CCES Flashcards
SmartEndpoint combines what elements into a package
Data
Network
Remote Access
Threat
SmartEndpoint allows access control over
Company data
Attacks
Zero Day threats
Admins can perform what tasks in SmartEndpoint
- Centrally monitor, manage, and enforce user- and machine-based company policy
- Quickly deploy protections for users
- Customize policies
- Monitor end user devices for malicious software
- Control access to corporate data and apps
- Protect sensitive data from viruses and threats on the web and in attachments
- Perform risk assessment to ensure compliance
- Inform and remediate attacks on end user machines
- View and report security events
How does SmartEndpoint communicate with the SmartEndpoint management server
SIC
How does the endpoint security management server communicate with clients?
HTTP/HTTPS
Main components of a SmartEndpoint deployment
- SmartEndpoint
- Endpoint management server
- Endpoint clients
Endpoint security database houses
- Policy
- User and computer data
- Mgmt data
- Licenses
- AD node objects
What is the default communication interval between client and mgmt server
60 seconds
What 2 components make up the endpoint agent
Agent
DA Framework
What are the activities performed by endpoint client
Communication
Deployment
EMON state info
Updating files and Drivers
What does the DA framework do?
Policy activation / updating
Log collection
What functions does the SmartEndpoint management interface provide
Deployment
Monitoring
Configuration of endpoint clients
Manage policies
What are the 3 main components of an Endpoint security environment?
- Endpoint management server
- SmartEndpoint
- Endpoint Clients
How does the security management server work in the environment
Endpoint SMS contains the security software and database
The server communicates with the endpoint to manage policies and update protections.
SmartEndpoint Management has 5 tabs, what are they?
- Overview
- Policy
- Users and Computers
- Reporting
- Deployment
The deployment tab shows what information
Security Summary
Active Alerts (10 Minute Update)
Security Status
The policy tab shows
Collection of security rules. This includes the default rules (cannot be deleted)
The users and computers tab shows
Hierarchical Tree of organization
Review of the status of the current blade
The reports tab shows?
Pre-defined reports
The deployment tab shows?
Create deployment rules and manage packages
What does endpoint firewall blade do?
Controls inbound and outbound traffic
What does the URL filtering blade do
Limits and blocks access to websites by
- category
- user
- group
What does the Anti-Malware blade do?
Signature based (scans all files accessed)
Viruses
Spyware
Trojans
What do the data security blades do?
- Capsule Docs: protects, tracks and restricts access to business docs
- FDE: encrypts storage and provides access protection (pre-boot protection)
- Media & Port Protection: strong encryption for USB, CD/DVD/SD
What does the sandblast agent do?
Zero Day:
Anti-bot
Ransomware
Threat Extraction & Threat Emulation
What are the 3 licenses required for endpoint deployment
- Mgmt
- Container
- Software blade
What components does the management license include
Policy management
Logging & status
User directory
Container license components
FW
Appctl
Compliance (annual or perpetual)
Do you have to license each blade that you want to provide to a client
Yes
Where can you add/remove licenses
- SmartUpdate
- Gaia
- cplic
- cpconfig
How do you recoup licenses from stale machines
Delete the client computers
What are the 5 areas of the users and computers tab
- All organization folder
- Global Action folder
- Favorites
- Blades Status
- Rule and status pane
What populates the directories node
After the initial AD scan
**Objects can be part of both AD and the virtual groups
Where are objects that are not part of AD placed
Other users & computers
How do you manage users
Select from the tree, and then add blades and follow steps
Can anyone log into a computer with endpoint
No, only authorized pre-boot users can log into machines
What happens when you reset a client
Removes license
Deletes settings
FDE and Recovery are removed
**Must be reformatted before the machine can be connected back to endpoint
Where can push operations be accomplished from
Reporting
Global Actions
What things can be accomplished through push operations
- Anti-malware scans
- Anti-malware updates
- Restore files
- Sandblast forensics and analysis
- Restart / shutdown
Where is the initial client exported from in the console
Deployment tab
What does the initial client do?
Provides communication
Deployment
Client state
Policy and client status updates
Types of blade packages:
- Master full: all blades
- Master full without network protection: FDE & MEPP only
- Master SBA: Sandblast with FW, Compliance, App protection
- NEWDA: 32-bit initial client without blades (cannot be distributed via deployment rule)
How many packages are created when a new package is created
- Desktop
- Laptop
**Done as laptops often have stricter policies
Does client install interfere with normal user operation
No
**FDE is an exception as it might require a reboot
What tab allows you to modify or upgrade protections
Policy tab
Two methods to modify or upgrade
Deployment rules or exported package
How do you get a new version into the mgmt server
- Download
- Upload
Do the client and blade package need to be upgraded at the same time?
Yes
How would you allow postponing a client upgrade
Client settings allow postponing the upgrade
Deployment rules characteristics
- Automatically download and install preconfigured client packages
- Deploy to individual or all nodes
- Policy needs to be installed for rules to apply
- Must do initial install before blade deployment
User Authentication settings are done in what tab in the console?
Reporting tab
What are the predefined actions in OneCheck
- Use predefined Windows recommended password complexity
- Pre-boot password updates
- Temp lock failed attempts
- Use default login settings
- Allow remote help
What is pre-boot
User must log in before the OS boots
What are the pre-boot authentication options
- Passwords
- Smart cards
- Dynamic tokens
Why use FDE
When machines are shared amongst users
How and what type of encryption does FDE use
AES, HDD is encrypted, but data is not.
What feature is used for FDE authentication
OneCheck Logon policies manage FDE user logins and password security
When using AD, which authentication components are recommended
User Acquisition
OneCheck Logon
Password Sync (same creds, SSO login)
Is user acquisition enabled by default for FDE
Yes
***Requires users to log in and out to acquire pre-boot credentials
OneCheck Logon
SSO solution: VPN and FDE password sync
Password Sync
Pre-boot prevents OS from booting until user authenticated
Can passwords be changed at pre-boot?
Yes, and it is automatically sent to all computers the user is authorized to access pre-boot.
Endpoint has built-in monitoring for what?
Connection state, compliance, other data on connected clients
Provides system-wide reporting or granular user and computer monitoring reports for compliance, activity, software, deployments, etc.
Name the 5 tabs in the SmartEndpoint GUI
- Overview
- Policy
- Users & computers
- Reporting
- Deployment
What blades are included in data protection for endpoint
FDE, MEPP, Capsule Docs, VPN
What licenses are required for endpoint security
Mgmt
Blades
Container
Where are endpoint historic logs kept
Smart console
What do OneCheck user settings define
How users authenticate to endpoint security. More specifically, how a user logs into his/her computer and what happens with failed attempts
ESM Components
- SmartEndpoint
- ESM blade
- Endpoint blades
- Endpoint DB
- Directory Scanner
Installation methods for ESM
- Standalone: with the network management server
- Distributed: helps ensure no hotfix upgrades
Things to watch out for during installation
1: Network Security management and SmartConsole must be installed
2: AD structure can be replicated into the EMS DB
3: AD scanner will require read-only AD permission
What port handles loopback for Mgmt and AD scanner comms
8080
What port handles encrypted client comms to the client server, FDE, and MEPP
443
What port is used for SIC communications
18190
Which port handles the Gaia SSL portal
4434
What port handles SOCKS proxy
1080
What SK# provides all port access requirements
SK52421
What component is required to incorporate AD users and computers
AD Scanner
What type of information is captured by the AD scanner
- OUs
- Users (not contacts)
- Computers
- Security groups
What are the polling intervals for the AD scanner
2 minutes (management server)
AD refresh every 5 minutes
How many scanners are recommended per domain
One; be sure not to duplicate scanned networks
What are the four types of client deployment and installation
- Automatic deployment rules
- Package export and manual install
- CLI
- Third party tools (SCCM, GPO)
What are the steps for client install in an automatic deployment
- Automatic = manually install the initial client and then apply deployment rules
**Deployment log: %programdata%\checkpoint\Endpoint Security
How do you install the endpoint client manually
Export package (via third party, file share, email) using the deployment tab;
Create/change in Deployment tab > Packages for export
Run EPI.MSI as administrator
CLI: msiexec /i EPS.msi
Install log: %temp%\MSIXXXX.log
How do you uninstall the endpoint client
Same as all other Windows programs, but needs admin access. **Make sure to remove from the console after you are done to free up licenses
How do you install the endpoint client on the Mac
Manual install is the only way possible: expand the *.zip file and start the install
What third party tool is most commonly used to install the client in a Windows env
SCCM/GPO
What type of information is in the endpoint client GUI
- Overview of protections on machine
- Client update status and scan info
- Allows users to request updates and view scans
- Policies and log info on the advanced tab
Client Settings Policy does what?
Default settings for the entire org, for the settings below:
A. General UI settings
B. Log & alert confirms
C. Install and upgrade settings
D. Network protections
E. Local deployment options
F. Data sharing options
What type of remote connection options (VPN) are available
IPSEC
SSL VPN
Mobile access
Where does VPN license reside
Network management server
What do access zones do?
They define trusted and untrusted networks
Where can VPN settings be defined
- Compliance policy
- Advanced deployment options (this is where sites are created)
Are VPN settings part of the automatic client deployment
No
You can have compliance checks run before an individual can access VPN. What two types of policy checking can be defined
Endpoint security compliance= use endpoint security policy
VPN SCV compliance= this forces security compliance with org policies
What is the client authentication process for?
Process of identifying the client machine and the person working on it.
2 modes
Authenticated (recommended for a live env)
Unauthenticated (insecure, uses IP, and should only be used in a lab)
How do you enable strong authentication
Based on Kerberos; user must be in AD
**Need to run ktpass.exe to create a keytab file; this is then used to set up the authentication connection type
Where are client logs stored
On the endpoint device
What type of security is used between the management server
TLSv1 & TLSv2 certificate-based key
What type of communication between the endpoint security server and other CP products
SIC + Certificate
When does a client check for updates
Startup
Heartbeat Response
Client Component Changes
Installation state changes
What is the AD scanner and how does it work
Scans AD and copies org chart into endpoint
What are the four ways to install endpoint
- Automatic
- Manual
- CLI
- Third Party
What are the two VPN client authentication actions which can be enforced when verification fails
Endpoint Security Compliance
VPN SCV Compliance
How does the Endpoint Security Server communicate with other CP servers
SIC + Certificates
What does the policy server Do?
Houses log server
Manages client communication
Improves performance (decreases load on ESM)
How many policy servers should you have in each remote site
One
What are the steps in installing a log server
- Create new object in SmartDashboard
- Enable EPM, Logging and Status blades on the object
- Push policy and install database
- Then add the new policy server: Menu > Management > Endpoint Servers > New
What type of communication does policy server respond to
Heartbeat
Sync
Policy downloads
Malware Updates
**Client will connect to the server that is closest, so between a policy server and the management server the client will choose the closest.
How can you tell which policy server a client is connected to
Run the activity report; it will tell you which server the client is connected to
When does a new policy server sync
Initial sync is done after it is configured and installed
Then the heartbeat keeps it in sync after the first
How many standby management servers are allowed
One
Steps to create HA management server
- Install new SMS server
- Enable network policy management
- Establish SIC between primary EMS and standby
- Install DB on secondary
- Wait for sync
- Enable endpoint management on second management
- Install DB
When failing over to secondary EMS management, is it automatic
No
What two manual activities are required on secondary EMS
- Packages
- Failover
When does the initial sync occur between primary and standby management servers
After the policy server is configured and policy is installed
What type of data security can endpoint client provide
In transit
At rest
In use
Shared
What data security solutions are provided by the endpoint system
- FDE
- MEPP
- Capsule docs
- VPN
Features of FDE
Data at rest
Protects user data, OS files, temp and erased files
Combines OS boot protection with pre-boot auth
Features of MEPP
Data at rest
Controls and logs all endpoint port activity
Manages ports by blocking certain ports based on policy
Capsule Docs features
Data in-use / shared
Allows accessing and sharing corp docs
Integrates with Windows client
Audit trail in SmartView Tracker
Remote Access VPN features
Transit, rest, in-use, and shared
FDE Disk Encryption
To initiate, requires user authentication
Process runs in the background
What type of encryption is default and available for FDE
- AES 256 (default)
- 3DES 168
- Blowfish 255
- CAST 128
- XTS AES 128 & 256 EFI
Why is FDE pre-boot important
Avoids unauthorized access to disk by removing third party tools
Ensures user identity prior to booting into data drive
Supports multi-factor
What are the FDE file components
- FDE Service (FDE_SRV.exe): config, encryption and policy handling
- Crypto Core (CCore32.bin): encryption algorithms
- Filter Driver (prot_2k.sys): driver for encryption, FAT drive sector location
Gotchas for FDE
Need 32 MB contiguous space, no RAID
No hybrid drive with cache / compressed root file system
By default encrypts all visible drives
How to start encrypting with FDE
- Connect machine to management
- Download FDE policy
- Run through user acquisition
- Pre-boot user created
- Create 32 MB partition
- Recovery data sent to server
FDE Recovery options
Full recovery with recovery media
Recovery files collected when initial FDE was established
As volumes are added or removed, these activities are reflected in the recovery info
Removes encryption without removing windows components
Restores boot record
Where is the recovery media tool
Client runs UseRec.exe
Location: c:\program files\Checkpoint\endpoint security\full disk encryption
Run as an administrator
FDE recovery options
Drive Slaving
Faster method for extracting files from a failed or encrypted drive
Dynamic Slave Utility
Access specific files on failed disks
Connect through USB
FDE auth is required
FDE recovery options
Drive Mount Utilities
FDE auth not required
Used to access data on an FDE drive without doing a recovery.
How many types of media encryption are available in endpoint
2
Primary: basic config, customizable read/write permissions & exclusions
Advanced: authorization, logging, policy violations (global permissions)
Capsule Docs does what
Protects documents and controls access
Integrated with AD; when a doc is created, appropriate permissions are applied
2 action types:
- Primary = default encryption behavior, classification, and permissions
- Advanced = granular permissions, applied at OU level
What does endpoint remote help provide
Allows admins to help users regain access from MEPP or FDE
How many types of recovery help are offered by endpoint management
2
Type 1: User logon pre-boot remote help (challenge-response procedure)
One-time login
*Allows bypassing pre-boot without resetting the password
*Does not unlock their account
*Use for lost smart cards and getting updates to clients
Remote password change
*Changes user password at pre-boot
*Bypasses pre-boot login
*Will unlock account
How many types of recovery help is offered by endpoint management
2
Type 2 Media encryption remote help
*Recovers removable media passwords remotely
*User must be authorized to use media
Is remote help enabled by default in OneCheck policy
Yes
What ways can you use recovery options
- Through SmartEndpoint
- Through web portal
What is address of web portal for recovery
HTTPS:///weary
Features of one-time logon
Bypass preboot
Does not unlock account
Does not reset password
Features of remote password change
Change password
Unlock account
How do you enable remote help at pre-boot screen
Type in username and hit tab (this will show you remote help options)
What types of attacks are targeting endpoint devices
A. APT (Advanced Persistent Threat): large scale, state sponsored, devastating damage, multi-surface
B. Zero Day: targets unknown software vulnerabilities
C. Bot attacks: remote control of machine
D. Ransomware
Is Sandblast agent part of network sandblast
No
What are the advantages of Sandblast mobile
Securing users outside the corp network
Protecting users who use removable media devices to share files
Blocking lateral threats
Detecting and preventing encrypted messages that bypass the security gateway
What is anti-bot doing
Searching for malicious outgoing traffic using threat intelligence (ThreatCloud)
Detecting and blocking C&C attempts
Quarantining files as needed
What are anti-bot actions and settings
Scans and assigns a confidence interval to bot traffic
Default (detects and logs all bots with high confidence)
Exclusion list = domains, processes, URLs, IPs
Is Anti-Malware signature based
Yes
Features of anti-malware
Signature based
Definition updates come from the EMS, so connectivity must be maintained
Primary: scan scheduling
Advanced: fine-tune scan optimizations
Anti-Ransomware features
Continuous monitoring of client file operations
Monitors computer processes and looks for triggers
Behavioral Guard (detects and remediates all forms of malicious behavior)
Anti-Ransomware = quarantines infected files by deleting them and storing them in a safe location
Actions & settings:
Actions are based on the threat's confidence level
Exclusions are possible
Need 1 GB minimum disk storage
What is threat extraction
Provides immediate response to malicious content in files. This is done by removing suspicious elements, e.g. macros
What is threat emulation
Proactively detects zero-day threats. The file is then sent to a sandbox (cloud or local) for emulation. Deep examination is also accomplished by monitoring individual files for compromise
What does the inspection process look like
User downloads malicious file
SBA intercepts the file and sends it to the Sandblast service
Sandbox performs emulation
Extraction already provides clean content
If suspicious = quarantine
If not suspicious, send to recipient
What two modes of enforcement in threat emulation
Detect and alert
Block
What does anti-exploit accomplish
Monitors suspicious memory manipulation in running programs. It will shut down the exploited process when detected.
Actions and Settings:
Default = protect web downloads with emulation, use cloud, inspect everything, 10MB emulation limit, add exclusions
What does the browser extension for Sandblast agent do
Captures downloads for threat extraction and emulation
Continually monitors client files in case of an event.
Recommendation for deploying SBA
- Vigorously test SBA with the software used by the organization, ensuring that once turned on, impact will be minimal
Deployment options
- Default = use cloud for emulation
- Or can leverage an appliance to be used locally
Why is a central log server a good idea
Takes the load off the other assets in the deployment; easier to correlate events.
What software blades are included with SBA
- Behavioral guard
- Anti-exploit
- Anti-bot
- Anti-ransomware
- Forensics
- Threat extraction / threat emulation
Default length for saving quarantined SBA files
90 days
What does the browser extension for threat emulation and threat extraction do
Intercepts downloads and sends them for extraction and emulation
What type of reporting is provided by sandblast agent
- Predefined reports
- Alerts
- System operations
- Monitor
- Audit
- Client install / deployment
What do alerts display
Endpoint clients in violation of rules
What do push operations display
Displays recent activities:
Anti-malware scans and updates sent directly to clients without policy install
What does compliance show
Verifies compliance by software, OS updates, service packs, etc.
What does the activity report show
Shows current activity status of clients, policy servers, users, client connections and problems
What does software deployment show
Deployment status errors and policies
What does FDE show
Encryption status and problematic clients
What does user authentication (OneCheck) show?
Pre-boot status, configured auth methods, last authentication
What does MEPP show
Displays all device connection events for the last 14 days, reports all devices connected to clients
What does Anti-malware show
Status of AM detections and results of updates for clients
What does anti-bot show
AB status
What does license show
License usage
What is the SmartEndpoint report structure
- Summary chart
Visual overview of trends
Can be exported as XLS, CSV, HTML, PDF
- Endpoint list
Detailed info for users and client machines
You can right-click on the client to adjust behavior or rule settings
How do you set up policy reports
Scheduled in the ESM and generates a CSV file
Execute cpstop
Edit the $UEPMDIR/engine/conf/local.properties file
Set time: #emon.scheduler,time
Set max reports: #emon.scheduler.max.reports
Enable report: #emon.scheduler.policy report=true
Create new folder $fwdir/conf/smc_files
cpstart
2 fields:
General: user and client info
Policy: identified policy name and rule actions for each client
How do forensics reports get generated
Automatically initiated upon detection of a triggered event, file, or malicious behavior.
Report includes:
Entry point of suspicious file
Affected files
Remediation efforts
Suspicious behavior resulting from attack
Attack details
Name the diagnostic tool
CPinfo contains
- All files in the data directory
- Installation log
- File version info
- Registry values
- GINA DLL
- SMBIOS structure
- Installed applications
- Windows partition list
FDE state
- Failure window for encrypt/decrypt process
- Identifying which disks have failures
- FDE client issues