ATRG: SandBlast Agent (Forensics and Anti-Ransomware)
Solution

Table of Contents:

  • Introduction to SandBlast Agent
  • Architecture
  • SandBlast Agent GUI
  • Fundamental Functionality
  • Best-practice Recommendations / Procedures
  • Troubleshooting

Introduction to SandBlast Agent


Sandboxing

Sandboxing is a relatively recent technique for detecting malware that does not match any previously seen attack. A suspicious executable or document is captured and detonated in a virtual machine or emulator, and its behavior is monitored for suspicious registry changes, modifications to system files, or other signs of an attack.

Because the analysis takes time, many traditional sandboxes are designed only to detect malware, not to block it. Attackers have also developed malware that recognizes when it is running in a virtual machine (and therefore possibly in a sandbox) and stays dormant until it has passed the sandbox and reached a real endpoint. They also build sleep timers into the malware so that it activates minutes, or sometimes days, after the initial infection, simply out-waiting the analysis window. Traditional sandboxing can also be resource intensive, slowing systems down, crashing needed applications, impeding workflow, and frustrating users.

Something more is needed to address current threats. Defensive measures must be more evasion resistant, less intrusive, more scalable, and more automated, combining speed with effectiveness.

Advanced Sandboxing

Traditional sandboxes typically detect a threat only once the malware is already running. Advanced sandboxing inspects the threat earlier in the attack cycle, so organizations can stop it before it reaches the end user. SandBlast™ Agent uses the advanced sandboxing capabilities of Threat Emulation with CPU-level detection, together with Threat Extraction, to provide a higher catch rate while delivering content quickly and keeping business flowing.

Where traditional sandboxes detect attacks during execution in a virtual environment, advanced sandboxing adds the ability to detect malware embedded in a data file before its payload is fully deployed. By watching activity at the processor instruction level during the exploit phase, CPU-level detection catches the attack at its earliest stage. NSS Labs has designated this evasion-resistant Threat Emulation sandboxing a Recommended product for the past two years.

Traditional sandboxing is also slow and disruptive from a workflow standpoint: it can take several minutes to find out whether content is safe or malicious, and users downloading a file will not wait that long after clicking a link. This is where SandBlast Agent's Threat Extraction capability comes in.

Threat Extraction creates a safe "snapshot" version of the file and delivers it to the user in about a second. The clean version is reconstructed from the original with any potentially malicious content removed, for example the macros in an Excel workbook or the dynamic content in a PDF. The user immediately receives a normal-looking file. It may not be fully interactive, but most users get what they need from a static document, which keeps workflow disruption low. If the dynamic components are required, they become available, with a single click, once the original file has been deemed safe.

Because sandboxing and Threat Extraction are offloaded to a remote service (either a hosted service or a private cloud built on on-premise appliances), SandBlast Agent is non-intrusive and does not tie up endpoint processing capacity.

Anti-Bot

Anti-Bot runs directly on the endpoint, strengthening its defenses by quickly detecting and containing bot infections that arrive through unprotected channels.

Anti-Bot monitors network traffic for command and control communications and exposes hidden infections. It then blocks communication with command and control or staging servers, stopping the spread of the malware and the exfiltration of sensitive files and other crucial data. Anti-Bot receives the latest intelligence on new malicious sites and attack patterns from ThreatCloud, Check Point's collaborative, cloud-driven knowledge base. ThreatCloud delivers real-time security intelligence derived from threat monitoring across the Check Point customer base and serves as a database of known malicious servers and behaviors. That database is continuously updated, providing a steady stream of up-to-date protections to SandBlast Agent.

Automated Forensic Analysis

A malware attack can be severe, crippling, and very costly for an organization. Speed and accuracy in diagnosing the problem are crucial to defending an enterprise under attack, and this is where SandBlast Agent's Automated Forensic Analysis adds the most value. When an incident occurs, SandBlast Agent generates an interactive report with a full and deep analysis of endpoint activity. It provides a complete view of the attack flow and the actionable information needed to remediate effectively.



Traditional Post-Incident Response Measures

Once an attack has taken place, there are numerous remediation tasks to clean up the damage. Re-imaging PCs and manual forensic analysis offer some value, but both have clear drawbacks and limitations and require significant time and resources.
  • Re-imaging the PC is a common but highly disruptive way of dealing with a malware infection. Rebuilding the system from scratch and restoring user files from backups is very labor intensive.
  • Manual forensic analysis requires access to historical system activity. Many modern attacks try to cover their tracks, so that data may no longer be available; the information needed to understand the nature, scope, entry point and damage of the attack may be long gone, making meaningful analysis all but impossible. In addition, staff with these high-level forensic skills are extremely difficult to find, and expensive when found.
Re-imaging and manual forensic analysis still have their place, but a more streamlined, time-efficient and effective post-incident response and remediation approach is needed. SandBlast Agent's Automated Forensic Analysis capability provides it.

For more information, refer to:

Architecture

SandBlast Agent continuously collects forensic information on the endpoint, giving full visibility into the life cycle of an attack. The collection process uses minimal resources, and the relevant information, including user activity and file and network access, is stored securely and protected.

When an existing Anti-Virus product on the endpoint, a detection on the network, Threat Emulation, or Anti-Bot (locally or at the gateway) detects a threat, the SandBlast Agent logs from the involved endpoints are automatically uploaded for review. Analysis algorithms process the raw forensic data and quickly build an incident report, saving the response team hours of work.

The result is a complete view of the attack, including the malware entry point, the scope of damage and business impact, malware activity before discovery, and the identity of other affected hosts and users. Each of these categories can be drilled into for more detailed information.

 

SandBlast Agent GUI


SandBlast Agent Overview Screen



SandBlast Agent Advanced Screen



SandBlast Agent Advanced Screen - View Policies



SandBlast Agent Advanced Screen - Logs Viewer



SandBlast Agent Advanced Screen - Collect logs


  • The log folder is C:\Users\<username>\CPInfo
  • The file name is cpinfo.<username>.Date_time.zip
  • cpinfo includes the following information:
    • Version information for the installed files
    • Registry key information
    • Logs

Client Update



Forensics and Anti-Ransomware Module View



Fundamental Functionality


SandBlast Agent Forensics


Description

The SandBlast Agent Forensics and Anti-Ransomware component monitors file operations, processes, and network activity for suspicious behavior. It also analyzes attacks detected by other detection features, such as Anti-Ransomware, Behavioral Guard, the Check Point Gateway, and some third-party security products. When a malicious event or file is detected, Forensics is notified and a Forensics analysis starts automatically. When the analysis completes, the entire attack sequence is presented as a Forensics Analysis Report.

SandBlast Agent Behavioral Guard is a behavioral detection engine that detects malicious behavior and drives its remediation. When Behavioral Guard detects malicious behavior, a Forensics report of the entire attack is generated, and the attack can be remediated automatically or manually based on that report.

Note: You can trigger incident analysis for a client on a one-time basis with Push Operations. You can run the Push Operation from SmartEndpoint or from the CLI. The analysis occurs without the need to install policy.

The Forensics Analysis Report provides full information on attacks and suspicious behavior with an easy interface. The report includes:
  • Entry Point - How did the suspicious file enter your system?
  • Business Impact - Which files were affected and what was done to them?
  • Remediation - Which files were treated and what is their status?
  • Suspicious Activity - What unusual behavior occurred that is a result of the attack?
  • Incident Details - A complete visual picture of the paths of the attack in your system.
To open a Forensics Analysis Report for an incident:
  • SmartLog - From the Log Details of a Forensics, Threat Emulation, or Anti-Bot log, under "Forensics", click "Report".
  • SmartEvent - From the Summary of a Forensics, Threat Emulation, or Anti-Bot log, under "Actions", click "Open Forensics Report".
  • Endpoint Security Client GUI - From the Client Overview, open the Forensics component and click the "Incident ID" in the incident table.

Anti-Ransomware constantly monitors files and processes for unusual activity. Before a ransomware attack can encrypt files, Anti-Ransomware backs them up to a safe location. After the attack is stopped, it deletes the files involved in the attack and restores the originals from the backup location.

Analysis Triggers

  • Network detectors – Anti-Virus (AV), Anti-Bot (AB) and Threat Emulation (TE) on the network
  • Local security events – Anti-Malware (AM), Anti-Bot (AB), Threat Emulation (TE) and Anti-Ransomware (AR) on the endpoint
  • Third-party Anti-Virus detection on the endpoint
  • Manually, from the endpoint or from the Endpoint management (see Push Operations under Troubleshooting)

Damage Detection

  • Automatically identifies data exfiltration, data manipulation or encryption, and key logging

Root Cause Analysis

  • Trace and identify root cause across multiple system restarts in real-time

Malware Flow Analysis

  • Automatically generated interactive graphic model of the attack flow

Malicious Behavior Detection

  • Over 40 malicious behavior categories
  • Hundreds of malicious indicators

Forensics and Anti-Ransomware module

  • Forensics Service and DB:
    • The DB is stored locally on the client in C:\ProgramData\CheckPoint\DBStore
    • The DB file is C:\ProgramData\CheckPoint\DBStore\EFR.db
    • The default DB size is 1 GB; the maximum configurable size is 4 GB
  • Forensics service files are located in C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR
  • Forensics and Anti-Ransomware work offline, without updates or a connection to the Internet or to the Management.
  • The Anti-Ransomware backup folder is the "SandBlastBackup" folder in the root of every logical drive
  • The Quarantine folder is C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Quarantine
  • These directories are excluded (by policy) from the Anti-Ransomware backup:
    • %SystemRoot%
    • %USERPROFILE%\AppData
    • %ProgramData%
    • %ProgramW6432%
    • %ProgramFiles(x86)%
    • %ProgramFiles%
    • %SystemDrive%\$Recycle.Bin
    • %SystemDrive%\Windows.old
    • %SystemDrive%\$windows.~BT
    • %SystemDrive%\$windows.~WS
  • Only user data, not program-related data, is backed up, for better performance and ease of use: programs can be reinstalled easily, and backing up their data takes more resources.
For more information, refer to the Forensics section in the R80.30 Endpoint Security Administration Guide
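As an added example (not part of the SK article or of the product), the following PowerShell function expands the policy exclusion list above on the local machine and reports whether a given path falls under an excluded directory, which tells an administrator in advance whether a location would be protected by the Anti-Ransomware backup. The exclusion list is the one given above; the sample paths at the bottom are constructed. Note that the %USERPROFILE% rule is evaluated for the user running the script, so run it as the user whose files you are checking, and that variables not defined on the host (for example %ProgramW6432% on a 32-bit system) are skipped.

```powershell
# Added example, not Check Point code: reproduces the Anti-Ransomware backup
# exclusion list from the SK article and tests a path against it.
$ArBackupExclusions = @(
    '%SystemRoot%',
    '%USERPROFILE%\AppData',
    '%ProgramData%',
    '%ProgramW6432%',
    '%ProgramFiles(x86)%',
    '%ProgramFiles%',
    '%SystemDrive%\$Recycle.Bin',
    '%SystemDrive%\Windows.old',
    '%SystemDrive%\$windows.~BT',
    '%SystemDrive%\$windows.~WS'
)

function Test-ArBackupExcluded {
    # Returns an object stating whether $Path is inside one of the excluded
    # directories (and therefore not backed up) and which rule matched.
    param([Parameter(Mandatory)][string]$Path)

    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
    foreach ($pattern in $ArBackupExclusions) {
        $expanded = [Environment]::ExpandEnvironmentVariables($pattern)
        # An undefined variable is left unexpanded; such a rule cannot apply here.
        if ($expanded -eq $pattern -or [string]::IsNullOrWhiteSpace($expanded)) { continue }
        $root = [System.IO.Path]::GetFullPath($expanded).TrimEnd('\')
        # Match the directory itself or anything beneath it, case-insensitively,
        # and require the separator so that C:\Windows does not match C:\WindowsApps.
        if ($full.Equals($root, 'OrdinalIgnoreCase') -or
            $full.StartsWith($root + '\', 'OrdinalIgnoreCase')) {
            return [pscustomobject]@{ Path = $Path; Excluded = $true; MatchedRule = $pattern }
        }
    }
    [pscustomobject]@{ Path = $Path; Excluded = $false; MatchedRule = $null }
}

# Constructed sample paths (they do not need to exist); the expected outcome is
# noted beside each one.
$samples = @(
    "$env:USERPROFILE\Documents\budget.xlsx",         # user data: backed up
    "$env:USERPROFILE\AppData\Roaming\app\cache.dat", # under AppData: excluded
    "$env:ProgramData\SomeVendor\config.db",          # ProgramData: excluded
    "$env:SystemRoot\Temp\dropper.tmp",               # SystemRoot: excluded
    'D:\Projects\notes.txt'                           # other volume: backed up
)
$samples | ForEach-Object { Test-ArBackupExcluded -Path $_ } | Format-Table -AutoSize
```

Paths reported as Excluded = False are the ones the Anti-Ransomware backup covers; anything under an excluded directory must be protected by the normal backup regime instead, which is the practical point of the "user data only" policy above.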

Best-practice Recommendations / Procedures


Troubleshooting


Troubleshooting Tools

Push Operations

  • Select Push Operations from the "Users and Computers" tab, or from the "Reporting" tab.





  • SandBlast Agent Forensics Remediation and Anti-Ransomware:
    • Analyze threat by URL
    • Analyze by Process or File



  • Push operations for Client Settings:

    • Shutdown
    • Restart
    • Collect Logs
    • Repair Client


File Locations

  • DBStore location: %programdata%\CheckPoint\DBStore
  • Events Store Location: %programdata%\CheckPoint\DBStore\Events
  • Binaries location: C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR
  • Backup location: <volume>\SandBlastBackup

Health Check

  • Verify that the forensics services are running:
    • sc query CPEFR
    • sc query RemediationService
  • Verify that the additional drivers and monitors are running:
    • sc query EPNETFLT – network driver for traffic interception
    • sc query CPEPMON – driver used to monitor file system activity
    • sc query EPREGFLT – driver used to monitor registry activity
    • sc query CPBAK – driver used for backup
    • sc query ISWKL – injection monitor
  • Debug logs:
    • C:\ProgramData\CheckPoint\Logs\EFRService.log
    • There are additional logs, one for every monitor, in the same folder.
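The health check above can be run in one pass. The following PowerShell script is an added example, not part of the SK article or of the product: it queries each service and driver named above with "sc query <name>" (kernel drivers are not returned by Get-Service, so the script parses the STATE line of the sc output instead), confirms that the file locations listed under File Locations exist, compares the size of EFR.db with the 1 GB default and 4 GB maximum from the Fundamental Functionality section, looks for the SandBlastBackup folder on every fixed drive letter, and prints the tail of EFRService.log. Service names, paths and size limits are taken from the article; the Check/Status/Detail layout is the script's own.

```powershell
# Added example, not Check Point code: automated SandBlast Agent health check.
$Components = @(
    @{ Name = 'CPEFR';              Role = 'Forensics service' },
    @{ Name = 'RemediationService'; Role = 'Remediation service' },
    @{ Name = 'EPNETFLT';           Role = 'network driver for traffic interception' },
    @{ Name = 'CPEPMON';            Role = 'file system activity monitor' },
    @{ Name = 'EPREGFLT';           Role = 'registry activity monitor' },
    @{ Name = 'CPBAK';              Role = 'backup driver' },
    @{ Name = 'ISWKL';              Role = 'injection monitor' }
)

function Get-ScState {
    # Returns the state word from "sc query <name>" (RUNNING, STOPPED, ...),
    # or NOT_FOUND when the service control manager does not know the name.
    param([string]$Name)
    $out  = & sc.exe query $Name 2>&1
    $line = $out | Where-Object { "$_" -match '^\s*STATE\s*:' } | Select-Object -First 1
    if (-not $line) { return 'NOT_FOUND' }
    if ("$line" -match 'STATE\s*:\s*\d+\s+(\S+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function New-Check {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'CHECK' }); Detail = $Detail }
}

function Get-SandBlastAgentHealth {
    # Services and drivers listed in the Health Check section
    foreach ($c in $Components) {
        $state = Get-ScState $c.Name
        New-Check -Check "$($c.Name) ($($c.Role))" -Ok ($state -eq 'RUNNING') -Detail $state
    }

    # File locations listed in the File Locations section
    $paths = [ordered]@{
        'DBStore'      = "$env:ProgramData\CheckPoint\DBStore"
        'Events store' = "$env:ProgramData\CheckPoint\DBStore\Events"
        'Quarantine'   = "$env:ProgramData\CheckPoint\Endpoint Security\Remediation\Quarantine"
        'Binaries'     = "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Security\EFR"
    }
    foreach ($name in $paths.Keys) {
        New-Check -Check $name -Ok (Test-Path -LiteralPath $paths[$name]) -Detail $paths[$name]
    }

    # Forensics DB size against the 1 GB default and the 4 GB maximum
    $db = "$env:ProgramData\CheckPoint\DBStore\EFR.db"
    if (Test-Path -LiteralPath $db) {
        $gb = [math]::Round((Get-Item -LiteralPath $db).Length / 1GB, 2)
        New-Check -Check 'EFR.db size' -Ok ($gb -le 4) -Detail "$gb GB (default 1 GB, maximum 4 GB)"
    } else {
        New-Check -Check 'EFR.db' -Ok $false -Detail "$db not found"
    }

    # SandBlastBackup folder in the root of every logical drive (drive letters only)
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' })) {
        $b = Join-Path $drive.Root 'SandBlastBackup'
        New-Check -Check "Backup folder on $($drive.Name):" -Ok (Test-Path -LiteralPath $b) -Detail $b
    }
}

Get-SandBlastAgentHealth | Format-Table -AutoSize

# Last lines of the service debug log; the per-monitor logs live beside it.
$log = "$env:ProgramData\CheckPoint\Logs\EFRService.log"
if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 20 }
```

A CHECK status on a driver row means the driver is not in the RUNNING state on this host; a CHECK on a backup-folder row is only a finding if the drive holds user data that should be protected, since the folder is created when there is something to back up.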

Modules Troubleshooting Log Files

  • Modules troubleshooting log files are stored under C:\ProgramData\CheckPoint\Logs


An internal application does not behave as expected after installing SandBlast Agent

Besides monitoring operations, the Forensics drivers take part in attack detection, so the legitimate behavior of an internal application can be classified as suspicious and interrupted by one of them. To determine which driver is interrupting the application, stop the drivers one at a time and retest the application after each stop, and capture the driver operations with a trace log tool while the problem reproduces.
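The stop-one-at-a-time procedure can be scripted so that no driver is left stopped by accident. The following PowerShell is an added example, not part of the SK article or of the product: it walks the driver list from the Health Check section, stops each driver in turn, waits for you to retest the application, and restarts the driver before moving on; a driver that refuses the stop request is reported and left running. Run it only on a test machine, in an elevated PowerShell session, because the endpoint is not fully monitored while a driver is stopped. The driver names are the article's; the application name is just a label for the prompt.

```powershell
# Added example, not Check Point code: isolate the Forensics driver that
# interferes with an internal application by stopping drivers one at a time.
$ForensicsDrivers = 'EPNETFLT', 'CPEPMON', 'EPREGFLT', 'CPBAK', 'ISWKL'

function Test-DriverRunning {
    # True when "sc query <name>" reports the RUNNING state for the driver.
    param([string]$Name)
    [bool](& sc.exe query $Name 2>&1 | Select-String -Pattern '^\s*STATE\s*:.*\bRUNNING\b' -Quiet)
}

function Invoke-DriverIsolation {
    param(
        [string[]]$Drivers = $ForensicsDrivers,
        [string]$ApplicationName = 'the internal application'
    )
    foreach ($d in $Drivers) {
        if (-not (Test-DriverRunning $d)) { "$d is not running; skipping"; continue }

        & sc.exe stop $d | Out-Null
        Start-Sleep -Seconds 3
        if (Test-DriverRunning $d) { "$d did not accept the stop request; skipping"; continue }

        Read-Host "$d is stopped. Retest $ApplicationName, then press Enter to restart $d" | Out-Null

        & sc.exe start $d | Out-Null
        Start-Sleep -Seconds 3
        if (Test-DriverRunning $d) {
            "$d restarted"
        } else {
            "WARNING: $d did not restart; run 'sc start $d' or reboot before leaving this machine"
        }
    }
}

# The driver that was stopped when the application started behaving normally is
# the one to report, together with a trace log captured while it was running.
Invoke-DriverIsolation
```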
