topic Re: Remediation Steps in Portal

Remediation Steps

misj2 — Mon, 14 Oct 2024 08:55:42 GMT

I am new to harmony checkpoint endpoint and would like some guidance as to what the normal process is for companies when we encounter endpoint clients being flagged as malicious activity files quantined by Checkpoint, under cyber security endpoint reporting for malware and antibot as active or blocked ? At the moment our only step is to remove devices off the networks a re-image if they are infected.

Do checkpoint have any remediation tools or techniques to assist with confirming if they are false positives or genuinely infected ?

Re: Remediation Steps

PhoneBoy — Mon, 14 Oct 2024 19:20:15 GMT

It depends on the type/severity of the incident as well as what's normal/expected in your environment.

There are some general hints for dealing with these situations (not specific to Check Point) here: https://community.checkpoint.com/t5/Incident-Response/No-Suits-No-Ties-MDR-and-Incident-Response-Going-Equipped-to/ba-p/226186

Re: Remediation Steps

misj2 — Mon, 14 Oct 2024 21:24:00 GMT

One example of alerts include the following captured by protection : CeptBiro.TC.b726jHEV , a few files were quarantined. How to confirm if its a false positive or genuine malicious activity ?

URL : http://polyfill.io:443

Original Source URL : https://builtwith.com/aquila-capital.de

{"Nombre de protección":"CeptBiro.TC.b726jHEV","Medida adoptada":"Evitado","URL":http://polyfill.io:443,"Nombre del proceso":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","Identificador del proceso":"17248","Nombre del usuario":"PAZR1","Identificador del proceso principal":"0","Fecha y hora de primera infección":"14 de oct. de 2024 14:58","Fecha y hora de última infección":"14 de oct. de 2024 14:58"}

Re: Remediation Steps

PhoneBoy — Tue, 15 Oct 2024 00:22:14 GMT

polyfill.io is a a legitimate issue described here (among other places): https://fossa.com/blog/polyfill-supply-chain-attack-details-fixes/
However, the domain registrar took the site offline a few months ago (DNS doesn't resolve), so I'm not sure how malware was downloaded from that domain.

Best to check this with TAC: https://help.checkpoint.com

Re: Remediation Steps

misj2 — Tue, 15 Oct 2024 13:11:54 GMT

Most likely from from an embedded library or domain ?

Once the files are quarantined is there a way from Infinity portal to re-scan and confirm they are clean before releasing them ?

Re: Remediation Steps

PhoneBoy — Tue, 15 Oct 2024 15:58:06 GMT

You can trigger an Anti-Malware scan via Push Operation.
See: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-Common-for-HEP-HB/Managing_Computers.htm?tocpath=Viewing%20Computer%20Information%7CManaging%20Computers%7C_____2#Push_Operations_..37