I believe TAC is aware of this issue but please report your specific instance so you can be kept up to date accordingly.

Same here for a bunch of our clients.  Also seeing benign DNS requests blocked on the Endpoint.  Do have a high-sev ticket open with TAC.

Having the same issues, keepass, 7zip, visual studio, but also checkpoint own files are removed.

Our own tenant seems to be hit the hardest/earliest, but more customers with issues. 
not sure if its only 88.30+ or not

created a High severity ticket with TAC

TAC response:

There have been several cases reported, and the issue has been internally escalated. We are actively looking into it to resolve the problem on the Threat Cloud. As a temporary workaround, we recommend applying a local exclusion.

Currently, this issue is occurring across all versions. The issue has been resolved in the cloud, and the team is in the process of cleaning up all affected files. I will keep you updated with the latest information

Best  regards

---

deactivating advanced capabilities solved the issue only for 88+ versions. some customers are still on 87.x. There I also put files threat emulation mode to detect instead of prevent.

this seems to work for now

Hi all, we are aware of the issue, and the task force is working on the resolution. The "bad" signature is identified and already removed from the ThreatCloud, and we are working on removing the offending hashes through all instances. 

Whether you need assistance to roll back the file quarantine, please work with TAC.

Incident Reference: https://status.checkpoint.com/incidents/cfns8zwtg6kd

The users can restore their own files.

We have had to ask the affected users to run Quarantine Management tool on the computer - "C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\RemediationManagerUI.exe"

They can restore the files from there.

You have to also give the user permissions to 'Allow users to restore items from quarantine' in the 'Anti-Ransomware, Behaviour Guard and Forensics' blade.

Not very happy about this.

I'm happy that TAC is aware of the issue, but handling this at scale is quite difficult with the fairly elementary quarantine tooling on Harmony EP.

Also not too happy with the speed at which this is remediated on the Threat Cloud site; currently we're still receiving tickets regarding removals of legitimate software (including CHKP software....).

Check Point really needs to polish up on these aspects of agent management; we need a better way to handle quarantine in these incidents (It's on the roadmap supposedly?), but most of all we need a way to handle signatures and protection packages used by features OTHER than Anti-Malware. If CHKP isn't doing a staging run before pushing out in general then at least let us do it internally..