misj2
Explorer

Remediation Steps

I am new to Harmony Endpoint (Check Point) and would like some guidance as to what the normal process is for companies when we encounter endpoint clients being flagged for malicious activity, with files quarantined by Check Point, under cyber security endpoint reporting for malware and anti-bot as active or blocked. At the moment our only step is to remove devices from the network and re-image them if they are infected.

Does Check Point have any remediation tools or techniques to assist with confirming whether they are false positives or genuinely infected?

0 Kudos
5 Replies
PhoneBoy
Admin

It depends on the type/severity of the incident as well as what's normal/expected in your environment.

There are some general hints for dealing with these situations (not specific to Check Point) here: https://community.checkpoint.com/t5/Incident-Response/No-Suits-No-Ties-MDR-and-Incident-Response-Goi... 

0 Kudos
misj2
Explorer

One example of the alerts includes the following, captured by protection CeptBiro.TC.b726jHEV; a few files were quarantined. How do I confirm whether it's a false positive or genuine malicious activity?

URL : http://polyfill.io:443

Original Source URL : https://builtwith.com/aquila-capital.de

{"Nombre de protección":"CeptBiro.TC.b726jHEV","Medida adoptada":"Evitado","URL":http://polyfill.io:443,"Nombre del proceso":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","Identificador del proceso":"17248","Nombre del usuario":"PAZR1","Identificador del proceso principal":"0","Fecha y hora de primera infección":"14 de oct. de 2024 14:58","Fecha y hora de última infección":"14 de oct. de 2024 14:58"}

0 Kudos
PhoneBoy
Admin

polyfill.io is a legitimate issue described here (among other places): https://fossa.com/blog/polyfill-supply-chain-attack-details-fixes/
However, the domain registrar took the site offline a few months ago (DNS doesn't resolve), so I'm not sure how malware was downloaded from that domain.

Best to check this with TAC: https://help.checkpoint.com

0 Kudos
misj2
Explorer

Most likely from an embedded library or domain?

Once the files are quarantined is there a way from Infinity portal to re-scan and confirm they are clean before releasing them ?

0 Kudos
PhoneBoy
Admin