Performance improvements in Forensics, Behavioral Guard and Threat Emulation.
The Zero Phishing agent now uses a brand new Machine Learning model and the Check Point reputation service for up-to-date information on malicious phishing sites to improve detection rates.
Behavioral Guard now has the ability to prevent the execution of malicious scripts (PowerShell, for example). In earlier releases, Behavioral Guard detected and terminated the scripts after their execution.
VPN adds the ability to match the VPN user to the logged-in Windows user and display it in the username field of the connect dialog.
VPN adds the ability to disable implicit SDL when SDL is enabled.
VPN adds the ability to choose a customized Display Name when creating a site from a link.
VPN adds the ability to enable the Connect button before any response is written.
Fixes a rare crash that can occur when you send ICMP packets.
Includes stability and quality fixes. Supports all the features of previous releases.
Fixes an issue where no Anti-Malware logs show in the GUI under the Anti-Malware blade if a malicious file is quarantined after a manual Anti-Malware scan.
Threat Emulation and Anti-Exploit
30% reduction in I/O while monitoring files created on the system.
Fixes an Anti-Exploit issue that causes an instance of Chrome to crash occasionally with an "Aw, snap" message.
Anti-Ransomware, Behavioral Guard and Forensics
Files backed up by Anti-Ransomware can no longer be viewed by users who did not originally have access to the file.
Ransomware events first detected by Behavioral Guard are now treated like Anti-Ransomware detections, with the ability to restore modified files automatically.
Anti-Ransomware better recognizes older honeypots now and deletes them if they are not in use.
Fixes a false positive in Anti-Ransomware that involves runtimebroker.exe.
Fixes Anti-Ransomware false positives associated with user account deletions.
Anti-Ransomware is now much less likely to be triggered on file changes made over a very long period of time (days).
Improves Forensics performance with a drastic reduction in the number of Anti-Ransomware patterns that are no longer relevant.
Fixes an extremely rare infinite loop in Behavioral Guard.
Improves performance in Behavioral Guard by reducing the amount of local logs written.
Behavioral Guard now creates logs and sends them to Management.
Behavioral Guard now has the ability to block PowerShell attacks if the rule is set to prevent them. The scripts in such cases never execute.
Adds more behavioral detections that involve the use of Microsoft HTML Application (MSHTA).
Adds more default and dynamic exclusions to Forensics monitoring to improve performance.
Adds many new suspicious events in Forensics.
Improves the performance of user mode process certificate checks with the introduction of a caching system.
Fixes an issue where a certificate is mistakenly declared invalid in Forensics when the root certificate is not present. Processes using such certificates will no longer appear as unsigned.
Fixes a rare crash in Forensics where configuration settings for a Forensics sensor may be called before the sensor starts.
Fixes a potential, but rare, infinite loop in the Forensics Analysis.
Fixes an issue that causes a crash during Forensics Report creation that can occur if explorer is terminated.
Fixes an issue in the Forensics analysis that causes a Windows Management Instrumentation Command-Line Utility (WMIC) process that invokes another WMIC process to not appear in the execution tree.
Processes considered to be the "trigger" in Forensics can no longer be hidden when a large number of processes are involved in a Forensics incident.
Adds support for certain applications to be treated as Entry Point applications instead of appearing in the execution tree. This prevents automatic remediation of the application. The Lookeen application is an example.
Forensics now correctly shows that a file is already deleted when Anti-Malware quarantines the file.
Fixes an issue that occurs when a user name is not shown in a Forensics Report.
The Windows System process no longer appears in the list of remediation items, if it is involved in an incident, and it is not sent for remediation that would fail.
The Windows System process now always appears as trusted in the Forensics report.
Business Impact shown in the Forensics Report no longer contains files from Windows folders, as well as from the SandBlastBackup folder.
Media Encryption and Port Protection
Fixes issues with container size calculation, when encryption fails with "not enough space for encryption" error.
Media Encryption and Port Protection have performance improvements with Box Drive software.
Firewall and Application Control
Allows opening ranges of ports for hotspot registrations. See sk41586.
Fixes a rare issue where Endpoint crashes during an upgrade.
Resolves a BSOD in vsdatant.sys during client upgrade.
Fixes an issue where the "Application Control" blade uses 100% of the CPU for a few seconds during boot time.
SandBlast can now update quickly with new trusted signers to reduce the number of false positives across all the technologies.
Fixes an issue that causes expired root certificates to not be validated.
Starting from E80.85, SandBlast Agent improves coverage of malicious threats by sending anonymized Incident related data to the Check Point Threat Cloud. This feature is turned on by default. For more information, including how to disable this feature, refer to sk129753.
To support SmartLog or SmartView Tracker reporting with Endpoint Security Clients for all supported servers (except R80.20), you must update the log schema. Follow instructions in sk106662.
Endpoint Security E81.20 Clients
E81.20 Endpoint Security Clients for Windows OS (Recommended)
A zip file that contains all package permutations listed below.
E81.20 Complete Endpoint Security Client for 32 bit systems