C:\ProgramData\CheckPoint\Logs\EFRService.log
20191101 11:19:42.866 I dcc CEFRService::OnStart: ########## CPEFR Service Starting, PID=4028, Version=860058011
20191101 11:19:42.913 I dbc CEFRService::ThreadedStart: Starting Service....
20191101 11:19:42.928 W dbc TPCommonHelper::Init: could not load TPCommonCli dll, error: 126
20191101 11:19:42.928 E dbc TPCommonHelper::RegisterExceptionHandler: unavailable
20191101 11:19:42.928 V dbc EfrPolicy::LoadLastAppliedPolicy: Loading last applied policy.
20191101 11:19:42.928 V dbc EfrPolicy::LoadLastAppliedPolicy: Failed to read last applied policy from local disk. Trying to load from resource.
20191101 11:19:42.928 I dbc EFRUtils::GetEFRMode: Using EFR mode: zamm
20191101 11:19:42.928 I dbc EfrPolicy::LoadDefaultForensicsPolicy: IDT_DEFAULT_POLICY_AR_OFF loaded
20191101 11:19:42.928 V dbc EfrPolicy::LoadDefaultForensicsPolicy: Successfully loaded default Forensics policy.
20191101 11:19:42.944 I dbc XMLPolicyParser::XMLEFRPolicyParser::InitializeARPolicy: Loaded AR policy from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\ARPolicy.xml
20191101 11:19:42.959 I dbc ServerConnectorFactory::GetServerConnector: LiteAgent mode on
20191101 11:19:42.959 I dbc LiteAgentConnector::Init: Starting
20191101 11:19:45.866 E dbc LiteAgentConnector::Init: Failed to get EFR policy. Retval is 0
20191101 11:19:45.866 E dbc LiteAgentConnector::Init: Failed to get Common Client Settings policy. Retval is 0
20191101 11:19:45.866 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_AR.dll
20191101 11:19:45.866 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_AR.dll
20191101 11:19:45.866 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_ENV.dll
20191101 11:19:45.866 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_ENV.dll
20191101 11:19:45.866 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_FLT.dll
20191101 11:19:45.881 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_FLT.dll
20191101 11:19:45.881 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_INJECT.dll
20191101 11:19:45.897 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_INJECT.dll
20191101 11:19:45.897 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_NET.dll
20191101 11:19:45.913 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_NET.dll
20191101 11:19:45.913 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_PS.dll
20191101 11:19:45.913 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_PS.dll
20191101 11:19:45.913 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REG.dll
20191101 11:19:45.913 I 1374 NgavBridge::Init: NGAV Engine init
20191101 11:19:45.944 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REG.dll
20191101 11:19:45.944 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REGDETECT.dll
20191101 11:19:45.944 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REGDETECT.dll
20191101 11:19:45.944 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_SCRIPTS.dll
20191101 11:19:45.944 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_SCRIPTS.dll
20191101 11:19:45.944 I dbc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_USER.dll
20191101 11:19:45.991 I dbc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_USER.dll
20191101 11:19:45.991 V dbc CEFRService::SetSensorsConfig: Setting sensors configurations
20191101 11:19:46.116 I dbc BackupAndRestorationManager::InvokeBackupAndRestoration: Start Call BackupAndRestorationManager Invoke
20191101 11:19:46.147 I dbc BackupAndRestorationManager::InvokeBackupAndRestoration: End Call BackupAndRestorationManager Invoke
20191101 11:19:46.147 I dbc BackupAndRestorationManager::InitBackupDriver: Start Create Backup Driver
20191101 11:19:46.147 I dbc BackupAndRestorationManager::InitBackupDriver: Success to connect to backup driver
20191101 11:19:46.147 I dbc BackupAndRestorationManager::InitBackupDriver: End Create Backup Driver
20191101 11:19:46.147 I dbc UIFactory::GetActiveUI: Using LiteAgentUIManager
20191101 11:19:46.147 I dbc APIManager::Init: API manager initialized
20191101 11:19:46.147 I 728 BehavioralGuardManager::EventsPumpThread: Waiting for event arrival
20191101 11:19:46.163 E dbc RemediationConnector::Init: LoadLibrary failed, error 126
20191101 11:19:46.163 I 724 RollbackManager::HandleRollbackThread: Waiting for event arrival
20191101 11:19:46.163 V dbc CEFRService::ApplyPolicy: EfrPolicy: Name='ATP_Forensics_Default_Policy' Version=0 Date=1479630910236 IsEfrEnabled=Yes YellowWatermark=disabled RedWatermark=disabled DBMaximumSizeOnDisk=1 IsLogUploadEnabled=Yes
    Exclusions: procexp.exe , procexp64.exe , taskmgr.exe , Symantec Corporation , Trend Micro , Trend Micro, Inc. , McAfee , devenv.exe Microsoft Corporation , McAfee ePO Development (SPC) , setupprep.exe Microsoft Windows , setup.exe Microsoft Corporation , setuphost.exe Microsoft Windows , MsMpEng.exe Microsoft Corporation , Kaspersky Lab , devenv.exe Microsoft Corporation , procexp.exe Microsoft Corporation , procexp64.exe Microsoft Corporation , taskmgr.exe Microsoft Windows , Trend Micro, Inc. , Sophos Limited , McAfee, Inc. , Check Point Software Technologies Ltd. , Cisco Systems, Inc.
    FtpURL: is empty
    EventsDetectionByConfidence: TriggerType::FileReputation Confidence Confidence::Low, TriggerType::StaticAnalysis Confidence Confidence::Low, TriggerType::AntiBot Confidence Confidence::Low, TriggerType::CLI Confidence Confidence::Low, TriggerType::Antimalware Confidence Confidence::Low, TriggerType::ThreatEmulation Confidence Confidence::Low, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Low, TriggerType::GatewayAB Confidence Confidence::Low, TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::GatewayURLF Confidence Confidence::Disable,
    QuarantineMachineByConfidence: TriggerType::FileReputation Confidence Confidence::Disable, TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Disable, TriggerType::AntiBot Confidence Confidence::Disable, TriggerType::Antimalware Confidence Confidence::Disable, TriggerType::ThreatEmulation Confidence Confidence::Disable, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Disable, TriggerType::GatewayAB Confidence Confidence::Disable, TriggerType::GatewayURLF Confidence Confidence::Disable,
    AttackRemediationByConfidence: TriggerType::FileReputation Confidence Confidence::Disable, TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Disable, TriggerType::AntiBot Confidence Confidence::Disable, TriggerType::Antimalware Confidence Confidence::Disable, TriggerType::ThreatEmulation Confidence Confidence::Disable, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Disable, TriggerType::GatewayAB Confidence Confidence::Disable, TriggerType::GatewayURLF Confidence Confidence::Disable,
    RemediationEvents: MaliciousOp None, SuspiciousOp None, UnknownOp None, TrustedOp None, fileOpMask: 1022, fileSystemOpMask: 2898, registryOpMask: 1047
    MaintenanceTask mode=Off
    CPULevels=CPULevels=Busy:18; Critical:70; EFRMax:10;
    AntiRansomewareEnabled=0 BackupDiskSpaceUsageGB=1.024 BackupTimeIntervalMinutes=60 ConsistencyBetweenFileToDBMinutes=2880 PurgeOldFilesInDBMinutes=60
    BackupFileTypeExtensions= {.txt MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.docx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.gif MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.rtf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.doc MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mp4 MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.png MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.jpg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.dib MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.dot MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.bmp MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.bpg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.docm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xlsb MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.dotx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.dotm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.docb MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xlsm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xls MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.webp MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xltx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xlt MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xlm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pbm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xlsx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xltm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.tiff MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.ppt MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pot MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pnm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.sldx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.wpd MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pps MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pptx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pptm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.dibl MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.potx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.rle MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.ppsx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.ps MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.eps MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mov MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.prn MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.emf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.csv MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.jfif MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.tif MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.jpeg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.html MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.ppm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pdf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pgm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mp3 MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.hdr MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.heif MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.htm MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.avi MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.3gp MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.flv MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.m4v MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mpeg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.swf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mpg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.wmv MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.asf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.ram MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.wav MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.aif MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.aiff MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mpa MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.m4a MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.wma MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.oef MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.7z MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.zip MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.svg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.rar MaxSizeMB:25 IgnoreAssociatedApps:Yes }
    AutomaticRestorationAndRemediation=Yes ARSilentMode=No RestorationLocation=
    BackupFolderExclusion= "C:\Windows" Recursive:Yes "C:\$windows.~WS" Recursive:Yes "C:\Users\Admin\AppData" Recursive:Yes "C:\ProgramData" Recursive:Yes "C:\Program Files" Recursive:Yes "C:\Program Files (x86)" Recursive:Yes "C:\Windows.old" Recursive:Yes "C:\$Recycle.Bin" Recursive:Yes "C:\$windows.~BT" Recursive:Yes
    BackupProcessExclusion=c:\windows\explorer.exe , Symantec Corporation , Trend Micro , McAfee , McAfee ePO Development (SPC) , Check Point Software Technologies Ltd. , Piriform Ltd , Ghisler Software GmbH , C. Ghisler & Co. , filehistory.exe Microsoft Windows , runtimebroker.exe Microsoft Windows , setupprep.exe Microsoft Windows , setup.exe Microsoft Corporation , setuphost.exe Microsoft Windows , onedrive.exe Microsoft Corporation , groove.exe Microsoft Corporation , dropbox.exe Dropbox, Inc , dropbox.exe Dropbox , cleanmgr.exe Microsoft Corporation , Sync.com Inc. , devenv.exe Microsoft Corporation , JetBrains s.r.o. , McAfee, Inc. , Kaspersky Lab , Trend Micro, Inc. , Sophos Limited , Cisco Systems, Inc. , git.exe Johannes Schindelin
    ARProcessExclusion= ransomware.win.rank winword.exe Microsoft Corporation , ransomware.win.rank excel.exe Microsoft Corporation , ransomware.win.rank onenote.exe Microsoft Corporation , ransomware.win.rank powerpnt.exe Microsoft Corporation , ransomware.win.rank mspub.exe Microsoft Corporation , ransomware.win.rank msaccess.exe Microsoft Corporation , ransomware.win.rank visio.exe Microsoft Corporation
    RemediateFilesCreatedDuringAttackToString=Quarantine Automatic PreventAskAlternative=Detect AskAlternativeTimeoutSeconds=120
    AREventList= UnsignedAbnormalLaunch Action:Detect Validate SignedAbnormalLaunch Action:Detect Validate ShadowCopyDeletion Action:Prevent AbnormalSvchostLaunch Action:Detect Validate TotalModifiedFiles Action:Detect ModifiedSpecificFileType Action:Detect Ranking Action:Detect Validate DummyPotFilesModified Action:Detect Validate MBRDetection Action:Prevent ModifiedSpecificFolders Action:Detect
    AREventSilentList= ModifiedFilesPerMinute Action:Silent TotalModifiedFiles Action:Silent ModifiedDifferentFileTypes Action:Silent ModifiedSpecificFileType Action:Silent Ranking Action:Silent
    FileActivityMap has 64 entries
20191101 11:19:46.163 I dbc BackupAndRestorationManager::SetPolicy: Start Call SetPolicy for BackupDriver
20191101 11:19:46.163 I dbc BackupAndRestorationManager::SetPolicy: AntiRansomeware is disabled, call SetDriverPolicy with empty policy
20191101 11:19:46.163 I dbc BackupAndRestorationManager::SetDriverPolicy: SetDriverPolicy, policy_set_timeout 0 seconds
20191101 11:19:46.163 I dbc BackupAndRestorationManager::SetPolicy: End Call SetPolicy for BackupDriver
20191101 11:19:46.163 I dbc BackupAndRestorationManager::SetPolicy: Start Call SetPolicy for BackupAndRestore
20191101 11:19:46.163 I dbc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBasicPolicy
20191101 11:19:46.163 I 6dc RemediationPushOperationHandler::PushOpPumpThread: Waiting for event arrival
20191101 11:19:46.725 I dbc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBasicCleaningProceduresPolicy
20191101 11:19:46.725 I dbc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBackupProcessExclusions
20191101 11:19:46.725 I dbc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetFileTypeExtensionsPolicy
20191101 11:19:46.725 I dbc BackupAndRestorationManager::SetBackupAndRestorationPolicy: End Call SetPolicy for BackupAndRestore
20191101 11:19:46.725 I dbc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBackupFolderExclusion
20191101 11:19:46.725 E dbc EFRUtils::DriverInfoHelper::FillDriverDetails: DriverInfoHelper::FillDriverDetails [VolumeLtr=(null)], [DeviceName=\Device\HarddiskVolume1]
20191101 11:19:46.725 E dbc EFRUtils::DriverInfoHelper::FillDriverDetails: DriverInfoHelper::FillDriverDetails [VolumeLtr=C:\], [DeviceName=\Device\HarddiskVolume2]
20191101 11:19:46.725 I dbc BackupAndRestorationManager::SetPolicy: End Call SetPolicy for SetDetection
20191101 11:19:46.725 V dbc CEFRService::SetExclusionList: Setting exclusion list
20191101 11:19:46.725 V dbc CEFRService::SetExclusionList: Exclusion list was set
20191101 11:19:46.725 E dbc ThirdPartyManager::PushPolicy: Enabled by policy
20191101 11:19:46.913 V dbc CEFRService::ApplySensorsPolicy: Apply Sal Policy config
20191101 11:19:46.913 V dbc DataCollectionManager::ApplyPolicy: Using policy from telemetry
20191101 11:19:48.459 I dbc DataCollectionManager::Start: Started
20191101 11:19:48.459 I dbc MaintenanceTasksMgr::ApplyPolicy: Maintenance Tasks settings: state is On, CPU Busy is: 18, Critical is: 70, EFR max is 10
20191101 11:19:48.459 I dbc NgavBridge::ApplyPolicy: NGAVpolicyViaExclusions from local file
20191101 11:19:55.903 I cb0 LiteAgentConnector::SendInitialStatus: SendInitialStatus called
20191101 11:19:55.965 I dbc NgavBridge::EngineStartCallBack: Return started from engine
20191101 11:19:55.965 I 1b9c NgavBridge::RunSalDataCollection: Started
20191101 11:19:55.965 V dbc CEFRService::SalStartSnapshot: Getting SALs start snapshot
20191101 11:19:55.965 I dbc NgavBridge::Start: Started
20191101 11:19:55.965 V dbc EfrPolicy::SaveAppliedPolicy: Trying to save applied policy.
20191101 11:19:55.965 V dbc EfrPolicy::SaveAppliedPolicy: Successfully saved Forensics policy.
20191101 11:19:55.965 I dbc UpdatesManager::Start: Started
20191101 11:19:55.965 V dbc CEFRService::PostConfigStart: Starting SALs post config
20191101 11:19:55.965 I 1ba4 CEFRService::PostponeDBFeeder: Starting runner
20191101 11:19:55.965 I 1bac EventManager::EventPumpThread: Waiting for event arrival
20191101 11:19:55.965 I dbc CEFRService::ThreadedStart: Service Started. [build '8.60.5.8011']
20191101 11:20:50.387 I fb8 CEFRService::OnStop: Stopping Service....
20191101 11:20:50.387 I fb8 MaintenanceTasksMgr::Stop: Stopping Maintenance Tasks Manager
20191101 11:20:50.387 I fb8 MaintenanceTasksMgr::Stop: Thread signaled to exit
20191101 11:20:50.387 I fb8 Scheduler::Stop: scheduler was signaled to exit
20191101 11:20:50.387 I fb8 Scheduler::Stop: Stopped
20191101 11:20:50.387 V 7e0 APIManager::CallerThread: signaled to exit
20191101 11:20:50.387 V 1ba4 CEFRService::PostponeDBFeeder: Shutdown event is signaled, exiting
20191101 11:20:50.387 I fb8 BehavioralGuardManager::Stop: Stopping...
20191101 11:20:50.387 I fb8 BehavioralGuardManager::Stop: threads signaled to exit
20191101 11:20:50.387 I fb8 BehavioralGuardManager::Stop: Stopped
20191101 11:20:50.387 I fb8 BackupAndRestorationManager::Stop: Stopping...
20191101 11:20:51.153 I fb8 BackupAndRestorationManager::Stop: Start Call BackupAndRestorationManager Stop
20191101 11:20:51.153 I fb8 BackupAndRestorationManager::Stop: End Call BackupAndRestorationManager Stop
20191101 11:20:51.153 I fb8 BackupAndRestorationManager::Stop: Start Call Backup Driver Stop
20191101 11:20:51.153 I fb8 BackupAndRestorationManager::Stop: end Call Backup Driver Stop
20191101 11:20:51.153 I fb8 BackupAndRestorationManager::Stop: Stopped
20191101 11:20:51.153 I fb8 APIManager::Stop: API thread was signaled to exit
20191101 11:20:51.153 I fb8 APIManager::Stop: Stopped
20191101 11:20:51.153 V fb8 DBFeeder::Stop: Stopping
20191101 11:20:51.153 V fb8 DBFeeder::Stop: Stopped
20191101 11:20:51.153 I fb8 LiteAgentConnector::Stop: Stopping
20191101 11:20:51.153 I fb8 FileBehaviorHandler::Stop: Stopping File Activity Notification Handler...
20191101 11:20:51.153 I fb8 FileBehaviorHandler::Stop: threads signaled to exit
20191101 11:20:51.153 I fb8 FileBehaviorHandler::Stop: File Activity Notification Handler Stopped
20191101 11:20:51.231 I fb8 EventViwerMonitor::ReleaseEvents: Releasing ThirdPartyManager events
20191101 11:20:51.231 I fb8 UpdatesManager::Stop: Stoped
20191101 11:20:51.231 I fb8 DataCollectionManager::Stop: Trying to stop
20191101 11:20:56.231 I fb8 DataCollectionManager::Stop: Stoped
20191101 11:20:56.231 I fb8 RemediationPushOperationHandler::Stop: threads signaled to exit
20191101 11:20:56.231 I 1b9c NgavBridge::RunSalDataCollection: Marked to stop
20191101 11:21:11.231 I fb8 NgavBridge::Stop: Stopped
20191101 11:21:11.231 I fb8 EventManager::Stop: Stopping...
20191101 11:21:11.231 I fb8 EventManager::Stop: Stopped
20191101 11:21:11.231 I fb8 CEFRService::OnStop: Service Stopped.
20191101 11:21:45.715 I 1bc4 CEFRService::OnStart: ########## CPEFR Service Starting, PID=6996, Version=860058011
20191101 11:21:45.715 I 1bcc CEFRService::ThreadedStart: Starting Service....
20191101 11:21:45.715 W 1bcc TPCommonHelper::Init: could not load TPCommonCli dll, error: 126
20191101 11:21:45.715 E 1bcc TPCommonHelper::RegisterExceptionHandler: unavailable
20191101 11:21:45.715 V 1bcc EfrPolicy::LoadLastAppliedPolicy: Loading last applied policy.
20191101 11:21:45.715 V 1bcc EfrPolicy::LoadLastAppliedPolicy: Successfully loaded Forensics policy.
20191101 11:21:45.731 I 1bcc EFRUtils::GetEFRMode: Using EFR mode: zamm
20191101 11:21:45.731 I 1bcc XMLPolicyParser::XMLEFRPolicyParser::InitializeARPolicy: Loaded AR policy from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\ARPolicy.xml
20191101 11:21:45.731 I 1bcc ServerConnectorFactory::GetServerConnector: LiteAgent mode on
20191101 11:21:45.731 I 1bcc LiteAgentConnector::Init: Starting
20191101 11:21:46.872 I 1bcc XMLPolicyParser::XMLEFRPolicyParser::InitializeARPolicy: Loaded AR policy from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\ARPolicy.xml
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector UnsignedAbnormalLaunch is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector SignedAbnormalLaunch is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector ShadowCopyDeletion is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector AbnormalSvchostLaunch is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector TotalModifiedFiles is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector ModifiedSpecificFileType is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector Ranking is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector DummyPotFilesModified is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector MBRDetection is silent in policy
20191101 11:21:46.872 I 1bcc EfrPolicy::UpdateEFRPolicyFromARConfig: Detector ModifiedSpecificFolders is silent in policy
20191101 11:21:46.872 V 1bcc CEFRService::ApplyPolicy: EfrPolicy: Name='ZA Forensics Policy' Version=0 Date=1487829766172 IsEfrEnabled=Yes YellowWatermark=disabled RedWatermark=disabled DBMaximumSizeOnDisk=1 IsLogUploadEnabled=Yes
    Exclusions: procexp.exe , procexp64.exe , taskmgr.exe , Symantec Corporation , Trend Micro , Trend Micro, Inc. , McAfee , devenv.exe Microsoft Windows , McAfee ePO Development (SPC) , Check Point Software Technologies Ltd. , setupprep.exe Microsoft Windows , setup.exe Microsoft Corporation , setuphost.exe Microsoft Windows , MsMpEng.exe Microsoft Corporation , Kaspersky Lab , devenv.exe Microsoft Corporation , procexp.exe Microsoft Corporation , procexp64.exe Microsoft Corporation , taskmgr.exe Microsoft Windows , Trend Micro, Inc. , Sophos Limited , McAfee, Inc. , Check Point Software Technologies Ltd. , Cisco Systems, Inc.
    FtpURL: is empty
    EventsDetectionByConfidence: TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Low, TriggerType::AntiBot Confidence Confidence::Low, TriggerType::CLI Confidence Confidence::Low, TriggerType::Antimalware Confidence Confidence::Low, TriggerType::ThreatEmulation Confidence Confidence::Low, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Low, TriggerType::GatewayAB Confidence Confidence::Low, TriggerType::GatewayURLF Confidence Confidence::Disable,
    QuarantineMachineByConfidence: TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Disable, TriggerType::AntiBot Confidence Confidence::Disable, TriggerType::Antimalware Confidence Confidence::Disable, TriggerType::ThreatEmulation Confidence Confidence::Disable, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Disable, TriggerType::GatewayAB Confidence Confidence::Disable, TriggerType::GatewayURLF Confidence Confidence::Disable,
    AttackRemediationByConfidence: TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Disable, TriggerType::AntiBot Confidence Confidence::Disable, TriggerType::Antimalware Confidence Confidence::Disable, TriggerType::ThreatEmulation Confidence Confidence::Disable, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Disable, TriggerType::GatewayAB Confidence Confidence::Disable, TriggerType::GatewayURLF Confidence Confidence::Disable,
    RemediationEvents: MaliciousOp Quarantine, SuspiciousOp Quarantine, UnknownOp Quarantine, TrustedOp Terminate, fileOpMask: 1022, fileSystemOpMask: 2898, registryOpMask: 1047
    MaintenanceTask mode=Off
    CPULevels=CPULevels=Busy:18; Critical:70; EFRMax:10;
    AntiRansomewareEnabled=0 BackupDiskSpaceUsageGB=1.024 BackupTimeIntervalMinutes=60 ConsistencyBetweenFileToDBMinutes=2880 PurgeOldFilesInDBMinutes=60
    BackupFileTypeExtensions= {.doc MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.docx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.gif MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.rtf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mp4 MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.png MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.7z MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.jpg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xlsx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xls MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.bmp MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pdf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mp3 MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.wmv MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.zip MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.svg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.rar MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.txt MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pptx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.avi MaxSizeMB:25 IgnoreAssociatedApps:Yes }
    AutomaticRestorationAndRemediation=No ARSilentMode=Yes RestorationLocation=
    BackupFolderExclusion= "C:\Windows" Recursive:Yes "C:\$windows.~WS" Recursive:Yes "C:\Users\Admin\AppData" Recursive:Yes "C:\ProgramData" Recursive:Yes "C:\Program Files" Recursive:Yes "C:\Program Files (x86)" Recursive:Yes "C:\Windows.old" Recursive:Yes "C:\$Recycle.Bin" Recursive:Yes "C:\$windows.~BT" Recursive:Yes
    BackupProcessExclusion=c:\windows\explorer.exe , procexp.exe , procexp64.exe , taskmgr.exe , Symantec Corporation , Trend Micro , Trend Micro, Inc. , McAfee , devenv.exe Microsoft Windows , McAfee ePO Development (SPC) , Check Point Software Technologies Ltd. , Piriform Ltd , Ghisler Software GmbH , C. Ghisler & Co. , filehistory.exe Microsoft Windows , runtimebroker.exe Microsoft Windows , setupprep.exe Microsoft Windows , setup.exe Microsoft Corporation , setuphost.exe Microsoft Windows , onedrive.exe Microsoft Corporation , groove.exe Microsoft Corporation , dropbox.exe Dropbox, Inc , dropbox.exe Dropbox , cleanmgr.exe Microsoft Corporation , Sync.com Inc. , devenv.exe Microsoft Corporation , JetBrains s.r.o. , McAfee, Inc. , Kaspersky Lab , Sophos Limited , Cisco Systems, Inc. , git.exe Johannes Schindelin
    ARProcessExclusion= ransomware.win.rank winword.exe Microsoft Corporation , ransomware.win.rank excel.exe Microsoft Corporation , ransomware.win.rank onenote.exe Microsoft Corporation , ransomware.win.rank powerpnt.exe Microsoft Corporation , ransomware.win.rank mspub.exe Microsoft Corporation , ransomware.win.rank msaccess.exe Microsoft Corporation , ransomware.win.rank visio.exe Microsoft Corporation
    RemediateFilesCreatedDuringAttackToString=Quarantine Ask PreventAskAlternative=Detect AskAlternativeTimeoutSeconds=120
    AREventList= UnsignedAbnormalLaunch Action:Silent Validate SignedAbnormalLaunch Action:Silent Validate ShadowCopyDeletion Action:Silent AbnormalSvchostLaunch Action:Silent Validate TotalModifiedFiles Action:Silent ModifiedSpecificFileType Action:Silent Ranking Action:Silent Validate DummyPotFilesModified Action:Silent Validate MBRDetection Action:Silent ModifiedSpecificFolders Action:Silent
    AREventSilentList= ModifiedFilesPerMinute Action:Silent TotalModifiedFiles Action:Silent ModifiedDifferentFileTypes Action:Silent ModifiedSpecificFileType Action:Silent Ranking Action:Silent
    FileActivityMap has 64 entries
20191101 11:21:46.872 I 1bcc BackupAndRestorationManager::SetPolicy: Start Call SetPolicy for BackupDriver
20191101 11:21:46.872 I 1bcc BackupAndRestorationManager::SetPolicy: AntiRansomeware is disabled, call SetDriverPolicy with empty policy
20191101 11:21:46.872 I 1bcc BackupAndRestorationManager::SetPolicy: End Call SetPolicy for BackupDriver
20191101 11:21:46.872 I 1bcc BackupAndRestorationManager::SetPolicy: Start Call SetPolicy for BackupAndRestore
20191101 11:21:46.872 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBasicPolicy
20191101 11:21:46.872 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBasicCleaningProceduresPolicy
20191101 11:21:46.872 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBackupProcessExclusions
20191101 11:21:46.887 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetFileTypeExtensionsPolicy
20191101 11:21:46.887 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: End Call SetPolicy for BackupAndRestore
20191101 11:21:46.887 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBackupFolderExclusion
20191101 11:21:46.887 E 1bcc EFRUtils::DriverInfoHelper::FillDriverDetails: DriverInfoHelper::FillDriverDetails [VolumeLtr=(null)], [DeviceName=\Device\HarddiskVolume1]
20191101 11:21:46.887 E 1bcc EFRUtils::DriverInfoHelper::FillDriverDetails: DriverInfoHelper::FillDriverDetails [VolumeLtr=C:\], [DeviceName=\Device\HarddiskVolume2]
20191101 11:21:46.887 I 1bcc BackupAndRestorationManager::SetPolicy: End Call SetPolicy for SetDetection
20191101 11:21:46.887 V 1bcc CEFRService::ResumeAllSensors: Resuming SALs
20191101 11:21:46.887 V 1bcc CEFRService::ResumeAllSensors: Resumed SALs
20191101 11:21:46.887 I 1bcc UIFactory::GetActiveUI: Using LiteAgentUIManager
20191101 11:21:46.887 I 1bcc LiteAgentUIManager::SendStatusUpdate: SendStatusUpdate: 0 , 0
20191101 11:21:46.887 V 1bcc CEFRService::SetExclusionList: Setting exclusion list
20191101 11:21:46.887 V 1bcc CEFRService::SetExclusionList: Exclusion list was set
20191101 11:21:46.887 E 1bcc ThirdPartyManager::PushPolicy: Enabled by policy
20191101 11:21:46.918 V 1bcc CEFRService::ApplySensorsPolicy: Apply Sal Policy config
20191101 11:21:46.918 V 1bcc DataCollectionManager::ApplyPolicy: Using policy from telemetry
20191101 11:21:46.918 I 1bcc DataCollectionManager::Start: Started
20191101 11:21:46.918 I 1bcc MaintenanceTasksMgr::ApplyPolicy: Maintenance Tasks settings: state is On, CPU Busy is: 18, Critical is: 70, EFR max is 10
20191101 11:21:46.918 I 1bcc NgavBridge::Init: NGAV Engine init
20191101 11:21:46.918 I 1bcc NgavBridge::ApplyPolicy: NGAVpolicyViaExclusions from local file
20191101 11:21:46.918 I 1bcc NgavBridge::Start: Started
20191101 11:21:46.918 V 1bcc EfrPolicy::SaveAppliedPolicy: Trying to save applied policy.
20191101 11:21:46.918 V 1bcc EfrPolicy::SaveAppliedPolicy: Successfully saved Forensics policy.
20191101 11:21:46.934 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_AR.dll
20191101 11:21:46.934 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_AR.dll
20191101 11:21:46.934 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_ENV.dll
20191101 11:21:46.934 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_ENV.dll
20191101 11:21:46.934 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_FLT.dll
20191101 11:21:46.934 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_FLT.dll
20191101 11:21:46.934 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_INJECT.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_INJECT.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_NET.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_NET.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_PS.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_PS.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REG.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REG.dll
20191101 11:21:46.950 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REGDETECT.dll
20191101 11:21:46.965 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_REGDETECT.dll
20191101 11:21:46.965 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_SCRIPTS.dll
20191101 11:21:46.965 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_SCRIPTS.dll
20191101 11:21:46.965 I 1bcc CEFRService::StartAllSensors: Loading SAL sensor from C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_USER.dll
20191101 11:21:46.965 I 1bcc CEFRService::StartSingleSensor: Sensor started C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRSAL_USER.dll
20191101 11:21:46.965 V 1bcc CEFRService::SetSensorsConfig: Setting sensors configurations
20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::InvokeBackupAndRestoration: Start Call BackupAndRestorationManager Invoke
20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::InvokeBackupAndRestoration: End Call BackupAndRestorationManager Invoke
20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::InitBackupDriver: Start Create Backup Driver
20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::InitBackupDriver: Success to connect to backup driver
20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::InitBackupDriver: End Create Backup Driver
20191101 11:21:47.012 I 1bcc APIManager::Init: API manager initialized
20191101 11:21:47.012 I 1060 BehavioralGuardManager::EventsPumpThread: Waiting for event arrival
20191101 11:21:47.012 E 1bcc RemediationConnector::Init: LoadLibrary failed, error 126
20191101 11:21:47.012 I 23c
RollbackManager::HandleRollbackThread: Waiting for event arrival 20191101 11:21:47.012 V 1bcc CEFRService::ApplyPolicy: EfrPolicy: Name='ZA Forensics Policy' Version=0 Date=1487829766172 IsEfrEnabled=Yes YellowWatermark=disabled RedWatermark=disabled DBMaximumSizeOnDisk=1 IsLogUploadEnabled=Yes Exclusions: procexp.exe , procexp64.exe , taskmgr.exe , Symantec Corporation , Trend Micro , Trend Micro, Inc. , McAfee , devenv.exe Microsoft Windows , McAfee ePO Development (SPC) , Check Point Software Technologies Ltd. , setupprep.exe Microsoft Windows , setup.exe Microsoft Corporation , setuphost.exe Microsoft Windows , MsMpEng.exe Microsoft Corporation , Kaspersky Lab , devenv.exe Microsoft Corporation , procexp.exe Microsoft Corporation , procexp64.exe Microsoft Corporation , taskmgr.exe Microsoft Windows , Trend Micro, Inc. , Sophos Limited , McAfee, Inc. , Check Point Software Technologies Ltd. , Cisco Systems, Inc. FtpURL: is empty EventsDetectionByConfidence: TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Low, TriggerType::AntiBot Confidence Confidence::Low, TriggerType::CLI Confidence Confidence::Low, TriggerType::Antimalware Confidence Confidence::Low, TriggerType::ThreatEmulation Confidence Confidence::Low, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Low, TriggerType::GatewayAB Confidence Confidence::Low, TriggerType::GatewayURLF Confidence Confidence::Disable, QuarantineMachineByConfidence: TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Disable, TriggerType::AntiBot Confidence Confidence::Disable, TriggerType::Antimalware Confidence Confidence::Disable, TriggerType::ThreatEmulation Confidence Confidence::Disable, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Disable, TriggerType::GatewayAB Confidence Confidence::Disable, 
TriggerType::GatewayURLF Confidence Confidence::Disable, AttackRemediationByConfidence: TriggerType::GatewayTE Confidence Confidence::Disable, TriggerType::StaticAnalysis Confidence Confidence::Disable, TriggerType::AntiBot Confidence Confidence::Disable, TriggerType::Antimalware Confidence Confidence::Disable, TriggerType::ThreatEmulation Confidence Confidence::Disable, TriggerType::GatewayAM Confidence Confidence::Disable, TriggerType::None Confidence Confidence::Disable, TriggerType::GatewayAB Confidence Confidence::Disable, TriggerType::GatewayURLF Confidence Confidence::Disable, RemediationEvents: MaliciousOp Quarantine, SuspiciousOp Quarantine, UnknownOp Quarantine, TrustedOp Terminate, fileOpMask: 1022, fileSystemOpMask: 2898, registryOpMask: 1047 MaintenanceTask mode=Off CPULevels=CPULevels=Busy:18; Critical:70; EFRMax:10; AntiRansomewareEnabled=0 BackupDiskSpaceUsageGB=1.024 BackupTimeIntervalMinutes=60 ConsistencyBetweenFileToDBMinutes=2880 PurgeOldFilesInDBMinutes=60 BackupFileTypeExtensions= {.doc MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.docx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.gif MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.rtf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mp4 MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.png MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.7z MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.jpg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xlsx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.xls MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.bmp MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pdf MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.mp3 MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.wmv MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.zip MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.svg MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.rar MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.txt MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.pptx MaxSizeMB:25 IgnoreAssociatedApps:Yes } {.avi MaxSizeMB:25 IgnoreAssociatedApps:Yes } AutomaticRestorationAndRemediation=No ARSilentMode=Yes 
RestorationLocation= BackupFolderExclusion= "C:\Windows" Recursive:Yes "C:\$windows.~WS" Recursive:Yes "C:\Users\Admin\AppData" Recursive:Yes "C:\ProgramData" Recursive:Yes "C:\Program Files" Recursive:Yes "C:\Program Files (x86)" Recursive:Yes "C:\Windows.old" Recursive:Yes "C:\$Recycle.Bin" Recursive:Yes "C:\$windows.~BT" Recursive:Yes BackupProcessExclusion=c:\windows\explorer.exe , procexp.exe , procexp64.exe , taskmgr.exe , Symantec Corporation , Trend Micro , Trend Micro, Inc. , McAfee , devenv.exe Microsoft Windows , McAfee ePO Development (SPC) , Check Point Software Technologies Ltd. , Piriform Ltd , Ghisler Software GmbH , C. Ghisler & Co. , filehistory.exe Microsoft Windows , runtimebroker.exe Microsoft Windows , setupprep.exe Microsoft Windows , setup.exe Microsoft Corporation , setuphost.exe Microsoft Windows , onedrive.exe Microsoft Corporation , groove.exe Microsoft Corporation , dropbox.exe Dropbox, Inc , dropbox.exe Dropbox , cleanmgr.exe Microsoft Corporation , Sync.com Inc. , devenv.exe Microsoft Corporation , JetBrains s.r.o. , McAfee, Inc. , Kaspersky Lab , Sophos Limited , Cisco Systems, Inc. 
, git.exe Johannes Schindelin ARProcessExclusion= ransomware.win.rank winword.exe Microsoft Corporation , ransomware.win.rank excel.exe Microsoft Corporation , ransomware.win.rank onenote.exe Microsoft Corporation , ransomware.win.rank powerpnt.exe Microsoft Corporation , ransomware.win.rank mspub.exe Microsoft Corporation , ransomware.win.rank msaccess.exe Microsoft Corporation , ransomware.win.rank visio.exe Microsoft Corporation RemediateFilesCreatedDuringAttackToString=Quarantine Ask PreventAskAlternative=Detect AskAlternativeTimeoutSeconds=120 AREventList= UnsignedAbnormalLaunch Action:Silent Validate SignedAbnormalLaunch Action:Silent Validate ShadowCopyDeletion Action:Silent AbnormalSvchostLaunch Action:Silent Validate TotalModifiedFiles Action:Silent ModifiedSpecificFileType Action:Silent Ranking Action:Silent Validate DummyPotFilesModified Action:Silent Validate MBRDetection Action:Silent ModifiedSpecificFolders Action:Silent AREventSilentList= ModifiedFilesPerMinute Action:Silent TotalModifiedFiles Action:Silent ModifiedDifferentFileTypes Action:Silent ModifiedSpecificFileType Action:Silent Ranking Action:Silent FileActivityMap has 64 entries 20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::SetPolicy: Start Call SetPolicy for BackupDriver 20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::SetPolicy: AntiRansomeware is disabled, call SetDriverPolicy with empty policy 20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::SetDriverPolicy: SetDriverPolicy, policy_set_timeout 0 seconds 20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::SetPolicy: End Call SetPolicy for BackupDriver 20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::SetPolicy: Start Call SetPolicy for BackupAndRestore 20191101 11:21:47.012 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBasicPolicy 20191101 11:21:47.028 I 149c RemediationPushOperationHandler::PushOpPumpThread: Waiting for event 
arrival 20191101 11:21:47.106 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBasicCleaningProceduresPolicy 20191101 11:21:47.106 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBackupProcessExclusions 20191101 11:21:47.106 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetFileTypeExtensionsPolicy 20191101 11:21:47.106 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: End Call SetPolicy for BackupAndRestore 20191101 11:21:47.106 I 1bcc BackupAndRestorationManager::SetBackupAndRestorationPolicy: SetPolicy for BackupAndRestore, call to SetBackupFolderExclusion 20191101 11:21:47.106 I 1bcc BackupAndRestorationManager::SetPolicy: End Call SetPolicy for SetDetection 20191101 11:21:47.106 V 1bcc CEFRService::SetExclusionList: Setting exclusion list 20191101 11:21:47.106 V 1bcc CEFRService::SetExclusionList: Exclusion list was set 20191101 11:21:47.106 E 1bcc ThirdPartyManager::PushPolicy: Enabled by policy 20191101 11:21:47.106 I 1bcc ThirdPartyManager::Init: Third party notifications already on 20191101 11:21:47.106 V 1bcc CEFRService::ApplySensorsPolicy: Apply Sal Policy config 20191101 11:21:47.106 V 1bcc DataCollectionManager::ApplyPolicy: Using policy from telemetry 20191101 11:21:47.106 I 1bcc DataCollectionManager::Start: Already started 20191101 11:21:47.106 I 1bcc MaintenanceTasksMgr::ApplyPolicy: Maintenance Tasks settings: state is On, CPU Busy is: 18, Critical is: 70, EFR max is 10 20191101 11:21:47.106 I 1bcc NgavBridge::ApplyPolicy: NGAVpolicyViaExclusions from local file 20191101 11:21:47.106 I 1bcc NgavBridge::Start: Started 20191101 11:21:47.106 V 1bcc EfrPolicy::SaveAppliedPolicy: Trying to save applied policy. 20191101 11:21:47.106 V 1bcc EfrPolicy::SaveAppliedPolicy: Successfully saved Forensics policy. 
20191101 11:21:47.122 I 1bcc UpdatesManager::Start: Started 20191101 11:21:47.122 V 1bcc CEFRService::PostConfigStart: Starting SALs post config 20191101 11:21:47.122 I 160c CEFRService::PostponeDBFeeder: Starting runner 20191101 11:21:47.122 I 1bcc CEFRService::ThreadedStart: Service Started. [build '8.60.5.8011'] 20191101 11:21:47.122 I 8d4 EventManager::EventPumpThread: Waiting for event arrival 20191101 11:24:47.125 V 160c CEFRService::PostponeDBFeeder: Finish to wait for postpone DBFeeder 20191101 11:24:47.468 W 160c DBFeeder::OpenDBFile: New database is created 20191101 11:24:47.468 I 160c CEFRService::InitSchedulerTasks: Initialize Scheduler Tasks 20191101 11:24:47.468 V 1b0c DBFeeder::Run: Started 20191101 11:24:47.468 I 160c Scheduler::Init: scheduler initialized 20191101 11:24:47.468 I 160c CEFRService::InitMaintenanceTasks: Initialize Maintenance Tasks Manager 20191101 11:24:47.468 I 160c MaintenanceTasksConfigParser::TryParseMaintenanceTasksConfig: Did not find configuration file for maintenance tasks. Use default 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::Start: Starting Maintenance Tasks Manager 20191101 11:24:47.468 E 160c JsonParser::TryParseJson: Can't parse Json 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::CreateNewTask: Register new task: type: MaintenanceTasksStatistics, with interval 1440 minutes 20191101 11:24:47.468 I 10e4 MaintenanceTasksMgr::TasksRun: No task registered. Wait till next registration 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::RegisterTask: Register Task MaintenanceTasksStatistics. Next run is at Sat Nov 2 11:24:47 2019 20191101 11:24:47.468 V 160c MaintenanceTasksMgr::HaltMaintenanceTasks: Stop task thread for 1200000 ms or less. 
Handle is 4704 20191101 11:24:47.468 I 10e4 MaintenanceTasksMgr::TasksRun: Next Task at Sat Nov 2 11:24:47 2019 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::CreateNewTask: Register new task: type: WaitSleepTask, with interval 0 minutes 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::RegisterTask: Register Task WaitSleepTask. Next run is at Wed Dec 31 21:00:00 1969 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::CreateNewTask: Register new task: type: BackupConsistency, with interval 2880 minutes 20191101 11:24:47.468 I 10e4 MaintenanceTasksMgr::HandleTask: Handle task WaitSleepTask 20191101 11:24:47.468 I 10e4 MaintenanceTasksMgr::HandleTask: No need to measure state idleness 20191101 11:24:47.468 I 10e4 MaintenanceTasksMgr::DoWait: Enter sleep for 1200000 milliseconds 20191101 11:24:47.468 V 1b0c DBFeeder::TryScanSmallDFiles: File C:\ProgramData\Checkpoint\DBStore\EFRSAL_ENV.20191101.112051.153.ds deleted 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::RegisterTask: Register Task BackupConsistency. Next run is at Sun Nov 3 11:24:47 2019 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::CreateNewTask: Register new task: type: BackupStatisticsTelemetry, with interval 1440 minutes 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::RegisterTask: Register Task BackupStatisticsTelemetry. Next run is at Sat Nov 2 11:24:47 2019 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::CreateNewTask: Register new task: type: CleanEventsFolder, with interval 1440 minutes 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::RegisterTask: Register Task CleanEventsFolder. Next run is at Sat Nov 2 11:24:47 2019 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::CreateNewTask: Register new task: type: PurgeBackupFolder, with interval 60 minutes 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::RegisterTask: Register Task PurgeBackupFolder. 
Next run is at Fri Nov 1 12:24:47 2019 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::CreateNewTask: Register new task: type: PurgeEfrDb, with interval 60 minutes 20191101 11:24:47.468 I 160c MaintenanceTasksMgr::RegisterTask: Register Task PurgeEfrDb. Next run is at Fri Nov 1 12:24:47 2019 20191101 11:24:47.484 V 1b0c DBFeeder::TryScanSmallDFiles: File C:\ProgramData\Checkpoint\DBStore\EFRSAL_FLT.20191101.112051.184.ds deleted 20191101 11:24:47.484 V 1b0c DBFeeder::TryScanSmallDFiles: File C:\ProgramData\Checkpoint\DBStore\EFRSAL_NET.20191101.112051.200.ds deleted 20191101 11:24:47.484 W 1b0c DBFeeder::Update_PsTable: Process ID 5212 creation time 1572617981647 has terminated with image unknown 20191101 11:24:47.484 W 1b0c DBFeeder::Update_PsTable: Process ID 5988 creation time 1572617981663 has terminated with image unknown 20191101 11:24:47.484 V 1b0c DBFeeder::TryScanSmallDFiles: File C:\ProgramData\Checkpoint\DBStore\EFRSAL_PS.20191101.112051.200.ds deleted 20191101 11:24:47.500 V 1b0c DBFeeder::TryScanSmallDFiles: File C:\ProgramData\Checkpoint\DBStore\EFRSAL_REG.20191101.112051.215.ds deleted 20191101 11:24:47.500 I 160c ClassifierConfigParser::TryParseClassifierConfig: Classifier configurations were successfully loaded 20191101 11:24:47.500 V 1b0c DBFeeder::TryScanSmallDFiles: File C:\ProgramData\Checkpoint\DBStore\EFRSAL_USER.20191101.112051.215.ds deleted 20191101 11:25:47.514 E 1924 TPCommonHelper::SendTelemetry: unavailable 20191101 11:25:47.514 E 1924 TelemetryManager::SendStatusReport: Error sending storage telemetry. Returned -1 20191101 11:25:47.514 E 1924 TPCommonHelper::SendTelemetry: unavailable 20191101 11:25:47.514 E 1924 TelemetryManager::SendPing: Error sending ping telemetry. 
Returned -1 20191101 11:25:47.530 E 1924 TPCommonHelper::SendTelemetry: unavailable 20191101 11:25:47.530 E 1924 TelemetryManager::SendBackupReport: could not send Backup telemetry (returned -1) 20191101 11:25:47.530 V 1924 Scheduler::TasksThread: ran 4 of 5 scheduled tasks; 3 tasks failed! 20191101 11:36:36.640 I 1b24 CEFRService::OnStop: Stopping Service.... 20191101 11:36:36.640 I 1b24 MaintenanceTasksMgr::Stop: Stopping Maintenance Tasks Manager 20191101 11:36:36.640 I 1b24 MaintenanceTasksMgr::Stop: Thread signaled to exit 20191101 11:36:36.640 V 18ac APIManager::CallerThread: signaled to exit 20191101 11:36:36.640 V 1b0c DBFeeder::Run: Shutdown event is signaled, exiting. 20191101 11:36:36.640 I 1b24 Scheduler::Stop: scheduler was signaled to exit 20191101 11:36:36.640 I 1b24 Scheduler::Stop: Stopped 20191101 11:36:36.640 I 1b24 BehavioralGuardManager::Stop: Stopping... 20191101 11:36:36.640 I 1b24 BehavioralGuardManager::Stop: threads signaled to exit 20191101 11:36:36.640 I 1b24 BehavioralGuardManager::Stop: Stopped 20191101 11:36:36.640 I 1b24 BackupAndRestorationManager::Stop: Stopping... 20191101 11:36:37.109 I 1b24 BackupAndRestorationManager::Stop: Start Call BackupAndRestorationManager Stop 20191101 11:36:37.109 I 1b24 BackupAndRestorationManager::Stop: End Call BackupAndRestorationManager Stop 20191101 11:36:37.109 I 1b24 BackupAndRestorationManager::Stop: Start Call Backup Driver Stop 20191101 11:36:37.109 I 1b24 BackupAndRestorationManager::Stop: end Call Backup Driver Stop 20191101 11:36:37.109 I 1b24 BackupAndRestorationManager::Stop: Stopped 20191101 11:36:37.109 I 1b24 APIManager::Stop: API thread was signaled to exit 20191101 11:36:37.109 I 1b24 APIManager::Stop: Stopped 20191101 11:36:37.109 V 1b24 DBFeeder::Stop: Stopping 20191101 11:36:37.109 V 1b24 DBFeeder::Stop: Stopped 20191101 11:36:37.109 I 1b24 LiteAgentConnector::Stop: Stopping 20191101 11:36:37.109 I 1b24 FileBehaviorHandler::Stop: Stopping File Activity Notification Handler... 
20191101 11:36:37.109 I 1b24 FileBehaviorHandler::Stop: threads signaled to exit 20191101 11:36:37.125 I 1b24 FileBehaviorHandler::Stop: File Activity Notification Handler Stopped 20191101 11:36:37.187 I 1b24 EventViwerMonitor::ReleaseEvents: Releasing ThirdPartyManager events 20191101 11:36:37.187 I 1b24 UpdatesManager::Stop: Stoped 20191101 11:36:37.187 I 1b24 DataCollectionManager::Stop: Trying to stop 20191101 11:36:37.187 I 1b24 DataCollectionManager::Stop: Stoped 20191101 11:36:37.187 I 1b24 RemediationPushOperationHandler::Stop: threads signaled to exit 20191101 11:36:37.203 I 1b24 EventManager::Stop: Stopping... 20191101 11:36:37.203 I 1b24 EventManager::Stop: Stopped 20191101 11:36:37.203 I 1b24 CEFRService::OnStop: Service Stopped.
jsp File Browser version 1.2 by www.vonloesch.de