- CheckMates
- :
- Products
- :
- Harmony
- :
- Endpoint
- :
- Advanced Capabilities triggered by everything sinc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Advanced Capabilities triggered by everything since today
Good morning,
Unfortunately, I was rudely awakened today because apparently most of the msi and exe files on our devices were recognized as malicious by offline file reputation.
We have deactivated the Advanced Capabilities globally as a result, but the damage is still there.
Protection names are
Gen.Rep.lnk
Gen.Rep.msi
Gen.Rep.7z
and so on.
Anybody else? The files are definitely benign.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue should already be resolved in all environments.
It is also documented in https://support.checkpoint.com/results/sk/sk182688
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe TAC is aware of this issue but please report your specific instance so you can be kept up to date accordingly.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same here for a bunch of our clients. Also seeing benign DNS requests blocked on the Endpoint. Do have a high-sev ticket open with TAC.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having the same issues, keepass, 7zip, visual studio, but also checkpoint own files are removed.
Our own tenant seems to be hit the hardest/earliest, but more customers with issues.
not sure if its only 88.30+ or not
created a High severity ticket with TAC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TAC response:
There have been several cases reported, and the issue has been internally escalated. We are actively looking into it to resolve the problem on the Threat Cloud. As a temporary workaround, we recommend applying a local exclusion.
Currently, this issue is occurring across all versions. The issue has been resolved in the cloud, and the team is in the process of cleaning up all affected files. I will keep you updated with the latest information
Best regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
deactivating advanced capabilities solved the issue only for 88+ versions. some customers are still on 87.x. There I also put files threat emulation mode to detect instead of prevent.
this seems to work for now
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, we are aware of the issue, and the task force is working on the resolution. The "bad" signature is identified and already removed from the ThreatCloud, and we are working on removing the offending hashes through all instances.
Whether you need assistance to roll back the file quarantine, please work with TAC.
Incident Reference: https://status.checkpoint.com/incidents/cfns8zwtg6kd
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue should already be resolved in all environments.
It is also documented in https://support.checkpoint.com/results/sk/sk182688
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The users can restore their own files.
We have had to ask the affected users to run Quarantine Management tool on the computer - "C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\RemediationManagerUI.exe"
They can restore the files from there.
You have to also give the user permissions to 'Allow users to restore items from quarantine' in the 'Anti-Ransomware, Behaviour Guard and Forensics' blade.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, so we've tried that, but unfortunately the users get an UAC prompt when they try to run RemediationManagerUI.exe
Our users are standard users without administrative privileges.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not very happy about this.
I'm happy that TAC is aware of the issue, but handling this at scale is quite difficult with the fairly elementary quarantine tooling on Harmony EP.
Also not too happy with the speed at which this is remediated on the Threat Cloud site; currently we're still receiving tickets regarding removals of legitimate software (including CHKP software....).
Check Point really needs to polish up on these aspects of agent management; we need a better way to handle quarantine in these incidents (It's on the roadmap supposedly?), but most of all we need a way to handle signatures and protection packages used by features OTHER than Anti-Malware. If CHKP isn't doing a staging run before pushing out in general then at least let us do it internally..
Advanced Capabilities triggered by everything since today
Good morning,
Unfortunately, I was rudely awakened today because apparently most of the msi and exe files on our devices were recognized as malicious by offline file reputation.
We have deactivated the Advanced Capabilities globally as a result, but the damage is still there.
Protection names are
Gen.Rep.lnk
Gen.Rep.msi
Gen.Rep.7z
and so on.
Anybody else? The files are definitely benign.