Serious Discussion Harmony Endpoint by Check Point

BTW Good Morning, Good Afternoon or Good Evening! Is everything ok with you? Now answering your question, because I was a dry ear lol, I literally parachuted into @Kongo's post, despite mentioning and leaving Kongo credits in another post, when I tested it. I should have at least asked his permission if I could share it in another post, but by referencing his post and leaving his credits in the post, @Kongo would have been aware if there were later any discussions on which I had posted, and he would have remedied it when the discussion about the stealer malware started; at least it would have avoided some unnecessary discussions on my part. Regarding the bad configuration I said, it was that I enabled HIPS and everything, maybe when there was no need in CF; the firewall was in custom settings. When I ran the malware, several pop-ups appeared in HIPS and the firewall when the malware started its execution, and I had to make the decisions alone on what I allowed or what I blocked. I must have allowed something that I shouldn't have, which ended up infecting the machine: too many settings that I adjusted, unnecessary rules created that culminated in a CF failure. Who was to blame? Me. Did you understand? I hope I understood. I apologize for the misunderstanding; I have great admiration, respect and affection for you, since the first day I started talking to you here at MalwareTips. ;)
You don't need anybody's permission for that. 😄
 
My personal opinion is that I would never spend a penny on an edr for a home user such as myself. All the best. =)
We respect your personal opinion. But you spend money on home software too. And this money goes on doohickeys like VPN, password manager and other yo-yo components. Most of which provide the bare minimum of functionality and take away revenue and time, that could be invested in core operations, you know. The operations related to your security.

If anybody wants to spend the same or $10 more on software they find important (they are on MalwareTips so most likely they like anti-malware), I don’t think it’s that big of a deal and it definitely won’t cause them to go bankrupt.
 
We respect your personal opinion. But you spend money on home software too. And this money goes on doohickeys like VPN, password manager and other yo-yo components. Most of which provide the bare minimum of functionality and take away revenue and time, that could be invested in core operations, you know. The operations related to your security.

If anybody wants to spend the same or $10 more on software they find important (they are on MalwareTips so most likely they like anti-malware), I don’t think it’s that big of a deal and it definitely won’t cause them to go bankrupt.
Or he can use open EDR lol
 
How good is its threat emulation compared to Kaspersky's OpenTip or Sandbox, since Kaspersky's is pretty good as well?
I haven’t used OpenTip, I can’t tell you.
Cloud version of TE I don't think can be customized
It can be customised in settings. You can choose what OSes you want, size and formats. You can also block download of files that can’t be emulated.
 
You can not use custom images. The software and everything must be curated in a way for attackers not to know that this is a VM and also, it is linked to CPU-level emulation. The images are created by Check Point.
Understood. But there is a value in customising the image for very specific attacks. Then again, good layering and a solid team can squash this crap.
 
I haven’t used OpenTip, I can’t tell you.

It can be customised in settings. You can choose what OSes you want, size and formats. You can also block download of files that can’t be emulated.
I'm pretty sure the way it works is that it's based off of all other malware in KSN, so it uses that data to help it.
 
I'm pretty sure the way it works is that it's based off of all other malware in KSN, so it uses that data to help it.
More like the other way around. Files are sent for emulation on OpenTip and their hashes are fed to KSN and are sold as Kaspersky Threat Intelligence to third parties.
Understood. But there is a value in customising the image for very specific attacks. Then again, good layering and a solid team can squash this crap.
Check Point sandbox is a result of heavy research on evasion tactics. It moves the mouse, it clicks buttons, it provides information such as CPU name, temperature and does many other things for malware not to know that it’s been debugged. Check Point also writes custom signatures and Yara rules which can detect malware even if it terminates and doesn’t do anything.
 
More like the other way around. Files are sent for emulation on OpenTip and their hashes are fed to KSN and are sold as Kaspersky Threat Intelligence to third parties.

Check Point sandbox is a result of heavy research on evasion tactics. It moves the mouse, it clicks buttons, it provides information such as CPU name, temperature and does many other things for malware not to know that it’s been debugged. Check Point also writes custom signatures and Yara rules which can detect malware even if it terminates and doesn’t do anything.
Wonder how their Yara rules compare to Thor Valhalla
 
More like the other way around. Files are sent for emulation on OpenTip and their hashes are fed to KSN and are sold as Kaspersky Threat Intelligence to third parties.

Check Point sandbox is a result of heavy research on evasion tactics. It moves the mouse, it clicks buttons, it provides information such as CPU name, temperature and does many other things for malware not to know that it’s been debugged. Check Point also writes custom signatures and Yara rules which can detect malware even if it terminates and doesn’t do anything.
Which do you think is better? Both are definitely good tools; however, OpenTip lacks the user activity that it needs and does miss some things every once in a while.
 
We respect your personal opinion. But you spend money on home software too. And this money goes on doohickeys like VPN, password manager and other yo-yo components. Most of which provide the bare minimum of functionality and take away revenue and time, that could be invested in core operations, you know. The operations related to your security.

If anybody wants to spend the same or $10 more on software they find important (they are on MalwareTips so most likely they like anti-malware), I don’t think it’s that big of a deal and it definitely won’t cause them to go bankrupt.

Speaking of endpoint security software, what's your opinion of Endpoint for Microsoft Defender? It's available for free trial, and an account and license for a single user can be set up through DataLinksNetwork.net

They quoted Plan 1 for $2.61 a month; MSRP is $3 a month; Plan 2 for $4.53 a month; MSRP is $5.20.

Nobody needs to spend more than $10 on any endpoint security product sold through a reputable reseller.
 
Well, which is better at finding malware if it doesn't require user activity?
Again, I can’t tell you which one is better, as I am not an active Kaspersky user, even less an OpenTip user. CheckPoint is jam-packed with engines, definitions and rules, and as confirmed by me and @Shadowra on more than one occasion, evasive threats with low detection (<5 on VT) have 2-3, even 4 detections by TE. I saw one where 5 detections were produced in total, 2 of which were Yara signatures. I cannot tell you anything about Kaspersky’s sandbox.