cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Arun_R
Copper

Sandblast Agent machines got rebooted automatically

Hi Team,

I recently implemented Endpoint Sandblast Agent for one of my client company where I have faced a challenge after installing Sandblast Agent.

Out of some client machines, few machines got rebooted automatically soon after installed sandblast Agent. 

There is no clue why it has rebooted so I decided to uninstall the Sandblast on one machine and though the machine was rebooted. I installed some third party Anti-VIrus(Norton antivirus)  and found some bugs on the client machine(which already exist on the machine). 

As soon as found the bug I removed and tried to installed SA(Sandblast Agent) once again and till now the machine is not rebooted. 

I am very surprised the way how the issue got fixed, I tried the same all problematic machines and all are fixed in the same manner. 

Note: Used Sandblast Agent blade: Forensic, Anti-ransomware, extraction and emulation.

Do anyone have an idea why sandblast Agent has not remediated the existing bugs on the client machine.

Regards,

Arun.R

7 Replies
Admin
Admin

Re: Sandblast Agent machines got rebooted automatically

Look at it this way: tools like SandBlast Agent, traditional AV, and malware operate at a similar level in the system.

If the malware was there first, it can potentially block these tools from working (or hide from them).

Also keep in mind that SandBlast Agent is specifically looking at files and EXEs entering the machine.

If the malicious files were already there before SBA is installed, it's not going to see them.

This is why SBA should be deployed in conjunction with a traditional Anti-Virus that does periodic scans.

Arun_R
Copper

Re: Sandblast Agent machines got rebooted automatically

Thanks for your update Dameon. Is there is any specific traditional Anti-Virus that we can use on SBA client machine.?

One more query is that should We need to keep the Anti-Virus software on the client machine even after deploying the SBA on the respective machine.

- Arun.R

0 Kudos
Admin
Admin

Re: Sandblast Agent machines got rebooted automatically

Check Point has an AV that comes with some of our endpoint licensing bundles.

We've also tested with some third party AV as well: SandBlast Integration with Third Party Anti-Virus Vendors 

AV and SBA look for different things and operate on different principles.

It's recommended to have both as part of a multi-layer prevention strategy.

Arun_R
Copper

Re: Sandblast Agent machines got rebooted automatically

Dear Dameon,

Thanks for your update on this.

Based on the update of your that gave me the impression of Anti-Malware blade in Checkpoint Endpoint Security Management Server license bundles and also some third-party AV vendor(If no Anti-malware been used).

Once again thanks for spending your time spends with me on this query, which gave a new experience/lesson for further SBA implementation.

- Arun.R

0 Kudos
Arun_R
Copper

Re: Sandblast Agent machines got rebooted automatically

Dear Dameon,

In addition to my last update, Is there is any knowledge base quote this " I.e best recommendation/Practice to use AV along with SBA.?

- Arun.R  

0 Kudos
Admin
Admin

Re: Sandblast Agent machines got rebooted automatically

The SBA package does not include Anti-malware (AV) but if you buy the Complete package, it is included.

As far as I know, there isn't an SK that says you should deploy both technologies as most customers do this already.

The reason we sell SBA without AV is many customers already have a preferred AV vendor.

0 Kudos
Arun_R
Copper

Re: Sandblast Agent machines got rebooted automatically

Dear Dameon,

Thanks for the update.

It improves my performance in SBA implementation.

Once again thanks for your's assist.

-ArunHari.R