Olga_Kuts
Advisor

How to restore file in Endpoint Anti-Malware blade?

Hello!

 

Endpoint Anti-Malware blade detected malware and put it to the quarantine.

When I click the "Restore" button on the agent, nothing happens; there is only a message that the file was infected and has been deleted.

When I try to restore it via a Push Operation, I get a message in the SmartEndpoint console that the operation was successful, and a pop-up message on the agent that the file was infected and has been deleted.

It looks like the file was restored and then immediately deleted again. So how do I restore the file correctly?

0 Kudos
2 Replies
ED
Advisor

Hi Olga,

 

I'm no expert but here are my thoughts on that case. You have two options.

  1. Exclude that file from detection before trying to restore it. Make sure the client receives the new policy first.
  2. Set up a central location (a network share) to which quarantined files are copied. Make sure this network share is excluded from detection if Endpoint protection is also installed on that share. This setting is in SmartEndpoint or the Check Point portal.

Here is an example of how it looks:

network-share.JPG

(Photo is taken from this post: https://community.checkpoint.com/t5/Endpoint/Accessing-Quarantined-Files/td-p/75469 )

Also from Check Point Endpoint security administration guide:

"Best practice is to configure Copy quarantine files to a central location in the File Quarantine Settings. Then you can use the Quarantine Manager for Administrators to import all files related to an incident from one location that you can access."

https://sc1.checkpoint.com/documents/R81/SmartEndpoint_OLH/EN/Topics-EPSG/Quarantine-Management.htm 

Tony_Graham
Advisor

Note ALL links to solutions are broken in this post. Is there ANY current documentation on how Endpoint file Quarantine works, best practices, etc.? I currently have two files, one that is visible in the Remediation app and one that is flagged in the Endpoint Security app (different files), and I can restore neither (both are false positives). I click Restore, nothing happens. I tried doing it as a push operation, but Infinity Portal doesn't even show either file as available for restore. I need to get a handle on this before it goes berserk on a user and I cannot get their files back. Any help appreciated. The agents are R86.70. I don't want to contact TAC about this, but I've about had it with Endpoint; I like our old solution better.

0 Kudos
