https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5252#M3667 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>i am using Total endpoint Security and it shows me the tampering event. What does this means? is it my PC is not secure or its something else....<IMG class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/57937_0-02-06-d7ec10927b2f54bc243161d6f0c2870a10b0a81335df182487121c0bde473a6b_full.jpg" style="width: 620px; height: 297px;" />me t</P></BODY></HTML> Mon, 14 Aug 2017 10:52:02 GMT Sagar_Manandhar 2017-08-14T10:52:02Z https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5252#M3667 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>i am using Total endpoint Security and it shows me the tampering event. What does this means? is it my PC is not secure or its something else....<IMG class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/57937_0-02-06-d7ec10927b2f54bc243161d6f0c2870a10b0a81335df182487121c0bde473a6b_full.jpg" style="width: 620px; height: 297px;" />me t</P></BODY></HTML> Mon, 14 Aug 2017 10:52:02 GMT https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5252#M3667 Sagar_Manandhar 2017-08-14T10:52:02Z https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5253#M3668 <HTML><HEAD></HEAD><BODY><P>One of the ways SandBlast Agent monitors for suspicious activity is to track files that were modified (or deleted) by a process that is unusual or unexpected--files that might be tampered with.</P><P>On it's own, it's not necessarily an indicator of compromise.</P><P>If there are other indicators, compromise is far more likely.</P></BODY></HTML> Mon, 14 Aug 2017 16:44:44 GMT https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5253#M3668 PhoneBoy 2017-08-14T16:44:44Z https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5254#M3669 <HTML><HEAD></HEAD><BODY><P>sir, i cannot find any update regarding the tampering event in my endpoint server . Does these event occur in sandblast is update to server or not. Can i get the report of such event from the endpoint management server and how.&nbsp;</P><P>Thank you</P></BODY></HTML> Thu, 17 Aug 2017 03:52:03 GMT https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5254#M3669 Sagar_Manandhar 2017-08-17T03:52:03Z https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5255#M3670 <HTML><HEAD></HEAD><BODY><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">The screen you are showing is part of a forensics report.</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">This report is triggered when we identify an attack and it is automatically analyzing the full scope of the attack.</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">One of the sections in the report is to identify what is the attack damage. This is listed under the “Business Impact” section. Both in the overview tab and as a separate tab. In this case the attack included the tempering of some files.</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000;"><SPAN style="font-family: Calibri; font-size: medium;">To see what triggered SBA to say there is an attack, you can look at the trigger data on the top of the overview tab. It will show the “</SPAN><SPAN style="font-family: 'Segoe UI',sans-serif; font-size: 10.5pt;">Trigger:”,</SPAN></SPAN><SPAN style="color: #000000; font-family: Calibri; font-size: medium;"> “</SPAN><SPAN style="color: #000000; font-size: 10.5pt; font-family: 'Segoe UI',sans-serif;">Triggered By:</SPAN><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">” &amp; “</SPAN><SPAN style="color: #000000; font-size: 10.5pt; font-family: 'Segoe UI',sans-serif;">Trigger Time:</SPAN><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">” information.</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">&nbsp;</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">These reports are available both on the client, and on the server.</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">On the client it is on the Forensics tab of the client UI.</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">On the server, it can be opened by a link on the Forensics log line. You can see it either in SmartLog or in SmartEvent.</SPAN></P><P style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-family: Calibri; font-size: medium;">If you want to use SmartEvent you can use </SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110894&amp;partition=General&amp;product=SmartEvent"><SPAN style="color: #0000ff; text-decoration: underline; font-size: medium; font-family: Calibri;">sk110894</SPAN></A><SPAN style="color: #000000; font-family: Calibri; font-size: medium;"> to see how to connect R80.10 SmartEvent to an R77.30.03 management, and </SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk118525"><SPAN style="color: #0000ff; text-decoration: underline; font-size: medium; font-family: Calibri;">sk118525</SPAN></A><SPAN style="color: #000000; font-family: Calibri; font-size: medium;"> to import SAB views to your SmartEvent.</SPAN></P><P></P><P style="margin: 0in 0in 0pt;"><STRONG><EM>Thanks</EM></STRONG></P><P style="margin: 0in 0in 0pt;"><STRONG><EM>Lior Arzi</EM></STRONG></P></BODY></HTML> Thu, 17 Aug 2017 08:56:15 GMT https://community.checkpoint.com/t5/Endpoint/data-tampering-event-in-enpoint-client/m-p/5255#M3670 Lior_Arzi 2017-08-17T08:56:15Z