LazarusG
Collaborator

problem endpoint signature generating large number of false positives?

Hi

We have a couple of customers reporting high attack rates in the portal and many applications being quarantined on their endpoints.

Doesn't seem to be any chatter on here - is anyone aware of a problem signature released into the wild, or is there something more nefarious going on?

Thanks

22 Replies
_Val_
Admin

Not something known. If in any doubt, reach out to TAC and (probably) IR.

the_rock
Legend

When did this start happening?

LazarusG
Collaborator

Just getting wind of it from two customers in the last hour or two.

the_rock
Legend

Will check later with one of our clients, still early here : - )

Andy

LazarusG
Collaborator

Both seem to be having a high incidence of Protection name Gen.ML.SA - both will be logged to TAC.

the_rock
Legend

Is there something you see in the portal itself, or mostly on the endpoint side of things? I ask because I have access to this customer's portal on the cloud, so I can check any time.

Andy

LazarusG
Collaborator

Logs for blade: Forensics - TAC have responded saying it's a known issue.

the_rock
Legend

Thanks for the update, appreciated!

m25487
Contributor

We also have elective files in quarantine. Is there anything we can do?

the_rock
Legend

Let's see if something official comes out in the meantime...

LazarusG
Collaborator

Sorry to hear that. Guidance on my side is to wait for an official comment/fix.

LazarusG
Collaborator

TAC update from an hour ago:

"We have a fix for this global issue now. The clients will be upgraded automatically in the next 2-3 hours".

They say there is a script if you need it more urgently.

the_rock
Legend

Is the script public (i.e. part of an SK), or does it have to be requested?

Andy

LazarusG
Collaborator

I'm unaware of an SK, so I assume a TAC request - also wondering if the quarantined files will be released without intervention....
the_rock
Legend

Yea...super valid point @LazarusG 

LazarusG
Collaborator

I suppose you could use a push operation to release quarantined files (Push Operations), or else the AdminRemediationManagerUI.exe..

But I am not sure how things look in the customer estate now.

They did confirm no more logs since about 2 hrs ago.
the_rock
Legend

That's true... I'm not a Harmony Endpoint guru by any means, but I do recall that sometimes even push operations can take some time and then eventually fail.

Andy

the_rock
Legend

I also ended up opening a TAC case for this today and they confirmed the issue was fully fixed.

Andy

Tom_Hinoue
Advisor

We still have some customers that have reported their applications are still quarantined even at this time.
Did TAC mention anything about what we need to do on the client side, like rebooting or manually updating the client status?

It's not realistic to release each app from quarantine with push operations.
There are dozens of apps quarantined on 1 client, times the number of actual customer devices..

Note, we already have a TAC case opened and pending their update.

Tom_Hinoue
Advisor

I just received an update from TAC.
We were provided with a script to release files from quarantine... will look into it now.

the_rock
Legend

That should help, for sure. You are 100% right about push operations... that's not really a viable option, especially in this case.

Andy

the_rock
Legend

The TAC lady told me they are advising customers to contact them and ask for the script if the issue is still there.

Andy
