Harmony Endpoint (former SandBlast Agent) Best Practice Configuration

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk154052
Technical Level
Product	Harmony Endpoint
Version	R80.40, R81, E82.x (EOL), E83.x (EOL), E84.x (EOL), E85.x (EOL), R81.10, E86.x, E87.x
Date Created	25-May-2019
Last Modified	11-Jan-2023

Solution

Refer to the following articles before you begin

Harmony Endpoint Best Practice configuration

The following section explains how to set the Best Practice configuration

Note that this is just the initial recommended configuration, and from this point any organization should tailor the solution to their needs in order to maximize the utilization
At the moment, you can get more granular control through SmartEndpoint

Step By Step - Web Console - Harmony Endpoint Best Practice configuration

Policy Description	Policy Configuration
Web & Files Protection
Best Practice - URL Filtering Set to Prevent Check Security Check Legal Liability/Regulatory compliance Additional categories should be enabled according to organizational and regulatory needs Add URLs to the Black list for specific use cases Exclude specific URLs if needed It is less recommended to globally allow users to dismiss the alert and access the website
Best Practice - Download protection Stage 1 - Set to Prevent Choose to suspend until emulation completes Unsupported files - Allow download (Fail Open)
Best Practice - Download protection Stage 2 - Choose to Get extracted copy before emulation completes Before enabling make sure to educate users that they receive a clean copy without any active content and if the file is not malicious they are able to receive it from the SandBlast Agent Browser extension
Best Practice - Files protection Set Anti-Malware Prevent to ON Set Files Threat Emulation Detect to ON Anti-Malware periodic scan every month and update signature interval every 4 hours It is possible to perform periodic scans in shorter interval and to allow users to cancel the scan up to one month Remember that SandBlast Agent include real time protection during runtime so an Anti-Malware periodic scan can be in longer intervals to support users productivity
Behavioral Protection
Best Practice - Anti-Bot Set to Prevent
Best Practice - Behavioral Guard & Anti-Ransomware Set to Prevent Enable network share protection if needed to recover from file encryption when network shares are used
Best Practice - Anti-Exploit Stage 1 - Set to Detect Monitor for events that can cause applications interruptions before moving to prevent
Best Practice - Anti-Exploit Stage 2 - Set to Prevent Once confidence is achieved that all applications work without interruptions Changing Anti-Exploit mode requires reboot to reload all monitored applications and complete the mode change
Analysis & Remediation
Best Practice - Automated attack analysis (Forensics) Set Enable protection to ON Set Enable Threat Hunting to ON
Best Practice - Remediation & Response Set Attack remediation to ON It is recommended to Terminate trusted processes for full attack chain remediation Set File quarantine to ON For critical locations or Power users it is possible to allow users to restore items from quarantine

Step By Step - SmartEvent - Harmony Endpoint Best Practice configuration

Table of Contents:

Anti-Ransomware, Behavioral Guard and Forensics settings
Anti-Bot settings
SandBlast Agent Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings
Anti-Malware settings
Exclusions

Anti-Ransomware, Behavioral Guard and Forensics settings

Policy Description	Policy profile configuration
Best Practice Action Profile = Triggers and automatic response Forensics Analysis = Always File Quarantine = High And Medium Machine Quarantine = Never Attack Remediation = High And Medium
Best Practice Action Profile = Monitoring and Exclusions Exclusions are set for the non_CP_AV certificate Maximum Forensics Database Size on Disk = 1GByte Note: It is recommended to monitor the forensics performance impact and to exclude trusted certificates and processes to reduce the load *Do not exclude the OS vendor certificate
Best Practice Action Profile = Attack Remediation Malicious files = Quarantine Suspicious files = Quarantine Unknown files = Quarantine Trusted files = Terminate
Best Practice Action Profile = File Quarantine No default exclusions Keep files in Quarantine for = 90 Days Quarantine folder name = %ProgramData%\CheckPoint\Endpoint Security\Remediation\Quarantine\ Copy quarantine files to a central location = Disabled Allow Users to delete items from quarantine = Enabled Allow users to restore items from quarantine = Disabled
Best Practice Action Profile = Anti Ransomware and Behavioral Guard Anti-Ransomware and Behavioral Guard = Enabled Exclusions are set for: C:\Windows\explorer.exe Check Point Software Technologies Ltd. Certificate Non_CP_AV certificate Backup settings: Anti-Ransomware Automatic Restore and Remediate = Enabled Restore to selected location = Disabled Anti-Ransomware Maximum Backup size on disk = 1025 Mbytes Backup time interval = 60 minutes Note: For Development areas it is recommended to exclude a specific folder that is used for development process once enabling Anti-Ransomware and Behavioral Guard It is recommended to set Behavioral Guard to prevent medium and High events and detect low Detailed information is at sk130012 - SandBlast Agent Behavioral Guard Advanced Configuration

Anti-Bot Settings

Policy Description	Policy profile configuration
Best Practice Action Profile = Blade Activation High Confidence = Prevent Medium Confidence = Prevent Low Confidence = Detect
Best Practice Action Profile = Detection Exclusions Allow detection exclusions for following trusted entities = Enabled Exclusions are set for: Protected domains Protected URLs
Best Practice Action Profile = General Settings Connection handling mode = Hold Hours to suppress logs for same bot protection = 1 Days to remove bot reporting after = 3 Note: Move to Hold mode gradually has it might have an impact on browsing time. It is recommeded to exclude protected domains and urls before moving to Hold mode

Harmony Endpoint Threat Extraction, Threat Emulation, Zero Phishing and Anti-Exploit settings

Policy Description	Policy profile configuration
Best Practice Action Profile = Web Download Protection Stage 1: Files that can be extracted and emulated = Emulate and Suspend original file until emulation completes Files that can only be emulated = Emulate and Suspend original file until emulation completes When neither extraction nor emulation is supported (Other Files) = Allow Download Note: It is recommended to move to Best Practice with Threat Extraction in 2 stages Threat Extraction affects the user experience and needs to be communicated and educated before it is enabled Stage 2: Files that can be extracted and emulated = Extract and Suspend original file until emulation completes Files that can only be emulated = Emulate and Suspend original file until emulation completes When neither extraction nor emulation is supported (Other Files) = Allow Download	Stage 1 Stage 2
Best Practice Action Profile = Files System Monitor Enabled monitoring = Enabled Default action for files written to file system = Emulate
Best Practice Action Profile = Environment Settings Appliance Type = SandBlast Cloud Emulation Environments = Use Check Point Recommended emulation environments Upload to emulation files less than = 15 MBytes
Best Practice Action Profile = Inspected Domains and files Exclusions are set for: Protected Domains
Best Practice Action Profile = Zero Phishing settings Phishing protection = Prevent Access and Log Send log on each scanned site = Enabled Allow user to dismiss the phishing alert and continue to access the site = Disabled Allow user to abort phishing scans = Disabled Note: For Password reuse to work, please add the protected domains under the password reuse section
Best Practice Action Profile = Anti-Exploit Settings Enable Anti-Exploit = Enabled Terminate exploited application and log = Enabled Detect exploited application and log = Disabled Protected Applications = Default existing list
Best Practice Action Profile = Static File Analysis Settings Static File Analysis is activated and prevent malicious files

Anti-Malware configuration - use default settings

Exclusions

It is recommended to create exclusions before the first deployment - through the planning phase. Exclusions can also be created through the first deployment phase on the Test/POC group of assets.

During the learning mode phase notice the following for exclusions:

Internally trusted processes or certified applications that create FPs or load.
Do not exclude the OS (Microsoft/Apple) certificate
Internally trusted and protected domains

How to exclude?

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating