We have already published a huge number of training materials on Check Point. However, the topic of protecting workstations with Check Point SandBlast Agent while it is extremely poorly lit. We plan to improve and soon create training courses on this product, which is one of the leaders in the EDR segment for several years in a row. In the meantime, we are sharing information on the new agent features that appeared in version E83.10. Spoiler – beta version for LINUX and a new cloud-based “control panel” appeared.
All enhancements to version E83.10 can be found in sk166979. There is a lot of relevant information, but we’d better go through the new features.
New Cloud Management Portal
Check Point has long been developing the Infinity concept, where centralized management through the cloud portal portal.checkpoint.com plays a key role. At the moment there is a huge number of services available through this portal:
- CloudGuard SaaS
- Smart-1 Cloud
- Infinity soc
- CloudGuard Connect
- Threat hunting
- Sandblast mobile
- and much more
And now there is access to the SandBlast cloud “control” agents:
Integration is now much simpler and faster. The service starts literally within 5 minutes and you can start rolling agents. We will not focus on this, because This topic deserves a whole series of articles, which we plan in the near future.
The name speaks for itself. Now URL filtering will be available on agents. You can filter the traffic of even remote users, as if they were sitting in an office. Currently there are several main categories available for URL filtering:
- Productivity loss
- Legal liability & regulatory compliance
- Bandwidth consumption
- General use
Of the pluses – each agent includes a browser add-on that allows you to check encrypted HTTPS traffic, without the need for an intermediate device with SSL inspection function. This greatly simplifies integration, especially for remote users.
Currently there are several limitations:
- The browser add-on is only available for Google Chrome. Support for other browsers is expected soon.
- URL Filtering is currently only available through cloud management. This is what the interface looks like:
It is also worth noting that there is a new Anti-Credential Theft feature – Pass-the-Hash attack Protection. But we will probably tell you about it in detail as part of the future course.
New Platforms for SandBlast Agent
SandBlast now natively supports both persistent VDI and non-persistent operations. But another thing is more important. Finally, a beta version of SandBlast Agent for Linux systems appeared. Here’s a quick demo where integration with Check Point Threat Hunting is shown in one go:
In my opinion, policy management has become more convenient. Logs with SandBlast Agents are now also in a more familiar form.
As you probably understood, web-based management is currently only available for the cloud platform. However, it will also be available for local devices in the version of Gaia R81, which should be announced in the first quarter of the 21st year.
Key agent improvements
Here are a few key changes and improvements to SandBlast Agent version E83.10:
- Behavioral Guard now protects against the “Pass The Hash” technique for credential theft. Credential Dumping is new, as of the previous release.
- Fixes an issue where Anti-Ransomware does not detect a potential attack when the user is not logged in.
- Fixes Anti-Ransomware false positives due to user profile deletions.
- Fixes multiple rare cases of false positives in Anti-Ransomware.
- Fixes an issue where “out of memory” errors occur when the log lists a very large number of backups.
- When you disable Anti-Ransomware, the backup driver no longer operates.
- Improves performance as Forensics now stores fewer named objects, such as mutexes and events.
- Improves the performance of Forensics, Behavioral Guard and Threat Hunting with enhancements to our Registry Operation exclusion algorithms that reduce the number of recorded registry operations.
- Resolves an issue where an Anti-Malware scheduled scan occurs, even if it is not in the policy.
- Resolves an Anti-Malware icon scaling issue.
- Resolves a possible issue where the Anti-Malware process crashes as it shuts down.
- Resolves client network issues after a Firewall driver uninstallation failure.
- Resolves a rare issue where an added Firewall blade gets stuck in the “Initializing” state.
- Resolves a possible upgrade issue where the Firewall blade does not start due to a WatchDog failure.
- Resolves a rare issue where the Firewall policy is “Not Set” in the client after the policy download from the server.
- Resolves a possible issue where the Disk Encryption process crashes during shutdown.
- Resolves a removable media icon blink issue for an encrypted partition when Media Scan is enabled.
- Improves the work with non-UTF-8 applications. Users can toggle UTF-8 support.
- Fixes active File Transfer Protocol (FTP) traffic blocks on a standalone VPN client with Firewall.
- Includes stability and quality fixes. Supports all the features of previous releases.
- Resolves a possible issue where uninstalling the Endpoint removes components that are necessary for other applications.
- Resolves a possible issue where the uninstall fails after the user turns off “Network Protection”.
- Resolves a possible issue where the Endpoint Security Client does not run correctly after an operating system upgrade.
- Resolves a rare issue where the client uninstall fails with Error 1921: “Service Check Point Endpoint Agent (CPDA) could not be stopped.”
- Resolves a rare issue where an upgrade that uses “Dynamic Package” continuously loops after a download fails to resume.
- The pre-boot language selection choice is now correct after a language update in Windows.
- Fixes an incompatibility issue with Sophos Antivirus, which could not install on a machine with Endpoint Security Client on it.
- Resolves a rare User Interface (UI) issue where a malware resolution is not shown to a user.
- Resolves a client LogViewer issue, where it only shows log records that match the latest log schema.
- On the Endpoint Security Client screen, the Overview list now shows “Anti-Bot and URL Filtering” instead of “Anti-Bot”.
- The client User Interface (UI) is no longer shown during manual upgrades.
- Resolves URL infections report issues in the User Interface (UI) so that the infections records are not permanent in the client and server UIs.
- Anti-Bot and URL Filtering policy now translates to all supported languages.
- Improves the performance of the Endpoint Security core driver to reduce CPU consumption.
Instead of a conclusion
I am sure the article about forensics that SandBlast Agent can provide will be interesting. As already mentioned, we plan to publish new training materials, so stay tuned in our channels (Telegram, Facebook, VK, TS Solution Blog)!
In addition, several useful Check Point webinars will be held shortly:
- Information Security Automation with Red Hat Ansible Automation with Check Point as Example
- Remote access for employees. New author training course
Hurry up to register!