Serious Discussion Harmony Endpoint by Check Point

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,035
They do, yes. Not all of them are equal though. If anyone finds this feature not useful, they can disable it.
Yes, not all features are made equal and that's why there's a protection difference in the different software.

Like to comment on files rollback usefulness or not so usefulness?
 

HarborFront

Not sure why out of all the features, this one has caught your attention that much.

That's because no security software can 100% protect and prevent against ransomware despite all its other fantastic features.

Yes, rollback is the last line of defense against ransomware so looking at this feature, if available, can save the cost of paying for a dedicated backup and restore software

Some AV/AM software do come with files rollback. No system rollback though.

Now looking at the more expensive endpoints. So far only looked at DI, Trellix and Harmony. Maybe some others will/will not offer such a feature.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,749
Yes, rollback is the last line of defense against ransomware so looking at this feature, if available, can save the cost of paying for a dedicated backup and restore software
Rollback is available in Check Point Harmony. It saves the files prior to their modification. The bigger the size of the anti-ransomware database selected, the more files will be saved. Businesses can dedicate 5-10GB to the ransomware database or even more.

In addition, ransomware can be prevented across various layers, from malicious websites blocking and email protection, to anti-malware, emulation, behavioural blocking, trap files, Intel TDT and many others.
 

HarborFront

Rollback is available in Check Point Harmony. It saves the files prior to their modification. The bigger the size of the anti-ransomware database selected, the more files will be saved. Businesses can dedicate 5-10GB to the ransomware database or even more.

In addition, ransomware can be prevented across various layers, from malicious websites blocking and email protection, to anti-malware, emulation, behavioural blocking, trap files, Intel TDT and many others.

I believe it's files-only rollback. No system rollback

Trellix provides a more comprehensive backup and rollback. And it has system backup and rollback. It's as good as a 3rd-party one


Note

I hope I'm reading correctly that its system backup is the same as the system backup carried out by a 3rd-party backup and restore software, i.e. everything on the C: drive including system and boot partitions
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,095
I believe it's files-only rollback. No system rollback

Trellix provides a more comprehensive backup and rollback. And it has system backup and rollback. It's as good as a 3rd-party one

Perhaps off-topic, but Norton is backing up designated files / folders in the background in addition to whatever other backups I'm doing, although I don't know how that works with remediation if needed, I'm recently new to Norton, I have it on a VM. It was recommended by a friend.
 

Trident

Perhaps off-topic, but Norton is backing up designated files / folders in the background in addition to whatever other backups I'm doing, although I don't know how that works with remediation if needed, I'm recently new to Norton, I have it on a VM. It was recommended by a friend.
For backup with Harmony Endpoint as well as with Trellix and with any other Endpoint Security/EDR, admins will have to purchase and deploy a backup/disk cloning solution.
 

HarborFront

Perhaps off-topic, but Norton is backing up designated files / folders in the background in addition to whatever other backups I'm doing, although I don't know how that works with remediation if needed, I'm recently new to Norton, I have it on a VM. It was recommended by a friend.
For Norton AV/AM it only provides files rollback

All AV/AM for home use don't come with system rollback feature unless I missed one.
 

Trident

For Norton AV/AM it only provides files rollback and it has no protection for its backups against ransomware

All AV/AM for home use don't come with system rollback feature unless I missed one.
I am not really sure what you are talking about but the Norton discussion here is off-topic. Norton is not in any way related to Check Point. Also, I am not sure what you mean by system rollback, in my 20 years dealing with security software, this is the first time I am hearing that. Rollback from security software is offered to the point of deleting all infection components and reverting changes in files and settings.

Norton offers protection for its backup, its offline backup will not fall under ransomware encryption due to the unusual format (not media files) and the cloud backup can’t ever be encrypted.
 

HarborFront

For backup with Harmony Endpoint as well as with Trellix and with any other Endpoint Security/EDR, admins will have to purchase and deploy a backup/disk cloning solution.
Yup, for Trellix need to separately purchase another module

 

HarborFront

I am not really sure what you are talking about but the Norton discussion here is off-topic. Norton is not in any way related to Check Point. Also, I am not sure what you mean by system rollback, in my 20 years dealing with security software, this is the first time I am hearing that. Rollback from security software is offered to the point of deleting all infection components and reverting changes in files and settings.

Norton offers protection for its backup, its offline backup will not fall under ransomware encryption due to the unusual format (not media files) and the cloud backup can’t ever be encrypted.

How? Permission-based or with hidden partition and password?
 

Trident

This thread is for Check Point Harmony line of products. For other products and services as well as their internals, please start another thread and members will be happy to discuss.
 

HarborFront

Files rollback means rolling back encrypted files which are specified to be protected and monitored. Here the data files usually have a backup copy. In the event the original files are compromised the backup will be rolled back. However, only some file extensions are covered since, by default, some folders/files are protected with some added folders/files by the user. As explained, a ransomware is crafted to encrypt as many types of file extensions as possible. So those unmonitored and unprotected data files will be encrypted with no rollback. It can range from tens to tens of thousands of such files littered throughout the system. Whether some of such files do or do not affect the system performance is unknown.

System rollback means rolling back the entire system (C: drive) of files. Here ALL the file extensions are covered. It is a better option than files rollback.
 

Trident

Harmony covers all files by halting encryption programs until the file is copied in a repository. Once the file (any file in any directory) is copied, the program is allowed to perform modifications. If the behaviour looks like ransomware, files are restored from the repository. This is how all rollback software works. The one with the extensions manages access permissions. In addition, Harmony offers features such as Capsule Docs that can further protect documents from encryptions and exfiltration.
 

HarborFront

Harmony covers all files by halting encryption programs until the file is copied in a repository. Once the file (any file in any directory) is copied, the program is allowed to perform modifications. If the behaviour looks like ransomware, files are restored from the repository. This is how all rollback software works. The one with the extensions manages access permissions. In addition, Harmony offers features such as Capsule Docs that can further protect documents from encryptions and exfiltration.
I copied the below from one of the spoilers on the 1st page

The Anti-Ransomware creates the honeypot files in these folders:

  • C:\Users\Public\Music
  • C:\Users\<User>\Music (MyMusic)
  • C:\Users\Public\Documents
  • C:\Users\<User>\Documents (MyDocuments)
  • C:\Users\Public\Videos
  • C:\Users\<User>\Videos (MyVideos)
  • C:\Users\Public\Pictures
  • C:\Users\<User>\Pictures (MyPictures)
  • C:\Program Files (x86)
  • C:\ProgramData
  • C:\Users\<User>\AppData\Roaming
  • C:\Users\<User>\AppData\Local
  • C:\Users\<User>\Downloads
Sure it covers a lot of areas. Hmmm......desktop not covered. And whether ALL file extensions are covered.....that I'm not sure
 

Trident

From those locations you can roughly tell what file extensions are protected
As I said in a post above already, all files are protected as long as there is space in the repository. The trap files are not linked to any other protections, as the name of the function suggests, these are files which cause ransomware to slip and reveal its behaviour. Even without touching the trap files, ransomware behaviour can be identified by monitoring API calls, memory operations and others. Trap files represent just one more way.
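
The copy-before-modify repository and trap-file signal described in the posts above, as an added toy model that is not part of the original thread and not Check Point's code. The class and function names, the byte sizes and the sample files are constructed assumptions; the point it shows is that files modified after the repository fills up cannot be restored.

```python
import shutil, tempfile
from pathlib import Path

class RollbackRepo:
    """Toy copy-before-modify repository with a size cap (hypothetical names)."""
    def __init__(self, repo_dir, capacity_bytes, trap_files=()):
        self.repo_dir, self.capacity, self.used = repo_dir, capacity_bytes, 0
        self.saved = {}          # original path -> saved pre-modification copy
        self.unprotected = []    # files changed after the repository filled up
        self.trap_files, self.trap_hit = set(trap_files), False

    def guarded_write(self, path, data):
        """Hold the write until the original is copied, then let it proceed."""
        if path in self.trap_files:
            self.trap_hit = True  # one behavioural signal among several
        if path not in self.saved and path.exists():
            size = path.stat().st_size
            if self.used + size <= self.capacity:
                copy = self.repo_dir / str(len(self.saved))
                shutil.copy2(path, copy)
                self.saved[path] = copy
                self.used += size
            else:
                self.unprotected.append(path)
        path.write_bytes(data)

    def rollback(self):
        """Restore every file that has a saved copy."""
        for original, copy in self.saved.items():
            shutil.copy2(copy, original)

def demo(capacity_bytes):
    """Constructed scenario: three 100-byte documents and a trap file are overwritten."""
    root = Path(tempfile.mkdtemp())
    repo_dir = root / "repo"
    repo_dir.mkdir()
    paths = [root / n for n in ("a.docx", "b.xlsx", "c.jpg", "trap.doc")]
    for p in paths:
        p.write_bytes(b"O" * 100)
    repo = RollbackRepo(repo_dir, capacity_bytes, trap_files=[paths[3]])
    for p in paths:              # simulated bulk overwrite by one process
        repo.guarded_write(p, b"X" * 100)
    if repo.trap_hit:            # verdict reached: restore what was saved
        repo.rollback()
    intact = [p.name for p in paths if p.read_bytes() == b"O" * 100]
    shutil.rmtree(root)
    return intact, len(repo.unprotected)

if __name__ == "__main__":
    print(demo(400), demo(250))
```

With a 400-byte cap every file is restored; with a 250-byte cap only the first two are, and the other two stay overwritten.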
 

HarborFront

As I said in a post above already, all files are protected as long as there is space in the repository. The trap files are not linked to any other protections, as the name of the function suggests, these are files which cause ransomware to slip and reveal its behaviour. Even without touching the trap files, ransomware behaviour can be identified by monitoring API calls, memory operations and others. Trap files represent just one more way.

What I was saying is that those locations are the likely locations where important data files will be found and the ransomware will attack. That's why a honeypot has been set up to trap the ransomware. Of course those files in the honeypot are not the original files.

You (or the software) perform files rollback because the system has been breached, otherwise there's no need to do one.
 