Collect Logs push operations - upload logs and debug information automatically to an FTP server.
Support for BitLocker encryption with Full Disk Encryption.
Support for external Certificate Authority certificates for Endpoint Security Client authentication and communication with the Endpoint Security Management Server.
Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
Policy can now control the level of notifications to end users.
Randomizes the Malware scan time to make sure that not all computers do a scan at the same time. This makes sure that network performance is not affected by many simultaneous scans.
Uninstalls Endpoint Security Clients using a Challenge-Response process.
Gaia Backup includes Endpoint Management components.
All client-server communication use HTTPS.
Endpoint Security Clients can connect to the Endpoint Security Management Server using FQDN in addition to the IP Address.
Enterprise Endpoint Security E84.20 Windows Clients is now available. It introduces new features such as, Remote Installation of Initial Client, Citrix VDI (Virtual Desktop Infrastructure), new "Isolated" mode that isolates the computer from the outside world, Adds an option to switch the language of the VPN standalone client user interface to the Windows locale. There are also many other features and enhancements under various categories.
Enterprise Endpoint Security E84.10 Windows Clients is now available. It introduces new features such as, Threat Hunting, an investigative tool to collect all events from endpoints and provides Security administrators with multiple manual remediation options such as Quarantine, KillProcess and Forensics Analysis with remediation. Anti-Malware can download signatures from an authenticated NTLM proxy with a logged in user's credentials and can also work in "Detect only" mode. There are also many other features and enhancements under various categories.
Enterprise Endpoint Security E83.30 Windows Clients is now available. It introduces enhancements under various categories, such as Anti-Malware, Anti-Ransomware, Firewall and Application Control and Infrastructure.
Enterprise Endpoint Security E83.20 Windows Clients is now available. It introduces new features such as, SandBlast Agent Browser Extension support for the Microsoft Edge (Chromium) browser, Detection of malicious LNK (Windows Shortcut) files, Content view in the Forensics report, and "Pass The Hash" detection. In addition, the Full Disk Encryption pre-boot has a modernized look and feel along with updates to the color-theme and background images. There are also many other features and enhancements under various categories.
Check Point Endpoint Security E83.20 macOS Clients is now available. It adds support for additional VPN features, such as Multiple Authentication Factors, Multiple Entry Point (Implicit mode) and Secondary Connect. In addition, it adds support for Anti-Malware Contextual scan.
Check Point Endpoint Security E83.11 Windows Clients is now available. This version adds protection for a critical DNS vulnerability released today - CVE-2020-1350. This is a vulnerability in the Windows DNS server affecting Windows Server versions 2003 to 2019, and can grant Domain Administrator rights, effectively compromising the entire corporate infrastructure. SandBlast Agent is the only endpoint which provides protection against this threat.
Check Point Endpoint Security E83.10 Windows Clients is now available. It supports VMware Horizon VDI (Virtual Desktop Infrastructure), persistent and non-persistent. See the Endpoint Security VDI E83.10 Administration Guide. It also introduces a new feature that adds a SandBlast Agent Chrome Browser Extension with URL Filtering capabilities. The feature is available for SandBlast Agent Web Management users. (It is In Early Availability mode for Chrome users.) There are also many other features and enhancements under various categories.
Check Point Endpoint Security E83.00 Windows Clients is now available. It introduces a new feature in SandBlast Agent that uses ssdeep-computed Fuzzy Hashing to detect and block malicious files. There are also many other features and enhancements under various categories.
Check Point Endpoint Security E82.55 Windows Clients is now available. This release resolves an issue that prevents machines from connecting to the Endpoint Security Server when the Domain Controller is not reachable.
Check Point Endpoint Security E82.50 Windows Clients is now available. E82.50 introduced a new package type (Dynamic) to be downloaded. Dynamic Package with R80.40 can reduce network traffic significantly during existing client upgrades. VMware Horizon Non-Persistent VDI is now in Early Availability. Application Control includes a new feature for developer protection that prevents leakage of sensitive information and the use of vulnerable packages. Behavioral Guard now protects against Credential Dumping. Forensics can now report the URL for the file source when the SandBlast Agent Browser Extension is active. Machine type, roles and features now show in the Forensics report. There are also many other features and enhancements under various categories.
Check Point Endpoint Security E82.40 Windows Clients is now available. E82.40 adds a new protection in Static Analysis against CVE-2020-0601, Behavioral Guard now detects Windows-reported CVEs to generate a log and Forensic Analysis, Meterpreter Reverse Shell detections and new injection detections including Process Hollowing are now active by default. There are also many other features and enhancements under various categories.
Check Point Endpoint Security E82.10 Windows Clients is now available. E82.10 adds support for Endpoint on Windows 10 19H2 (v1909), as well as many other features and enhancements under various categories, such as Compliance, Anti-Malware, Anti-Ransomware, Behavioral Guard and Forensics, Media Encryption and Port Protection, Full Disk Encryption and Firewall and Application Control.
R80.20.M1 and higher can manage E80.64 and higher Endpoint Security Clients.
Anti-Malware signature updates:
To allow Endpoint clients to get Anti-Malware signature updates from a cleanly installed R80.20 Primary Endpoint Security Management Server, or cleanly installed R80.20 Endpoint Policy Server, you must follow sk127074. No additional steps are required, if you upgraded the Primary Endpoint Security Management Server to R80.20.
Endpoint Security Clients can still acquire their Anti-Malware signature updates directly from an external Check Point signature server, or other external Anti-Malware signature resources, if your organization's Endpoint Anti-Malware policy allows it.
Cloud & Web Management for SandBlast Agent
Main key features:
Hosted on Amazon Web Services (AWS), secured by Check Point.
Use the SandBlast Agent Management Platform, to manage your Threat Prevention capabilities.
Low latency by using USA or Europe AWS regions.
Simple, easy and quick creation of a new tenant management environment.
No installations and no pre-requisite required, everything is accessible through your browser.
Fully managed service by Check Point, removes the overhead of managing and maintaining the management server.
Clients communicate with the Management Server over HTTP/HTTPs.
The Endpoint Management architecture works in a "star" scheme to support large-scale environments.
The central "brain" of the system is the "Management Server" and the delegate servers are named "Policy Servers".
Each Management Server can support a maximum of ~10,000 endpoints. Multiple Policy Servers can be chained to support a management of up to 400,000 devices from a single environment.
The environment supports unified log reporting through SmartLog.
Check Point Endpoint Security clients protect all of your Windows and Mac workstations, including laptops, Desktops, and Windows Servers.
Check Point takes part in various OS manufactures' development processes and we start the support of new versions when vendors release development builds.
We are committed to offer early availability clients within 3 weeks of OS GA and to announce GA within 2 months of OS GA, however in practice we are delivering much faster. See sk115192 for OS support timeline.
The packages provided below are Legacy CLI packages (not CPUSE packages).
Clean installation and In-Place Upgrade
Before installing the hotfixes, you need R77.30 to be installed and to update CPUSE Agent (sk92449) to the latest build. (Endpoint Security Servers are only supported on Gaia.)
You must install the R77.30 Jumbo Hotfix for Endpoint Security Server before you install the Endpoint Security Server Package for Gaia OS.
Order of Installation
Package
Link
1
R77.30 Jumbo Hotfix for Endpoint Security
(TGZ)
2
R77.30.02 Endpoint Security Server Package for Gaia OS
(TGZ)
Management Console Downloads
The SmartConsole for Endpoint Security Server allows the Administrator to connect to the Endpoint Security Server and to manage the new Endpoint Security Software Blades.
Latest Version (R77.30.02)
Endpoint Security Server
Package
Link
R77.30.02
SmartConsole for Endpoint Security Server R77.30.02 / E80.64
(EXE)
Previous Versions
Endpoint Security Server
Package
Link
R77.30.01
SmartConsole for Endpoint Security Server R77.30.01 / E80.64
(EXE)
R77.30
SmartConsole for Endpoint Security Server R77.30 / E80.64
Note: The packages provided below are Legacy CLI packages (not CPUSE packages).
Platform
Package
Link
Gaia
R77.30.01 HFA1 Check Point Endpoint Security Server Hotfix for Gaia OS
(TGZ)
Windows
R77.30.01 HFA1 Check Point Endpoint Security Server Hotfix for Windows OS
(TGZ)
Important: It is strongly recommended to apply the Gaia server hotfix provided in sk112099.
Installation
The R77.30.01 HFA1 Endpoint Security Server is based on the R77.30 Management Server and must be installed on the R77.30 Management Server. It has all the supported capabilities of a standard Check Point R77.30 Management Server.
The following upgrades are supported:
In place upgrade from R77.30
In place upgrade from R77.30.01
Advanced upgrade from R77.20.01
Note: Other upgrades paths or methods are not supported
Installing R77.30.01 HFA1 together with the R77.30 Jumbo Hotfix Accumulator is not supported. All existing security fixes are integrated into R77.30.01 HFA1.
For installation and upgrade instructions, use the procedures in the relevant guide:
The R77.30.01 HFA1 Endpoint Security Management Server can be activated only on a management-only machine (Standalone machine is not supported, i.e., Gateway + Management)
The R77.30.01 HFA1 Endpoint Security Server can manage Endpoint Security Clients E80.40 and higher.
Management Console Downloads
The SmartConsole for Endpoint Security Server allows the Administrator to connect to the Endpoint Security Server and to manage the new Endpoint Security Software Blades.
Platform
Package
Link
Windows
SmartConsole for Endpoint Security Server R77.30.01 HFA1
(EXE)
SmartConsole for Endpoint Security Server E80.62 / R77.20
(EXE)
SmartConsole for Endpoint Security Server E80.62 / R77.30
Note: The packages provided below are Legacy CLI packages (not CPUSE packages).
Platform
Package
Link
Gaia
R77.20.01 Check Point Endpoint Security Server HF for Gaia OS (TGZ)
(TGZ)
Windows
R77.20.01 Check Point Endpoint Security Server HF for Windows OS (TGZ)
(TGZ)
Installation
The R77.20.01 Endpoint Security Server is based on the R77.20 Management Server and must be installed on the R77.20 Management Server. It has all the supported capabilities of a standard Check Point R77.20 Management Server.
For installation and upgrade instructions, use the procedures in the relevant guide:
For upgrades to R77.20.01, only Advanced Upgrade procedures are supported.
The R77.20.01 Endpoint Security Management Server can be activated only on a management-only machine. (Not on a standalone machine, i.e. Gateway + Management)
The R77.20.01 Endpoint Security Server can manage E80.40 and higher Endpoint Security clients.
Management Console Downloads
The SmartConsole for Endpoint Security Server allows the Administrator to connect to the Endpoint Security Server and to manage the new Endpoint Security Software Blades.
Package
Link
R77.20.01 SmartConsole for Endpoint Security Server
In Endpoint Security Client E83.30 and higher, you can now install the Initial Client remotely without third party tools. See the SandBlast Agent Administration Guide for more information.
Virtual Desktop Infrastructure
Endpoint Security now supports Citrix VDI (Virtual Desktop Infrastructure) for persistent and non-persistent virtual machines. See sk167072.
Firewall and Application Control
Endpoint Security Client supports a new "Isolated" mode that isolates the computer from the outside world. See sk169758.
The Application Control blade can now choose to terminate applications on execution through policy. See sk141692.
VPN
Adds an option to switch the language of the user interface to the Windows locale. See sk75221 for configuration information
The option only affects standalone clients.
The installation process sets the language of the Endpoint Security full suite and the user cannot change it after the installation.
Adds the ability to withhold the name of the last VPN user. See sk75221 for configuration information.
Media Encryption and Port Protection
A new file audit log value contains the sha256 file checksum for written files on removable medias.
Infrastructure
The Endpoint Security Client now includes the Greek language.
Enhancements
Anti-Malware
Resolves an issue where the Anti-Malware engine delays its start for a few seconds after the application of a new policy.
Threat Hunting
Introduces the ability to isolate a machine through the Threat Hunting interface.
Fixes a rare issue with the Threat Hunting batch size where large batches block all data reporting until the next reboot.
Threat Emulation and Anti-Exploit
Anti-Exploit now blocks the actively exploited vulnerability CVE-2020-17087.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue that can cause a delay for an Anti-Ransomware detection when a specific Windows process is active.
Reduces false positives in Anti-Ransomware with improvements to the thresholds for detecting mass encryption.
Improves performance for a hard-coded Anti-Ransomware feature with a move to Behavioral Guard. Rule updatability and exclusions for this feature are now possible in Behavioral Guard.
Anti-Ransomware exclusions now support environment variables.
Improves the Credential Dumping detection technique to reduce False Positives.
In Server environments, Forensics no longer delete files created by Windows processes that may do a lot of file processing.
Fixes a rare issue where Forensics drivers do not enforce exclusions. Forensics now enforces exclusions in user mode to handle these rare scenarios.
Fixes an issue where the Forensics Analysis fails to add a process to the incident model.
Fixes an issue which causes high CPU usage while Forensics purges older database data.
Windows scripts processes such as PowerShell.exe and wscript.exe are now "Suspicious" in Forensics Analysis. Remediation settings for "Suspicious" processes now apply.
Firewall and Application Control
Resolves a rare issue where the Firewall and Application Control process consumes high CPU on a blade startup.
Resolves a rare issue where the Firewall blade still blocks IPv6 traffic after the user stops network protection.
Full Disk Encryption
Fixes the issue where there is an unapplied preboot bypass configuration during the Operating System upgrade.
Fixes an incompatibility with the Google Drive File Stream where the EPS client can not install, upgrade or delete with the FDE blade.
Fixes the stretched screen in preboot on certain machines.
Fixes a rare scenario where Self Encrypting Disks are stuck on 0% encryption.
Fixes an issue with Smart Card single sign-on.
URL Filtering
URL Filtering now supports Mozilla Firefox along with the Chrome and Edge-Chromium browsers.
Installation
Resolves a rare issue where the Anti-Malware and Firewall blades do not unregister "Windows Security Center" correctly in Endpoint client uninstalls.
Resolves a rare issue in the Software deployment process where the package downloads while it already resides on the disk.
Resolves a rare issue where an Endpoint Security Client upgrade fails due to an Anti-Malware upgrade failure.
Resolves an issue where a command line window pops ups for a few seconds in the Anti-Malware uninstallation process.
Resolves a rare issue where an Endpoint Security component (cpda.exe) silently crashes as it tries to gather information from the installation file.
CVE-2020-6021: Resolves an issue in Check Point Endpoint Security Client for Windows prior to version E84.20 where users have write access to the directory where the installation repair occurs. Since the MS Installer allows regular users to run the repair, an attacker prior to E84.20 can initiate the installation repair and place a specially crafted DLL in the repair folder which runs with the Endpoint Security Client’s privileges.
Infrastructure
Resolves a rare issue where an Endpoint Security component (cpda.exe) crashes during the Endpoint Security Client upgrade process.
Resolves a rare issue where the Windows Security Center does not recognize Anti-Malware and Firewall blades correctly.
Support for the Endpoint Security Clients on macOS Big Sur (11).
Machine Authentication for the VPN client. It allows to perform VPN authentication with a machine certificate from the system keychain of the macOS. Machine Authentication works in user and machine authentication mode, which is a combination of a machine certificate and the selected user authentication method.
Enhancements
This release includes stability, quality and performance fixes.
The E84.10 release introduces Threat Hunting, an investigative tool to collect all events from endpoints. This allows an Endpoint Security administrator to get the full scope of an attack, or to uncover stealth attacks. Threat Hunting also provides Security administrators with multiple manual remediation options, such as Quarantine, KillProcess and Forensics Analysis with remediation. Threat Hunting on-boarding instructions are available in sk170052
Anti-Malware
Anti-Malware can download signatures from an authenticated NTLM proxy with a logged in user's credentials.
The Anti-malware blade can now work in "Detect only" mode. See sk169753.
VPN
The E84.10 release adds the ability to display relevant certificates only during user authentication. See sk169453.
Adds the ability to disable client shutdowns through the Windows tray icon menu. See sk75221.
Adds the ability to define the site display name when you create a new VPN site with the trac.exe command line utility.
Infrastructure
Endpoint Security can now connect to the Management server from an authenticated NTLM proxy with a logged in user's credentials.
Enhancements
Anti-Malware
Resolves a possible issue where Anti-Malware and UI processes crash during a machine shutdown.
Resolves a possible issue where the current Anti-Malware process crashes as Endpoint Security Client upgrades.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes a Local Privilege Escalation vulnerability that relates to the Anti-Ransomware file restoration process.
Fixes a vulnerability that can allow arbitrary file deletions when files restore in Anti-Ransomware.
Fixes a very rare issue that can cause an upgrade to fail when it does not delete Anti-Ransomware related files.
Fixes an Anti-Ransomware False Positive from a Java installation.
Fixes an issue where only the first trigger information was correct among multiple LNK file related triggers in Behavioral Guard.
Reduces the likelihood that Forensics quarantines user documents and files from False Positives on Windows Servers.
Fixes a rare issue that can cause permanent high CPU usage while Forensics monitors specific API calls.
Fixes a rare race condition that can cause Forensics to use the default policy instead of the latest installed policy.
Fixes a crash that can occur in injected processes if Forensics receives multiple monitored API events within a short period of time.
Forensics can now parse and process Spanish Symantec triggers.
Full Disk Encryption
Allows BitLocker Management to install on hardware RAID disks.
Adds the ability to use high resolution custom images in the FDE pre-boot.
Adds support for disk sectors larger than 512 bytes in FDE.
Installation
CVE-2020-6015: Resolves a denial of service vulnerability in releases before E84.10 to prevent the storage of service log files in non-standard locations. This is relevant to clean installs only. Customers with completed installations of Endpoint Security are not vulnerable.
Resolves a possible issue where a clean install with dynamic package fails due to a missing selected .NET framework.
Resolves a possible issue where the "Upgrade Time Change" popup does not appear after upgrades fail.
Resolves a possible issue where no lock icon displays in the system tray after Endpoint Security Client fails to upgrade.
Resolves a possible issue where some Anti-Malware driver leftovers remain after an Endpoint Security Client uninstall.
Resolves a possible issue where an Endpoint upgrade fails when it tries to remove an existing version of the product.
Resolves a possible issue where the Endpoint uninstall fails as it tries to upgrade itself with a software deployment rule.
Improves the upgrade performance for Forensics blade installations.
Infrastructure
Endpoint Security Client now ensures that blade logs and additional information go to the same policy server.
Resolves an issue where the Shutdown command does not execute from SmartEndpoint if a user on a client system does not have permission to perform a shutdown.
SandBlast Agent Browser Extension now supports the Microsoft Edge (Chromium) browser The SandBlast Agent Edge (Chromium) extension supports all the functionality the SandBlast Agent Chrome extension supports:
URL Filtering (for Web Management users only)
File Download Protection
Credential Theft protection including Zero-Phishing and Corporate-password-reuse protection
The Edge (Chromium) extension installs automatically when you install the SandBlast Agent, or upgrade to the Endpoint Security Client E83.20 version.
Detection of malicious LNK (Windows Shortcut) files
Behavioral Guard now analyzes the target of LNK files to determine if the file is malicious.
Forensics Analysis now determines if the start of an attack is from an LNK file.
Forensics Reports show the targets of all LNK files in an incident.
Content view in the Forensics report
Available from the Incident Details menu
Shows all LNK targets in the incident
Shows all AMSI content in the incident
"Pass The Hash" detection
Behavioral Guard now recognizes the "Pass The Hash" attempts.
Full Disk Encryption
The Full Disk Encryption pre-boot has a modernized look and feel along with updates to the color-theme and background images.
Enhancements
Anti-Malware
Fixes an issue where Anti-Malware status reports to the Windows Security Center do not work, if there are errors, or if the reports are disabled in the policy.
Resolves a possible issue where the Anti-Malware process crashes during the Endpoint Security Client upgrade.
Resolves an Anti-Malware signature update issue from an external server through a proxy.
Resolves an issue where no UserCheck message pops up and no log about the detection goes to the Endpoint Security Server when a JAR file is detected as malicious.
Anti-Ransomware, Behavioral Guard, and Forensics
Behavioral Guard now detects the Pass-The-Hash technique.
The Forensics service does not shut down and restart anymore during the Behavioral Guard Signature updates. The update process is faster as a result.
Adds new default exclusions to Anti-Ransomware to decrease the number of false positives.
Fixes an issue where Forensics can stop its responses if multiple triggers are in the queue, and the current analysis takes a long time to complete.
If the Forensics database does not contain a detected file or process, it now generates a minimal report with reputation.
If a detected URL is not in the Forensics database, Forensics now generates a minimal report with reputation.
Fixes a very rare issue of an infinite loop in Forensics.
Improves the Forensics performance as the result of decreased number of unnecessary registry operations.
If the reputation service is not available, the Forensic Analysis no longer treats unsigned processes as trusted processes.
Fixes a very rare issue in the termination of trusted processes that are part of a Forensics incident.
Fixes a rare issue where Forensics can lock up when it receives a new policy.
Fixes an issue where the Forensic Analysis fails when the trigger file has a short name.
Enhances Forensics analysis to identify attacks that start with Windows shortcut (LNK) files.
Adds a new screen to view all AMSI and LNK target content in an incident.
Fixes a Forensics report issue where a terminated process can appear in the "Already Terminated Processes" and "Terminated Processes" sections of the Remediation view.
The Remediation section of the Forensics report now mentions failures to access or use the remediation service.
Compliance
Resolves the client non-compliant state when the Windows Server Update Service (WSUS) compliance check configures regardless of the value set in the rule. See sk164060 for policy configuration details.
Media Encryption & Port Protection
Resolves an issue with the 3rd party backup application Veeam that fails to create a recovery media, if Media Encryption & Port Protection is installed.
Full Disk Encryption
Resolves the UseRec.exe crash when a recovery file contains users from several domains.
Installation
Resolves an issue after an upgrade, when the client UI language switches back to the default system language.
Resolves a rare issue where the Endpoint Security upgrade process does not complete because of a crash, but a new version registers.
Resolves a possible issue where the Endpoint Security Client upgrade fails with the error: "Wait for Install Helper process failed".
Resolves a possible issue where Endpoint Security Client upgrade fails with the error: "The paging file is too small for this operation".
Resolves a rare issue where Firewall policy is not set after an Endpoint Security Client upgrade.
Resolves a possible issue where the Endpoint Security Client upgrade fails with the error: "Changing configuration is not allowed, check the password".
Infrastructure
Endpoint Security Clients that are disconnected from the domain and use the same local SID can now connect to the management server as unique machines.
Resolves client registration issue where SmartEndpoint detects duplicates, when the client computer FQDN does not match the FQDN of its domain.
Optimizes the Endpoint Security processes monitor algorithm to decrease CPU consumption, when 3rd party Anti-Malware on-access scanners connect.
Introduces enhanced deployment capabilities for small fixes or patches with a new package type that installs changed files only.
Resolves CPDA.exe crashes where the Windows Management Instrumentation (WMI) service is disabled during a client upgrade.
Resolves the URL Filtering "waiting for policy" error after a client upgrade with the exported package, when the client is in the disconnected state.
Support for SandBlast Agent Chrome Browser Extension with URL Filtering capabilities. Note: The feature is available for SandBlast Agent Web Management users.
Support for additional VPN features:
Multiple Authentication Factors
Multiple Entry Point, Implicit mode
Secondary Connect
Enhancements
This release includes stability, quality and performance fixes.
This release prevents exploitation of CVE-2020-1350 on all Windows Server editions supported. Users who install or upgrade to this version are protected from potential attacks related to CVE-2020-1350.
Adds a SandBlast Agent Chrome Browser Extension with URL Filtering capabilities. Note: The feature is available for SandBlast Agent Web Management users. It is in Early Availability mode for Chrome users.
E83.10 shows a customized icon for encrypted drives.
Enhancements
Anti-Malware
Resolves an issue where an Anti-Malware scheduled scan occurs, even if it is not in the policy.
Resolves an Anti-Malware icon scaling issue.
Resolves a possible issue where the Anti-Malware process crashes as it shuts down.
Anti-Ransomware, Behavioral Guard and Forensics
Behavioral Guard now protects against the "Pass The Hash" technique for credential theft. Credential Dumping is new, as of the previous release.
Fixes an issue where Anti-Ransomware does not detect a potential attack when the user is not logged in.
Fixes Anti-Ransomware false positives due to user profile deletions.
Fixes multiple rare cases of false positives in Anti-Ransomware.
Fixes an issue where "out of memory" errors occur when the log lists a very large number of backups.
When you disable Anti-Ransomware, the backup driver no longer operates.
Improves performance as Forensics now stores fewer named objects, such as mutexes and events.
Improves the performance of Forensics, Behavioral Guard and Threat Hunting with enhancements to our Registry Operation exclusion algorithms that reduce the number of recorded registry operations.
Firewall and Application Control
Resolves client network issues after a Firewall driver uninstallation failure.
Resolves a rare issue where an added Firewall blade gets stuck in the "Initializing" state.
Resolves a possible upgrade issue where the Firewall blade does not start due to a WatchDog failure.
Resolves a rare issue where the Firewall policy is "Not Set" in the client after the policy download from the server.
Full Disk Encryption
Resolves a possible issue where the Disk Encryption process crashes during shutdown.
Media Encryption and Port Protection
Resolves a removable media icon blink issue for an encrypted partition when Media Scan is enabled.
VPN
Improves the work with non-UTF-8 applications. Users can toggle UTF-8 support.
Fixes active File Transfer Protocol (FTP) traffic blocks on a standalone VPN client with Firewall.
Includes stability and quality fixes. Supports all the features of previous releases.
Installation
Resolves a possible issue where uninstalling the Endpoint removes components that are necessary for other applications.
Resolves a possible issue where the uninstall fails after the user turns off "Network Protection".
Resolves a possible issue where the Endpoint Security Client does not run correctly after an operating system upgrade.
Resolves a rare issue where the client uninstall fails with Error 1921: "Service Check Point Endpoint Agent (CPDA) could not be stopped".
Resolves a rare issue where an upgrade that uses "Dynamic Package" continuously loops after a download fails to resume.
The pre-boot language selection choice is now correct after a language update in Windows.
Fixes an incompatibility issue with Sophos Antivirus, which could not install on a machine with Endpoint Security Client on it.
Infrastructure
Resolves a rare User Interface (UI) issue where a malware resolution is not shown to a user.
Resolves a client LogViewer issue, where it only shows log records that match the latest log schema.
On the Endpoint Security Client screen, the Overview list now shows "Anti-Bot and URL Filtering" instead of "Anti-Bot".
The client User Interface (UI) is no longer shown during manual upgrades.
Resolves URL infections report issues in the User Interface (UI) so that the infections records are not permanent in the client and server UIs.
Anti-Bot and URL Filtering policy now translates to all supported languages.
General
Improves the performance of the Endpoint Security core driver to reduce CPU consumption.
SandBlast Agent now uses ssdeep-computed Fuzzy Hashing to detect and block malicious files. This adds to the standard hash-based reputation check and to similarities through Static Analysis Machine Learning to improve SBA’s ability to catch polymorphic variants of known malware.
Enhancements
File Reputation, Static File Analysis and Threat Emulation
SandBlast Agent now checks the reputation of files based on their similarity to a known ssdeep hash.
Anti-Exploit
Fixes an issue where Anti-Exploit may not work immediately after an upgrade.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes a rare Forensics service crash that can occur when a client disconnects from the Management server.
Improves Forensics performance by not monitoring Windows Update operations
Improves Forensics, Behavioral Guard and Threat Hunting performance slightly by filtering out some sensor data from well known processes.
Fixes the re-creation of certain folders such as the document folder if the admin redirects them.
Policy can now disable Forensic Analysis for Anti-Ransomware and Behavioral Guard.
Fixes a rare issue where the Anti-Ransomware backup driver may not stop on upgrades.
Fixes an issue that can prevent an Anti-Ransomware file backup due to a specific sequence of file modification operations.
Improves the time to detection for Behavioral Guard and Anti-Ransomware rules by prioritizing active rules over rules being field-tested.
Windows Management Instrumentation (WMI) executions are now supported in Behavioral Guard rules.
Full Disk Encryption
Suspended BitLocker drives now display as unencrypted.
Now shows the Caps Lock notification in the pre-boot password change dialog.
Fixes a rare Full Disk Encryption pre-boot loop.
Media Encryption and Port Protection
Resolves an authorization issue, when the scan fails if there are files with long paths on the media.
VPN
Fixes an issue with privilege escalation vulnerability, where a regular user might be able to execute arbitrary code with system privileges.
Installation
Resolves a possible issue where an Anti-Malware blade addition that uses Dynamic Package results in Anti-Malware in an error state.
Resolves an issue where a command line window pops up briefly during the installation of an exported package.
Resolves a possible issue where a client upgrade fails if it happens during a signature update.
Resolves a possible issue where the client upgrade fails due to the Vsmon shutdown time being longer than expected.
Resolves a possible issue where an upgrade that uses Dynamic Package fails when the zip file extraction fails.
Infrastructure
Fixes an issue where the status of the client stays in "Deployment is in progress" although the deployment finishes successfully.
Fixes an issue where the tray icon of the Endpoint Security client is sometimes missing.
Resolves a possible issue where the client's failure to retrieve the SID does not show in the client UI.
Resolves an issue where the "Instprep.log" log file has no limit in size.
Resolves a possible issue where the reconnect tool doesn't restart the Device Agent service because of an incorrect certificate.
Resolves a possible issue where the client log viewer crashes.
The Anti-Bot blade is now "Anti-Bot and URL Filtering".
Resolves an issue where informative popups display although the policy for "Client User Interface Settings" is not set to "Show all notifications".
Dynamic Package is a new package type ready for download. Dynamic Package with R80.40 can reduce network traffic significantly during existing client upgrades. See "Deploying Endpoint Security Clients" in the R80.40 Endpoint Security Management Server Administration Guide.
VMware Horizon Non-Persistent VDI is now in Early Availability. Contact E81_EA@checkpoint.com for more information.
Application Control includes a new feature for developer protection that prevents leakage of sensitive information and the use of vulnerable packages. See sk165615 for details.
Behavioral Guard now protects against Credential Dumping.
Forensics can now report the URL for the file source, when the SandBlast Agent Browser Extension is active.
Machine type, roles and features now show in the Forensics report.
Enhancements
Infrastructure
Resolves an issue that prevents machines from connecting to the Endpoint Security Server when the Domain Controller is not reachable.
Resolves an issue, where the client may report logs incorrectly, if the username contains non-ANSI symbols.
Resolves a rare issue with policy corruption that may put some blades in non-running states.
Resolves an issue where the VPN client automatically reappears in Automatic Start, although it is disabled by the Task Manager.
Fixes the vulnerability to "RobinHood" (CVE-2018-19320).
Anti-Malware
Resolves a possible issue, where the server does not display the latest Anti-Malware signature version of the Endpoint Security clients.
Resolves an issue, where the policy state displays as "Unknown" in the client User Interface.
Anti-Exploit
Fixes a rare BSOD, related to Anti-Exploit infrastructure.
Anti-Ransomware, Behavioral Guard and Forensics
Reduces repeated logs for specific errors to improve Behavioral Guard performance.
Adds a default exclusion to prevent a known case of an Anti-Ransomware false positive.
Forensics and Anti-Exploit now correctly identify the latest versions of Microsoft Edge (based on Chromium) as a browser.
SandBlast Agent browser extensions now report the URLs used to download files to Forensics. This information now displays in the Entry Point view in the Forensics report, when it is present.
Fixes an issue where the Behavioral Guard log and the equivalent Forensics log show different levels of confidence.
Fixes a rare race condition that can override the current Forensics policy with the default policy.
Fixes an issue where Forensics generates "Analysis Failed" reports, when policy disables Forensics Analysis.
Fixes an issue that can cause DNS sensor information to be withheld from Forensics.
Fixes an issue in the Forensics report, where trigger processes incorrectly show as remotely executed by Windows Management Instrumentation (WMI).
The Overview screen Entry Point tool-tip now displays correctly for Windows Management Instrumentation (WMI) executions.
Adds the type of the machine to the General View of the Forensics Report. The type can be a desktop, a laptop, a Virtual Machine, or a server.
Machines Roles and Features, as defined by Windows, are now available in the General view of the Forensics Report.
The Reputation view in the Forensics report now has an option to select and copy Hashes, URLs and IPs.
Firewall and Application Control
Improves compatibility with 3rd-party VPN software.
Full Disk Encryption
The firmware logo wallpaper now shows, when Windows loads after the Full Disk Encryption pre-boot.
Fixes dual recovery file delivery on fresh installations, on UEFI machines.
Media Encryption and Port Protection
Resolves an issue, where allowed non-storage devices can show as blocked in SmartEndpoint Media Encryption and Port Protection reports.
Resolves an issue, where the user does not see an option to override company encryption policy to copy data from network shared folders.
Resolves an issue where the wrong authorization status shows in the Media Encryption UI.
Resolves a possible system freeze from corrupted settings of the Media Encryption blade.
Installation
Resolves an issue, where the Endpoint Security installation may fail after a miscalculation of the required disk space.
No longer displays a redundant user check pop-up on an installation retry.
Dynamic Package is a new package type ready for download. Dynamic Package with R80.40 can reduce network traffic significantly during existing client upgrades. See "Deploying Endpoint Security Clients" in the R80.40 Endpoint Security Management Server Administration Guide.
VMware Horizon Non-Persistent VDI is now in Early Availability. Contact E81_EA@checkpoint.com for more information.
Application Control includes a new feature for developer protection that prevents leakage of sensitive information and the use of vulnerable packages. See sk165615 for details.
Behavioral Guard now protects against Credential Dumping.
Forensics can now report the URL for the file source, when the SandBlast Agent Browser Extension is active.
Machine type, roles and features now show in the Forensics report.
Enhancements
Anti-Malware
Resolves a possible issue, where the server does not display the latest Anti-Malware signature version of the Endpoint Security clients.
Resolves an issue, where the policy state displays as "Unknown" in the client User Interface.
Anti-Exploit
Fixes a rare BSOD, related to Anti-Exploit infrastructure.
Anti-Ransomware, Behavioral Guard and Forensics
Reduces repeated logs for specific errors to improve Behavioral Guard performance.
Adds a default exclusion to prevent a known case of an Anti-Ransomware false positive.
Forensics and Anti-Exploit now correctly identify the latest versions of Microsoft Edge (based on Chromium) as a browser.
SandBlast Agent browser extensions now report the URLs used to download files to Forensics. This information now displays in the Entry Point view in the Forensics report, when it is present.
Fixes an issue where the Behavioral Guard log and the equivalent Forensics log show different levels of confidence.
Fixes a rare race condition that can override the current Forensics policy with the default policy.
Fixes an issue where Forensics generates "Analysis Failed" reports, when policy disables Forensics Analysis.
Fixes an issue that can cause DNS sensor information to be withheld from Forensics.
Fixes an issue in the Forensics report, where trigger processes incorrectly show as remotely executed by Windows Management Instrumentation (WMI).
The Overview screen Entry Point tool-tip now displays correctly for Windows Management Instrumentation (WMI) executions.
Adds the type of the machine to the General View of the Forensics Report. The type can be a desktop, a laptop, a Virtual Machine, or a server.
Machines Roles and Features, as defined by Windows, are now available in the General view of the Forensics Report.
The Reputation view in the Forensics report now has an option to select and copy Hashes, URLs and IPs.
Firewall and Application Control
Improves compatibility with 3rd-party VPN software.
Full Disk Encryption
The firmware logo wallpaper now shows, when Windows loads after the Full Disk Encryption pre-boot.
Fixes dual recovery file delivery on fresh installations, on UEFI machines.
Media Encryption and Port Protection
Resolves an issue, where allowed non-storage devices can show as blocked in SmartEndpoint Media Encryption and Port Protection reports.
Resolves an issue, where the user does not see an option to override company encryption policy to copy data from network shared folders.
Resolves an issue where the wrong authorization status shows in the Media Encryption UI.
Resolves a possible system freeze from corrupted settings of the Media Encryption blade.
Installation
Resolves an issue, where the Endpoint Security installation may fail after a miscalculation of the required disk space.
No longer displays a redundant user check pop-up on an installation retry.
Infrastructure
Resolves an issue, where the client may report logs incorrectly, if the username contains non-ANSI symbols.
Resolves a rare issue with policy corruption that may put some blades in non-running states.
Resolves an issue where the VPN client automatically reappears in Automatic Start, although it is disabled by the Task Manager.
Fixes the vulnerability to "RobinHood" (CVE-2018-19320).
Adds a new protection in Static Analysis against CVE-2020-0601. This prevents the use of spoofed ECC (Elliptic Curve Cryptography) certificates on malicious executables.
Behavioral Guard now detects Windows-reported CVEs to generate a log and Forensic Analysis. An example is CVE-2020.0601. This is different from the Static Analysis protection that is not dependent on Windows-reported CVEs.
Behavioral Guard Meterpreter Reverse Shell detections are now active, by default.
Behavioral Guard new injection detections including Process Hollowing are now active, by default.
Forensics can now identify starting points of attacks originating from lateral movement and Windows Management Instrumentation (WMI). Indirect execution on a single machine through WMI is now detected and followed in the Forensics Analysis.
Enhancements
Anti-Malware
Resolves the issue where an Anti-Malware infection event is not showing in SmartEndpoint Reporting, if special characters are in the path.
Resolves an issue where Anti-Malware reporting does not update in SmartEndpoint, after the infections list changes in the Anti-Malware blade.
Fixes an Anti-Malware system scan memory issue, when scanning files with alternate data streams.
Anti-Exploit
Fixes an issue that can cause the Anti-Exploit service to crash in x86 systems, after an upgrade.
Fixes a rare issue where the machine hangs during an upgrade (related to a driver that Anti-Exploit uses).
Fixes an issue where Anti-Exploit may not work immediately after an upgrade.
Anti-Bot
Anti-Bot detection status now updates to the server User Interface continuously for additions and removals from the client.
Behavioral Guard and Forensics
Improves performance slightly by removing unnecessary logs from Behavioral Guard.
Fixes an issue in the Forensics Log Card to report a trigger rather than the process of a trigger.
Fixes an issue with a Forensic crash in a Virtual Disk Infrastructure (VDI) environment.
Firewall and Application Control
Resolves a possible issue where the Firewall blade has the Initializing status after an upgrade due to some missing dll files.
Resolves a possible issue where registry parsing, while self protection is active, causes a BSOD.
Fixes the vsdatant.sys driver synchronization issue that causes a BSOD on driver unload.
Resolves the issue where Long Term Evolution (LTE) and Universal Mobile Telecommunication System (UMTS) devices are not recognized as wireless by the "Disconnect wireless connections when connected to the LAN" feature.
Full Disk Encryption
Resolves an incorrect report about the Full Disk Encryption blade not running during a Windows shutdown, when the Deployment Agent (CPDA) does not receive a shutdown notification.
Sets BCDBOOT as the default on fresh installs.
Fixes Unified Extensible Firmware Interface (UEFI) to use the customized image rebrandings of UEFI preboots.
No longer forces a reboot when the pre-boot bypass is off, by policy.
Media Encryption and Port Protection
Fixes and removes the requirement to install Visual Studio 2017 runtimes when running the Media Encryption offline utility "Access to Business Data". Note: The Mac offline utility now supports macOS Catalina (10.15).
VPN
Fixes an issue where the location inside the organization is not recognized properly.
Adds the detection of McAfee Security Endpoint v10.6 into Secure Configuration Verification (SCV).
Fixes an issue where the user is not able to use several question marks in the password.
Installer
Resolves a possible issue where the client upgrade fails, when the Anti-Malware blade cannot reach a database file, after an ungraceful process termination.
Resolves a sudden reboot, after a client upgrade finishes, before a custom countdown timer ends.
Resolves an issue where Installer terminates on machines with specific locales, if the user has a name with specific localized UTF-8 characters.
Resolves a possible issue where the installation fails, by waiting for a process from a previous installation to stop.
Increases the timeout value for Windows Installer (MSI) to wait for Full Disk Encryption to finish a deployment in offline mode.
Fixes the Full Disk Encryption uninstall, after a Windows 10 upgrade.
General
Fixes an issue with the Deployment Agent (CPDA). Now, it tries to resend the UpdateRegister message, when the machine has network configuration changes, if the message did not go through, during startup.
Resolves an issue where the "Disconnected Policy" is not defined, and appears in the display, when the client is connected.
Fixes the issue of duplicate user objects for the same user in Other Users / Computers.
Resolves an issue, where the Compliance blade no longer reflects the correct status of Microsoft Windows updates, after the Windows Server Update Services (WSUS) server is updated.
Firewall and Application Control
Resolves an issue, where Endpoint Security Firewall policy is not applied on the Endpoint Security Client, and shows as "Not Set" in UI, when Hotspot settings allow connections on any port.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue where backups and Anti-Ransomware detections are not occurring on files encrypted using EFS. Thanks to Amit Klein from SafeBreach for discovering the vulnerability.
Fixes a rare potential performance issue in Forensics related to file events.
Reduces the time to shut down Forensics during upgrades and updates.
Installation
Resolves a possible issue, where the client reports "Failed to download package", while the package is already downloaded, during an upgrade.
Resolves a possible issue, where the client's old version displays in Smart Endpoint, after a client upgrade.
The new detection engine "File Reputation" is now active as part of the Threat Emulation blade.
Scans files eligible for Threat Emulation upon creation.
Checks the file hash against the Check Point cloud reputation service and treats malicious files accordingly.
Considers Malware, Riskware and Adware with medium or high confidence as malicious.
Is an online service.
For more information, see Known Limitations.
Adds the ability to check for the latest updates on the client using an integration with Microsoft's Windows Server Update Services (WSUS). See sk164060.
Adds DNS connection information to the Tree and Tree-Timeline Views of the Forensics Report.
Mutexes and other named objects now appear in the Tree and Tree-Timeline Views of the Forensics Report.
Adds Full Disk Encryption Caps Lock notification to pre-boot.
Enhancements
Anti-Malware
Fixes an issue where the Anti-Malware process does not stop during an upgrade in Windows 19H1.
Resolves a rare crash of Anti-Malware that happens if Anti-Malware exits, while a system scan is active.
Media Encryption and Port Protection
Fixes internal scanner error during the authorization scan with McAfee VirusScan Enterprise.
Fixes an unexpected UserCheck message when no data is being written to a removable media.
Fixes the incorrect deployed package name in deployment reports.
Fixes Windows Autoplay feature interference on unmanaged machines, when the Access To Business Data window is opened behind the Windows Explorer.
Firewall and Application Control
Fixes an issue where Windows Subsystems for Linux (WSL) processes sometimes hang on network access.
Anti-Ransomware, Behavioral Guard and Forensics
Improves performance by eliminating unnecessary logging from the API sensor.
Improves performance by not logging repeating errors in third party AV logs, when used with Forensics.
Improves performance of the Forensics Report collection subsystem by not attempting to resend corrupted reports.
Fixes an issue that could prevent Anti-Ransomware backup operations.
Fixes an issue that prevents Anti-Ransomware restoration, in the case of a delete failure followed by a delete success.
Removing a Folder exclusion from Anti-Ransomware now correctly enforces backup and restorations for the folder.
Fixes a Behavioral Guard rule issue that can result in failures in non-English language detections.
Adds a new section for Incident Remediation applied policy in the Remediation section of the Forensics report. This now shows the effective Incident Remediation settings when the report is created.
Removes the duplicate line in the Forensics Log Card Description for when the report is not created.
Fixes an issue where the user does not show correctly in the Forensics Report.
Kaspersky Anti-Virus detections now correctly trigger Forensics.
Forensics now treats PowerShell_ISE.exe similarly to PowerShell.exe for the relevant Mitre ATT&CK™ techniques.
Remote Logon techniques now show as either External or Internal Remote Logon techniques in the Forensics Report.
Fixed an issue in which processes were terminated although they were excluded in policy.
Installation
Fixes an issue where a redundant reboot is required when installing Endpoint on a machine with the Media Encryption and Port Protection (MEPP) offline utility.
Fixes an issue where the installation process crashes, causing the upgrade to fail.
Fixes an issue where services are down after a client upgrade due to a WatchDog failure.
Resolves a rare issue, where the Compliance blade crashes during an upgrade when WatchDog restarts the new blade before the installer completed files cleanup.
General
Fixes an issue where the Daf-Server process crashes due to error in logging infrastructure.
Resolves a possible issue, where the client sometimes does not connect to the Endpoint Security Server, when a synchronous connection takes too long.
Fixes uninstall password mismatch issue for a never connected client.
Fixes an issue where 5 minutes after login, the user policy is changed into the default policy for a few seconds.
Fixes an issue where Check Point processes are assigned with insufficient privileges and suspended after client installation.
Fixes an issue where blades might appear as not running due to a failure in the Check Point Device Auxiliary Framework Service (IDAFServerHostService.exe) process.
Enables forcing TLS 1.2 only, in client-server communication.
VPN
Stability improvements.
Minor localization issues are fixed.
Fixes not displaying the login prompt, when a user roams from the internal to an external network.
SandBlast Agent for Browsers
When a form site is scanned by SandBlast Agent for Browsers Zero Phishing, the user now has the following options:
In case of detection as phishing site, the user can report the detection as a false positive.
In case of no detection (the page was verified as Bengin by Zero Phishing), the user can report the page as a Phishing site by clicking on the "report Phishing site" link in the extension pop up.
E82.10 adds support for Endpoint on Windows 10 19H2 (version 1909).
Enhancements
Compliance
Fixes an issue when the Compliance blade fails to detect the McAfee Endpoint Security running status, if no user is logged in.
Anti-Malware
Fixes an issue where the Endpoint Security client upgrade fails because the Anti-Malware process fails to unload.
Fixes an issue for sites blocked by Anti-Malware web protection.
Fixes an issue where Endpoint Security significantly slows the Kaspersky Endpoint Protection upgrade process.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue where symbolic links with Anti-Ransomware honeypot restoration may allow Denial of Service attacks.
Older Anti-Ransomware honeypots are now deleted on upgrades.
Fixes an issue where Anti-Ransomware honeypots are not created on newer locations like program data and app data, when upgrading from an earlier version of the product.
Fixes an Anti-Ransomware False Positive that can occur due to the VMware Horizon Persona Management application.
Improves performance of the injection sensor when many processes are launched in a short period of time.
Fixes an issue that may cause the Forensics Analysis to include benign processes when NVIDIA processes are launched prior to the Logon screen appearing.
Fixes an issue where the entire Forensic incident is not analyzed if it involves the use of NTFS Alternate Data Streams.
Fixes an issue where some IPv6 addresses are not correctly identified as internal IPs for the RDP Brute Force detection in Behavioral Guard.
Media Encryption and Port Protection
Fixes an issue where Media Encryption and Port Protection does not update the Offline Data Access utility on an encrypted removable media.
Full Disk Encryption
Fixes a rare issue where an FDE process crashes when switching from BitLocker Management to FDE.
VPN
Includes stability and quality fixes. Supports all the features of previous releases.
Improves the log mechanism. Logs will stay on the machine for a longer time.
Includes performance improvements with large scale topology.
General
The initial connection to the server does not require the Endpoint Security Client to be connected to the domain controller.
Fixes an issue for the Endpoint Security Client to report its name to display accurately in Deployment reports of SmartEndpoint.
Fixes a rare case of BSOD that may happen during an arbitrary process creation.
Support for the Endpoint Security Clients on macOS Catalina (10.15).
Enhancements
New User Interface aligned with the look and feel of the Windows product.
This release includes stability, quality and performance fixes.
The E82.00 Limited Availability release is focused on the support of macOS Catalina. Some of the blades have limited functionality, or are not supported. These blades will be available with full functionality for the E82.00 General Availability release planned for the end of the year.
Below are the unsupported blades in this release:
Media Encryption has limited functionality in this release. Refer to the Known Limitations section.
Threat Emulation is not supported.
Anti-Ransomware is not supported.
Capsule Docs is not supported.
The above blades and the new Forensic blade will be supported in the General Availability release of this software.
BitLocker Management Check Point Endpoint Security E82.00 Client introduces BitLocker Management as an option in the Full Disk Encryption Blade. BitLocker is an integrated part of Windows. The Check Point BitLocker Management feature uses the Endpoint Security Server, Client Agent and Management UI to manage BitLocker. BitLocker Management is Windows 10 only. See the BitLocker Management Administration Guide.
New Detection Techniques
Meterpreter / Reverse Shell Detection Behavioral Guard now supports enhanced behavioral detections of reverse shells. This detection is currently in silent and will be turned on via a remote update at a later stage.
RDP Brute Force Detections Behavioral Guard now supports RDP Brute Force detections. This detection is currently in silent and will be turned on via a remote update at a later stage.
VPN's Post Disconnect Feature The post disconnect script feature allows users to run scripts on client computers after disconnections from gateways. See the Revision History of the Remote Access for Windows Administration Guide.
Enhancements
Anti-Ransomware, Behavioral Guard and Forensics
Fixes a rare issue which causes Forensics to crash if there is corruption in the backup and restoration database.
Fixes an issue that results in the entire Forensics database being purged when the database size limit is reached.
Fixes an issue where Privilege Escalation is not determined for the start process in the Forensics Report.
Fixes an issue where the Bypass User Account Control Mitre ATT&CK technique is not determined accurately.
Firewall and Application Control
Fixes a rare issue where Firewall blade is not running after an upgrade.
Fixes a rare issue where arbitrary processes are suspended.
Capsule Docs
Enforcements to prevent screen captures are not implemented now because there are no practical needs for them.
Media Encryption and Port Protection
Resolves the "Unrecognized scan log format" message when scanning a removable media with McAfee 8.8 on the Japanese OS version.
Fixes a localization issue of Japanese text in the Offline Access tool.
Installation
Fixes the rejected client msi import in MS AD GPO deployment.
Informs the user to reboot the machine after Windows 10 OS upgrade from builds below 18000 instead of forcing the reboot.
General
Reconnects the server, if the Virtual Machine is cloned after connecting the server and assigned a new SID.
Fixes a rare issue where the cpda process crashes.
Fixes a rare issue where the client's connection status is incorrectly displayed as "connected".
Static File Analysis is a new prevention technology based on Machine Learning.
The technology inspects hundreds of static features on executables created on the endpoint and uses a machine learning model to deliver a verdict.
The technology has a high detection rate and an extremely low false-positive rate. It is fast and it can reach a verdict in a few tens of milliseconds.
The impact on performance is negligible.
Mitre ATT&CKTM Matrix is now supported in Forensics. After an incident has been analyzed, Mitre ATT&CK techniques and tactics are identified and shown in the report.
Overview screen now shows the ATT&CK matrix.
Dedicated ATT&CK matrix screen in Suspicious Events Menu.
Dedicated view for all events from a technique including a description of the technique taken from Mitre.
Mapping of some Suspicious events that are not categorized by Mitre into Mitre tactics.
Anti-Exploit is now detecting on DejaBlue CVEs (CVE-2019-1181) for Windows 10 machines.
DejaBlue represents a new set of Remote Code Execution exploits similar to that of BlueKeep.
Remote Desktop Protocol identification in Behavioral Guard and Forensics.
Forensic reports now highlight if an incident start can be traced to a user who was logged in remotely.
When available remote machine name and IP will also be shown in the General screen.
If the remote connection was made from inside or outside the network is also available in the Overview screen.
Privilege Escalation identification in Behavioral Guard and Forensics.
Forensic reports now highlight privilege escalation.
Process integrity levels have been added to the Process Security tab in the Incident Details view.
Injection identification in Behavioral Guard and Forensics.
Forensic reports now showcase and highlight injections that happen during an incident.
Multiple injection detection rules have been developed. These will be enabled via automatic update once enough telemetry is available.
Enhancements
Compliance
Improves the running status detection of Windows Defender.
Anti-Malware
Fixes Anti-Malware system scan error when scanning nested archives.
Anti-Bot
Reduces Anti-Bot's false positives significantly with better classification of the detections. This reduction does not affect Anti-Bot's detection rate.
Anti-Ransomware, Behavioral Guard and Forensics
Improves Behavioral Guard performance by optimizing log creation.
Anti-Ransomware backup exclusions that are removed from the policy are now being enforced correctly and do not require a reboot.
Turning Anti-Ransomware off and on now correctly creates the honeypot folders.
Honeypots deleted and in the recycle bin are no longer monitored by Anti-Ransomware.
Improves Forensic algorithm to find all executions of the identified execution root if it is not trusted. This ensures that all instances of a malicious process are detected.
Forensics Reports now highlight Mitre ATT&CKTM Tactics and Techniques. The Mitre ATT&CKTM matrix has its own screen and shows in the overview.
Injections are now monitored in the Forensic Report. These are the changes and enhancements:
The attack start is not a process that was injected into if the injecting process is also part of the incident.
The Incident Details Tree and Tree-Timeline views now show all injection links.
Processes injected into now show up after the process creation time of the process starting the injection.
Forensics now calculates Process Integrity levels. This allows us to see privilege escalation in Forensic Reports. The Process Security Tab in Incident Details shows the integrity level.
Forensics reports now show if the user who was connected at the start of an incident was connected remotely. In the case of RDP, the machine name and the IP shows as well.
Adds new Overview screen slider in to switch between Mitre ATT&CKTM, Network Map and Execution Tree screens.
Adds new default exclusions for taskhost.exe and taskhostw.exe to improve Forensics performance.
Suspicious events and Mitre ATT&CKTM techniques will no longer treat 'deleted file' events similar to 'create' and 'modification' events. This reduces the occurrence of miss-classified events or techniques.
The Incident Details screen now opens correctly in response to a click on the process tree in the Forensics Overview screen.
When the Forensic report is viewed in smaller resolutions, the MD5 value in the General screen may cut off. A new tool-tip was added to show the entire MD5.
Forensic reports no longer scale infinitely with the display size. The max width and height is now 2560 x 1600 pixels.
Process argument strings in Forensics reports are now encoded so that Anti-Malware does not detect on them.
Attempting to open a Forensics report prior to the analysis completion will now correctly show an in-progress page.
Media Encryption and Port Protection
Enables copying of Alternate Data Streams (ADS) over NTFS together with the original filename to a removable drive upon user consent.
Resolves Authorization scan error "Internal scanner error" when scanning a USB device with McAfee AV.
Fixes the code so that using wildcards for custom settings in device exceptions now accepts the wildcards in any position of the string.
Threat Emulation and Anti-Exploit
Improves Threat Emulation performance significantly. The number of I/O operations and the CPU consumption are greatly reduced.
Firewall and Application Control
Fixes a rare race condition that might result in a BSOD during process termination.
Updater
Fixes an issue when MSI upgrade logs are not collected on the Czech version of Windows.
Browser Extension
Browser extension logs for TAC requests are now included when the user creates regular CPInfo logs.
General
SandBlast Agent can now work in front of Private ThreatCloud instead of Checkpoint ThreatCloud. This is useful for customers who have isolated environments that do not connect to Checkpoint ThreatCloud.
Fixes a minor security issue with the SBA browser extension.
Anti-Malware
Fixes an issue with restore files from a quarantine operation via push operation on paths with non-English characters.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue in Forensics, where if a silent detection occurs prior to an active detection on the same process, the report is not generated for the active detection. This also affects the Anti-Ransomware UI screens.
Fixes an issue where exclusions based on a process with a rule name are not enforced in Behavioral Guard when the rule involves more than one process.
Fixes a very rare issue in Behavioral Guard that is related to an infinite loop.
Fixes an Anti-Ransomware false positive related to filehistory.exe.
Aligns the default local backup policy to the default Management backup policy for Anti-Ransomware.
Firewall and Application Control
Fixes an issue when the "Disconnect Wireless connection when connected by LAN" feature does not work on Windows 10 version 1903.
Fixes an uncommon issue where the installation fails to upgrade the firewall driver.
Fixes an issue when the installer fails to install VPN or Firewall due to reaching the maximum number of network filters on Window 8 and higher.
Install / Uninstall
CVE-2019-8461: Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user.
Fixes an issue with restore files from a quarantine operation via push operation on paths with non-English characters.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue in Forensics, where if a silent detection occurs prior to an active detection on the same process, the report is not generated for the active detection. This also affects the Anti-Ransomware UI screens.
Fixes an issue where exclusions based on a process with a rule name are not enforced in Behavioral Guard when the rule involves more than one process.
Fixes a very rare issue in Behavioral Guard that is related to an infinite loop.
Fixes an Anti-Ransomware false positive related to filehistory.exe.
Aligns the default local backup policy to the default Management backup policy for Anti-Ransomware.
Firewall and Application Control
Fixes an issue when the "Disconnect Wireless connection when connected by LAN" feature does not work on Windows 10 version 1903.
Fixes an uncommon issue where the installation fails to upgrade the firewall driver.
Fixes an issue when the installer fails to install VPN or Firewall due to reaching the maximum number of network filters on Window 8 and higher.
Install / Uninstall
CVE-2019-8461: Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user.
Performance improvements in Forensics, Behavioral Guard and Threat Emulation.
The Zero Phishing agent now uses a brand new Machine Learning model and the Check Point reputation service for up-to-date information on malicious phishing sites to improve detection rates.
Behavioral Guard now has the ability to prevent the execution of malicious scripts (PowerShell, for example). In earlier releases, Behavioral Guard detected and terminated the scripts after their execution.
VPN adds the ability to match the VPN user to the logged-in Windows user and display it in the username field of the connect dialog.
VPN adds the ability to disable implicit SDL when SDL is enabled.
VPN adds the ability to choose a customized Display Name when creating a site from a link.
VPN adds the ability to enable the Connect button before any response is written.
Enhancements
VPN
Fixes a rare crash that can occur when you send ICMP packets.
Includes stability and quality fixes. Supports all the features of previous releases.
Anti-Malware
Fixes an issue where no Anti-Malware logs show in the GUI under the Anti-Malware blade if a malicious file is quarantined after a manual Anti-Malware scan.
Threat Emulation and Anti-Exploit
30% reduction in I/O while monitoring files created on the system.
Fixes an Anti-Exploit issue that causes an instance of Chrome to crash occasionally with an "Aw, snap" message.
Anti-Ransomware, Behavioral Guard and Forensics
Files backed up by Anti-Ransomware can no longer be viewed by users who did not originally have access to the file.
Ransomware events first detected by Behavioral Guard are now treated like Anti-Ransomware detections, with the ability to restore modified files automatically.
Anti-Ransomware better recognizes older honeypots now and deletes them if they are not in use.
Fixes a false positive in Anti-Ransomware that involves runtimebroker.exe.
Fixes Anti-Ransomware false positives associated with user account deletions.
Anti-Ransomware is now much less likely to be triggered on file changes made over a very long period of time (days).
Improves Forensics performance with a drastic reduction in the number of Anti-Ransomware patterns that are no longer relevant.
Fixes an extremely rare infinite loop in Behavioral Guard.
Improves performance in Behavioral Guard by reducing the amount of local logs written.
Behavioral Guard now creates logs and sends them to Management.
Behavioral Guard now has the ability to block PowerShell attacks if the rule is set to prevent them. The scripts in such cases never execute.
Adds more behavioral detections that involve the use of Microsoft HTML Application (MSHTA).
Adds more default and dynamic exclusions to Forensics monitoring to improve performance.
Adds many new suspicious events in Forensics.
Improves the performance of user mode process certificate checks with the introduction of a caching system.
Fixes an issue where a certificate is mistakenly declared invalid in Forensics when the root certificate is not present. Processes using such certificates will no longer appear as unsigned.
Fixes a rare crash in Forensics where configuration settings for a Forensics sensor may be called before the sensor starts.
Fixes a potential, but rare, infinite loop in the Forensics Analysis.
Fixes an issue that causes a crash during Forensics Report creation that can occur if explorer is terminated.
Fixes an issue in the Forensics analysis that causes a Windows Management Instrumentation Command-Line Utility (WMIC) process that invokes another WMIC process to not appear in the execution tree.
Processes considered to be the "trigger" in Forensics can no longer be hidden when a large number of processes are involved in a Forensics incident.
Adds support for certain applications to be treated as Entry Point applications instead of appearing in the execution tree. This prevents automatic remediation of the application. The Lookeen application is an example.
Forensics now correctly shows that a file is already deleted when Anti-Malware quarantines the file.
Fixes an issue that occurs when a user name is not shown in a Forensics Report.
The Windows System process no longer appears in the list of remediation items, if it is involved in an incident, and it is not sent for remediation that would fail.
The Windows System process now always appears as trusted in the Forensics report.
Business Impact shown in the Forensics Report no longer contains files from Windows folders, as well as from the SandBlastBackup folder.
Media Encryption and Port Protection
Fixes issues with container size calculation, when encryption fails with "not enough space for encryption" error.
Media Encryption and Port Protection have performance improvements with Box Drive software.
Firewall and Application Control
Allows opening ranges of ports for hotspot registrations. See sk41586.
Fixes a rare issue where Endpoint crashes during an upgrade.
Application Control
Resolves a BSOD in vsdatant.sys during client upgrade.
Fixes an issue where the "Application Control" blade uses 100% of the CPU for a few seconds during boot time.
Infrastructure
SandBlast can now update quickly with new trusted signers to reduce the number of false positives across all the technologies.
Fixes an issue that causes expired root certificates to not be validated.
E81.10 adds support for Endpoint on Windows 10 19H1 (v1903). Anti-Malware users are only supported with a required server hotfix as seen in sk141033
When a file is determined as malicious by Threat Emulation, the TE report is in a new format. The report is now available from the Client UI and the SmartLog entry. The new format requires server versions shown in the "Management Requirements" section of the E81.10 Endpoint Security Client for Windows Release Notes.
This release adds a new authentication capability for VPN clients: Authentication with a CNG certificate.
This release introduces 32-bit and 64-bit download packages for the Threat Prevention Client. Important: The Threat Prevention package includes an initial set of Anti-Malware signatures. The complete set updates right after the client connects to the update server.
Anti-Exploit now protects against the Windows Remote Desktop Protocol (RDP) vulnerability, as defined in CVE-2019-0708.
Enhancements
Anti-Malware
Fixes an issue where using Anti-Malware in the "Windows Security Center" would suspend Anti-Malware.
Fixes an issue where an Anti-Malware scheduled scan does not start after waking the machine from sleep.
Fixes an issue where Endpoint upgrades from versions prior to 80.92 fail while the Anti-Malware scan is active.
Fixes an issue where Microsoft VPN and Direct Access do not work when the Anti-Malware blade is installed.
Improves security by using "protected process" support for Anti-Malware and firewall processes. This feature is the default when the client runs Windows 19H1, which requires a server hotfix for Anti-Malware users. For more information, see sk141033.
Threat Emulation and Anti-Exploit
Fixes a rare false positive with the Return Oriented Programming (ROP) detection in Anti-Exploit.
Anti-Exploit now protects against the Remote Desktop Protocol (RDP) vulnerability, as defined in CVE-2019-0708:
This represents a critical flaw found in the Remote Desktop Protocol of Windows allowing for either Remote Code Execution or Denial of Service attacks. Vulnerable systems protected by Anti-Exploit, include Windows 7 SP1 and Windows 2008R2. To learn more, see sk154232.
Note: Users who run SandBlast Agent with a third party Anti-Virus (AV) should be aware that Anti-Exploit is turned off in the presence of third party AVs. For this protection to be enabled, you must allow Anti-Exploit to work with third party AVs, as detailed in sk154454.
Anti-Ransomware, Behavioral Guard and Forensics
Anti-Ransomware Honeypots are now less likely to be skipped by certain ransomware families.
Reduces false positives in Anti-Ransomware, when using MS Office applications.
Fixes an issue so that the Backup and Restoration database does not grow beyond a certain limit.
Fixes an issue so that the Anti-Ransomware backup folder does not grow beyond a certain limit.
Anti-Ransomware now correctly backs up and restores for users who are explicitly named "temp".
Improves Forensics performance, when the system is waking up from hibernate and sleep.
Improves Forensics performance during OS upgrades.
Fixes a rare Forensics crash that can occur during the analysis, if the Entry Point is unknown.
Fixes a very rare issue that can occur where the Forensic Analysis takes hours to complete.
Fixes an issue of terminating processes that may be spawned, while the Forensics analysis is ongoing.
Fixes an incorrect remediation status in the Forensics report when copying a malicious file from a network share.
Improves Forensics to deal with command line parameters more effectively during an incident analysis.
If Reputation is unavailable, unsigned processes will no longer appear with incorrect details in the Reputation screen.
The IP Reputation is now calculated even when there are no http or https operations.
The Forensics Report now correctly shows the World Map of unknown or malicious IP addresses even when there are no http or https connections.
Media Encryption and Port Protection
Fixes additional cases where the Offline Data Access tool does not always start in Read-Only mode, if write protection is configured in the system.
Firewall and Application Control
Fixes a rare issue where the Endpoint Security Client stalls during an upgrade and the network is lost.
Fixes an issue where 'disabling Wi-Fi connection upon Ethernet connection' does not work if both connect to the same router or network.
Adds support to Device Guard features based on Hypervisor Enforced Code Integrity (HVCI).
Updater
Enhances the signature update mechanism to be more resilient during failures, and to hold the most up-to-date signatures.
URL Filtering
Reduces end-user popups and notifications to the items that require user knowledge or intervention, similar to the behavior of the other Endpoint blades.
General
Fixes a very rare issue where an installation from the "Initial Client" fails, when Windows 7 is missing KB2533623.
Fixes a rare issue when an Anti-Bot service uninstall may fail on the client with an unclear message.
Anti-Exploit now protects against the Windows Remote Desktop Protocol (RDP) vulnerability, as defined in CVE-2019-0708.
Enhancements
Anti-Exploit
CVE-2019-0708: This represents a critical flaw found in the Remote Desktop Protocol of Windows allowing for either Remote Code Execution or Denial of Service attacks. Vulnerable systems protected by Anti-Exploit include Windows 7 SP1 and Windows 2008R2. To learn more, see sk154232
Note: Users who run SandBlast Agent with a third party Anti-Virus (AV) should be aware that Anti-Exploit is turned off in the presence of third party AVs. For this protection to be enabled, you must allow Anti-Exploit to work with third party AVs as detailed in sk154454.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue introduced in E80.96 that can lead to Forensic exclusions being ignored on reboot.
Fixes an issue so that the Backup and Restoration database does not grow beyond a certain limit.
The IP reputation and geo-location are now in the Forensics report. Changes in the Overview, Reputation and Network Screens highlight IP reputations and geo-locations.
Enhancements
Anti-Ransomware, Behavioral Guard and Forensics
Improves performance by moving Anti-Ransomware honeypot creation and deletion from logon/logoff to the product install/uninstall.
The manual restoration of files is now possible for any detected attack with Forensics, as well as Anti-Ransomware. Previously, this was limited to Anti-Ransomware attacks only.
Fixes an issue introduced in E80.96 which can lead to Forensic exclusions being ignored on reboot.
Fixes a rare issue where Forensics fails to accept a new policy from Management.
Fixes a rare crash in Forensics, when the service is shut down before the initialization is complete.
Improves Forensics Analysis to follow attacks that involve scheduled tasks, or WMI calls, when the associated processes are invoked.
Improves the Entry Point in Forensics to determine if an incident originates from a zip file.
Improves the Entry Point in Forensics to identify where certain incidents start from an lnk/shortcut file.
Fixes a rare issue with Forensic's Entry Point, where if Anti-Exploit triggers on a browser, more than one browser may appear in the report.
Fixes an issue with McAfee's Endpoint not triggering Forensics on a detection if the language is Portuguese.
Fixes an issue in the Forensics report where Business Impact icons use the same tooltip in the Overview section.
Fixes a missing icon, when Microsoft Edge is part of a Forensics incident.
Fixes a client UI issue where the Forensics analysis animation occurs without an analysis.
Fixes an issue to make the Additional Intelligence arrow in the Reputation screen in the Forensics Report function correctly for Edge and Internet Explorer.
Fixes incorrect capitalization in the Reputation screen of the Forensics report.
Fixes an issue where Edge and Internet Explorer incorrectly identify certain IPs as phone number links in the Forensics Report.
Increases the size of the reputation drop down in the Network Activity screen of the Forensics Report to accommodate the length of the largest value in the list.
Adds the ability for the Forensics CLI to accept the rule name, the third-party product name, and the hash value as parameters.
Threat Emulation and Anti-Exploit
Improves the performance of the SandBlast Agent Threat Emulation to minimize the effect on the Endpoint resources.
Import-Export Table Parsing in Anti-Exploit is now disabled by default. Disabling this greatly reduces the number of products incompatible with Anti-Exploit.
To enable this protection, follow the instructions in sk121793.
Anti-Malware
Hardens the security of the client against DLL injection. CVE-2019-8458: Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.
Fixes an issue with Anti-Malware, when it sometimes rejects updates from the OfflineUpdater tool.
Fixes an issue where sometimes adding the Anti-Malware blade to a current SandBlast Agent (only) Endpoint results in an Anti-Malware error state.
Full Disk Encryption
Full Disk Encryption now tries to wrap known third party credential providers.
The list of known credential providers that we support is in sk152915
Firewall and Application Control
Fixes an issue where the Application Control blade may randomly terminate a process due to an uninitialized local variable.
Fixes a rare case where the firewall blade may crash.
Fixes a crash in the Firewall blade when a LAN cable is connected, while "Disable Wireless on LAN" is enabled.
Media Encryption and Port Protection
Fixes issues with CD encryption to show the correct file sizes and correct occupied percentage in the CD.
Fixes the disknet.exe high CPU usage because of continuous file signature checks, when MEPP is configured to block all access to removable media.
Fixes a crash when a device is unexpectedly removed and has an empty friendly name.
Fixes an issue with the MEPP blade, where Windows freezes when the USB key is not removed safely.
Fixes a cosmetic issue in Enhanced Protected Mode (EPM) Explorer to show the status as read-only, if a read-only password is used and the file system is NTFS.
Infrastructure
Fixes an issue where the installer cannot run from a shared folder and fails with error 1720.
Fixes an issue where an operating system reboot is sometimes not enforced after a client removal.
Fixes a minor issue where an initial client always shows a connected status, even if it is disconnected.
Adds the ability to upload cpinfo to password-protected FTP servers after collecting it.
Fixes an issue where sometimes, after restart, the client will be in a disconnected state for 10 minutes.
Fixes a rare race condition where one of the blades crashes while trying to update the UI.
SandBlast Browser Extension
Improves Internet Explorer browser extension performance for web pages with many frames.
Updater
Enhances the mechanism that allows sending security updates to SandBlast agent.
Remote Access VPN
Performance improvements to the VPN throughput.
General
Adds an option to acknowledge and close multiple UserCheck messages when they appear.
Resolves a rare issue where Anti-Malware protection does not run after an upgrade.
Fixes an issue where Anti-Malware shows an incorrect status in UI, in some cases. (This is only relevant to the E2 package.)
Fixes an issue where sometimes the OfflineUpdater tool fails to update the signatures database on the client side.
Capsule Docs
Fixes an issue that may cause a failure in an upgrade, or in an uninstall process.
Anti-Ransomware, Behavioral Guard and Forensics
The latest version of the Anti-Ransomware Honey Pots are now correctly installed when upgrading from previous versions.
Anti-Ransomware Honey Pots no longer stop working if they receive a second Anti-Ransomware policy update.
Disabling Forensics now correctly disables Anti-Ransomware completely, including removing all Anti-Ransomware Honey Pot files.
Fixes an issue where Process information is corrupted before being inserted into the Forensics Database. With the fix, the number of instances of unknown processes in a Forensics report is dramatically reduced.
Fixes a rare case where the last received Forensics, Anti-Ransomware and Behavioral Guard policies are not saved and used, when the client cannot connect to the Management Server.
Fixes a rare crash in Forensics, when receiving policy before the full Forensics initialization is complete.
Fixes an issue where certain exclusions for Anti-Ransomware are not enforced, if the user logs in before the full service initialization is complete.
Threat Emulation and Anti-Exploit
Resolves an issue where, in some cases, Threat Emulation may not deploy the SBA4B Chrome extension if a user has other (non-Check Point) extensions.
Makes sure that Threat Emulation avoids a crash when the database is very large.
Anti-Exploit now turns off completely when used with a third party Anti-Virus. Check Point's Anti-Malware will not cause Anti-Exploit to disable.
Fixes a very rare issue where Anti-Exploit does not completely parse the policy from the Management.
Install / Uninstall
Fixes a rare case where an unrequired reboot occurs after upgrade.
Resolves a rare issue where a crash happens on an uninstall and upgrade.
Changes the upgrade retry frequency and removes unnecessary user interface popups.
Removes a "Validation failed" message that is displayed in error, during an upgrade from an old version.
Updates the list of supported Windows 10 versions in Compliance blade to include versions 1809 and 1803.
Infrastructure
Fixes an issue where the Full Disk Encryption policy is sometimes not updated.
Improves the security of the client when using hard linked files.
General
Reduces end-user popups and notifications to the items that require user knowledge or intervention.
This release includes stability and quality fixes. It supports all features of previous releases.
Enhancements
Anti-Malware
Resolves a rare case where Anti-Malware has errors when updating signatures.
Capsule Docs
Resolves an issue so that processes do not stay suspended after an unexpected termination.
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue where OneDrive synchronization fails on Anti-Ransomware Honeypot files.
Adds the ability to exclude individual Anti-Ransomware rules. Behavioral Guard has a similar ability.
Changes the Forensics analysis to issue a more accurate Forensic Attack Tree on Dell machines.
Recognizes Google's new signature correctly, and no longer treats Chrome as an unknown process when Reputation is unavailable.
The updated trusted certificate file includes the latest trusted signers for use in Forensic Analyses.
Forensic Report files always upgrade correctly now, regardless of the previous Endpoint Security Client version present on the system. This prevents the issue of broken reports on machines that went through a specific upgrade path.
Threat Emulation and Anti-Exploit
Anti-Exploit now disables itself if Trend Micro or Mcafee security products are present.
Adds the ability to exclude Anti-Exploit detection technologies individually.
Install / Uninstall
Resolves an issue where blue screens can occur after Endpoint Security Clients upgrade without reboot.
Fixes an issue so that a required reboot is now enforced when uninstalling the client.
Fixes an issue to execute a required reboot during an upgrade.
This release includes stability and quality fixes. It supports all features of previous releases.
New Features
New consolidated Reputation View in Forensics. This view now contains reputation, where available from Threat Cloud for all non-trusted URLs, Domains and Hashes found in the Forensics Analysis.
Improved and faster remediation flow in Forensics. We have improvements in the performance of remediation when done through a Forensics Report. This includes fixes that report the remediation status at the time of report generation more accurately.
Support for multiple logged-in users in Anti-Ransomware. We are now able to generate and monitor our honeypot detections if multiple users are logged in simultaneously.
Further enhancements to PowerShell obfuscation detection in Behavioral Guard. This results in improved detection capabilities.
Boot time improvements in Forensics. Forensic data storage now occurs well after boot. This improves the time for boot, especially on older drives and on drives with a great deal of file activity during boot.
Enhancements
Anti-Ransomware, Behavioral Guard and Forensics
Fixes an issue in Anti-Ransomware honeypot creations during a login for a new user.
Fixes an issue where honeypot files were not created for all users in a multi-user system.
Fixes an issue on Windows Server editions, where some honeypots were not created when multiple users logged in simultaneously.
Improves PowerShell obfuscation detection support in Behavioral Guard.
A new consolidated Reputation view is available in the Forensics Report that combines intelligence for all non-trusted URLs, Domains and Files in the report.
Improves boot performance by introducing a delay in Forensics data storage during the boot cycle.
Hashes for files calculated by Threat Emulation are available for visualization and reputation in the Forensics Report.
Extends the Forensics API with hash information so that Threat Emulation and other products always get Reputation, if available in the Forensics Report.
Forensics Report Tree views have a new section in Network Operations for processes that are listening on a port for a connection.
Processes with invalid signatures now show as suspicious events with invalid signer names available in the Forensics Report. Behavioral Guard also supports rules for invalid signatures.
Fixes an issue where the reputation for files that are not processes are updated correctly in the Forensics Report.
Fixes a very rare infinite loop that may occur, when the data in the Forensics database is corrupted.
Fixes the Virus Total (VT) First Seen date to be the same format as other dates in the Forensics Report.
Suspicious Events of a process in the Tree and Tree Time-line views of the Forensics Report now show in the order of severity.
Fixes a missing icon for unsigned processes in the Overview and General views of the Forensics Report.
Fixes an issue to make triggers on files, with IPs in their path, appear correctly in the Overview view of the Forensics Report.
Fixes a visualization issue, where the reputation file size appeared as zero for files with no reputation in the Forensics Report.
Threat Emulation and Anti-Exploit
Fixes an issue in Anti-Exploit, where the protection name was not consistently displayed in the client UI and Forensics Reports.
Fixes an issue in Anti-Exploit with a specific build version of Internet Explorer not having VBScript God Mode protection enabled correctly.
Fixes a slow performance problem in Threat Emulation, when accessing files on a non-local disk.
Resolves an issue, where Internet Explorer can freeze when navigating to trusted sites.
Full Disk Encryption
Resolves an issue, where connections through Remote Desktop Protocol (RDP) to a machine with Full Disk Encryption can fail intermittently.
Resolves an issue, where Full Disk Encryption, enabled for UEFI BCDBOOT, sometimes experiences a boot loop.
Media Encryption & Port Protection
Fixes an issue where Explorer flickers every second, when inserting an encrypted media.
Resolves an issue where the "copy" file operation is not logged in some conditions.
This new engine provides a multi-phase ability to detect malicious PowerShell usage that is unique.
Includes full AMSI (Advanced Malware Scan Interface) integration to get, analyze and report decoded scripts.
Forensic report overhaul with a new style and enhanced reputation integration.
Completely redesigned Overview and General screens.
Many small usability and visual enhancements throughout the report.
View decoded script content as part of the report itself.
See the Enhancements section below for additional information.
Forensics now has major performance improvements.
There is a major reduction (roughly 50% fewer events) in the amount of data stored. This results in lower IO usage and better performance.
See the enhancements below for the full list of performance enhancements.
Forensics Analysis takes on average 20% less time to complete. For larger reports the time taken will be further reduced.
Stack Pivoting detection was turned on as a new exploit detection technique for Anti-Exploit. Stack Pivoting involves trying to create a fake stack from attacker controlled memory.
Anti-Exploit now default protects the Equation Editor process. This helps to cover the following CVEs:
CVE-2017-11882
CVE-2018-0802
CVE-2018-0812
Enhancements
Anti-Ransomware, Behavioral Guard and Forensics
Enhances Behavioral Guard with the ability to perform deep inspections of both behavior and script content of PowerShell and Fileless attacks.
Improves Forensic reports with decoded PowerShell scripts from AMSI integration. This feature is only available in Windows 10.
Adds many new suspicious events for the Forensic report, including new PowerShell related suspicious events.
Fixes a crash occurring when Forensics, Anti-Ransomware and Behavior Guard are processing an existing policy while receiving a new policy.
Fixes a rare issue with large continuous CPU utilization when the Forensics service is unable to communicate with the driver.
Improves Forensic performance by adding static exclusions for well known file operations. This addition alone can reduce the number of file operations stored by up to 80% on some machines.
Improves Forensics performance by adding dynamic exclusions for file operations based on a new heuristic. This can reduce the number of file operations stored by up to 30%.
Improves Forensic performance by dynamically excluding registry operations based on a new heuristic. On average, 10% of registry operations are now excluded.
Fixes an issue which caused duplication of log events in Forensics.
Improves Entry Point calculations across multiple scenarios to be more accurate in the Forensic Report.
Fixes a majority of issues where the Entry Point of an attack could be empty. Now there should almost always be an Entry Point.
Improves the Forensics report so that Command Prompts (cmd.exe) opened for typing no longer appear in the Forensic report, but may appear in the Entry Point instead.
Improves the Forensic Analysis to consider following files in the argument of processes already included as part of the incident.
The Forensics report now shows the termination status for every process present in the report.
Fixes an issue that could lead to incomplete termination of processes involved in a Ransomware incident.
Processes, showing in a report, that are closed at the time of the generation of the report will now correctly show as terminated, even if the remediation policy for termination is disabled.
Fixes an issue where some Forensic report icons may be missing when upgrading to E80.89. The icons are now present when upgrading to E80.90.
Fixes an issue with the scroll bar not appearing correctly if there are multiple nodes in the Entry Point view of the Forensics Report.
Fixes a Forensics Analysis issue where script processes like PowerShell do not appear in the report when Cmd is involved and the script process is not the trigger.
Process arguments and script contents are now encoded in the Forensic reports. This prevents the deletion of the reports by Anti-Viruses looking for specific signatures found in the argument or script content.
Adds support to include the Malware Family from URL reputation if present in the Forensic report.
Fixes an issue which could result in the User Name appearing empty in the Forensic Report.
Fixes a visual issue in the Forensic report where the distance between processes could be very large if a process has a lot of lines of text.
Updates the default exclusions for Anti-Ransomware.
Threat Emulation and Anti-Exploit
Anti-Exploit now has an additional exploit prevention technology called stack pivoting.
Anti-Exploit now protects Equation Editor from known and unknown exploit attempts.
Anti-Bot
Fixes a crash when the Anti-Bot database is held by another process in the system.
SandBlast Agent Updater
Adds support for Static Analysis updates running in parallel to other updates using the Updater. Fixes an issue where the wrong service is restarted when updating two products together.
Support for the Endpoint Security Clients on macOS Mojave (10.14)
Support for SandBlast Agent previously only available on the Windows platform:
Threat Emulation - Evasion resistant sandbox technology detects malicious behavior and prevents any imminent attack. As in Windows, the protection is available in 2 levels:
Protection from files written to the file system.
Inspection of files downloaded by Chrome using the Chrome browser extension to prevent malicious files from getting to the file system.
Anti-Ransomware - Detects and quarantines the most evasive Ransomware variants.
Google Chrome Extension with:
Threat Extraction - Reconstructs downloaded file, delivering sanitized risk-free files to users in real time.
Zero Phishing - Blocks deceptive phishing sites and alerts on password reuse in real-time.
Full support for macOS 64-bit.
Adds the ability for Remote Access to verify the integrity of the Endpoint Security Management where the Endpoint Security VPN clients connect. This ability exists in the Endpoint Security VPN client for Windows, and is now available for the Endpoint Security client for macOS. See sk108892.
Enhancements
Native Encryption Management now supports mobile network users.
Remote Access - Opens the default browser of the machine to register to hotspot.
This release includes stability and quality fixes. It supports all features of previous releases.
New Features
No Reboot Deployment
Endpoint Security client deployment is now available, without reboots, for the following:
Compliance
Anti-Malware
Firewall and Application Control
Remote Access VPN
URL Filtering
SandBlast Agent Blades
Upgrades from E80.89 to later releases are supported, without reboots, for the following:
Compliance
Firewall and Application Control
Remote Access VPN
URL Filtering
SandBlast Agent Blades Note: Upgrades of some Full Disk Encryption, Media Encryption and Port Protection, Capsule Docs and Anti-Malware versions might require reboot.
Forensics Report
The report has updates and improvements in the overview and general screens. The overview screen now includes additional information such as malware family, attack types and other details. The general screen contains more information about incidents.
The Tree and Tree Time Line screens also have updated navigational toolbars.
Remote Access Client
Support for Windows 10 October 2018 Update (1809).
Enhancements
Anti-Ransomware, Behavioral Guard and Forensics
Forensics reports no longer show Anti-Bot in "Detect" mode as having a "Blocked" status.
Resolves a Forensics Analysis issue when incidents that include the Task Scheduler may add unrelated processes to the Forensics report.
Resolves a Forensics Analysis issue where some "riskware" processes are not properly followed and terminated.
Forensics reports now include the Malware Family Name when available to the reputation section of a process.
Resolves a rare Forensics Analysis issue when an entry point jumps between different browsers incorrectly.
The Forensic report's network view now shows entry point URLs and associated Domains.
Enforces exclusions of Check Point signed process related file activity in the driver to improve Forensics performance.
Threat Emulation and Anti-Exploit
Resolves several cases where Threat Emulation file monitoring locks the file, interfering with other application uses.
Resolves an issue where benign zero phishing logs appear as malicious.
SandBlast Agent Infrastructure
Resolves an issue of Remediation request ID collisions and the interference in remediation, if multiple requests appear together.
This release includes stability and quality fixes. It supports all features of previous releases.
New Feature
Forensic Reports now include URL and domain reputation analyses from Network Operations. A new view for Network Operations is available with this information. Click on Network Events under the Suspicious Activity menu option to access this view.
Enhancements
Anti-Ransomware, Behavioral Guard and Forensics
Resolves an issue related to missing buttons on the Remediation Manager User Interface.
Anti-Ransomware, Behavioral Guard and Forensics now default to the most recently used policy, if they have not received a new policy from Management.
Resolves apparent hang in the Forensics report when there is no execution tree to display.
Full Path exclusions now work in Anti-Ransomware. When Anti-Ransomware excludes a process by its full path, it does not exclude other processes with the same name in different paths.
Improves the exclusion of Check Point, Trend Micro and McAfee process activities from Forensics monitoring for better blade performance.
Resolves the issue of continuous high CPU utilization when a very large Forensics report transmission fails.
Fixes a rare crash in Forensics when resources are scarce during maintenance tasks.
Threat Emulation and Anti-Exploit
Resolves a file system performance issue in the Threat Emulation blade to prevent delays in file creation or copy on local disks.
Resolves a non-local file access monitoring issue. Threat Emulation now monitors file creation and access on non-local disks, and emulates them, if necessary.
Fixes a crash in Anti-Exploit protected applications when Control Guard is on in Windows 10.
Full Disk Encryption
Resolves an issue in which Full Disk Encryption failed to synchronize a hostname change.
Resolves an issue for Pre-Boot keyboard functionality on Epson NA512E.
Resolves an issue in which Pre-Boot went into a reboot loop, on some UEFI machines, during disk cache issues.
Resolves an instability issue of Full Disk Encryption Single-Sign-On functionality on Microsoft Windows 10 1803.
Installation
Resolves upgrade issues when two product lines were shown for Check Point Endpoint Security in Add\Remove Programs, after previously failed upgrades.
Behavioral Guard - SandBlast Agent Behavioral Guard is a behavioral detection engine that detects and remediates all forms of malicious behavior. If malicious behavior is detected, a forensics report is generated of the entire attack. The attack can be automatically or manually remediated based on the forensics report. To learn how to configure Behavioral Guard, see sk129892.
Data Collection - SandBlast Agent improves the detection of malicious threats by sending anonymized incident-related data to the Check Point ThreatCloud. It is enabled by default. To learn more about data collection and to find out how to disable it, see sk129753.
Remote Access VPN - Support for Key Storage Providers (KSP) for machine certificates. Support for KSP is enabled by default for machine authentication. If machine authentication is configured on the client and on the Security Gateway, clients can authenticate with machine certificates that use a Key Storage Provider.
Enhancements
Full Disk Encryption - Improved logging when enabling or disabling Pre-boot using the fdecontrol.exe utility.
Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.
(CAB)
E80.84 Capsule Docs Standalone Client
Capsule Docs package for environments that are managed by Capsule Docs Cloud Service.
(EXE)
Capsule Docs PC Viewer
Check Point Capsule Docs Viewer is a stand-alone client that lets you view documents that were protected through Capsule Docs.
Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.
(CAB)
E80.82 Capsule Docs Standalone Client
Capsule Docs package for environments that are managed by Capsule Docs Cloud Service.
(EXE)
Capsule Docs PC Viewer
Check Point Capsule Docs Viewer is a stand-alone client that lets you view documents that were protected through Capsule Docs.
This release supports all Software Blades and features of previous releases.
New Features
Support for Windows 10 April 2018 Update (version 1803).
Enhancements
Remote Access VPN - When Secure Domain Logon (SDL) is configured, the Connect window in implicit mode SDL is displayed only when the client has network connectivity.
Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.
(CAB)
E80.82 Capsule Docs Standalone Client
Capsule Docs package for environments that are managed by Capsule Docs Cloud Service.
(EXE)
Capsule Docs PC Viewer
Check Point Capsule Docs Viewer is a stand-alone client that lets you view documents that were protected through Capsule Docs.
This release supports all Software Blades and features of previous releases.
New Features
Remote Access VPN - Ability to create a VPN site automatically without user interaction using a hyperlink.
Capsule Docs StandAlone Client - Reboot is not required after the client is upgraded.
Enhancements
SandBlast Agent for Browsers - Improved inspection during a simultaneous download of multiple ZIP files.
Threat Emulation - Improved synchronization of the policy state (Disconnected / Connected).
Anti-Exploit - Improved stability of the Anti-Exploit Blade. It does not attempt to protect browsers that are already protected by third-party Kaspersky Anti-Virus products.
Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.
(CAB)
E80.81 Capsule Docs Standalone Client
Capsule Docs package for environments that are managed by Capsule Docs Cloud Service.
(EXE)
Capsule Docs PC Viewer
Check Point Capsule Docs Viewer is a stand-alone client that lets you view documents that were protected through Capsule Docs.
Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.
(CAB)
E80.80 Capsule Docs Standalone Client
Capsule Docs package for environments that are managed by Capsule Docs Cloud Service.
(EXE)
Capsule Docs PC Viewer
Check Point Capsule Docs Viewer is a stand-alone client that lets you view documents that were protected through Capsule Docs.
Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.
(CAB)
E80.72 Capsule Docs Standalone Client
Capsule Docs package for environments that are managed by Capsule Docs Cloud Service.
(EXE)
Capsule Docs PC Viewer
Check Point Capsule Docs Viewer is a stand-alone client that lets you view documents that were protected through Capsule Docs.
This release supports all Software Blades and features of previous releases. There are many quality improvements that add to the stability and resilience of the product.
General Endpoint Security Client Enhancements
Client is compatible with the Microsoft January 2018 Patch Tuesday update.
Localization improvements in the client.
SandBlast Agent
Anti-Ransomware
Backup - Optimizations of the backup database size for performance improvements.
Restoration - Improved file deletion in the presence of symbolic links.
Restoration - Security strengthening to address the AVGater vulnerability.
Remediation - Improved handling of reputation when the service is offline.
SandBlast Agent for Browsers
Web Extension - Improved handling of file downloads from Dropbox in Internet Explorer.
Zero Phishing - Improved resilience for networking issues that may cause the site to not respond in the first scan.
Anti-Exploit
Improved handling of Edge browser protection when upgrading from Windows 7 to 10.
Forensics reports are now correctly displayed when there is an Anti-Exploit detection.
Threat Emulation - Improved handling of large backup files.
Anti-Bot - Improved handling of disabled policy configuration – Anti-Bot can be enabled even ifit is disabled in the policy.
Media Encryption & Port Protection
File delete audit logging works on Windows 10 Build 1703 and higher
Remote Access VPN
Ability to add a notification when a user certificate expires.
Unattended Remote Access VPN clients, managed with CLI and API and do not have a User interface for automatic upgrade through the gateway. For SmartDashboard-managed clients only.
(CAB)
E80.71 Capsule Docs Standalone Client
Capsule Docs package for environments that are managed by Capsule Docs Cloud Service.
(EXE)
Capsule Docs PC Viewer
Check Point Capsule Docs Viewer is a stand-alone client that lets you view documents that were protected through Capsule Docs.
This release supports all Software Blades and features of previous releases. It adds support for Windows 10 Fall Creators Update (version 1709) and support for new and improved features.
In-place OS Upgrade Support
For in-place upgrades with the Full Disk Encryption Blade, refer to sk120667
General Client Enhancements
UserCheck Ultra HD Screens Support
Full Disk Encryption
XTS-AES 128/256-bit encryption for BIOS systems
Allow encryption algorithm change from AES-CBC to XTS-AES with seamless re-encryption, on UEFI-based computers.
Note: The XTS-AES encryption options require a management backend that supports them.
SandBlast Agent
Anti-Exploit - Detects and prevents exploit based attacks. By default, Anti-Exploit protects web browsers, MS Office applications, Adobe Acrobat Reader and Adobe Flash Player. Anti-Exploit is able to detect and prevent the exploit attempt, before the attack downloads the malware and executes the malicious payload. If configured to prevent mode, on detection, Anti-Exploit will shut down the process being exploited and then will generate a forensics report. Please refer to sk121793.
SandBlast Agent Browser extension was upgraded to a new version and is now also supported on Internet Explorer 11. Please refer to sk108695.
Media Encryption & Port Protection
CryptoCore 4.0 support - Improved encryption speed, and a new password protection scheme. Note: Previous Media Encryption versions cannot authenticate with a password on media that is encrypted with the new version. However, Remote Help and Automatic Access do work. The new Media Encryption version opens old and new versions.
Remote Access VPN
Machine authentication - Authentication capability for Remote Access clients to authenticate with a machine certificate from the Windows System Store. This requires a Security Gateway version that supports this feature. See sk121173
Device Guard support - the Remote Access clients can be installed on a Microsoft Windows computer with Device Guard enabled.
High DPI support - Support for devices with High-dots-per-inch (DPI) display.
E80.70 Endpoint Security Clients for Windows OS (Recommended)
(ZIP)
E80.70 Complete Endpoint Security Client for 32 bit systems
(ZIP)
E80.70 Complete Endpoint Security Client for 64 bit systems
(ZIP)
E80.70 Complete Endpoint Security Client without Anti-Malware for 32 bit systems
(ZIP)
E80.70 Complete Endpoint Security Client without Anti-Malware for 64 bit systems
(ZIP)
E80.70 SandBlast Agent client for 32 bit systems
(ZIP)
E80.70 SandBlast Agent client for 64 bit systems
(ZIP)
E80.70 Full Disk Encryption and Media Encription and Port Protection client for 32 bit systems
(ZIP)
E80.70 Full Disk Encryption and Media Encription and Port Protection client for 64 bit systems
(ZIP)
E80.70 Initial client
(ZIP)
Note: Initial client is a very thin client without any blade that allows the admin to use it in order to download the large ZIP file and then distribute it in his organization.
This release supports all Software Blades and features of previous releases. It adds support for Windows 10 Creators Update (version 1703) and support for new VPN and improved features.
Remote Access VPN
New VPN Features
Option to exclude local network traffic when Hub mode (Route all traffic) is configured.
Register to hotspots with the computer's default browser instead of the client?s embedded browser.
The Full Disk Encryption OneCheck Logon features are improved to continue to work transparently with new versions of operating systems.
SandBlast Agent
The SandBlast Web Extension is supported on Internet Explorer 11. While the Web Extension is enabled automatically for Google Chrome, for Internet Explorer it is disabled by default.
E80.65 Complete Endpoint Security Client for 32 bit systems
(ZIP)
E80.65 Complete Endpoint Security Client for 64 bit systems
(ZIP)
E80.65 Complete Endpoint Security Client without Anti-Malware for 32 bit systems
(ZIP)
E80.65 Complete Endpoint Security Client without Anti-Malware for 64 bit systems
(ZIP)
E80.65 SandBlast Agent client for 32 bit systems
(ZIP)
E80.65 SandBlast Agent client for 64 bit systems
(ZIP)
E80.65 Initial client
(ZIP)
Note: Initial client is a very thin client without any blade that allows the admin to use it in order to download the large ZIP file and then distribute it in his organization.
This release supports all Software Blades and features of previous releases. It includes new SandBlast Agent features and enhancements and support for new VPN features.
SandBlast Agent
Anti-Ransomware As part of the Forensics blade, Anti-Ransomware constantly monitors files and processes for unusual activity. Before a ransomware attack can encrypt files, Anti-Ransomware backs up files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.
Improved Browser Extension The SandBlast Agent Browser Extension protects against malicious files that come from Internet sources. It supports Google Chrome for Threat Emulation, Threat Extraction, and Zero Phishing. The new Zero Phishing feature provides:
Phishing Prevention - Checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.
Password Reuse Prevention - Alerts users not to use their corporate password in non-corporate domains.
Simple Integration with Third Party Anti-Virus Vendors
Forensics can use information from the Windows Event Log to monitor and analyze malware events from third party anti-virus vendors.
Works with most common vendors without manual configuration.
Events are detected when the client is online or offline.
SandBlast Agent Dynamic Updates
SandBlast Agent dynamic updates enable stronger security for endpoints, with regular updates to SandBlast Agent files. This keeps clients protected from the latest threats.
E80.65 Remote Access VPN clients have the ability to connect to an IPsec VPN gateway that is configured with Multiple Login Options.
One of the authentication factors can be Dynamic ID - Users who successfully complete the first-phase authentication can be challenged to provide an additional credential: a Dynamic ID One Time Password (OTP). The OTP is sent by text message or email.
The new support requires an R80.10 or higher IPsec VPN gateway.
Check Point SandBlast Agent delivers advanced Threat Extraction and Threat Emulation, Forensics, and Anti-Bot to endpoint devices. Refer to SandBlast Agent Product Page. Key Benefits
Defends against multiple attack vectors, including web downloads, external storage devices, lateral movement, or encrypted content.
Quickly delivers safe, sanitized versions of documents without business interruption.
Identifies and contains infected hosts to limit damage and spread of malware.
Continuously collects data about user systems for later forensics use.
Automatically builds actionable forensics reports with important attack information.
Integrates monitoring and investigation of security events through SmartEvent and SmartLog.
Key Features
Check Point SandBlast Agent delivers advanced Threat Extraction and Threat Emulation, Forensics, and Anti-Bot to endpoint devices.
Threat Emulation for web downloads and for files copied to the file-system.
Windows 10 Anniversary Update (version 1607) support for Endpoint Security clients.
Endpoint Security Server installation on R77.30 with a dedicated Jumbo Hotfix for Endpoint Security. (This Jumbo hotfix is aligned to Take 143 of the Jumbo Hotfix Accumulator for R77.30.)
Management
New Policies & Reports.
Offline Management Tool for Full Disk Encryption Offline Mode.
Faster synchronization between Endpoint Security Management and Policy Servers.
General performance improvements.
New Client UI look and feel.
Full Disk Encryption
Offline Mode - Provides Endpoint Security client support for computers that are not connected to an Endpoint Security Management Server, with the same level of security as regular deployments. Features include:
Policy management.
Data recovery and Emergency Access.
Logs, Statistics, and Reporting.
New Deployment User type for creating Offline Mode users at preboot.
XTS-AES Encryption on UEFI Systems - Supports new AES algorithms for optimal performance and security:
XTS-AES 128 (2x128) encryption.
XTS-AES 256 (2x256) encryption.
Performance optimizations for disk I/O.
Pre-boot usability improvements.
Media Encryption
Media Encryption Default container size configuration.
Optical Media Scan support.
Capsule Docs
Support for new File Types.
Support for Adobe Acrobat Reader DC.
New Document Expiration feature- Set an expiration date for protected files. After the expiration date, only the author can access the document.
Ability to set, change, and remove protection from Microsoft Office and PDF files with a right-click context menu.
Remote Access VPN
VPN performance enhancements in upload and download paths.
Support for ATM client.
Endpoint Security Clients for macOS
macOS Sierra (10.12) support for the Endpoint Security clients.
VPN support for SHA-256 and Diffie-Helman group 14.
Support for Smart Card authentication in Full Disk Encryption Pre-boot.
New compliance checks for the Endpoint Security Compliance blade:
Check if a computer is in an Active Directory Domain
E80.62 Endpoint Security VPN for Mac OS X - Disc Image (DMG)
(DMG)
E80.62 Endpoint Security VPN for Mac OS X - Installation package (PKG)
(PKG)
E80.62 Endpoint Security VPN for Mac OS X - Signature for automatic upgrade
(signature)
* Note: Mac OS X 10.11 can work only with E80.62 clients. Therefore, you must upgrade the Remote Access VPN Client to E80.62 version before you can upgrade the Mac OS X to 10.11.
Capsule Docs Bulk Protection Services applies protection to documents based on location and properties. The protection is based on your configuration.
There are two options to manage Bulk Protection Services:
Content-Aware File Protection for CIFS and NFS-compatible Network Locations - Protection is applied through a network gateway with the DLP Software Blade to files that match specified data types.
File Protection for Windows-based Servers and Workstations - Protection is applied locally and runs on the Windows computer. Continuous monitoring on specific targets is also available to protect new files as soon as they are created. Refer to the Capsule Docs Bulk Protection Guide
Content-Aware Protection for Mail Attachments
This feature enables DLP Gateway administrators to set protect action for E-mails:
Seamless experience - Automatic protection based on administrator configuration.
Flexibility - The administrator can allow sending protected documents, and allow or block attachments.
Content Awareness - Different protection settings for different types of data.
Access Control - The authorized user list can include defined users and groups and/or e-mail sender/recipients.
End User Education - UserCheck alerts the user to the organization security policy.
UDM is a web based application that manages a range of user and device related tasks in an organization. A typical user accesses organizational resources from multiple devices: computers, laptops, smartphones, and tablets. UDM provides a unified environment for managing various user and device related tasks, such as provisioning, transparency of access via SmartLog logs, viewing user and device details, certificate management, AD user management, and FDE password recovery (for Endpoint Security clients).
With UDM, security administrators can delegate user and device management tasks to Help Desk administrators. This delegation of responsibilities lets the network security team handle security policy issues and the Help Desk team manage some user access tasks.
UDM includes:
Remote Access certificate management
Manage, create, and revoke user certificates for remote access.
Use email templates to send information to users on how to connect remotely from their devices.
Integration with Active Directory
See all users in the organization and the devices they are using to connect to organizational resources.
Change the status of Active Directory users when necessary (expired, disabled, or locked).
Manage Active Directory user groups.
Integration with SmartLog
See user login and activity logs.
Search and filter logs for a specified user.
See if a device is connected or disconnected.
Integration with Endpoint Security Server
See activity of users and devices.
Use Full Disk Encryption password recovery.
Active Directory integration.
Integration with Capsule Cloud
See logs of Capsule Cloud users.
Send new registration codes to users.
Full Disk Encryption
TPM support for version 1.2 and 2.0.
Support for Active Directory groups in Pre-boot.
Mobile Access Blade
Simple and comprehensive mobile/remote access solution that delivers exceptional operational efficiency.
Allows mobile and remote workers to connect easily and securely from any location, with any Internet device to critical resources while protecting networks and endpoint computers from threats.
Data transmitted by remote access is decrypted and then filtered and inspected in real time by Check Point?s award-winning gateway security services such as Anti-Virus, Intrusion Prevention and Web Security.
Includes in-depth authentications, and the ability to check the security posture of the remote device. This further strengthens the security for remote access.
The Mobile Access Blade is available in its latest versions in R77.20 (sk101208).
Endpoint Security Client for Mac
This release adds these new features:
Support for the Endpoint Security client on Mac OS X 10.10 Yosemite.
Support for the Media Encryption Offline Access utility on Mac OS X 10.10 Yosemite.
Features:
From E80.60: New Capsule Docs Software Blade (alpha) for Mac
Compatibility with both Check Point On-Premises deployment and Cloud Deployment
Enhanced rendering capabilities
Support unprotecting a document based on user permissions
From R77.20 (and higher): Full Disk Encryption Software Blade new features
Dynamic Tokens
Remote Help Response Length
Full Disk Encryption support for In-place major OS upgrade (until September, 2015, this is available only as EA, see sk106668.)
Remote Access VPN
Remote Access Clients for Windows
Improved stability, and bug fixes.
Configure password complexity requirements in the VPN Configuration Utility.
The Check Point Capsule Docs Software Blade, managed by an on-premise Security Management Server, lets organizations protect and share documents safely within the organization and with business partners, and manage the organizational Check Point Capsule Docs policy, monitoring, and deployment through SmartEndpoint.
The Check Point Capsule Docs Software Blade comes integrated with the Endpoint Security on Microsoft Windows computers. There is also a non-managed Check Point Capsule Docs plugin for supported applications, and the Check Point Capsule Docs Viewer. The Viewer does not require administrative privileges or the installation of Microsoft Office or Adobe Acrobat Reader, and gives read-only access to protected documents. The Check Point Capsule Docs plugin, which is mainly for the external users, and the Check Point Capsule Docs Software Blade give full editing capabilities and these benefits:
Control the parties that can access the data
Restrict access to individuals, groups or entire organizations
Use granular Classification model to assign different permissions for internal and external users
Control data distribution (Forward, Copy/Paste, Print)
Choose contacts from your Outlook address book with whom you usually communicate
Prevent unintentional data loss with the help of UserCheck
Protect data stored on untrusted servers and shared via untrusted channels
Each protected document remains protected even on untrusted servers
Prevent forwarding to unauthorized parties
Secure all created documents automatically
See full audit trail for data access
All actions on protected documents are logged and are available through SmartView Tracker and SmartLog
Follow paper trail for a single document
Audit distribution patterns for documents in an organization
Monitor access by external parties
Access protected documents easily from your platform of choice
Seamless integration with Microsoft Office and Adobe Acrobat on Windows platforms
Lightweight Windows Viewer that does not require administrative privileges or Microsoft Office or Adobe Acrobat clients installed
Lightweight flexible viewer for Mac OS X
Access protected documents from proprietary Apps on Android, and iOS mobile devices
Full Integration with Organizational Active Directory
Users that are defined in the Active Directory are automatically provisioned to use Check Point Capsule Docs
User's Active Directory account authentication is sufficient to access relevant protected documents
Customize Document Security policy for different Users, Organizational Units and Groups
Capsule Docs Proxy
Allows accessing protected documents managed with the on-premise Security Management Server for users outside of the organizational network.
Provides secured connectivity, leveraging HTTP security and IPS inspection on a hardened Gaia operating system.
Built on top of Check Point Mobile Access Blade.
Delivered as a Hotfix on top of R77.10 and on top of R77.20.
Check Point Capsule Docs encrypts documents to protect them from unauthorized access. It protects users from unintentional data leaks. It is not possible to prevent all intentional violations made by malicious authorized users and this is not the goal of Check Point Capsule Docs.
URL Filtering
The Check Point Endpoint URL Filtering Software Blade lets an organization control access to web sites by category, user or group. This way it improves network security and enhances user productivity.
User Check technology empowers and educates Endpoint users on web usage policy in real time.
The Endpoint URL Filtering Software Blade has these benefits:
Lets you utilize a database of over 200 million websites, updated in real-time
Lets you choose from 64 predefined content categories or create custom categories and URL families
Works inside and outside of the organization - policy is enforced on the client
Does unified management - lets the administrator configure one Rule Base in SmartDashboard for an Endpoint and a Gateway policy
Does unified log reporting through SmartLog
Uses Identity Awareness - lets the administrator grant, limit, or block user access, group access, or access from specific machines to individual web sites or categories of web sites
Fully integrates the organization's Active Directory
Utilizes SSL Inspection
Supported Features for Endpoint Security URL Filtering
Uses the ThreatCloud repository to receive updates, and queries it for classification of unidentified IP, URL, and DNS resources.
Prevents damage by blocking bot communication to C&C sites and makes sure that no sensitive information is stolen or sent out of the organization.
The Endpoint Anti-Bot blade uses these procedures to identify bot infected computers:
Identify the C&C addresses used by criminals to control bots.
These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.
Check Point uses the ThreatCloud repository to find bots based on these procedures.
The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.
The Endpoint Anti-Bot blade gets reputation updates from the ThreatCloud repository. It can query the cloud for new, unclassified URL/DNS resources that it finds.
Media Encryption & Port Protection
This release adds NTFS file system support for encrypted storage devices. NTFS file system lets you encrypt files over 4GB.
Notes:
Check Point Media Encryption Offline Utility lets you access NTFS encrypted storage devices on non-managed MS Windows computers in admin mode.
Apple Mac computers do not by default support the NTFS file system. To make an encrypted storage device accessible on a Mac computer, format it as a FAT32.
To create encrypted NTFS storage on a Windows 7 computer, you must first install SP1 on it.
Forensics
The Check Point Endpoint Forensics Software Blade monitors files and the registry for suspicious processes and network activity. When the Anti-Malware or the Anti-Bot Client Software Blade, or the Check Point Gateway Software Blade detects an attack, the Check Point Endpoint Forensics Software Blade analyzes the attack, and uploads the complete attack report to the Endpoint Security Management Server.
Note: The Check Point Endpoint Forensics Software Blade is not supported on Microsoft Windows XP operating system.
Full Disk Encryption Features
This release adds support for these features:
Use of TPM to measure integrity of Pre-boot components.
Password synchronization between the OS and Pre-boot after Remote Help.
Remote Access VPN
For new features in the Remote Access VPN blade and standalone Remote Access Clients see
Simple and comprehensive mobile/remote access solution that delivers exceptional operational efficiency.
Allows mobile and remote workers to connect easily and securely from any location, with any Internet device to critical resources while protecting networks and endpoint computers from threats.
Data transmitted by remote access is decrypted and then filtered and inspected in real time by Check Point?s award-winning gateway security services such as antivirus, intrusion prevention and web security.
Includes in-depth authentications, and the ability to check the security posture of the remote device. This further strengthens the security for remote access.
The Mobile Access Blade is available in its latest versions in R77.10 (sk97617) and R77.20 (sk101208)
User and Device Management
Helps organizations roll out Check Point Capsule to users.
Provides Remote Access certificate management for organizational Active Directory users.
Provides visibility of organizational Active Directory users and the devices they use to connect.
Leveraging SmartLog for user login and activity logs, including filtering capabilities.
Provides Integration with Endpoint Security Server for Full Disk Encryption password recovery.
User and Device Management is available via sk101672.
What's New in Remote Access VPN E80.60 Clients
SHA-256 (SHA-2) IPSEC support for Remote Access (Windows) Clients Data Integrity encryption
Certificate Enhancements:
Display the Friendly Name for a certificate
Filter certificates according to the Enhanced Key Usage attribute (certificates without client authentication are not shown)
Choose not to show expired certificates in the certificate selection list
Automatic upgrades from the gateway with a customized package
Support for the visually impaired with MSAA (Microsoft active accessibility component) integration
Ability to close open session before you make configuration changes
Improved server certificate verification for less browser warnings
Added support for Certificate Subject Alternative Name (DNS entries only) as part of certificate verification (previously only based on CN)
Policy Compression for gateways that support it, to enable policy compression for faster topology download
UTF-8 support in all user input fields (user names, passwords, CN). P12 certificate paths still must have only ASCII characters.
Dual hotspot detection mechanism.
Hotspot registration and mini-browser in Endpoint Security Suite (was previously in Standalone client only).
Set R80.40 as "Recommended & Latest", and stated that "It is also required to download the General Availability Take of the Jumbo Hotfix Accumulator for R80.40."
06-May-2020
Added information about E83.00
23-Apr-2020
Added information about E82.55
07-Apr-2020
Added information about E82.50 macOS Clients
31-Mar-2020
Added information about E82.50
16-Feb-2020
Added information about E82.40
28-Jan-2020
Added information about R80.40
19-Jan-2020
Added information about E82.30
19-Dec-2019
Added information about E82.20
24-Nov-2019
Added information about E82.10
20-Nov-2019
Added information about E82.00 for Mac macOS
03-Nov-2019
Added information about E82.00
06-Oct-2019
Added information about E81.30_HF
24-Sept-2019
Added information about E81.40
26-Aug-2019
Added information about E81.30
07-Aug-2019
Added information about E81.20
30-Jun-2019
Added information about E81.10
27-May-2019
Added information about E80.97
22-May-2019
Added information about E81.00
16-Apr-2019
Added information about E80.96
31-Mar-2019
Added information about E80.95
12 Mar 2019
Added information about E80.94
14 Feb 2019
Added information about E80.92
31 Dec 2018
Added information about E80.90
30 Dec 2018
Added information about E80.89 for Mac
09 Dec 2018
Added information about E80.89
08 Nov 2018
Added information about E80.88
27 Sep 2018
Added information about E80.87
22 August 2018
Added information about E80.86
11 July 2018
Added information about E80.85
20 June 2018
Added information about E80.84
08 Mar 2018
Added information about E80.81
06 Feb 2018
Added information about E80.80
21 Dec 2017
Added information about E80.71 for Mac
30 Nov 2017
Added information about E80.71
27 Aug 2017
First release of this document.
Give us Feedback
Thanks for your feedback!
Are you sure you want to rate this stars?
