Quarantine Management

When SandBlast Agent Software Blades (Forensics and Anti-Ransomware, Anti-Bot, and Threat Extraction and Threat Emulation) detect malicious files, they can quarantine those files automatically based on policy. All Software Blades use the same remediation service, that:

Two utilities let administrators and end-users manage quarantined files.

SandBlast Agent Quarantine Manager

The SandBlast Agent Quarantine Manager utility is called RemediationManagerUI.exe and is located in C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation on client computers. It lets end-users:

SandBlast Agent Quarantine Manager for Administrators

The administrator utility contains the capabilities of the end-user utility plus these additional features:

Get the administrator utility from the release homepage.

Using the Quarantine Manager for Administrators

When you open the SandBlast Agent Quarantine Manager or the SandBlast Agent Quarantine Manager for Administrators, each quarantined item is shown as a file. The name of the file is the incident ID. To find a file, search for the incident ID found in the SandBlast Agent logs.

By default, quarantined files are stored on the client computer in C:\ProgramData\CheckPoint\Endpoint Security\Remediation\quarantine.

Best practice is to configure Copy quarantine files to a central location in the File Quarantine Settings. Then you can use the Quarantine Manager for Administrators to import all files related to an incident from one location that you can access.

From the Quarantine Manager for Administrators you can:

To permanently delete an item:

  1. Open the SandBlast Agent Quarantine Manager for Administrators.
  2. Select one or more items.
  3. Click Delete.

To send a file to quarantine from outside of the utility:

  1. Open the SandBlast Agent Quarantine Manager for Administrators.
  2. Click Quarantine.
  3. In the window that opens, browse to select the file to move to quarantine.

To import a suspicious file to the utility:

  1. Open the SandBlast Agent Quarantine Manager for Administrators.
  2. Click Import.
  3. In the window that opens, browse to select the quarantined file to import.

    The file, with its metadata, is imported to the quarantine database from where the utility is run.