https://community.checkpoint.com/t5/Endpoint/Sandblast-Agent-preventing-applications-from-performing/m-p/19936#M3587 <HTML><HEAD></HEAD><BODY><P>I currently have the <SPAN style="display: inline !important; float: none; background-color: transparent; color: #3d3d3d; font-family: Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; word-wrap: break-word;">Sandblast E80.82 client</SPAN> installed and when the Forensic, Remediation and Anti-Ransomware is deployed users can not open files in&nbsp;<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3d3d3d; font-family: Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; word-wrap: break-word;">QuickBooks </SPAN>2017.&nbsp; When I uninstall the blade QuickBooks works. Apparently disabling the policy does nothing.</P><P></P><P>There are no notifications to the client that Sandblast has performed any action.</P><P>The GUI shows cases that occurred at 5:30 AM under analyzed cases or infections and that workstation was not being used at 5:30 AM, even still the Forensic Analysis reports "<SPAN style="color: #000000; font-family: 'Open Sans', 'Segoe UI', Arial; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">These are potentially malicious files that were not remediated."</SPAN></P><P>The log viewer shows that the same TE Event but the "Remediation Action" is Ignore.</P><P>SmartLog shows the same entry as Detect not Prevent.</P><P>I downloaded a file that I know would trigger a Prevent Action by Forensics Case Analysis and indeed the Action was Prevent and it was logged in SmartLog.</P><P></P><P>I have tried adding the QuickBooks executables as exclusions to the monitoring and exclusions of&nbsp;<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3d3d3d; font-family: Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; word-wrap: break-word;">Forensics</SPAN>, Remediation and Anti-Ransomware and the folders used by QuickBooks as exclusions to Threat Extraction and Emulation.</P><P></P><P>Any suggestions on how to resolve this.</P><P>Regards.</P></BODY></HTML> Sat, 28 Apr 2018 17:06:45 GMT Cliff_Becker 2018-04-28T17:06:45Z https://community.checkpoint.com/t5/Endpoint/Sandblast-Agent-preventing-applications-from-performing/m-p/19936#M3587 <HTML><HEAD></HEAD><BODY><P>I currently have the <SPAN style="display: inline !important; float: none; background-color: transparent; color: #3d3d3d; font-family: Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; word-wrap: break-word;">Sandblast E80.82 client</SPAN> installed and when the Forensic, Remediation and Anti-Ransomware is deployed users can not open files in&nbsp;<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3d3d3d; font-family: Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; word-wrap: break-word;">QuickBooks </SPAN>2017.&nbsp; When I uninstall the blade QuickBooks works. Apparently disabling the policy does nothing.</P><P></P><P>There are no notifications to the client that Sandblast has performed any action.</P><P>The GUI shows cases that occurred at 5:30 AM under analyzed cases or infections and that workstation was not being used at 5:30 AM, even still the Forensic Analysis reports "<SPAN style="color: #000000; font-family: 'Open Sans', 'Segoe UI', Arial; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">These are potentially malicious files that were not remediated."</SPAN></P><P>The log viewer shows that the same TE Event but the "Remediation Action" is Ignore.</P><P>SmartLog shows the same entry as Detect not Prevent.</P><P>I downloaded a file that I know would trigger a Prevent Action by Forensics Case Analysis and indeed the Action was Prevent and it was logged in SmartLog.</P><P></P><P>I have tried adding the QuickBooks executables as exclusions to the monitoring and exclusions of&nbsp;<SPAN style="display: inline !important; float: none; background-color: transparent; color: #3d3d3d; font-family: Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 15px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; word-wrap: break-word;">Forensics</SPAN>, Remediation and Anti-Ransomware and the folders used by QuickBooks as exclusions to Threat Extraction and Emulation.</P><P></P><P>Any suggestions on how to resolve this.</P><P>Regards.</P></BODY></HTML> Sat, 28 Apr 2018 17:06:45 GMT https://community.checkpoint.com/t5/Endpoint/Sandblast-Agent-preventing-applications-from-performing/m-p/19936#M3587 Cliff_Becker 2018-04-28T17:06:45Z https://community.checkpoint.com/t5/Endpoint/Sandblast-Agent-preventing-applications-from-performing/m-p/19937#M3588 <HTML><HEAD></HEAD><BODY><P>Try first to uninstall the SAB and replicate the behaviour. If everything is fine install it again and check if it is blocking. Normally you will see something on the logs.</P><P></P><P>Thanks,</P><P>Charris Lappas&nbsp;</P></BODY></HTML> Thu, 24 May 2018 04:21:24 GMT https://community.checkpoint.com/t5/Endpoint/Sandblast-Agent-preventing-applications-from-performing/m-p/19937#M3588 Charris_Lappas 2018-05-24T04:21:24Z