Serious Discussion Harmony Endpoint by Check Point

NormanF

Level 9
Verified
Jan 11, 2018
404
The extension is intended for admins to make sure only trusted content is being downloaded. You can’t expect workers to be experts. If anyone knows better then they can decide to turn it off.

@Shadowra How long does Symantec Endpoint Protection run after installation?

The unmanaged SEP will run indefinitely. If you need to manage it, you need a license for the term it's sold.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
> The unmanaged SEP will run indefinitely. If you need to manage it, you need a license for the term it's sold.
The unmanaged SEP has very little benefit over Norton though and is definitely not better than Harmony. Only SEP Complete can be compared to Harmony. Not sure how the prices are nowadays.
And if you want emulation, additional license is required for Symantec Cynic (never tried it myself although I would love to).
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
I was complaining about DeepInstinct's false positives, but Harmony is WORSE!
In fact, its reputation system literally deleted several files and programs without a hitch...

A few .RAR files were deleted (nothing personal, I assure you).
It completely deleted Neat Download Manager, IObit DriverBooster (it's not the only one) and even 3 .EXE files from GigaByte Aorus!

If you're going to install it, be sure to make exclusions.
 

NormanF

Level 9
Verified
Jan 11, 2018
404
> I was complaining about DeepInstinct's false positives, but Harmony is WORSE!
> In fact, its reputation system literally deleted several files and programs without a hitch...
>
> A few .RAR files were deleted (nothing personal, I assure you).
> It completely deleted Neat Download Manager, IObit DriverBooster (it's not the only one) and even 3 .EXE files from GigaByte Aorus!
>
> If you're going to install it, be sure to make exclusions.

When I trialed it, it removed Process Hacker and quarantined it as malware when I tried to download it. I hate software that tries to protect me for my own good. I should be the one to make the call if something is harmful or not. I will never allow security software to overrule human judgment.
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
> When I trialed it, it removed Process Hacker and quarantined it as malware when I tried to download it. I hate software that tries to protect me for my own good. I should be the one to make the call if something is harmful or not. I will never allow security software to overrule human judgment.

Several antivirus programs detect ProcessHacker as risky software...
I was even surprised that Bitdefender removed KillSwitch from COMODO....
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
> Several antivirus programs detect ProcessHacker as risky software...
> I was even surprised that Bitdefender removed KillSwitch from COMODO....

They detect it because it can be abused. The PUP detection in Harmony is very strong, so yeah. Either admins should create exclusions by folder or riskware treatment should be disabled. I personally keep it enabled for maximum security.
Check Point for many years hasn't been a fan of snake oil software.
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
> They detect it because it can be abused. The PUP detection in Harmony is very strong, so yeah. Either admins should create exclusions by folder or riskware treatment should be disabled. I personally keep it enabled for maximum security.
> Check Point for many years hasn't been a fan of snake oil software.

The problem is that Neat doesn't have any PUPs or the like... Harmony even classifies it as a Trojan! o_O

[Attached screenshot: Capture d’écran 2023-07-08 195049.png]
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586

Xeno1234

Level 14
Jun 12, 2023
684
> One of the detections (gen.win.processhollowing) seems to be a generic detection for code injection via process hollowing (run process -> pause process -> replace portion of process memory with malicious code -> resume process). Seeing a process hollowing detection by behavioural blocking is quite unusual; many AVs are totally blind to that. Some can catch initial scripts early by using a local emulator in memory, but the emulator doesn't have all day, it's only got milliseconds, and by using a JS with useless math operations and malicious actions somewhere in the middle, the local emulator can easily be bypassed (unlike full-blown emulation in the cloud that has the time).
>
> This is why it has become attackers' favourite. Quite a lot of malware can be blocked by this detection.
>
> So when Check Point was saying that fileless malware is not a problem for behavioural guard, they've not been joking.

I've started to use Checkpoint and I'm definitely impressed by its detection capabilities, both from my usage of testing it and also seeing these tests. It's truly a great product.

> On a RedLine FUD
> Not even ESET knew about it when I tested...
> Harmony shocked me...

How does Harmony fare with Backdoors/RATs? Anti-Viruses, I feel, struggle at detecting those.
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
> How does Harmony fare with Backdoors/RATs? Anti-Viruses, I feel, struggle at detecting those.

To bypass Harmony, you must not be detected by Kaspersky/Sophos in AV, not be known by Kaspersky Cloud feeds, CheckPoint NGAV and above all by emulation.

I've never managed to bypass it at the moment.
 

Xeno1234

Level 14
Jun 12, 2023
684
> To bypass Harmony, you must not be detected by Kaspersky/Sophos in AV, not be known by Kaspersky Cloud feeds, CheckPoint NGAV and above all by emulation.
>
> I've never managed to bypass it at the moment.

What's the NGAV - is that the Anti-Malware component or its own separate Anti-Virus?
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
> To bypass Harmony, you must not be detected by Kaspersky/Sophos in AV, not be known by Kaspersky Cloud feeds, CheckPoint NGAV and above all by emulation.
>
> I've never managed to bypass it at the moment.

It also must not look in any way suspicious to behavioural guard and must not contact any known C&Cs, as Harmony, just like Kaspersky, considers connections to malicious sites the ultimate sin and initiates removal very quickly. Also, if businesses use Harmony Email (as most threats on businesses arrive through email), the email must not in any way look like SPAM (which is extremely difficult; so far I haven't been able to bypass Harmony Email).

> What's the NGAV - is that the Anti-Malware component or its own?

Yes, it is. By default it works on medium aggressiveness, as opposed to ZoneAlarm where it is not aggressive. Also, it is possible to ask support to enroll you into early availability models for NGAV and behavioural guard.
 

Xeno1234

Level 14
Jun 12, 2023
684
> It also must not look in any way suspicious to behavioural guard and must not contact any known C&Cs, as Harmony, just like Kaspersky, considers connections to malicious sites the ultimate sin and initiates removal very quickly. Also, if businesses use Harmony Email (as most threats on businesses arrive through email), the email must not in any way look like SPAM (which is extremely difficult; so far I haven't been able to bypass Harmony Email).
>
> Yes, it is. By default it works on medium aggressiveness, as opposed to ZoneAlarm where it is not aggressive. Also, it is possible to ask support to enroll you into early availability models for NGAV and behavioural guard.

So it is its own AV? Sorry to ask again, but you said "Yes" to an "or" question.
 
