
SandBlast Agent Forensics and Anti-Ransomware

In This Section:

Overview of Forensics and Anti-Ransomware

Anti-Ransomware Files

Configuring Forensics and Anti-Ransomware Policy Rules

Integration with Third Party Anti-Virus Vendors

Manual Analysis with CLI

Manual Analysis with Push Operations

SandBlast Agent Forensics Analysis Report

SandBlast Agent Dynamic Updates

SandBlast Agent Use Case

Ransomware Use Case

Quarantine Management

Overview of Forensics and Anti-Ransomware

The SandBlast Agent Forensics and Anti-Ransomware Software Blade monitors file operations, processes, and network activity for suspicious behavior. It also analyzes attacks detected by other client blades or the Check Point gateway. It applies remediation to malicious files.

Anti-Ransomware constantly monitors files and processes for unusual activity. When it detects a ransomware attack, it backs up the affected files to a safe location before the attack can encrypt them. After the attack is stopped, it deletes the files involved in the attack and restores the original files from the backup location.

All details of attacks are organized in the Forensics Analysis Report.

For example, if SandBlast Agent Anti-Bot detects a malicious URL, it notifies Forensics through internal communication. Forensics starts a complete investigation and generates a Forensics Analysis Report.

You can also configure the Forensics blade to analyze incidents that are detected by a third party Anti-Malware solution.

Configure the settings in the SandBlast Agent Forensics and Anti-Ransomware rule in the SmartEndpoint Policy tab.

If the Endpoint Security servers do not have internet connectivity, Forensics information is stored locally and sent for evaluation as soon as a server connects to the internet.