Check Point Response to SNIcat
Symptoms
  • mnemonic published a tool for bypassing HTTPS Inspection on various firewalls, not including Check Point Security Gateway. Read the full report "SNIcat: Circumventing the guardians" at: https://www.mnemonic.no/blog/introducing-snicat
Solution
Check Point’s HTTPS Inspection and Threat Prevention have multiple layers of defense that block the use of the SNIcat tool and do not allow this attack vector to bypass the Security Gateway.

However, when malicious software is already running inside the network, modified versions of the SNIcat tool may be able to overcome some of these defenses. To avoid this, in addition to enabling all Threat Prevention blades and HTTPS Inspection, Check Point also recommends:
  1. The use of Check Point Endpoint Security
  2. A hardened rule base that blocks uncategorized destinations, with HTTPS Inspection working in Hold mode (so a connection is not allowed through until its destination has been categorized).
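The recommendation above is about what the gateway can see before any decryption happens: the SNI field in the TLS ClientHello is cleartext, so a tool that packs data into server names gets that data past inspection unless the destination itself is blocked or the name is flagged. The following added example (written for this page; it is not Check Point code and not part of the mnemonic report) shows what such a check looks like in practice: it parses the server_name extension out of a raw ClientHello record and scores the hostname with two assumed heuristics, overall length and Shannon entropy of the labels left of the registrable domain. The thresholds, the two-label apex assumption and the sample hostnames are all constructed for illustration.

```python
import math
import struct
from collections import Counter
from typing import Optional

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000

# Assumed thresholds (not from the page): tune against your own baseline of SNI values.
MAX_SNI_LEN = 64          # hostnames longer than this are rare in normal traffic
MIN_PREFIX_LEN = 20       # only score entropy once there is enough subdomain text to measure
ENTROPY_THRESHOLD = 4.5   # bits/char; base32/hex-encoded payloads sit near 4-5, words sit lower

# Constructed sample hostnames: a normal one and one whose subdomains are the base32 alphabet.
BENIGN_SNI = "www.example.com"
SUSPICIOUS_SNI = ("abcdefghijklmnopqrstuvwxyz234567."
                  "abcdefghijklmnopqrstuvwxyz234567.c2.example")


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with a single server_name extension (test input only)."""
    host = sni.encode("ascii")
    sn_entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type host_name(0), length, name
    sn_list = struct.pack("!H", len(sn_entry)) + sn_entry              # ServerNameList length prefix
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list  # extension type + length + data
    body = (b"\x03\x03"                    # client_version TLS 1.2
            + b"\x00" * 32                 # random (zeroed; irrelevant to the parser)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\xc0\x2f"          # cipher_suites: one suite
            + b"\x01\x00"                  # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the host_name from the ClientHello's server_name extension, else None."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                      # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                      # compression_methods
    if len(body) < pos + 2:
        return None                                           # no extensions block at all
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:                                     # iterate extensions
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME or len(data) < 5:
            continue
        lpos = 2                                              # skip ServerNameList length
        while lpos + 3 <= len(data):
            ntype = data[lpos]
            nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            if ntype == 0:
                return data[lpos + 3:lpos + 3 + nlen].decode("ascii", errors="replace")
            lpos += 3 + nlen
    return None


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def score_sni(sni: str) -> list:
    """Return the heuristic reasons this SNI looks like an encoded payload; an empty list means nothing fired."""
    reasons = []
    labels = sni.rstrip(".").split(".")
    if len(sni) > MAX_SNI_LEN:
        reasons.append(f"length {len(sni)} exceeds {MAX_SNI_LEN}")
    # Assumption: the registrable domain is the last two labels; everything left of it is attacker-chosen.
    prefix = "".join(labels[:-2])
    if len(prefix) >= MIN_PREFIX_LEN:
        h = shannon_entropy(prefix)
        if h > ENTROPY_THRESHOLD:
            reasons.append(f"subdomain entropy {h:.2f} bits/char exceeds {ENTROPY_THRESHOLD}")
    return reasons


def scan_records(records) -> dict:
    """Map each parsed SNI to its reasons, skipping records that carry no ClientHello SNI."""
    out = {}
    for rec in records:
        sni = extract_sni(rec)
        if sni is not None:
            out[sni] = score_sni(sni)
    return out


if __name__ == "__main__":
    sample = [build_client_hello(BENIGN_SNI), build_client_hello(SUSPICIOUS_SNI), b"\x17\x03\x03\x00\x01\x00"]
    for name, why in scan_records(sample).items():
        print(("FLAG " if why else "ok   ") + name, why)
```

The parser deliberately stops at the first host_name entry and tolerates truncated or non-handshake records by returning None rather than raising, which is what you want when feeding it packets rather than hand-built input. Note that a gateway in Hold mode blocks on categorization of exactly this hostname, so the same score could gate a categorization lookup: a flagged name that is also uncategorized is the case the rule base above is meant to drop.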

In addition, Check Point has developed the following protections to catch the SNIcat tool:

SandBlast Agent
  • Trojan.Win.Snicat.A
  • Trojan.Win.Snicat.B

Threat Emulation
  • Trojan.Wins.Snicat.C
  • Trojan.Wins.Snicat.D

Application Control
  • SNIcat (Server Name Indication Concatenator)
  • Part of the Anonymizer category
