- Feb 25, 2017
- 2,504
How can it have an advantage when both managed to keep a clean system. Even with threat emulation the system would have been clean. It can't be cleaner than clean
CheckPoint Harmony vs DeepInstinct Endpoint
- Thread starter Shadowra
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Feb 7, 2023
- 1,737
Exactly…How can it have an advantage when both managed to keep a clean system. Even with threat emulation the system would have been clean. It can't be cleaner than clean
My thought was the same.
- Feb 25, 2017
- 2,504
Thats everything people have to know. Harmony is definitely more complete. DI only protects against malware, while it can't protect you from phishing and other attacks. When using Deep Instinct you should also rely on an external web-protection addon or secure DNS. If you only look for a strong, simple and light protection against malware, then Deep Instinct won't disappoint you. So it depends on the use case. I am a gamer so Deep Instinct feels like the perfect solution for me.
- Feb 7, 2023
- 1,737
Preferably rely on both DNS and web filter because secure DNS like NextDNS and Control D will block for example Domain Generation Algorithms (where attackers generate and register domains at the spot, specially for you). Secure DNS will see they are less than 30 days old and will block that, something that ThreatCloud as of this year does as well (with AI).
Only a web filter (specially one that only works in the browser) you will leave some gaps, and it can come around and bite you.
I'm not sure whether the DI vs Harmony test involved the above. @Shadowra should be able to answer this. If not then can @Shadowra do further test against phishing and data theft malware?
It's good to have layers of technologies for security since no single one can do everything to protect you.
There are 2 which I don't think it's useful
One is files backup/restore vs system backup/restore assuming a malware (especially ransomware) breached your system. Yes, you can turn it off but it's not going to help or use another 3rd-party one.
Secondly, it's the use of a sandbox for threat emulation. You cannot analyse a large file in the business environment for it'll take time to confirm the file is safe for use. Time which a user cannot wait. Generally, when a file is received it'll be worked upon immediately. Sandbox looks like yesterday technology. Also, does the Harmony vs DI test involved Harmony's threat emulation? If no maybe @Shadowra can trigger it some how. Or is it the last line of defense since malware can be blocked using other technologies?
As for network attacks. This is 2023 so not sure how's the going
Deep Instinct Raises $100M To Block Endpoint, Network Attacks | CRN
Deep Instinct has raised $100 million to build out a channel organization and expand its prevention capabilities from the endpoint to the network and cloud.
www.crn.com
Yes, DI can complement an EDR.
Sometimes less is more
Last edited:
- Feb 7, 2023
- 1,737
@Shadowra will be unable to test DI against phishing because DI does not include any anti-phishing or other network filtering components.
Threat emulation is not technology from yesterday, in fact Content Disarm and Reconstruction (patented by Check Point) and Threat Emulation are now deemed necessity, the second most important components on a business environment after Next Generation Firewall.
The Check Point threat emulation does not analyse large files and as a general rule, malware is not a large file. Large files must be trusted software installers (such as MS Office, Adobe Photoshop and others). Thousands of developers within these companies work for years and this is how the large file is born. Malware has just very few capabilities hence it is small.
Malware can be artificially inflated and packed with garbage!
In that case other components will block it, emulation is not the be-all end-all in Harmony.
Also, threat emulation can be configured to deliver the file instantly and then remove it later on if it turns out to be malicious. Documents are always delivered instantly in a sanitised format (businesses operate mostly with documents). Even if users will have to wait, 5 minutes spent waiting on emulation are nothing compared to what will happen if all machines experience a ransomware attack - there will be days, sometimes months of downtime and employees will work with flying papers and pen. And under the GDPR a EUR 25 Million or 4% of last year's turnover (whichever is greater) + the loss of business, customers and trust will be the consequence.
So, wanna wait 5 minutes or you prefer to open everything with full speed?
Last edited:
- Feb 25, 2017
- 2,504
I already shared it a while ago. In this case DI prevented Ingress Tool Transfer so that the malicious content couldn't be downloaded from the C&C server. In this case the LOLBin "certutil.exe" was used to download the file.
You can find the samples on @cruelsister profile under "status updates"
So I would call that at least some kind of network protection.
- Feb 7, 2023
- 1,737
Usually Ingress Tool Transfer translates to abuse of LOLBins, turning them into puppets to download malicious content. This can be blocked with network filters without a doubt, but can also be achieved via PowerShell monitoring (they may try downloading via BITS, IEX and others). Or they may use techniques such as process hollowing, abusing certutil and others. By monitoring API and LOLBin calls and by plugging in to the AMSI you can detect these even without network filter.
Ingress Tool Transfer, Technique T1105 - Enterprise | MITRE ATT&CK®
But of course, if you have network filters, even better.
- Feb 25, 2017
- 2,504
So the question is how did DI manage to block it. Network monitoring or powershell monitoring?Usually Ingress Tool Transfer translates to abuse of LOLBins, turning them into puppets to download malicious content. This can be blocked with network filters without a doubt, but can also be achieved via PowerShell monitoring (they may try downloading via BITS, IEX and others). Or they may use techniques such as process hollowing. By monitoring API and LOLBin calls and by plugging in to the AMSI you can detect these even without network filter.
Ingress Tool Transfer, Technique T1105 - Enterprise | MITRE ATT&CK®
attack.mitre.org
But of course, if you have network filters, even better.
- Feb 7, 2023
- 1,737
I am not sure what exactly the sample was doing but more information should be provided in logs. These are all DI drivers. There is no network monitor.So the question is how did DI manage to block it. Network monitoring or powershell monitoring?
piquiteco
Level 14
- Oct 16, 2022
- 626
This is true, I have to agree, the other day I saw the guy deflating a file using Hexadecimal editor and through there he removes the extra hex values, then saves and the file becomes relatively small and detectable by AV, believe me he uses this technique. If I am wrong in what I said please correct me @Trident or @Kongo or @Shadowra
- Feb 25, 2017
- 2,504
Will check the logs tomorrow. Either way, Firewall Hardenings LOLBin rules blocked the outbound connection.
I’ll get some sleep now. Wishing you all a good night.
- Feb 7, 2023
- 1,737
I checked the log with all network filters as well by running netsh wfp show filters. There is nothing related to DI.Will check the logs tomorrow. Either way, Firewall Hardenings LOLBin rules blocked the outbound connection.
I’ll get some sleep now. Wishing you all a good night.
Good night @Kongo.
Attachments
- Feb 25, 2017
- 2,504
Yeah it’s a pretty common technique nowadays to enlarge the file size to evade detection of the AV.This is true, I have to agree, the other day I saw the guy deflating a file using Hexadecimal editor and through there he removes the extra hex values, then saves and the file becomes relatively small and detectable by AV, believe me he uses this technique. If I am wrong in what I said please correct me @Trident or @Kongo or @Shadowra
Here a little bit more in depth:
Poisoned CCleaner search results spread information-stealing malware
Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report...
malwaretips.com
DI says otherwise
Top-3 Drawbacks of Content Disarm + Reconstruction (CDR) for Malware Prevention | Deep Instinct
While traditional approaches like AV and Sandbox have been used by many organizations in an attempt to catch malicious content, they have severe drawbacks when it comes to speed, efficacy, and scale. CDR was created to address these concerns. On paper, Content Disarm and Reconstruction (CDR)...
www.deepinstinct.com
- Feb 7, 2023
- 1,737
Check Point does not convert content to PDF. Original file with executable content becomes available few minutes after, but Check Point says above 90% of customers don't download these.DI says otherwise
Top-3 Drawbacks of Content Disarm + Reconstruction (CDR) for Malware Prevention | Deep Instinct
While traditional approaches like AV and Sandbox have been used by many organizations in an attempt to catch malicious content, they have severe drawbacks when it comes to speed, efficacy, and scale. CDR was created to address these concerns. On paper, Content Disarm and Reconstruction (CDR)...
What is Content Disarm and Reconstruction (CDR) | Votiro
Content Disarm and Reconstruction is an innovative technology that protects businesses from file-borne malware. Dive in to learn more!
votiro.com
API-Based Email Security: Why You Need Content Disarm & Reconstruction
Content Disarm & Reconstruction is an important part of any email security architecture.
www.avanan.com
Check Point does not convert content to PDF. Original file with executable content becomes available few minutes after, but Check Point says above 90% of customers don't download these.
What is Content Disarm and Reconstruction (CDR) | Votiro
Content Disarm and Reconstruction is an innovative technology that protects businesses from file-borne malware. Dive in to learn more!
API-Based Email Security: Why You Need Content Disarm & Reconstruction
Content Disarm & Reconstruction is an important part of any email security architecture.
Of course CDR has its strengths. And cons just like other technologies. Checlpoint will never tell you its CDR weakness nor the weakness of the other technologies it has similarly for DI
I believe Checkpoint also uses AI but not as deep as DI.
IMO, both are great. As a home user I would like to use one which has a simple UI and I don't need to read a 100-page manual
- Feb 7, 2023
- 1,737
CheckPoint uses Deep AI as well.
ThreatCloud AI - Check Point Software
Learn about Check Point's ThreatCloud, the brain behind all of check point's products.
www.checkpoint.com
Same goes for everyone else. Did DeepInstict tell you anywhere that Static Analysis can easily be evaded by the use of a custom packer? The extractor engine gets nothing but noise and the classifiers can’t work with noise, they need features. I don’t see it on the DI page.
BTW the manuals are always large. Even Norton and Bitdefender for home have like 200-300 pages manual
DI and Check Point one come at 300-400. I wanted to print the Check Point manual but I can't do this to the environment. We gotta be sustainable nowadays.
Last edited:
this tool might help with bloated files GitHub - Squiblydoo/debloat: A GUI tool for removing bloat from executablesPoisoned CCleaner search results spread information-stealing malware
Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report...
- Feb 7, 2023
- 1,737
Yeah but it damages some files. I prefer to do it manually, it's fun
I wonder how long before debloating logics are built-in to AVs... probably not too long.
Similar threads
