64Bit
Contributor

Deleting a quarantined file

What's the best way to remotely delete files that have been quarantined?

In the R80.20 SmartEndpoint UI there is a restore file option but no delete file option.

DeleteFileMissing.jpg

 

The above image shows options for the Anti-Malware blade, but there can be quarantined files from other blades like Threat Emulation. Where would we be able to remotely delete these quarantined files?

I understand restoring files can be done from the client machine, but we wouldn't always have access, especially for those devices in a different time zone from us. Remote management is also more suitable as it's less disruption to the user's workday.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
I assume it's the same quarantine used for both.
The SBA Quarantine Manager for Administrators can theoretically run on any machine and an admin can remove files from quarantine for other machines.
A user can also potentially run it for themselves as well.


0 Kudos
6 Replies
PhoneBoy
Admin
I don't believe we have the ability to remotely delete files.
I'm assuming you're referring to files in quarantine here, correct?
0 Kudos
64Bit
Contributor

Hey PhoneBoy, thanks for your reply.

Yes, files in quarantine. I'm guessing that irrespective of the blade that quarantined the files, they are stored locally on the host in C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Quarantine?

Is there a setting to automatically remove quarantined files after a specific date?

 

0 Kudos
PhoneBoy
Admin

That looks correct.
In the Default File Quarantine Settings, files are kept in quarantine for 90 days and users can permanently delete items from quarantine.
You can further configure this.

Also, there does appear to be a utility (referred to as "SandBlast Agent Quarantine Manager for Administrators") that will allow remote deletion.
Search SupportCenter and download the relevant version:

Screen Shot 2020-06-10 at 7.04.42 PM.png

0 Kudos
64Bit
Contributor
The Default File Quarantine Settings is part of the Forensics Blade; am I right to assume that it doesn't affect files quarantined by other blades, like Anti-Malware for example?

We have used "SandBlast Agent Quarantine Manager for Administrators" and this can manually delete files from %ProgramData%\CheckPoint\Endpoint Security\Remediation\Quarantine. I take it this has to be used from the host machine?
Many thanks for your reply Phone Boy.
0 Kudos
PhoneBoy
Admin
I assume it's the same quarantine used for both.
The SBA Quarantine Manager for Administrators can theoretically run on any machine and an admin can remove files from quarantine for other machines.
A user can also potentially run it for themselves as well.
0 Kudos
Daniel_Kavan
Advisor

Hi mates,

Is there any change to this solution RE: Endpoint Security?  I have a user who wants to delete a Quarantined file but doesn't see the Quarantine folder.

C:\ProgramFiles(x86)\CheckPoint\Endpoint Security\Remediation\Quarantine

0 Kudos
