Configuring Anti-Exploit for SandBlast Agent
Solution

Introduction

In E80.71, Anti-Exploit was introduced, enabled in Silent mode by default. Anti-Exploit protects web browsers, Microsoft Office applications, Adobe PDF Reader and Adobe Flash Player.
Anti-Exploit can be enabled or disabled via Management, or via the client policy file.

To enable or disable via Smart Endpoint (E80.80 and above):

Note: This only applies to E80.80 and above. Please see below for earlier versions.

  1. Launch the GuiDBEdit for SmartConsole installation (for the Endpoint Security version installed)  ("%ProgramFiles(x86)%\CheckPoint\SmartConsole\R77.30\PROGRAM\GuiDBedit.exe")
  2. Open the following table: Other => ep_orgp_te_policy_tbl
  3. Select the object with Class Name = ep_orgp_te_web_downloads_protection_action
    Note that the object name corresponds to the action name in the policy installed on the clients where you are trying to disable Anti-Exploit.
  4. Select Field Name = browser_extensions_additional_data

  5. Add the following to the value field (multiple configurations are separated with a ":"):

     antex=false

  6. Save and Close GUIDB Editor: File => Save All
  7. Click "Install Policy" from SmartEndpoint Manager to the managed clients.


To enable or disable via Smart Endpoint (E80.71 and E80.72 only):

Note: This only applies to E80.71 and E80.72

  1. Open GUIDBEDIT
  2. Click the GUIDBEDIT policy value under: Other => ep_orgp_efr_policy_tbl => log

    This will open all_logs.

  3. Now change BOTH the following fields to "false" for disabling Anti-Exploit, or to "true" to enable it.
    • log_case_analysis
    • log_single_activity
  4. Save and Close GUIDB Editor: File => Save All
  5. Click "Install Policy" from SmartEndpoint Manager to the managed clients.


To enable/disable Anti-Exploit via client policy file:

  1. Edit the policy file found in the following path: C:\ProgramData\CheckPoint\Endpoint Security\Antex\AntexPolicy.xml
  2. At the top of the AntexPolicy.xml file, make sure that the enabled parameter is set to "false" (to disable), or "true" (to enable). Don't forget the double quotes.

    <antiExploit enabled="false" kernelMode="true" dump="true" silent = "true">

Changing the protection mode: Silent, Detect and Prevent

Anti-Exploit Policy File: C:\ProgramData\CheckPoint\Endpoint Security\Antex\AntexPolicy.xml

When Anti-Exploit is enabled, there are three potential settings:

  • Silent

    This is the default policy. When in silent mode, end users will not receive any notifications, and only the Security Administrator will see the event in the Management. Forensic reports will not be created and the compromised application will not be terminated.

    To change to silent, change the first line in the policy file to:

    <antiExploit enabled="true" kernelMode="true" dump="true" silent = "true">

  • Detect

    Detects exploits and notifies the user of a detected exploit. The Security Administrator will see the event in the Management. Forensic reports are created, but the compromised application is not terminated.

    To change to detect mode, change the first line in the policy file to:

    <antiExploit enabled="true" kernelMode="true" dump="true" silent = "false">

    Then change ALL protectionGroup settings to have protect="true" as shown below:

    <protectionGroup name="VulnerableNoDelay" protect="true" ignoreDebugger="true" delay="false">
    <protectionGroup name="VulnerableDelay" protect="true" ignoreDebugger="true" delay="true">
    <protectionGroup name="VulnerableAdobe" protect="true" ignoreDebugger="false" delay="true">
    <protectionGroup name="VulnerableDelayOffice" protect="true" ignoreDebugger="false" delay="true">

  • Prevent

    Detects exploits and terminates the compromised application. Both the user and the Security Administrator will be notified. Forensic reports are also created.

    To change to prevent mode, change the first line in the policy file to:

    <antiExploit enabled="true" kernelMode="true" dump="true" silent = "false">

    Then change ALL protectionGroup settings to have protect="true" and action="suspend" as shown below:

    <protectionGroup name="VulnerableNoDelay" protect="true" ignoreDebugger="true" delay="false" action="suspend" >
    <protectionGroup name="VulnerableDelay" protect="true" ignoreDebugger="true" delay="true" action="suspend">
    <protectionGroup name="VulnerableAdobe" protect="true" ignoreDebugger="false" delay="true" action="suspend">
    <protectionGroup name="VulnerableDelayOffice" protect="true" ignoreDebugger="false" delay="true" action="suspend">
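As an added check (not part of the original article or of the product), the following Python reads an AntexPolicy.xml and reports which of the modes above its attributes actually implement, so a half-applied edit (for example, only some protectionGroup lines changed) is flagged before policy is relied on. It assumes the protectionGroup elements are nested inside the antiExploit element with closing tags; the page shows only the opening tags.

```python
"""Classify the effective Anti-Exploit mode from an AntexPolicy.xml file.

Added illustration, not Check Point code. Assumption: <antiExploit> is the root
element and the <protectionGroup> elements sit directly inside it.
"""
import xml.etree.ElementTree as ET


def classify_antex_policy(xml_text: str) -> str:
    """Return 'disabled', 'silent', 'detect', 'prevent' or 'inconsistent'."""
    root = ET.fromstring(xml_text)
    if root.tag != "antiExploit":
        raise ValueError(f"unexpected root element {root.tag!r}")
    if root.get("enabled", "").lower() != "true":
        return "disabled"
    if root.get("silent", "").lower() == "true":
        return "silent"  # admin-only events, no forensics, no termination
    groups = root.findall("protectionGroup")
    if not groups:
        return "inconsistent"  # silent="false" but nothing is protected
    protect = [g.get("protect", "").lower() == "true" for g in groups]
    suspend = [g.get("action", "").lower() == "suspend" for g in groups]
    if all(protect) and all(suspend):
        return "prevent"  # user + admin notified, process terminated
    if all(protect) and not any(suspend):
        return "detect"  # user + admin notified, forensics, no termination
    return "inconsistent"  # some groups changed, others left behind


def classify_antex_policy_file(path: str) -> str:
    """Same check against a file on disk (e.g. the path named on this page)."""
    with open(path, encoding="utf-8") as fh:
        return classify_antex_policy(fh.read())


# Constructed samples. The attribute spacing mirrors the page (silent = "false").
SAMPLE_PREVENT = """<antiExploit enabled="true" kernelMode="true" dump="true" silent = "false">
  <protectionGroup name="VulnerableNoDelay" protect="true" ignoreDebugger="true" delay="false" action="suspend"/>
  <protectionGroup name="VulnerableDelay" protect="true" ignoreDebugger="true" delay="true" action="suspend"/>
  <protectionGroup name="VulnerableAdobe" protect="true" ignoreDebugger="false" delay="true" action="suspend"/>
  <protectionGroup name="VulnerableDelayOffice" protect="true" ignoreDebugger="false" delay="true" action="suspend"/>
</antiExploit>"""

# Only one group got action="suspend": neither detect nor prevent.
SAMPLE_PARTIAL = """<antiExploit enabled="true" kernelMode="true" dump="true" silent = "false">
  <protectionGroup name="VulnerableNoDelay" protect="true" ignoreDebugger="true" delay="false" action="suspend"/>
  <protectionGroup name="VulnerableDelay" protect="true" ignoreDebugger="true" delay="true"/>
</antiExploit>"""

if __name__ == "__main__":
    print(classify_antex_policy(SAMPLE_PREVENT), classify_antex_policy(SAMPLE_PARTIAL))
```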

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
