Quarantine Management
When Endpoint Security components (such as Forensics and Anti-Ransomware, Anti-Bot, Threat Extraction, and Threat Emulation) detect malicious files, they quarantine the files automatically based on the configured policy.
Anti-Bot: Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.
Threat Extraction: Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.
Threat Emulation: Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE.
All components use the same Remediation service, which performs these actions:
- Receives the request to quarantine a file.
- Terminates the file's process, if running.
- Encrypts the file and stores it compressed along with metadata in a protected folder.
Note - Starting with E89.20 (Windows), the Remediation Manager for Administrators (AdminRemediationManagerUI.exe) is no longer included. Its functionality is integrated into the Endpoint Quarantine Manager.
Known Limitations
- The Endpoint Quarantine Manager does not support the following actions that were available in the legacy administrator tool:
  - Sending a file to quarantine manually.
  - Deleting a file from the endpoint without sending it to quarantine.
  To perform these actions, use the legacy administrator tool, which is still included in the installation package.
Supported Actions
The Endpoint Quarantine Manager supports the following actions:
- Download quarantined files
Endpoint Quarantine Manager
The Endpoint Quarantine Manager lets administrators and users view and manage quarantined files.
Each quarantined item is displayed as a file, where the file name corresponds to the incident ID. Use the incident ID from logs to locate specific files.
By default, quarantined files are stored on the endpoint:
C:\ProgramData\CheckPoint\Endpoint Security\Remediation\quarantine
Best practice is to enable the "Copy quarantine files to a central location" option in the File Quarantine settings. Then you can use the Endpoint Quarantine Manager for Administrators to import all files related to an incident from one location that you can access.
The Endpoint Quarantine Manager provides additional capabilities:
- Restore files in a protected location to test them.
- Collect all malicious files related to an attack for research.
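The workflow above (receive a quarantine request, store the file compressed and transformed with its metadata, name the stored item after the incident ID so it can be located from logs, and restore it into a protected location) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Check Point's Remediation service, and the `<incident_id>.bin` / `<incident_id>.json` layout, the HMAC-SHA256 keystream transform, the `incident_id=` log field and the sample log lines are all constructed assumptions, not the product's on-disk format or log format. Process termination, which the real service performs as its second step, is OS-specific and is left out.

```python
"""Illustrative quarantine store: added example, not Check Point's Remediation service."""
import hashlib
import hmac
import json
import re
import secrets
import tempfile
import zlib
from pathlib import Path
from typing import List, Optional


def _keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Reversible transform driven by an HMAC-SHA256 counter keystream.

    Stand-in for the product's encryption so the example needs only the standard
    library: it makes the stored payload unreadable and non-executable as-is.
    It is an illustration, not a production cipher recommendation.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


# Assumed log format: any line carrying "incident_id=<ID>" (constructed for this example).
INCIDENT_RE = re.compile(r"incident[_ ]id[=:]\s*([A-Za-z0-9-]+)", re.IGNORECASE)


def incident_ids_from_log(lines: List[str]) -> List[str]:
    """Pull incident IDs out of log lines so stored items can be looked up by name."""
    return [m.group(1) for line in lines if (m := INCIDENT_RE.search(line))]


class QuarantineStore:
    """Assumed layout: <root>/<incident_id>.bin (payload) and <root>/<incident_id>.json (metadata)."""

    def __init__(self, root: Path, key: bytes):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.key = key

    def quarantine(self, path: Path, incident_id: str, detected_by: str) -> Path:
        """Receive the request; compress and transform the file; store it with metadata."""
        path = Path(path)
        raw = path.read_bytes()
        nonce = secrets.token_bytes(16)
        payload = _keystream_xor(zlib.compress(raw), self.key, nonce)
        meta = {
            "incident_id": incident_id,
            "original_path": str(path.resolve()),
            "original_size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),  # recorded so restore can be verified
            "detected_by": detected_by,
            "nonce": nonce.hex(),
        }
        (self.root / f"{incident_id}.bin").write_bytes(payload)
        (self.root / f"{incident_id}.json").write_text(json.dumps(meta))
        path.unlink()  # the original is removed from its location
        return self.root / f"{incident_id}.bin"

    def find(self, incident_id: str) -> Optional[dict]:
        meta_file = self.root / f"{incident_id}.json"
        return json.loads(meta_file.read_text()) if meta_file.exists() else None

    def restore(self, incident_id: str, dest_dir: Path) -> Path:
        """Reverse the transform into dest_dir (a protected test location) and check the hash."""
        meta = self.find(incident_id)
        if meta is None:
            raise KeyError(incident_id)
        payload = (self.root / f"{incident_id}.bin").read_bytes()
        raw = zlib.decompress(_keystream_xor(payload, self.key, bytes.fromhex(meta["nonce"])))
        if hashlib.sha256(raw).hexdigest() != meta["sha256"]:
            raise ValueError("quarantined payload does not match the recorded hash")
        dest = Path(dest_dir)
        dest.mkdir(parents=True, exist_ok=True)
        out = dest / Path(meta["original_path"]).name
        out.write_bytes(raw)
        return out


def demo() -> dict:
    """End-to-end run on a constructed sample file and constructed log lines."""
    work = Path(tempfile.mkdtemp())
    sample = work / "invoice.exe"
    sample.write_bytes(b"MZ" + b"constructed sample payload " * 50)
    store = QuarantineStore(work / "quarantine", key=secrets.token_bytes(32))
    log = [  # constructed lines, not real product log output
        "2024-01-01 10:00:00 Threat Emulation verdict=malicious incident_id=INC-0001 file=invoice.exe",
        "2024-01-01 10:00:01 Remediation quarantined incident_id=INC-0001",
    ]
    ids = sorted(set(incident_ids_from_log(log)))
    stored = store.quarantine(sample, ids[0], detected_by="Threat Emulation")
    meta = store.find(ids[0])
    restored = store.restore(ids[0], work / "lab")
    return {
        "ids": ids,
        "original_gone": not sample.exists(),
        "stored_differs": stored.read_bytes() != restored.read_bytes(),
        "restored_ok": hashlib.sha256(restored.read_bytes()).hexdigest() == meta["sha256"],
    }


if __name__ == "__main__":
    print(demo())
```

The design point to take from this: the stored payload is never the original bytes, the metadata carries enough (original path, hash, detector) to audit and verify a restore, and the incident ID is the single key that links the log entry, the stored item and the restored copy.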
Deleting a Quarantined File
To permanently delete a file:
- Open the Endpoint Quarantine Manager for Administrators.
- Select one or more items.
- Click Delete.
Restoring a Quarantined File
To restore a quarantined file:
- Open the Endpoint Quarantine Manager for Administrators.
- Select one or more items.
- Click Restore.
Sending a File to Quarantine
To send a file to quarantine from outside of the utility:
- Open the Endpoint Quarantine Manager for Administrators.
- Click Quarantine.
- In the pop-up that appears, browse to select the file to move to quarantine.
Importing a Quarantined File
To import a quarantined file:
- Open the Endpoint Quarantine Manager for Administrators.
- Click Import.
- In the pop-up that appears, browse to select the quarantined file to import.
The file, with its metadata, is imported into the quarantine database on the machine from which the utility is run.