Samsung Research America uses Check Point to secure their Mobile Devices.

Check Point recently deployed its Mobile Threat Prevention on Samsung’s mobile devices. The challenge was to completely secure the mobile environment. As at every company, Samsung employees increasingly work on smartphones, tablets, and their own devices.

“Mobile devices don’t operate behind a security infrastructure like corporate PCs, laptops, and servers do…” “Mobile devices are out in the wild, creating potential security issues and enabling malware to enter the Samsung network. There’s no mobile firewall to prevent cyber threats from getting in through emails and apps.” - Steven Lentz, CISSP, CIPP/US, Director Information Security at Samsung Research America

“Check Point had more up-to-date information and automated delivery of the latest malware-related intelligence,” said Lentz. “Check Point Mobile Threat Prevention offers the closest thing to zero-day detection on mobile devices. I like it when a product does what it is supposed to do—and more. Check Point did exactly that.” Check Point Mobile Threat Prevention also integrated seamlessly with AirWatch by VMWare MDM and SIEM platforms. Samsung now has comprehensive visibility into mobile threats and automated enterprise-wide security policy enforcement.

See the testimonial:
Read the full article:

“Check Point Mobile Threat Prevention is the best
zero-day malware protection possible for mobile
devices. There’s nothing else out there with
multiple layers of protection. Our IP is secure,
and that’s peace of mind.”
Steven Lentz, CISSP, CIPP/US
Director Information Security at Samsung Research America

How Forensics is Better Than Detection

A friend and colleague of mine, Elijah Bagdonas, recently sent me an awesome explanation of Check Point’s Forensics software. This software is a must-have for any enterprise today. I wanted to share his writing with you.

In the world of anti-malware most people are satisfied with good detection capabilities. But when we really stop to think about what detection gives us, it’s rather disappointing. It’s little more than a big red flashing light that says “ALERT: SOMETHING HAPPENED!” The question then becomes, what is that something that happened and what should I do about it? Here’s where the headache begins.

In most cases of virus detection the administrator has three realistic options:

  • Rely on Anti-Malware quarantine to clean up the mess
  • Re-Image the computer
  • Traditional forensic analysis

In the case of Anti-Malware quarantine we first have to “know” about the malware. We must be able to identify a signature or behavior and be able to stop the infection before it starts. Sometimes malware can occur in a series of processes and we are only able to detect the last element in the chain. If we eliminate the known elements, the unknown elements can propagate again, putting us into an infection loop. We also can’t identify the damage done during the infection. Even though we detect the malware, it may have already accomplished its goal and we have no way of knowing.

Our second option has its own set of headaches. Re-imaging a computer is often the easy way out but it can be of great inconvenience to the user-base. This invasive process can often leave you with lost data and disruptive downtime to the end user resulting in lost productivity. This will also not protect you from future attacks of the same malware.

The final approach is traditional analysis of the machine to see what happened and how it can be reversed. Having this kind of skill with the advanced malware we see today is very scarce and requires specialized training. Traditional analysis is also very time consuming and costly to perform and with advanced malware, it can often clean up its own tracks before you get a chance to discover it.

There’s a better way

With the introduction of Check Point’s Endpoint Forensics we now have a way to see the whole picture. By keeping tabs on any and all changes that occur on the system, we can develop a comprehensive image of EXACTLY what happened when the infection hit in an easy to digest roadmap.

In this example, the oem7ec2.exe process triggered a malware event. Since we’ve been keeping tabs on the changes, we can backtrack and find out exactly what happened (even across system boots). Let’s look at the steps that brought us to this point.

  • Chrome process launched
  • Chrome exploit is used while browsing to launch handle.tmp process
  • The .tmp process schedules a shellcode download to occur on next boot
  • The .exe payload is downloaded and run on startup
  • Malicious code runs and sends personal data to C&C center

Since we know the whole story and all of the processes involved, we can also see that companysecret.doc was sent outbound resulting in a loss of data.

With this roadmap, not only do we have the complete picture of the steps involved, but a means to clean it up. Knowing all the steps means we can dynamically generate a script to clean up the mess that was left behind for easy remediation.
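The walk-back Elijah describes, as an added example that is neither Check Point’s code nor his: a POSIX shell script over a constructed event log (process starts, a scheduled task, a network send, the alert) that follows parent links from the alerting process back to the browser across the reboot, reports what the chain sent out, and derives a remediation plan from the same records. The event lines, the file names (after those in the post), and the address 203.0.113.10 are all constructed.

```shell
#!/bin/sh
# Added example, not Check Point Forensics output or code. The event log below
# is constructed to match the chain described in the post; boot numbers mark
# the reboot between the scheduled download and the payload running.
# Fields: boot,seq,event,actor,target,detail
EVENTS='1,10,process_start,explorer.exe,chrome.exe,user opened browser
1,11,process_start,chrome.exe,handle.tmp,browser exploit dropped a file
1,12,schedule_task,handle.tmp,oem7ec2.exe,download and run at next boot
2,20,process_start,taskhost.exe,oem7ec2.exe,scheduled task fired
2,21,network_send,oem7ec2.exe,203.0.113.10:443,companysecret.doc
2,22,malware_alert,oem7ec2.exe,,signature matched'

# Ancestry of the alerting process, root first, one name per line. The first
# recorded link for a process wins, so the schedule_task link made in boot 1
# beats the task scheduler launching it in boot 2: that is what carries the
# trace across the reboot.
trace_chain() {
    printf '%s\n' "$EVENTS" | awk -F, -v start="$1" '
        ($3 == "process_start" || $3 == "schedule_task") && !($5 in parent) { parent[$5] = $4 }
        END {
            n = 0; p = start
            while (p != "" && n < 32) { chain[n++] = p; p = parent[p] }
            for (i = n - 1; i >= 0; i--) print chain[i]
        }'
}

# The roadmap on one line: explorer.exe -> chrome.exe -> handle.tmp -> oem7ec2.exe
roadmap() { trace_chain "$1" | awk '{ s = s (NR > 1 ? " -> " : "") $0 } END { print s }'; }

# Data the chain sent out, so the loss is part of the same story as the infection.
exfil_report() {
    printf '%s\n' "$EVENTS" | awk -F, -v chain="$(trace_chain "$1")" '
        BEGIN { n = split(chain, c, "\n"); for (i = 1; i <= n; i++) member[c[i]] = 1 }
        $3 == "network_send" && ($4 in member) { print $6 " sent to " $5 " by " $4 }'
}

# Remediation plan derived from the chain: everything that appears after the
# exploited entry process ($2) is an artifact to quarantine, and any scheduled
# task a chain member created is removed so the infection cannot restart at boot.
cleanup_plan() {
    printf '%s\n' "$EVENTS" | awk -F, -v chain="$(trace_chain "$1")" -v entry="$2" '
        BEGIN {
            n = split(chain, c, "\n"); after = 0
            for (i = 1; i <= n; i++) { member[c[i]] = 1; if (after) artifact[c[i]] = 1; if (c[i] == entry) after = 1 }
        }
        $3 == "schedule_task" && ($4 in member) { print "remove scheduled task launching " $5 }
        END { for (i = 1; i <= n; i++) if (c[i] in artifact) print "quarantine " c[i] }'
}

roadmap oem7ec2.exe
exfil_report oem7ec2.exe
cleanup_plan oem7ec2.exe chrome.exe
```

The "first link wins" rule in trace_chain is the whole trick: a real sensor records both the scheduling of the payload and its later launch by the task scheduler, and only the earlier causal link leads back to the browser.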

Armed with knowledge of everything involved it’s easy to see why Endpoint Forensics is clearly better than detection.

US-CERT to Windows Users: Apple Ends Support for QuickTime for Windows

I wanted to share this with everyone as this is something that is very important for folks to do. Brian Krebs recently reported that Microsoft is saying to remove Apple QuickTime for security concerns. Krebs writes:

“Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT).

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”

See the post from Apple “QuickTime 7 for Windows is no longer supported by Apple”


Thanks to Brian Krebs at Krebs on Security for alerting us to this.

Security Policy Management Made Easy

Check Point’s security management architecture (SMART) has always been the best in the market. Upon release of the new R80 security management the best got even better.

In earlier versions you had to install the SmartConsole applications (SmartDashboard) in order to manage security policies. This is a tool which enables centralized management of different products and versions. However, it always required that you install the application on a computer which was defined as a GUI client in the security management server. It was also possible to manage policies using the command line tool DBEDIT, but that is quite a complicated tool and could not be recommended for normal policy manipulation. It was usually used in migrations and other more complex activities. Also, only one administrator at a time could be connected to the security management server in write mode.

All the above mentioned limitations are gone in R80. It contains a lot of new features and even more to come in future versions. However, in this post I focus on different ways to manipulate security policies.

  1. Unified SmartConsole
    This is the traditional way of creating rules. What is awesome is that you can do everything from the same console. SmartView Tracker is gone as a log viewer and replaced by SmartLog which is shown in the same SmartConsole window.
  2. SmartConsole CLI
    This is a command line interface that can be opened directly from the SmartConsole. By giving simple commands like “add host…” you can create objects and policies. It’s also possible to put the commands into a file and upload that file to the CLI, which then executes all of them. Think about the case where you need to quickly spin up several security policies or create 5000 objects. All you need to do is create a command file and run it. OK, OK… this has been possible with DBEDIT as well in earlier versions, but let’s have a quick look at why the new way is better. In the following example we create the same network object with DBEDIT and with the R80 CLI (I omit the login and update/publish commands as they are only done once for all commands):


    DBEDIT
    create network Net_10.10.57.0
    modify network_objects Net_10.10.57.0 ipaddr
    modify network_objects Net_10.10.57.0 netmask
    R80 CLI
    mgmt_cli add network name Net_10.10.57.0 subnet mask-length 24 -s id.txt
    Instead of three commands in DBEDIT, with R80 you give only one. As I said, this is a slightly simplified comparison because the login and publish steps are missing, but I’m sure you get the point.
  3. Gaia CLI
    From the Gaia command line you can log in to the management console (see the example below). The Gaia management console is similar to the one in SmartConsole. Each command starts with the keyword “mgmt”, like “mgmt add host…”.

    R80Mgmt> mgmt login user admin
    Enter password:
    R80Mgmt> mgmt show networks
    - uid: "0baad4de-7221-4578-b2b9-c3b78a759124"
    name: "CP_default_Office_Mode_addresses_pool"
    type: "network"
    name: "SMC User"
  4. mgmt_cli
    This small tool is available on all R80 management servers and SmartConsole installations and allows you to access the management server from any Linux or Windows machine (on Windows the tool is called mgmt_cli.exe). You don’t have to install SmartConsole on that computer; it’s enough to copy the mgmt_cli tool (it doesn’t require any installation) from an existing installation to the computer you want to use for accessing the management server. The only thing you need to do is enable the API in the Management API Settings of the R80 SmartConsole.
    The only difference between mgmt_cli and the SmartConsole or Gaia CLI is that authentication has to be carried out every time. When you log into SmartConsole you give the user name and password once, but with mgmt_cli you either need to give this information with every command or run a login command that creates a session for you. See the example below.
    The following is an example mgmt_cli session which logs into the system creating a session (the same session id is then used for every command), creates some host and network objects and a policy package with one rule (the cleanup rule is there by default, but without logging; this example enables logging for the cleanup rule as well). Finally the configuration changes are published, making them available to other admins, and the session is ended with the logout command.

    mgmt_cli login user admin password vpn123 -m > id.txt
    mgmt_cli add host name h_12 ip-address -s id.txt
    mgmt_cli add host name h_13 ip-address -s id.txt
    mgmt_cli add host name h_14 ip-address -s id.txt
    mgmt_cli add host name h_15 ip-address -s id.txt
    mgmt_cli add host name h_16 ip-address -s id.txt
    mgmt_cli add host name h_17 ip-address -s id.txt
    mgmt_cli add host name h_18 ip-address -s id.txt
    mgmt_cli add host name h_19 ip-address -s id.txt
    mgmt_cli add host name h_20 ip-address -s id.txt
    mgmt_cli add network name n_test_net1 subnet mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net2 subnet mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net3 subnet mask-length 24 -s id.txt
    mgmt_cli add package access True threat-prevention True name Policy_Lari -s id.txt
    mgmt_cli set access-rule layer "Policy_Lari Network" name "Cleanup rule" track "Log" -s id.txt
    mgmt_cli add access-rule layer "Policy_Lari Network" position 1 name "Test Rule" source n_test_net1 destination h_12 service "ssh" action "Accept" track "Full Log" -s id.txt
    mgmt_cli publish -s id.txt
    mgmt_cli logout -s id.txt

  5. Web Services
    You can create your own web app that simply uses HTTPS POST to manipulate your security policies. This way you can integrate security management with almost any web-based ticketing system or similar. For more detailed information about the web services and usage examples, visit the developers forum on R80 Exchange Point.
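The command-file approach from items 2 and 4 and the HTTPS path from item 5, as one added example that is not code from the post or from Check Point: a POSIX shell script that generates an mgmt_cli command file from a small inventory list, validates the addresses before anything reaches the management server, replays the file inside one session (publish on success, discard on failure), and then shows the same add-host/publish/logout sequence as web API calls with curl. The inventory entries and object names are constructed; MGMT_HOST, MGMT_USER, MGMT_PASS and MGMT_CA are assumed environment variables; the web API shape (POST to /web_api/<command>, session id in the X-chkp-sid header) is that of the R80 management API.

```shell
#!/bin/sh
# Added example, not from the post. (a) builds and replays an mgmt_cli command
# file, (b) does the same object creation over the web API. MGMT_HOST,
# MGMT_USER, MGMT_PASS and MGMT_CA (the management server's CA certificate)
# are assumed to be set in the environment when the script runs for real.

# Constructed inventory: kind,name,address[,mask-length]
INVENTORY='host,h_12,10.10.57.12
host,h_13,10.10.57.13
network,n_test_net1,10.10.57.0,24
network,n_test_net2,10.10.58.0,24'

# A typo in the inventory should fail here, not as a half-applied policy change.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# (a) One mgmt_cli line per object; every line carries "-s id.txt" so the
# whole file replays inside the session opened by "mgmt_cli login".
gen_batch() {
    while IFS=, read -r kind name addr mask; do
        valid_ipv4 "$addr" || { echo "bad address for $name: $addr" >&2; return 1; }
        case "$kind" in
            host)    echo "mgmt_cli add host name $name ip-address $addr -s id.txt" ;;
            network) echo "mgmt_cli add network name $name subnet $addr mask-length ${mask:-24} -s id.txt" ;;
            *)       echo "unknown object kind: $kind" >&2; return 1 ;;
        esac
    done <<EOF
$INVENTORY
EOF
}

# Log in once, replay the file, publish on success or discard on failure, log out.
# Only acts where mgmt_cli is on PATH (R80 management servers, SmartConsole installs).
run_batch() {
    command -v mgmt_cli >/dev/null 2>&1 || { echo "mgmt_cli not found; batch left in $1" >&2; return 2; }
    mgmt_cli login user "$MGMT_USER" password "$MGMT_PASS" -m "$MGMT_HOST" > id.txt || return 1
    if sh -e "$1"; then
        mgmt_cli publish -s id.txt
    else
        mgmt_cli discard -s id.txt
    fi
    mgmt_cli logout -s id.txt
}

# (b) The web API: POST JSON to https://<mgmt>/web_api/<command>; after login
# the session id travels in the X-chkp-sid header instead of "-s id.txt".
api_post() {   # api_post <command> <json-body> [sid]
    if [ -n "$3" ]; then set -- "$1" "$2" -H "X-chkp-sid: $3"; else set -- "$1" "$2"; fi
    cmd="$1"; body="$2"; shift 2
    curl -sS --cacert "${MGMT_CA:-mgmt-ca.pem}" -H 'Content-Type: application/json' \
         "$@" -d "$body" "https://$MGMT_HOST/web_api/$cmd"
}
json_sid() { sed -n 's/.*"sid" *: *"\([^"]*\)".*/\1/p'; }
add_host_json() { printf '{"name":"%s","ip-address":"%s"}' "$1" "$2"; }

api_demo() {
    sid=$(api_post login "$(printf '{"user":"%s","password":"%s"}' "$MGMT_USER" "$MGMT_PASS")" | json_sid)
    [ -n "$sid" ] || { echo "web API login failed" >&2; return 1; }
    api_post add-host "$(add_host_json h_21 10.10.57.21)" "$sid" &&
    api_post publish '{}' "$sid"
    api_post logout '{}' "$sid"
}

BATCH=${TMPDIR:-/tmp}/objects.batch
gen_batch > "$BATCH" && echo "wrote $(wc -l < "$BATCH" | tr -d ' ') commands to $BATCH"
run_batch "$BATCH"
[ -n "$MGMT_HOST" ] && api_demo
```

Without mgmt_cli on PATH or MGMT_HOST set, the script only writes the command file, so the generated batch can be reviewed before it is replayed against a management server; mgmt_cli discard drops the session’s unpublished changes when a line in the file fails.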

Adobe Critical Vulnerability and Patch

Brian Krebs wrote an article at Krebs on Security about Adobe. Seems they had to rush an emergency patch out because the security hole was already being exploited in active attacks.

Adobe said a “critical” bug exists in all versions of Flash including Flash versions and lower (older) across a broad range of systems, including Windows, Mac, Linux and Chrome OS.

Check Out the full article here at:


MDM for iPhone/iPad – You are at Risk!

Check Point disclosed details about SideStepper, a vulnerability that can be used to install malicious enterprise apps on iPhone and iPad devices enrolled with a mobile device management (MDM) solution. The Check Point mobile research team presented details about this vulnerability at Black Hat Asia 2016 in Singapore on April 1, 2016. The vulnerability impacts millions of iPhone or iPad devices enrolled with an MDM solution.

Read about it here:



How to update CPUSE from the command line.

My friend and fellow SE William Garner had a condition where he needed to do a CPUSE update from the command line, which he did, and he wrote up a procedure on how to do it. By luck of the draw I ran into a situation where CPUSE needed to be updated as well. So I thought I would post this simple and effective procedure on how to do it.

Important to Note: If you are updating from build 839 or above, continue with the steps below; if not, refer to sk106696.

Download the package from sk92449 (Section 3-A).

Transfer the package to the machine, into the /some_path_to_updated_DA/ directory.

Unpack the package:

[Expert@HostName]# cd /some_path_to_updated_DA/
[Expert@HostName]# tar -zxvf DeploymentAgent_<build>.tgz

Install the Deployment Agent RPM (the currently running Deployment Agent will be stopped automatically):

[Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm

Start the Deployment Agent:

[Expert@HostName]# $DADIR/bin/dastart
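The same procedure as an added script (not William Garner’s write-up) that enforces the build-839 gate from the note, verifies the package and the RPM it unpacks before touching the running Deployment Agent, and can be dry-run to show the rpm and dastart steps it would execute. The current build number is supplied by the caller, $DADIR is the Gaia variable used above, and the package name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original write-up. Usage (as Expert):
#   update_da <current-DA-build> /some_path_to_updated_DA DeploymentAgent_<build>.tgz
# Set DA_DRY_RUN=1 to print the rpm and dastart steps instead of running them.

DA_MIN_BUILD=839   # below this the note says to follow sk106696 instead

# True when the current build is numeric and at least DA_MIN_BUILD.
da_build_supported() { [ "$1" -ge "$DA_MIN_BUILD" ] 2>/dev/null; }

# Run a step, or only echo it when DA_DRY_RUN is set.
run() { if [ -n "$DA_DRY_RUN" ]; then echo "+ $*"; else "$@"; fi; }

update_da() {
    cur="$1"; dir="$2"; pkg="$3"
    da_build_supported "$cur" || { echo "current build '$cur' is not >= $DA_MIN_BUILD: use sk106696" >&2; return 2; }
    [ -f "$dir/$pkg" ] || { echo "package $dir/$pkg not found" >&2; return 1; }
    # Unpack next to the package; this step is harmless, so it is never dry-run.
    tar -zxvf "$dir/$pkg" -C "$dir" || return 1
    rpm="$dir/CPda-00-00.i386.rpm"
    [ -f "$rpm" ] || { echo "no $rpm after unpacking; wrong package?" >&2; return 1; }
    # Install; rpm stops the running Deployment Agent by itself.
    run rpm -Uhv --force "$rpm" || return 1
    # Start the new agent.
    run "$DADIR/bin/dastart"
}

[ $# -eq 3 ] && update_da "$@"
```

Run it once with DA_DRY_RUN=1 to confirm the package unpacks and the two privileged steps look right, then again without it.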


How to know what Jumbo Hotfix is installed on your Check Point device

I have been asked “how do you see what Jumbo HF you are currently on?” There is a simple command you can run from your device to tell you. If you are running R77 with at least Take 38, do this:

Short answer:
As Expert type: installed_jumbo_take -n

This should return with a simple number like 128. That means you are on Jumbo Hotfix accumulator 128.
If no argument is specified (the -n above), then the command will print: “RXX.XX Jumbo Hotfix Accumulator take_N is installed, see skXXXXX”.

Long Answer:
For Take 38 and above

The same command applies whether the Jumbo was installed using Gaia CPUSE or the Legacy CLI.

[Expert@HostName:0]# installed_jumbo_take [-n | -h]

If no argument is specified, then the command will print: “RXX.XX Jumbo Hotfix Accumulator take_N is installed, see skXXXXX”.
If “-n” argument is specified, then the command will print only the number of the Take (value “0” means that a reference to the Jumbo Hotfix Accumulator was not found in Check Point registry).
If “-h” argument is specified, then the command will print the usage help.

On VSX Gateway, this command must be run from the context of VS0 (run “vsenv” command).

For Take 37 and lower

If Jumbo Hotfix Accumulator was installed using Gaia CPUSE:

[Expert@HostName]# $CPDIR/bin/cpprod_util CPPROD_GetValue "CPUpdates/6.0/BUNDLE_GULLI_HF_BASE_008" SU_Build_Take 0

If Jumbo Hotfix Accumulator was installed using Legacy CLI:

[Expert@HostName]# $CPDIR/bin/cpprod_util CPPROD_GetValue "Check Point Mini Suite/setup/GULLI_HF_BASE_008" Take 0
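An added helper (not from the post or the sk) that folds the three commands above into one answer: it uses installed_jumbo_take -n where that command exists (Take 38 and above) and otherwise reads both registry locations with cpprod_util, treating 0 as “not found” as described above. The sample sentence with skXXXXX is constructed, and $CPDIR is the Gaia variable used above.

```shell
#!/bin/sh
# Added helper, not from the post or the sk. Prints the installed Jumbo take
# number, or 0 when no Jumbo is recorded, for both Take 38+ and Take 37-and-
# lower gateways. On VSX run it from the VS0 context (vsenv), as the post notes.

# Extract the number from the sentence installed_jumbo_take prints without -n,
# e.g. "R77.30 Jumbo Hotfix Accumulator take_128 is installed, see skXXXXX" -> 128
take_from_sentence() { printf '%s\n' "$1" | sed -n 's/.*take_\([0-9][0-9]*\) is installed.*/\1/p'; }

# Take 37 and lower keep the number in the Check Point registry, under a
# different key for each install method; 0 (or no output) means not found.
registry_take() {
    cpuse=$("$CPDIR/bin/cpprod_util" CPPROD_GetValue "CPUpdates/6.0/BUNDLE_GULLI_HF_BASE_008" SU_Build_Take 0 2>/dev/null)
    legacy=$("$CPDIR/bin/cpprod_util" CPPROD_GetValue "Check Point Mini Suite/setup/GULLI_HF_BASE_008" Take 0 2>/dev/null)
    for t in "$cpuse" "$legacy"; do
        case "$t" in ''|0) ;; *) echo "$t"; return 0 ;; esac
    done
    echo 0
}

jumbo_take() {
    if command -v installed_jumbo_take >/dev/null 2>&1; then
        installed_jumbo_take -n        # Take 38 and above: one command, one number
    else
        registry_take                  # older takes: fall back to the registry
    fi
}

echo "Jumbo Hotfix Accumulator take: $(jumbo_take)"
```

The fallback prints whichever registry key is non-zero, so the same script gives a usable answer on a box regardless of whether the Jumbo went on through CPUSE or the Legacy CLI.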

Security Solid Gateway

Once again Check Point shows why they are a leader in the security space. It isn’t the flashy marketing, the catch phrases, the taglines, or the cool-looking media. It is about whether or not your business is secured. That is ultimately why you buy a security product, correct? We don’t buy a car without a test drive first, so why would this be any different?

A friend of mine recently ran a Nessus scan and found this information on the Check Point R80 code on GAIA. This is what he wrote:

“So now that R80 Gaia is GA, on a whim I cranked up a custom Nessus scan in what I affectionately refer to as “Maximum Hostility” mode. The goal is not just to see what is reported but what impact it has on the target (crashing processes, memory leaks, runaway logs, DoS, etc). Gaia R80 passed with flying colors…

After running these nasty high-speed scans a couple of times I saw no restarted processes, memory increasing/leaking, no core dumps (I enabled them), nor excessive logging of the utter blasting that Nessus gave Gaia R80 on my quad-core i7 in VMWare.”

So what is the bottom line here? You need a product that goes beyond the sales and marketing hype, something that actually secures your environment. Why would you care about all this? “I have a security product, so what?” you ask. Because you want to be able to go home at the end of the day or week and enjoy your life, and not be sitting on conference lines into the early a.m. or on the weekend dealing with security issues at your place of business. That is why.

“the best problems to solve are ones that affect you personally” – Paul Graham.