Check Point SandBlast Agent. What's new?





We have already published a large amount of Check Point training material. However, the topic of protecting workstations with Check Point SandBlast Agent is still very poorly covered. We plan to fix that and create training courses for this product in the near future; it has been one of the leaders in the EDR segment for several years running. In the meantime, we are sharing information about the new agent capabilities that appeared in version E83.10. Spoiler: there is a beta version for Linux and a new cloud management portal.



New features



All improvements in version E83.10 are listed in sk166979. There is a lot of relevant information there, but we will walk through the new features ourselves.



New cloud management portal



Check Point has long been developing the Infinity concept, in which centralized management through the cloud portal portal.checkpoint.com plays a key role. At the moment a large number of services are available through this portal:



  • CloudGuard SaaS
  • Smart-1 Cloud
  • Infinity SOC
  • CloudGuard Connect
  • Threat Hunting
  • SandBlast Mobile
  • and much more


And now cloud management of SandBlast Agents is available there as well:







Integration is now much easier and faster. The service starts in literally five minutes, and you can begin rolling out agents. We will not dwell on this here, because the topic deserves a whole series of articles, which we are planning for the near future.



URL Filtering



The name speaks for itself. URL filtering is now available on the agents as well, so you can filter the traffic of remote users just as if they were sitting in the office. Currently, several main categories are available for URL filtering:



  • Security
  • Productivity loss
  • Legal liability & regulatory compliance
  • Bandwidth consumption
  • General use


On the plus side, each agent includes a browser add-on that lets you inspect encrypted HTTPS traffic without an intermediate device performing SSL inspection. This makes integration much easier, especially for remote users.

There are several restrictions at the moment:



  • The browser add-on is only available for Google Chrome. Support for other browsers is expected soon.
  • The URL Filtering feature is currently only available through cloud management. This is what the interface looks like:






It is also worth noting the new Anti-Credential Theft feature: protection against Pass-the-Hash attacks. We will cover it in detail, most likely as part of the future course.



New platforms for SandBlast Agent



SandBlast Agent now natively supports both persistent and non-persistent VDI. But something else is more important: a beta version of SandBlast Agent for Linux systems has finally appeared. Here is a quick demo, which also shows the Check Point Threat Hunting integration:







In my opinion, policy management has become more convenient. Logs from SandBlast Agents are now also presented in a more familiar form.



As you have probably gathered, web management is currently only available on the cloud platform. However, it will also become available for on-premises (local) management devices in Gaia R81, which is expected to be announced in the first quarter of 2021.



Key agent improvements



Here are a few key changes and improvements to SandBlast Agent version E83.10:



Threat prevention
  • Behavioral Guard now protects against the "Pass The Hash" technique for credential theft, in addition to the Credential Dumping protection added in the previous release.
  • Fixes an issue where Anti-Ransomware does not detect a potential attack when the user is not logged in.
  • Fixes Anti-Ransomware false positives caused by user profile deletions.
  • Fixes multiple rare cases of false positives in Anti-Ransomware.
  • Fixes an issue where "out of memory" errors occur when the log lists a very large number of backups.
  • When Anti-Ransomware is disabled, the backup driver no longer operates.
  • Improves performance, as Forensics now stores fewer named objects such as mutexes and events.
  • Improves the performance of Forensics, Behavioral Guard and Threat Hunting through enhancements to the Registry Operation exclusion algorithms, which reduce the number of recorded registry operations.
  • Resolves an issue where an Anti-Malware scheduled scan runs even when it is not in the policy.
  • Resolves an Anti-Malware icon scaling issue.
  • Resolves a possible issue where the Anti-Malware process crashes as it shuts down.




Data and Access Control
  • Resolves client network issues after a Firewall driver uninstallation failure.
  • Resolves a rare issue where a newly added Firewall blade gets stuck in the "Initializing" state.
  • Resolves a possible upgrade issue where the Firewall blade does not start due to a WatchDog failure.
  • Resolves a rare issue where the Firewall policy shows as "Not Set" in the client after the policy is downloaded from the server.
  • Resolves a possible issue where the Disk Encryption process crashes during shutdown.
  • Resolves a removable media icon blinking issue for an encrypted partition when Media Scan is enabled.
  • Improves support for non-UTF-8 applications. Users can toggle UTF-8 support.
  • Fixes active FTP traffic being blocked on a standalone VPN client with Firewall.
  • Includes stability and quality fixes. Supports all the features of previous releases.




Installation & Infrastructure
  • Resolves a possible issue where uninstalling the Endpoint client removes components that other applications need.
  • Resolves a possible issue where the uninstall fails after the user turns off "Network Protection".
  • Resolves a possible issue where the Endpoint Security Client does not run correctly after an operating system upgrade.
  • Resolves a rare issue where the client uninstall fails with Error 1921: "Service Check Point Endpoint Agent (CPDA) could not be stopped".
  • Resolves a rare issue where an upgrade that uses "Dynamic Package" loops continuously after a download fails to resume.
  • The pre-boot language selection is now correct after a language update in Windows.
  • Fixes an incompatibility with Sophos Antivirus, which could not be installed on a machine with the Endpoint Security Client on it.
  • Resolves a rare User Interface (UI) issue where a malware resolution is not shown to the user.
  • Resolves a client LogViewer issue where it only shows log records that match the latest log schema.
  • On the Endpoint Security Client screen, the Overview list now shows "Anti-Bot and URL Filtering" instead of "Anti-Bot".
  • The client User Interface (UI) is no longer shown during manual upgrades.
  • Resolves URL infection report issues in the User Interface (UI) so that infection records do not persist in the client and server UIs.
  • The Anti-Bot and URL Filtering policy is now translated into all supported languages.
  • Improves the performance of the Endpoint Security core driver to reduce CPU consumption.




Instead of a conclusion



I'm sure an article about the forensics that SandBlast Agent can provide would also be of interest. As already mentioned, we plan to publish new training materials, so stay tuned on our channels (Telegram, Facebook, VK, TS Solution Blog)!

In addition, several useful Check Point webinars will be held shortly:

Hurry up to register!