Check Point HARMONY R81 - Configuring Network Blades for Forensics Triggers and Remediation

To Next Page

To Previous Page

Configuring Forensics and Anti-Ransomware Policy Rules

R81 Harmony Endpoint Server Administration Guide|313

The Triggers include:

Events detected by Endpoint Security components: Anti-Bot, Threat Emulation, Anti-

Malware

Events detected by Network components: Anti-Bot, Threat Emulation, Anti-Malware,

URL Filtering

Configuring Network Blades for Forensics Triggers and Remediation

To make triggers and Remediation work for events detected by Network Threat Prevention

components, you must configure Security Gateway policy for the Threat Prevention

components: Anti-Bot, Anti-Virus, and Threat Emulation.

Each component must be enabled and have Protection settings of Prevent or Ask, which

include UserCheck.

Best practice is to use the Threat Prevention Recommended Profile (default) that includes all

required settings.

Main Page

Table of Contents5
Introduction to Endpoint Security19
Managing the Security of Users, Not Just Machines19
Organization-Centric Model19
Policy-Centric Model19
Endpoint Security Client19
Centralized Monitoring21
Centralized Deployment22
Endpoint Security Architecture23
Endpoint Security Server and Client Communication26
Smartendpoint Console and Server to Server Communication26
Client to Server Communication27
The Heartbeat Interval28
SHA-256 Certificate Support28
Tlsv1.2 Support28
External PKI Certificates for Client-Server Communication30
Importing External PKI Certificates30
Installing CA Certificates on Clients31
Installing SSL Certificates on Servers32
Replacing SSL Certificates in an Existing Environment33
Installing Full Disk Encryption Certificates33
Installing Certificates for Offline Groups34
Monitoring Certificates34
Connection Port to Services on an Endpoint Security Management Server35
Background36
Procedures39
Endpoint Security Licenses49
Endpoint Security Product Licenses49
Demo and Temporary Licenses49
License Enforcement49
Getting Licenses50
Getting and Applying Contracts51
Configuring a Proxy for Internet Access52
License Status52
Logging into Smartendpoint54
Using Smartendpoint55
Overview Tab55
Opening Smartendpoint56
Policy Tab56
Users and Computers Tab57
Monitoring Endpoint Security Deployment and Policy58
Alerts59
Configuring Alert Messages59
Configuring an Email Server60
Push Operations62
Starting Push Operations63
Push Operations Settings64
Compliance Status Reports65
Activity Reports66
Software Deployment Status Reports67
Versions in Use67
Full Disk Encryption Status Reports68
User Authentication (Onecheck) Status Reports69
Media Encryption & Port Protection Status Reports71
Discovered Devices71
Anti-Malware Status Reports72
Harmony Endpoint Anti-Bot Status Reports73
Policy Reports74
Licenses Report76
Deployment Tab77
Client Logging78
Finding Components79
Show/Hide Components80
Users and Computers81
Using the Users and Computers Tab82
Using the Object Details Window83
Changing Authentication Settings83
Using the Users and Computers Tree84
Managing Users86
Managing Ous or Groups87
Managing Computers88
Managing Users of a Computer88
Resetting a Computer89
Editing Properties of Non-AD Objects91
Managing Virtual Groups92
Active Directory Scanner93
Configuring a Directory Scanner Instance93
The Organization Scanners Page95
Directory Synchronization95
Troubleshooting the Directory Scanner96
SSL Troubleshooting96
Configuring DNS for GSS Connections97
Strengthening Active Directory Authentication to Use LDAPS97
Endpoint Security Administrator Roles101
Deploying Endpoint Security Clients102
Uploading Client Packages to the Repository103
Automatic Deployment Using Deployment Rules108
Manual Deployment Using Packages for Export114
Configuring Software Signatures for Packages for Export118
Seeing the Deployment Status119
Deploying Mac Clients120
Getting the Mac Client120
Manual Deployment120
Uninstalling the Client on Mac121
Upgrading Endpoint Security Clients122
Upgrading with Deployment Rules122
Upgrading with an Exported Package123
Gradual Upgrade124
Upgrading Legacy Clients125
Offline Upgrades125
Online Upgrades126
Upgrading Legacy Full Disk Encryption127
Troubleshooting the Installation130
Uninstalling the Client on Windows131
Configuring Logging132
Backup and Restore133
Prerequisites133
How to Back up and Restore133
Updating the PAT Version on the Server after Restore134
Defining Endpoint Security Policies135
Columns of a Policy Rule Base136
The Policy Toolbar137
User and Computer Rules138
Connected, Disconnected and Restricted Rules139
Rule Types for each Endpoint Security Component140
Rule Entities141
Protection for Servers142
Working with Rules143
Creating a Rule143
The Order in Which the Client Applies the Rules144
Changing the Order in Which the Client Applies the Rules145
Editing a Rule147
Editing a Shared Action148
What Happens When You Delete an Entity149
Saving and Installing Policy Changes on Clients149
Showing the Policy that Applies to a User or Computer150
Direct Assignment of Rules to Users and Computers150
Virtual Groups in Policy Rules152
Why Use Virtual Groups152
Prerequisites for Using Virtual Groups153
Types of Virtual Groups153
Predefined Virtual Groups153
Managing Virtual Groups154
Using a Computer Group in a User-Based Policy155
Example Deployment Rules for Virtual Groups156
Adding Objects with an Installation Package157
Monitoring Virtual Groups158
External Endpoint Policy Servers159
Installing and Configuring an Endpoint Policy Server159
Installing an Endpoint Policy Server159
Configuring an Endpoint Policy Server159
How Do Endpoint Policy Servers Work161
Configuring Policy Server Settings163
Endpoint Policy Server Proximity Analysis163
Configuring Endpoint Policy Server Connections164
Enabling the Management Server to be an Endpoint Policy Server164
Policy Server and Management Server Communication165
Configuring an Alert for a Non-Synchronized Policy Server167
Monitoring Endpoint Policy Server Activity169
Management High Availability170
Configuring a Secondary Server170
Synchronizing MSI Files, Dynamic Packages and Drivers172
Online Automatic Sync173
Before Failover173
Database Migration in a High Availability Environment174
Updating the PAT Version on the Server174
Deleting a Server175
Active Directory Authentication176
Endpoint Security Active Directory Authentication176
Configuring Active Directory Authentication177
UPN Suffixes and Domain Names180
Configuring Alternative Domain Names181
Troubleshooting Authentication in Server Logs181
Troubleshooting Authentication in Client Logs183
Full Disk Encryption185
Check Point Full Disk Encryption185
Configuring a Check Point Full Disk Encryption Policy186
Volume Encryption188
Custom Disk Encryption Settings189
Self-Encrypting Drives189
Authentication before the Operating System Loads (Pre-Boot)191
Temporary Pre-Boot Bypass192
Temporary Pre-Boot Bypass with a Script194
Temporarily Require Pre-Boot194
Advanced Pre-Boot Settings195
User Authorization before Encryption197
Single Sign-On with Onecheck Logon199
Check Point Full Disk Encryption Recovery201
Creating Data Recovery Media201
Using Data Recovery Media203
Before You Use the Drive Slaving Utility203
Using the Drive Slaving Utility204
Check Point Full Disk Encryption Self-Help Portal205
Activating the Self-Help Portal205
Configuring the Self-Help Portal206
User Settings for the Self-Help Portal206
Monitoring the Self-Help Portal Policy207
Bitlocker Encryption for Windows Clients208
Configuring a Bitlocker Encryption Policy209
Switching between Check Point Full Disk Encryption and Bitlocker Management212
Taking Control of Unmanaged Bitlocker Computers214
Bitlocker Recovery215
Installing and Deploying Full Disk Encryption217
Client Requirements for Full Disk Encryption Deployment217
Completing Full Disk Encryption Deployment on a Client218
Stages of the Deployment Phase218
Upgrading Full Disk Encryption220
Troubleshooting Full Disk Encryption221
User Authentication to Endpoint Security Clients (Onecheck)227
Configuring Onecheck User Settings Policy Rules228
Pre-Boot Authentication Methods228
Global Pre-Boot Authentication Settings228
Changing the User Pre-Boot Authentication Settings230
Password Complexity and Security232
Password Synchronization233
Account Lock234
Logon Settings236
Remote Help Permissions237
Managing Authorized Pre-Boot Users and Nodes238
Creating Pre-Boot Users239
AD Groups for Pre-Boot Authentication240
Before You Configure Smart Card Authentication241
Smart Card Scenarios241
Scenario 1: Moving from Password to Smart Card241
Scenario 2: MIX of Password and Smart Card Authentication242
Notes on Using Smart Cards243
Changing a User's Password244
Managing Dynamic Tokens245
Adding a Token245
Removing a Token246
Importing Tokens246
Upgrading Legacy Token Users246
Media Encryption & Port Protection248
Media Encryption & Port Protection Terminology249
Working with Actions in a Media Encryption & Port Protection Rule250
Configuring the Read Action251
Configuring a Write Action252
Configuring Business Related File Types254
Creating a Custom User Message255
Configuring Peripheral Device Access256
Creating a Custom Action256
Changing an Existing Action256
Defining Exceptions for Devices258
Editing Device Details258
Creating a Device with Automatic Device Discovery259
Creating a Device Manually260
Editing Device Access Setting260
Using Wild Card Characters261
Working with Advanced Actions in a Media Encryption & Port Protection Rule263
Offline Access Actions263
Custom Offline Access Settings263
Configuring Encryption Container Settings265
Password Constraints for Offline Access265
Media Lockout Settings266
Device Scanning and Authorization Actions268
Custom Scan and Authorization Actions269
Log Actions271
Usercheck Actions273
Media Encryption Site Actions274
Configuring Media Encryption Site Actions274
Global Automatic Access Action277
Custom Automatic Access Action Rules277
Capsule Docs279
Overview of Capsule Docs279
Prerequisites for Capsule Docs280
Configuring Capsule Docs281
Using Capsule Docs288
Configuring Capsule Docs Policy Rules289
Organization Settings289
Active Classifications289
Email Domains for Sharing Documents291
Automatic Protection291
Initial Protection Configuration292
Inviting Users292
Client Access Settings293
Single Sign-On with Active Directory293
Working with External Users293
Troubleshooting Capsule Docs Reverse Proxy294
Capsule Docs Recovery296
Anti-Malware297
Prerequisites for Anti-Malware297
Configuring Anti-Malware Policy Rules299
Scan All Files on Access299
Malware Signature Updates301
Performing Periodic Anti-Malware Scans303
Periodic Scan Options304
Exclude Files and Folders from Scan304
Scan Optimization306
Malware Treatment307
Submitting Malware and False Detections309
Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics310
Anti-Ransomware Files311
Configuring Forensics and Anti-Ransomware Policy Rules312
Automatic Threat Analysis Settings312
Configuring Network Blades for Forensics Triggers and Remediation313
Monitoring and Exclusions314
Disk Space for Forensics315
Quarantine Settings and Attack Remediation316
File Quarantine Settings317
Anti-Ransomware Backup Settings318
Manual Anti-Ransomware Restoration319
Anti-Ransomware Restoration319
Integration with Third Party Anti-Virus Vendors321
Manual Analysis with CLI322
Manual Analysis with Push Operations324
Forensics325
Opening Forensics Analysis Reports326
Harmony Endpoint Dynamic Updates327
Harmony Endpoint Use Case328
Ransomware Use Case329
Quarantine Management330
Using the Quarantine Manager for Administrators330
Harmony Endpoint Anti-Bot332
The Need for Anti-Bot332
The Harmony Endpoint Anti-Bot Solution333
Configuring Anti-Bot Policy Rules334
Activating the Anti-Bot Component334
Defining Entities that Are Trusted by Anti-Bot335
Anti-Bot Protection Mode336
Harmony Endpoint Threat Extraction, Emulation and Anti-Exploit337
Configuring Threat Extraction and Threat Emulation Rules338
Web Download Protection339
File System Emulation341
Harmony Environment Settings342
Exclusions and Inspection Settings343
Zero Phishing Settings344
Firewall346
Planning Firewall Policy346
Inbound Traffic Rules347
Outbound Traffic Rules348
Creating Firewall Rules349
Services and Network Objects350
Disabling and Deleting Rules351
Wireless Connection Settings352
Hotspot Settings353
Ipv6 Traffic354
Choosing a Firewall Policy to Enforce355
Compliance356
Planning for Compliance Rules357
Configuring Compliance Policy Rules358
Ensuring Alignment with the Deployed Profile358
VPN Client Verification359
Compliance Action Rules360
Compliance Check Objects361
Compliance Remediation Objects363
Service Packs for Compliance365
Required Applications and Files366
Prohibited Applications and Files367
Anti-Malware for Compliance368
Ensuring that Windows Server Updates Are Installed369
Monitoring Compliance States370
The Heartbeat Interval370
Configuring the "About to be Restricted" State371
Application Control372
Creating the List of Applications on the Reference Computer373
Appscan Command Syntax373
Importing the Appscan XML File to the Endpoint Security Management Server376
Configuring if Imported Applications Are Allowed or Blocked by Default377
Configuring Application Permissions in the Application Control Policy378
Using the Reputation Service to Allow or Block Applications381
Pre-Requisites for Using the Reputation Service381
Using the Reputation Service with a Proxy382
Enabling the Reputation Service382
Disabling or Enabling Windows Subsystem for Linux (WSL)383
Preventing the Leakage of Sensitive Information through Git (Developer Protection)384
Client-Side Warning Notifications385
Installing the Application Control Policy386
Client Settings387
Configuring Client Settings Policy Rules387
Client User Interface Settings388
Log Upload389
Installation and Upgrade Settings390
Users Disabling Network Protection391
Sharing Data with Check Point392
Remote Access VPN393
Access Zones394
Trusted Zone395
Changing the Access Zones Policy397
Network Objects399
Configuring a Host as a Network Object399
Configuring an Address Range as a Network Object399
Configuring a Network as a Network Object400
Configuring a Site as a Network Object400
Configuring a Group as a Network Object401
Configuring a Site Group as a Network Object401
Remote Help403
Web Remote Help404
Turning on Web Remote Help on Endpoint Security Management Server404
Configuring the Length of the Remote Help Response404
Logging into Web Remote Help Portal405
Configuring a Standalone Web Remote Help Server406
Managing Web Remote Help Accounts406
Configuring SSL Support for AD Authentication411
Giving Remote Help to Full Disk Encryption Users412
Media Encryption & Port Protection Remote Help Workflow414
Disabling Remote Help416
User-Bound Remote Help417
Uninstalling the Endpoint Security Client Using Challenge-Response418
Offline Mode420
Configuring Offline Mode421
Creating Offline Administrators428
Editing Pre-Boot Users429
Moving from Offline to Online Mode431
Endpoint Offline Management Tool432
Logging in to the Offline Tool432
Password Assistance432
Selecting a User433
Challenge from User433
Response to User433
Disk Recovery433
Select a User Account433
Select Media434
Uninstalling Endpoint Security Using Challenge-Response in Offline Mode435
Glossary439

Check Point HARMONY R81 - Configuring Network Blades for Forensics Triggers and Remediation

Table of Contents

Related product manuals