This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
misj2
Explorer
‎2024-10-14 01:26 AM

Remediation Steps

I am new to harmony checkpoint endpoint and would like some guidance as to what the normal process is for companies when we encounter endpoint clients being flagged as malicious activity files quantined by Checkpoint,  under cyber security endpoint reporting for malware and antibot as active or blocked ?  At the moment our only step is to remove devices off the networks a re-image if they are infected.

Do checkpoint have any remediation tools or techniques to assist with confirming if they are false positives or genuinely infected ?

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2024-10-14 12:20 PM

It depends on the type/severity of the incident as well as what's normal/expected in your environment.

There are some general hints for dealing with these situations (not specific to Check Point) here: https://community.checkpoint.com/t5/Incident-Response/No-Suits-No-Ties-MDR-and-Incident-Response-Goi... 

0 Kudos
misj2
Explorer
‎2024-10-14 02:24 PM
In response to PhoneBoy

One example of alerts include the following captured by protection : CeptBiro.TC.b726jHEV  , a few files were quarantined.  How to confirm if its a false positive or genuine malicious activity ?

URL : http://polyfill.io:443

Original Source URL : https://builtwith.com/aquila-capital.de

{"Nombre de protección":"CeptBiro.TC.b726jHEV","Medida adoptada":"Evitado","URL":http://polyfill.io:443,"Nombre del proceso":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","Identificador del proceso":"17248","Nombre del usuario":"PAZR1","Identificador del proceso principal":"0","Fecha y hora de primera infección":"14 de oct. de 2024 14:58","Fecha y hora de última infección":"14 de oct. de 2024 14:58"}

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-14 05:22 PM
In response to misj2

polyfill.io is a a legitimate issue described here (among other places): https://fossa.com/blog/polyfill-supply-chain-attack-details-fixes/
However, the domain registrar took the site offline a few months ago (DNS doesn't resolve), so I'm not sure how malware was downloaded from that domain.

Best to check this with TAC: https://help.checkpoint.com

0 Kudos
misj2
Explorer
‎2024-10-15 06:11 AM
In response to PhoneBoy

Most likely from from an embedded library or domain ?    

Once the files are quarantined is there a way from Infinity portal to re-scan and confirm they are clean before releasing them ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top