07 June 2022

HARMONY ENDPOINT

Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
 Table of Contents

Table of Contents
Introduction to Harmony Endpoint 12
Getting Started 13
Registering to the Infinity Portal 13
Registering to Harmony Endpoint 16
Creating a New Endpoint Management Service 17
Walkthrough Wizard 18
Online Deployments 18
Offline Deployments 18
Preliminary & Recommended Steps 18
Preliminary Steps 18
More Recommendations 18
Reconnect Tool 19
Supported Operating Systems for the Endpoint Client 20
Microsoft Windows 20
macOS 21
Linux 21
Deploying Endpoint Clients 22
Token-Limited Installation 23
Automatic Deployment of Endpoint Clients 24
Automatic Deployment of Endpoint Clients for Windows OS 24
Troubleshooting Issues with the Tiny Agent on Windows OS 25
Automatic Deployment of Endpoint Clients for macOS 26
Deployment Rules 27
Manual Deployment 28
Adding a New VPN Site to an Exported Package 31
Remote Installation of Initial Client 33
Setting the Deployment Agent 33
Certificates and DNS 34
Privileges 35
Setting the Target Devices 35
Remotely Installing the Initial Client 36
Security Considerations 37
Progress of Installation and Error Handling 38

Harmony Endpoint Administration Guide | 3

 Table of Contents

Ports and Permissions 38

Upgrades 39
Heartbeat Interval 40
Uninstalling Third-Party Anti-Virus Software Products 41
Monitoring Harmony Endpoint Deployment and Policy 42
Configuring Alert Messages 42
Configuring an E-mail Server 43
How to Verify that Harmony Endpoint can Access Check Point Servers 45
Disabling Incognito Mode, BrowserGuest Mode, and InPrivate Mode 46
Overview 46
Chrome on Windows: 46
Firefox on Windows 46
Microsoft Edge on Windows 47
Chrome on macOS 47
Firefox on macOS 47
Microsoft Edge on macOS 48
Managing Endpoint Components in SmartEndpoint Management Console 49
Managing Licenses 51
Managing Users in Harmony Endpoint 54
Managing Accounts in the Infinity Portal 59
Managing Harmony Browse 60
Overview 60
Limitations 60
Viewing Computer Information 61
The Asset Management View 61
Select a View 61
Status Icon 61
Apply Filter 61
Managing Computers 63
The Overview View 65
Operational Overview 65
Security Overview 67
Configuring the Endpoint Policy 68
Configuring the Threat Prevention Policy 69
The Unified Policy 69

Harmony Endpoint Administration Guide | 4

 Table of Contents

The Parts of the Policy Rule Base 69

The Threat Prevention Policy Toolbar 70
Web & Files Protection 71
URL Filtering 71
Blacklisting 71
Download (Web) Emulation & Extraction 72
Unsupported Files 73
Additional Emulation Settings: 73
Emulation Environments 73
Override Default Files Actions 73
Credential Protection 74
Zero-Phishing 74
Password reuse protection 74
Safe Search 74
Files Protection 75
Advanced Settings for Files Protection 75
General 75
Signature 76
Scan 77
Behavioral Protection 78
The Anti-Bot Component 78
Configuring Anti-Bot 79
Advanced Anti-Bot Settings: 79
The Behavioral Guard & Anti-Ransomware Component 79
Advanced Behavioral Guard & Anti-Ransomware Settings 79
Backup Settings 80
The Anti-Exploit Component 80
Analysis & Remeditation 81
Automated Attack Analysis (Forensics) 81
Remediation & Response 81
Advanced Remediation & Response Settings 81
File Quarantine 81
File Remediation 81
Adding Exclusions to Rules 83
Web and Files Protection Exclusions 83

Harmony Endpoint Administration Guide | 5

 Table of Contents

Behavioral Protections 87
Analysis & Response Exclusions 89
Configuring the Data Protection Policy 91
Configuring Full Disk Encryption 92
Check Point Disk Encryption for Windows 93
Configuration Options 93
Authentication before the Operating System Loads (Pre-boot) 94
Temporary Pre-boot Bypass Settings 94
Advanced Pre-boot Settings 95
User Authorization before Encryption 96
User Assignment 96
BitLocker Encryption for Windows Clients 98
Taking Control of Unmanaged BitLocker Devices 98
FileVault Encryption for macOS 100
User Authentication to Endpoint Security Clients (OneCheck) 101
Pre-boot Authentication Methods 102
Before You Configure SmartCard: 102
Password Complexity and Security 104
User Account Lockout Settings 105
Remote Help Permissions 106
Logon Settings 107
Bi-Directional Password Sync Settings 108
Configuring Media Encryption & Port Protection 109
Configuring the Read Action 110
Configuring the Write Action 111
Configuring Business-Related File Types 112
Managing Devices 113
Managing Groups 114
Using Wild Card Characters 114
Advanced Settings for Media Encryption 116
Authorization Settings 116
UserCheck Messages 116
Advanced Encryption 117
Site Configuration 117
Media Lockout 118

Harmony Endpoint Administration Guide | 6

 Table of Contents

Offline Access 118

Media Encryption Remote Help 119
Port Protection 120
Media Encryption Access Rules 121
Configuring Access & Compliance Policy 122
Firewall 123
Configuring Inbound/Outbound Rules 124
Inbound Traffic Rules 124
Outbound Traffic Rules 124
Parts of Rules 125
Editing a Rule 125
Deleting a Rule 126
Managing Firewall Objects and Groups 127
Supported Object Categories 127
Creating Objects 129
Used In 130
Configuring Security Zones 131
Configuring Firewall Rule Advanced Settings 132
Application Control 133
Creating the List of Applications on the Reference Device 134
Appscan Command Syntax 135
Uploading the Appscan XML File to the Endpoint Security Management Server 137
Configuring Application Permissions in the Application Control Policy 138
Application Control in Backward Compatibility Mode 138
Default Action for Unidentified Applications 138
Configuring the Application Control Policy 139
Disabling or Enabling Windows Subsystem for Linux (WSL) 140
Developer Protection 141
Exclusions to Developer Protection 141
Compliance 143
Planning for Compliance Rules 144
Configuring Compliance Policy Rules 145
Ensuring Alignment with the Deployed Profile 146
Remote Access Compliance Status 147
Compliance Action Rules 148

Harmony Endpoint Administration Guide | 7

 Table of Contents

Compliance Check Objects 149

Compliance Remediation Objects 152
Service Packs for Compliance 154
Ensuring that Windows Server Updates Are Installed 155
Anti-Virus for Compliance 156
Monitoring Compliance States 157
"About to be Restricted" State 157
Configuring Client Settings 158
Client User Interface Settings 159
Default Client User Interface 159
Customized Images 159
Customized Browser Block Pages 160
Log Upload 161
Installation and Upgrade Settings 162
Agent Uninstall Password 162
Local Deployment Options 162
Sharing Data with Check Point 164
Users Disabling Network Protection 165
Connection Awareness 166
Super-Node 167
Connected, Disconnected and Restricted Rules 168
Backward Compatibility 169
Policy Operation 170
IOC Management 172
Import or Export Policies 173
Overview 173
Limitations 173
Prerequisites 173
Exporting Policies 173
Importing Policies 174
Performing Data Recovery 175
Check Point Full Disk Encryption Recovery 176
BitLocker Recovery 179
FileVault Recovery 180
Managing Virtual Groups 183

Harmony Endpoint Administration Guide | 8

 Table of Contents

Managing Active Directory Scanners 184

Organization Distributed Scan 184
Full Active Directory Sync 184
Giving Remote Help to Full Disk Encryption Users 186
Active Directory Authentication 187
Endpoint Security Active Directory Authentication 187
Configuring Active Directory Authentication 187
UPN Suffixes and Domain Names 190
Configuring Alternative Domain Names 190
Troubleshooting Authentication in Client Logs 192
Harmony Endpoint Logs 193
Query Language Overview 195
Criteria Values 195
NOT Values 196
Wildcards 196
Field Keywords 198
Boolean Operators 200
Exporting Logs 201
Creating Security Certificates for TLS Mutual Authentication 201
Performing Push Operations 205
Threat Hunting 210
Enabling Threat Hunting 210
Using Threat Hunting 211
Use Case - Maze Ransomware Threat Hunting 212
Supported Versions 212
Two Factor Authentication 213
Harmony Endpoint for Linux 214
Harmony Endpoint for Linux Overview 215
Prerequisites 215
Minimum Hardware Requirements 215
Deploying Harmony Endpoint for Linux 216
Harmony Endpoint for Linux CLI Commands 217
Help & Information Commands 217
Quarantine Commands 217
Scans & Detections 218

Harmony Endpoint Administration Guide | 9

 Table of Contents

Logs 218
Uninstall Harmony Endpoint for Linux 219
Harmony Endpoint for Linux Additional Information 220
Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI) 221
Configuring Clients for Persistent Desktops 222
Software Blades for Persistent Desktops 222
Creating a Basic Golden Image for Persistent Desktops 222
Client Machine Configuration for Persistent Desktops 223
Creating a Pool for Persistent Desktops 223
VMware Horizon Key Points 223
Citrix XenDesktop Key Points 225
Configuring Clients for Non-Persistent Desktops 226
General 226
Shared Signatures Server 227
Configuring the Signatures Server 228
Setup Validation 228
Client Machine Configuration for Non-Persistent Desktops 228
Creating a Basic Golden Image for Non-Persistent Desktops 228
Configuring the Client Machine 229
Post Setup Actions 229
Creating a Pool for Non-Persistent Desktops 229
VMware Horizon Key Points 230
Citrix Xen-Desktop Key Points 231
Pool Validation 231
Disabling the Anti-Malware Periodic Scan 231
Software Blades for Non-Persistent Desktops 232
Basic Golden Image Settings 233
Assigning Policies to VDI Pools 234
Limitations 235
Appendix 235
Disabling the Anti-Malware Periodic Scan 235
Advanced Settings Non-Persistent Desktops 238
Configuring the Shared Signatures Server 238
Configuring the Client Machine 240
Harmony Endpoint for Terminal Server / Remote Desktop Services 242

Harmony Endpoint Administration Guide | 10

 Table of Contents

Software Blades for Terminal Servers 242

Licensing 242
Limitations 243
Deploying the Harmony Endpoint Client on a Terminal Server / Remote Desktop Service 244
Prerequisites 244
Procedure 244
Best Practice to Enable Software Blades 245
Recent Tasks 247
Known Limitations 248
Revision History 249

Harmony Endpoint Administration Guide | 11

 Introduction to Harmony Endpoint

Introduction to Harmony Endpoint

Harmony Endpoint creates virtual Endpoint Management services in the cloud to manage policies and
deployments for Endpoint Security and Harmony Browse clients (for more information on Harmony Browse,
see Harmony Browse Administration Guide).
Harmony Endpoint supports the management of these components:
n Threat Prevention
n Data Protection
n Media Encryption & Port Protection
n Firewall
n Application Control
n Developer Protection
n Compliance
n Software Deployment
Harmony Endpoint supports up to 400,000 endpoint clients.
Notes -
n Please note that the only browser Harmony Endpoint supports is Google Chrome.
n A Domestic Homeland Security (DHS) compliant Anti-Malware blade (or non-Kaspersky Anti-
Malware blade) supports only periodic and contextualized scan (In the endpoint, right-click a
file, and click Scan with Check Point Anti-Malware).

Harmony Endpoint Administration Guide | 12

 Getting Started

Getting Started
Registering to the Infinity Portal
Note - The Harmony Endpoint management portal (in the Infinity Portal) is supported
only through the Chrome browser.

Harmony Endpoint is hosted on the Infinity Portal. Create an account in the Infinity Portal to be able to use
Harmony Endpoint.

To create an account in the Infinity Portal:

Go to the registration page:
https://portal.checkpoint.com/create-account/SandBlastAgent
This page appears:

Harmony Endpoint Administration Guide | 13

 Getting Started

Harmony Endpoint Administration Guide | 14

 Getting Started

1. Fill in your details.

Note - Your data residency region can be one of locations:
n Ireland - All countries, except the United States.
n The United States - If you select the United States as your country.

If you select Use specific data residency region, you can select a different
region than your default region.
After the account is created, you cannot change your data residency region.
2. Click Next.
You receive this confirmation e-mail which includes an activation link:

Harmony Endpoint Administration Guide | 15

 Registering to Harmony Endpoint

Registering to Harmony Endpoint

After you registered to the Infinity Portal, you can register to Harmony Endpoint:
1. In the confirmation e-mail you received after registering to the Infinity Portal, click this link:
https://portal.checkpoint.com
This page appears:

2. Enter your selected password and click Next.

This window opens:

3. Click the button in the upper left corner: and select Harmony Endpoint.
4. In the popup window:
a. Select I accept the Infinity Portal terms of service and the privacy policy.
b. Click Try Now.
You can start using Harmony Endpoint.

Harmony Endpoint Administration Guide | 16

 Creating a New Endpoint Management Service

Creating a New Endpoint Management Service

After you registered to Harmony Endpoint, you must set your Endpoint Management Service to be able to
manage your Endpoint clients. An administrator can create and deploy one virtual Endpoint Management
service per account.

To create a New Endpoint Management Service:

1. From the left navigation panel, click the Service Management view.
2. Click New Endpoint Management Service and enter the information in these fields:
n Service Identifier - Select your Endpoint Management Service name for this account. Use the
Service Identifier when you connect to SmartEndpoint Management Console.
The Service Identifier:
l Must consist of 2-16 characters: uppercase letters (A-Z), lowercase letters (a-z),
numbers (0-9), or hyphens (-).
l Must not start with a hyphen (-).
n Hosting Site - The cloud location where the Endpoint Management Service is deployed. This
information is derived from your selection of data residency region when you created the
account. See Registering to the Infinity Portal.
3. Click Create.
The deployment process starts.
You can monitor the deployment process in the portal. The portal sends an email on completion.

Harmony Endpoint Administration Guide | 17

 Walkthrough Wizard

Walkthrough Wizard
Once you successfully deployed a service, clicking on the “Overview” page will display the “Getting Started”
wizard.

Online Deployments
Tiny Agent for Windows OS. The Tiny Agent functionality introduces a few major improvements to the
current Initial Client package (which is a very thin client, without any blade, used for software deployment
purposes).
The Initial Client is the Endpoint Agent that communicates with the Endpoint Security Management Server.

Offline Deployments
You can export a package of the Endpoint Security components from the Endpoint Security Management
Server to Endpoint devices using a third-party deployment software, a shared network path, email or other
method. When you download a package for manual deployment, the Initial Client is already included in the
package and there is no need to install it separately.
When you create the package for export there are two options: Threat Prevention and All capabilities.

Preliminary & Recommended Steps

Preliminary Steps
The preliminary steps are the ones Check Point recommend/encourage the user to complete for most
deployments clicking on a step you are redirected to the relevant page.
1. Configure AD scanner (Optional) – For any deployment involving topologies with Active Directory.
This is optional as not all customers have topologies with Active Directory.
2. Change uninstall password – All users should replace the default uninstall password ‘secret’.

More Recommendations
1. Set predefined policies – Set a pre-defined profile.
2. Explore Asset Status – Explore your Endpoints, users and telemetries.
3. Define alerts – Configure proactive alerts.
4. Configure strong authentication – Set strong authentication with your Active Directory.
5. Change policy operation mode – Control your policy operation mode (Mixed/Devices/Users).

Harmony Endpoint Administration Guide | 18

 Reconnect Tool

Reconnect Tool
You can use the Reconnect tool to reconnect all your Endpoint Security clients to a new Endpoint
Management Server.

To install the Reconnect tool:

1. Log in to the Endpoint Manager Server to which you want to connect your Endpoint Security clients.
2. Go to Service Management and click Reconnect Tool to download the reconnect.utility.exe file.
3. Run the .exe file.
4. Select Start and type CMD.
5. Right-click Command Prompt and select Run as administrator.
The Command Prompt window opens.
6. Navigate to the directory where the Recovery tool is located.
7. Run:
maketool.bat .\config.dat <client_uninstall_password>

The system creates the reconnect_utility.exe file that contains the details of server that the endpoint
requires to reconnect to the new sever.
Notes -
n Use of a client_uninstall_password is optional. If you do not specify the
password, user must enter the password when running the Recovery tool
on their computer. If you use special (non-alphanumeric) characters in the
password, such as !,@, $, enclose the password within quotation marks.
For example,"!1@3$5^7*9".
n If you do not want to show the confirmation message “The reconnect tool
was run successfully", add /silent in the command. For example,
maketool.bat /silent \path_to\config.dat[client_
uninstall_password].
9. Distribute the reconnect_utility.exe file to the computers.
i. Double-click the reconnect_utility.exe file and follow the on-screen instructions.
The Endpoint Security client connects to the new Endpoint Management Server.
j. Stop all the daemons.
k. Replace the configuration file.
l. Reload the daemon.

Note - If Endpoint Security clients with version E85.60 and higher cannot connect to the
new Endpoint Management Server, your Endpoint Security clients may still be
connected to the old Endpoint Management Server. For more information, see sk92329.

Harmony Endpoint Administration Guide | 19

 Reconnect Tool

Supported Operating Systems for

the Endpoint Client
Microsoft Windows
Operating
Version Architecture Service Pack
System

Windows 7 1,2 N/A 32/64-bit SP1 Microsoft

update
KB3033929

Windows 8.1.1 N/A 32/64-bit Update 1

2

Windows 10 2 1709 32/64-bit N/A

1803 32/64-bit N/A

1809 32/64-bit N/A

1903 32/64-bit N/A

1909 32/64-bit N/A

2004 32/64-bit N/A

2009 32/64-bit N/A

2103 32/64-bit N/A

21H2 32/64-bit N/A

Windows 11 2 21H2 32/64-bit N/A

Windows 2022 64-bit N/A

Server 3
2019 64-bit N/A

2016 64-bit N/A

2012 64-bit N/A

2012 R2 64-bit N/A

2008 R2 32/64-bit Microsoft

update
KB3033929

1 For additional information on Windows 7 support, refer to sk164006.

Harmony Endpoint Administration Guide | 20

 Reconnect Tool

2 Microsoft Windows instance on Amazon Web Services (AWS) is supported.

3 For Microsoft Windows Server:

n To support Endpoint Compliance rules for Windows Server 2016 on versions older than R80.20, see
sk122136.
n Windows Server CORE is not supported.

macOS
Operating System Version

Mojave 10.14

Catalina 10.15

Big Sur 11

Monterey 12

Linux
Operating System Version

Amazon Linux 2

CentOS 7.8 - 8.4

Debian 9.12 - 10.10

OpenSUSE 15.3

42.3

Oracle Linux 7.9 - 8.4

RHEL 7.8 - 8.4

SLES 12 SP5

15 SP3

Ubuntu 16.04

18.04

20.04

Harmony Endpoint Administration Guide | 21

 Deploying Endpoint Clients

Deploying Endpoint Clients

To deploy Harmony Endpoint clients to Windows devices:
1. Click Overview and then click Download on the top banner.
2. Click Download button under Windows or macOS, depending on the destination system.

To install the Initial Client:

1. Do any of these to download the Initial Client:
a. From the left navigation panel, click Service Management and then in the Download Initial
Client section, click on the Download button.
b. From the left navigation panel, click Overview.and then click on the Download button on the
top banner.
2. Deploy the Initial Client to all your Endpoint devices, using a third party deployment tool.
n Automatic - Use deployment rules to automatically download and install pre-configured packages on
Endpoint devices (see "Automatic Deployment of Endpoint Clients" on page 24).
n Manual - Export component packages to the endpoint devices, using third party deployment
software, a shared network path, email, or other method (see "Manual Deployment" on page 28).

Note - Admins are recommended not to pre-install Harmony Endpoint when using cloning utilities like
Acronis. It is recommended to install Harmony Endpoint after the clone is created, or at least to block
the initial registration before creating the clone.

Harmony Endpoint Administration Guide | 22

 Token-Limited Installation

Token-Limited Installation
Token-limited installation protects against sending unauthorized copies of exported packages and
installation of packages on computers which do not belong to the organization that created the packages.
The administrator is responsible for enabling the token-limited installation feature and creating the token.
If token-limited installation is enabled, then during the installation of the Endpoint client, the token is entered
automatically by the client.
The token is limited in time. If the token is expired, the registration is rejected.

To enable token-limited registration:

1. Go to Endpoint Settings > Authentication Settings > Time-Limit Installation.
2. Click Enable Time-Limited Installation.
3. Select the Enabled checkbox.
A token is created in the Value field.

4. In the Valid until field, click the calendar to select the date on which the token expires.
5. Click OK.

To copy the token, click the copy button next to the token.

Harmony Endpoint Administration Guide | 23

 Automatic Deployment of Endpoint Clients

Automatic Deployment of Endpoint Clients

Software deployment rules are supported for both Windows and macOS.
Use deployment rules to automatically download and install pre-configured packages on endpoint devices.
To manage your Endpoint Security clients and install Endpoint Security Policy on them, you must first
deploy the Initial Client to them.
The Initial Client is the Endpoint Agent that communicates with the Endpoint Security Management Server.

Automatic Deployment of Endpoint Clients for Windows OS

Tiny Agent for Windows OS

The Tiny Agent functionality introduces a few major improvements to the current Initial Client package
(which is a very thin client, without any blade, used for software deployment purposes).
The Initial Client is the Endpoint Agent that communicates with the Endpoint Security Management
Server.
You can extract the Initial Client from the Tiny Agent.
The improvements include:
n The Tiny Agent has a very small executable (smaller than 1MB)
n It can be shared in various forms, enabling fast, easy and seamless first-time deployment.
n Once combined with the Dynamic Package, it installs only what is necessary for each machine.
n It is agnostic to the client version.
n It passes Smart Screen validation - no more download warnings
n It reduces network traffic for installing selected blades.
It is available for cloud deployments and for on-premises deployments running Endpoint Security
Management Server R81 or higher.
To download the Tiny Agent:
n Click Overview, and then click Download Endpoint on the top banner.
n Click Policy > Deployment Policy > Software Deployment, and then click Download Endpoint on
the top banner.
It is seamless to our users. The only difference is that the file's extension is .EXE instead of the normal
.MSI.

Note - To extract the MSI file, run:

EndpointSetup.exe /CreateMSI

Note - You can deploy the Initial Client to all your endpoint devices, using a third-
party deployment tool, manually or remotely (see "Remote Installation of Initial
Client" on page 33).

Harmony Endpoint Administration Guide | 24

 Automatic Deployment of Endpoint Clients

Troubleshooting Issues with the Tiny Agent on Windows OS

The Tiny Agent shows simple error messages in cases of network issues (connectivity problems, proxy
issue, and so on).
Error messages and Remediation

Console Error Description Remediation

Endpoint Setup failed! Exception occurred (either Download the file again and
allocation failed on any internal check its signature (it could be
component, or another type of corrupted), and make sure you
abnormal termination) have enough free RAM.

Failed to initialize Either we cannot verify our own Make sure you have enough
Endpoint Setup! signature, or map the installer memory.
in the memory.

Failed to parse Failed to parse the URL for File downloaded from the
internal data! downloading eps.msi from Management Server
CDN is corrupted. Contact Check
Point Support.

Failed to download or Failed to verify downloaded Make sure that your Security
verify Windows EPS.msi Gateway, or any network
Installer package security component, does not
(EPS.msi)! corrupt the installer.

Failed to find program Failed to get program files from Make sure your OS is updated.
files folder Microsoft.

Failed to create our Either there is some Check Make sure that the Endpoint
program files folder Point product installed, or the Security Client is not already
for config.dat Administrator cannot create installed.
folders in the Program Files
folder

Failed to save Either there is some Check Make sure that the Endpoint
config.dat Point product installed, or the Security Client is not already
Administrator cannot create installed.
folders in program files folder

Failed to install the Cannot run Windows Installer Make sure Windows Installer is
product to install EPS.msi enabled.

Failed to download Failed to download eps.msi Make sure you have access to
Windows Installer CDN:
package (EPS.msi)! sc1.checkpoint.com

Failed to authenticate Data corruption occurred, or Make sure the file is not
EndpointSetup! data added to the file is corrupted, and/or that you
corrupted downloaded it from the correct
location.

Harmony Endpoint Administration Guide | 25

 Automatic Deployment of Endpoint Clients

Console Error Description Remediation

Failed to parse Failed to find the server config Make sure you downloaded the
configuration data information. file from the portal.

Setup failed another Another installation is stuck, or Reboot the machine, or

installation is has not finished. fix/complete any pending
currently in progress installation.

Log File Location

The log file is located here:

C:\Windows\System32\LogFiles\WMI\EndpointSetup.etl

Silent Installation
Run:

PsExec.exe -accepteula -nobanner -s "C:\Users\<Administrator

Username>\Desktop\EndpointSecurity.exe"
Endpoint Security Component Package

This package includes the specified components to be installed on the endpoint device.
You can distribute it automatically with deployment rules.
You can configure the policies for the components before or after you deploy the component package.
Deploy the Endpoint Security component package with deployment rules.

Automatic Deployment of Endpoint Clients for macOS

Roadmap - This feature is planned.

Harmony Endpoint Administration Guide | 26

 Automatic Deployment of Endpoint Clients

Deployment Rules
Deployment rules let you manage Endpoint Security Component Package deployment and updates.
Deployment rules work on both Windows OS and macOS. Linux OS is not supported yet.
The Default Policy rule applies to all Endpoint devices for which no other rule in the Rule Base applies.
You can change the default policy as necessary.
You can define more rules to customize the deployment of components to groups of Endpoint devices with
different criteria, such as:
n Specific Organizational Units (OUs) and Active Directory nodes.
n Specific computers.
n Specific Endpoint Security Virtual Groups, such as the predefined Virtual Groups ("All Laptops", "All
Desktops", and others.). You can also configure your own Virtual Groups.
Deployment rules do not support user objects.
Mixed groups (that include both Windows OS and macOS objects) intersect only with the applicable
members in each rule.
To create new deployment rules for automatic deployment

1. From the left navigation panel, click the Policy view.

2. Click Deployment Policy > Software Deployment.
3. From the top toolbar, click New Above or New Below.
The Clone Rule window opens.
4. Configure the rule:
n Enter the rule name
n Select the groups to which the rule applies.
Mixed groups (that include both Windows OS and macOS objects) intersect only with the
applicable members in each rule.
n Select the applicable parts of the organization.
n Select the affected devices.
5. Click OK to create the new rule.
6. Click the new rule to select it.
7. In the right section Capabilities & Exclusions, click the applicable tab - Windows or macOS.
8. Configure the deployment settings:
a. To deploy a package immediately, select the applicable package version.
b. Select the package capabilities.
9. Click Save.
10. Above the right section Capabilities & Exclusions, click Install Policy.

See "Installation and Upgrade Settings" on page 162 for local deployment options.

Harmony Endpoint Administration Guide | 27

 Manual Deployment

Manual Deployment
You can export a package of Harmony Endpoint or Harmony Browse from the Endpoint Security
Management Server to Endpoint devices using a third-party deployment software, a shared network path,
email or other method.
When you download a package for manual deployment, the Initial Client is already included in the package
for Harmony Endpoint and there is no need to install it separately.

Initial Client is not supported for Harmony Browse.

When you create the package for export, you select your set of components.
The package installation program automatically detects the computer type and installs the applicable
components.

Harmony Endpoint Administration Guide | 28

 Manual Deployment

1. Create the package for export

Step Instructions

1 Go to Policy > Export Package.

2 Do any of these:
n To export package for Harmony Endpoint, click Endpoint Client.
n To export package for Harmony Browse, click Browse Client and continue
with "Export the package" on the next page.

3 Click the plus sign to create a new export package.

The Create Export Package window opens.

4 Enter the Package Name and select the applicable Operating System.
Windows and macOS are supported.

5 Select the Agent Version and Capabilities.

For Linux, only the Anti-Malware blade is supported with the exported package.
For capabilities supported by Windows, macOS and Linux, see sk169996.
For general limitations on macOS, see sk110975.

6 Optional: Select a Virtual Group or create a new one.

Users who install this package will automatically be part of this virtual group.
You can use the virtual group to apply a security policy to the entire group instead of
to each object in the group separately.

7 Optional: Select a VPN Site.

n Select a predefined VPN site from the drop-down list.
n Add a new VPN site. You can create the VPN site in this wizard or through the
package card or the VPN Sites modal.
See "Adding a New VPN Site to an Exported Package" on page 31.

8 Configure the Dynamic Package options (see the corresponding step below).

Harmony Endpoint Administration Guide | 29

 Manual Deployment

Step Instructions

9 If the package is a Dynamic Package, configure these settings:

n General

Disable the Endpoint Security Client user interface - for unattended machines,
like ATMs.
To learn about packages for ATMs, see sk133174. By default, the client user
interface is included in the package.
n Dependencies

Select the dependencies to include in the package:

l .NET Framework 4.6.1 Installer (60MB) - Recommended for Windows

7 computers without .NET installed.

l 32-bit support (40MB) - Selected by default. Recommended for 32-bit

computers.
l Visual Studio Tools for Office Runtime 10.050903 (40 MB) -

Recommended if the package includes Capsule Docs.

n Dependencies Settings

Select the signature to include in the package.

This sets the level of Anti-Malware protection from the time that a client gets
the package until it gets the latest Anti-Malware signatures from the signature
provider:
l Full - Recommended for installing on devices without high-speed

connectivity to the Anti-Malware server.

l Minimum - Selected by default. Recommended for a clean installation

on devices that are connected to the Anti-Malware server.

l None - Recommended for upgrades only.

10 Click OK.

Note - You can duplicate the package configuration for future use. Click the
icon.

2. Export the package

Step Instructions

1 In the Export Package window, select a package.

2 Click Download Package.

3 Select a location to save the files.

The package is downloaded to the specified path.
When using Dynamic Package, the name of the exported package is EPS.exe.
Otherwise, the name of the package is EPS.msi for Harmony Endpoint.

Dynamic package is not supported for Harmony Browse.

3. Install the exported package on the client computer

Harmony Endpoint Administration Guide | 30

 Manual Deployment

Send the package to the users. When using a Dynamic Package, the exported package is a self-
extracting executable (*.exe).
By default for Harmony Endpoint, the filename is EPS.exe.
For other types of packages, the name of the package is EPS.msi for Harmony Endpoint and
SBA4B_Installer.msi for Harmony Browse.
Starting from the Harmony Endpoint client version E85.20, you can extract an MSI version of the
package. Run the EPS.exe /CreateMSI command in the Windows Command Prompt. It works for
both 32-bit and 64-bit Windows. You select the version when you exported the package. If you
selected both, then the 64-bit version is located in the current folder, and the 32-bit version is
located in a subfolder "32\EPS.msi".
Endpoint users manually install the packages.

Note - On Windows 8.1 and higher clients, you must install an exported
package with Run as administrator. You cannot install it with a double-click.

You can also use third party deployment software, a shared network path, email, or some other
method.
You can only see the deployment status after the package is successfully installed.

Adding a New VPN Site to an Exported Package

When you use an exported package, you can configure each package to connect to a default VPN site
which you create.
By default, no VPN site is configured for a new package.

To add a new VPN site to an exported package:

1. Make sure the exported package includes Endpoint Connect VPN.
2. You can add a new VPN site through these locations:
n The Create a Package wizard.
n The Manage VPN sites button.
n The package tile:
l If no VPN site is configured, then click New
l If a VPN site is already configured, then click Edit > New
3. Configure these settings:
n Name - Unique name for this VPN site.
n Site Address - Site IP address.

Harmony Endpoint Administration Guide | 31

 Manual Deployment

n Authentication Method - One of these:

l Username-password - Endpoint users authenticate using their VPN user name and
password.
l CAPI certificate - Endpoint users authenticate using the applicable certificate.
l P12 certificate - Endpoint users authenticate using the applicable certificate.
l SecurID KeyFob - Endpoint users authenticate using a KeyFob hard token.
l SecurID PinPad -Endpoint users authenticate using the an SDTID token file and PIN.
l Challenge-response - Endpoint users authenticate using an administrator supplied
response string in response to the challenge prompt.
4. Click OK.

Harmony Endpoint Administration Guide | 32

 Remote Installation of Initial Client

Remote Installation of Initial Client

The Initial Client is the Endpoint Security agent that communicates with the Harmony Endpoint.
You install the Initial Client on Endpoint devices before you use automatic software deployment to deploy
components.
The remote installation is the installation of an Initial Client on an Endpoint Security component package.
In Endpoint Security Client E84.40 and higher, you can now install the Initial Client remotely without third
party tools such as Microsoft System Center Configuration Manager (SCCM) or Intune.
The Push Operation mechanism extends to devices that do not have the Initial Client installed yet.

Setting the Deployment Agent

The Deployment Agent is the cornerstone of the remote push feature. The agent is a domain-joined device
that you select as an initiator for remote installation requests on target workstations in the same Active
Directory domain.

Best Practice - We recommend that the Deployment Agent has good hardware specs, network
connectivity, availability and a "remote install" compatible Endpoint Security Client (E83.30 and higher).

Harmony Endpoint Administration Guide | 33

 Remote Installation of Initial Client

You can configure multiple devices in each domain as Deployment Agents with no limitation on the total
count. All devices qualify as an agent for an installation bundle.

Certificates and DNS

To add Active Directory Credentials to the Deployment Agent on the Endpoint Security Client Screen:
1. Open the Endpoint Security client screen, and click Advanced.
2. In the Remote Deployment section, click Configure.

3. Enter the Domain Administrator credentials with ad\administrator or [email protected] as the

Harmony Endpoint Administration Guide | 34

 Remote Installation of Initial Client

User Name.

Note - You must be in the Domain Administrators group in the Active Directory.

Privileges
User must have permission to connect from the Deployment agent computer to the target computer and
create the scheduled task on the target computer.
For additional references, please see Microsoft's guide here: https://docs.microsoft.com/en-
us/windows/win32/api/taskschd/nf-taskschd-itaskservice-connect

Setting the Target Devices

Windows Defender
n Windows 10 regards the remote execution of msiexec.exe through the Task Scheduler as
malicious activity. Windows blocks this on the target computer.
n Disable Windows Defender's Real-Time Protection with a PowerShell command on the target
computer:
Set-MpPreference -DisableRealtimeMonitoring $true
n If the remote installation procedure fails, the Windows Defender enables after a restart. Disable the
Windows Defender's Real-Time Protection again.

Other AV Solutions
n We recommend that you disable the Windows Defender and disable or uninstall third-party anti-virus
software on the target computer.

Harmony Endpoint Administration Guide | 35

 Remote Installation of Initial Client

n An attempt to run remote software triggers a notification. The remote deployment procedure fails.

Enable Access to the Task Scheduler Through the Windows Firewall in a Domain Profile
n When the Windows Firewall blocks the remote connection to the target's Task Scheduler, run this
PowerShell command on the target computer:
Get-NetFirewallProfile -Name Domain | Get-NetFirewallRule | ? Name -like
*RemoteTask-In-TCP-NoScope* | Enable-NetFirewallRule

Remotely Installing the Initial Client

You remotely install the Initial Client from the Push Operations view or from the Asset Management view.
To install the Initial Client remotely from the "Push Operations" view

1. From the left navigation panel, click Push Operations.

2. From the top toolbar, click (+) Add.
The Add Push Operation window opens.
3. On the Select push operation page:
a. From the menu, select Agent Settings.
b. In the list of options, click Deploy New Endpoints.
c. At the bottom, click Next.
4. On the Select devices page:
a. Click (+).
b. Select devices that do not have Endpoint installed and are not in the process of deployment.

Notes:
n To select several non-adjacent entries, press and hold the CTRL
key while you click the applicable entries.
n To select several adjacent entries, press and hold the SHIFT
key, click the applicable top entry, and then, click the applicable
bottom entry.
n To clear a selection, press and hold the CTRL key while click the
applicable entry again.
n You can select up to 5,000 entries.

c. At the bottom, click Update Selection.

d. In the table with the entries, select the checkboxes of applicable devices.
e. At the bottom, click Next.
5. On the Configure Operation page:
a. In the Comment field, enter the applicable text.
b. In the Select deployment agent field, select one device for this push operation.
c. In the Endpoint version menu, select the applicable version.Only devices with Windows 7
and higher are supported.

Harmony Endpoint Administration Guide | 36

 Remote Installation of Initial Client

d. In the Scheduling section, configure one of the applicable settings:

n Execute operation immediately
n Schedule operation for, and click the calendar icon to configure the date and time
e. Click Finish.

To install the Initial Client remotely from the "Asset Management" view

1. From the left navigation panel, click Asset Management.

2. Select the checkboxes of applicable devices (up to 5,000).
3. From the top toolbar, click Push Operation > from the menu that appears click Agent Settings >
Deploy New Endpoints.
The Push Operation Creation Dialog window opens.
4. Enter the required values:
a. In the Comment field, enter the applicable text.
b. In the Select deployment endpoint field, select one device for this push operation.
c. In the Endpoint version menu, select the applicable version.Only devices with Windows 7
and higher are supported.
d. In the Scheduling section, configure one of the applicable settings:
n Execute operation immediately
n Schedule operation for, and click the calendar icon to configure the date and time
5. Click Create.

Windows Task Scheduler on endpoint devices

1. After a connection to the Task Scheduler service on Windows OS, the Deployment Agent
registers a new task: "CP_Deployment_{unique ID}".
2. The Deployment Agent runs the task from the domain administrator's account on the target
computer.
3. The Task Scheduler spawns the msiexec.exe to download the client installer and launch it in
silent mode.
4. The installation proceeds with the MSI script instructions.

Security Considerations
n The Deployment Agent does not store the administrator password in clear text.
n The client UI collects the credentials and passes them to the device agent to store in separate values
of a registry key under EP root.
n The password stores as an encryption and the principal name stores in plain text.
n Administrator accounts have access permissions of FULL CONTROL for the registry key.
n The SYSTEM account has READONLY access permissions for the registry key.

Harmony Endpoint Administration Guide | 37

 Remote Installation of Initial Client

n The user and password never pass to the target devices. They establish the Task Scheduler
connection.

Progress of Installation and Error Handling

The installation status shows at the bottom page of the Push Operation view.
Target devices that fail to install and download the Initial Client, set their status accordingly. In case of a
connection failure, the Deployment Agent tries to connect to the target service three more times with
increasing interval between attempts. The default is ten seconds. This mechanism increases the success
rate in case of network-related issues.

The Deployment Agent Cannot Reach the Remote Task Scheduler

If the Deployment Agent cannot reach the remote task scheduler on the target device, the specific
installation procedure fails. The target device's Operation Status changes to "Failed to access remote task
scheduler".

The Target Device Fails to Download the Initial Client

If the target device cannot download the Initial Client, the target device's Operation Status changes to
"Failed to download client".

Invalid Credentials
If the domain administrator credentials are invalid, the Deployment Agent stops connecting to remote
targets, and the target device's Operation Status changes to "Access denied due to Invalid credentials".

Missing Credentials
If the domain administrator credentials are missing, the Deployment Agent stops connecting to remote
targets, and the target device's Operation Status changes to "Deployment agent is not configured".

Failed to Install Initial Client on Target Device

If the target device fails to install the Initial Client, the target device's Operation Status changes to "Failed to
install agent on target device".

Target Device Already Has an Agent installed

If the target device has an agent already installed, the Initial Client installation fails. The target device's
Operation Status changes to "Agent already installed".

The Deployment Agent is Not Available to Deploy Targets

If the Deployment Agent cannot be reached while a push operation takes place, the push operation aborts,
fails and sets the entire push-operation status to "The deploying Agent is not available to deploy targets".

Ports and Permissions

For installations that traverse a perimeter Firewall, enable this port: Port 135 for RPC over TCP traffic.

Harmony Endpoint Administration Guide | 38

 Remote Installation of Initial Client

Upgrades
Upgrades are seamless to our users. A new type of Push Operation are rolled out and added to all Harmony
Endpoint users.

Harmony Endpoint Administration Guide | 39

 Heartbeat Interval

Heartbeat Interval
Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to check the
connectivity status and report updates. The time between heartbeat messages is known as the heartbeat
interval.

Note - The default heartbeat interval is 60 seconds. A shorter heartbeat interval can
cause additional load on the management. A longer heartbeat interval may lead to less
up-to-date logs and reports.

Harmony Endpoint Administration Guide | 40

 Uninstalling Third-Party Anti-Virus Software Products

Uninstalling Third-Party Anti-Virus Software

Products
When you install the Endpoint Security client E84.70 or higher through manual, automatic, or remote
deployment, it automatically detects and uninstalls third-party Anti-Virus software products after you
successfully install the Endpoint Security client.

Note - We recommend that you first test the uninstallation on a test environment before
you implement it on a live environment.

You can also uninstall a third-party antivirus software manually.

To uninstall a single software product:

Open the command prompt window and run:
msiexec /i EPS.msi REMOVEPRODUCTS="Product{Product code or upgrade code of
Product}"

To uninstall multiple software products:

Run:
msiexec /i EPS.msi REMOVEPRODUCTS="Product1, Product2, {Product code or
upgrade code of Product1} {Product code or upgrade code of Product2}"

For example, to uninstall Symantec and McAfee, run:

msiexec /i EPS.msi REMOVEPRODUCTS="Symantec, McAfee, {8D92DEB1-A516-4B03-8731-
60974682B69C} {9BE518E6-ECC6-35A9-88E4-87755C07200F}"

Tip- To find the product code, do any of these:

n In the Registry Editor, navigate to the Uninstall folder under
HKEY_LOCAL_MACHINE\SOFTWARE\.
For example, HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall.
n In PowerShell, run:
Get-WmiObject win32_product -Filter "name like '%any part of the product name%”
n To find the upgrade code using the product code, run:
gwmi -Query "SELECT Value FROM Win32_Property WHERE Property='UpgradeCode' AND
ProductCode='{YourGuid}”
Notes -
n Symantec.cloud is not supported by the this command. To remove Symantec.cloud,
navigate to
C:\Program Files\Symantec.cloud\PlatformAgent\ and run Uninstall.exe.
n You cannot uninstall software products whose cached msi is not found on your
computer.

Harmony Endpoint Administration Guide | 41

 Monitoring Harmony Endpoint Deployment and Policy

Monitoring Harmony Endpoint Deployment and

Policy
Monitoring your Endpoint Security policy and deployment should be a very important part of your-day-to-day
work.
The Overview view > Operational Overview page has the Active Alerts pane on the right. This page shows
which endpoint computers are in violation of critical security rules.
These violation types can trigger alerts about various issues.
For example:
n Compliance warning
n Failed deployment
n Encryption problem
n Anti-Malware issues
n Policy server out-of-sync

Configuring Alert Messages

To define security alerts

1. Go to the Endpoint Settings view > Alerts, and select a security violation.
2. Select the applicable alert from the list.
3. In the right section Alert Configuration:
a. Select ON in the top line:
The computer is restricted or about to the restricted

Harmony Endpoint Administration Guide | 42

 Monitoring Harmony Endpoint Deployment and Policy

b. Configure these settings:

n Threshold Settings - Select how the amount of endpoints that trigger alerts are
measured, by percentage or number.
n Notification Settings - Select the notification type you receive when an alert is
triggered:
l Notify on alert activation - Sends a notification when an alert the number of
Endpoint devices with violations exceeds the configured threshold.
l Notify on alert resolution - Sends a notification when an alert the number of
Endpoint devices with violations decreases below the configured threshold.
l Remind me every - Sends a notification repeatedly according to a specified
frequency, as long as the number of Endpoint devices with security violations
exceeds the configured threshold.
l Recipients - Enter the email addresses of the message recipients (separated
by comma).
n Email Template Settings - You can configure a unique email template to be sent to
you when an alert is triggered. The email Subject and Body contain dynamic tags.
Dynamic tags are replaced by the server with the relevant information during email
sending. Remove the tags you do not wish to include in the email.
l Attach report to mail notification - If selected, a CSV report with all the device
details related to a particular alert will be attached to email. If there are no
affected devices, nothing is attached
l Subject - Contains these dynamic tags: type (alert activation, alert resolution
or alert reminder), alert name, and tenant name.
l Body - Contains these dynamic tags: type(alert activation, alert resolution or
alert reminder), alert name, affected-count, and total-count.
l Send Test Report - If selected, a notification email according to the configured
template is sent for a particular alert.
To send emails for alerts, you must follow the steps in the "Configuring an E-mail
Server" below section below.
4. Click Save.
Note - Alerts are reevaluated every 10 minutes.
When the alerting criteria are updated, the alerting is reevaluated on the next
iteration.
When alerting is (re)enabled, it forces the alerting mechanism to immediately
(re)start and (re)evaluate.

Configuring an E-mail Server

You must configure your email server setting for Endpoint Security to send you alert email messages.
If you use Capsule Docs it is also important to configure this.
The settings include the network and authentication parameters necessary for access to the email server.
You can only configure one email server.

Harmony Endpoint Administration Guide | 43

 Monitoring Harmony Endpoint Deployment and Policy

To configure the email server

1. In Endpoint Settings > Alerts > at the top, click Email Service Settings.
The Email Service Settings window opens.
2. Enter these details:
n Host Name - Email serve host name.
n From Address - Email server IP address.
n User Authentication is Required - If email server authentication is necessary, select this
option and enter the credentials in the User Name and the Password fields.
n Enable TLS Encryption - Select this option if the email server requires a TLS connection.
n Port - Enter the port number on the email server.
n Test Email - Enter an email address to send the test to, and click Send Test:
l If the verification succeeds, an email is sent to the email address entered and a
success message shows in the Email Service Settings window.
l If the verification fails, an error message shows in the Email Service Settings
window.
Correct the parameters errors or resolve network connectivity issues. Stand on the
error message to see a description of the issue.
3. Click OK to save the email server settings and close the window.

Harmony Endpoint Administration Guide | 44

 How to Verify that Harmony Endpoint can Access Check Point Servers

How to Verify that Harmony Endpoint can

Access Check Point Servers
See article in the following link:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_
doGoviewsolutiondetails=&solutionid=sk116590

Harmony Endpoint Administration Guide | 45

 Disabling Incognito mode,BrowserGuest mode and InPrivate mode

Disabling Incognito Mode,

BrowserGuest Mode, and InPrivate
Mode
Overview
The browser extension is not installed automatically if the Incognito, Guest or InPrivate mode is enabled in
your browser. We recommend that you disable these modes to secure your users.

Chrome on Windows:
To disable Incognito mode and BrowserGuest mode:
1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears.
3.
To disable Run

Incognito mode REG ADD HKLM\SOFTWARE\Policies\Google\Chrome /v

IncognitoModeAvailability /t REG_DWORD /d 1

BrowserGuest REG ADD HKLM\SOFTWARE\Policies\Google\Chrome /v

mode BrowserGuestModeEnabled /t REG_DWORD /d 0

Firefox on Windows
To disable InPrivate mode:
1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears
3.
To disable Run

InPrivate REG ADD HKLM\SOFTWARE\Policies\Mozilla\Firefox /v

mode DisablePrivateBrowsing /t REG_DWORD /d 1

Harmony Endpoint Administration Guide | 46

 Disabling Incognito mode,BrowserGuest mode and InPrivate mode

Microsoft Edge on Windows

To disable BrowserGuest mode and InPrivate mode:
1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears
3.
To disable Run

BrowserGuest REG ADD HKLM\SOFTWARE\Policies\Microsoft\Edge /v

mode BrowserGuestModeEnabled /t REG_DWORD /d 0

InPrivate mode REG ADD HKLM\SOFTWARE\Policies\Microsoft\Edge /v

InPrivateModeAvailability /t REG_DWORD /d 1

Chrome on macOS
To disable incognito mode and BrowserGuest mode:
1. In the Finder, click Go > Utilities.
2. Open the Terminal app.
The Terminal app window appears.
3.
To disable Run

Incognito mode defaults write com.google.chrome

IncognitoModeAvailability -integer 1z

BrowserGuest defaults write com.google.Chrome BrowserGuestModeEnabled

mode -bool false

Firefox on macOS
To disable InPrivate mode:
1. In the Finder, click Go > Utilities.
2. Open the Terminal app.
The Terminal app window appears.

Harmony Endpoint Administration Guide | 47

 Disabling Incognito mode,BrowserGuest mode and InPrivate mode

3.
To disable Run

InPrivate defaults write /Library/Preferences/org.mozilla.firefox

mode DisablePrivateBrowsing -bool TRUE

Microsoft Edge on macOS

To disable BrowserGuest mode and InPrivate mode:
1. In the Finder, click Go > Utilities.
2. Open the Terminal app.
The Terminal app window appears.
3.
To disable Run

BrowserGuest defaults write com.microsoft.edge

mode BrowserGuestModeEnabled -integer 0

InPrivate mode defaults write com.microsoft.edge

InPrivateModeAvailability -integer 1

Harmony Endpoint Administration Guide | 48

 Managing Endpoint Components in SmartEndpoint Management Console

Managing Endpoint Components in

SmartEndpoint Management
Console
In addition to Harmony Endpoint, you can also manage the Endpoint components through a cloud-based
SmartEndpoint management console.
To manage the Endpoint components through the SmartEndpoint console:
1. Download SmartConsole from the Service Management view:

Note - Before you download SmartConsole, you must change your SmartConsole
administrator password.

2. In the SmartEndpoint Login window:

a. Enter the username, password and service identifier that you entered when you created the
New Endpoint Management Service.
See "Creating a New Endpoint Management Service" on page 17.
b. Select Cloud Server.

Harmony Endpoint Administration Guide | 49

 Managing Endpoint Components in SmartEndpoint Management Console

c. Click Login.

The SmartEndpoint console manages all Endpoint components, whereas the Harmony Endpoint manages
only SandBlast components.
Harmony Endpoint does not support all of SmartEndpoint features. Therefore, there can be conflicts
between configurations in the two platforms. For more information, see "Backward Compatibility" on
page 169.

Harmony Endpoint Administration Guide | 50

 Managing Licenses

Managing Licenses
A new account has a 30-day trial period by default.
To extend the trial period

1. Log in to the Check Point User Center.

2. If you do not have a User Center account, go to My Check Point > My accounts and create a new
User Center account.
3. Go to My Check Point > Product Center.
4. In the Product Center, go to the Evaluations tab.
5. Select Other Evaluation Option and click Select a product.
The Other Evaluation Options window opens.
6. Select CP-HAR-EP-COMPLETE-EVAL or CP-HAR-EP-ADVANCED-EVAL from the drop-down
list and click Select.

7. Click Next.
8. In the Provide Evaluation Info section that opens, fill in these details:
a. User Center Account
b. Email Address
c. Evaluation Product will be used by
d. Purpose of Evaluation
9. Click Get Evaluation.

Harmony Endpoint Administration Guide | 51

 Managing Licenses

A confirmation notice is received that the product was successfully added to your User Center
account.
Click the link in the confirmation notice to view the license in the Product Center.

10. In the Product Center, go to Selected Account and select the account to which the license was
added.
11. Select the license and click the License button above the list of the licenses.

12. Fill in the required details in the page that opens:

n IP address 164.100.1.8
n Hardware brand name: Mixed Environment
n Operation System: Mixed Windows Environment

Harmony Endpoint Administration Guide | 52

 Managing Licenses

13. Click License.

To activate a license

1. In Harmony Endpoint (portal.checkpoint.com), go to Global Settings > Contracts.

At the upper-right .of the screen, click Associated Accounts.
The Managed Accounts window opens.
2. Click Attach Account.
The Attach Account window opens.
3. Enter your User Center credentials, and click Next.
4. Select the license to apply and click Finish.
Your license should now appear in the Contracts page.

Note - If you already have an associated account and wish to add another
license, go to Global Settings > Contracts > Associated Accounts and use
the sync option to refresh the license.

To see your license information, go to the Endpoint Settings view.

Note - It may take up to 12 hours for the license to appear in the Infinity Portal.
During these 12 hours, you might not be able to start the server. Until the
license is synchronized, the expiration date may show as invalid.

Harmony Endpoint Administration Guide | 53

 Managing Users in Harmony Endpoint

Managing Users in Harmony

Endpoint
After you create an account, you can create users who have access to Harmony Endpoint using this
account.
To each user you create, you must assign a user role.
Only User Admin can assign roles.
There are two types of user roles:
n Global roles.
When creating a new user, you must assign a Global role to the user.
n Specific Service roles.
Assigning a Specific Service role to a new user is optional.
Global Roles

Global Roles define the user's permissions to define user roles.

The Global Roles apply to the Infinity Portal platform and to all the services in the Infinity Portal.
Currently, these are the supported Infinity Portal roles:

Role Description

Admin Allows Read & Write permissions across all services in your Infinity Portal account.
When a new service is activated in your account, an Admin user automatically gets Read
& Write permissions in this service.

Read- Allows full Read-Only visibility to all services in your Infinity Portal account.
Only When a new service is activated in your account, a Read-Only user automatically gets
read permissions in this service.

User Allows management of all aspects of users and roles in your Infinity Portal account.
Admin Only administrators with User Admin permission can access the Users tab and
associate roles with users.
Administrators with an Admin role and no User Admin role, cannot access the Users tab.

You can assign multiple Global Roles to each user.

Specific Service Roles

Roles which apply only to a specific service, in this case the role selected here applies only to the
Harmony Endpoint service. You can assign only one Harmony Endpoint role per user. The Specific
Service role selected overrides the assigned Global roles. There are 6 types of specific Harmony
Endpoint roles:

Harmony Endpoint Administration Guide | 54

 Managing Users in Harmony Endpoint

Role Description

Admin Full Read & Write access to all system aspects.

Read-Only Has access to all system aspects, but cannot make any changes.
User

Helpdesk User Has Read-Only access to the service.

Has Read & Write access to data protection, computer actions, and logs.

Log Only User Has full access to the Logs tab.

Has no access to other features.

Power User Has full Read & Write access to the Harmony Endpoint service, but cannot control
the service.

Remote Help Helps Full Disk Encryption and Media Encryption users with access to encrypted
User media.

The table below summarizes the permissions of each user type:

Remote
Tab on Admin Helpdesk Log Only Power Read-
Section Help
Left Panel User User User User Only
User

Overview All Read Read- Read & No Read & Read-

& Only Write Permissio Write Only
Write n

Policy All Read Read- No No Read & Read-

& Only Permissio Permissio Write Only
Write n n

Software Read Read & No No Read & Read-

Deployment & Write Permissio Permissio Write Only
- Install Write n n
Policy

Software Read Read & No No Read & Read-

Deployment & Write Permissio Permissio Write Only
-Write Policy Write (Cannot n n
edit
groups,
only select
objects in
rules)

Threat Read Read- No No Read & Read-

Prevention - & Only Permissio Permissio Write Only
Exclusions Write n n

Harmony Endpoint Administration Guide | 55

 Managing Users in Harmony Endpoint

Remote
Tab on Admin Helpdesk Log Only Power Read-
Section Help
Left Panel User User User User Only
User

Asset All Read Read- No No Read & Read-

Manageme & Only Permissio Permissio Write Only
nt Write n n

Data Read Read & Read & No Read & Read-

Protection & Write Write Permissio Write Only
(Recover Write n
Media)

Data Read Read & Read & No Read & Read-

Protection & Write Write Permissio Write Only
(Full Disk Write n
Encryption
Remote
Help)

Push Read No No No Read & Read-

Operations & Permissio Permissio Permissio Write Only
(Remediatio Write n n n
n)

Push Read Read & No No Read & Read-

Operations & Write Permissio Permissio Write Only
(All, Write n n
except
remediation)

Computer Read Read & No No Read & Read-

Actions & Write Permissio Permissio Write Only
(Reset Write n n
computer,
Delete
computer
data, add
Pre-boot
users)

Logs All Read Read & No Read & Read & Read-
& Write Permissio Write Write Only
Write n

Harmony Endpoint Administration Guide | 56

 Managing Users in Harmony Endpoint

Remote
Tab on Admin Helpdesk Log Only Power Read-
Section Help
Left Panel User User User User Only
User

Push All Read No No No Read & Read-

Operations & Permissio Permissio Permissio Write Only
Write n n n

Remediation Read No No No Read & Read-

& Permissio Permissio Permissio Write Only
Write n n n

All except Read Read & No No Read & Read-

remediation & Write Permissio Permissio Write Only
Write n n

Endpoint All Read No No No Read & Read-

Settings & Permissio Permissio Permissio Write Only
Write n n n

Service All Read No No No Read & Read-

Manageme & Permissio Permissio Permissio Write Only
nt Write n n n

Service Read No No No No Read-

Actions & Permissio Permissio Permissio Permissio Only
(Restart, Write n n n n
pause or
terminate the
service)

Threat All Read No No No Read & Read-

Hunting & Permissio Permissio Permissio Write Only
Write n n n

To see the list of users and the roles assigned to them, go to the Global Settings view > Users.

To create a new user:

1. From the left navigation panel, click Global Settings (at the bottom of the panel).
2. In the top left section, click Users.
The list of currently defined users appears.

3. From the top toolbar, click New.

The Add User window opens.
4. Configure the required details:
n Name
n Email
n Phone

Harmony Endpoint Administration Guide | 57

 Managing Users in Harmony Endpoint

n User Groups
n Global Roles
n Specific Service Roles

Note - If the user you wish to add is not registered in Harmony Endpoint, they receive a
registration invitation to establish login credentials for the portal.

5. Click Add.

Note: - To edit or delete a user, select the user and click Edit or Delete from the top toolbar.

Harmony Endpoint Administration Guide | 58

 Managing Accounts in the Infinity Portal

Managing Accounts in the Infinity

Portal
You can create additional accounts for the same user.
To create an additional account for an user

1. Go to the registration page:

https://portal.checkpoint.com/register/endpoint
2. For each new account, use a different account name (Company Name).

To switch between accounts

At the upper-middle of your screen, near the name Harmony Endpoint, click the current account and
select the required account from the drop-down menu.

To add an administrators to an account

1. From the left navigation panel, click Global Settings (at the bottom of the panel).
2. In the top left section, click Users.
The list of currently defined users appears.

3. From the top toolbar, click New.

The Add User window opens.
4. Configure the required details:
n Name
n Email
n Phone
n User Groups
n Global Roles - select Admin or User Admin

Note - If the administrator you wish to add is not registered in Harmony Endpoint, they
receive a registration invitation to establish login credentials for the portal.

5. Click Add.

Harmony Endpoint Administration Guide | 59

 Managing Harmony Browse

Managing Harmony Browse

Overview
You can install and manage the Harmony Browse lightweight client through Harmony Endpoint. This is
suitable when you want to provide only the Harmony Browse service to users and manage it's policy through
Harmony Endpoint. For more information on Harmony Browse, see Harmony Browse Administration Guide.
After you install the Harmony Browse client:
n You can apply same Client Setting and Threat Prevention policies to both Harmony Browse and
Harmony Endpoint clients.

n
in Asset Management > Computers indicates a Harmony Browse client. You can filter for clients
using the Agent Installed filter.
n The Overview and Logs menu show the information for both Harmony Browse and Harmony
Endpoint clients.

To manage Harmony Browse client through Harmony Endpoint:

1. Install the Harmony Browse client from Harmony Endpoint. For more information, see "Manual
Deployment" on page 28
2. Apply an existing Threat Prevention policy or configure a new Threat Prevention policy for the
Harmony Browse client.
3. Apply an existing Client Setting policy or configure a new Client Setting policy for the Harmony
Browse client.

Limitations
Harmony Browse does not support Push Operations and Threat Hunting.

Harmony Endpoint Administration Guide | 60

 Viewing Computer Information

Viewing Computer Information

The Asset Management View
The view shows information on each computer, such as deployment status, active components on the
computer, client version installed on the computer and more.

Select a View
From the top menu Columns, select a preconfigured view:
n Deployment
n Compliance
n Health
n Full Disk Encryption
n Anti-Malware
n Host Isolation
n Alternatively, click Custom and select the required columns.

Status Icon
The icon in the Status column shows the client or computer status.

Status
Description
Icon

Indicates Harmony Endpoint client.

Indicates Harmony Browse client.

Indicates that the client connection is active.

Indicates that a new computer was discovered that has no client installed.

Indicates that the computer was deleted from the Active Directory or from the
Organizational Tree.

Apply Filter
Use the Filters pane in the right-hand side of the screen.
These are the main filters for this view:

Harmony Endpoint Administration Guide | 61

 Viewing Computer Information

n Filter by computer property

n Filter by Virtual Group
n Filter by Organization Unit (this information is pulled from your Active Directory)

Harmony Endpoint Administration Guide | 62

 Viewing Computer Information

Managing Computers
Select the checkbox to the left of the applicable computers to perform these actions:
View Computer Logs

You can view logs of computers based on it's IP address.

To view computer logs by it's IP address:

1. Go to Asset Management > Computers.
2. Right-click on a computer and select View Computer Logs.
The system opens the Logs menu and shows the computer logs.

Reset computer

When the Endpoint client is installed on a computer, information about the computer is sent to and stored
on the Endpoint Security Management Server.
Resetting a computer means deleting all information about it from the server.
Resetting a computer does not remove the object from the Active Directory tree or change its position in
the tree.
Important - You can only reset a computer if the Endpoint client is not installed. If you
reset a computer that has Endpoint installed, important data is deleted and the
computer can have problems communicating with the Endpoint Security
Management Server.
Computer reset:
n Removes all licenses from the computer.
n Deletes Full Disk Encryption Recovery data.
n Deletes the settings of users that can log on to it.
n Removes the computer from Endpoint Security Monitoring.
n Deletes the Pre-boot settings.
n Marks the computer as unregistered.
After you reset a computer, you must reformat it before it can connect again to the Endpoint Security
service.
You may decide to reset a computer if:
n The Endpoint client was uninstalled or the computer is re-imaged.
n It is necessary to reset the computer's configuration before a new Endpoint client is installed. For
example, if the computer is transferred to a different person.

Delete computer data

Everything in the Endpoint server database that is connected to that computer is deleted.

Harmony Endpoint Administration Guide | 63

 Viewing Computer Information

Add to Virtual Group

You can add a computer to a virtual computer group (see "Managing Virtual Groups" on page 183).

Harmony Endpoint Administration Guide | 64

 Viewing Computer Information

The Overview View

The Overview view shows a graphical summary of important information about the Endpoint clients in your
organization, based on the information in the Asset Management view.
The Overview view is divided into these panes:

Pane Description

Operational Shows the deployment status of Endpoint clients in your organization, their health
Overview status, client versions and operating systems on the clients.

Security Shows the attack statistics of the Endpoint clients.

Overview

Operational Overview
The information in the Operational Overview appears in widgets described below. Each widget is clickable,
and takes you to the relevant view it is based on in the Asset Management view.
Contains graphical information on the endpoint clients which is based on the views in the Asset
Management view.
The information is presented in these widgets:

Widget Description

All Endpoints Shows the number of protected endpoints and the number of endpoints which report
issues.
This widget is based on the Health view.

Desktops Shows a division of the desktops by operating systems: Windows, macOS, and
Linux.
This widget is based on the Health view.
This widget only includes protected entities.

Laptops Shows a division of the laptops by operating systems: Windows, macOS, and Linux.
This widget is based on the Health view.
This widget only includes protected entities.

Deployment Shows the deployment status of the devices according to these values:
Status
n Success - Devices with these Deployment Statuses: "Completed" in their
status.
n In progress - Devices with these Deployment Statuses: "Deploying",
"Uninstalling", "Retrying", or "Downloading" in their status.
n Failed - Devices with these Deployment Statuses: "Not Installed", "Not
Scheduled" or "Unknown".

Harmony Endpoint Administration Guide | 65

 Viewing Computer Information

Widget Description

Pre-boot Status This widget shows the Pre-boot status of the devices according to these values:
n Enabled
n Temporarily disabled
n Disabled
n Installed
n Not installed
This widget is visible only when the Full Disk Encryption capability is enabled.
This widget is based on the Full Disk Encryption view.

Encryption This widget shows the Full Disk Encryption status of the devices according to these
Status values:
n Encrypted
n In Progress
n Not Encrypted
n Not installed or Unknown
n Encrypting
n Re-encrypting
n Decrypting
n Not running
n Status information is missing
n Setup protection
This widget is based on the Full Disk Encryption view.
This widget is visible only when the Full Disk Encryption capability is enabled.

Anti-Malware Shows the time when updates were installed on the endpoint clients:
Update
n On the last 24h
n On the last 72h
n Over 72h ago
n Never
n Not installed or Unknown
This widget is based on the Anti-Malware update ON data in the Deployment
Status.

Harmony Shows the client versions installed on the endpoint clients.

Endpoint This widget is based on the Deployment view.
Version

Operating Shows the type of operating system installed on the endpoint clients:
System
n Windows
n macOS
n Linux
n Other

In addition, in the top right section Active Alerts you can see alerts for the thresholds you created in the
Endpoint Settings view > Alerts (see "Monitoring Harmony Endpoint Deployment and Policy" on page 42).

Harmony Endpoint Administration Guide | 66

 Viewing Computer Information

Security Overview
Shows the attack statistics of the Endpoint clients.
The information is presented in these widgets:
n Hosts Under Attack
n Active/Dormant Attacks
n Cleaned/Blocked Attacks
n Infected Hosts
n Attacks Timeline

Harmony Endpoint Administration Guide | 67

 Configuring the Endpoint Policy

Configuring the Endpoint Policy

The Harmony Endpoint security policy contains these components:
n Threat Prevention - which includes Web & Files Protection, Behavioral Protection and Analysis &
Remediation. The Threat Prevention policy is unified for all the Threat Prevention components. This
is different than the Policy Rule Base in SmartEndpoint, where each SandBlast component has its
own set of rules.
n Data Protection - which includes Full Disk Encryption and Media Encryption & Port Protection.
n Access Policy - Includes Firewall, Application Control, Developer Protection, Deployment Policy and
Client Settings.
When you plan the security policy, think about the security of your network and convenience for your users.
A policy should permit users to work as freely as possible, but also reduce the threat of attack from malicious
third parties.
You can add more rules to each Rule Base and edit rules as necessary. Changes are enforced after the
policy is installed.

Harmony Endpoint Administration Guide | 68

 Configuring the Threat Prevention Policy

Configuring the Threat Prevention Policy

The Unified Policy
Harmony Endpoint introduces the unified policy for the Endpoint components.
The unified policy lets you control all security components in a single policy. The policy is composed of a set
of rules. Each rule in the policy defines the scope which the rule applies to and the activated components.
This is different from the policy Rule Base in SmartEndpoint, where each component has its own set of
rules.
A Threat Prevention Default Policy rule which applies to the entire organization is predefined in your Policy
tab.
Each new rule you create, has pre-defined settings, which you can then edit in the right section of the
screen.
The Threat Prevention policy contains these components which you can edit:
n "Web & Files Protection" on page 71
n "Behavioral Protection" on page 78
n "Analysis & Remeditation" on page 81
The Threat Prevention policy contains device rules and user rules.
n You can use user objects only in the user policy, and you can use device objects only in the device
policy.
n There is no default rule for the user policy.
n User rules override device rules.
n You can use the same group in multiple rules.
n You can use the same group in user and device rules at the same time.
n If a group contains both users and devices, the rule is implemented according to the policy in which
the rule is included.
To enable user policy, go to the Endpoint Settings view > Policy Operation Mode, and select Mixed mode.

The Parts of the Policy Rule Base

Column Description

Rule Number The sequence of the rules is important because the first rule that matches traffic
according to the protected scope is applied.

Rule Name Give the rule a descriptive name.

Applied to The protected scope, to which the rule applies.

Web & Files The configurations that apply to Download Protection, Credential Protection and Files
Protection Protection.

Harmony Endpoint Administration Guide | 69

 Configuring the Threat Prevention Policy

Column Description

Behavioral The configurations apply to Anti-Bot, Anti-Ransomware and Anti-Exploit protections.

Protection

Analysis & The configurations that apply to attack analysis and remediation.
Response

Client Version Version number of the Initial Client that you downloaded.

The Threat Prevention Policy Toolbar

To do this Click this

Create, duplicate, and delete rules

Note - You can duplicate device rules into

user rules, and user rules into device rules.

Search

Save, view, and discard changes

Note - The View Changes functionality
shows the policy type that was changed and
the date of the change.

Harmony Endpoint Administration Guide | 70

 Web & Files Protection

Web & Files Protection

This category includes Download (web) Emulation & Extraction, Credential Protection and Files Protection.

URL Filtering
URL Filtering rules define which sites you can access in your organization. The URL Filtering policy is
composed of the selected sites and the mode of operation applied to them.

Note:
SmartEndpoint does not support the new capability. It is only supported for web users.

To create the URL Filtering policy:

1. Select the URL Filtering mode of operation:
n Prevent - Currently supported only in Hold mode. The request to enter a site is suspended until
a verdict regarding the site is received.
n Detect - Allows access if a site is determined as malicious, but logs the traffic.
n Off -URL Filtering is disabled.
2. Select the categories to which the URL Filtering policy applies:
a. Go to Web & Files Protection > Advanced Settings > URL Filtering > Categories.
b. Select the required categories:

Note - For each category, click Edit to see the sub-categories you can select.

c. Click OK.
3. Optional: You can select specific URLs to which access is denied. See "Blacklisting" below.
4. If you want Harmony Endpoint to verify and filter all the URLs accessed by an application or a
process, select the Enable Network URL Filtering checkbox.
The selected mode of operation now applies to the selected categories.
The user can access any site which was not selected in one of the categories or which was not blacklisted.
You can Allow user to dismiss the URL Filtering alert and access the website - This option is selected by
default. This lets you access a site determined as malicious, if you think that the verdict is wrong. To do this,
go to Advanced Settings > URL Filtering.

Blacklisting

You can define specific URLs or domains as blacklisted. These URLs/domains will be blocked
automatically, while other traffic will be inspected by the URL Filtering rules. You can add the URLs/domain
names manually or upload a CSV file with the URLs/domain names you want to include in the blacklist.

Harmony Endpoint Administration Guide | 71

 Web & Files Protection

To add a URL to the blacklist:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.
2. In the URLs pane, for each required URL, enter the URL and click the + sign
3. click OK.
Notes:
You can use * and ? as wildcards for blacklisting.
n * is supported with any string. For example: A* can be ADomain or AB or
AAAA.
n ? is supported with another character. For example, A? can be AA or AB
or Ab.

To search for a URL:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.
2. In the search box, enter the required URL.
The search results appear in the URLs pane.
You can edit or delete the URL.

To import URLs from an external source:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. Next to the search box, click the sign (import domains list from a 'csv' file).
3. Find the required file and click Open.
4. Click OK.

To export a list of URLs to from the Endpoint Security Management Server to an external source:
1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. Next to the search box, click the sign (export domains list to a 'csv' file).
3. Click OK.

Download (Web) Emulation & Extraction

Harmony Endpoint browser protects against malicious files that you download to your device. The Harmony
Endpoint Browser extension is supported on Google Chrome, Edge Chromium, Firefox, Internet Explorer
and Safari. For more information, see Harmony Browse Administration Guide.
Threat Emulation detects zero-day and unknown attacks. Files on the endpoint computer are sent to a
sandbox for emulation to detect evasive zero-day attacks.
Threat Extraction proactively protects users from malicious content. It quickly delivers safe files while the
original files are inspected for potential threats.
To see the list of file types which are supported by Threat Emulation and Threat Extraction, go to Advanced
Settings > Threat Emulation > Override Default File Actions > Edit.
These are the configuration options for supported file types:

Harmony Endpoint Administration Guide | 72

 Web & Files Protection

n Prevent - Send files for emulation and extraction. For further configuration for supported files, go to
Advanced Settings > Supported Files:
l Get extracted copy before emulation completes - You can select one of these two options:
o Extract potential malicious elements - The file is sent in its original file type but without
malicious elements. Select which malicious parts to extract. For example, macros, Java
scripts and so on.
o Convert to PDF - Converts the file to PDF, and keeps text and formatting.

Best Practice - If you use PDFs in right-to-left languages or Asian

fonts, preferably select Extract files from potential malicious parts
to make sure that these files are processed correctly.

l Suspend download until emulation completes - The user waits for Threat Emulation to
complete. If the file is benign, the gateway sends the original file to the user. If the file is
malicious, the gateway presents a Block page and the user does not get access to the file. This
option gives you more security, but may cause time delays in downloading files.
l Emulate original file without suspending access - The gateway sends the original file to the
user (even if it turns out eventually that the file is malicious).
l Allow - All supported files are allowed without emulation. This setting overrides the Prevent
setting selected in the main page.
n Detect - Emulate original file without suspending access to the file and log the incident.
n Off - Allow file. No emulation or extraction is done. The download of all supported files is allowed.

Unsupported Files

File types which are not supported by Threat Emulation and Threat Extraction. Unsupported files types can
be allowed or blocked. To configure, go to Advanced Settings > Download Protection > Unsupported
Files. The settings selected here override the settings selected in the main page.

Additional Emulation Settings:

Emulation Environments

To define the maximum size of files that are sent for emulation, go to Advanced Settings > Download
Protection > Emulation Environments
To select the operating system images on which the emulation is rrun, go to Advanced Settings >
Download Protection > Emulation Environments, and select one of these options:
n Use Check Point recommended emulation environments
n Use the following emulation environments - Select other images for emulation, that are closest to
the operating systems for the computers in your organization

Override Default Files Actions

You can override the default actions for specific file types. Go to Advanced Settings > Threat Emulation >
Override Default Files Actions > Edit.
In Override Default Files Actions, you can also see the current number of overrides.

Harmony Endpoint Administration Guide | 73

 Web & Files Protection

Credential Protection
This protection includes two components:

Zero-Phishing

Phishing prevention checks different characteristics of a website to make sure that a site does not pretend to
be a different site and use personal information maliciously.
There are three configuration options for this protection:
n Prevent - If the site is determined to be a phishing site, users cannot access the site. A log is created
for each malicious site.
n Detect - When a user uses a malicious site, a log is created.
n Off - Phishing prevention is disabled.
For further configuration of the Zero-Phishing protection, go to Advanced Settings > Credential Protection:
n Allow user to dismiss the phishing alert and access the website - Users can select to use a site that
was found to be malicious.
n Send log on each scanned site - Send logs for each site that users visit, whether malicious or not.
n Allow user to abort phishing scans - Users can stop the phishing scan before it is completed.

Password reuse protection

Alerts users not to use their corporate password in non-corporate domains.

There are three configuration options for this protection:
n Detect & Alert - - If a user enters a corporate passwords in a non-corporate site, the user gets an alert
and a log is created.
n Detect - If a user enters a corporate passwords in a non-corporate site, a log is created.
n Off - Password Reuse Prevention is disabled.
For further configuration options for password reuse protection, go to Advanced Settings > Credential
Protection > Password Reuse Protection > Edit > Protected Domains:
Add domains for which Password Reuse Protection is enforced.Harmony Endpoint keeps a cryptographic
secure hash of the passwords used in these domains and compares them to passwords entered outside of
the protected domains.

Safe Search
Safe Search feature in web browsers is designed to filter out explicit content like pornography, violence and
gore, in the browser's search results for all your queries across images, videos and websites. While no filter
is 100% accurate, Safe Search helps to avoid content you may prefer not to see or would rather your
children did not stumble across.
User can change the settings of Safe Search from the browser for each specific search engine.
This feature supports Safe Search in search engines (currently Google, Bing and Yahoo).

Harmony Endpoint Administration Guide | 74

 Web & Files Protection

Select this option to require use of the safe search feature in search engines. When activated, the URL
Filtering Policy uses the strictest available safe search option for the specified search engine. This option
overrides user specified search engine options to block offensive material in search results. (i took this
paragraph from online helo).

Files Protection
protects the files on the file system. This protection has two components:
n Anti-Malware - Protection of your network from all kinds of malware threats, ranging from worms and
Trojans to adware and keystroke loggers. Use Anti-Malware to manage the detection and treatment
of malware on your endpoint computers.
There are three configuration options for this protection:
l Prevent - Protects your files from malware threats.
l Detect - Detects the threats, so they appear in the logs, although the virus or malware are still
executable. Use this mode with caution.
l Off - No protection from malware.

Note - Starting from E83.20 Endpoint Security client, Check Point certified the E2
client version (the Anti-Malware engine is based on Sophos as opposed to
Kaspersky) for Cloud deployments.

n Files Threat Emulation - Emulation of files on the system.

Advanced Settings for Files Protection

To configure the advanced settings for files protection, go to Advanced Settings > Files Protections.

General

n Malware Treatment - The malware treatment options let you select what happens to malware that is
detected on a client computer:
l Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is deleted and put in
a secure location from where it can be restored if necessary.
l Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.
n Riskware Treatment - Riskware is a legal software that might be dangerous.
l Treat as malware - Use the option selected for Malware.
l Skip file - Do not treat riskware files.
l Detect unusual activity - Use behavior detection methods to protect computers from new
threats whose information were not added to the databases yet. It does not monitor trusted
processes.

Harmony Endpoint Administration Guide | 75

 Web & Files Protection

l Enable reputation service for files, web resources & processes - Use cloud technologies to
improve precision of scanning and monitoring functions. If you enable or disable this setting, it
takes affect after the client computer restarts.
Connection timeout - Change the maximum time to get a response from Reputation Services
(in milliseconds). Default is 600.

Note - If you decrease this value, it can improve the performance of the Anti-Malware
component but reduces security, as clients might not get a reputation status that shows
an item to be zero-day malware.
l Enable web protection - Prevents access to suspicious sites and execution of malicious
scripts Scans files, and packed executables transferred over HTTP, and alerts users if
malicious content is.found.
n Mail Protection - Enable or disable scans of email messages when they are passed as files across
the file system.

Signature

n Frequency
Anti-Malware gets malware signature updates at regular intervals to make sure that it can scan for the
newest threats. These actions define the frequency of the signature updates and the source:
l Update signatures every [x] hours - Signature updates occur every [x] hours from the
Endpoint Policy Server and the External Check Point Signature Server.
l Signature update will fail after [x] seconds without server response - The connection
timeout, after which the update source is considered unavailable.
n Signature Sources
l External Check point Signature Server - Get updates from a dedicated, external Check Point
server through the internet.
l Local Endpoint Servers - Get updates from the Endpoint Security Management Server or
configured Endpoint Policy Server.
l Other External Source - - Get updates from an external source through the internet. Enter the
URL.
n Shared signature source - Get updates from a shared location on an Endpoint Security client that
acts as a Shared Signature Server. This solution is curated for Virtual Desktop Infrastructure (VDI)
environments, but can be leveraged for other scenarios as well. This makes it possible to protect non-
persistent virtual desktops in Virtual Desktop Infrastructure (VDI) environments. Each non-persistent
virtual desktop runs an Endpoint Security, and gets Anti-Malware and Threat Prevention signatures
from a shared folder on the Shared Signature Server that is a persistent virtual machine.
l Second Priority - Set a fallback update source to use if the selected update source fails. Select
a different option than the first signature source.
l Third Priority - Set a fallback update source to use if the other sources fail.

Note - If only update from local Endpoint Servers is selected, clients that are
disconnected from an Endpoint Security server cannot get updates.

Harmony Endpoint Administration Guide | 76

 Web & Files Protection

Scan

Anti-Malware scans computers for malware at regular intervals to make sure that suspicious files are
treated, quarantined, or deleted.
n Perform Periodic Scan - Select one of these options to define the frequency of the scans:
l Every Month- Select the day of the month on which the scan takes place and the Scan start
hour.
l Every Week - Select the day of the week on which the scan takes place and the Scan start
hour.
l Every Day - Select the scan start hour.
Optional :
l Randomize scan time - Mandatory for Virtual Desktop Infrastructure (VDI). Select this option
to make sure that not all computers do a scan for malware at the same time. This makes sure
that network performance is not affected by many simultaneous scans. In Start scan and End
scan, specify the time range during which the scan can start and end.
l Run initial scan after the Anti-Malware blades installation.
l Allow user to cancel scan.
l Prohibit cancel scan if more than days passed since last successful scan.

Harmony Endpoint Administration Guide | 77

 Behavioral Protection

Behavioral Protection
Behavioral protection includes Anti-Bot, Behavioral Guard and Anti-Ransomware protections.

The Anti-Bot Component

There are two emerging trends in today's threat landscape:
n A profit-driven cybercrime industry that uses different tools to meet its goals. This industry includes
cyber-criminals, malware operators, tool providers, coders, and affiliate programs. Their "products"
can be easily ordered online from numerous sites (for example, do-it-yourself malware kits, spam
sending, data theft, and denial of service attacks) and organizations are finding it difficult to fight off
these attacks.
n Ideological and state driven attacks that target people or organizations to promote a political cause or
carry out a cyber-warfare campaign.
Both trends are driven by bot attacks.
A bot is malicious software that can invade your computer. There are many infection methods. These
include opening attachments that exploit a vulnerability and accessing a website that results in a malicious
download.
When a bot infects a computer, it:
n Takes control over the computer and neutralizes its Anti-Virus defenses. Bots are difficult to detect
because they hide within your computer and change the way they appear to the Anti-Virus software.
n Connects to a Command and Control (C&C) center for instructions from cyber criminals. The cyber
criminals, or bot herders, can remotely control it and instruct it to execute illegal activities without your
knowledge. These activities include:
l Data theft (personal, financial, intellectual property, organizational)
l Sending SPAM
l Attacking resources (Denial of Service Attacks)
l Bandwidth consumption that affects productivity
In many cases, a single bot can create multiple threats. Bots are often used as tools in attacks known as
Advanced Persistent Threats (APTs) where cyber criminals pinpoint individuals or organizations for attack.
A botnet is a collection of compromised computers.
The Check Point Endpoint Anti-Bot component detects and prevents these bot threats
The Anti-Bot component:
n Uses the ThreatCloud repository to receive updates, and queries the repository for classification of
unidentified IP, URL, and DNS resources.
n Prevents damage by blocking bot communication to C&C sites and makes sure that no sensitive
information is stolen or sent out of the organization.
The Endpoint Anti-Bot component uses these procedures to identify bot infected computers:
n Identify the C&C addresses used by criminals to control bots
n These web sites are constantly changing and new sites are added on an hourly basis. Bots can
attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites
are legitimate and which are not.

Harmony Endpoint Administration Guide | 78

 Behavioral Protection

The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery
and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this
information to classify bots and viruses.

Configuring Anti-Bot

There are 3 configuration options for the Anti-Bot protection:

n Prevent - Blocks bots.
n Detect - Logs information about bots, but does not block them.
n Off - Ignores bots (does not prevent or detect them)

Advanced Anti-Bot Settings:

n Background Protection Mode:

l Background - This is the default mode. Connections are allowed while the bots are checked in
the background.
l Hold - Connections are blocked until the bot check is complete.
n Hours to suppress logs for same bot protection - To minimize the size of the Anti-Bot logs, actions
for the same bot are only logged one time per hour. The default value is 1 hour. To change the default
log interval , select a number of hours.
n Days to remove bot reporting after - If a bot does not connect to its command and control server
after the selected number of days, the client stops reporting that it is infected. The default value is 3
days.
n Confidence Level - The confidence level is how sure Endpoint Security is that an activity is malicious.
High confidence means that it is almost certain that the activity is malicious. Medium confidence
means that it is very likely that the activity is malicious. You can manually change the settings for each
confidence level. Select the action for High confidence, medium confidence and low confidence bots:
l Prevent - Blocks bots
l Detect - Logs information about bots, but does not block them.
l Off - Ignores bots (does not prevent or detect them).

The Behavioral Guard & Anti-Ransomware Component

Constantly monitors files and network activity for suspicious behavior. It creates honeypot files on client
computers, and stops the attack immediately after it detects that the ransomware modified the files. Before
ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the
attack is stopped, it deletes files involved in the attack and restores the original files from the backup
location.
n Prevent - The attack is remediated. Logs, alerts and a forensic report are created.
n Detect - Logs, alerts and a forensic report are created.
n Off - Nothing is done on the detection, a log is not created

Advanced Behavioral Guard & Anti-Ransomware Settings

n Enable network share protection - Enables the protection of shared folders on the network.All
shared folders are protected, regardless of the protocol. Remote devices are not protected.

Harmony Endpoint Administration Guide | 79

 Behavioral Protection

Backup Settings

When Anti-Ransomware is enabled, it constantly monitors files and processes for unusual activity. Before a
ransomware attack can encrypt files,Anti-Ransomware backs up your files to a safe location. After the attack
is stopped, it deletes files involved in the attack and restores the original files from the backup location.
n Restore to selected location - - By default, files are restored to their original location. To restore files
to a different location, select this option and enter the location to which you want to restore the files in
the Choose location field. Each time files are automatically restored, they will be put in the selected
location.
n Anti-Ransomware maximum backup size on disk - Set the maximum amount of storage for Anti-
Ransomware backups. The default value is 1 GB.
n Backup time interval - Within this time interval, each file is only backed up one time, even if it is
changed multiple times. The default value is 60 minutes.
n Backup Settings - Change default types to be backed up - Click this to see a list of file types that are
included in the Anti-Ransomware backup files. You can add or remove file types from the list and
change the Maximum Size of files that are backed up.
n Disk Usage - By default, Forensics uses up to 1 GB of disk space on the client computer for data.

The Anti-Exploit Component

Harmony Endpoint Anti-Exploit detects zero-day and unknown attacks.
Files on your computer are sent to a testing area for emulation to detect malicious files and content.

Harmony Endpoint Administration Guide | 80

 Analysis & Remeditation

Analysis & Remeditation

Automated Attack Analysis (Forensics)
Harmony Endpoint Forensics analyzes attacks detected by other detection features like Anti-Ransomware
or Behavioral Guard, and some third-party security products.
On detection of a malicious event or file, Forensics is informed and a Forensics analysis is automatically
initiated. After the analysis is completed, the entire attack sequence is presented as a Forensics Analysis
Report. If Endpoint Security Management Servers do not have internet connectivity, Forensics information
is stored and sent for evaluation immediately when a server connects to the internet.
Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected files and
processes work correctly.
Protection mode - Define in which confidence level the incident is analyzed: Always, High, Medium & High,
or Never. The confidence level is how sure Endpoint Security is that a file is malicious. High confidence
means that it is almost certain that a file is malicious. Medium confidence means that it is very likely that a
file is malicious. The default value is Always.
Enable Threat Hunting - Threat Hunting is enabled by default. To learn more about Threat Hunting, see
"Threat Hunting" on page 210.

Remediation & Response

The Harmony Endpoint File Remediation component applies remediation to malicious files. When Harmony
Endpoint components detect malicious files, they can quarantine those files automatically based on policy,
and remediate them if necessary.
You can manually define the confidence level in which remediation is performed: Always, High, Medium &
High, or Never. The confidence level is how sure Endpoint Security is that a file is malicious. High
confidence means that it is almost certain that a file is malicious. Medium confidence means that it is very
likely that a file is malicious. The default value is Medium & High.

Advanced Remediation & Response Settings

File Quarantine

Define the settings for files that are quarantined. By default, items are kept in quarantine for 90 days and
users can delete items from quarantine.
n File quarantine - Select the confidence level in which remediation is performed: Always High,
Medium & High, Never. The default value is Medium & HIgh.
n Allow users to delete items from quarantine - When selected, users can permanently delete items
from the quarantine file on their computers.
n Allow users to restore items from quarantine - When selected, users can restore items from the
quarantine file on their computers.
n Copy quarantine files to central location -Enter a central location to which the quarantined files from
the client computers are copied.

File Remediation

Define what happens to the components of an attack that is detected by Forensics. When files are
quarantined, they are deleted and put in a secure location from which they can be restored, if necessary.

Harmony Endpoint Administration Guide | 81

 Analysis & Remeditation

You can manually edit the treatment for each category of file: Malicious, Suspicious, or Unknown. For each
category, you can select:
n Quarantine - Files are deleted and put in a secure location from which they can be restored, if
necessary.
n Delete - Files are permanently deleted.
n Backup -- Delete the file and create an accessible duplicate.
n None -- No action is taken.
Trusted files s are those defined as trusted by the Check Point Reputation Service. The remediation options
for Trusted Files are:
n Terminate - stop the suspicious process.
n Ignore - Do not terminate processes. Activity is monitored.

Harmony Endpoint Administration Guide | 82

 Adding Exclusions to Rules

Adding Exclusions to Rules

You can exclude specific objects from inspection by the Harmony Endpoint protections:
1. Go to the applicable policy rule, for which you want to create the exclusion.
2. In the Capabilities & Exclusions pane, click Exclusions Center.
The Exclusions Center window opens.
3. Add the required type of exclusion.
4. Click OK.
5. In the bottom right corner of the policy configuration pane, click Save.
6. From the top, click Install Policy.
Notes -
n You can also add exclusions from the Logs menu:
l In the Logs menu, right-click a log to add and configure an exclusion to your

endpoint device. This redirects you to the appropriate rule, section, and
capability.
l Apply the exclusions through:

o Effective option: Pertains to a specific device or a user rule.

o All options: Pertains to a specific rule.

n This is supported with Harmony Endpoint client version 86.20 or higher.

n For Harmony Endpoint client version 86.20 or lower, or for blades/capabilities which
are not supported, the system redirects you to the relevant rule in the exclusions
center to create exclusions.
Below is the list of supported exclusions.

Web and Files Protection Exclusions

URL Filtering Exclusions

You can exclude specific URLs from a rule. Click + to add the required URL you want to exclude from the
rule.
Syntax
n * indicates a string or a character. For example: A* can be ADomain or AB or AAAA.
n ? indicates a character. For example, A? can be AA or AB or Ab.

Process Exclusions

Harmony Endpoint scans files when you create, open, or close them.
When you exclude a trusted process from inspection, it's file or network operation is not scanned.
Exclude a process only if you are sure, it is not Malware.

Harmony Endpoint Administration Guide | 83

 Adding Exclusions to Rules

Best Practice - We recommend excluding a process if:

n It's behaviour is abnormal.
n It's performance is slow after you installed the Anti-Malware
blade.
n A false-positive is detected.
Windows
You can exclude only .EXE files.
Syntax:
Fully qualified paths or an environment variable for the trusted executable.
Examples:
n C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe
n %programdata%\MytrustedProgram.exe

macOS
Syntax:
Fully qualified path for the trusted executable file.
Example:
/Applications/FileZilla.app/Contents/MacOS/filezilla

Files and Folders Exclusion

Files and Folder Exclusions are applied to all types of scans except contextual scan. The reason for
configuring exclusions is to reduce the CPU usage of Anti-Malware.

Note - Files and folders must be excluded only if they are located in a Trusted zone
or are considered a low-risk target for viruses.

Windows
Syntax:
Directory paths must end with a backlash.
Examples:
n Directory:
l C:\Program Files\MyTrustedDirectory\
l %programdata%\MyTrustedDirectory\
n Specific file:
l C:\ProgramFiles\MyTrustedDirectory\excludeMe.txt
l %programdata%\MyTrustedDirectory\excludeMe.txt
n File type:

Harmony Endpoint Administration Guide | 84

 Adding Exclusions to Rules

l *.exe
l \\ServerName\Share\folder\file.txt or \\ip_
addres\Share\folder\file.txt depending on a way file is attached.
l C:\Program Files\MyTrustedDirectory**.exe(recursive exclusion - applies for all
.exe in C:\Program Files\MyTrustedDirectory\ and all subfolders)
n For Harmony Endpoint client version E80.80 or higher, you can exclude MD5 hash from the
scheduled malware scan. For example:
l md5:0123456789012345
o Exclude by hash in any folder
l md5:0123456789012345:app.exe
o Exclude by hash and exact file name
l md5:0123456789012345:c:\folder\app.exe
o Exclude by hash and full path
l md5:0123456789012345:%ENV%\app.exe
o Exclude by hash and environment variable
n For Harmony Endpoint client version E86.10 or higher, you can exclude URL from the scheduled
malware scan. For example:
l url:*.example.com
l url:http://*.example.com
l url:http://example.com/*
l url:www.example.com/abc/123
l url:*192.168.*
l url:http://192.168.*

Notes for URL exclusions-

n The * character replaces any sequence that contains zero or more characters.
n The www. character sequence at the beginning of an exclusion mask is
interpreted as a *. sequence.
n If an exclusion mask does not start with the * character, the content of the
exclusion mask is equivalent to the same content with the *. prefix.
n If an exclusion mask ends with a character other than / or *, the content of the
exclusion mask is equivalent to the same content with the /* postfix.
n If an exclusion mask ends with the / character, the content of the exclusion
mask is equivalent to the same content with the /*. postfix.
n The character sequence /* at the end of an exclusion mask is interpreted as /*
or an empty string.
n URLs are verified against an exclusion mask, taking into account the protocol
(http or https).

Note - For Windows, files and folder names are not case-sensitive.

macOS

Harmony Endpoint Administration Guide | 85

 Adding Exclusions to Rules

Syntax:
Directory path, a specific file, or a file type. Environment variables are not supported.
Example:
Trusted directory
n /Users/Shared/MyTrustedDirectory/

Specific file
n /Users/*/Documents/excludeMe.txt

File type
n *.txt

Note - For macOS, files and folder names are case-sensitive.

Anti-Malware\Exclude Infection by Name Exclusion

You can exclude some riskware files and infections from the scheduled malware scan on your computer.
Best Practice:
n Exclude when the specific software is allowed.
n As a temporary exclusion when there is a false positive
detection.
Syntax
Infection name and protection name in your log.
Example:
n EICAR-Test-File
Notes -
n The infection name is case-sensitive.
n If you get a file protection detection, share the file with Check Point to resolve
the file protection.

Threat Emulation, Threat Extraction, and Zero-Phishing Exclusions

You can exclude specific folders, domains or SHA1 hashes from the Threat Emulation, Threat Extraction
and Zero-Phishing protection.
Domain exclusions
n Relevant only for Harmony Endpoint extension for Browsers.
n To exclude an IP, in the Element field, enter IP address followed by subnet mask in the format
<X.X.X.X>/ <subnet mask >. For example, to exclude a computer with IP address 192.168.100.30,
enter 192.168.100.30/24.
n Domain exclusions must be added without http/s, *, or any other special characters.
Domain exclusions can be added with or without www.

Harmony Endpoint Administration Guide | 86

 Adding Exclusions to Rules

n Sub-domain exclusions are supported.

Exclusion of a domain will exclude all its subdomains as well.
SHA1 exclusions -
n Relevant only for Threat Emulation blade (File system monitoring).
For Harmony Endpoint version E86.40, SHA1 exclusion is supported on Harmony Endpoint
extension for browsers as well (not including Internet Explorer).
n File Reputation exclusions are set by SHA1.
n Folder path cannot contain environment variables.
n When you exclude a folder, enter the folder as a windows path. For example:
C:\Program Files\MyTrustedDirectory\

Folder exclusions -
n Relevant only for Threat Emulation blade (File system monitoring).
n If the path of created file begins with exclusion, it will be excluded.
n Folder exclusions support wildcards. These wildcards are supported:
? - Each question mark masks one character.
* - Each star masks zero or more characters.
n It is not advised to add * in the middle of path exclusions, as it may hurt the performance.
n Exclude network files by path \\ServerName\Share\folder\.This excludes all files located
under \ServerName\Share\folder\\.

Behavioral Protections
Anti-Bot Exclusions

By default, the Anti-Bot component inspects all entities except:

n Process - Name of an executable
n URL - Website URL
n Domain - Full Domain name
n Protection Name - Predefined malware signature
n IP range - Internal or external IP address

Anti-Ransomware and Behavioral Guard Exclusions

You can exclude these elements from the Anti-Ransomware and Behavioral Guard protection:
n Folder – To exclude a folder or non-executable files
n Process - To exclude an executable by element, MD5, and signer.
n Certificate - To exclude processes based on the company that signs the certificate.
n Protection - To exclude signature by it's name.
Excluded process will be monitored but not triggered.

Harmony Endpoint Administration Guide | 87

 Adding Exclusions to Rules

Excluded protection will not be triggered.

Syntax:
n Folder can contain environment variables
n Folder cannot contain wildcards (*)
n By default, sub-folders are included.
Excluding a Certificate / Process means that files modified / created by a certain process will not be
backed up, or monitored by Anti-Ransomware and Behavioral Guard.
Windows
Syntax:
n You must specify name or full path
n Full path can contain environment variables
n Path or file name cannot contain wildcards
Examples:
n Full path
l C:\Program Files\MyTrustedDirectory\
n Process
l C:\Program Files\MyTrustedDirectory\ExcludeMe.exe
n Certificate
l Microsoft
n md5: 0123456789012345
n Protection: win.blocker
macOS
Syntax:
n You must specify full path or wildcard
n Path or file name can contain wildcards
n Paths are case sensitive
Examples:
n Full path or Xcode exclusion:
:/Appliations/Xcode.app/Contents?MacOS/Xcode
n To cover all Xcode-related executables (not only GUI app):
/Applicatoins/Xcode.app/*

Anti-Exploit Exclusions

You can exclude these elements from the Anti-Exploit protection:

n Protection Name - Predefined malware signature
n Process - To exclude an executable

Harmony Endpoint Administration Guide | 88

 Adding Exclusions to Rules

Currently there are five different Anti-Exploit protections available. Following is a list of the protections
per-name.
Syntax for exclusions:

Protection Protection Rule Name

Import-Export Address Table Parsing Gen.Exploiter.IET

Return Oriented Programming Gen.Exploiter.ROP

VB Script God Mode Gen.Exploiter.VBS

Stack Pivoting Gen.Exploiter.SP

RDP Vulnerability (CVE-2019-0708) Gen.Exploiter.CVE_

2019_0708

RCE Vulnerability (CVE-2019-1181) Gen.Exploiter.CVE_

2019_1181/2

Excluding a protection means that files will not be monitored by Anti-Exploit.

n Process and protection
l C:\Program Files\MyTrustedDirectory\excludeMe.exe
l Gen.Exploiter.ROP
n Protection
l Gen.Exploiter.ROP

Analysis & Response Exclusions

Excluding a Certificate / Process means that files modified / created by a certain process will not be backed
up, or monitored by Anti-Ransomware and Behavioral Guard.
Monitoring Exclusions

You can exclude these elements from monitoring:

n Process - To exclude an executable by element, MD5 and signer.
n Certificate - To exclude processes based on the company that signs the certificate.
Syntax:
n Process can be excluded by name only, or by full path.
For example C:\Program Files\MyTrustedDirectory\excludeMe.exe
n Full path can contain environment variables.
n Full path CANNOT contain wildcards
n Certificate
l Microsoft
n md5:0123456789012345

Harmony Endpoint Administration Guide | 89

 Adding Exclusions to Rules

l Exclude a process by hash.

n Excluding a Certificate / Process means that files modified / created by a certain process will not
be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

Remediation

Excluding a file / folder / certificate from quarantine means that even if it is detected by one of the
following blades: Threat Emulation / Anti-Ransomware / Anti-Bot, the file will not be quarantined:
n Full path can contain wildcards (*).
n Full path CANNOT contain environment variables.

Quarantine Exclusions

You can exclude a file or process from quarantine. You can define the exclusion by these criteria:
certificate, file, folder, MD5 hash, SHA1 hash, and file extension. When an element is excluded from
quarantine, even if there is a detection of malware, the file is not quarantined.

Harmony Endpoint Administration Guide | 90

 Configuring the Data Protection Policy

Configuring the Data Protection Policy

.

Harmony Endpoint Administration Guide | 91

 Configuring Full Disk Encryption

Configuring Full Disk Encryption

Full Disk Encryption gives you the highest level of data security for Endpoint Security client computers.
It combines boot protection and strong disk encryption to ensure that only authorized users can access data
stored in desktop and laptop PCs.

The Policy Rule Base consists of these parts:

Column Description

Rule Number The sequence of the rules is important because the first rule that matches traffic
according to the protected scope is applied.

Rule Name Give the rule a descriptive name.

Applied to The protected scope to which the rule applies.

Full Disk The configurations that apply to data encryption.

Encryption

Full Disk Encryption

Check Point's Full Disk Encryption has two main components:
n "Check Point Disk Encryption for Windows" on page 93
Ensures that all volumes of the hard drive and hidden volumes are automatically fully encrypted.
This includes system files, temporary files, and even deleted files.
There is no user downtime because encryption occurs in the background without noticeable
performance loss.
The encrypted disk is inaccessible to all unauthorized people.
n "Authentication before the Operating System Loads (Pre-boot)" on page 94
Requires users to authenticate to their computers before the computer boots.
This prevents unauthorized access to the operating system using authentication bypass tools at the
operating system level or alternative boot media to bypass boot protection.
Full Disk Encryption also supports "BitLocker Encryption for Windows Clients" on page 98 for Windows and
"FileVault Encryption for macOS" on page 100 for macOS.

Harmony Endpoint Administration Guide | 92

 Check Point Disk Encryption for Windows

Check Point Disk Encryption for Windows

Ensures that all volumes of the hard drive and hidden volumes are automatically fully encrypted. This
includes system files, temporary files, and even deleted files. There is no user downtime because
encryption occurs in the background without noticeable performance loss. The encrypted disk is
inaccessible to all unauthorized people.

Configuration Options

n Algorithms used
Go to Advanced Settings > Encryption > Choose Algorithm.
Full Disk Encryption can use these encryption algorithms:
l AES-CBC 256 bit (Default)
l XTS-AES 128 bit
l XTS-AES 256 bit
n Volumes encrypted
By default, all drives that are detected after the installation and all visible disk volumes are encrypted.
IRRT are not encrypted.
Go to Advanced Settings > Encryption > Allow Self-Encrypting Drives (SED) hardware
functionality.
Full Disk Encryption probes and uses SED disks that comply with the OPAL standard. If a compatible
system and disk are detected, Full Disk Encryption uses the hardware encryption on the disk instead
of the traditional software encryption.
When using SED drives, leave Encrypt hidden disk volumes checked (which is the default setting):
l AES encryption is always used with SED drives
l Manage SED drives in the same way as software-encrypted drives.

Harmony Endpoint Administration Guide | 93

 Authentication before the Operating System Loads (Pre-boot)

Authentication before the Operating System Loads (Pre-boot)

Protection requires users to authenticate to their computers before the operating system loads. This
prevents unauthorized access to the operating system using authentication bypass tools at the operating
system level or alternative boot media to bypass boot protection.

To enable Pre-boot:
Go to the Policy view > Data Protection > General >.Capabilities and Exclusions > Full Disk Encryption >
click Enable Pre-boot.
Best Practice - We recommend to enable Pre-boot. When Pre-boot is disabled, the user
can bypass the Pre-boot authentication at the cost of reducing the security to a level
below encryption strength. Users authenticate to their computers only at the operating
system level. If Pre-boot is disabled, consider using SSO or enable bypass pre-boot
when connected to LAN.

Temporary Pre-boot Bypass Settings

Temporary Pre-boot Bypass lets the administrator disable Pre-boot protection temporarily, for example, for
maintenance. It was previously called Wake on LAN (WOL). You enable and disable Temporary Pre-boot
Bypass for a computer, group, or OU from the computer or group object. The Pre-boot settings in the Full
Disk Encryption policy determine how Temporary Pre-boot Bypass behaves when you enable it for a
computer.
Temporary Pre-boot Bypass reduces security. Therefore use it only when necessary and for the amount of
time that is necessary. The settings in the Full Disk Encryption policy set when the Temporary Pre-boot
Bypass turns off automatically and Pre-boot protection is enabled again.
You can configure the number of minutes the Pre-boot login is displayed before automatic OS logon.
There are different types of policy configuration for Temporary Pre-boot Bypass:
n Allow OS login after temporary bypass
n Allow bypass script
If you run scripts to do unattended maintenance or installations (for example, SCCM) you might want
the script to reboot the system and let the script continue after reboot. This requires the script to turn
off Pre-boot when the computer is rebooted . Enable this feature in the Temporary Pre-boot Bypass
Settings windows. The Temporary Pre-boot Bypass script can only run during the timeframe
configured in Temporary Pre-boot Bypass Settings.

Running a temporary bypass script:

In a script you execute the FdeControl.exe utility to enable or disable Pre-boot at the next restart:
l To disable Temporary Pre-boot Bypass, run:

FDEControl.exe set-wol-off

l To enable Temporary Pre-boot Bypass, run:

FDEControl.exe set-wol-on

The above commands fail with code "13 ( UNAUTHORIZED )" if executed outside the timeframe
specified in the policy.

Harmony Endpoint Administration Guide | 94

 Authentication before the Operating System Loads (Pre-boot)

You can select the Temporary Pre-boot Bypass duration:

n On demand, Once, or Weekly,
n Disable after X automatic logins - Bypass turns off after the configured number of logins to a
computer.
n Disable after X days or hours - Bypass turns off after the configured days or hours passed.

Note - If you select both Disable after X automatic logins and Disable after X days or
hours, bypass turns off when any of these options occurs.

Best Practice - Select a small number so that you do not lower the security by disabling
the Pre-boot for a long time.

Advanced Pre-boot Settings

Action Description

Display last logged The username of the last logged on user shows in the Pre-boot logon window.
on user in Pre-boot That user only needs to enter a password or SmartCard pin to log in

Reboot after [x] n If active, specify the maximum number of failed logons allowed before a
failed logon reboot takes place.
attempts were n This setting does not apply to smart cards. SmartCards have their own
made thresholds for failed logons.

Verification text for Select to notify the user that the logon was successful, halting the boot-up
a successful logon process of the computer for the number of seconds that you specify in the
will be displayed Seconds field.
for

Enable USB Select to use a device that connects to a USB port. If you use a USB SmartCard
devices in Pre- you must have this enabled.
boot environment If you do not use USB SmartCards, you might need this enabled to use a mouse
and keyboard during Pre-boot.

Enable TPM two- Select to use the TPM security chip available on many PCs during pre-boot in
factor conjunction with password authentication or Dynamic Token authentication.
authentication The TPM measures Pre-boot components and combines this with the configured
(password & authentication method to decrypt the disks.
dynamic tokens) If Pre-boot components are not tampered with, the TPM lets the system boot.
See sk102009 for more details.

Firmware update Disables TPM measurements on Firmware/BIOS level components.

friendly TPM This makes updates of these components easier but reduces the security gained
measurements by the TPM measurements because not all components used in the boot
sequence are measured.
If this setting is enabled on UEFI computers, the Secure Boot setting is included in
the measurement instead of the firmware.

Harmony Endpoint Administration Guide | 95

 Authentication before the Operating System Loads (Pre-boot)

Action Description

Enable remote Select to enable remote help without the need of assigning any Pre-boot user to
help without pre- the computer. When giving remote help, select the Pre-Boot Bypass Remote Help
boot user type that performs a One-Time logon. The setting is only available if Pre-boot is
configured to be disabled.

Remote Help Users can use Remote Help to get access to their Full Disk Encryption protected
computers if they are locked out.
Here you configure the number of characters in the Remote Help response that
users must enter.

User Authorization before Encryption

Full Disk Encryption policy settings enable user acquisition by default. If user acquisition is disabled, the
administrator must assign at least one Pre-boot user account to each client computer before encryption can
start. You can require one or more users to be acquired before encryption can start. You can also configure
clients to continue user acquisition after Pre-boot is already enabled. This might be useful if a client
computer is used by many users, also called roaming profiles.
Usually a computer has one user and only one user must be acquired. If the computer has multiple users, it
is best if they all log on to the computer for Full Disk Encryption to collect their information and acquire them.
User acquisition settings
n Enable automatic user acquisition
n Amount of users to acquire before Pre-boot is enabled - Select the number of users to acquire
before the Harmony Endpoint enforces Pre-boot on acquired users.
n Enable Pre-boot if at least one user has been acquired after X days - Select the number of days to
wait before Pre-boot is enforced on acquired users. This setting limits the number of days when user
acquisition is active for the client. If the limit expires and one user is acquired, Pre-boot is enforced
and encryption can start. If no users are acquired, user acquisition continues. Pre-boot is enforced on
acquired users after one of the criteria are met.
To configure the advanced settings for user acquisition, go to Advanced Settings > User Acquisition:
n Continue to acquire users after Pre-boot has been enforced - Pre-boot is active for users who were
acquired and user acquisition continues for those who were not acquired.
n User acquisition will stop after having acquired additional X users - User acquisition continues until
the selected number of additional users are acquired.

Note - If you need to terminate the acquisition process, for example, if the client fails to
acquire users although an unlimited time period is set, define a new automatic
acquisition policy.

User Assignment

You can view, create, lock and unlock authorized Pre-boot users.

To add a user to the list of users authorized to access a device:

1. From the left navigation panel, click Asset Management.
2. In the left pane, click Computers.

Harmony Endpoint Administration Guide | 96

 Authentication before the Operating System Loads (Pre-boot)

3. From the top toolbar, click Computer Actions > in the section Full Disk Encryption, click Preboot
User Assignment.
The Authorize Pre-Boot Users window opens. You can see the authorized users for each device you
search.

4. Click the icon.

The Create New Pre-boot User window opens.
5. Enter these details:
n Logon Name
n Password
n Account Details
l Lock user for Pre-boot
l Require change password after first logon - Applies only to password authentication.
Select this option to force users to change their password after the first pre-boot logon.
n Expiration Settings - Select an expiration date for the user authorization.

To lock or unlock a user:

1. From the left navigation panel, click Asset Management.
2. In the left pane, click Computers.
3. From the top toolbar, click Computer Actions > in the section Full Disk Encryption, click Preboot
User Assignment.
The Authorize Pre-Boot Users window opens. You can see the authorized users for each device you
search.
4. In the search box, search for the applicable device.
The list of authorized users to access the device appears.
5. Click on the user on the list to select it and click on the lock icon above the list to lock or unlock the
user.

Harmony Endpoint Administration Guide | 97

 BitLocker Encryption for Windows Clients

BitLocker Encryption for Windows Clients

BitLocker encrypts the hard drives on a Windows computer, and is an integral part of Windows.
Check Point BitLocker uses the Endpoint Security Management Server, Client Agent and the Harmony
Endpoint UI to manage BitLocker.
BitLocker Management is implemented as a Windows service component called Check Point BitLocker
Management.
It runs on the client together with the Client Agent (the Device Agent).
Check Point BitLocker Management uses APIs provided by Microsoft Windows to control and manage
BitLocker.
Configuration options:

Setting Description

Initial n Encrypt entire drive - Recommended for computers that are in production and
Encryption already have user data, such as documents and emails.
n Encrypt used disk space only - Encrypts only the data. Recommended for fresh
Windows installations.

Drives to n All drives - Encrypt all drives and volumes.

encrypt n OS drive only - Encrypt only the OS drive (usually, C:\). This is the default.

Encryption n Windows Default - This is recommended. On Windows 10 or later, unencrypted

algorithm disks are encrypted with XTS-AES-128. On encrypted disks, the encryption
algorithm is not changed.
n XTS-AES-128
n XTS-AES-256

Note - To take control of a BitLocker-encrypted device, the target device must have a
Trusted Platform Module (TPM) module installed.

Taking Control of Unmanaged BitLocker Devices

You can do a takeover of BitLocker-encrypted devices that are not managed by Harmony Endpoint, and
make them centrally managed. You can do this using BitLocker Management or Check Point Full Disk
Encryption.

To take control of unmanaged BitLocker devices using BitLocker Management:

Define and install a Full Disk Encryption policy with BitLocker Management. Follow these guidelines:
n Define a Full Disk Encryption rule that applies to the entire organization or only to the entities that
need BitLocker Management.
n In BitLocker Encryption Settings, select Windows Default as the Encryption Algorithm. This is
important because it leaves the existing BitLocker encryption in place. Selecting another algorithm
explicitly may result in a re-encryption, if the existing algorithm does not match the algorithm in the
policy. It is a good idea to avoid re-encryption because it can take a long time. The time it takes
depends on the disk size, disk speed and PC hardware.

Harmony Endpoint Administration Guide | 98

 BitLocker Encryption for Windows Clients

To take control of unmanaged BitLocker devices using Check Point Full Disk Encryption:
1. Follow the procedure for "To take control of unmanaged BitLocker devices using BitLocker
Management:" on the previous page.
2. After the devices are under Check Point BitLocker Management, define a rule with Check Point Full
Disk Encryption that applies to the Entire Organization or only to the entities that need Check Point
Full Disk Encryption. See "Check Point Disk Encryption for Windows" on page 93
Best Practice - When you change the encryption policy for clients from BitLocker
Management to Check Point Full Disk Encryption, the disk on the client is decrypted and
then encrypted. This causes the disk to be in an unencrypted state for some time during
the process. We recommend that you do not change the encryption policy for entire
organization in one operation. Make the change for one group of users at a time.

Harmony Endpoint Administration Guide | 99

 FileVault Encryption for macOS

FileVault Encryption for macOS

FileVault encrypts the hard drive on a Mac computer, and is an integral part of macOS. The Harmony
Endpoint automatically starts to manage the disk encrypted with FileVault without disabling the encryption.

Harmony Endpoint Administration Guide | 100

 User Authentication to Endpoint Security Clients (OneCheck)

User Authentication to Endpoint Security Clients (OneCheck)

OneCheck User Settings define how users authenticate to Endpoint Security client computers.
OneCheck User Settings include:
n How users authenticate to Endpoint Security.
n If users can access Windows after they are authenticated to Endpoint Security or if they must also log
on to Windows.
n What happens when a user enters invalid authentication details.
n A limit for how many times a user can access a computer.
n If Remote Help is permitted. This lets users get help from an administrator, for example if their
computers become locked after too many failed authentication attempts.
When OneCheck Logon is enabled, a different logon window opens that looks almost the same as the
regular Windows authentication window. The logon credentials are securely stored internally. These actions
define if you enable OneCheck Logon:
To configure OneCheck Logon properties, go to the Policy view > Data Protection > General > Full Disk
Encryption > Advanced Settings > Windows Authentication:
n Enable lock screen authentication (OneCheck) - Users log on one time to authenticate to the
operating system, Full Disk Encryption, and other Endpoint Security components. To configure the
password properties for the single sign-on, go to Policy > Data Protection > OneCheck > Password
Constraints.
n Enable Check Point Endpoint Security screen saver - The screen saver is active only after a Full
Disk Encryption policy was installed on the client. After selecting the Check Point Endpoint Security
screen saver option, enter the text that appears when the screen saver is active, and the number of
minutes the client remains idle before the screen saver activates.
n Only allow authorized Pre-boot users to log into the operating system - If selected, only users that
have permission to authenticate to the Pre-boot on that computer can log on to the operating system.
n Use Pre-boot account credentials in OS lock screen - If selected, users authenticate in the regular
Operating System login screen but with the credentials configured for Pre-boot.
Best Practice - Best practice is to only use this feature when there is no Active
Directory available. For customers that use Active Directory, we recommend a
combination of User Acquisition, OneCheck Logon, and Password
Synchronization that will let users use the same credentials for Pre-boot and
Windows login.

Harmony Endpoint Administration Guide | 101

 Pre-boot Authentication Methods

Pre-boot Authentication Methods

If the Pre-boot is required on a computer as part of Full Disk Encryption, users must authenticate to their
computers in the Pre-boot, before the computer boots. Users can authenticate to the Pre-boot with these
methods:
n Password - Username and password. This is the default method.
The password can be the same as the Windows password or created by the user or administrator.
n SmartCard - A physical card that you associate with a certificate. Users must have a physical card,
an associated certificate, and SmartCard drivers installed.

To configure the authentication method:

1. Go to the Policy view > Data Protection > SmartCards > Pre-boot Authentication.
2. Select one of these options:
a. Password - Users can only authenticate with a username and password.
b. SmartCard (requires certificate) - Users can only authenticate with a SmartCard.
Change authentication method only after user successfully authenticates with a SmartCard
- If you select this option, users can authenticate with a password until all of the requirements
for SmartCard authentication are set up correctly. After users successfully authenticate one
time with a SmartCard, they must use their SmartCard to authenticate. If you configure a user
for SmartCard only and do not select this, that user is not able to authenticate to Full Disk
Encryption with a password
c. Either SmartCard or Password - Users can authenticate with a user name and password or a
SmartCard.

Before You Configure SmartCard:

n Users must have the physical SmartCard in their possession.

n Users' computers must have a SmartCard reader driver and token driver installed for their specific
SmartCard. Install these drivers as part of the "To configure the SmartCard options:" below.
n Each user must have a certificate that is active for the SmartCard. The Directory Scanner can scan
user certificates from the Active Directory. Configure this as part of the "To configure the SmartCard
options:" below
n In the Full Disk Encryption Policy rule > Advanced Settings > Pre-boot Authentication, make sure
that Enable USB devices in pre-boot environment is selected

To configure the SmartCard options:

1. In the Format used in your organization area, select the SmartCard protocol that your organization
uses:
n Not Common Access Card (Not CAC) - all other formats
n Common Access Card (CAC) - the CAC format
2. In the SmartCard driver deployment area, select the drivers for your SmartCard and Reader. All
selected drivers will be installed on endpoint computers when they receive policy updates.
If you do not see a driver required for your SmartCard, you can:

Harmony Endpoint Administration Guide | 102

 Pre-boot Authentication Methods

n Enter a text string in the Search field.

n Click Import to import a driver from your computer. If necessary, you can download drivers to
import from the Check Point Support Center.
3. In the Directory Scanner area, select Scan user certificates from Active Directory if you want the
Directory Scanner to scan user certificates.
4. If you selected to scan user certificates, select which certificates the Directory Scanner will scan:
n Scan all user certificates
n Scan only user certificates containing the SmartCard Logon OID - The OIDs are:
1.3.6.1.4.1.311.20.2.2.

Harmony Endpoint Administration Guide | 103

 Password Complexity and Security

Password Complexity and Security

To configure the password for OneCheck Logon, go to Policy > Data Protection > OneCheck > Password
Constraints. These actions define the requirements for the OneCheck password:

Action Description

Use Windows complexity requirements The standard Windows password requirements are
enforced:
The password must:
n Have at least six characters
n Have characters from at least 3 of these categories:
uppercase, lowercase, numeric characters, symbols.

Use custom requirements If you select this, select the requirements for which type of
characters the password must contain or not contain:
n Consecutive identical characters, for example, aa or
33
n Require special characters. These can be: ! " # $ % &
'()*+,-./:<=>?@{
n Require digits, for example 8 or 4.
n Require lower case characters, for example g or t.
n Require upper case characters, for example F or G.
n Password must not contain user name or full name.

Minimum length of password Enter the minimum number of characters for a valid
password.

Password can be changed only after Enter the minimum number of days that a password must
be valid before the user can change it.

Password expires after Enter the maximum number of days that a password can be
valid before the user must change it.

Number of passwords before a Enter the minimum number of password changes needed
previously used password may be used before a previously used password can be used again.
again

Harmony Endpoint Administration Guide | 104

 User Account Lockout Settings

User Account Lockout Settings

You can configure Full Disk Encryption to lock user accounts after a specified number of unsuccessful Pre-
boot login attempts:
n Temporarily - If an account is locked temporarily, users can try to log on again after a specified time.
n Permanently - If the account is locked permanently, it stays locked until an administrator unlocks it.

To configure an Account Lock Action:

1. Go to the Policy view > Data Protection > OneCheck > User Account Lockout Settings.
2. Configure the settings as necessary:

Option Description

Number of failed logins Maximum number of failed logon attempts before an account is
before a user account is temporarily locked out.
temporarily locked

Number of failed logins Maximum number of failed logon attempts allowed before an
before a user account is account is permanently locked. The account is locked until an
permanently locked administrator unlocks it.

Duration for a temporary user Duration of a temporary lockout period, in minutes.

lockout

Harmony Endpoint Administration Guide | 105

 Remote Help Permissions

Remote Help Permissions

Remote Help lets users access their Full Disk Encryption protected computers if they are locked out. The
user calls the designated Endpoint Security administrator and does the Remote Help procedure.
There are two types of Full Disk Encryption Remote Help:
n One Time Login - One Time Login allows access as an assumed identity for one session, without
resetting the password.
If users lose their SmartCards, they must use this option.
n Remote password change - This option is for users who use fixed passwords and forgot them.
For devices protected by Media Encryption & Port Protection policies, only remote password change is
available.

To let users work with Remote Help:

1. Go to the Policy view > Data Protection > OneCheck > Remote Help
2. Select the allowed type(s) of Remote Help:

Option Description

Allow account to receive Let users get help from an administrator to reset the account
remote password change password (for example, if the user forgets the password).
help

Allow account to receive Let the user get help from an administrator to log on, one time.
One-Time Logon help One-time logon is for users who have lost their SmartCard.
It is also useful if the user made too many failed attempts but
does not want to change the password.

Harmony Endpoint Administration Guide | 106

 Logon Settings

Logon Settings

OneCheck Logon Settings define additional settings for how users can access computers.
To configure Logon Settings, go to the Policy view > Data Protection > OneCheck > Logon:

Option Description

Allow logon to Lets a different user than the logged on user authenticate in Pre-boot to a system in
system hibernate mode.
hibernated by
another user

Allow use of Let user authenticate to use recovery media to recover and decrypt data from an
recovery encrypted system.
media Note: In E80.20 and higher, if this is not selected, users can still access recovery
media that is created with a temporary user and password.

Allow user to Let users change the password on an endpoint client during the Pre-boot.
change his
credentials
from the
endpoint client

Allow Single Let users use Single Sign On to log on to Pre-boot and Windows when OneCheck
Sign-On use Logon is disabled. Single Sign on applies only to Pre-boot and Windows and not to
different components, such as VPN or Media Encryption. Users are always allowed to
use Single Sign On when OneCheck Logon is running.

Harmony Endpoint Administration Guide | 107

 Bi-Directional Password Sync Settings

Bi-Directional Password Sync Settings

OneCheck Bi-Directional Password Sync Settings define additional settings password sychronization.

Options Description

Allow OS password reset upon Pre-boot Reset the OS password after a successful Pre-boot
password reset password reset.

Harmony Endpoint Administration Guide | 108

 Configuring Media Encryption & Port Protection

Configuring Media Encryption & Port Protection

Media Encryption & Port Protection protects data stored in the organization by encrypting removable media
devices and allowing tight control over computer ports (USB, Bluetooth, and so on). Removable devices are
for example: USB storage devices, SD cards, CD/DVD media and external disk drives.
On the client-side, Media Encryption & Port Protection protects sensitive information by encrypting data and
requiring authorization for access to storage devices and other input/output devices.
Media Encryption lets users create encrypted storage on removable storage devices that contain business-
related data. Encrypted media is displayed as two drives in Windows Explorer. One drive is encrypted for
business data. The other drive is not encrypted and can be used for non-business data. Rules can apply
different access permissions for business data and non-business data.
Port Protection controls, according to the policy, device access to all available ports including USB and
Firewire (a method of transferring information between digital devices, especially audio and video
equipment). Policy rules define access rights for each type of removable storage device and the ports that
they can connect to. The policy also prevents users from connecting unauthorized devices to computers.
Media Encryption & Port Protection functionalities are available in both Windows and macOS clients (for
macOS starting at client version E85.30).

Best Practice - We recommend to not encrypt non-computer external devices such as:
digital cameras, smartphones, MP3 players, and the like. Do not encrypt removable
media that can be inserted in or connected to such devices.

For instructions on how to encrypt, see sk166110.

Harmony Endpoint Administration Guide | 109

 Configuring the Read Action

Configuring the Read Action

The Read action defines the default settings for read access to files on storage devices. For each action,
you can define different settings for specified device types. The default predefined actions are:
n Allow encrypted data - Users can read encrypted data from storage devices (typically business-
related data).
n Allow unencrypted data - Users can read unencrypted data from storage devices (typically non
business-related data).
You can configure these actions for specific devices.

To configure the Read action:

1. In the Media Encryption tab, go to Exclusions Center.
2. Click New to create a new exclusion or configure an existing exclusion on the list.
3. Configure the options as necessary for: Read Encrypted, Read Unencrypted:
n Read Encrypted
l Accept - Allow reading only encrypted data from the storage device. Users cannot read
unencrypted data from the storage device.
l According to Policy - According to the default Media Encryption & Port Protection rule.
l Block - Block all reading from the storage device.
n Read Unencrypted
l Accept - Allow reading of unencrypted files from the storage device.
l According to Policy - According to the default Media Encryption & Port Protection rule
l Block - Block reading of unencrypted files from the storage device.

Harmony Endpoint Administration Guide | 110

 Configuring the Write Action

Configuring the Write Action

The Write action lets users:
n Create new files
n Copy or move files to devices
n Delete files from devices
n Change file contents on devices
n Change file names on devices
The default predefined write actions are:
n Data Type - Encrypt business-related data on storage devices - All Files that are defined as
business-related data must be written to the encrypted storage. Non-business related data can be
saved to the device without encryption. See "Configuring Business-Related File Types" on the next
page.
n Allow writing data on storage devices:
l Allow encryption - Users can write only encrypted files to storage devices.
l Enable deletion of file on read-only media - Allow users to delete files on devices with read-
only permissions.
You can configure these settings for specific devices.

To configure the Write action:

1. In the Media Encryption tab, go to Exclusions Center.
2. Click New to create a new exclusion or configure an existing exclusion on the list.
3. Per each device, configure the options as necessary for: Data Type and Write Encrypted:
n Data Type - Select one of these options:
l Allow any data - Users can write all file types to storage devices.
l Encrypt business-related data - Users must encrypt all business-related files written to
storage devices. Other files can be written without encryption. See "Configuring
Business-Related File Types" on the next page.
l Encrypt all data - Users must encrypt all files written to storage devices.
l Block any data - Users cannot write any files to storage devices.
n Write Encrypted - Select one of these options:
l Accept - Users must encrypt files written to storage devices.
l According to Policy - According to the default Media Encryption & Port Protection rule.
l Block - Block all writing to storage devices.
Notes:
n If no read policy is allows, the write policy is disabled automatically.
n If Block any Data is selected, Allow encryption and Configure File Types are
disabled.

Harmony Endpoint Administration Guide | 111

 Configuring the Write Action

Configuring Business-Related File Types

The organization's policy defines access to business and non-business related data. Business-related files
are confidential data file types that are usually encrypted in the business-related drive section of storage
devices. These files are defined as business-related file types by default:
n Multimedia - QuickTime, MP3, and more.
n Executable - Exe, shared library and more.
n Image - JPEG, GIF, TIF and more.
These files are defined as non-business related file types by default:
n Spreadsheet - Spreadsheet files, such as Microsoft Excel.
n Presentation - Presentation files, such as Microsoft Power Point.
n Email - Email files and databases, such as Microsoft Outlook and MSG files.
n Word - Word processor files, such as Microsoft Word.
n Database - Database files, such as Microsoft Access or SQL files.
n Markup - Markup language source files, such as HTML or XML.
n Drawing - Drawing or illustration software files, such as AutoCAD or Visio.
n Graphic - Graphic software files such as Photoshop or Adobe Illustrator.
n Viewer - Platform independent readable files, such as PDF or Postscript.
n Archive - Compressed archive files, such as ZIP or SIT.

To see the list of business-related file types and non-business related file types:
In Harmony Endpoint, go to the Policy view > Data Protection > Capabilities and Exclusions pane > Media
Encryption > Write Policy > Configure File Types > View Mode. Select Non-Business-Related or
Business-Related to see the relevant file types.

To configure business and non-business related file types:

1. In Harmony Endpoint, go to the Policy view > Data Protection > Capabilities and Exclusions pane >
Media Encryption > Write Policy > Configure File Types.
2. You can:
n Add or delete files from the business-related or non-business related file list. In View Mode,
select Business-related or Non-business related. Add or delete the required files. A file type
which is not in the business-related file list, is automatically included in the non business-
related file type list.
n Create new file types in the business-related or non-business related file type list. Click the
Create new file type button. The File type add/edit window opens. Configure Name, File
Extension and File Signatures and click OK.

Harmony Endpoint Administration Guide | 112

 Managing Devices

Managing Devices
You can configure custom settings for specified devices or device types. These device settings are typically
used as exceptions to settings defined in Media Encryption & Port Protection rules.
There are two types of devices:
n Storage Device -Removable media device on which users can save data files. Examples include:
USB storage devices, SD cards, CD/DVD media and external disk drives.
n Peripheral Device - Devices on which users cannot save data and that cannot be encrypted.

Click the icon to filter your view.

New devices are added manually or are automatically discovered by the Endpoint Server.
To view your devices, in the Data Protection view, go to Manage Devices. You can select to see Manually
added devices or Discovered devices. In the Device Type column, you can see if the device is a storage
device or a peripheral device.

To manually add a new device:

1. In the Data Protection view, go to Manage Devices.

2. Click the Add Manually icon , and select Storage Device or Peripheral Device.
3. Edit device details:
n Device Name - Enter a unique device display name, which cannot contain spaces or special
characters (except for the underscore and hyphen characters).
n Connection type - Select the connection type Internal, External or Unknown (required).
n Category - Select a device category from the list.
n Serial Number - Enter the device serial number. You can use wild card characters in the serial
number to apply this device definition to more than one physical device. See "Using Wild Card
Characters" on the next page.
n Extra Information - Configure whether the device shows as fixed disk device (Hard Drive with
Master Boot Record), a removable device (Media without Master Boot Record) or None.
n Icon - Select an icon to show in the GUI.
n Device ID Filter - Enter a filter string that identifies the device category (class). Devices are
included in the category when the first characters in a Device ID match the filter string. For
example, if the filter string is My_USB_Stick, these devices are members of the device
category:
l My_USB_Stick_40GB
l My_USB_Stick_80GB

Harmony Endpoint Administration Guide | 113

 Managing Devices

n Supported Capabilities
l Log device events - Select this option to create a log entry when this device connects to
an endpoint computer (Event ID 11 or 20 only).
l Allow encryption - Select this option if the device can be encrypted (storage devices
only).
4. Assign Groups (relevant for storage devices only) - you can assign the device to an existing group,
create a new group or do not add to group.
5. Click Finish.

To add an exclusion to a device:

1. In the Data Protection view, go to Manage Devices.
The Manage storage and peripheral devices window opens.
2. Right-click the applicable device and select Create Exclusion.
The Device Override Settings window opens.
3. Configure the required Read Policy and Write Policy. For more information on the configuration
options, see "Configuring the Read Action" on page 110 and "Configuring the Write Action" on
page 111
4. Click Finish.

Note - If a device has an exclusion already in place, the new exclusion overrides an
existing exclusion.

Managing Groups

You can create groups for storage devices. Using device groups facilitates policy management because you
can create exclusion rules for an entire group of devices instead of per one device each time. To create a
new device group, in the Policy view, go to Data Protection > Manage Devices > Storage Device Groups.
You can create new groups or edit existing groups.

Note - You cannot delete groups that are in use.

Using Wild Card Characters

You can use wild card characters in the Serial Number field to apply a definition to more than one physical
device. This is possible when the device serial numbers start with the same characters.
For example: If there are three physical devices with the serial numbers 1234ABC, 1234BCD, and
1234EFG, enter 1234* as the serial number. The device definition applies to all three physical devices. If
you later attach a new physical device with the serial number 1234XYZ, this device definition automatically
applies the new device.
The valid wild card characters are:
The '*' character represents a string that contains one or more characters.
The '?' character represents one character.
Examples:

Harmony Endpoint Administration Guide | 114

 Managing Devices

Serial Number with Wildcard Matches Does Not Match

1234* 1234AB, 1234BCD, 12345 1233

1234??? 1234ABC, 1234XYZ, 1234567 1234AB, 1234x, 12345678

Because definitions that use wildcard characters apply to more endpoints than those without wildcards,
rules are enforced in this order of precedence:
1. Rules with serial numbers containing * are enforced first.
2. Rules with serial numbers containing ? are enforced next.
3. Rules that contain no wildcard characters are enforced last.
For example, rules that contain serial numbers as shown here are enforced in this order:
1. 12345*
2. 123456*
3. 123????
4. 123456?
5. 1234567

Harmony Endpoint Administration Guide | 115

 Advanced Settings for Media Encryption

Advanced Settings for Media Encryption

Authorization Settings

You can configure a Media Encryption & Port Protection rule to require scans for malware and unauthorized
file types when a storage device is attached. You also can require a user or an administrator to authorize the
device. This protection makes sure that all storage devices are malware-free and approved for use on
endpoints.
On Windows E80.64 and higher clients, CDs and DVDs (optical media) can also be scanned.
After a media device is authorized:
n If you make changes to the contents of the device in a trusted environment with Media Encryption &
Port Protection, the device is not scanned again each time it is inserted.
n If you make changes to the contents of the device in an environment without Media Encryption & Port
Protection installed, the device is scanned each time it is inserted into a computer with Media
Encryption & Port Protection.
You can select one of these predefined options for a Media Encryption & Port Protection rule:
Require storage devices to be scanned and authorized -
n Scan storage devices and authorize them for access - Select to scan the device when inserted.
Clear to skip the scan.
l Enable self-authorization - If this option is selected, users can scan the storage device
manually or automatically. If this setting is cleared, users can only insert an authorized device.
o Manual media authorization - The user or administrator must manually authorize the
device.
Allow user to delete unauthorized files - The user can delete unauthorized files
detected by the scan. This lets the user or administrator authorize the device after the
unauthorized files are deleted.
o Automatic media authorization -The device is authorized automatically.
Allow user to delete unauthorized files - The user can delete unauthorized files
detected by the scan. This lets the user or administrator authorize the device after the
unauthorized files are deleted.
n Exclude optical media from scan - Exclude CDs and DVDs from the scan.
In Advanced Settings > Authorization Scanning, you can configure authorized and non-authorized file
types.
Unauthorized - Configure the file types that are blocked. All other file types will be allowed.
Authorized - Configure file types that are allowed. All other file types will be blocked.

UserCheck Messages

UserCheck for Media Encryption & Port Protection tells users about policy violations and shows them how to
prevent unintentional data leakage. When a user tries to do an action that is not allowed by the policy, a
message shows that explains the policy.
For example, you can optionally let users write to a storage device even though the policy does not allow
them to do so. In this case, users are prompted to give justification for the policy exception. This justification
is sent to the security administrator, who can monitor the activity.

Harmony Endpoint Administration Guide | 116

 Advanced Settings for Media Encryption

Advanced Encryption

n Allow user to choose owner during encryption - Lets users manually define the device owner before
encryption. This lets users create storage devices for other users. By default, the device owner is the
user who is logged into the endpoint computer. The device owner must be an Active Directory user.
n Allow user to change the size of encrypted media - Lets users change the percentage of a storage
device that is encrypted, not to be lower than Minimum percentage of media capacity used for
encrypted storage or Default percentage of media capacity used for encrypted storage. .
n Allow users to remove encryption from media - Lets users decrypt storage devices.
n When encrypting, unencrypted data will be - Select one of these actions for unencrypted data on a
storage device upon encryption:
l Copied to encrypted section - Unencrypted data is encrypted and moved to the encrypted
storage device. We recommend that you back up unencrypted data before encryption to
prevent data loss if encryption fails. For example, if there is insufficient space on the device.
l Deleted - Unencrypted data is deleted.
l Untouched - Unencrypted data is not encrypted or moved.
n Secure format media before encryption - Run a secure format before encrypting the storage device.
Select the number of format passes to do before the encryption starts.
n Change device name and icon after encryption - When selected, after the device is encrypted, the
name of the non-encrypted drive changes to Non Business Data and the icon changes to an open
lock. When cleared, the name of the non-encrypted drive and the icon do not change after the device
is encrypted.
n When encrypting media, file system should be:
l As already formatted -According to the original format.
l ExFAT
l FAT32
l NTFS
Allow user to change the file system of the encrypted storage - After storage was encrypted in a
specific format, the user can change this format to another format.

Site Configuration

Site Actions control when to allow or prevent access to encrypted devices that were encrypted by different
Endpoint Security Management Servers. Each Endpoint Security Management Server (known as a Site)
has a Universally Unique Identifier (UUID). When you encrypt a storage device on an Endpoint Security
client, the Endpoint Security Management Server UUID is written to the device. The Site action can prevent
access to devices encrypted on a different Endpoint Security Management Server or from another
organization. The Site action is enabled by default.
When a user attaches a storage device, Media Encryption & Port Protection makes sure that the device
matches the UUID the Endpoint Security Management Server UUID or another trusted Endpoint Security
Management Server. If the UUIDs match, the user can enter a password to access the device. If the UUID
does not match, access to the device is blocked.
Allow access to storage devices encrypted at any site - Endpoint Security clients can access encrypted
devices that were encrypted at any site.

Harmony Endpoint Administration Guide | 117

 Advanced Settings for Media Encryption

Allow access to storage devices encrypted at current site only - Media Encryption Site (UUID) verification
is enabled. Endpoint Security clients can only access encrypted devices that were encrypted by the same
Endpoint Security Management Server.

Media Lockout

You can configure Media Encryption & Port Protection to lock a device after a specified number of
unsuccessful login attempts:
n Temporarily - If a device is locked temporarily, users can try to authenticate again after a specified
time. You can configure the number of failed login attempts before a temporary lockout and the
duration of lockout.
n Permanently - If a device is locked permanently, it stays locked until an administrator unlocks it. You
can configure the number of failed login attempts before a permanent lockout

Offline Access

Password protect media for access in offline mode - Lets users assign a password to access a storage
device from a computer that is not connected to an Endpoint Security Management Server. Users can also
access the storage device with this password from a non-protected computer
Allow user to recover their password using remote help - Lets user recover passwords using remote help.
Copy utility to media to enable media access in non-protected environments - Copies the Explorer utility
to the storage device. This utility lets users access the device from computers that are not connected to an
Endpoint Security Management Server.

Harmony Endpoint Administration Guide | 118

 Media Encryption Remote Help

Media Encryption Remote Help

Media Encryption & Port Protection lets administrators recover removable media passwords remotely, using
a challenge/response procedure. Always make sure that the person requesting Remote Help is an
authorized user of the storage device before you give assistance.

To recover a Media Encryption & Port Protection password with Remote Help assistance from Harmony
Endpoint:
1. From the left navigation panel, click Asset Management.
2. In the left pane, click Computers.
3. From the top toolbar, click Computer Actions > in the section Remote Help & Recovery, click Media
Encryption.
The Media Encryption Remote Help window opens.
4. Fill in these details:
a. Select the user
b. In the Challenge field, enter the challenge code that the user gives you. Users get the
Challenge from the Endpoint client.
c. Click Generate Response.
Media Encryption & Port Protection authenticates the challenge code and generates a
Response code..
d. Give the Response code to the user.
e. Make sure that the user can access the storage device successfully.

Harmony Endpoint Administration Guide | 119

 Port Protection

Port Protection
Port Protection protects the physical port when using peripheral devices.
Peripheral devices are for example, keyboards, screens, blue tooth, Printers, SmartCard, network adapters,
mice and so on.

To create a new Port Protection rule:

1. In the Data Protection policy, go to the right pane - Capabilities & Exclusions > Port Protection >
Edit Policy.
The Port Protection Settings window opens.
2. Click New.
The New Port Protection Rule window opens.
3. Select a device from the drop-down menu or click New to create a new device (see Managing
Devices for details on how to create a new device).
4. Select the Access Type from the drop-down menu:
Accept - Allow connecting the peripheral device.
Block - Do not allow connecting the peripheral device.
5. In the Log Type field, select the log settings:
n Log - Create log entries when a peripheral device is connected to an endpoint computer
(Action IDs 11 and 20).
n None - Do not create log entries.
6. Click Create.

Harmony Endpoint Administration Guide | 120

 Media Encryption Access Rules

Media Encryption Access Rules

You can select a global action that defines automatic access to encrypted devices. This has an effect on all
Media Encryption & Port Protection rules, unless overridden by a different rule or action.
Make sure that the Read Policy allows access to the specified users or devices.
In the Policy view > Data Protection > Access Rules > Preset > click the drop-down menu. You can select
one of these settings or create your own custom rules for automatic access to encrypted devices:
n Encrypted storage devices are fully accessible by all users - All users can read and change all
encrypted content.
n All users in the organization can read encrypted storage devices, only owners can modify - All
users can read encrypted files on storage devices. Only the media owner can change encrypted
content.
n Only owners can access encrypted storage devices - Only media owners can read and/or change
encrypted content.
n Access to encrypted storage devices requires password authentication - Users must enter a
password to access the device. Automatic access in not allowed.
n Custom - Create a customized automatic access rule to encrypted devices. There are two predefined
action rules in this window. You cannot delete these rules or change the media owner or media user.
But, you can change the access permissions. The two predefined actions are defaults that apply
when no other custom action rules override them. The Any/Media Owner action rule is first by default
and the Any/Any action rule is last by default. We recommend that you do not change the position of
these rules.

To create a new customized automatic access rule to encrypted devices:

1. Configure these settings:
l In the Encrypted Media Owner field, select one of these options:
o Rule applies to any encrypted media owner - This action applies to any user.
o Choose a user/group/ou from your organization - Select the applicable user,
group or OU to which this action applies.
l In the Encrypted Media User field, select one of these options:
o Rule applies to any encrypted media user - This action applies to any user.
o Select the media owner as the encrypted media user - The media owner is also
defined as the user.
o Choose a user/group/ou from your organization - Select the applicable user,
group or OU to which this action applies.
2. Click the field in the Access Allowed column, and select one of these parameters:
l Full Access
l No Automatic Access
l Read-Only

Harmony Endpoint Administration Guide | 121

 Configuring Access & Compliance Policy

Configuring Access & Compliance Policy

Harmony Endpoint Administration Guide | 122

 Firewall

Firewall
The Firewall guards the "doors" to your devices, that is, the ports through which Internet traffic comes in and
goes out.
It examines all the network traffic and application traffic arriving at your device, and asks these questions:
n Where did the traffic come from and what port is it addressed to?
n Do the firewall rules allow traffic through that port?
n Does the traffic violate any global rules?
The answers to these questions determine whether the traffic is allowed or blocked.
When you plan a Firewall Policy, think about the security of your network and convenience for your users.
A policy must let users work as freely as possible, but also reduce the threat of attack from malicious third
parties.
Firewall rules accept or drop network traffic to and from Endpoint computers, based on connection
information, such as IP addresses, Domains, ports and protocols.

Harmony Endpoint Administration Guide | 123

 Configuring Inbound/Outbound Rules

Configuring Inbound/Outbound Rules

The Endpoint client checks the firewall rules based on their sequence in the Rule Base. Rules are enforced
from top to bottom.
The last rule is usually a Cleanup Rule that drops all traffic that is not matched by any of the previous rules.

Important - When you create Firewall rules for Endpoint clients, create explicit rules that
allow all endpoints to connect to all the domain controllers on the network.

Note - The Endpoint client do not support DNS over HTTPS.

Inbound Traffic Rules

Inbound traffic rules define which network traffic can reach Endpoint computers (known as localhost).
The Destination column in the Inbound Rule Base describes the Endpoint devices to which the rules apply
(you cannot change these objects).
These four inbound rules are configured by default:

No. Name Source Service Action Track Comment

1 Allow Trusted Trusted_Zone Any Allow None

Zone

2 Allow IP obtaining Internet_Zone bootp Allow None

dhcp-relay
dhcp-req-
local
dhcp-rep-
local

3 Allow PPTP Internet_Zone gre Allow None

pptp-tcp
L2TP

4 Cleanup rule Any Any Block Log

Outbound Traffic Rules

Outbound traffic rules define which outgoing network traffic is allowed from Endpoint computers.
The Source column in the outbound Rule Base describes the Endpoint devices to which the rules apply.
This outbound rule is configured by default:

No. Name Destination Service Action Track Comment

1 Allow any outbound Any Any Allow None

Harmony Endpoint Administration Guide | 124

 Configuring Inbound/Outbound Rules

Parts of Rules

As opposed to SmartEndpoint GUI, Harmony Endpoint has a unified Rule Base, which enables the user to
view the entire Rule Base at a glance - both inbound and outbound. Both are sections of the same Rule
Base.
These are the parts of the Firewall inbound/outbound rules:

Column Description

# Rule priority number.

Rule name Name of the Firewall rule.

Source Source location of the network traffic.

For an outbound rule, the source is always set to the local computer/user/group.

Destination Destination location of the network traffic.

For an inbound rule, the destination is always set to the local computer/user/group.

Service Network protocol or service used by the traffic.

Action The action that is done on the traffic that matches the rule - Allow or Block.

Track The tracking and logging action that is done when traffic matches the rule:
n Log - Records the rule enforcement in the Endpoint Security Client Log Viewer.
n Alert - Shows a message on the endpoint computer and records the rule
enforcement in the Endpoint Security Client Log Viewer.
n None - Logs and Alert messages are not created.

Editing a Rule

1. From the left navigation panel, click Policy > Access & Compliance.
2. Click the rule to select it.
When you edit a rule, a purple indication is added next to it (on the left of the rule).
3. In the right pane, in the section Capabilities & Exclusions, click the Firewall tab.
4. Click the Edit Inbound/Outbound Rulebase button.
5. Make the required changes.
To add a new rule, do one of these:
n From the top toolbar, the applicable option (New Above or New Below)
n Right-click the current rule and select the applicable option (New Above or New Below)
6. Click OK in the bottom right corner.
7. Click Save in the bottom right corner.
You can click Cancel to revert the changes.
8. Above the rule base, click Install Policy.

Harmony Endpoint Administration Guide | 125

 Configuring Inbound/Outbound Rules

Deleting a Rule

1. Click the rule to select it.

2. From the top toolbar, click the garbage can icon ("Delete rule").
If you are inside the Edit Inbound/Outbound Rulebase view, then a red indication is added next to it
(on the left of the rule).
3. If you are inside the Edit Inbound/Outbound Rulebase view, then click OK in the bottom right corner.
4. If your are in the Firewall policy view, click Delete to confirm.
5. Click Save in the bottom right corner.
6. Above the rule base, click Install Policy.

Harmony Endpoint Administration Guide | 126

 Managing Firewall Objects and Groups

Managing Firewall Objects and Groups

Objects defined in Harmony Endpoint and stored in the object database, represent physical and virtual
network components (such as Endpoint devices and servers), and logical components (such as IP address
ranges). You can create new objects to be used in the policy.

Supported Object Categories

Harmony Endpoint supports the object categories described below.

Hosts

A host can have multiple interfaces, but no routing takes place. It is an Endpoint device that receives
traffic for itself through its interfaces. (In comparison, a Security Gateway routes traffic between its
multiple interfaces). For example, if you have two unconnected networks that share a common Endpoint
Security Management Server and a Log Server, configure the common server as a host object.
A host has no routing mechanism, it is not capable of IP forwarding, and cannot be used to implement
Anti-Spoofing.
The Endpoint Security Management Server object is a host.
Enter these properties data to define a host
n Name - A name for the host. The name must start with a letter and can include capital and small
letters, numbers and '_'. All other characters are prohibited
n IPv4 and/or IPv6 addresses of the host you want to use.
n Description (Optional) - A description of the host object.

Networks

A network is a group of IP addresses defined by a network address and a net mask. The net mask
indicates the size of the network.
A Broadcast IP address is an IP address which is destined for all hosts on the specified network. If this
address is included, the Broadcast IP address is considered as part of the network.
Enter these properties to define a network:
n Name - A name for the network. The name must start with a letter and can include capital and
small letters, numbers and '_'. All other characters are prohibited.
n Network Address (IPv4) and Netmask (IPv4) of the network object you want to use.
or
Network Address (IPv6) and Prefix (IPv6) of the network object you want to use.
n Description (optional)- A description of the network object.

Network Groups

A network group is a collection of hosts, networks, or other groups. The use of groups facilitates and
simplifies network management. When you have the same set of objects which you want to use in
different places in the Rule Base, you can create a group to include such set of objects and reuse it.
Modifications are applied to the group instead of to each member of the group.

Harmony Endpoint Administration Guide | 127

 Managing Firewall Objects and Groups

Groups are also used where Harmony Endpoint lets you select only one object, but you need to work with
more than one.
Enter these properties to define a network group object:
n Name - A name for the network object. The name must start with a letter and can include capital
and small letters, numbers and '_'. All other characters are prohibited
n Click the + icon to add the required objects to your group.
n Description (Optional) - A description of the group.

Domains and Domain Groups

A Domain object lets you define a host or a DNS domain by its name only. It is not necessary to have the
IP address of the site. You can use the Domain object in the source and destination columns of the
Firewall Policy.
Enter these properties to define a Domain:
n Name - A name for the Domain. The name must start with a letter and can include capital and
small letters, numbers and '_'. All other characters are prohibited.
n Host name - Use the Fully Qualified Domain Name (FQDN). Use the format .x.y.z (with a dot "."
before the FQDN). For example: www.example.com
Sub-sites must be added separately, if you want to apply the rule to them as well. Wildcard
symbols like * are not allowed. Non-Qualified Domain Names are not supported.

Note - The DNS resolution is executed only once the policy is applied, or
following a reboot.

n Description (Optional) - A description of the Domain or Domain group object.

Enter these properties to define a Domain group:
n Name - A name for the Domain. The name must start with a letter and can include capital and
small letters, numbers and '_'. All other characters are prohibited.
n Click the + icon to add the required Domains to the Domain group.
n Description - A description of the Domain group

Address Ranges

An address range is a range of IP addresses on the network, defined by the lowest and the highest IP
addresses. Use an Address Range object when you cannot define a range of IP addresses by a network
IP and a net mask. The Address Range objects are also necessary for the implementation of NAT and
VPN.
Enter these properties to define an address range object:
n Name
n From IP address (IPv4) - To IP address (IPv4) - First and last IPv4 addresses of the range.
or
From IP address (IPv6) - To IP address (IPv6) - First and last IPv6 addresses of the range.
n Description (Optional) - A description of the address range.

Harmony Endpoint Administration Guide | 128

 Managing Firewall Objects and Groups

Security Zones

See "Configuring Security Zones" on page 131.

Services and Service Groups

Data transmission services, such as UDP and TCP.

The Endpoint identifies (matches) a service according to IP protocol, TCP and UDP port number, and
protocol signature.

Creating Objects

Create objects for areas that programs must have access to, or areas that programs must be prevented
from accessing.
Configure objects for each policy or define objects before you create a policy. After you configure an object,
you can use again it in other policies.

To create an object:
1. In the Access view, go to Manage > Manage Firewall Objects > Manage Objects and Groups
(or, in the in the Access view > go to Edit Inbound/Outbound Rule Base).
The Manage Objects and Groups window opens.
2. Click this icon:
3. Configure the relevant properties and click OK.
When you create a new network object, the name must start with a letter and can include capital and small
letters, numbers and "_ / -". All other characters are prohibited.

Harmony Endpoint Administration Guide | 129

 Managing Firewall Objects and Groups

Used In

You can check in which rule each object is used.

To check in which rule an object is used:

1. In the Access view, go to Manage > Manage Firewall Objects > Manage Objects and Groups.
2. Select the object and look at the right corner of the window to see the rules in which the object is used.
For example:

Harmony Endpoint Administration Guide | 130

 Configuring Security Zones

Configuring Security Zones

Security Zones let you create a strong Firewall policy that controls the traffic between parts of the network.
A Security Zone object represents a part of the network (for example, the internal network or the external
network).
There are two types of Security Zones:
n Trusted Zone - The Trusted Zone contains network objects that are trusted. Configure the Trusted
Zone to include only those network objects with which your programs must interact. You can add and
remove network objects from a Trusted Zone. A device can only have one Trusted Zone. This means
that if the Firewall policy has more than one rule, and more than one Trusted Zone applies to a
device, only the last Trusted Zone is enforced.
These two network elements are defined as Trusted Zones by default:
l All_Internet - This object represents all legal IP addresses.
l LocalMachine_Loopback - Endpoint device's loopback address: 127.0.0.1. The Endpoint
device must always have access to its own loopback address. Endpoint users must not run
software that changes or hides the local loopback address. For example, personal proxies that
enable anonymous internet surfing.
n Internet Zone - All objects that are not in the Trusted Zone are automatically in the Internet Zone.
Objects in the Trusted Zone:
These object types can be defined as Trusted Zones:
n Hosts
n Networks
n Network Groups
n Domains
n Address Ranges

To configure a Trusted Zone:

1. In the Access policy view, go to the right pane - Firewall Rule Settings, and click Manage Trusted
Zone.
2. Click the + icon to see the list of objects you can define as a Trusted Zone.

Note - To add objects to the list , go to the Access view > Manage > Manage
Firewall Objects, and click Create.

3. Select the required object.

4. Click OK.

Harmony Endpoint Administration Guide | 131

 Configuring Firewall Rule Advanced Settings

Configuring Firewall Rule Advanced Settings

To configure the advanced settings for a Firewall rule:

1. From the left navigation panel, click Policy > Access & Compliance.
2. Click the rule to select it.
3. In the right pane, in the section Capabilities & Exclusions, click the Firewall tab.
4. In the Advanced Settings section, select the applicable options:
n Allow wireless connections when connected to the LAN - This protects your network from
threats that can come from wireless networks.
If you select this checkbox, users can connect to wireless networks while they are connected to
the LAN.
If you clear this checkbox, users cannot connect to wireless networks while they are connected
to the LAN.
n Allow hotspot registration - Controls whether users can connect to your network from hotspots
in public places, such as hotels or airports.
If you select this checkbox, the Firewall is bypassed to let users connect to your network from a
hotspot.
If you clear this checkbox, users are not able to connect to your network from a hotspot.
n Block IPv6 network traffic - Controls whether to block IPv6 traffic to endpoint devices. Clear
this checkbox to allow IPv6 traffic to endpoint devices.
n From the When using Remote Access, enforce Firewall policy from menu, select the
applicable option:
l Above Endpoint Firewall policy (this is the default)
l Remote Access Desktop Security Policy
If your environment had Endpoint Security VPN and then moved to the complete
Endpoint Security solution, select this option to continue using the Desktop Policy
configured in the legacy SmartDashboard.
To learn how to configure a Desktop Policy, see the Remote Access Clients for Windows
Administration Guide.
5. Click Save in the bottom right corner.

Note - For more information about Firewall, see sk164253.

Harmony Endpoint Administration Guide | 132

 Application Control

Application Control
The Application Control component of Endpoint Security restricts network access for specified applications.
The Endpoint Security administrator defines policies and rules that allow, block or terminate applications
and processes. The administrator can also configure that an application is terminated when it tries to access
the network, or as soon as the application starts.
This is the workflow for configuring Application Control:
1. Set up a Windows device with the typical applications used on protected Endpoint computers in your
organization. This is your reference device. If you have several different standard images, set up a
reference device for each.
2. Generate the list of applications on the computer by running the Appscan tool. This generates an
XML file that contains the details of all the applications on the computer.
3. Upload the Appscan XML file to the Endpoint Security Management Server using Harmony Endpoint.
4. Configure the action for each application in the Application Control policy. You can configure which
applications are allowed, blocked, or terminated.
5. Install policy.

Harmony Endpoint Administration Guide | 133

 Creating the List of Applications on the Reference Device

Creating the List of Applications on the Reference Device

You need to generate a list of the applications on your reference device. This is a Windows device with a
tightly-controlled disk image that contains the typical applications used on protected Endpoint devices in
your organization. If you have several different standard images, set up a reference device for each.

Important - The reference device must be free of malware.

To generate the list of applications, run the Appscan command on the reference device. This generates an
XML file that contains the details of all the applications and operating system files on the device. In the
XML file, each application, and each application version, is uniquely identified by a checksum. A checksum
is a unique identifier for programs that cannot be forged. This prevents malicious programs from
masquerading as other, innocuous programs.

To collect a list of applications on the reference device:

1. Go to Policy > Access & Compliance > Manage > Manage Applications > Upload Applications >
Download Appscan, and click Download.

Harmony Endpoint Administration Guide | 134

 Creating the List of Applications on the Reference Device

2. Run the Appscan application on your target device with the applicable parameters. See "Appscan
Command Syntax" below.
This creates an Appscan XML file for each disk image used in your environment. When the scan is
complete, an output file is created in the specified directory. The default file name is scanfile.xml

Appscan Command Syntax

Description
Scans the host device and creates an XML file that contains a list of executable programs and their
checksums.

Syntax

Appscan [/o <filename> /s <target directory> /x <extension strung /e /a /p

/verbose /warnings /?

Parameters

Parameter Description

/o Sends output to the specified file name. If no file name is specified, Appscan uses
the default file name (scanfile.xml) in the current folder.

file name Output file name and path.

Harmony Endpoint Administration Guide | 135

 Creating the List of Applications on the Reference Device

Parameter Description

/s <target Specifies the directory, including all subdirectories, to scan.

directory>
n You must enclose the directory/path string in double quotes.
n If no directory is specified, the scan runs in the current directory only.

/x Specifies the file extension(s) to include in the scan.

<extension
string>
n The extension string can include many extensions, each separated by a semi-
colon.
n You must put a period before each file extension.
n You must enclose full extension string in double quotes.
n You must specify a target directory using the /s switch.
n If you do not use the /x parameter only .exe executable files are included in
the scan

/e Include all executable files in the specified directory regardless of the extension. Do
not use /e together with /x.

/a Includes additional file properties for each executable.

/p Shows progress messages during the scan.

/verbose Shows progress and error messages during the scan.

/warnings Shows warning messages during the scan.

/? Shows the command syntax and help text.

or
/help

Examples
n appscan /o scan1.xml

This scan, by default, includes .exe files in the current directory and is saved as scan1.xml.
n appscan /o scan2.xml /x ".exe;.dll" /s "C:\"

This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.
n appscan /o scan3.xml /x ".dll" /s c:\program files

This scan includes all .dll files in c:\program files and all its subdirectories. It is saved as
scan3.xml.
n appscan /s "C:\program files" /e

This scan includes all executable files in c:\program files and all its subdirectories. It is saved
as the default file name scanfile.xml.

Harmony Endpoint Administration Guide | 136

 Uploading the Appscan XML File to the Endpoint Security Management Server

Uploading the Appscan XML File to the Endpoint Security Management

Server
After you generate the Appscan XML file, upload it to the Endpoint Security Management Server.

Note - Before you upload the Appscan XML file, remove all special characters, such as
trademarks or copyright symbols, from the Appscan XML .

To upload the Appscan XML file:

1. In the Policy view, go to Access > Application Control> Manage > Manage applications > Upload
Applications.
The Upload Applications window opens.
2. In the Upload XML section, click Upload.

3. Search for the Appscan XML file and click Open.

Harmony Endpoint Administration Guide | 137

 Configuring Application Permissions in the Application Control Policy

Configuring Application Permissions in the Application Control Policy

Applications that were uploaded with the Appscan XML file are allowed by default. You cannot change the
default action for the uploaded applications.
After the applications are uploaded, you can review the actions for each application In the Application
Control policy.
For applications and application versions that you are know are secure, change the permission setting to
Allow .
If you know the applications or application versions are not secure, change the permission setting to Block.
You can also configure that blocked applications will be terminated when they are started, or when they try
to establish a network connection.

To review the policy settings for applications and application versions:

1. In the Policy view, go to Access > Application Control > Application Management > Edit
Application Control Policy.
2. The Action column shows the permission for each application. Left-click the Action column to select
the permission.

Permission Explanation

Allow The application is allowed.

Block The application is blocked.

Terminate The application is terminated when it tries to access the network or

immediately when it runs.

3. The Version column shows the details for each version of the application, including a unique hash
value that identifies the signer of the application version. You can block or allow specific versions of
the same program. Each version has a unique Version number, Hash, and Created On date.

To configure termination settings:

1. In the Policy view, go to Access > Application Control > Application Management.
2. Select one of these options:
n Terminate on execution - Selected by default. Makes sure that all terminated applications
terminate immediately when they run.
n Terminate on connection - Terminate an application when the application tries to access the
network

Application Control in Backward Compatibility Mode

Default Action for Unidentified Applications

Changing the default action for unidentified applications is only supported in backward compatibility mode.

Harmony Endpoint Administration Guide | 138

 Configuring Application Permissions in the Application Control Policy

To enable backward compatibility mode:

1. Go to Endpoint Settings > Policy Operation Mode.
2. Go to the required policy and select Mixed mode.

To change the default action for uploaded applications:

1. In the Policy view, go to Access > Application Control > Application Management > Default action.
2. Select the required default action.

Configuring the Application Control Policy

In addition to Allow, Block and Terminate, there are two more actions that you can configure in backward
compatibility mode:
Unidentified (Allow) - The application is allowed because the default setting for applications that are
imported from the Appscan XML is
Allow, and the administrator did not change this action.
Unidentified (Block) - The application is blocked because the default setting for applications that are
imported from the Appscan XML is Block, and the administrator did not change this action.

Harmony Endpoint Administration Guide | 139

 Disabling or Enabling Windows Subsystem for Linux (WSL)

Disabling or Enabling Windows Subsystem for Linux (WSL)

Windows Subsystem for Linux (WSL) is the scripting language in Windows 10 and higher. It makes it
possible to run Linux binary executables under Windows. WSL has the potential for compromising security.

To enable or disable Windows Subsystem for Linux (WSL) on Endpoint Security client computers:
1. In the Policy view, go to Access > Application Control > Windows Sub-systms for Linux (WSL)
Traffic
2. Select Allow Windows Sub-systms for Linux (WSL) Traffic or leave this option cleared.

Harmony Endpoint Administration Guide | 140

 Developer Protection

Developer Protection
Developer Protection prevents developers leaking sensitive information such as RSA keys, passwords, and
access tokens through the Git version control system. It also detects and warn the developer when using
packages with known vulnerabilities.
Developer Protection intercepts git commit commands issued by the developer, and scans all modified
files in a Git repository. It prevents the uploading of private information in plain text and vulnerable
dependencies from Endpoint Security client computers to public locations.
Developer protection is supported on Endpoint Security Client release E84.60 and higher.

To configure Developer protection:

1. In the Policy view, go to Developer Protection.
2. Select the Developer Protection mode:

Option Explanation

Off Developer Protection is disabled. This is the default.

Detect n Information leakage is detected and a log message is generated, but the
Commit is allowed.
n The administrator can examine the audit log Detect messages of the
Application Control component.
n The developer sees a notification on the client computer.

Prevent n Information leakage is detected, a log message is generated, and the Commit
is blocked.
n The administrator can examine the audit log Prevent messages of the
Application Control component.
n The developer sees a warning notification on the client computer. The
developer can decide to override the notification and allow the traffic (with or
without giving a justification).
n The notification message suggests how to fix the problem. For example, by
adding a file to .gitignore, or updating the version in package.json

3. Click Save.
4. Install Policy.

Exclusions to Developer Protection

You can define exclusion to developer protection based on the SHA256 hash of the files.
To define an exclusion to developer protection:
1. Click Edit Exclusion.
The Developer Protection Exclusion window opens.
2. Click the + sign.
3. In the SHA256 Hash field enter the SHA256 hash of the file.
4. Optional: Enter a Description.

Harmony Endpoint Administration Guide | 141

 Developer Protection

5. Optional: Select Copy to all rules, to copy this exclusion to all existing Developer Protection rules.
6. Click OK.

Harmony Endpoint Administration Guide | 142

 Compliance

Compliance
The Compliance component of Endpoint Security makes sure that endpoint computers comply with security
rules that you define for your organization. Computers that do not comply show as non-compliant and you
can apply restrictive policies to them.
The Compliance component makes sure that:
n All assigned components are installed and running on the endpoint computer.
n Anti-Malware is running and that the engine and signature databases are up to date.
n Required operating system service packs and Windows Server updates are installed on the endpoint
computer through WIndows Servers Update Services.

Note - This is not supported through Windows Settings > Update & Security on
your endpoint computer.

n Only authorized programs are installed and running on the endpoint computer.
n Required registry keys and values are present.

Note - For macOS limitations, see sk110975.

If an object (for example an OU or user) in the organizational tree violates its assigned policy, its compliance
state changes, and this affects the behavior of the endpoint computer:
n The compliant state is changed to non-compliant.
n The event is logged, and you can monitor the status of the computer and its users.
n Users receive warnings or messages that explain the problem and give a solution.
n Policy rules for restricted computers apply. See "Connected, Disconnected and Restricted Rules" on
page 168.

Harmony Endpoint Administration Guide | 143

 Planning for Compliance Rules

Planning for Compliance Rules

Before you define and assign compliance rules, do these planning steps:
1. Identify the applications, files, registry keys, and process names that are required or not permitted on
endpoint computers.
2. Collect all information and remediation files necessary for user compliance. Use this information
when you create remediation objects to use in compliance rules.
Compliance rules can prevent users from accessing required network resources when they are not
compliant. Think about how to make it easy for users to become compliant.
3. Make sure that the Firewall rules gives access to remediation resources. For example, sites from
which service packs or Anti-virus updates can be downloaded.

Note - In Windows 7, make sure the Interactive Service Detection service is

running. This is necessary for remediation files (running with system credentials)
that must interact with the user.

4. Define rule alerts and login policies to enforce the rules after deployment.

Harmony Endpoint Administration Guide | 144

 Configuring Compliance Policy Rules

Configuring Compliance Policy Rules

Harmony Endpoint Administration Guide | 145

 Ensuring Alignment with the Deployed Profile

Ensuring Alignment with the Deployed Profile

This action makes sure that all installed components are running and defines what happens if they are not
running. The action options are:

Action Description

Inform if assigned Software Blades Send a warning message if one or more Endpoint Security
are not running components are not running.

Restrict if assigned Software Blade Restrict network access if one or more Endpoint Security
are not running components are not running.

Monitor if assigned Software Create log entries if one or more Endpoint Security components
Blades are not running are not running. No messages are sent.

Do not check if assigned Software No check is made whether Endpoint Security components are
Blades are not running running.

Harmony Endpoint Administration Guide | 146

 Remote Access Compliance Status

Remote Access Compliance Status

Remote Access Compliance Status selects the procedure used to enforce the upon verification failure from
Policy > Access & Compliance > Remote Access Compliance Status.
The options available are:
n Endpoint Security Compliance - Uses the Endpoint Security policy to control access to
organizational resources.
n VPN SCV Compliance - Uses SCV (Security Configuration verification) settings from the Security
Gateway to control access to organization resources. SCV checks, which are defined in the
Local.scv policy, always run on the client. This option is described in the "Secure Configuration
Verification (SCV)" section of the E80.72 and higher Remote Access clients for Windows
Administration Guide.

Note - Endpoint Security clients on macOS always get their compliance status
from Endpoint SecurityCompliance, even if VPN Client verification process will
use VPN SCV Compliance is selected.

Harmony Endpoint Administration Guide | 147

 Compliance Action Rules

Compliance Action Rules

Many of the Compliance Policy actions contain Action Rules that include these components:
n Check Objects (Checks) - Check objects define the actual file, process, value, or condition that the
Compliance component looks for.
n One of these Action options - What happens when a computer violates the rule:

Action Definition

Observe Log endpoint activity without further action. Users do not know that they are non-
compliant. Non-compliant endpoints show in the Observe state in the Reporting
tab.

Warn Alerts the user about non-compliance and automatically does the specified
remediation steps.
Send a log entry to the administrator.

Restrict Alerts the user about non-compliance and automatically does the specified
remediation steps.
Send a log entry to the administrator.
Changes applicable policies to the restricted state after a pre-defined number of
heartbeats (default =5). Before this happens, the user is in the about to be restricted
state. On the monitoring tab, the user is shown as pre-restricted.

n One or more Remediation objects - A Remediation object runs a specified application or script to
make the endpoint computer compliant. It can also send alert messages to users.
The Compliance component runs the rules. If it finds violations, it runs the steps for remediation and does
the Action in the rule.
Some Action Rules are included by default. You can add more rules for your environment.

Basic Workflow for defining additional compliance rules:

1. Click Policy > Access & Compliance > Compliance > Compliance Rulebase.
2. Click New Above or New Below to create new Action Rules as necessary:
a. In the Name field, enter the Action rule name.
b. Click Check to add Check objects to add to the Action "Compliance Check Objects" on
page 149.
c. Select an Action from the list.
d. Click the Remediation tab to add remediation objects to the "Compliance Remediation
Objects" on page 152. If the selected Action is Observe, the rule does not require a
remediation object.
e. Optional: In the Comment field, enter a comment for the action rule.
Do these steps again to create additional Action rules as necessary.

Harmony Endpoint Administration Guide | 148

 Compliance Check Objects

Compliance Check Objects

Each Compliance Action Rule contains a Check object that defines the actual file, process, value or
condition that the Compliance component looks for.

To create a new or change an existing Check object:

1. In the Checks column or in the manage objects in your toolbar, click the relevant Check object.

Note: To edit the existing check object, click the existing check object.

2. Click New to create a new Check object.

3. For System/Application/File Checks, fill in these fields.

Option Description

Name Unique name for this Check Object.

Comment Optional: Free text description.

Operating Select the operating system that this Check object is enforced on.
System

Registry Enter the registry key.

value name Enabled only if the Modify and check registry checkbox is selected.
To detect Log4j vulnerability, in the Registry value name field enter:
HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Compliance\Log4jScan and in the Registry value field,
enter 1.
Applies only to Windows.

Registry Enter the registry value to match.

value Enabled only if the Modify and check registry checkbox is selected.
Applies only to Windows.

Modify Select an action:

registry key o Add

and value o Replace

o Update
o Remove

Enabled only if the Modify and check registry checkbox is selected.

Applies only to Windows.

Reg type Select a registry type:

o REG_SZ
o REG_DWORD

Enabled only if the Modify and check registry checkbox is selected. Applies only
to Windows.

Harmony Endpoint Administration Guide | 149

 Compliance Check Objects

Option Description

Check Select one of these options to enable the registry check or clear to disable it:
registry key Registry key and value exist - Find the registry key and value.
and value If the registry key exists, the endpoint computer is compliant for the required file.
Registry key and value do not exist - Make sure the registry key and value do
not exist.
If the key does not exist, the endpoint computer is compliant for an application
that is prohibited.

Check File Select one of these options to check if an application is running or if a file exists:
File is running at all times - For example, make sure that client is always running.
File exists - For example, make sure that the user browsing history is always
kept.
File is not running - For example, make sure that DivX is not used.
File does not exist - For example, make sure that a faulty DLL file is removed.

File name Enter the name of the file or executable to look for. To see if this file is running or
not, you must enter the full name of the executable, including the extension
(either .exe or .bat).

File path Enter the path without the file name.

Select the Use environment variables of logged in user option to include paths
defined in the system and user variables.
Do not add the "\" character at the end of the path.macOS uses "/" and file PATH
is case sensitive. For more information on macOS limitations, see sk110975.

Check files Additional options to check for an existing or non-existing file.

Properties

Match the Make sure that a specific version or range of versions of the file or application
file version complies with the file check.

Match MD5 Find the file by the MD5 Checksum. Click Calculate to compare the checksum on
checksum the endpoint with the checksum on the server.

File is not Select this option and enter the maximum age, in days, of the target file. If the age
older than is greater than the maximum age, the computer is considered to be compliant.
This parameter can help detect recently installed, malicious files that are
disguised as legitimate files.

Check Enable Check domain in order to specify the domain. Select a domain:
Domain o Any Domain
o Specific Domain

Applies only to macOS.

Domain Enter the domain name if the specific domain is selected. Applies only to macOS.
Name

4. System Check can be grouped

n Require at least one check to succeed – At least one of the Checks must match in order for
Check to succeed.

Harmony Endpoint Administration Guide | 150

 Compliance Check Objects

n Require all checks to succeed - All Checks must match in order for Check to succeed.
For Group Check window, fill in these fields.

Option Description

Name Unique name for this Check Object.

Comment Optional: Free text description.

Select the action

o Require at east one check to

succeed
o Require all checks to succeed

Name of the check object.

Click + to add check objects to the table

Harmony Endpoint Administration Guide | 151

 Compliance Remediation Objects

Compliance Remediation Objects

Each Compliance Action Rule contains one or more Remediation objects. A Remediation object runs a
specified application or script to make the endpoint computer compliant. It can also send alert messages to
users.
After a Remediation object is created, you can use the same object in many Action rules.

To create a new or change an existing Remediation object:

1. Click Manage Object of Compliance Rulebase, click * and select Remediation.
2. In the Remediation Properties window, fill in these fields:

Option Description

Name Unique name for the Remediation.

Comment Optional: Free text description.

Operations

Run Custom File Run the specified program or script when an endpoint computer is not
compliant.

Download Path n Enter the temporary directory on the local computer to download the
program or script to. This path must be a full path that includes the
actual file and extension (*.bat or *.exe).
n This parameter is required.
n The endpoint client first tries to access the file from the specified
path. If the client fails, it downloads the file from the URL to the
temporary directory and runs it from there.
n To run multiple files, use one of the popular compression programs
such as WinRAR to produce a self-extracting executable that
contains a number of .exe or .bat files.

URL n Enter the URL of an HTTP or file share server where the file is
located.
n Enter the full path that includes the actual file with one of the
supported extensions (*.bat or *.exe).
n This field can be left empty.
n Make sure the file share is not protected by a username or
password.

Parameters If the executable specified in the URL runs an installation process, make
sure that the executable holds a parameter that specifies the directory
where the program should be installed. If the executable does not hold
such a parameter, enter one here.

MD5 Checksum Click Calculate to generate a MD5 Checksum, a compact digital

fingerprint for the installed application or the remediation files.

Harmony Endpoint Administration Guide | 152

 Compliance Remediation Objects

Option Description

Run as System Apply system rights for running the executable file. Not all processes can
run with user rights. System rights may be required to repair registry
problems and uninstall certain programs.

Run as User Apply user rights and local environment variables for running the
executable file.

Messages

Automatically Run the executable file without displaying a message on the endpoint
execute operation computer.
without user
notification

Execute operation Run the executable file only after a user message opens and the user
only after user approves the remediation action. This occurs when Warn or Restrict is the
notification selected action on a compliance check.

Use same Select that the same text be used for both messages.
message for both A Non-Compliant message tells the user that the computer is not complaint
Non-Compliant and and shows details of how to become compliant.
Restricted A Restricted message tells the user that the computer is not compliant,
messages shows details of how to achieve compliance, and restricts computer use
until compliance is achieved.

Message Box Displays selected non-compliant and restricted messages. The message
box is available only by selecting the Execute only after user notification
setting. Click Add, Remove, or Edit to add a message, and remove or
revise a selected message.

Note: User cannot prevent the remediation application or file

from running.

Harmony Endpoint Administration Guide | 153

 Service Packs for Compliance

Service Packs for Compliance

The Service Packs Compliance check makes sure that computers have the most recent operating system
service packs and updates installed. The default settings show in the Latest Service Packs Installed Action
Rules.
For more information, see "Compliance Action Rules" on page 148.

Harmony Endpoint Administration Guide | 154

 Ensuring that Windows Server Updates Are Installed

Ensuring that Windows Server Updates Are Installed

Windows Server Update Services (WSUS) allows administrators to deploy the latest Microsoft product
updates.The WSUS compliance check ensures that Windows update are installed on the Endpoint Security
client computer. You can restrict network access of the client computer if Windows updates have not been
installed within a specified number of days. Alternatively, you can warn the user by means of a pop-up
message without restricting access, or log the non-compliance event without restricting or informing the user

To configure the WSUS compliance check:

Under Windows Server Update Services action, select a preset action. The action is applied if Windows
updates have not been installed on the Endpoint Security client computer for a specified number of days
(default is 90 days):

Preset Action Meaning

Restrict if Windows Server Updates are not Restrict the network access of the user.
installed

Observe Windows Server Update Services Create a log, and show a warning message to the
user.

Monitor Windows Server Update Services Create a log. The user is not notified.

Do not check Windows Server Update Services No compliance check. This is the default.

1. Optional: The compliance check makes sure that the Windows updates have been installed within a
specified number of days (default is 90 days).
To change the number of days,
a. Click Compliance and under Windows Server Update Services , select the Enable Windows
software update services check checkbox.
b. Change the number of days in Windows updates must be installed within.

Harmony Endpoint Administration Guide | 155

 Anti-Virus for Compliance

Anti-Virus for Compliance

The Anti-Virus check makes sure that computers have an anti-malware program installed and updated. The
default settings show in the Anti-Virus Compliance Action Rules.
For more information, see "Compliance Action Rules" on page 148.

Harmony Endpoint Administration Guide | 156

 Monitoring Compliance States

Monitoring Compliance States

Monitor the compliance state of computers in your environment from:
1. Click Asset Management > Computers.
2. Select the Compliance view in the Columns profile selector in your toolbar.
These compliance states are used in the Security Overview and Compliance reports:
n Compliant - The computer meets all compliance requirements.
n About to be restricted - The computer is not compliant and will be restricted if steps are not done to
make it compliant. See ""About to be Restricted" State" below.
n Restricted - The computer is not compliant and has restricted access to network resources.
n N/A – Compliance policy is not applicable for the computer.
n Warn - The computer is not compliant but the user can continue to access network resources. Do the
steps necessary to make the computer compliant.
n Not Running – Compliance policy is not running on the computer.
n Unknown – Compliance status is unknown.
n Not Installed – Compliance policy is not installed on the computer.
The endpoint computer Compliance state is updated at each heartbeat. The heartbeat interval also controls
the time that an endpoint client is in the About to be restricted state before it is restricted.
It is possible to create restricted policies that will automatically be enforced once the endpoint client enters a
restricted state

"About to be Restricted" State

The About to be restricted state sends users one last warning and gives an opportunity to immediately
correct compliance issues before an endpoint computer is restricted.
The formula for converting the specified time period to minutes is:
<number of heartbeats > * <heartbeat interval (in seconds)> * 60.

Harmony Endpoint Administration Guide | 157

 Configuring Client Settings

Configuring Client Settings

Client Settings define:
n General user interface settings
n If users can postpone installations and for how long.
n The client uninstall password
n When log files are uploaded to the server
n Specified Network Protection settings
To configure these settings go to the Policy view > Client Settings.

Harmony Endpoint Administration Guide | 158

 Client User Interface Settings

Client User Interface Settings

Default Client User Interface
You can select the default client user interface settings or edit them to customize the Endpoint Security
client interface on user computers.
You can change these settings:
n Display client icon - When selected, the client icon shows in the windows notification area when the
Endpoint Security client is installed.
n Allow view logs locally - Define how many UserCheck messages a user may see.
An administrator may decide which type of messages can be shown to the user, and which must not
be visible. The administrator can select one of three options:
l Critical only - do not show any messages unless critical (e.g. system boot warning) or user
interface messages (yes/no questions).
l When-affecting user experience (recommended) - only show messages related to operation
flows affecting user activity, or requiring user interaction (e.g. "Malware was detected and
removed").
l All - show all messages.
Note: This change applies to the Endpoint Security Client only. Events are still being logged on the
server, and the administrator can still see everything on the management interface.

Customized Images
Customized Images - For each of these graphics, you can select to upload a new image or Revert to
Default image:

Item Description Size of Image

Pre-boot Background Image Image on Pre-boot screen behind the smaller 800 x 600
logon window pixels

Pre-boot Background Image high Pre-boot background image high resolution 3840×2160
resolution

Pre-boot Screen Saver Image that shows when the system is idle 260 x 128
pixels

Pre-boot Banner Image The banner image on the smaller logon window 447 x 98
pixels

Windows Image in the background of the Windows logon 256 KB or

Background Image window smaller
if OneCheck Logon is enabled

Customized Client Image Icon in the top-right of a Client Notification 134 x 46

(UserCheck) pixels

Harmony Endpoint Administration Guide | 159

 Client User Interface Settings

Customized Browser Block Pages

Browser extension uses block pages to warn the end users about security incidents. There are three events
which trigger a blocking page:
1. Accessing a site that is blocked by URL Filtering policy – the block page blocks access to the site and
warns the end user that attempted to enter the site that it is blocked by the policy.
2. Providing credentials in a phishing site – the block page warns the end user that it is a phishing site
and the user is therefore blocked from providing credentials there.
3. Using corporate password in a non-corporate domain - end users are warned that use of corporate
password in a non-corporate domain is prohibited, and that his/her corporate password was just
exposed.
The blocking pages above are customizable. The following can be changed per each of them:
1. Company logo (replacing the Check Point logo)
2. Blocking page title.
3. Blocking page description.
The user may preview the change before saving the policy by pressing the preview button.

Note - The preview only works in the Chrome or Edge browsers, when the browser extension is
installed.

Harmony Endpoint Administration Guide | 160

 Log Upload

Log Upload
The components upload logs to the Endpoint Policy Server.
These log upload options are available:

Option Description

Enable Log Upload Select to enable log upload (this is the default).
Clear to disable log upload.

Log upload interval Frequency in minutes between logged event uploads.

The clients upload logs only if the number of logs is more than the
Minimum number of events before attempting an upload.
The default is 3 minutes.

Minimum number of events Upload logged events to the server only after the specified number of
before attempting an upload events occur.
The default is 1.

Maximum number of events to Maximum number of logged events to upload to the server.
upload The default is 100.

Maximum age of event before Optional: Upload only logged events that are older than the specified
upload number of days.
The default is 5 days.

Discard event if older than Optional: Do not upload logged events if they are older than the
specified number of days.
The default is 90 days.

Harmony Endpoint Administration Guide | 161

 Installation and Upgrade Settings

Installation and Upgrade Settings

The default installation and upgrade setting is that users can postpone the Endpoint Security Client
installation or upgrade.
You can change these settings:
n Default reminder interval - Set the time, in minutes, after which users are reminded to install the
client.
n Force Installation and automatically restart after - Set the time, in hours, after which the installation
starts automatically.
n Maximum delay in download of packages - Set the maximum time, in hours, by which to postpone
the download.

Agent Uninstall Password

You can allow a user to uninstall the Endpoint Security client on their remote Windows computer.
Agent Uninstall Password is the password you use to uninstall the client. The password protects the client
from unauthorized removal. The password can only contain English letters in lower or upper case, and these
special characters: 0-9 ~ = + - _ ( ) ' $ @ , .
The default uninstall password is "secret".

Best Practice - For security reasons, we strongly recommend that you change the default uninstall
password.

Local Deployment Options

When you use Automatic Deployment, you can configure clients to use local storage to upgrade Endpoint
Security clients. This lets administrators use Automatic Deployment, without the need for each Endpoint
Security client to download a package from the Endpoint Security Management Server
This is only supported on Windows clients.

Note - If local deployment is enabled for a client, the administrator can still choose whether clients try
to download packages from the Endpoint Security Management Server if packages are not found in local
storage. This option is called: Enable Deployment from server when no MSI was found in local paths.

To enable Deployment with a locally stored package:

1. Upload each package to the Package Repository of the Endpoint Security Management Server.
2. Put the same packages in local storage location on client computers, for example:
C:\TEMP\EPS\32bit\EPS.msi

3. Go to the Policy view > Client Settings > Installation > Deployment from Local Paths and URLs
4. Select Allow to install software deployment packages from local folders and URLs.
5. Optional: Select Enable Deployment from Server when no MSI was found in local paths. When
selected, if no MSI file is in the local paths or URLs, the client checks the Endpoint Security
Management Server for packages.
6. Click Deployment Paths and add the package or patch location.

Harmony Endpoint Administration Guide | 162

 Installation and Upgrade Settings

7. Click OK.
8. Go to Deployment Policy > Software Deployment, and create or edit a deployment rule which
includes the package version.
9. Click Save
10. Install Policy to deploy the rule to the clients.

Note - If the version of the Endpoint Security client in the Deployment rule and in the local file path is
not the same, the client is not deployed. If the version on the server and in the local file path are not the
same, an error shows.

Harmony Endpoint Administration Guide | 163

 Sharing Data with Check Point

Sharing Data with Check Point

Clients can share information about detected infections and bots with Check Point.
The information goes to ThreatCloud, a Check Point database of security intelligence that is dynamically
updated using a worldwide network of threat sensors.
ThreatCloud helps to keep Check Point protection up-to-date with real-time information.

Note - Check Point does not share any private information with third parties.

To configure data ThreatCloud sharing:

1. Go to the Policy view > Client Settings > the General tab > Sharing Data with Check Point.
2. Enable anonymized telemetry - Select to enable sharing information with Check Point.
Select or clear any of these options:
n Anonymized forensics reports - Forensics reports include a lot of private identifiable
information. This option lets customers anonymize this information.
n Files related to detection - Select to allow Check Point learn more about the attacks through
metadata.
n Memory dumps related to detections - Select to allow sharing memory dumps from the RAM
with Check Point.
3. Click Save.

Harmony Endpoint Administration Guide | 164

 Users Disabling Network Protection

Users Disabling Network Protection

You can let users disable network protection on their computers.

Note - Check Point does not share any private information with third parties.

Network Protection includes these components:

n Firewall
n Application Control

To configure the Network Protection Alerts :

1. Go to the Policyview > Client Settings > General > Network Protection.
2. In the Network Protection section, select or clear these options for each Firewall and Application
Control:
n Allow Log - To generate logs for events.
n Allow Alert - To generate alerts for events. You must also select this to use Alert in the Track
column of Firewall rules.

Harmony Endpoint Administration Guide | 165

 Connection Awareness

Connection Awareness
Connection Awareness - Connection awareness controls whether an endpoint enforces its "Connected" or
"Disconnected" policy. By default, the client checks connectivity to the Endpoint Management Server to
determine its connectivity state. In some cases, an administrator may prefer that the client verify the
reachability of a different network component, for example, a web server or a router. The administrator can
configure the client to trigger the check through ICMP packets or HTTP/S requests.
The Connection Awareness feature allows the administrator to choose between two options:
1. Connected to management - the administrator considers the client as connected, which is the default
mode.
2. Connected to a list of specified targets - if the client cannot automatically connect to the Endpoint
Management Server, the administrator can also allow the user to verify its connectivity through a
different network component which uses the HTTP/IPv4 protocols, whose address he manually
specifies.
n If no disconnected policy was specified for these addresses, the user is automatically considered
connected.
Notes -
n The client triggers HTTP GET requests to the server for connected/disconnected status in
intervals of 30 seconds.
n Connection Awareness is supported in Endpoint Client version E85.30 and above.

Harmony Endpoint Administration Guide | 166

 Super-Node

Super-Node
What is a Super-Node?
A Super Node is a machine running a specially configured Endpoint Security Client that also consists of
server-like and proxy-like capabilities, and which listens on port 4434 by default. Super Node is a light-
weight proxy (based on NGNIX) that allows admins to reduce their bandwidth consumption and enable
offline updates, where only the Super Node needs connectivity to the update servers.
Primary Advantages:
n Reduces site bandwidth usage.
n Reduces server workload.
n Reduces customer expense on server equipment, as there is no need for a local appliance.
n Improved scale.

Note - Super-Node is available in both Domain and Workgroup environments.

How to Configure a Super Node

For Management Servers supporting "Manage Super Nodes" capability:
1. Navigate to Policy page-> Client Settings-> Manage Super Nodes (in the toolbar).
2. Click “+” and search for a device or devices that you want to define as Super Nodes in your
environment.
3. When required devices are added, click “Save”, as promoting a machine to a Super Node does not
require policy installation. To revert all changes, click “Discard”.
4. Navigate to Client Settings-> Select the required rule-> General tab-> Super Nodes.
5. Click “+” and add Super Nodes with all its specific devices to the relevant Client Settings rule. Save
and install the rule.

Note - Super Node settings are rule dependent. It means that Super Nodes defined in the General tab
will be applied only to devices which are related to a specific rule.
Supported Features
Starting in version E86.10, Super Node supports Anti-Malware, Behavioral-Guard & Static Analysis
signature updates. Additionally, software upgrades for Dynamic (EXE) packages, client policies and policy
changes are all relayed through Super Node.
n Limitations
l Endpoint firewall blade must be installed, as Windows Firewall is not supported.
l Proxy configuration is not supported.
l By default, the cache max size is 4GB and will automatically purge files after 7 days of
inactivity. Files stored for a longer time without access are removed from cache.
l Super Node requires an addition of approximately 350MB to operate properly.

Harmony Endpoint Administration Guide | 167

 Connected, Disconnected and Restricted Rules

Connected, Disconnected and Restricted Rules

Endpoint Security can enforce policy rules on computers and users based on their connection and
compliance state.
When you create a policy rule, you select the connection and compliance states for which the rule is
enforced. You can define rules with these states:
n Connected state rule is enforced when a compliant endpoint computer has a connection to the
Harmony Endpoint. This is the default rule for a component policy. It applies if there is no rule for the
Disconnected or Restricted states of the component. All components have a Connected Rule.
n Disconnected state rule is enforced when an endpoint computer is not connected to the Harmony
Endpoint. For example, you can enforce a more restrictive policy if users are working from home and
are not protected by organizational resources. You can define a Disconnected policy for only some of
the Endpoint Security components.
n Restricted state rule is enforced when an endpoint computer is not in compliance with the enterprise
security requirements. In this state, you usually choose to prevent users from accessing some, if not
all, network resources. You can define a Restricted policy for only some of the Endpoint Security
components.

Harmony Endpoint Administration Guide | 168

 Backward Compatibility

Backward Compatibility
You can manage Endpoint components both through Harmony Endpoint and SmartEndpoint management
console (see "Managing Endpoint Components in SmartEndpoint Management Console" on page 49).
Harmony Endpoint does not support all of the SmartEndpoint functionalities. Therefore, when you manage
Endpoint components both through Harmony Endpoint and SmartEndpoint, conflicts can arise. When you
do an action in SmartEndpoint that is not supported by Harmony Endpoint, the policy display view in
Harmony Endpoint changes to the policy display view in SmartEndpoint (backward compatible mode).
For example, this is an example of backward compatibility display for the Threat Prevention policy:

The display view changes back from the backward compatible mode to the regular Harmony Endpoint view
only when the policy enables it.

Harmony Endpoint Administration Guide | 169

 Policy Operation

Policy Operation
The new policy operation mode allows greater flexibility to the user by proving him with a choice of capability
rule applicability. While under the old policy calculation the rule type of each capability determined whether
the capability can work on user or computer, under the new policy the user has the ability to define for
himself which method he wants the capability to work in (except in cases where it only makes sense for the
capability to apply to users or computers, but not both).
In this new operation mode, most capabilities are "mixed", which means they can function per users or
computers, according to the user’s choice. In each capability, the rules are ordered both by their assigned
environment, from the specific down to the general, as well as by user/computer applicability: the first rule
applies to the users, and if no match is found, the following rules apply to computers/devices as well.
Old Policy Calculation Mode

Component Rule Type

Full Disk Encryption Computer only

Media Encryption & Port Protection Computer (default) /

User

Onecheck User only

Anti-Malware Computer (default) /

User

Anti-Ransomware, Behavioral Guard & Computer only

Forensics

Anti-Bot & URL Filtering Computer (default) /

User

Threat Emulation, Threat Extraction & Anti- Computer (default) /

Exploit User

Compliance Computer (default) /

User

Firewall Computer (default) /

User

Access Zones Computer (default) /

User

Application Control Computer (default) /

User

Client Settings Computer (default) /

User

Harmony Endpoint Administration Guide | 170

 Policy Operation

Harmony Endpoint Administration Guide | 171

 IOC Management

IOC Management
IoC stands for Indicators of Compromise. These indicators arrive from various sources: the Internet,
personal research, etc. Such indicators are not identified by default, and still, the user may wish to initiate a
block on them. For example, if he receives an indication that a particular URL is malicious, he may want his
system to block access to this URL. The user would then tag this URL as an Indication of Compromise (IoC).
Often there are IoC clouds that update the organization's endpoints automatically, so the user does not
need to define these indicators manually.

To configure an IoC:
1. In Infinity Portal, go to Policy > Threat Prevention.
2. In the toolbar, select Manage IoC. No need to install policy.
3. In the table that appears, manually add new Indicators of Compromise by type: URL, Domain, IP,
SHA1 Hash, MD5 Hash.
Examples:

IoC Type Example

Domain checkpoint.com

IP Address 192.168.1.1

URL checkpoint.com/test.htm

MD5 Hash 2eb040283b008eee17aa2988ece13152

SHA1 Hash 510ce67048d3e7ec864471831925f12e79b4d70f

4. Hover over the icon next to Type to view the capabilities required for each type:
n URL, Domain and IP require Anti-Bot and URL Filtering capabilities.
n SHA1 and MD5 Hashes require Threat Extraction and Threat Emulation capabilities.
5. The user can also upload his own manually-created CSV list of indicators.

Note - To use IoC Management, your client version must be higher than E86.20.

Harmony Endpoint Administration Guide | 172

 Import or Export Policies

Import or Export Policies

Overview
You can import or export all or specific policies in the JSON format for backup purposes or import policies to
a new management server.
The supported policies for export and import are:
n Threat Prevention
n Data Protection > General
n Data Protection > OneCheck
n Access & Compliance
n Client Settings
n Deployment Policy > Software Deployment

Limitations
n We recommend that you avoid modifying policies when you perform this procedure.
n If an export or import fails, you must export or import the file again.
n The import file must be in JSON format.
n If you cancel an import in progress, then the system stops the import but does not revert the files that
were imported prior to canceling the import..

Prerequisites
n You must be an Administrator or a Power user to perform this procedure. The Help-desk and Read-
only users have read-only access to the Export / Import your policy page. All the other users have no
access view the Export / Import your policy page.
n If you are importing policies, ensure that the package or blade version on the target server and in the
import file are the same. Otherwise, the system sets the rules as Do Not Install.

Exporting Policies
To export all policies:
1. Go to Policy > Export/Import Policies.
2. Click Export.
The system initiates the export and shows the status of the export. When the export is complete, the system
shows the 100% Exported successfully message and downloads the export file to the default downloads
folder. The default name of the export file is export_all_DD_MM_YYYY_HH_MM.json.

To export a specific policy:

1. Click Policy and go to any one of these pages:

Harmony Endpoint Administration Guide | 173

 Import or Export Policies

n Threat Prevention
n Data Protection > General
n Data Protection > OneCheck
n Access & Compliance
n Client Settings
n Deployment Policy > Software Deployment

2. Click .
The system initiates the export. When the export is complete, the system downloads the export file to the
default downloads folder. The default name of the export file is export_all_DD_MM_YYYY_HH_MM.json.

Importing Policies
To import all policies:
1. Go to Policy > Export/Import Policies.
2. Click Browse To Import and select the file.

Note - You can edit the file (for example, Notepad++) to import only policies or rules you want..

The system initiates the import and shows the status of the import. When the import is complete, the system
shows the 100% Imported successfully message.

To import a specific policy:

1. Click Policy and go to any one of these pages:
n Threat Prevention
n Data Protection > General
n Data Protection > OneCheck
n Access & Compliance
n Client Settings
n Deployment Policy > Software Deployment

2. Click and select the file.

Note - You can edit the file to import partial policies or rules.You can edit the file (for
example, Notepad++) to import only policies or rules you want.

The system initiates the import.

Harmony Endpoint Administration Guide | 174

 Performing Data Recovery

Performing Data Recovery

If the operating system does not start on a client device due to system failure, you can recover your data
from the device.

Harmony Endpoint Administration Guide | 175

 Check Point Full Disk Encryption Recovery

Check Point Full Disk Encryption Recovery

If the operating system does not start on a client computer due to system failure, Check Point Full Disk
Encryption offers these recovery options:
Full Recovery with Recovery Media

Client computers send recovery files to the Endpoint Security Management Server so that you can create
recovery media if necessary.
After the recovery, the files are restored as decrypted, like they were before the Full Disk Encryption
installation, and the operating system can run without the Pre-boot.
Full recovery with recovery media decrypts the failed disk and recovers the data. This takes more time
than Full Disk Encryption Drive Slaving Utility and Dynamic Mount Utility that let you access data quickly.
Recovery Media:
n Is a snapshot of a subset of the Full Disk Encryption database on the client.
n Contains only the data required to do the recovery.
n Updates if more volumes are encrypted or decrypted.
n Removes only encryption from the disk and boot protection.
n Does not remove Windows components.
n Restores the original boot procedure.
Users must authenticate to the recovery media with a username and password. These are the options for
the credentials to use:
n Using SmartEndpoint - Users that are assigned to the computer and have the Allow use of
recovery media permission can authenticate with their regular username and password. In
SmartEndpoint, go to the OneCheck User Settings rule > Advanced > Default logon settings.
n When you create the recovery media, you can create a temporary user who can authenticate to it.
A user who has the credentials can authenticate to that recovery media. Users do not require
Allow use of recovery media permission to use the recovery media. SmartCard users must use
this option for recovery.
To perform full recovery with recovery media

1. From the left navigation panel, click Asset Management.

2. In the left pane, click Computers.
3. From the top toolbar, click Computer Actions > in the section Remote Help & Recovery, click
Recovery > Full Disk Encryption Recovery.
4. Search for the computer which you want to decrypt.
The OS Name and OS version of the computer are displayed.
5. User List - This list shows the users who have permission to use recovery media for the
computer. There must be at least two users on the list to perform recovery.

Harmony Endpoint Administration Guide | 176

 Check Point Full Disk Encryption Recovery

n If there are two users or more on the list, continue to the next step.
n If there are less than two users on the list:
a. Click the + sign to create a temporary user or temporary users who can use the
recovery media.
b. In the window that opens add a username and a password that the users use to
access the file.
6. Download the recovery file.
7. Create the recovery media:

Step Description

1 On the Endpoint Security client, go to folder:

C:\Program Files(x86)\CheckPoint\Endpoint
Security\Full Disk Encryption\

2 Double-click UseRec.exe to start the external recovery media tool.

3 Follow instructions in the tool to create the recovery media.

Note - During the decryption process, the client cannot run other programs.

Full Disk Encryption Drive Slaving Utility

Use this to access specified files and folders on the failed, encrypted disk that is connected from a
different "host" system.
The Drive Slaving Utility is hardware independent.
Full Disk Encryption Drive Slaving Utility replaces older versions of Full Disk Encryption drive slaving
functionality, and supports R73 and all E80.x versions. You can use the Full Disk Encryption Drive
Slaving Utility instead of disk recovery.
Notes:
n On an E80.x client computer with 2 hard disk drives, the Full Disk Encryption
database can be on a second drive. In this case, you must have a recovery file
to unlock the drive without the database.
n Remote Help is available only for hard disk authentication. It is not available
for recovery file authentication.

To use the Drive Slaving Utility:

1. On a computer with Check Point Full Disk Encryption installed, run this command in Windows
Command Prompt to start the Full Disk Encryption Drive Slaving Utility:

<DISK:>\Program files(x86)\CheckPoint\Endpoint Security\Full Disk

Encryption\fde_drive_slaving.exe

The Full Disk Encryption - Drive Slaving window opens.

Harmony Endpoint Administration Guide | 177

 Check Point Full Disk Encryption Recovery

Note - To unlock a protected USB connected hard disk drive, you must first
start the Drive Slaving Utility, and then connect the disk drive.

2. Select a Full Disk Encryption protected disk to unlock.

The Unlock volume(s) authentication window opens.
3. Enter User account name and Password.
4. Click OK.
After successful authentication, use Windows Explorer to access the disk drive. If you fail to access the
locked disk drive, use the Full Disk Encryption recovery file, then run the Drive Slaving Utility again.

Note - To prevent data corruption, shut down the system or use a safe removal utility
before you disconnect the USB connected drive.

Harmony Endpoint Administration Guide | 178

 BitLocker Recovery

BitLocker Recovery
BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the
event that you cannot unlock the drive normally.
You can use the Recovery Key ID for a computer to find the Recovery Key for an encrypted client computer.
With the Recovery Key, the user can unlock encrypted drives and perform recoveries.

Important - Treat the Recovery Key like a password. Only share it using trusted and
confirmed channels.

To get the recovery key for a client computer:

1. From the left navigation panel, click Asset Management.
2. In the left pane, click Computers.
3. From the top toolbar, click Computer Actions > in the section Remote Help & Recovery, click
Recovery > BitLocker Recovery.
The BitLocker Management Recovery window opens.
4. Enter the Computer's Recovery Key ID of the client.
The Recovery Key ID is a string of numbers and letters that looks like this:

C9F38106-9E7C-46AE-8E88-E53948F11776

After you type a few characters, the Recovery Key ID fills automatically.
5. Click Get Recovery Key.
The recovery key appears. It is a string of numbers that looks like this:

409673-073722-568381-219307-302434-260909-651475-146696

6. On the client computer, type the recovery key.

Harmony Endpoint Administration Guide | 179

 FileVault Recovery

FileVault Recovery
You can help users recover FileVault-encrypted data if they cannot log in to their macOS.
You can help users recover their data or reset their password using a personal recovery key that is unique to
the client computer. You can reset the password remotely.
Password Reset using a Personal Key

If a user forgets the login password, the administrator can send a personal recovery key to the remote
user, to allow them to log in.
The key is a string of letters and numbers separated by dashes.
1. The user locates the serial number of the locked device.

Step Description

1 Find the serial number of the locked device. It is usually printed on the back of the
device.

2 Give the serial number to the support representative.

2. The Administrator gives a recovery key to the user.

Step Description

1 Get the serial number of the locked device from the user.

2 From the left navigation panel, click Asset Management.

3 In the left pane, click Computers.

4 From the top toolbar, click Computer Actions > in the section Remote Help &
Recovery, click Recovery > FileVault Recovery.

5 In the Computer's Serial Number field, enter the serial number.

6 Click Get Recovery Key.

7 Give the recovery key to the user.

3. User resets their password.

Step Description

1 Get the Recovery Key from the support representative.

2 Restart the macOS.

Harmony Endpoint Administration Guide | 180

 FileVault Recovery

Step Description

3 In the FileVault pre-boot screen, click the ? button

A message shows: If you forgot your password you can reset it using your
Recovery Key.

4 Enter the recovery key and click the right arrow.

A progress bar shows.

5 For Local Users:

a. In the Reset Password window, the user enters a new password, and
optionally, a password hint.
b. Click Reset Password.

For more information, see sk138352.

A personal key is unique to the client macOS-based computer or device. The key is a string of letters and
numbers separated by dashes.
To recover a user's FileVault-encrypted macOS using the personal key, the administrator reads the key to
the user, and uses the key to decrypt and unlock the computer.
Decrypting and recovering the user's FileVault-encrypted macOS

n For a volume formatted as APFS on macOS Mojave 10.14 and higher

1. Show the disk volumes on the macOS:

diskutil apfs list

The volume to recover is the OS Volume. It has a name similar to disk2s1.

2. Unlock the volume:

diskutil apfs unlockVolume <Disk Name> -passphrase <Personal

Recovery Key>

3. Get the list of apfs cryptousers:

diskutil apfs listcryptousers <Disk Name>

For example:

diskutil apfs listcryptousers disk2s1

For a local user, select the UUID of the user that has:
Type: Local Open Directory User

4. Decrypt the volume:

diskutil apfs decryptVolume <diskname> -user <user UUID>

Harmony Endpoint Administration Guide | 181

 FileVault Recovery

5. Enter the password of the local user.

6. Monitor the progress of the decryption:

diskutil apfs list

n For a volume formatted as CoreStorage on macOS 10.12 or higher

1. Unlock the volume:

diskutil cs unlockVolume <Logical Volume UUID> -passphrase

<Personal Recovery Key>

2. The user interface shows a prompt to allow access. Enter the keychain password.
The volume is now unlocked.
3. Start the decryption:

diskutil cs decryptVolume <Logical Volume UUID>

4. When prompted, enter the password for the local user.

5. Monitor progress of the decryption:

diskutil cs list

The user can now reboot the macOS normally. They do not see the FileVault pre-boot screen.

Harmony Endpoint Administration Guide | 182

 Managing Virtual Groups

Managing Virtual Groups

Virtual Groups manage groups of users and devices.
You can use Virtual Groups with Active Directory for added flexibility or as an alternative to Active Directory.
Objects can be members of more than one virtual group.
The benefits of using Virtual Groups include:
n Using the Active Directory without using it for Endpoint Security.
For example: Different administrators manage the Active Directory and Endpoint Security.
n Your Endpoint Security requirements are more complex than the Active Directory groups. For
example, you want different groups for laptop and desktop computers.
n Using a non-Active Directory LDAP tool.
n Working without LDAP.
Some virtual groups are pre-defined with users and devices assigned to them automatically.
To create, edit, or delete a virtual group:
1. From the left navigation panel, click Asset Management.
2. In the left pane, click Organizational Tree.
3. Click Virtual Groups.
4. From the top toolbar, click the Actions menu and select the required operation.
Notes:
n A user or a device can belong to multiple virtual groups.
n Selecting a certain user or device shows the Active Directory information
collected about them.
n You cannot edit Active Directory groups but you can view their content.
n You can create a group and then assign the users or devices to the group, or
select users or devices first and then create a group from them.

To add a device or a user to a virtual group:

1. From the left navigation panel, click Asset Management.
2. In the left pane, click Computers.
3. Select the applicable device or user from the list.
4. From the top toolbar, click Computer Actions > in the section General Actions, click Add to Virtual
Group.
5. Select the applicable Virtual Group.
6. Click OK.

Harmony Endpoint Administration Guide | 183

 Managing Active Directory Scanners

Managing Active Directory Scanners

If your organization uses Microsoft Active Directory (AD), you can import users, groups, Organizational units
(OUs) and computers from multiple AD domains into the Harmony Endpoint. After the objects are imported,
you can assign policies.
When you first log in to Harmony Endpoint, the AD tree is empty. To populate the tree with computers from
the Active Directory, you must configure the Directory Scanner.
The Directory Scanner scans the defined Active Directory and fills the AD table in the Asset Management
view, copying the existing Active Directory structure to the server database.
Harmony Endpoint supports the use of multiple AD scanners per Active Directory domain, and multiple
domains per service.

Required Permissions to Active Directory:

For the scan to succeed, the user account related to each Directory Scanner instance requires full read
permissions to:
n The Active Directory root.
n All child containers and objects.
n The deleted objects container.
An object deleted from the Active Directory is not immediately erased, but moved to the Deleted Objects
container.
Comparing objects in the AD with those in the Deleted objects container gives a clear picture of network
resources (computers, servers, users, groups) that have changed since the last scan.
The Active Directory Scanner does not scan Groups of type "Distribution".

Organization Distributed Scan

Organization Distributed Scan is enabled by default. You can see its configured settings in the Endpoint
Settings view > AD Scanners.
Each Endpoint client sends its path to the Security Management Server.
By default, each Endpoint client sends its path every 120 minutes. In this method, only devices with
Harmony Endpoint installed report their paths, other devices with do not report their information.

Full Active Directory Sync

In the Full Active Directory Sync, one Endpoint client is defined as the Active Directory scanner, it collects
the information and sends it to the Security Management Server.

To configure the AD scanner:

1. From the left navigation panel, click Asset Management.
2. In the left pane, click Computers.

Harmony Endpoint Administration Guide | 184

 Managing Active Directory Scanners

3. From the top toolbar, click Computer Actions > in the section General Actions, click Directory
Scanner.
The Scanner window opens.
4. Fill in this information:

Section Required Information

Connect from n Computer name - Select a computer as your AD scanner.

computer

AD Login n User name (AD) - Enter the user name to access the Active Directory.
details n Domain name - Enter the domain of the Active Directory.
n Password (AD) - Enter the password to access the Active Directory.

AD n Domain controller - Enter the name of the Domain controller.

Connection n Port - Enter the number of the listening port on the Domain controller.
n Use SSL communication (recommended) - Select this checkbox if you
want the connection between the AD scanner to the Domain Controller to
be over SSL.
n LDAP Path - The address of the scanned directory server.
n Sync AD every - Configure the interval at which the scanning will be
performed

When you create a new AD scanner, the Organization Directory Scan is automatically disabled.
To see information on your activated AD scanners, go to the Endpoint Settings view.

Note - You can also reach scanner configuration form through the Endpoint Settings
view > Setup full Active Directory sync.

Harmony Endpoint Administration Guide | 185

 Giving Remote Help to Full Disk Encryption Users

Giving Remote Help to Full Disk

Encryption Users
Use this challenge/response procedure to give access to users who are locked out of their Full Disk
Encryption protected computers.
1. Go to the Asset Management view > Data Protection Actions > Full Disk Encryption Remote Help.
The Full Disk Encryption Remote Help window opens.
2. Select the type of assistance the end-user needs:
n One-Time Logon - Provides access as an assumed identity for one session without resetting
the password.
n Remote Password Change - Resets the user's password. This option is for users who have
forgotten their fixed passwords.
n Pre-Boot Bypass Remote Help - Provides One-Time Logon assistance for computers that are
configured to disable pre-boot, and uses the option to give remote help without pre-boot user.
3. Search for the locked computer.
4. Select the applicable user from the list (this step is not applicable in the case of Pre-Boot Bypass
Remote Help).
5. Tell the user to enter the Response one text string in the Remote Help window on the locked
computer.
The endpoint computer shows a challenge code.
6. In the Challenge (from user) field, enter the challenge code that the user gives you.
7. Click Generate Response.
Remote Help authenticates the challenge code and generates a response code.
8. Tell the user to enter the Response Two (to user) text string in the Remote Help window on the
locked computer.
9. Make sure that the user changes the password or has one-time access to the computer before ending
the Remote Help session.

Harmony Endpoint Administration Guide | 186

 Active Directory Authentication

Active Directory Authentication

Endpoint Security Active Directory
Authentication
When an Endpoint Security client connects to the Endpoint Security Management Server, an authentication
process identifies the endpoint client and the user currently working on that computer.
The Endpoint Security system can function in these authentication modes:
n Unauthenticated mode - Client computers and the users on those computers are not authenticated
when they connect to the Endpoint Security Management Server. They are trusted "by name". This
operation mode is recommended for evaluation purposes only.
n Strong Authentication mode - Client computers and the users on those computers are authenticated
with the Endpoint Security Management Server when they connect to the Endpoint Security
Management Server. The authentication is done by the Active Directory server using the industry-
standard Kerberos protocol. This option is only available for endpoints that are part of Active
Directory.
The authentication process:

1. The Endpoint Security client (1) requests an authentication ticket from the
Active Directory server (2).

2. The Active Directory server sends the ticket (3) to the client (1).

3. The client sends the ticket to the Endpoint Security Management Server (4).

4. The Endpoint Security Management Server returns an acknowledgment of

authentication to the Endpoint Security client (1).

Important - If you use Active Directory Authentication, then Full Disk Encryption and
Media Encryption & Port Protection are only supported on endpoint computers that are
part of Active Directory.
Note - Full Disk Encryption and Media Encryption & Port Protection are not supported
on endpoint computers in your environment that are not part of the Active Directory.

Configuring Active Directory Authentication

Make sure you configure Strong Authentication for your production environment. Do not set up Strong
Authentication before you are ready to move to production. When you are ready to move to production,
follow this process.

Workflow for Configuring Strong Authentication:

Step 1 of 3: Configuring the Active Directory Server for Authentication

Endpoint Security Strong Authentication uses the Kerberos network authentication protocol.

Harmony Endpoint Administration Guide | 187

 Active Directory Authentication

To enable the Active Directory server to validate the identity of clients that authenticate themselves
through Kerberos, run the ktpass.exe command on the Active Directory Server. By running the
ktpass command, you create a user that is mapped to the ktpass service. This creates a Principal
Name for the AD server. The Principal Name must have this format: ServiceName/realm@REALM
Important - After you create the user that is mapped to the ktpass service, do not
make changes to the user. For example, do not change the password. If you do
change the user, the key version increases and you must update the Version Key in
the New Authentication Principal window in Harmony Endpoint.

To prepare the Active Directory Server for authentication:

1. Go to Start menu > All Programs > Administrative Tools > Active Directory Users and
Computers.
2. Create a domain user and clear the option User must change password at next logon.
3. Open an elevated Windows Command Prompt.
4. In Windows Command Prompt, go to this folder:

cd %WinDir%\System32\

5. Map a service to a user with this command:

ktpass princ <Service Name>/<realm name>@<REALM NAME> mapuser

<Username>@<REALM NAME> pass <Password> out <Name of Output File>

Example:

ktpass princ tst/[email protected] mapuser [email protected] pass

123456 out outfile.keytab

Parameters:

Syntax Example Value Explanation

<Service Name> tst Name of the service.

<realm name> nac1.com Domain name of the Active Directory

<REALM NAME> NAC1.COM server.
The first instance is in lower case.
The second instance in upper case.

<Username> auth-user The Active Directory domain user.

<Password> 123456 Password for user.

<Name of Output outfile.keytab Name of the encrypted keytab file.

File>

6. Save the console output to a text file.

See the version number (vno) and encryption type (etype).
Sample output:

Harmony Endpoint Administration Guide | 188

 Active Directory Authentication

Targeting domain controller: nac1-dc.nac1.com

Successfully mapped tst/nac1.com to auth-user.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to outfile.log:
Keytab version: 0x502
keysize 74 tst/[email protected] ptype 0 (KRB5_NT_UNKNOWN) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x32ed87bdb5fdc5e9cba88547376818d4)

Important - We recommend that you do not use DES-based encryption for the
Active Directory Domain Controller server, as it is not secure. If you choose to
use DES encryption and your environment has Windows 7 clients, see
sk64300
Notes:
n Make sure that the clock times on the Endpoint Security servers and the
Kerberos server are less than 5 minutes apart. If the difference in the
clock times is more than 5 minutes, a runtime exception shows and
Active Directory authentication fails. On Gaia, use NTP or a similar
service.
n To use Capsule Docs with Single Sign-On, disable the User Access
Control (UAC) on Windows Active Directory Servers.

Step 2 of 3: Configuring Authentication Settings

Configure the settings in Harmony Endpoint for client to server authentication.

Important - Use the Unauthenticated mode only for evaluation purposes. Never use
this mode for production environments. Configure the authentication settings before
moving to production.

How the Authentication Settings are Used in Deployment Packages

When you configure client package profiles, you select an authentication account. The SSO
Configuration details are included in the client deployment package, which allows the server to
authenticate the client.

To configure authentication settings:

1. In Harmony Endpoint, go to the Endpoint Settings view > the Authentication Settings tab.
2. Click Add.
The New Authentication Principal window opens.
3. Enter the details from the output of ktpass.exe, that you configured in "Step 1 of 3: Configuring
the Active Directory Server for Authentication" on page 187:

Field Description

Domain Active Directory domain name.

name For example: nac1.com

Principle Authentication service name in the format: ServiceName/realm@REALM

Name This value must match the name that was configured in Active Directory >
New Object.
For example: tst/[email protected]

Harmony Endpoint Administration Guide | 189

 Active Directory Authentication

Field Description

Version Key Enter the version number according to the Active Directory output in the vno
field.
For example: 7

Encryption Select the encryption method according to the Active Directory output in the
method etype field.
For example: RC4-HMAC

Password Enter (and confirm) the password of the Active Directory Domain Admin user
you created for Endpoint Security use.
For example: 123456

4. Click Add.
5. When you are ready to work in Strong Authentication mode, select Work in authenticated mode in
the Authentication Settings tab.
Important - After you turn on Strong Authentication, wait one minute before you
initiate any client operations.
It takes time for the clients and the Endpoint Security Management Server to
synchronize. During this time, the environment remains unauthenticated, and some
operations fail. The exact amount of time depends on the Active Directory scanner
(see "Managing Active Directory Scanners" on page 184).
Step 3 of 3: Save Changes

After you finished configuring strong authentication for Active Directory, save your changes.
1. In Harmony Endpoint, go to the Policy tab.
2. On the Policy Toolbar, click Save All Changes.

UPN Suffixes and Domain Names

The User Principal Name (UPN) is the username in "email format" for use in Windows Active Directory (AD).
The user's personal username is separated from a domain name by the "@" sign.
UPN suffixes are part of AD logon names. For example, if the logon name is
[email protected], the part of the name to the right of the ampersand is known as the
UPN suffix. In this case, ad.example.com
When you configure a new user account in AD, you are given the option to select a UPN suffix, which by
default will be the DNS name for your AD domain. It can be useful to have a selection of UPN suffixes
available. If your AD domain name is ad.example.com, it might be more convenient to assign users a
UPN suffix of example.com. To make additional UPN suffixes available, you need to add them to AD.

Configuring Alternative Domain Names

When you configure Strong Authentication for Active Directory communication between the Endpoint
Security client and the Endpoint Security Management Server, you can configure multiple UPN suffixes for
the Active Directory domain name.

Harmony Endpoint Administration Guide | 190

 Active Directory Authentication

To Configure Additional UPN Suffixes for Active Directory Authentication

1. In Harmony Endpoint, go to Endpoint Settings > Authentication Settings.
2. Click Add.
The New Authentication Principal window opens.
3. In the Domain name field, enter the alternative Active Directory domain name. For example, if the
previously configured domain name is nac1.com add an alternative domain name such as
ad.nac1.com

4. Configure the other fields with the same values as the previously configured authentication settings:
n Principle Name
n Version Key
n Encryption Method
n Password
5. Click OK.
6. Go to the Policy tab and click Save All Changes.

Harmony Endpoint Administration Guide | 191

 Active Directory Authentication

Troubleshooting Authentication in Client Logs

The authentication log file for each Endpoint Security client is located on the client computer:
%DADIR%\logs\Authentication.log

A normal log looks like this:

[KERBEROS_CLIENT(KerberosLogger_Events)] : Credentials acquired for

[email protected]
[KERBEROS_MESSAGE(KerberosLogger_Events)] : Message is Empty.
[KERBEROS_CLIENT(KerberosLogger_Events)] : Security context is not yet
established.continue needed.

n If the Authentication.log file on the client shows:

No authority could be contacted for authentication.

The Endpoint Agent cannot find a Domain Controller to supply credentials.

To fix this:
1. Make sure that the client is in the domain and has connectivity to your Domain Controller.
2. To authenticate with user credentials, log off and then log in again.
To authenticate with device credentials, restart the computer.
n If the Authentication.log file on the client shows:

The specified target is unknown or unreachable.

Check the service name. Make sure that there are no typing errors and that the format is correct.
If there was an error, correct it on the Check Point Endpoint Security Management Server.

Harmony Endpoint Administration Guide | 192

 Harmony Endpoint Logs

Harmony Endpoint Logs

Harmony Endpoint Logs menu allows you to customize logs and views to effectively monitor all your
systems from one location.
From the New Tab Catalog, select what you want to show in this tab:

Catalog Item Description

Favorites Select one of the Logs or View that you marked with the Favorite icon ( )

Recent Select one of the Logs or Views that you opened recently

Shared Select a view that was shared with you

Logs Select one of the widgets with logs collected from all Harmony Endpoint clients

Views Select one of the Views with data from all available blades, services, and applications

Reports Select one of the available reports

You can open as many tabs as you want providing they show different views.
Use the toolbar on the top to open views, create new views and reports, export them to PDF and perform
relevant actions.
See all collected logs in the Harmony Endpoint Logs view:

Use the time filter (1) and select the relevant options on the Statistics pane (3) to set specific criteria and
customize the search results. Alternatively, you can enter your query in the search bar. For more details
about the Query Language, see "Query Language Overview" on page 195.

Harmony Endpoint Administration Guide | 193

 Harmony Endpoint Logs

Item Description

1 Time period - Search with predefined custom time periods or define another time period for
the search.

2 Query search bar - Enter your queries in this field.

3 Statistics pane - Shows statistics of the events by Blades, Severity of the event and other
parameters.

4 Card - Log information and other details.

5 Results pane - Shows log entries for the most recent query.

6 Options - Hide or show a client identity in the Card, and export the log details to CSV.

The information recorded in logs can be useful in these cases:

n To identify the cause of technical problems
n To monitor traffic more closely
n To make sure that all features function properly

Harmony Endpoint Administration Guide | 194

 Query Language Overview

Query Language Overview

A powerful query language lets you show only selected records from the log files, according to your criteria.
To create complex queries, use Boolean operators, wildcards, fields, and ranges.
This section refers in detail to the query language.
When you use Harmony Endpoint to create a query, the applicable criteria appear in the Query search bar.
The basic query syntax is:

[<Field>:] <Filter Criterion>

To put together many criteria in one query, use Boolean operators:

[<Field>:] <Filter Criterion> {AND | OR | NOT} [<Field>:] <Filter

Criterion> ...

Most query keywords and filter criteria are not case sensitive, but there are some exceptions.
For example, "source:<X>" is case sensitive ("Source:<X>" does not match).
If your query results do not show the expected results, change the case of your query criteria, or try upper
and lower case.
When you use queries with more than one criteria value, an AND is implied automatically, so there is no
need to add it. Enter OR or other boolean operators if needed.

Criteria Values
Criteria values are written as one or more text strings.
You can enter one text string, such as a word, IP address, or URL, without delimiters.
Phrases or text strings that contain more than one word must be surrounded by quotation marks.
One-word string examples

n John
n inbound
n 192.168.2.1
n some.example.com
n dns_udp

Phrase examples

n "John Doe"
n "Log Out"
n "VPN-1 Embedded Connector"

Harmony Endpoint Administration Guide | 195

 Query Language Overview

IP Addresses

IPv4 and IPv6 addresses used in log queries are counted as one word.
Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons.
Example:
n 192.0.2.1
n 2001:db8::f00:d

You can also use the wildcard '*' character and the standard network suffix to search for logs that match
IP addresses within a range.
Examples:
n
src:192.168.0.0/16

Shows all records for the source IP 192.168.0.0 to 192.168.255.255 inclusive

n
src:192.168.1.0/24

Shows all records for the source IP 192.168.1.0 to 192.168.1.255 inclusive

n
src:192.168.2.*

Shows all records for the source IP 192.168.2.0 to 192.168.2.255 inclusive

n
192.168.*

Shows all records for 192.168.0.0 to 192.168.255.255 inclusive

NOT Values
You can use NOT <field> values with Field Keywords in log queries to find logs for which the value of the
field is not the value in the query.

Syntax:

NOT <field>: <value>

Example:

NOT src:10.0.4.10

Wildcards
You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in
log records.
You can use more than the wildcard character.

Harmony Endpoint Administration Guide | 196

 Query Language Overview

Wildcard syntax:
n The ? (question mark) matches one character.
n The * (asterisk) matches a character string.

Examples:
n Jo? shows Joe and Jon, but not Joseph.
n Jo* shows Jon, Joseph, and John Paul.
If your criteria value contains more than one word, you can use the wildcard in each word.
For example, 'Jo* N*' shows Joe North, John Natt, Joshua Named, and so on.

Note - Using a single '*' creates a search for a non-empty value string. For example asset name:*

Harmony Endpoint Administration Guide | 197

 Query Language Overview

Field Keywords
You can use predefined field names as keywords in filter criteria.
The query result only shows log records that match the criteria in the specified field.
If you do not use field names, the query result shows records that match the criteria in all fields.
This table shows the predefined field keywords. Some fields also support keyword aliases that you can type
as alternatives to the primary keyword.

Keyword
Keyword Description
Alias

severity Severity of the event

app_risk Potential risk from the application, of the event

protection Name of the protection

protection_ Type of protection

type

confidence_ Level of confidence that an event is malicious

level

action Action taken by a security rule

blade product Software Blade

destination dst Traffic destination IP address, DNS name or Check Point network
object name

origin orig Name of originating Security Gateway

service Service that generated the log entry

source src Traffic source IP address, DNS name or Check Point network
object name

user User name

Harmony Endpoint Administration Guide | 198

 Query Language Overview

Syntax for a field name query:

<field name>:<values>

Where:
n <field name> - One of the predefined field names
n <values> - One or more filters
To search for rule number, use the Rule field name.
For example:

rule:7.1

If you use the rule number as a filter, rules in all the Layers with that number are matched.
To search for a rule name, you must not use the Rule field. Use free text.
For example:

"Block Credit Cards"

Best Practice - Do a free text search for the rule name. Make sure rule names are
unique and not reused in different Layers.

Examples:
n source:192.168.2.1
n action:(Reject OR Block)

You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you use fields with multiple values, you must:
n Write the Boolean operator, for example AND.
n Use parentheses.

Harmony Endpoint Administration Guide | 199

 Query Language Overview

Boolean Operators
You can use the Boolean operators AND , OR, and NOT to create filters with many different criteria.
You can put multiple Boolean expressions in parentheses.
If you enter more than one criteria without a Boolean operator, the AND operator is implied.
When you use multiple criteria without parentheses, the OR operator is applied before the AND operator.

Examples:
n
blade:"application control" AND action:block

Shows log records from the Application and URL Filtering Software Blade where traffic was blocked.
n
192.168.2.133 10.19.136.101

Shows log entries that match the two IP addresses. The AND operator is presumed.
n
192.168.2.133 OR 10.19.136.101

Shows log entries that match one of the IP addresses.

n
(blade: Firewall OR blade: IPS OR blade:VPN) AND NOT action:drop

Shows all log entries from the Firewall, IPS or VPN blades that are not dropped.
The criteria in the parentheses are applied before the AND NOT criterion.
n
source:(192.168.2.1 OR 192.168.2.2) AND destination:17.168.8.2

Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2.
This example also shows how you can use Boolean operators with field criteria.

Harmony Endpoint Administration Guide | 200

 Exporting Logs

Exporting Logs
Check Point Log Exporter is an easy and secure method to export Check Point logs over syslog. Log
Exporter is a multi-threaded daemon service which runs on a log server. Each log that is written on the log
server is read by the Log Exporter daemon. It is then transformed into the applicable format and mapping
and sent to the end target.
For more information, see sk122323.

To export logs from Harmony Endpoint:

1. Go to Endpoint Settings > Export Events.
2. Click Add.
The New Logging Service window opens.
3. Fill in the export details:
n Name - Enter a name for the exported information.
n IP Address - Enter the IP Address of the target to which the logs are exported.
n Protocol - Select the protocol over which to export the logs: TCP or UDP.
n Format - Select the export format.
n Port - Select the port over which to export the logs. Only these ports are supported for outgoing
communication: 514, 6514, 443.
n TLS/SSL - Select this checkbox if you want log information to be TLS/SSL encrypted. The only
allowed authentication method through TLS is mutual authentication. For mutual
authentication, the log exporter needs these certificates:
l A *.pem Certificate Authority certificate (must contain only the certificate of the CA that
signed the client/server certificates, not the parent CA).
l A *.p12 format client certificate (log exporter side).
For instructions on how to create the certificates, see "Creating Security Certificates for TLS
Mutual Authentication" below.
4. Click Add.

Creating Security Certificates for TLS Mutual

Authentication
This section explains how to create self-signed security certificates for mutual authentication.
Notes:
n Make sure to run the openssl commands on a 3rd party CA server (not on the
log exporter device). The log exporter device must have a connectivity to the CA
server.
n The commands are not supported on a Check Point Security Management Server
or a Multi-Domain Server.

Harmony Endpoint Administration Guide | 201

 Exporting Logs

Procedure
1. Create a CA certificate

Step Description

1 Generate the self-signed root CA key:

openssl genrsa -out ca.key 2048

2 Generate the root CA certificate file in the PEM format:

openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem

Enter the information regarding the certificate.

This information is known as a Distinguished Name (DN).
An important field in the DN is the Common Name(CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host,
with which you intend to use the certificate.
Apart from the Common Name, all other fields are optional and you can skip it.
If you purchase an SSL certificate from a certificate authority, it is often required that these additional fields, such as "Organization",
accurately reflect your organization's details.

Best Practice - We recommend to use the device IP address as the Common Name.

2. Create a client certificate

Step Description

1 Generate a client key:

openssl genrsa -out cp_

client.key 2048

2 Generate a client certificate sign request:

openssl req -new -key cp_

client.key -out cp_client.csr

3 Sign the certificate using the CA certificate files:

openssl x509 -req -in cp_

client.csr -CA ca.pem -CAkey
ca.key -CAcreateserial -out
cp_client.crt -days 2048 -
sha256

4 Convert the certificate to the P12 format:

openssl pkcs12 -inkey cp_

client.key -in cp_client.crt -
export -out cp_client.p12

Note - The challenge phrase

used in this conversion is
required in the cp_client
TLS configuration.

Harmony Endpoint Administration Guide | 202

 Exporting Logs

3. Update the security parameters on the Check Point exporting server

Step Description

1 On a Multi-Domain Server or Multi-Domain Log Server, go to the context of the

applicable Domain Management Server or Domain Log Server:
If you run on a Multi-Domain Log Server/Multi-Domain Log Server, run this
command to switch to the required domain:
mdsenv <Name or IP Address of Domain Management Server or
Domain Log Server>

2 Go to the deployment directory:

cd $EXPORTERDIR/targets/<Deployment Name>/

3 Create a directory for the certificate files:

mkdir -v certs

4 Copy the ca.pem and cp_client.p12 certificate files to the

$EXPORTERDIR/targets/<Deployment Name>/certs/ directory.

Note - The ca.key must not be published.

5 Assign the read permissions to the ca.pem and cp_client.p12 certificate files:
chmod -v +r ca.pem
chmod -v +r cp_client.p12

6 Update the secured target:

cp_log_export set name <Name> domain-server <Domain-
Server> encrypted true ca-cert <Full Path to CA
Certificate *.pem File> client-cert <Full Path to *.p12
Certificate File> client-secret <Challenge Phrase for the
*.p12 File>

4. Create a server (target) certificate

Step Description

1 Generate a server key:

openssl genrsa -out server.key
2048

2 Generate a server certificate sign request:

openssl req -new -key
server.key -out server.csr

Harmony Endpoint Administration Guide | 203

 Exporting Logs

Step Description

3 Sign the certificate using the CA certificate files:

openssl x509 -req -in
server.csr -CA ca.pem -CAkey
ca.key -CAcreateserial -out
server.crt -days 2048 -sha256

Note - Some SIEM applications require the server certification to be in a

specific format. For more information, refer to SIEM Specific Instructions
section (sk122323).

Harmony Endpoint Administration Guide | 204

 Performing Push Operations

Performing Push Operations

Push operations are operations that the Endpoint Security Management Server pushes directly to client
computers with no policy installation required.

To add a Push Operation:

1. Go to the Push Operation view and click Add.
2. Select the push operation and click Next.

Push
Windo macO Linu
Category Operation Description
ws S x
s

Anti- Scan for Runs an Anti-Malware scan on the Yes Yes Local
Malware Malware computer or computers, based on the CLI
configured settings. only

Update Updates malware signatures on the Yes Yes Local

Malware computer or computers, based on the CLI
Signature configured settings. only
Database

Restore Restores files from quarantine on the Yes Yes Yes

Files from computer or computers, based on the
Quarantin configured settings.
e

Harmony Endpoint Administration Guide | 205

 Performing Push Operations

Push
Windo macO Linu
Category Operation Description
ws S x
s

Forensics Analyze Manually triggers collection of forensics Yes Yes No

and by data for an endpoint device that
Remediati Indicator accesses or executes the indicator. The
on indicator can be a URL, an IP, a path, a
file name or an MD5.

File Quarantines malicious files and Yes Yes Yes

Remediati remediates them as necessary.
on In the Elements field, enter the incident
ID from the Harmony Endpoint Security
client or enter the incident UID for the
corresponding incident from the Logs
menu in the Harmony Endpoint portal.
To obtain the incident UID, open the log
entry and expand the More section to
view the incident UID.

Isolate Makes it possible to isolate a specific Yes No No

Computer device that is under malware attack and
poses a risk of propagation. This action
can be applied on one or more devices.
The Firewall component must be
installed on the client in order to perform
isolation. Only DHCP, DNS and traffic to
the management server are allowed.

Release Removes device from isolation. This Yes No No

Computer action can be applied on one or more
devices.

Harmony Endpoint Administration Guide | 206

 Performing Push Operations

Push
Windo macO Linu
Category Operation Description
ws S x
s

Agent Deploy Installs the Initial Client remotely without Yes No No

Settings New third party tools such as Microsoft
Endpoints System Center Configuration Manager
(SCCM) or Intune. The Push Operation
mechanism extends to devices that do
not have the Initial Client installed yet.

Harmony Endpoint Administration Guide | 207

 Performing Push Operations

Push
Windo macO Linu
Category Operation Description
ws S x
s

Collect Collects logs from a device or devices Yes Yes No

Client based on the configured settings.
Logs For Windows, client logs are stored in
the directory
C:\Windows\SysWOW64\config\system
profile\CPInfo.
For macOS, client logs are stored in the
directory /Users/Shared/cplogs.

Repair Repairs the Endpoint Security client Yes No No

Client installation. This requires a computer
restart.

Shutdown Shuts down the computer or computers Yes Yes No

Computer based on the configured settings.

Restart Restarts the computer or computers Yes Yes No

Computer based on the configured settings.

Uninstall Uninstalls the Endpoint Security client Yes Yes No

Client remotely on the selected devices. This
feature is supported for E84.30 client
and above.

Applicatio Collects all available applications in a Yes No No

n Scan certain folder on a set of devices and
then adds them to the application
repository of the "Application Control"
blade on that specific tenant.

Kill Remotely kills/ terminate the processes. Yes Yes No

Process

Remote n Allows administrators to run both Yes No No

Command signed (introduced by CP) and
unsigned (ones the customer
creates) scripts on the Endpoint
Client devices.
n Especially useful in a non-AD
environment.
n Supplies tools/fixes to customers
without the need to create new
EP client/server versions.
n Saves passwords securely when
provided.
The Remote Command
feature is supported in
Windows clients running
version E85.30 and above

Harmony Endpoint Administration Guide | 208

 Performing Push Operations

3. Select the devices on which you want to perform the push operation.
4. Click Next.
5. Configure the operation settings.
6. Click Finish.
Notes:
n See the results of the operations on each endpoint in the Endpoint List section at
the bottom part of the screen.
n You can push operations from the Asset Management view as well - select the
applicable device and click Push Operation.

Harmony Endpoint Administration Guide | 209

 Threat Hunting

Threat Hunting
Threat Hunting is an investigative tool which collects attack information on the organization's endpoints. The
complexity of attacks is ever growing. Because no prevention is 100% and the average dwell time of
advanced attacks is 280 days, the need arises for visibility and investigation tools. Threat Hunting collects
information on all malicious and benign events in the organizations' endpoint with Harmony Endpoint
installed.
The information collected lets the analyst:
n Investigate the full scope of an attack.
n Discover a stealth attack through watching a suspicious activity.
n Remediate the attack before it causes further damage.
n Proactively hunt for advanced attacks by searching for anomalies, using hunting leads and
enrichment
Threat Hunting has these capabilities:
n Data collection and enrichment - All events are collected through multiple sensors on the Harmony
Endpoint, sent to a unified repository and enriched by ThreatCloud, MITRE mapping and alerts from
all Harmony Endpoint prevention engines.
n Rich toolset for custom queries, drill down and pivoting to suspicious activity.
n Predefined queries and a MITRE dashboard which map all activity and allow a quick start to proactive
hunting.
n Remediation actions per result or a bulk operation integrated in the Threat Hunting flow (such as file
quarantine and kill process).
The data is saved for 7 days, unless an extended retention license is purchased.

Enabling Threat Hunting

Threat Hunting is disabled by default.

To enable Threat Hunting:

1. Go to the Policy view > Threat Prevention > Analysis & Remediation
2. Toggle Enable Threat Hunting to On
3. Save and click Install Policy.
4. After the policy is pushed to the agents, wait a few minutes until data is sent by the agents. Then you
can go to the Threat Hunting view to start searching through events.
For troubleshooting information, see sk170052.

Harmony Endpoint Administration Guide | 210

 Threat Hunting

Using Threat Hunting

Item Description

1 Last Day, Process - Filters your search results by date or process.

2 Let the hunt begin - Here you can actively create search queries.

3 Menu for predefined queries.

4 Predefined - Check Point's predefined queries.

5 MITRE ATT&CK - Mitre Corporation's predefined queries

6 Bookmarks - Here you can save all the queries that you ran.

7 History - Here you can see all the queries that you used.

8 Settings - Here you can changes the UI look and feel

You can hunt for threats using predefined queries or by proactively creating the queries.
n To use predefined queries:
l Go to Predefined Hunting Queries or click the ellipsis icon next to the search box and select
Predefined. Here you can quickly find all active attacks and browse through different malicious
events detected by Endpoint clients.

Harmony Endpoint Administration Guide | 211

 Threat Hunting

l Click the ellipsis icon next to the search box and select MITRE ATT&CK - This leads you to the
MITRE ATT&CK Dashboard. The MITRE ATT&CK dashboard provides real-time visibility on
all the techniques observed by Harmony Endpoint across your endpoint devices. It maps all
raw events to MITRE TTPs regardless of malicious, suspicious or benign. The MITRE
ATT&CK dashboard is divided into 12 categories, each category is a stage in an attack. Each
category includes multiple attack techniques. When you click a technique, a window opens
with an explanation about the technique and a list of predefined queries. Run a query to get a
list of the events in which the specific technique implementation was used.
n To proactively search for events, go to Let the hunt begin and click the + sign. Select the required
filter, enter the applicable information for the search, and click Add.
The search results are arranged in a timeline. The timeline provides behavioral insights that can indicate
anomalies or attack peaks. You can filter events based on the timeline by clicking the hexagon. Detailed
information about the event is available, together with intelligent enrichment, such as attack classification,
malware family and Mitre technique details.
You can filter the results by date and process.
When data is returned from a query, these are the available remediation options: single or bulk quarantine,
and process termination. Full forensics analysis is also available.

Use Case - Maze Ransomware Threat Hunting

You want to investigate the maze ransomeware attack. You read about it in the internet and you are afraid it
might be in your organization and not discovered yet.
1. In the MITRE ATT&CK website: Search for Maze ransomeware.
2. From the list of techniques that Maze ransomware uses, select the applicable technique. For
example: Windows Management Instrumentation
3. In the Infinity Portal > Threat Hunting, click the ellipsis sign on the right hand side of the search box,
and go to MITRE ATT&CK.
4. In the MITRE ATT&CK dashboard, search for the technique you copied from the Maze website.
5. Click the technique to see all the events in your organization in which this technique was used.

Supported Versions
n Agent version:
l Recommended version - E84.10 and above.
n Management version
l Cloud only, web management.
l Management version - R80.40 and above

Harmony Endpoint Administration Guide | 212

 Two Factor Authentication

Two Factor Authentication

We recommend to configure two factor authentication when working with Harmony Endpoint. See
sk163292.

Harmony Endpoint Administration Guide | 213

 Harmony Endpoint for Linux

Harmony Endpoint for Linux

This chapter describes the installation and use of Harmony Endpoint in Linux operating systems.

Harmony Endpoint Administration Guide | 214

 Harmony Endpoint for Linux Overview

Harmony Endpoint for Linux Overview

Check Point Harmony Endpoint for Linux protects Linux Endpoint devices from malware, and provides
Threat Hunting / Endpoint Detection and Response capabilities.

Key Threat Prevention technologies:

Technology Description

Anti-Malware SandBlast Linux Anti-Malware engine detects trojans, viruses, malware, and other
malicious threats.
The engine is implemented as a multi-threaded flexible scanner daemon. It is
managed centrally through a web-console.
In addition, it supports command line utilities for on-demand file scans, access
functionality, and automatic signature updates.

Threat Hunting / An Endpoint Linux device deployed with SandBlast Linux, constantly updates
Endpoint Check Point Cloud with Indicator of Compromise (IoC) and Indicator of Attack (IoA)
Detection and events.
Response (EDR) The Threat Hunting technology lets the user proactively search for cyber threats
that made it through the first line of defense to the Linux Endpoint device.
Threat Hunting uses advanced detection capabilities, such as queries and
automation, to find malicious activities and extract hunting leads of data.

Behavioral guard Dynamic analysis of malwares executed on the Endpoint Client, based on the
behavioral patterns of many types of attacks, such as ransomwares, cryptominers
and trojans.

* Only the Anti-Malware blade is supported.

Prerequisites
n Available Internet access for the protected device.
n For RHEL/CentOS, it is necessary to have access to EPEL (Extra Packages for Enterprise
Linux) repository.
n If the device has no internet access, you must enable access to certain URLs. For more information,
see sk116590.

Minimum Hardware Requirements

n x86 processor, 64-bit (32-bit is not supported)
n 2 GHz Dual-core CPU
n 4 GB RAM
n 10 GB free disk space

Harmony Endpoint Administration Guide | 215

 Deploying Harmony Endpoint for Linux

Deploying Harmony Endpoint for Linux

This section explains how to install Harmony Endpoint on Linux operating systems for Endpoint cloud users.

To install Harmony Endpoint for Linux for Endpoint Cloud Users:

1. Navigate to Policy > Export Package
2. Download the Linux installation script:
3. Copy/Download the installation script to the target device. Run one of these options:
n To allow execution permission to the file, run:

chmod +x ./<Name of Install Script>

n To deploy both Anti-Malware and Threat Hunting, run:

sudo ./<Name of Install Script> install

n To deploy Anti-Malware only, run:

sudo ./<Name of Install Script> install --product am

n To deploy Threat Hunting only, run:

sudo ./<Name of Install Script> install --product edr

n To deploy Behavioral Guard only, run:

sudo ./<Name of Install Script> install --product bg

n To enable the Threat Hunting function, make sure that Threat Hunting is enabled in the
applicable policy rule. Navigate to Policy > Threat Prevention > Analysis & Remediation and
ensure Threat Hunting is set to ON.
Notes:
l If Strong/Kerberos authentication is enabled, then HTTP 401 is in the
/var/log/checkpoint/cpla/cpla.log.
l It is necessary to put the keytab file used for authentication set up in the file
/var/lib/checkpoint/cpmgmt/auth.keytab (the file is generated by the ktpass utility).

sudo ./<install script name> install --product edr

Harmony Endpoint Administration Guide | 216

 Harmony Endpoint for Linux CLI Commands

Harmony Endpoint for Linux CLI Commands

Help & Information Commands
To show a list of all the help commands with their descriptions, run:

cpla --help

To show the help for available Anti-Malware commands, run:

cpla am --help

To show information about the product and the security modules installed (Anti-Malware, EDR) run:

cpla info

To show the information about the installed Anti-Malware module, run:

cpla am info

To show the help for available commands for the installed EDR module, run:

cpla bg --help

To show information about the installed EDR, run:

cpla edr info

To show the help for available Behavioral Guard commands, run:

cpla bg--help

To show information about the installed Behavioral Guard, run:

cpla bg info

Quarantine Commands
To see a list of all current quarantined files, run:

cpla am quarantine list

Harmony Endpoint Administration Guide | 217

 Harmony Endpoint for Linux CLI Commands

To add a file to quarantine, run:

sudo cpla am quarantine add <path_to_file>

To remove a file from quarantine, and restores the file to its original place, run:

sudo cpla am quarantine restore <path_to_file>

To show the help for available Anti-Malware quarantine commands, run:

cpla am quarantine --help

Scans & Detections

To trigger a scan of files in the provided path by the Anti-Malware module, run:

cpla am scan <path_to_scan>

To show detections of Anti-Malware, run:

cpla am detections

Note - To limit the number of detections displayed, use the parameter --limit <number_
of_detections>. Default is 100.

To show the latest detections of Behavioral Guard, run:

cpla bg detections

Note - To limit the number of detections displayed, use the parameter --limit <number_
of_detections>. Default is 100.

Logs
To collect the logs of the product:

cpla collect-logs

Note - When you use this command, it prepares a Zip file which you can send to the
support manually.

Harmony Endpoint Administration Guide | 218

 Harmony Endpoint for Linux CLI Commands

Uninstall Harmony Endpoint for Linux

To uninstall Harmony Endpoint from Linux, run:

sudo ./ <install script name> uninstall

To uninstall EDR only, run:

sudo ./ <install script name> uninstall --product edr

To uninstall BG only, run:

sudo ./ <install script name> uninstall --product bg

Harmony Endpoint Administration Guide | 219

 Harmony Endpoint for Linux Additional Information

Harmony Endpoint for Linux Additional

Information
n After the first installation, wait two to three minutes for the Anti-Malware service to complete the
signature package. When complete, the service button shows as running mode. This procedure take
up to 15 minutes, depending on your network connectivity.
n For information about Threat Hunting, go to the Threat Hunting tab. Threat Hunting lets you threat
hunt files, processes, and domains accessed by the protected Virtual Machines.

Best Practice - We recommend that you remove any other 3rd party Anti-Malware
solution before you install Harmony Endpointfor Linux.

Harmony Endpoint Administration Guide | 220

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Harmony Endpoint for Windows

Virtual Desktop Infrastructure (VDI)
Virtual Desktop Infrastructure (VDI) is the technology to create and manage virtual desktops. VDI is
available as a feature in Check Point's Endpoint Security Client releases.
n VMware Horizon is supported in E81.00 (and higher) for Persistent Mode and as a feature on E83.10
(and higher) for Non-Persistent Mode.
n Citrix XenDesktop is supported in E84.20 (and higher).
A virtual machine monitor (the hypervisor) controls the virtual machine that creates the virtual desktops. All
the activity on the deployed virtual desktops occurs on the centralized server.
The "Golden Image" is the base ("Master") desktop image and the model for clone images. Desktop Pools
define the server resources for the virtual desktops and solutions to hold the latest Anti-Malware signatures
on all the virtual desktops.
Virtual desktop software applications support two modes.
n Persistent Mode:
l Each user has a single specific desktop for their solitary use.
l Each user's desktop retains data on the desktop itself between logins and reboots.
l The user's machine is not "refreshed" for other users.
n Non-Persistent Mode:
l Each user has a desktop from a pool of resources. The desktop contains the user's profile.
l Each user's desktop reverts to its initial state when the user logs out.
l The user's machine is fresh in each instance.

Important - Non-Persistent virtual desktops access Anti-Malware signatures in a shared

folder in the Shared Signatures Solution.

The tested versions are:

n VMware Horizon 7 version 7.6 and 7.10
n Citrix Virtual Apps and Desktops 7 1912
The software environments between and after these versions should work. Earlier versions may work.
Contact Check Point Support for assistance with earlier versions.
Important:
n Only Desktop publishing is supported. Publishing applications (Xen-Apps,
Horizon Apps) are not officially supported at this time.
n AD Scanner feature must be enabled in VDI environments.

Minimal Requirements for Virtual Machines:

The Microsoft Windows image must be optimal for VDI.

Harmony Endpoint Administration Guide | 221

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

See How to Find Windows 10 Computer Specifications & Systems Requirements

Best Practice - Use an extra 1 GHz "CPU Power" for each scanning machine.

Configuring Clients for Persistent Desktops

Software Blades for Persistent Desktops
Persistent virtual desktops have the same Endpoint Security client capabilities as non-virtual desktops.

Creating a Basic Golden Image for Persistent Desktops

See "Basic Golden Image Settings" on page 233 for the procedure to create a basic golden image.

Harmony Endpoint Administration Guide | 222

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Client Machine Configuration for Persistent Desktops

Configurations for client machines are part of the creation of the Golden Image.
We recommend that you disable Periodic Scan to avoid "Scan Storms".
"Anti-Malware Scan Storms" can occur when anti-virus scans run at the same time on multiple virtual
machines on the same physical server. A degradation of system performance is possible that can affect disk
I/O and CPU usage.

Setting up the Client Machine for Persistent Desktops

1. Disable the Anti-Malware Periodic Scan.
See "Appendix" on page 235.
2. If you did not disable the Anti-Malware Periodic Scan, then enable the Anti-Malware Randomized
Scan.
Procedure

a. From the left navigation panel, click Policy.

b. In the left pane, click Threat Prevention.
c. In the policy, click the applicable rule.
d. In the right pane, click the Web & Files Protection tab.
e. Scroll down and click the Advanced Settings button.
f. From the left tree, click Files Protection > Scan.
g. Select Randomize scan time.
h. Configure the applicable schedule.
i. Click OK.
j. At the bottom, click Save.
k. At the top, click Install Policy.

Creating a Pool for Persistent Desktops

Best Practice - We recommend to use a different naming pattern for each machine in each pool.

VMware Horizon Key Points

This procedure is mandatory to create supported Horizon pools for Persistent Virtual Desktops.

Harmony Endpoint Administration Guide | 223

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Procedure

1. In VMware Horizon, select Automated Desktop Pool in the Type panel of Add Desktop Pool.

2. In the User Assignment panel, select Dedicated.

Check Enable automatic assignment.

Harmony Endpoint Administration Guide | 224

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

3. In the vCenter Server panel, select Instant Clones or View Composer Linked Clone.
Full Clones are not currently supported.

4. In Guest Customization panel, select Allow reuse of pre-existing computer account.

Citrix XenDesktop Key Points

n When you select the Operating System type, use Single-Session OS.
n When you select User Experience, use a dedicated desktop experience.

Harmony Endpoint Administration Guide | 225

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configuring Clients for Non-Persistent Desktops

General
The Solution:
n One or more Signature Servers.
Responsible for the store of the latest Anti-Malware signatures in a shared location.
n Many specially configured clients that load signatures from the shared folder.
n If the shared signatures server is not available, the client uses signatures from the golden image.

Harmony Endpoint Administration Guide | 226

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Recommended Steps:
1. Configure a signature server machine.
2. Configure a client machine (golden image).
3. Create a test pool.
4. Deploy the production pool.

Shared Signatures Server

A Shared Signatures Server:
n Installs as a regular Endpoint Security Client and becomes a "signature server" later.
n Responsible for holding the latest Anti-Malware signatures.
The signatures store in a read-only shared folder and update according to policy.
n Must run on a persistent virtual machine, preferably on the same storage as the clients.
n Must connect to the Internet to update signatures.

Harmony Endpoint Administration Guide | 227

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configuring the Signatures Server

For the Endpoint Security Clients version E84.20 (and higher), you can configure the Signature Server with
a policy.
Procedure

1. Create a new Virtual Group.

2. Assign a Golden Image machine to the new group.
3. From the left navigation panel, click Policy.
4. In the left pane, click Threat Prevention.
5. In the policy, clone the applicable Threat Prevention rule.
6. Assign the new Threat Prevention rule to the new Virtual Group.
7. In the right pane, click the Web & Files Protection tab.
8. Scroll down and click the Advanced Settings button.
9. From the left tree, click Files Protection > Signature.
10. In the Shared Signature Server section, select the “Set as shared signature server” and enter the
local path of the folder.
Example: C:\Signatures

Note - If the folder does not exist, the endpoint creates it automatically.

11. Configure the applicable frequency in the Frequency section.

12. Click OK.
13. At the bottom, click Save.
14. At the top, click Install Policy.

Setup Validation
Wait 20 minutes to make sure:
n Anti-Malware Signatures version is current.
n Shared Signatures folder exists with Anti-Malware signatures.
Important - If the folder is empty, the setup is not valid.

Client Machine Configuration for Non-Persistent Desktops

Creating a Basic Golden Image for Non-Persistent Desktops
See "Basic Golden Image Settings" on page 233 for the procedure to create a basic golden image.

Harmony Endpoint Administration Guide | 228

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configuring the Client Machine

For the Endpoint Security Clients version E84.20 (and higher), you can configure up the client machines (the
golden image) by policy.
1. Disable the Anti-Malware Periodic Scan.
See "Appendix" on page 235.
2. Configure signature source for the VDI client.
Procedure

a. Create a new Virtual Group.

b. Assign a Golden Image machine to the new group.
c. From the left navigation panel, click Policy.
d. In the left pane, click Threat Prevention.
e. In the policy, clone the applicable Threat Prevention rule.
f. Assign the new Threat Prevention rule to the new Virtual Group.
g. In the right pane, click the Web & Files Protection tab.
h. Scroll down and click the Advanced Settings button.
i. From the left tree, click Files Protection > Signature.
j. In the Shared Signature Server section, enter the UNC of the shared folder.
Example: \\192.168.18.5\Signatures
k. Configure the applicable frequency.
l. Click OK.
m. At the bottom, click Save.
n. At the top, click Install Policy.

Important:
n When you apply VDI settings through Policy to Golden Image, you must apply
VDI settings through Policy to cloned Virtual Machines.

Post Setup Actions

n Make sure the Shared Signatures folder is accessible from the golden image and the folder has
signatures.
n Make sure the Anti-Malware signatures are current.
n Scan for malwares with the latest signatures.

Creating a Pool for Non-Persistent Desktops

Note - Check Point recommends that each created pool will use a different machine
naming pattern. This will prevent situations where Management Server has duplicate
machine entries from different pools.

Harmony Endpoint Administration Guide | 229

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

VMware Horizon Key Points

This procedure is mandatory to create supported Horizon pools for Non-Persistent Virtual Desktops.
Procedure

1. In VMware Horizon, choose Automated Desktop Pool in the Type panel of Add Desktop Pool.

2. In the User Assignment panel, choose Floating.

3. In the vCenter Server panel, choose Instant Clones or Linked Clones.

Harmony Endpoint Administration Guide | 230

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

4. In the Guest Customization panel, select Allow reuse of pre-existing computer account.

Citrix Xen-Desktop Key Points

n When you select the Operating System type, use Single-Session OS.
n When you select the User Experience type, use a non-dedicated desktop experience.

Pool Validation
Access a few cloned machines and make sure that:
n Machines connect to the Endpoint Security Management Server.
n Applicable Software Blades run.
n Anti-Malware Signatures are current.
n Machines appear on the Server User Interface.

Disabling the Anti-Malware Periodic Scan

"Anti-Malware Scan Storms" can occur when several anti-virus scans run simultaneously on multiple virtual
machines on the same physical server. In such situation, a degradation of system performance is possible,
which can affect disk I/O and CPU usage. It is then recommended that you disable the Anti-Malware
periodic scan:
1. Go to the Policy Page.
2. In the right pane, click the Web & Files Protection tab.
3. Scroll down and click the Advanced Settings button.
4. From the left tree, select Files Protection > Scan.
5. In the Perform Periodic Scan Every field, select Never.

Harmony Endpoint Administration Guide | 231

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Software Blades for Non-Persistent Desktops

The Endpoint Security client capabilities for non-persistent virtual desktops are:
n Anti-Malware
l Fully supported when configured with the Shared Signatures Server.
n Compliance, Firewall and Application Control, Remote Access VPN, and URL Filtering
l Fully supported.
n Forensics
l Partially supported.
o The Forensics database contains data for the current session.
o Forensics Reports generate as usual.
n Threat Emulation and Anti-Exploit
l Partially supported.
o Signatures are not in cache.
o Signatures download for each new instance.
n Anti-Bot
l Partially supported.
o Signatures are not in cache.
o Signatures download for each new instance.
o Cached data (such as the URLs checked against Threat-Cloud and Detection List) are
lost on logoff.
n Ransomware "Honeypots"
l Partially supported.
o Part of the Golden Image.
n Behavioral Guard
l Partially supported.
o Signatures are not in cache.
o Signatures download for each new instance.
n Full Disk Encryption and Capsule Docs
l Not supported for non-persistent desktops.
n Media Encryption & Port Protection
l Fully supported with VMware Horizon running the Harmony Endpoint client version E86.40 and
higher.

Harmony Endpoint Administration Guide | 232

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

l Fully supported with Citrix Provisioning Services (PVS) running the Harmony Endpoint client
version E86.50 and higher.

Basic Golden Image Settings

A "Golden Image" is the base ("Master") desktop image. It is the model for clone images.

To create the Golden Image:

1. Install the Windows OS.
2. Configure the network settings:
a. Configure the network settings to match your environment settings (DNS, Proxy).
b. To verify that the configuration is correct, add it to your domain.
c. Make sure you can ping Domain FQDN.
d. Make sure you can ping Connection Server FQDN.
3. Install the required software and tools.
4. Install the latest Windows updates.
5. Optimize the Guest machine in one of these ways:
a. Optimize the master image according to the Microsoft VDI Recommendation.
b. Use the Vendor's specific optimization tool:
n VMware - VMware OS Optimization Tool.
n Citrix - Citrix Optimizer.

Important - Make sure that you do not disable the Windows Security Center service.

6. Install the Virtual Delivery Agent (VDA).

n VMware Horizon:
l Version 7.10 supports up to 19H1.
l Make sure that during installation you choose the correct settings (Linked clones or
Instant Clones).
n Citrix:
l Make sure that during installation you choose the correct settings (MCS / PVS).

Notes for Citrix PVS:

l Before the first Endpoint installation, boot the machine from the

network using the relevant vDisk in Read / Write mode.

l When upgrading Endpoint in maintenance mode, make sure that

you upgrade the vDisk through the golden image and not one of the
clones.
l The transfer of a clone back to the golden image is not supported.

Harmony Endpoint Administration Guide | 233

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

7. Configure Trust with the Domain Controller:

n Make sure that the golden image has a Trust Relationship with the Domain Controller.
n You can use this PowerShell command:
Test-ComputerSecureChannel

8. Install an Endpoint Security Client:

a. Create an exported Endpoint client package.
b. Install the Endpoint client package as administrator.
c. Get the latest Anti-Malware signatures.

Best Practice - Update manually with Update Now from the Endpoint tray
icon at least once a day.

d. Scan for malware.

Best Practice - Scan manually with Scan System Now from the Endpoint
tray icon for every signature update.

9. Shut down the Virtual Machine.

10. Save the snapshot.

Assigning Policies to VDI Pools

To assign specific behaviors to blades, you must configure policies.
Some policies assign by default to users, not machines.
Two options are available for assigning a policy to VDI machines:
n Assignment prior to pool creation

Assignment to a pre-defined Virtual Group occurs during the Export Package phase.
All clones from this Exported Package enter the computer group upon registration to the Endpoint
Security Management Server.
1. Create a new Virtual Group.
2. Export the applicable packages.
From the left navigation panel, click Policy.
In the Deployment Policy section, click Export Package.
3. Assign the new Virtual Group to a relevant policy.
4. Install the exported package on the Golden Image.

Harmony Endpoint Administration Guide | 234

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

n Assignment after pool creation

Provision all VDI machines. Once the machines exist, assign them to a policy.
1. Create a new Virtual Group and add all the relevant machines.
2. Create a policy and assign it to the Virtual Group.

Limitations
n VDI Clients must be part of a domain. Workgroup configurations are not supported.
n FDE capability is not supported. Do not enable FDE in packages for Non-Persistent VDI machines.
n "Anti-Malware Scanning Storms" may occur when the Anti-Virus scan runs at the same time on
multiple Virtual Machines on the same physical server. A serious degradation of the system
performance is possible that can affect disk I/O and CPU utilization.
n The "Repair" push operation does not work for the Non-Persistent VDI machines.

Appendix
Disabling the Anti-Malware Periodic Scan
"Anti-Malware Scan Storms" can occur when anti-virus scans run at the same time on multiple virtual
machines on the same physical server.
A degradation of system performance is possible that can affect disk I/O and CPU usage.
We recommend that you disable the Anti-Malware periodic scan in one of these ways:
In Endpoint Web Management Console

1. Go to the Policy Page.

2. In the right pane, click Web & Files Protection.
3. In the Perform periodic scan every field, select Never.

4. Click Save.
5. Install policy.

Harmony Endpoint Administration Guide | 235

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

In SmartEndpoint

1. In the Select action field, select Perform periodic anti-malware can every month.
2. Clear the "Perform Periodic Scan option.

3. Install policy.

Harmony Endpoint Administration Guide | 236

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

In the GuiDBedit Tool

1. Connect with the GuiDBedit Tool (sk13009) to the Endpoint Security Management Server.
2. Configure the value false for the attribute enable_schedular_scan.
3. In SmartEndpoint, install policy.

Configure the Windows Registry settings on the client machine

1. In Windows Registry, configure the value 0x0b for the AVSchedOf key:
n On 64-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\EndPoint
Security\Anti-Malware\AVSchedOf=(DWORD)0x0b

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\EndPoint Security\Anti-
Malware\AVSchedOf=(DWORD)0x0b

2. Restart the machine to restore Self-Protection.

Use the Compliance Software Blade to change the registry. See sk132932.

Harmony Endpoint Administration Guide | 237

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Advanced Settings Non-Persistent Desktops

This section shows how to configure clients manually for the Non-Persistent VDI solution in the Signature
Server and Signature Server Consumers roles.
Use this approach if the "Policy Approach" is not available.

Configuring the Shared Signatures Server

You can configure the Signature Server manually or with a script.

Harmony Endpoint Administration Guide | 238

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Manual Configuration

Create a Shared Folder

1. Create a folder to store the shared signatures.
2. Share the folder and grant read access to members of the Domain Computers' group.

Note - On Workgroup machines, the "SYSTEM" account does not have network
login rights. This configuration is not supported.

Configure the Windows Registry Keys

1. Configure the value 0x01 for the key VdiSignatureServer (to configure the machine as
"Shared Signatures Server"):
n On 64-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\VdiSignatureServer=(DWORD)0x01

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-
Malware\VdiSignatureServer=(DWORD)0x01

2. Configure the path to the shared signatures folder in the key AVSharedBases:
n On 64-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\AVSharedBases=
(SZ)"DISK:\\Path\\To\\Shared\\Folder"

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-
Malware\AVSharedBases=(SZ)"DISK:\\Path\\To\\Shared\\Folder"
Notes:
n If you do not configure the path, then the default shared
folder is:
C:\ProgramData\CheckPoint\Endpoint
Security\Anti-Malware\bases\shared
n The default shared folder exists after the first successful
update.

3. Reboot the machine to restart the Anti-Malware blade.

Harmony Endpoint Administration Guide | 239

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configuration with the Script

1. Download the Shared Signatures Server Configuration script file.

2. Execute the script on the Signature Server and follow the instructions.
3. Make sure the script finishes successfully.
4. Make sure you reboot the machine to restart the Anti-Malware blade.

Configuring the Client Machine

You can configure the Client Machine (the Golden Image) manually or with a script.
Manual Configuration

1. Disable the Anti-Malware Periodic Scan. See the instructions above.

2. In Windows Registry, configure the value 0x01 for the key AVBasesScheme (to enable the
"Shared Signatures" scheme):
n On 64-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\AVBasesScheme=(DWORD)0x01

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-
Malware\AVBasesScheme=(DWORD)0x01

3. In Windows Registry, configure the path to the shared signatures folder in the key
AVSharedBases:
n On 64-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\AVSharedBases=
(SZ)"\\Server\FolderWithSharedSignatures"

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-
Malware\AVSharedBases=(SZ)"\\Server\FolderWithSharedSignatures"
Notes:
n If you do not configure the path, then the default shared folder is:

C:\ProgramData\CheckPoint\EndpointSecurity\Anti-
Malware\bases\shared
n The default shared folder exists after the first successful update.
4. Reboot the machine or restart the Anti-Malware process.

Harmony Endpoint Administration Guide | 240

 Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configuration with the Script

1. Download the Golden Image Configuration script file.

2. Execute the script on the Golden Image and follow the instructions.
3. Make sure the machine is rebooted.

Harmony Endpoint Administration Guide | 241

 Harmony Endpoint for Terminal Server / Remote Desktop Services

Harmony Endpoint for Terminal

Server / Remote Desktop Services
Terminal Server / Remote Desktop Service is a physical server that allows multiple users to log on and
access desktops remotely (For example, from a PC).
Check Point Harmony Endpoint supports these servers through the Endpoint Security client E86.20 or
higher:
n Microsoft Terminal Services
n Microsoft Remote Desktop Services
n Citrix Xen App (Formerly known as Virtual app)
n VMware Horizon App

Software Blades for Terminal Servers

n Anti-Malware
n Firewall and Application Control
n URL Filtering
n Anti-Bot
n Anti-Ransomware
n Behavioral Guard
n Forensics
n Threat Emulation and Extraction
n Anti-Exploit

Licensing
Licensing is per user. Each user is counted as a seat (using existing SKUs).

Harmony Endpoint Administration Guide | 242

 Limitations

Limitations
n User-based policy is not supported. By default, computers will receive the entire organization policy
unless you create a computer-based rule.
n By default, the Endpoint Security client icon is turned off in the notification area (system tray) for all
the users logged on to the server. This is to prevent client notifications triggered by a specific user
action sent to all users. User checks (For example, Malware detections, upgrade process and push
operations) are not displayed. To turn on the Endpoint Security client icon in the notification area for a
specific user, see step 3 in the procedure below.
n The Logs menu does not show user details. The Terminal Server shows all logged on users as
nlocal.
n Compliance remediation Run as User is not supported. For more information, see "Compliance" on
page 143.
n For the Anti-Malware capability:
l Terminal Server exclusions does not support User Environment Variables.
l Scanning and quarantine are supported only for a directory that can be accessed by the
System Account.
l Reporting - When infections are found, the Network Drive appears as "unknown" when a
network drive cannot be accessed by System Account.
n Configure proxy settings for the Windows Server machine in the System Account.
n The Full Disk Encryption blade is not supported.
n The Media Encryption blade is not be supported.
n Windows Subsystem for Linux (WSL) is not be supported.
n Internet Explorer extension is not supported.

Harmony Endpoint Administration Guide | 243

 Deploying the Harmony Endpoint Client on a Terminal Server / Remote Desktop Service

Deploying the Harmony Endpoint Client on a

Terminal Server / Remote Desktop Service
Prerequisites
n Disable Windows Defender manually on the Terminal Server. For more information, see sk159373.
n Make sure you have the uninstall password for the Endpoint Security client. For more information,
see "Installation and Upgrade Settings" on page 162.

Procedure
1. Install the Endpoint Security client package version E86.20 or higher to the Terminal Server. For
more information, see "Deploying Endpoint Clients" on page 22.
2. Enable the Terminal Server mode on the Endpoint Security client through one of these methods:
n Use the export package or Tiny Agent/ Initial Client:
a. Open the Command Prompt window in Administrator mode and run:
msiexec /i eps.msi TS=1 OR EndpointSetup.exe TS=1.
b. Once Client is installed, open the Registry Editor and navigate to
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security] and make sure that the value of the TSM key is dword:00000001.
n Manually change the registry:
a. Navigate to C:\Windows\Temp\<GUID> and run passdialog.exe file.
b. When prompted, enter the uninstall password.
c. Open Registry Editor and navigate to
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security. Add a new TSM key with the value dword:00000001.
d. Reboot the server.
3. Optional - By default,the Endpoint Security client is turned off in the notification area (system tray) for
all the users logged on to the server. This is to prevent sending notifications for a specific user action.
To turn on the Endpoint Security client icon in the notification area for a specific user:
a. Remove Self-Protection: Run the passdialog.exe file.
b. When prompted, enter the uninstall password.
c. Navigate to C:\Program Files (x86)\CheckPoint\Endpoint Security\UIFramework\Bin\ and run
the cptrayUI.exe file.

Harmony Endpoint Administration Guide | 244

 Best Practice to Enable Software Blades

Best Practice to Enable Software Blades

We recommend you to enable the Software Blade and the operating modes in the order shown in the table
below.
n Add exclusions before you enable a Software Blade.
n Enable the Software Blade on a test group before you enable it on the organization level.

Order Software Blade Operating Mode Applicable Group Level

1.1 Anti-Malware 1,2,3 Prevent Test

1.2 Prevent Organization

2.1 Forensics 4 Prevent Test

2.2 Off Organization

3.1 Anti-Ransomware and Behavioral Guard1,4 Detect Test

3.2 Detect Organization

3.3 Prevent Test

3.4 Prevent Organization

4.1 Threat Emulation 1,4 Prevent Test

4.2 Prevent Organization

5.1 Anti-Exploit 1,4 Detect Test

5.2 Detect Organization

5.3 Prevent Test

5.4 Prevent Organization

6.1 Anti-Bot 1,4 and URL Filtering 1 Detect Test

6.2 Detect Organization

6.3 Prevent Test

6.4 Prevent Organization

Harmony Endpoint Administration Guide | 245

 Best Practice to Enable Software Blades

Order Software Blade Operating Mode Applicable Group Level

7.1 Analysis and Remediation 1 High Test

7.2 High Organization

7.3 Always Test

7.4 Always Organization

1 Add exclusions before enabling the blade.

n For Citrix Anti-Malware, click here.

n For Microsoft Terminal Server Anti-Virus, click here.
n For FSLogix Anti-Virus, click here.
2 Schedule the scan during non-active period.

3 To add exclusions, see sk122706.

4 To add exclusions, see sk128472.

Harmony Endpoint Administration Guide | 246

 Recent Tasks

Recent Tasks
The running and the queued tasks appear in the Recent Tasks window at the top right of your screen.

Harmony Endpoint Administration Guide | 247

 Known Limitations

Known Limitations
These are the current known limitations for Harmony Endpoint:
n You cannot perform any action in SmartEndpoint during the download of the Endpoint Security client
package until the download is complete.
n Capsule Docs and Endpoint URL Filtering are not supported.
n When you create a new administrator, you cannot use the "Change password on next login" option.
n In SmartEndpoint reports, the IP address of the client may be wrong due to network hops.
n Use SmartEndpoint to switch to SmartConsole and SmartUpdate:

n Distributed Active Directory Scanner: The deletion of a user from an Active Directory is not detected
by the automatic scan and it is not reflected in the organizational tree.
n Unlock On LAN is not working. During Pre-boot, the client device cannot communicate correctly with
the server.
n These versions are not supported with Harmony Endpoint:
l E80.64 Endpoint Security client for macOS
l E80.71 Endpoint Security client for macOS
l E80.89 Endpoint Security client for macOS
n You cannot upgrade from E80.64, E80.71, E80.89 Endpoint Security for macOS clients to these
versions:
l E82.00 Endpoint Security client for macOS
l E82.50 Endpoint Security client for macOS

n When you create a new AD scanner, you cannot scan user certificates from Active Directory.
n In order to use WSL2 on Windows 10 and 11 with Harmony Endpoint installed you must alter your
firewall configuration. These changes apply only when you use the firewall blade. For additional
information please see sk177207

Harmony Endpoint Administration Guide | 248

 Revision History

Revision History
Date Description

07 June 2022 Updated "Configuring Clients for Non-Persistent Desktops" on page 226

17 May 2022 Updated "Viewing Computer Information" on page 61 about viewing click logs by IP
address.

17 May 2022 Updated "Adding Exclusions to Rules" on page 83

09 May 2022 Added information on Network URL Filtering in "Web & Files Protection" on page 71

4.May 2022 Added Disabling Incognito Mode, BrowserGuest Mode, and InPrivate Mode

31 March Added "Supported Operating Systems for the Endpoint Client" on page 20.
2022

07 March Added "Compliance" on page 143.

2022

04 March Added "Uninstalling Third-Party Anti-Virus Software Products" on page 41.

2022

03 March Added "Harmony Endpoint for Terminal Server / Remote Desktop Services" on
2022 page 242.

03 March SUSE Linux enterprise server (SLES) and OpenSUSE are supported only with the Anti-
2022 Malware blade. Refer "Harmony Endpoint for Linux Overview" on page 215.

25 February Added Managing Harmony Browse.

2022

25 February Updated "Configuring Clients for Non-Persistent Desktops" on page 226

2022

07 February Added "Customized Browser Block Pages" on page 160 to the "Client User Interface
2022 Settings" on page 159 topic.

28 January n Updated Managing Licenses.

2022 n Updated Web and Files Protection.

21 January Updated Helpdesk User roles.

2022

19 January Updated: Password Synchronization

2022

18 January Updated: Adding Exclusions to Rules

2022 Forensics, Anti-Ransomware, Anti-Bot, Threat Emulation Exclusions

Harmony Endpoint Administration Guide | 249

 Revision History

Date Description

11 January Updated: Client User Interface Settings

2022 Configuring the Threat Prevention Policy

9 January Updated: VDI Configure Clients for Non Persistent Desktops

2022

6 January Added: IOC Management

2022 Updated: Harmony Endpoint for Linux Overview
Harmony Endpoint for Linux Commands

5 January Updated: Getting Started

2022

4 January Removed: VDI-Appendix

2022 Updated: VDI-Assigning-Policies-to-VDI-Pools
VDI-Basic-Golden-Image-Settings
VDI Configure Clients for Non Persistent Desktops
VDI-Configure-Clients-for-Persistent-Desktops
VDI-Limitations
VDI-Overview
Introduction

3 January Updated: FileVault Encryption for

2022

2 January Updated: Policy Operation

2022

30 December Updated: Harmony Endpoint for Linux Overview

2021 Deploying Harmony Endpoint for Linux
Harmony Enpoint for Linux CLI Commands

22 December Updated: Configuring the Treat Prevention Policy

2021` Connected, Disconnected and Restricted Rules

21 December Updated: Harmony Endpoint for Linux Overview

2021

19 December Updated: Password Synchronization

2021

15 December Updated: Authentication before the Loads (Pre boot)

2021

13 December Added: Super Node

2021

12 December Added: VDI Overview

2021

11 December Updated: Adding Exclusions to Rules

2021

Harmony Endpoint Administration Guide | 250

 Revision History

Date Description

9 December Added: Policy Operation

2021

9 December Updated: Deploying Harmony Endpoint for Linux

2021

2 December Updated: Introduction

2021 Updated: Performing Push Operations
Updated: Deploying Endpoint Clients

29 November Updated: Performing Push Operations

2021

14 November Updated: Configuring Client Settings

2021 Updated: Connected, Disconnected and Restricted Rules
Added: Connection Awareness

10 November Updated: "Connected, Disconnected and Restricted Rules" on page 168

2021

07 November Updated: Active Directory Authentication

2021

04 November Updated: Client User Interface Settings

2021

03 November Updated: Introduction

2021 Updated: Setting Deployment Agent

02 November Updated: "Configuring the Endpoint Policy" on page 68

2021

01 November The Computer Management view on the left navigation panel was renamed to Asset
2021 Management
Updated: "Configuring the Endpoint Policy" on page 68

31 October Updated: "Configuring the Endpoint Policy" on page 68

2021

31 October Updated: "Client User Interface Settings" on page 159

2021

28 October Updated: "Configuring Full Disk Encryption" on page 92

2021

21 October Updated: Giving Remote Help to FDE Users

2021 Authentication before OS Loads Pre boot

14 October Updated: Deploying Endpoint Clients

2021

Harmony Endpoint Administration Guide | 251

 Revision History

Date Description

13 October Updated:
2021 Introduction

11 October Updated:"Configuring Media Encryption & Port Protection" on page 109

2021 "Advanced Settings for Media Encryption" on page 116
Media Encryption Remote Help
Media Encryption Access Rules

10 October Added:
2021 "Recent Tasks" on page 247

07 October Updated:
2021 "Known Limitations" on page 248
"Connected, Disconnected and Restricted Rules" on page 168

01 October Updated:
2021
n Adding Exclusions to Rules
n "Automatic Deployment of Endpoint Clients" on page 24
n "Remotely Installing the Initial Client" on page 36

26 Updated:
September
2021
n "Configuring Client Settings " on page 158

13 Updated:
September
2021
n "BitLocker Encryption for Windows Clients" on page 98

02 Added:
September
2021
n "User Authentication to Endpoint Security Clients (OneCheck)" on page 101
n "Configuring Client Settings " on page 158

31 August Added:
2021
n "Connected, Disconnected and Restricted Rules" on page 168
Updated:
n "Web & Files Protection" on page 71

05 August Added:
2021
n "Token-Limited Installation" on page 23
Updated:
n "Manual Deployment" on page 28

14 July 2021 Updated:

n "Managing Users in Harmony Endpoint" on page 54
n "Developer Protection" on page 141

Harmony Endpoint Administration Guide | 252

 Revision History

Date Description

22 April 2021 Rebranded the product name across the Administration Guide - from SandBlast Agent
to Harmony Endpoint

06 April 2021 Updated:

n "Exporting Logs" on page 201

29 March Added:
2021
n "Application Control" on page 133

22 March Updated:
2021
n "Configuring Client Settings " on page 158
n "Harmony Endpoint for Linux" on page 214

11 March Added:
2021
n "Configuring Media Encryption & Port Protection" on page 109
Updated:
n "Viewing Computer Information" on page 61
n "Exporting Logs" on page 201

25 February Updated:
2021
n Registering to the Infinity Portal
n "Creating a New Endpoint Management Service" on page 17
n "Managing Firewall Objects and Groups" on page 127
n "Monitoring Harmony Endpoint Deployment and Policy" on page 42

23 February Rebranded the product name.

2021 Updated:
n "Configuring Client Settings " on page 158

22 February Added:
2021
n "Harmony Endpoint for Linux" on page 214

08 February Updated:
2021
n "Managing Licenses" on page 51
n "BitLocker Encryption for Windows Clients" on page 98
n "Monitoring Harmony Endpoint Deployment and Policy" on page 42
n "Performing Push Operations" on page 205

07 January Added
2021
n "Firewall" on page 123

Harmony Endpoint Administration Guide | 253

 Revision History

Date Description

11 November Added:
2020
n "Remote Installation of Initial Client" on page 33
n "Threat Hunting" on page 210
Updated:
n "Exporting Logs" on page 201

04 November First release of this document.

2020 The Harmony Endpoint service in the Infinity Portal was updated.
This Harmony Endpoint Administration Guide replaces these:
n Harmony Endpoint Management Platform Administration Guide
n Harmony Endpoint Cloud Management Platform Administration Guide

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments to our Technical Writers.

Harmony Endpoint Administration Guide | 254