Manual Analysis with Push Operations

You can trigger incident analysis for a client on a one-time basis with Push Operations. You can run the Push Operations from SmartEndpoint (the Check Point GUI application that connects to the Endpoint Security Management Server to deploy, monitor and configure Endpoint Security clients and policies) or from the CLI. The analysis occurs without the need to install policy.

To use Forensics Push Operations from SmartEndpoint:

  1. In SmartEndpoint, right-click on a computer object and select Forensics.

  2. Select an option:

    • Analyze by URL - Enter the URL to inspect.

      Optional - Enter data to search for an incident that occurred.

    • Analyze by process or file - Enter the full path to the file.

      Optional - Enter data to search for an incident that occurred.

  3. Click OK.

    The Forensics analysis runs on the user's computer.

To use Forensics Push Operations from the Endpoint Security Management Server CLI:

For complete information about a dedicated tool and integration with third-party Anti-Malware solutions, see sk105122.

Run the $UEPMDIR/system/utils/EfrPushOperation.sh script on a computer, OU, or group.

Usage:

EfrPushOperation {-name <node_name> | -fqdn <node_FQDN> | -dn <node_DN>} {-url <URL> | -file <file>} [-i <start_time> [-r <range>]] [-a <activity_event>] [-c <case_analysis_event>] -u <username> -p <password>

Parameters:

  • -name <node_name> - The requested node name, as it appears in SmartEndpoint

  • -fqdn <node_FQDN> - The requested node FQDN (for example, device1@mycompany.com)

  • -dn <node_DN> - The requested node distinguished name (for example, CN=device1,OU=Computers,DC=mycompany,DC=com)

  • -url <URL> - Analyze by URL

  • -file <file> - Analyze by file or process

  • -i <start_time> - Incident start time (date and time)

  • -r <range> - Time range (before and after the start time) in minutes

  • -a <activity_event> - 'f' if detailed activity logs should not be generated; default is 't'

  • -c <case_analysis_event> - 'f' if the case analysis report should not be generated; default is 't'

  • -u <username> - Security Management Server username (case-sensitive)

  • -p <password> - Security Management Server password (case-sensitive)
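As an added example (not from the Check Point documentation), a POSIX shell wrapper that enforces the option rules of the usage line above (one node selector, one target, -r only together with -i) and runs the push operation against a list of FQDNs. It assumes $UEPMDIR is set as on the Endpoint Security Management Server; the EFR_USER, EFR_PASS, EFR_DRY_RUN and EFR_ACTIVITY_LOGS variables and the sample start-time value are the wrapper's own constructed conventions, not documented tool behaviour.

```shell
#!/bin/sh
# Added wrapper around EfrPushOperation.sh (example code, not part of the
# Check Point documentation). Assumes $UEPMDIR is set as on the Endpoint
# Security Management Server; credentials come from EFR_USER / EFR_PASS.

# Reject option mixes the usage line does not allow: exactly one node
# selector (name|fqdn|dn), exactly one target (url|file), -r only with -i.
efr_check() {
    case "$1" in name|fqdn|dn) ;; *) echo "selector must be name, fqdn or dn" >&2; return 1 ;; esac
    case "$2" in url|file) ;; *) echo "target must be url or file" >&2; return 1 ;; esac
    if [ -z "$3" ] && [ -n "$4" ]; then
        echo "-r <range> requires -i <start_time>" >&2; return 1
    fi
}

# efr_push <selector> <node> <url|file> <value> [start_time] [range_minutes]
# EFR_DRY_RUN=1 prints the command instead of running it (password masked).
efr_push() {
    sel=$1; node=$2; kind=$3; value=$4; start=$5; range=$6
    efr_check "$sel" "$kind" "$start" "$range" || return 1
    set -- "-$sel" "$node" "-$kind" "$value"
    if [ -n "$start" ]; then set -- "$@" -i "$start"; fi
    if [ -n "$range" ]; then set -- "$@" -r "$range"; fi
    # Skip detailed activity logs when only the case analysis report is wanted
    if [ "${EFR_ACTIVITY_LOGS:-t}" = f ]; then set -- "$@" -a f; fi
    tool="$UEPMDIR/system/utils/EfrPushOperation.sh"
    if [ "${EFR_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$tool $* -u $EFR_USER -p ****"
        return 0
    fi
    "$tool" "$@" -u "$EFR_USER" -p "$EFR_PASS"
}

# Run the same analysis against every FQDN listed in a file (one per line,
# blank lines ignored); a failure on one host does not stop the batch.
efr_push_batch() {
    hosts=$1; shift
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        efr_push fqdn "$host" "$@" || echo "push failed for $host" >&2
    done < "$hosts"
}
```

With EFR_DRY_RUN=1 the wrapper prints the command it would run with the password masked; the real invocation still passes -u and -p on the command line, as the tool requires.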

Forensics

SandBlast Agent Forensics analyzes attacks detected by other detection features such as Anti-Ransomware or Behavioral Guard, by the Check Point Security Gateway (the dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources), and by some third-party security products. On detection of a malicious event or file, Forensics is informed and a Forensics analysis is automatically initiated. After the analysis is completed, the entire attack sequence is presented as a Forensics Analysis Report.

The Forensics Analysis Report provides full information on attacks and suspicious behavior in an easy-to-read interface. The report includes:

  • Entry Point - How did the suspicious file enter your system?

  • Business Impact - Which files were affected and what was done to them?

  • Remediation - Which files were treated and what is their status?

  • Suspicious Activity - What unusual behavior occurred that is a result of the attack?

  • Incident Details - A complete visual picture of the paths of the attack in your system.

Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected files and processes work correctly.

Opening Forensics Analysis Reports

The Forensics Analysis Report opens in your internet browser.

To open a Forensics Analysis Report for an incident: