Olga_Kuts
Advisor

How to restore file in Endpoint Anti-Malware blade?

Hello!

The Endpoint Anti-Malware blade detected malware and put it in quarantine.

When I click the "Restore" button on the agent, nothing happens; there is only a message that the file was infected and it was deleted.

When I try to restore it via the Push Operation, I get a message in the SmartEndpoint console that the operation was successful, and a pop-up message on the agent that the files were infected and were deleted.

It looks like the file was restored and immediately deleted again. So how do I restore the file correctly?

0 Kudos
1 Reply
ED
Advisor

Hi Olga,

I'm no expert but here are my thoughts on that case. You have two options.

  1. Exclude that file from detection before trying to restore. Make sure the client gets the new policy first.
  2. Set up a central location where quarantine files are copied to a network share. Make sure that this network share is excluded from detection if you have Endpoint protection also installed on that share. This setting is in SmartEndpoint or the Check Point portal.

Here is an example of what it looks like:

network-share.JPG

(Photo is taken from this post: https://community.checkpoint.com/t5/Endpoint/Accessing-Quarantined-Files/td-p/75469 )

Also, from the Check Point Endpoint Security administration guide:

"Best practice is to configure Copy quarantine files to a central location in the File Quarantine Settings. Then you can use the Quarantine Manager for Administrators to import all files related to an incident from one location that you can access."

https://sc1.checkpoint.com/documents/R81/SmartEndpoint_OLH/EN/Topics-EPSG/Quarantine-Management.htm

0 Kudos