Preventing the Unknown with Static Analysis

This blog provides insights into zero-day unknown threats – what are they, and why is it a challenge to protect against them. Also, it covers Check Point SandBlast Agent’s approach, describing the broad aspects it covers – from Anti-Malware towards advanced Static Analysis unique methods.

What are zero-day threats?

A zero-day vulnerability is a security flaw in the software known to the software vendor but with no patch in place.

The name “zero-day” was initially referred to the number of days that the vendor has had to fix the vulnerabilities from the time it was discovered. That period is the sweet spot in time for the hackers to introduce zero-day attacks and exploits, releasing them into the wild before vendors can issue protection against them.

Zero-day attacks are very complex to detect as minimum information is available about them, if at all. These types of attacks come for your data from every direction possible, continuously growing in scale and intensity. One tiny loophole and your asset could be compromised.

An evolving challenge of protecting against those threats

A good practice would be to set your software to update automatically and promptly deploy any recommended updates upon release when it comes to preventing zero-day attacks.

But note, having an updated Anti-Malware will not necessarily protect you from a zero-day attack because until the software vulnerability is publicly known. Meaning, the Anti-Malware technology by itself may not have a way to detect what is – “by definition” – an unknown attack. Sandblast Agent’s Anti-Malware is still essential – as soon as the vulnerability is publicly announced, it will quickly update its signatures database and then be effective against the threat.

With that said, it all comes up to the challenge of blocking zero-day malware, which is yet unknown.

That’s where behavioral-based protections come into play. SandBlast Agent’s Behavioral Guard Engine analyzes system processes and their interactions with other types of processes, OS, the file system, and network. It monitors memory access to identify behavioral patterns typically exploited and leverages Check Point ThreatCloud threat intelligence database machine learning analysis, and behavioral analytics to unveil suspicious abnormal behavior. Behavioral Guard can provide adequate protection against zero-day exploits and more by identifying such patterns.

The challenge gets a bit more complicated as the SandBlast Behavioral Guard requires a running process to analyze. The running process, if malicious, can already do its damage before being identified Behavioral Guard.

That’s where the other layer of detecting zero-day threats by SandBlast Agent Static Analysis becomes crucial in preventing the attack before it runs. The solution prevents unknown attacks by pre-execution static analysis of the binary and observing its characteristics. In-depth analysis of the file elements, like sections profile and global entropy, size of code sections and virtual tables, document macros, and assembly level analysis, is used to train Machine Learning and Artificial Intelligence algorithms. The outcome is a model that can identify the vast majority of malicious executables, and before they run.

The last line of defense against zero-day threats is SandBlast Agent’s Threat Emulation Sandbox, and Threat Extraction content disarm & reconstruction (CDR) technologies.

With Threat Emulation sandboxing, objects can be triggered on a segregated sandbox environment to make sure the user machine is not infected and to be able to identify and protect against malicious activity that appears post-execution. The Threat Extraction/CDR solution ensures the content that has the potential to be exploited gets disarmed. Threat Extraction can also convert documents to PDF files, guaranteeing the user would get a safe copy.

Why SandBlast Agent?

Check Point SandBlast Agent’s Static Analysis stands out, acting as an essential and effective vector to fight zero-day threats. Not only it has a high catch rate, but it also allows to prevent the attack before the malicious code is executed, therefore, leaving it no chance to harm your machine.

SandBlast Agent is the only solution to have a straightforward approach to countering unknown threats based on a single logic, taking advantage of several technologies while mitigating their limitations and benefiting from their strengths, determining a malicious code, and preventing it from running.


SandBlast Agent is an essential product to prevent zero-day attacks. It combines multiple technologies under the same unified agent – starting from Anti-Malware that scans for known attacks, behavioral-based protections that analyze a running process, to Threat Emulation sandbox, Threat Extraction/CDR enforced by the unique layer of Static Analysis of binaries pre-execution.

Watch the Product Tour Video to get a first-hand experience of all the features and capabilities of SandBlast Agent