This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TimLofgren
Contributor
‎2020-03-17 10:51 AM
Jump to solution

I need to allow UltraVNC on the endpoint client

Hello all,

I have searched quite a bit on this and have not found a way to allow Ultra VNC (winvnc.exe) on the client endpoint.  The anti-malware keeps detecting it as a threat and removing it.  I have already added it to exception lists in anti-malware and SandBlast policies in SmartEndpoint.  I am not sure why it keeps removing it as it is in like 4 exception lists.  Any help would be much appreciated.

 

Tim

0 Kudos
1 Solution

Accepted Solutions
TimLofgren
Contributor
‎2020-03-18 10:08 AM
In response to PhoneBoy
Jump to solution

the last place I added the exclusion to was on SmartEndpoint in the Policy tab.  under the Anti-Malware policy.  Right click the Periodically scan local-hard drives only and select edit shared action.  Click on the link at the bottom that says Configure files and folders exclusions.  Click add and add the folder of where the executable is stored.  But I also added it to many other areas first.  I am not sure if it needs all of them or not but I will also list the other locations.

SmartEndpoint--->Policy--->Anti-Malware...right click Scan all files upon access and select edit shared action.  Add the folder location with the Add button under the Processes to exclude from scan.  I also added the specific process just as a precaution.  I assume if just the folder is there it will still work.

SmartEndpoint--->Policy--->Sandblast Agent Threat Extraction, Emulation and Anti-Exploit...right click on Inspect all domains and files and add the folder location to the Exclusions list in that window.

SmartEndpoint--->Policy--->Sandblast Agent Anti-Ransomware, Behavioral Guard and Forensics...right click on Default File Quarantine Settings and add the file location into the Items excluded from quarantine list.  I added the location and process.

 

I hope this helps someone.  It was a pain trying to find any of this information anywhere.  I basically just had to keep poking around in the policy until I found the locations.   But I found them one at a time and not all at once so I am assuming all need to be in place in order for it to work.

 

Tim

 

 

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-03-17 01:09 PM
Jump to solution

What version of the Endpoint client?
What precise logs are showing when it is removed?
0 Kudos
TimLofgren
Contributor
‎2020-03-18 07:32 AM
In response to PhoneBoy
Jump to solution

Thanks for the reply.  I found where I needed to add it.  I had it in many exception lists but apparently I needed it also in the one that does the periodic scan.  Once it was added to that one, it stopped deleting it.  I appreciate the efforts.  It just took longer than I expected to find the right place to add it, or it needed it in multiple places.  but it is now working.

 

Tim

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-18 09:48 AM
In response to TimLofgren
Jump to solution

For the folks following along, can you detail where you added it?
0 Kudos
TimLofgren
Contributor
‎2020-03-18 10:08 AM
In response to PhoneBoy
Jump to solution

the last place I added the exclusion to was on SmartEndpoint in the Policy tab.  under the Anti-Malware policy.  Right click the Periodically scan local-hard drives only and select edit shared action.  Click on the link at the bottom that says Configure files and folders exclusions.  Click add and add the folder of where the executable is stored.  But I also added it to many other areas first.  I am not sure if it needs all of them or not but I will also list the other locations.

SmartEndpoint--->Policy--->Anti-Malware...right click Scan all files upon access and select edit shared action.  Add the folder location with the Add button under the Processes to exclude from scan.  I also added the specific process just as a precaution.  I assume if just the folder is there it will still work.

SmartEndpoint--->Policy--->Sandblast Agent Threat Extraction, Emulation and Anti-Exploit...right click on Inspect all domains and files and add the folder location to the Exclusions list in that window.

SmartEndpoint--->Policy--->Sandblast Agent Anti-Ransomware, Behavioral Guard and Forensics...right click on Default File Quarantine Settings and add the file location into the Items excluded from quarantine list.  I added the location and process.

 

I hope this helps someone.  It was a pain trying to find any of this information anywhere.  I basically just had to keep poking around in the policy until I found the locations.   But I found them one at a time and not all at once so I am assuming all need to be in place in order for it to work.

 

Tim

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events