As of yet, I have not heard what the official installation procedure should be considering the content of this Knowledgebase article, which indicates that Server 2019 no longer plays nice by disabling its internal antivirus and firewall components when 3rd party security clients are installed.
I had not seen or heard of this behavior before installing CPEP on a Windows Server 2019 VM hosting our Blackberry UEM MDM platform, so CPEP went in on top of the MS components. I have since only disabled the Windows Defender Firewall for just the "domain" network profile for that VM.
The SK also mentions that this can be done "via GPO" but does not cover how. (caveat, I have yet to, but will fully read through the whole admin guide and whatever other documentation I can find for the latest releases of CPEP to see if it is covered there and will report back if I have a definitive answer)
Which somewhat ambiguously seems to state that you can uninstall Windows Defender completely using the Add Remove Roles and Features Wizard, after suggesting earlier in the post that removing the feature components only removes the user interface.
Anyway, would anyone from Check Point proper like to suggest the specific steps one should take if we intend to deploy CPEP to even a newly built Windows 2016 or 2019 server with nothing but the OS installed yet?
Also, regarding the aforementioned Blackberry UEM server: I deployed the client while actually working with CP support on a Zoom remote support session. I happened to notice that Windows Firewall was still running during the same remote session; I was told at that stage that the wscsvc service was removed in the OS and this is Microsoft's doing and by their design. At the end of the day I am therefore at a disadvantage in the case of this specific production server if I was supposed to turn off Windows Defender Anti-Malware BEFORE installing CPEP.
So, a specific question: did I break anything by having installed CPEP on a Windows Server 2019 machine before "turning off" Windows Defender Anti-Malware? I would assume not if the TAC engineer did not indicate this, but I want to be sure. Once I know what the correct "turn off" method is for Defender per CP, I just hope there is nothing I need to worry about having done things in the wrong order.
I would be interested to hear anyone's experiences with CPEP and Windows Server 2016 / 2019 and whether you noticed any issues, or whether you realized that Windows Defender components were still running.
I have not tried removing the Windows Defender Feature yet. I will try that now, but if there is a best practice way of disabling any Windows based security client components that might interfere with any of the full set of CPEP blades (via GPO) I would like to know.
Disabling Windows Defender Anti-Malware and Windows Defender Firewall is needed for Windows Server 2016/2019 machines only, if you plan to install Endpoint Security client on it with Anti-Malware and Firewall Blades.
If you wish to mass disable Windows Defender Firewall\uninstall Windows Defender Anti-Malware - PowerShell scripts can be used from the instructions above for all Windows Servers 2016\2019. The scripts can be applied via GPO.
Yes, on Windows 10 machines, in case Endpoint Security Firewall or\and Endpoint Security Anti-Malware blades are installed - Windows Defender (AV) or\and Firewall will be turned off (this is done with wscsvc (Windows Security Service) service that must be running, which is absent in Windows Server 2016 and 2019, as per Solution section in SK159373 mentioned above).
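To see which of the Windows components discussed above are still active on a given server, a read-only audit like the following can be run before and after the Endpoint Security client is installed. This is an added example, not one of the scripts from the SK and not Check Point's code; the function name `Get-DefenderOverlapReport` is hypothetical, and the cmdlets and service names are the standard Windows ones.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Run in a PowerShell session on the server being checked.

function Get-DefenderOverlapReport {
    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # wscsvc is the service the thread says is absent on Server 2016/2019.
    $wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    $report.WscsvcPresent = [bool]$wsc
    $report.WscsvcStatus  = if ($wsc) { $wsc.Status.ToString() } else { 'NotInstalled' }

    # Windows Defender Antivirus service state (WinDefend).
    $av = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $report.DefenderAvService = if ($av) { $av.Status.ToString() } else { 'NotInstalled' }

    # Real-time protection state; the cmdlet is missing or fails
    # once the Defender feature has been removed, so report $null then.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $report.RealTimeProtection = [bool]$mp.RealTimeProtectionEnabled
    } catch {
        $report.RealTimeProtection = $null
    }

    # Server editions only: which Windows Defender features are still installed?
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $report.DefenderFeatures = (Get-WindowsFeature -Name 'Windows-Defender*' |
            Where-Object Installed |
            Select-Object -ExpandProperty Name) -join ','
    }

    # Windows Defender Firewall profiles that are still enabled.
    $report.FirewallProfilesOn = (Get-NetFirewallProfile |
        Where-Object { $_.Enabled -eq 'True' } |
        Select-Object -ExpandProperty Name) -join ','

    [pscustomobject]$report
}

Get-DefenderOverlapReport | Format-List
```

An empty `FirewallProfilesOn` together with `DefenderAvService` of `NotInstalled` or `Stopped` means neither Windows component is running alongside the Firewall and Anti-Malware blades.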
Hi Kiril, we've recently started pushing out endpoint client upgrades to users who are on older versions to E84.00, and some users have reported they are getting a Windows Security popup after the update. Any idea why it might be coming?
Yes, the popup is related to Windows Defender Firewall and the Mitel Connect application, but is it not supposed to happen when the endpoint client is installed? We thought the Windows Firewall service is turned off by the Check Point endpoint client.
I have seen this behavior on Windows Server 2016 and 2019 because (from what both TAC and development have told me) Microsoft removed the API call to hand off control of firewall and antimalware to third party products at install time. You need to manually disable them. Windows 10 however still plays nice and the Windows Security panel will indicate who is providing firewall and antivirus services. Take a look at that and see if it mentions Check Point as providing firewall. If so, that is an even more strange occurrence considering the dialog box you saw.
To give some context here is what I'm trying to accomplish.
I want to create a config profile to push to my Mac users for the Checkpoint Endpoint VPN client without having it install the Checkpoint firewall app.
Whatever package I download from Checkpoint (the pkg, the dmg, the zip), it seems the Checkpoint firewall app is bundled into the installer. I've tried going the Composer route to run the installation of the endpoint VPN client, then deleting the firewall app, but it looks like starting with version 84.30 the plist and configuration files don't push out, so I can't replicate that install from the created pkg from Composer to other machines.
I recognize this is a query from the summer, but I'm curious if you found any success? I'm in the exact same boat, and while I included commands to remove the Endpoint application, I now have users who are being tormented by a system extension message that appears every 5 minutes. I've opened a ticket with their support team, but I often find more complete answers here.
I have used this script and it worked flawlessly, great script. But somehow the Checkpoint agent is not taking the configurations deployed through Jamf Pro, i.e., the IP/hostname it needs to connect. Any suggestions, please?
I am trying to pair a Philips Heartstart MRX device to a Panasonic Toughbook CF-19, running Windows 10 and Endpoint 80.82. I have a third party Bluetooth driver installed, due to the increased security settings in Windows 10 and Bluetooth sharing. The MRX is very old school, and they are no longer making them. The MRX is the device that initiates the connection to the laptop, and sends a passcode to it. You get a prompt like you should, but the area where you can input the passcode is simply stripped out. Media and Port Encryption is 100% not enabled in the application, but it still should be active at the driver level, and therein lies the possible problem. I don't think I am going to find much documentation on this. Does anyone know if this would be supported? I have not tested to confirm, but I believe this could work with Windows 7 using the native Bluetooth drivers, which does have the sharing built in. To block the connection is one thing, but to strip out a passcode like this suggests to me that this is not supported, or there is a conflict/incompatibility of some kind. We have compliance, full SandBlast suite, FDE, and anti-malware enabled. Without the Checkpoint software installed, this does work as expected. My plan forward is as follows.
I am going to continue with this path, and disable each blade one by one in the policy (since in deployment if I disable SandBlast, it shuts them all down at once), and see if it works. Then I guess I can also go to disable the blade in deployment as well, if the no policy idea does the trick. This would allow me to find the problem active blade, if it exists. If not, I am going to find out what driver is being used, and push this up to CP TAC and/or R&D. I will probably have to engage them in either case. Anyone else have any thoughts/ideas?
Hi Marina, you saved me the time of going through and disabling each blade one by one. It was an order of operations issue. The Bluetooth drivers came along first. If you remove everything, and then install Checkpoint, and then the Bluetooth drivers, it works as expected.
Was the Bluetooth driver installed before or after Endpoint Client has been deployed to the machine? The direction to eliminate what Endpoint Blade can be related seems absolutely correct to me. I would suggest to open a Support ticket and get help from TAC team on investigation.
I don't work much on Harmony Endpoint, so figured I would post a customer's question here to see if anyone knows. We opened a TAC case, but are still waiting for a response. I looked myself everywhere on the portal options and through policy, but could not find anything that would cover the request.
Does Check Point have the ability to track the software installed on our endpoints?
We're looking at having a list of allowed software, and then to have alerting set up when an endpoint is in violation of the allowed software policy.
Can you also generate a daily/periodic report on newly installed software? I don't know if this is feasible and/or if a list like this would be extremely large, but we would like to see if something like that is possible, to see if either a user or a malicious actor is installing software on any of our endpoints.