SWBW_Florian
Contributor

EFR: forensic recorder is working on excluded Paths

Hi there,

Today we observed issues with the exclusions of the forensic recorder.

We're using a backup system built by Commvault. Harmony is very intense in working on those processes, so they fail and files get deleted during backups and general activity of the Commvault software.

So I created exclusions for our backup server.

I excluded, at the end, the whole Software folder C:\Program Files\Commvault\ at:

 

Forensics: Quarantine Exclusions

Forensics: Anti Ransomware

I also added at Forensics: Monitoring

C:\Program Files\Commvault\*.exe

But I can still see with the Resource Monitor of Windows that the EFR service is working in those folders.

Is the rule not accepted/working? Or ignored? Or buggy?

 

Because of the EFR Processes some of the jobs are falling into timeouts. This is a problem.

 

Can you give me a hint on how to configure the EFR in a right manner?

Thanks in advance

kind regards

 

Florian

 

regards
0 Kudos
7 Replies
the_rock
Legend

This might be worth a TAC case.

0 Kudos
PhoneBoy
Admin

Where precisely did you try to define the exclusion?
I'd read this SK, which might shed some light on why this isn't working the way you expect: https://support.checkpoint.com/results/sk/sk128472 

0 Kudos
AdiGH
Employee

Hey,

 

Which client version are you using?

0 Kudos
JonnyRabinowitz
Employee

First, the disclaimer: in general it is best to have a full investigation of the issue, rather than just referring to a specific fix that would require an upgrade and may not address the issue. Also, it is not clear what version of the client is being used.

However, since there was a recent fix released that seems very similar to this issue, I will call it out, as it may be relevant information for other people as well. It can be applicable to clients running E88.00 and later releases, and there is a fix included in E88.31.

See sk182277 for more information on this release. Specifically, it includes the following fix that may be related to this issue:

AHTP-30676 Some processes specified through the Monitoring and Exclusions action in the Policy are not fully excluded by the Forensics component from analysis as intended. 
SWBW_Florian
Contributor

We're using client version 87.60, so maybe that fix won't suit here?

regards
0 Kudos
JonnyRabinowitz
Employee

As far as I know, it is not applicable to the E87.6x version. Note that the next release after E87.6x was in fact E88.00.

At least you have the information for future reference, since it seems to be a relevant use case for you.

0 Kudos
SWBW_Florian
Contributor

Okay, thanks a lot. I will just go on and update the client. Let's see what happens.

Thank you very much so far.

regards
0 Kudos
