This new engine provides a unique, multi-phase capability to detect malicious PowerShell usage.
Includes full AMSI (Antimalware Scan Interface) integration to obtain, analyze and report decoded scripts.
Forensic report overhaul with a new style and enhanced reputation integration.
Completely redesigned Overview and General screens.
Many small usability and visual enhancements throughout the report.
View decoded script content as part of the report itself.
See the Enhancements section below for additional information.
Forensics now has major performance improvements.
There is a major reduction (roughly 50% fewer events) in the amount of data stored, which results in lower I/O usage and better performance.
See the enhancements below for the full list of performance enhancements.
Forensics Analysis takes on average 20% less time to complete. For larger reports the time taken will be further reduced.
Stack Pivoting detection is enabled as a new exploit detection technique in Anti-Exploit. Stack pivoting is an exploit technique that moves the stack pointer to a fake stack built in attacker-controlled memory.
Anti-Exploit now protects the Equation Editor process by default. This helps to cover the following CVEs:
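The check behind stack-pivot detection is simple to state: whenever a monitored, sensitive API is entered, the thread's current stack pointer must lie inside the stack the operating system gave that thread; if it points anywhere else (heap, a data section, a mapped file), the stack has been pivoted. The following is an added example, not Check Point code, that implements that check in C. On Windows the bounds would come from the thread's TEB (StackLimit/StackBase); as an assumption so the example runs offline, it reads the main thread's `[stack]` region from `/proc/self/maps` on Linux instead. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds of a thread's legitimate stack. A Windows exploit-mitigation hook
 * reads these from the thread's TEB (StackLimit/StackBase); this example
 * instead takes the main thread's "[stack]" region from /proc/self/maps
 * on Linux (an assumption made so the example runs offline). */
struct stack_bounds {
    uintptr_t limit;  /* lowest valid stack address */
    uintptr_t base;   /* one past the highest valid stack address */
};

/* Core stack-pivot check: a stack pointer observed when a monitored API is
 * entered must lie inside [limit, base). Returns 1 if the stack looks
 * pivoted (sp outside the real stack), 0 if it looks legitimate. */
int is_stack_pivoted(uintptr_t sp, const struct stack_bounds *b)
{
    return !(sp >= b->limit && sp < b->base);
}

/* Linux stand-in for TEB StackLimit/StackBase: parse /proc/self/maps for the
 * main thread's "[stack]" mapping. Returns 0 on success, -1 otherwise. */
int main_thread_stack_bounds(struct stack_bounds *out)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp == NULL)
        return -1;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        unsigned long from, to;
        if (sscanf(line, "%lx-%lx", &from, &to) == 2 &&
            strstr(line, "[stack]") != NULL) {
            out->limit = (uintptr_t)from;
            out->base = (uintptr_t)to;
            found = 1;
            break;
        }
    }
    fclose(fp);
    return found ? 0 : -1;
}

/* A legitimate call: the caller's stack pointer (approximated by the address
 * of a local variable) is inside the real stack, so the check passes (0). */
int check_current_sp(void)
{
    struct stack_bounds b;
    if (main_thread_stack_bounds(&b) != 0)
        return -1;
    volatile int marker = 0;
    return is_stack_pivoted((uintptr_t)&marker, &b);
}

/* What a pivot looks like to the monitor: the stack pointer value points into
 * heap memory, which is never inside the thread's real stack, so the check
 * reports 1. (The pointer is only compared, never used as a stack.) */
int check_heap_as_sp(void)
{
    struct stack_bounds b;
    if (main_thread_stack_bounds(&b) != 0)
        return -1;
    void *heap = malloc(4096);
    if (heap == NULL)
        return -1;
    int pivoted = is_stack_pivoted((uintptr_t)heap, &b);
    free(heap);
    return pivoted;
}

int main(void)
{
    printf("legitimate stack pointer flagged as pivot: %d\n", check_current_sp());
    printf("heap address used as stack pointer flagged as pivot: %d\n", check_heap_as_sp());
    return 0;
}
```

The comparison itself is cheap, which is why products can afford to run it on every entry to a protected API; the real engineering cost is in reading the bounds reliably for the thread in question (thread stacks other than the main thread's do not carry a `[stack]` label in `/proc/self/maps`, so a production implementation would query the thread's own descriptor rather than parse that file).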
Anti-Ransomware, Behavioral Guard and Forensics
Enhances Behavioral Guard with the ability to perform deep inspections of both behavior and script content of PowerShell and Fileless attacks.
Improves Forensic reports with decoded PowerShell scripts obtained through the AMSI integration. This feature is only available on Windows 10.
Adds many new suspicious events for the Forensic report, including new PowerShell related suspicious events.
Fixes a crash occurring when Forensics, Anti-Ransomware and Behavior Guard are processing an existing policy while receiving a new policy.
Fixes a rare issue of sustained high CPU utilization when the Forensics service is unable to communicate with the driver.
Improves Forensic performance by adding static exclusions for well-known file operations. This addition alone can reduce the number of file operations stored by up to 80% on some machines.
Improves Forensics performance by adding dynamic exclusions for file operations based on a new heuristic. This can reduce the number of file operations stored by up to 30%.
Improves Forensic performance by dynamically excluding registry operations based on a new heuristic. On average, 10% of registry operations are now excluded.
Fixes an issue which caused duplication of log events in Forensics.
Improves Entry Point calculations across multiple scenarios to be more accurate in the Forensic Report.
Fixes most cases where the Entry Point of an attack could be empty; an Entry Point should now almost always be present.
Improves the Forensics report so that Command Prompt windows (cmd.exe) opened for interactive typing no longer appear in the Forensic report, although they may appear in the Entry Point instead.
Improves the Forensic Analysis to follow files referenced in the arguments of processes already included in the incident.
The Forensics report now shows the termination status for every process present in the report.
Fixes an issue that could lead to incomplete termination of processes involved in a Ransomware incident.
Processes shown in a report that were already closed when the report was generated now correctly show as terminated, even if the remediation policy for termination is disabled.
Fixes an issue where some Forensic report icons may be missing when upgrading to E80.89. The icons are now present when upgrading to E80.90.
Fixes an issue with the scroll bar not appearing correctly if there are multiple nodes in the Entry Point view of the Forensics Report.
Fixes a Forensics Analysis issue where script processes such as PowerShell did not appear in the report when cmd.exe was involved and the script process was not the trigger.
Process arguments and script contents are now stored in encoded form in Forensic reports. This prevents antivirus products from deleting the reports when they match signatures on the raw argument or script content.
Adds support to include the Malware Family from URL reputation if present in the Forensic report.
Fixes an issue which could result in the User Name appearing empty in the Forensic Report.
Fixes a visual issue in the Forensic report where the distance between processes could be very large if a process has a lot of lines of text.
Updates the default exclusions for Anti-Ransomware.
Threat Emulation and Anti-Exploit
Anti-Exploit now has an additional exploit prevention technology, stack pivoting detection.
Anti-Exploit now protects Equation Editor from known and unknown exploit attempts.
Fixes a crash when the Anti-Bot database is held by another process in the system.
SandBlast Agent Updater
Adds support for Static Analysis updates running in parallel to other updates using the Updater. Fixes an issue where the wrong service is restarted when updating two products together.
Download SmartConsole with the E80.90 client to avoid "signature verification failed" messages when uploading the client to the SmartConsole.
Starting from E80.85, SandBlast Agent improves coverage of malicious threats by sending anonymized Incident related data to the Check Point Threat Cloud. This feature is turned on by default. For more information, including how to disable this feature, refer to sk129753.
To support SmartLog or SmartView Tracker reporting with Endpoint Security Clients for all supported servers (except R80.20), you must update the log schema. Follow instructions in sk106662.
Endpoint Security E80.90 Clients
E80.90 Endpoint Security Clients for Windows OS (Recommended)
A zip file that contains all package permutations listed below.
E80.90 Complete Endpoint Security Client for 32 bit systems