Standard Threat Prevention Policy: Description

The figure above shows a standard Threat Prevention policy rule, which by default applies to the entire organization (all installed agents) and includes three logical groups of protection components: Web & Files Protection, Behavioral Protection and Analysis & Remediation. Let's take a closer look at each of the groups.

Web & Files Protection

URL Filtering
URL Filtering allows you to control user access to web resources using five predefined categories of sites. Each category contains several more specific subcategories, so you can, for example, block access to the Games subcategory while allowing access to the Instant Messaging subcategory, both of which belong to the same Productivity Loss category. Which URLs belong to which subcategory is determined by Check Point. You can check the category to which a specific URL belongs, or request a category override, using the dedicated URL Categorization resource. The action can be set to Prevent, Detect or Off. When Detect is selected, a setting is automatically added that lets users dismiss the URL Filtering warning and proceed to the resource. If Prevent is used, this setting can be removed so that the user cannot access the prohibited site at all. Another convenient way to control prohibited resources is to set up a Block List, in which you can specify domains or IP addresses, or upload a .csv file with a list of domains to block.

In the standard URL Filtering policy, the action is set to Detect and one category is selected - Security - for which events will be detected. This category includes anonymizers, sites with a Critical/High/Medium risk level, phishing sites, spam and much more. However, users will still be able to access such resources thanks to the “Allow user to dismiss the URL Filtering alert and access the website” setting.
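As an added illustration of how a Block List like the one described above is enforced (this is not Check Point's code, and the CSV layout, function names and verdict strings are assumptions), the following Python loads a constructed list of domains and IP ranges, matches a URL's host against it (a listed domain also covers its subdomains, but not look-alike names that merely end with the same text), and returns the verdict for each of the three actions, including the "dismissible" case that the Detect action adds by default:

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample export of a Block List: one entry per row, domains or IPs.
# (Illustrative layout only; not the product's own file format.)
BLOCK_LIST_CSV = """entry
badsite.example
anonymizer.example
203.0.113.10
198.51.100.0/24
"""


def load_block_list(csv_text):
    """Parse CSV rows into a set of domains and a list of IP networks."""
    domains = set()
    networks = []
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # skip the header row
    for row in reader:
        if not row or not row[0].strip():
            continue
        entry = row[0].strip().lower().rstrip(".")
        try:
            # single addresses become /32 (or /128) networks
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry)
    return domains, networks


def host_blocked(host, domains, networks):
    """True if the host is a listed IP, inside a listed range, or a listed domain / its subdomain."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in networks)
    # Walk up the label hierarchy: www.badsite.example -> badsite.example -> example.
    # This matches whole labels only, so "notbadsite.example" is not caught by "badsite.example".
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def evaluate_url(url, domains, networks, action="Prevent", allow_dismiss=False):
    """Return the verdict applied to a URL under the configured action (assumed verdict names)."""
    if action == "Off":
        return "allow"
    host = urlsplit(url).hostname or ""
    if not host_blocked(host, domains, networks):
        return "allow"
    if action == "Detect":
        return "alert-allow"          # event logged, user may always proceed
    if allow_dismiss:
        return "alert-dismissible"    # Prevent, but the dismiss option was left enabled
    return "block"                    # Prevent with the dismiss option removed


if __name__ == "__main__":
    d, n = load_block_list(BLOCK_LIST_CSV)
    for u in ("https://www.badsite.example/login", "http://198.51.100.77/", "https://notbadsite.example/"):
        print(u, "->", evaluate_url(u, d, n))
```

The point of the label-by-label walk is the edge case a naive `endswith` check gets wrong: it would block `notbadsite.example` because the string ends in `badsite.example`, while this version only matches the listed domain and its true subdomains.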

Download (web) Protection

Emulation & Extraction allows you to emulate downloaded files in the Check Point cloud sandbox and clean up documents on the fly, removing potentially malicious content, or converting the document to PDF. There are three operating modes:

  • Prevent - allows you to get a cleaned copy of the document before the final emulation verdict, or to wait until emulation is completed and then download the original file;
  • Detect - performs emulation in the background without preventing the user from receiving the original file, regardless of the verdict;
  • Off - any file is allowed to be downloaded without going through emulation and without cleaning of potentially malicious components.

It is also possible to select an action for files that are not supported by Check Point emulation and cleaning tools - you can allow or deny the download of all unsupported files.

The standard policy for Download Protection is set to Prevent, which allows you to obtain a copy of the original document that has been cleared of potentially malicious content, as well as allowing the download of files that are not supported by emulation and cleaning tools.

Credential Protection

The Credential Protection component protects user credentials and includes two components: Zero Phishing and Password Protection. Zero Phishing protects users from accessing phishing resources, and Password Protection warns the user not to use corporate credentials outside the protected domain. Zero Phishing can be set to Prevent, Detect or Off. With the Prevent action, you can either allow users to ignore the warning about a potential phishing resource and access it anyway, or disable this option and block access entirely. With the Detect action, users always have the option to ignore the warning and access the resource. Password Protection lets you select the protected domains whose passwords will be checked for reuse, and one of three actions: Detect & Alert (notifying the user), Detect or Off.

In the standard Credential Protection policy, Zero Phishing is set to Prevent, so users are blocked from accessing potentially malicious phishing sites. Protection against reuse of corporate passwords is also enabled, but without any protected domains specified this feature will not work.

Files Protection

Files Protection is responsible for protecting files stored on the user's machine and includes two components: Anti-Malware and Files Threat Emulation. Anti-Malware regularly scans all user and system files using signature analysis. In the settings of this component, you can schedule regular scans or randomize the scan time, set the signature update period, and decide whether users may cancel a scheduled scan. Files Threat Emulation allows you to emulate files stored on the user's machine in the Check Point cloud sandbox, but this feature only works in Detect mode.

The standard policy for Files Protection includes protection with Anti-Malware and detection of malicious files with Files Threat Emulation. Regular scanning is carried out every month, and signatures on the user machine are updated every 4 hours. At the same time, users are configured to be able to cancel a scheduled scan, but no later than 30 days from the date of the last successful scan.

Behavioral Protection

Anti-Bot, Behavioral Guard & Anti-Ransomware, Anti-Exploit

The Behavioral Protection group includes three components: Anti-Bot, Behavioral Guard & Anti-Ransomware and Anti-Exploit. Anti-Bot allows you to monitor and block C&C connections using the constantly updated Check Point ThreatCloud database. Behavioral Guard & Anti-Ransomware continuously monitors activity (files, processes, network interactions) on the user machine and allows you to stop ransomware attacks at an early stage. In addition, this component can restore files that have already been encrypted by the malware: files are restored to their original directories, or you can specify a path where all recovered files will be stored. Anti-Exploit allows you to detect zero-day attacks. All Behavioral Protection components support three operating modes: Prevent, Detect and Off.

The standard policy for Behavioral Protection provides Prevent for the Anti-Bot and Behavioral Guard & Anti-Ransomware components, with the restoration of encrypted files in their original directories. The Anti-Exploit component is disabled and not used.

Analysis & Remediation

Automated Attack Analysis (Forensics), Remediation & Response

Two components are available for the analysis and investigation of security incidents: Automated Attack Analysis (Forensics) and Remediation & Response. Automated Attack Analysis (Forensics) generates detailed reports on repelled attacks, down to an analysis of how the malware executed on the user machine. It also provides the Threat Hunting feature, which allows you to proactively search for anomalies and potentially malicious behavior using predefined or custom filters. Remediation & Response allows you to configure recovery and quarantine of files after an attack: user interaction with quarantined files is regulated, and quarantined files can be stored in a directory specified by the administrator.

The standard Analysis & Remediation policy enables automatic remediation actions (terminating processes, restoring files, etc.), the option to send files to quarantine is active, and users are only allowed to delete files from quarantine.

Malwarebytes Anti-Exploit 1.07.1.1015 Premium

Malwarebytes Anti-Exploit is a solution for protection against exploits that target 0day vulnerabilities. It protects core applications on the system from known and unknown exploits without the need to configure or update signatures.

Malwarebytes Anti-Exploit protects against known and unknown exploits for zero-day vulnerabilities, protecting users where traditional antivirus and security programs fail. To protect against exploitation of vulnerabilities, the program uses the patented ZeroVulnerabilityLabs technologies, which stop malicious exploits before they can compromise your computer. Malwarebytes Anti-Exploit includes shields for all major browsers (IE, Firefox, Chrome, Opera) and browser components such as Java, Adobe Reader, Flash and Shockwave. The application blocks exploit kits such as Blackhole, Sakura, Phoenix and Incognito without requiring any signature updates. No training or configuration is required from the user; Malwarebytes Anti-Exploit is a 100% “set it and forget it” solution for protection against exploits.

Changes:

  • New Features:
    • Added new Layer0 exploit mitigations for IE VB scripting
    • Added new Layer1 exploit mitigations for ROP detection
    • Added new Layer3 exploit mitigations for Powershell abuse
    • Added telemetry from Firefox
    • Added ability to edit custom shields
    • Added ability to log protection events to UI
    • Added ability to auto-upgrade corporate builds
    • Added support for Windows 10
    • Added blacklisting of pirated and fraudulent license keys
  • Improvements:
    • Improved Java shield in corporate environments
    • Improved exploit telemetry
    • Removed duplicate default shields for portable browsers
    • Removed "shielded applications" counter from UI
  • Fixes:
    • Fixed issue when printing to Adobe PDF
    • Fixed issue with Speedbit Download Accelerator
    • Fixed issue with plugins from PowerDVD and GAS Tecnologia
    • Fixed issue with nProtect GameGuard Anti-Cheat
    • Fixed issue with certain exclusions not respected
    • Fixed issue with Knowledge Coach Office Add-In
    • Fixed issue with false positive from IE
    • Fixed issue with Foxit Reader startup
    • Fixed issue with Excel PowerQuery
    • Fixed issue with Excel DEP Enforcement
    • Fixed issue with IE VB scripting block
    • Fixed issue with Chrome crashes
    • Fixed issue with Arcom Masterworks

OS: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Download Malwarebytes Anti-Exploit 1.07.1.1015 Premium (2.8 MB):

Standard Threat Prevention Policy: Testing

Check Point CheckMe Endpoint

The fastest and easiest way to check how well a user's machine is protected against the most popular types of attacks is to run a test with the Check Point CheckMe resource, which performs a number of typical attacks from various categories and produces a report on the results. In this case the Endpoint testing option was used: an executable file is downloaded to the computer and launched, after which the verification process begins.

While the working computer is being checked, SandBlast Agent reports the attacks it detects and repels on the user's computer, for example: the Anti-Bot blade reports the detection of an infection, the Anti-Malware blade detects and deletes the malicious file CP_AM.exe, and the Threat Emulation blade determines that the CP_ZD.exe file is malicious.

Based on the CheckMe Endpoint results, we have the following: of the 6 attack categories, the standard Threat Prevention policy failed to cope with only one - Browser Exploit. This is because the standard Threat Prevention policy does not include the Anti-Exploit blade. It is worth noting that without SandBlast Agent installed, the user's computer passed the check only in the Ransomware category.

KnowBe4 RanSim

To test the Anti-Ransomware blade, you can use the free KnowBe4 RanSim tool, which runs a number of tests on the user's machine: 18 ransomware infection scenarios and 1 cryptominer infection scenario. It is worth noting that the presence of many blades in the standard policy (Threat Emulation, Anti-Malware, Behavioral Guard) with the Prevent action does not allow this test to run correctly. However, even with a reduced security level (Threat Emulation in Off mode), the Anti-Ransomware blade test shows a high result: 18 of 19 tests passed successfully (1 failed to start).

Malicious files and documents

A telling check of the different blades in the standard Threat Prevention policy is to download malicious files of popular formats to the user's machine. This test involved 66 files in PDF, DOC, DOCX, EXE, XLS, XLSX, CAB and RTF formats. The results showed that SandBlast Agent blocked 64 of the 66 malicious files. Infected files were deleted after download, or were cleared of malicious content by Threat Extraction before being delivered to the user.

Recommendations for improving the Threat Prevention policy

URL Filtering

The first thing to correct in the standard policy to raise the security level of the client machine is to switch the URL Filtering blade to Prevent and select the appropriate categories for blocking. In our case, all categories except General Use were selected, since they cover most of the resources to which user access should be restricted in the workplace. For such sites it is also advisable to remove the users' ability to skip the warning window by unchecking the “Allow user to dismiss the URL Filtering alert and access the website” parameter.

Download Protection

The second option worth attention is the ability for users to download files that are not supported by Check Point emulation. Since in this section we are looking at improvements to the standard Threat Prevention policy from a security perspective, the best option is to block the download of unsupported files.

Files Protection

You also need to pay attention to the Files Protection settings - in particular, the periodic scan schedule and the user's ability to postpone a forced scan. Here the user's working hours must be taken into account, and a good option from both a security and a performance point of view is to run a forced scan every day at a randomly selected time (between 00:00 and 08:00), with the user able to delay the scan by at most one week.
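As an added illustration (not Check Point's code or configuration schema) of the two scan schedules discussed on this page, the following Python models the standard policy (a monthly scan, with user postponement capped at 30 days from the last successful scan) beside the recommended one (a daily scan at a random time between 00:00 and 08:00, postponement capped at one week). The policy encoding, the fixed 02:00 start assumed for the standard schedule, and the interpretation that the cap is always measured from the last successful scan rather than from the scheduled time are assumptions:

```python
import random
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class ScanPolicy:
    interval_days: int        # days between scheduled scans
    window_start: time        # earliest randomized start time
    window_end: time          # latest randomized start time (equal to start = fixed time)
    max_postpone_days: int    # cap on deferral, measured from the last successful scan


# Assumed encodings of the two policies discussed on the page; 02:00 for the standard
# schedule is an assumption (the page gives no fixed time for it).
STANDARD = ScanPolicy(interval_days=30, window_start=time(2, 0), window_end=time(2, 0), max_postpone_days=30)
RECOMMENDED = ScanPolicy(interval_days=1, window_start=time(0, 0), window_end=time(8, 0), max_postpone_days=7)


def next_scan(last_run: datetime, policy: ScanPolicy, rng: random.Random) -> datetime:
    """Schedule the next scan interval_days after the last one, at a random time in the window."""
    day = (last_run + timedelta(days=policy.interval_days)).date()
    start = datetime.combine(day, policy.window_start)
    end = datetime.combine(day, policy.window_end)
    offset = rng.randint(0, int((end - start).total_seconds()))
    return start + timedelta(seconds=offset)


def request_postpone(last_success: datetime, scheduled: datetime, delay: timedelta, policy: ScanPolicy):
    """Decide on a user's request to delay a scheduled scan.

    Returns (granted, effective_time). The deferral is granted only while the resulting
    scan time stays within max_postpone_days of the last successful scan; otherwise the
    request is refused and the scan stays at its scheduled time.
    """
    deadline = last_success + timedelta(days=policy.max_postpone_days)
    proposed = scheduled + delay
    if proposed <= deadline:
        return True, proposed
    return False, scheduled


if __name__ == "__main__":
    rng = random.Random(1)
    last = datetime(2024, 3, 1, 3, 0)
    due = next_scan(last, RECOMMENDED, rng)
    print("next recommended scan:", due)
    print("postpone 3 days:", request_postpone(last, due, timedelta(days=3), RECOMMENDED))
    print("postpone 7 days:", request_postpone(last, due, timedelta(days=7), RECOMMENDED))
```

The failure mode worth noticing is the last call: a one-week delay requested against a scan that is itself already a day past the last successful run pushes the scan beyond the cap, so it is refused rather than silently extended.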

Anti-Exploit

A significant drawback of the standard Threat Prevention policy is that the Anti-Exploit blade is disabled. It is recommended to enable this blade with the Prevent action to protect the workstation from exploit-based attacks. With this fix, the CheckMe retest completes successfully, with no vulnerabilities detected on the user's production machine.

Conclusion

Let's summarize: in this article we got acquainted with the components of the standard Threat Prevention policy, tested this policy using various methods and tools, and described recommendations for improving the settings of the standard policy to raise the security level of the user machine.
In the next article in the series, we will move on to the Data Protection policy and look at the Global Policy Settings. A large selection of materials on Check Point is available from TS Solution. In order not to miss the next publications on the SandBlast Agent Management Platform, follow the updates on our social networks (Telegram, Facebook, TS Solution Blog, Yandex.Zen).
