Analysis & Remediation

Automated Attack Analysis (Forensics)

Harmony Endpoint Forensics analyzes attacks detected by other detection features like Anti-Ransomware or Behavioral Guard, and some third-party security products.

On detection of a malicious event or file, Forensics is informed and a Forensics analysis is automatically initiated. After the analysis is completed, the entire attack sequence is presented as a Forensics Analysis Report. If Endpoint Security Management Servers do not have internet connectivity, Forensics information is stored and sent for evaluation immediately when a server connects to the internet.

Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected files and processes work correctly.

Protection mode - Define the confidence level at which an incident is analyzed: Always, High, Medium & High, or Never. The confidence level is how sure Endpoint Security is that a file is malicious. High confidence means that it is almost certain that a file is malicious. Medium confidence means that it is very likely that a file is malicious. The default value is Always.

Enable Threat Hunting - Threat Hunting is enabled by default. To learn more about Threat Hunting, see Threat Hunting.

Remediation & Response

The Harmony Endpoint File Remediation component applies Remediation to malicious files. When Harmony Endpoint components detect malicious files, they can quarantine those files automatically based on policy, and remediate them if necessary.

You can manually define the confidence level at which Remediation is performed: Always, High, Medium & High, or Never. The confidence level is how sure Endpoint Security is that a file is malicious. High confidence means that it is almost certain that a file is malicious. Medium confidence means that it is very likely that a file is malicious. The default value is Medium & High.

Advanced Remediation & Response Settings

File Quarantine

Define the settings for files that are quarantined. By default, items are kept in quarantine for 90 days and users can delete items from quarantine.

  • File quarantine - Select the confidence level at which Remediation is performed: Always, High, Medium & High, or Never. The default value is Medium & High.

  • Allow users to delete items from quarantine - When selected, users can permanently delete items from the quarantine file on their computers.

  • Allow users to restore items from quarantine - When selected, users can restore items from the quarantine file on their computers.

  • Copy quarantine files to central location - Enter a central location to which the quarantined files from the client computers are copied.

File Remediation

Define what happens to the components of an attack that is detected by Forensics. When files are quarantined, they are deleted and put in a secure location from which they can be restored, if necessary.

You can manually edit the treatment for each category of file: Malicious, Suspicious, or Unknown. For each category, you can select:

  • Quarantine - Files are deleted and put in a secure location from which they can be restored, if necessary.

  • Delete - Files are permanently deleted.

  • Backup - Delete the file and create an accessible duplicate.

  • None - No action is taken.

Trusted files are those defined as trusted by the Check Point Reputation Service. The Remediation options for Trusted Files are:

  • Terminate - Stop the suspicious process.

  • Ignore - Do not terminate processes. Activity is monitored.