Quarantine Management

When Harmony Endpoint components (Forensics and Anti-Ransomware, Anti-Bot, Threat Extraction, and Threat Emulation) detect malicious files, they can quarantine those files automatically based on policy. All components use the same Remediation service, which:

  • Receives the request to quarantine a file.

  • Terminates the file's process, if running.

  • Encrypts the file and stores it compressed along with metadata in a protected folder.

Two utilities let administrators and end-users manage quarantined files.

Harmony Endpoint Quarantine Manager

The Harmony Endpoint Quarantine Manager utility is RemediationManagerUI.exe, located in C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation on client computers. It lets end-users:

  • See the files in quarantine.

  • Delete quarantined files: select the file and click Permanently Delete.

  • Restore quarantined files: select the file and click Restore.

Harmony Endpoint Quarantine Manager for Administrators

The administrator utility contains the capabilities of the end-user utility plus these additional features:

  • Quarantine - Send files to quarantine.

  • Delete - Use the Harmony Endpoint Remediation service to delete a file.

  • Import - Import a quarantined file from a different computer or location.

You can download the administrator utility from here.

Using the Quarantine Manager for Administrators

When you open the Harmony Endpoint Quarantine Manager or the Harmony Endpoint Quarantine Manager for Administrators, each quarantined item is shown as a file whose name is the incident ID. To find a file, search for the incident ID reported in the Harmony Endpoint logs.

By default, quarantined files are stored on the client computer in C:\ProgramData\CheckPoint\Endpoint Security\Remediation\quarantine.

Best practice is to enable Copy quarantine files to a central location in the File Quarantine settings. You can then use the Quarantine Manager for Administrators to import all files related to an incident from a single location that you can access.
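Because each quarantined item is named after its incident ID, an administrator can reconcile the IDs seen in the Harmony Endpoint logs against the quarantine store (the client default path or the central copy location) before importing. The script below is an added example for that check and is not Check Point's code or part of the utility. It assumes that the item's base file name equals the incident ID, that any file extension may be present, and that the incident IDs listed are constructed placeholders to be replaced with real ones from the logs.

```powershell
<#
Added example (not Check Point's code): reconcile incident IDs from the Harmony
Endpoint logs against the quarantine store, which names each item after its ID.
Assumptions not stated on the product page: the quarantined item's base file name
equals the incident ID (extension ignored), and the IDs below are placeholders.
#>
param(
    # Default client path from the documentation. Point this at the central copy
    # location instead when "Copy quarantine files to a central location" is enabled.
    [string]$QuarantinePath = 'C:\ProgramData\CheckPoint\Endpoint Security\Remediation\quarantine',

    # Incident IDs to look for. Constructed placeholders; replace with IDs from the logs.
    [string[]]$IncidentIds = @('INCIDENT-ID-PLACEHOLDER-1', 'INCIDENT-ID-PLACEHOLDER-2')
)

if (-not (Test-Path -LiteralPath $QuarantinePath -PathType Container)) {
    throw "Quarantine folder not found: $QuarantinePath"
}

# Index every quarantined item by base name (the incident ID). If a payload and a
# metadata file share a base name, the first one enumerated is kept.
$items = @{}
Get-ChildItem -LiteralPath $QuarantinePath -File -Recurse | ForEach-Object {
    if (-not $items.ContainsKey($_.BaseName)) { $items[$_.BaseName] = $_ }
}

# One row per incident ID from the logs: present in the store or missing.
$report = foreach ($id in $IncidentIds) {
    $item = $items[$id]
    [pscustomobject]@{
        IncidentId    = $id
        Status        = if ($item) { 'Quarantined' } else { 'Missing' }
        Path          = if ($item) { $item.FullName } else { $null }
        SizeBytes     = if ($item) { $item.Length } else { $null }
        LastWriteTime = if ($item) { $item.LastWriteTime } else { $null }
    }
}
$report | Format-Table -AutoSize

# Items in the store that no supplied incident ID accounts for deserve a look too.
$orphans = $items.Keys | Where-Object { $IncidentIds -notcontains $_ } |
    ForEach-Object { $items[$_].FullName }
if ($orphans) {
    Write-Output 'Quarantined items with no matching incident ID in the supplied list:'
    $orphans | ForEach-Object { Write-Output "  $_" }
}

# The store is described as a protected folder; review who can read or change it.
(Get-Acl -LiteralPath $QuarantinePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it on the client with the default path, or pass -QuarantinePath pointing at the central location and -IncidentIds with the IDs taken from the logs. A "Missing" row means the log refers to an incident whose item is not in the store you are checking, which is worth resolving before relying on Import to collect all files for that incident.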

From the Quarantine Manager for Administrators you can:

  • Restore files in a protected location to test them.

  • Collect all malicious files related to an attack for research.

To permanently delete an item:

  1. Open the Harmony Endpoint Quarantine Manager for Administrators.

  2. Select one or more items.

  3. Click Delete.

To send a file to quarantine from outside of the utility:

  1. Open the Harmony Endpoint Quarantine Manager for Administrators.

  2. Click Quarantine.

  3. In the window that opens, browse to select the file to move to quarantine.

To import a suspicious file to the utility:

  1. Open the Harmony Endpoint Quarantine Manager for Administrators.

  2. Click Import.

  3. In the window that opens, browse to select the quarantined file to import.

    The file, with its metadata, is imported into the quarantine database on the computer where the utility is run.