Serious Discussion Harmony Endpoint by Check Point

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
This thread is for posts related to Check Point Harmony.

Harmony Endpoint Trial:

What's included in Check Point Harmony Endpoint?

Check Point Harmony Endpoint comes in few editions. Features will be compared first and then we will have an overview of each one of them (what they do, how they do it, why they are even there).

Harmony Endpoint Options and Specifications​






BASICADVANCEDCOMPLETE
Reduce Attack Surface

  • Host Firewall
  • Application Control
  • Compliance
NGAV: Prevent Attacks Before They Run

  • Anti-Malware
  • ML based NGAV
NGAV: Runtime Detection and Protection

  • Anti-Ransomware
  • Behavioral Guard
  • Anti-Bot
  • Anti-Exploit
Web Protection

  • Zero-day Phishing site protection
  • Corporate Password Reuse Protection
  • URL Filtering
  • Malicious site protection
Attack Investigation and Response

  • Forensics collection and detection
  • Forensics report – incident visibility, MITRE mapping
  • Automated attack chain full sterilization
  • Ransomware encrypted files restoration
  • Threat Hunting
VPN Access

  • Remote Access VPN
Threat Intelligence

  • Powered by ThreatCloud AI™
  • Automated IoC and IoA cloud sharing
Centralized Management

  • Cloud Management
  • On-Prem Management *
Support

  • Standard Pro Support (5*9)
Content Disarm & Reconstruction (CDR) across email and web

  • Threat Emulation (sandBox)
  • Threat Extraction (Sanitizes files in 1.5 seconds)
Data Protection

  • Host Encryption
  • Media encryption and port protection
✓ **
Mobile Protection

  • iOS Protection
  • Android Protection
++
Incident Response Service+++
Category 1:
Compliance blade:
Allows you to enforce endpoint compliance on multiple checks before users log into the network. You can check that the:

  • appropriate endpoint security components are installed
  • correct OS service pack are installed on the endpoint
  • only approved applications are able to run on the endpoint
  • appropriate anti-malware product and version is running on the endpoint.

Firewall and Application Control blades:
  • Defines the topology of the organizational network, separating it into Trusted and Internet domains.
  • Blocks or allows network traffic based on attributes of network connections.
  • Controls network access on a per-application basis, letting you restrict application access by zone and direction.
Category 2:
Anti-Malware blade:
  • This is standard, heuristics(mainly), signatures and generic detections provided by Sophos (Sophos AntiVirus Interface or SAVI) AV. This blade provides online and offline protection against known and unknown threats. Also detects malware targeting other platforms (Linux, MacOS and Android) and provides unarchiving abilities as well as True File Type parser that will insect fie properties such as Magic Bytes to determine the real format. The Sophos behavioural genotype by itself relies on Dynamic Analysis. Additional Link
Pre-execution: the behavior of code is analyzed before it runs and is prevented from running if it is considered to be suspicious or malicious (e.g. Behavioral Genotype ®, Suspicious File Detection)
  • Next-Gen AV (Static Analysis) blade: This is an engine trained to look at the attributes of executable files. In harmony Endpoint (opposed to ZoneAlarm) the strictness of NGAV can be tweaked across three confidence levels: Low, Medium and High. An admin can configure what levels of confidence will trigger incident investigation and remediation. Handling even low and medium confidence detection will improve the identification of malicious files but may increase false positives. It is recommended an admin to leave the solution at least for 2 weeks on default policy until it creates the appropriate whitelist and then security can be boosted.
There are three configuration options for this protection:

  • Prevent - Protects your files from malware threats.
  • Detect - Detects the threats, so they appear in the logs, although the virus or malware are still executable. Use this mode with caution.
  • Off - No protection from malware.
To configure the advanced settings for files protection, go to Advanced Settings > Files Protections.

General​

  • Malware Treatment - The malware treatment options let you select what happens to malware that is detected on a client computer:
    • Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is deleted and put in a secure location from where it can be restored if necessary.
    • Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.
  • Riskware Treatment - Riskware is a legal software that might be dangerous.
    • Treat as malware - Use the option selected for Malware.
    • Skip file - Do not treat riskware files.
    • Detect unusual activity - Use behavior detection methods to protect computers from new threats whose information were not added to the databases yet. It does not monitor trusted processes.
    • Enable reputation service for files, web resources & processes - Use cloud technologies to improve precision of scanning and monitoring functions. If you enable or disable this setting, it takes affect after the client computer restarts.
      Connection timeout - Change the maximum time to get a response from Reputation Services (in milliseconds). Default is 600.
      Note.png
      Note - If you decrease this value, it can improve the performance of the Anti-Malware component but reduces security, as clients might not get a reputation status that shows an item to be zero-day malware.
    • Enable web protection - Prevents access to suspicious sites and execution of malicious scripts Scans files, and packed executables transferred over HTTP, and alerts users if malicious content is.found.
  • Mail Protection - Enable or disable scans of email messages when they are passed as files across the file system.

Signature​

  • Frequency
    Anti-Malware gets malware signature updates at regular intervals to make sure that it can scan for the newest threats. These actions define the frequency of the signature updates and the source:
    • Update signatures every [x] hours - Signature updates occur every [x] hours from the Endpoint Policy Server Closed and the External Check Point Signature Server.
    • Signature update will fail after [x] seconds without server response - The connection timeout, after which the update source is considered unavailable.
  • Signature Sources
    • External Check point Signature Server - Get updates from a dedicated, external Check Point server through the internet.
    • Local Endpoint Servers - Get updates from the Endpoint Security Management Server Closed or configured Endpoint Policy Server.
    • Other External Source - Get updates from an external source through the internet. Enter the URL.
  • Shared signature source - Get updates from a shared location on an Endpoint Security client that acts as a Shared Signature Server. This solution is curated for Virtual Desktop Infrastructure (VDI) environments, but can be leveraged for other scenarios as well. This makes it possible to protect non-persistent virtual desktops in Virtual Desktop Infrastructure (VDI) environments. Each non-persistent virtual desktop runs an Endpoint Security, and gets Anti-Malware and Threat Prevention signatures from a shared folder on the Shared Signature Server that is a persistent virtual machine.
    • Second Priority - Set a fallback update source to use if the selected update source fails. Select a different option than the first signature source.
    • Third Priority - Set a fallback update source to use if the other sources fail.
    • Note.png
      Note - If only update from local Endpoint Servers is selected, clients that are disconnected from an Endpoint Security server cannot get updates.

Scan​

Anti-Malware scans computers for malware at regular intervals to make sure that suspicious files are treated, quarantined, or deleted.

  • Perform Periodic Scan - Select one of these options to define the frequency of the scans:
    • Every Month- Select the day of the month on which the scan takes place and the Scan start hour.
    • Every Week - Select the day of the week on which the scan takes place and the Scan start hour.
    • Every Day - Select the scan start hour.
    • Scan on Idle - Specify the idle time duration for the endpoint. The Harmony Endpoint Security client initiates the initial or periodic Anti-Malware scan only when the endpoint remains idle for the specified duration. If the device is not idle, the scan is postponed for 24 hours. After this 24-hour period, the Harmony Endpoint Security client initiates the initial or periodic Anti-Malware scan, irrespective of whether the device is idle or in use.
    • Note.png
      Note - Scan on Idle is not supported with the DHS compliant Anti-Malware blade.
    Optional :
    • Randomize scan time - Mandatory for Virtual Desktop Infrastructure (VDI). Select this option to make sure that not all computers do a scan for malware at the same time. This makes sure that network performance is not affected by many simultaneous scans. In Start scan and End scan, specify the time range during which the scan can start and end.
    • Run initial scan after the Anti-Malware blades installation.
    • Allow user to cancel scan.
    • Prohibit cancel scan if more than days passed since last successful scan.
  • Scan Targets - Select the target for the Anti-Malware scan:
    • Critical areas
    • Optical drives
    • Local drives
    • Mail messages
    • Removable drives
    • Unrecognized devices
    • Network devices
    • Note.png
      Note - Critical areas and Mail messages are not supported for macOS and with the DHS compliant Anti-Malware blade.
  • Scan Target Exclusions - Select the checkboxes to skip scanning of certain files.
    • Skip archives and non executables - Skips scanning of archive file formats (for example, .zip, 7zip, tar.gz, rar, and so on) and non-executable files (files without the execute permission).
      Note.png
      Note - Skip archives and non executables are not supported with the DHS compliant Anti-Malware blade.
    • Do not scan files larger than - Specify the file size limit. If the file size is larger than the specified limit, then the system skips scanning the file. The default file size limit is 20 MB.
      Note.png
      Note - The maximum supported file size for the Anti-Malware scan depends on the endpoint's system specifications, such as CPU, RAM and so on.

Category 3 (Runtime Protection)
Behavioural Guard, Forensics, Anti-Exploit, Anti-Bot, Anti-Ransomware: Constantly Monitor API Calls, memory, file, registry and network operations to classify, block and reverse behaviour that looks like malicious.

Behavioral Protection​

Behavioral protection includes Anti-Bot Closed , Behavioral Guard and Anti-Ransomware protections.

The Anti-Bot Component​

There are two emerging trends in today's threat landscape:

  • A profit-driven cybercrime industry that uses different tools to meet its goals. This industry includes cyber-criminals, malware operators, tool providers, coders, and affiliate programs. Their "products" can be easily ordered online from numerous sites (for example, do-it-yourself malware kits, spam sending, data theft, and denial of service attacks) and organizations are finding it difficult to fight off these attacks.
  • Ideological and state driven attacks that target people or organizations to promote a political cause or carry out a cyber-warfare campaign.
Both trends are driven by bot attacks.

A bot is malicious software that can invade your computer. There are many infection methods. These include opening attachments that exploit a vulnerability and accessing a website that results in a malicious download.

When a bot infects a computer, it:

  • Takes control over the computer and neutralizes its Anti-Virus Closed defenses. Bots are difficult to detect because they hide within your computer and change the way they appear to the Anti-Virus software.
  • Connects to a Command and Control (C&C) center for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to execute illegal activities without your knowledge. These activities include:
    • Data theft (personal, financial, intellectual property, organizational)
    • Sending SPAM
    • Attacking resources (Denial of Service Attacks)
    • Bandwidth consumption that affects productivity
In many cases, a single bot can create multiple threats. Bots are often used as tools in attacks known as Advanced Persistent Threats (APTs) where cyber criminals pinpoint individuals or organizations for attack. A botnet is a collection of compromised computers.

The Check Point Endpoint Anti-Bot component detects and prevents these bot threats

The Anti-Bot component:

  • Uses the ThreatCloud repository to receive updates, and queries the repository for classification of unidentified IP, URL, and DNS resources.
  • Prevents damage by blocking bot communication to C&C sites and makes sure that no sensitive information is stolen or sent out of the organization.
The Endpoint Anti-Bot component uses these procedures to identify bot infected computers:

  • Identify the C&C addresses used by criminals to control bots
  • These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.
The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.

Configuring Anti-Bot​

There are three configuration options for the Anti-Bot protection:

  • Prevent - Blocks bots.
  • Detect - Logs information about bots, but does not block them.
  • Off - Ignores bots (does not prevent or detect them)

Advanced Anti-Bot Settings:​

  • Background Protection Mode:
    • Background - This is the default mode. Connections are allowed while the bots are checked in the background.
    • Hold - Connections are blocked until the bot check is complete.
  • Hours to suppress logs for same bot protection - To minimize the size of the Anti-Bot logs, actions for the same bot are only logged one time per hour. The default value is 1 hour. To change the default log interval , select a number of hours.
  • Days to remove bot reporting after - If a bot does not connect to its command and control server after the selected number of days, the client stops reporting that it is infected. The default value is 3 days.
  • Confidence Level - The confidence level is how sure Endpoint Security is that an activity is malicious. High confidence means that it is almost certain that the activity is malicious. Medium confidence means that it is very likely that the activity is malicious. You can manually change the settings for each confidence level. Select the action for High confidence, medium confidence and low confidence bots:
    • Prevent - Blocks bots
    • Detect - Logs information about bots, but does not block them.
    • Off - Ignores bots (does not prevent or detect them).

The Behavioral Guard & Anti-Ransomware Component​

Behavioral Guard constantly monitors files and network activity for suspicious behavior.

Note.png
Note - Behavioral Guard also parses the email (through an add-in to Microsoft Outlook) to include the details in the forensics report in the event of a malicious attack through an email.
The Anti-Ransomware creates honeypot files on client computers, and stops the attack immediately after it detects that the ransomware modified the files.

The Anti-Ransomware creates the honeypot files in these folders:

  • C:\Users\Public\Music
  • C:\Users\<User>\Music (MyMusic)
  • C:\Users\Public\Documents
  • C:\Users\<User>\Documents (MyDocuments)
  • C:\Users\Public\Videos
  • C:\Users\<User>\Videos (MyVideos)
  • C:\Users\Public\Pictures
  • C:\Users\<User>\Pictures (MyPictures)
  • C:\Program Files (x86)
  • C:\ProgramData
  • C:\Users\<User>\AppData\Roaming
  • C:\Users\<User>\AppData\Local
  • C:\Users\<User>\Downloads
You can identify these folders by the lock icon that is associated with the name of the folder.

For example:

ar_lock.png


The file names include these strings, or similar:

  • CP
  • CheckPoint
  • Check Point
  • Check-Point
  • Sandblast Agent
  • Sandblast Zero-Day
  • Endpoint
Before ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.

  • Prevent - The attack is remediated. Logs, alerts and a forensic report are created.
  • Detect - Logs, alerts and a forensic report are created.
  • Off - Nothing is done on the detection, a log is not created

Advanced Behavioral Guard & Anti-Ransomware Settings​

  • Enable network share protection - Enables the protection of shared folders on the network. All shared folders are protected, regardless of the protocol. Remote devices are not protected.
  • Block Volume Encryption tools (BitLocker and Similar Tools): As many ransomwares use volume encryption software, such as BitLocker to encrypt drives.
    Note.png
    Note - This feature is supported with the Harmony Endpoint Security Client Closed version E86.30 with the default client mode as Detect. With the Harmony Endpoint Security Client version E86.50 and higher, the default client mode is Prevent.
    You can block such programs from:
    • Encrypting unencrypted drives
    • Modifying the encryption of encrypted drives (such as changing password)
    • If you want to encrypt your drive with BitLocker or a similar software:
    • Encrypt the drive before you install the Harmony Endpoint Security Client, or
    • Disable this protection, encrypt and resume this protection
  • Low memory mode: Significantly reduces memory utilization by retaining only the most recently matched signatures. However, there is a slight drop in the detection rate. It is recommended to enable this setting only for system with low memory capacity. This is supported only with the Endpoint Security Client version E87.30 and higher.

Backup Settings​

When Anti-Ransomware is enabled, it constantly monitors files and processes for unusual activity. Before a ransomware attack can encrypt files,Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.

  • Restore to selected location - - By default, files are restored to their original location. To restore files to a different location, select this option and enter the location to which you want to restore the files in the Choose location field. Each time files are automatically restored, they will be put in the selected location.
  • Anti-Ransomware maximum backup size on disk - Set the maximum amount of storage for Anti-Ransomware backups. The default value is 1 GB.
  • Backup time interval - Within this time interval, each file is only backed up one time, even if it is changed multiple times. The default value is 60 minutes.
  • Backup Settings - Change default types to be backed up - Click this to see a list of file types that are included in the Anti-Ransomware backup files. You can add or remove file types from the list and change the Maximum Size of files that are backed up.
  • Disk Usage - By default, Forensics uses up to 1 GB of disk space on the client computer for data.

The Anti-Exploit Component​

Harmony Endpoint Anti-Exploit detects zero-day and unknown attacks, and provides protection to vulnerable processes from exploitation. Files on your computer are sent to a testing area for emulation to detect malicious files and content.

There are three configuration options for the Anti-Exploit protection:

  • Prevent - Prevents the attack and suspends the application under attack.
  • Detect - Detects and logs the attack information. Does not prevent the attack.
  • Off - The Anti-Exploit protection is disabled.

Analysis & Remediation​

Automated Attack Analysis (Forensics)​

Harmony Endpoint Forensics analyzes attacks detected by other detection features like Anti-Ransomware or Behavioral Guard, and some third-party security products.
On detection of a malicious event or file, Forensics is informed and a Forensics analysis is automatically initiated. After the analysis is completed, the entire attack sequence is presented as a Forensics Analysis Report. If Endpoint Security Management Servers do not have internet connectivity, Forensics information is stored and sent for evaluation immediately when a server connects to the internet.
Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected files and processes work correctly.
Protection mode - Define in which confidence level the incident is analyzed: Always, High, Medium & High, or Never. The confidence level is how sure Endpoint Security is that a file is malicious. High confidence means that it is almost certain that a file is malicious. Medium confidence means that it is very likely that a file is malicious. The default value is Always.
Enable Threat Hunting - Threat Hunting is enabled by default. To learn more about Threat Hunting, see Threat Hunting.

Remediation & Response​

The Harmony Endpoint File Remediation component applies Remediation to malicious files. When Harmony Endpoint components detect malicious files, they can quarantine those files automatically based on policy, and remediate them if necessary.
You can manually define the confidence level in which Remediation is performed: Always, High, Medium & High, or Never. The confidence level is how sure Endpoint Security is that a file is malicious. High confidence means that it is almost certain that a file is malicious. Medium confidence means that it is very likely that a file is malicious. The default value is Medium & High.

Advanced Remediation & Response Settings​

File Quarantine​

Define the settings for files that are quarantined. By default, items are kept in quarantine for 90 days and users can delete items from quarantine.
  • File quarantine - Select the confidence level in which Remediation is performed: Always High, Medium & High, Never. The default value is Medium & HIgh.
  • Allow users to delete items from quarantine - When selected, users can permanently delete items from the quarantine file on their computers.
  • Allow users to restore items from quarantine - When selected, users can restore items from the quarantine file on their computers.
  • Copy quarantine files to central location -Enter a central location to which the quarantined files from the client computers are copied.

File Remediation​

Define what happens to the components of an attack that is detected by Forensics. When files are quarantined, they are deleted and put in a secure location from which they can be restored, if necessary.
You can manually edit the treatment for each category of file: Malicious, Suspicious, or Unknown. For each category, you can select:
  • Quarantine - Files are deleted and put in a secure location from which they can be restored, if necessary.
  • Delete - Files are permanently deleted.
  • Backup -- Delete the file and create an accessible duplicate.
  • None -- No action is taken.
Trusted files s are those defined as trusted by the Check Point Reputation Service. The Remediation options for Trusted Files are:
  • Terminate - stop the suspicious process.
  • Ignore - Do not terminate processes. Activity is monitored.
Category 4 Web Protection:
Blocks Malicious websites and displays icons next to search results.
Analyses sites in real time to detect brand impersonation and other forms of deception.
Blocks malicious scripts in websites such as scripts related to the Magecart malware.

Web & Files Protection​

This category includes Download (web) Emulation & Extraction, Credential Protection and Files Protection.

URL Filtering​

URL Filtering Closed rules define which sites you can access in your organization. The URL Filtering policy is composed of the selected sites and the mode of operation applied to them.

Note.png
Note:
SmartEndpoint Closed does not support the new capability. It is only supported for web users.
To create the URL Filtering policy:

  1. Select the URL Filtering mode of operation:
    • Prevent - Currently supported only in Hold mode. The request to enter a site is suspended until a verdict regarding the site is received.
    • Detect - Allows access if a site is determined as malicious, but logs the traffic.
    • Off -URL Filtering is disabled.
  2. Select the categories to which the URL Filtering policy applies:
    1. Go to Web & Files Protection > Advanced Settings > URL Filtering > Categories.
    2. Select the required categories:
      Note.png
      Note - For each category, click Edit to see the sub-categories you can select.
    3. Click OK.
  3. Optional: You can select specific URLs to which access is denied. See Blacklisting.
  4. If you want Harmony Endpoint to verify and filter all the URLs accessed by an application or a process, select the Enable Network URL Filtering checkbox. Otherwise, URL filtering is applied only to the URLs accessed through a browser.
The selected mode of operation now applies to the selected categories.

The user can access any site which was not selected in one of the categories or which was not blacklisted.

You can Allow user to dismiss the URL Filtering alert and access the website - This option is selected by default. This lets you access a site determined as malicious, if you think that the verdict is wrong. To do this, go to Advanced Settings > URL Filtering.

Blacklisting​

You can define specific URLs or domains as blacklisted. These URLs/domains will be blocked automatically, while other traffic will be inspected by the URL Filtering rules. You can add the URLs/domain names manually or upload a CSV file with the URLs/domain names you want to include in the blacklist.

To add a URL to the blacklist:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.
  2. In the URLs pane, for each required URL, enter the URL and click the + sign
  3. click OK.
Note.png
Notes:
You can use * and ? as wildcards for blacklisting.
  • * is supported with any string. For example: A* can be ADomain or AB or AAAA.
  • ? is supported with another character. For example, A? can be AA or AB or Ab.
To search for a URL:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.
  2. In the search box, enter the required URL.
    The search results appear in the URLs pane.
    You can edit or delete the URL.
To import URLs from an external source:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.
  2. Next to the search box, click the
    import_URLs.png
    sign (import domains list from a 'csv' file).
  3. Find the required file and click Open.
  4. Click OK.
To export a list of URLs to from the Endpoint Security Management Server to an external source:

  1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.
  2. Next to the search box, click the
    export_URLs.png
    sign (export domains list to a 'csv' file).
  3. Click OK.

Category 5 (Remote Access VPN):
Provide users with secure, seamless remote access to corporate networks and resources when traveling or working remotely. Privacy and integrity of sensitive information is ensured through multi-factor authentication, endpoint system compliance scanning and encryption of all transmitted data.

Adding a New VPN Site to an Exported Package​

When you use an exported package, you can configure each package to connect to a default VPN site which you create.
By default, no VPN site is configured for a new package.
To add a new VPN site to an exported package:
  1. Make sure the exported package includes Endpoint Connect VPN.
  2. You can add a new VPN site through these locations:
    • The Create a Package wizard.
    • The Manage VPN sites button.
    • The package tile:
      • If no VPN site is configured, then click New

      • If a VPN site is already configured, then click Edit > New
  3. Configure these settings:
    • Name - Unique name for this VPN site.
    • Site Address - Site IP address.
    • Authentication Method - One of these:
      • Username-password - Endpoint users authenticate using their VPN user name and password.
      • CAPI certificate - Endpoint users authenticate using the applicable certificate.
      • P12 certificate - Endpoint users authenticate using the applicable certificate.
      • SecurID KeyFob - Endpoint users authenticate using a KeyFob hard token.
      • SecurID PinPad -Endpoint users authenticate using the an SDTID token file and PIN.
      • Challenge-response - Endpoint users authenticate using an administrator supplied response string in response to the challenge prompt.
  4. Click OK.
Category 6 (Content Disarm & Reconstruction (CDR) across email and web)
Makes sure downloads are safe by emulating files from various formats and cleaning up documents from any executable content that may be harmful.

Download (Web) Emulation & Extraction

Harmony Endpoint browser protects against malicious files that you download to your device. For the browsers supported with the Harmony Endpoint Browser extension, see Harmony Browse Administration Guide.

Threat Emulation Closed detects zero-day and unknown attacks. Files on the endpoint computer are sent to a sandbox for emulation to detect evasive zero-day attacks. The following files types are supported:


Threat Emulation Supported File Types
7zlnktbz2
arjpiftbz
bz2pdftb2
batppttgz
CABpptxudf
csvppsuue
compptmwim
cplpotxxlt
dllpotmxls
docppamxlsx
docxppsxxlm
dotppsmxltx
dotxps1xlsm
dotmrarxltm
docmrtfxlsb
exescrxla
gzsldxxlam
hwpsldmxll
isoslkxlw
iqyswfxz
jartarzip
Threat Extraction Closed proactively protects users from malicious content. It quickly delivers safe files while the original files are inspected for potential threats.

To see the list of file types which are supported by Threat Emulation and Threat Extraction, go to Advanced Settings > Threat Emulation > Override Default File Actions > Edit.

These are the configuration options for supported file types:

  • Prevent - Send files for emulation and extraction. For further configuration for supported files, go to Advanced Settings > Supported Files:
    • Get extracted copy before emulation completes - You can select one of these two options:
      • Extract potential malicious elements - The file is sent in its original file type but without malicious elements. Select which malicious parts to extract. For example, macros, Java scripts and so on.
      • Convert to PDF - Converts the file to PDF, and keeps text and formatting.
        Best_Practice.png
        Best Practice - If you use PDFs in right-to-left languages or Asian fonts, preferably select Extract files from potential malicious parts to make sure that these files are processed correctly.
    • Suspend download until emulation completes - The user waits for Threat Emulation to complete. If the file is benign, the gateway sends the original file to the user. If the file is malicious, the gateway presents a Block page and the user does not get access to the file. This option gives you more security, but may cause time delays in downloading files.
    • Emulate original file without suspending access - The gateway sends the original file to the user (even if it turns out eventually that the file is malicious).
    • Allow - All supported files are allowed without emulation. This setting overrides the Prevent setting selected in the main page.
  • Detect - Emulate original file without suspending access to the file and log the incident.
  • Off - Allow file. No emulation or extraction is done. The download of all supported files is allowed.

Unsupported Files​

File types which are not supported by Threat Emulation and Threat Extraction. Unsupported files types can be allowed or blocked. To configure, go to Advanced Settings > Download Protection > Unsupported Files. The settings selected here override the settings selected in the main page.

Additional Emulation Settings:​

Emulation Environments​

To define the maximum size of files that are sent for emulation, go to Advanced Settings > Download Protection > Emulation Environments and specify the file size for Upload and emulate files under.

Note.png
Note - Only the Endpoint Security Client Closed version E86.40 and higher support a maximum file size up to 50 MB. Client versions lower than E86.40 support a maximum file size up to 15 MB.
To select the operating system images on which the emulation is run, go to Advanced Settings > Download Protection > Emulation Environments, and select one of these options:

Override Default Files Actions​

You can override the default actions for specific file types. Go to Advanced Settings > Threat Emulation > Override Default Files Actions > Edit.

In Override Default Files Actions, you can also see the current number of overrides.
Category 7 (Data Protection):
Includes Full Disk Encryption, Media and Ports Protection.

Configuring Full Disk Encryption​

Full Disk Encryption Closed gives you the highest level of data security for Endpoint Security client computers.

It combines boot protection and strong disk encryption to ensure that only authorized users can access data stored in desktop and laptop PCs.

Check Point's Full Disk Encryption has two main components:

  • Check Point Disk Encryption for Windows - Ensures that all volumes of the hard drive and hidden volumes are automatically fully encrypted. This includes system files, temporary files, and even deleted files. There is no user downtime because encryption occurs in the background without noticeable performance loss. The encrypted disk is inaccessible to all unauthorized people.
  • Authentication before the Operating System Loads (Pre-boot) - Requires users to authenticate to their computers before the computer boots. This prevents unauthorized access to the operating system using authentication bypass tools at the operating system level or alternative boot media to bypass boot protection.
Full Disk Encryption also supports BitLocker Encryption for Windows Clients and FileVault Encryption for macOS

The Full Disk Encryption policy contains a pre-defined Default Policy rule Closed , which applies to the entire organization.

Each new rule you create, has pre-defined settings, which you can then edit in the right section of the screen.

The Policy Rule Base consists of these parts:

ColumnDescription
Rule NumberThe sequence of the rules is important because the first rule that matches traffic according to the protected scope is applied.
Rule NameGive the rule a descriptive name.
Applied toThe protected scope to which the rule applies.
Full Disk EncryptionThe configurations that apply to data encryption.
The Policy toolbar includes these options:

To do thisClick this
Create a new rule
create_new_rule.png
Save, view, or discard changes
policy-changes.png
Duplicate a rule
new-above.png

new-below.png
Install Policy
install_policy.png
Search for entity
search.png
Delete a rule
delete-rule.png
For Crypto-Shredding a computer, see sk179911.

Configuring Media Encryption & Port Protection​

Media Encryption & Port Protection Closed protects data stored in the organization by encrypting removable media devices and allowing tight control over computer ports (USB, Bluetooth, and so on). Removable devices are for example: USB storage devices, SD cards, CD/DVD media and external disk drives.

On the client-side, Media Encryption & Port Protection protects sensitive information by encrypting data and requiring authorization for access to storage devices and other input/output devices.

Media Encryption lets users create encrypted storage on removable storage devices that contain business-related data. Encrypted media is displayed as two drives in Windows Explorer. One drive is encrypted for business data. The other drive is not encrypted and can be used for non-business data. Rules can apply different access permissions for business data and non-business data.

Port Protection controls, according to the policy, device access to all available ports including USB and Firewire (a method of transferring information between digital devices, especially audio and video equipment). Policy rules define access rights for each type of removable storage device and the ports that they can connect to. The policy also prevents users from connecting unauthorized devices to computers.

Media Encryption & Port Protection functionalities are available in both Windows and macOS clients (for macOS starting at client version E85.30).

Best_Practice.png
Best Practice - We recommend to not encrypt non-computer external devices such as: digital cameras, smartphones, MP3 players, and the like. Do not encrypt removable media that can be inserted in or connected to such devices.
For instructions on how to encrypt, see sk166110.
Category 8 (Mobile Protection)
Includes the necessary packages to secure and manage mobile devices.

Deploying Endpoint Clients​

To deploy Harmony Endpoint clients to Windows devices:

1. Click Overview and then click Download on the top banner.

2. Click Download button under Windows or macOS, depending on the destination system.

To install the Initial Client:

  1. Do any of these to download the Initial Client:
    1. From the left navigation panel, click Service Management and then in the Download Initial Client section, click on the Download button.
    2. From the left navigation panel, click Overview.and then click on the Download button on the top banner.
2. Deploy the Initial Client to all your Endpoint devices, using a third party deployment tool.

  • Automatic - Use deployment rules to automatically download and install pre-configured packages on Endpoint devices (see Automatic Deployment of Endpoint Clients).
  • Manual - Export component packages to the endpoint devices, using third party deployment software, a shared network path, email, or other method (see Manual Deployment).
Note.png
Note - Admins are recommended not to pre-install Harmony Endpoint when using cloning utilities like Acronis. It is recommended to install Harmony Endpoint after the clone is created, or at least to block the initial registration before creating the clone.
 

kev7

Level 1
Jun 2, 2023
29
sorry i put this in the wrong place it is also in another post !hi is it had to set up and does it also include the threat Emulation what other features does it contain please thank you very much

thank you very much Trident

please may i ask when it is installed will it be installed already with a default settings so to speak and will these give me protection to start with thank you
 

likeastar20

Level 8
Verified
Mar 24, 2016
369
I'm currently using BD GZ mostly for the "sandbox" feature. You can upload files and get a report based on their behavior. Does Harmony Endpoint have something similar?
 

Attachments

  • cachedImage.png
    cachedImage.png
    48.7 KB · Views: 322
  • IMG_2549.jpeg
    IMG_2549.jpeg
    331.2 KB · Views: 289
  • IMG_2552.jpeg
    IMG_2552.jpeg
    327.6 KB · Views: 261
  • IMG_2551.jpeg
    IMG_2551.jpeg
    848.8 KB · Views: 251
  • IMG_2550.jpeg
    IMG_2550.jpeg
    1.5 MB · Views: 280

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
I'm currently using BD GZ mostly for the "sandbox" feature. You can upload files and get a report based on their behavior. Does Harmony Endpoint have something similar?
It can be configured to emulate all supported files (up to specified size no more than 50 MB) for emulation. If anything is malicious. detailed report much better than the BD one is saved. Their emulation integrates the BD engine as well.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
Harmony Endpoint for home user needs to come from reseller, correct? (Perhaps the trial is direct from Checkpoint?) @Trident can you explain a little about how reseller fits into this? I know in another forum you advised about reseller in UK, can you repeat that info here, and also reseller in US, and perhaps other locations too, or perhaps Checkpoint has a link to reseller info. Also, if reseller is in UK and user is in US, is user using cloud to Checkpoint via reseller, wondering about analysis time delay due to distance. How is support from reseller / Checkpoint if needed. (I have had good luck with DeepInstinct support from US reseller, the few times I thought I'd benefit from asking them a question). Thanks.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
@simmerskool , it needs to come from reseller, yes. The whole setup is similar to Deep Instinct. They will provide a guide how to get started. I haven’t asked them any questions, knowing how competent most of these resellers are, they should be asking me.
I don’t think there will be delay in analysis.

You can use partner locator to find a reseller.

I believe I sent you one US-based that was cheap.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
@simmerskool , it needs to come from reseller, yes. The whole setup is similar to Deep Instinct. They will provide a guide how to get started. I haven’t asked them any questions, knowing how competent most of these resellers are, they should be asking me.
I don’t think there will be delay in analysis.

You can use partner locator to find a reseller.

I believe I sent you one US-based that was cheap.
@Trident thanks for the partner locator link. I had the sense the the US based reseller was not full service, but not sure? Meanwhile...
The one in UK you originally provided, Lithify, looks to be "full service" & I think will sell one (1) license(?) Under consideration... :unsure:
"Harmony Endpoint protects laptops and desktops, delivering advanced threat protection for known, unknown and zero-day malware, Sandbox Emulation, enhanced by automated endpoint forensics analysis, access control features and data protection capabilities. Cloud management portal for the service is included. Configuration and ongoing monitoring will be completed for you by Lithify's expert consultants, so that you can enjoy the world's most comprehensive protection without worrying about day to day running."
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
@Trident Bought it. is it possible to share the link to a forensic report? if so, how?
Forensic report can be shared by placing it in a compressed folder. Then you can upload it somewhere and send a link. In addition, in the Smart Endpoint Console you should have a link as well.

@simmerskool I purchased license only, which was cheaper. I sent them an enquiry and they gave me a lower quote. I don’t like my security being managed. You can do the same.

Guys, have a look at this. It’s again from Lithify, the single, unmanaged license is available for easy purchase at £39 + VAT (rounded up to £48).
 
Last edited:

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,073
@Trident Bought it. is it possible to share the link to a forensic report? if so, how?
Let us know how deployment (installation) went and general impressions, etc. :unsure:

@simmerskool I purchased license only, which was cheaper. I sent them an enquiry and they gave me a lower quote. I don’t like my security being managed. You can do the same.
Yes, I do not expect or want them to manage, but I might be ok with assistance with initial setup... Still thinking about Harmony...
 

likeastar20

Level 8
Verified
Mar 24, 2016
369
It can be configured to emulate all supported files (up to specified size no more than 50 MB) for emulation. If anything is malicious. detailed report much better than the BD one is saved. Their emulation integrates the BD engine as well.
Can you explain further "Their emulation integrates the BD engine as well."?
 
Last edited:

Scirious

Level 2
Feb 22, 2022
91
Note.png
Note - Admins are recommended not to pre-install Harmony Endpoint when using cloning utilities like Acronis. It is recommended to install Harmony Endpoint after the clone is created, or at least to block the initial registration before creating the clone.

Hi, Trident!

What happens if we regularly clone our system with Macrium once a week? Would it need to be removed every time?
 

NormanF

Level 8
Verified
Jan 11, 2018
363
Guys, have a look at this. It’s again from Lithify, the single, unmanaged license is available for easy purchase at £39 + VAT (rounded up to £48).

If you don't know how to set up an endpoint, they will take care of it for you. The question is, whether its worth it coughing up the extra cash for white glove service. :)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top