When SandBlast Agent blades (Forensics and Anti-Ransomware, Anti-Bot, and Threat Extraction and Threat Emulation), detect malicious files, they can quarantine those files automatically based on policy. All blades use the same remediation service, that:
Two utilities let administrators and end-users manage quarantined files.
SandBlast Agent Quarantine Manager
The SandBlast Agent Quarantine Manager utility is called RemediationManagerUI.exe and it is located in C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation
on client computers. It lets end-users:
SandBlast Agent Quarantine Manager for Administrators
The administrator utility contains the capabilities of the end-user utility plus these additional features:
Get the administrator utility from the release homepage.
When you open the SandBlast Agent Quarantine Manager or the SandBlast Agent Quarantine Manager for Administrators, each quarantined item is shown as a file. The name of the file is the incident ID. To find a file, search for the incident ID found in the SandBlast Agent logs.
By default, quarantined files stored on the client are in C:\ProgramData\CheckPoint\Endpoint Security\Remediation\quarantine
on the client computer.
Best practice is to configure Copy quarantine files to a central location in the File Quarantine Settings. Then you can use the Quarantine Manager for Administrators to import all files related to an incident from one location that you can access.
From the Quarantine Manager for Administrators you can:
To permanently delete an item:
To send a file to quarantine from outside of the utility:
To import a suspicious file to the utility:
The file, with its metadata, is imported to the quarantine database from where the utility is run.