Check Point Takes Aim at Zero-Days With SandBlast

Check Point's new technology makes use of sandboxing and emulation to help mitigate security risks. It is available both on-premises and as a cloud service.

Check Point

Security vendor Check Point Software Technologies announced its new SandBlast technology on Sept. 2, providing a new approach to detecting and removing malware.

The SandBlast technology makes use of both sandboxing and emulation techniques to help secure enterprises from known and unknown threats. SandBlast is available as both an on-premises and a cloud service, according to Andy Feit, head of threat prevention at Check Point Software.

The threat emulation component of SandBlast uses operating system-level sandboxing as well as CPU-level exploit detection. Going a step further, SandBlast has threat extraction capabilities that provide a safe version of content immediately while the emulation is being completed.

"The CPU-level detection leverages the new debug and profiling hooks introduced with the Intel Haswell chipset," Feit told eWEEK. "While these were originally intended for other purposes, by understanding how return-oriented programming [ROP] exploits work at the instruction set level, we can use this data for malware detection by analyzing the flow control information to identify ROP techniques—among others—when they are being used."

The way that SandBlast works is that it can open up a given piece of content and then reconstruct it, such that no malware will be present. Feit said that the system is quite fast, though content reconstruction does depends on the size and complexity of the original document. In most customer environments, he said, Check Point found that SandBlast introduces no noticeable latency.

"Typical reconstruction times are sub-second, with larger documents being in the single-digit-second range," Feit said. "It's something that most users will not notice for email, or even in most cases for Web downloads as the larger attachments/files are already incurring greater lag."

While the SandBlast technology is powerful, Feit said Check Point does recommend users continue to scan for malware with traditional antivirus (AV) products, as part of a multilayered threat prevention strategy. That said, he noted that organizations will only catch previously known threats based on a signature with a traditional AV product.

"Sandboxing in general catches unknown malware, even true zero-day attacks, or modified variants of existing malware that will not yet have a signature," Feit said. "By delivering a reconstructed version immediately, we can give the user a safe copy to work with while still preventing any malware from ever reaching them."

The initial iteration of SandBlast supports Microsoft Office 2003-2015 (Word, PowerPoint and Excel) and PDFs, with other document formats set to be added over time.

A common attack vector in documents is to embed a Web link that leads to a malicious site. Links can be removed with SandBlast, based on configuration settings, according to Feit. Some customers may wish to leave links active and use other technology to prevent infection, he added. Links may be replaced with a text-only non-hyperlinked version or a placeholder ("unreviewed link removed"), or may be passed through.

Check Point isn't the only vendor making use of sandboxing and emulation techniques to protect organizations. Lastline, for example, has an advanced system that makes use of emulation to detect Windows kernel malware, among other risks. FireEye, meanwhile, makes uses its sandboxing technology to detect zero-day risks as well.

Feit noted that the ability to deploy in block mode as opposed to "detect-only" mode is a key attribute of the SandBlast technology.

"By promptly delivering a clean copy, even if it removes some active content, SandBlast can be deployed in block mode, while still allowing users to get the original once it has been emulated and deemed safe," Feit said.

The new SandBlast technology is all part of a continued expansion at Check Point as the company evolves beyond its firewall roots. Check Point has significantly extended the range of it products in recent years, with software blades that provide advanced threat protection (anti-bot, DDoS prevention, anti-spam, application control and URL filtering, for example), Feit said. Check Point has also introduced a number of products in the area of mobile security, including Capsule.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.