CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Frustration with E80.70 anti-ransomware undocumented feature

  1. #1
    Join Date
    2017-05-02
    Posts
    9
    Rep Power
    0

    Frustration with E80.70 anti-ransomware undocumented feature

    Ok where to begin...

    2 weeks ago we noticed (after pushing E80.70 out to our clients) some strange files and folders written to all of our users' network shares and home folders. One of these directories was called '00Fin' in all of their shares, and that was one of the only common factors (along with a strong time correlation to when each user was creating or last modifying these files). Along with that were some strange files inside those directories as well.

    At first this was just an annoying quirk. But as it spread more and more throughout our network, this became more alarming. We looked into these files and saw that they had no discernible file signature (like an encrypted file would). After attempting to compress several of these files, we found that 0% compression was achieved, which confirmed that these are in fact highly entropic files (just like an encrypted file would be). So the worst was assumed... some ransomware was in our system attempting to infect things and not quite finishing somehow.

    Long story short, a week later... and after being assured by CP tech support that it was nothing they were doing, THEN after speaking with 2 different higher level people at Check Point, we have determined that, despite NO DOCUMENTATION ANYWHERE ON GOOGLE, AND NO DOCUMENTATION ANYWHERE ON CHECK POINT'S WEBSITE OR 80.70 RELATED DOCS, this is in fact standard behavior in 80.70 as some sort of decoy for ransomware!!

    Gee guys, it would have been nice to tell us techs out in the field this so we're not tearing out our hair over things like this. Did you think it wouldn't be found? Did you think we wouldn't assume it was ransomware and get all freaked out? On the one hand I applaud CP for trying to find better techniques and tactics for catching ransomware, but c'mon guys, you GOT TO LET US KNOW somehow about things like this!!! That way when we come upon it we aren't freaking out and getting egg on our faces when we finally find out it's just standard behavior in one of our products.


    Hopefully my post will help someone in here to not have to go through what I did and lose hair or sleep over it.
    Last edited by nrm21; 2017-05-31 at 16:15.

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    10

    Re: Frustration with E80.70 anti-ransomware undocumented feature

    yikes.. yeah for sure thanks for passing this along. Interesting idea for sure, but it does suck no one knew it did that. Major egg on everyone's face. :/

  3. #3
    Join Date
    2017-06-19
    Posts
    4
    Rep Power
    0

    Re: Frustration with E80.70 anti-ransomware undocumented feature

    Thanks for sharing, it happened to my PC too, E80.70 HF1 with SandBlast Agent enabled.

  4. #4
    Join Date
    2016-06-03
    Posts
    1
    Rep Power
    0

    Re: Frustration with E80.70 anti-ransomware undocumented feature

    This also surprised me, but when I googled for "00Fin" I got a hit; apparently it is indeed documented:
    From the CP_R7730.03_EndpointSecurity_AdminGuide.pdf:

    http://downloads.checkpoint.com/dc/d...d.htm?ID=53788

    SandBlast Agent Forensics and Anti-Ransomware
    Endpoint Security Administration Guide R77.30.03 Management Server | 188

    Anti-Ransomware Files
    SandBlast Agent creates honeypot files on client computers to better detect ransomware before it starts to encrypt the user's files.
    These are the files that SandBlast Agent creates:
    MyMusic\00Fin\**AR*.bmp
    MyMusic\00Fin\BB*.gif
    MyMusic\**AAAA*.jpg
    MyMusic\Check*In.png
    MyDocuments\00Fin\MyDoc*.doc
    MyDocuments\00Fin\MyDoc*.docx
    MyDocuments\wahoo*o.rtf
    MyDocuments\**.txt
    PublicVideos\00Fin\MyMovie*.wmv
    PublicVideos\00Fin\MyMovie*.mp3
    PublicVideos\wahoo*o.wmv
    PublicVideos\**.mp3
    PublicPictures\00Fin\**AR*.bmp
    PublicPictures\00Fin\BB*.gif
    PublicPictures\00Fin.jpg
    PublicPictures\Check*In.png
    PublicDocuments\00Fin\MyDoc*.doc
    PublicDocuments\00Fin\MyDoc*.docx
    PublicDocuments\wahoo*o.rtf
    PublicDocuments\**.txt
    If a file is deleted, it is automatically recreated after the next system boot.


    I already have this manual downloaded, but I have not had the time to read every page, so I was as frustrated as you all are.

    It should be noted at the BEGINNING of the documentation to expect this, and a link to the section on page 188 should be right there with it.
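As an added example, not code from this thread, from Check Point or from the admin guide: a small Python triage script that combines the two checks discussed in the thread, the compression/entropy test the original poster used to conclude the files were "highly entropic", and the decoy path patterns quoted from the R77.30.03 guide above, so an analyst can tell a documented honeypot file from an unexplained high-entropy file on a share. The pattern list is copied verbatim from the quoted excerpt; the folder roots (MyMusic, MyDocuments, ...) are read as the guide's placeholders for the profile's known folders, and the entropy threshold of 7.5 bits per byte, the function names and the sample byte strings are all assumptions constructed for the example.

```python
import fnmatch
import math
import random
import zlib
from collections import Counter
from typing import Optional

# Decoy paths exactly as listed in the R77.30.03 Endpoint Security admin guide
# excerpt quoted in this thread. The roots (MyMusic, MyDocuments, ...) are taken
# as placeholders for the profile's known folders; '*' and '**' are wildcards.
DECOY_PATTERNS = [
    r"MyMusic\00Fin\**AR*.bmp",
    r"MyMusic\00Fin\BB*.gif",
    r"MyMusic\**AAAA*.jpg",
    r"MyMusic\Check*In.png",
    r"MyDocuments\00Fin\MyDoc*.doc",
    r"MyDocuments\00Fin\MyDoc*.docx",
    r"MyDocuments\wahoo*o.rtf",
    r"MyDocuments\**.txt",
    r"PublicVideos\00Fin\MyMovie*.wmv",
    r"PublicVideos\00Fin\MyMovie*.mp3",
    r"PublicVideos\wahoo*o.wmv",
    r"PublicVideos\**.mp3",
    r"PublicPictures\00Fin\**AR*.bmp",
    r"PublicPictures\00Fin\BB*.gif",
    r"PublicPictures\00Fin.jpg",
    r"PublicPictures\Check*In.png",
    r"PublicDocuments\00Fin\MyDoc*.doc",
    r"PublicDocuments\00Fin\MyDoc*.docx",
    r"PublicDocuments\wahoo*o.rtf",
    r"PublicDocuments\**.txt",
]

# Assumed cut-off: bits per byte above which content looks encrypted/random.
ENTROPY_THRESHOLD = 7.5


def matches_decoy_pattern(relative_path: str) -> Optional[str]:
    """Return the documented pattern that relative_path matches, or None.

    relative_path is relative to the profile root, e.g. 'MyDocuments\\00Fin\\MyDoc1.docx'.
    Path segments are matched one at a time so a wildcard never crosses a directory
    boundary, and matching is case-insensitive like Windows file names.
    """
    parts = relative_path.replace("/", "\\").lower().split("\\")
    for pattern in DECOY_PATTERNS:
        pat_parts = pattern.lower().split("\\")
        if len(pat_parts) == len(parts) and all(
            fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(parts, pat_parts)
        ):
            return pattern
    return None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data,
    8.0 for bytes that are uniformly distributed over all 256 values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib-compressed size divided by original size. A value near 1.0 is the
    '0% compression achieved' observation from the first post."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def triage(relative_path: str, data: bytes) -> dict:
    """Classify one file by its name (documented decoy pattern?) and its content."""
    pattern = matches_decoy_pattern(relative_path)
    entropy = shannon_entropy(data)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    if pattern and high_entropy:
        verdict = "likely-sandblast-decoy"
    elif pattern:
        verdict = "decoy-name-low-entropy"
    elif high_entropy:
        verdict = "high-entropy-unexplained"  # not a documented decoy: look closer
    else:
        verdict = "ordinary-file"
    return {
        "path": relative_path,
        "pattern": pattern,
        "entropy": round(entropy, 3),
        "compression_ratio": round(compression_ratio(data), 3),
        "verdict": verdict,
    }


# Constructed samples: seeded pseudo-random bytes stand in for a decoy's
# high-entropy content; repeated ASCII text stands in for a normal document.
_rng = random.Random(20170531)
SAMPLE_DECOY = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 50


if __name__ == "__main__":
    for path, blob in [
        (r"MyDocuments\00Fin\MyDoc1.docx", SAMPLE_DECOY),
        (r"MyDocuments\budget-final.xlsx", SAMPLE_DECOY),
        (r"MyDocuments\00Fin\notes.txt", SAMPLE_TEXT),
    ]:
        print(triage(path, blob))
```

Segment-by-segment matching matters here: with plain `fnmatch` on the whole string, `MyDocuments\**.txt` would also swallow every `.txt` in every sub-folder, and the "unexplained" bucket, which is the one an analyst actually cares about, would be emptied by mistake.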
