Static Analysis (NGAV) and Reputation-based Antivirus

Online and offline, these proprietary components boost Check Point Harmony and ZoneAlarm's overall catch rates.

Triple Heuristic Engine

The Static Analysis engine is actually just one part of a triple heuristic system that supports executables, modules and Office documents.
The whole system combines static analysis, a disassembler that looks for behavioural patterns in files, and an emulator that improves detection of packers and other forms of heavily obfuscated malware. Once all relevant features and information have been extracted, Check Point applies gradient-boosted machine learning models, which are known to be more effective than random forest algorithms. The models run locally on the device and do not require an internet connection.

Reputation-based antivirus

Through ThreatCloud, which includes feeds from Check Point telemetry, researchers, third-party intelligence providers and more, and using fuzzy hashes, Check Point and ZoneAlarm can block threats quickly, before other protection methods have been developed. Reputation at Check Point is not based on prevalence (Broadcom Symantec's favourite) but on a feed of files confirmed to be malicious. Also, unlike Symantec, Sophos and many others, which perform cloud lookups on executables only, Check Point performs lookups for all file formats and can detect malicious scripts, archives, Java files and many others, providing much broader coverage.
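As an added illustration (not Check Point's or ZoneAlarm's code, and not their real fuzzy-hash or feed format), the following shows why a confirmed-malicious feed keyed on fuzzy hashes still catches a lightly modified variant that an exact hash misses, and why the same lookup works for a script as readily as for a binary blob. It assumes a simplified ssdeep-style context-triggered piecewise hash and a constructed two-entry feed.

```python
import difflib
import hashlib
import zlib
from typing import Dict, Optional, Tuple

WINDOW = 7   # bytes of local context that decide where a chunk boundary falls
BLOCK = 8    # on average one boundary every BLOCK bytes
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fuzzy_hash(data: bytes) -> str:
    """Simplified context-triggered piecewise hash (ssdeep-like, for illustration).

    Boundaries depend only on the last WINDOW bytes, so an edit disturbs just the
    chunks overlapping it; each chunk becomes one character. Any file type works.
    """
    out, start = [], 0
    for i in range(len(data)):
        if zlib.crc32(data[max(0, i - WINDOW + 1):i + 1]) % BLOCK == BLOCK - 1:
            out.append(ALPHABET[hashlib.sha256(data[start:i + 1]).digest()[0] % 64])
            start = i + 1
    if start < len(data):  # trailing partial chunk
        out.append(ALPHABET[hashlib.sha256(data[start:]).digest()[0] % 64])
    return "".join(out)


def similarity(h1: str, h2: str) -> float:
    """Similarity of two fuzzy hashes in 0.0..1.0 (longest-common-block based)."""
    return difflib.SequenceMatcher(None, h1, h2, autojunk=False).ratio()


def reputation_verdict(data: bytes, feed: Dict[str, str],
                       threshold: float = 0.5) -> Tuple[str, Optional[str], float]:
    """Match a sample against a feed of confirmed-malicious fuzzy hashes.

    Feed membership, not how common the file is, drives the verdict.
    Returns (verdict, best matching feed entry or None, best similarity).
    """
    h = fuzzy_hash(data)
    best_name, best_score = None, 0.0
    for name, known in feed.items():
        score = similarity(h, known)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return "malicious", best_name, best_score
    return "unknown", None, best_score


# Constructed samples (not real malware): a batch-style script and a binary blob.
KNOWN_SCRIPT = b"".join(b"set x%d=%d\r\ncall :step%d\r\n" % (i, i * 7, i) for i in range(30))
KNOWN_BLOB = bytes((i * 37 + 11) % 256 for i in range(600))
FEED = {"confirmed-script": fuzzy_hash(KNOWN_SCRIPT), "confirmed-blob": fuzzy_hash(KNOWN_BLOB)}
# A lightly edited variant: an exact hash misses it, the fuzzy lookup still matches.
VARIANT_SCRIPT = KNOWN_SCRIPT.replace(b"step20", b"stp_20")
BENIGN_TEXT = b"".join(b"line %d: value=%d\n" % (i, i * i) for i in range(30))
```

Calling `reputation_verdict(VARIANT_SCRIPT, FEED)` returns a "malicious" verdict against the script entry, while `BENIGN_TEXT` comes back "unknown".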

One of the most prominent feed providers is Kaspersky. Because that engine was banned on government computers (due to privacy concerns), Check Point only consumes Kaspersky feeds (taking information from Kaspersky without giving Kaspersky any access to your data).

These are not the only protection components.