Sandboxing, a relatively recent technique, detects malware that does not match previously seen attacks. It captures an executable file or document, runs it in a virtual machine or an emulator, and monitors its behavior for suspicious changes to the registry, modifications of system files, or other signs of an attack.
Because analysis takes time, many traditional sandboxes are designed only to detect malware, not to block it. Attackers have also developed malware that recognizes when it is running on a virtual machine (and therefore possibly in a sandbox) and stays dormant until it has passed the sandbox and reached a real endpoint device. They also build sleep timers into the malware so that it activates minutes, or sometimes even days, after the infection, effectively out-waiting the defensive measures. Traditional sandboxing can also be resource intensive, slowing down system performance, crashing much-needed applications, impeding workflow, and generally frustrating users.
Something more is needed to address current threats. Defensive measures must be more evasion resistant, less intrusive, more scalable, and more automated. They must combine speed and effectiveness. That combination is now available.
Advanced Sandboxing
In contrast to traditional sandboxes, which often detect threats only once the malware is running, advanced sandboxing inspects threats earlier in the attack cycle, enabling organizations to stop threats before they reach the end user. SandBlast™ Agent employs the advanced sandboxing capabilities of Threat Emulation, with CPU-level detection, and Threat Extraction, providing a higher catch rate while delivering content quickly and maintaining business flow.
While traditional sandboxes detect attacks during execution in a virtual environment, advanced sandboxing adds the capability to detect malware in a data file before it is fully deployed. By watching activity at the processor instruction level during the exploit, CPU-level detection catches potential problems at the earliest stages. NSS Labs, in strong reviews, has designated this evasion-resistant Threat Emulation sandboxing a recommended product for the past 2 years.
When it comes to workflow, traditional sandboxing technology is slow and disruptive, getting in the way of users who need to get work done. In today's instant-demand world, it can take several minutes to find out whether content is safe or malicious. Web users downloading files will not wait this long after clicking a link to learn whether something is safe. This is where Harmony Endpoint's Threat Extraction capability comes into play.
Threat Extraction creates a safe "snapshot" version of the file, delivering it to the user in about a second. The clean version is reconstructed from the original, removing any potential malicious content, e.g., the macros in an Excel file, or the dynamic content in a PDF. The user immediately sees a normal-looking file. While the user may not be able to interact fully with the file during this time, most users get what they need by reading a static document, decreasing workflow disruption. If the user requires the dynamic components, they are available once the file has been deemed safe - all with a simple click.
By offloading the tasks of sandboxing and Threat Extraction to a remote cloud service (either a hosted service, or a private cloud with on-premise appliances), Harmony Endpoint is non-intrusive, and does not tie up endpoint processing capability.
Anti-Bot
Strengthening the defensive capabilities of the endpoint, Anti-Bot resides right on the endpoint, quickly detecting and containing bot infections coming through unprotected channels.
Anti-Bot monitors traffic for command and control communications sent over the network and exposes hidden infections. It then prevents communication with command and control or staging servers, blocking the spread of malware and stopping the exfiltration of sensitive data files and other crucial information. Anti-Bot is updated with the latest intelligence on new malicious sites and attack patterns through ThreatCloud, a collaborative network and cloud-driven knowledge base. Delivering real-time security intelligence based on threat monitoring across our customer base, ThreatCloud serves as a database of known malicious servers and behaviors. Most importantly, that database is continuously updated, maintaining peak strength and providing a steady stream of up-to-date protections to Harmony Endpoint.
Automated Forensic Analysis
A malware attack can be severe, crippling, and very costly for your organization. Speed and accuracy in diagnosing the problem are crucial in defending an enterprise under attack. This is where Harmony Endpoint's Automated Forensic Analysis capability delivers unique value. In the case of an incident, Harmony Endpoint generates an interactive report that delivers a full and deep analysis of endpoint activity. Providing a complete view of the attack flow, it reveals the actionable information that you need to effectively undertake remediation measures.
Traditional Post-Incident Response Measures
Once an attack has taken place, there are numerous remediation tasks to clean up the damage. While they offer some value, re-imaging of PCs and manual forensic analysis have clear drawbacks and limitations, requiring significant time and resources.
Re-Imaging the PC is a common, yet highly disruptive approach to dealing with a malware infection. Rebuilding the system from scratch and restoring user files from backups is very labor intensive.
Manual Forensic Analysis requires the ability to review crucial historical system activity. In the case of many modern attacks that try to cover their tracks, that data may no longer be available. The information necessary for understanding the nature, scope, entry point and damage may be long gone, making meaningful analysis all but impossible. In addition, finding staff with these high-level forensics skills is extremely difficult. When you do find them, they are very expensive.
While it is clear that re-imaging and manual forensic analysis have their place, new post-incident response and remediation measures are sorely needed. User sites need a more streamlined, time-efficient and effective approach. This approach is available with Harmony Endpoint's Automated Incident Analysis capability.
Harmony Endpoint continuously collects forensics information on the endpoint, creating full visibility into the life cycle of an attack. Using only minimal resources for this collection process, it securely stores and protects relevant information, including user activity, and file and network access.
When existing Anti-Virus products on the endpoint, network detections, Threat Emulation, or Anti-Bot (locally or at the gateway) detect a threat, Harmony Endpoint logs from the involved endpoints are automatically uploaded for review. Advanced algorithms analyze the raw forensics data, quickly building an incident report and saving your response team hours of time.
The result is a complete view of the attack, including: the malware entry point; the scope of damage/business impact; malware activity before discovery; the identity of other affected hosts and users. Each one of these categories can be drilled down, providing even more detailed information.
The Harmony Endpoint Forensics and Anti-Ransomware component monitors file operations, processes, and network activity for suspicious behavior. It also analyzes attacks detected by other detection features, such as Anti-Ransomware or Behavioral Guard, the Check Point Gateway, and some third party security products. On detection of a malicious event or file, Forensics is informed and a Forensics analysis is automatically initiated. After the analysis is completed, the entire attack sequence is then presented as a Forensics Analysis Report.
Harmony Endpoint Behavioral Guard is a behavioral detection engine that detects and remediates all forms of malicious behavior. When the Behavioral Guard detects malicious behavior, a Forensics report is generated of the entire attack. The attack can be automatically or manually remediated based on the Forensics report.
Note: You can trigger incident analysis for a client on a one-time basis with Push Operations. You can run the Push Operation from SmartEndpoint or from the CLI. The analysis occurs without the need to install policy.
The Forensics Analysis Report provides full information on attacks and suspicious behavior with an easy interface. The report includes:
Entry Point - How did the suspicious file enter your system?
Business Impact - Which files were affected and what was done to them?
Remediation - Which files were treated and what is their status?
Suspicious Activity - What unusual behavior occurred that is a result of the attack?
Incident Details - A complete visual picture of the paths of the attack in your system.
To open a Forensics Analysis Report for an incident:
SmartLog - From the Log Details of a Forensics, Threat Emulation, or Anti-Bot log, under "Forensics", click "Report".
SmartEvent - From the Summary of a Forensics, Threat Emulation, or Anti-Bot log, under "Actions", click "Open Forensics Report".
Endpoint Security Client GUI - From the Client Overview, open the Forensics component and click the "Incident ID" in the incident table.
Anti-Ransomware constantly monitors files and processes for unusual activity. Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.
Analysis Triggers
Network detectors – AV (Anti-Virus), AB (Anti-Bot) and TE (Threat Emulation) on the network
Local security events – AM, AB (Anti-Bot), TE (Threat Emulation), AR (Anti-Ransomware) on the endpoint
Third-party Antivirus detection on the endpoint
Manually from the Endpoint, or from the EP management
Damage Detection
Automatically identify: Data exfiltration, data manipulation or encryption, key logging
Root Cause Analysis
Trace and identify root cause across multiple system restarts in real-time
Malware Flow Analysis
Automatically generated interactive graphic model of the attack flow
Malicious Behavior Detection
Over 40 malicious behavior categories
Hundreds of malicious indicators
Forensics and Anti-Ransomware module
Forensics Service and DB:
The DB is stored locally on the client in C:\ProgramData\CheckPoint\DBStore
The DB file is C:\ProgramData\CheckPoint\DBStore\EFR.db
The default file size is 1GB, and the maximum configurable file size is 4GB
Forensics service files are located in C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR
Forensics and Anti-Ransomware can work offline without the need for update or connection to the Internet/Management.
The Anti-Ransomware backup folder is located on the root of every logical drive in the "SandBlastBackup" folder
The Quarantine folder is located in: C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Quarantine
The following directories are excluded (by policy) from the Anti-Ransomware backup:
%SystemRoot%
%USERPROFILE%\AppData
%ProgramData%
%ProgramW6432%
%ProgramFiles(x86)%
%ProgramFiles%
%SystemDrive%\$Recycle.Bin
%SystemDrive%\Windows.old
%SystemDrive%\$windows.~BT
%SystemDrive%\$windows.~WS
Only user data, not program-related data, is backed up, for better performance and ease of use. Programs can be reinstalled easily, and backing up their data would take more resources.
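The exclusion list above is expressed in environment-variable form, so whether a given file is covered by the Anti-Ransomware backup depends on how those variables expand on the endpoint. The following PowerShell is an added example, not Check Point's own code: it expands the listed exclusions, tests whether sample paths fall under one of them (matching on a directory boundary so that C:\Windows2 does not match %SystemRoot%), and reports whether the SandBlastBackup folder is present at the root of each logical drive. The function names, the hypothetical sample paths, and the assumption that the backup folder is always named exactly SandBlastBackup are mine.

```powershell
# Added example (not Check Point's code): check whether paths fall inside the directories the
# policy excludes from the Anti-Ransomware backup, and list SandBlastBackup folders per drive.

# Exclusions exactly as listed in the policy, in %VAR% form.
$ExcludedPatterns = @(
    '%SystemRoot%',
    '%USERPROFILE%\AppData',
    '%ProgramData%',
    '%ProgramW6432%',
    '%ProgramFiles(x86)%',
    '%ProgramFiles%',
    '%SystemDrive%\$Recycle.Bin',
    '%SystemDrive%\Windows.old',
    '%SystemDrive%\$windows.~BT',
    '%SystemDrive%\$windows.~WS'
)

function Get-ExpandedExclusions {
    # Expand %VAR% references for the current user. A variable that is not set on this host
    # (for example %ProgramW6432% on 32-bit Windows) is left unexpanded, so it is skipped rather
    # than turned into an empty prefix that would match everything.
    foreach ($pattern in $ExcludedPatterns) {
        $expanded = [Environment]::ExpandEnvironmentVariables($pattern)
        if ($expanded -match '%') { continue }
        $expanded.TrimEnd('\')
    }
}

function Test-AntiRansomwareExcluded {
    param([Parameter(Mandatory)][string]$Path)
    # Normalize to a full path so relative input and trailing separators compare consistently.
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
    foreach ($dir in Get-ExpandedExclusions) {
        # Case-insensitive match on the directory itself or anything beneath it.
        if ($full.Equals($dir, 'OrdinalIgnoreCase') -or
            $full.StartsWith($dir + '\', 'OrdinalIgnoreCase')) {
            return [pscustomobject]@{ Path = $full; Excluded = $true;  MatchedRule = $dir }
        }
    }
    return [pscustomobject]@{ Path = $full; Excluded = $false; MatchedRule = $null }
}

function Get-SandBlastBackupFolders {
    # The backup folder sits at the root of every logical drive (assumed folder name: SandBlastBackup).
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object {
        $backup = Join-Path $_.Root 'SandBlastBackup'
        [pscustomobject]@{
            Drive        = $_.Root
            BackupFolder = $backup
            Present      = Test-Path -LiteralPath $backup
        }
    }
}

# Constructed sample paths: one user document (backed up), one AppData file and one system
# binary (both excluded by policy).
@("$env:USERPROFILE\Documents\budget.xlsx",
  "$env:USERPROFILE\AppData\Local\Temp\cache.bin",
  "$env:SystemRoot\System32\notepad.exe") |
    ForEach-Object { Test-AntiRansomwareExcluded -Path $_ } | Format-Table -AutoSize

Get-SandBlastBackupFolders | Format-Table -AutoSize
```

Run it in a normal user session; the expansion of %USERPROFILE% is per user, so a document under another user's AppData is evaluated against that user's own profile path, not the one printed here.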
Verify that the additional drivers and monitors are running:
sc query EPNETFLT – network driver for traffic interception
sc query CPEPMON – driver used to monitor file system activity
sc query EPREGFLT – driver used to monitor registry activity
sc query CPBAK – driver used for backup
sc query ISWKL – injection monitor
Debug Logs:
C:\ProgramData\CheckPoint\Logs\EFRService.log
There are additional logs, one for every monitor.
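The database location and size limits, the five driver names, and the service log path above are the pieces an administrator checks first when the Forensics module misbehaves. The following PowerShell is an added example, not Check Point's own tooling: it is a read-only health check that reports the EFR.db size against the 1GB default and 4GB configurable maximum, parses the STATE line of sc.exe query for each listed driver, confirms the service directory exists, and prints the tail of EFRService.log. The function names are mine, and the treatment of the two size figures as limits on the database file is an assumption drawn from the text above.

```powershell
# Added example (not Check Point's code): read-only health check for the Forensics and
# Anti-Ransomware module using the paths, limits and driver names documented above.

$DbPath         = 'C:\ProgramData\CheckPoint\DBStore\EFR.db'
$ServiceDir     = 'C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR'
$LogPath        = 'C:\ProgramData\CheckPoint\Logs\EFRService.log'
$DefaultDbMaxGB = 1   # default DB file size
$HardDbMaxGB    = 4   # maximum configurable DB file size

# Driver names and roles as given in the "sc query" list.
$Drivers = [ordered]@{
    EPNETFLT = 'network driver for traffic interception'
    CPEPMON  = 'file system activity monitor'
    EPREGFLT = 'registry activity monitor'
    CPBAK    = 'backup driver'
    ISWKL    = 'injection monitor'
}

function Get-EfrDatabaseStatus {
    # Report the DB size relative to the default and the configurable maximum.
    if (-not (Test-Path -LiteralPath $DbPath)) {
        return [pscustomobject]@{ Path = $DbPath; Exists = $false; SizeGB = 0; Status = 'missing' }
    }
    $sizeGB = [math]::Round((Get-Item -LiteralPath $DbPath).Length / 1GB, 3)
    $status = if ($sizeGB -ge $HardDbMaxGB)        { 'at the 4GB configurable maximum' }
              elseif ($sizeGB -ge $DefaultDbMaxGB) { 'above the 1GB default (limit may have been raised)' }
              else                                 { 'within the default size' }
    [pscustomobject]@{ Path = $DbPath; Exists = $true; SizeGB = $sizeGB; Status = $status }
}

function Get-EfrDriverStatus {
    # sc.exe query reports kernel drivers as well as services; parse its STATE line.
    # Example line: "        STATE              : 4  RUNNING"
    foreach ($name in $Drivers.Keys) {
        $out   = & sc.exe query $name | Out-String
        $state = if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { $Matches[1] } else { 'NOT_INSTALLED' }
        [pscustomobject]@{
            Driver  = $name
            Role    = $Drivers[$name]
            State   = $state
            Running = ($state -eq 'RUNNING')
        }
    }
}

function Get-EfrLogTail {
    param([int]$Lines = 20)
    # Last lines of the service debug log, if it exists.
    if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath -Tail $Lines }
    else { "log not found: $LogPath" }
}

# Run the checks and print a summary.
Get-EfrDatabaseStatus | Format-List
Get-EfrDriverStatus   | Format-Table -AutoSize
"Service files present: $(Test-Path -LiteralPath $ServiceDir)"
Get-EfrLogTail
```

Any driver reported as STOPPED or NOT_INSTALLED, or a database already at the configurable maximum, is the first thing to raise with support; the script changes nothing on the host.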
Modules Troubleshooting Log Files
Modules troubleshooting log files are stored under C:\ProgramData\CheckPoint\Logs
Internal application will not behave as expected after installing Harmony Endpoint
In addition to monitoring operations, the Forensics drivers take part in the attack detection process. Legitimate behavior of an internal application can be detected as suspicious and interrupted by the drivers. Determine which driver is interrupting the legitimate behavior by stopping them one by one, and capture the driver operations with a trace log tool.