
Integrity Security Best Practice Advisory

Attack ID: CPSA-2005-10
Publish Date:
Category: Security Best Practices
Vulnerable Systems: Microsoft Windows clients
Source: Internal research
Description: SmartDefense Program Advisor (PA) provides policy recommendations for programs running on Integrity Clients.  PA provides recommendations from Check Point security professionals about assigning permissions to common programs.  These recommended permission settings can be accepted by the Integrity Server or overridden by a company’s custom policy.  PA helps reduce company workload and improves security.
Severity:

With limited resources and time, a company’s IT staff needs every advantage to respond effectively and rapidly to the newest emerging worm, trojan, and zero-day threats.  PA automates Integrity’s application control decisions, lowers IT administrative overhead, and maintains the highest productivity and endpoint security levels.  This is done in the following ways.

  • Provides preemptive security by automating application control decisions, which strengthens endpoint and network availability. 
  • Identifies emerging threats and automatically terminates malicious application processes, thus preventing network abuse. 
  • Safeguards enterprises from major financial damage associated with endpoint or network downtime.
  • Provides application control policies through the familiar Integrity management console.  This enables IT administrators to deploy (automatically or manually), rapidly review, and customize application security policies.
  • IT administrators are able to implement the Check Point Security Alert recommended permission settings of over 85,000 applications.  This enables IT administrators to focus on analyzing the security policies of unknown applications while ‘known good’ and ‘known bad’ application policies are quickly and simply deployed, protecting against emerging zero-day threats. 
  • Increases the return on security investment by minimizing IT help desk calls and maximizing IT productivity and enterprise security. 
    • PA eliminates the uncertainty of granting ‘known good’ applications network access while silently blocking ‘known bad’ applications.  End users and IT administrators alike stay productive while maintaining real-time endpoint and network availability. 
    • PA reduces help desk calls by minimizing the need for end-user involvement. 

By integrating PA into the Integrity management console, Check Point application control policies can be quickly customized and deployed.  This reduces administrative overhead, improving IT productivity and overall enterprise security.

Details:

Frequently Asked Questions

How does PA match the appropriate permissions for each program?

PA generates a unique checksum for each program and uses that checksum to look up the permissions recommended for the program.  Because the checksum identifies the exact binary, a program whose file has changed (a new version, or a patched or repacked copy) produces a different checksum and is treated as a separate program rather than matched to the recommendations for the original.  Security professionals at Check Point follow these general practices when setting permissions for applications in PA.

  • Non-malicious applications are allowed to perform only the network functions they require.  Any other network function such an application requests is either blocked or referred to the user, who decides whether it should be allowed or blocked: a network function that should never be allowed is blocked, while a non-required function that the application could legitimately request is left to the user’s discretion.

  • Applications considered malicious are blocked and/or killed during execution.  If the Check Point recommended security policy for an application does not agree with the company’s policy, an IT administrator can create a custom application control policy.

What is the application policy of the Integrity Server?

When an application attempts network access, listens as a server, or sends mail, the Integrity Client queries the Integrity Server for the enterprise’s application control policy. 

  • If a custom policy exists, the application is given permission based upon that policy: it is allowed, blocked, or the user of the application is asked whether it should be allowed or blocked.  
  • If a custom application control policy does not exist, the Integrity Server queries PA.  Depending upon the Check Point recommended permission settings, the application is either allowed, blocked, or the user of the application is asked whether the application should be allowed or blocked. 
  • If neither a custom policy created by an IT administrator nor a PA policy exists for a specific application, a company serviced by Check Point Integrity may have such unknown applications default to either allow, block, or ask.

If PA is used, is it still necessary to run anti-virus software on the desktop?

The purpose of PA is to provide recommended network permissions for programs running on Integrity Clients.  The purpose of anti-virus software is to detect and remove viruses.  Both are necessary in securing a network, but fulfill two distinct security roles.

What is the process by which PA assigns permission to Integrity Clients?

The Integrity Server receives program permission requests from the Integrity Client.  In conjunction with the PA Server, it determines what permissions should be applied to the program, and how the program should be displayed in the Program Manager page of the Integrity Advanced Server Administration Console.  The Integrity Advanced Server handles a request in the following order; the first check that matches decides the permissions the Integrity Client applies.

  • Receives the request from the Integrity Client.
  • Checks for a matching reference source.
    • If the program has a matching reference source, the Integrity Advanced Server sends a response to the Integrity Client, instructing it to mark the program as ‘Referenced’ in the Program Manager page. 
    • The Integrity Client applies the permissions that the Integrity Administrator set for the reference program in the deployed enterprise policy.
  • Checks whether PA is enabled.
    • If PA is not enabled, the Integrity Advanced Server sends a response to the Integrity Client, instructing it to mark the program as ‘Not Referenced’ in the Program Manager page. 
    • The Integrity Client applies the permissions set by the Integrity Administrator for ‘all other programs’ in the deployed enterprise policy.
  • Checks for custom overrides.
    • The Integrity Administrator can set the Integrity Advanced Server to override PA’s recommendations with a company’s custom permission set. 
    • If custom overrides have been set for this program, the Integrity Advanced Server sends a response to the Integrity Client, instructing it to mark the program as ‘Overridden’ in the Program Manager page.  The Integrity Client applies the custom permissions specified.
  • Checks for PA recommendations.
    • The Integrity Advanced Server either contacts the PA Server or uses a cached copy of PA’s previous recommendations.  PA recommendations stored on the Integrity Advanced Server carry a time-to-live stamp. 
    • If the period during which the PA recommendation is considered current has expired, the Integrity Server must contact the PA Server to check for new permissions.

If PA has recommendations for this program, the Integrity Advanced Server sends a response to the Integrity Client, instructing it to mark the program as ‘PA’ in the Program Manager page.  The Integrity Client applies the PA permissions.

If PA has no recommendation for this program, the Integrity Advanced Server sends a response to the Integrity Client, instructing it to mark the program as ‘Unrecognized’ in the Program Manager page.  The Integrity Client applies the permissions that the Integrity Administrator has set for ‘all other programs’.

How are security policy settings from PA overridden?

If a company does not agree with the PA recommendations, they can be overridden with custom settings.  For example, PA settings do not attempt to block peer-to-peer programs, but a company’s network policy may be to block all peer-to-peer connections to and from endpoints.  In that case it is appropriate to override the permission settings recommended by PA.

To Override PA Recommendations:

1. In the Program Manager page, click Product Name.  The Policy Advisor Program Details page opens.

2. Within Program Manager, configure the appropriate custom settings.

The individual permissions for each Connection Type and Zone can be overridden by the Integrity Administrator with a company’s own settings, or the whole application can be terminated.

3. Click Save.

When an Integrity Administrator chooses to override a PA recommendation for a program, a * symbol appears by that program name in the Program Manager page.

What is the PA ‘terminate’ feature and can it be overridden?

The terminate feature stops a process from running.  Check Point performs extensive research to ensure that only malicious programs are terminated in PA.  A PA recommendation for a program can be overridden so that the program is terminated instead. 

What should a company’s default policy be for programs unknown by a custom policy and PA?

PA can successfully identify approximately 85% of the programs in an enterprise network.  The remaining 15% of the programs may not be identified by PA for various reasons, including that they are custom programs or new programs that have not yet been assigned permissions by security professionals at Check Point.  For those programs that are not identified by custom overrides, a reference source, or PA, a default policy may be set.  There are two different recommended strategies for implementing a default policy for programs unknown to the custom policy and unknown to PA.

  • Set ‘all other programs’ within Program Manager to ‘allow’.  In doing so, the Program Manager will be more manageable, but less secure.  A company will rely upon PA to automatically provide the appropriate permissions to the majority of the programs on the network.  There may be malicious programs that are not identified, and these will be allowed to have network connectivity.  This occurrence is low, as PA is able to successfully identify approximately 50,000 malicious programs; note, however, that identification is by checksum, so a malicious binary that differs from every catalogued sample (for example a repacked variant) is not identified and, under this setting, is allowed.
  • Set ‘all other programs’ to block.  In doing so, the Program Manager will be more secure, but less manageable.  The unidentified malicious programs are blocked, disabling network connectivity.  However, the risk is that non-malicious programs will also be blocked.  This strategy is less manageable because these non-malicious programs will remain blocked until the appropriate custom permissions are assigned to ‘Unrecognized’ programs, within Program Manager.
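The check order described under “What is the process by which PA assigns permission to Integrity Clients?” (Referenced, Not Referenced, Overridden, PA, Unrecognized) and the two ‘all other programs’ strategies above, worked through as an added Python simulation.  This is illustration code written for this advisory, not Check Point’s implementation: the checksum algorithm (SHA-256; the advisory names none), the time-to-live value, the permission model of one action per connection type and zone, and every sample program and catalogue entry are constructed assumptions.

```python
# Added illustration of Integrity policy resolution; not Check Point code.
# Assumptions: SHA-256 as the program checksum (the advisory names no
# algorithm), the TTL value, the permission model, and all sample data.
import hashlib
from dataclasses import dataclass, field

ALLOW, BLOCK, ASK, TERMINATE = "allow", "block", "ask", "terminate"
TTL = 3600  # seconds a cached PA recommendation stays current (assumed)

def checksum(binary: bytes) -> str:
    # A program is identified by the hash of its exact bytes, so a repacked
    # or patched variant hashes differently and matches no entry.
    return hashlib.sha256(binary).hexdigest()

def perms(access, server, mail):
    # One action per connection type, applied to both zones (constructed shape).
    return {(ct, zone): act for ct, act in (("access", access), ("server", server), ("mail", mail))
            for zone in ("Trusted", "Internet")}

@dataclass
class EnterprisePolicy:
    pa_enabled: bool
    reference_programs: dict  # checksum -> administrator's reference permissions
    overrides: dict           # checksum -> custom permissions replacing PA's
    all_other_programs: dict  # default for anything nothing else identifies

@dataclass
class PACache:
    # PA recommendations held on the server, each with an expiry stamp.
    entries: dict = field(default_factory=dict)

    def lookup(self, h, now, fetch):
        hit = self.entries.get(h)
        if hit is not None and now < hit[1]:
            return hit[0]                 # cached copy still current
        recommended = fetch(h)            # otherwise contact the PA Server
        if recommended is not None:
            self.entries[h] = (recommended, now + TTL)
        return recommended

def resolve(h, policy, cache, now, fetch):
    """Return (Program Manager label, permissions) in the advisory's check order."""
    if h in policy.reference_programs:
        return "Referenced", policy.reference_programs[h]
    if not policy.pa_enabled:
        return "Not Referenced", policy.all_other_programs
    if h in policy.overrides:
        return "Overridden", policy.overrides[h]
    recommended = cache.lookup(h, now, fetch)
    if recommended is not None:
        return "PA", recommended
    return "Unrecognized", policy.all_other_programs

# Constructed stand-ins for program binaries and for the PA Server's catalogue.
MAIL_CLIENT = b"MZ constructed mail client"
P2P_CLIENT = b"MZ constructed peer-to-peer client"
KNOWN_WORM = b"MZ constructed worm sample"
LOB_APP = b"MZ constructed line-of-business app"
IN_HOUSE_TOOL = b"MZ constructed in-house tool"
PA_CATALOGUE = {
    checksum(MAIL_CLIENT): perms(ALLOW, BLOCK, ALLOW),
    checksum(P2P_CLIENT): perms(ALLOW, ALLOW, BLOCK),   # PA does not block P2P
    checksum(KNOWN_WORM): perms(TERMINATE, TERMINATE, TERMINATE),
}

def make_pa_server(catalogue, calls):
    def fetch(h):
        calls.append(h)                   # record every PA Server contact
        return catalogue.get(h)
    return fetch

def run(default_action, pa_enabled=True, now=0):
    """Resolve each sample; return {name: (label, Internet-zone access action)}
    and the list of PA Server contacts made."""
    calls = []
    policy = EnterprisePolicy(
        pa_enabled=pa_enabled,
        reference_programs={checksum(LOB_APP): perms(ALLOW, BLOCK, BLOCK)},
        overrides={checksum(P2P_CLIENT): perms(BLOCK, BLOCK, BLOCK)},  # company blocks P2P
        all_other_programs=perms(default_action, default_action, default_action))
    cache, fetch = PACache(), make_pa_server(PA_CATALOGUE, calls)
    samples = [("mail", MAIL_CLIENT), ("p2p", P2P_CLIENT), ("worm", KNOWN_WORM),
               ("lob", LOB_APP), ("inhouse", IN_HOUSE_TOOL),
               ("worm_repacked", KNOWN_WORM + b"\x90")]  # same worm, one byte appended
    results = {}
    for name, binary in samples:
        label, p = resolve(checksum(binary), policy, cache, now, fetch)
        results[name] = (label, p[("access", "Internet")])
    return results, calls

def cache_demo():
    """Count PA Server contacts for one program across one TTL window."""
    calls = []
    policy = EnterprisePolicy(True, {}, {}, perms(ALLOW, ALLOW, ALLOW))
    cache, fetch = PACache(), make_pa_server(PA_CATALOGUE, calls)
    for now in (0, TTL - 1, TTL, TTL + 1):
        resolve(checksum(MAIL_CLIENT), policy, cache, now, fetch)
    return len(calls)
```

Calling `run(ALLOW)` and `run(BLOCK)` shows the trade-off the two strategies describe: the catalogued worm is terminated and the peer-to-peer client is blocked by the override under both defaults, but the in-house tool and the one-byte-different worm variant both land in ‘Unrecognized’ and take whichever default was chosen.  `run(ALLOW, pa_enabled=False)` shows that a reference program is still honoured when PA is off while everything else becomes ‘Not Referenced’ with no PA Server contact, and `cache_demo()` shows the server contacting PA again only once the cached recommendation’s time-to-live has expired.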

How can PA recommendations be viewed?

All program permission recommendations that PA provides can be viewed in the Program Manager page.

To View PA Recommendations:

1. Go to Policy Studio | Programs.  The Program Manager page opens.

2. Each program has permissions set for the Trusted Zone and the Internet Zone.  For each program, PA blocks or allows access, asks the user whether or not to allow access, or terminates the program’s process.

How are programs, which are unrecognized, managed?

After a policy has been deployed, use program observation to detect the programs present on endpoints.  Once this is complete, an IT administrator should periodically check for unrecognized programs. 

Unrecognized programs are not referenced or governed by PA or a Program Group.  These programs should be added to groups so that permissions can be assigned more efficiently.

To manage unrecognized programs:

1. Go to Policy Studio | Programs.  The Program Manager page opens.

2. Expand All Programs.

3. Click Unrecognized.

4. Choose the programs and add them to your program groups as appropriate.

NOTE: For further details regarding PA, please reference the Integrity Document Library Administrator Guide.

Attack Detection:


Solution:


Industry Reference:


Additional Information: