Check Point’s SandBlast Agent monitors the computer for malicious activity and behaviour, including bulk file encryption, amongst other things. To make things as hard as possible for SandBlast Agent, I downloaded the sample and then disconnected my virtual PC from the Internet. This meant there was no possibility of “cheating” by recognising the malware’s fingerprint (file hash).
So, assuming I was a user who had received a file – maybe from a friend who had also been compromised, or through a phishing email – I thought: “Let’s run the file; what’s the worst that can happen?”
As you can see, in just a few seconds something starts to take over the computer: my data files start disappearing, and new files with strange names replace them.
At this point, SandBlast Agent comes to the rescue: it detects this malicious activity, terminates the malicious process, preventing it from carrying out any further harm, and finds all the files that have been deleted.
Now for the cool bit – SandBlast Agent was monitoring my computer for changes to my files, so for each file that it found being encrypted, a copy goes to a special folder which only Check Point can access, and it gives me back the copy of the file it had backed up!
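To make that behaviour concrete, here is an added illustration of the idea (my own sketch for this post, not Check Point’s code, and not how SandBlast Agent is actually implemented): a file-change monitor that copies each file aside before it is overwritten, flags a burst of files being replaced under new names by high-entropy data, and restores the originals. The thresholds, the in-memory “file system”, the file names and the `demo()` scenario are all constructed for the example.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or compressed data sits near 8.0
BURST_THRESHOLD = 3      # distinct files replaced this way inside one window
WINDOW_SECONDS = 5.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random bytes score close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class FileGuard:
    """Copies each user file aside before it is overwritten and flags bulk encryption."""
    def __init__(self):
        self.files = {}     # stand-in for the live file system: path -> bytes
        self.backups = {}   # protected copies (the 'special folder'): path -> bytes
        self.replaced = {}  # new name -> original name, for cleanup on restore
        self.recent = []    # (timestamp, original path) of suspicious writes
        self.blocked = False

    def on_write(self, ts, old_path, new_path, data):
        """One observed replace/rename; returns True once the writer should be stopped."""
        if self.blocked:
            return True
        if old_path in self.files and old_path not in self.backups:
            self.backups[old_path] = self.files[old_path]  # copy taken before content is lost
        self.files.pop(old_path, None)
        self.files[new_path] = data
        # Heuristic: a file vanishes and a high-entropy blob with a new name takes its place.
        if new_path != old_path and shannon_entropy(data) > ENTROPY_THRESHOLD:
            self.replaced[new_path] = old_path
            self.recent = [e for e in self.recent if ts - e[0] <= WINDOW_SECONDS] + [(ts, old_path)]
            self.blocked = len({p for _, p in self.recent}) >= BURST_THRESHOLD
        return self.blocked

    def restore(self):
        for new_path in self.replaced:  # drop the encrypted replacements
            self.files.pop(new_path, None)
        self.files.update(self.backups)  # put every backed-up original back
        return sorted(self.backups)

def demo():
    g = FileGuard()
    for name in ("budget.xlsx", "notes.txt", "photo.jpg"):
        g.files[name] = (b"plain user data for " + name.encode()) * 50
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # ciphertext stand-in
    verdicts = [g.on_write(t, n, n + ".locked", blob) for t, n in zip((0.0, 0.4, 0.9), list(g.files))]
    return verdicts, g.restore()
```

A single high-entropy save (one zip or image) stays below the burst threshold, so `on_write` only reports a block once several files are replaced this way within the window.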
For the more technical out there, there’s a forensics report that shows what the malicious file did, so you can make improvements to your security within your organisation. But that’s for those who are interested; the user can just relax, knowing they are safe and their data is intact.
Tom Kendrick is a European threat prevention security engineer at Check Point Technologies.