https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226701#M9331 <P>Good morning,</P><P>Unfortunately, I was rudely awakened today because apparently most of the msi and exe files on our devices were recognized as malicious by offline file reputation.<BR />We have deactivated the Advanced Capabilities globally as a result, but the damage is still there.</P><P>Protection names are</P><P>Gen.Rep.lnk<BR />Gen.Rep.msi<BR />Gen.Rep.7z</P><P>and so on.</P><P>Anybody else? The files are definitely benign.</P> Mon, 16 Sep 2024 07:01:57 GMT cstueckrath 2024-09-16T07:01:57Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226701#M9331 <P>Good morning,</P><P>Unfortunately, I was rudely awakened today because apparently most of the msi and exe files on our devices were recognized as malicious by offline file reputation.<BR />We have deactivated the Advanced Capabilities globally as a result, but the damage is still there.</P><P>Protection names are</P><P>Gen.Rep.lnk<BR />Gen.Rep.msi<BR />Gen.Rep.7z</P><P>and so on.</P><P>Anybody else? The files are definitely benign.</P> Mon, 16 Sep 2024 07:01:57 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226701#M9331 cstueckrath 2024-09-16T07:01:57Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226703#M9332 <P>I believe TAC is aware of this issue but please report your specific instance so you can be kept up to date accordingly.</P> Mon, 16 Sep 2024 07:07:09 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226703#M9332 Chris_Atkinson 2024-09-16T07:07:09Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226708#M9333 <P>Same here for a bunch of our clients.&nbsp; Also seeing benign DNS requests blocked on the Endpoint.&nbsp; Do have a high-sev ticket open with TAC.</P> Mon, 16 Sep 2024 08:07:16 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226708#M9333 Ruan_Kotze 2024-09-16T08:07:16Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226710#M9335 <P>Having the same issues, keepass, 7zip, visual studio, but also checkpoint own files are removed.</P><P>Our own tenant seems to be hit the hardest/earliest, but more customers with issues.&nbsp;<BR />not sure if its only 88.30+ or not</P><P>created a High severity ticket with TAC</P> Mon, 16 Sep 2024 08:24:19 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226710#M9335 jurgenvrieze 2024-09-16T08:24:19Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226712#M9336 <P>TAC response:</P><BLOCKQUOTE><P>There have been several cases reported, and the issue has been internally escalated. We are actively looking into it to resolve the problem on the Threat Cloud. As a temporary workaround, we recommend applying a local exclusion.</P><P>Currently, this issue is occurring across all versions. The issue has been resolved in the cloud, and the team is in the process of cleaning up all affected files. I will keep you updated with the latest information</P><P>Best &nbsp;regards</P><HR /></BLOCKQUOTE><P>&nbsp;</P> Mon, 16 Sep 2024 08:33:13 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226712#M9336 cstueckrath 2024-09-16T08:33:13Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226715#M9338 <P>deactivating advanced capabilities solved the issue only for 88+ versions. some customers are still on 87.x. There I also put files threat emulation mode to detect instead of prevent.</P><P>this seems to work for now</P> Mon, 16 Sep 2024 09:00:13 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226715#M9338 jurgenvrieze 2024-09-16T09:00:13Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226732#M9340 <P>Hi all, we are aware of the issue, and the task force is working on the resolution. The "bad" signature is identified and already removed from the ThreatCloud, and we are working on removing the offending hashes through all instances.&nbsp;<BR /><BR />Whether you need assistance to roll back the file quarantine, please work with TAC.<BR /><BR />Incident Reference:&nbsp;<A href="https://status.checkpoint.com/incidents/cfns8zwtg6kd" target="_blank">https://status.checkpoint.com/incidents/cfns8zwtg6kd</A></P> Mon, 16 Sep 2024 12:18:40 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226732#M9340 _Val_ 2024-09-16T12:18:40Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226733#M9341 <P>The users can restore their own files.</P><P>We have had to ask the affected users to run Quarantine Management tool on the computer -&nbsp;<SPAN><SPAN class="">"C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\RemediationManagerUI.exe"</SPAN></SPAN></P><P>They can restore the files from there.</P><P>You have to also give the user permissions to 'Allow users to restore items from quarantine' in the 'Anti-Ransomware, Behaviour Guard and Forensics' blade.</P> Mon, 16 Sep 2024 11:20:48 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226733#M9341 Tom_CheckMate 2024-09-16T11:20:48Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226783#M9342 <P>Not very happy about this.</P><P>I'm happy that TAC is aware of the issue, but handling this at scale is quite difficult with the fairly elementary quarantine tooling on Harmony EP.</P><P>Also not too happy with the speed at which this is remediated on the Threat Cloud site; currently we're still receiving tickets regarding removals of legitimate software (including CHKP software....).</P><P>Check Point really needs to polish up on these aspects of agent management; we need a better way to handle quarantine in these incidents (It's on the roadmap supposedly?), but most of all we need a way to handle signatures and protection packages used by features OTHER than Anti-Malware. If CHKP isn't doing a staging run before pushing out in general then at least let us do it internally..</P> Mon, 16 Sep 2024 13:06:00 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226783#M9342 Swiftyyyyy 2024-09-16T13:06:00Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226896#M9346 <P>Yeah, so we've tried that, but unfortunately the users get an UAC prompt when they try to run&nbsp;<SPAN>RemediationManagerUI.exe</SPAN></P><P>Our users are standard users without administrative privileges.</P> Tue, 17 Sep 2024 09:39:54 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/226896#M9346 cstueckrath 2024-09-17T09:39:54Z https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/227054#M9357 <P>The issue should already be resolved in all environments.<BR /><BR />It is also documented in&nbsp;<A href="https://support.checkpoint.com/results/sk/sk182688" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk182688</A></P> Wed, 18 Sep 2024 08:28:00 GMT https://community.checkpoint.com/t5/Endpoint/Advanced-Capabilities-triggered-by-everything-since-today/m-p/227054#M9357 _Val_ 2024-09-18T08:28:00Z