Behavioral Protection
The Anti-Bot component
- Uses the ThreatCloud repository to receive updates and queries the repository for classification of unidentified IP, URL, and DNS resources.
- Prevents damage by blocking bot communication to C&C sites and makes sure that no sensitive information is stolen or sent out of the organization.
There are 3 configuration options for the Anti-Bot protection: Prevent, Detect, and Off.
The Anti-Ransomware Component
The Anti-Ransomware constantly monitors files and network activity for suspicious behavior. It creates honeypot files on client computers.
It stops the attack immediately after it detects that the ransomware modified the files.
In version E88.50 and later, the Anti-Ransomware creates the honeypot files in these folders:
- Drive root (C:\, D:\, etc.)
- C:\Users\Public\Music
- C:\Users\<User>\Music (MyMusic)
- C:\Users\Public\Documents
- C:\Users\<User>\Documents (MyDocuments)
- C:\Users\Public\Videos
- C:\Users\<User>\Videos (MyVideos)
- C:\Users\Public\Pictures
- C:\Users\<User>\Pictures (MyPictures)
- C:\Program Files (x86)
- C:\ProgramData
- C:\Users\<User>\AppData\Roaming
- C:\Users\<User>\AppData\Local
For versions prior to E88.50, the Anti-Ransomware creates the honeypot files in these folders:
- C:\Users\Public\Music
- C:\Users\<User>\Music (MyMusic)
- C:\Users\Public\Documents
- C:\Users\<User>\Documents (MyDocuments)
- C:\Users\Public\Videos
- C:\Users\<User>\Videos (MyVideos)
- C:\Users\Public\Pictures
- C:\Users\<User>\Pictures (MyPictures)
- C:\Program Files (x86)
- C:\ProgramData
- C:\Users\<User>\AppData\Roaming
- C:\Users\<User>\AppData\Local
In version E88.41 and later, folders with restricted access are identified by a lock icon next to the folder name.
For versions prior to E88.41, folders with restricted access are identified by a lock icon next to the folder name.
The file names include these strings, or similar:
- CP
- CheckPoint
- Check Point
- Check-Point
- Sandblast Agent
- Sandblast Zero-Day
- Endpoint
Before a ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location.
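The honeypot-file idea described in this section, as an added sketch that is not Check Point's code: decoy files are planted, their hashes recorded, and any later change or disappearance raises an alert. The decoy names, the polling approach, and the temporary folders are assumptions made for illustration; the product's actual detection mechanism is not documented on this page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical decoy names for this sketch; not the product's real file names.
DECOY_NAMES = ("Endpoint-decoy-01.docx", "Endpoint-decoy-02.xlsx")


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(folders):
    """Create decoy files in each folder; return a {path: sha256} baseline."""
    baseline = {}
    for folder in folders:
        for name in DECOY_NAMES:
            path = Path(folder) / name
            path.write_bytes(os.urandom(256))  # random filler content
            baseline[path] = _digest(path)
    return baseline


def check_decoys(baseline):
    """Return a sorted list of (path, reason) for decoys that were touched."""
    alerts = []
    for path, expected in baseline.items():
        if not path.exists():
            alerts.append((path, "missing"))   # deleted or renamed
        elif _digest(path) != expected:
            alerts.append((path, "modified"))  # content overwritten in place
    return sorted(alerts)


def demo():
    """Constructed scenario: one decoy overwritten, one renamed."""
    with tempfile.TemporaryDirectory() as root:
        docs, pics = Path(root) / "Documents", Path(root) / "Pictures"
        docs.mkdir()
        pics.mkdir()
        baseline = plant_decoys([docs, pics])
        assert check_decoys(baseline) == []  # clean state raises no alerts
        (docs / DECOY_NAMES[0]).write_bytes(b"\x00" * 256)  # simulated overwrite
        (pics / DECOY_NAMES[1]).rename(pics / (DECOY_NAMES[1] + ".locked"))
        return [(p.parent.name, p.name, why) for p, why in check_decoys(baseline)]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Because a legitimate user or cleanup tool can also touch a decoy, the honeypot files listed above should be left in place and excluded from bulk rename or delete jobs.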
The Anti-Exploit Component
Endpoint Security Anti-Exploit detects zero-day and unknown attacks.
Files on your computer are sent to a testing area for emulation to detect malicious files and content.