We have already published a large amount of Check Point training material. However, the topic of protecting workstations with Check Point SandBlast Agent has remained hard to cover. We plan to fix that and create a training course for this product as soon as possible; it has been one of the leaders in the EDR field for several years running. In the meantime, we are sharing information about the new agent features that appeared in version E83.10. Spoiler: a beta for Linux and a new cloud-based "control panel" have arrived.
New features
All improvements in version E83.10 can be found in sk166979. There is a lot of useful information there, but it is worth going over the new features here.
New cloud management portal
Check Point has long been developing the Infinity concept, in which centralized management through the cloud portal portal.checkpoint.com plays a key role. A large number of services are already available through this portal:
- CloudGuard SaaS
- Smart-1 Cloud
- Infinity SOC
- CloudGuard Connect
- Threat Hunting
- SandBlast Mobile
- and more
Now the agent also has access to a SandBlast cloud "manager":
Integration has become much simpler and faster. The service is actually up and running within 5 minutes, after which you can start deploying agents. We will not dwell on this here, because the topic deserves a separate article, which we plan to publish in the near future.
URL Filtering
The name speaks for itself. URL filtering is now also available on the agent. You can even filter the traffic of remote users as if they were sitting in the office. Currently, several main categories are available for URL filtering:
- Security
- Productivity Loss
- Legal Liability and Compliance
- Bandwidth Consumption
- General Use
Advantage: each agent includes a browser add-on that lets you inspect encrypted HTTPS traffic without an intermediate device performing SSL inspection. This greatly simplifies integration, especially for remote users.
There are currently several limitations:
- The browser plugin is only available for Google Chrome. Support for other browsers is expected soon.
- URL filtering is currently available only through cloud management. The interface looks like this:
It is also worth noting the new "Anti-Credential Theft" feature: protection against Pass-the-Hash attacks. We will most likely cover it in detail as part of a future course.
New platforms for SandBlast Agent
SandBlast now natively supports both persistent and non-persistent VDI. But there is something more important. A beta version of SandBlast Agent for Linux systems has finally appeared. Here is a quick demo, which also shows the Check Point Threat Hunting integration:
In my opinion, managing policies has become more convenient. Logs from SandBlast Agent now also appear in a more familiar form.
As you may have gathered, web-based management is currently available only for the cloud platform. However, on-premises appliances running Gaia R81 will also get it, which should be announced in Q1 2021.
Key agent improvements
Below are some of the key changes and improvements in SandBlast Agent version E83.10:
Threat Prevention
- Behavioral Guard now protects against the "Pass The Hash" credential theft technique. Credential Dumping protection was added in the previous release.
- Fixes an issue where Anti-Ransomware does not detect a potential attack when the user is not logged in.
- Fixes Anti-Ransomware false positives due to user profile deletions.
- Fixes multiple rare cases of false positives in Anti-Ransomware.
- Fixes an issue where "out of memory" errors occur when the log lists a very large number of backups.
- When you disable Anti-Ransomware, the backup driver no longer operates.
- Improves performance as Forensics now stores fewer named objects, such as mutexes and events.
- Improves the performance of Forensics, Behavioral Guard and Threat Hunting with enhancements to our Registry Operation exclusion algorithms that reduce the number of recorded registry operations.
- Resolves an issue where an Anti-Malware scheduled scan occurs, even if it is not in the policy.
- Resolves an Anti-Malware icon scaling issue.
- Resolves a possible issue where the Anti-Malware process crashes as it shuts down.
Data and Access Control
- Resolves client network issues after a Firewall driver uninstallation failure.
- Resolves a rare issue where an added Firewall blade gets stuck in the "Initializing" state.
- Resolves a possible upgrade issue where the Firewall blade does not start due to a WatchDog failure.
- Resolves a rare issue where the Firewall policy is "Not Set" in the client after the policy download from the server.
- Resolves a possible issue where the Disk Encryption process crashes during shutdown.
- Resolves a removable media icon blink issue for an encrypted partition when Media Scan is enabled.
- Improves compatibility with non-UTF-8 applications. Users can toggle UTF-8 support.
- Fixes active File Transfer Protocol (FTP) traffic blocks on a standalone VPN client with Firewall.
- Includes stability and quality fixes. Supports all the features of previous releases.
Installation and Infrastructure
- Resolves a possible issue where uninstalling the Endpoint removes components that are necessary for other applications.
- Resolves a possible issue where the uninstall fails after the user turns off "Network Protection".
- Resolves a possible issue where the Endpoint Security Client does not run correctly after an operating system upgrade.
- Resolves a rare issue where the client uninstall fails with Error 1921: "Service Check Point Endpoint Agent (CPDA) could not be stopped".
- Resolves a rare issue where an upgrade that uses "Dynamic Package" continuously loops after a download fails to resume.
- The pre-boot language selection choice is now correct after a language update in Windows.
- Fixes an incompatibility issue with Sophos Antivirus, which could not install on a machine with Endpoint Security Client on it.
- Resolves a rare User Interface (UI) issue where a malware resolution is not shown to a user.
- Resolves a client LogViewer issue, where it only shows log records that match the latest log schema.
- On the Endpoint Security Client screen, the Overview list now shows "Anti-Bot and URL Filtering" instead of "Anti-Bot".
- The client User Interface (UI) is no longer shown during manual upgrades.
- Resolves URL infection report issues in the User Interface (UI) so that infection records are no longer permanent in the client and server UIs.
- Anti-Bot and URL Filtering policy now translates to all supported languages.
- Improves the performance of the Endpoint Security core driver to reduce CPU consumption.
Instead of a conclusion
I am sure that an article on the forensics capabilities SandBlast Agent can provide would be interesting. As mentioned earlier, we plan to publish new training materials, so stay tuned to our channels (Telegram, Facebook, VK and the TS Solution Blog)!
In addition, several useful Check Point webinars will be held in the near future:
Hurry up and register!