit code, hackers were essentially provided with weaponized, working code that enables the creation of a dangerous worm.

How serious is the threat? If a single unpatched Windows machine with network admin access is running on a network, the attacker may have access to all in-use credentials to all systems on the network, whether they are running Windows, Linux, MacOS or NetBIOS. In effect, this scenario means that a single infected Windows machine can completely own a network.

Check Point's BlueKeep protections for network and endpoint, released several months ago, protect against the new weaponized version of this attack. Check Point customers who have implemented these protections remain protected. We recommend that all customers take immediate action to make sure they are protected:
- Install the Microsoft patch on all vulnerable Windows systems
- Enable Check Point's IPS network protection for BlueKeep
- Implement Check Point's endpoint protection for BlueKeep
Chinmaya_Naik
Chinmaya_Naik inside SandBlast Agent 4 weeks ago
views 105

Endpoint agents shows disconnected & unable to reach cloud MGMT when connected through Proxy

Hi Team,

I have a query regarding SandBlast Agent. The Endpoint Server is hosted in the cloud. We have a scenario with two networks: one network (NETWORK_1) with a proxy and another network (NETWORK_2) without a proxy. Does the SandBlast Agent have functionality that automatically detects and goes through the proxy? Because if I connect to NETWORK_2, the SandBlast Agent shows connected, but it shows disconnected when we connect through NETWORK_1. I am not sure, but is it right that the SandBlast Agent automatically takes the proxy address from the browser? Basically, we are using a PAC file for the proxy.

Thank you
Regards
@Chinmaya_Naik
Beomseok_Jang
Beomseok_Jang inside SandBlast Agent a month ago
views 3395 7 3

I'm trying to install a sandblast endpoint, but I get this warning message. What should I do?

I'm trying to install a SandBlast endpoint, but I get this warning message. What should I do?

Message: Check Point Endpoint Security requires Administrator privileges. Log on as an administrator and then retry this installation.
Mattia_Marini
Mattia_Marini inside SandBlast Agent 2019-08-20
views 179 6

VPN Site Endpoint

Hi All,

Is it possible to add a VPN Site configured in a client installed by Initial Client using SmartEndpoint R80.30? I know that this is possible using an exported package, but I cannot do it using the Initial Client.

Thanks
Ami_Barayev1
inside SandBlast Agent 2019-08-14
views 81
Employee+

Endpoint Security / SandBlast Agent Newsletter - Version – E81.20

Hi,

We recently released SandBlast Agent E81.20. E81.20 introduces new features, stability and quality improvements. A complete list of improvements can be found in the release Secure Knowledge article sk158912.

New Cloud-based Zero Phishing
Phishing is still one of the major attack vectors and a common initial attack vector in multi-vector attack campaigns. Zero-day phishing protection is part of the SandBlast offering and until now was based on local analysis on the agent. We are happy to introduce a major enhancement to the Zero-Phishing protection, which is now powered by Check Point Cloud and enhanced by a new Machine Learning algorithm.

Phishing detection is based on:
- Static analysis – URL reputation check against Check Point's cloud threat intelligence to see if the URL is known to be malicious or not.
- Dynamic analysis – Cloud Machine Learning based inspection analyzes the page in real time using multiple indicators (domain, geo-location, text, images, favorite icon, and many other indicators) to confirm the authenticity of the website.

The new enhancements will improve the detection rate and reduce the false positives on new zero-day phishing sites.

Malicious scripts protection before execution
The Behavioral Guard engine detects and prevents complex file-less attacks and malicious scripts. E81.20 introduces enhancements to the Behavioral Guard engine. This version blocks malicious scripts like PowerShell prior to execution (in earlier releases, Behavioral Guard detected and terminated the scripts after their execution).

Performance improvements
Performance improvement is an on-going effort with numerous enhancements introduced in previous SW releases. E81.20 includes some major performance improvements; overall performance improved by an average of 30%.

New VPN capabilities
- Ability to match the VPN user to the logged-in Windows user and display it in the username field of the connect dialog.
- Ability to disable implicit SDL when SDL is enabled.
- Ability to choose a customized Display Name when creating a site from a link.
- Ability to enable the Connect button before any response is written.
Mattia_Marini
Mattia_Marini inside SandBlast Agent 2019-08-05
views 90 2

Anti-Malware Exception

Hi All,

I'm trying to add a local exception for a file present only on one client; is it possible without adding the exception on the SmartEndpoint for all clients, but locally, directly on the client?

Thanks
Gad_Naveh
inside SandBlast Agent 2019-08-05
views 202 3
Employee+

New German Wiper Blocked By SandBlast Agent Zero Day Prevention

A thread on BleepingComputer describes an outburst of a new Wiper malware. This wiper mimics Ransomware behavior, but instead of encrypting the files it fills them with zeros (Nulls). Our SandBlast Agent Anti-Ransomware zero day prevention detects and remediates this attack without a need to update or use signatures.

- The files are encrypted in our honeypot
- File is indeed filled with Nulls and not possible to decrypt
- SandBlast Agent Anti-Ransomware detects the ransomware process encrypting the files
- SandBlast Agent restores the files

The infection is based on a PowerShell script. I will move next to test this versus our File-Less infection prevention and update.

Thanks,
Gadi
Dana_Traversie
inside SandBlast Agent 2019-07-18
views 368 2
Employee+

How-to fetch endpoint forensics reports on R80.20 programmatically

Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47. For those who simply cannot wait, I present the following stopgap solution:

1. Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value:

```shell
[Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242
tcp        0      0 127.0.0.1:18242         0.0.0.0:*               LISTEN      3247/smartlog_serve
[Expert@stack-mgmt-a0:0]#
```

```shell
# authenticate and obtain FWMToken value
curl_cli -v -d @fwm-login.xml 'http://127.0.0.1:18242/login' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml
# pull the token text out of the XML response (drop xmllint's shell prompt lines)
fwm_token=`xmllint --format --shell fwm-login-resp.xml <<< "cat //root/token/text()" |tail -n +2 |head -n -1`
```

Content of fwm-login.xml:

```xml
<login><user><![CDATA[admin]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[admin123]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>
```

2. Authenticate using mgmt_cli to obtain a "CPMToken" value:

```shell
# authenticate and obtain CPMToken value (the "sid" field of the login reply)
cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`
```

3. Fetch an XML report blob from the smartlog server service:

```shell
# example values for the two arguments used below
uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F
timestamp=`date -d '07/09/2019 12:00:00' +"%s"`

# $1 - report uid (e.g. $uid)
# $2 - date - a unix timestamp that equals noon on the same day the event was created (e.g. $timestamp)
# fetch the XML report blob; both tokens go in one cookie
export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&CPMToken=$cpm_token"
curl_cli -v 'http://127.0.0.1:18242/packet_capture?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o "$1.xml"
```

The complete request parameters:

```
'?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14'
```

Note: Pay attention to the parameters that must be modified to match a different management server.

4. Extract and decode the XML report blob content:

```shell
# extract the XML report blob and decode it (the blob is base64-encoded twice)
xmllint --nocdata --format --shell "$1.xml" <<< "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d > "$1.zip"
```
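The same flow as a script, as an added example that is not the author's or Check Point's code: it parses the FWMToken out of the /login response, computes the "noon of the event day" timestamp, builds the packet_capture URL and cookie from the parameters above, and double-base64-decodes the returned blob. The XML element shapes (`<root><token>`, `<response><blob>`), the token values and the zip payload below are constructed for an offline run; the endpoint behaviour is assumed from the curl commands in the post and only the `fetch_report` helper actually talks to the smartlog service.

```python
"""Offline helpers mirroring the stopgap forensics-report fetch.
Added example: sample values are constructed, the smartlog endpoint
behaviour is assumed from the curl commands in the post."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SMARTLOG_BASE = "http://127.0.0.1:18242"   # local smartlog_server port from the post
UTC = timezone.utc

# Constructed sample values (not real tokens or report data)
SAMPLE_LOGIN_RESPONSE = "<root><token>constructed-fwm-token-123</token></root>"
SAMPLE_ZIP_PAYLOAD = b"PK\x03\x04constructed zip body"


def parse_fwm_token(login_response_xml: str) -> str:
    """Same as the post's xmllint 'cat //root/token/text()', with a real XML parser."""
    token = ET.fromstring(login_response_xml).findtext(".//token")
    if not token:
        raise ValueError("login response has no <token>: check user/password/magic_number")
    return token.strip()


def noon_timestamp(event_day: str, tz=None) -> int:
    """Unix time for 12:00 on the day the event was created (the post's `date` parameter).
    event_day is 'YYYY-MM-DD'; tz=None uses the local zone, like `date -d ... +%s`."""
    noon = datetime.strptime(event_day, "%Y-%m-%d").replace(hour=12, tzinfo=tz)
    return int(noon.timestamp())


def build_fetch_url(incident_uid: str, date_ts: int, module_name: str, log_server: str) -> str:
    """Build the packet_capture URL; urlencode keeps uid/date safe as query values."""
    params = {
        "session_id": 0,
        "product": "Forensics",
        "module_name": module_name,   # management server name, e.g. stack-mgmt-a0
        "incident_uid": incident_uid,
        "date": date_ts,
        "service": "ignore",
        "log_server": log_server,     # log server IP, e.g. 10.0.0.14
    }
    return f"{SMARTLOG_BASE}/packet_capture?{urlencode(params)}"


def session_cookie(fwm_token: str, cpm_token: str) -> str:
    """Cookie value the post passes with --cookie (both tokens are required)."""
    return f"FWMToken={fwm_token}&CPMToken={cpm_token}"


def decode_report_blob(report_xml: str) -> bytes:
    """Same as the post's 'cat //blob/text() | base64 -d | base64 -d': the blob is base64 twice."""
    blob = ET.fromstring(report_xml).find(".//blob")
    if blob is None or not blob.text:
        raise ValueError("report response has no <blob> element")
    outer = "".join(blob.text.split())           # tolerate xmllint-style line wrapping
    data = base64.b64decode(base64.b64decode(outer))
    if not data.startswith(b"PK"):               # the post writes the result as $1.zip
        raise ValueError("decoded blob is not a zip archive")
    return data


def make_sample_report_xml(payload: bytes) -> str:
    """Constructed response in the shape decode_report_blob expects (for offline runs)."""
    outer = base64.b64encode(base64.b64encode(payload)).decode()
    return f"<response><blob><![CDATA[{outer}]]></blob></response>"


def fetch_report(url: str, cookie: str, rfl_id: str, timeout: int = 30) -> bytes:
    """Network step of the post; only meaningful when run on the management server itself."""
    req = urllib.request.Request(url, headers={
        "User-Agent": "Apache-HttpClient/4.3.1 (java 1.5)",
        "RflId": rfl_id,
        "Cookie": cookie,
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return decode_report_blob(resp.read().decode())


if __name__ == "__main__":
    # Offline dry run on the constructed samples
    fwm = parse_fwm_token(SAMPLE_LOGIN_RESPONSE)
    url = build_fetch_url("A8571015-BF9A-492B-81D0-1D9EBCD6EB3F", noon_timestamp("2019-07-09"),
                          "stack-mgmt-a0", "10.0.0.14")
    print(url, session_cookie(fwm, "constructed-cpm-token"))
    print(len(decode_report_blob(make_sample_report_xml(SAMPLE_ZIP_PAYLOAD))), "bytes decoded")
```

`noon_timestamp` defaults to the server's local time zone because that is what `date -d` does on the management server; pass `tz=UTC` when the script runs elsewhere and you need the value to match. The `PK` check on the decoded blob catches the common failure mode of an expired or wrong cookie, where the service answers with something other than the double-encoded zip.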
Adnan_Pajalic
Adnan_Pajalic inside SandBlast Agent 2019-07-05
views 899 5 1

R77.30 sandblast to new virtual machine

Hello,

I have a customer that has an R77.30 management server with SandBlast. It is currently running in vmplayer as a virtual machine. We want to migrate it to ESX as a new virtual management center running R77.30. My question is, how many problems can I encounter if I make a clean install of R77.30 with SandBlast if we have around 200 workstations with SandBlast agents running? Do I need to reinstall the agents with the new server, or will they automatically be registered if the IP address of the management center remains the same?
Herson_A
Herson_A inside SandBlast Agent 2019-07-02
views 203 1

Sandblast Agent

Good morning all,

I would like to know why the Check Point Endpoint Agent is taking too much of the CPU usage on the client endpoint; is it normal? The machine in the attachment is running slow since I've installed SandBlast Agent.

Thanks in advance.
Ami_Barayev1
inside SandBlast Agent 2019-07-02
views 199 1
Employee+

Endpoint Security / SandBlast Agent Newsletter - Version – E81.10

We recently released SandBlast Agent E81.10. E81.10 introduces new features, stability and quality improvements. A complete list of improvements can be found in the release Secure Knowledge article sk155792 Enterprise Endpoint Security E81.10 Windows Clients.

Support for Windows 10 19H1
E81.10 supports Windows 10 19H1 (version 1903), the latest version. Please note that Anti-Malware support with Windows 10 19H1 requires a server hotfix. Please refer to sk141033 for more information.

Optimized Agent Package Size
E81.10 introduces 32-bit and 64-bit download packages for the Threat Prevention Client (SBA/Threat Prevention services and Anti-Malware). The new package size is reduced from ~680MB to ~245MB. Note that the Threat Prevention package includes an initial set of Anti-Malware signatures. The complete set updates right after the client connects to the update server. We continue to work on optimizing the package size and plan to introduce in the next releases an even smaller package and dynamic updates, which will dramatically improve the deployment package size. Stay tuned.

BlueKeep (CVE-2019-0708)
Microsoft has announced that a critical vulnerability exists in Remote Desktop Services (RDS) relevant to several Windows products, including Windows 7 and Windows Server 2008 R2. The vulnerability allows either Remote Code Execution or Denial of Service attacks when any unauthenticated user communicates with the machine. SandBlast Agent provides protection against the BlueKeep vulnerability using SBA Anti-Exploit technology. Additional information on how to protect against BlueKeep:
- How to protect RDP servers from CVE-2019-0708 (BlueKeep) sk154732
- SandBlast Agent Protects Against BlueKeep RDP Vulnerability

New Threat Emulation Report
E81.10 now supports by default the new Threat Emulation report with improved UI. Additional intelligence data enables better understanding of the malicious file and its effect on the machine.

The new report format has server version requirements:
- All R80.30 versions are acceptable.
- The R80.20 version must be R80.20M2 or R80.20 Jumbo Hotfix 4.
- Customers who use server version 77.30.03 must use the SmartLog version released with Endpoint Security E80.92 or higher.
Chinmaya_Naik
Chinmaya_Naik inside SandBlast Agent 2019-06-26
views 896 4 1

Ransomware Simulator Tool results showing Check Point Endpoint unable to detect known Ransomware

Hi Team,

Setup
- OS: GAIA R80.20
- Client Package: E80.96, E81.00, E80.97
- Windows Machine (Test): Windows 10 Pro, Windows 7 Pro, Windows 8 Pro
- Jumbo HotFix: Take_47

Tool Name: KnowBe4
Link: https://www.knowbe4.com/ransomware
KB: https://support.knowbe4.com/hc/en-us/articles/229040167

Issue: When I ran this application and started scanning, I saw some different results.

Result 1: Windows 7 with E81.00 package. Suddenly the Anti-Malware blade did not work and we were unable to find the SBA agent on the taskbar.

Result 2: Windows 10 and 8 with E80.96 package. The application started initially but suddenly terminated; we got 4 results, and it shows Check Point SBA is not vulnerable. (Reason: maybe SBA saw the KnowBe4 application do some unknown activity, so SBA terminated this application.) I excluded the three processes "Ranstart.exe", "Starter.exe" and "Collector.exe". Then I started scanning again and saw the below results after the scan completed. Out of 14, 4 are showing vulnerable.

Anti-Malware version: 201906191126

Still, I need to check whether SBA is able to block those ransomware or not, but I am requesting everyone to look into this. I am sure that SBA will block those ransomware.

Regards
@Chinmaya_Naik
Baasanjargal_Ts
Baasanjargal_Ts inside SandBlast Agent 2019-06-12
views 765 2

Checkpoint Sandblast appliance PoC

Hello,

How can I make a SandBlast TE1000X appliance PoC in a safe way, without affecting the customer's production network? The customer has an email server in their local network. In my opinion, I need a Mirror mode deployment. But in this situation we also need to do email emulation. I don't know what configs will be made on their local email server side. If anyone has the latest version of a PoC guide document, please share.