Check Point Introduces New CPU-Level Threat Prevention
An anonymous reader writes: After buying Israeli startup company Hyperwise earlier this year, Check Point Software Technologies (Nasdaq: CHKP) now unveils its newest solution for defeating malware. Their new offering, called SandBlast, includes CPU-Level Threat Emulation that was developed at Hyperwise, which is able to defeat exploits faster and more accurately than any other solution by leveraging the CPU debugging instruction set in Intel Haswell, unlike known anti-exploitation solutions like kBouncer or ROPecker, which use older instruction sets and are therefore bypassable. SandBlast also features Threat Extraction — the ability to extract susceptible parts from incoming documents.
I do a lot of Check Point engineering/consulting services and this is one of the more exciting things they've done in a while. Even though they didn't actually develop it, they've done a good job integrating it into their firewall suite. It is not a panacea; nothing in security is, but it is good stuff.
I never heard of deubging before and can't seem to find a Wikipedia article on it?
However, what is to stop malware from using this to avoid detection at the CPU level, where there is no footprint? It could be used to disable AV endpoint software as well.
http://saveie6.com/
Is the anonymous reader just quoting a press release? It doesn't seem like there's much analysis or original thought in this "story."
Stop learning! Only you can prevent esoterrorism.
Interesting. It should up the game for threat prevention, however it is a practical certainty that the black hats will learn from this technique in order to develop new and nastier exploits. If they have not already.
When all you have is a hammer, every problem starts to look like a thumb.
You have a white list of acceptable code and instructions and those are the only ones permitted...
Or you're basically daring the hackers that you're smarter than they are and you have thought of and dealt with any conceivable exploit they could think of or find.
And guess what... you are not smarter than they are... individually man for man... maybe... collectively? Not even remotely.
And it gets better because not only are you not smarter than them but you're also not aware of every exploit they're going to use.
Which means your blacklisting of naughty bits of code will accomplish fuck all.
You stop this by WHITE LISTing good code and good instructions. And yes yes... the thing that makes some things good or bad is the context... but that is implicit in the concept of white listing isn't it, chum? So there you go.
You white list.
Now is the home user douchebag going to white list properly? of fucking course not. Fuck him. He's on his fucking own. Sell him some of your blacklist snake oil. But for the SECURE environments... I'm talking about corporate and government systems that you don't want to be a giant fucking shit show... You whitelist or go fuck yourself.
It's that simple.
No no... White list... or:
https://www.youtube.com/watch?...
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Electron-level threat protection. It analyzes randomly-moving electrons to decide how best to separate people from their IT budget dollars.
There are many companies that offer white listing solutions...
Here was one I found with a single google search:
http://www.kaspersky.com/partn...
I also liked the barrage of toothless AC peasants cackling below you attempting to tag me with rotten produce.
The white listing system works and has worked for many years and there are many applications of it that are known to work quite well.
They're paradoxically easier to set up than blacklisting systems because they're a great deal more simple. All you do is make it so the computer can run LESS than it was designed to run and you set LESS to EQUAL what you want it to run. The other things that COULD run on the system before... simply can't.
I love that you think this is hard to do... think of the way a black listing anti virus system works. It looks for known bad code and then intercepts it. That's how it works.
A white listing system does the opposite. It intercepts EVERYTHING and prevents ANYTHING whatsoever from running, assuming that anything and everything is a virus... EXCEPT things specifically defined to it as NOT a virus.
It's the same system, only instead of trying to guess every virus and malware possible... I just define whatever is currently running as GOOD, and if anything is added to the system then it is ASSUMED to be bad unless otherwise stated.
It's a very simple system and I operate white lists pervasively on many systems using several of the most popular techniques for implementing them.
This is fundamental IT security. That you're ignorant of it is not surprising or embarrassing for you. You don't know what you're talking about. I do. I am an expert. You're an AC shit head.
*wink*
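The default-deny model argued for in the two white listing comments above (baseline whatever is currently present as GOOD, deny anything added or changed afterwards) is simple enough to show in working code. What follows is an added illustration, not code from either commenter or from any vendor product mentioned on this page: a hash-based executable allowlist built from a constructed directory tree, then checked against an unchanged file, a tampered file and a newly dropped file. The file names, contents and the helper functions are all assumptions made for the example.

```python
"""Minimal default-deny executable allowlist (added example, constructed scenario).

The baseline is whatever is on disk when build_allowlist() runs; anything
added or modified after that is denied because it is not on the list.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: str) -> dict:
    """Record relative path -> SHA-256 for every regular file under root.

    This is the 'define whatever is currently running as GOOD' step.
    """
    allow = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            allow[os.path.relpath(full, root)] = sha256_file(full)
    return allow


def is_allowed(allow: dict, root: str, relpath: str) -> bool:
    """Default deny: a missing file, an unknown path or changed content is refused.

    Only an exact (path, hash) match that was present at baseline time passes.
    """
    full = os.path.join(root, relpath)
    if not os.path.isfile(full):
        return False
    expected = allow.get(relpath)
    if expected is None:
        return False  # never seen at baseline time: assumed bad
    return sha256_file(full) == expected  # same path but new content: assumed bad


def _write(root: str, relpath: str, data: bytes) -> None:
    """Helper for the constructed scenario: create a file under root."""
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline two 'binaries', then tamper with one and drop a new one."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, os.path.join("bin", "app"), b"#!/bin/sh\necho app\n")
        _write(root, os.path.join("bin", "tool"), b"#!/bin/sh\necho tool\n")
        allow = build_allowlist(root)

        results = {"app_unchanged": is_allowed(allow, root, os.path.join("bin", "app"))}

        # Attacker overwrites an allowed binary in place: same path, different hash.
        _write(root, os.path.join("bin", "tool"), b"#!/bin/sh\necho pwned\n")
        results["tool_modified"] = is_allowed(allow, root, os.path.join("bin", "tool"))

        # Attacker drops a brand-new file: not on the list at all.
        _write(root, os.path.join("bin", "dropper"), b"#!/bin/sh\necho dropper\n")
        results["dropper_new"] = is_allowed(allow, root, os.path.join("bin", "dropper"))

        # Path that was never created anywhere.
        results["missing"] = is_allowed(allow, root, os.path.join("bin", "ghost"))
        return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The design choice worth noting is the one the comment glosses over with "context": a pure hash list like this denies every legitimate update as well, so production whitelisting products typically key on code-signing publisher or path rules rather than raw hashes, and the hard part is maintaining the list, not enforcing it.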
The software Checkpoint makes already prevents any kind of useful work from being done on a machine. Now it takes the logical final step, and just completely stops the CPU from doing anything at all! Our IT department will love it for sure. Anything they can do to slow down actual business processes.
Seriously. We use Checkpoint at work. On a fast machine with an SSD, compiling takes longer than on machines with a normal hard disk...
I expect my ads to be off to the side and not the main course on slashdot. What was the price of this post?
+2 for subtlety......... cocks