App Review CheckPoint Harmony vs DeepInstinct Endpoint

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,517
They are a tie on malware protection. But then if you compare all other dangers which businesses can experience, these are:
  • Phishing (which is behind most breaches)
  • Credentials reuse by employees who are not careful
  • Attack investigation and response (Harmony is an EDR, DI is not)
  • Data theft and leakage
  • Network attacks
DeepInstinct does not protect against these and Harmony does, plus it blocked the malware. So how is DeepInstinct better, I am asking @HarborFront to explain the logic behind the statement that’s been repeated here few times.
Thats everything people have to know. Harmony is definitely more complete. DI only protects against malware, while it can't protect you from phishing and other attacks. When using Deep Instinct you should also rely on an external web-protection addon or secure DNS. If you only look for a strong, simple and light protection against malware, then Deep Instinct won't disappoint you. So it depends on the use case. I am a gamer so Deep Instinct feels like the perfect solution for me.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,755
Thats everything people have to know. Harmony is definitely more complete. DI only protects against malware, while it can't protect you from phishing and other attacks. When using Deep Instinct you should also rely on an external web-protection addon or secure DNS.
Preferably rely on both DNS and web filter because secure DNS like NextDNS and Control D will block for example Domain Generation Algorithms (where attackers generate and register domains at the spot, specially for you). Secure DNS will see they are less than 30 days old and will block that, something that ThreatCloud as of this year does as well (with AI).
Only a web filter (specially one that only works in the browser) you will leave some gaps, and it can come around and bite you.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,039
They are a tie on malware protection. But then if you compare all other dangers which businesses can experience, these are:
  • Phishing (which is behind most breaches)
  • Credentials reuse by employees who are not careful
  • Attack investigation and response (Harmony is an EDR, DI is not)
  • Data theft and leakage
  • Network attacks
DeepInstinct does not protect against these and Harmony does, plus it blocked the malware. So how is DeepInstinct better, I am asking @HarborFront to explain the logic behind the statement that’s been repeated here few times.
I'm not sure whether the DI vs Harmony test involved the above. @Shadowra should be able to answer this. If not then can @Shadowra do further test against phishing and data theft malware?

It's good to have layers of technologies for security since no single one can do everything to protect you.

There are 2 which I don't think it's useful

One is files backup/restore vs system backup/restore assuming a malware (especially ransomware) breached your system. Yes, you can turn it off but it's not going to help or use another 3rd-party one.

Secondly, it's the use of a sandbox for threat emulation. You cannot analyse a large file in the business environment for it'll take time to confirm the file is safe for use. Time which a user cannot wait. Generally, when a file is received it'll be worked upon immediately. Sandbox looks like yesterday technology. Also, does the Harmony vs DI test involved Harmony's threat emulation? If no maybe @Shadowra can trigger it some how. Or is it the last line of defense since malware can be blocked using other technologies?

As for network attacks. This is 2023 so not sure how's the going


Yes, DI can complement an EDR.

Sometimes less is more
 
Last edited:

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,755
I'm not sure whether the DI vs Harmony test involved the above. @Shadowra should be able to answer this. If not then can @Shadowa do further test against phishing and data theft malware?
@Shadowra will be unable to test DI against phishing because DI does not include any anti-phishing or other network filtering components.

Secondly, it's the use of a sandbox for threat emulation. You cannot analyse a large file in the business environment for it'll take time to confirm the file is safe for use. Time which a user cannot wait. Generally, when a file is received it'll be worked upon immediately. Sandbox looks like yesterday technology. Also, does the Harmony vs DI test involved Harmony's threat emulation? If no maybe @Shadowa can trigger it some how. Or is it the last line of defense since malware can be blocked using other technologies?
Threat emulation is not technology from yesterday, in fact Content Disarm and Reconstruction (patented by Check Point) and Threat Emulation are now deemed necessity, the second most important components on a business environment after Next Generation Firewall.

The Check Point threat emulation does not analyse large files and as a general rule, malware is not a large file. Large files must be trusted software installers (such as MS Office, Adobe Photoshop and others). Thousands of developers within these companies work for years and this is how the large file is born. Malware has just very few capabilities hence it is small.
Malware can be artificially inflated and packed with garbage!
In that case other components will block it, emulation is not the be-all end-all in Harmony.

Also, threat emulation can be configured to deliver the file instantly and then remove it later on if it turns out to be malicious. Documents are always delivered instantly in a sanitised format (businesses operate mostly with documents). Even if users will have to wait, 5 minutes spent waiting on emulation are nothing compared to what will happen if all machines experience a ransomware attack - there will be days, sometimes months of downtime and employees will work with flying papers and pen. And under the GDPR a EUR 25 Million or 4% of last year's turnover (whichever is greater) + the loss of business, customers and trust will be the consequence.

So, wanna wait 5 minutes or you prefer to open everything with full speed?
 
Last edited:

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,517
DI does not include any anti-phishing or other network filtering components

Screenshot 2023-06-26 011414.png


I already shared it a while ago. In this case DI prevented Ingress Tool Transfer so that the malicious content couldn't be downloaded from the C&C server. In this case the LOLBin "certutil.exe" was used to download the file.

You can find the samples on @cruelsister profile under "status updates"

So I would call that at least some kind of network protection.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,755
View attachment 276583

I already shared it a while ago. In this case DI prevented Ingress Tool Transfer so that the malicious content couldn't be downloaded from the C&C server. In this case the LOLBin "certuil.exe" was used to download the file.

You can find the test file on @cruelsister profile under "status updates"

So I would call that at least some kind of network protection.
Usually Ingress Tool Transfer translates to abuse of LOLBins, turning them into puppets to download malicious content. This can be blocked with network filters without a doubt, but can also be achieved via PowerShell monitoring (they may try downloading via BITS, IEX and others). Or they may use techniques such as process hollowing, abusing certutil and others. By monitoring API and LOLBin calls and by plugging in to the AMSI you can detect these even without network filter.

But of course, if you have network filters, even better.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,517
Usually Ingress Tool Transfer translates to abuse of LOLBins, turning them into puppets to download malicious content. This can be blocked with network filters without a doubt, but can also be achieved via PowerShell monitoring (they may try downloading via BITS, IEX and others). Or they may use techniques such as process hollowing. By monitoring API and LOLBin calls and by plugging in to the AMSI you can detect these even without network filter.

But of course, if you have network filters, even better.
So the question is how did DI manage to block it. Network monitoring or powershell monitoring? :unsure:
 

piquiteco

Level 14
Oct 16, 2022
624
Malware can be artificially inflated and packed with garbage!
In that case other components will block it, emulation is not the be-all end-all in Harmony.
This is true, I have to agree, the other day I saw the guy deflating a file using Hexadecimal editor and through there he removes the extra hex values, then saves and the file becomes relatively small and detectable by AV, believe me he uses this technique. If I am wrong in what I said please correct me @Trident or @Kongo or @Shadowra :rolleyes:
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,517
I am not sure what exactly the sample was doing but more information should be provided in logs. These are all DI drivers. There is no network monitor.
View attachment 276584
Will check the logs tomorrow. Either way, Firewall Hardenings LOLBin rules blocked the outbound connection.

I’ll get some sleep now. Wishing you all a good night. 🌙 🙃
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,755
Will check the logs tomorrow. Either way, Firewall Hardenings LOLBin rules blocked the outbound connection.

I’ll get some sleep now. Wishing you all a good night. 🌙 🙃
I checked the log with all network filters as well by running netsh wfp show filters. There is nothing related to DI.

Good night @Kongo.
 

Attachments

  • 1687736758977.png
    1687736758977.png
    101.7 KB · Views: 124

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,517
This is true, I have to agree, the other day I saw the guy deflating a file using Hexadecimal editor and through there he removes the extra hex values, then saves and the file becomes relatively small and detectable by AV, believe me he uses this technique. If I am wrong in what I said please correct me @Trident or @Kongo or @Shadowra :rolleyes:
Yeah it’s a pretty common technique nowadays to enlarge the file size to evade detection of the AV.
Here a little bit more in depth:

 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,039
@Shadowra will be unable to test DI against phishing because DI does not include any anti-phishing or other network filtering components.


Threat emulation is not technology from yesterday, in fact Content Disarm and Reconstruction (patented by Check Point) and Threat Emulation are now deemed necessity, the second most important components on a business environment after Next Generation Firewall.

The Check Point threat emulation does not analyse large files and as a general rule, malware is not a large file. Large files must be trusted software installers (such as MS Office, Adobe Photoshop and others). Thousands of developers within these companies work for years and this is how the large file is born. Malware has just very few capabilities hence it is small.
Malware can be artificially inflated and packed with garbage!
In that case other components will block it, emulation is not the be-all end-all in Harmony.

Also, threat emulation can be configured to deliver the file instantly and then remove it later on if it turns out to be malicious. Documents are always delivered instantly in a sanitised format (businesses operate mostly with documents). Even if users will have to wait, 5 minutes spent waiting on emulation are nothing compared to what will happen if all machines experience a ransomware attack - there will be days, sometimes months of downtime and employees will work with flying papers and pen. And under the GDPR a EUR 25 Million or 4% of last year's turnover (whichever is greater) + the loss of business, customers and trust will be the consequence.

So, wanna wait 5 minutes or you prefer to open everything with full speed?
DI says otherwise

 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,755
DI says otherwise

Check Point does not convert content to PDF. Original file with executable content becomes available few minutes after, but Check Point says above 90% of customers don't download these.


CDR breaks down files into their discrete components, strips away anything that doesn't conform to that file type's original specification, and rebuilds a "clean" version that continues on to the intended destination. This real-time process removes zero-day malware and exploits while avoiding the negative business productivity impact that is typically caused by sandbox detonation and quarantine delays.

According to Gartner, CDR is one of the essential items of any email security solution.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,039
Check Point does not convert content to PDF. Original file with executable content becomes available few minutes after, but Check Point says above 90% of customers don't download these.



Of course CDR has its strengths. And cons just like other technologies. Checlpoint will never tell you its CDR weakness nor the weakness of the other technologies it has similarly for DI

I believe Checkpoint also uses AI but not as deep as DI.

IMO, both are great. As a home user I would like to use one which has a simple UI and I don't need to read a 100-page manual
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,755
I believe Checkpoint also uses AI but not as deep as DI.
CheckPoint uses Deep AI as well.
Checlpoint will never tell you its CDR weakness nor the weakness of the other technologies it has.
Same goes for everyone else. Did DeepInstict tell you anywhere that Static Analysis can easily be evaded by the use of a custom packer? The extractor engine gets nothing but noise and the classifiers can’t work with noise, they need features. I don’t see it on the DI page.

BTW the manuals are always large. Even Norton and Bitdefender for home have like 200-300 pages manual :D
DI and Check Point one come at 300-400. I wanted to print the Check Point manual but I can't do this to the environment. We gotta be sustainable nowadays.
 
Last edited:

likeastar20

Level 8
Verified
Mar 24, 2016
369
this tool might help with bloated files GitHub - Squiblydoo/debloat: A GUI tool for removing bloat from executables
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top