Serious Discussion Harmony Endpoint by Check Point

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Got it. Aside from that the reason cybersecurity vendors license someone else's AV is developing an in-house engine is expensive. It may be cheaper for them to pay to use someone else's.
It is a common practice in business products third party engines and feeds to be commissioned. It is not cheap, specially for Check Point. They are paying for threat intelligence feeds, third-party engines (2 of them at a time as Bitdefender always runs on the cloud) and the Check Point Threat Operations team is still hundreds of people. The whole company consists of 6K people staff.
It’s not about the savings, that’s how they want their product and they are doing a good job.
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
Just out of curiosity - it takes around 2-3 minutes to download a unknown file as its emulating, right? It was a bit faster earlier going for some files around 30 seconds but now its around 2-3 mintues.

Strangely enough, you're the only one who has problems with Harmony...
No problems on PCs where it's deployed and on virtual machines...
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Strangely enough, you're the only one who has problems with Harmony...
No problems on PCs where it's deployed and on virtual machines...
I was downloading the other day Epson printer drivers, obviously emulated by Harmony. It added about a minute to the download and needless to say I haven’t cried. Unless there is something lifesaving in that executable/script you download, I don’t see how the waiting is a problem. Nevertheless, whoever doesn’t wanna wait can turn emulation off or install something else.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Nevertheless, whoever doesn’t wanna wait can turn emulation off or install something else.
Oops, I'll wait, I took 9 months to be born, why wouldn't I wait 2 or 3 minutes?:LOL: Btw hi buddy, what's up?(y) see spoiler, I'm back.;)
1688696955829.png
 

NormanF

Level 9
Verified
Jan 11, 2018
404
I was downloading the other day Epson printer drivers, obviously emulated by Harmony. It added about a minute to the download and needless to say I haven’t cried. Unless there is something lifesaving in that executable/script you download, I don’t see how the waiting is a problem. Nevertheless, whoever doesn’t wanna wait can turn emulation off or install something else.

Their browser protection extension can't scan everything. On the Internet, you should know where you're downloading anyway. Best to turn it off.
 
  • Like
Reactions: Dave Russo

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Their browser protection extension can't scan everything. On the Internet, you should know where you're downloading anyway. Best to turn it off.
The extension is intended for admins to make sure only trusted content is being downloaded. You can’t expect workers to be experts. If anyone knows better then they can decide to turn it off.
 

NormanF

Level 9
Verified
Jan 11, 2018
404
The extension is intended for admins to make sure only trusted content is being downloaded. You can’t expect workers to be experts. If anyone knows better then they can decide to turn it off.

I agree but it can't scan dowloads bigger than 15 MB. That's its drawback. No one expects workers to be experts but they should be trained in safe practices online.
 
  • Like
Reactions: Dave Russo

Xeno1234

Level 14
Jun 12, 2023
684
I agree but it can't scan dowloads bigger than 15 MB. That's its drawback. No one expects workers to be experts but they should trained in safe practices online.
You have a older version - newer versions allow 50mb (and thats just for emulation). You also have anti-malware which doesnt have a file size limit.
 
Last edited:

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
I agree but it can't scan dowloads bigger than 15 MB. That's its drawback. No one expects workers to be experts but they should be trained in safe practices online.
You can’t train them and even if you do, they will not be experts. Malware and attack’s don’t have one shape and form, you never know how and where it will come from. Many people have no clue about malware and it is not necessary to do — you can’t expect an English teacher or a hotel receptionist, or the bar manager to recognise malware links in emails for example. It they were experts on that, they would be working at NortonLifeLock. And even the one understand malware are still vulnerable to supply chain attack and many others. Remember how Kaspersky’s iPhone was hacked not too long ago and their security solution alerted them to anomaly?

Maybe to you the extension provides no value. To many other people, it does.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
fwiw, I like the checkpoint harmony browser extension, sends me reasonable popups and I'm not seeing any big delays. So I read the comments to the contrary with a shrugoff, to each his own. :whistle:
There is a free version of it but it only provides Zero Phishing and CDR and modifies search engine to Yahoo (disgusting). It doesn’t provide the search indicators, malicious website blocking, emulation and password reuse protection. The extension itself is available as standalone product called Harmony Browse and that’s £22 a year. It is also included with Harmony Total meaning Chromebooks for example that don’t have full EDR available, won’t be counted as a station. Unless you wanna install Harmony Mobile via the Play Store which is also quite good.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
On a RedLine FUD
Not even ESET knew about it when I tested...
Harmony shocked me...

One of the detections (gen.win.processhollowing) seems to be a generic detection for code injection via process hollowing (run process -> pause process -> replace portion of process memory with malicious code -> resume process). Seeing a process hollowing detection by behavioural blocking is quite unusual, many AVs are totally blind to that. Some can catch initial scripts early by using local emulator in memory but the emulator doesn’t have all day, it’s only got milliseconds and by using a JS with useless math operations and malicious actions somewhere in the middle, local emulator can easily be bypassed (unlike full blown emulation in the cloud that has the time).

This is why it has become attackers favourite. Quite a lot of malware can be blocked by this detection.

So when Check Point was saying that fileless malware is not a problem for behavioural guard, they’ve not been joking.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top