Beomseok_Jang
Beomseok_Jang inside SandBlast Agent yesterday
views 3233 7 2

I'm trying to install a sandblast endpoint, but I get this warning message. What should I do?

I'm trying to install a SandBlast endpoint, but I get this warning message. What should I do?

Message: Check Point Endpoint Security requires Administrator privileges. Log on as an administrator and then retry this installation.
Ami_Barayev1
inside SandBlast Agent Wednesday
views 49
Employee+

General availability of Cloud Management for SandBlast Agent

Hi all,

We are happy to announce the general availability of Cloud Management for SandBlast Agent. The service is available at https://portal.checkpoint.com/register/endpoint

Cloud Management for SandBlast Agent

The new Cloud Management for SandBlast Agent provides many advantages for our customers, partners, and Check Point's technical teams by enabling quicker, smoother POCs and the spin-up of production environments within minutes.

Main key features:
- Hosted on Amazon Web Services (AWS), secured by Check Point.
- Low latency by using USA or Europe AWS regions.
- Very simple, easy and quick creation of a new tenant management environment. No installations and no pre-requisites required.
- Fully managed service by Check Point, which removes the overhead of managing and maintaining the management server for our customers.
- Cloud Management for SandBlast Agent is included in the package license with no additional fee.

Our customers will no longer need to worry about setting up, deploying, and maintaining a server. SandBlast Agent cloud management is part of the Infinity Portal, which is another major step to making the Infinity architecture a reality.

In the past few months, Cloud Management for SandBlast Agent has been deployed successfully in dozens of POCs and live production environments with very good feedback from our customers and partners. We strive to continue the good momentum with this release!!

Collateral

Additional information on cloud management for SandBlast Agent is available:
- SandBlast Agent Cloud Technical Guide for Partners & SEs
- Cloud service initialization step by step guide
- SandBlast Agent Sales Enablement
- SandBlast Agent new solution brief
- New SandBlast Agent presentation
- SandBlast Agent Cloud Management Administration Guide

Best,
Ami.B
Mattia_Marini
Mattia_Marini inside SandBlast Agent Tuesday
views 80 6

VPN Site Endpoint

Hi All,

Is it possible to add a VPN Site configured in a client installed by Initial Client using SmartEndpoint R80.30? I know that this is possible using an exported package, but I cannot do it using Initial Client.

Thanks
Ami_Barayev1
inside SandBlast Agent a week ago
views 49
Employee+

Endpoint Security / SandBlast Agent Newsletter - Version – E81.20

Hi,

We recently released SandBlast Agent E81.20. E81.20 introduces new features, stability and quality improvements. A complete list of improvements can be found on the release Secure Knowledge sk158912.

New Cloud based Zero Phishing

Phishing is still one of the major attack vectors and a common initial attack vector in multi-vector attack campaigns. Zero Day phishing protection is part of the SandBlast offering and until now was based on local analysis on the agent. We are happy to introduce a major enhancement to the Zero-Phishing protection, which is now powered by Check Point Cloud and enhanced by a new Machine Learning algorithm. Phishing detection is based on:
- Static analysis – URL reputation check against Check Point's cloud threat intelligence to see if the URL is known to be malicious or not.
- Dynamic analysis – Cloud Machine Learning based inspection analyzes the page in real-time using multiple indicators (domain, geo location, text, images, favorite icon, and many other indicators) to confirm the authenticity of the website.

The new enhancements will improve the detection rate and reduce the false positives of new zero day phishing sites.

Malicious scripts protection before execution

The Behavioral Guard engine detects and prevents complex file-less attacks and malicious scripts. E81.20 introduces enhancements to the Behavioral Guard engine. This version blocks malicious scripts like PowerShell prior to execution (in earlier releases, Behavioral Guard detected and terminated the scripts after their execution).

Performance improvements

Performance improvement is an on-going effort with numerous enhancements introduced in previous SW releases. E81.20 includes some major performance improvements; overall performance improved by an average of 30%.

New VPN capabilities
- Ability to match the VPN user to the logged-in Windows user and display it in the username field of the connect dialog.
- Ability to disable implicit SDL when SDL is enabled.
- Ability to choose a customized Display Name when creating a site from a link.
- Ability to enable the Connect button before any response is written.
Mattia_Marini
Mattia_Marini inside SandBlast Agent 3 weeks ago
views 61 2

Anti-Malware Exception

Hi All,

I'm trying to add a local exception for a file present only on one client; is it possible without adding the exception on the SmartEndpoint for all clients, but locally, directly on the client?

Thanks
Gad_Naveh
inside SandBlast Agent 3 weeks ago
views 158 3
Employee+

New German Wiper Blocked By SandBlast Agent Zero Day Prevention

A thread on BleepingComputer describes an outburst of a new wiper malware. This wiper mimics ransomware behavior, but instead of encrypting the files it fills them with zeros (nulls). Our SandBlast Agent Anti-Ransomware zero day prevention detects and remediates this attack without a need to update or use signatures.

The files are encrypted in our honeypot

File is indeed filled with nulls and not possible to decrypt

SandBlast Agent Anti-Ransomware detects the ransomware process encrypting the files

SandBlast Agent restores the files

The infection is based on a PowerShell script; I will move next to test this versus our File-Less infection prevention and update.

Thanks,
Gadi
Dana_Traversie
inside SandBlast Agent 2019-07-18
views 332 2
Employee+

How-to fetch endpoint forensics reports on R80.20 programmatically

Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47. For those who simply cannot wait, I present the following stopgap solution:

1. Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value

[Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242
tcp 0 0 127.0.0.1:18242 0.0.0.0:* LISTEN 3247/smartlog_serve
[Expert@stack-mgmt-a0:0]#

# authenticate and obtain FWMToken value
curl_cli -v -d @fwm-login.xml 'http://127.0.0.1:18242/login' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml
fwm_token=`xmllint --format --shell fwm-login-resp.xml <<< "cat //root/token/text()" |tail -n +2 |head -n -1`

Content of fwm-login.xml:

<login><user><![CDATA[admin]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[admin123]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>

2. Authenticate using mgmt_cli to obtain a "CPMToken" value

# authenticate and obtain CPMToken value
cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`

3. Fetch an XML report blob from the smartlog server service

# example values for the two script arguments:
# $1 - report uid
# $2 - date - a unix timestamp that equals noon on the same day the event was created
uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F
timestamp=`date -d '07/09/2019 12:00:00' +"%s"`

# fetch the XML report blob
export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&CPMToken=$cpm_token"
curl_cli -v 'http://127.0.0.1:18242/packet_capture?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o "$1.xml"

The complete request parameters:

'?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14'

Note: Pay attention to the parameters that must be modified to match a different management server.

4. Extract and decode XML report blob content

# extract the XML report blob and decode it (the blob is base64-encoded twice)
xmllint --nocdata --format --shell "$1.xml" <<< "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d > "$1.zip"
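The same extract-and-decode step in Python, as an added illustration that is not part of the original post: it assumes the reply shapes the xmllint queries above imply (a <root> element with a <token> child for the /login reply and a <blob> child for the /packet_capture reply) and uses a constructed sample blob built from a small zip, so it runs offline and also catches the empty-blob and not-a-zip failure cases.

```python
import base64
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample data (not real Check Point output). The shapes follow the
# xmllint queries in the procedure: the /login reply is read with
# "cat //root/token/text()" and the /packet_capture reply with "cat //blob/text()".
SAMPLE_LOGIN_RESPONSE = "<root><token><![CDATA[sample-fwm-token-0001]]></token></root>"


def _build_sample_report_response():
    """Build a report reply whose <blob> is a zip encoded with base64 twice,
    mirroring the two 'base64 -d' passes in the shell pipeline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed forensics report")
    inner = base64.b64encode(buf.getvalue())
    outer = base64.b64encode(inner).decode("ascii")
    return "<root><blob><![CDATA[%s]]></blob></root>" % outer


SAMPLE_REPORT_RESPONSE = _build_sample_report_response()


def extract_token(login_xml):
    """Return the FWMToken value from the /login reply (//root/token/text())."""
    root = ET.fromstring(login_xml)
    node = root if root.tag == "token" else root.find(".//token")
    if node is None or not (node.text or "").strip():
        raise ValueError("login reply carries no token: check the credentials in fwm-login.xml")
    return node.text.strip()


def decode_report_blob(report_xml):
    """Return the zip bytes from the /packet_capture reply (//blob/text(), base64 twice)."""
    root = ET.fromstring(report_xml)
    node = root if root.tag == "blob" else root.find(".//blob")
    if node is None or not (node.text or "").strip():
        # An empty or missing blob is what a bad token or wrong uid/date parameter produces
        raise ValueError("reply carries no <blob>: check FWMToken/CPMToken and the uid/date parameters")
    data = base64.b64decode(base64.b64decode(node.text.strip()))
    if not data.startswith(b"PK"):  # local file header magic of a zip archive
        raise ValueError("decoded blob is not a zip archive")
    return data


def report_members(zip_bytes):
    """List the files inside the decoded report archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    print("FWMToken:", extract_token(SAMPLE_LOGIN_RESPONSE))
    print("report members:", report_members(decode_report_blob(SAMPLE_REPORT_RESPONSE)))
```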
Adnan_Pajalic
Adnan_Pajalic inside SandBlast Agent 2019-07-05
views 828 5 1

R77.30 sandblast to new virtual machine

Hello,

I have a customer that has an R77.30 management server with SandBlast. It is currently running in VMware Player as a virtual machine. We want to migrate it to ESX as a new virtual management center running R77.30.

My question is, how many problems can I encounter if I make a clean install of R77.30 with SandBlast when we have around 200 workstations with SandBlast agents running? Do I need to reinstall the agents with the new server, or will they automatically be registered if the IP address of the management center remains the same?
Herson_A
Herson_A inside SandBlast Agent 2019-07-02
views 152 1

Sandblast Agent

Good morning all,

I would like to know why the Check Point Endpoint Agent is taking so much CPU on the client endpoint. Is it normal? The machine in the attachment has been running slow since I installed SandBlast Agent.

Thanks in advance.
Ami_Barayev1
inside SandBlast Agent 2019-07-02
views 169 1
Employee+

Endpoint Security / SandBlast Agent Newsletter - Version – E81.10

We recently released SandBlast Agent E81.10. E81.10 introduces new features, stability and quality improvements. A complete list of improvements can be found on the release Secure Knowledge sk155792 Enterprise Endpoint Security E81.10 Windows Clients.

Support for Windows 10 19H1

E81.10 supports Windows 10 19H1 (version 1903), the latest version. Please note that Anti-Malware support with Windows 10 19H1 requires a server hotfix. Please refer to sk141033 for more information.

Optimized Agent Package Size

E81.10 introduces 32-bit and 64-bit download packages for the Threat Prevention Client (SBA/Threat Prevention services and Anti-Malware). The new package size is reduced from ~680MB to ~245MB. Note that the Threat Prevention package includes an initial set of Anti-Malware signatures. The complete set updates right after the client connects to the update server. We continue to work on optimizing the package size and plan to introduce in the next releases an even smaller package and dynamic updates, which will dramatically improve the deployment package size. Stay tuned.

BlueKeep (CVE-2019-0708)

Microsoft has announced that a critical vulnerability exists in Remote Desktop Services (RDS) relevant to several Windows products, including Windows 7 and Windows Server 2008 R2. The vulnerability allows either Remote Code Execution or Denial of Service attacks when any unauthenticated user communicates with the machine. SandBlast Agent provides protection against the BlueKeep vulnerability using SBA Anti-Exploit technology.

Additional information on how to protect against BlueKeep:
- How to protect RDP servers from CVE-2019-0708 (BlueKeep) sk154732
- SandBlast Agent Protects Against BlueKeep RDP Vulnerability

New Threat Emulation Report

E81.10 now supports by default the new Threat Emulation report with improved UI. Additional intelligence data enables better understanding of the malicious file and its effect on the machine.

The new report format has server version requirements:
- All R80.30 versions are acceptable.
- The R80.20 version must be R80.20M2 or R80.20 Jumbo Hotfix 4.
- Customers who use server version 77.30.03 must use the SmartLog version released with Endpoint Security E80.92 or higher.
Chinmaya_Naik
Chinmaya_Naik inside SandBlast Agent 2019-06-26
views 783 4 1

Ransomware Simulator Tool results showing Check Point Endpoint unable to detect known Ransomware

Hi Team,

Setup
OS: GAIA R80.20
Client Package: E80.96, E81.00, E80.97
Windows Machine (Test): Windows 10 Pro, Windows 7 Pro, Windows 8 Pro
Jumbo HotFix: Take_47

Tool Name: knowbe4
Link: https://www.knowbe4.com/ransomware
KB: https://support.knowbe4.com/hc/en-us/articles/229040167

Issue: When I ran this application and started scanning, I saw some different results.

Result 1: Windows 7 with E81.00 package. Suddenly the Anti-Malware blade stopped working and we were unable to find the SBA agent on the taskbar.

Result 2: Windows 10 and 8 with E80.96 package. The application started initially but suddenly terminated; still we got 4 results and it's showing Check Point SBA is not vulnerable. (Reason: maybe SBA saw the knowbe4 application do some unknown activity, so SBA terminated this application.)

I excluded the three processes "Ranstart.exe", "Starter.exe" and "Collector.exe". Then I started scanning again and saw the below results after the scan completed. Out of 14, 4 are showing vulnerable.

Anti-Malware version: 201906191126

Still, I need to check whether SBA is able to block those ransomware or not, but I am requesting everyone to look into this. I am sure that SBA will block those ransomware.

Regards
@Chinmaya_Naik
Baasanjargal_Ts
Baasanjargal_Ts inside SandBlast Agent 2019-06-12
views 716 2

Checkpoint Sandblast appliance PoC

Hello,

How can I make a SandBlast TE1000X appliance PoC in a safe way without affecting the customer's production network? The customer has an email server in their local network. In my opinion, I need a Mirror mode deployment. But in this situation we also need to make email emulation. I don't know what configs will be made on their local email server side.

If anyone has a PoC guide document, latest version, please share.
Ami_Barayev1
inside SandBlast Agent 2019-06-03
views 513
Employee+

Endpoint Security / SandBlast Agent Newsletter - Version – E80.97

Hi all,

We recently released SandBlast Agent E80.97. A complete list of improvements can be found on the release Secure Knowledge Enterprise Endpoint Security E80.97 Windows Clients sk154432.

E80.97 provides protection against the critical Windows Remote Desktop Protocol (RDP) vulnerability, as defined in CVE-2019-0708, AKA BlueKeep.

BlueKeep (CVE-2019-0708)

Microsoft has announced that a critical vulnerability was found in Remote Desktop Services (RDS) relevant to several Windows products, including Windows 7 and Windows Server 2008 R2. The vulnerability allows either Remote Code Execution or Denial of Service attacks by any unauthenticated user just communicating with the machine. SandBlast Agent provides protection against the BlueKeep vulnerability using SBA Anti-Exploit technology.

This protection is available in the following releases:
- E80.97 – Enterprise Endpoint Security E80.97 Windows Clients sk154432
- CFG release over E81.00 – interested customers should contact the support team to get this CFG release
- Available in the next official release, E81.10

As always, we highly recommend installing the relevant Microsoft security patch.

Additional information on how to protect against BlueKeep:
- How to protect RDP servers from CVE-2019-0708 (BlueKeep) sk154732
- SandBlast Agent Protects Against BlueKeep RDP Vulnerability
Ami_Barayev1
inside SandBlast Agent 2019-06-02
views 704 1
Employee+

Endpoint Security / SandBlast Agent Newsletter - Version – E81.00

Hi all,

We recently released SandBlast Agent E81.00. A complete list of improvements can be found on the release Secure Knowledge Enterprise Endpoint Security E81.00 Windows Clients sk153053.

BlueKeep (CVE-2019-0708)

Microsoft has announced that a critical vulnerability was found in Remote Desktop Services (RDS) relevant to several Windows products, including Windows 7 and Windows Server 2008 R2. SandBlast Agent supports mitigation for the BlueKeep vulnerability in the following releases:
- E80.97 – Enterprise Endpoint Security E80.97 Windows Clients sk154432
- CFG release over E81.00 – interested customers should contact the support team to get this CFG release
- Available in the next official release, 81.10

As always, we highly recommend installing the relevant Microsoft security patch. Additional information on how to protect against BlueKeep – How to protect RDP servers from CVE-2019-0708 (BlueKeep) sk154732

Forensics with GEO Location

One of the new enhancements in E81.00 is the GEO location of malicious connections, for example the malware bot's communications with its C&C location.

Improved end-user experience

Per feedback from our field and customers, we reduced the number of end-user popups and notifications starting with E80.96. By default we no longer present notifications which don't require user action or immediately impact the user's work. The motivation is to provide a smoother experience to the end-user. More information can be found in "Ability to enable/disable user popups in Endpoint Security Client", sk152613.

Early Availability in E81.00

BitLocker Management

BitLocker is a very popular full volume encryption feature included with Microsoft Windows versions. Due to its popularity we have integrated the management of BitLocker into SmartEndpoint to ease its operation for our customers. We are looking for customers who would like to participate in the Early Availability version of the BitLocker Management. Customers who are interested please contact CP_EA@checkpoint.com

Virtual desktop infrastructure (VDI) Persistent Support for VMware Horizon

Virtual desktop infrastructure (VDI) is virtualization technology that hosts a desktop operating system on a centralized server. With persistent VDI each desktop runs from a separate disk image. The user's settings are saved and appear each time at login, which allows a more personalized experience. E81.00 adds EA support for VDI persistent mode. Support for VDI non-persistent mode is also in development. We will update when it becomes available. We are looking for customers who would like to participate in the Early Availability version of the VDI persistent mode for VMware. Customers who are interested please contact CP_EA@checkpoint.com

Forensics for Mac OS

As of E80.89 we support SandBlast Agent for Mac with advanced threat prevention technologies including Threat Emulation, Anti-Ransomware and Google Chrome Extension. We continue to work on and enhance our SandBlast threat technologies on Mac OS and have Forensics for Mac ready for Early Availability. We are looking for customers who would like to participate in the Early Availability version of Mac Forensics. Customers who are interested please contact CP_EA@checkpoint.com
Yossi_Hasson
inside SandBlast Agent 2019-05-28
views 1016 2 3
Employee

[Breaking News] SandBlast Agent Protects Against BlueKeep RDP Vulnerability (CVE-2019-0708)!

Critical Vulnerability in Windows OS - Code execution using Remote Desktop Protocol (CVE-2019-0708)

SandBlast Agent is the First Endpoint Security Solution to Protect Against BlueKeep RDP Vulnerability!

Recently, a security advisory was released for a vulnerability in RDP (Remote Desktop Protocol) affecting multiple Windows Operating Systems prior to 8.1. According to Microsoft's advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708, this vulnerability can be exploited for both remote code execution and denial of service attacks. All this without needing the credentials of the target machine.

Check Point's SandBlast Agent Anti-Exploit now monitors the RDP service for both Windows 7 and Windows 2008R2 and is able to prevent this attack from occurring. Not only is SandBlast Agent able to prevent the exploit from being delivered on unpatched systems, but it is also able to prevent the exploit from being delivered to the previously vulnerable driver in patched systems.

The protection is available in SandBlast Agent's E80.97 Client Version (can be downloaded from sk154432).

To see Anti-Exploit's protection in action please see the following video, where our Threat Research Group's POC used for exploitation is blocked. In addition, you can also see how we are able to block the scan of the Metasploit module that was recently developed to identify vulnerable systems.

Video 1: SandBlast Agent protects against Check Point's Threat Research group BlueKeep based exploit

Video 2: SandBlast Agent protects against Metasploit module developed to identify vulnerable systems

SandBlast Agent BlueKeep Event Forensics Report:

To learn more about SandBlast Agent's Anti-Exploit protection of BlueKeep, see: sk154232 - Anti-Exploit Protection for Remote Desktop Protocol Vulnerability (CVE-2019-0708)

Note: Users who run SandBlast Agent with a third party Anti-Virus (AV) should be aware that Anti-Exploit is turned off in the presence of third party AVs. For this protection to be enabled, you must allow Anti-Exploit to work with third party AVs as detailed in sk154454 - Enabling Anti-Exploit when deployed with a third party Anti-Virus.