Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
cstueckrath
Collaborator
Jump to solution

Advanced Capabilities triggered by everything since today

Good morning,

Unfortunately, I was rudely awakened today because apparently most of the msi and exe files on our devices were recognized as malicious by offline file reputation.
We have deactivated the Advanced Capabilities globally as a result, but the damage is still there.

Protection names are

Gen.Rep.lnk
Gen.Rep.msi
Gen.Rep.7z

and so on.

Anybody else? The files are definitely benign.

1 Solution

Accepted Solutions
_Val_
Admin
Admin

The issue should already be resolved in all environments.

It is also documented in https://support.checkpoint.com/results/sk/sk182688

View solution in original post

0 Kudos
10 Replies
Chris_Atkinson
Employee Employee
Employee

I believe TAC is aware of this issue but please report your specific instance so you can be kept up to date accordingly.

CCSM R77/R80/ELITE
Ruan_Kotze
Advisor

Same here for a bunch of our clients.  Also seeing benign DNS requests blocked on the Endpoint.  Do have a high-sev ticket open with TAC.

jurgenvrieze
Participant

Having the same issues, keepass, 7zip, visual studio, but also checkpoint own files are removed.

Our own tenant seems to be hit the hardest/earliest, but more customers with issues. 
not sure if its only 88.30+ or not

created a High severity ticket with TAC

cstueckrath
Collaborator

TAC response:

There have been several cases reported, and the issue has been internally escalated. We are actively looking into it to resolve the problem on the Threat Cloud. As a temporary workaround, we recommend applying a local exclusion.

Currently, this issue is occurring across all versions. The issue has been resolved in the cloud, and the team is in the process of cleaning up all affected files. I will keep you updated with the latest information

Best  regards


 

0 Kudos
jurgenvrieze
Participant

deactivating advanced capabilities solved the issue only for 88+ versions. some customers are still on 87.x. There I also put files threat emulation mode to detect instead of prevent.

this seems to work for now

0 Kudos
_Val_
Admin
Admin

Hi all, we are aware of the issue, and the task force is working on the resolution. The "bad" signature is identified and already removed from the ThreatCloud, and we are working on removing the offending hashes through all instances. 

Whether you need assistance to roll back the file quarantine, please work with TAC.

Incident Reference: https://status.checkpoint.com/incidents/cfns8zwtg6kd

0 Kudos
_Val_
Admin
Admin

The issue should already be resolved in all environments.

It is also documented in https://support.checkpoint.com/results/sk/sk182688

0 Kudos
Tom_CheckMate
Explorer

The users can restore their own files.

We have had to ask the affected users to run Quarantine Management tool on the computer - "C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\RemediationManagerUI.exe"

They can restore the files from there.

You have to also give the user permissions to 'Allow users to restore items from quarantine' in the 'Anti-Ransomware, Behaviour Guard and Forensics' blade.

0 Kudos
cstueckrath
Collaborator

Yeah, so we've tried that, but unfortunately the users get an UAC prompt when they try to run RemediationManagerUI.exe

Our users are standard users without administrative privileges.

0 Kudos
Swiftyyyyy
Explorer

Not very happy about this.

I'm happy that TAC is aware of the issue, but handling this at scale is quite difficult with the fairly elementary quarantine tooling on Harmony EP.

Also not too happy with the speed at which this is remediated on the Threat Cloud site; currently we're still receiving tickets regarding removals of legitimate software (including CHKP software....).

Check Point really needs to polish up on these aspects of agent management; we need a better way to handle quarantine in these incidents (It's on the roadmap supposedly?), but most of all we need a way to handle signatures and protection packages used by features OTHER than Anti-Malware. If CHKP isn't doing a staging run before pushing out in general then at least let us do it internally..

(6)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events