Serious Discussion Harmony Endpoint by Check Point

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
@Trident

Your Quote

Btw, the anti-ransomware restoration module has a very granular configuration. You can choose file extensions that will be covered and you can specify maximum file size.

Unquote

Files Backup/Restore vs System Backup/Restore

I'm not in favor of files backup/restoration. I prefer system backup/restore.
If you don’t like it, you can disable it. It doesn’t come to play unless something has bypassed all other modules and has started to encrypt your system anyway.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
@Trident tried this sample yesterday and no response from Harmony, PC infected. VirusTotal



I am using a fake bitwarden and today I got an email saying "Failed login attempts detected".
For better coverage of these, it’s better to deploy it with Kaspersky. Or, you can block wscript.exe from connecting via program control. I’m aware Sophos doesn’t cover the Quakbot too well.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Yes, I think it would have been blocked if it was the Kaspersky engine.
With Sophos you have to do some LOtLBin hunting and blocking. Wscript.exe is one of the first that need to be blocked. PowerShell is another one. Kaspersky has the benefit of scanning memory content as well whereas Sophos supports memory scanning only on X86 and only hourly.

The weird thing in this case is ZoneAlarm emulates js files whereas Harmony Endpoint for some reason doesn’t. Via emulation it would’ve been blocked definitely.
 
Last edited:

likeastar20

Level 9
Verified
Mar 24, 2016
423
With Sophos you have to do some LOtLBin hunting and blocking. Wscript.exe is one of the first that need to be blocked. PowerShell is another one. Kaspersky has the benefit of scanning memory content as well whereas Sophos supports memory scanning only on X86 and only hourly.

The weird thing in this case is ZoneAlarm emulates js files whereas Harmony Endpoint for some reason doesn’t. Via emulation it would’ve been blocked definitely.
yes, the sample was not emulated. i got it by going to a website where it was automatically downloaded it. if it was in a zip, would it have been emulated? Or does it not do emulation on JS files at all? :unsure:
 
Last edited:

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
yes, the example was not emulated. i got it by going to a website where it was automatically downloaded. if it was in a zip, would it have been emulated? Or does it not do emulation on JS files at all? :unsure:
It emulates js content in a zip file. Rule can also be added for all *.js files to be automatically rejected but blocking wscript.exe is a much better alternative. It’s what DeepInstinct does as well.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
@Trident how do you delete the emulation logs from your pc?
I think support needs to provide a tool.
@Trident Doing a test like this means that the emulation module has no role to play, right?
Yeah, if they were introduced through an archive. Downloads are emulated.
Hello :)

I made a fight... Harmony vs DeepInstinct.
Since I'm busy this weekend, the video will be out on Monday :)
(you have to give me time to edit the video :p )
I’m excited 😀
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
fwiw I'm trying the ddg browser and at first glance it seems that Harmony anti-phishing does not work with it... (but that's not definitive just an initial observation)
What’s ddg browser? Only Chrome, Edge, Firefox and Brave support all capabilities. All other apps including unsupported browsers will be protected only by URL filtering and anti-bot but Zero-Phishing will not be available.
 

Dave Russo

Level 22
Verified
Top Poster
Well-known
May 26, 2014
1,149
How much does this cost for a home user? I have good protection already, but the forum makes this program sound great (and my Av expires soon) if affordable, I am just concerned I would be lost setting the program up properly?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top