CP v1.02 SandBlast POC UserGuide


24 November 2019

SandBlast Agent POC


v1.02

User Guide
[Classification: Restricted]
Check Point Copyright Notice
© 2019 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check Point.
While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for
errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of
the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page for a list of our trademarks.

Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest
functional improvements, stability fixes, security enhancements and protection against new and
evolving attacks.

Certifications

For third party independent certification of Check Point products, see the Check Point
Certifications page.

Check Point v1.0

For more about this release, see the v1.0 home page.

Latest Version of this Document

Open the latest version of this document in a Web browser.

Download the latest version of this document in PDF format.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments.

Revision History

Date Description

24 November 2019 First release of this document


Table of Contents

Introduction (page 5)
POC Stages (page 7)
Initial Engagement (page 9)
Expectations and Criteria (page 12)
Installation and Deployment (page 25)
Hands On (page 41)
POC summary (page 44)
Troubleshooting (page 47)
Appendix A - Technical Specifications (page 48)
Appendix B - Relevant Log Files (page 53)
Appendix C - Relevant SK Articles for POC (page 55)


Introduction
Document Objective

This document describes how to set up the POC evaluation process for the Check Point SandBlast Agent Zero-Day
Solution, an Endpoint protection product, and provides resources for each stage.

POC Objective

The POC helps you implement SandBlast Agent advanced Endpoint protection while meeting all key customer
requirements.

Solution Overview
Check Point SandBlast Agent provides advanced Zero-Day Protection capabilities to protect web browsers and
endpoints and leverages Check Point's industry-leading network protections. SandBlast Agent ensures complete real-
time coverage across threat vectors, letting your employees work safely from any location without compromising
their productivity. Threat Emulation allows you to emulate unknown files in a contained environment to detect
malicious behaviors and prevent infections, while Threat Extraction instantly provides sanitized risk-free files.

Anti-Ransomware protection stops ransomware in its tracks and automatically reverses the damage. This ensures that
your organization is protected against malicious extortion attacks that encrypt your business data and demand a
ransom payment for its retrieval. Zero Phishing proactively blocks access to new or unknown deceptive websites and
safeguards user credentials by preventing the use of corporate passwords on external websites. SandBlast Agent
captures forensics data with continuous collection of all relevant system events, and then provides actionable incident
analysis to quickly understand the complete attack lifecycle. With greater visibility as to the scope, damage, and
attack vectors, incident response teams can maximize productivity and minimize organizational exposure of sensitive
files.

Zero Day Protection Benefits


§ Advanced Threat Prevention and automated endpoint forensic analysis for all malware types.
§ Prevents and remediates evasive ransomware attacks.
§ Proactively blocks known, unknown and zero-day malware.
§ Provides instant actionable understanding of attacks.
§ Automatically remediates infections.
§ Protects user credentials.

Check Point SandBlast Agent Features


§ Threat Emulation: Evasion resistant sandbox technology.
§ Threat Extraction: Delivers sanitized risk-free files to users in real-time.
§ Anti-Ransomware: Prevents and remediates evasive ransomware attacks.
§ Zero-Phishing: Blocks deceptive phishing sites and alerts on password reuse.
§ Anti-Bot: Identify and isolate infected hosts.
§ Anti-Exploit: Protects applications against exploit based attacks.
§ Behavioral Guard: Detects and blocks malicious behaviors.
§ Endpoint Anti-Virus: Protects against known malware.
§ Forensics: Records and analyzes all endpoint events to provide actionable attack forensics reports.
Comprehensive coverage across threat vectors:

§ Web downloads.
§ Content copied from removable storage devices.
§ Links or attachments in email messages.
§ Lateral movement of data and malware between systems on a network segment.
§ Infections delivered via encrypted content.

Full visibility of security events:

§ Full visibility by monitoring and recording all endpoint events, including files affected, processes launched,
system registry changes and network activity.

Detailed incident reports

§ Viewing event reports, triggered from the gateway or endpoint itself, from a central location using
SmartEvent and SmartLog.

Actionable incident analysis

§ Comprehensive attack diagnostics and visibility supporting automatic remediation.


§ System administrators and incident response teams can swiftly and efficiently triage and resolve attacks,
getting your organization back to business as usual.

Third-party integration

§ Enhancing the detection capabilities of existing Anti-Virus products, enabling protection from advanced
threats and providing actionable incident analysis. When triggered by third-party solution, endpoint forensics
logs are analyzed to generate reports viewable in SmartEvent and SmartLog.

Easy to deploy and manage

§ SandBlast Agent can be quickly deployed and all policies are managed centrally through SmartCenter.
§ The non-intrusive, low-overhead deployment utilizes a SandBlast remote sandbox running as a service–on
either the SandBlast Cloud or your own private appliances–resulting in minimal impact on local performance
and full compatibility with installed applications.
POC Stages
These are the main stages in the POC process:
"Initial Engagement" on page 9

§ Customer Presentation

§ Demo

§ RFP

"Expectations and Criteria" on page 12

§ How will the product be tested?

§ What's the success criteria?

§ Start and end date

"Installation and Deployment" on page 25

§ On premise\Cloud

§ Client types used in the POCs

"Hands On" on page 41

§ How to show Advanced Threat Prevention

"POC summary" on page 44

§ Logs

§ Forensics

§ Overview of outcome
Initial Engagement
Customer Presentation
The latest SandBlast Agent\Beyond the perimeter customer presentation, part of the “Basic Sales Toolkit”, can be found
on the PartnerMap page:
https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default.psml/js_pane/PartnerMapId,PartnerHomeId?pageUrl=/partners/resources/products/mobile-security/endpoint-security.html

Customer Demo
DemoPoint is a great resource for launching quick, real time demonstrations of the latest features and malware
attacks without the need to build and maintain environments. The DemoPoint Endpoint environment features a play-
by-play cookbook for presenting multiple prevention scenarios.

User Center DemoPoint access:

https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default.psml/js_pane/ToolsId,cloudDemoEnvironments

1. Select CREATE ENVIRONMENT:

2. Enter the details, and select Advanced Threat Prevention > SandBlast Agent:

DemoPoint SK page:

sk119392 - DemoPoint - Cloud Based Demo Solution Material

RFP / RFI
To assist with customer RFPs / RFIs:

1. Use the CheckMates Endpoint products community:

https://community.checkpoint.com/t5/Endpoint-Security-Products/bd-p/endpoint-general

2. Use the following mailing list:

[email protected]
Expectations and Criteria
How will the product be tested?
Customer POCs can take many forms. The main focus at this point is to identify which of the most common testing
methodologies the customer will use, and to configure the appropriate policy for that method:

Penetration Testing
Our main focus is to harden the policy in all Threat Prevention blades so that the prevention / catch rate is
maximized, accepting a higher risk of false positives:

1. Anti-Malware is mandatory and must be enabled for any penetration testing. Third party signature Anti-Virus
can be used alongside SandBlast Agent, if Check Point's Anti-Malware blade is not chosen for the POC.
2. Behavioral Guard must be configured in aggressive rules mode so all experimental signatures can be enabled
in prevention mode. To perform the configuration, follow the instructions in sk130012 - SandBlast Agent
Behavioral Guard Advanced Configuration.
3. Use these profile settings to harden a SandBlast Agent Profile for Penetration Testing:

Blade / Actions / Features: Settings

Anti-Ransomware, Behavioral Guard and Forensics
  Triggers and Automatic Response
    Forensics Analysis: Always
    File Quarantine: Medium and High
    Machine Quarantine: Never
    Attack Remediation: Medium and High
  Quarantine Settings and Attack Remediation
    Malicious files: Delete
    Suspicious files: Quarantine
    Unknown files: Quarantine
    Trusted files: Terminate
  Anti-Ransomware and Behavioral Guard settings
    Anti-Ransomware and Behavioral Guard settings: Yes
    Anti-Ransomware automatic restore: Yes

Anti-Bot
  Anti-Bot activation
    High Confidence: Prevent
    Medium Confidence: Prevent
    Low Confidence: Prevent

Threat Extraction, Threat Emulation and Anti-Exploit
  Web Download Protection
    Files that can be extracted and emulated: Emulate and suspend original file until emulation completes
    Files that can only be emulated: Emulate and suspend original file until emulation completes
    Other files: Block Download
  File System Monitor
    Action for files written to file system: Emulate
    Monitoring: Enable
  Zero Phishing Settings
    Phishing Protection: Prevent Access and Log
    Send log on each scanned site: Yes
    Allow user to dismiss the phishing alert and access the site: No
    Allow user to abort phishing scan: No
    Password reuse protection: Alert user and log
  Anti-Exploit settings
    Enable Anti-Exploit: Yes
    Terminate exploited application and log: Yes
    Detect exploited application and log: No

Limited Production Deployment
For production deployment, our aim is to provide maximum prevention while minimizing false positives and
user impact.

1. Remove any existing 3rd party Endpoint solution prior to the installation of SandBlast Agent. Keeping two
Endpoint protection products on the same client may result in prevention conflicts and degradation of
performance.
2. As a best practice, we recommend a “Tuning Mode” period in which the environment's unique software and
network traffic is studied and used to create a custom exclusions list.

For more information on exclusions, refer to:

§ sk128472 - SandBlast Agent (Forensics, Anti-Ransomware, Anti-Bot, Threat Emulation) – Exclusions
§ sk122706 - How to use Endpoint Security Client Anti-Malware Blade exclusions?

Use the following profile settings to tune a SandBlast Agent Profile for a Limited Production Deployment:

Blade / Actions / Features: Settings

Anti-Ransomware, Behavioral Guard and Forensics
  Triggers and Automatic Response
    Forensics Analysis: Always
    File Quarantine: Medium and High
    Machine Quarantine: Never
    Attack Remediation: Never
  Quarantine Settings and Attack Remediation
    Malicious files: Quarantine
    Suspicious files: None
    Unknown files: None
    Trusted files: Ignore
  Anti-Ransomware and Behavioral Guard settings
    Anti-Ransomware and Behavioral Guard settings: Yes
    Anti-Ransomware automatic restore: Yes

Anti-Bot
  Anti-Bot activation
    High Confidence: Prevent
    Medium Confidence: Detect
    Low Confidence: Detect

Threat Extraction, Threat Emulation and Anti-Exploit
  Web Download Protection
    Files that can be extracted and emulated: Emulate original file without suspending access
    Files that can only be emulated: Emulate original file without suspending access
    Other files: Allow Download
  File System Monitor
    Action for files written to file system: Ignore
    Monitoring: Enable
  Zero Phishing Settings
    Phishing Protection: Log Only
    Send log on each scanned site: Yes
    Allow user to dismiss the phishing alert and access the site: No
    Allow user to abort phishing scan: No
    Password reuse protection: Log only
  Anti-Exploit settings
    Enable Anti-Exploit: No
    Terminate exploited application and log: No
    Detect exploited application and log: Yes

Lab setup:

Starting with R80.20, a pre-defined best practice configuration is available; it should reflect the actual production
configuration (as documented in sk154052 - SandBlast Agent Best Practice Configuration).

What are the success criteria?

The Success Criteria and Test Plan need to be clear prior to evaluating the Check Point SandBlast Agent Zero-Day
Solution.

Prerequisites prior to testing:

1. SandBlast Agent is deployed on properly patched and updated client stations or VMs.

2. The Chrome and IE browser extensions for web download scrubbing are installed and configured. (The Firefox
browser extension can be enabled by following sk160794.)

3. Anti-Malware blades are enabled, configured and updated via the Endpoint Management Server or external public
servers.

4. For Penetration Testing - Behavioral Guard is enabled and configured for aggressive detection per sk130012.

5. SandBlast Agent detection is tested through various attack vectors: WEB, Email, Removable media.

6. The logs are monitored through SmartLog and SmartEvent.

Product Features Criteria list for POC:

The table below lists all product features and their expected performance.

Traditional Endpoint Protections

Criteria: Description (Pass/Fail and Remarks are recorded per criterion during the POC)

§ Full Disk Encryption: All volumes of the hard drive and hidden volumes are automatically fully encrypted. This
includes system files, temporary files, and even deleted files.
§ Pre-boot Protection: Users must authenticate to their computers in the pre-boot, before the computer boots. This
prevents unauthorized access to the operating system using authentication bypass tools at the operating system level
or alternative boot media to bypass boot protection.
§ Access management: The solution automatically detects and authorizes logged in users.
§ Lock screen secured Authentication: Users log on one time (SSO) for authentication to the operating system, Full
Disk Encryption, and other Endpoint Security blades.
§ Lock screen secured Authentication: The solution requires that only an authorized pre-boot user is allowed to log
into Windows.
§ Media Encryption: The solution protects sensitive information by encrypting data and requiring authorization for
access to storage devices, removable media and other input/output devices.
§ Media Encryption: For encrypted storage devices, the solution provides access on computers without Media
Encryption or when working offline.
§ Port Protection: The solution controls the access to different types of peripheral devices.
§ Port Protection: The solution allows custom user message notifications when connecting a device based on the
scenario.
§ Storage Device Write Access: All files that are defined as business related data must be written to the encrypted
storage. Non-business related data can be saved to the device without encryption.
§ Anti-Malware: The solution protects the computer from all kinds of malware threats, ranging from worms and
Trojans to adware and keystroke loggers. The solution centrally manages the detection and treatment of malware on
your endpoint computers.
§ Anti-Malware: The solution allows scheduled scanning of local drives, mail messages, optical drives and removable
devices.
§ Anti-Malware: If malware is detected, the solution isolates the files from the OS, but does not permanently remove
them. The user can restore quarantined files, if they are not malicious.
§ Compliance: The solution enforces endpoint computers to comply with security rules that are defined for the
organization. Computers that do not comply are shown as non-compliant and may have restrictive policies applied.
§ Compliance: The solution enforces required applications and files based on the compliance settings by monitoring
for the presence of specified files, registry values, and processes that must be running or present on endpoint
computers.
§ Compliance: The solution enforces prohibited applications and files based on the compliance settings by monitoring
for the presence of specified files, registry values, and processes that are prohibited to be running or present on
endpoint computers.
§ Compliance: The solution enforces an Anti-Malware check to verify that computers have an Anti-Malware program
installed and updated.
§ Firewall: The solution enforces Firewall rules to allow or block network traffic to endpoint computers based on
connection information, such as IP addresses, ports, and protocols.
§ Firewall: The solution is used to determine if users can connect to wireless networks while on your organization's
LAN to protect the network from threats associated with wireless networks.
§ Firewall: The solution defines if users can connect to the organization network from hotspots in public places, such
as hotels or airports.
§ Firewall: The solution is set to restrict or allow IPv6 network traffic.
§ Application Control: The solution restricts network access for specified applications. The Endpoint Security
administrator defines policies and rules that allow, block or terminate applications and processes.
§ Application Control: The solution can Whitelist/Blacklist applications.



SandBlast Agent

Criteria: Description (Pass/Fail and Remarks are recorded per criterion during the POC)

§ Forensics Analysis: Full Forensic incident reports with process execution trees are generated for every detected
malicious activity.
§ Forensics Analysis: Forensic reports automatically identify the malicious activity entry point and highlight the
potential damage, remediation action and the entire chain of attack.
§ Forensics Analysis: The solution can trigger a Forensics analysis based on 3rd party malware detection.
§ Forensics Analysis: The Forensics report logs present the unobfuscated PowerShell scripts used during an attack.
§ Forensics Analysis: The Forensics report lists reputation analysis on files and URLs used during an attack.
§ Anti-Ransomware: The solution detects and prevents ransomware attacks.
§ Anti-Ransomware: The solution remediates and restores files that were encrypted during a ransomware attack.
§ Behavioral Guard: The solution leverages forensics to effectively and uniquely identify unknown malware behavior
and accurately classify malware according to its malware family.
§ Behavioral Guard: The solution detects and prevents fileless attacks based on scripting.
§ Behavioral Guard: The solution integrates with Microsoft's Anti-Malware Scan Interface (AMSI) to receive and
analyze decoded scripts.
§ Anti-Bot: The solution identifies and blocks out-going communication to malicious C&C sites.
§ Anti-Bot: Cloud threat intelligence resources are used for updates and identification of zero-day C&C attacks.
§ Web download protection – Threat Extraction: The solution must have scrubbing capabilities with no added hardware.
Potentially malicious content such as scripts, macros and active content is extracted from all incoming files.
§ Web download protection – Threat Extraction: When scrubbing, the original file must be accessible by the end user if
it is found to be benign by the sandbox.
§ Web download protection – Threat Emulation: Incoming files are emulated by sandboxing for potentially malicious
content.
§ Web browsing protection – Zero Phishing: The solution detects zero-day phishing sites that request user credentials
even if unknown to reputation engines.
§ Web browsing protection – Corporate Password Reuse: Corporate (protected domain) password reuse on non-domain
sites is detected and logged.
§ Threat Emulation: All files written on the file-system are monitored and statically analyzed. If found as potentially
malicious, the files are emulated by sandboxing and quarantined if found as malicious.
§ Anti-Exploit: The solution detects and prevents exploitation techniques on trusted software.

Logging

Criteria: Description (Pass/Fail and Remarks are recorded per criterion during the POC)

§ SmartEvent: The solution should generate periodic reports on malware types, types of vulnerabilities exploited etc.
§ SmartEvent: The solution must have the ability to generate visual reports.
§ Logging and Reporting: Showcase affected process, affected registry keys and affected files in the OS environment.
§ Logging and Reporting: Showcase malicious file emulation screenshots in Sandbox environment (Threat Emulation
report).
§ Logging and Reporting: The solution should be able to log the C&C communication from the emulated BOT file.

Installation and Deployment
When approaching the POC, we choose the type of server topology: On-Premise or Cloud based. With the
introduction of SandBlast Agent Cloud Management, we can recommend the Cloud solution for most POCs.

Hardware and software requirements:

Resource (Functionality): Remarks

§ Endpoint client (Latest client E81.40): sk162334 - Enterprise Endpoint Security E81.40 Windows Clients.
§ Check Point Management Server (Management & Reporting): R80.30 - sk144293 - Check Point R80.30.
§ Client stations (SandBlast Agent platform): Windows OS Endpoint client stations, with relevant updates and patches
for SandBlast Agent installation.
§ IP Addresses (Connectivity):
  1. Connectivity between clients and Endpoint Management over ports 80 and 443.
  2. Clients should have internet access per sk116590.
  3. Management Server should have internet connectivity for Anti-Malware updates.

On Premise Endpoint Management Installation


Step 1 of 2: Install the Endpoint Security Management Server:

1. Install the Gaia Operating System:

   § Installing the Gaia Operating System on a Check Point Appliance
   § Installing the Gaia Operating System on an Open Server

2. Run the Gaia First Time Configuration Wizard.

3. During the First Time Configuration Wizard, you must configure these settings:

   1. In the Installation Type window, select Security Gateway and/or Security Management.

   2. In the Products window:

      § In the Products section, select Security Management only.
      § In the Clustering section, in the Define Security Management as field, select Primary.

   3. In the Security Management GUI Clients window, configure the applicable allowed computers:

      § Any IP Address - Allows all computers to connect.
      § This machine - Allows only the single specified computer to connect.
      § Network - Allows all computers on the specified network to connect.
      § Range of IPv4 addresses - Allows all computers in the specified range to connect.

Step 2 of 2: Perform initial configuration in SmartConsole:

1. Connect with SmartConsole to the Security Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Management Server object.
4. On the General Properties page, click the Management tab.
5. Enable the Endpoint Policy Management blade.
6. Click OK.
7. In the SmartConsole top left corner, click Menu > Install database.
8. Select all objects.
9. Click Install.
10. Click OK.

For more information, see the R80.30 Endpoint Security Management Server Administration Guide.

Endpoint Cloud Management Installation


Step 1 of 4: Register for a new Endpoint MaaS account:

1. For each new tenant, a new registration is needed with a unique account name. Email can be shared across
Infinity Portal accounts. Registration URL: https://portal.checkpoint.com/register/endpoint
2. Each account request is individually authorized by:
After you are registered and authorized, you receive an authorization email:
Step 2 of 4: Log in to the Endpoint Cloud Portal:

1. Log in at https://portal.checkpoint.com/signin/endpoint

2. Verify that you are logged in to the Endpoint Server Portal:

3. If multiple accounts are associated in the Infinity Portal, select the correct Profile:

4. Then select the created Account:

Step 3 of 4: Create the Cloud Endpoint management:

1. Click New Endpoint Management Service:


2. Enter the following information:
§ Hostname: Unique host name for the Endpoint management.
§ Hosting site: AWS server location for the created instance. Should be selected per the customer's
region and GDPR restrictions.
§ Service Capacity: Select the number of endpoint clients expected.
§ SmartEndpoint User: Default user name is “admin”. This setting can be changed only after the
installation of the servers.
§ SmartEndpoint Console Password: Password to be associated with the “admin” user.

3. Once ready, click Deploy.


4. Installation status progress is displayed under Status:
In addition, a notification email for the deployment is sent:

Upon completion, a final confirmation mail is sent:


Step 4 of 4: Download and Install the recommended SmartConsole from the portal:

1. To connect to the SmartEndpoint, a dedicated SmartConsole must be used. It is available via a downloadable
link in the portal:

2. Following the installation, connect by using the unique host ID as address:

3. Select the “cloud” check box:


Licensing
For a SandBlast Agent POC including the browser extension, you need:

§ SandBlast Agent evaluation license
§ Endpoint Management license (included in the all-in-one license)
§ Local emulation license, in case the emulation/extraction is done on a local appliance

Cloud Management:
SandBlast Agent Cloud Management evaluation license includes a 30-day trial (no need to generate one).

On premise:

Note - All licenses can be obtained from Check Point User Center > Winning the Security Market > Try Our
Products > Product Evaluation

All-In-One Evaluation: CPEP-COMPLETE-EVAL

Endpoint management package for 100 seats

Includes SmartEvent

To get and apply contracts for on-premise installation:

1. Log in to: Check Point User Center


2. Click Products.
3. Select Get Contracts File in the drop-down menu at the right of the row.
4. In the window that opens, save the contract file.
5. Open SmartUpdate. (Start menu > Check Point > SmartUpdate)
6. Select License & Contracts > Updated Contracts > From File.
7. In the window that opens, browse to where you saved the contract file and click Open.

The contract is applied to the Endpoint Security Management Server.


Deployment of Clients
When deploying clients, we can choose between two client types:

§ Initial client - A lightweight client of approximately 20MB that pulls the installation data for the needed
software blades from the management server.
§ Software blades package - This package includes the specified Software Blades to be installed on the
endpoint client.

Deployment by Initial Client

Notes:

§ For Windows 7 OS, verify that the Windows host has the latest .NET installed, and Microsoft KB3033929 is
applied (relevant to Windows 7 editions).
§ HTTPS/Port 443 communication needs to be allowed between the deployed client and the management server.
§ SandBlast Agent Cloud Management is updated with the latest recommended client versions.
§ See sk117536 for the latest Endpoint security client downloads.
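The notes above (port 443 to the management server, .NET and KB3033929 on Windows 7) and the earlier advice under Limited Production Deployment to remove any other endpoint product before installation can be verified on the client before the Initial Client is copied over. The PowerShell script below is an added example, not part of this guide or a Check Point tool; it assumes the management server address is passed in as $MgmtServer (a placeholder) and reports each check as pass or fail.

```powershell
# Added example (not a Check Point tool): pre-flight checks on a Windows client
# before deploying the SandBlast Agent Initial Client, covering the guide's notes:
# port 80/443 reachability to the Endpoint management server, .NET and KB3033929
# on Windows 7, and no other endpoint protection product still registered.
# Uses only cmdlets available on Windows 7 / PowerShell 2.0 and later.
param(
    # Placeholder: replace with the real Endpoint Management server address.
    [string]$MgmtServer = "epm.example.local"
)

$results = @()

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# TCP connect test with a timeout (Test-NetConnection is not available on Windows 7).
function Test-TcpPort([string]$Server, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }   # 3 s timeout
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Client to Endpoint Management connectivity over ports 80 and 443.
foreach ($port in 80, 443) {
    Add-Result "TCP $port to $MgmtServer" (Test-TcpPort $MgmtServer $port) ""
}

# 2. Windows 7 only (NT 6.1): KB3033929 applied and a .NET Framework 4.x install present.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 6 -and $os.Minor -eq 1) {
    $hotfix = Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
    Add-Result "KB3033929 applied" ($hotfix -ne $null) ""

    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    Add-Result ".NET Framework 4.x installed" ($ndp -ne $null) "Release: $($ndp.Release)"
} else {
    Add-Result "Windows 7 specific checks" $true "Skipped, OS version is $os"
}

# 3. Other endpoint protection products registered with Windows Security Center.
#    The guide asks to remove them before installing SandBlast Agent; Windows Defender
#    and Check Point's own product are not counted as third-party here. On server
#    editions the SecurityCenter2 namespace does not exist and this check passes.
$thirdParty = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue |
                Where-Object { $_.displayName -notmatch 'Windows Defender|Check Point' })
Add-Result "No third-party AV registered" ($thirdParty.Count -eq 0) (($thirdParty | ForEach-Object { $_.displayName }) -join ', ')

# Print the summary table and return a non-zero exit code if any check failed.
$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

Run it from an elevated PowerShell prompt on each candidate client; a non-zero exit code means at least one prerequisite is not met and the Initial Client should not be pushed yet.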

Instruction steps:

1. Open the SmartEndpoint and go to the Deployment tab > Actions > Load Client installer files.
2. Select the relevant EPS.msi files of the full package and initial package.

At the bottom of the GUI, select Manage Client Versions to check that the Initial Client version was
updated.

3. From the Initial Client window, click Download and follow the instructions to locally save the exported
initial client. The exported package already contains the IP information of Endpoint management.

4. Copy the exported Initial Client to the client machine and install it using administrative privileges from the
command line. You can also use system management software like SCCM to distribute the initial client (see
sk103395 - Best Practices - Endpoint Security (videos)).
The Initial client pulls the installation package from the Endpoint management server and shows a message to
the user, to agree to start the installation.

After the Initial Client is installed, the client reboots automatically.

5. Open the SmartEndpoint and go to the Overview tab. Monitor the client installation status from the Security
Status window.

Deployment by software blades package:

1. Open the SmartEndpoint and go to the Deployment tab > Actions.


2. Right click on Selected blades then select the needed blades for the package.

3. Right click on the rule name > Download package:

4. Copy the Software Blades client to the client machine and install it using administrative privileges from the
command line. You can also use system management software like SCCM to distribute the package (see
sk103395 - Best Practices - Endpoint Security (videos)).
5. After the Software Blades client is installed, the client reboots automatically.
6. Open the SmartEndpoint and go to the Overview tab. Monitor the client installation status from the Security
Status window:
Integration with Active Directory
You can sync your organization Active Directory to Endpoint management. After it is synced, you can use any
Active Directory entry as the Applies To target (similar to destination) for Endpoint blades and deployment rules.

On-premises Active Directory Scanner:

1. On SmartEndpoint, go to the Deployment tab > Organization Scanners.

2. Click Add Directory Scanner and enter the credentials for the domain.

Note - Giving the Active Directory admin user access to the Deleted Objects container is mandatory.
See the relevant Microsoft KB article for assistance.

SandBlast Agent Cloud Management Active Directory scanner


To add Active Directory user groups, SmartEndpoint opens a connection to the AD in the domain and uploads the
result over HTTPS. The connection to the AD is created with the "current user" role.

To add a “File-Based” Scanner:

1. On the Deployment tab, select Organization Scanners:


2. Select Add File-Based Scanner:

3. Select Scan:

File-Based Scanner Limitations
§ The user accessing the SmartEndpoint must be a member of the Active Directory domain.
§ Each update in Active Directory must be followed by a manual synchronization.
Hands On
This section focuses on how to use the SandBlast Agent to show Advanced Threat Prevention capabilities during a
POC.

CheckMe
CheckMe by Check Point is a proactive assessment that identifies security risks in your network, Endpoint, Cloud
and mobile environments. Based on this assessment, CheckMe instantly provides you with a detailed report that
shows whether your environments are vulnerable to ransomware, zero-day threats, malware infections, browser
exploits, data leakage and more.

For more information on the tool and the tests it runs, refer to sk115236.

To use CheckMe checkup tool:

1. Visit the following URL:

http://www.cpcheckme.com/checkme/

2. Select Endpoint as Simulation Target, accept the user agreement and click Check Security Now:

3. Download the executable and follow the instructions:


4. The test triggers these blades:
§ Anti-Malware
§ Anti-Bot
§ Threat Emulation
§ Anti-Exploit
§ Anti-Ransomware

A report is created and sent by mail:


Unknown 300 Repository
The 300 unknown malware repository holds the latest malware found on VirusTotal, modified to become
unknown zero-day attacks:

VirusTotal is queried for .pdf, .doc and portable executable files detected as malicious by more than 10
Anti-Virus engines, and then 300 known malware files are randomly selected (120 pdf, 120 exe, 60 doc) and
transformed into unknown malware files. The 300 new unknown malware files are tested to simulate the reality of
a user downloading an infected file.

To access the repository, use the following mailing list:


[email protected]

Sample Kit:

We can provide a dedicated sample kit to trigger each security blade.

Please contact the following mailing list:


[email protected]
POC summary
Logs
The log summary can be viewed on the client side or on the Log Server, which is usually the management server.
Starting from R80.20, there is a predefined SmartEvent view, "Endpoint Cyber security."

Note - SmartEvent is enabled and preconfigured when using SandBlast Agent Cloud Management.

For an on-premises installation, you must enable SmartEvent:

1. Open the SmartConsole > Endpoint Management object > Management tab and check both SmartEvent
Server and SmartEvent Correlation Unit:

2. Install the database on the management server:


SmartView
Use the SmartView Web Application to see an overview of the security information for the environment, with
real-time event monitoring and analysis, without the need to install SmartConsole.

SandBlast Agent Cloud Management


On the cloud portal you can find the address to access SmartView:

On premises
Once SmartEvent is up, access the SmartView URL:

https://<Security Management Server IP Address>/smartview/

Cyber Attack view - Endpoint:

Use the dedicated SmartEvent Endpoint Cyber Attack View to centrally view and monitor all Endpoint cyber
security events:

Activating the view

1. In SmartView, open a new view window by clicking the + sign:

2. Under Views, select Cyber Attack view - Endpoint:


Troubleshooting
For most issues, please use the following flow:

1. Collect cpinfo from the client machine - sk90445:

2. Collect relevant log files.


3. Open a Service Request with TAC:

https://help.checkpoint.com/s/create-new-sr

4. Escalate to local SE.

For technical questions or assistance in POCs, please use the CheckMates Endpoint community:

https://community.checkpoint.com/t5/Endpoint-Security-Products/bd-p/endpoint-general
Appendix A - Technical Specifications
SandBlast Agent - Packages

Available Packages
§ SandBlast Anti-Ransomware – Includes Anti-Ransomware only
§ SandBlast Agent – Includes Threat Emulation, Threat Extraction, Anti-Ransomware, Anti-Exploit, Zero Phishing,
Credential Protection, Anti-Bot, DNA Classifier, Forensics and Automated Incident Analysis.
§ SandBlast Agent Next Generation Anti-Virus – Adds protection against known malware and can be deployed as a
full replacement for any Endpoint security solution.
§ Endpoint Complete Protection – Adds Firewall, Remote Access, Application Control, Full Disk Encryption, Media
Encryption, Port Protection and Anti-Virus to the SandBlast Agent package.

*Endpoint Compliance is provided with all Endpoint and SandBlast Agent packages.

Endpoint Security – SandBlast Agent

Operating System
§ Windows Workstation 7, 8, and 10
§ Windows Server 2008 R2, 2012, 2012 R2, 2016
§ MacOS Sierra 10.12.6, MacOS High Sierra 10.13.4 (Threat Emulation, Threat Extraction, Anti-Ransomware,
Chrome for Mac Browser Extension)

Browser Protection – SandBlast Agent for browsers

Supported Browsers
§ Google Chrome, Internet Explorer, Firefox

Download Protection - Threat Emulation and Threat Extraction

Threat Extraction – Supported File Types
§ Adobe PDF, Microsoft Word, Excel, and PowerPoint

Threat Emulation – Supported File Types
§ Over 40 file types, including: Adobe PDF, Microsoft Word, Excel, and PowerPoint, Executables (EXE, COM, SCR),
Shockwave Flash – SWF, Rich Text Format – RTF and Archives

Deployment Options
§ SandBlast Service (Hosted on Check Point cloud)
§ SandBlast Appliance (Hosted on premises)

Anti-Ransomware

Anti-Ransomware
§ Signature-less behavioral detection of ransomware, no Internet connection is required
§ Malicious file encryption activity detection and automated ransomware quarantine
§ Automated restoration of encrypted data (if encryption started prior to quarantine)

Anti-Exploit

Anti-Exploit
§ Provides protection against exploit-based attacks compromising legitimate applications.
§ Detects exploits by identifying suspicious memory manipulations at runtime.
§ On detection, shuts down the exploited process and remediates the full attack chain.

Behavioral Guard – Malicious behavior detection and protection

Behavioral Guard
§ Adaptively detects and blocks malware mutations according to their real-time behavior.
§ Identifies, classifies and blocks malware mutations in real time based on minimal process execution tree
similarities.

Zero Phishing and Credential Protection

Zero Phishing
§ Real-time protection from unknown phishing sites
§ Static and heuristic based detection of suspicious elements in sites that request private info

Corporate Credential Protection
§ Detection of reuse of corporate credentials on external sites

File system monitoring

Threat Emulation
§ Content copied from removable storage devices
§ Lateral movement of data and malware between systems on a network segment

Enforcement Modes
§ Detect and alert, Block (background & hold modes)

Anti-Bot

Enforcement Modes
§ Detect and alert, Block (background & hold modes)

Endpoint Anti-Virus

Known Malware Protection
§ Detects, prevents and remediates malware using signatures, behavior blockers and heuristic analysis

Forensics

Analysis Triggers
§ From the endpoint: Threat Emulation, Anti-Ransomware, Anti-Exploit, Behavioral Guard, Anti-Bot, Check Point
Anti-Virus and 3rd party Anti-Virus
§ From the network: Threat Emulation, Anti-Bot, Anti-Virus
§ Manual Indicators of Compromise (IoCs)

Damage Detection
§ Automatically identify: data exfiltration, data manipulation or encryption, key logging

Root Cause Analysis
§ Trace and identify root cause across multiple system restarts in real time

Malware Flow Analysis
§ Automatically generated interactive graphic model of the attack flow

Malicious Behavior Detection
§ Over 40 malicious behavior categories, hundreds of malicious indicators

Full Attack Chain Remediation
§ Automatically, by tracking back and remediating all events the attack caused before detection

Management

Policy Management
§ Endpoint Policy Management (EPM)

Event Monitoring
§ SmartLog, SmartEvent

Endpoint Management Version
§ R77.30.03
§ R80.20 - Coming Soon

Endpoint Management - Available Packages
§ Included as standard with Security Management and Smart-1 Appliances
§ Available as a software license

Appendix B – Relevant Log Files

Problem: Browser extension errors
Logfile:
§ Chrome Extension: <Chrome Download Folder>\sandblast_logs.txt
§ IE11 extension: C:\Users\<UserName>\AppData\LocalLow\CheckPoint\SandBlast\Logs
Comment:
§ Chrome Extension: Right click on the Browser extension and select Collect Logs.
§ IE11 extension: Left click on the Browser extension and click again on Collect Logs.
§ Provide the URL that caused the issue.

Problem: SandBlast Agent UI errors, deployment errors
Logfile: SandBlast client logs (cpinfo)
Comment: Collect logs from the SandBlast Agent client: Advanced -> Collect

Problem: Crashes / Dump Files
Logfile: C:\Windows\Internet Logs\CP_EFR Crash*

Problem: Deployment issues
Logfile: C:\Program Files (x86)\CheckPoint\Endpoint Security Agent\Endpoint Common\Logs\cpda.log (or %DADIR%\Logs)

Problem: False Positive / False Negative
Logfile:
§ SandBlast client logs (cpinfo)
§ Forensic Database: C:\ProgramData\CheckPoint\DBStore\EFR.db
§ C:\ProgramData\CheckPoint\DBStore\Events\<Event ID>
Comment: Wait 15 minutes after the FP/FN, then copy EFR.db aside and compact it. Contact your local SE.
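As an added example (not part of the Check Point guide), the following PowerShell script gathers the Appendix B log locations from a client machine into one timestamped archive that can be attached to a TAC Service Request. The Chrome download folder, the forensics Event ID and the output folder are assumed placeholders supplied by the operator; cpinfo (sk90445) is still collected separately.

```powershell
# Added example, not Check Point code: collect the Appendix B log locations into one archive.
# Assumptions: run in an elevated PowerShell on the affected Windows client; the Chrome download
# folder, Event ID and output root are operator-supplied placeholders.
param(
    [string]$ChromeDownloadFolder = "$env:USERPROFILE\Downloads",   # assumed default location
    [string]$EventId = "",                                          # Forensics <Event ID>, if known
    [string]$OutRoot = "$env:SystemDrive\SBA_Logs"                  # assumed output folder
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# %DADIR% is set by the Endpoint Security Agent; fall back to the path documented in Appendix B.
$daDir = if ($env:DADIR) { $env:DADIR } else {
    "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Security Agent\Endpoint Common"
}

# Source paths taken from Appendix B, each with a destination subfolder in the archive.
$sources = @(
    @{ Path = (Join-Path $ChromeDownloadFolder 'sandblast_logs.txt');        Sub = 'chrome_extension' },
    @{ Path = "$env:USERPROFILE\AppData\LocalLow\CheckPoint\SandBlast\Logs"; Sub = 'ie11_extension' },
    @{ Path = "$env:SystemRoot\Internet Logs\CP_EFR Crash*";                 Sub = 'crash_dumps' },
    @{ Path = (Join-Path $daDir 'Logs');                                      Sub = 'deployment' },
    # For FP/FN cases Appendix B says to wait 15 minutes after the event before copying EFR.db aside.
    @{ Path = "$env:ProgramData\CheckPoint\DBStore\EFR.db";                  Sub = 'forensics_db' }
)
if ($EventId) {
    $sources += @{ Path = "$env:ProgramData\CheckPoint\DBStore\Events\$EventId"; Sub = 'forensics_event' }
}

$collected = foreach ($s in $sources) {
    $target = Join-Path $dest $s.Sub
    # Resolve wildcards (CP_EFR Crash*) and skip locations that do not exist on this machine.
    $items = Get-Item -Path $s.Path -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path $item.FullName -Destination $target -Recurse -Force -ErrorAction Continue
        $item.FullName
    }
}

# Record which locations were found so that missing ones are visible to whoever reads the archive.
$collected | Set-Content -Path (Join-Path $dest 'collected_paths.txt')
Compress-Archive -Path "$dest\*" -DestinationPath "$dest.zip" -Force
Write-Host "Collected $(@($collected).Count) item(s) into $dest.zip"
```

A locked EFR.db (held open by the Forensics service) shows up as a Copy-Item error rather than aborting the run, so the remaining locations are still gathered.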
Appendix C - Relevant SK Articles for POC
§ sk106123 - File types supported by SandBlast Threat Emulation
§ sk101553 - Check Point Document Threat Extraction Technology
§ sk108695 - Check Point SandBlast Agent for Browsers
§ sk142732 - How to configure SandBlast Agent for Browsers with Web Extraction (R80.30 Gateway)