topic Re: SandBlast Agent Quarantine Manager for Administrators in Endpoint

SandBlast Agent Quarantine Manager for Administrators

Tony_Graham — Mon, 27 Feb 2023 18:00:50 GMT

So I had CP Endpoint flag a file today that has been sitting on our network for the last 20 years (no joke), it's an ancient version of DeltaCopy. In any case, Endpoint moved it into a local folder on my PC. Okay, that's alright but, I have now determined I have no ability to view files that are quarantined. I have disabled the endpoints default images from being able to restore files in Quarantine because I do not trust end users to be able to evaluate whether or not a file is safe (ie. not a false positive).

However, as an administrator I need some ability to review those files at the local desktop level (pushing them all to a central location is not always possible).

Does anyone know where the utility is RemediationManagerUI.exe, since it is not deployed to any endpoint? I need to be able to plop this somewhere on a network drive so that I can review and possible delete or restore flagged files.

The CP website directs me, " Get the administrator utility from the release homepage.", but all that I can find there are monolithic installers. I believe I really only need the remediation utility for the given client version, so which package would contain them? They are all .msi installers. I do not work with .msi installers that often.

Re: SandBlast Agent Quarantine Manager for Administrators

Ruan_Kotze — Mon, 27 Feb 2023 19:44:02 GMT

Hi Tony, this should do the trick.

Re: SandBlast Agent Quarantine Manager for Administrators

Tony_Graham — Mon, 27 Feb 2023 20:08:13 GMT

First, thanks for the link!

Unfortunately all the download does is barf an Unhandled exception error.

If I click continue it brings up an interface that is empty and says Initializing....

If I click anywhere in the window I get:

So....yah.

Re: SandBlast Agent Quarantine Manager for Administrators

Tony_Graham — Tue, 28 Feb 2023 21:51:04 GMT

As a follow up on this, I tried using the Infinity Portal>Asset Manager>Right Click>Restore Files from Quarantine but it comes up empty. I am guessing you have to point it at some central repository but it is unclear how this is supposed to function in Portal.

Can I manually blast the file in Quarantine to clear out the flagged file? At present I have no solution to addressing quarantined files.

**Update I created a Restore Files push operation, pointed it at C:\Temp. Client machine got a pop-up saying Restore Files needed to happen. So I clicked Restore Files but nothing happened so I suspect it needs to point at a repository that you would configure in Portal. Not really the functionality I need at this point. I need something like the download file that doesn't work. Maybe I will try and create a deployment package that contains 'Restore Files' and copy that file to the target machine.

Just documenting for others but I was able to create a single policy for this machine in Infinity Portal that allows the machine I am working on to restore files in Quarantine. I pushed policy (also took the liberty of updating the client version to current recommended) and now the RemediationManagerUI.exe is available. The path to it was C:\ProgramData\Checkpoint\Endpoint Security\Installer\Checkpoint\Endpoint Security\Remediation which I do not believe is what is in the current documentation SK. I was able to successfully address the Quarantined file at this point.

Re: SandBlast Agent Quarantine Manager for Administrators

Pavlo — Wed, 03 Jan 2024 12:45:55 GMT

Hi everyone!

Have the same problem even with newer version. It there any solution of this issue?

Re: SandBlast Agent Quarantine Manager for Administrators

toviab — Wed, 03 Jan 2024 16:34:27 GMT

Hi Tony,

There are currently three ways to restore a file from quarantine if it was quarantined by EFR or ThreatEmulation blades.

1. Push operation in management server. In push operation menu-> Add->Forensics and Remediation->File remediation->Choose the Machine->Check the "Restore the following files" option-> insert the MD5 or the file path/Incident ID.

2. RemediationManagementUI. This tool is deployed with the endpoint under c:\program filesx86\Checkpoint\endpoint Security\Remediation\RemediationManagementUI.exe. This requires that you allow this user the option of restoring the files,

3. AdminRemediationManagementUI.exe. This tool is version based so you need to know which version is installed on the machine with the file quarantined and download the correct version.
The correct version is published in the release notes of each new endpoint version being released.
You can find a list of Release notes for all the different versions in this SK.

So for example, the tool for E87.52 the Release notes can be found here and under Under the Utilities/Services Downloads there is a link to download the tool for this specific version.

Re: SandBlast Agent Quarantine Manager for Administrators

toviab — Wed, 03 Jan 2024 16:37:56 GMT

Hi Tony,
This unhandled exception might be due to the wrong version being used. can you use the correct version as described in my comment above and see if it resolves this issue?