SandBlast agent poor documentation

Discussion created by 1fb431d2-d804-449a-bccd-5f3f95de6259 on Aug 17, 2018
Latest reply on Aug 17, 2018 by Dameon Welch-Abernathy

I worked with Checkpoint security gateways for quite a few years and the technical documentation is usually quite complete (especially thanks to the ATRG pages), however I recently started setting up Sandblast agents for a client and I find the documentation very lacking, it is mostly a "black box" and the documentation tells you it will protect against this threat but without any technical details on how it will do it.


For example if I take the anti-ransomware feature I cannot find the following information:

  • How does the agent decides which file to backup
  • Are the files backed up when accessed by a process (does that mean the process have to wait the backup is completed before running) or is the agent actively looking for these files (and if so how - only local or also remote on file servers?)
  • How long is each file kept in the backup
  • I can configure a backup size limit in the Endpoint Management but what happens when the client reaches the limit (I assume some files will be deleted, but which one)
  • I see in the documentation that the agent is supposed to create some random files in My Documents, etc. I cannot find these files however I see folders such as "CheckPoint!FrameworkDirectoryDon'tDiscard" and "Sandblast Zero-Day-SystemFolder-Do notDiscard" but again no information on what they are
  • How is the anti-ransomware agent "constantly monitoring suspicious activities", I understand for this one that details might be restricted to not have other vendors copying it but at least some high level description would be useful


This is only for anti-ransomware but I can give a similar list for nearly every sandblast feature.


Did I miss an ATRG or SK for all this somewhere ?