Serious Discussion Harmony Endpoint by Check Point

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I've never tested GravityZone.
On the other hand, Kaspersky's OfficeSecurity can be compared to SEP, even though it doesn't have an administration console.
A few years ago Kaspersky offered an extended evaluation version of Kaspersky Endpoint Security for Windows version 10.0 of 90 or 120 days, I don't remember exactly when, and I went to check that it is now version 12.1.0.506, as time flies. I didn't want to because I thought it would be too complicated to configure.
 

NormanF

Level 9
Verified
Jan 11, 2018
404
I've never tested GravityZone.
On the other hand, Kaspersky's OfficeSecurity can be compared to SEP, even though it doesn't have an administration console.

GravityZone Enterprise, formerly Ultra - comes with XDR. The only difference with Kaspersky Endpoint Security Cloud Plus is the former has EDR. Keep in mind in the former, Patch Management is an add on and is included in Kaspersky.
 

NormanF

Level 9
Verified
Jan 11, 2018
404
A few years ago Kaspersky offered an extended evaluation version of Kaspersky Endpoint Security for Windows version 10.0 of 90 or 120 days, I don't remember exactly when, and I went to check that it is now version 12.1.0.506, as time flies. I didn't want to because I thought it would be too complicated to configure.

The Kaspersky cloud console is intuitive and easy to configure. GravityZone on the other hand, there's a slight learning curve involved but once you get the hang of it, you can do what you want done on it.
 

NormanF

Level 9
Verified
Jan 11, 2018
404
My personal opinion is that I would never spend a penny on an edr for a home user such as myself. All the best. =)

The reason to get an an industrial grade endpoint security product is for the next-gen capabilities, the fact you can gain insight into how good your security is on your endpoint and you can replace all your consumer grade security software with one solution.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
That's not quite right. DeepInstinct can be configured to block scripts in general, but it also anyalyzes the behaviour of potentially malicious script executions. So yeah, it can't detect malicious scripts with it's static engine, but it can analyze scripts dynamically post-execution.

View attachment 276525
The DI way of controlling scripts is more similar to the Application Control of Harmony Endpoint or the Adaptive Protection of Symantec Endpoint Protection Complete. It blocks calls from one LOLBin to another, for example from Equation Editor to PowerShell. It also blocks common commands like PowerShell with hidden window, with encoded command and others (Avast also uses similar logics). But it’s not a behavioural analyser like Symantec SONAR (now behavioural blocking), Bitdefender ATD or the Check Point behavioural guard. It’s more like system hardening or the Microsoft ASR rules (some of them).

In fact if comparing DI to Defender, SEP or HEP, the relevant components (ASR rules, Adaptive Protection and Application Control) should be deployed and properly configured so all of them are on the same page.
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,083
The reason to get an an industrial grade endpoint security product is for the next-gen capabilities, the fact you can gain insight into how good your security is on your endpoint and you can replace all your consumer grade security software with one solution.
I would use Linux if I had those concerns in any case, more cost-effective not to say free. Greetings, and I don't comment here anymore. Peace. All the best.
 
  • Like
Reactions: Jonny Quest

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Here is the moment to say that with my policy, Harmony Endpoint blocks malicious connections system-wide. It can block connections to many categories (most of them are parental control) but it also blocks connections to malicious and suspicious sites.

The blocking components are 3.

First one is the web filter which relies on ThreatCloud. It blocks known malicious domains and suspicious ones that look like machine-generated. It also uses DNS (whois) data analysis to take a decision in real time.

Second is the anti-bot. It blocks connections to known C&C. It is similar to web filter, but because these are domains contacted by malware, admins should treat such detections with extreme urgency, the system is probably infected. And a message “Your computer communicates to a known malicious domain. It is probably infected with malware” appears. In such cases, I recommend users to start running scans (including with tools like Norton Power Eraser) unless they are doing malware testing/research.
Anti-Bot also exhibits IPS capabilities, blocks exploits and lateral movement based on Deep Packet Inspection and Protocol analysis. It also analyses behaviour and reputation of programmes (it is an extension to Behavioural Guard).

Third is the Zero Phishing Real time analysis. Web Filter will block known phishing pages, Zero Phishing will analyse characteristics to block the unknown.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The stealer was signed together with all files it drops and downloads. So no, it wouldn't have.
Actually it would have (and does). piquiteco kindly just provided that sample and at CF base Containment settings both the initial malware file and the spawned daughter (cursed.exe) are contained. The data stolen from Edge was blocked from getting out by the Firewall (Over 50K attempts out in a few minutes!). At my settings the outbound connections (only 3 intrusions) are blocked. Both malware files eventually delete in Containment after a minute or so.

Once again, the fact the a file is signed (and even counter signed) still won't make it trusted as the file must also be vetted by Comoodo first, and this is a quite important point.
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,631
Actually it would have (and does). piquiteco kindly just provided that sample and at CF base Containment settings both the initial malware file and the spawned daughter (cursed.exe) are contained. The data stolen from Edge was blocked from getting out by the Firewall (Over 50K attempts out in a few minutes!). At my settings the outbound connections (only 3 intrusions) are blocked. Both malware files eventually delete in Containment after a minute or so.

Once again, the fact the a file is signed (and even counter signed) still won't make it trusted as the file must also be vetted by Comoodo first, and this is a quite important point.

Can you tell me more about this sample?
I'd love to analyze it against AVs like DeepInstinct or observe its behavior.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Actually it would have (and does). piquiteco kindly just provided that sample and at CF base Containment settings both the initial malware file and the spawned daughter (cursed.exe) are contained. The data stolen from Edge was blocked from getting out by the Firewall (Over 50K attempts out in a few minutes!). At my settings the outbound connections (only 3 intrusions) are blocked. Both malware files eventually delete in Containment after a minute or so.

Once again, the fact the a file is signed (and even counter signed) still won't make it trusted as the file must also be vetted by Comoodo first, and this is a quite important point.
Last night @piquiteco said it wasn't contained? I'm confused. Why was it not contained on their test?
But this sample is now months old anyway. By now it should be covered by anyone.
Can you tell me more about this sample?
I'd love to analyze it against AVs like DeepInstinct or observe its behavior.
it is that stealer @Kongo posted on another thread. It was something like "stealer poses as game".
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
Can you tell me more about this sample?
I'd love to analyze it against AVs like DeepInstinct or observe its behavior.

Would have tested it myself, but the other license I got is on my girlfriends PC. So I am not really able to test DI atm. Please share the results if you decide to test it. (y)
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,631

Would have tested it myself, but the other license I got is on my girlfriends PC. So I am not really able to test DI atm. Please share the results if you decide to test it. (y)

Capture d’écran 2023-06-25 215441.png


;)
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
There is nothing else I could change to make static AI detect the sample. I already have the most sensitive settings possible..
From so much scanning, it may have fallen in some permanent cache or something. On a hex editor, try putting a dot or something at the end of the file.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Last night @piquiteco said it wasn't contained? I'm confused. Why was it not contained on their test?Last night @piquiteco said it wasn't contained? I'm confused. Why was it not contained on their test?
Wait there you got it wrong, I used the proactive configuration, and it failed, so it was my fault, not the CF, bad configuration on my part and operator fault. I have to admit. More I did not use it in the configuration @cruelsister I talked to her just now, she shared with me the screenshots of the CF, everything was contained, the C&C connections were all blocked, minutes later the malware died in the sandbox. In addition to the screenshots she provided, which were several, she also wrote explaining the running processes, and in addition she tested in two ways partially isolated and restricted all two ways the malware was contained minutes later it stopped breathing. I talked to @ErzCrz yesterday he used CF for years, he told me it never failed and found it strange my tests failed his status is ONLINE for me at the moment, if he sees the notification he will comment here. I told him that the configuration he used in CF is safe if it was @cruelsister's, because I did not use that configuration, it was probably a mistake on my part. I replied to @cruelsister that the screenshot tests were already worth a thousand words, it was still with ZOOM the screenshots she shared of the screenshot you could see all processes running clearly already had the explanations is more than a proof of concept. Wow, nothing else to say.;) 💯
But this sample is now months old anyway. By now it should be covered by anyone.

it is that stealer @Kongo posted on another thread. It was something like "stealer poses as game".
In @Kongo's post has the sample URL, I also posted the sample URL in another post but left the credits to @Kongo. Just below the post @SeriousHoax talks to @Kongo of the malware stealer tests that's right he posts with capital letters "An alleged fake game" that exactly the same sample I provided to @cruelsister. Sorry for the delay in answering, I am like a turtle when it comes to typing on the keyboard.:ROFLMAO:👍
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top