Security Checkup Harmony Endpoint Yearly 2023 Final


HARMONY ENDPOINT

THREAT ANALYSIS REPORT

Date: Dec 30, 2023
Customer: infraestructura
Prepared by: Harmony Endpoint - Check Point Technologies

Customer: infraestructura
Analysis Duration: 2023
Connection Token: Surtid-c3e00d8a-hap1
Account Id: d4d41b93-c478-4fca-b71d-9463a5181e5c
Region: United States
Harmony Endpoint Version: R81.20

HARMONY ENDPOINT. Classification: [Restricted] ONLY for designated groups and individuals. Check Point Software Technologies Ltd. © All rights reserved.
TABLE OF CONTENTS

EXECUTIVE SUMMARY
KEY FINDINGS
    MALWARE ATTACKS
    HIGH RISK WEB ACCESS
    COMPROMISED CREDENTIALS
HARMONY ENDPOINT
    HARMONY ENDPOINT PROTECTION
    ABOUT CHECK POINT

EXECUTIVE SUMMARY

This report presents the security assessment of your organization by Harmony Endpoint and the vulnerabilities detected. It provides a summary of exposure to ransomware, phishing, zero-day malware, C&C communication, data leakage, and other threats.

Malware and Attacks

9.1K   Attacks were prevented
366    Hosts encountered malicious files
14     Hosts encountered a ransomware attack
0      Hosts encountered an exploit attack
3.9K   Attacks were detected

Zero-day downloads present a unique count of old or new malware variants with an unknown anti-virus signature. Check Point's Anti-Ransomware includes active threat prevention that detects and quarantines ransomware attacks, and of course the ability to restore your files from routine backups.

Compromised Credentials

0      Credential leak events were encountered
234    Phishing attacks were encountered

Re-using corporate passwords on unauthorized or non-corporate sites puts organizations at risk. Access to corporate services is secure when employees are blocked from re-using their corporate credentials on non-corporate websites. Check Point's Zero-Phishing technology identifies and blocks both known and unknown phishing sites. Sites are inspected within the user's browser by analyzing multiple page elements.

High Risk Web Access

2.1K   High risk website access incidents
391    Incidents of access to websites marked as non-compliant by the policy

High risk websites include categories such as Phishing, Botnets, Spyware and so on. Access to these websites is blocked by the pre-defined policy to prevent risk to the organization. URL Filtering controls access to millions of websites by category, users, groups and machines to ensure your corporate policy is enforced.

KEY FINDINGS - MALWARE ATTACKS

Top Protections

Protection Type         Blade               Severity   Logs
Behavioral Guard        Forensics           High       381
Behavioral Guard        Forensics           Medium     12
CMI Reputation          Forensics           Critical   845
CMI Reputation          Anti-Bot            High       713
Content Removal         Threat Extraction   High       4.2K
Content Removal         Threat Extraction   Critical   953
File Monitor            Forensics           High       65
File Monitor            Forensics           Medium     42
File Monitor            Forensics           Critical   32
File Reputation         Forensics           High       577
File Reputation         Forensics           Critical   120
File System Emulation   Forensics           High       71
File System Emulation   Threat Emulation    Critical   2
HTTP Emulation          Threat Emulation    Critical   22
HTTP Emulation          Forensics           High       21
HTTP Emulation          Threat Emulation    Medium     1
Offline Reputation      Forensics           High       591
Offline Reputation      Forensics           Critical   17
Phishing                Zero Phishing       Medium     2.6K
Phishing                Zero Phishing       High       184
Phishing Prevention     Zero Phishing       High       50

Top Malware Activities

Malware Action                                                                                                                   Blade               Logs
Verified                                                                                                                         Threat Extraction   49.3K
Not Supported                                                                                                                    Threat Extraction   28.0K
Extracted                                                                                                                        Threat Extraction   18.9K
Malicious network activity                                                                                                       Anti-Bot            1.7K
Oversized                                                                                                                        Threat Extraction   1.5K
Corrupted File                                                                                                                   Threat Extraction   450
Access to site known to contain malware                                                                                          Anti-Bot            344
Trojan                                                                                                                           Threat Emulation    28
Site (http://10.0.3.105/kioscosurtidora/content/default.aspx) is unsecured and has indication for credit card / password usage   Zero Phishing       19
behavioral                                                                                                                       Forensics           18
VNCInstaller, behavior                                                                                                           Threat Emulation    16
ransomware                                                                                                                       Forensics           14
Communication with C&C                                                                                                           Anti-Bot            9
Site (http://10.0.1.110:8090/sku) is unsecured and has indication for credit card / password usage                               Zero Phishing       8
Trojan, behavior                                                                                                                 Threat Emulation    8
trojan                                                                                                                           Forensics           8

Showing only events with severity: Critical, High and Medium

KEY FINDINGS - HOSTS

Top Hosts by No. of Incidents (bar chart, stacked by severity: Critical, High, Medium, Low, Informational; x-axis 0 to 65 incidents). Hosts shown, in chart order: 10.0.3.77, 10.0.7.98, 10.0.7.107, 10.0.1.76, 10.0.7.36, 10.0.3.39, 10.0.3.95, 10.0.5.210, 10.0.7.80, 10.0.5.185.

Top Hosts by Severity

Source       Severity   Blade               Protection Name                         Protection Type         Action
10.0.1.138   Critical   Threat Extraction   Extract potentially malicious content   Content Removal         Extract
                        Forensics           Gen.ML.SA                               Static File Analysis
                        Threat Emulation    Gen.SB.pdf                              File System Emulation   Prevent
                        Zero Phishing       gen.ba.phishing                         Phishing                Detect
                        URL Filtering       gen.urlf                                URL Filtering
10.0.3.68    Critical   Threat Extraction   Extract potentially malicious content   Content Removal         Extract
                        URL Filtering       gen.urlf                                URL Filtering           Prevent
                        Zero Phishing       gen.ba.phishing                         Phishing                Detect
10.0.9.140   Critical   Threat Extraction   Extract potentially malicious content   Content Removal         Extract
                        URL Filtering       gen.urlf                                URL Filtering           Prevent

(Action cells left blank where the source layout did not carry one.)

KEY FINDINGS - MALWARE

Top Actions by Malware (bar chart, x-axis 0 to 45K logs; the same figures are tabulated below). Bars, in chart order: Verified, Not Supported, Extracted, Malicious network activity, Oversized, Corrupted File, Access to site known to contain malware, Trojan, Site (http://10.0.3.105/kioscosurtidora/content/default.aspx) is unsecured and has indication for credit card / password usage, behavioral.

Top Actions by Malware

Malware Action                                                                                                                   Protection Type         Sources       Logs
Verified                                                                                                                         Content Removal         865 Sources   49.3K
Not Supported                                                                                                                    Content Removal         701 Sources   28.0K
Extracted                                                                                                                        Content Removal         620 Sources   18.9K
Malicious network activity                                                                                                       CMI Reputation          16 Sources    1.7K
Oversized                                                                                                                        Content Removal         226 Sources   1.5K
Corrupted File                                                                                                                   Content Removal         94 Sources    450
Access to site known to contain malware                                                                                          URL Reputation          14 Sources    344
Trojan                                                                                                                           File System Emulation   8 Sources     28
Site (http://10.0.3.105/kioscosurtidora/content/default.aspx) is unsecured and has indication for credit card / password usage   Phishing Prevention     7 Sources     19

KEY FINDINGS - MALICIOUS ACTIVITY

Top Malware Activity and Sources by Severity

Malware Action / Source        Severity   Action             Logs

Extracted
    10.0.7.72                  Critical   Extract            177
    10.0.1.60                  Critical   Extract            146
    10.0.7.80                  Critical   Extract            139
    10.0.8.63                  Critical   Extract            137
    10.0.7.48                  Critical   Extract            119
    Total: 1 Source            Critical   1 Action           5.2K

Malicious network activity
    10.0.6.68                  Critical   Prevent / Detect   347
    10.0.15.64                 Critical   Prevent            288
    10.0.4.144                 Critical   Prevent            268
    10.0.10.190                Critical   Prevent            237
    10.0.10.170                Critical   Prevent            220
    Total: 1 Source            Critical   2 Actions          1.6K

Access to site known to contain malware
    10.0.3.46                  Critical   Detect / Prevent   124
    10.0.7.36                  Critical   Detect / Prevent   65
    10.0.7.98                  Critical   Detect / Prevent   54
    10.0.3.39                  Critical   Detect / Prevent   22
    10.0.3.69                  Critical   Prevent            7
    Total: 1 Source            Critical   2 Actions          344

Top Malware Activity and Sources by Severity (continued)

Malware Action / Source        Severity   Action     Logs

Site (http://10.0.3.105/kioscosurtidora/content/default.aspx) is unsecured and has indication for credit card / password usage
    10.0.3.46                  High       Detect     4
    10.0.3.63                  High       Detect     4
    10.0.3.39                  High       Detect     4
    10.0.3.133                 High       Detect     3
    10.0.7.36                  High       Detect     2
    Total: 1 Source            High       1 Action   19

ransomware
    169.254.52.128             Medium     Prevent    2
    10.0.5.131                 Medium     Prevent    1
    10.0.3.94                  Medium     Prevent    1
    10.0.19.64                 Medium     Prevent    1
    10.0.19.63                 Medium     Prevent    1
    Total: 1 Source            Medium     1 Action   14

Trojan
    10.0.1.138                 Critical   Prevent    2
    10.0.5.238                 High       Prevent    3
    10.0.7.142                 High       Prevent    2
    10.0.7.62                  High       Prevent    2
    10.0.3.151                 High       Detect     2
    Total: 1 Source            Critical   1 Action   13

Corrupted File
    10.0.7.143                 High       Extract    6
    10.0.1.138                 High       Extract    2
    10.0.3.21                  High       Extract    1
    Total: 1 Source            High       1 Action   9

VNCInstaller, behavior
    10.0.50.7                  High       Prevent    7
    10.0.4.92                  High       Prevent    1
    Total: 1 Source            High       1 Action   8

Top Malware Activity and Sources by Severity (continued)

Malware Action / Source        Severity   Action     Logs

Site (http://10.0.1.110:8090/sku) is unsecured and has indication for credit card / password usage
    10.0.3.39                  High       Detect     6
    10.0.7.136                 High       Detect     1
    10.0.3.46                  High       Detect     1
    Total: 1 Source            High       1 Action   8

trojan
    10.0.3.137                 Medium     Prevent    3
    10.0.7.53                  Medium     Prevent    3
    10.0.18.110                Medium     Prevent    1
    10.0.3.122                 Medium     Prevent    1
    Total: 1 Source            Medium     1 Action   8

Communication with C&C
    10.0.7.98                  Critical   Prevent    3
    10.0.3.39                  Critical   Prevent    2
    10.0.5.139                 Critical   Prevent    2
    Total: 1 Source            Critical   1 Action   7

Site (http://10.0.1.110:8090/) is unsecured and has indication for credit card / password usage
    10.0.3.39                  High       Detect     4
    10.0.3.133                 High       Detect     1
    10.0.3.69                  High       Detect     1
    10.0.3.46                  High       Detect     1
    Total: 1 Source            High       1 Action   7

behavioral
    10.0.6.27                  Medium     Prevent    2
    10.0.5.160                 Medium     Prevent    2
    10.0.3.136                 Medium     Prevent    2
    Total: 1 Source            Medium     1 Action   6

Site (http://10.0.1.110:8090/forbidden) is unsecured and has indication for credit card / password usage
    10.0.3.81                  High       Detect     2
    10.0.7.89                  High       Detect     1
    10.0.3.39                  High       Detect     1
    192.168.1.80               High       Detect     1
    Total: 1 Source            High       1 Action   5

behavior
    10.0.3.23                  High       Prevent    2
    10.0.7.25                  High       Prevent    2
    Total: 1 Source            High       1 Action   4

Trojan, behavior
    10.0.50.1                  High       Prevent    2
    10.0.3.144                 High       Prevent    2
    Total: 1 Source            High       1 Action   4

Site (http://10.0.1.104:8087/) is unsecured and has indication for credit card / password usage
    10.0.7.36                  High       Detect     1
    10.0.7.98                  High       Detect     1
    10.0.3.63                  High       Detect     1
    Total: 1 Source            High       1 Action   3

Site (http://10.0.3.221/glpi/index.php?noauto=1) is unsecured and has indication for credit card / password usage
    10.0.3.125                 High       Detect     2
    Total: 1 Source            High       1 Action   2

Site (http://10.0.1.110:8090/productos) is unsecured and has indication for credit card / password usage
    10.10.2.111                High       Detect     1
    10.0.3.81                  High       Detect     1
    Total: 1 Source            High       1 Action   2

Site (http://10.0.1.104:8086/login/userlogin/?returnurl=%2fuser%2fuserhome) is unsecured and has indication for credit card / password usage
    10.0.3.125                 High       Detect     1
    Total: 1 Source            High       1 Action   1

Site (http://10.0.1.110:8090/prodatributos) is unsecured and has indication for credit card / password usage
    10.0.3.81                  High       Detect     1
    Total: 1 Source            High       1 Action   1

Site (http://10.0.3.221/glpi/front/authldap.form.php?id=4) is unsecured and has indication for credit card / password usage
    10.0.3.125                 High       Detect     1
    Total: 1 Source            High       1 Action   1

Top Malware Activity and Sources by Severity (continued)

Malware Action / Source        Severity   Action     Logs

Bot, EtterSilent, GenDrop, MalChildren, Trojan, behavior
    10.0.7.27                  High       Prevent    1
    Total: 1 Source            High       1 Action   1

Site (http://10.0.3.105/tya_surtidora89/content/aes.ta.us.web.acceso/login.aspx) is unsecured and has indication for credit card / password usage
    10.0.3.63                  High       Detect     1
    Total: 1 Source            High       1 Action   1

behavior, softonic
    10.0.3.98                  High       Prevent    1
    Total: 1 Source            High       1 Action   1

KEY FINDINGS - HIGH RISK WEB ACCESS

ACCESS TO HIGH RISK WEB SITES

Web use is ubiquitous in business today. But the constantly evolving nature of the web makes it extremely difficult to protect and enforce standards for web usage in a corporate environment. To make matters more complicated, web traffic has evolved to include not only URL traffic, but embedded URLs and applications as well. Identification of risky sites is more critical than ever. Access to the following risky sites was detected in your network, organized by category, number of users, and number of hits.

Top high risk web sites (Top phishing attempts)

Resource                                                                         Time                       Source
http://10.0.1.110:8090/                                                          Dec 7, 2023 6:35:57 PM     10.0.3.69
http://10.0.1.110:8090/                                                          Dec 5, 2023 10:23:57 PM    10.0.3.133
http://10.0.1.110:8090/                                                          Nov 28, 2023 3:35:29 PM    10.0.3.39
https://www.actasenlace.com/acta-matrimonio/jalisco.php/?page=registro-usuario   Nov 27, 2023 4:05:41 PM    10.0.4.57
http://10.0.1.110:8090/prodatributos                                             Nov 23, 2023 10:44:45 PM   10.0.3.81
http://10.0.1.110:8090/forbidden                                                 Nov 23, 2023 5:48:04 PM    10.0.3.81
http://valledellago.mx/calendario/?nts-panel=anon%2flogin                        Nov 21, 2023 1:04:18 AM    192.168.1.88

Access to non-business websites or to sites containing questionable content can expose an organization to possible productivity loss, compliance and business continuity risks.

Access to Questionable Sites

Category                                                      Hits
Gambling                                                      137
Media Streams, Illegal / Questionable                         88
Media Streams, Illegal / Questionable, Computers / Internet   25

Users With Credential Leak Events

No data found.
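Most of the Zero Phishing rows in the malicious-activity tables and in the phishing-attempts list above carry the same verdict: "Site (<url>) is unsecured and has indication for credit card / password usage", i.e. an internal application served over plain HTTP that asks for a password or a card number. The following is an added example, not Check Point's implementation, of the same decision applied to captured page bodies, plus the per-site roll-up (distinct sources and log count) the report's tables use. The card-field heuristics, the function names and the sample HTML are assumptions made for the example; the page bodies are constructed and are not what the hosts in the report actually serve.

```python
"""Flag plaintext-HTTP pages that collect passwords or payment-card numbers.

Reproduces, on captured page bodies, the condition behind the report's
"Site (<url>) is unsecured and has indication for credit card / password
usage" rows: the page was loaded over http:// (no TLS) AND a form on it
asks for a password or a card number. Added example, not Check Point's
code; heuristics and sample data are assumptions for the example.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Fragments of input name/id values that mark a card-number field (heuristic
# chosen for this example; compared after stripping punctuation, so
# "card_number" and "card-number" both match).
CARD_HINTS = ("cardnumber", "ccnumber", "ccnum", "creditcard")
AUTOCOMPLETE_CARD = ("cc-number", "cc-csc", "cc-exp")


@dataclass
class FormFields:
    password: int = 0
    card: int = 0


class _FormScanner(HTMLParser):
    """Counts password and card-number <input> elements in a page."""

    def __init__(self):
        super().__init__()
        self.fields = FormFields()

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.fields.password += 1
            return
        hint = re.sub(r"[^a-z0-9]", "", a.get("name", "") + a.get("id", ""))
        if a.get("autocomplete") in AUTOCOMPLETE_CARD or any(h in hint for h in CARD_HINTS):
            self.fields.card += 1


def classify_page(url: str, html: str) -> dict:
    """Zero-Phishing-style verdict for one captured page load."""
    scanner = _FormScanner()
    scanner.feed(html)
    f = scanner.fields
    # Only the scheme the page itself was fetched over matters: a form whose
    # action points at https:// is still flagged, because the form arrived
    # unauthenticated and could have been rewritten in transit.
    insecure = urlsplit(url).scheme.lower() == "http"
    return {
        "url": url,
        "insecure_transport": insecure,
        "password_fields": f.password,
        "card_fields": f.card,
        "flagged": insecure and (f.password > 0 or f.card > 0),
    }


def summarize(events):
    """Roll flagged page loads up per site, the way the report's 'Top Malware
    Activity and Sources' table does: distinct source endpoints and log count."""
    per_site = {}
    for source_ip, url, html in events:
        if not classify_page(url, html)["flagged"]:
            continue
        entry = per_site.setdefault(url, {"sources": set(), "logs": 0})
        entry["sources"].add(source_ip)
        entry["logs"] += 1
    rows = [{"site": u, "sources": len(e["sources"]), "logs": e["logs"]}
            for u, e in per_site.items()]
    return sorted(rows, key=lambda r: (-r["logs"], r["site"]))


# Constructed sample pages: invented for this example, not what the report's
# internal hosts serve.
LOGIN_FORM = ('<html><body><form action="/login" method="post">'
              '<input name="user"><input type="password" name="pwd">'
              '<button>Entrar</button></form></body></html>')
CARD_FORM = ('<form method="post"><input name="card_number" autocomplete="cc-number">'
             '<input name="exp" autocomplete="cc-exp"></form>')
CATALOG = "<html><body><h1>Catalogo</h1><input name='q' type='search'></body></html>"

SAMPLE_EVENTS = [  # (source endpoint, page URL, captured body)
    ("10.0.3.39", "http://10.0.1.110:8090/sku", LOGIN_FORM),
    ("10.0.3.39", "http://10.0.1.110:8090/sku", LOGIN_FORM),
    ("10.0.7.136", "http://10.0.1.110:8090/sku", LOGIN_FORM),
    ("10.0.3.81", "http://10.0.1.110:8090/productos", CARD_FORM),
    ("10.0.4.57", "https://intranet.example/login", LOGIN_FORM),  # TLS: not flagged
    ("10.0.3.46", "http://10.0.1.110:8090/", CATALOG),           # no credential fields
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(f"{row['site']:40} {row['sources']} sources  {row['logs']} logs")
```

The fix on the application side is the same for every row in the tables: serve the login and checkout pages over HTTPS (or redirect http:// to https:// before the form is rendered). Until that is done the detections will recur for every user who opens the page, which is why the same handful of internal URLs dominate the Zero Phishing counts.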

HARMONY ENDPOINT

All The Endpoint Protection You Need

Harmony Endpoint is a complete endpoint security solution built to protect the remote workforce from today's complex threat landscape. It prevents the most imminent threats to the endpoint, such as ransomware, phishing, or drive-by malware, while quickly minimizing breach impact with autonomous detection and response. This way, your organization gets all the endpoint protection it needs, at the quality it deserves, in a single, efficient, and cost-effective solution.

Why Harmony Endpoint?

Today more than ever, endpoint security plays a critical role in enabling your remote workforce. With 70% of cyber attacks coming through an endpoint, complete endpoint protection at the highest security level is crucial to avoid security breaches and data compromise.

Harmony Endpoint is part of the Check Point Harmony product suite, the industry's first unified security solution for users, devices, and access. Harmony consolidates six products to provide uncompromised security and simplicity for everyone. It protects devices and internet connections from the most sophisticated attacks while ensuring Zero-Trust Access to corporate applications, all in a single solution that is easy to use, manage and buy.

How does it work?

Block malware coming from web browsing or email attachments before it reaches the endpoint, without impacting user productivity. Every file received via email or downloaded by a user through a web browser is sent to the Threat Emulation sandbox to inspect for malware. Files can also be sanitized using a Threat Extraction process (Content Disarm and Reconstruction technology) to deliver safe and cleaned content in milliseconds.

Gain runtime protection against ransomware, malware, and file-less attacks, with instant and full remediation, even in offline mode. Once an anomaly or malicious behavior is detected, Endpoint Behavioral Guard blocks and remediates the full attack chain without leaving malicious traces. Anti-Ransomware identifies ransomware behaviors such as encrypting files or attempts to compromise OS backups, and safely restores ransomware-encrypted files automatically. Harmony Endpoint uses a unique vaulted space locally on the machine that is only accessible to Check Point signed processes, so if the malware attempts to perform a shadow copy deletion, the machine will not lose data.

Phishing Protection: prevent credential theft with Zero-Phishing® technology that identifies and blocks the use of phishing sites. Sites are inspected and, if found malicious, the user is blocked from entering credentials. Zero-Phishing® even protects against previously unknown phishing sites and corporate credential re-use.

Harmony Endpoint is a Worldwide Major Player

Check Point Harmony Endpoint has been recognized as a major player by IDC MarketScape for its unique strengths, including:

Distinctive sandboxing and Content Disarm and Reconstruction (CDR) capabilities which allow advanced malware protection without reducing user productivity.

Runtime protection and complete remediation from attacks, with the instant and automated restoration of ransomware-encrypted files, even in offline mode.

Robust sales channel strategy and continuous investment in both innovative and core security technologies which make its endpoint security solution compelling for the enterprise, the SMB market, and even consumers.

Unified security solution with cloud-based management which reduces vendor relationships and overhead in security operations, and improves security readiness.

We were also recognized as a major player in another IDC MarketScape report for endpoint security for small and midsize businesses.
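The Anti-Ransomware behaviour described above, watching for attempts to compromise OS backups such as shadow copy deletion, is also the kind of signal a SOC can check for independently in its own telemetry, for example to confirm the 14 ransomware-prevention events in this report on the EDR side. The following is an added example, not Check Point's code: a detection over process-creation events exported as JSON lines (Sysmon Event ID 1 or Windows Security 4688). The field names UtcTime, Computer, User, ParentImage, Image and CommandLine are assumed for the export format, the command-line patterns map to MITRE ATT&CK T1490 (Inhibit System Recovery), and the sample events are constructed, not telemetry from the assessed network.

```python
"""Detect attempts to destroy Windows recovery data in process-creation logs.

Added example, not Check Point's code. Field names (UtcTime, Computer, User,
ParentImage, Image, CommandLine) are assumed for the JSON-lines export;
the sample events below are constructed. Patterns map to ATT&CK T1490.
"""
import json
import re

# Each rule matches a normalised (lower-case, single-spaced) command line.
RECOVERY_TAMPER_RULES = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b"),
    "vssadmin resize shadowstorage": re.compile(r"\bvssadmin\b.*\bresize\b.*\bshadowstorage\b"),
    "wmic shadowcopy delete": re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b"),
    "wbadmin delete catalog": re.compile(r"\bwbadmin\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b"),
    "bcdedit disable recovery": re.compile(
        r"\bbcdedit\b.*(recoveryenabled no|bootstatuspolicy ignoreallfailures)"),
    "win32_shadowcopy delete": re.compile(r"win32_shadowcopy\b.*\.delete\(\)"),
}

# Parent images in user-writable paths are a triage signal: backup agents and
# admins run these tools from system paths or a shell; ransomware usually runs
# them from wherever its dropper landed. Legitimate backup software also
# deletes shadows, so tune an allowlist of parent images per environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def normalise(command_line: str) -> str:
    return re.sub(r"\s+", " ", command_line).strip().lower()


def match_rules(command_line: str) -> list:
    """Names of every T1490 rule the command line triggers (empty if benign)."""
    cmd = normalise(command_line)
    return [name for name, rx in RECOVERY_TAMPER_RULES.items() if rx.search(cmd)]


def parent_is_user_writable(parent_image: str) -> bool:
    return any(p in (parent_image or "").lower() for p in USER_WRITABLE)


def detect(jsonl: str) -> list:
    """Scan JSON-lines process-creation events; one finding per matching event."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = match_rules(ev.get("CommandLine", ""))
        if not hits:
            continue
        findings.append({
            "time": ev.get("UtcTime"),
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "parent": ev.get("ParentImage"),
            "parent_user_writable": parent_is_user_writable(ev.get("ParentImage")),
            "rules": hits,
            "technique": "T1490",
            "command": ev["CommandLine"],
        })
    return findings


# Constructed sample events (not real telemetry from the assessed network).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2023-11-23 17:48:10", "Computer": "WS-0131", "User": "CORP\\user1",
     "ParentImage": "C:\\Users\\user1\\AppData\\Local\\Temp\\factura.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"UtcTime": "2023-11-23 17:48:11", "Computer": "WS-0131", "User": "CORP\\user1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"UtcTime": "2023-11-23 17:48:12", "Computer": "WS-0131", "User": "CORP\\user1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"UtcTime": "2023-11-24 09:02:44", "Computer": "WS-0094", "User": "CORP\\user2",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -NoP -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""},
    {"UtcTime": "2023-11-24 09:10:00", "Computer": "WS-0094", "User": "CORP\\admin",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # benign: enumerates, does not delete
    {"UtcTime": "2023-11-24 09:10:05", "Computer": "WS-0094", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},  # benign
])

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        flag = " [parent in user-writable path]" if f["parent_user_writable"] else ""
        print(f"{f['time']} {f['host']} {f['rules']}{flag}: {f['command']}")
```

The first three sample events reproduce the sequence a ransomware dropper typically runs moments before encryption starts; the vaulted-copy protection described above is what keeps the files recoverable when that sequence gets through, and a detection like this is what lets the SOC confirm, from its own logs, that the endpoint agent's "Prevent" verdict was the right one.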

HARMONY ENDPOINT

FASTEST RECOVERY

Automated attack containment and remediation: the only Endpoint Protection solution that automatically and completely remediates the entire cyber kill chain. Once an attack has been detected, the infected device can be automatically quarantined to prevent lateral infection movement and restored to a safe state.

Auto-generated forensic reports: providing detailed visibility into infected assets, attack flow, and correlation with the MITRE ATT&CK™ Framework. The Forensics capability automatically monitors and records endpoint events, including affected files, processes launched, system registry changes, and network activity, and creates a detailed forensic report. Robust attack diagnostics and visibility support remediation efforts, allowing system administrators and incident response teams to effectively triage and resolve attacks.

Threat Hunting powered by enterprise-wide visibility and augmented by globally shared threat intelligence from hundreds of millions of sensors, collected by ThreatCloud™. With the Threat Hunting capability, you can set queries or use predefined ones to identify and drill down into suspicious incidents, and take manual remediation actions.

CONSOLIDATED SECURITY MANAGEMENT

Managing the entire security network is often complicated and demands a high level of human expertise. Check Point Infinity, powered by the R80.x security management version, brings all security protections and functions under one umbrella, with a single console that enables easier operation and more efficient management of the entire security network. The single console introduces unparalleled granular control and consistent security and provides rich policy management which enables delegation of policies within the enterprise. The unified management, based on modular policy management and rich integrations with 3rd party solutions through flexible APIs, enables automation of routine tasks to increase operational efficiencies, freeing up security teams to focus on strategic security rather than repetitive tasks.

CHECK POINT INFINITY

Built on Check Point Infinity, the first consolidated security architecture designed to resolve the complexities of growing connectivity and inadequate security, delivering full protection and threat intelligence across networks, clouds, endpoints, mobile devices, and IoT. Future-proof your business and ensure business continuity with the architecture that keeps you protected against any threat, anytime and anywhere.

KEY PRODUCT BENEFITS

Complete endpoint protection: prevent the most imminent threats to the endpoint.

Fastest recovery: automating 90% of attack detection, investigation, and remediation tasks.

Best TCO: all the endpoint protection you need in a single, efficient, and cost-effective solution.

UNIQUE PRODUCT CAPABILITIES

Advanced behavioral analysis and machine learning algorithms shut down malware before it inflicts damage.

High catch rates and low false positives ensure security efficacy and effective prevention.

Automated forensics data analysis offers detailed insights into threats.

Full attack containment and remediation to quickly restore any infected systems.

HARMONY ENDPOINT

About Check Point

Check Point Software Technologies' mission is to secure the Internet. Check Point was founded in 1993, and has since developed technologies to secure communications and transactions over the Internet by enterprises and consumers.

Check Point was an industry pioneer with our FireWall-1 and our patented Stateful Inspection technology. Check Point has extended its IT security innovation with the development of our Software Blade architecture. The dynamic Software Blade architecture delivers secure, flexible and simple solutions that can be customized to meet the security needs of any organization or environment.

Check Point develops, markets and supports a wide range of software, as well as combined hardware and software products and services for IT security. We offer our customers an extensive portfolio of network and gateway security solutions, data and endpoint security solutions and management solutions. Our solutions operate under a unified security architecture that enables end-to-end security with a single line of unified security gateways, and allow a single agent for all endpoint security that can be managed from a single unified management console. This unified management allows for ease of deployment and centralized control and is supported by, and reinforced with, real-time security updates.

Our products and services are sold to enterprises, service providers, small and medium sized businesses and consumers. Our Open Platform for Security (OPSEC) framework allows customers to extend the capabilities of our products and services with third-party hardware and security software applications. Our products are sold, integrated and serviced by a network of partners worldwide. Check Point customers include tens of thousands of businesses and organizations of all sizes including all Fortune 100 companies. Check Point's award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.

www.checkpoint.com

CORPORATE HEADQUARTERS

United States
Check Point Software Technologies Inc.
959 Skyway Road, Suite 300
San Carlos, CA 94070
1-800-429-4391

International
Check Point Software Technologies Ltd.
5 Ha'Solelim Street
Tel Aviv 67897, Israel
+972-3-753-4555

Please contact us for more information and to schedule your onsite assessment:
Within the US: 866-488-6691
Outside the US: +44 2036087492
