Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tony_Graham
Advisor

SandBlast Agent Quarantine Manager for Administrators

So I had CP Endpoint flag a file today that has been sitting on our network for the last 20 years (no joke), it's an ancient version of DeltaCopy. In any case, Endpoint moved it into a local folder on my PC. Okay, that's alright but, I have now determined I have no ability to view files that are quarantined. I have disabled the endpoints default images from being able to restore files in Quarantine because I do not trust end users to be able to evaluate whether or not a file is safe (ie. not a false positive).

However, as an administrator I need some ability to review those files at the local desktop level (pushing them all to a central location is not always possible).

Does anyone know where the utility is RemediationManagerUI.exe, since it is not deployed to any endpoint? I need to be able to plop this somewhere on a network drive so that I can review and possible delete or restore flagged files.

The CP website directs me, " Get the administrator utility from the release homepage.", but all that I can find there are monolithic installers. I believe I really only need the remediation utility for the given client version, so which package would contain them? They are all .msi installers. I do not work with .msi installers that often.

0 Kudos
6 Replies
Ruan_Kotze
Advisor

Hi Tony, this should do the trick.

0 Kudos
Tony_Graham
Advisor

First, thanks for the link!

Unfortunately all the download does is barf an Unhandled exception error.

1.png

 

If I click continue it brings up an interface that is empty and says Initializing....

2.png

If I click anywhere in the window I get:

3.pngSo....yah.

0 Kudos
Tony_Graham
Advisor

As a follow up on this, I tried using the Infinity Portal>Asset Manager>Right Click>Restore Files from Quarantine but it comes up empty. I am guessing you have to point it at some central repository but it is unclear how this is supposed to function in Portal.

Can I manually blast the file in Quarantine to clear out the flagged file? At present I have no solution to addressing quarantined files.

**Update I created a Restore Files push operation, pointed it at C:\Temp. Client machine got a pop-up saying Restore Files needed to happen. So I clicked Restore Files but nothing happened so I suspect it needs to point at a repository that you would configure in Portal. Not really the functionality I need at this point. I need something like the download file that doesn't work. Maybe I will try and create a deployment package that contains 'Restore Files' and copy that file to the target machine.

Just documenting for others but I was able to create a single policy for this machine in Infinity Portal that allows the machine I am working on to restore files in Quarantine. I pushed policy (also took the liberty of updating the client version to current recommended) and now the RemediationManagerUI.exe is available. The path to it was C:\ProgramData\Checkpoint\Endpoint Security\Installer\Checkpoint\Endpoint Security\Remediation which I do not believe is what is in the current documentation SK. I was able to successfully address the Quarantined file at this point.

0 Kudos
toviab
Employee
Employee

Hi Tony, 
This unhandled exception might be due to the wrong version being used. can you use the correct version as described in my comment above and see if it resolves this issue?

0 Kudos
Pavlo
Participant

Hi everyone!

Have the same problem even with newer version. It there any solution of this issue?

 

0 Kudos
toviab
Employee
Employee

Hi Tony,

There are currently three ways to restore a file from quarantine if it was quarantined by EFR or ThreatEmulation blades.

1. Push operation in management server. In push operation menu-> Add->Forensics and Remediation->File remediation->Choose the Machine->Check the "Restore the following files" option-> insert the MD5 or the file path/Incident ID.

2. RemediationManagementUI. This tool is deployed with the endpoint under c:\program filesx86\Checkpoint\endpoint Security\Remediation\RemediationManagementUI.exe. This requires that you allow this user the option of restoring the files,

3. AdminRemediationManagementUI.exe. This tool is version based so you need to know which version is installed on the machine with the file quarantined and download the correct version.
The correct version is published in the release notes of each new endpoint version being released.
You can find a list of Release notes for all the different versions in this SK.

So for example, the tool for E87.52 the Release notes can be found here and under Under the Utilities/Services Downloads there is a link to download the tool for this specific version.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events