Enhances Behavioral Guard LNK file detections to cover more advanced techniques and exploits.
Adds a new zip sensor that scans the names of embedded files on zip creation and stores this information in Threat Hunting and Forensics. The Forensics Analysis uses this information to improve the Entry Point analysis.
The remote execution sensor now stores information for executions when the technique is unknown. This shows in Threat Hunting as type "Unknown".
Significantly improves Forensics Analysis performance and memory usage. Larger analyses can be 90% faster and consume 50% less memory.
Significantly reduces Forensic report size to allow faster downloads and views in SmartLog and Threat Hunting.
Resolves an issue where the Anti-Malware blade applies new "Client Settings" policy only if there is an update of the Anti-Malware policy.
SandBlast Agent Static Analysis
Enhances the current machine-learning model with a significantly increased detection rate for executables.
Anti-Ransomware, Behavioral Guard and Forensics
Improves the credential dumping protection to detect non-standard techniques.
Fixes an issue where the most recent two versions of the Endpoint Security Client incorrectly disable Credential Dumping improvements.
Adds new capabilities to the LNK sensor that allow Behavioral Guard to improve its malicious LNK detection rate.
Adds the ability to exclude PowerShell file execution by a folder or a signer.
Adds a new sensor that monitors the creation of zip files and stores the zipped content information for Forensics and Threat Hunting.
Significantly improves the Forensics analysis time and memory usage. The more complex the analysis, the greater the improvement.
Reduces the average size of the Forensics report by 40%. The larger the report, the greater the improvement.
Remote executions now show as generic remote execution records, if they do not map as one of the supported types.
Fixes an issue in the remote execution sensor for Forensics that causes an incorrect mapping of the source machine IP in rare scenarios.
Fixes an issue where Remote Desktop Protocol (RDP) connections incorrectly show as remote executions.
Reduces the Remote execution sensor's memory usage in Forensics.
Fixes a very rare crash in the Forensics component.
Improves Forensics performance on machines with the reduction of logged exceptions when a sensor does not activate.
Improves Forensics performance with the reduction of logged exceptions when reputation is not available.
Improves the performance of Behavioral Guard's rule matching when looking at file-related behaviors.
Fixes an issue where Forensics can cause high CPU usages when the reputation service is inaccessible.
Adds an optimization that improves the performance of the File Sensor in Forensics as it deletes duplicated records.
Fixes multiple issues in missing Forensic log information. Now the resource field and related file fields display correctly where relevant.
Fixes an issue where the associated Forensics log for an Anti-Ransomware event sends out a few hours later.
Fixes an issue where the Anti-Ransomware does not restore deleted honeypot files.
Fixes an issue where file operations may be lost immediately after the creation of an LNK file.
Fixes a rare issue where the user login information in a Forensics report does not calculate correctly.
Fixes an issue in the Forensics Analysis entry point where an incorrect process shows for files that download in the presence of the browser extension.
Fixes an issue where a GPO launched detection no longer adds other GPO scripts and processes to the Forensics incident.
Fixes an issue where a file operation does not show in the Forensics report if the operation succeeds after a failure.
Fixes an issue where the Forensics Report Overview redirects incorrectly if there is no execution tree or network data in the report.
Adds a new icon for unsigned and unknown reputation processes in the Forensics report.
Firewall and Application Control
Resolves a rare issue where the Application Control Process (Vsmon.exe) crashes when the "Termination On Execution" feature is set in policy.
Full Disk Encryption
Resolves an issue where 2 reboots are needed for the install of FDE in offline mode.
Pre-boot bypass with the Trusted Platform Module (TPM) resolves the issue with reboots during a Windows startup.
Improves the stability for reboots during the initial encryption of UEFI machines.
Improves Windows upgrades with FDE to address mistakes if the user does not follow sk120667.
The initial encryption of FDE for only data is now part of the FDE policy. See sk102026 for more details.
Media Encryption and Port Protection
Fixes the issue where Windows 10 upgrades require an extra restart to repair Media Encryption and Port Protection. Now, an extra restart is only necessary for Windows 10 version 1709 and lower.
Enhances the procedures for virtual drives to prevent file operation interruptions.
Fixes an issue with Always Connect after a reboot, if the user authenticates with the certificate from the CAPI store.
Fixes SCV for the TrendMicro Anti-Virus.
Corrects Japanese and Chinese text.
Adds stability improvements.
SandBlast Agent Browser Extension
Adds redesigned block-pages for URL Filtering, Zero Phishing, and Corporate Password Reuse. The new pages show when the browser extension blocks a page and notifies the user.
Resolves an issue where a redundant reboot occurs after an Endpoint Security Client upgrade due to an inaccurate calculation of the blades list.
Resolves an issue where the "Upgrade Now" option is still available after a manual upgrade.
Resolves an issue where the Endpoint Security Client does not connect and the VPN site configuration is missing after a clean install from an exported package, when the username has spaces and 8.3 names are disabled in the target OS.
Resolves an issue where it is not possible to access the cached MSI of a previous version during an Endpoint Security Client upgrade.
Fixes an issue where the client uninstall through the "Uninstall all blades" operation does not complete.
Improves the Endpoint Security Client installation performance when Full Disk Encryption (FDE) is in offline mode.
Fixes an issue where the client does not connect to the server after a clean installation of an exported dynamic package.
Resolves high CPU usage by the EP Watch Dog (EPWD) process while it tries to restart a monitored process.
Resolves an issue when 'Hosts' and 'Imhosts' files (at 'C:\Windows\System32\drivers\etc') are locked and users can not edit them.
Resolves an issue where most blades falsely show as not active for a few seconds after an Endpoint Security Client upgrade.
Resolves a rare issue where the blades falsely show as not active due to internal communication issues.
Increases the internal report buffer size to allow more reports to reach the server when the network throughput is low.
Starting from E80.85, SandBlast Agent improves coverage of malicious threats by sending anonymized Incident related data to the Check Point Threat Cloud. This feature is turned on by default. For more information, including how to disable this feature, refer to sk129753.
To support SmartLog or SmartView Tracker reporting with Endpoint Security Clients for all supported servers (except R80.20), you must update the log schema. Follow instructions in sk106662.