Check Point Introduces New CPU-Level Threat Prevention

An anonymous reader writes: After buying Israeli startup company Hyperwise earlier this year, Check Point Software Technologies (Nasdaq: CHKP) now unveils its newest solution for defeating malware. Their new offering called SandBlast includes CPU-Level Threat Emulation that was developed in Hyperwise which is able to defeat exploits faster and more accurately than any other solution by leveraging CPU deubgging instruction set in Intel Haswell, unlike known anti-exploitation solutions like kBouncer or ROPecker which use older instruction sets and are therefore bypassable. SandBlast also features Threat Extraction — the ability to extract susceptible parts from incoming documents.

It seems to work, too

[dreamchaser]

I do a lot of Check Point engineering/consulting services and this is one of the more exciting things they've done in awhile. Even though they didn't actually develop it they've done a good job integrating into their firewall suite. It is not a panacea; nothing in security is, but it is good stuff.

Re:

[Monoman]

I would rather they buy out a company that has good tech support and services. We have been a CP customer for over a decade and their stuff is great until things go wrong. Dealing with their support/services can be a nightmare at times.

Re:

[dreamchaser]

Oh I agree. I rarely have to call the TAC but it can be a struggle. That's why a lot of our clients use our support services. I don't work our support desk, I do design/pre-sales/installation/consulting, but the guys who take calls are really good. They rarely have to escalate to the TAC unless it's a bug.

Re:

[Anonymous Coward]

Take all of this with a grain of salt as I'm an outsider who has never worked for them. This might not be the case with all of their offices. Buuuut....

To souce talent, Check Point uses some of the lowest quality recruiters I've had the, erm, "pleasure" of meeting. You know, the kind of agencies that hire ex-retail workers with a year of total working experience to screen serious IT folk.

Entry level people are often paid well under $20 per hour for networking-related labour, while "free lunches" (aka never

Excited about what deubging Instructions are

[Billly Gates]

I never heard of deubging before and can't seem to find a Wikipedia article on it?

However, what is stop malware from using this to avoid detection at the cpu level where there is no footprint. It could be used to disable AV endpoint software as well.

Re:Excited about what deubging Instructions are

[AmiMoJo]

Those instructions are privileged. If normal software tries to execute them it will simply crash (remember those privileged instruction errors when running old software on Windows 95, Mr. Gates?)

To execute these instructions the code needs to ask the OS to run it at the highest privilege level, normally reserved for the core OS and certain drivers that need to do some tricky hardware stuff. If a virus can get to that level you are screwed anyway.

Re:

[OhSoLaMeow]

Sandboxing

That's gotta be even more boring to watch than golf.

Article or press release?

[Quinn_Inuit]

Is the anonymous reader just quoting a press release? It doesn't seem like there's much analysis or original thought in this "story."

Re:

[cdrudge]

It doesn't seem like there's much analysis or original thought in this "story."

I thought almost every /. post was just the first paragraph of the article. There's summaries that aren't just copy/paste jobs?

Re:

[bonfirer]

It doesn't seem like there's much analysis or original thought in this "story."

I thought almost every /. post was just the first paragraph of the article. There's summaries that aren't just copy/paste jobs?

Right. PLUS- I haven't seen a comparison to other anti-exploitation methods in any of their PR

Re:

[Quinn_Inuit]

A fair point. I guess I'm used to it copying the first few paragraphs of an article about the topic, so there's at least some analysis involved. For instance, I thought these two articles from yesterday were much more helpful than a press release-type article like the one in the OP:
http://tech.slashdot.org/story... [slashdot.org]
http://developers.slashdot.org... [slashdot.org]

Re:

[coofercat]

It's very informative that they thought to put Checkpoints trading symbol in the advert^H^H^H^H^H article though, now I know where to invest my money - that's the kind of information I come to slashdot to find.

Re:

[sociocapitalist]

Is the anonymous reader just quoting a press release? It doesn't seem like there's much analysis or original thought in this "story."

I couldn't even get through the summary without choking on the Checkpoint marketing bullshit.

This might be a good product - might not. What I'm sure of is that it won't fix the underlying problems with the layers of ancient code that they're going to stack it on top of.

Interesting

[Tough Love]

Interesting. It should up the game for threat prevention, however it is a practical certainty that the black hats will learn from this technique in order to develop new and nastier exploits. If they have not already.

White list or you're jerking off

[Karmashock]

You have a white list of acceptable code and instructions and those are the only ones permitted...

Or you're basically daring the hackers that you're smarter than they are and you have thought of and dealt with any conceivable exploit they could think of or find.

And guess what... you are not smarter than they are... individually man for man... maybe... collectively? Not even remotely.

And it gets better because not only are you not smarter than them but you're also not aware of every exploit they're going to use.

Which means your blacklisting of naughty bits of code will accomplish fuck all.

You stop this by WHITE LISTing good code and good instructions. And yes yes... the thing that makes some things good or bad is the context... but that is implicit in the concept of white listing isn't it, chum? So there you go.

You white list.

Now is the home user douchebag going to white list properly? of fucking course not. Fuck him. He's on his fucking own. Sell him some of your blacklist snake oil. But for the SECURE environments... I'm talking about corporate and government systems that you don't want to be a giant fucking shit show... You whitelist or go fuck yourself.

Its that simple.

No no... White list... or:
https://www.youtube.com/watch?... [youtube.com]

Re:

[Anonymous Coward]

Dangerous comments - you're going to invoke APK talking like that!

Re:

[Karmashock]

I hold the distinction so far as I know of being the only person on this site that has gotten along well with APK... to give you some idea of how crazy you probably think I am.

He's an interesting guy and unlike most of his detractors he's actually built something that actually works and he actually knows "something". He's abrasive, largely indifferent to the opinions of people he sees as knowing less than him, and some what robotic in his communication style.

That said... I empathize with that entire persona

Re:

[KGIII]

Nah, you're not the only one who gets along with him. I get along with him and I don't even usually use a host file - however, I articulated my reasoning and know the consequences of my actions and make that choice based on security versus convenience. He might be a bit abrasive but I have a handy wheel on my mouse and don't actually care to silence anybody. Also, he knows some surprisingly esoteric stuff. I approached him much like you did. I enjoy poking the strange things - that's how you learn stuff. He

Re:

[Karmashock]

Its good to know I'm not alone in this respect. Its always distressing for me to see people ragging on the guy when most of the people doing it are f'ing useless fuckwits.

If there's anything I decry in the modern era it is that the playing field has been leveled not just between the haves and have nots but also between the competent and incompetent.

APK is a man on a mission... and he's actually built something pretty cool. To get dog piled by witless nothings is an indignity.

Re:

[KGIII]

Who among us is not abrasive when we know we're right? I'd not take his approach but that's probable because I'm a bit lazy and don't tend to care that much. I've noticed that his comments don't get repeated if nobody mods them down - he seems to repeat them because they are no longer visible by default.

Re:

[Karmashock]

It doesn't matter. I only get harassed by a couple AC trolls... I recognized one of them... and I've decided to call him "bingo the clowno"... :)

Oh and communists don't like me because whenever their failed ideology comes up I take some joy is rubbing their stupid faces in it.

Besides that... I generally get along with everyone.

APK, have you thought of making an application of your DNS hostfile thing ON a Raspberry pi? Like actually package it as an appliance image?

Because the Pi has more than enough brain p

Re:

[Karmashock]

their are many companies that offer white listing solutions...

Here was one I found with a single google search:
http://www.kaspersky.com/partn... [kaspersky.com]

I also liked the barrage of toothless AC peasants cackling below you attempting to tag me with rotten produce.

The white listing system works and has worked for many years and there are many applications of it that are known to work quite well.

They're paradoxically easier to set up than blacklisting systems because they're a great deal more simple. All you do is make

Re:

[Karmashock]

Its like talking to some moron that thinks his imaginary friends are supporting evidence.

Shall I click "post anonymously" here to make it look like I'm a third party when really I'm just agreeing with myself?

You're fooling no one but yourself with this pathetic display.

Re:

[drinkypoo]

You're arguing with APK, right? It seems like his "No, this isn't APK, you can tell because I didn't mention hosts files in this comment" style. Don't do that. It's a waste of time. He doesn't even write funny responses. HTH, HAND.

Re:

[Karmashock]

I get along with APK just fine. I've had a few discussions with him. I like him. :-D

Unlike most of the people that diss him he actually knows something, has accomplished something, and has one of the few novel perspectives on stuff.

Does he go on and on about his host file thing? Yeah. The man is advertising to a certain extent. he hears all these problems and he's like "my program solves this" and everyone is like "fuck you you're stupid!"... think about how that would make you feel.

As I said, I get along w

Re:

[Karmashock]

On the issue of hostfiles I like the concept of security through DNS because it eliminates a huge number of threat vectors very cheaply and is very hard to bypass.

The virus would have to have to have its own DNS query system which would increase the complexity, code size, and detection surface of the malware.

I think DNS filtration should be a bigger aspect of firewall operation. Obviously a proper firewall has to expand that to IP filtration.

I'd like to see two way filtration based on DNS name where in if t

Re:

[Karmashock]

As to electricity, I'm talking about a Pi to do it which would gobble 5 watts of juice.

Oh well, I don't know what you do professionally but if you came up with an appliance application of your software that could be integrated into a network... It would be worth yacht money.

As to OpenDNS... I've had some problems with their DNS lists.

But again, the concept here that would be GOLDEN would be a recursive white/black list that associated Domain and IP address firewall rules in a manner that if you blocked a Do

Re:

[Karmashock]

Sounds like you've earned your rest.

Its nice to find someone else here that agrees that the solution to all this sneaky security shit is to brute force block it.

Its always some new buffer overflow this or memory exploit that. Who can be bothered to keep up with it all. It wasn't a problem in the pre internet age and it is a problem now. So the problem is the access and the need to limit it to what it needs to be rather than anything any person anywhere could possibly want ever. Which is generally how people

Re:

[Karmashock]

On the issue of DNS, so long as the exchange server doesn't use Open DNS but the rest of the network does, I think in your scenario things would have been fine, no?

Re:

[Karmashock]

I'm sure you'll get issues. I'm just saying it is possible to mitigate them if you understand what is causing the problem.

I don't have a problem with an email server having a fairly permissive internet connection. I"m more inclined to restrict the connections of workstations.

That said... obviously the email server needs a heuristic firewall. And I've seen many email servers that are only permitted to connect to specific machines. As in... you cannot send addresses on that server unless you're on a whitelist

Re:

[Karmashock]

Yeah but you're supposed to use nested DNS.

host file > AD > Router linked DNS which can be open DNS.

So you point the workstation at the server as you would normally. Then you point the server at the router or whatever your DNS server is which can have OpenDNS set as its DNS and... no worries.

There are issues and more than what I've cited here but you can deal with it if you're determined.

I like your host file system. I'll fuck around with some scripts to see if I can burn the feature into a server.

Re:

[CODiNE]

And whitelisting blocks ROP?

Re:

[Karmashock]

How are you introducing the malware into the system? Specifically.

Re:

[Karmashock]

you didn't answer my question. How are you introducing the malicious code?

Answer the question please.

Re:

[Karmashock]

... and this was introduced to the computer... HOW?

did someone walk over to the machine and ejaculate it into the USB port? How did it get into the system?

I know what ROP is... I want to understand how you're introducing the infection to the system.

Lets say I have a clean system. Everything is from the factory. I put it together, I install from the DVD.

Okay... how are you infecting me? Lets say I connect this machine to my organziation's firewalled network. So... how are you infecting me. Where is your infe

Re:

[Karmashock]

Yep... I keep hearing about these demon PDF files... poor Adobe. First flash and now PDF.

Two issues with this concept.

1. You're assuming I'm opening the PDF with adobe acrobat. Its a good assumption but it isn't necessarily valid. Lots of programs can open, edit, and write in PDF. I prefer actually to not use acrobat precisely for this reason. I avoid standard programs where convenient. No one cares about acrobat. You change excel or word and people lose their god damned minds. But change acrobat and most p

Re:

[Karmashock]

You're not thinking about this systematically. You're using magical logic and I can't go through the chain of logic when everything looks like a long string of unlinked and unassociated preconceptions. Its just a bunch of givens.

You're saying
X=5
Y=2
R=94

etc

And there's no association or proof or causal chain in it anywhere that I can evaluate.

You say that if the code gets into a program with limited permission on a network with limited access to specific domains on the internet that someone is going to take ov

Re:

[Karmashock]

I made it very clear I wasn't trying to protect the home user.

My context is a secure and managed corporate or government network or data center.

You lower the bar to "that machine that guy over there is masturbating to" and the only way I can protect that system is to walled garden it so hard that it literally would have to have factory writelocked memory.

That's the whole security regime on these tablets and smartphones that everyone likes. So the home users are apparently okay with a big company telling eve

Re:

[Karmashock]

going through your video, the first thing I saw in there was "what happens if someone sends a link to bad executable code to your stupid employees through email?!" ... well, a white listing system would not allow the executable code in the link to do anything. Also the fucking link itself might not even work because depending on the security of the network I might not permit any random computer to talk to your computer.

Why would I let an email client download and execute any random fucking code in an email?

Re:

[Karmashock]

Wrong.

Rhonda does what she's told or else she gets the hose again. You people keep ignoring the point about this being a secure system.

We're not talking about whatever jerk off network for idiots at the mustard factory you're running.

I even cited blocking domains. In secure systems you only permit communication to domains on an explicit basis. You don't let them talk to just fucking anything.

So for example, facebook is blocked. Why would anyone doing their job need to access facebook? I do permit an isolate

Re:

[Karmashock]

Why would I talk to double click? I don't even talk to double click on my personal machine at home? why would I let a protected system talk to doubleclick?

Access denied.

I'm generally a believer in not running code that I don't need to run. That extends to javascript.

I am currently blocking about 5~7 domains from serving javascript on this site alone... right now. And I've seen sites that were trying to push me to run 20+ javascript domains for a single page.

Its dumb.

I run script when it serves a purpose. An

Re:

[Karmashock]

hmmm... I'm still seeing the presupposition that the program in question has the permissions. And you're still forgetting the firewalls.

I mean... fine... you might get by ONE defense by doing something like this but to actually be effective you need to get past them all. And I don't see that happening.

I mean, fine... you get some code into active memory... great... but what permissions does it have? Its going to inherit the permissions of the host program. So you're inheriting the permissions of what? Inter

Re:

[Karmashock]

... sure you could nest a million different things in there that will serially defeat everything but I don't see it working in one shot like that.

My experience with these things is that they contain one or two things in them to break through and then the presumption is that they'll be home free.

If the security is layered and pervasive and customized and contains lots of brute force defenses like write locked files or protocol shifts or nasty firewalls.

I've never even heard of a malware that worked like that

Re:

[Karmashock]

When I find someone has made an error, I tell them not only that they made the error but the nature of the error and help educate them so they learn from the experience.

lets say I'm wrong as a given here... what did I learn or did you teach me simply by saying I was wrong? I don't understand the error you're suggesting I made here. You've given me not only no opportunity to validate your opinion as to whether YOU are right but you've also given me no opportunity to correct my own opinion.

Can you explain my

Re:

[Karmashock]

I do it on a large a very large network, dude.

I do a lot of it with control of DNS servers. If you're talking about blocking doubleclick.. I mean... that's an easy one.

The whitelisting isn't just for programs. Its for web domains as well. We have several different networks but for this discussion you just need to know there is an unlocked Wifi Network for people to facebook on and there is a HEAVILY locked down wired network is which what the machines I actually give a shit about are connected to...

Totally

Re:

[Anonymous Coward]

http://l4hq.org/projects/os/
http://ssrg.nicta.com.au/

Please excuse me for brutally pasting this here:

Past achievements of the SSRG team include:

World's first formal proof of functional correctness of a complete, general-purpose operating-system kernel, plus a proof that the kernel binary is a correct translation of the C implementation;
Formal proofs of isolation properties (integrity and confidentiality) of the seL4; together with the above t

Re:

[Karmashock]

As to PDFs... two things.

1. I try to use non-standard applications for such uses where I can get away with it. Acrobat reader for example is one I generally replace with a third party alternative. Your executable code will assume acrobat and it won't get passed anywhere via that little tweak all by itself.

2. The PDF readers etc have restricted permissions. The code in the file uses the application's own permissions to do things and it doesn't have the permissions to do anything that would threaten me. Is th

Re:

[Karmashock]

As to subscriptions for signed modules... I think an open source list system will work just fine.

As to government hacks getting whitelisted... that's why it has to be open source.

That said, I think you're over estimating the difficulty here. The trick is to control ways code can be introduced into a system, properly identify that something is or is not code, and then run that code by the white list.

The trickiest thing is going to be some dumb hybrid file formats that contain executable code for dubious reas

I'm working on something even better

[JoeyRox]

Electron-level threat protection. It analyzes randomly-moving electrons to decide how best to separate people from their IT budget dollars.

The final straw

[johannesg]

The software Checkpoint makes already prevents any kind of useful work from being done on a machine. Now it takes the logical final step, and just completely stops the CPU from doing anything at all! Our IT department will love it for sure. Anything they can do to slow down actual business processes.

Seriously. We use Checkpoint at work. On a fast machine with an SSD, compiling takes longer than on machines with a normal harddisk...

Re:

[johannesg]

Your solutions are not solutions at all. You are basing everything on a combination of trust, and techniques of dubious real-world value. That's fine for a few very specific domains, but in the real world things like "time to market" also matter.

Whitelisting is bullshit. I should not have to rely on a "trusted" list of applications; I should trust that the OS has containers that stop any damage from being done in the first place. And I don't want to give an application either nothing, or the keys to the kin

Re:

[aberglas]

Yes, but you also demand vast amounts of useless functionality. 100% compatibility with every ill-concieved feature that has ever been added in the past. To be in lock step with the latest fads in UI. And that means huge amounts of code, and huge amounts of complexity.

Which is why your containers will leak like a sieve.

Re:

[Anonymous Coward]

> The software Checkpoint makes already prevents any kind of useful work from being done on a machine.

So it's taking over from MacAfee Home Edition?

An Advert

[Stonefish]

I expect my ads to be off to the side and not the main course on slashdot. What was the price of this post?
+2 for subtlety......... cocks

Re:

[nazsco]

not to mention the fake first post adds to the ad instead of cursing, as usual. can it get more obvious?

Is there an echo in here?

[phonewebcam]

Qualcomm just announced the same [smartphonevirus.com]

Re:

[bonfirer]

Not even closely related let alone "same" ... read both articles again