New Update Harmony Endpoint Release Notes and Roadmaps

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
This thread provides release notes for Harmony Endpoint, Infinity Portal and Threat Emulation Engines.

Harmony Endpoint for Windows Client version 87.30 released 9th of May 2023.
  • Added Low Memory Mode, which reduces memory consumption.
  • Added Built-in Help to the client UI.
  • Added Client Demo and Health Check. The client will open the default browser on a page with various tests for client protections.
  • Client notifications are now adapted to high resolution monitors.
  • It is now possible to configure the Anti-Malware "Scan On Idle" feature via Endpoint Management.
  • Endpoint Client Posture Management support for on-demand installation of patches from the Server is now available for Early Availability (EA) customers.
  • Improved interoperability with cloud drives (in Endpoint Security client) and improved handling of exceptions for trusted processes in the Authorization scanning feature.
  • Windows update will now be blocked when the firmware boots the computer incorrectly. This prevents Full Disk Encryption blade from crashing during the OS update.
  • If some parameter in the trac.defaults file was modified, its new value will now be migrated during the VPN client upgrade.
  • New value “default_browser” is available for the “idp_browser_mode” parameter in the trac.defaults file. When this value is set, the default system browser will now be used for SAML-based authentication.
Harmony Endpoint for Mac Client version 87.40 released 11th of June 2023
  • Posture Management Vulnerability Assessment is now available on macOS for Early Availability (EA) customers. It reduces the attack surface through accurate assessment of vulnerabilities, risky applications, and computers within the organization.
  • It is possible now to customize the policy to prevent the installation of the Browser extension on a specific browser, even if Threat Emulation blade is enabled.
  • Endpoint Security Browser Extension for macOS with Zero Phishing, Threat Emulation, Threat Extraction and URL Filtering blades is now supported in the Brave browser and Edge browser.
  • Admins can now force pinning of the Endpoint Security browser extension in Chromium-based browsers (Chrome, Brave and Edge).
Harmony Endpoint and Infinity Portal Improvements Delivered in First Half of 2023

Threat Emulation Engine:
Release 11.05 from 15th of May 2023
  • Threat Emulation now includes a new engine that is capable of statically deobfuscating Office files and convicting them faster than before.
  • Potential crashes in executable emulations have been fixed.
Previous notes:

Early Availability:
Smart Exclusions
 

Trident

Harmony Endpoint Client for Windows 87.31 released 19th of June

  • This release prevents exploitation of CVE-2023-28133 on Windows OS.
  • Resolved an issue, when, in some scenarios, the ability to prevent deletion from an external media may not be enforced according to the policy.
  • It is now possible to execute an elevated application on removable media.
  • Resolved an issue when, in some scenarios, the E2 Anti-Malware exclusion set for removable drive may not be applied.
  • Application Control blade no longer blocks newly started applications if the computer with the installed client was not rebooted for a long time.
  • Resolved an issue when, in some scenarios, Behavioral Guard may not function correctly without reflecting its status to the Management Server.
Restart for upgrade not required.

New category in URL Filtering: Artificial Intelligence (blocks services such as ChatGPT).
 

Trident

Hello, please may I ask, would this update come through automatically? Thank you :)
It is deployed in a phased manner automatically so for you to release it, some time will pass. If you want to have it now, you can open the console, go to Policy -> Software Deployment and choose 87.31 from the dropdown menu. This will force the upgrade now.
 

Trident

Harmony Endpoint Client for Windows 87.40 released 1st of Aug 2023
What’s new:
  • The "smart preboot" option is now available for Early Availability (EA) customers in the General Policy settings.
  • Added the "smart preboot" menu translation in all supported languages for Early Availability (EA) customers.
  • Added ability to customize the Full Disk Encryption (FDE) Pre-boot UI from the policy.
  • Improved FDE password synchronization between the client and Server.
  • Improved Media Encryption Offline utility. During the first use of the tool, it is necessary to run it as an administrator to install the required drivers. After that, the tool no longer requires running as an administrator.
  • Significantly reduced the rate of false-positive detections due to legitimate backup software and file-copy operations in the honeypot folder. It is also possible to roll back to the previous signature update method.
  • The monthly update will now include only the variance between the most recent signatures package and the one currently installed on the computer with the client.
    This will decrease the size of an update from around 200MB to 4-6MB.
  • Clients with the E2 Anti-Malware engine can now update the signature and the engine on computers not connected to the internet.
  • The E2 logs are now separated from the Threat Emulation log and printed in a new file named AntiMalwareE2.log.
  • Endpoint Client Posture Management supports the automatic installation of patches from the Server.
 

Trident

Threat Emulation Engine 11.07 released 26th of Jul 2023
What’s new:
  • A new machine-learning model is developed to identify and block LNK attacks. Further info could be found in: sk181337
  • A new report visualization enhancement: The infection Tree is now visualized in the TE report.
  • Additional support for OneNote files has been added. Further info could be found in: sk181327
  • TE file classifier is enhanced with better classification of office files.
    Product: Threat Emulation
    Version: R81, R81.10, R81.20
    Last Modified: 2023-08-02

    Solution

    Check Point's Threat Emulation now supports Microsoft OneNote files!

    Starting in 2023, we have observed threat actors using OneNote attachments to deliver malicious content to victims as an alternative to the known Macro abuse which Microsoft disabled at the beginning of the year.

    Recently, Check Point's research team published information about a famous campaign to evade macro blocks:
    March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files

    Customers protected by Threat Emulation can now enable OneNote inspection across all platforms. To do so:
    1. In SmartConsole, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings.
      The Threat Prevention Engine Settings window opens.
    2. Go to Threat Emulation > File Type Support, and click Configure.
      The Threat Emulation Supported File Types window opens.
    3. Select Microsoft OneNote and click OK.
    4. Click OK and publish your changes.
    For customers using Autonomous Threat Prevention, no action is required.



Trident

Infinity Portal Update 6th of Aug 2023:
  • Reports Automation – Automate the creation of new reports, by choosing the relevant report with the relevant timeframe.
  • Reports Sharing – Share the relevant reports with the relevant stakeholders, by choosing the relevant report, timeframe, frequency, and the relevant recipients.
 

Trident

Threat Emulation v11.08 released 28th Aug 2023

What’s new?

  • MemDive - a new approach to prevent encrypted payload hidden in memory enabled by default in TE (Cloud mode only). Further info could be found in: sk181419
  • Improved DLL emulation mechanism triggers additional malicious behavioral
Required actions to receive update: none, this is a server-side update.

Introduction

Check Point’s Threat Emulation recently introduced an advanced technique for preventing encrypted malicious payload, using the new and innovative AI engine – ‘MemDive’, now integrated into ThreatCloud AI.

MemDive uses the Threat Emulation isolated environment to dynamically extract the hidden malicious payloads out of process memory and run a static scan during runtime. This way, it detects evasive malware that cannot be identified by static or dynamic monitoring.

What is an encrypted malicious payload?

Attackers frequently use encrypted malware payloads as a strategy to avoid detection and analysis by anti-virus software, firewalls, and other security utilities. A common practice is to unpack or download encrypted payloads at runtime, which effectively allows evasion of static detection methods.

To avoid dynamic detection, attackers take additional steps to obfuscate malicious activities. One common tactic used by malware at runtime is camouflage of malicious code in the context of legitimate process, away from the watchful eyes of anti-virus solutions or security monitoring systems. Another frequently used method is to decrypt and run a small piece of shellcode directly into memory, enabling the execution of a backdoor into the system.

‘MemDive’ - how does it work?

To counter such techniques, Threat Emulation implements dynamic memory extraction which blocks payload before it has the chance to run, and even if the attacks delete forensic evidence out of the memory.

The new implementation continuously scans the system memory for any modifications or any signs of manipulation. It extracts in-memory modification and manipulation such as decrypted payload for thorough analysis. With this improvement, we expose in-memory status information of files, and reverse this information to reconstruct the Portable Executable format. This process returns the hidden payload to the original attacker format.

This approach of dynamic memory extraction is a significant advancement for the recent Threat Emulation forensic memory scanning detection.

The engine is active by default for all Threat Emulation customers working in Cloud mode.
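
As an added illustration (not part of the original post and not Check Point's MemDive implementation), the sketch below shows why a payload that is encrypted on disk is invisible to a static file scan but becomes detectable once it sits decrypted in process memory: it scans a buffer for valid PE headers. The function names, the XOR stand-in for encryption, and the sample bytes are all constructed for this example.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}  # COFF Machine values

def parse_pe_at(mem: bytes, base: int):
    """Validate a PE header at `base`; return (arch, section_count) or None."""
    if base + 0x40 > len(mem):
        return None
    (e_lfanew,) = struct.unpack_from("<I", mem, base + 0x3C)  # offset of "PE\0\0"
    pe = base + e_lfanew
    # Heuristic bounds: reject stray "MZ" bytes that lead to no plausible header.
    if not (0x40 <= e_lfanew <= 0x1000) or pe + 24 > len(mem):
        return None
    if mem[pe:pe + 4] != b"PE\0\0":
        return None
    machine, n_sections = struct.unpack_from("<HH", mem, pe + 4)
    if machine not in MACHINES or not (1 <= n_sections <= 96):
        return None
    return MACHINES[machine], n_sections

def find_pe_images(mem: bytes):
    """Return [(offset, arch, section_count)] for each PE header found in `mem`."""
    hits, pos = [], mem.find(b"MZ")
    while pos != -1:
        parsed = parse_pe_at(mem, pos)
        if parsed:
            hits.append((pos, *parsed))
        pos = mem.find(b"MZ", pos + 1)
    return hits

def build_sample_header() -> bytes:
    """Constructed 88-byte DOS + COFF header (no code or section data)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

PLAIN = build_sample_header()
ON_DISK = xor(PLAIN, 0xA7)  # stand-in for the encrypted form a file scanner sees
# Constructed snapshot: the encrypted blob plus the copy decrypted at runtime.
SNAPSHOT = b"\x00" * 0x200 + ON_DISK + b"\xCC" * 0x100 + PLAIN + b"\x00" * 0x80

if __name__ == "__main__":
    print("on disk:  ", find_pe_images(ON_DISK))
    print("in memory:", find_pe_images(SNAPSHOT))
```

The scan of the encrypted bytes returns nothing, while the snapshot scan reports the decrypted header at offset 0x358; a real memory scanner would then rebuild the image from that header and hand it to a static engine.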
 

Trident

Expanding Zero-Phishing with new Brand Impersonation Engine:

AI-powered Brand Spoofing Prevention

Expanding our zero-phishing offering, introducing our innovative AI-powered engine to prevent local and global brand impersonation employed in phishing attacks, collaboratively protecting across networks, emails, mobile devices, and endpoints.


Source: ThreatCloud AI
 

Xeno1234

Level 14
Jun 12, 2023
699
Threat Emulation v11.08 released 28th Aug 2023

What’s new?

  • MemDive - a new approach to prevent encrypted payload hidden in memory enabled by default in TE (Cloud mode only). Further info could be found in: sk181419
  • Improved DLL emulation mechanism triggers additional malicious behavioral
Required actions to receive update: none, this is a server-side update.
Outside of Threat Emulation, are there any ways to combat these “encrypted” malicious payloads?
 

Trident

ZoneAlarm NextGen runs the same threat emulation and Zero-Phishing engines [threat emulation has a much smaller limit]. All other engines are much older in ZoneAlarm. For example ZoneAlarm does not support Intel TDT for anti-ransomware and many other enhancements/features are not present. Also, products such as ZoneAlarm Anti-Ransomware are not at all similar to Check Point. It’s like comparing fine French wine to a supermarket wine for $2.5. I saw recent videos posted, some sisters should sometimes save themselves the hassle.
 

Trident

Harmony Endpoint for Windows Client v 87.50 released 5th Sep 2023.

What’s new?
  • Endpoint Client now supports Posture Management (Vulnerability & Patch Management) for GA customers.
  • Added a new feature - SmartExclusion. It is available for EA customers (Early Availability).
  • Endpoint Security Client now has the "Upgrade now" button added to mini-UI, appearing when the installation is postponed.
  • In Forensics report > Remediation tab > Registry key, the names of columns were renamed:
    "Old data" is changed to "Malicious data",
    "New data" is changed to "Original data".
  • Improved the performance when handling network files.
  • It is now possible to install the clients on Windows 11 with enabled Smart App Control when, during installation, the computer is connected to the Internet. Previously, the installation on such computers was blocked.
  • Added ability to VPN clients to verify wildcard certificates presented by VPN sites.
  • Standalone VPN client will now show the Office Mode IP address as the client IP address in main client window for clients that support Office Mode. For SecuRemote, it will show the physical interface IP address.
  • Improved protections against evasion techniques.
  • Added support for the "Prohibit cancel scan if more than" option on Anti-Malware DHS compliant engine. Admin can prohibit the users from canceling a scheduled scan if more than X days passed since the last scan.
Actions necessary to receive update: yes
In Infinity Portal, click Policy -> Software Deployment. From the dropdown menu, select 87.50.

What if I do not deploy manually?
Check Point will release hotfixes. In a few months 87.50 will become the recommended version. At this point, all clients will be upgraded automatically.

What is the current recommended version?
87.31 released in July.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Harmony Endpoint for Windows Client v 87.50 released 5th Sep 2023.

What’s new?
[snip]
Actions necessary to receive update: yes
In Infinity Portal, click Policy -> Software Deployment. From the dropdown menu, select 87.50.

What if I do not deploy manually?
Check Point will release hotfixes. In a few months 87.50 will become the recommended version. At this point, all clients will be upgraded automatically.

What is the current recommended version?
87.31 released in July.
So about 6 weeks ago I "upgraded" Lithify to managed account (only a few dollars more per month -- paid for a year) (I've been preoccupied with some other stuff & was "afraid" I'd miss something). Exchanged a few friendly emails with their staff, and I'm still running 87.30 here, about 2 weeks after I told them to handle update. Not exactly a problem, just info to share. I know, I can go into the Infinity Portal and fix this, but now I'm waiting to see what happens on their end... :unsure: (also asked them to confirm my settings were correct...)
 
