
Manual Analysis with Push Operations

You can trigger a one-time incident analysis for a client with a Push Operation, run either from SmartEndpoint or from the CLI. The analysis runs without the need to install policy.

To use Forensics Push Operations from SmartEndpoint:

  1. In SmartEndpoint, right-click on a computer object and select Forensics.
  2. Select an option:
    • Analyze by URL - Enter the URL to inspect.

      Optional - Enter data to search for an incident that occurred.

    • Analyze by process or file - Enter the full path to the file.

      Optional - Enter data to search for an incident that occurred.

  3. Click OK.

    The Forensics analysis runs on the user's computer.

To use Forensics Push Operations from the Endpoint Security Management Server CLI:

For complete information about a dedicated tool and integration with third-party Anti-Malware solutions, see sk105122.

Run the $UEPMDIR/system/utils/EfrPushOperation.sh script on a computer, OU, or group.

Usage:

EfrPushOperation -name node_name|-fqdn node_FQDN|-dn node_DN -url URL|-file file [-i start_time [-r range]] [-a activity_event] [-c case_analysis_event] -u <username> -p <password>

Parameters:

Parameter                   Description
-name <node_name>           The requested node name, as it appears in SmartEndpoint
-fqdn <node_FQDN>           The requested node FQDN, for example device1@mycompany.com
-dn <node_DN>               The requested node distinguished name, for example CN=device1,OU=Computers,DC=mycompany,DC=com
-url <URL>                  Analyze by URL
-file <file>                Analyze by file or process
-i <start_time>             Incident start time (date and time)
-r <range>                  Time range (before and after the start time) in minutes
-a <activity_event>         'f' if detailed activity logs should not be generated; default is 't'
-c <case_analysis_event>    'f' if the case analysis report should not be generated; default is 't'
-u <username>               Security Management Server username (case-sensitive)
-p <password>               Security Management Server password (case-sensitive)
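The usage line above packs three mutually exclusive node selectors, two mutually exclusive targets and several optional flags into one string, which is easy to get wrong when the script is driven from an automation job. The following POSIX shell wrapper is an added example, not Check Point's code: it validates the combination of options from the table before invoking EfrPushOperation.sh, and reads the management credentials from environment variables so the password is not typed into the operator's shell history. It assumes $UEPMDIR is exported on the Endpoint Security Management Server (the fallback path is a placeholder), and the EFR_USER, EFR_PASS and EFR_DRY_RUN variable names, the constructed node names and paths, and the ISO-style start time are the wrapper's own choices; the page does not specify the -i time format.

```shell
#!/bin/sh
# Added example wrapper for EfrPushOperation.sh (not part of the product).
# Flags, defaults and the script location come from the documentation;
# everything else (variable names, sample values) is constructed here.

# $UEPMDIR is assumed to be set on the management server; the fallback is
# a placeholder, not a real installation path.
EFR_SCRIPT="${UEPMDIR:-/PLACEHOLDER_UEPMDIR}/system/utils/EfrPushOperation.sh"
# Safe default: print the command instead of running it. Set EFR_DRY_RUN=0 to execute.
EFR_DRY_RUN="${EFR_DRY_RUN:-1}"

# efr_build_args SELECTOR_FLAG SELECTOR_VALUE TARGET_FLAG TARGET_VALUE \
#                [START_TIME] [RANGE_MINUTES] [ACTIVITY t|f] [CASE t|f]
# Prints the validated argument list (without credentials); returns 1 on bad input.
efr_build_args() {
    sel_flag="$1"; sel_val="$2"; tgt_flag="$3"; tgt_val="$4"
    start="${5:-}"; range="${6:-}"; activity="${7:-t}"; case_report="${8:-t}"

    # Exactly one node selector: -name, -fqdn or -dn
    case "$sel_flag" in
        -name|-fqdn|-dn) ;;
        *) echo "selector must be -name, -fqdn or -dn (got '$sel_flag')" >&2; return 1 ;;
    esac
    [ -n "$sel_val" ] || { echo "missing node identifier" >&2; return 1; }

    # Exactly one target: -url or -file
    case "$tgt_flag" in
        -url|-file) ;;
        *) echo "target must be -url or -file (got '$tgt_flag')" >&2; return 1 ;;
    esac
    [ -n "$tgt_val" ] || { echo "missing URL or file path" >&2; return 1; }

    # Values are later expanded unquoted (word-split on spaces), so refuse whitespace.
    for v in "$sel_val" "$tgt_val" "$start"; do
        case "$v" in *[[:space:]]*) echo "values may not contain whitespace" >&2; return 1 ;; esac
    done

    # -r is a window around the start time, so it needs -i
    if [ -n "$range" ] && [ -z "$start" ]; then
        echo "-r requires -i <start_time>" >&2; return 1
    fi
    if [ -n "$range" ]; then
        case "$range" in *[!0-9]*) echo "-r must be a whole number of minutes" >&2; return 1 ;; esac
    fi
    # -a and -c accept only t or f (default t)
    for v in "$activity" "$case_report"; do
        case "$v" in t|f) ;; *) echo "-a/-c accept only t or f" >&2; return 1 ;; esac
    done

    args="$sel_flag $sel_val $tgt_flag $tgt_val"
    [ -n "$start" ] && args="$args -i $start"
    [ -n "$range" ] && args="$args -r $range"
    [ "$activity" = f ] && args="$args -a f"
    [ "$case_report" = f ] && args="$args -c f"
    printf '%s\n' "$args"
}

# efr_run: validate, then invoke the script with credentials from
# EFR_USER / EFR_PASS. The underlying tool still receives -p on its own
# command line, so run it from a dedicated, least-privilege management account.
efr_run() {
    args=$(efr_build_args "$@") || return 1
    : "${EFR_USER:?set EFR_USER to the management server username}"
    : "${EFR_PASS:?set EFR_PASS to the management server password}"
    if [ "$EFR_DRY_RUN" = 1 ]; then
        printf 'would run: %s %s -u %s -p ******\n' "$EFR_SCRIPT" "$args" "$EFR_USER"
        return 0
    fi
    [ -x "$EFR_SCRIPT" ] || { echo "$EFR_SCRIPT not found or not executable" >&2; return 1; }
    # Subshell with globbing off: $args was checked for whitespace, so the
    # unquoted expansion splits exactly on the separators we inserted.
    ( set -f; "$EFR_SCRIPT" $args -u "$EFR_USER" -p "$EFR_PASS" )
}

# Demonstration with constructed values (start-time format is an assumption).
echo "arguments: $(efr_build_args -fqdn device1@mycompany.com \
    -file 'C:\Users\alice\Downloads\invoice.exe' 2024-01-15T10:30 15)"
if [ -n "${EFR_USER:-}" ] && [ -n "${EFR_PASS:-}" ]; then
    efr_run -name ws-finance-07 -url https://example.invalid/payload.bin
fi
```

Keeping EFR_DRY_RUN at its default of 1 lets you confirm the assembled command (with the password masked) before switching it to 0 on the management server; the whitespace check is what makes the unquoted expansion of the argument string safe.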

Forensics

SandBlast Agent Forensics analyzes attacks detected by other detection features such as Anti-Ransomware or Behavioral Guard, by the Check Point Gateway, and by some third-party security products. On detection of a malicious event or file, Forensics is informed and a Forensics analysis starts automatically. After the analysis is completed, the entire attack sequence is presented as a Forensics Analysis Report.

The Forensics Analysis Report provides full information on attacks and suspicious behavior with an easy interface. The report includes:

Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected files and processes work correctly.

Opening Forensics Analysis Reports

The Forensics Analysis Report opens in your internet browser.

To open a Forensics Analysis Report for an incident: