Quarantine Management

When SandBlast Agent Software Blades (Forensics and Anti-Ransomware, Anti-Bot, and Threat Extraction and Threat Emulation), detect malicious files, they can quarantine those files automatically based on policy. All Software Blades use the same remediation service, that:

• Receives the request to quarantine a file.
• Terminates the file's process, if running.
• Encrypts the file and stores it compressed along with metadata in a protected folder.

Two utilities let administrators and end-users manage quarantined files.

SandBlast Agent Quarantine Manager

The SandBlast Agent Quarantine Manager utility is called RemediationManagerUI.exe and it is located in C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation on client computers. It lets end-users:

• See the files in quarantine
• Delete the quarantined files
• Restore files from quarantine.

SandBlast Agent Quarantine Manager for Administrators

The administrator utility contains the capabilities of the end-user utility plus these additional features:

• Quarantine - Send files to quarantine.
• Delete - Use the SandBlast Agent remediation service to delete a file.
• Import - Import a quarantined file from a different computer or location.

Get the administrator utility from the release homepage.

Using the Quarantine Manager for Administrators

When you open the SandBlast Agent Quarantine Manager or the SandBlast Agent Quarantine Manager for Administrators, each quarantined item is shown as a file. The name of the file is the incident ID. To find a file, search for the incident ID found in the SandBlast Agent logs.

By default, quarantined files stored on the client are in C:\ProgramData\CheckPoint\Endpoint Security\Remediation\quarantine on the client computer.

Best practice is to configure Copy quarantine files to a central location in the File Quarantine Settings. Then you can use the Quarantine Manager for Administrators to import all files related to an incident from one location that you can access.

From the Quarantine Manager for Administrators you can:

• Restore files in a protected location to test them.
• Collect all malicious files related to an attack for research.

To permanently delete an item:

1. Open the SandBlast Agent Quarantine Manager for Administrators.
2. Select one or more items.
3. Click Delete.

To send a file to quarantine from outside of the utility:

1. Open the SandBlast Agent Quarantine Manager for Administrators.
2. Click Quarantine.
3. In the window that opens, browse to select the file to move to quarantine.

To import a suspicious file to the utility:

1. Open the SandBlast Agent Quarantine Manager for Administrators.
2. Click Import.
3. In the window that opens, browse to select the quarantined file to import.

   The file, with its metadata, is imported to the quarantine database from where the utility is run.