CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Sand blast and Anti-Ransomware

  1. #1
    Join Date
    2012-06-13
    Posts
    276
    Rep Power
    6

    Sand blast and Anti-Ransomware

    Hi Guys,

    Has anyone tried installing or deploying SandBlast Agent in production so far, especially the Anti-Ransomware feature? I am keen to know the responses. CP states that it backs up the files just before the malicious binary starts encrypting them. Can someone tell me where it actually stores the files?

    Also, how does SandBlast review against known evasions?

  2. #2
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    899
    Rep Power
    12

    Re: Sand blast and Anti-Ransomware

    Second that
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    1

    Re: Sand blast and Anti-Ransomware

    Quote Originally Posted by blason View Post
    Hi Guys,

    Has anyone tried installing or deploying SandBlast Agent in production so far, especially the Anti-Ransomware feature? I am keen to know the responses. CP states that it backs up the files just before the malicious binary starts encrypting them. Can someone tell me where it actually stores the files?

    Also, how does SandBlast review against known evasions?

    Tested with Zepto ransomware.

    SBA reacts:
    [Image: RANSOM1.jpg]

    It restored all converted .zepto files.
    [Image: RESTORERANSOMWAREFILES.jpg]

    ###
    SBA Logs
    ###

    C:\ProgramData\CheckPoint\Logs\BackupAndRestoration.log


    ###
    BackupAndRestoration.log
    ###

    /* SandBlastBackup */ is a hidden folder.


    [INFO] BackupAndRestoration.Interfaces.IRestoreBladeActions - RestoreByIncidentId is called, incident_id=1F5DBB17-570B-4680-8449-9F120C621CB4, isOrigLocation=False, restorationPath=C:\Users\ADIRTAM\Pictures, isAllVersions=False, requestSource=RestoreRequestSource::Blade
    2017-03-07 23:51:27,071 [1684:6] [INFO] BackupAndRestoration.Providers.RestoreByIncidentProvider - Provider is called, start process for CorrelationId=1F5DBB17-570B-4680-8449-9F120C621CB4


    [DEBUG] BackupAndRestoration.Providers.RestoreByIncidentProvider - Query GetFilesToRestoreByTime = SELECT * FROM ( SELECT * FROM ViewOriginalAndBackupFiles Where BackupTime <= 1488959198102 AND lower(Org_FileName) = "register.rtf" AND lower(Org_FilePath) = "c:\totalcmd" ORDER BY BackupTime DESC) UNION SELECT * FROM ( SELECT * FROM ViewOriginalAndBackupFiles Where BackupTime > 1488959198102 AND lower(Org_FileName) = "register.rtf" AND lower(Org_FilePath) = "c:\totalcmd" ORDER BY BackupTime ASC)

    [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'C:\SandBlastBackup\{ca350d98-03a9-11e7-aca3-000c2993cba4}.0.RTF' to 'C:\Users\ADIRTAM\Pictures\C\totalcmd\REGISTER.RTF'
    2017-03-07 23:51:27,322 [1684:6] [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'C:\SandBlastBackup\{ca350d99-03a9-11e7-aca3-000c2993cba4}.0.rtf' to 'C:\Users\ADIRTAM\Pictures\C\Users\TRMA\Documents\SHELL.rtf'
    2017-03-07 23:51:27,322 [1684:6] [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'C:\SandBlastBackup\{ca350d9c-03a9-11e7-aca3-000c2993cba4}.0.txt' to 'C:\Users\ADIRTAM\Pictures\C\Python27\Lib\email\test\data\msg_01.txt'
    2017-03-07 23:51:27,338 [1684:6] [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'C:\SandBlastBackup\{ca350d9d-03a9-11e7-aca3-000c2993cba4}.0.txt' to 'C:\Users\ADIRTAM\Pictures\C\Python27\Lib\email\test\data\msg_02.txt'
    2017-03-07 23:51:27,338 [1684:6] [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'C:\SandBlastBackup\{ca350d9e-03a9-11e7-aca3-000c2993cba4}.0.txt' to 'C:\Users\ADIRTAM\Pictures\C\Python27\Lib\email\test\data\msg_03.txt'
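Added example, not from the post or from Check Point: a small parser for the BackupAndRestoration.log format shown above, so an admin can audit what a restore actually did (which incident, how many files landed under the restoration path, and whether every copy really came out of the hidden C:\SandBlastBackup folder). The sample log is constructed from the quoted lines; the first timestamp and the last, deliberately odd line are made up for the demonstration.

```python
import re

# Constructed sample modelled on the BackupAndRestoration.log lines quoted in the post above
# (first timestamp and the final out-of-place copy line are invented for this example).
SAMPLE_LOG = r"""
2017-03-07 23:51:27,055 [1684:6] [INFO] BackupAndRestoration.Interfaces.IRestoreBladeActions - RestoreByIncidentId is called, incident_id=1F5DBB17-570B-4680-8449-9F120C621CB4, isOrigLocation=False, restorationPath=C:\Users\ADIRTAM\Pictures, isAllVersions=False, requestSource=RestoreRequestSource::Blade
2017-03-07 23:51:27,071 [1684:6] [INFO] BackupAndRestoration.Providers.RestoreByIncidentProvider - Provider is called, start process for CorrelationId=1F5DBB17-570B-4680-8449-9F120C621CB4
2017-03-07 23:51:27,322 [1684:6] [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'C:\SandBlastBackup\{ca350d98-03a9-11e7-aca3-000c2993cba4}.0.RTF' to 'C:\Users\ADIRTAM\Pictures\C\totalcmd\REGISTER.RTF'
2017-03-07 23:51:27,322 [1684:6] [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'C:\SandBlastBackup\{ca350d99-03a9-11e7-aca3-000c2993cba4}.0.rtf' to 'C:\Users\ADIRTAM\Pictures\C\Users\TRMA\Documents\SHELL.rtf'
2017-03-07 23:51:27,338 [1684:6] [INFO] BackupAndRestoration.Providers.RecoveryProvider - file copy from 'D:\NotTheBackupStore\{00000000-0000-0000-0000-000000000000}.0.txt' to 'C:\Users\ADIRTAM\Pictures\odd.txt'
"""

# One record: "<timestamp> [pid:tid] [LEVEL] <logger> - <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[\d+:\d+\] \[(\w+)\] (\S+) - (.*)$")
RESTORE_RE = re.compile(r"RestoreByIncidentId is called, incident_id=([0-9A-Fa-f-]+),.*?restorationPath=([^,]+),")
COPY_RE = re.compile(r"file copy from '([^']+)' to '([^']+)'")
BACKUP_ROOT = "c:\\sandblastbackup\\"   # the hidden backup folder named in the post (compared case-insensitively)

def parse_restore_log(text):
    """Return a dict with:
      incidents - incident_id -> restorationPath for each RestoreByIncidentId call
      copies    - (timestamp, src, dst) for every 'file copy from ... to ...' line
      anomalies - copies whose source is not under C:\\SandBlastBackup (worth a closer look)
      restored  - incident_id -> number of files copied under that incident's restorationPath
    """
    incidents, copies, anomalies = {}, [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # blank line or not a log record
        ts, _level, _logger, msg = m.groups()
        r = RESTORE_RE.search(msg)
        if r:
            incidents[r.group(1)] = r.group(2)
            continue
        c = COPY_RE.search(msg)
        if c:
            src, dst = c.groups()
            copies.append((ts, src, dst))
            if not src.lower().startswith(BACKUP_ROOT):
                anomalies.append((ts, src, dst))
    restored = {
        inc: sum(1 for _, _, dst in copies if dst.lower().startswith(path.lower() + "\\"))
        for inc, path in incidents.items()
    }
    return {"incidents": incidents, "copies": copies, "anomalies": anomalies, "restored": restored}
```

Run `parse_restore_log(open(r"C:\ProgramData\CheckPoint\Logs\BackupAndRestoration.log").read())` on a real host and compare `restored` against the count the SBA UI reports; a non-empty `anomalies` list means a restore pulled data from somewhere other than the backup store.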

  4. #4
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    899
    Rep Power
    12

    Re: Sand blast and Anti-Ransomware

    Quote Originally Posted by Tsubasa View Post
    Tested with Zepto ransomware.
    Nice one!
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
