CHINMAYA_NAIK inside SandBlast Agent yesterday

Ransomware Simulator Tool results showing Check Point Endpoint unable to detect known Ransomware

Hi Team,

Setup
OS: GAIA R80.20
Client Package: E80.96, E81.00, E80.97
Windows Machine (Test): Windows 10 Pro, Windows 7 Pro, Windows 8 Pro
Jumbo HotFix: Take_47

Tool Name: KnowBe4 Ransomware Simulator
Link: https://www.knowbe4.com/ransomware
KB: https://support.knowbe4.com/hc/en-us/articles/229040167

Issue: When I ran this application and started scanning, I saw some different results.

Result 1: Windows 7 with the E81.00 package. Suddenly the Anti-Malware blade did not work and we were unable to find the SBA agent on the taskbar.

Result 2: Windows 10 and 8 with the E80.96 package. The application started initially but suddenly terminated; we got 4 results and it showed Check Point SBA as not vulnerable. (Reason: maybe SBA saw the KnowBe4 application do some unknown activity, so SBA terminated this application.)

I excluded the three processes "Ranstart.exe", "Starter.exe" and "Collector.exe". Then I started scanning again and saw the results below after the scan completed. Out of 14, 4 are showing vulnerable.

Anti-Malware version: 201906191126

I still need to check whether SBA is able to block those ransomware samples or not, but I am requesting everyone to look into this. I am sure that SBA will block those ransomware samples.

Regards,
@CHINMAYA_NAIK
Baasanjargal_Ts inside SandBlast Agent 2 weeks ago

Checkpoint Sandblast appliance PoC

Hello,

How can I run a SandBlast TE1000x appliance PoC in a safe way, without affecting the customer's production network? The customer has an email server in their local network. In my opinion, I need a mirror-mode deployment. But in this situation we also need to make email emulation work, and I don't know what configuration will be needed on their local email server side. If anyone has the latest version of a PoC guide document, please share.
Ami_Barayev1 inside SandBlast Agent 3 weeks ago
Employee

Endpoint Security / SandBlast Agent Newsletter - Version – E80.97

Hi all,

We recently released SandBlast Agent E80.97. The complete list of improvements can be found in the release Secure Knowledge article: Enterprise Endpoint Security E80.97 Windows Clients (sk154432).

E80.97 provides protection against the critical Windows Remote Desktop Protocol (RDP) vulnerability, CVE-2019-0708, AKA BlueKeep.

BlueKeep (CVE-2019-0708)
Microsoft has announced that a critical vulnerability was found in Remote Desktop Services (RDS) relevant to several Windows products, including Windows 7 and Windows Server 2008 R2. The vulnerability allows either Remote Code Execution or Denial of Service attacks by any unauthenticated user, just by communicating with the machine.

SandBlast Agent provides protection against the BlueKeep vulnerability using SBA Anti-Exploit technology. This protection is available in the following releases:
- E80.97: Enterprise Endpoint Security E80.97 Windows Clients (sk154432)
- CFG release over E81.00: interested customers should contact the support team to get this CFG release
- Available in the next official release, E81.10

As always, we highly recommend installing the relevant Microsoft security patch.

Additional information on how to protect against BlueKeep:
- How to protect RDP servers from CVE-2019-0708 (BlueKeep): sk154732
- SandBlast Agent Protects Against BlueKeep RDP Vulnerability
Ami_Barayev1 inside SandBlast Agent 3 weeks ago
Employee

Endpoint Security / SandBlast Agent Newsletter - Version – E81.00

Hi all,

We recently released SandBlast Agent E81.00. The complete list of improvements can be found in the release Secure Knowledge article: Enterprise Endpoint Security E81.00 Windows Clients (sk153053).

BlueKeep (CVE-2019-0708)
Microsoft has announced that a critical vulnerability was found in Remote Desktop Services (RDS) relevant to several Windows products, including Windows 7 and Windows Server 2008 R2. SandBlast Agent supports mitigation for the BlueKeep vulnerability in the following releases:
- E80.97: Enterprise Endpoint Security E80.97 Windows Clients (sk154432)
- CFG release over E81.00: interested customers should contact the support team to get this CFG release
- Available in the next official release, E81.10

As always, we highly recommend installing the relevant Microsoft security patch. Additional information on how to protect against BlueKeep: How to protect RDP servers from CVE-2019-0708 (BlueKeep), sk154732.

Forensics with GEO location
One of the new enhancements in E81.00 is the GEO location of malicious connections, for example the malware bot's communications with its C&C location.

Improved end-user experience
Per feedback from our field and customers, we reduced the number of end-user popups and notifications starting with E80.96. By default we no longer present notifications which do not require user action or immediately impact the user's work. The motivation is to provide a smoother experience to the end-user. More information can be found in Ability to enable/disable user popups in Endpoint Security Client, sk152613.

Early Availability in E81.00

BitLocker Management
BitLocker is a very popular full volume encryption feature included with Microsoft Windows versions. Due to its popularity we have integrated the management of BitLocker into SmartEndpoint to ease its operation for our customers. We are looking for customers who would like to participate in the Early Availability version of BitLocker Management. Interested customers please contact CP_EA@checkpoint.com.

Virtual desktop infrastructure (VDI) persistent support for VMware Horizon
Virtual desktop infrastructure (VDI) is virtualization technology that hosts a desktop operating system on a centralized server. With persistent VDI each desktop runs from a separate disk image; the user's settings are saved and appear each time at login, which allows a more personalized experience. E81.00 adds EA support for VDI persistent mode. Support for VDI non-persistent mode is also in development; we will update when it becomes available. We are looking for customers who would like to participate in the Early Availability version of VDI persistent mode for VMware. Interested customers please contact CP_EA@checkpoint.com.

Forensics for Mac OS
As of E80.89 we support SandBlast Agent for Mac with advanced threat prevention technologies including Threat Emulation, Anti-Ransomware and the Google Chrome extension. We continue to work on and enhance our SandBlast threat technologies on Mac OS and have Forensics for Mac ready for Early Availability. We are looking for customers who would like to participate in the Early Availability version of Mac Forensics. Interested customers please contact CP_EA@checkpoint.com.
Yossi_Hasson inside SandBlast Agent a month ago
Employee

[Breaking News] SandBlast Agent Protects Against BlueKeep RDP Vulnerability (CVE-2019-0708)!

Critical Vulnerability in Windows OS - Code execution using Remote Desktop Protocol (CVE-2019-0708)

SandBlast Agent is the First Endpoint Security Solution to Protect Against BlueKeep RDP Vulnerability!

Recently, a security advisory was released for a vulnerability in RDP (Remote Desktop Protocol) affecting multiple Windows Operating Systems prior to 8.1. According to Microsoft's advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708, this vulnerability can be exploited for both remote code execution and denial of service attacks, all without needing the credentials of the target machine.

Check Point's SandBlast Agent Anti-Exploit now monitors the RDP service for both Windows 7 and Windows 2008 R2 and is able to prevent this attack from occurring. Not only is SandBlast Agent able to prevent the exploit from being delivered on unpatched systems, but it is also able to prevent the exploit from being delivered to the previously vulnerable driver in patched systems.

The protection is available in SandBlast Agent's E80.97 Client Version (can be downloaded from sk154432).

To see Anti-Exploit's protection in action please see the following videos, where our Threat Research Group's POC used for exploitation is blocked. In addition, you can also see how we are able to block the scan of the Metasploit module that was recently developed to identify vulnerable systems.

Video 1: SandBlast Agent protects against Check Point's Threat Research group BlueKeep based exploit (video)

Video 2: SandBlast Agent protects against Metasploit module developed to identify vulnerable systems (video)

SandBlast Agent BlueKeep Event Forensics Report (image)

To learn more about SandBlast Agent's Anti-Exploit protection of BlueKeep, see: sk154232 - Anti-Exploit Protection for Remote Desktop Protocol Vulnerability (CVE-2019-0708)

Note: Users who run SandBlast Agent with a third party Anti-Virus (AV) should be aware that Anti-Exploit is turned off in the presence of third party AVs. For this protection to be enabled, you must allow Anti-Exploit to work with third party AVs as detailed in sk154454 - Enabling Anti-Exploit when deployed with a third party Anti-Virus.
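The posts above describe the endpoint-side protection; what an administrator usually wants next is a quick check of the host-side mitigations Microsoft's advisory lists for the same bug (install the patch, require Network Level Authentication, turn RDP off or restrict who can reach it), so that a Windows 7 / 2008 R2 host is not relying on Anti-Exploit alone. The PowerShell below is an added example, not Check Point's or the post author's code. The KB IDs (supplied by the caller, since the post does not name them), the management subnet and the use of the Windows 7 built-in "Remote Desktop (TCP-In)" firewall rule name are assumptions.

```powershell
# Added example (not Check Point code): audit the host-side BlueKeep (CVE-2019-0708)
# mitigations from Microsoft's advisory on a Windows 7 / Server 2008 R2 host, and
# optionally apply two of them. Run elevated.
# Assumptions: -PatchKBs is supplied by the caller, the management subnet is a
# placeholder, and the firewall rule name is the Windows 7 built-in one.
param(
    [string[]] $PatchKBs   = @(),            # KB IDs from the Microsoft advisory for this OS build
    [string]   $MgmtSubnet = '10.0.0.0/24',  # placeholder: only this network may reach TCP 3389
    [switch]   $Remediate                    # without it the script only reports
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled? fDenyTSConnections=1 means the service refuses connections,
#    so there is no pre-authentication RDP code for a remote attacker to reach.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)

# 2. Network Level Authentication. UserAuthentication=1 forces CredSSP authentication before
#    the vulnerable pre-auth RDP handling is reached; the advisory lists it as a workaround
#    (not a fix) for hosts that cannot be patched yet.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 3. Patch state by KB ID, only if the caller told us which KBs to expect.
$patched = 'not checked (no -PatchKBs given)'
if ($PatchKBs.Count -gt 0) {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $patched = [bool]($PatchKBs | Where-Object { $installed -contains $_ })
}

# 4. Is anything listening on TCP 3389 right now? netstat is used because
#    Get-NetTCPConnection does not exist on Windows 7.
$listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

New-Object PSObject -Property @{
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    Patched      = $patched
    Port3389Open = $listening
} | Format-List

if ($Remediate -and $rdpEnabled) {
    if (-not $nlaRequired) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Output 'UserAuthentication set to 1 (NLA required); applies to new sessions once TermService restarts.'
    }
    # Narrow the built-in inbound RDP rule from "any" to the management subnet.
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$MgmtSubnet
}
```

Report mode (`.\Audit-BlueKeep.ps1 -PatchKBs <KB IDs from the advisory>`) is safe to run through a management tool across the fleet; `-Remediate` changes registry and firewall state and should be staged like any other RDP hardening, since requiring NLA locks out clients that cannot do CredSSP. Note that this script checks the OS-side controls only; the Anti-Exploit protection described in the post is configured in SmartEndpoint and, as the note above says, is off when a third party AV is present unless enabled per sk154454.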
Boaz_Barzel inside SandBlast Agent a month ago
Employee

First Release - Learning Mode To Best Practice Methodology

I am pleased to finally share with you a methodology I have written from my many years of expertise with Check Point solutions. The Learning Mode to Best Practice methodology was created to help you start with and better utilize Check Point solutions. At the end of the process, you will be able to apply the Best Practice configuration while tailoring the solution to the organizational needs and maximizing security effectiveness with minimal overhead to IT and to the user experience.

Start from sk152772 - Learning Mode to Best Practice Methodology and subscribe to updates!

The first release is for Check Point SandBlast Agent and includes the following SKs:
- sk153713 - SandBlast Agent - Learning Mode To Best Practice
- sk154072 - SandBlast Agent Deployment Best Practice
- sk153714 - SandBlast Agent Learning Mode Configuration
- sk154052 - SandBlast Agent Best Practice Configuration
Valeri_Loukine inside SandBlast Agent 2019-05-17
Admin

White Paper - Minimizing SBA Notifications with Check Point GuiDBedit

Author: @Krzysztof__Chri

Abstract: In some cases, customers need to minimize notifications to the end user, as users may get overwhelmed with the notifications. This document will allow you to minimize SBA notifications by modifying the policy using the Check Point Database Tool (GuiDBedit).
Shahar_Grober inside SandBlast Agent 2019-05-06

Sandblast Agent end-user guide

Hi, I am looking for a SandBlast Agent user guide which explains to end-users how to work with SandBlast Agent (SBA for browsers, TE/TEX on the endpoint). Is there such an animal?
Dan_Roddy inside SandBlast Agent 2019-05-02

Internet Explorer is not a browser according to Microsoft

If the intended use of IE is for legacy applications, we really need SandBlast support for Edge. Here is what Microsoft is saying about IE:

"Is Internet Explorer (IE) a browser? According to Microsoft, no. Today, it's a 'compatibility solution' for enterprise customers to deal with legacy sites that should be updated for modern browsers. Chris Jackson, Microsoft's worldwide lead for cybersecurity, really doesn't want enterprise customers to use IE for all web traffic, even though for some organizations that would be the easiest option. Companies in that situation are willing to take on 'technical debt', such as paying for extended support for a legacy software, but that habit needs to stop in the case of IE, argues Jackson in a new blog post, 'The perils of using Internet Explorer as your default browser'."

Credit goes to ZDNet for this piece: https://www.zdnet.com/article/microsoft-security-chief-ie-is-not-a-browser-so-stop-using-it-as-your-default/
ISA_License_Adm inside SandBlast Agent 2019-04-19

Sandblast Endpoint R80.20 partitioning assistance

Hi, I'm looking for some assistance around partition sizes when deploying the SandBlast agent to around 4000 users. I received feedback on roughly the size of the mgmt. and policy servers but nothing on the partitioning of the mgmt. server. I'm fairly new to the SandBlast agent and need some guidance on how to partition the mgmt. and proxy servers. Specs for the mgmt. server would be a VM with 8 cores, 64 GB of RAM and a 1 TB HDD. Any help would be greatly appreciated.

Regards,
Ernest
Sanja_Rakic inside SandBlast Agent 2019-04-12

SandBlast agent Authentication

Hello everyone,

I am facing issues with setting up Active Directory authentication. These issues are a consequence of configuration steps that cannot be done on the domain controller, so that is not the question. I just want to know what the consequences are if working in authenticated mode is not set. What are the exact security risks?

Best regards,
Sanja
Gad_Naveh inside SandBlast Agent 2019-03-31
Employee+

LockerGoga from Norsk Hydro Analysis

#Edited# A recording of the Threat Gazette Live session on the Norsk Hydro cyber attack and SandBlast Agent's prevention of it is now available.

The ongoing cyber attack on Norsk Hydro is changing fronts, adding fraud attempts that try to leverage the still not fully operational enterprise, which is still suffering from a cyber attack that started on March 19th. For more details you can join @Marcel_Afrahim and myself for the Threat Gazette Live on April 1st; scroll down for details.

The following initial analysis by @Marcel_Afrahim shows LockerGoga using a multi-process operation, where each process encrypts a few files. This is done to bypass detection and work in parallel, together with having a separate decryption key for every bunch, supposedly to make it harder to break. You can deep dive and analyze the malware yourself using its online SandBlast Agent forensic report.

Here is a view of the multi-process operation in the SandBlast Agent forensic report: (image)

The main process doesn't try to move laterally, suggesting an initial dropper inserted it. On execution it enumerates the files and executes a child process to encrypt each bunch. After that it will cut the computer's communication.

Join Threat Gazette Live on April 1st to hear more; click the link for your preferred webinar time:
- Click to Register for the 8 a.m. GMT session for EMEA and APAC
- Click to Register for the 11 a.m. EST session for the Americas

Thanks,
Gadi
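The behaviour the analysis above describes (one parent that forks a fresh copy of itself for every bunch of files, so the encryption is spread across many short-lived workers) leaves a distinctive shape in process-creation telemetry that a hunter can look for independently of any signature. The PowerShell below is an added example, not Check Point's or the analyst's code: it groups Sysmon Event ID 1 records by (parent PID, child image) and flags a parent whose same-image children start in a tight burst. The records, image paths, PIDs and thresholds are constructed placeholders for the example, not LockerGoga indicators; on a live host you would build the same objects from `Get-WinEvent` against the Sysmon operational log.

```powershell
# Added example (not Check Point code): hunt for the "one parent, many same-image workers"
# pattern described above in Sysmon Event ID 1 (process creation) records.
# All records, paths, PIDs and thresholds below are constructed placeholders.
param(
    [int] $MinChildren   = 5,   # same-image children needed before a parent is flagged
    [int] $WindowSeconds = 60   # those children must all start within this many seconds
)

# Constructed telemetry, one process creation per line:
#   UtcTime,ProcessId,Image,ParentProcessId,ParentImage
# On a real host build the same objects from:
#   Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 }
$raw = @(
    '2019-03-19 02:14:05,3300,C:\Windows\explorer.exe,1200,C:\Windows\explorer.exe',
    '2019-03-19 02:14:10,4012,C:\Users\bob\AppData\Local\Temp\locker.exe,3300,C:\Windows\explorer.exe',
    '2019-03-19 02:14:12,4020,C:\Users\bob\AppData\Local\Temp\locker.exe,4012,C:\Users\bob\AppData\Local\Temp\locker.exe',
    '2019-03-19 02:14:13,4028,C:\Users\bob\AppData\Local\Temp\locker.exe,4012,C:\Users\bob\AppData\Local\Temp\locker.exe',
    '2019-03-19 02:14:14,4036,C:\Users\bob\AppData\Local\Temp\locker.exe,4012,C:\Users\bob\AppData\Local\Temp\locker.exe',
    '2019-03-19 02:14:15,4044,C:\Users\bob\AppData\Local\Temp\locker.exe,4012,C:\Users\bob\AppData\Local\Temp\locker.exe',
    '2019-03-19 02:14:16,4052,C:\Users\bob\AppData\Local\Temp\locker.exe,4012,C:\Users\bob\AppData\Local\Temp\locker.exe',
    '2019-03-19 02:14:17,4060,C:\Users\bob\AppData\Local\Temp\locker.exe,4012,C:\Users\bob\AppData\Local\Temp\locker.exe',
    '2019-03-19 02:20:00,5001,C:\Program Files\Git\usr\bin\sh.exe,2200,C:\Program Files\Git\git-bash.exe',
    '2019-03-19 02:25:00,5002,C:\Program Files\Git\usr\bin\sh.exe,2200,C:\Program Files\Git\git-bash.exe'
)

$events = foreach ($line in $raw) {
    $f = $line -split ','
    New-Object PSObject -Property @{
        UtcTime         = [datetime]::ParseExact($f[0], 'yyyy-MM-dd HH:mm:ss', $null)
        ProcessId       = [int]$f[1]
        Image           = $f[2]
        ParentProcessId = [int]$f[3]
        ParentImage     = $f[4]
    }
}

function Find-WorkerSwarm {
    param($Events, [int]$MinChildren, [int]$WindowSeconds)
    # One group per (parent PID, child image). An encryptor that forks a worker per bunch of
    # files yields a single group with many members whose start times are packed together;
    # a build server or shell spawning the same tool over an hour does not.
    $Events | Group-Object ParentProcessId, Image | ForEach-Object {
        $kids = @($_.Group | Sort-Object UtcTime)
        if ($kids.Count -lt $MinChildren) { return }   # 'return' skips to the next group
        # Sliding window: flag if any $MinChildren consecutive starts fit inside $WindowSeconds.
        for ($i = 0; $i + $MinChildren - 1 -lt $kids.Count; $i++) {
            $span = ($kids[$i + $MinChildren - 1].UtcTime - $kids[$i].UtcTime).TotalSeconds
            if ($span -le $WindowSeconds) {
                New-Object PSObject -Property @{
                    ParentProcessId = $kids[0].ParentProcessId
                    ParentImage     = $kids[0].ParentImage
                    ChildImage      = $kids[0].Image
                    ChildCount      = $kids.Count
                    SelfSpawned     = ($kids[0].ParentImage -eq $kids[0].Image)  # parent re-executing its own binary
                    FirstChild      = $kids[0].UtcTime
                    SpanSeconds     = ($kids[-1].UtcTime - $kids[0].UtcTime).TotalSeconds
                }
                return
            }
        }
    }
}

Find-WorkerSwarm -Events $events -MinChildren $MinChildren -WindowSeconds $WindowSeconds | Format-List
```

With the constructed data only PID 4012 is reported (six same-image children in five seconds, SelfSpawned true); the two sh.exe launches five minutes apart and explorer's single child are ignored. The SelfSpawned field is the cheap discriminator: legitimate parents that spawn many workers quickly (installers, compilers) rarely re-execute their own image, while the post's description of LockerGoga is exactly that. Tune MinChildren and WindowSeconds against a week of your own Sysmon data before alerting on it.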
Ami_Barayev1 inside SandBlast Agent 2019-03-25
Employee

Endpoint Security / SandBlast Agent Newsletter - Version – E80.92 & E80.94

We are happy to announce SandBlast Agent E80.94. Additional information can be found at the link below:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147532&partition=General&product=Endpoint
Adnan_Pajalic inside SandBlast Agent 2019-03-19

R77.30 SandBlast to new virtual machine

Hello,

I have a customer that has an R77.30 management server with SandBlast. It is currently running in VMware Player as a virtual machine. We want to migrate it to ESX as a new virtual management center running R77.30.

My question is: how many problems can I encounter if I make a clean install of R77.30 with SandBlast when we have around 200 workstations with SandBlast agents running? Do I need to reinstall the agents with the new server, or will they automatically be registered if the IP address of the management center remains the same?