Ami_Barayev1
inside SandBlast Agent Wednesday
views 80
Employee+

SandBlast Agent Catalina macOS - early availability during Nov'

Hi all,

Following up on the Catalina macOS release, please note that we are working on a new endpoint client to support Catalina macOS. An early availability version is planned to be released during early November. Our motivation is to expedite availability of the release to even before November; we will update once it is ready.
Baasanjargal_Ts
Baasanjargal_Ts inside SandBlast Agent Monday
views 136 2

Sandblast agent Endpoint installation error

Is it possible to deploy SandBlast Agent Endpoint by standalone deployment (without an Endpoint server)? I have downloaded the Standalone client and am trying to install the Master_FULL_x64 exe file, but it gives this error.
Mattia_Marini
Mattia_Marini inside SandBlast Agent a week ago
views 240 7

VPN Site Endpoint

Hi All,

Is it possible to add a VPN Site configured in a client installed by Initial Client using SmartEndpoint R80.30? I know that this is possible using an exported package, but I cannot do it using the initial client.

Thanks
Miguel_Barrios
Miguel_Barrios inside SandBlast Agent a week ago
views 209 2

SandBlast Agent Installation with Endpoint Connect VPN

Hi CheckMates,

I have a customer that has SandBlast Agent - Full Package (AB + FRNC + TE + TEX), with a particular case deploying this agent to a few users. These few users had the Check Point VPN client already installed (to connect to a third-party Check Point GW), and when we try to deploy and install the Endpoint Security package, the following error appears:

We solved this error previously at another client by enabling the "Endpoint Connect VPN" blade in the deployment tab of SmartEndpoint (as mentioned in the error), but in this particular case the icon is gray (disabled) and we can't enable it (maybe some license is missing??). Is there a way to solve this issue? I need to install SBA and also keep the VPN agent, but I don't understand why these Check Point products are incompatible with each other.
chico
chico inside SandBlast Agent 3 weeks ago
views 253 5

sandblast icap on R80.20

Hello,

I configured the ICAP server on Check Point R80.20; we use an F5 BIG-IP as the ICAP client. I configured the icap_uri value as mentioned in the Check Point documentation, "/sandblast", but with this value I get the error log:

    24/Sep/2019:17:12:58 +0200, ICAPserver ICAPclient REQMOD sanblast 404

After configuring the icap_uri value "avscan", the scan works pretty well:

    24/Sep/2019:16:55:24 +0200, ICAPserver ICAPclient REQMOD avscan?allow204=on&sizelimit=off&mode=simple 200
    Tue Sep 24 16:55:24 2019, 492/3921324944, VIRUS DETECTED: Unknown , http client ip: x.x.x.x, http user: -

So could someone tell me why the value "sanblast" doesn't seem to work?

Best regards,
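An added example, not code from the post above and not Check Point's: a small Python probe that frames an ICAP REQMOD request per RFC 3507 and parses the ICAP status line, so a service URI can be tested straight from a shell instead of through the BIG-IP. The two service URIs are copied from the post's log lines; the ICAP host, port, client IP, X-Client-IP header and the sample HTTP request are placeholders, and nothing here asserts which URIs the Check Point ICAP server actually exposes.

```python
"""Added example (not code from the post above nor Check Point's): frame an
ICAP REQMOD request (RFC 3507) so a service URI can be probed directly
from a shell, and parse the ICAP status line that comes back."""
import socket

# Service URIs as they appear in the post's BIG-IP logs; whether the
# Check Point ICAP server exposes either one is for the docs to confirm.
SERVICE_URIS = ("sandblast", "avscan?allow204=on&sizelimit=off&mode=simple")


def build_reqmod(icap_host, service, client_ip, http_request, body=b""):
    """Wrap an HTTP request (its header block plus body) in an ICAP REQMOD.

    RFC 3507 requires the encapsulated body to be chunked and the
    Encapsulated header to list the byte offset of each section, so the
    offset must be the exact length of the HTTP header block.
    """
    if not http_request.endswith(b"\r\n\r\n"):
        http_request += b"\r\n\r\n"
    if body:
        encapsulated = "req-hdr=0, req-body=%d" % len(http_request)
        chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        encapsulated = "req-hdr=0, null-body=%d" % len(http_request)
        chunked = b""
    icap_header = (
        "REQMOD icap://%s/%s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "X-Client-IP: %s\r\n"        # assumed header; BIG-IP can be configured to send it
        "Allow: 204\r\n"             # let the server answer 204 (unmodified) without a body
        "Encapsulated: %s\r\n\r\n"
    ) % (icap_host, service, icap_host, client_ip, encapsulated)
    return icap_header.encode("ascii") + http_request + chunked


def parse_icap_status(response):
    """Return (status_code, reason, headers) from the ICAP response head."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError("not an ICAP status line: %r" % status_line)
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def probe(icap_host, port, service, timeout=5.0):
    """Send one REQMOD with a constructed POST body and return the parsed
    status. 404 means the service URI is unknown to the server; 200/204
    means it was routed (substitute an EICAR body to see a detection)."""
    body = b"hello from the icap probe"
    http_request = (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: %d\r\n\r\n" % len(body)
    )
    message = build_reqmod(icap_host, service, "10.0.0.1", http_request, body)
    with socket.create_connection((icap_host, port), timeout=timeout) as sock:
        sock.sendall(message)
        response = b""
        while b"\r\n\r\n" not in response:
            chunk = sock.recv(4096)
            if not chunk:
                break
            response += chunk
    return parse_icap_status(response)


if __name__ == "__main__":
    # Placeholder host; 1344 is the ICAP default port from RFC 3507.
    for uri in SERVICE_URIS:
        print(uri, probe("icap.example.internal", 1344, uri)[:2])
```

Run it against the ICAP server's address and compare the status per URI with what the BIG-IP logs: a 404 from a hand-built request confirms the server itself rejects that service name, while a 200 or 204 means the URI is routed and any remaining problem is on the F5 side.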
Chinmaya_Naik
Chinmaya_Naik inside SandBlast Agent 3 weeks ago
views 143 1

Endpoint agents shows disconnected & unable to reach cloud MGMT when connected through Proxy

Hi Team,

I have a query regarding SandBlast Agent. The Endpoint Server is hosted in the cloud. We have a scenario with two networks: one network (NETWORK_1) with a proxy and another network (NETWORK_2) without a proxy. Does the SandBlast Agent have functionality that automatically detects and goes through the proxy? Because if I connect to NETWORK_2 then SandBlast Agent shows connected, but it shows disconnected when we connect through NETWORK_1. I am not sure, but is it right that SandBlast Agent automatically takes the proxy address from the browser? Basically, we are using a PAC file for the proxy.

Thank you
Regards
@Chinmaya_Naik
Tom_Kendrick
inside SandBlast Agent a month ago
views 195 2
Employee+

Mitre ATT&CK view added to SandBlast Agent Forensic reports available in upcoming E81.40

One of the many new features that will be available in E81.40 is an updated SandBlast Agent Forensic report. For this, we have to thank our wonderful R&D Team at HQ for making this happen!

The new Forensic report contains:
- Mitre ATT&CK screen: showing links back to the Framework
- RDP Focus: use the Ryuk RDP Report (Overview and General Screen provide RDP details)
- Injections: use the Ryuk RDP Report (shown in both Mitre Screen and Tree Views)
- Privilege Escalation: use Cerber or Sodinokibi (shown in both Mitre Screen and Tree Views)
- Current Ransomware affecting US Municipalities: Ryuk, Sodinokibi and Robinhood

Some of these samples have been put online, which you can take a look at:

Report      | Use Case                     | Link
Ryuk RDP    | RDP/Injections               | https://forensics.checkpoint.com/ryuk_rdp/
Sodinokibi  | Ransomware Current           | https://forensics.checkpoint.com/sodinokibi/
Robinhood   | Ransomware Current           | https://forensics.checkpoint.com/robinhood/
Astaroth    | Fileless Current             | https://forensics.checkpoint.com/astaroth/
Bad Rabbit  | Blog / Well Known Ransomware | https://forensics.checkpoint.com/badrabbit/
Cerber      | Blog / Well Known Ransomware | https://forensics.checkpoint.com/badrabbit/
Pokemongo   | Blog                         | https://forensics.checkpoint.com/pokemongo/
CTB-Faker   | Blog                         | https://forensics.checkpoint.com/ctb-faker/
Wannacry    | Blog / Well Known Ransomware | https://forensics.checkpoint.com/wannacryptor2_1/
Ranscam     | Blog / Well Known Ransomware | https://forensics.checkpoint.com/ranscam/
Yossi_Hasson
inside SandBlast Agent 2019-09-08
views 115 1
Employee

BlueKeep exploit is weaponized: Check Point customers remain protected.

The notorious BlueKeep vulnerability has been escalated from a theoretical, critical vulnerability to an immediate, critical threat. While BlueKeep's devastating potential was always known, it was a theoretical threat, as there was no working exploit code. That code was released into the wild when the open source Metasploit penetration testing framework released a BlueKeep exploit module on September 6. Unfortunately, the Metasploit toolset is used by security practitioners and cybercriminals alike. By publishing the BlueKeep exploit code, hackers were essentially provided with weaponized, working code that enables the creation of a dangerous worm.

How serious is the threat? If a single unpatched Windows machine with network admin access is running on a network, the attacker may have access to all in-use credentials for all systems on the network, whether they are running Windows, Linux, MacOS or NetBIOS. In effect, this scenario means that a single infected Windows machine can completely own a network.

Check Point's BlueKeep protections for network and endpoint, released several months ago, protect against the new weaponized version of this attack. Check Point customers who have implemented these protections remain protected. We recommend that all customers take immediate action to make sure they are protected:
- Install the Microsoft patch on all vulnerable Windows systems
- Enable Check Point's IPS network protection for BlueKeep
- Implement Check Point's endpoint protection for BlueKeep
Beomseok_Jang
Beomseok_Jang inside SandBlast Agent 2019-08-22
views 3566 7 4

I'm trying to install a sandblast endpoint, but I get this warning message. What should I do?

I'm trying to install a SandBlast endpoint, but I get this warning message. What should I do?

Message: Check Point Endpoint Security requires Administrator privileges. Log on as an administrator and then retry this installation.
Ami_Barayev1
inside SandBlast Agent 2019-08-14
views 101
Employee+

Endpoint Security / SandBlast Agent Newsletter - Version – E81.20

Hi,

We recently released SandBlast Agent E81.20. E81.20 introduces new features, stability and quality improvements. A complete list of improvements can be found in the release Secure Knowledge article sk158912.

New Cloud-based Zero Phishing
Phishing is still one of the major attack vectors and a common initial attack vector in multi-vector attack campaigns. Zero-day phishing protection is part of the SandBlast offering and until now was based on local analysis on the agent. We are happy to introduce a major enhancement to the Zero-Phishing protection, which is now powered by the Check Point Cloud and enhanced by a new Machine Learning algorithm.

Phishing detection is based on:
- Static analysis: URL reputation check against Check Point's cloud threat intelligence to see if the URL is known to be malicious or not.
- Dynamic analysis: cloud Machine Learning-based inspection analyzes the page in real time using multiple indicators (domain, geolocation, text, images, favorite icon, and many other indicators) to confirm the authenticity of the website.

The new enhancements will improve the detection rate and reduce the false positives on new zero-day phishing sites.

Malicious scripts protection before execution
The Behavioral Guard engine detects and prevents complex file-less attacks and malicious scripts. E81.20 introduces enhancements to the Behavioral Guard engine. This version blocks malicious scripts like PowerShell prior to execution (in earlier releases, Behavioral Guard detected and terminated the scripts after their execution).

Performance improvements
Performance improvement is an on-going effort, with numerous enhancements introduced in previous SW releases. E81.20 includes some major performance improvements; overall performance improved by 30% on average.

New VPN capabilities
- Ability to match the VPN user to the logged-in Windows user and display it in the username field of the connect dialog.
- Ability to disable implicit SDL when SDL is enabled.
- Ability to choose a customized Display Name when creating a site from a link.
- Ability to enable the Connect button before any response is written.
Mattia_Marini
Mattia_Marini inside SandBlast Agent 2019-08-05
views 116 2

Anti-Malware Exception

Hi All,

I'm trying to add a local exception for a file present only on one client; is it possible without adding the exception on SmartEndpoint for all clients, but locally, directly on the client?

Thanks
Gad_Naveh
inside SandBlast Agent 2019-08-05
views 232 3
Employee+

New German Wiper Blocked By SandBlast Agent Zero Day Prevention

A thread on BleepingComputer describes an outburst of a new wiper malware. This wiper mimics ransomware behavior, but instead of encrypting the files it fills them with zeros (nulls). Our SandBlast Agent Anti-Ransomware zero-day prevention detects and remediates this attack without the need for an update or signatures.

- The files are encrypted in our honeypot
- File is indeed filled with nulls and not possible to decrypt
- SandBlast Agent Anti-Ransomware detects the ransomware process encrypting the files
- SandBlast Agent restores the files

The infection is based on a PowerShell script; I will next test this against our File-Less infection prevention and update.

Thanks,
Gadi
Dana_Traversie
inside SandBlast Agent 2019-07-18
views 405 2
Employee+

How-to fetch endpoint forensics reports on R80.20 programmatically

Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47. For those who simply cannot wait, I present the following stopgap solution.

1. Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value:

    [Expert@stack-mgmt-a0:0]# netstat -antp | grep 18242
    tcp 0 0 127.0.0.1:18242 0.0.0.0:* LISTEN 3247/smartlog_serve
    [Expert@stack-mgmt-a0:0]#

    # authenticate and obtain FWMToken value
    curl_cli -v -d @fwm-login.xml 'http://127.0.0.1:18242/login' \
        --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" \
        -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" \
        -o fwm-login-resp.xml
    # pull <token> out of the response; tail/head strip xmllint's own prompt lines
    fwm_token=$(xmllint --format --shell fwm-login-resp.xml <<< "cat //root/token/text()" | tail -n +2 | head -n -1)

   Content of fwm-login.xml:

    <login><user><![CDATA[admin]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[admin123]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>

2. Authenticate using mgmt_cli to obtain a "CPMToken" value:

    # authenticate and obtain CPMToken value (the sid of the mgmt_cli login session)
    cpm_token=$(mgmt_cli login -u admin -p admin123 --port 4434 | grep sid | awk -F ': ' '{print $2}' | sed 's:"::g')

3. Fetch the XML report blob from the smartlog server service:

    # $1 - report uid
    # $2 - date - a unix timestamp that equals noon on the same day the event was created
    fetch_report() {
        # both tokens travel as cookies on the request
        export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&CPMToken=$cpm_token"
        # fetch the XML report blob; module_name and log_server identify this management server
        curl_cli -v 'http://127.0.0.1:18242/packet_capture?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14' \
            --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" \
            -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" \
            --cookie "${FETCH_PCAP_COOKIE}" \
            -o "$1.xml"
    }

    uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F
    timestamp=$(date -d '07/09/2019 12:00:00' +"%s")
    fetch_report "$uid" "$timestamp"

   The complete request parameters:

    '?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14'

   Note: Pay attention to the parameters that must be modified to match a different management server.

4. Extract and decode the XML report blob content:

    # extract the XML report blob and decode it (the blob is base64-encoded twice)
    xmllint --nocdata --format --shell "$uid.xml" <<< "cat //blob/text()" | tail -n +2 | head -n -2 | base64 -d | base64 -d > "$uid.zip"
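An added example, not code from the post above: the same blob extraction done in Python, so a saved <uid>.xml can be unpacked off-box and the result checked before anyone opens it. The <blob> element name and the double base64 layering are taken from the post's xmllint | base64 -d | base64 -d pipeline; the sample response and its file names are constructed here for offline testing and are not real server output.

```python
"""Added example (not code from the original post): pull the forensics
report ZIP out of the XML that /packet_capture returns, replacing the
xmllint | base64 -d | base64 -d pipeline with a checked parser."""
import base64
import binascii
import io
import sys
import xml.etree.ElementTree as ET
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every non-empty ZIP


def extract_report_zip(xml_bytes):
    """Return the raw ZIP bytes from a packet_capture response.

    The server wraps the archive as base64(base64(zip)) inside a CDATA
    <blob> element (as the post's pipeline shows); both layers are undone
    here and the result is checked for a ZIP header before it is trusted.
    """
    root = ET.fromstring(xml_bytes)
    blob = root.find(".//blob")  # element name taken from the post's XPath //blob
    if blob is None or not (blob.text or "").strip():
        raise ValueError("response has no <blob> content (wrong uid/date or expired tokens?)")
    # CDATA payloads may be line-wrapped; strict decoding rejects whitespace.
    outer = "".join(blob.text.split())
    try:
        inner = base64.b64decode(outer, validate=True)
        data = base64.b64decode(inner, validate=True)
    except binascii.Error as exc:
        raise ValueError("blob is not double-base64 encoded: %s" % exc) from exc
    if not data.startswith(ZIP_MAGIC):
        raise ValueError("decoded blob is not a ZIP archive")
    return data


def list_report_files(zip_bytes):
    """Names of the files inside the report archive, sorted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def build_sample_response(files):
    """Constructed stand-in for the smartlog reply, used for offline testing:
    a small ZIP, base64-encoded twice and wrapped in CDATA at 76 columns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    twice = base64.b64encode(base64.b64encode(buf.getvalue())).decode("ascii")
    wrapped = "\n".join(twice[i:i + 76] for i in range(0, len(twice), 76))
    return ("<root><blob><![CDATA[%s]]></blob></root>" % wrapped).encode("ascii")


if __name__ == "__main__":
    # usage: python3 extract_report.py <uid>.xml <uid>.zip
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as fh:
        archive = extract_report_zip(fh.read())
    with open(dst, "wb") as fh:
        fh.write(archive)
    print("\n".join(list_report_files(archive)))
```

Unlike the shell pipeline, a response that carries an empty <blob> (typically the tokens expired or the uid/date pair did not match an incident) fails loudly instead of writing a zero-byte .zip, and a payload that is not a ZIP after both decodes is rejected rather than handed to whoever opens the report.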
Adnan_Pajalic
Adnan_Pajalic inside SandBlast Agent 2019-07-05
views 957 5 1

R77.30 sandblast to new virtual machine

Hello,

I have a customer that has an R77.30 management server with SandBlast. It is currently running in vmplayer as a virtual machine. We want to migrate it to ESX as a new virtual management center running R77.30. My question is, how many problems can I encounter if I make a clean install of R77.30 with SandBlast, given we have around 200 workstations with SandBlast agents running? Do I need to reinstall the agents with the new server, or will they automatically be registered if the IP address of the management center remains the same?