You can configure the Forensics component to analyze incidents that are detected by a third-party Anti-Malware solution. After such a solution triggers an incident, you start the Forensics analysis yourself: either manually on the client computer, or with a dedicated tool.
To run the analysis manually on a client computer from the command line, use:
C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe <Type>:<Malicious resource> [options]
| Parameter | Description |
|---|---|
| `<Type>` | The type of `<Malicious resource>`: URL, File, MD5 or IP. [Mandatory] |
| `<Malicious resource>` | The resource itself, for example a URL, a file path, an MD5 hash or an IP address. [Mandatory] |
| `-r`, `-remediation` | Remediate malicious, suspicious and unknown processes based on the policy configuration. [Optional] |
| `-q`, `-quarantine` | Put the machine into restricted mode based on the policy configuration. [Optional] |
| `-id {GUID}` | Set the ID of the incident. The ID must be a GUID. [Optional] |
| `-b`, `-backup {Directory}` | Back up the Forensics database to a local file. [Optional] |
| `-h`, `-help` | Show the help text. [Optional] |
Examples (several <Type>:<Malicious resource> pairs can be given in one command):
C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe file:c:\test\test.doc url:www.test.com -r
C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe file:test.doc -r -q
C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe ip:170.12.1.180 file:test.doc
C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe url:www.Malicious.com md5:10010010010010010010010010010010 -q -b c:\backupToFile.txt
C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe -b c:\backupToFile.txt
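The following PowerShell script is an added example of wiring a third-party anti-malware alert into the command above; it is not Check Point's code and is not part of the original page. It builds the `<Type>:<Malicious resource>` tokens from the indicators the alert carries, rejects an MD5 or IP that cannot be what it claims to be (a bad indicator would otherwise be passed straight to the tool), tags the run with a fresh GUID for `-id`, and optionally requests a database backup. The alert hashtable, the `ConvertTo-EfrArguments` function and its `-Remediate`, `-Quarantine` and `-BackupPath` parameters are this example's own assumptions; only the cpefrcli.exe path and its switches come from the documentation.

```powershell
# Added example, not Check Point's code. Only the cpefrcli.exe path and its
# switches (<Type>:<resource>, -r, -q, -id, -b) come from the documentation.
$CpEfrCli = 'C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe'

function ConvertTo-EfrArguments {
    param(
        # Hypothetical alert shape: a hashtable with any of the keys URL, File, MD5, IP.
        [Parameter(Mandatory)] [hashtable] $Alert,
        [switch] $Remediate,          # maps to -r
        [switch] $Quarantine,         # maps to -q
        [string] $BackupPath,         # maps to -b <file>
        [guid]   $IncidentId = [guid]::NewGuid()   # maps to -id; assumes a bare GUID string is accepted
    )
    $argList = [System.Collections.Generic.List[string]]::new()

    # Each indicator becomes one <Type>:<resource> token. Validate the two types
    # that have a fixed shape so a malformed alert field never reaches the tool.
    if ($Alert.ContainsKey('MD5')) {
        if ($Alert.MD5 -notmatch '^[0-9a-fA-F]{32}$') {
            throw "MD5 '$($Alert.MD5)' is not 32 hex characters"
        }
        $argList.Add("md5:$($Alert.MD5)")
    }
    if ($Alert.ContainsKey('IP')) {
        if (-not [System.Net.IPAddress]::TryParse($Alert.IP, [ref]$null)) {
            throw "IP '$($Alert.IP)' is not a valid IP address"
        }
        $argList.Add("ip:$($Alert.IP)")
    }
    if ($Alert.ContainsKey('File')) { $argList.Add("file:$($Alert.File)") }
    if ($Alert.ContainsKey('URL'))  { $argList.Add("url:$($Alert.URL)") }
    if ($argList.Count -eq 0) {
        throw 'Alert carries no URL, File, MD5 or IP indicator; nothing to analyze'
    }

    if ($Remediate)  { $argList.Add('-r') }
    if ($Quarantine) { $argList.Add('-q') }
    $argList.Add('-id'); $argList.Add($IncidentId.ToString())
    if ($BackupPath) { $argList.Add('-b'); $argList.Add($BackupPath) }
    return $argList
}

# Constructed sample alert, shaped like what a third-party AV console might export.
$alert = @{
    File = 'C:\Users\Public\invoice.doc'
    MD5  = '10010010010010010010010010010010'
    URL  = 'www.Malicious.com'
}

$argList = ConvertTo-EfrArguments -Alert $alert -Remediate -BackupPath 'C:\efr\backupToFile.txt'
Write-Host "Running: `"$CpEfrCli`" $($argList -join ' ')"

# Array splatting passes each token as its own argument, so a file path with
# spaces stays one argument without manual quoting.
& $CpEfrCli @argList
Write-Host "cpefrcli.exe exit code: $LASTEXITCODE"
```

Generating the GUID yourself and logging it next to the third-party alert ID is what makes the two systems' records correlatable afterwards; if you let the tool pick the ID you have to recover it from the Forensics database later. The script reports the exit code but does not interpret it, because the page does not document what cpefrcli.exe returns.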
Notes: