This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sagar_Manandhar
Advisor
‎2017-08-14 03:52 AM

data tampering event in enpoint client

hi,

i am using Total endpoint Security and it shows me the tampering event. What does this means? is it my PC is not secure or its something else....me t

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2017-08-14 09:44 AM

One of the ways SandBlast Agent monitors for suspicious activity is to track files that were modified (or deleted) by a process that is unusual or unexpected--files that might be tampered with.

On it's own, it's not necessarily an indicator of compromise.

If there are other indicators, compromise is far more likely.

Sagar_Manandhar
Advisor
‎2017-08-16 08:52 PM
In response to PhoneBoy

sir, i cannot find any update regarding the tampering event in my endpoint server . Does these event occur in sandblast is update to server or not. Can i get the report of such event from the endpoint management server and how. 

Thank you

0 Kudos
Lior_Arzi
Employee Alumnus
Employee Alumnus
‎2017-08-17 01:56 AM
In response to Sagar_Manandhar

The screen you are showing is part of a forensics report.

This report is triggered when we identify an attack and it is automatically analyzing the full scope of the attack.

One of the sections in the report is to identify what is the attack damage. This is listed under the “Business Impact” section. Both in the overview tab and as a separate tab. In this case the attack included the tempering of some files.

To see what triggered SBA to say there is an attack, you can look at the trigger data on the top of the overview tab. It will show the “Trigger:”,Triggered By:” & “Trigger Time:” information.

 

These reports are available both on the client, and on the server.

On the client it is on the Forensics tab of the client UI.

On the server, it can be opened by a link on the Forensics log line. You can see it either in SmartLog or in SmartEvent.

If you want to use SmartEvent you can use sk110894 to see how to connect R80.10 SmartEvent to an R77.30.03 management, and sk118525 to import SAB views to your SmartEvent.

Thanks

Lior Arzi

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events