
SandBlast Agent

As emerging threats increasingly target endpoints, organizations require proactive security that can keep up with the pace modern business demands. SandBlast Agent defends endpoints with a complete set of real-time advanced protection technologies, including Threat Emulation, Threat Extraction, Anti-Ransomware, Anti-Bot, Zero Phishing and Automated Incident Analysis.


Protect endpoints from sophisticated attacks and zero-day threats

  • Leverage Check Point’s evasion-resistant sandbox with the highest malware catch rate to block attacks from email, removable media and web-downloads
  • Quickly deliver safe, sanitized versions of common document formats to provide real-time protection and maintain uninterrupted business flow

Block and remove evasive ransomware infections

  • Detect and quarantine the most advanced and evasive ransomware
  • Automatically recover any encrypted data

Block unknown and zero-day phishing attacks targeting user credentials and prevent misuse of corporate passwords

  • Identify and prevent access to deceptive phishing sites in real-time using dynamic analysis and highly accurate heuristics
  • Keep credentials used to access business-related services safe by alerting when users attempt to utilize the same passwords on external sites

Neutralize the impact of malware infections contracted through unprotected channels, minimizing potential damages

  • Detect and block command and control communications, even when working remotely
  • Stop data exfiltration to prevent disclosure of sensitive information, and quarantine infected systems to limit spread of malware

Enable deep understanding of security events for faster response

  • Actionable forensics continuously collects data on user systems to reveal a comprehensive view of the attack flow
  • Accelerate remediation by empowering security teams with full understanding of root cause, malware entry points and scope of damage

Those of us on the front lines of enterprise security see the reality of modern hacking techniques, where anti-virus solutions are becoming less dependable against these newer threats. It is critical not only to do the best job possible detecting the latest malware, but also to respond rapidly as events occur. By preventing more attacks from reaching our users, and then empowering our team to quickly contain threats before they can impact operations, we allow our highly mobile workforce to manage their business with confidence.

Michael Brine

Infrastructure Manager

Community Newspaper Group


Prevents zero-day malware

Check Point SandBlast Agent extends the proven protections of SandBlast Zero-Day Protection to endpoint devices and web browsers. Threat Extraction reconstructs downloaded files in seconds, eliminating potential threats and promptly delivering a safe version to users. At the same time, Threat Emulation discovers malicious behavior and prevents infection from new malware and targeted attacks by quickly inspecting files in a virtual sandbox.

Prevent ransomware attacks

Ransomware’s ability to bypass some of the most advanced malware protections has impacted businesses around the globe. Check Point Anti-Ransomware keeps businesses one step ahead of attacks by automatically detecting, blocking and removing the most sophisticated ransomware infections and restoring any encrypted data as part of its automated remediation capability.

Blocks zero-day phishing attacks

The Zero Phishing capability within SandBlast Agent uses dynamic analysis and advanced heuristics to identify and prevent access to new and unknown phishing sites targeting user credentials through web browsers in real time. In addition, this capability prevents theft of corporate credentials from potential breaches of passwords on third-party sites by alerting users when they violate the corporate password re-use policies.

Identifies and contains infections

With a local version of Anti-Bot security protection, continuously updated with the latest Threat Intelligence data via ThreatCloud, SandBlast Agent identifies and blocks bot communications with command and control servers to contain and quarantine any infected hosts.

Comprehensive coverage across threat vectors

SandBlast Agent secures endpoint devices from threats delivered via:

  • Web downloads
  • Content copied from removable storage devices
  • Links or attachments in email messages
  • Lateral movement of data and malware between systems on a network segment
  • Infections delivered via encrypted content

Full visibility of security events

The forensics capability within SandBlast Agent provides full visibility by monitoring and recording all endpoint events, including files affected, processes launched, system registry changes and network activity. SandBlast Agent is able to trace and report the steps taken by malware, including zero-day threats. Continuous monitoring by SandBlast Agent ensures that data is available after a completed attack, even for attacks based on malware techniques that remove files and other indicators of compromise left on the system.

Detailed incident reports

The forensics capability within SandBlast Agent allows you to view event reports, triggered from the gateway or endpoint itself, from a central location using SmartEvent. Security Administrators can also generate reports for known malicious events, providing a detailed cyber kill chain analysis. These reports provide actionable incident analysis, accelerating the process of understanding the complete attack lifecycle, damage and attack vectors.

Third-party integration

SandBlast Agent works in conjunction with Antivirus and other security solutions from Check Point, as well as from other vendors. It enhances the detection capabilities of existing Antivirus products, enabling protection from advanced threats and providing actionable incident analysis.

When triggered by an event or investigation request by another Check Point component or third-party solution, endpoint forensics logs are analyzed to generate reports viewable in SmartEvent and SmartLog.

Actionable incident analysis

The forensics analysis process automatically starts when a malware event occurs. Using a combination of advanced algorithms and deep analysis of the raw forensic data, it builds a comprehensive incident summary. The summary provides key actionable attack information, including:

  • Malicious events – What evidence of suspicious behavior was detected throughout the attack lifecycle?
  • Entry point – How did the attack enter the network? What were the main elements used in the attack? How was the attack initiated?
  • Damage scope – What is the damage? What malicious and suspicious behavior has occurred within the system? What data has been stolen?
  • Infected hosts – Who else or what else is affected?

These comprehensive attack diagnostics and visibility support remediation efforts. System administrators and incident response teams can swiftly and efficiently triage and resolve attacks, getting your organization back to business as usual more quickly.

SandBlast Agent endpoint protection screenshot - incident analysis report

Easy to deploy and manage

SandBlast Agent provides flexible deployment options to meet the security needs of every organization. SandBlast Agent for Browsers can be quickly deployed as an integral part of the SandBlast Agent on the endpoint, or with a minimal footprint as a standalone solution for web browsers.

Regardless of which package you select, the non-intrusive, low-overhead deployment utilizes a SandBlast remote sandbox running as a service – on either the SandBlast Service or your own private appliances – resulting in minimal impact on local performance and full compatibility with installed applications.

  • SandBlast Agent for Browsers Package
    SandBlast Agent for Browsers is a browser extension focused on preventing attacks that use web browsers as a main entry point. It includes the capabilities of Threat Emulation, Threat Extraction, Zero Phishing and credential protection. This stand-alone solution can be implemented using a simple browser plugin and is an ideal fit for organizations looking for rapid deployment with a minimal footprint. SandBlast Agent for Browsers utilizes standard endpoint management tools, such as GPO (Group Policy Object) to push policy to user endpoints. ‘Compare Packages’.
  • SandBlast Agent Complete Package
    SandBlast Agent prevents threats on endpoint devices. It includes the capabilities of Threat Emulation, Threat Extraction, Forensics, Anti-Bot, as well as Zero Phishing and credential protection. SandBlast Agent can be quickly deployed, and all policies are managed centrally through SmartCenter. Event logs and incident reports are accessed through SmartEvent and SmartLog, providing deep insight to understand even the most advanced attacks. For a full list of supported capabilities, see ‘Compare Packages’.

SandBlast Family of Products

The SandBlast Zero-Day Protection solution suite also includes additional products that provide advanced threat protection for enterprise networks and cloud applications.



Available Packages
  • SandBlast Anti-Ransomware – includes Anti-Ransomware only
  • SandBlast Agent for Browsers – includes Threat Emulation, Threat Extraction, Zero Phishing, Credential Protection
  • SandBlast Agent – includes Threat Emulation, Threat Extraction, Anti-Ransomware, Zero Phishing, Credential Protection, Anti-Bot, Forensics and Automated Incident Analysis
  • Endpoint Complete Protection – The endpoint complete protection adds Full Disk Encryption, Antivirus and Firewall to the SandBlast Agent package
Operating System
  • Windows 7, 8, and 10
  • Windows Server 2008 R2, 2012, and 2012 R2
Supported Browsers
  • Google Chrome
  • Coming Soon - Internet Explorer and Firefox

Supported File Types – Threat Extraction
  • Adobe PDF
  • Microsoft Word, Excel, and PowerPoint
Supported File Types – Threat Emulation
  • Over 40 file types, including: Adobe PDF, Microsoft Word, Excel, and PowerPoint, Executables (EXE, COM, SCR), Shockwave Flash – SWF, Rich Text Format – RTF and Archives
Deployment Options
  • SandBlast Service (Hosted on Check Point cloud)
  • SandBlast Appliance (Hosted on-premise)

Anti-Ransomware
  • Signature-less behavioral detection of ransomware; no internet connection is required
  • Malicious file encryption activity detection
  • Automated ransomware quarantine
  • Automated restoration of encrypted data (if encryption started prior to quarantine)
Zero Phishing
  • Real-time protection from unknown phishing sites
  • Static and heuristic based detection of suspicious elements in sites that request user credentials

Corporate Credential Protection
  • Detection of reuse of corporate credentials on external sites
Threat Emulation
  • Content copied from removable storage devices
  • Lateral movement of data and malware between systems on a network segment

Enforcement Modes
  • Detect and alert
  • Block (background & hold modes)

Analysis Triggers
  • Anti-Ransomware detection on the endpoint
  • Anti-Bot detection on the network or on endpoint
  • Threat Emulation detection on the network
  • Check Point Antivirus detection on the endpoint
  • Third-party Antivirus detection on the endpoint
  • Manual Indicators of Compromise (IoCs)
Damage Detection
  • Automatically identify: Data exfiltration, data manipulation or encryption, key logging
Root Cause Analysis
  • Trace and identify root cause across multiple system restarts in real-time
Malware Flow Analysis
  • Automatically generated interactive graphic model of the attack flow
Malicious Behavior Detection
  • Over 40 malicious behavior categories
  • Hundreds of malicious indicators
Policy Management
  • Endpoint Policy Management (EPM)
Event Monitoring
  • SmartLog
  • SmartEvent
Endpoint Management Version
  • R77.30.03/E80.65 and above
Endpoint Management - Available Packages
  • Included as standard with SmartCenter and Smart-1 appliances
  • Available as a software license

Compare Packages

Packages:
  • Endpoint Complete Protection Suite
  • SandBlast Agent
  • SandBlast Agent for Browsers

Delivered as:
  • Endpoint Agent
  • Browser Extension

Capabilities:
  • Incident analysis & quarantine
  • Forensics report
  • Browser extension
  • Emulation & Extraction
  • Zero Phishing
  • Full Disk Encryption, Media Encryption
  • Firewall & VPN