Configuring Anti-Exploit for SandBlast Agent
Solution

Introduction

In E80.71, Anti-Exploit was introduced, enabled in silent mode. Anti-Exploit protects web browsers, Microsoft Office applications, Adobe PDF Reader and Adobe Flash Player.
Anti-Exploit can be enabled or disabled via Management, or via the client policy file.

To enable or disable via SmartEndpoint:

  1. Open GUIDBEDIT
  2. Click the GUIDBEDIT policy value under: Other > ep_orgp_efr_policy_tbl > log

    This will open all_logs.

  3. Now change BOTH the following fields to "false" for disabling Anti-Exploit, or to "true" to enable it.
    • log_case_analysis
    • log_single_activity


To enable/disable Anti-Exploit via client policy file:

  1. Edit the policy file found in the following path: C:\ProgramData\CheckPoint\Endpoint Security\Antex\AntexPolicy.xml
  2. At the top of the AntexPolicy.xml file, make sure that the enabled parameter is set to "false" (to disable), or "true" (to enable). Don't forget the double quotes.

    <antiExploit enabled="false" kernelMode="true" dump="true" silent = "true">

Changing the protection mode: Silent, Detect and Prevent

Anti-Exploit Policy File: C:\ProgramData\CheckPoint\Endpoint Security\Antex\AntexPolicy.xml

When Anti-Exploit is enabled, there are three potential settings:

  • Silent

    This is the default policy. When in silent mode, end users will not receive any notifications, and only the Security Administrator will see the event in the Management. Forensic reports will not be created and the compromised application will not be terminated.

    To change to silent, change the first line in the policy file to:

    <antiExploit enabled="true" kernelMode="true" dump="true" silent = "true">

  • Detect

    Detects exploits and notifies the user of a detected exploit. The Security Administrator will see the event in the Management. Creates forensic reports, but does not terminate the compromised application.

    To change to detect mode, change the first line in the policy file to:

    <antiExploit enabled="true" kernelMode="true" dump="true" silent = "false">

    Then change ALL protectionGroup settings to have protect="true" as shown below:

    <protectionGroup name="VulnerableNoDelay" protect="true" ignoreDebugger="true" delay="false">
    <protectionGroup name="VulnerableDelay" protect="true" ignoreDebugger="true" delay="true">
    <protectionGroup name="VulnerableAdobe" protect="true" ignoreDebugger="false" delay="true">
    <protectionGroup name="VulnerableDelayOffice" protect="true" ignoreDebugger="false" delay="true">

  • Prevent

    Detects exploits and terminates the compromised application. Both the user and the Security Administrator are notified. Forensic reports are also created.

    To change to prevent mode, change the first line in the policy file to:

    <antiExploit enabled="true" kernelMode="true" dump="true" silent = "false">

    Then change ALL protectionGroup settings to have protect="true" and action="suspend" as shown below:

    <protectionGroup name="VulnerableNoDelay" protect="true" ignoreDebugger="true" delay="false" action="suspend" >
    <protectionGroup name="VulnerableDelay" protect="true" ignoreDebugger="true" delay="true" action="suspend">
    <protectionGroup name="VulnerableAdobe" protect="true" ignoreDebugger="false" delay="true" action="suspend">
    <protectionGroup name="VulnerableDelayOffice" protect="true" ignoreDebugger="false" delay="true" action="suspend">
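As an added example (not Check Point's code or the article's), a small Python helper that reports which of the three modes an AntexPolicy.xml document is in and rewrites it to another, so the setting can be verified on many hosts instead of edited by hand. The sample policy is constructed in the shape of the fragments above and assumes the protectionGroup elements are children of the antiExploit root.

```python
"""Report and set the Anti-Exploit mode of an AntexPolicy.xml document."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the fragments in this article (assumption:
# protectionGroup elements are children of the antiExploit root); not a real policy file.
SAMPLE_POLICY = """<antiExploit enabled="true" kernelMode="true" dump="true" silent="true">
  <protectionGroup name="VulnerableNoDelay" protect="false" ignoreDebugger="true" delay="false"/>
  <protectionGroup name="VulnerableDelay" protect="false" ignoreDebugger="true" delay="true"/>
  <protectionGroup name="VulnerableAdobe" protect="false" ignoreDebugger="false" delay="true"/>
  <protectionGroup name="VulnerableDelayOffice" protect="false" ignoreDebugger="false" delay="true"/>
</antiExploit>"""


def read_mode(xml_text):
    """Return 'disabled', 'silent', 'detect', 'prevent', or 'mixed' for a state the article does not define."""
    root = ET.fromstring(xml_text)
    if root.tag != "antiExploit":
        raise ValueError("root element is not <antiExploit>")
    if root.get("enabled") != "true":
        return "disabled"
    if root.get("silent") == "true":
        return "silent"                      # silent="true": no user notice, no forensics, no termination
    groups = root.findall("protectionGroup")
    if not groups or any(g.get("protect") != "true" for g in groups):
        return "mixed"                       # silent="false" but not every group protects
    if all(g.get("action") == "suspend" for g in groups):
        return "prevent"                     # protect="true" + action="suspend" on every group
    if all(g.get("action") is None for g in groups):
        return "detect"                      # protect="true" and no action attribute
    return "mixed"


def set_mode(xml_text, mode):
    """Rewrite the attributes exactly as the article's steps do and return the new XML text."""
    if mode not in ("disabled", "silent", "detect", "prevent"):
        raise ValueError("unknown mode: %s" % mode)
    root = ET.fromstring(xml_text)
    root.set("enabled", "false" if mode == "disabled" else "true")
    root.set("silent", "true" if mode in ("disabled", "silent") else "false")
    for g in root.findall("protectionGroup"):
        if mode in ("detect", "prevent"):
            g.set("protect", "true")         # both modes require protect="true" on ALL groups
        if mode == "prevent":
            g.set("action", "suspend")       # prevent additionally terminates the application
        else:
            g.attrib.pop("action", None)     # detect/silent/disabled carry no action attribute
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(read_mode(SAMPLE_POLICY), "->", read_mode(set_mode(SAMPLE_POLICY, "prevent")))
```

To check a real endpoint, read the file at the path given above into `read_mode`; the function raises if the root element is not antiExploit, which catches a truncated or hand-damaged policy file.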

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
