Manual Analysis with Push Operations

You can trigger incident analysis for a client on a one-time basis with Push Operations. You can run the Push Operation from SmartEndpoint or from the CLI. The analysis occurs without the need to install policy.

To use Forensics Push Operations from SmartEndpoint:

1. In SmartEndpoint, right-click on a computer object and select Forensics.
2. Select an option:
   • Analyze by URL - Enter the URL to inspect.

     Optional - Enter data to search for an incident that occurred.

   • Analyze by process or file - Enter the full path to the file.

     Optional - Enter data to search for an incident that occurred.

3. Click OK.

   The Forensics analysis runs on the users' computer.

To use Forensics Push Operations from the Endpoint Security Management Server CLI:

For complete information about a dedicated tool and integration with third party Anti-Malware solutions, see sk105122.

Run the $UEPMDIR/system/utils/EfrPushOperation.sh script on a computer, OU, or group.

Usage:

EfrPushOperation -name node_name|-fqdn node_FQDN|-dn node_DN -url URL|-file file [-i start_time [-r range]] [-a activity_event] [-c case_analysis_event] -u <username> -p <password>

Parameters:

Parameter	Description
-name <node_name>	The requested node name as appears in SmartEndpoint
-fqdn <node_FQDN>	The requested node FQDN name, for example, device1@mycompany.com
-dn <node_DN>	The requested node distinguished name , for example, CN=device1,OU=Computers,DC=mycompany,DC=com
-url <URL>	Analyze by URL
-file <file>	Analyze by file or process
-i <start_time>	Incident start time (date and time)
-r <range>	Time range (before and after start time) in minutes
-a <activity_event>	'f' if detailed activity logs should not be generated, default is 't'
-c <case_analysis_event>	'f' if case analysis report should not be generated, default is 't'
-u <username>	Security Management Server username (case-sensitive)
-p <password>	Security Management Server password (case-sensitive)

Forensics

SandBlast Agent Forensics analyzes attacks detected by other detection features like Anti-Ransomware or Behavioral Guard, the Check Point Gateway and some third party security products. On detection of a malicious event or file, Forensics is informed and a Forensics analysis is automatically initiated. After the analysis is completed, the entire attack sequence is then presented as a Forensics Analysis Report.

The Forensics Analysis Report provides full information on attacks and suspicious behavior with an easy interface. The report includes:

• Entry Point - How did the suspicious file enter your system?
• Business Impact - Which files were affected and what was done to them?
• Remediation - Which files were treated and what is their status?
• Suspicious Activity - What unusual behavior occurred that is a result of the attack?
• Incident Details - A complete visual picture of the paths of the attack in your system.

Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected files and processes work correctly.

Opening Forensics Analysis Reports

The Forensics Analysis Report opens in your internet browser.

To open a Forensics Analysis Report for an incident:

• SmartLog - From the Log Details of a Forensics, Threat Emulation, or Anti-Bot log, under Forensics, click Report.
• SmartEvent - From the Summary of a Forensics, Threat Emulation, or Anti-Bot log, under Actions, click Open Forensics Report.
• Endpoint Security Client GUI- From the Client Overview, open the Forensics Software Blade and click the Incident ID in the incident table.