ATRG: Endpoint Security Anti-Malware Blade
Solution

Table of Contents:

  • Introduction
  • Product architecture
    • Client-Server architecture
    • Client architecture
  • Product functionality
  • Anti-Malware Blade UI
  • Updating Anti-Malware
  • Scanning
    • Understanding Scan Results
    • Viewing Quarantined Items
  • Integration with Media Encryption Blade
  • Viewing Anti-Malware Logs
  • Managing Anti-Malware blade
    • Anti-Malware status in SmartConsole
    • Defining policy for Anti-Malware blade
    • Understanding Anti-Malware exclusions
  • Troubleshooting and debugging

Introduction to Endpoint Anti-Malware blade

The Endpoint Anti-Malware blade's purpose is to protect PCs from viruses, spyware, and other malicious software.

This document describes several aspects of the Anti-Malware blade - its principal architecture, functionality, working with the blade within Endpoint Security Client and configuring its policies with SmartConsole, and troubleshooting recommendations.

Product architecture

Client-Server architecture

From the Anti-Malware perspective, Endpoint Security Client gets the following information from the Endpoint Security Server:

  • Policy definitions
  • Signatures

Signatures can also be downloaded from different Internet Sources according to the policy.

The Endpoint Security Client sends the following Anti-Malware-related information to the Endpoint Security Server:

  • Logs (from the other blades as well)

To reduce load to the Endpoint Security Server, additional servers can be deployed. These servers are called Policy Servers. Policy Servers provide the same functionality to Clients; however, they cannot be used to manage policies with SmartConsole.

Client architecture

On the client side, several important components communicate with one another, as described in the figure above.

These components are:

  • Check Point Endpoint Agent service - performs all communications with the Endpoint Security Server, including Policies download, log upload, etc. When this service is not running, the client is disconnected from the server.
  • Check Point Device Auxiliary Framework service - performs all communications with the installed Endpoint Security Blades and UI. When this service is not running, the blades do not get the latest policies and do not update the UI and server about their status.
  • Check Point Client UI service and Client UI process - perform user actions handling and show blades status and messages.
  • Check Point Anti-Malware Protection service - performs malware protection. When this service is not running, the Anti-Malware engine does not work according to the policy.
  • Signature updater - subcomponent of the Anti-Malware Protection service, which is not constantly running. The Anti-Malware Protection service must be running in order to update Signatures.
  • Anti-Malware Engine components - low-level kernel drivers that perform actual real-time protection and scans.
  • Other infrastructure components - less important modules. For example, deployment module and Log Viewer utility.

Product functionality

On the client side, the Anti-Malware blade protects computers against viruses, spyware, and malicious software. Real-time and scheduled scans detect malicious software and render it harmless before it can cause damage.

Anti-Malware Blade UI

The Anti-Malware Blade UI shows blade status, including policy version, and all detected (quarantined and deleted) items.

To view the status of Anti-Malware, from the Endpoint Security Main Page, click "Anti-Malware".

On this page you can see the:

  • Current Status - A summary of the Anti-Malware status of your computer. See the history of when scans and updates occurred. If the status shows that the Anti-Malware signatures are out of date, click "Update Now". The status can be:
    • On - Anti-Malware has started and is up to date.
    • Off - Anti-Malware is turned off and not active.
    • Initializing - Anti-Malware is still starting.
    • Warning - Anti-Malware is not up to date. Update as soon as possible.
    • Alert - Anti-Malware is severely out of date. Update immediately.
    • Error - An error is preventing the Anti-Malware from working. Please contact administrator.
    • Infected - Untreated malware was detected on computer. Please contact administrator.
    • Scanning - Anti-Malware scan is currently in progress.
  • Dates and times of last scans and Last update.
  • Scan System Now - Click to start an Anti-Malware scan immediately
  • View Current Scans - See the progress of scans that are running.
  • See items that are quarantined. Quarantined items are deleted and put in a secure storage area. They can be restored from this area, if necessary. To restore a file from quarantine, the administrator should either add the infection to the exclusions or remove the detection from the signatures.
  • Infections - Shows a list of infected files that were detected. In some cases, items detected during an Anti-Malware scan cannot be treated or removed automatically. These items are usually placed into quarantine so that they become harmless, but preserved so that they can be treated in the future. It includes this information about each file:
    • Infection Name - Name of the malware
    • Path - The original location of the malware on your computer.
    • Infection Status - If the infection is treated or untreated.
    • Detection Time - When the file was detected.
    • Treatment Time - When the file was treated.
    • Quarantined - If the file was put in quarantine.
  • You can select a file and choose one of these options: 
    • Rescan - Scan the file again (only if the file was not treated). 
    • Delete - Permanently delete the file (only if the file was in quarantine). 
    • Restore - Restore the file from quarantine. Do this only after you make sure that the file is safe.

Updating Anti-Malware

Every Anti-Malware application contains a definition file, with information to identify and locate malware on the computer. As new malware applications are discovered, the client updates its database with the definition files necessary to detect these new threats.

The Endpoint Security Client gets updates regularly. In the Client Status section of the Anti-Malware Detail pane, you can see when the last update occurred.

To run an update:

  • In the Endpoint Security Main Page, under Tools, click "Update Now".

or

  • Right-click the Endpoint Security icon in the taskbar notification area and select "Update Now".

If there is an error, you see a message:

  • Anti-Malware was unable to update. No connection to the server - Make sure that you are connected to the network. If you continue to see this, contact your administrator.
  • An unexpected error occurred - If you continue to see this, contact your administrator.
  • Anti-Malware Updater is off

Scanning

You can start a scan of your computer, or a specific file, folder or directory in these ways:

To scan the full computer:

  • In the Endpoint Security Main Page, click Tools > Scan system now.
  • Right-click the notification area icon and select Scan system now.

To scan a file, folder, or drive:

  • Right-click a file, folder, or drive on your computer and choose "Scan with Check Point Anti-Malware".

Based on the settings configured by your administrator, Anti-Malware scans the entire contents of your computer. It finds malware that might be dormant on all parts of your computer.

Because full-computer scans are very thorough, they require time and computer resources. Therefore, your computer's performance might be slow while a full-computer scan is in progress. To avoid impact on your work, your administrator can schedule scans to run at a time when you are not likely to use your computer.

Note: If you click "Pause" in the Scan window while a scan runs, only the current scan stops. On-Access scanning is not disabled. Click "Resume" to continue the scan.

Understanding Scan Results

After the scan is completed, the details of malware detected show in the scan window. The details are:

  • Threat - The name of the malware detected.
  • Type - The type of threat.
  • Action - What actions Endpoint Security took.
  • Result - The result of the action.
  • Path - Where the infection was found on the computer.

Viewing Quarantined Items

Quarantine is a configurable option. It is used only when configured (enabled by default).

Anti-Malware places an infected file in quarantine before attempting to cure it. After that, Anti-Malware tries to cure the file. If a cure is not possible, Anti-Malware deletes it.

An infected file is placed in quarantine, even if it can be cured or deleted.

To view and treat items in quarantine:

  1. Open Anti-Malware.

    The details of the quarantined files show in the Infections list:

    • Infection Name - Name of the malware
    • Path - The original location of the malware on your computer.
    • Infection Status - If the infection is treated or untreated.
    • Detection Time - When the file was detected.
    • Treatment Time - When the file was treated.
    • Quarantined - If the file was put in quarantine.
  2. Select a file and click:
    • Rescan - Scan the file again
    • Delete - Permanently delete the file.
    • Restore - Takes the file out of quarantine

Note: Only restore a file if you are sure that the file is not malware.

Integration with Media Encryption Blade

The Anti-Malware blade can be used together with the Media Encryption & Port Protection blade for automatic scans of the inserted media. The status of the scan is seen in "Authorization Status" in Media Encryption & Port Protection UI. This status can be one of the following:

  • Authorized - Clean from malware.
  • Not Authorized - Malware or suspicious files were found. You cannot open, encrypt, or decrypt a device that is not authorized.
  • Waiting for scan - The device was not scanned yet.

Depending on the MEPP Policy, the Authorization Scan may start automatically when the media is inserted, or may be initiated manually. To initiate it manually, select a device in Media Encryption & Port Protection and click "Scan Device". Files are scanned according to the Media Encryption & Port Protection policy.

Note: Clicking "Pause" in the Scan dialog while a scan is being performed will stop the current scan only. On Access scanning will not be disabled. Click "Resume" to resume the current scan.

Viewing Anti-Malware Logs

The Log Viewer tool can show logs from different blades. The same logs can be viewed by the Administrator with SmartConsole.

To open Log Viewer, you can open Client UI, select "Advanced" and "View Logs".

Log Viewer shows the following events for the Anti-Malware blade:

  • Scan Start - occurs when any scan (scheduled, system, contextual, ME, etc), or monitor (file, behavioral, web, etc) is initiated.
  • Scan Stop - occurs when any scan (scheduled, system, contextual, ME, etc), or monitor (file, behavioral, web, etc) is stopped.
  • Update - occurs when Signature update is initiated
  • Infection - occurs when Anti-Malware blade detects Malware
  • Infection Status Change - occurs when Malware status is changed (for example, when Malware is removed from quarantine)

For each event, Log Viewer can show the following information:

  • Time of event
  • Type of event
  • Active Policy
  • Scan type
  • Other information

Managing Anti-Malware blade

Anti-Malware status in SmartConsole

Overview tab

The Anti-Malware status is reflected in the Overview Tab of SmartEndpoint in "Alerts" and "Security Status" sections.

Alerts are configurable in the "Alerts" section in the Reporting tab. Alerts can be enabled or disabled, and thresholds and email notifications can be configured for them.

Security status shows charts of different security status categories, including:

  • Anti-Malware Updates - Shows which endpoint computers have or are lacking current Anti-Malware signature updates.
  • Malware Infections - Shows which endpoint computers are malware-free, have not been scanned, or have malware problems.

For each category the following charts are shown:

  • Trend tab - A line chart that shows the trend over time.
  • Endpoints tab - A table that shows Endpoint computers in greater detail.

Reporting tab

The Reporting tab of SmartEndpoint shows the following reports for the Anti-Malware blade:

  • Anti-Malware status
  • Top infections
  • Anti-Malware Provider Brands
  • Anti-Malware Scanned Date
  • Anti-Malware Updated on

For each report, SmartEndpoint shows a pie chart showing how many computers belong to each category and allows seeing the list of the computers. Here is the example of the Top Infections chart.

Push operations

Push Operations are operations that the Endpoint Security Management Server pushes directly to client computers with no policy installation required.

These Push Operations are available for Anti-Malware blade:

  • Scan for malware - Run an Anti-Malware scan on the computer, or computers, based on the configured settings.
  • Update malware signatures - Update malware signatures on the computer or computers, based on the configured settings.
  • Temporarily restore files from quarantine - Temporarily restores files from quarantine on the computer, or computers, based on the configured settings.

Starting Push Operations

To start Push Operations from an object in the SmartEndpoint:

  1. Right-click an object (user or computer) and select a blade, and then an operation.
  2. Click "Yes" to confirm that you want to do the operation.
  3. Optional: Click "Advanced Settings" to use settings that are not the default.

To start Push Operations from 'Reporting > Push Operations':

  1. In 'Reporting > Push Operations', click "Create new".
  2. Select a blade and an operation.
  3. Click "Next".
  4. Select an OU, node, or computer to get the operation.
  5. Click "Next".
  6. Configure the settings for the operation.
  7. Click "Next".
  8. Click "Finish".

Defining policy for Anti-Malware blade

Prerequisites

Before configuring Anti-Malware, you must:

  • Configure a proxy server if you plan to use Anti-Malware in an environment that includes a proxy server for Internet access.
  • Configure the firewall gateway to accept traffic from Anti-Malware updates and Cloud Reputation services.
  • Configure port access.

Configuring proxy-server

To configure the Endpoint Security Management Server to work with a proxy server:

  1. On the Endpoint Security Management Server, run: cpstop.
  2. Open $UEPMDIR/engine/conf and edit the local.properties file.
    Note: Delete the # character from the beginning of each row that you edit.
  3. Add these properties:  
    • The proxy server's IP address, as shown in the example below: http.proxy.host=<address>
    • The proxy server's listening port, as shown in the example below: http.proxy.port=8080 
    • The username, if basic authentication is enabled on the proxy server. Leave it empty, if no authentication is required. http.proxy.user=<username>
    • The password, if basic authentication is enabled on the proxy server. http.proxy.password=<password>
  4. Save the $UEPMDIR/engine/conf/local.properties file.
  5. On the Endpoint Security Management Server, run: cpstart.
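
A check to run on the edited file before cpstart, as an added example (not Check Point code): the function reads the text of local.properties and reports proxy keys that are still commented out or hold unusable values. It assumes plain key=value lines as in the steps above; both sample files and the address 192.0.2.10 are constructed.

```python
"""Sanity-check the http.proxy.* keys in the text of local.properties (added example)."""
import re

REQUIRED = ("http.proxy.host", "http.proxy.port")
# Optional leading '#', then an http.proxy.* key, '=', and the value.
LINE = re.compile(r"^\s*(#?)\s*(http\.proxy\.\w+)\s*=\s*(.*?)\s*$")


def check_proxy_properties(text):
    """Return a list of problems; an empty list means the proxy keys look usable."""
    active, commented = {}, set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        hashed, key, value = m.groups()
        if hashed:
            commented.add(key)      # row was not activated: '#' still in front
        else:
            active[key] = value

    problems = []
    for key in REQUIRED:
        if key not in active:
            state = "still commented out" if key in commented else "missing"
            problems.append(f"{key}: {state}")
    host = active.get("http.proxy.host")
    if host is not None and (not host or "<" in host):
        problems.append("http.proxy.host: empty or placeholder value")
    port = active.get("http.proxy.port")
    if port is not None and not (re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536):
        problems.append("http.proxy.port: not a valid TCP port")
    # Basic authentication needs both values; no authentication needs neither.
    user = active.get("http.proxy.user", "")
    password = active.get("http.proxy.password", "")
    if bool(user) != bool(password):
        problems.append("http.proxy.user/password: set both, or leave both empty")
    return problems


# Constructed sample: host row never uncommented, typo in the port, password without user.
SAMPLE_BEFORE = """\
# Proxy configuration
#http.proxy.host=192.0.2.10
http.proxy.port=808O
http.proxy.user=
http.proxy.password=constructed-secret
"""

# Constructed sample: proxy without authentication, as described in step 3.
SAMPLE_AFTER = """\
http.proxy.host=192.0.2.10
http.proxy.port=8080
http.proxy.user=
http.proxy.password=
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_proxy_properties(text) or "OK")
```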

Allowing Anti-Malware Update Traffic

After configuring the proxy server, configure the firewall gateway to accept the traffic to the update servers.

To enable update traffic through a proxy server:

  1. In your Security Gateway, allow outbound internet connectivity.
  2. In your Security Gateway, allow outbound connectivity to the Anti-Malware update server.

Port Access

The Endpoint Security server must have access to ports 80 and 443 to retrieve the latest malware definitions. Make sure that your firewall gateway allows this traffic.

Configuring Anti-Malware Policy Rules

For each Action in a rule, select an option, which defines the Action behavior. You can select a predefined Action option or select "New" to define a custom Action option.

Right-click an Action, and select "Edit" or "Edit Shared Action" to change the Action behavior.

Changes to policy rules are enforced only after you install the policy.

Note that exclusions that you configure in one action apply to all Anti-Malware scans.

Scan All Files on Access

By default, all files are scanned when they are opened or used.

You can configure Trusted Processes, as exceptions. When a trusted process accesses a file, the file is not scanned. Exclude a process only if you fully trust it and are sure it is not malware. Refer to sk122706 for more details.

You can also select or clear these options:

  • Detect Unusual Activity - Use behavior detection methods to protect computers from new threats whose information has not been added to the databases yet. It does not monitor trusted processes.
  • Enable Cloud Reputation Services For Files, Web Resources, and Processes - Use cloud technologies to improve precision of scanning and monitoring functions. If you enable or disable this setting, it takes effect after the client computer restarts.
  • Connection Timeout - Change the maximum time to get a response from Reputation Services (in milliseconds). Note: If you decrease this value, it can improve the performance of the Anti-Malware blade but reduces security, as clients might not get a reputation status that shows an item to be zero-day malware.
  • Enable Web Protection - Prevents access to suspicious sites and execution of malicious scripts, scans files and packed executables transferred over HTTP, and alerts users if malicious content is found.
  • Mail Protection - Enable or disable scans of email messages when they are passed as files across the file system.

To configure trusted processes:

  1. In the Properties of the Scan all files on Access Action, click "Add".
  2. In the Trusted Processes window, enter the fully qualified path or an environment variable for the trusted executable file. For example:
    • C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe
    • %programdata%\MyTrustedProgram.exe
  3. Click "OK". The trusted program shows in the Trusted Processes list.

Malware Signature Updates

Anti-Malware gets malware signature updates at regular intervals to make sure that it can scan for the newest threats.

These Actions define the frequency of the signature updates and the source.

  • Check for malware signature updates every 4 hours - Signature updates occur every 4 hours from the Endpoint Policy Server and Check Point server.
  • Check for malware signature updates every 2 hours - Signature updates occur every 2 hours from the Endpoint Policy Server and Check Point server.

Double-click an Action to edit the Properties.

You can change these settings:

  • Updater Interval - Frequency, in hours, between client requests for malware signatures and scanning for engine updates.
  • Signature update will fail after - The connection time out, after which the update source is considered unavailable.
  • Update Signatures From - The server or servers that the client gets updates from.
  • Signature Source can be:
    • Local Endpoint Servers - Get updates from the Endpoint Security Management Server, or configured Endpoint Policy Server.
    • External Check Point Signatures Server - Get updates from an external Check Point server through the internet.
    • Other External source - Get updates from an external source through the internet. A URL should be provided.
  • If first update fails - Set a fallback update source to use if the selected update source fails. Select a different option than the first signature source.
  • If second update fails - Set a second fallback update source to use if the other sources fail.

Note: If only "Update from Local Endpoint Servers" is selected, clients that are disconnected from an Endpoint Security Server cannot get updates.

Schedule of Malware Scans

Anti-Malware scans computers for malware at regular intervals to make sure that suspicious files are treated, quarantined, or deleted.

These Actions define the frequency of the scans.

  • Perform periodic anti-malware scan every day - A scheduled scan occurs every day at the time shown in the Properties.
  • Perform periodic anti-malware scan every week - A scheduled scan occurs every week at the day and time shown in the Properties.
  • Perform periodic anti-malware scan every month - A scheduled scan occurs every month at the date and time shown in the Properties.

Double-click an Action to edit the Properties.

You can select the exact day and time of day that the scan occurs.

The targets of the scan are defined in the Scheduled Scan Targets Action.

Periodic Scan Options

These Actions define which components of computers are scanned during the scheduled malware scans.

Action Description

  • Periodically scan system critical areas only - The scheduled scan scans system critical areas, for example: the operating system, processes, and memory. These are the targets of most malicious programs.
  • Periodically scan local hard-drives - The scheduled scan scans system critical areas and local drives.
  • Periodically scan local and removable drives - The scheduled scan scans system critical areas and local and removable drives.

Double-click an Action to edit the Properties.

You can change:

  • The exact scan targets.
  • Files or folders that are excluded from scans.
    • Skip archives and non-executables - When selected, these types of files are not scanned.
    • Do not scan files larger than - Select the maximum size of files to be scanned. This option applies to On Demand scans, Scheduled scans and Contextual scans. It does not apply to On Access scans.
    • Configure files and folders exclusions - Click to configure specified file, or extensions to exclude.

Exclude Files and Folders from Scan

You can exclude the contents of trusted directories or files and specified trusted program executables from the Anti-Malware scheduled scan. You can also exclude all files of a specified file extension. Refer to sk122706 for more details.

For example, you might exclude these types of directories, or programs from the scan:

  • The directory or program is located in a Trusted Zone
  • The directory or program is a low risk target for viruses
  • Scanning has an adverse effect on computer performance

Excluding a folder prevents the Anti-Malware scanner from examining the folder contents. Excluding a process lets the specified, trusted executable run without being monitored by Anti-Malware. Exclude a process only if you fully trust it and are sure it is not malware.

Excluded items are not scanned during full computer, scheduled, and on access scans. They are not excluded from scans initiated by users with a right-click > Scan with Check Point Anti-Malware.

Notes

  • All directory paths must end with a backslash, for example: C:\folder\. Filenames do not end with a backslash.
  • You cannot use environment variables to exclude folders and file paths.

To configure a list of file paths that are excluded from scans:

  1. Right-click the Periodically scan action and select Edit Properties.
  2. In the Properties window, click the Configure files and folders exclusions link.
  3. In the New File Path Exclusion Properties window, click "Add" and enter:
    • The fully qualified path to a file, file type, or directory (including its subdirectories) to be excluded from the malware scan.
    • The fully qualified path to a trusted executable to be excluded from malware monitoring.
  4. In the Path Exclusions window, click "Browse" and go to the trusted directory. Alternatively, you can:
    • Enter a directory path. Example: C:\Program Files\MyTrustedDirectory\
    • Enter a specific file. Example: C:\Program Files\excludeMe.txt
    • Enter a file type. Example: *.txt
  5. Click "OK".

The trusted directory shows in the Scan exclusions list.

Scan Optimization

The scan optimization options let you run a malware scan quickly and with less impact on performance and system resources. The options are:

  • Do not optimize malware scan - Scan optimization is disabled.
  • Optimize malware scan - Enables the Perform scan optimizations feature only (see below).

You can define custom scan optimization actions by enabling these options:

  • Perform scan optimizations - Optimize the scan by storing file checksums and NTFS file system data during the first scan. NTFS cluster size, file name, and folder structure are cached. During subsequent scans, only new files or files whose checksum, file size, name, or structure has changed are scanned.
  • Scan Priority is lower than other running process - Makes sure that scans have a lower priority for CPU, disk and other I/O resources to minimize the performance impact on critical processes.

 

Malware Treatment

The malware treatment options let you choose what happens to malware that is detected on a client computer.

Double-click an Action to edit the Properties.

You can change the settings for malware and riskware. The options are:

  • Malware Treatment - Malware is software that is definitely dangerous.
    • Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is deleted and put in a secure location, from where it can be restored if necessary.
    • Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.
  • Riskware Treatment - Riskware is legal software that might be dangerous.
    • Treat as malware - Use the option selected for Malware.
    • Skip file - Do not treat Riskware files.

Exceptions

You can create a list of infections (by name) that will get different treatment than the selections above. Use an exception to allow a file that was detected as a threat in your organization, but was a false positive, or Riskware (software that can have both legitimate and malicious usage). For example, RAdmin might be detected as a threat, but you want to allow it. Refer to sk122706 for more details. 

You can get the virus names of threats detected in your organization from one of these sources:

  • In SmartEndpoint > Users and Computers, select a computer and click "Anti-Malware". The list of infections for that computer will show.
  • The Top Infections report.
  • Anti-Malware infection logs in Smart Log

To create a list of exceptions for malware treatment:

  1. In the Edit Properties - Malware Treatment window, click "Override treatment for specific infections".
  2. Click "Add" to add infections to the list.
  3. Enter the name of the infection.
  4. Click "OK".
  5. Click "OK".

Understanding Anti-Malware exclusions

There are several ways to configure exclusions in Anti-Malware policy.

  • White-listed processes in Scan all files action
  • Files and folders exclusions in Scheduled Scan Targets action
  • White-listed infections in Malware Treatment action

Also, you can disable some Anti-Malware technologies in Scan All Files and Scheduled Scan Targets actions. For example, you can exclude scanning mail messages, or skip scanning OS critical areas; however, it is not possible to exclude specific type, recipient or subject in email messages.

White-listed processes

The first type of exclusion (white-listed processes) is mostly for a performance boost. If an application performs many operations on the system and runs slowly, you can add it to this white-list; most of the operations made by this application won't be scanned and will run faster. An example is an application located on a mapped network drive. You cannot add non-executable files to this whitelist.

Files and folders exclusions

The second type of exclusion lets you list files or folders on the filesystem that should not be scanned. This list affects on-access and scheduled scans. This is the most common exclusion used to make Anti-Malware skip a falsely detected file. The file can be an executable, a document, a media file or anything else.

White-listed infections

The last type of exclusions allows listing infections that are incorrectly detected. For example, RAdmin tool can be considered as Riskware (malware) in some organization, but in other organizations it can be one of the main tools used by personnel. This list allows configuring such exceptions. Paths to files and executables cannot be provided here. Instead, it should be the infection name, for example EICAR-Test-File. Infection name can be seen on the client in the Infections group, or on the server in the Reporting tab.
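
The rules for the three exclusion lists above, together with the path notes under "Exclude Files and Folders from Scan", can be checked mechanically before a policy is installed. The linter below is an added example, not part of the product: the sample entries are constructed, and the .exe test, the acceptance of UNC paths and the "no extension means folder" test are heuristics assumed here.

```python
"""Lint Anti-Malware exclusion entries against the rules stated in this article.

Added example. Entries are plain strings; the sample policy is constructed.
"""
import re
from typing import NamedTuple

ENV_VAR = re.compile(r"%[^%\\]+%")                 # %programdata%, %TEMP%, ...
QUALIFIED = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")   # C:\... or \\server\... (UNC: assumption)
FILE_TYPE = re.compile(r"^\*\.\w+$")               # *.txt
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\$")          # C:\


class Finding(NamedTuple):
    list_name: str
    entry: str
    severity: str  # "error": breaks a rule from the article; "review": heuristic
    message: str


def lint_trusted_process(entry):
    """Trusted Processes list of the 'Scan all files on Access' action."""
    issues = []
    if not (QUALIFIED.match(entry) or ENV_VAR.match(entry)):
        issues.append(("error", "needs a fully qualified path or an environment variable"))
    if entry.endswith("\\"):
        issues.append(("error", "must name an executable file, not a directory"))
    elif not entry.lower().endswith(".exe"):
        # Heuristic (assumption): only .exe is treated as executable here.
        issues.append(("review", "not an .exe; non-executable files cannot be trusted"))
    return issues


def lint_path_exclusion(entry):
    """Files and folders exclusions of the scheduled scan action."""
    if FILE_TYPE.match(entry):
        return []  # file-type exclusion such as *.txt
    issues = []
    if ENV_VAR.search(entry):
        issues.append(("error", "environment variables cannot be used in path exclusions"))
    elif not QUALIFIED.match(entry):
        issues.append(("error", "not a fully qualified path"))
    if DRIVE_ROOT.match(entry):
        issues.append(("review", "excludes an entire drive from scans"))
    elif not entry.endswith("\\") and "." not in entry.rsplit("\\", 1)[-1]:
        # Heuristic (assumption): a last component without an extension is a folder.
        issues.append(("review", "looks like a directory; directory paths must end with '\\'"))
    return issues


def lint_infection_exception(entry):
    """Infection names of the 'Malware Treatment' action."""
    if "\\" in entry or ENV_VAR.search(entry) or FILE_TYPE.match(entry):
        return [("error", "expects an infection name such as EICAR-Test-File, not a path")]
    return []


LINTERS = {
    "trusted_processes": lint_trusted_process,
    "path_exclusions": lint_path_exclusion,
    "infection_exceptions": lint_infection_exception,
}


def audit(policy):
    """Run every list in `policy` (dict of list name -> entries) through its linter."""
    findings = []
    for list_name, linter in LINTERS.items():
        for entry in policy.get(list_name, []):
            entry = entry.strip()
            findings += [Finding(list_name, entry, sev, msg) for sev, msg in linter(entry)]
    return findings


# Constructed sample policy: valid entries from the article mixed with broken ones.
SAMPLE_POLICY = {
    "trusted_processes": [
        "C:\\Program Files\\MyTrustedDirectory\\MyTrustedProgram.exe",
        "%programdata%\\MyTrustedProgram.exe",
        "C:\\Program Files\\MyTrustedDirectory\\",   # directory, not an executable
        "C:\\Reports\\quarterly.docx",               # not an executable
    ],
    "path_exclusions": [
        "C:\\Program Files\\excludeMe.txt",
        "*.txt",
        "C\\Program Files\\MyTrustedDirectory\\",    # missing ':' after the drive letter
        "%TEMP%\\cache\\",                           # environment variable
        "C:\\Build\\output",                         # folder without trailing backslash
        "D:\\",                                      # whole drive
    ],
    "infection_exceptions": ["EICAR-Test-File", "C:\\Tools\\radmin.exe"],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f"{f.severity.upper():6} {f.list_name}: {f.entry!r}: {f.message}")
```

Entries marked "error" contradict a rule stated in this article; entries marked "review" are legal but deserve a second look before the policy is installed.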

Troubleshooting and debugging

The very first step for troubleshooting Anti-Malware is examining its UI overview.

Status can be one of the following

  • On - Anti-Malware has started and is up to date.
  • Off - Anti-Malware is not active.
  • Initializing - Anti-Malware is still starting.
  • Warning - Anti-Malware is not up to date. Update as soon as possible.
  • Alert - Anti-Malware is severely out of date. Update immediately.
  • Error - An error is preventing the Anti-Malware from working. Contact your administrator.
  • Infected - Untreated malware was detected on your computer.
  • Scanning - Anti-Malware scan is currently in progress.

If the Anti-Malware status is Error, Alert, Warning or Infected, action is required: a manual update, a scan, or treatment of a quarantined item may be needed. If there are errors related to the Anti-Malware engine (as in the screenshot above), a restart may help. Otherwise, contact Check Point Support.

Problems with Signatures

If you see that the Anti-Malware blade does not get the latest updates, or if you see some errors with Signature update, check the network communications and Updater policy settings.

If the problem continues - contact Check Point Support to determine the cause of problem.

Problems with infections

Reporting suspected malware or false detections to Check Point helps to improve the security and protection of all Internet users.

If you think that you have malware in your organization that was not detected by Anti-Malware, contact Check Point Support. If Anti-Malware mistakenly identifies a file as malware, contact Check Point Support.

Performance problems

The scan optimization options let you do a malware scan quickly and with less impact on performance and system resources.

You can define custom scan optimization actions by enabling these options:

  • Perform scan optimizations
  • Scan Priority is lower than other running process

Also, if a specific process runs slowly while the Anti-Malware blade is active, you can add this process to a white-list in the Scan on Access action.

Other problems and debug procedures

Contact Check Point Support for resolution of all other problems with Anti-Malware blade. For AM-related problems, cpinfo and engine logs are usually required for successful investigation. Other logs or information may also be requested by Check Point Support.

Collecting cpinfo

On all systems installed with Endpoint Security, there is a debug log collector accessible via the Endpoint Security Client App. The tool is called CPinfo; see sk90445E.

CPinfo can be executed in the three modes below. For faster investigation, always select Extended mode as it contains more information. The following information related to Anti-Malware blade is collected in different modes:

  • Basic: Basic information about Anti-Malware Signatures is collected
  • General: Additionally, main Anti-Malware logs are collected
  • Extended: Additionally, the MSinfo is gathered in this mode. This is needed during some investigations.

Collecting engine logs

Engine internals and logs may be different in different versions of Endpoint Security Client. Contact Check Point Support for exact instructions on how to collect engine logs.
