Serious Discussion Harmony Endpoint by Check Point

Kongo
Feb 25, 2017
BTW Good Morning, Good Afternoon or Good Evening! Is everything ok with you? Now answering your question, because I was a dry ear lol, I literally parachuted into @Kongo's post, despite mentioning and leaving Kongo credits in another post, when I tested it. I should have at least asked his permission if I could share it in another post, but by referencing his post and leaving his credits in the post, @Kongo would have been aware if there were later any discussions on which I had posted, and he would have remedied it when the discussion about the stealer malware started; at least it would have avoided some unnecessary discussions on my part. Regarding the bad configuration I said: I enabled HIPS and everything, maybe where there was no need in CF, the firewall was in custom settings, and when I ran the malware several pop-ups appeared in HIPS and the firewall as the malware started its execution. I had to make the decisions alone about what I allowed or what I blocked, and I must have allowed something that I shouldn't have, which ended up infecting the machine: too many settings that I adjusted, unnecessary rules created, that culminated in a CF failure. Who was to blame? Me. Did you understand? I hope I understood. I apologize for the misunderstanding; I have great admiration, respect and affection for you, since the first day I started talking to you here at MalwareTips. ;)
You don't need anybody's permission for that. 😄

Trident (thread author)
Feb 7, 2023
My personal opinion is that I would never spend a penny on an EDR for a home user such as myself. All the best. =)
We respect your personal opinion. But you spend money on home software too. And this money goes on doohickeys like VPN, password manager and other yo-yo components, most of which provide the bare minimum of functionality and take away revenue and time that could be invested in core operations, you know, the operations related to your security.

If anybody wants to spend the same or $10 more on software they find important (they are on MalwareTips so most likely they like anti-malware), I don’t think it’s that big of a deal and it definitely won’t cause them to go bankrupt.
Sandbox Breaker
Jan 6, 2022
We respect your personal opinion. But you spend money on home software too. And this money goes on doohickeys like VPN, password manager and other yo-yo components, most of which provide the bare minimum of functionality and take away revenue and time that could be invested in core operations, you know, the operations related to your security.

If anybody wants to spend the same or $10 more on software they find important (they are on MalwareTips so most likely they like anti-malware), I don’t think it’s that big of a deal and it definitely won’t cause them to go bankrupt.
Or he can use OpenEDR lol

Trident (thread author)
Feb 7, 2023
How good is its threat emulation compared to Kaspersky's OpenTip or Sandbox, since Kaspersky's is pretty good as well?
I haven’t used OpenTip, I can’t tell you.
The cloud version of TE I don't think can be customized
It can be customised in settings. You can choose what OSes you want, size and formats. You can also block download of files that can’t be emulated.

Sandbox Breaker
Jan 6, 2022
You can not use custom images. The software and everything must be curated in a way for attackers not to know that this is a VM and also, it is linked to CPU-level emulation. The images are created by Check Point.
Understood. But there is value in customising the image for very specific attacks. Then again, good layering and a solid team can squash this crap.

Xeno1234
Jun 12, 2023
I haven’t used OpenTip, I can’t tell you.

It can be customised in settings. You can choose what OS-es you want, size and formats. You can also block download of files that can’t be emulated.
I'm pretty sure the way it works is that it's based off all the other malware in KSN, so it uses that data to help it.

Trident (thread author)
Feb 7, 2023
I'm pretty sure the way it works is that it's based off all the other malware in KSN, so it uses that data to help it.
More like the other way around. Files are sent for emulation on OpenTip and their hashes are fed to KSN and are sold as Kaspersky Threat Intelligence to third parties.
Understood. But there is value in customising the image for very specific attacks. Then again, good layering and a solid team can squash this crap.
Check Point sandbox is a result of heavy research on evasion tactics. It moves the mouse, it clicks buttons, it provides information such as CPU name, temperature and does many other things for malware not to know that it’s been debugged. Check Point also writes custom signatures and Yara rules which can detect malware even if it terminates and doesn’t do anything.
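The point above, that static signatures and YARA rules can catch a sample that recognises the sandbox and simply exits, can be sketched in code. What follows is an added example written for this page, not Check Point's rules or anything posted in the thread: a toy YARA-style scan over constructed sample bytes that looks for the anti-analysis checks the post lists (mouse activity, CPU name, temperature, hypervisor artifacts) next to an early exit, and flags the sample even though its behavioural trace contains nothing but start and exit. The indicator strings, weights, threshold and the two sample blobs are assumptions made for illustration.

```python
import re

# Constructed indicator table, modelled on the kind of strings a YARA
# rule for anti-analysis tricks would look for.  Names, patterns and
# weights are assumptions for this example, not Check Point's rules.
INDICATORS = [
    # user-activity checks: a sandbox that never moves the mouse fails these
    ("mouse_activity_check", rb"GetCursorPos|GetLastInputInfo", 2),
    # hardware fingerprinting: CPU name from the registry, temperature via WMI
    ("cpu_name_query", rb"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 2),
    ("cpu_temperature_query", rb"MSAcpi_ThermalZoneTemperature", 3),
    # hypervisor / sandbox artifacts
    ("hypervisor_artifact", rb"VBoxService|vmtoolsd|SbieDll\.dll", 3),
    ("debugger_check", rb"IsDebuggerPresent|CheckRemoteDebuggerPresent", 1),
    # the "do nothing and quit" exit path
    ("early_exit", rb"ExitProcess|TerminateProcess", 1),
]
SCORE_THRESHOLD = 6


def scan(blob: bytes) -> dict:
    """Static scan of raw file bytes; returns hits, a score and a verdict."""
    hits = {}
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, blob):
            hits[name] = weight
    score = sum(hits.values())
    # Rule condition, YARA-style: enough weighted evasion indicators, or an
    # early exit combined with at least two distinct evasion checks.
    evasion_hits = [h for h in hits if h != "early_exit"]
    evasive = score >= SCORE_THRESHOLD or (
        "early_exit" in hits and len(evasion_hits) >= 2
    )
    return {"score": score, "hits": sorted(hits), "evasive": evasive}


def behavioural_verdict(events: list) -> str:
    """Stand-in for the sandbox's behavioural view: a sample that detects
    the VM and exits produces no suspicious runtime events at all."""
    suspicious = {"file_write", "registry_set", "network_connect", "process_inject"}
    return "suspicious" if suspicious & set(events) else "no_behaviour"


# Constructed samples (not real malware): fake PE-like blobs carrying the
# import names and strings the indicators above look for.
EVASIVE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"GetCursorPos\x00GetLastInputInfo\x00"
    + b"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\x00"
    + b"MSAcpi_ThermalZoneTemperature\x00"
    + b"VBoxService.exe\x00vmtoolsd.exe\x00"
    + b"ExitProcess\x00"
)
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"CreateFileW\x00WriteFile\x00CloseHandle\x00ExitProcess\x00"
)
# Constructed runtime trace of the evasive sample once it decides it is in a VM.
EVASIVE_TRACE = ["process_start", "process_exit"]


if __name__ == "__main__":
    for label, blob in (("evasive", EVASIVE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan(blob))
    print("behaviour of evasive sample:", behavioural_verdict(EVASIVE_TRACE))
```

The benign blob also calls ExitProcess, which is why the rule needs the combination of an exit path with several distinct evasion checks rather than any single string; a real rule would be tuned against a clean corpus the same way, and the behavioural trace alone would report nothing for the evasive sample.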
Sandbox Breaker
Jan 6, 2022
More like the other way around. Files are sent for emulation on OpenTip and their hashes are fed to KSN and are sold as Kaspersky Threat Intelligence to third parties.

Check Point sandbox is a result of heavy research on evasion tactics. It moves the mouse, it clicks buttons, it provides information such as CPU name, temperature and does many other things for malware not to know that it’s been debugged. Check Point also writes custom signatures and Yara rules which can detect malware even if it terminates and doesn’t do anything.
Wonder how their Yara rules compare to Thor Valhalla
Xeno1234
Jun 12, 2023
More like the other way around. Files are sent for emulation on OpenTip and their hashes are fed to KSN and are sold as Kaspersky Threat Intelligence to third parties.

Check Point sandbox is a result of heavy research on evasion tactics. It moves the mouse, it clicks buttons, it provides information such as CPU name, temperature and does many other things for malware not to know that it’s been debugged. Check Point also writes custom signatures and Yara rules which can detect malware even if it terminates and doesn’t do anything.
Which do you think is better? Both are definitely good tools; however, OpenTip lacks the user activity that it needs and does miss some things every once in a while.

NormanF
Jan 11, 2018
We respect your personal opinion. But you spend money on home software too. And this money goes on doohickeys like VPN, password manager and other yo-yo components. Most of which provide the bare minimum of functionality and take away revenue and time, that could be invested in core operations, you know. The operations related to your security.

If anybody wants to spend the same or $10 more on software they find important (they are on MalwareTips so most likely they like anti-malware), I don’t think it’s that big of a deal and it definitely won’t cause them to go bankrupt.

Speaking of endpoint security software, what's your opinion of Endpoint for Microsoft Defender? It's available for free trial, and an account and license for a single user can be set up through DataLinksNetwork.net

They quoted Plan 1 for $2.61 a month; MSRP is $3 a month; Plan 2 for $4.53 a month; MSRP is $5.20.

Nobody needs to spend more than $10 on any endpoint security product sold through a reputable reseller.
Trident (thread author)
Feb 7, 2023
what's your opinion of Endpoint for Microsoft Defender
Everyone was convincing me how good it is at one point and then they all started moaning. I am not a fan of Defender myself. The only selling point is that it’s cheap.
Trident (thread author)
Feb 7, 2023
Well, which is better at finding malware if it doesn't require user activity?
Again, I can’t tell you which one is better as I am not an active Kaspersky user, even less an OpenTip user. Check Point is jam-packed with engines, definitions and rules, and as @Shadowra and I have confirmed on more than one occasion, evasive threats with low detection (<5 on VT) have 2-3, even 4 detections by TE. I saw one where 5 detections were produced in total, 2 of which were YARA signatures. I cannot tell you anything about Kaspersky’s sandbox.