0% found this document useful (0 votes)

90 views606 pages

CP Harmony Endpoint AdminGuide

Uploaded by

jolorkad

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

90 views606 pages

CP Harmony Endpoint AdminGuide

Uploaded by

jolorkad

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 606

25 June 2024

HARMONY ENDPOINT
EPMAAS

Administration Guide
Check Point Copyright Notice
© 2020 - 2024 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party
licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-
date with the latest functional improvements, stability fixes, security
enhancements and protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.

Latest Version of this Document in English

Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Document Title Description

Endpoint Security Client for Windows User Guide Provides the end-user instructions on
how to use the Endpoint Security
Client installed on Windows
endpoints.

Endpoint Security Clients for macOS User Guide Provides the end-user instructions on
how to use the Endpoint Security
Client installed on macOS endpoints.

Harmony Endpoint Security for Windows MDM Describes how to deploy the Endpoint
Deployment Guide Security Client on Windows endpoints
using a device management system.

Harmony Endpoint Security for macOS MDM Describes how to deploy the Endpoint
Deployment Guide Security Client on macOS endpoints
using a device management system.
Revision History

Date Description

24 June 2024 Added "Downloading Forensics Reports" on page 522.

19 June 2024 Added:

n "Data Loss Prevention" on page 409.
n Data Loss Prevention column in "Supported
Browsers for the Browser Extension" on page 63.

6 May 2024 Updated "Configuring Alerts" on page 104 to add

"Advanced Alerts" on page 107

2 May 2024 Added Client Language for Default Client User Interface.
See "User Interface" on page 390

26 April 2024 Added video tutorial for automatic patch updates. See
"Detecting Common Vulnerabilities and Exposures" on
page 384.

18 April 2024 Updated Disable Capabilities in "General" on page 395.

Added Advanced Capabilities. See "Web & Files

Protection" on page 224 and "Configuring the Threat
Prevention Policy" on page 213.

16 April Added:
2024
n Using Reconnect tool without uninstall password.
See "Without Client Uninstall Password
(Recommended) " on page 56
n Helpdesk Level 3. See "Specific Service Roles" on
page 48
n "Software Deployment Policy Template" on page 596
for MSSP.

19 March Added "Templates for Child Accounts" on page 590

2024 (MSSP).

13 March Added:
2024
n Enable patch updates (Automatic Patch Updates).
See Detecting Common Vulnerabilities and
Exposures.
n Admin Comment column. See "Viewing Computer
Information" on page 149.
Date Description

13 February Added "License Violation" on page 47.

2024

22 January Added:
2023
n "Managing Microsoft Entra ID Scanners" on
page 459.
n "Viewing Device Hardware Information" on page 158
n Chained exclusions in "Smart Exclusions" on
page 265

18 December Added "Custom Settings" on page 231.

2023

7 December Added:
2023
n Video tutorial for Run Diagnostics. See "Performing
Push Operations" on page 491.
n "Appendix B - Uninstalling the Harmony Endpoint
Security Client (For macOS and Windows)" on
page 605

20 November n Updated supported regions for "Threat Hunting" on

2023 page 514.
n Added video tutorial for "Viewing Endpoint Posture"
on page 187.

17 November Added "Smart Exclusions" on page 265.

2023

31 October Added video tutorials for:

2023
n Automatic Deployment of Endpoint Clients "Using
the Tiny Agent" on page 68.
n Creating a Custom Dashboard. See "Viewing
Operational Overview, Security Overview and
Reports" on page 123.
n Generating Reports. See "Viewing Operational
Overview, Security Overview and Reports" on
page 123.

26 October Updated Managing Licenses for AWS Marketplace.

2023

10 October Added Helpdesk Level 1 and Helpdesk Level 2 Specific

9 August Updated Policy Mode. See "Configuring the Threat

2023 Prevention Policy" on page 213.

1 August Added Disable Notification. See "Zero Phishing" on

2023 page 231.
Date Description

28 July 2023 Added deploying the Endpoint Security Client "Using the
Vanilla Client" on page 73.

24 July 2023 Added:

n Schedule Report. See "Viewing Operational
Overview, Security Overview and Reports" on
page 123.
n "Adding a New VPN Site to an Exported Package" on
page 90.

20 July 2023 Added:

n Anti-Malware License Expiration Date column. See
"Asset Management View" on page 149.
n Anti-Malware client's license is about to expire
alert. See "Configuring Alerts" on page 104.

17 July 2023 Added Unified and Custom Dashboard. See "Viewing

Operational Overview, Security Overview and Reports" on
page 123.

12 July 2023 Added Exporting Virtual Groups. See "Managing Virtual

Groups" on page 452.

28 June 2023 Added Browser Status to the Table Filters and Column
Description. See "Asset Management View" on page 149.

20 June 2023 Added:

n Customs View. See "Viewing Computer Information"
on page 149.
n "Override Default Files Actions" on page 230.
n "Supported Browsers for the Browser Extension" on
page 63.

5 June 2023 Added "Reports for MSSP" on page 587.

31 May 2023 Added Scan Targets and Scan Target Exclusions. See
"Scan" on page 240.

.23 May 2023 Reconnect Tool is now supported for macOS with client
version E87.50 or higher. See "Reconnect Tool" on
page 55.
Date Description

11 May 2023 n Updated "Viewing Endpoint Posture" on page 187

and "Configuring Posture Assessment Settings" on
page 385 for patch management.
Note - Patch Management feature is available
only for customers in the Early Availability (EA)
program.
n Added information on US-DHS and EU regulations
compliant Anti-Malware blade. See "Anti-Malware
Settings" on page 101.
n Added new fields:
o Low memory mode. See "Advanced

Behavioral Guard & Anti-Ransomware

Settings" on page 248.
o Scan On Idle. See "Scan" on page 240.

19 April 2023 Added information about moving a device or user from one
virtual group to another. See "Managing Virtual Groups" on
page 452.

18 April 2023 Updated the Policy Mode settings. See "Configuring the
Threat Prevention Policy" on page 213.

6 April 2023 Added "Capabilities of Offline Endpoint Security Client" on

page 442.

3 April 2023 Added new Reports. See "Viewing Operational Overview,

Security Overview and Reports" on page 123.

29 March n Connection Awareness now supports macOS. See

2023 "Connection Awareness" on page 396.
n Added "Working with the Computers Table" on
page 157.

13 March n Added new columns: Threat Hunting Status and

2023 Threat Hunting Error Description. See "Viewing
Computer Information" on page 149.
n Added support for folder actions to the File Actions
push operation. See "Performing Push Operations"
on page 491.

08 March Harmony Endpoint supports macOS Ventura 13 operating

2023 system for endpoints. See "Supported Operating Systems
for the Endpoint Client" on page 59
Date Description

27 February n Added new feature "Sending Security Reports" on

2023 page 490.
n Added file size for Upload and emulate files under.
See "Emulation Environments" on page 229.

13 February n Added Custom Rules support for the Application

2023 Control policy. See "Configuring Application
Permissions in the Application Control Policy" on
page 362.
n Added "Show Last Diagnostics Report" on page 186

7 February n Added Policy Modes to "Configuring the Threat

2023 Prevention Policy" on page 213
n Added Anti-Bot and Threat EmulationAnti-Exploit
exclusions. See Adding Exclusions to Rules.

6 February n Added "Creating User Overrides (UserCheck)" on

2023 page 315.
n Added "Viewing Events" on page 326.
n You can allow all, essential or custom select the
ports. See "Port Protection" on page 338

31 January n Added information about the new feature Scan local

2023 HTML files. See "Credential Protection" on page 231.
n Added information about the new event Accessing a
local HTML file. See "Customized Browser Block
Pages" on page 391.
n Added information about the new feature Browser
Settings. See "Web & Files Protection" on page 224.

20 January Added a new Appendix. See "Appendix A - Deploying

2023 Harmony Endpoint Security Client using SCCM" on
page 604.

18 January Added information about how to manage widgets in the

2023 Security Dashboard for MSSP. See Security Dashboard.
Added a Detect & Alert to Password Reuse Protection.
See "Credential Protection" on page 231.

11 January Added information about downloading reports. See

2023 "Viewing Operational Overview, Security Overview and
Reports" on page 123.
Date Description

10 January Added information about Posture Management. See

2023 "Detecting Common Vulnerabilities and Exposures" on
page 384 and Viewing Endpoint Posture.
Note - This feature is available only to customers in the
Early Availability program.

29 December n Added "Authenticated Proxy" on page 395 , "Disable

2022 Capabilities" on page 398, and "Push Operations" on
page 401.
n Updated "Managing Licenses" on page 43.

06 December Remote Command, Isolate Computer and Release

2022 Computer push operations are supported for macOS-
based endpoints. See "Performing Push Operations" on
page 491.

01 December Added Initial Encryption information in "Check Point Disk

2022 Encryption for Windows" on page 293.

11 November Added a new information on optimizing the Harmony

2022 Endpoint security clients for servers. See "Optimizing the
Harmony Endpoint Security Client for Servers and Profiles"
on page 287.

23 November n Added a note about supported version for Run

2022 Diagnostics. See "Performing Push Operations" on
page 491.
n Updated Windows syntax for Anti-Ransomware and
Behavioral GuardForensics exclusions. See
Forensics -> Anti-Ransomware and Behavioral
Guard Exclusions.
n Added information about extensive data collection.
See "Advanced Behavioral Guard & Anti-
Ransomware Settings" on page 248.

22 November Added the Harmony Endpoint Security Client versions and

2022 policy mode supported for Block Volume Encryption tools
(BitLocker and Similar Tools). See "Behavioral Protection"
on page 245.

11 November Added information about Operational Overview. See

2022 "Viewing Operational Overview, Security Overview and
Reports" on page 123.
Date Description

09 November n Files Threat Emulation supports Detect, Prevent and

2022 Off modes. See "Files Protection" on page 235. This
is supported with Endpoint Security client version
E86.80 and higher.
n Added how to install remotely using third-party tools.
See "Remote Installation of Initial Client" on page 92.
n Added information about Run Diagnostics. See
"Performing Push Operations" on page 491.
n Added a note to Randomize scan time in VDI. See
"Configuring Clients for Persistent Desktops" on
page 535.

4 November Added supported file types for Threat Emulation. See

2022 "Download (Web) Emulation & Extraction " on page 226.

21 October Added information about Security view for MSSP. See

2022 Security.

18 October n Added information about Token-Limited Installation.

2022 See "Manual Deployment" on page 80 and
"Installation Token" on page 67.
n You can export operational and threat analysis
reports to review and take appropriate counter
measure. See Exporting Reports.

14 October Updated Asset Management view. See "Viewing Computer

2022 Information" on page 149.

10 October Added support for the Endpoint Security client deployment

2022 on Linux. See "Automatic Deployment of Endpoint Clients"
on page 68 and "Manual Deployment" on page 80.

03 October Added a limitation related to Shared Signature Server for

2022 non-persistent desktops. See "Limitations" on page 549.

30 Updated"Files Protection" on page 235 for the supported

September archive file formats by the Anti-Malware scan in the E1 and
2022 E2 blades.

13 Added information about filters. See "Viewing Computer

September Information" on page 149.
2022
Date Description

01 Added information about Search and Fetch files, Registry

September Actions, File Actions, VPN Site, Collect Process push
2022 operations. See "Viewing Computer Information" on
page 149 and "Performing Push Operations" on page 491.

25 August n Added information that you can now share a

2022 download link with users to download the Tiny Agent.
See "Automatic Deployment of Endpoint Clients" on
page 68.
n Added a new method to add exclusions from Security
Overview. See Adding Exclusions from Security
Overview.

28 July 2022 Added information about Delete, Recover, and Terminate

computer actions. See "Viewing Computer Information" on
page 149.

27 July 2022 Updated "Viewing Computer Information" on page 149 for

2FA authentication to perform push operation.

26 July 2022 Added support for sending forensics data to third-party data
analytics tool. See "Sending Forensics Data to Third-Party
Analytics Tool" on page 522.

22 July 2022 Added supported for migrating an on-premise Harmony

Endpoint database to Harmony Endpoint on Infinity Portal.
"Migrating an On-premises Security Management Server to
Harmony Endpoint" on page 64.

18 July 2022 Updated Adding Exclusions to Rules for the new method to
add and edit an exclusion.

14 July 2022 Updated "Uninstalling Third-Party Anti-Virus Software

Products" on page 121
Date Description

13 July 2022 n Added information about the new "Web & Files
Protection" on page 224.
n Added three new options for "Web & Files Protection"
on page 224.
n Added information about the new Easy Unlock
feature. It allows you to Accept or Reject a Network
One-Time Logon request or a Network Password
Change request from a user who has forgotten the
login credentials of the endpoint or the endpoint is
locked due to invalid login attempts using incorrect
credentials.
Note - This feature is available only to customers in
the Early Availability program.

20 June 2022 Added automatic deployment information for macOS and

Linux. See "Automatic Deployment of Endpoint Clients" on
page 68.

07 June 2022 Updated "Configuring Clients for Non-Persistent Desktops"

on page 539

17 May 2022 Updated "Viewing Computer Information" on page 149

about viewing click logs by IP address.

17 May 2022 Updated Adding Exclusions to Rules

09 May 2022 Added information on Network URL Filtering in "Web &

Files Protection" on page 224

2021 Authentication before OS Loads Pre boot

14 October Updated: Deploying Endpoint Clients

2021

13 October Updated:
2021 Introduction

11 October Updated:"Configuring Media Encryption & Port Protection"

2021 on page 310
"Advanced Settings for Media Encryption" on page 331
Media Encryption Remote Help
Media Encryption Access Rules

10 October Added:
2021 "Recent Tasks" on page 602
Date Description

07 October Updated:
2021 "Known Limitations" on page 603
"Connected, Disconnected and Restricted Rules" on
page 402

01 October Updated:
2021
n Adding Exclusions to Rules
n "Automatic Deployment of Endpoint Clients" on
page 68
n "Remotely Installing the Initial Client" on page 97

26 Updated:
September
2021
n "Configuring Client Settings " on page 389

13 Updated:
September
2021
n "BitLocker Encryption for Windows Clients" on
page 299

02 Added:
September
2021
n "User Authentication to Endpoint Security Clients
(OneCheck)" on page 302
n "Configuring Client Settings " on page 389

31 August Added:
2021
n "Connected, Disconnected and Restricted Rules" on
page 402
Updated:
n "Web & Files Protection" on page 224

05 August Added:
2021
n "Installation Token" on page 67
Updated:
n "Manual Deployment" on page 80

14 July 2021 Updated:

n Managing Users in Harmony Endpoint EPMaaS
n "Developer Protection" on page 368
Date Description

22 April 2021 Rebranded the product name across the Administration

Guide - from SandBlast Agent to Harmony Endpoint

06 April 2021 Updated:

n "Exporting Logs" on page 487

29 March Added:
2021
n "Application Control" on page 356

22 March Updated:
2021
n "Configuring Client Settings " on page 389
n "Harmony Endpoint for Linux" on page 525

11 March Added:
2021
n "Configuring Media Encryption & Port Protection" on
page 310
Updated:
n "Viewing Computer Information" on page 149
n "Exporting Logs" on page 487

25 February Updated:
2021
n Registering to the Infinity Portal
n "Creating a New Endpoint Management Service" on
page 43
n "Managing Firewall Objects and Groups" on
page 346
n "Configuring Alerts" on page 104

23 February Rebranded the product name.

2021 Updated:
n "Configuring Client Settings " on page 389

22 February Added:
2021
n "Harmony Endpoint for Linux" on page 525
Date Description

08 February Updated:
2021
n Managing Licenses
n "BitLocker Encryption for Windows Clients" on
page 299
n "Configuring Alerts" on page 104
n "Performing Push Operations" on page 491

07 January Added
2021
n "Firewall" on page 352

11 November Added:
2020
n "Remote Installation of Initial Client" on page 92
n "Threat Hunting" on page 514
Updated:
n "Exporting Logs" on page 487

04 November First release of this document.

2020 The Harmony Endpoint service in the Infinity Portal was
updated.
This Harmony EndpointAdministration Guide replaces
these:
n Harmony Endpoint Management Platform
Administration Guide
n Harmony Endpoint Cloud Management Platform
Administration Guide
Table of Contents

Harmony Endpoint EPMaaS Administration Guide | 31

Table of Contents

Result 437
Specific Event 437
Result 437
Specific Event 437
Result 438
Specific Event 438
Result 438
Specific Event 439
Result 439
Specific Event 439
Result 439
Import or Export Policies 440
Overview 440
Limitations 440
Prerequisites 440
Exporting Policies 441
Importing Policies 441
Capabilities of Offline Endpoint Security Client 442
Performing Data Recovery 444
Check Point Full Disk Encryption Recovery 445
BitLocker Recovery 448
FileVault Recovery 449
Managing Virtual Groups 452
Managing Active Directory Scanners 457
Supported Directory 457
Prerequisite 457
Managing Microsoft Active Directory Scanner 457
Organization Distributed Scan 457
Full Active Directory Sync 458
Managing Microsoft Entra ID Scanners 459

Harmony Endpoint EPMaaS Administration Guide | 32

Table of Contents

Table of Contents

Contracts 583
Accounts Info 583
Accounts Contracts Distribution 584
Contracts by Accounts 584
Contract Details Table 584
Contract Status Report 585
Sending an Email to Account on Contract Status 586
Reports for MSSP 587
Global Exclusions 588
Adding Global Exclusions using Legacy Exclusion 588
Adding Global Exclusions using Smart Exclusion 589
Syncing Exclusions with Child Accounts 590
Templates for Child Accounts 590
Use Case 590
Benefits 591
Threat Prevention Policy Template 591
Creating a Threat Prevention Policy Template 591
Attaching the Threat Prevention Policy Template to a Child Account 592
Viewing the Accounts Attached to a Template 594
Software Deployment Policy Template 596
Creating a Software Deployment Policy Template 596
Attaching the Software Deployment Policy Template to a Child Account 597
Viewing the Accounts Attached to a Template 598
Smart App Control 601
Recent Tasks 602
Known Limitations 603
Appendix 604
Appendix A - Deploying Harmony Endpoint Security Client using SCCM 604
Step 1: Create the Harmony Endpoint Windows Application in SCCM 604
Step 2: Deploy the Harmony Endpoint Windows Application in SCCM 605

Harmony Endpoint EPMaaS Administration Guide | 37

Table of Contents

Appendix B - Uninstalling the Harmony Endpoint Security Client (For macOS and
Windows) 605

Harmony Endpoint EPMaaS Administration Guide | 38

Introduction to Harmony Endpoint EPMaaS

Introduction to Harmony Endpoint

EPMaaS
Harmony Endpoint EPMaaS (Endpoint Management as a Service) is the cloud service to
manage policies and deployments for Endpoint Security and Harmony Browse clients (for
more information on Harmony Browse, see Harmony Browse Administration Guide).
Harmony Endpoint supports the management of these components:
n Threat Prevention
n Data Protection
n Media Encryption & Port Protection
n Firewall
n Application Control
n Developer Protection
n Compliance
n Software Deployment
Harmony Endpoint supports up to 400,000 endpoint clients.

Note - Google Chrome is the recommended browser for the Harmony Endpoint
Administrator Portal.

Harmony Endpoint EPMaaS Administration Guide | 39

Getting Started

Getting Started
To get started with Harmony Endpoint:
1. Create an account in Infinity Portal
2. Assign Specific Service Roles to Users
3. Access the Harmony Endpoint Administrator Portal
4. License the product
5. Create a New Endpoint Management Service

6. Getting Started Walkthrough Wizard

7. Deploying Harmony Endpoint Client
8. Configuring Harmony Endpoint Policy

Creating an Account in the Infinity Portal

Check Point Infinity Portal is a web-based interface that hosts the Check Point security SaaS
services. With Infinity Portal, you can manage and secure your IT infrastructures: networks,
cloud, IoT, endpoints, and mobile devices.
To create an Infinity Portal account, refer to Infinity Portal Administration Guide.

MSSP Account
Harmony Endpoint supports an interface for Managed Security Service Providers (MSSP) to:
n Create and manage (pause, stop, start and restart) the service of their child accounts
n View general statistics about their child accounts
n View operational statistics about their child accounts
n View contract details of their child accounts
To convert an existing account to MSSP account, refer to Infinity Portal Administration Guide.
To create a new MSSP account and to add child accounts, refer to Infinity Portal
Administration Guide.
To manage your MSSP and its child accounts, see "Managed Security Service Providers
(MSSP)" on page 563.

Harmony Endpoint EPMaaS Administration Guide | 40

Accessing the Harmony Endpoint Administrator Portal

Accessing the Harmony Endpoint Administrator

Portal
Note - The Harmony Endpoint Administrator portal (in the Infinity Portal) is supported
only through the Google Chrome browser.

To access the Harmony Endpoint Administrator Portal:

1. Sign in to the Infinity Portal.

2. Click the Menu button ( ) in the top left corner.

3. Under Harmony, click Endpoint.

4. If you are accessing the portal for the first time, do one of these:

Harmony Endpoint EPMaaS Administration Guide | 41

Accessing the Harmony Endpoint Administrator Portal

n If you already have a Check Point contract, click Already have a contract? to
attach the contract to the product. For more information, see Associated Accounts
in the Infinity Portal Administration Guide.
n If you want to trial the product, click Start free trail.
If you have already attached the contract with the product, the Harmony Endpoint Getting
Started appears.

Harmony Endpoint EPMaaS Administration Guide | 42

Creating a New Endpoint Management Service

After you registered to Harmony Endpoint, you must set your Endpoint Management Service
to be able to manage your Endpoint clients. An administrator can create and deploy one virtual
Endpoint Management service per account.

To create a New Endpoint Management Service:

1. From the left navigation panel, click the Service Management view.
2. Click New Endpoint Management Service and enter the information in these fields:
n Connection Token - Select your Endpoint Management Service name for this
account. Use the Connection Token when you connect to SmartEndpoint
Management Console.
The Connection Token:
l Must consist of 2-16 characters: uppercase letters (A-Z), lowercase letters (a-
z), numbers (0-9), or hyphens (-).
l Must not start with a hyphen (-).
n Hosting Site - The cloud location where the Endpoint Management Service is
deployed. This information is derived from your selection of data residency region
when you created the account. See Creating an Account in the Infinity Portal.
3. Click Create.

The deployment process starts.

You can monitor the deployment process in the portal. The portal sends an email on
completion.

Managing Licenses
User Center
When you create an account in the Infinity Portal and access the service, you get a free 30-day
trial. After the 30-day trial period, you must purchase a software license to use the product. To
purchase a license, you must create a Check Point User Center account.
Once you create a User Center account, contact your Check Point sales representative to
purchase a license.

Harmony Endpoint EPMaaS Administration Guide | 43

Creating a New Endpoint Management Service

To extend the trial period

1. Log in to the Check Point User Center.

2. If you do not have a User Center account, go to My Check Point > My accounts and
create a new User Center account.
3. Go to My Check Point > Product Center.
4. In the Product Center, go to the Evaluations tab.
5. Select Other Evaluation Option and click Select a product.
The Other Evaluation Options window opens.
6. Select CP-HAR-EP-COMPLETE-EVAL or CP-HAR-EP-ADVANCED-EVAL from
the drop-down list and click Select.

7. Click Next
8. In the Provide Evaluation Info section that opens, fill in these details:
a. User Center Account
b. Email Address
c. Evaluation Product will be used by
d. Purpose of Evaluation
9. Click Get Evaluation.
A confirmation notice is received that the product was successfully added to your User
Center account.

Harmony Endpoint EPMaaS Administration Guide | 44

Creating a New Endpoint Management Service

Click the link in the confirmation notice to view the license in the Product Center.

10. In the Product Center, go to Selected Account and select the account to which the
license was added.
11. Select the license and click the License button above the list of the licenses.

12. Under License Information, select the License for Cloud Management checkbox.

Harmony Endpoint EPMaaS Administration Guide | 45

Creating a New Endpoint Management Service

13. If you have not subscribed to the VPN feature (Check Point Security Gateways are not
used for client VPN), then click License.
14. If you have subscribed to the VPN feature that uses Check Point Security Gateways
for client VPN, then in the IP Address field for CPSB-SB-EP-VPN, replace
164.100.1.8 with the IP address of the Gateway Security Management System and
then click License.

Amazon Web Services Marketplace

Use the Amazon Web Services credit to purchase the Harmony Endpoint license from
Amazon Web Services Marketplace.

Activating the License

To activate a license

1. In Harmony Endpoint Administrator Portal, go to Global Settings > Services and

Contracts.
At the upper-right of the screen, click Link a User Center Account.

The Attach Accounts window opens.

2. Enter your User Center credentials, select the Account and click Next.
3. Select the license to apply and click Finish.
Your license appears in the Service and Contracts page.

Note- If you already have an associated account and wish to add another
license, go to Global Settings > Service and Contracts. At the upper-right of
the screen, click Manage Accounts and use the sync option to refresh the
license.

4. To see your license information, go to the Endpoint Settings > Licenses.

5. To synchronize your license information, click Sync and then click CONFIRM.

Harmony Endpoint EPMaaS Administration Guide | 46

Creating a New Endpoint Management Service

License Violation
Harmony Endpoint notifies you about the license violations, such as expiry and exceeded
permitted seats.
Depending on the level of violation, the system sends these notifications and takes these
actions:
n Email and top banner
n Email, top banner and pop-up window
n Top banner, pop-up window and disables policy configuration¹
n Top banner, pop-up window, disables policy configuration¹ and disables new
installations²

¹ All the configuration in the Policy menu is read-only except Export Package and
Export/Import Policies. The Save button is disabled, however, previously saved changes can
be installed.
² All the configuration in the Policy menu is read-only except Export Package and
Export/Import Policies. The Save and Install buttons are disabled.

Harmony Endpoint EPMaaS Administration Guide | 47

Getting Started Walkthrough Wizard

After you successfully deploy a service, go to Overview > Getting Started and follow the
instructions on the screen.

Specific Service Roles

Harmony Endpoint supports specific service roles. The specific service roles are in addition to
the global rules and do not override them. For more information, see Specific Service Rules in
the Infinity Portal Administration Guide
To access Specific Service Roles, go to Global Settings > Users > New > Add User and
expand Specific Service Roles.

Role Description

Admin Full Read & Write access to all system aspects.

Read-Only Has access to all system aspects, but cannot make any changes.
User

Helpdesk Has Read-only access to the service and Data Protection.

Level 1 Has Read & Write access to computer actions and Logs.

Helpdesk Has the same access as Helpdesk Level 1 and, in addition, full access to
Level 2 Repair Client and Forensics and Remediation Push Operations.

Harmony Endpoint EPMaaS Administration Guide | 48

Getting Started Walkthrough Wizard

Role Description

Helpdesk Has the same access as Helpdesk Level 2 and, in addition, full access to
Level 3 Manage Virtual Groups and Read-Only access to Software Deployment
Policies.

Log Only Has full access to the Logs tab.

User Has no access to other features.

Power User Has full Read & Write access to the Harmony Endpoint EPMaaS service, but
cannot control the service.

Remote Helps Full Disk Encryption and Media Encryption users with access to
Help User encrypted media.

except ad & & & Permi Permi & ad-
Remedi & Write Write Write ssion ssion Write Onl
ation Writ y
e

Harmony Endpoint EPMaaS Administration Guide | 53

Getting Started Walkthrough Wizard

Ad Helpd Helpd Helpd Remo Re

Tab on Log
min esk esk esk te Power ad-
Left Section Only
Us Level Level Level Help User Onl
Panel User y
er 1 2 3 User

Endpoi All Re No No No No No Read Re

nt ad Permi Permi Permi Permi Permi & ad-
Setting & ssion ssion ssion ssion ssion Write Onl
s Writ y
e

Service All Re No No No No No Read Re

Manag ad Permi Permi Permi Permi Permi & ad-
ement & ssion ssion ssion ssion ssion Write Onl
Writ y
e

Service Re No No No No No No Re
Actions ad Permi Permi Permi Permi Permi Permi ad-
(Restart, & ssion ssion ssion ssion ssion ssion Onl
pause or Writ y
terminat e
e the
service)

Threat All Re No No No No No Read Re

The Reconnect tool runs and reconnects endpoints to the new Endpoint Management Server.

With Client Uninstall Password

To use the Reconnect tool using the uninstall password on the computer:

1. Log in to the Endpoint Manager Server to which you want to connect your Endpoint
Security clients.
2. Go to Service Management and under Reconnect Tool, click For macOS to download
the reconnect_tool_for_macOS.zip file.
3. Distribute the zip file to the endpoints.
4. On the endpoint, unzip the file.
The unzipped folder contains the EPReconnect tool.
5. Do one of these:
n To run the Reconnect tool on a terminal server, run:
<path to the Reconnect
tool>/EPReconnectTool.app/Contents/MacOS/EPReconnectTool --
enter-password

Harmony Endpoint EPMaaS Administration Guide | 57

Reconnect Tool

n Double-click the EPReconnect tool.

A prompt appears. Enter the uninstall password.
The Reconnect tool runs and reconnects endpoints to the new Endpoint Management Server.

Harmony Endpoint EPMaaS Administration Guide | 58

Reconnect Tool

Supported Operating Systems for

the Endpoint Client
Microsoft Windows
Microsoft Windows

Version Editions Supported starting from

11 23H2 Enterprise Pro Endpoint Security Client E87.62

11 22H2 Enterprise Pro Endpoint Security Client E86.70

11 21H2 Enterprise Pro Endpoint Security Client E85.40

10 22H2 Enterprise Pro EA support: Endpoint Security Client E86.80

GA support: Endpoint Security Client E87.00

10 LTSC (version 21H2) Enterprise Pro Endpoint Security Client E86.00

10 21H2 Enterprise Pro Endpoint Security Client E86.00

10 21H1 (version 2103) Enterprise Pro Endpoint Security Client E85.00

10 20H2 (version 2009) Enterprise Pro Endpoint Security Client E85.00

10 20H1 (version 2004) Enterprise Pro Endpoint Security Client E85.00

10 19H2 (version 1909) Enterprise Pro Endpoint Security Client E85.00

10 19H1 (version 1903) Enterprise Pro Endpoint Security Client E85.00

10 LTSC (version 1809) Enterprise Pro Endpoint Security Client E85.00

10 (version 1809) Enterprise Pro Endpoint Security Client E85.00

10 (version 1803) Enterprise Pro Endpoint Security Client E85.00

10 (version 1709) Enterprise Pro Endpoint Security Client E85.00

10 LTSB (version 1607) Enterprise Pro Endpoint Security Client E85.00

8.1 Update 1 Enterprise Pro Endpoint Security Client E85.00

7 SP1 Enterprise Endpoint Security Client E85.00

Microsoft update KB3033929 Professional

Harmony Endpoint EPMaaS Administration Guide | 59

Reconnect Tool

Notes:
n For existing Endpoint Security deployments, before upgrading your OS version,
you must first upgrade the Endpoint Security Client to a version that supports
the desired OS version based on the table above.
n For additional information on Windows 7 support, refer to sk164006.
n Windows Operating Systems are supported according to Check Point Client
Support life cycles, also on Virtual Machines. However, there is no dedicated
QA process for all possible variants of Windows. If you encounter a specific
issue related to a different edition of a supported Windows OS version, Check
Point will provide best-effort support through R&D assistance.

Microsoft Windows Server

Supported
Version Editions Supported Features
starting from

2022 64-bit All E85.40 Compliance, Anti-Malware, Firewall, Application Control, Forensics, Anti-
Ransomware, Anti-Bot, Threat Emulation, Capsule Docs (Standalone
Client), Media Encryption and Port Protection.

2019 64-bit All E85.00 Compliance, Anti-Malware, Firewall, Application Control, Forensics, Anti-
Ransomware, Anti-Bot, Threat Emulation, Capsule Docs (Standalone
Client), Media Encryption and Port Protection.

2016 64-bit All E85.00 Compliance, Anti-Malware, Firewall, Application Control, Forensics, Anti-
Ransomware, Anti-Bot, Threat Emulation, Capsule Docs (Standalone
Client).

2012 R2 64-bit All E85.00 Compliance, Anti-Malware, Firewall, Application Control, Forensics, Anti-
Ransomware, Anti-Bot, Threat Emulation, Capsule Docs (Standalone
Client)

2012 64-bit All E85.00 Compliance, Anti-Malware, Firewall, Application Control, Forensics, Anti-
Ransomware, Anti-Bot, Threat Emulation, Capsule Docs (Standalone
Client)

2008 R2 All E85.00 Compliance, Anti-Malware, Firewall, Application Control, Forensics, Anti-
32/64-bit Ransomware, Anti-Bot, Threat Emulation, Capsule Docs (Standalone
Client)

Notes:
n To support Endpoint Compliance rules for Windows Server 2016 on versions
older than R80.20, see sk122136.
n Windows Server CORE is not supported.
n If you install a client package with features that are not supported on the server,
the installation succeeds but only the supported features are installed.

Harmony Endpoint EPMaaS Administration Guide | 60

Reconnect Tool

macOS
macOS Version Supported starting from

macOS Sonoma (14) EA support: Endpoint Security Client E87.60

GA support: Endpoint Security Client E87.70

macOS Ventura (13) EA support: Endpoint Security Client E86.80

GA support: Endpoint Security Client E87.00

macOS Monterey (12) EA support: Endpoint Security Client E85.30

GA support: Endpoint Security Client E86.20

macOS Big Sur (11) Endpoint Security Client E84.30

macOS Catalina (10.15) Endpoint Security Client E82.00

Notes:
n For existing Endpoint Security deployments, before upgrading your OS version,
you must first upgrade the Endpoint Security Client to a version that supports
the desired OS version based on the table above.
n Support for macOS 10.15 (Catalina) is declared as "End of Engineering".
Starting from E88.30, new features do not include support for macOS 10.15.
Any version released after September 30, 2024, will not be supported on
macOS 10.15.

Linux
Operating System Version

Amazon Linux 2

CentOS 7.8 - 8.5

Debian 9.12 - 11.7

OpenSUSE* 15.3

42.3

Oracle Linux 7.9 - 8.7

RHEL 7.8 - 8.7

9.0 - 9.2

Harmony Endpoint EPMaaS Administration Guide | 61

Reconnect Tool

Operating System Version

SUSE Linux Enterprise Server (SLES)* 12 SP5

15 SP3

Ubuntu 16.04

18.04

20.04

22.04 - 22.04.3

* Supported only with the Anti-Malware blade.

Harmony Endpoint EPMaaS Administration Guide | 62

Reconnect Tool

Supported Browsers for the

Browser Extension
The browser extension of Harmony Endpoint is supported for these browsers:

Threat Malici
Data
URL Extrac Zero Passw Safe Search ous
Brow Loss
OS Filteri tion & Phish ord Sear Reputa Script
ser Preven
ng Emula ing Reuse ch tion Protec
tion
tion tion

Windo Chrome Yes Yes Yes Yes Yes Yes Yes Yes
ws
Edge Yes Yes Yes Yes Yes Yes Yes Yes
Chromiu
m

Firefox Yes Yes Yes Yes No Yes Yes No

Brave3,4 Yes Yes Yes Yes Yes Yes Yes Yes

Internet No Yes Yes Yes No No No No

Explorer1

macOS Chrome Yes Yes Yes Yes Yes Yes Yes No

Firefox Yes Yes Yes Yes No Yes Yes No

Safari2 Yes No Yes Yes No No No No

Brave4, 5 Yes Yes Yes Yes Yes Yes Yes No

Edge 5 Yes Yes Yes Yes Yes Yes Yes No

Chrom Chrome 6 Yes Yes Yes Yes Yes Yes Yes Yes
eOS

Notes -
1 By default, the extension is disabled. To enable the extension, see Deploying
Harmony Browse Clients.
2 Browser extension is supported in Safari version 14 and higher.
3 Browser extension is supported in Brave version 1.43.89 and higher.
4 Brave for Windows is supported only with the Endpoint Security client version
E86.70 and higher.
5 Brave and Edge for macOS is supported only with the Endpoint Security client
version E87.40 and higher.
6 ChromeOS is supported only with the Harmony Browse client.

Harmony Endpoint EPMaaS Administration Guide | 63

Migrating an On-premises Security Management Server to Harmony Endpoint

Migrating an On-premises Security

Management Server to Harmony
Endpoint
With Harmony Endpoint, you can migrate from an on-premises Security Management Server
to a Harmony Endpoint cloud tenant in the Infinity Portal.

Use Case
You are using the on-premises Security Management Server to manage Harmony Endpoint
Security clients installed on the endpoints. You wish to use the Harmony Endpoint cloud
service on the Infinity Portal for management.

Prerequisites
Make sure that the Security Management Server and the Harmony Endpoint EPMaaS are
running the same versions.
n If the versions are not the same, upgrade the Security Management Server to match the
Harmony Endpoint EPMaaS version.
n To know the Harmony Endpoint EPMaaS version, click Service Management and see
Service Version.
Notes:
n Migration of Security Management Server from an environment with High Availability and
Secondary server to Harmony Endpoint is not supported. For more details, contact
Check Point Support.
n During the import process, the Harmony Endpoint Administrator Portal is locked for use.

Known Limitations
See sk179713.

Harmony Endpoint EPMaaS Administration Guide | 64

Migrating an On-premises Security Management Server to Harmony Endpoint

Migrating to Harmony Endpoint

To migrate an on-premises Security Management Server to Harmony Endpoint:
1. Log in to Infinity Portal and access the Harmony Endpoint Administrator Portal.
2. Go to Endpoint Settings > Migration Tool.
3. Click Download.
The system downloads the migration script.
4. In the Harmony Endpoint Administrator Portal, copy the commands from the Migration
Tool page Export Data.

5. Transfer the downloaded migration script to a directory on the Security Management

Server.
6. On the Security Management Server, open the command line and run the commands
you copied.
The system generates encrypted_export.tgz file.
7. Transfer the encrypted_export.tgz file to the local computer.
8. In the Migration Tool page Import Data, click Browse and select the encrypted_
export.tgz file.
9. Click Upload & Start.

Note - Infinity Portal supports the upload of files up to 5 GB. If the export file size exceeds
5 GB, contact Check Point Support.
You receive a confirmation mail when the import is complete.

10. Continue with the post-migration steps. For more information, see sk179687.
11. Run the Reconnect tool on all the endpoints to reconnect to the Harmony Endpoint
service on the Infinity Portal. For more information, see "Reconnect Tool" on page 55.

Harmony Endpoint EPMaaS Administration Guide | 65

Deploying Endpoint Clients

Notes:
n Check Point does not support both the Harmony Endpoint Security client and
the Check Point Remote Access VPN client on the same endpoint. Uninstall the
Check Point Remote Access VPN client before you deploy the Harmony
Endpoint Security client
n During the upgrade, you cannot remove the Full Disk Encryption component.

To deploy Harmony Endpoint clients to Windows devices:

1. Click Overview and then click Download on the top banner.

2. Click Download button under Windows or macOS, depending on the destination system.

To install the Initial Client:

1. Do any of these to download the Initial Client:
a. From the left navigation panel, click Service Management and then in the
Download Initial Client section, click on the Download button.
b. From the left navigation panel, click Overview.and then click on the Download
button on the top banner.
2. Deploy the Initial Client to all your Endpoint devices, using a third party deployment tool.
n Automatic - Use deployment rules to automatically download and install pre-configured
packages on Endpoint devices (see "Automatic Deployment of Endpoint Clients" on
page 68).
n Manual - Export component packages to the endpoint devices, using third party
deployment software, a shared network path, email, or other method (see "Manual
Deployment" on page 80).

Notes:
n Admins are recommended not to pre-install Harmony Endpoint when using cloning
utilities like Acronis. It is recommended to install Harmony Endpoint after the clone is
created, or at least to block the initial registration before creating the clone.
n If you have initiated to deploy the Harmony Endpoint Security client on an endpoint
that is not yet added to the domain, see the sk18127 to complete the deployment.

Harmony Endpoint EPMaaS Administration Guide | 66

Installation Token

Installation Token
Token-limited installation protects against sending unauthorized copies of exported packages
and installation of packages on computers which do not belong to the organization that created
the packages.

Note - Installation token is not supported on macOS and Linux endpoints.

The administrator is responsible for enabling the token-limited installation feature and creating
the token.
If token-limited installation is enabled, then you must enter the token during the registration of
the Endpoint Security server with the Harmony Endpoint Management Server.

The token is limited in time. If the token is expired, the registration is rejected.

To enable token-limited registration:

1. Go to Endpoint Settings > Authentication Settings > Installation Token.
2. Select Enable installation token checkbox.

3. Click to generate a token.

The token appears in the Value field.

4. To set an expiration date, select Enable Expiration and in the Valid until field, click
to select the date for the token expiry.
5. Click Save.

To copy the token, click .

Harmony Endpoint EPMaaS Administration Guide | 67

Automatic Deployment of Endpoint Clients

Software deployment rules are supported for Windows, macOS and Linux.
Use deployment rules to automatically download and install pre-configured packages on
endpoint devices.
To manage your Endpoint Security clients and install Endpoint Security Policy on them, you
must first deploy the Initial Client to them.
The Initial Client is the Endpoint Agent that communicates with the Endpoint Security
Management Server.

Notes- You can deploy the Initial Client to all your endpoint devices, using a third-
party deployment tool, manually or remotely (see "Remote Installation of Initial Client"
on page 92).
Important - If you want to switch to a US-DHS and EU compliant Anti-Malware blade,
make sure to switch to a complaint Endpoint Security Client before deploying the
client. See "Anti-Malware Settings" on page 101.
Caution - Windows Server 2016 and higher requires that you turn off Microsoft
Windows Defender before you install the Harmony Endpoint Security Client. Perform
the instructions in the sk159373 before you install or contact Check Point Support to
request assistance with the installation.

Automatic Deployment of Endpoint Clients

Using the Tiny Agent
The Tiny Agent is supported with Windows, macOS, and Linux. It is an enhancement to the
current Initial Client package (which is a very thin client, without any blade, used for software
deployment purposes).

The Initial Client is the Endpoint Agent that communicates with the Endpoint Security
Management Server.
You can extract the Initial Client from the Tiny Agent.
The improvements include:
n The Tiny Agent has a very small executable (smaller than 1MB).
n Consolidates all the connection parameters in a single executable.
n It can be shared in various forms, enabling fast, easy and seamless first-time
deployment.
n Once combined with the Dynamic Package, it installs only what is necessary for each
machine.
n It is agnostic to the client version.

Harmony Endpoint EPMaaS Administration Guide | 68

Automatic Deployment of Endpoint Clients

n It passes Smart Screen validation - no more download warnings.

n It reduces network traffic for installing selected blades.
It is available for cloud deployments and for on-premises deployments running Endpoint
Security Management ServerR81 or higher.

Harmony Endpoint EPMaaS Administration Guide | 69

Automatic Deployment of Endpoint Clients

To deploy the Endpoint Security Client using the Tiny Agent:

1. Do any one of these:

Click Steps

Policy > a. Select a Download version and a Virtual group.

Deployment b. Do one of these:
Policy > n To download the file immediately, click Download for the
Software relevant OS and transfer the file to the endpoints.
Deployment
and then click Client OS Downloaded file
Download
Endpoint Windows EPS_<Year>_
Endpoint on
<Version>.exe
the top
banner. macOS EPS_TINY.zip

Linux installScript.sh

Browse Windows BrowserSetup.exe

macOS BrowserSetup.zip

ChromeOS BrowserSetup_
Overview, and chromeos_Laptop.exe
then click or BrowserSetup_
Download chromeos_
Endpoint on Desktop.exe
the top
banner. n
To download the file using a download link, click and
click Copy download link.
When the download link is ready, the Send the Link by
Email window appears.
a. Click to copy to the link.
b. Share the download link with users (for example,
by email) to download the file.

Overview > a. In the Download & Install Endpoint agent widget, click
Getting Download.
Started > Let's The Download & Install Endpoint Agent window appears.
Start Connect b. Click Online Install.
Your First c. From the Operating System list, select the OS.
Agent d. From the Version list, select the client version.

2. For Windows:

Harmony Endpoint EPMaaS Administration Guide | 70

Automatic Deployment of Endpoint Clients

n Run the exe file to install the Harmony Endpoint Security client.
n If you want to use the msi file, then convert the exe file into a msi file:
a. Open the Command Prompt window by selecting Run as administrator.
b. Run:
cd <Path where you have downloaded the exe file>

For example, cd C:\Users\User\Downloads

c. Run:
EndpointSetup.exe /CreateMSI

d. Transfer the msi file to the endpoints and run the msi file to install the
Harmony Endpoint Security client.

Note - For silent installation, run msiexec.exe /i <path to

msi file>\EPS.msi /qn SILENTINSTALL=1.

3. For macOS:
a. Unzip the file and open the EPS_TINY folder.
b. To install the Harmony Endpoint Security client, do one of these:
n Run the EPNano.app file.
n In the terminal window, run:
./EPNano.app/Contents/MacOS/EPNano

4. For Linux:
n If you downloaded the installScript.sh file, run the file on the endpoint to install the
Harmony Endpoint Security client.
n If you copy the download link, on the Linux machine, run:
a. curl "paste_downlowd_link" -o install.sh
b. chmod+ x install.sh
c. sudo ./install.sh install

5. Continue with "Deployment Rules" on page 77.

Note - You can deploy the Initial Client to all your endpoint devices, using a third-party
deployment tool, manually or remotely (see "Remote Installation of Initial Client" on
page 92).

Harmony Endpoint EPMaaS Administration Guide | 71

Automatic Deployment of Endpoint Clients

Troubleshooting Issues with the Tiny Agent on Windows OS

The Tiny Agent shows simple error messages in cases of network issues (connectivity
problems, proxy issue, and so on).
Error messages and Remediation

Console Error Description Remediation

Endpoint Setup Exception occurred (either Download the file again and
failed! allocation failed on any check its signature (it could
internal component, or be corrupted), and make
another type of abnormal sure you have enough free
termination) RAM.

Failed to initialize Either we cannot verify our Make sure you have
Endpoint Setup! own signature, or map the enough memory.
installer in the memory.

Failed to parse Failed to parse the URL for File downloaded from the
internal data! downloading eps.msi Management Server
from CDN is corrupted. Contact Check
Point Support.

Failed to download Failed to verify downloaded Make sure that your

or verify Windows EPS.msi Security Gateway, or any
Installer package network security
(EPS.msi)! component, does not
corrupt the installer.

Failed to find Failed to get program files Make sure your OS is

program files folder from Microsoft. updated.

Failed to create our Either there is some Check Make sure that the
program files folder Point product installed, or Endpoint Security Client is
for config.dat the Administrator cannot not already installed.
create folders in the
Program Files folder

Failed to save Either there is some Check Make sure that the
config.dat Point product installed, or Endpoint Security Client is
the Administrator cannot not already installed.
create folders in program
files folder

Failed to install Cannot run Windows Make sure Windows

the product Installer to install EPS.msi Installer is enabled.

Harmony Endpoint EPMaaS Administration Guide | 72

Automatic Deployment of Endpoint Clients

Console Error Description Remediation

Failed to download Failed to download Make sure you have access

Windows Installer eps.msi to CDN:
package (EPS.msi)! sc1.checkpoint.com

Failed to Data corruption occurred, Make sure the file is not

authenticate or data added to the file is corrupted, and/or that you
EndpointSetup! corrupted downloaded it from the
correct location.

Failed to parse Failed to find the server Make sure you downloaded
configuration data config information. the file from the portal.

Setup failed another Another installation is Reboot the machine, or

installation is stuck, or has not finished. fix/complete any pending
currently in installation.
progress

Log File Location

The log file is located here:

C:\Windows\System32\LogFiles\WMI\EndpointSetup.etl

Silent Installation
Run:

PsExec.exe -accepteula -nobanner -s "C:\Users\<Administrator

Username>\Desktop\EndpointSecurity.exe"

Endpoint Security Component Package

This package includes the specified components to be installed on the endpoint device.
You can distribute it automatically with deployment rules.
You can configure the policies for the components before or after you deploy the component
package.
Deploy the Endpoint Security component package with deployment rules.

Using the Vanilla Client

Note - The Vanilla client is supported only for Windows-based endpoints.

Harmony Endpoint EPMaaS Administration Guide | 73

Automatic Deployment of Endpoint Clients

The Vanilla client is similar to the Tiny Agent but receives the connection parameters
separately that prevents unauthorized clients to connect to the Harmony Endpoint
Management Server.

To deploy the Endpoint Security Client using the Vanilla Client:

1. Go to Overview > Getting Started > Let's Start Connect Your First Agent.

2. In the Download & Install Endpoint agent widget, click Download.

The Download & Install Endpoint Agent window appears.

Harmony Endpoint EPMaaS Administration Guide | 74

Automatic Deployment of Endpoint Clients

3. Click Copy Installation link.

4. Click .

The download link appears in the field on the left.

5. Click to copy the link.

6. Do one of these:

Harmony Endpoint EPMaaS Administration Guide | 75

Automatic Deployment of Endpoint Clients

To Do

Install the Vanilla client directly on the a. On the endpoint where you want to
endpoint install the client, open the link in a
browser.
Note - Make sure that the user
has Administrator role in the
endpoint.

b. In the Download Endpoint Agent

widget, click Download.
The system downloads the
EndpointSetup.exe file.
c. Run the EndpointSetup.exe to register
the client.
The Ready to connect dialog box
appears.
d. Click OK.
e. In the Connect to Harmony Endpoint
widget, click Connect.
The Endpoint Security dialog box
appears that shows the client
installation status.

Install the Vanilla client remotely on the On the endpoint where you want to install
endpoint the client, run this command as the
Administrator:
EndpointSetup.exe /url <link>
The system downloads the Vanilla client,
installs it and then connects to the Harmony
Endpoint Management Server.

Harmony Endpoint EPMaaS Administration Guide | 76

Automatic Deployment of Endpoint Clients

To Do

Install the Vanilla client remotely on the a. Run this command as the
endpoint using third-party distribution Administrator:
applications, for example, Microsoft EndpointSetup.exe /createmsi
InTune /url <link>
The system downloads the EPS.msi
file.
b. Distribute the EPS.msi file using third-
party MDM application. For more
information, see "Remote Installation
of Initial Client" on page 92.

7. When the installation is complete, the Harmony Endpoint Security Client is installed on
the endpoint and connected to the Harmony Endpoint Management Server.
8. Continue with "Deployment Rules" below.

Deployment Rules
Deployment rules let you manage Endpoint Security Component Package deployment and
updates.
Deployment rules work on both Windows OS and macOS. Linux OS is not supported yet.
The Default Policy rule applies to all Endpoint devices for which no other rule in the Rule Base
applies.

You can change the default policy as necessary.

You can define more rules to customize the deployment of components to groups of Endpoint
devices with different criteria, such as:
n Specific Organizational Units (OUs) and Active Directory nodes.
n Specific computers.
n Specific Endpoint Security Virtual Groups, such as the predefined Virtual Groups ("All
Laptops", "All Desktops", and others.). You can also configure your own Virtual Groups.
Deployment rules do not support user objects.
Mixed groups (that include both Windows OS and macOS objects) intersect only with the
applicable members in each rule.

Harmony Endpoint EPMaaS Administration Guide | 77

Automatic Deployment of Endpoint Clients

To create new deployment rules for automatic deployment

1. From the left navigation panel, click the Policy view.

2. Click Deployment Policy > Software Deployment.
3. From the top toolbar, click Clone Above or Clone Below.
The Clone Rule window opens.
4. Configure the rule:
n Enter the rule name
n Select the groups to which the rule applies.
Mixed groups (that include both Windows OS and macOS objects) intersect only
with the applicable members in each rule.
n Select the applicable parts of the organization.
n Select the affected devices.
5. Click OK to create the new rule.
6. Click the new rule to select it.
7. In the right section Capabilities & Exclusions:
a. Click Windows, macOS or Linux.
b. Select the Version.

For Linux, click distros to view the supported distributable and version. For
example, CentOS or Ubuntu.

Note - You can use the Do not install option to temporarily halt
enforcing software deployment rules to the endpoints, for example,
during maintenance or internal testing of Harmony Endpoint Security
client.

c. Select Capabilities.
n For Linux, only the Anti-Malware blade is supported with the exported
package.
n For capabilities supported by Windows, macOS and Linux, see sk169996.

Note - If the Harmony Endpoint Anti-Malware capability is

installed, the third-party Anti-Malware status in the Harmony
Endpoint Security Client is not displayed.
n For general limitations on macOS, see sk110975.
8. Configure the deployment settings:

Harmony Endpoint EPMaaS Administration Guide | 78

Automatic Deployment of Endpoint Clients

a. Select the applicable package version.

Caution - The Endpoint Security client package version must match the
client package version selected in the exported package. Otherwise,
the system discards the capabilities selected in the Software
Deployment rule.

b. Select the package capabilities.

9. Click Save.
10. Above the right section Capabilities & Exclusions, click Install Policy.

See "Installation and Upgrade Settings" on page 394 for local deployment options.

Harmony Endpoint EPMaaS Administration Guide | 79

Manual Deployment

Manual Deployment
You can export a package of Harmony Endpoint or Harmony Browse from the Endpoint
Security Management Server to Endpoint devices using a third-party deployment software, a
shared network path, email or other method.
When you download a package for manual deployment, the Initial Client is already included in
the package for Harmony Endpoint and there is no need to install it separately.

Note - Initial Client is not supported for Harmony Browse.

Important - If you want to switch to a US-DHS and EU compliant Anti-Malware blade,

n Dependencies Settings
Select the dependencies to include in the package:
l .NET Framework 4.6.1 Installer (60MB) - Recommended for
Windows 7 computers without .NET installed.
l 32-bit support (40MB) - Selected by default. Recommended
for 32-bit computers.
l Visual Studio Tools for Office Runtime 10.050903 (40 MB) -
Recommended if the package includes Capsule Docs.
l Smart preboot (190MB) - Enables the Easy Unlock feature. It
allows you to Accept or Reject a Network One-Time Logon
request or a Network Password Change request from a user
that has forgotten the login credentials of the endpoint or the
endpoint is locked due to invalid login attempts using incorrect
credentials. Such requests are indicated by the icon in the
Asset Management > Computers table. See "Viewing
Computer Information" on page 149. It is supported:
o Only with Endpoint Security client version 86.50 or
higher.
o Only on endpoints running Windows OS.
o Only if the Full Disk Encryption is Check Point
encryption. For more information, see "Configuring Full
Disk Encryption" on page 291.
Note - This feature is available only to customers in the Early
Availability program.

Harmony Endpoint EPMaaS Administration Guide | 84

Manual Deployment

l Smart preboot (190MB) - Enables the Easy Unlock and Self

Unlock features.
Easy Unlock allows you to Accept or Reject a Network One-
Time Logon request or a Network Password Change request
from a user that has forgotten the login credentials of the
endpoint or the endpoint is locked due to invalid login attempts
using incorrect credentials. Such requests are indicated by the
icon in the Asset Management > Computers table. See
Viewing Computer Information. It is supported:
o Only with Endpoint Security client version 86.50 or
higher.
o Only on endpoints running Windows OS.
o Only if the Full Disk Encryption is Check Point
encryption.
Self-Unlock allows users to unlock their endpoint by scanning
a QR code using their mobile device, without your
(Administrator) intervention. It is supported:
o Only with Endpoint Security client version 86.60 or
higher.
o Only on endpoints running Windows OS.
Note - If the endpoint is connected remotely (not in the LAN),
then ensure that your Endpoint Security Management Server is
accessible over internet. Otherwise, you must set up a reverse
proxy and specify the Hide behind IP address under NAT in
the SmartConsole. For more information, see the
SmartConsole Help.
Additional settings for the Self-Unlock feature:
i. Specify Self-Unlock Settings in Computer Actions.
ii. Enable Self-Unlock for Full Disk Encryption. See
Advanced Pre-boot Settings.
Note - Smart pre-boot is available only to customers in the
Early Availability program.

Harmony Endpoint EPMaaS Administration Guide | 85

Manual Deployment

n Anti-Malware Settings
Select the signature to include in the package.
This sets the level of Anti-Malware protection from the time that a
client gets the package until it gets the latest Anti-Malware
signatures from the signature provider:
l Full - Recommended for installing on devices without high-
speed connectivity to the Anti-Malware server.
l Minimum - Selected by default. Recommended for a clean
installation on devices that are connected to the Anti-Malware
server.
l None - Recommended for upgrades only.

ii. Optional: To download the package automatically after the system creates
the package, select the Download package when saved checkbox.
j. Click Finish.
The system starts to create the package. It can take several minutes depending
on the package size. When the package is ready, the system shows Exported
Package created message.

Note - You can duplicate the package configuration for future use. Click the
icon.

2. Export the package or file

In the export package tile, click to download the package or file.

Client OS Downloaded file

Endpoint Windows EPS_<Year>_<Version>.exe

macOS EPS_TINY.zip

Linux installScript.sh

Browse Windows BrowserSetup.exe

macOS BrowserSetup.zip

ChromeOS BrowserSetup_chromeos_Laptop.exe or
BrowserSetup_chromeos_Desktop.exe

Note - Dynamic package is not supported for Harmony Browse.

Harmony Endpoint EPMaaS Administration Guide | 86

Manual Deployment

3. Continue with "Installing the Exported Package or Client" on page 89.

Using the Offline Installation

Note - This procedure applies only to Windows and macOS-based endpoints.

1. Go to Overview > Getting Started > Let's Start Connect Your First Agent.

2. In the Download & Install Endpoint agent widget, click Download.

The Download & Install Endpoint Agent window appears.

Harmony Endpoint EPMaaS Administration Guide | 87

Manual Deployment

3. Click Offline install.

4. From the Operating System list, select the OS.

5. From the Version list, select the client version.

6. Select Threat Prevention or Full package.

7. Click Download.
The system prepares the package for download.

8. Once the package is ready for download, click Download.

9. Once the download is complete, continue with "Installing the Exported Package or
Client" on the next page.

Harmony Endpoint EPMaaS Administration Guide | 88

Manual Deployment

Installing the Exported Package or Client

You can also use a third-party deployment software, a shared network path, email, or some
other method to distribute the package or file.
Endpoint Client
1. For Windows, distribute the downloaded package or file to users' endpoint or run the
EPS_<Year>_<Version>.exe /CreateMSI on the users' endpoint.
On Windows 8.1 and higher, right-click the exe file and click Run as administrator to
install the client.
The EPS_<Year>_<Version>/CreateMSI command is supported only with the Endpoint
Security Client E85.20 or higher. It is supported for both 32-bit and 64-bit Windows.

You can install the Endpoint Security client using the EPS.msi file through the Command
Line Interface (CLI). To install:
a. Transfer the EPS.msi file to the endpoints.
b. In the endpoint's CLI, run:
msiexec.exe /i <path to msi file>\EPS.msi

For example, msiexec.exe /i C:\users\admin\EPS.msi

Output
USERINSTALLMODE=<blades' mask>
Generating MSIs. It will take a few minutes.

Please wait...
===> <location>\EPS.msi

===> <location>\32\EPS.msi

The system creates the msi files for both 64-bit and 32-bit and opens Windows
Explorer windows where the msi files are created.
c. Make a note of the path where msi files are created.
d. In the Command Prompt window, press any key to close.
e. Transfer the msi file to the endpoints and run the msi file to install the Harmony
Endpoint Security client.
For more information, see sk179668.
2. For macOS, distribute the package or file to users' endpoint.
3. For Linux, run the sh script in the users' endpoint.
Browse Client

Harmony Endpoint EPMaaS Administration Guide | 89

Manual Deployment

1. For Windows, distribute the downloaded package or file to users' endpoint or run the
EndpointSetup.exe /CreateMSI on the users' endpoint.
2. For macOS, distribute the package or file to users' endpoint.
3. For ChromeOS, see sk173974.
You can only see the deployment status after the package is successfully installed.
Time Limit Installation

If you have enabled "Installation Token" on page 67, a prompt appears during the Endpoint
Security client installation. The user must enter the Server Authentication Token.
If the server authentication fails, create a new server authentication token with the
appropriate validity period and share it with your users.

Adding a New VPN Site to an Exported Package

When you use an exported package, you can configure each package to connect to a default
VPN site which you create.
By default, no VPN site is configured for a new package.

To add a new VPN site to an exported package:

1. Create a package or edit an export package. See "Manual Deployment" on page 80.
2. In the Capabilities screen of the Create Export Package wizard, select the Remote
Access VPN checkbox.

3. In the Virtual Groups and VPN Sites screen, in the VPN site section:

Harmony Endpoint EPMaaS Administration Guide | 90

Manual Deployment

a. To add a VPN site manually, select Manual:

i. Click New and enter these:
n Name - Unique name for this VPN site.
n Site Address - Site IP address.
n Authentication Method - One of these:
l Username-password - Endpoint users authenticate using their
VPN user name and password.
l CAPI certificate - Endpoint users authenticate using the
applicable certificate.
l P12 certificate - Endpoint users authenticate using the applicable
certificate.
l SecurID KeyFob - Endpoint users authenticate using a KeyFob
hard token.
l SecurID PinPad -Endpoint users authenticate using the an
SDTID token file and PIN.
l Challenge-response - Endpoint users authenticate using an
administrator supplied response string in response to the
challenge prompt.
ii. Click OK.
b. To add a VPN site by importing a .config file, select Import from file:

i. Click Upload and select the .config file you want to upload.

Note - Only .config file with a maximum file size of 1000 KB is supported.

ii. Click Next and continue with step i in Create an export package. See
"Manual Deployment" on page 80.

Harmony Endpoint EPMaaS Administration Guide | 91

Remote Installation of Initial Client

The Initial Client is the Endpoint Security agent that communicates with the Harmony
Endpoint.
You install the Initial Client on Endpoint devices before you use automatic software
deployment to deploy components.
The remote installation is the installation of an Initial Client on an Endpoint Security component
package.
You can install the Initial Client remotely using:
n Third-party tools
n Push Operation in the Harmony EndpointAdministrator Portal

Important - If you want to switch to a US-DHS and EU compliant Anti-Malware blade,

make sure to switch to a complaint Endpoint Security Client before deploying the
client. See "Anti-Malware Settings" on page 101.

Using Third-Party Tools

You can install the HarmonyEndpoint Security Client on endpoints using third-party tools:
n To install the client on Windows-based endpoints:
l Using Mobile Device Management (MDM), see Harmony Endpoint Security for
Windows MDM Deployment Guide.
l Using System Center Configuration Manager (SCCM), see "Appendix A -
Deploying Harmony Endpoint Security Client using SCCM" on page 604.
n To install the client on macOS-based endpoints, see Harmony Endpoint Security for
macOS MDM Deployment Guide.

Using Push Operation

From Endpoint Security Client E84.40 and higher, using Push Operation, you can install the
Initial Client remotely.
The Push Operation mechanism extends to devices that do not have the Initial Client installed
yet.

Harmony Endpoint EPMaaS Administration Guide | 92

Remote Installation of Initial Client

To install the Initial Client using Push Operation, see "Remotely Installing the Initial Client" on
page 97.

Setting the Deployment Agent

The Deployment Agent is the cornerstone of the remote push feature. The agent is a domain-
joined device that you select as an initiator for remote installation requests on target
workstations in the same Active Directory domain.

Best Practice - We recommend that the Deployment Agent has good hardware
specs, network connectivity, availability and a "remote install" compatible Endpoint
Security Client (E83.30 and higher).

You can configure multiple devices in each domain as Deployment Agents with no limitation
on the total count. All devices qualify as an agent for an installation bundle.

Harmony Endpoint EPMaaS Administration Guide | 93

Remote Installation of Initial Client

Certificates and DNS

To add Active Directory Credentials to the Deployment Agent on the Endpoint Security
Client Screen:
1. Open the Endpoint Security client screen, click Menu and select Advanced.

2. In the Remote Deployment section, click Configure.

Harmony Endpoint EPMaaS Administration Guide | 94

Remote Installation of Initial Client

3. Enter the Domain Administrator credentials with ad.com\administratoad as the User

Name.

Note -You must be in the Domain Administrators group in the Active Directory.

Harmony Endpoint EPMaaS Administration Guide | 95

Remote Installation of Initial Client

Privileges
User must have permission to connect from the Deployment agent computer to the target
computer and create the scheduled task on the target computer.
For additional references, please see Microsoft's guide here: https://docs.microsoft.com/en-
us/windows/win32/api/taskschd/nf-taskschd-itaskservice-connect

Setting the Target Devices

Windows Defender
n Windows 10 regards the remote execution of msiexec.exe through the Task Scheduler
as malicious activity. Windows blocks this on the target computer.
n To disable Windows Defender's Anti-Malware with a PowerShell command on the target
devicer: (For Windows server only)
1. Open PowerShell as Administrator.
2. Run:
Uninstall-WindowsFeature -Name Windows-Defender
3. Reboot the computer after the Windows Defender Anti-Malware uninstalls.
n If the remote installation procedure fails, the Windows Defender enables after a restart.
Disable the Windows Defender's Real-Time Protection again.

Other AV Solutions
n We recommend that you disable the Windows Defender and disable or uninstall third-
party anti-virus software on the target computer.
n An attempt to run remote software triggers a notification. The remote deployment
procedure fails.

Enable Access to the Task Scheduler Through the Windows Firewall in a Domain Profile
n When the Windows Firewall blocks the remote connection to the target's Task
Scheduler, run this PowerShell command on the target computer:
Get-NetFirewallProfile -Name Domain | Get-NetFirewallRule | ?
Name -like *RemoteTask-In-TCP-NoScope* | Enable-NetFirewallRule
n Configure these settings on the computer:
1. Navigate to Control Panel > Network and Internet > Network and sharing center
> Advanced sharing settings.

Harmony Endpoint EPMaaS Administration Guide | 96

Remote Installation of Initial Client

2. In the Network discovery section, select Turn on network discovery.

3. In the File and printer sharing section, select Turn on file and printer sharing.
n Allow user to access the %windir%\Tasks directory.
n Navigate to Local Security Policy > Local Policies > User Rights assignment and verify
that the Log on as a batch job and Log on a service are configured.
n Navigate to Windows Defender Firewall with Advanced Security > Windows Defender
Firewall with Advanced Security - Local Group Policy Object > Inbound Rules and
verify that the:
o Remote Scheduled Tasks Management (RPC) is enabled.
o Remote Event Log Management (RPC) is enabled.
n Verify that the Remote Registry service is running.

Remotely Installing the Initial Client

You remotely install the Initial Client from the Push Operations view or from the Asset
Management view.
To install the Initial Client remotely from the "Push Operations" view

1. From the left navigation panel, click Push Operations.

2. From the top toolbar, click (+) Add.
The Add Push Operation window opens.

3. On the Select push operation page:

a. From the menu, select Agent Settings.

b. In the list of options, click Deploy New Endpoints.

c. At the bottom, click Next.
4. On the Select devices page:

Harmony Endpoint EPMaaS Administration Guide | 97

Remote Installation of Initial Client

a. Click (+).
b. Select devices that do not have Endpoint installed and are not in the process of
deployment.

Notes:
n To select several non-adjacent entries, press and hold

the CTRL key while you click the applicable entries.

n To select several adjacent entries, press and hold the

SHIFT key, click the applicable top entry, and then, click
the applicable bottom entry.
n To clear a selection, press and hold the CTRL key while

click the applicable entry again.

n You can select up to 5,000 entries.

c. At the bottom, click Update Selection.

d. In the table with the entries, select the checkboxes of applicable devices.
e. At the bottom, click Next.
5. On the Configure Operation page:
a. In the Comment field, enter the applicable text.
b. In the Select deployment agent field, select one device for this push operation.
c. In the Endpoint version menu, select the applicable version.Only devices with
Windows 7 and higher are supported.

d. In the Scheduling section, configure one of the applicable settings:

n Execute operation immediately
n Schedule operation for, and click the calendar icon to configure the date
and time
e. Click Finish.

To install the Initial Client remotely from the "Asset Management" view

1. From the left navigation panel, click Asset Management.

2. Select the checkboxes of applicable devices (up to 5,000).
3. From the top toolbar, click Push Operation > from the menu that appears click Agent
Settings > Deploy New Endpoints.
The Push Operation Creation Dialog window opens.
4. Enter the required values:

Harmony Endpoint EPMaaS Administration Guide | 98

Remote Installation of Initial Client

a. In the Comment field, enter the applicable text.

b. In the Select deployment endpoint field, select one device for this push
operation.
c. In the Endpoint version menu, select the applicable version.Only devices with
Windows 7 and higher are supported.
d. In the Scheduling section, configure one of the applicable settings:
n Execute operation immediately
n Schedule operation for, and click the calendar icon to configure the date
and time
5. Click Create.

Windows Task Scheduler on endpoint devices

1. After a connection to the Task Scheduler service on Windows OS, the Deployment
Agent registers a new task: "CP_Deployment_{unique ID}".
2. The Deployment Agent runs the task from the domain administrator's account on the
target computer.
3. The Task Scheduler spawns the msiexec.exe to download the client installer and
launch it in silent mode.
4. The installation proceeds with the MSI script instructions.

Security Considerations
n The Deployment Agent does not store the administrator password in clear text.
n The client UI collects the credentials and passes them to the device agent to store in
separate values of a registry key under EP root.
n The password stores as an encryption and the principal name stores in plain text.
n Administrator accounts have access permissions of FULL CONTROL for the registry
key.
n The SYSTEM account has READONLY access permissions for the registry key.
n The user and password never pass to the target devices. They establish the Task
Scheduler connection.

Progress of Installation and Error Handling

The installation status shows at the bottom page of the Push Operation view.

Harmony Endpoint EPMaaS Administration Guide | 99

Remote Installation of Initial Client

Target devices that fail to install and download the Initial Client, set their status accordingly. In
case of a connection failure, the Deployment Agent tries to connect to the target service three
more times with increasing interval between attempts. The default is ten seconds. This
mechanism increases the success rate in case of network-related issues.

The Deployment Agent Cannot Reach the Remote Task Scheduler

If the Deployment Agent cannot reach the remote task scheduler on the target device, the
specific installation procedure fails. The target device's Operation Status changes to "Failed
to access remote task scheduler".

The Target Device Fails to Download the Initial Client

If the target device cannot download the Initial Client, the target device's Operation Status
changes to "Failed to download client".

Invalid Credentials
If the domain administrator credentials are invalid, the Deployment Agent stops connecting to
remote targets, and the target device's Operation Status changes to "Access denied due to
Invalid credentials".

Missing Credentials
If the domain administrator credentials are missing, the Deployment Agent stops connecting to
remote targets, and the target device's Operation Status changes to "Deployment agent is not
configured".

Failed to Install Initial Client on Target Device

If the target device fails to install the Initial Client, the target device's Operation Status
changes to "Failed to install agent on target device".

Target Device Already Has an Agent installed

If the target device has an agent already installed, the Initial Client installation fails. The target
device's Operation Status changes to "Agent already installed".

The Deployment Agent is Not Available to Deploy Targets

If the Deployment Agent cannot be reached while a push operation takes place, the push
operation aborts, fails and sets the entire push-operation status to "The deploying Agent is not
available to deploy targets".

Harmony Endpoint EPMaaS Administration Guide | 100

Remote Installation of Initial Client

Ports and Permissions

For installations that traverse a perimeter Firewall, enable this port: Port 135 for RPC over TCP
traffic.

Upgrades
Upgrades are seamless to our users. A new type of Push Operation are rolled out and added
to all Harmony Endpoint users.

Anti-Malware Settings
Harmony Endpoint allows you to switch to a United States Domestic Homeland of Security
(DHS) and European (EU) regulations compliant Anti-Malware blade. After you successfully
switch, you must redeploy the compliant Endpoint Security Client on the endpoints either
through Deployment Rules or other methods.

To change to a US DHS and EU regulations compliant Anti-Malware blade:

1. Navigate to:
n Overview > Getting Started and click > in the Configure US-DHS and EU
compliant method icon.
n Policy > Deployment Policy > Anti-Malware Settings.
2. Click Switch To DHS Compliant Version.

A warning message appears.

3. Click OK.

Harmony Endpoint applies the changes instantly.

4. Redeploy the Endpoint Security Client on all endpoints. For more information, see:
n "Automatic Deployment of Endpoint Clients" on page 68

Harmony Endpoint EPMaaS Administration Guide | 101

Remote Installation of Initial Client

n "Manual Deployment" on page 80

n "Remote Installation of Initial Client" on page 92

After you redeploy the clients, the system automatically restarts the endpoints.

Note - To switch back from the DHS compliant Anti-Malware engine to a non-DHS
compliant Anti-Malware engine, contact Check Point Support.

Harmony Endpoint EPMaaS Administration Guide | 102

Heartbeat Interval

Heartbeat Interval
Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to
check the connectivity status and report updates. The time between heartbeat messages is
known as the heartbeat interval. For more information, see Endpoint Security Server and
Client Communication.

Note - The default heartbeat interval is 60 seconds. A shorter heartbeat interval can
cause additional load on the management. A longer heartbeat interval may lead to
less up-to-date logs and reports.

Harmony Endpoint EPMaaS Administration Guide | 103

Configuring Alerts

Configuring Alerts
You can configure alerts to receive a notification whenever an event occurs on an endpoint.
Harmony Endpoint supports two types of alerts:
n "Basic Alerts" below
n "Advanced Alerts" on page 107

Note - The Overview view > Operational Overview page has the Active Alerts pane
on the right. This page shows which endpoint computers are in violation of critical
security rules.

Basic Alerts
Basic alerts allows you to receive email notifications for these events:
n Compliance warning
n Failed deployment
n Encryption problem
n Anti-Malware issues
n Policy server out-of-sync
n Anti-Malware License Expiration Date

Configuring Basic Alert Messages

To define security alerts

1. Go to the Endpoint Settings view > Alerts > Basic Alerts, and select a security
violation.
2. Select the applicable alert from the list.
3. In the right section Alert Configuration:
a. Select ON in the top line:
The computer is restricted or about to the restricted

Harmony Endpoint EPMaaS Administration Guide | 104

Configuring Alerts

b. Configure these settings:

n Threshold Settings - Select how the amount of endpoints that trigger
alerts are measured, by percentage or number.
n Notification Settings - Select the notification type you receive when an
alert is triggered:
l Notify on alert activation - Sends a notification when an alert the
number of Endpoint devices with violations exceeds the configured
threshold.
l Notify on alert resolution - Sends a notification when an alert the
number of Endpoint devices with violations decreases below the
configured threshold.
l Remind me every - Sends a notification repeatedly according to a
specified frequency, as long as the number of Endpoint devices with
security violations exceeds the configured threshold.
l Recipients - Enter the email addresses of the message recipients
(separated by comma).
n Email Template Settings - You can configure a unique email template to
be sent to you when an alert is triggered. The email Subject and Body
contain dynamic tags. Dynamic tags are replaced by the server with the
relevant information during email sending. Remove the tags you do not
wish to include in the email.
l Attach report to mail notification - If selected, a CSV report with all
the device details related to a particular alert will be attached to
email. If there are no affected devices, nothing is attached
l Subject - Contains these dynamic tags: type (alert activation, alert
resolution or alert reminder), alert name, and tenant name.
l Body - Contains these dynamic tags: type(alert activation, alert
resolution or alert reminder), alert name, affected-count, and total-
count.
l Send Test Report - If selected, a notification email according to the
configured template is sent for a particular alert.
To send emails for alerts, you must follow the steps in the "Configuring an
E-mail Server" on the next page section below.
4. Click Save.

Harmony Endpoint EPMaaS Administration Guide | 105

Configuring Alerts

Note - Alerts are reevaluated every 10 minutes.

When the alerting criteria are updated, the alerting is reevaluated on the next
iteration.
When alerting is (re)enabled, it forces the alerting mechanism to immediately
(re)start and (re)evaluate.

Configuring an E-mail Server

You must configure your email server setting for Endpoint Security to send you alert email
messages.
If you use Capsule Docs it is also important to configure this.
The settings include the network and authentication parameters necessary for access to the
email server.

You can only configure one email server.

To configure the email server

1. In Endpoint Settings > Alerts > at the top, click Email Service Settings.
The Email Service Settings window opens.
2. Enter these details:
n Host Name - Email serve host name.
n From Address - Email address from which you want to send the alerts.
n User Authentication is Required - If email server authentication is necessary,
select this option and enter the credentials in the User Name and the Password
fields.
n Enable TLS Encryption - Select this option if the email server requires a TLS
connection.
n Port - Enter the port number on the email server.
n Test Email - Enter an email address to send the test to, and click Send Test:
l If the verification succeeds, an email is sent to the email address entered
and a success message shows in the Email Service Settings window.
l If the verification fails, an error message shows in the Email Service
Settings window.
Correct the parameters errors or resolve network connectivity issues.
Stand on the error message to see a description of the issue.
3. Click OK to save the email server settings and close the window.

Harmony Endpoint EPMaaS Administration Guide | 106

Configuring Alerts

Advanced Alerts
Advanced alerts allows you to receive notifications for security and operational events. The
notification is sent through preferred communication channels configured in Infinity
Playblocks:
n SMS
n Email
n Slack
n Microsoft Teams

Note - Make sure that you have configured Connectors and Notifications profiles in
Infinity Playblocks. For more information, see Infinity Playblocks Administration
Guide.

Configuring Advanced Alerts

1. Go to Endpoint Settings > Alerts > Advanced Alerts.

Threshold (Minimum
Alert
Alert Title number to trigger the
Description
action)

Security Alerts

Alert on a phishing The automation

attempt detected by notifies upon
Harmony Endpoint detection of
phishing attack. a. Severity
(Minimum) -
Select minimum
Alert on exploit attempt The automation severity level of
detected by Harmony notifies upon the event to
Endpoint detection of initiate the alert.
exploit attack. b. Count events in
time duration
c. Threshold
(minimum
Alert on access to The automation
number of
malicious site detected notifies upon
events)
by Harmony Endpoint detection of
d. Threshold
access to
(minimum
malicious sites.
number of
events)

Alert on password The automation a. Count events in

reuse attempt detected notifies upon time duration
by Harmony Endpoint reuse of the b. Threshold
password. (minimum
number of
events)
c. Threshold
(minimum
number of
events)

Harmony Endpoint EPMaaS Administration Guide | 110

Configuring Alerts

Threshold (Minimum
Alert
Alert Title number to trigger the
Description
action)

Alert on malicious file The automation a. Attack status -

detected by Harmony notifies upon Status of attack
Endpoint detection of that must be
malicious files. considered for
the alerts
b. Severity
(Minimum) -
Select minimum
severity level of
the event to
initiate the alert
Alert on ransomware The automation c. Count events in
attack detected by notifies upon time duration
Harmony Endpoint detection of d. Threshold
ransomware (minimum
attack. number of
events)
e. Threshold
(minimum
number of
events)

Notify on bulk The automation a. Number of

uninstallation of notifies upon uninstalled
Harmony Endpoint uninstallation of Harmony
clients Harmony Endpoint clients
Endpoint clients b. In time duration
on number of
devices.

Notify on Harmony The automation None

Endpoint client notifies upon
uninstall password change in
change Harmony
Endpoint client
uninstall
password.

Harmony Endpoint EPMaaS Administration Guide | 111

Configuring Alerts

Threshold (Minimum
Alert
Alert Title number to trigger the
Description
action)

Notify on repeated The automation a. Number of

login failures to user notifies upon repeated failed
Windows device detecting login attempts
repeated login b. Select Count
failures by the failures for each
user on user individually
Windows to count the
devices. failures for each
user individually
c. In time duration

Operational Alerts

Harmony Endpoint EPMaaS Administration Guide | 112

Configuring Alerts

Threshold (Minimum
Alert
Alert Title number to trigger the
Description
action)

Alert if Harmony The automation

Endpoint client notifies if one or
capabilities stop more
running capabilities on
the Harmony
Endpoint
Security client
stops running or
the client is a. Number of
unable to report
devices found
the capability with this event
status.
b. Notify on alert
Alert on Harmony The automation activation
Endpoint deployment notifies if the c. Notify on alert
failure Harmony resolution
Endpoint d. Remind every
Security Client (Minutes) - Set
deployment interval for
failed on the reminder
device. notifications

Alert on outdated The automation

Harmony Endpoint notifies if the
Anti-Malware harmony a. Number of
Endpoint Anti- devices found
Malware with this event
capability is b. Outdated -
outdated. Minimum time a
capability is
Alert on outdated The automation outdated to
Harmony Endpoint notifies if the initiate the alert
Offline-Reputation Harmony c. Notify on alert
capability Endpoint activation
Offline- d. Notify on alert
Reputation resolution
capability is
e. Remind every
outdated.
(Minutes) - Set
Alert on the outdated The automation interval for
Harmony Endpoint notifies if the reminder
Static Analysis Harmony notifications
capability Endpoint Static
Analysis
capability is
outdated.

Alert on the outdated The automation

Harmony Endpoint notifies if the
Behavioral Guard Harmony
capability Endpoint
Behavioral
Guard capability
is outdated.

d. On the Messages tab, you can view the Subject and Message of the alert.
e. Click Save.

Duplicating an Advanced Alert

You can duplicate an alert and customize to use different thresholds and notification profiles.

Harmony Endpoint EPMaaS Administration Guide | 116

Configuring Alerts

1. Select the applicable alert from the list.

2. From the taskbar, click Duplicate button.

3. In the Alert name field, enter the alert name.

4. Click Duplicate.

Editing or Creating a Notification Profile

Notification profiles are created in Infinity Playblocks and are automatically displayed in
Harmony Endpoint. You can edit a notification either from Infinity Playblocks or Harmony
Endpoint.

Note - To create and edit a notification profile in Infinity Playblocks, see Notifications
section in the Infinity Playblocks Administration Guide.

To edit a notification profile

1. From the taskbar, click Notification profiles.

The Notification profiles window appears.

Harmony Endpoint EPMaaS Administration Guide | 117

Configuring Alerts

2. From the Profile name list, select a profile.

3. Select a channel and turn on the toggle button.

4. Edit or specify these:

n To - Recipients to receive the notification.
n To create a new group, click Create new group.
a. In the Group name field, enter the group name.
b. Update the recipient information as follows:
l Emails - For Email
l Phone numbers - For SMS
l URL - For Slack and Microsoft Teams
c. Click Save.
n When - Time interval between notifications.
5. To create a new notification profile, click Save As.

Harmony Endpoint EPMaaS Administration Guide | 118

Configuring Alerts

a. In the Profile name field, enter a profile name.

b. Click Save.
6. To save changes to the current profile, click Save.

Harmony Endpoint EPMaaS Administration Guide | 119

How to Verify that Harmony Endpoint can Access Check Point Servers

How to Verify that Harmony Endpoint can

Access Check Point Servers
See article in the following link:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_
doGoviewsolutiondetails=&solutionid=sk116590

Harmony Endpoint EPMaaS Administration Guide | 120

Uninstalling Third-Party Anti-Virus Software Products

Uninstalling Third-Party Anti-Virus Software

Products
Note - We recommend that you test this procedure on a test environment before you
implement it on a live environment.

The EPS.msi file contains the Products.json file that has a pre-configured list of Anti-Virus
software products that are automatically deleted when you install the Endpoint Security client
E84.70 or higher. By default, this list contains Symantec, McAfee, and Kaspersky.
You can also uninstall Symantec, McAfee, and Kaspersky manually.

To uninstall Symantec, McAfee or Kaspersky manually:

Open the command prompt window and run:
msiexec /i EPS.msi REMOVEPRODUCTS="Product", where Product is Symantec,
McAfee or Kaspersky.
For example, to uninstall Symantec, run:
msiexec /i EPS.msi REMOVEPRODUCTS="Symantec"

To uninstall Symantec, McAfee and Kaspersky together manually:

Open the command prompt window and run:
msiexec /i EPS.msi REMOVEPRODUCTS="Symantec, McAfee, Kaspersky"

To uninstall any other Anti-Virus software manually:

Open the command prompt window and run:

msiexec /i EPS.msi REMOVEPRODUCTS="{Product code or upgrade code of
Product1} {Product code or upgrade code of Product2}"

For example, to uninstall multiple Anti-Virus softwares, run:

msiexec /i EPS.msi REMOVEPRODUCTS="{8D92DEB1-A516-4B03-8731-
60974682B69C} {9BE518E6-ECC6-35A9-88E4-87755C07200F}"

Tip - To find the product code, do any of these:

n In the Registry Editor, navigate to the Uninstall folder under
HKEY_LOCAL_MACHINE\SOFTWARE\.
For example, HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall.

Harmony Endpoint EPMaaS Administration Guide | 121

Uninstalling Third-Party Anti-Virus Software Products

n In PowerShell, run:
Get-WmiObject win32_product -Filter "name like '%any part of the product name%”
n To find the upgrade code using the product code, run:
gwmi -Query "SELECT Value FROM Win32_Property WHERE Property='UpgradeCode'
AND ProductCode='{YourGuid}”
Note - With the Endpoint Security client 86.50 and higher, you can uninstall a product that is
not listed in the default Products.json file by using an updated Products.json that contains the
product. To get the updated Products.json file, contact Check Point Customer Support.
To uninstall a product using the updated Products.json file, open the command prompt window
and run:
msiexec /i EPS.msi REMOVEPRODUCTS="Product"
RPCONFIG="c:\users\admin\downloads\Products.json", where Product is the
Anti-Virus software that you want to uninstall.

Notes -
n Symantec.cloud is not supported by this command. To remove
Symantec.cloud, navigate to
C:\Program Files\Symantec.cloud\PlatformAgent\ and run Uninstall.exe.
n You cannot uninstall software products whose cached msi is not found on your
computer.

Harmony Endpoint EPMaaS Administration Guide | 122

Uninstalling Third-Party Anti-Virus Software Products

Viewing Operational Overview,

Security Overview and Reports
The Overview page shows a graphical summary of important information about the Endpoint
clients in your organization.

Unified Dashboard
The Unified Dashboard shows a consolidated view of the preselected widgets from the
Operational Overview and Security Overview, in addition to Announcement widget. The
Announcement widget shows the latest news in the cyber security industry.

Custom Dashboard
The Custom Dashboard allows you to create personalized dashboards with widgets of your
preference and specify whether the dashboard should be private or public. Private
dashboards are available only for you to view whereas, Public dashboards are available for all
the users with access to the Overview page. However, only the owner of the dashboard can
edit it.
Blank dashboard allows you to create a new dashboard with available widgets. Unified
template allows you to customize the Unified Dashboard.

Harmony Endpoint EPMaaS Administration Guide | 123

Uninstalling Third-Party Anti-Virus Software Products

Creating a Custom Dashboard

1. Go to Overview and click next to Custom Dashboard.

Harmony Endpoint EPMaaS Administration Guide | 124

Uninstalling Third-Party Anti-Virus Software Products

2. To create a new custom dashboard from scratch:

a. Hover over the Blank dashboard widget and click Add.

b. In the Dashboard name field, enter a name.

c. Click Add Your First Widget.
The Add Widget window appears.
3. To create a custom Unified Dashboard:
a. Hover over the Unified template widget and click Duplicate.
b. In the Dashboard name field, enter a name.

c. Click Add Widget.

The Add Widget window appears.
4. From the left pane, select the widget and click Add.

Harmony Endpoint EPMaaS Administration Guide | 125

Uninstalling Third-Party Anti-Virus Software Products

Note - The Add button is disabled if the widget is already added to the dashboard.

5. To add more widgets, click Add Widget and repeat step 4.

6. To delete a widget, on the widget, click and click Delete.

7. By default, all custom dashboards you create are set as Private. To make the custom
dashboard available to all users with access to the Overview page, from the Private list
on the upper-right corner, click Public. The system adds the dashboard under Public
dashboards for other users.

8. Click Save.
The dashboard appears under Custom Dashboard on the left navigation pane, and it is also
listed under My dashboards in the Custom Dashboard page.

Harmony Endpoint EPMaaS Administration Guide | 126

Uninstalling Third-Party Anti-Virus Software Products

Managing a Custom Dashboard

1. Click Overview.

2. To edit a dashboard:
a. Expand Custom Dashboard.

b. Click for the dashboard you want to edit and click Edit.

c. Make the necessary changes and click Save.

Note - You cannot edit dashboards created by other users.

3. To delete a dashboard, expand Custom Dashboard, click for the dashboard you want
to delete and click Delete.

Note - You cannot delete dashboards created by other users.

4. To hide a dashboard, expand Custom Dashboard, click for the dashboard you want to
hide and click Hide. The dashboard is removed from the list under Custom Dashboard
on the left navigation pane.
5. To unhide a dashboard, click , hover over the dashboard you want to unhide and click
Add. The dashboard is added to the list under Custom Dashboard on the left navigation
pane.
6. To duplicate a dashboard, click , hover over the dashboard and click Duplicate.

Harmony Endpoint EPMaaS Administration Guide | 127

Uninstalling Third-Party Anti-Virus Software Products

Operational Overview
The Operational Overview page shows the deployment status of Endpoint clients in your
organization, their health status, client versions and operating systems on the clients.
To view the Operational Overview page, click Overview > Operational Overview.
To export the Operation Overview data to a pdf, click Export PDF.

Active Endpoints

The Active Endpoints widget shows the number of active and inactive endpoints.
Click the numbers in the widget to view the endpoints in the "Asset Management View" on
page 149 tab.

Harmony Endpoint EPMaaS Administration Guide | 128

Uninstalling Third-Party Anti-Virus Software Products

Desktops

The Desktops widget shows the number of desktops by Operating System (Windows, macOS,
Linux, and ChromeOS) that have the Endpoint Security client installed.

Laptops

The Laptops widget shows the number of laptops by Operating System (Windows, macOS,
Linux, and ChromeOS) that have the Endpoint Security client installed.

Harmony Endpoint EPMaaS Administration Guide | 129

Uninstalling Third-Party Anti-Virus Software Products

Deployment Status

The Deployment Status widget shows the number of endpoints by deployment status.

Pre-boot Status

The Pre-boot Status widget shows the number of endpoints by pre-boot status.

Harmony Endpoint EPMaaS Administration Guide | 130

Uninstalling Third-Party Anti-Virus Software Products

Encryption Status

The Encryption Status widget shows the number of endpoints by encryption status.

Anti-Malware Update

The Anti-Malware Update widget shows the number of endpoints that had the Anti-Malware
blade updated over different time periods.
Harmony Endpoint Version

Harmony Endpoint EPMaaS Administration Guide | 131

Uninstalling Third-Party Anti-Virus Software Products

The Harmony Endpoint Version widget shows the number of endpoints running a particular
Endpoint Security client version.

Operating System

The Operating System widget shows the number of endpoints running a particular Operating
System.

Alerts

The Alerts widget shows the active alerts on all the endpoints in the account.

Harmony Endpoint EPMaaS Administration Guide | 132

Uninstalling Third-Party Anti-Virus Software Products

Security Overview
Shows the attack statistics of the Endpoint Security clients.
The information is presented in these widgets:
n Hosts Under Attack
n Active/Dormant Attacks
l Active Attacks - Malicious process was executed and the system was infected.
Termination and quarantine of the process or other elements of the attack is
disabled in the policy.
l Dormant Attack - No malicious process was executed but the system was infected.
Quarantine of one of the detected files failed.
n Cleaned/Blocked Attacks
l Cleaned Attack - Malicious process was executed and the system was infected.
Termination and quarantine of all attack elements succeeded.
l Blocked Attack - No malicious process was executed. Quarantine of all detected
files succeeded.
n Infected Hosts
n Attacks Timeline

Note - The Active, Dormant and Cleaned attacks are based on Forensics and
Remediation capability:
n If there is no remediation or the remediation capability is turned off, then attack
status is either Dormant or Blocked.
n If remediation capability is turned on:
l If the process is actively running and the remediation is Terminate, then

the status is Active.

l If the remediation failed, then status is Dormant.

l If the remediation was successful, then the status is Cleaned.

Reports
On the Reports page, you can download the reports in the pdf format:
n Threat Analysis Report - Shows the latest security events.
n Threat Analysis Report Anonymized - Shows the latest security events without specific
user names.

Harmony Endpoint EPMaaS Administration Guide | 133

Uninstalling Third-Party Anti-Virus Software Products

n High Risks Cyber Attack Report - Shows the analysis of all the Endpoint Security
events by statuses of the attack pillars.
n Web Activity Checkup - Shows the web activity in the organization.
n Threat Emulation Report - Shows a report about scanned and malicious files.
n Threat Extraction Report - Shows the insights on the downloaded files.
n Software Deployment Report - Shows the deployment status in the organization.
n Policies Report - Shows policies status.
n Vulnerability Management -Shows the detected vulnerabilities.

Note - Available only to customer subscribed to this feature and with server
version R81.10.x and higher.
n Posture Management - Shows Vulnerability Management and patches information.

Note - Available only to customer subscribed to this feature and with server
version R81.10.x and higher.
n Operational Report - Shows the operational status of the endpoints.
n Compliance Report - Shows the compliance status in the organization.
n Check Point Cyber Security Report - Shows the latest security trends as per Check
Point.

Generate Report

Harmony Endpoint EPMaaS Administration Guide | 134

Uninstalling Third-Party Anti-Virus Software Products

To generate a report:
1. Go to Overview > Reports > Generate Report.

2. Select a report, click and select Export Report.

The Export Report window appears.

3. In the Time Frame list, select Last day, Last 7 days, or Last 30 days.
4. Click Export.

Harmony Endpoint EPMaaS Administration Guide | 135

Uninstalling Third-Party Anti-Virus Software Products

Scheduled Reports
Scheduled Reports allows you to automatically generate reports at the specified date and
time, and email it to the specified recipients.

Notes:
n The report becomes effective 24 hours after you schedule it. For example, if you
schedule for a new report today for 02:00 PM, then it is enforced from the next day at
02:00 PM.
n This feature is not supported for Check Point Cyber Security Reports.
n For performance reasons, it is recommended to schedule reports to run in off-peak
hours. For example, during non-business hours.
n The default time zone for the schedule report is Coordinated Universal Time (UTC).
For example, to schedule the report at 1:00 AM EST, specify the time as 6:00 AM
(depending on Daylight Savings Time).

Harmony Endpoint EPMaaS Administration Guide | 136

Uninstalling Third-Party Anti-Virus Software Products

To schedule a report:
1. Navigate to Overview> Reports and do one of these:
n From the Scheduled Reports page, click Add and from the Name list, select the
report.

Harmony Endpoint EPMaaS Administration Guide | 137

Uninstalling Third-Party Anti-Virus Software Products

n From the Generate Report page, select the report, click and select Schedule
Report.

2. From the Name list, select the report.

3. From the Time Frame list, select the period for the report:
n Last day
n Last 7 days
n Last 30 days
4. From the Frequency list, select the frequency to generate the report:

Harmony Endpoint EPMaaS Administration Guide | 138

Uninstalling Third-Party Anti-Virus Software Products

n To generate the report everyday, select the day of the week.

n To generate the report weekly, select the day of the week.
n To generate the report every month, select the date.
5. In the Time field, specify the time for the system to generate the report and send it to the
recipients. By default, the time is in UTC. For example, if you want to generate the report
at 01.00 AM Eastern Standard Time (EST), you must specify the time as 06.00 AM UTC.
6. In the Recipients field, enter the recipients for the report.
7. Click Schedule.
The schedule is added to the table. The report becomes effective 24 hours after you
schedule it.

8. To edit a scheduled report, select the report in the table and click Edit.
9. To delete a scheduled report, select the report in the table and click Delete.

Announcements
The Announcements page shows the latest news and enhancements in Harmony Endpoint.

Harmony Endpoint EPMaaS Administration Guide | 139

Browser Settings

Browser Settings
Disabling Incognito Mode, BrowserGuest Mode,
and InPrivate Mode
Overview
The browser extension is not installed automatically if the Incognito, Guest or InPrivate mode
is enabled in your browser. We recommend that you disable these modes to secure your
users.

Chrome on Windows

To disable Incognito mode and BrowserGuest mode:

1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears.
3.
To disable Run

Incognito mode REG ADD HKLM\SOFTWARE\Policies\Google\Chrome /v

IncognitoModeAvailability /t REG_DWORD /d 1

BrowserGuest REG ADD HKLM\SOFTWARE\Policies\Google\Chrome /v

mode BrowserGuestModeEnabled /t REG_DWORD /d 0

Firefox on Windows

To disable InPrivate mode:

1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears
3.
To disable Run

InPrivate REG ADD HKLM\SOFTWARE\Policies\Mozilla\Firefox /v

mode DisablePrivateBrowsing /t REG_DWORD /d 1

Harmony Endpoint EPMaaS Administration Guide | 140

Browser Settings

Microsoft Edge on Windows

To disable BrowserGuest mode and InPrivate mode:

1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears
3.
To disable Run

BrowserGuest REG ADD HKLM\SOFTWARE\Policies\Microsoft\Edge /v

mode BrowserGuestModeEnabled /t REG_DWORD /d 0

InPrivate mode REG ADD HKLM\SOFTWARE\Policies\Microsoft\Edge /v

InPrivateModeAvailability /t REG_DWORD /d 1

Brave on Windows

To disable Incognito mode, Incognito mode with Tor and BrowserGuest mode:
1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears

3.
To disable Run

Incognito mode REG ADD

HKLM\SOFTWARE\Policies\BraveSoftware\Brave /v
IncognitoModeAvailability /t REG_DWORD /d 1

BrowserGuest REG ADD

mode HKLM\SOFTWARE\Policies\BraveSoftware\Brave /v
BrowserGuestModeEnabled /t REG_DWORD /d 0

Incognito mode REG ADD

with Tor HKLM\SOFTWARE\Policies\BraveSoftware\Brave /v
TorDisabled /t REG_DWORD /d 1

Harmony Endpoint EPMaaS Administration Guide | 141

Browser Settings

Chrome on macOS

To disable incognito mode and BrowserGuest mode:

1. In the Finder, click Go > Utilities.
2. Open the Terminal app.
The Terminal app window appears.
3.
To disable Run

Incognito mode defaults write com.google.chrome

IncognitoModeAvailability -integer 1z

BrowserGuest defaults write com.google.Chrome

mode BrowserGuestModeEnabled -bool false

Firefox on macOS

To disable InPrivate mode:

1. In the Finder, click Go > Utilities.
2. Open the Terminal app.
The Terminal app window appears.

3.
To disable Run

InPrivate defaults write

mode /Library/Preferences/org.mozilla.firefox
DisablePrivateBrowsing -bool TRUE

Microsoft Edge on macOS

To disable BrowserGuest mode and InPrivate mode:

1. In the Finder, click Go > Utilities.
2. Open the Terminal app.
The Terminal app window appears.

Harmony Endpoint EPMaaS Administration Guide | 142

Browser Settings

3.
To disable Run

BrowserGuest defaults write com.microsoft.edge

mode BrowserGuestModeEnabled -integer 0

InPrivate mode defaults write com.microsoft.edge

InPrivateModeAvailability -integer 1

Enabling the Browser Extension on a Browser

with Incognito or InPrivate Mode
You can enable Harmony Browse extension on your browser in Incognito or InPrivate mode.

To enable the Harmony Browse extension on Chrome in the Incognito mode:

1. In your browser's address bar, type chrome://extensions/ and locate the Harmony
Browse extension.
2. Click Details and enable Allow in Incognito.

To enable the Harmony Browse extension on Edge in the InPrivate mode:

1. In your browser's address bar, type Edge://extensions/ and locate Harmony
Browse extension.
2. Click Details and select Allow in Private checkbox.

To enable the Harmony Browse extension on Firefox in the InPrivate mode:

1. In your browser's address bar, type about:addons and select Extensions.
2. Click the Harmony Browse Extension.
3. In Run in Private Windows, select Allow.

Ending the Browser Process Running in the

Background
When you close Chrome and Edge browsers with the Harmony Browse extension installed,
the browser process continues to run in the background. You can perform these procedures to
end the browser process running in the background.

To end the Chrome browser process running in the background:

1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.

Harmony Endpoint EPMaaS Administration Guide | 143

Browser Settings

The Command Prompt window appears.

3. Run:
REG ADD HKLM\SOFTWARE\Policies\Google\Chrome /v
BackgroundModeEnabled /t REG_DWORD /d 0

4. Press Enter.

To end the Edge browser process running in the background:

1. Select Start and type CMD.
2. Right-click Command Prompt and select Run as administrator.
The Command Prompt window appears.

3. Run:
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Edge /v
BackgroundModeEnabled /t REG_DWORD /d 0

4. Press Enter.

Browser Extension Pinning

For more information, see Browser Settings in "Web & Files Protection" on page 224.

Harmony Endpoint EPMaaS Administration Guide | 144

Managing Endpoint Components in SmartEndpoint Management Console

Managing Endpoint Components

in SmartEndpoint Management
Console
In addition to Harmony Endpoint, you can also manage the Endpoint components through a
cloud-based SmartEndpoint management console.
To manage the Endpoint components through the SmartEndpoint console:
1. Download SmartConsole from the Service Management view:

Note - Before you download SmartConsole, you must change your SmartConsole
administrator password.

2. In the SmartEndpoint Login window:

a. Enter the username, password and connection token that you entered when you
created the New Endpoint Management Service.
See "Creating a New Endpoint Management Service" on page 43.
b. Select Cloud Server.

Harmony Endpoint EPMaaS Administration Guide | 145

Managing Endpoint Components in SmartEndpoint Management Console

c. Click Login.

The SmartEndpoint console manages all Endpoint components, whereas the Harmony
Endpoint manages only Harmony components.
Harmony Endpoint does not support all of SmartEndpoint features. Therefore, there can be
conflicts between configurations in the two platforms. For more information, see "Backward
Compatibility" on page 404.

Harmony Endpoint EPMaaS Administration Guide | 146

Managing Accounts in the Infinity Portal

Managing Accounts in the Infinity

Portal
You can create additional accounts for the same user.
To create an additional account for an user

1. Go to the registration page:

https://portal.checkpoint.com/register/endpoint
2. For each new account, use a different account name (Company Name).

To switch between accounts

At the upper-middle of your screen, near the name Harmony Endpoint, click the current
account and select the required account from the drop-down menu.

To add an administrators to an account

1. From the left navigation panel, click Global Settings (at the bottom of the panel).
2. In the top left section, click Users.
The list of currently defined users appears.
3. From the top toolbar, click New.

The Add User window opens.

4. Configure the required details:
n Name
n Email
n Phone
n User Groups
n Global Roles - select Admin or User Admin

Note - If the administrator you wish to add is not registered in Harmony Endpoint,
they receive a registration invitation to establish login credentials for the portal.

5. Click Add.

Harmony Endpoint EPMaaS Administration Guide | 147

Managing Harmony Browse

Overview
You can install and manage the Harmony Browse lightweight client through Harmony
Endpoint. This is suitable when you want to provide only the Harmony Browse service to users
and manage it's policy through Harmony Endpoint. For more information on Harmony Browse,
see Harmony Browse Administration Guide.
After you install the Harmony Browse client:
n You can apply same Client Setting and Threat Prevention policies to both Harmony
Browse and Harmony Endpoint clients.

n
in Asset Management > Computers indicates a Harmony Browse client. You can
filter for clients using the Agent Installed filter.
n The Overview and Logs menu show the information for both Harmony Browse and
Harmony Endpoint clients.

To manage Harmony Browse client through Harmony Endpoint:

1. Install the Harmony Browse client from Harmony Endpoint. For more information, see
"Manual Deployment" on page 80
2. Apply an existing Threat Prevention policy or configure a new Threat Prevention policy
for the Harmony Browse client.
3. Apply an existing Client Setting policy or configure a new Client Setting policy for the
Harmony Browse client.

Limitations
Harmony Browse does not support Push Operations and Threat Hunting.

Harmony Endpoint EPMaaS Administration Guide | 148

Viewing Computer Information

Asset Management View
The Asset Management view shows information on each computer, such as deployment
status, active components on the computer, client version installed on the computer and more.

Note - The General > Description at bottom pane shows the text entered in the
Active Directory for the asset. If no text is entered, it is blank.

Select a View
From the View drop-down on the top left, select a preconfigured view:
n Deployment
n Compliance
n Health
n Full Disk Encryption
n Anti-Malware
n Host Isolation
n Anti-Bot
n Policy Information
n Custom

Harmony Endpoint EPMaaS Administration Guide | 149

Viewing Computer Information

Creating a Custom View

You can create a custom view with the filters and table column you specify.

To create a custom view:

1. Apply the filters and select the required columns for the table and click Update. For more
information, see "Table Filters and Column Description" on page 152.
2. From the View drop-down, click Save View.
The Save New View window appears.
3. In the View name field, enter a name for the view. For example, Active Laptops.

4. In the Select what will be saved in this view section, select the required checkbox:
n Filters
n Table Columns
5. Click OK.
6. To delete a Custom View:
a. From the View drop-down, go to Custom Views.

b. Hover over the custom view and click .

Status Icon
The icon in the Status column shows the client or computer status.

Status
Description
Icon

Indicates Harmony Endpoint client.

Indicates Harmony Browse client.

Indicates that the client connection is active.

Indicates that a new computer was discovered that has no client installed.

Indicates that the computer was deleted from the Active Directory or from the
Organizational Tree.

Harmony Endpoint EPMaaS Administration Guide | 150

Viewing Computer Information

Status
Description
Icon

Indicates a pending Network One-Time Logon or Network Password Change

request from a user. For more information, see the Easy Unlock feature.
1. Click the icon.
The Respond to Request dialog box appears.
2. Click Accept or Reject.
Notes:
n You must refresh the table or the browser to view the icon.
n This feature is available only to customers in the Early Availability
program.

Filters
Use the Filters pane on the top of the screen to filter the information in the table.

To add filters:
1. In the Filters pane, click +.
2. Select the required filter or search for the filter using the Search bar. For information on
the filters, see "Table Filters and Column Description" on the next page.
3. Click Update.

The system updates the table automatically for the added filters.

To modify the table:

1. Click on the top left header of the table.

2. To select the columns for the table, search and select the columns.
3. To change the column position in the table, drag and drop the column to the required
position.
4. Click Update.
Tip - The URL in the address bar of the web browser captures the filters you specify for the
table. You can bookmark the URL to go to the Asset Management > Computers page and
view the table with the specified filters.

Harmony Endpoint EPMaaS Administration Guide | 151

Viewing Computer Information

Table Filters and Column Description

Filter/Column
Description
Name

Status Status of the connected computer. For more information, see "Status
Icon" on page 150.

Computer Name Name of the connected computer.

Active Active computers. Computers that have communicated with

Harmony Endpoint in the last 30 days.

Deleted Deleted computers.

Domain Name Domain name of the connected computer.

Agent Installed Endpoint Security client or Browse client installed on the computer.

Endpoint version Harmony Endpoint Security client or browser extension version

installed on the computer.

Operating Operating System version installed on the computer.

System

Device Type Type of the computer (Desktop or Laptop).

Compliance Compliance status of the computer.

Status

Admin Comment Comment for the device. For example, This computer is used by Bob
and Jane.

Deployment Deployment status of the computer.

Status

Deploy Time Time when the client was installed on the computer.

Inactive Capabilities that are not active on the computer.

Capabilities Reasons can be any of these:
n Security blade is inactive
n Security blade has stopped
n Status of the security blade is missing

Deployment Error code of the failed deployment.

Error Code

Harmony Endpoint EPMaaS Administration Guide | 152

Viewing Computer Information

Filter/Column
Description
Name

Deployment Error description of the failed deployment.

Error Description

OS Build Operating System build number of the computer.

Organizational Active directory tree of your organization.

Unit

FDE Status Full Disk Encryption status of the computer.

FDE Version Full Disk Encryption engine version.

Pre-boot Status Full Disk EncryptionPre-boot screen status of the computer.

Pre-boot Status Full Disk EncryptionPre-boot screen status last update time.
Updated On

TPM Id Trusted Platform Module (TPM) Manufacturer ID of the computer.

TPM Status TPM status of the computer.

TPM Version TPM specification version implemented in the computer.

Isolation Status Isolation status of the computer.

Last Connection Last connection date of the computer.

Synced On Sync date of the computer.

Last Logged In Last logged in user name on the computer.

User

Last Logged In Last logged in user name on the Full Disk Encrypted computer.
FDE User

Anti-Malware Anti-Malware blade status of the computer.

Status

Anti-Malware Last update time of the Anti-Malware blade.

Updated on

Virtual Groups Pre-defined and custom virtual groups of the computer.

Remote Help Full Disk Encryption locked users that are pending for help (One-
Requests Time Logon or Password Change)

Harmony Endpoint EPMaaS Administration Guide | 153

Viewing Computer Information

Filter/Column
Description
Name

Anti-Malware Dat version of the Anti-Malware.

Dat Version

Dat Date Dat date in a human readable format (Example: 09 Apr 2018 10:52
AM)

Total Infected Number of files infected on the computer as detected by Anti-

Malware.

Anti-Malware Anti-Malware name of infections found on the computer.

Infections

Package Name Software Deployment package name (Example: Check

PointEndpoint Total Security x64)

Package Version Client version installed on the computer (Example: 86.25.5060)

Software Deployment policy name installed on the computer.

Deployment
Policy Name

Software Deployment policy version installed on the computer.

Deployment
Policy Version

Anti-Bot State Anti-Bot blade status on the computer.

Protection Name Anti-Bot protection name.

Scanned on Anti-Malware last scan time.

Total Number of files quarantined by Anti-Malware.

Quarantined

Compliance Name of compliance violation on the computer.

Violations

Smart Card Smart Card blade status on the computer.

Status

Enforced & Enforced and installed policy name.

Installed Policy
Name

Harmony Endpoint EPMaaS Administration Guide | 154

Viewing Computer Information

Filter/Column
Description
Name

Enforced & Enforced and installed policy version.

Installed Policy
Version

Threat Emulation Threat Emulation availability status.

Status

Threat Emulation Threat Emulation reputation status.

Reputation
Status

Static Analysis Last time when the Threat Emulation Static Analysis was updated.
Update

Offline Last time when the Threat Emulation Offline Reputation was
Reputation updated.
Update

Behavioral Last update time of Behavioral Guard.

Guard Update

Installed Patch Installed DA Windows patch version.

For information on patch upgrade, see "Local Deployment Options"
on page 394.

Policy Profile Profiles available for each blade in the policy.

Threat Hunting Threat Hunting status on the Harmony Endpoint Security Client. The
Status supported statuses are:
n Available - Threat Hunting is installed and running.
n Not Available - Threat Hunting is installed but not running due
to an error. For the error description, see the Threat Hunting
Error Description column.
n Not installed - Threat Hunting is supported by the client but not
installed.
n N/A - Threat Hunting is not supported by the client. Upgrade to
the client version 87.20 or higher.

Harmony Endpoint EPMaaS Administration Guide | 155

Viewing Computer Information

Filter/Column
Description
Name

Threat Hunting Threat Hunting describes the reason why Threat Hunting is not
Error Description running on the Harmony Endpoint Security Client. The supported
values are:
n Available
n Not installed
n Authentication Failed
n Data Uploading Failed
n Fetching Settings Failed
n URL Creating Failed
n Connection Failed
Note - Threat Hunting Error Description is not supported
by "Filters" on page 151.

Anti-Malware Shows the expiry date and time of the Anti-Malware license.
License
Expiration Date

Browser Status Shows the browser and the Harmony Browse extension status on the
endpoint.
The supported statuses are:
n Not Installed -
o The browser is not installed.
o The browser is installed but not used since the last

reboot.
o The browser is used but the extension is disabled by the

policy.
For example, indicates that the Chrome browser is not
installed.
n Running - The browser is active and the extension was

detected. For example, indicates that the Edge browser is

active and the extension on it was detected.
n Not Running - The browser is active but the browser extension

is not detected. For example, indicates that the Brave

browser is active but the extension is not detected. Contact
Check Point Support.
n N/A - The installed Endpoint Security client version does not
support Browser Status.

Note - This is supported only with the Windows Endpoint

Security Client version E86.10 and higher.

Harmony Endpoint EPMaaS Administration Guide | 156

Viewing Computer Information

Filter/Column
Description
Name

Anti-Bot Last Shows the date and time when the signatures of the Anti-Bot blade
Update were last updated. For example, 07 Jun 2023 04:53 PM. The other
statuses are:
n N/A - The Anti-Bot signatures are not updated.
n Not Installed - The Anti-Bot blade is not installed.

Note -This is supported only with the Endpoint Security Client

version E87.30 or higher .

Posture Last Shows the status of the latest scan. The statuses are:
Scan Status
n Timed Out
n Waiting For Client
n Blade Not Installed
n Starting Scan - Scan initiated.
n Scan Started - Scan in progress.
n Succeeded
n Failed
n Not Scanned
n Aborted

Working with the Computers Table

1. Hover over the column and click .

2. From the drop-down :

n To freeze the column, click Pin.
n To unfreeze the column, click Unpin.
n Open the filter for the current column, click Filter and select the values.
n To hide the column, click Hide.
n To insert another column, click Add Column.
3. To adjust the column position in the table, drag and drop the column to the required
position.
4. To copy the value of a cell to the clipboard, hover over a cell and click Copy.
5. To copy the values of a row to the clipboard, hover over a row and click Copy row.

Harmony Endpoint EPMaaS Administration Guide | 157

Viewing Computer Information

Viewing Device Hardware Information

You can view the hardware information of each device in your organization, such as, CPU
configurations, network connection, disk usage and RAM.

Note -
n For Windows clients, this feature is supported with Harmony Endpoint Security
client version E88.00 and higher.
n For macOS clients, this feature is supported with Harmony Endpoint Security client
version E88.40 and higher.

To view the device hardware information:

1. Navigate to Asset Management, expand Organization and select Computers.

2. Click the device.

The device information is displayed in the Hardware section.

Managing Computers
Select the checkbox to the left of the applicable computers and right-click to perform these
actions:

General Actions
View Computer Logs

You can view logs of computers based on it's IP address.

Harmony Endpoint EPMaaS Administration Guide | 158

Viewing Computer Information

To view computer logs by it's IP address:

1. Go to Asset Management > Computers.
2. Select the applicable computer or user from the list.
3. From the top toolbar, click .

4. Select General Actions > View Computer Logs.

The system opens the Logs menu and shows the computer logs.

Create Virtual Group

You can create a virtual group. See Managing-Virtual-Groups.htm.

Create and Add to Virtual Group

You can add computers to a new virtual group. See Managing-Virtual-Groups.htm.

Add to Virtual Group

You can add a computer to a virtual group. See Managing-Virtual-Groups.htm.

Reset Computer Data

When the Endpoint client is installed on a computer, information about the computer is sent
to and stored on the Endpoint Security Management Server.
Resetting a computer means deleting all information about it from the server.

Resetting a computer does not remove the object from the Active Directory tree or change
its position in the tree.

Important - You can only reset a computer if the Endpoint client is not installed. If
you reset a computer that has Endpoint installed, important data is deleted and the
computer can have problems communicating with the Endpoint Security
Management Server.

Computer reset:
n Removes all licenses from the computer.
n Deletes Full Disk Encryption Recovery data.
n Deletes the settings of users that can log on to it.
n Removes the computer from Endpoint Security Monitoring.
n Deletes the Pre-boot settings.
n Marks the computer as unregistered.

Harmony Endpoint EPMaaS Administration Guide | 159

Viewing Computer Information

After you reset a computer, you must reformat it before it can connect again to the Endpoint
Security service.
You may decide to reset a computer if:
n The Endpoint client was uninstalled or the computer is re-imaged.
n It is necessary to reset the computer's configuration before a new Endpoint client is
installed. For example, if the computer is transferred to a different person.

Delete

Removes the asset from the Local or Active Directory and adds it to Deleted Entities in the
Organizational Tree. This operation discards the assets license information. You can use
this operation when you remove an asset from your domain.

Note - If the Endpoint Security client is still installed on the asset, the client continues to
receive the updates from the Endpoint Security Management Server.
To add the asset back to the Active Directory, see Recover.

Recover

Adds the deleted asset back to the Local or Active Directory from Deleted Entities in the
Organizational Tree. The asset's status is not Active until its Endpoint Security client
connects and synchronizes with the Endpoint Security Management Server. You can use
this operation when you add an asset back to the domain.
Note - You can recover only a deleted asset.

Terminate

Warning - Removes the asset from the Harmony Endpoint management permanently. You
cannot recover a terminated asset. We recommend to terminate an asset only if it is
discarded or disposed or the Endpoint Security client is uninstalled.

Directory Scanner

Harmony Endpoint can scan and import users, groups, Organizational units (OUs) and
computers from multiple supported directory domains. See Managing Active Directory
Scanners.

Harmony Endpoint EPMaaS Administration Guide | 160

Viewing Computer Information

Push Operations

Harmony Endpoint EPMaaS Administration Guide | 161

Viewing Computer Information

Perform Push Operation

Harmony Endpoint EPMaaS Administration Guide | 162

Viewing Computer Information

1. Go to Asset Management > Computers.

2. Right-click on a computer, select a category and select a push operation.

Push
Category Windows macOS Linux
Operations

Anti-Malware Scan for Yes Yes Yes

Malware

Update Yes Yes Yes

Malware
Signature
Database

Restore Files Yes Yes Yes

from
Quarantine

Forensics and Analyze by Yes Yes No

Remediation Indicator

File Yes Yes Yes

Remediation

Kill Process Yes Yes No

Remote Yes Yes Yes

Command

Search and Yes Yes No

Fetch files

Registry Yes No No
Actions

File Actions Yes Yes No

VPN Site Yes Yes No

Collect Yes No No
Processes

Run Yes Yes No

Diagnostics

3. Select the devices on which you want to perform the push operation.

Harmony Endpoint EPMaaS Administration Guide | 164

Viewing Computer Information

Note - You can perform Run Diagnostics on only one device at a time.

4. Click Next.
5. Configure the operation settings.
Anti-Malware

2FA
Push Operations Description
Required

Scan for Malware Runs an Anti-Malware scan on the No

computer or computers, based on the
configured settings.

Update Malware Updates malware signatures on the No

Signature computer or computers, based on the
Database configured settings.

Restore Files Restores files from quarantine on the No

from Quarantine computer or computers, based on the
configured settings.

To restore files from quarantine:

a. In the Full Path field, enter the path to
file before it was quarantined
including the file name. For example,
c:\temp\eicar.txt
b. Click OK.

Forensics and Remediation

Push 2FA
Description
Operations Required

Analyze by Manually triggers collection of forensics No

Indicator data for an endpoint device that
accesses or executes the indicator. The
indicator can be a URL, an IP, a path, a
file name or an MD5.

Harmony Endpoint EPMaaS Administration Guide | 165

Push 2FA
Operati Description Requi
ons red

Collect Collects CPInfo logs from an endpoint based on the No

Client configured settings.
Logs n For Windows, client logs are stored in the directory

C:\Windows\SysWOW64\config\systemprofile\CPInfo.
n For macOS, client logs are stored in the directory

/Users/Shared/cplogs.
Field Description

Comment Optional comment about the action.

Log set to Select the scope of information for the

collect logs.

Debug Info Select the location to upload the logs:

upload n Upload CPInfo reports to Check

Point servers
n Upload CPInfo reports to Corporate

server - Update the relevant

corporate server information.

Repair Repairs the Endpoint Security client installation. This No

Client requires a computer restart.
Note - This push operation applies only to Harmony
Endpoint Security clients that have been upgraded to a
newer version at least once after the installation.

Shutdo Shuts down the computer or computers based on the No

wn configured settings.
Compu
ter

Restart Restarts the computer or computers based on the No

Compu configured settings.
ter

Uninsta Uninstalls the Endpoint Security client remotely on the Yes

ll Client selected devices. This feature is supported for E84.30 client
and above.

Harmony Endpoint EPMaaS Administration Guide | 168

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Applica Collects all available applications in a certain folder on a set No

tion of devices and then adds them to the application repository
Scan of the "Application Control" blade on that specific tenant.

Kill Remotely kills/ terminate the processes. No

Proces
s

Remote n Allows administrators to run both signed (introduced Yes

Comm by CP) and unsigned (ones the customer creates)
and scripts on the Endpoint Client devices.
n Especially useful in a non-AD environment.
n Supplies tools/fixes to customers without the need to

create new EP client/server versions.

n Saves passwords securely when provided.

The Remote Command feature is supported only in

Windows clients running version E85.30 and above

Harmony Endpoint EPMaaS Administration Guide | 169

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Search Searches and uploads files to a server. Yes

and
Fetch Supported fields are:
files
Field Description

Comment Optional comment about the action.

Search and Fetch files

Locate the Searches for the files in the specified

following files folders.
in the specific a. In the File table, click .
folders b. Enter the file name. For example,
test.txt or test.zip and click OK.
c. Repeat the steps 1 and 2 for
additional files.
d. In the Folder Path table, click
e. Enter the path and click OK.
f. Repeat the steps 4 and 5 for
additional paths.

Locate the Searches for the files in the specified

following files path.
by exact path a. In the File table, click .
b. Enter the path where you ant to
search for the file and click OK.
c. Repeat the steps for additional
paths.

Files upload

Select the Select the checkbox to upload the files to

Upload files a server.
to

Harmony Endpoint EPMaaS Administration Guide | 170

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Field Description

Corporate a. Specify these:

Server Info i. Protocol
ii. Server address
iii. Path on server
iv. Server fingerprint
b. If the server requires login to
access it, select the Use specific
credentials to upload checkbox,
and enter Login and Password.

Harmony Endpoint EPMaaS Administration Guide | 171

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Registr Add or remove a registry key. No

y
Actions Supported fields:
Field Description

Comment Optional comment about the action.

Action Select an action.

n Add Key to Registry
n Remove Key From Registry

Caution - Removing a registry

might impact the endpoint's
operating system.

Add Key to Registry

Key Full path where you want to add the

registry key.
For example, Computer\HKEY_
LOCAL_
MACHINE\SOFTWARE\Citrix\Secure
Access Endpoint Analysis

Subkey Enter the key name to add in the

registry. For example, ProductVersion.

Value Type Select the registry type.

Value Enter the registry value.

Is redirected Indicates that virtualization is enabled

and add the registry to 32-bit. By default,
the registry is added for 64-bit.

Remove Key From Registry

Harmony Endpoint EPMaaS Administration Guide | 172

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Field Description

Key Full path of registry key that you want to

delete.
For example, Computer\HKEY_
LOCAL_
MACHINE\SOFTWARE\Citrix\Secure
Access Endpoint Analysis
Caution - Removing a registry might
impact the endpoint's operating system.

Subkey Enter the key name to remove from the

registry. For example, ProductVersion.

Is redirected Indicates that virtualization is enabled

and delete the registry in 32-bit. By
default, the registry is deleted for 64-bit.

To change the working hours to allow the Anti-Malware

signature updates on a DHS compliant Endpoint Security
client, see sk180559.

Harmony Endpoint EPMaaS Administration Guide | 173

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

File Copy, move or delete the file or folder. No

Actions Supported fields:

Note - The folder actions are supported only with the

Endpoint Security Client version 87.20 and higher.
Field Description

Comme Optional comment about the action.

Action Select an action.

n Copy File
n Move File
n Delete File

Caution - Deleting a file might impact

Harmony Endpoint's protected files.

Copy File

File path Full path of the file or folder you want to copy,
including the file or folder name.
Example:
n For File - C:\Users\<user_

name>\Desktop\test.doc
n For Folder -

C:\Users\Username\Desktop\

Harmony Endpoint EPMaaS Administration Guide | 174

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Field Description

Target Full path where you want to paste the file or

file path folder.
Example:
n For File - C:\Users\<user_

name>\Documents
n For Folder - C:\Users\Username2\

Notes:
n The file or folder name you specify

is used to rename the copied file.

n If you provide the folder path only,

the file is copied with the original file

name.
n If the file or folder already exists, the

file is not overwritten and the

operation fails.
n If the file path or target folder does

not exist, it is created during the

operation.

Move File

File path Full path of the file or folder you want to move,
including the file or folder name.
Example:
n For File - C:\Users\<user_

name>\Desktop\test.doc
n For Folder -

C:\Users\Username>\Desktop\

Harmony Endpoint EPMaaS Administration Guide | 175

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Field Description

Target Path where you want to move the file or folder.

file path Example:
n For File - C:\Users\<user_

name>\Documents
n For Folder -

C:\Users\Username1\Documents\
Notes:
n If you provide the full file path, the is

moved with the specified name.

n If you provide the folder path only,

the file is moved with the original file

name.
n If the file or folder already exists, the

file or folder is not overwritten and

the operation fails.
n If the file path or target folder does

not exist, it is created during the

operation.

Delete File

File path Full path of the file you want to delete,

including the file name.
For example, C:\Users\<user_
name>\Desktop\test.doc

Caution - Deleting a file might impact

Harmony Endpoint's protected files.
Note - Delete folder action is not
supported.

Harmony Endpoint EPMaaS Administration Guide | 176

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

VPN Adds or removes a VPN site. No

Site
Limitations:
n This is supported only with the Windows Endpoint

Security client.
n You cannot create separate VPN sites for each user

that access the endpoint. The same VPN site applies

to all users.
n SoftID and challenge-response authentication

methods are not tested.

n The system does not validate the entries (for example,

Server Name or Fingerprint) that you specify.

n Only one fingerprint operation is supported at a time.
n You cannot add a new VPN site or remove a VPN site

if a VPN site is already connected in the Harmony

Endpoint client. Disconnect the VPN site before you
add a new VPN site.
n This operation is not supported if the firewall policy for

the client is configured through the on-premise

Security Gateway (Policy > Data Protection > Access
& Compliance > Firewall > When using Remote
Access, enforce Firewall Policy from is Remote
Access Desktop Security Policy). To enable the
operation on such a client:
a. In the Security Gateway, change the parameter
allow_disable_firewall to true in the
$FWDIR/conf/trac_client_1.ttm file.
b. Install the policy on the Security Gateway.
c. Reboot the Harmony Endpoint client.
d. Perform the push operation.
Note - If the operation fails with timeout, see sk179798 for
troubleshooting instructions.

Supported fields:

Harmony Endpoint EPMaaS Administration Guide | 177

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Field Description

Commen Optional comment about the action.

Action Select an action:

n Add VPN Site
n Remove VPN Site

Add VPN Site

Server Enter the IP address or FQDN of the remote

Name access gateway.
Note - Ensure the endpoint can resolve the
FQDN to the IP address of the gateway.

Use Select the checkbox if you want to change

Custom the display name of the server in the
Display Harmony Endpoint client.
Name

Display Server name displayed in the Harmony

Name Endpoint client. By default, it uses the Server
Name.
To change the display name ,elect the Use
Custom Display Name checkbox and enter a
display name.

Use Select the checkbox if you want to use a

Custom custom login option.
Login
Option

Harmony Endpoint EPMaaS Administration Guide | 178

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Field Description

Login Login option for the server. By default,

Option Standard login option is selected.
To use a custom login option, select Use
Custom Login Option checkbox, and enter
the login option. This must match the Display
Name specified in the GW properties > VPN
Clients > Authentication > Multiple
Authentication Clients Settings in the
SmartConsole. For example, SAML IDP.

For the Standard login option, make sure that

the Authentication Method is Defined on
User Record (Legacy). Otherwise,
Standard: does not need authentication
method error appears.

Harmony Endpoint EPMaaS Administration Guide | 179

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Field Description

Authentic Select an authentication method.

ation The options displayed depend on the Login
Method Option.
Authentication methods for the Standard
login option:
n username-password
n certificate (for a certificate stored in the

CAPI store)
n p12-certificate
n securityIDKeyFob
n securityIDPinPad
n SoftID (not tested)
n challenge-response (not tested)

Authentication methods for the custom login

option:
n Select certificate from hardware or

software token (CAPI)

n Use certificate from Public-Key

Cryptographic Standard (PKCS #12)

file
n Other

Note - Select the relevant certificate

authentication method if your custom login
uses a certificate. Otherwise, select Other.

Harmony Endpoint EPMaaS Administration Guide | 180

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Harmony Endpoint EPMaaS Administration Guide | 181

Viewing Computer Information

Push 2FA
Operati Description Requi
ons red

Collect Collects information about the process running on the No

Proces endpoint.
ses
Supported fields:
Field Description

Comment Optional comment about the action.

Collect all Collects information about all the

processes processes running on the endpoint.

Collect Collects information about a specific

process by process on the endpoint.
name

Process Enter the process name. Case-sensitive.

name

Additional Select the additional information you

output fields want to view in the collected information.

Run Runs diagnostics on an endpoint to collect this information:

Diagno n Total CPU and RAM usage in the last 12 hours.
stics n CPU usage by processes initiated in the last 12 hours.

For example, the CPU used by Anti-Malware to scan

files.
You can review the CPU usage data to identify
processes (scans) that consume CPU more than the
specified threshold and exclude such processes from
future scans.
Note - This is supported with Endpoint Security
client version E86.80 and higher.
Warning - Only exclude a process if you are sure
that the file is not malicious and is not vulnerable
to cyber-attacks.
To view the latest diagnostics report, see "Show Last
Diagnostics Report" on page 186.

6. Under User Notification:

Harmony Endpoint EPMaaS Administration Guide | 182

Viewing Computer Information

n To notify the user about the push operation, select the Inform user with
notification checkbox.
n To allow the user to post pone the push operation, select the Allow user to
postpone operation checkbox.
7. Under Scheduling:
n To execute the push operation immediately, click Execute operation
immediately.
n To schedule the push operation, click Schedule operation for and click to select
the date.
8. Specify the duration after which the system automatically terminates the unexecuted
push operation (For example, if the Endpoint client is offline):
n 7 days
n Custom
n Never
9. For Push Operations that support 2FA authentication, you are prompted to enter the
verification code.
If you have not enabled 2FA authentication, a prompt appears to enable 2FA
authentication:
n To enable 2FA authentication for your profile, click Profile Setting, and follow
the instructions. For more information, see Infinity Portal Administration Guide.
n To enable 2FA authentication for the current tenant, click Global Settings, and
follow the instructions. For more information, see Infinity Portal Administration
Guide.
10. Click Finish.
11. View the results of the operations on each endpoint in the Endpoint List section (in the
Push Operations menu) at the bottom part of the screen.

Harmony Endpoint EPMaaS Administration Guide | 183

Viewing Computer Information

Report Description

Run Diagnostics To see the diagnostics report:

1. Go to Push Operations menu.
2. Select the row of the Run Diagnostics push
operation you performed.
3. In the Endpoint List table, under Operation
Output column, click View Report.

Note - This is supported with Endpoint

Security client version E86.80 and higher.
By default, the report shows the data for Total
Usage.
n To view the report per capability, in the left
pane, under Process, click the capability.
n In the CPU widget:
l To change the CPU usage threshold,

in the Threshold list, set a value (in

percentage). The default value is 10
percent.
l To set the selected threshold as

default, click Set Default.

Note - After changing the threshold,
Harmony EndpointAdministrator Portal
re-evaluates to suggest processes that
exceeded the new threshold.

To add a suggested exclusion to the exclusion

list:
1. In the Suggested Exclusions area, clear
the checkboxes if you do not want to
exclude the processes from future scans.
By default, all the processes are selected
for exclusion.
2. Click View Selected Exclusions.
3. To add the exclusions to all the rules, select
Global Exclusions.
a. Click Create & Review.
b. Click Save.
c. From the top, click Install Policy.
4. To add the exclusions to a specific rule,
select Device Exclusions Per Rule.
a. Click Create & Review for the rule.

Harmony Endpoint EPMaaS Administration Guide | 184

Viewing Computer Information

Report Description

b. Click OK.
c. Click Save.
d. From the top, click Install policy.

Diagnostics
Run Diagnostics

Runs diagnostics on an endpoint to collect this information:

n Total CPU and RAM usage in the last 12 hours.
n CPU usage by processes initiated in the last 12 hours. For example, the CPU used by
Anti-Malware to scan files.
You can review the CPU usage data to identify processes (scans) that consume CPU
more than the specified threshold and exclude such processes from future scans.

Note - This is supported with Endpoint Security client version E86.80 and higher.

Warning - Only exclude a process if you are sure that the file is not malicious
and is not vulnerable to cyber-attacks.

To view the latest diagnostics report, see "Show Last Diagnostics Report" on the next
page.

To see the diagnostics report:

1. Go to Push Operations menu.

2. Select the row of the Run Diagnostics push operation you performed.
3. In the Endpoint List table, under Operation Output column, click View Report.

Note - This is supported with Endpoint Security client version E86.80 and higher.

By default, the report shows the data for Total Usage.

n To view the report per capability, in the left pane, under Process, click the capability.
n In the CPU widget:
l To change the CPU usage threshold, in the Threshold list, set a value (in
percentage). The default value is 10 percent.
l To set the selected threshold as default, click Set Default.

Harmony Endpoint EPMaaS Administration Guide | 185

Viewing Computer Information

Note - After changing the threshold, Harmony EndpointAdministrator Portal

re-evaluates to suggest processes that exceeded the new threshold.

To add a suggested exclusion to the exclusion list:

1. In the Suggested Exclusions area, clear the checkboxes if you do not want to exclude
the processes from future scans. By default, all the processes are selected for
exclusion.
2. Click View Selected Exclusions.
3. To add the exclusions to all the rules, select Global Exclusions.
a. Click Create & Review.

b. Click Save.
c. From the top, click Install Policy.
4. To add the exclusions to a specific rule, select Device Exclusions Per Rule.
a. Click Create & Review for the rule.
b. Click OK.
c. Click Save.
d. From the top, click Install policy.

Show Last Diagnostics Report

Shows the latest diagnostics report. By default, Harmony Endpoint runs the diagnostics
every four hours.

Note - This is supported with the Endpoint Security client version E86.80 and higher.

For more information about the diagnostics report, see Run Diagnostics in "Performing
Push Operations" on page 491.

Full Disk Encryption

Preboot User Assignment

You can view, create, lock and unlock authorized Pre-boot users. See Authentication-
before-OS-Loads-Pre-boot.htm.

Harmony Endpoint EPMaaS Administration Guide | 186

Viewing Computer Information

Remote Help and Recovery

Recovery

If the operating system does not start on a client computer due to system failure, you can
recover your data from the computer:
n "Check Point Full Disk Encryption Recovery" on page 445
n "BitLocker Recovery" on page 448
n "FileVault Recovery" on page 449

Media Encryption

You can recover removable media passwords remotely, using a challenge/response

procedure. See "Media Encryption Remote Help" on page 337.

Full Disk Encryption

You can give access to users who are locked out of their Full Disk Encryption protected
computers. See "Giving Remote Help to Full Disk Encryption Users" on page 471.

Viewing Endpoint Posture

After the scan is complete, Harmony Endpoint shows the detected Common Vulnerability and
Exposures (CVE) and its Common Vulnerability Scoring System (CVSS).

For the supported applications for scan and patch management, see sk181034.

Note - End-users can also initiate the scan and view the vulnerable CVEs from the
Endpoint Security client (Compliance and Posture).

To view the posture for endpoints, click Asset Management > Posture Management.
If you see the following screen, make sure to configure the posture assessment settings. See
"Configuring Posture Assessment Settings" on page 385.

Harmony Endpoint EPMaaS Administration Guide | 187

Viewing Computer Information

Vulnerabilities by Severity

The Vulnerabilities by Severity widget shows the total number of vulnerable CVEs by
severity.

Top 5 Risky Apps

The Top 5 Risky Apps widget shows the top five applications with vulnerable CVEs and their
average CVSS score.
For example, if Visual C++ 2008 has different CVEs, then the average CVSS score is 9.3.

Harmony Endpoint EPMaaS Administration Guide | 188

Viewing Computer Information

Top Vulnerable Devices

The Top Vulnerable Devices widget shows the top five vulnerable endpoints (most vulnerable
CVEs detected).
The number to the left of the machine name indicates the total number of CVEs detected in the
machine.
To view vulnerable CVEs in the machine, click the machine name. It shows the details in the
"Vulnerability Assessment Table" on the next page.
There are two three types of View available for risk assessment:
n Vulnerabilities view - Shows all the vulnerable CVEs and their CVSS score detected in
the endpoints. See "Vulnerability Assessment Table" on the next page
n Devices view - Shows devices that have at least one CVE detected.

Patches By Status

The Patches By Status widget shows the total number of patches by the status.
Click the status to filter the "Vulnerability Assessment Table" on the next page by the status.

Harmony Endpoint EPMaaS Administration Guide | 189

Viewing Computer Information

Vulnerability Assessment Table

The Vulnerability Assessment table shows the details about the detected CVE and its CVSS
score.

Item Description

Exports the table information. Supported exports are:

n CSV Files
Export n Vulnerability Report
n Posture Report
For more information on vulnerability and posture reports, see Reports
in the"Viewing Operational Overview, Security Overview and Reports"
on page 123.

Refresh Refresh the table information.

Search Enter the required search options.

Opens the Filters widget. You must specify the filter criteria.

Toggle Filters

Scan All Scans all devices for CVEs. See "Scanning Devices" on page 195.

Scan Now Scans selected devices for CVEs. See "Scanning Devices" on
page 195.

Patch Updates patches to the specified CVEs. See "Applying the Patch for
CVEs" on page 196.

Push Operations Perform any of these Push Operations:

n Isolate Device - See "Isolating a Device" on page 195.
n Release Device - See "Verifying the Applied Patch" on page 197.
n Reboot Device - See "Verifying the Applied Patch" on page 197.

Add Filter Allows you to filter the columns by a specific value.

Vulnerabilities View

Lists CVEs by group.

Group by CVE

Harmony Endpoint EPMaaS Administration Guide | 190

Viewing Computer Information

Item Description

Lists CVEs by application.

Group by
Application

Expands CVEs listed by application.

Expand All

Collapses CVEs listed by application.

Collapse all

CVSS Score CVSS score of the detected CVE.

CVE Number Click the CVE number to view "CVE Details Widget" on page 194 and all
impacted devices:
n Device Name
n OS
n OS Version
n Last Scanned
n Comment - Add a comment. For example, do not patch this
application.

App Name Application name.

App Version Application version number.

Last Detected Date and time the CVE was last detected.

First Detected Date and time the CVE was first detected.

Affected Number of machines with vulnerable CVEs.

Devices

Comments Add a comment. For example, do not patch this device.

Device View

Harmony Endpoint EPMaaS Administration Guide | 191

Viewing Computer Information

Item Description

Device Name Click the device name to view the "Device Details Widget" on page 194
and all CVEs in the device:
n CVSS Score
n CVE Number
n App Name
n App Version
n Last Detected
n First Detected
n Patch Name
n Patch Size
n Patch Status
o Available - Patch is available for the CVE.
o Cancelled - Deployment is cancelled before patch

installation is completed.
o Not Available
o Update not available - Patch updates are not available.

You must manually search, download and apply the

patch.
o In progress
o Downloaded
o Executing
o Checking
o Pending
o Update available - Patch updates are available for the

CVEs.
o Downloading - System is downloading the patch.
o Pending execution - Waiting for other patches in the

bulk to be installed.
o Pending scan - Patch installed successfully. Waiting

for the scan.

o Pending reboot - Patch installed successfully. Waiting

for device reboot.

o End user approval
o Failed
o Timeout - Connection to the Harmony Endpoint

Security Client timed out.

o Download failed
o Replaced
o Not installed

Harmony Endpoint EPMaaS Administration Guide | 192

Viewing Computer Information

Item Description

Updated
o
o Interrupted - The patch installation by Harmony

Endpoint is interrupted by other services, such as

Windows update, that is either installing or installed the
patch.
n Comment

OS Operating System name.

OS Version Operating System version.

Last Scan Shows the status of the latest scan. The supported statuses are:
Status
n Timed Out
n Waiting For Client
n Blade Not Installed
n Starting Scan
n Scan Started
n Succeeded
n Failed
n Not Scanned
n Aborted

Last Scanned Date and time the machine was last scanned.

Number of Number of vulnerabilities detected in the machine.

Vulnerabilities

Number of Apps Number of applications in the machine with vulnerable CVEs.

At Risk

Comments Add a comment. For example, do not patch this device.

Harmony Endpoint EPMaaS Administration Guide | 193

Viewing Computer Information

Device Details Widget

To view the Device Details widget, in the "Vulnerability Assessment Table" on page 190,
under the Device Name column, click a device name.
The Device Details widget shows:
n Operating System name.
n Operating System version.
n Date and time the device was last scanned.
n Number of vulnerabilities detected in the device.
n Number of applications at risk.
n Comment

CVE Details Widget

To view the CVE Details widget, in the "Vulnerability Assessment Table" on page 190, under
the Vulnerabilities view, click a CVE number.
n CVSS score of the device.
n The application with the CVE.
n The version of the application with the CVE.
n Date and time the CVE was last detected.

Harmony Endpoint EPMaaS Administration Guide | 194

Viewing Computer Information

n Date and time the CVE was first detected.

n Patch name available for update.
n Size of the patch available for update.
n Comment

Scanning Devices
You can scan devices for vulnerable CVEs or to verify if the patch has been applied or not.

Note - To start the scan for the first time:

To scan the devices:

1. Go to Asset Management > Posture Management.
2. To scan specific devices:
a. From the View list, select Devices.

b. Select the devices and click .

3. To scan all the devices affected by the CVE:

a. From the View list, select Vulnerabilities.

b. Select the CVE and click .

Mitigating Vulnerable CVEs

You can mitigate vulnerable CVEs by either isolating or applying the patch.

Isolating a Device
You can isolate a device from the network until you patch its vulnerable CVEs.

To isolate devices:
1. Go to Asset Management > Posture Management.
2. To isolate specific devices:

Harmony Endpoint EPMaaS Administration Guide | 195

Viewing Computer Information

a. From the View list, select Devices.

b. Select the devices and click Push Operation > Isolate Device.
3. To isolate all the devices affected by the CVE:
a. From the View list, select Vulnerabilities.
b. Click the vulnerability.
c. Select the devices and click Push Operation > Isolate Device.
Harmony Endpoint initiates the Isolate Device push operation. For more information,
see "Push Operations" on page 190.

Applying the Patch for CVEs

Notes:
n Make sure that the Enable patch updates & reboot enforcement checkbox is
selected for the policy. Otherwise, the patch is not applied to the endpoint. For
more information, see "Configuring Posture Assessment Settings" on page 385.
n A single patch can fix multiple CVEs.

To apply a patch for CVE:

1. Go to Asset Management > Posture Management.
2. To apply patches for specific vulnerabilities:
a. From the View list, select Vulnerabilities.

b. Select the CVEs and click .

The Patch Details window appears.

c. Click Update Patch.

3. To apply the patches for specific device:
a. From the View list, select Devices.
b. Select and click the specific Device Name.
The Device Details window appears.

c. Select the CVEs and click .

The Patch Details window appears.

d. Click Update Patch.

Harmony Endpoint EPMaaS Administration Guide | 196

Viewing Computer Information

Verifying the Applied Patch

1. Scan the device to verify that all CVEs are patched.
2. If all the CVEs are patched and if the device is isolated (To verify, go to Asset
Management > Organization > Computers, from the View list, select Host Isolation,
and then view the Isolation Status column) from the network, then add the device back
to network. To add:
a. Go to Asset Management > Posture Management.
b. From the View list, select Devices.
c. Select the devices and click Push Operations > Release Device.
3. If required, reboot the device. To reboot:

a. Go to Asset Management > Posture Management.

b. From the View list, select Devices.
c. Select the devices and click Push Operations > Reboot Device.

Managing Devices
You can configure custom settings for specified devices or device types. These device settings
are typically used as exceptions to settings defined in Media Encryption & Port Protection
rules.
There are two types of devices:
n Storage Device - Removable media device on which users can save data files.
Examples include: USB storage devices, SD cards, CD/DVD media and external disk
drives.
n Peripheral Device - Devices on which users cannot save data and that cannot be
encrypted.

Click the icon to filter your view.

New devices are added manually or are automatically discovered by the Endpoint Server.
You can view Manually added devices or Discovered devices. In the Device Type column,
you can see if the device is a storage device or a peripheral device.

Harmony Endpoint EPMaaS Administration Guide | 197

6. Assign Groups (relevant for storage devices only):

7. Click Finish.

Managing Storage Device Groups

You can create groups for storage devices. Using device groups facilitates policy management
because you can create exclusion rules for an entire group of devices instead of per one
device each time.
To create a new device group, or click Asset Management > Media Devices > Storage
Device Groups. You can create new groups or edit existing groups.

Note - You cannot delete groups that are in use.

To create a Storage Device Group:

1. Click Asset Management > Media Devices > Storage Device Groups.
2. Click New.

The Create Storage Device Group window appears.

Harmony Endpoint EPMaaS Administration Guide | 205

Viewing Computer Information

3. In the Group Name field, enter a name.

4. (Optional) In the Comments field, enter your comments.
For example, USB storage device.

5. To add devices to the group, click .

6. Select the devices and click OK.

7. To delete the device, select the device and click .

Using Wild Card Characters

You can use wild card characters in the Serial Number field to apply a definition to more than
one physical device. This is possible when the device serial numbers start with the same
characters.
For example: If there are three physical devices with the serial numbers 1234ABC, 1234BCD,
and 1234EFG, enter 1234* as the serial number. The device definition applies to all three
physical devices. If you later attach a new physical device with the serial number 1234XYZ,
this device definition automatically applies the new device.
The valid wild card characters are:
The '*' character represents a string that contains one or more characters.

Harmony Endpoint EPMaaS Administration Guide | 206

Viewing Computer Information

The '?' character represents one character.

Examples:

Serial Number with

Matches Does Not Match
Wildcard

1234* 1234AB, 1234BCD, 12345 1233

1234??? 1234ABC, 1234XYZ, 1234AB, 1234x,

1234567 12345678

Because definitions that use wildcard characters apply to more endpoints than those without
wildcards, rules are enforced in this order of precedence:

1. Rules with serial numbers containing * are enforced first.

2. Rules with serial numbers containing ? are enforced next.
3. Rules that contain no wildcard characters are enforced last.
For example, rules that contain serial numbers as shown here are enforced in this order:
1. 12345*
2. 123456*
3. 123????
4. 123456?

5. 1234567

Viewing Events
Harmony Endpoint allows you to monitor activities related to storage and peripheral devices as
events and if required, change the device details and status. For example, if a device that
should be allowed was blocked and vice versa.

Harmony Endpoint EPMaaS Administration Guide | 207

Viewing Computer Information

Column Description

Event Time Date and time when the device was connected to the endpoint.

Status Whether the device was blocked or allowed.

Device Name Name of the device.

Device Type Type of device.

Category Category of the device.

Serial Number Serial number of the device.

User Name Name of the user.

Computer Name Name of the computer.

To modify the device details and status:

1. Click Asset Management > Media Devices > Events.
2. Right-click the event and select Exclude.

Harmony Endpoint EPMaaS Administration Guide | 208

Viewing Computer Information

The Device Override Settings window opens.

3. Enter these:

Harmony Endpoint EPMaaS Administration Guide | 209

Viewing Computer Information

n Name - Enter a unique device display name, which cannot contain spaces or
special characters (except for the underscore and hyphen characters).
n Applies to – This setting is valid for peripheral devices only.
n Connection Type- Select the connection type Internal, External or Unknown
(required).
n Category - Select a device category from the list.
n Serial Number - Enter the device serial number. You can use wild card characters
in the serial number to apply this device definition to more than one physical
device. See "Using Wild Card Characters" on page 206.
n Extra Information - Configure whether the device shows as fixed disk device (Hard
Drive with Master Boot Record), a removable device (Media without Master Boot
Record) or None.
n Device ID Filter - Enter a filter string that identifies the device category (class).
Devices are included in the category when the first characters in a Device ID match
the filter string. For example, if the filter string is My_USB_Stick, these devices are
members of the device category:
l My_USB_Stick_40GB
l My_USB_Stick_80GB
n Supported Capabilities:
l Log device events - Select this option to create a log entry when this device
connects to an endpoint computer (Event ID 11 or 20 only).
l Allow encryption - Select this option if the device can be encrypted (storage
devices only).

4. Assign Groups (relevant for storage devices only):

a. To assign the device to an existing group, from the existing group list, select a
group.
b. To assign the device to a new group, in the create a new group field, enter the new
group name.
c. If you do not want to add the device to any group, select do not add to group.
5. Configure the required Read Policy and Write Policy (relevant to storage devices only).
For more information on the configuration options, see "Configuring the Read Action" on
page 311 and "Configuring the Write Action" on page 313.
6. Define Behavior (relevant for peripheral devices only):

Harmony Endpoint EPMaaS Administration Guide | 210

Viewing Computer Information

a. From the Rule(s) list, select a rule.

b. From the Access type list, select Accept or Block.
c. From the Log type list, select a log.
d. Add details in the Description field.
7. Click Finish.

Harmony Endpoint EPMaaS Administration Guide | 211

Configuring the Endpoint Policy

The Harmony Endpoint security policy contains these components:
n Threat Prevention - which includes Web & Files Protection, Behavioral Protection and
Analysis & Remediation. The Threat Prevention policy is unified for all the Threat
Prevention components. This is different than the Policy Rule Base in SmartEndpoint,
where each Harmony component has its own set of rules.
n Data Protection - which includes Full Disk Encryption and Media Encryption & Port
Protection.
n Access Policy - Includes Firewall, Application Control, Developer Protection,
Deployment Policy and Client Settings.

When you plan the security policy, think about the security of your network and convenience
for your users. A policy should permit users to work as freely as possible, but also reduce the
threat of attack from malicious third parties.
You can add more rules to each Rule Base and edit rules as necessary. Changes are enforced
after the policy is installed.

Harmony Endpoint EPMaaS Administration Guide | 212

Configuring the Threat Prevention Policy

Note - For Managed Security Service Providers (MSSP), Harmony Endpoint allows
you to create Threat Prevention policy templates and attach them to the child
accounts. For more information, see "Templates for Child Accounts" on page 590.

Unified Policy
Harmony Endpoint introduces the unified policy for the Endpoint components.
The unified policy lets you control all security components in a single policy. The policy is
composed of a set of rules. Each rule in the policy defines the scope which the rule applies to
and the activated components. This is different from the policy Rule Base in SmartEndpoint,
where each component has its own set of rules.
A Default Policy rule which applies to the entire organization is predefined in your Policy
tab.Policy > Threat Prevention > Policy Capabilities.
Each new rule you create, has pre-defined settings, which you can then edit in the right section
of the screen.
The Threat Prevention policy contains these capabilities which you can edit:
n "Web & Files Protection" on page 224
n "Behavioral Protection" on page 245
n "Analysis & Remediation" on page 250
The Threat Prevention policy contains device rules and user rules.
n You can use user objects only in the user policy, and you can use device objects only in
the device policy.
n There is no default rule for the user policy.
n User rules override device rules.
n You can use the same group in user and device rules at the same time.
n If a group contains both users and devices, the rule is implemented according to the
policy in which the rule is included.
To enable user policy, go to the Endpoint Settings view > Policy Operation Mode, and select
Mixed mode.

Harmony Endpoint EPMaaS Administration Guide | 213

Configuring the Threat Prevention Policy

Parts of the Policy Rule Base

Column Description

Rule Number The sequence of the rules is important because the first rule that matches
traffic according to the protected scope is applied.

Rule Name Give the rule a descriptive name.

Applied to The protected scope, to which the rule applies.

Mode The policy mode applicable to the rule.

Web & Files The configurations that apply to Download Protection, Credential
Protection Protection and Files Protection.

Behavioral The configurations apply to Anti-Bot, Anti-Ransomware and Anti-Exploit

Protection protections.

Analysis & The configurations that apply to attack analysis and Remediation.
Response

Client Version number of the Initial Client that you downloaded.

Version

Threat Prevention Policy Toolbar

To do this Click this

Clone, copy, paste, and delete rules

Save, view, and discard changes

Note - The View Changes
functionality shows the policy
type that was changed and the
date of the change.

Policy Mode
Policy mode allows you to:

Harmony Endpoint EPMaaS Administration Guide | 214

Configuring the Threat Prevention Policy

n Quickly configure a Threat Prevention policy by selecting a predefined policy mode

(Detect only, Tuning and Optimized). Check Point automatically sets the appropriate
operation mode (Detect, Prevent, Off) and Advanced Settings options for each
capability.
n Manually set the operation mode (Detect, Prevent, Off) and Advanced Settings options
for each capability (Custom).

Notes:
n The Detect only mode provides the basic protection. We recommend that you
use the Detect only policy mode for the first few days to gather, monitor and
analyze the data. Based on the analysis, you must switch to Tuning, Optimized
or configure a Custom policy mode for enhanced protection. If you use the
Detect only policy mode for the Default settings for the entire organization
rule (default) for more than two days, the system shows a banner as a reminder
to configure a stricter policy mode.

If you click Dismiss, the system stops the notification only for you while it
continues to appears for other users.

n If you modify a predefined policy mode, it automatically changes to Custom.

To select a mode for a policy:

1. Go to Policy > Threat Prevention > Policy Capabilities.
2. Select the policy in the table.
3. In the Capabilities and Exclusion pane, from the Policy Mode list:

Harmony Endpoint EPMaaS Administration Guide | 215

Configuring the Threat Prevention Policy

n Select a predefined mode:

o Detect only
o Tuning
o Optimized
The table shows the appropriate operation mode set for each capability for a policy
mode.
Web & File Protection

Policy Mode
Capability
Tuning Detect only Optimized

URL Filtering Detect Detect Prevent

Download Detect Detect Prevent

Protection

Zero Phishing Detect Detect Prevent

Password Detect Detect Prevent

Reuse

Search Off Off On

Reputation

Force Off Off On

Safe
Search

Anti-Malware Prevent Detect Detect

Mode

Files Threat Prevent Off Prevent

Emulation
Mode

Advanced
Capabilities

Advanced Settings

Harmony Endpoint EPMaaS Administration Guide | 216

Configuring the Threat Prevention Policy

Policy Mode
Capability
Tuning Detect only Optimized

URL Filtering Allow user to dismiss the URL Allow user to dismiss
Filtering alert and access the the URL Filtering alert
website is disabled. and access the
Under Categories, Service is website is selected.
selected. Under Categories,
Under Malicious Script Protection: Service is selected.
o Block websites where Under Malicious Script
Malicious Scripts are found Protection:
embedded in the HTML is o Block websites

selected. where Malicious

o Allow user to dismiss the Scripts are
Malicious Scripts alert and found embedded
access the website is in the HTML is
disabled. selected.
o Allow user to

dismiss the
Malicious
Scripts alert and
access the
website is
selected.

Harmony Endpoint EPMaaS Administration Guide | 217

Configuring the Threat Prevention Policy

Policy Mode
Capability
Tuning Detect only Optimized

Download Under Supported files, Emulate Under Supported files:

Protection original file without suspending o Get extracted

access is selected. copy before

Under Unsupported files, Allow emulation
Download is selected. completes is
Under Emulation Environments: selected.
o Upload and emulate files o Extract potential

under 50 MB is selected. malicious

o Use Check Point elements is
recommended emulation selected.
environments is selected. Under Unsupported
files, Allow Download
is selected.
Under Emulation
Environments:
o Upload and

emulate files
under 50 MB is
selected.
o Use Check Point

recommended
emulation
environments is
selected.

Credential Under Zero Protection, Allow user Under Zero

Protection to dismiss the phishing alert and Protection, Allow user
access the website is disabled. to dismiss the
Under Password Reuse, Allow phishing alert and
users to dismiss the password access the website is
reuse alert and access the website selected.
is disabled. Under Password
Reuse, Allow users to
dismiss the password
reuse alert and
access the website is
selected.

Harmony Endpoint EPMaaS Administration Guide | 218

Configuring the Threat Prevention Policy

Policy Mode
Capability
Tuning Detect only Optimized

Files Under Malware Treatment, Quarantine file if cure failed is

Protection - selected.
General Under Riskware Treatment, Treat as malware is selected.
Under Threat Cloud Knowledge Sharing, Allow sending
infection info and statistics to Check Point servers for
analysis is selected.
Under Scan on Access:
o Enable reputation service for files, web resources and

processes is selected.
o Connection timeout 600 ms.

Files Under Frequency: Under Under Frequency:

Protection -
o Update Frequency: o Update

Signature signatures o Update signatures every

every 10 signatures 2 hours.
hours. every 11 o Signature update
o Signature hours. will fail after every
update will o Signature 60 seconds
fail after update will without server
every 60 fail after response.
seconds every 60
without seconds
server without
response. server
response.
Under Signature Sources:
o First Priority: External CheckPoint Signature Server.
o Second Priority: N/A
o Third Priority: N/A

Harmony Endpoint EPMaaS Administration Guide | 219

Configuring the Threat Prevention Policy

Policy Mode
Capability
Tuning Detect only Optimized

Files Run initial scan after Anti-Malware Run initial scan after
Protection - blades installation is selected. Anti-Malware blades
Scan Allow user to cancel scan is installation is selected.
selected. Under Scan targets:
Prohibit cancel scan if more than o Critical areas is

30 Days passed since last selected.

successful scan is selected. o Local drives is

Under Scan targets: selected.

o Critical areas is selected. o Mail messages
o Local drives is selected. is selected.
o Mail messages is selected. Under Scan Target
Under Scan Target Exclusions: Exclusions:
o Skip archives and non o Skip archives

executables is selected. and non

o Do not scan files larger than executables is
20 MB is selected. selected.
o Do not scan files

larger than 20
MB is selected.

Advanced
Capabilities

Behavioral Protection

Policy Mode
Capability
Tuning Detect only Optimized

Anti Bot Prevent Detect Detect

Behavioral Off Detect Prevent

Guard & Anti
Ransomware

Anti Exploit Off Detect Prevent

Advanced Settings

Harmony Endpoint EPMaaS Administration Guide | 220

Configuring the Threat Prevention Policy

Policy Mode
Capability
Tuning Detect only Optimized

Anti Bot Under Background Protection Mode, Background -

connections are allowed until threat check is complete is
selected.
Hours to suppress logs for same bot protection is set to 1.
Days to remove bot reporting after is set to 3.
Under Confidence Level:
o High Confidence is set to Detect.
o Medium Confidence is set to Detect.
o Low Confidence is set to Detect.

Behavioral Anti-Ransomware Anti-Ransomware Maximum

Guard & Anti Maximum backup size on backup size on disk is set to
Ransomware disk is disabled. 1025 MB.
Backup Time Interval is Backup Time Interval is set
disabled. to 60 Minutes.
Under Disk Usage, Under Disk Usage, Maximum
Maximum Forensics Forensics Database size on
Database size on disk is disk is set to 1 GB.
disabled.

Analysis & Remediation

Policy Mode
Capability
Detect
Tuning Optimized
only

Protection Mode Always Always Always

Enable Threat Hunting On On On

Behavioral Guard & Anti
Ransomware

Remediation & Response Never Never Medium & High

Advanced Settings

Harmony Endpoint EPMaaS Administration Guide | 221

Configuring the Threat Prevention Policy

Policy Mode
Capability
Detect
Tuning Optimized
only

File Quarantine Under File Quarantine: Under File

o File Quarantine is Quarantine:
set to Never. o File
o Allow users to Quarantine is
delete items from set to Medium
quarantine is & High.
disabled. o Choose
o Allow users to location is
restore items from disabled.
quarantine is o Enter the

disabled. location of the

o Copy quarantine Quarantine
files to central folder name.
location is
disabled.
o Choose location is

disabled.
o Quarantine folder

name is disabled.

File Remediation Under File Remediation: Under File

o Malicious Files is Remediation:
set to Quarantine. o Malicious Files
o Suspicious Files is is set to
set to Quarantine. Quarantine.
o Unknown Files is o Suspicious

set to Quarantine. Files is set to

o Trusted Files is set Quarantine.
to Ignore. o Unknown Files

is set to
Quarantine.
o Trusted Files is

set to
Terminate.

n Select Custom and set the operation mode manually. For more information, see
"Web & Files Protection" on page 224.
4. Click Save.
5. Click Save & Install.

Harmony Endpoint EPMaaS Administration Guide | 222

Configuring the Threat Prevention Policy

Updating a Predefined Policy Mode

Based on internal analysis and research, Check Point may suitably modify the operation mode
or Advanced Settings of a predefined policy mode. If a predefined mode is updated, a
notification appears.

n Click Align to accept the updates. The system automatically updates to the new settings
for the predefined mode.
n Click Keep to retain the current settings. The policy mode changes to Custom.

Harmony Endpoint EPMaaS Administration Guide | 223

Web & Files Protection

This category includes URL Filtering, Download (web) Emulation & Extraction, Credential
Protection, Safe Search and Files Protection.

URL Filtering
URL Filtering rules define which sites you can access in your organization. The URL Filtering
policy is composed of the selected sites and the mode of operation applied to them.

Note: URL Filtering is not supported with SmartEndpoint.

To create the URL Filtering policy:

1. Go to Policy > Threat Prevention > Policy Capabilities. In the Capabilities &
Exclusions pane, select Web & Files Protection.
2. In the Web & Files Protection tab, scroll-down to URL Filtering.
3. Select the URL Filtering Mode of operation:
n Prevent - Currently supported only in Hold mode. The request to enter a site is
suspended until a verdict regarding the site is received.
n Detect - Allows access if a site is determined as malicious, but logs the traffic.
n Off - URL Filtering is disabled.

4. Select the categories to which the URL Filtering policy applies:

a. Go to Web & Files Protection > Advanced Settings > URL Filtering > Categories.

b. Select the required categories:

Note - For each category, click Edit to see the sub-categories you can select.

c. Click OK.
5. Optional: You can select specific URLs to which access is denied. See "Blacklisting" on
the next page.
6. If you want Harmony Endpoint to verify and filter all the URLs accessed by an application
or a process, select the Enable Network URL Filtering checkbox. Otherwise, URL
filtering is applied only to the URLs accessed through a browser.
The selected mode of operation now applies to the selected categories.
The user can access any site which was not selected in one of the categories or which was not
blacklisted.

Harmony Endpoint EPMaaS Administration Guide | 224

Web & Files Protection

You can Allow user to dismiss the URL Filtering alert and access the website - This option
is selected by default. This lets you access a site determined as malicious, if you think that the
verdict is wrong. To do this, go to Advanced Settings > URL Filtering.

Blacklisting

You can define specific URLs or domains as blacklisted. These URLs/domains will be blocked
automatically, while other traffic will be inspected by the URL Filtering rules. You can add the
URLs/domain names manually or upload a CSV file with the URLs/domain names you want to
include in the blacklist.

To add a URL to the blacklist:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. In the URLs pane, for each required URL, enter the URL and click the + sign
3. click OK.

Notes:
You can use * and ? as wildcards for blacklisting.
n * is supported with any string. For example: A* can be ADomain or AB or
AAAA.
n ? is supported with another character. For example, A? can be AA or AB
or Ab.

To search for a URL:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. In the search box, enter the required URL.

The search results appear in the URLs pane.

You can edit or delete the URL.

To import URLs from an external source:

1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. Next to the search box, click the sign (import domains list from a 'csv' file).

3. Find the required file and click Open.

4. Click OK.

Harmony Endpoint EPMaaS Administration Guide | 225

Web & Files Protection

To export a list of URLs to from the Endpoint Security Management Server to an external
source:
1. Go to Advanced Settings > URL Filtering > Blacklist > Edit.

2. Next to the search box, click the sign (export domains list to a 'csv' file).

3. Click OK.

Download (Web) Emulation & Extraction

Harmony Endpoint browser protects against malicious files that you download to your device.
For the browsers supported with the Harmony Endpoint Browser extension, see Harmony
Browse Administration Guide.

Threat Emulation detects zero-day and unknown attacks. Files on the endpoint computer are
sent to a sandbox for emulation to detect evasive zero-day attacks. The following files types
are supported:

Harmony Endpoint EPMaaS Administration Guide | 226

Web & Files Protection

Threat Emulation Supported File Types

7z lnk slk

aspx3 msi1 swf

app1 msg1 tar

arj O1 tbz2

tbz
bat one2

bz2 tb2
pif
CAB tgz
pdf
csv udf
pkg1
com uue
ppt
cpl wim
pptx
dll wsf2
pps
doc xar2
pptm
docx xlt
potx
dot xls
potm
dotx xlsx
ppam
dotm xlm
ppsx
docm xltx
ppsm
dmg1 xlsm
ps1
dylib1 qcow21
xltm

exe xlsb
rar
gz xla
rtf
hwp xlam
sh1
iso xll
scr

Harmony Endpoint EPMaaS Administration Guide | 227

Web & Files Protection

Threat Emulation Supported File Types

img1 sldx xlw

iqy sldm xz

jar zip

Notes:
n 1 These file types are supported only with Harmony Endpoint Security Client version
E87.40 and higher.
n 2 These file types are supported only with Harmony Endpoint Security Client version
E87.60 and higher.
n 3 These file types are supported only with Harmony Endpoint Security Client version
E88.10 and higher.

Threat Extraction proactively protects users from malicious content. It quickly delivers safe
files while the original files are inspected for potential threats.
To see the list of file types which are supported by Threat Emulation and Threat Extraction:
1. Go to Policy > Threat Prevention > Policy Capabilities. In the Capabilities &
Exclusions pane, select Web & Files Protection.
2. In the Web & Files Protection tab, go to Advanced Settings > Threat Emulation >
Override Default File Actions > Edit.
These are the configuration options for supported file types:
n Prevent - Send files for emulation and extraction. For further configuration for
supported files, go to Advanced Settings > Supported Files:
l Get extracted copy before emulation completes - You can select one of
these two options. The system appends .cleaned to the file name. For
example, xxx.cleaned.
o Extract potential malicious elements - The file is sent in its original file
type but without malicious elements. Select which malicious parts to
extract. For example, macros, Java scripts and so on.
o Convert to PDF - Converts the file to PDF, and keeps text and
formatting.

Best Practice - If you use PDFs in right-to-left languages or

Asian fonts, preferably select Extract files from potential
malicious parts to make sure that these files are processed
correctly.

Harmony Endpoint EPMaaS Administration Guide | 228

Web & Files Protection

l Suspend download until emulation completes - The user waits for Threat
Emulation to complete. If the file is benign, the gateway sends the original file
to the user. If the file is malicious, the gateway presents a Block page and the
user does not get access to the file. This option gives you more security, but
may cause time delays in downloading files. The system downloads the file
with the original file name.
l Emulate original file without suspending access - The gateway sends the
original file to the user (even if it turns out eventually that the file is malicious).
l Allow - All supported files are allowed without emulation. This setting
overrides the Prevent setting selected in the main page.
n Detect - Emulates original file without suspending access to the file and logs the
incident. The file is blocked if it is malicious or blocked by file extension (Advanced
Settings > Download Protection). If not, the file is downloaded before the emulation is
complete.
n Off - Allow file. No emulation or extraction is done. The download of all supported files is
allowed.

Unsupported Files

File types which are not supported by Threat Emulation and Threat Extraction. Unsupported
files types can be allowed or blocked. To configure, go to Advanced Settings > Download
Protection > Unsupported Files. The settings selected here override the settings selected in
the main page.

Additional Emulation Settings:

Emulation Environments

To define the maximum size of files that are sent for emulation, go to Advanced Settings >
Download Protection > Emulation Environments and specify the file size for Upload and
emulate files under.

Notes -
n Only the Endpoint Security Client version E86.40 and higher support a
maximum file size up to 100 MB. Client versions lower than E86.40
support a maximum file size up to 15 MB.
n Increasing the file size increases the client processing and network
traffic required to process large files.

To select the operating system images on which the emulation is run, go to Advanced
Settings > Download Protection > Emulation Environments, and select one of these options:

Harmony Endpoint EPMaaS Administration Guide | 229

Web & Files Protection

n Use Check Point recommended emulation environments

n Use the following emulation environments - Select other images for emulation, that are
closest to the operating systems for the computers in your organization. This is
supported only if configured from the SmartConsole. For more information, see
"Managing Endpoint Components in SmartEndpoint Management Console" on
page 145.

Override Default Files Actions

Harmony Endpoint allows you to override the default file action for the supported and
unsupported files.
To override the default file actions, navigate to Advanced Settings > Download Protection >
Override default file actions (download).

To override the file action for supported files:

1. In the Supported Files section, click Edit.
2. Select the File action and Extraction Mode.
3. Click OK.

To override the file action for unsupported files:

1. In the Unsupported Files section, click Edit.

a. To add a file type, click and enter the File type.

b. To edit a file type, select the file type and click .

c. To delete a file type, select the file type and click .

2. Select the Download action for the file:

n Default - The action specified in "Unsupported Files" on the previous page.
n Allow
n Block
3. (Optional) In the Comments field, enter a comment.
4. Click OK.

Harmony Endpoint EPMaaS Administration Guide | 230

Web & Files Protection

Custom Settings

Download Emulation and Extraction

n Block downloads when emulation fails due to size limit or connectivity problem -
Select the checkbox to block download of a file if the Threat Emulation of the file fails due
to technical reasons, such as file size limit, no internet connectivity and invalid licenses.
n Block downloads when emulation fails due to file encryption - Select the checkbox to
block download of a file if the Threat Emulation of the file fails to extract the file due to the
file encryption.

Credential Protection
To configure the credential protection policy:

Zero Phishing

Phishing prevention checks different characteristics of a website to make sure that a site does
not pretend to be a different site and use personal information maliciously.
There are three configuration options for this protection:
n Prevent - If the site is determined to be a phishing site, users cannot access the site. A
log is created for each malicious site.
n Detect - When a user uses a malicious site, a log is created.
n Off - Phishing prevention is disabled.
For further configuration of the Zero Phishing protection, go to Advanced Settings >
Credential Protection:
n Allow user to dismiss the phishing alert and access the website - Users can select to
use a site that was found to be malicious.
n Send log on each scanned site - Send logs for each site that users visit, whether
malicious or not.
n Allow user to abort phishing scans - Users can stop the phishing scan before it is
completed.

Harmony Endpoint EPMaaS Administration Guide | 231

Web & Files Protection

n Scan local HTML files - By default, the Harmony Endpoint extension in Chromium-
based browsers (Chrome, Microsoft Edge, and Brave) cannot access the local HTML
files opened by the browser to scan them for phishing attacks. This setting prompts users
to grant permission to Chromium-based browsers to access and scan local HTML files
on your PC.

Notes:
l You can customize the prompt page. For more information, see"Customized

Browser Block Pages" on page 391.

l This feature is not supported with Safari and Internet Explorer browser

extensions.
l This feature is supported with the Endpoint Security Client version E86.50 and

higher.

To grant permission to access and scan the local HTML files:

1. When a user opens a local HTML file, the Harmony Browse request access to file
URLs prompt appears. Click Click to copy.
2. Paste the copied path in the address bar of the Chrome browser and press Enter.
3. Scroll down and turn on Allow access to file URLs.
4. If the HTML file has an input field, Harmony Browse scans the file and blocks it, if
identified as phishing.
n Disable notifications - Allows you to disable the browser zero-phishing scan notification
that appears when users try to enter in an input field.

Note - Only the notification is disabled but the browser zero-phishing scan is
performed in the background indicated by the yellow highlight around the input
field.

Password Reuse Protection

Alerts users not to use their corporate password in non-corporate domains.

To set the Password Reuse mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.
2. Select the rule.
3. In the Capabilities & Exclusions pane, select Web & Files Protection.
4. In the Web & Files Protection tab, scroll-down to Credential Protection.
5. In the Credential Protection section, under Password Reuse, select a mode:

Harmony Endpoint EPMaaS Administration Guide | 232

Web & Files Protection

n Prevent mode - Blocks the user from entering the corporate password and opens
the blocking page in a new tab. If you enable Allow users to dismiss the password
reuse alert and access the website, then it allows the user to dismiss the blocking
page and continue to enter the corporate password.
n Detect & Alert - Blocks the user from entering the corporate password and opens
the blocking page in a new tab and allows the user to dismiss the blocking page
and continue to enter the corporate password.

Notes:
l This option is available only in older releases of Harmony Endpoint.

In the newer releases, it is deprecated by Prevent mode.

l If you enable this option, then Harmony Endpoint automatically

disables Allow users to dismiss the password reuse alert and

access the website.
n Detect mode - The system does not block the user from entering the corporate
password. If a user enters the corporate password, it is captured in the Harmony
Browse logs.
n Off - Turns off password reuse protection.
6. For Advanced Settings, see "Credential Protection" on page 231.
For further configuration options for password reuse protection, go to Advanced Settings >
Credential Protection > Password Reuse Protection > Edit > Protected Domains:
Add domains for which Password Reuse Protection is enforced.Harmony Endpoint keeps a
cryptographic secure hash of the passwords used in these domains and compares them to
passwords entered outside of the protected domains.

Safe Search
Search Reputation

Search Reputation is a feature added to search engines that classifies search results based on
URL's reputation.

Notes:
n It is supported only with Google, Bing, and Yahoo search engines.
n To enable this feature, ensure that you set URL Filtering Mode to either
Prevent or Detect.

To set the Search Reputation mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.
2. Select the rule.
3. In the Capabilities & Exclusions pane, select Web & Files Protection.

Harmony Endpoint EPMaaS Administration Guide | 233

Web & Files Protection

4. In the Web & Files Protection tab, scroll-down to Search Reputation section and select
a mode:
n On - Turns on the feature.
n Off -Turns off the feature.
When you enable this feature, the icon across the URL in the search results indicate the
classification:

Icon Classification

The website is safe.

Example:

The website is not safe.

Example:

The website is blocked by the Administrator.

Example:

Note - If the Search Reputation cannot classify a URL, then it does not display an icon
across the URL. If you want such URLs to be classified and blocked, then enable the
Uncategorized checkbox in URL Filtering > Categories > General Use. The Search
Reputation classifies Uncategorized URLs as The website is blocked by the
Administrator.

Force Safe Search

Force Safe Search is a feature in search engines that acts as an automated filter for potentially
offensive and inappropriate content.

To set the Force Search Reputation mode:

1. Go to Policy > Threat Prevention > Policy Capabilities.
2. Select the rule.

Harmony Endpoint EPMaaS Administration Guide | 234

Web & Files Protection

3. In the Web & Files Protection tab, under Force Safe Search, select a mode:
n On - Hides explicit content from the search results.
n Off - User sees the most relevant results for their search, which may include
explicit content like images consisting of violence.
Main features:
n When ‘Force Safe Search’ is on, Harmony Browse turns on Safe Search on the
supported search engines.
n It is supported with Google, Bing, and Yahoo search engines.
n Force Safe Search is off by default.
n Force Safe Search is supported with Google Chrome, and Microsoft Edge browsers.

Files Protection
Protects the files on the file system. To configure the Files Protection policy:
1. Go to Policy > Threat Prevention > Policy Capabilities. In the Capabilities &
Exclusions pane, select Web & Files Protection.
2. In the Web & Files Protection tab, scroll-down to Files Protection.
This protection has two components:
n Anti-Malware Mode - Protection of your network from all kinds of malware threats,
ranging from worms and Trojans to adware and keystroke loggers. Use Anti-Malware to
manage the detection and treatment of malware on your endpoint computers.
There are three configuration options for this protection:
l Prevent - Protects your files from malware threats.
l Detect - Detects the threats, so they appear in the logs, although the virus or
malware are still executable. Use this mode with caution.
l Off - No protection from malware.

Harmony Endpoint EPMaaS Administration Guide | 235

Web & Files Protection

Notes -
l Starting from the Endpoint Security Client E83.20, Check Point certified

the E2 client version (the Anti-Malware engine is DHS compliant) for

Cloud deployments.
l The E1 Anti-Malware blade can scan these archive file formats:

o ZIP
o Z
o LZIP
o 7Z
o RAR
o ISO
o CAB
o JAR
o BZIP2
o GZIP
o DMG
o XAR
o TAR
o ACE

l The E2 DHS Anti-Malware blade can scan these archive file formats:

o ZIP
o Z
o 7Z
o RAR
o ISO
o CAB
o JAR
o BZIP2
o GZIP
o DMG
o XAR
o TAR
o ACE

n Files Threat Emulation Mode - Emulation of files on the system.

There are three configuration options for this protection:
l Prevent - Detects a malicious file, logs the event and deletes the file.
l Detect - Detects a malicious file and logs the event.
l Off - Files Threat Emulation mode is off. Does not run the Threat Emulation on the
file.
This is supported with Endpoint Security client version E86.80 and higher.

Harmony Endpoint EPMaaS Administration Guide | 236

Web & Files Protection

n Advanced Capabilities - You can set an action for each of these capabilities separately:

Note - This is supported only with the Harmony Endpoint Security client version
E88.30 and higher.

Advanced
Description
Capability

ThreatCloud Verifies the reputation of files based on their hash in Check Point
Reputation Cloud-Based Database. This feature is supported from E88.50 and
later.

Offline Verifies file reputation by hash using local data. When connected to
Reputation the network, the data gets updated with ThreatCloud's common
hashes for offline verification.

Office Files Performs static analysis¹ on Microsoft Office files.

Executables Performs static analysis¹ on executable files.

Files

DDL Files Performs static analysis¹ on DLL files.

¹Analyzes files without executing them against data models to identify potentially
malicious files.
The supported actions are:
l Prevent - Detects a malicious file, logs the event and quarantines the file.
l Detect - Detects a malicious file and logs the event.
l Off - No protection from malicious file.

For more information, see "Advanced Capabilities" on page 243.

To enable Advanced Capabilities:

1. Go to Policy > Threat Prevention > Policy Capabilities.
2. Select a rule.

Harmony Endpoint EPMaaS Administration Guide | 237

Web & Files Protection

3. In the Web & Files Protection tab, in the Advanced Capabilities list, select On.

Note - To view the set action for each capability, click See status.

Advanced Settings
To configure the advanced settings of the threat prevention policy:
1. Go to Policy > Threat Prevention > Policy Capabilities. In the Capabilities &
Exclusions pane, select Web & Files Protection.
2. In the Web & Files Protection tab, click Advanced Settings.
3. Use the following sections to modify the respective settings.

Files Protection

To configure the advanced settings for files protection, go to Advanced Settings > Files
Protections.

General

n Malware Treatment - The malware treatment options let you select what happens to
malware that is detected on a client computer:
l Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is
deleted and put in a secure location from where it can be restored if necessary.
l Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.
n Riskware Treatment - Riskware is a legal software that might be dangerous.

Harmony Endpoint EPMaaS Administration Guide | 238

Web & Files Protection

l Treat as malware - Use the option selected for Malware.

l Skip file - Do not treat riskware files.
l Detect unusual activity - Use behavior detection methods to protect computers
from new threats whose information were not added to the databases yet. It does
not monitor trusted processes.
l Enable reputation service for files, web resources & processes - Use cloud
technologies to improve precision of scanning and monitoring functions. If you
enable or disable this setting, it takes affect after the client computer restarts.
Connection timeout - Change the maximum time to get a response from
Reputation Services (in milliseconds). Default is 600.

Note - If you decrease this value, it can improve the performance of the Anti-
Malware component but reduces security, as clients might not get a reputation
status that shows an item to be zero-day malware.
l Enable web protection - Prevents access to suspicious sites and execution of
malicious scripts Scans files, and packed executables transferred over HTTP, and
alerts users if malicious content is.found.
n Threat Cloud Knowledge Sharing - To share infected information, statistics and
infected file samples with Check Point for analysis, select any of these:
l Allow sending infection info and statistics to Check Point servers for analysis
l Allow sending infected file samples to Check Point servers for analysis

Note - This is supported only with a DHS compliant Harmony Endpoint Security
client.
n Mail Protection - Enable or disable scans of email messages when they are passed as
files across the file system.

Signature

n Frequency
Anti-Malware gets malware signature updates at regular intervals to make sure that it
can scan for the newest threats. These actions define the frequency of the signature
updates and the source:
l Update signatures every [x] hours - Signature updates occur every [x] hours from
the Endpoint Policy Server and the External Check Point Signature Server.
l Signature update will fail after [x] seconds without server response - The
connection timeout, after which the update source is considered unavailable.

Harmony Endpoint EPMaaS Administration Guide | 239

Web & Files Protection

n Signature Sources
l External Check point Signature Server - Get updates from a dedicated, external
Check Point server through the internet.
l Other External Source - Get updates from an external source through the internet.
Enter the URL.
n Shared signature source - Get updates from a shared location on an Endpoint Security
client that acts as a Shared Signature Server. This solution is curated for Virtual Desktop
Infrastructure (VDI) environments, but can be leveraged for other scenarios as well. This
makes it possible to protect non-persistent virtual desktops in Virtual Desktop
Infrastructure (VDI) environments. Each non-persistent virtual desktop runs an Endpoint
Security, and gets Anti-Malware and Threat Prevention signatures from a shared folder
on the Shared Signature Server that is a persistent virtual machine.
l Second Priority - Set a fallback update source to use if the selected update source
fails. Select a different option than the first signature source.
l Third Priority - Set a fallback update source to use if the other sources fail.

Note - If only update from local Endpoint Servers is selected, clients that are
disconnected from an Endpoint Security server cannot get updates.
n Shared Signature Server - To set the server as a Shared Signature Server, select the
Set as shared signature server checkbox and enter the local path of the folder. For
example, C:\Signatures. For more information, see "Shared Signatures Server" on
page 540.

Scan

Anti-Malware scans computers for malware at regular intervals to make sure that suspicious
files are treated, quarantined, or deleted.
n Perform Periodic Scan - Select one of these options to define the frequency of the
scans:
l Every Month- Select the day of the month on which the scan takes place and the
Scan start hour.
l Every Week - Select the day of the week on which the scan takes place and the
Scan start hour.
l Every Day - Select the scan start hour.

Harmony Endpoint EPMaaS Administration Guide | 240

Web & Files Protection

l Scan on Idle - Specify the idle time duration for the endpoint. The Harmony
Endpoint Security client initiates the initial or periodic Anti-Malware scan only when
the endpoint remains idle for the specified duration. If the device is not idle, the
scan is postponed for 24 hours. After this 24-hour period, the Harmony Endpoint
Security client initiates the initial or periodic Anti-Malware scan, irrespective of
whether the device is idle or in use.

Note - Scan on Idle is not supported with the DHS compliant Anti-Malware blade.

Optional :
l Randomize scan time - Mandatory for Virtual Desktop Infrastructure (VDI). Select
this option to make sure that not all computers do a scan for malware at the same
time. This makes sure that network performance is not affected by many
simultaneous scans. In Start scan and End scan, specify the time range during
which the scan can start and end.
l Run initial scan after the Anti-Malware blades installation.
l Allow user to cancel scan.
l Prohibit cancel scan if more than X Days passed since last successful scan.
n Scan Targets - Select the target for the Anti-Malware scan:
l Critical areas
l Optical drives
l Local drives
l Mail messages
l Removable drives
l Unrecognized devices
l Network devices

Notes:
n Mail messages is not supported with the DHS compliant Anti-Malware blade

in macOS.
n Critical areas is supported with the DHS compliant Anti-Malware blade from

E88.00 and higher.

n Scan Target Exclusions - Select the checkboxes to skip scanning of certain files.

Harmony Endpoint EPMaaS Administration Guide | 241

Web & Files Protection

l Skip archives and non executables - Skips scanning of archive file formats (for
example, .zip, 7zip, tar.gz, rar, and so on) and non-executable files (files without
the execute permission).

Note - Skip archives and non executables are not supported with the DHS
compliant Anti-Malware blade.
l Do not scan files larger than - Specify the file size limit. If the file size is larger than
the specified limit, then the system skips scanning the file. The default file size limit
is 20 MB.

Note - The maximum supported file size for the Anti-Malware scan depends
on the endpoint's system specifications, such as CPU, RAM and so on.

Threat Emulation

You can define the default file action for threat emulation.

To override the default file actions:

1. In the Override Default Files Actions section, click Edit.

2. From the File action list, select an action.

Harmony Endpoint EPMaaS Administration Guide | 242

Web & Files Protection

3. Click OK.

Advanced Capabilities

In the Advanced Capabilities window, select an action for these capabilities:

n ThreatCloud Reputation
n Offline Reputation
n Static Analysis:
l Office Files
l Executables Files
l DDL Files

Harmony Endpoint EPMaaS Administration Guide | 243

Web & Files Protection

Browser Settings

Starting from the Harmony Endpoint Security client E87.10, the extension is pinned to the
browser by default for users.

Note - You can unpin the extension only on Chromium browsers, such as Chrome,
Edge and Brave. You cannot unpin an extension in Firefox.

To allow users to unpin the browser extension, clear Always pin the browser extension to the
tool bar under Pin Extension.

Harmony Endpoint EPMaaS Administration Guide | 244

Behavioral Protection

Behavioral Protection
Behavioral protection includes Anti-Bot, Behavioral Guard and Anti-Ransomware protections.

The Anti-Bot Component

There are two emerging trends in today's threat landscape:
n A profit-driven cybercrime industry that uses different tools to meet its goals. This
industry includes cyber-criminals, malware operators, tool providers, coders, and affiliate
programs. Their "products" can be easily ordered online from numerous sites (for
example, do-it-yourself malware kits, spam sending, data theft, and denial of service
attacks) and organizations are finding it difficult to fight off these attacks.
n Ideological and state driven attacks that target people or organizations to promote a
political cause or carry out a cyber-warfare campaign.
Both trends are driven by bot attacks.
A bot is malicious software that can invade your computer. There are many infection methods.
These include opening attachments that exploit a vulnerability and accessing a website that
results in a malicious download.
When a bot infects a computer, it:
n Takes control over the computer and neutralizes its Anti-Virus defenses. Bots are difficult
to detect because they hide within your computer and change the way they appear to the
Anti-Virus software.
n Connects to a Command and Control (C&C) center for instructions from cyber criminals.
The cyber criminals, or bot herders, can remotely control it and instruct it to execute
illegal activities without your knowledge. These activities include:
l Data theft (personal, financial, intellectual property, organizational)
l Sending SPAM
l Attacking resources (Denial of Service Attacks)
l Bandwidth consumption that affects productivity
In many cases, a single bot can create multiple threats. Bots are often used as tools in attacks
known as Advanced Persistent Threats (APTs) where cyber criminals pinpoint individuals or
organizations for attack. A botnet is a collection of compromised computers.
The Check Point Endpoint Anti-Bot component detects and prevents these bot threats
The Anti-Bot component:
n Uses the ThreatCloud repository to receive updates, and queries the repository for
classification of unidentified IP, URL, and DNS resources.

Harmony Endpoint EPMaaS Administration Guide | 245

Behavioral Protection

n Prevents damage by blocking bot communication to C&C sites and makes sure that no
sensitive information is stolen or sent out of the organization.
The Endpoint Anti-Bot component uses these procedures to identify bot infected computers:
n Identify the C&C addresses used by criminals to control bots
n These web sites are constantly changing and new sites are added on an hourly basis.
Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge
to know which sites are legitimate and which are not.
The ThreatCloud repository contains more than 250 million addresses that were analyzed for
bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect
engine uses this information to classify bots and viruses.

Configuring Anti-Bot

There are three configuration options for the Anti-Bot protection:

n Prevent - Blocks bots.
n Detect - Logs information about bots, but does not block them.
n Off - Ignores bots (does not prevent or detect them)

Advanced Anti-Bot Settings:

n Background Protection Mode:

l Background - This is the default mode. Connections are allowed while the bots are
checked in the background.
l Hold - Connections are blocked until the bot check is complete.
n Hours to suppress logs for same bot protection - To minimize the size of the Anti-Bot
logs, actions for the same bot are only logged one time per hour. The default value is 1
hour. To change the default log interval , select a number of hours.
n Days to remove bot reporting after - If a bot does not connect to its command and
control server after the selected number of days, the client stops reporting that it is
infected. The default value is 3 days.
n Confidence Level - The confidence level is how sure Endpoint Security is that an activity
is malicious. High confidence means that it is almost certain that the activity is malicious.
Medium confidence means that it is very likely that the activity is malicious. You can
manually change the settings for each confidence level. Select the action for High
confidence, medium confidence and low confidence bots:

Harmony Endpoint EPMaaS Administration Guide | 246

Behavioral Protection

l Prevent - Blocks bots

l Detect - Logs information about bots, but does not block them.
l Off - Ignores bots (does not prevent or detect them).

The Behavioral Guard & Anti-Ransomware Component

Behavioral Guard constantly monitors files and network activity for suspicious behavior.

Note - Behavioral Guard also parses the email (through an add-in to Microsoft
Outlook) to include the details in the forensics report in the event of a malicious attack
through an email.

The Anti-Ransomware creates honeypot files on client computers, and stops the attack
immediately after it detects that the ransomware modified the files.

The Anti-Ransomware creates the honeypot files in these folders:

n C:\Users\Public\Music
n C:\Users\<User>\Music (MyMusic)
n C:\Users\Public\Documents
n C:\Users\<User>\Documents (MyDocuments)
n C:\Users\Public\Videos
n C:\Users\<User>\Videos (MyVideos)
n C:\Users\Public\Pictures
n C:\Users\<User>\Pictures (MyPictures)
n C:\Program Files (x86)
n C:\ProgramData
n C:\Users\<User>\AppData\Roaming
n C:\Users\<User>\AppData\Local
n C:\Users\<User>\Downloads

You can identify these folders by the lock icon that is associated with the name of the folder.
For example:

The file names include these strings, or similar:

n CP
n CheckPoint

Harmony Endpoint EPMaaS Administration Guide | 247

Behavioral Protection

n Check Point
n Check-Point
n Sandblast Agent
n Sandblast Zero-Day
n Endpoint
Before ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe
location. After the attack is stopped, it deletes files involved in the attack and restores the
original files from the backup location.
n Prevent - The attack is remediated. Logs, alerts and a forensic report are created.
n Detect - Logs, alerts and a forensic report are created.
n Off - Nothing is done on the detection, a log is not created

Advanced Behavioral Guard & Anti-Ransomware Settings

n Enable network share protection - Enables the protection of shared folders on the
network. All shared folders are protected, regardless of the protocol. Remote devices are
not protected.
n Block Volume Encryption tools (BitLocker and Similar Tools): As many ransomwares
use volume encryption software, such as BitLocker to encrypt drives.

Note - This feature is supported with the Harmony Endpoint Security Client
version E86.30 with the default client mode as Detect. With the Harmony
Endpoint Security Client version E86.50 and higher, the default client mode is
Prevent.

You can block such programs from:

l Encrypting unencrypted drives
l Modifying the encryption of encrypted drives (such as changing password)
If you want to encrypt your drive with BitLocker or a similar software:
l Encrypt the drive before you install the Harmony Endpoint Security Client, or
l Disable this protection, encrypt and resume this protection
n Allow extensive data collection: Allow Harmony Endpoint to collect extended
information from endpoints.

Note - This may increase the resources used.

Harmony Endpoint EPMaaS Administration Guide | 248

Behavioral Protection

n Low memory mode: Significantly reduces memory utilization by retaining only the most
recently matched signatures. However, there is a slight drop in the detection rate. It is
recommended to enable this setting only for system with low memory capacity. This is
supported only with the Endpoint Security Client version E87.30 and higher.

Backup Settings

When Anti-Ransomware is enabled, it constantly monitors files and processes for unusual
activity. Before a ransomware attack can encrypt files,Anti-Ransomware backs up your files to
a safe location. After the attack is stopped, it deletes files involved in the attack and restores
the original files from the backup location.
n Restore to selected location - - By default, files are restored to their original location. To
restore files to a different location, select this option and enter the location to which you
want to restore the files in the Choose location field. Each time files are automatically
restored, they will be put in the selected location.
n Anti-Ransomware maximum backup size on disk - Set the maximum amount of
storage for Anti-Ransomware backups. The default value is 1 GB.
n Backup time interval - Within this time interval, each file is only backed up one time,
even if it is changed multiple times. The default value is 60 minutes.
n Backup Settings - Change default types to be backed up - Click this to see a list of file
types that are included in the Anti-Ransomware backup files. You can add or remove file
types from the list and change the Maximum Size of files that are backed up.
n Disk Usage - By default, Forensics uses up to 1 GB of disk space on the client computer
for data.

The Anti-Exploit Component

Harmony Endpoint Anti-Exploit detects zero-day and unknown attacks, and provides
protection to vulnerable processes from exploitation. Files on your computer are sent to a
testing area for emulation to detect malicious files and content.
There are three configuration options for the Anti-Exploit protection:
n Prevent - Prevents the attack and suspends the application under attack.
n Detect - Detects and logs the attack information. Does not prevent the attack.
n Off - The Anti-Exploit protection is disabled.

Harmony Endpoint EPMaaS Administration Guide | 249

Analysis & Remediation

Automated Attack Analysis (Forensics)
Harmony Endpoint Forensics analyzes attacks detected by other detection features like Anti-
Ransomware or Behavioral Guard, and some third-party security products.
On detection of a malicious event or file, Forensics is informed and a Forensics analysis is
automatically initiated. After the analysis is completed, the entire attack sequence is presented
as a Forensics Analysis Report. If Endpoint Security Management Servers do not have
internet connectivity, Forensics information is stored and sent for evaluation immediately when
a server connects to the internet.
Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected
files and processes work correctly.

Protection mode - Define in which confidence level the incident is analyzed: Always, High,
Medium & High, or Never. The confidence level is how sure Endpoint Security is that a file is
malicious. High confidence means that it is almost certain that a file is malicious. Medium
confidence means that it is very likely that a file is malicious. The default value is Always.
Enable Threat Hunting - Threat Hunting is enabled by default. To learn more about Threat
Hunting, see "Threat Hunting" on page 514.

Remediation & Response

The Harmony Endpoint File Remediation component applies Remediation to malicious files.
When Harmony Endpoint components detect malicious files, they can quarantine those files
automatically based on policy, and remediate them if necessary.
You can manually define the confidence level in which Remediation is performed: Always,
High, Medium & High, or Never. The confidence level is how sure Endpoint Security is that a
file is malicious. High confidence means that it is almost certain that a file is malicious. Medium
confidence means that it is very likely that a file is malicious. The default value is Medium &
High.

Advanced Remediation & Response Settings

File Quarantine

Define the settings for files that are quarantined. By default, items are kept in quarantine for 90
days and users can delete items from quarantine.
n File quarantine - Select the confidence level in which Remediation is performed: Always
High, Medium & High, Never. The default value is Medium & HIgh.
n Allow users to delete items from quarantine - When selected, users can permanently
delete items from the quarantine file on their computers.

Harmony Endpoint EPMaaS Administration Guide | 250

Analysis & Remediation

n Allow users to restore items from quarantine - When selected, users can restore items
from the quarantine file on their computers.
n Copy quarantine files to central location -Enter a central location to which the
quarantined files from the client computers are copied.

File Remediation

Define what happens to the components of an attack that is detected by Forensics. When files
are quarantined, they are deleted and put in a secure location from which they can be restored,
if necessary.
You can manually edit the treatment for each category of file: Malicious, Suspicious, or
Unknown. For each category, you can select:
n Quarantine - Files are deleted and put in a secure location from which they can be
restored, if necessary.
n Delete - Files are permanently deleted.
n Backup -- Delete the file and create an accessible duplicate.
n None -- No action is taken.
Trusted files s are those defined as trusted by the Check Point Reputation Service. The
Remediation options for Trusted Files are:
n Terminate - stop the suspicious process.
n Ignore - Do not terminate processes. Activity is monitored.

Adding Exclusions to Rules

You can use either Legacy Exclusions and Smart Exclusions to add your exclusions. However,
we recommend that you use Smart Exclusions for the easy of managing exclusions.

Note - Smart Exclusions is supported only with Endpoint Security Client version
E87.40 and higher.

Legacy Exclusions
You can exclude specific objects (exclusions) from inspection by Harmony Endpoint. You can
add exclusions to a rule or create global exclusions that apply to all rules.

Adding Exclusions to a Specific Rule

To add exclusions to a specific rule:

1. Go to Policy > Threat Prevention > Policy Capabilities.
2. Select the rule for which you want to create the exclusion

Harmony Endpoint EPMaaS Administration Guide | 251

Analysis & Remediation

3. In the Capabilities & Exclusions pane, click Exclusions Center.

4. Expand an exclusion category. For example, Anti-Bot -> URL Filtering Exclusions.
Note - Global Exclusions is read-only. To add Global Exclusions, see "Adding Global
Exclusions" below.
5. Expand Rule Exclusions.
6. Select the exclusions you want to add to the rule.
7. Click OK.
8. In the bottom right corner of the policy configuration pane, click Save.
9. From the top, click Install Policy.

Adding Global Exclusions

To add global exclusions that apply to all the rules:

1. Go to Policy > Threat Prevention > Global Exclusions.
2. Expand an exclusion category. For example, Anti-Bot -> URL Filtering Exclusions.
3. Select the exclusions you want to add to the rule.
4. Click Save.
5. From the top, click Install Policy.

Adding Exclusions from Security Overview

To add exclusions from Security Overview:

1. Go to Overview > Security Overview.

2. Right-click the security event and select Drill Down.
3. Right-click the event and select one of these options:
n Create Exclusion for Effective Rule
The Edit Exclusions Center window appears and automatically adds the
exclusion.

Harmony Endpoint EPMaaS Administration Guide | 252

Anti Bot -> URL Filtering Exclusions

You can exclude specific domains from a rule. Click + to add the required domain you want
to exclude from the rule.
Syntax

Harmony Endpoint EPMaaS Administration Guide | 255

Analysis & Remediation

n * indicates a string or a character. For example, A* can be ADomain or AB or AAAA.

n ? indicates a character. For example, A? can be AA or AB or Ab.
For example:

If you enter It excludes these It does not exclude these

www.domain.com n https://www.domain.com n https://domain.com

n http://www.domain.com n http://domain.com
n https://sub.domain.com
n http://sub.domain.com

domain.com n https://www.domain.com -
n http://www.domain.com
n https://domain.com
n http://domain.com
n https://sub.domain.com
n http://sub.domain.com

sub.domain.com n https://sub.domain.com https://sub2.domain.com

n http://sub.domain.com

*.domain.com Sub-domain of domain.com

such as:
n https://sub1.domain.com
n http://sub2.domain.com

Anti-Malware -> Process Exclusions (on-access only)

Harmony Endpoint scans files when you create, open, or close them.
When you exclude a trusted process from inspection, it's file or network operation is not
scanned. Exclude a process only if you are sure, it is not Malware.

Best Practice - We recommend excluding a process if:

n It's behaviour is abnormal.
n It's performance is slow after you installed the Anti-Malware
blade.
n A false-positive is detected.

Windows
You can exclude only .EXE files.
Syntax:

Harmony Endpoint EPMaaS Administration Guide | 256

Analysis & Remediation

Fully qualified paths or an environment variable for the trusted executable.

Examples:
n C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe
n %programdata%\MytrustedProgram.exe

macOS
Syntax:
Fully qualified path for the trusted executable file.
Example:
/Applications/FileZilla.app/Contents/MacOS/filezilla

Anti-Malware -> Files and Folders Exclusion (system, scheduled and on-demand)

Files and Folder Exclusions are applied to all types of scans except contextual scan. The
reason for configuring exclusions is to reduce the CPU usage of Anti-Malware.

Note - Files and folders must be excluded only if they are located in a Trusted zone
or are considered a low-risk target for viruses.

Windows
Syntax:
Directory paths must end with a backlash.

Examples:
n Directory:
l C:\Program Files\MyTrustedDirectory\
l %programdata%\MyTrustedDirectory\
n Specific file:
l C:\ProgramFiles\MyTrustedDirectory\excludeMe.txt
l %programdata%\MyTrustedDirectory\excludeMe.txt
n File type:
l *.exe
l \\ServerName\Share\folder\file.txt or \\ip_
addres\Share\folder\file.txt depending on a way file is attached.

Harmony Endpoint EPMaaS Administration Guide | 257

Analysis & Remediation

l C:\Program Files\MyTrustedDirectory**.exe(recursive exclusion -

applies for all .exe in C:\Program Files\MyTrustedDirectory\ and all
subfolders)
n For Harmony Endpoint client version E80.80 or higher, you can exclude MD5 hash
from the scheduled malware scan. For example:
l md5:0123456789012345
o Exclude by hash in any folder
l md5:0123456789012345:app.exe
o Exclude by hash and exact file name
l md5:0123456789012345:c:\folder\app.exe
o Exclude by hash and full path
l md5:0123456789012345:%ENV%\app.exe
o Exclude by hash and environment variable
n For Harmony Endpoint client version E86.10 or higher, you can exclude URL from the
scheduled malware scan. For example:
l url:*.example.com
l url:http://*.example.com
l url:http://example.com/*
l url:www.example.com/abc/123
l url:*192.168.*
l url:http://192.168.*

Notes for URL exclusions-

n The * character replaces any sequence that contains zero or more
characters.
n The www. character sequence at the beginning of an exclusion mask is
interpreted as a *. sequence.
n If an exclusion mask does not start with the * character, the content of the
exclusion mask is equivalent to the same content with the *. prefix.
n If an exclusion mask ends with a character other than / or *, the content of the
exclusion mask is equivalent to the same content with the /* postfix.
n If an exclusion mask ends with the / character, the content of the exclusion
mask is equivalent to the same content with the /*. postfix.
n The character sequence /* at the end of an exclusion mask is interpreted as
/* or an empty string.
n URLs are verified against an exclusion mask, taking into account the protocol
(http or https).

Harmony Endpoint EPMaaS Administration Guide | 258

Analysis & Remediation

Note - For Windows, files and folder names are not case-sensitive.

macOS
Syntax:
Directory path, a specific file, or a file type. Environment variables are not supported.
Example:
Trusted directory
n /Users/Shared/MyTrustedDirectory/

Specific file
n /Users/*/Documents/excludeMe.txt

File type
n *.txt

Note - For macOS, files and folder names are case-sensitive.

Anti-Malware -> Exclude Infection by name

You can exclude some riskware files and infections from the scheduled malware scan on
your computer.

Best Practice:
n Exclude when the specific software is allowed.
n As a temporary exclusion when there is a false positive
detection.

Syntax
Infection name and protection name in your log.
Example:
n EICAR-Test-File

Notes -
n The infection name is case-sensitive.
n If you get a file protection detection, share the file with Check Point to resolve
the file protection.

Harmony Endpoint EPMaaS Administration Guide | 259

Analysis & Remediation

Threat Emulation, Threat Extraction, and Zero-Phishing Exclusions

You can exclude specific folders, domains or SHA1 hashes from the Threat Emulation,
Threat Extraction and Zero-Phishing protection.
Domain exclusions
n Relevant only for Harmony Endpoint extension for Browsers.
n To exclude an IP, in the Element field, enter IP address followed by subnet mask in
the format <X.X.X.X>/ <subnet mask >. For example, to exclude a computer with IP
address 192.168.100.30, enter 192.168.100.30/24.
n Domain exclusions must be added without http, https or any other special characters
except asterisk (*).

Domain exclusions can be added with or without www.

n Sub-domain exclusions are supported.
Exclusion of a domain will exclude all its subdomains as well.
For example:

If you enter It excludes these It does not exclude these

www.domain.com n https://www.domain.com n https://domain.com

n http://www.domain.com n http://domain.com
n https://sub.domain.com
n http://sub.domain.com

sub.domain.com n https://sub.domain.com https://sub2.domain.com

n http://sub.domain.com

*.domain.com Sub-domain of domain.com

such as:
n https://sub1.domain.com
n http://sub2.domain.com

SHA1 exclusions -

Harmony Endpoint EPMaaS Administration Guide | 260

Analysis & Remediation

n Relevant only for Threat Emulation blade (File system monitoring).

For Harmony Endpoint version E86.40, SHA1 exclusion is supported on Harmony
Endpoint extension for browsers as well (not including Internet Explorer). SHA1 can
be used to exclude downloaded files from File Protection and local HTML files from
"Zero Phishing" on page 231.
n It is not supported with Internet Explorer.
n File Reputation exclusions are set by SHA1.
n Macro exclusion - To exclude the office files which includes a macro, set exclusions
for the SHA1 hash of the macro.
For example, if an exclusion is set to SHA1 hash of the macro, all the files which
includes this macro are excluded.

Notes -
l This is supported with Endpoint Security Client version E88.00 or

higher.
l To view the hash of a macro, see the Description in the Forensic

Details section in the Card of the event. For more information see,
Adding Exclusions from Logs.

Folder exclusions -
n Relevant only for Threat Emulation blade (File system monitoring).
n Folder path cannot contain environment variables.
n When you exclude a folder, enter the folder as a windows path. For example:
C:\Program Files\MyTrustedDirectory\
n If the path of created file begins with exclusion, it will be excluded.
n Folder exclusions support wildcards. These wildcards are supported:
? - Each question mark masks one character.
* - Each star masks zero or more characters.

Harmony Endpoint EPMaaS Administration Guide | 261

Analysis & Remediation

n It is not advised to add * in the middle of path exclusions, as it may hurt the
performance.
n Exclude network files by path \\ServerName\Share\folder\.This excludes all
files located under \ServerName\Share\folder\\.

Threat Emulation -> Anti-Exploit Exclusions

You can exclude these elements from the Anti-Exploit protection:

n Protection Name - Predefined malware signature
n Process - To exclude an executable
Currently there are five different Anti-Exploit protections available. Following is a list of the
protections per-name.

Syntax for exclusions:

Protection Protection Rule Name

Import-Export Address Table Parsing Gen.Exploiter.IET

Return Oriented Programming Gen.Exploiter.ROP

VB Script God Mode Gen.Exploiter.VBS

Stack Pivoting Gen.Exploiter.SP

RDP Vulnerability (CVE-2019-0708) Gen.Exploiter.CVE_2019_0708

RCE Vulnerability (CVE-2019-1181) Gen.Exploiter.CVE_2019_1181/2

Excluding a protection means that files will not be monitored by Anti-Exploit.

n Process and protection
l C:\Program Files\MyTrustedDirectory\excludeMe.exe
l Gen.Exploiter.ROP
n Protection
l Gen.Exploiter.ROP

Forensics -> Anti-Ransomware and Behavioral Guard

You can exclude these elements from the Anti-Ransomware and Behavioral Guard
protection:
n Folder – To exclude a folder or non-executable files

Harmony Endpoint EPMaaS Administration Guide | 262

Analysis & Remediation

n Process - To exclude an executable by element, MD5, and signer.

n Certificate - To exclude processes based on the company that signs the certificate.
n Protection - To exclude signature by it's name.

Notes:
n Excluded process will be monitored but not
triggered.
n Excluded protection will not be triggered.

Syntax:
n Folder can contain environment variables
n Folder cannot contain wildcards (*)
n By default, sub-folders are included.
Excluding a Certificate / Process means that files modified / created by a certain process
will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.
Windows
Syntax:
n You must specify the process name or full path to the process
n Exclusion can contain environment variables
n Wildcards are supported.

Note - This is supported with Endpoint Security client version E86.70 and higher.
Examples:
n Full path
l C:\Program Files\MyTrustedDirectory\
n Process
l C:\Program Files\MyTrustedDirectory\ExcludeMe.exe
n Certificate
l Microsoft
n md5: 0123456789012345
n Protection: win.blocker
macOS
Syntax:

Harmony Endpoint EPMaaS Administration Guide | 263

Analysis & Remediation

n You must specify full path or wildcard

n Path or file name can contain wildcards
n Paths are case sensitive
Examples:
n Full path or Xcode exclusion:
:/Appliations/Xcode.app/Contents?MacOS/Xcode
n To cover all Xcode-related executables (not only GUI app):
/Applicatoins/Xcode.app/*

Excluding a Certificate / Process means that files modified / created by a certain process
will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

Forensics -> Monitoring Exclusions

You can exclude these elements from monitoring:

n Process - To exclude an executable by element, MD5 and signer.
n Certificate - To exclude processes based on the company that signs the certificate.
Syntax:
n Process can be excluded by name only, or by full path.
For example C:\Program Files\MyTrustedDirectory\excludeMe.exe
n Full path can contain environment variables.
n Full path CANNOT contain wildcards
n Certificate
l Microsoft
n md5:0123456789012345
l Exclude a process by hash.
n Excluding a Certificate / Process means that files modified / created by a certain
process will not be backed up, or monitored by Anti-Ransomware and Behavioral
Guard.

Forensics -> Quarantine Exclusions

You can exclude a file or process from quarantine. You can define the exclusion by these
criteria: certificate, file, folder, MD5 hash, SHA1 hash, and file extension. When an element
is excluded from quarantine, even if there is a detection of malware, the file is not
quarantined.

Harmony Endpoint EPMaaS Administration Guide | 264

Analysis & Remediation

Smart Exclusions
Smart Exclusions allows you to add exclusions to one or more capabilities and types easily,
whereas the Legacy Exclusions allows you to add exclusion only for one capability at a time.
With Smart Exclusions, you can:
n Set exclusions to all capabilities and operating systems at once.
n Use standard syntax across all exclusion types.
n Use wider range of wildcard characters for nuanced and customized exclusion patterns.
n Easily enable or disable exclusions with a simple toggle button without the need to delete
exclusions temporarily.

Note - Smart Exclusions is supported only with Endpoint Security Client version
E87.52 and higher for Windows and E87.50 and higher for macOS.

Adding Exclusions to a Specific Rule

To add a new exclusion to a specific rule:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule for which you want to create the exclusion.
3. In the Capabilities & Exclusions pane, click Exclusions Center.
4. Click Go to Smart Exclusions.

Harmony Endpoint EPMaaS Administration Guide | 265

Analysis & Remediation

5. Click or click Create New Exclusion.

6. To add an exclusion for only one exclusion type:

Harmony Endpoint EPMaaS Administration Guide | 266

Analysis & Remediation

a. Click Single-method exclusion.

A wizard appears.

b. In the Exclusion name field, enter a name for exclusion.

c. To enable the exclusion, toggle Status to Enabled.
d. From the Exclusion Type list, select the exclusion type.

Harmony Endpoint EPMaaS Administration Guide | 267

Analysis & Remediation

e. From the Operating system list, select the operating system to which you want
to apply the exclusion. For example, endpoints running Windows operating
system only. It is not available if you select All supported in the Apply to the
following capabilities section.

Caution - If you make exclusions in the Forensics Monitoring

capability, the activities of the excluded processes are omitted from
forensic analysis. As a result, you cannot query for these activities in
Threat Hunting and they are excluded from Horizon XDR/XPR
analysis, detections, and the creation of security incidents related to
sophisticated attacks.

f. In the Apply to the following capabilities section:

Notes:
n Capabilities not relevant to the selected group are not

available.
n For supported syntax and capabilities for exclusion types,

see sk181679.

Harmony Endpoint EPMaaS Administration Guide | 268

Analysis & Remediation

g.
If the
Exclusion Then
Type is

Process a. In the Process path field, enter the path of the process.
path For example, C:\windows\system\cmd.exe.
b. To specify additional criteria, expand Process path
options, and select:
n Case sensitive
n Trusted process
n Argument and if required, select Regex, and in the

Argument value field, enter the value.

Process a. From the Process hash type list, select the hash type:
hash n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the Process hash value, enter the value.

Process In the Process signer value field, enter the process signer
signer value. For example, Check Point Ltd.

File path a. In the File path field, enter the path of the file. For
example, C:\windows\system\.
b. To specify additional criteria, expand File path options,
and select Case sensitive.

File hash a. From the File hash type list, select the hash type:
n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the File hash value, enter the value.

File signer In the File signer value field, enter the process signer value.
For example, Check Point Ltd.

IP Range In the IP Range fields, enter the IP address range.

For example, to enter IPv4 range, enter 192.168.1.30-
192.168.1.198.
For example, to enter IPv6 range, enter 2001::1-2001::254.

Url In the URL field, enter the URL.

Harmony Endpoint EPMaaS Administration Guide | 269

Analysis & Remediation

If the
Exclusion Then
Type is

Domain In the Domain field, enter the domain. For example,

checkpoint.com.

Infection In the Infection/Protection field, enter the infection (for

example, not-a-virus:Adware.Win32.BroAssist.a) or a
protection (for example, Gen.Exploiter.ROP).

h. (Optional) In the Comment field, enter comments.

i. Click Save.

7. To add exclusions for multiple types of exclusions:

a. Click Multi-method exclusion.

A wizard appears.

b. In the Exclusion name field, enter a name for exclusion.

c. To enable the exclusion, toggle Status to Enabled.
d. From the Exclusion Group list, select the exclusion type.

Harmony Endpoint EPMaaS Administration Guide | 270

Analysis & Remediation

Caution - If you make exclusions in the Forensics Monitoring

f. In the Apply to the following capabilities section:

n To apply the exclusion to all capabilities, select All supported.
n To apply the capabilities to specific capabilities, select Select specific and
from the Capabilities list, select the capabilities. "To enable Chained
Exclusions, in the Chained Exclusion are available for section, turn on the
Inherit exclusion to child processes button. It automatically excludes all the
child processes of the excluded process." on the next page

Notes:
l Capabilities not relevant to the selected group are not

available.
l Anti-Exploit capability supports only Process path and

Infection/Protection exclusions.

Harmony Endpoint EPMaaS Administration Guide | 271

Analysis & Remediation

g. To enable Chained Exclusions, in the Chained Exclusion are available for

section, turn on the Inherit exclusion to child processes button. It automatically
excludes all the child processes of the excluded process.

Notes:
n Chained exclusion is supported only with the Exclusion group of the

type System and to these specific exclusions:

l Process path

l Process original name

l Process hash

l Process signer

n With the Harmony Endpoint Security Client version E88 and higher, it

supports only the Forensics Monitoring capability.

n With the Harmony Endpoint Security Client version E88.20 and

higher, it additionally supports Threat Emulation, Anti-Bot, Anti-

Malware (DHS compliant), SSLi and URL Filtering capabilities.

h. (Optional) In the Comment field, enter comments.

i. Click Next.

Note - For supported syntax and capabilities for exclusion types, see
sk181679.

Harmony Endpoint EPMaaS Administration Guide | 272

Analysis & Remediation

j.
If the Exclusion Exclusion
Then
Group is Type

System Process a. In the Process path field, enter

path the path of the process. For
example,
C:\windows\system\cmd.exe.
b. To specify additional criteria,
expand Process path options,
and select:
n Case sensitive
n Trusted process
n Argument and if required,

select Regex, and in the

Argument value field,
enter the value.

Process Enter the name of the process. For

original example, cmd.exe.
name Supported only for Windows-based
endpoints.

Process a. From the Process hash type

hash list, select the hash type:
n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the Process hash value,

enter the value.

Process In the Process signer value field,

signer enter the process signer value. For
example, Check Point Ltd.

File path a. In the File path field, enter the

path of the file. For example,
C:\windows\system\.
b. To specify additional criteria,
expand File path options, and
select Case sensitive.

Harmony Endpoint EPMaaS Administration Guide | 273

Analysis & Remediation

If the Exclusion Exclusion

Then
Group is Type

File hash a. From the File hash type list,

select the hash type:
n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the File hash value, enter the

value.

File signer In the File signer value field, enter

the process signer value. For
example, Check Point Ltd.

Web Asset IP Range In the IP Range fields, enter the IP

address range.
For example, to enter IPv4 range,
enter 192.168.1.30-192.168.1.198.
For example, to enter IPv6 range,
enter 2001::1-2001::254.

Url In the URL field, enter the URL.

Domain In the Domain field, enter the domain.

For example, checkpoint.com.

Infection/Detection Infection In the Infection/Protection field, enter

the infection (for example, not-a-
virus:Adware.Win32.BroAssist.a) or a
protection (for example,
Gen.Exploiter.ROP).

k. Click Finish.

8. Click OK.
9. Click Save & Install.

Note - You can change Single-method exclusion to Multi-method exclusion.

See Managing Exclusions.

Harmony Endpoint EPMaaS Administration Guide | 274

Analysis & Remediation

Adding Global Exclusions

To add global exclusions that apply to all the rules:

1. Go to Policy > Threat Prevention > Global Exclusions.
2. Click Go to Smart Exclusions.

3. Click or click Create New Exclusion.

4. To add an exclusion for only one exclusion type:

Harmony Endpoint EPMaaS Administration Guide | 275

Analysis & Remediation

a. Click Single-method exclusion.

A wizard appears.

b. In the Exclusion name field, enter a name for exclusion.

c. To enable the exclusion, toggle Status to Enabled.
d. From the Exclusion Type list, select the exclusion type.

Harmony Endpoint EPMaaS Administration Guide | 276

Analysis & Remediation

Caution - If you make exclusions in the Forensics Monitoring

f. In the Apply to the following capabilities section:

Notes:
n Capabilities not relevant to the selected group are not

available.
n For supported syntax and capabilities for exclusion types,

see sk181679.

Harmony Endpoint EPMaaS Administration Guide | 277

Analysis & Remediation

g.
If the
Exclusion Then
Type is

Argument value field, enter the value.

Process a. From the Process hash type list, select the hash type:
hash n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the Process hash value, enter the value.

Process In the Process signer value field, enter the process signer
signer value. For example, Check Point Ltd.

File path a. In the File path field, enter the path of the file. For
example, C:\windows\system\.
b. To specify additional criteria, expand File path options,
and select Case sensitive.

File hash a. From the File hash type list, select the hash type:
n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the File hash value, enter the value.

File signer In the File signer value field, enter the process signer value.
For example, Check Point Ltd.

IP Range In the IP Range fields, enter the IP address range.

For example, to enter IPv4 range, enter 192.168.1.30-
192.168.1.198.
For example, to enter IPv6 range, enter 2001::1-2001::254.

Url In the URL field, enter the URL.

Harmony Endpoint EPMaaS Administration Guide | 278

Analysis & Remediation

If the
Exclusion Then
Type is

Domain In the Domain field, enter the domain. For example,

checkpoint.com.

Infection In the Infection/Protection field, enter the infection (for

example, not-a-virus:Adware.Win32.BroAssist.a) or a
protection (for example, Gen.Exploiter.ROP).

h. (Optional) In the Comment field, enter comments.

i. Click Save.

5. To add exclusions for multiple types of exclusions:

a. Click Multi-method exclusion.

A wizard appears.

b. In the Exclusion name field, enter a name for exclusion.

c. To enable the exclusion, toggle Status to Enabled.
d. From the Exclusion Group list, select the exclusion type.

Harmony Endpoint EPMaaS Administration Guide | 279

Analysis & Remediation

Caution - If you make exclusions in the Forensics Monitoring

f. In the Apply to the following capabilities section:

Notes:
l Capabilities not relevant to the selected group are not

available.
l Anti-Exploit capability supports only Process path and

Infection/Protection exclusions.

Harmony Endpoint EPMaaS Administration Guide | 280

Analysis & Remediation

g. To enable Chained Exclusions, in the Chained Exclusion are available for

section, turn on the Inherit exclusion to child processes button. It automatically
excludes all the child processes of the excluded process.

Notes:
n Chained exclusion is supported only with the Exclusion group of the

type System and to these specific exclusions:

l Process path

l Process original name

l Process hash

l Process signer

n With the Harmony Endpoint Security Client version E88 and higher, it

supports only the Forensics Monitoring capability.

n With the Harmony Endpoint Security Client version E88.20 and

higher, it additionally supports Threat Emulation, Anti-Bot, Anti-

Malware (DHS compliant), SSLi and URL Filtering capabilities.

h. (Optional) In the Comment field, enter comments.

i. Click Next.

Note - For supported syntax and capabilities for exclusion types, see
sk181679.

Harmony Endpoint EPMaaS Administration Guide | 281

Analysis & Remediation

j.
If the Exclusion Exclusion
Then
Group is Type

System Process a. In the Process path field, enter

select Regex, and in the

Argument value field,
enter the value.

Process Enter the name of the process. For

original example, cmd.exe.
name Supported only for Windows-based
endpoints.

Process a. From the Process hash type

hash list, select the hash type:
n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the Process hash value,

enter the value.

Process In the Process signer value field,

signer enter the process signer value. For
example, Check Point Ltd.

File path a. In the File path field, enter the

path of the file. For example,
C:\windows\system\.
b. To specify additional criteria,
expand File path options, and
select Case sensitive.

Harmony Endpoint EPMaaS Administration Guide | 282

Analysis & Remediation

If the Exclusion Exclusion

Then
Group is Type

File hash a. From the File hash type list,

select the hash type:
n MD5
n SHA1
n SHA2
n cdhash (for macOS only)

b. In the File hash value, enter the

value.

File signer In the File signer value field, enter

the process signer value. For
example, Check Point Ltd.

Web Asset IP Range In the IP Range fields, enter the IP

address range.
For example, to enter IPv4 range,
enter 192.168.1.30-192.168.1.198.
For example, to enter IPv6 range,
enter 2001::1-2001::254.

Url In the URL field, enter the URL.

Domain In the Domain field, enter the domain.

For example, checkpoint.com.

Infection/Detection Infection In the Infection/Protection field, enter

the infection (for example, not-a-
virus:Adware.Win32.BroAssist.a) or a
protection (for example,
Gen.Exploiter.ROP).

k. Click Finish.

6. Click Save.
The exclusions are automatically enforced on the client without installing the policy.

Note - You can change Single-method exclusion to Multi-method exclusion.

See Managing Exclusions.

Harmony Endpoint EPMaaS Administration Guide | 283

Analysis & Remediation

Migrating Legacy Exclusions

Best Practice - Check Point recommends to follow these steps before migrating to Smart
Exclusions:
1. Go to Policy > Threat Prevention > Policy Capabilities
2. Pick a rule to test the migration and clone the rule.
3. Place the newly created rule at the top.
4. Under Applied To, select a test group.
5. Click Exclusion Center for the newly created rule and export the legacy exclusions
for backup purposes.
6. For the newly created rule, migrate to Smart Exclusions. See "To migrate legacy
exclusions to smart exclusions:" below.
7. Click Save and Install.
8. Go to Logs and filter the logs for the computer in the test group. Verify that there are
no false positives and all the detections are excluded correctly. If there are issues,
contact Check Point Support.
9. Perform the steps 1 through 8 for each rule at a time.
10. Repeat the process for Global Exclusions.

To migrate legacy exclusions to smart exclusions:

1. To migrate legacy exclusions for a rule:
a. Go to Policy > Threat Prevention > Policy Capabilities.
b. Select the rule.

c. In the Capabilities & Exclusions pane, click Exclusions Center.

2. To migrate legacy global exclusions, go to Policy > Threat Prevention > Global
Exclusions.

3. Click Go to Smart Exclusions.

4. To migrate all legacy exclusions:
a. Click Migrate from Legacy Exclusions (available only if there are no exclusions) or
click and click All exclusions from legacy.

The Import All Legacy Exclusions window appears.

b. (Recommended) To remove all the legacy exclusions after you migrate to smart
exclusions, select Remove all the imported exclusions from legacy.
c. Click Import.
5. To migrate specific exclusions:

Harmony Endpoint EPMaaS Administration Guide | 284

Analysis & Remediation

a. Click and Select exclusions from legacy.

The Transfer from Legacy - Select Exclusions window appears.

b. Select the exclusions.
c. Click OK.
The exclusions are added to smart exclusions.
6. For specific rule, click OK and Save & Install.
7. For global exclusions, click Save.
The exclusions are automatically enforced on the client without installing the policy.

Importing and Exporting Exclusions

To import or export exclusions:

1. To import or export exclusions for a rule:
a. Go to Policy > Threat Prevention > Policy Capabilities.
b. Select the rule.
c. In the Capabilities & Exclusions pane, click Exclusions Center.
2. To import or export global exclusions, go to Policy > Threat Prevention > Global
Exclusions.

3. Click Go To Smart Exclusions.

4. To import exclusions:

a. Click and click Import Files.

b. Browse and select the import file in the JSON format.

c. For specific rule, click OK and Save & Install.
d. For global exclusions, click Save.
The exclusions are automatically enforced on the client without installing the policy.

5. To export exclusions, click .

The file is exported in the JSON format.

Harmony Endpoint EPMaaS Administration Guide | 285

Analysis & Remediation

Managing Exclusions

To manage exclusions:
1. To manage smart exclusions for a rule:
a. Go to Policy > Threat Prevention > Policy Capabilities.
b. Select the rule.
c. In the Capabilities & Exclusions pane, click Exclusions Center.
2. To manage global smart exclusions, go to Policy > Threat Prevention > Global
Exclusions.
3. Click Go To Smart Exclusions.

4. To edit an exclusion:

n
Select the exclusion and click .
n Right-click the row and click Edit.
To a change Single-method exclusion to Multi-method exclusion, click Edit in
multi-value wizard at the bottom of the wizard.
Refer to "Adding Exclusions to a Specific Rule" on page 265 to edit the exclusion.
5. To delete exclusions:

n
Select the exclusions and click .

n
Click the row and at the end of the row, click .
n Select the exclusions, right-click and click Delete.
6. To duplicate exclusions:

n
Select the exclusion and click .

n
Click the row and at the end of the row, click .
n Select the exclusion, right-click and click Duplicate.
7. To enable or disable the exclusion, toggle the button in the Status column.
8. To edit Name, Capabilities and Comment:

Harmony Endpoint EPMaaS Administration Guide | 286

Analysis & Remediation

a. Click the row.

b. At the end of the row, click .

To permanently delete an item:

1. Open the Harmony Endpoint Quarantine Manager for Administrators.

2. Select one or more items.
3. Click Delete.

To send a file to quarantine from outside of the utility:

1. Open the Harmony Endpoint Quarantine Manager for Administrators.
2. Click Quarantine.
3. In the window that opens, browse to select the file to move to quarantine.

To import a suspicious file to the utility:

1. Open the Harmony Endpoint Quarantine Manager for Administrators.

2. Click Import.
3. In the window that opens, browse to select the quarantined file to import.
The file, with its metadata, is imported to the quarantine database from where the utility
is run.

Configuring the Data Protection Policy

Configuring the Data Protection Policy includes:
n "Configuring Full Disk Encryption" on the next page
n "Configuring Media Encryption & Port Protection" on page 310

Harmony Endpoint EPMaaS Administration Guide | 290

Analysis & Remediation

Configuring Full Disk Encryption

Full Disk Encryption gives you the highest level of data security for Endpoint Security client
computers.
It combines boot protection and strong disk encryption to ensure that only authorized users
can access data stored in desktop and laptop PCs.
Check Point's Full Disk Encryption has two main components:
n "Check Point Disk Encryption for Windows" on page 293 - Ensures that all volumes of
the hard drive and hidden volumes are automatically fully encrypted. This includes
system files, temporary files, and even deleted files. There is no user downtime because
encryption occurs in the background without noticeable performance loss. The encrypted
disk is inaccessible to all unauthorized people.
n "Authentication before the Operating System Loads (Pre-boot)" on page 294 - Requires
users to authenticate to their computers before the computer boots. This prevents
unauthorized access to the operating system using authentication bypass tools at the
operating system level or alternative boot media to bypass boot protection.
Full Disk Encryption also supports "BitLocker Encryption for Windows Clients" on page 299
and "FileVault Encryption for macOS" on page 301
The Full Disk Encryption policy contains a pre-defined Default Policy rule, which applies to the
entire organization.
Each new rule you create, has pre-defined settings, which you can then edit in the right section
of the screen.

The Policy Rule Base consists of these parts:

Column Description

Rule Number The sequence of the rules is important because the first rule that matches
traffic according to the protected scope is applied.

Rule Name Give the rule a descriptive name.

Applied to The protected scope to which the rule applies.

Full Disk The configurations that apply to data encryption.

Encryption

The Policy toolbar includes these options:

Harmony Endpoint EPMaaS Administration Guide | 291

Analysis & Remediation

To do this Click this

Create a new rule

Save, view, or discard changes

Duplicate a rule

Install Policy

Search for entity

Delete a rule

For Crypto-Shredding a computer, see sk179911.

Harmony Endpoint EPMaaS Administration Guide | 292

Check Point Disk Encryption for Windows

Ensures that all volumes of the hard drive and hidden volumes are automatically fully
encrypted. This includes system files, temporary files, and even deleted files. There is no user
downtime because encryption occurs in the background without noticeable performance loss.
The encrypted disk is inaccessible to all unauthorized people.

Configuration Options

n Algorithms used
Go to Advanced Settings > Encryption > Choose Algorithm.
Full Disk Encryption can use these encryption algorithms:
l AES-CBC 256 bit (Default)
l XTS-AES 128 bit
l XTS-AES 256 bit
n Volumes encrypted
By default, all drives that are detected after the installation and all visible disk volumes
are encrypted. IRRT are not encrypted.
Go to Advanced Settings > Encryption > Allow Self-Encrypting Drives (SED)
hardware functionality.
Full Disk Encryption probes and uses SED disks that comply with the OPAL standard. If
a compatible system and disk are detected, Full Disk Encryption uses the hardware
encryption on the disk instead of the traditional software encryption.
When using SED drives, leave Encrypt hidden disk volumes checked (which is the
default setting):
l AES encryption is always used with SED drives
l Manage SED drives in the same way as software-encrypted drives.
n Initial Encryption
l Encrypt entire drive - Recommended for computers that are in production and
already have user data, such as documents and emails.
l Encrypt used disk space only - Encrypts only the data. Recommended for fresh
Windows installations.

Harmony Endpoint EPMaaS Administration Guide | 293

Authentication before the Operating System Loads (Pre-boot)

Protection requires users to authenticate to their computers before the operating system
loads. This prevents unauthorized access to the operating system using authentication bypass
tools at the operating system level or alternative boot media to bypass boot protection.

To enable Pre-boot:
Go to the Policy view > Data Protection > General >.Capabilities and Exclusions > Full Disk
Encryption > click Enable Pre-boot.

Best Practice - We recommend to enable Pre-boot. When Pre-boot is disabled, the

user can bypass the Pre-boot authentication at the cost of reducing the security to a
level below encryption strength. Users authenticate to their computers only at the
operating system level. If Pre-boot is disabled, consider using SSO or enable bypass
pre-boot when connected to LAN.

Temporary Pre-boot Bypass Settings

Temporary Pre-boot Bypass lets the administrator disable Pre-boot protection temporarily, for
example, for maintenance. It was previously called Wake on LAN (WOL). You enable and
disable Temporary Pre-boot Bypass for a computer, group, or OU from the computer or group
object. The Pre-boot settings in the Full Disk Encryption policy determine how Temporary Pre-
boot Bypass behaves when you enable it for a computer.
Temporary Pre-boot Bypass reduces security. Therefore use it only when necessary and for
the amount of time that is necessary. The settings in the Full Disk Encryption policy set when
the Temporary Pre-boot Bypass turns off automatically and Pre-boot protection is enabled
again.
You can configure the number of minutes the Pre-boot login is displayed before automatic OS
logon.

There are different types of policy configuration for Temporary Pre-boot Bypass:
n Allow OS login after temporary bypass
n Allow bypass script
If you run scripts to do unattended maintenance or installations (for example, SCCM) you
might want the script to reboot the system and let the script continue after reboot. This
requires the script to turn off Pre-boot when the computer is rebooted . Enable this
feature in the Temporary Pre-boot Bypass Settings windows. The Temporary Pre-boot
Bypass script can only run during the timeframe configured in Temporary Pre-boot
Bypass Settings.

Harmony Endpoint EPMaaS Administration Guide | 294

Authentication before the Operating System Loads (Pre-boot)

Running a temporary bypass script:

In a script you execute the FdeControl.exe utility to enable or disable Pre-boot at the
next restart:
l To disable Temporary Pre-boot Bypass, run:

FDEControl.exe set-wol-off

l To enable Temporary Pre-boot Bypass, run:

FDEControl.exe set-wol-on

The above commands fail with code "13 ( UNAUTHORIZED )" if executed outside the
timeframe specified in the policy.
You can select the Temporary Pre-boot Bypass duration:
n On demand, Once, or Weekly,
n Disable after X automatic logins - Bypass turns off after the configured number of logins
to a computer.
n Disable after X days or hours - Bypass turns off after the configured days or hours
passed.

Note - If you select both Disable after X automatic logins and Disable after X days
or hours, bypass turns off when any of these options occurs.
Best Practice - Select a small number so that you do not lower the security by
disabling the Pre-boot for a long time.

Advanced Pre-boot Settings

Action Description

Display last The username of the last logged on user shows in the Pre-boot logon
logged on user in window.
Pre-boot That user only needs to enter a password or Smart Card pin to log in

Reboot after [x] n If active, specify the maximum number of failed logons allowed
failed logon before a reboot takes place.
attempts were n This setting does not apply to smart cards. Smart Cards have
made their own thresholds for failed logons.

Verification text Select to notify the user that the logon was successful, halting the boot-
for a successful up process of the computer for the number of seconds that you specify
logon will be in the Seconds field.
displayed for

Harmony Endpoint EPMaaS Administration Guide | 295

Authentication before the Operating System Loads (Pre-boot)

Action Description

Enable USB Select to use a device that connects to a USB port. If you use a USB
devices in Pre- Smart Card you must have this enabled.
boot environment If you do not use USB Smart Cards, you might need this enabled to
use a mouse and keyboard during Pre-boot.

Enable TPM two- Select to use the TPM security chip available on many PCs during pre-
factor boot in conjunction with password authentication or Dynamic Token
authentication authentication.
(password & The TPM measures Pre-boot components and combines this with the
dynamic tokens) configured authentication method to decrypt the disks.
If Pre-boot components are not tampered with, the TPM lets the
system boot.
See sk102009 for more details.

Firmware update Disables TPM measurements on Firmware/BIOS level components.

friendly TPM This makes updates of these components easier but reduces the
measurements security gained by the TPM measurements because not all
components used in the boot sequence are measured.
If this setting is enabled on UEFI computers, the Secure Boot setting is
included in the measurement instead of the firmware.

Enable remote Select to enable remote help without the need of assigning any Pre-
help without pre- boot user to the computer. When giving remote help, select the Pre-
boot user Boot Bypass Remote Help type that performs a One-Time logon. The
setting is only available if Pre-boot is configured to be disabled.

Remote Help Users can use Remote Help to get access to their Full Disk Encryption
protected computers if they are locked out.
Here you configure the number of characters in the Remote Help
response that users must enter.

User Authorization before Encryption

Full Disk Encryption policy settings enable user acquisition by default. If user acquisition is
disabled, the administrator must assign at least one Pre-boot user account to each client
computer before encryption can start. You can require one or more users to be acquired
before encryption can start. You can also configure clients to continue user acquisition after
Pre-boot is already enabled. This might be useful if a client computer is used by many users,
also called roaming profiles.
Usually a computer has one user and only one user must be acquired. If the computer has
multiple users, it is best if they all log on to the computer for Full Disk Encryption to collect their
information and acquire them.
User acquisition settings

Harmony Endpoint EPMaaS Administration Guide | 296

Authentication before the Operating System Loads (Pre-boot)

n Enable automatic user acquisition

n Amount of users to acquire before Pre-boot is enabled - Select the number of users to
acquire before the Harmony Endpoint enforces Pre-boot on acquired users.
n Enable Pre-boot if at least one user has been acquired after X days - Select the
number of days to wait before Pre-boot is enforced on acquired users. This setting limits
the number of days when user acquisition is active for the client. If the limit expires and
one user is acquired, Pre-boot is enforced and encryption can start. If no users are
acquired, user acquisition continues. Pre-boot is enforced on acquired users after one of
the criteria are met.
To configure the advanced settings for user acquisition, go to Advanced Settings > User
Acquisition:
n Continue to acquire users after Pre-boot has been enforced - Pre-boot is active for
users who were acquired and user acquisition continues for those who were not
acquired.
n User acquisition will stop after having acquired additional X users - User acquisition
continues until the selected number of additional users are acquired.

Note - If you need to terminate the acquisition process, for example, if the client fails
to acquire users although an unlimited time period is set, define a new automatic
acquisition policy.

User Assignment

You can view, create, lock and unlock authorized Pre-boot users.

To add a user to the list of users authorized to access a device:

1. Go to Asset Management > Organization > Computers.

2. Click and select Full Disk Encryption > Preboot User Assignment.

The Authorize Pre-Boot Users window opens. You can see the authorized users for
each device you search.

3. Click the icon.

The Create New Pre-boot User window opens.

4. Enter these details:
n Logon Name
n Password

Harmony Endpoint EPMaaS Administration Guide | 297

Authentication before the Operating System Loads (Pre-boot)

n Account Details
l Lock user for Pre-boot
l Require change password after first logon - Applies only to password
authentication. Select this option to force users to change their password
after the first pre-boot logon.
n Expiration Settings - Select an expiration date for the user authorization.

To lock or unlock a user:

1. Go to Asset Management > Organization > Computers.
2. Click and select Full Disk Encryption > Preboot User Assignment.

The Authorize Pre-Boot Users window opens. You can see the authorized users for
each device you search.
3. In the search box, search for the applicable device.
The list of authorized users to access the device appears.
4. Click on the user on the list to select it and click on the lock icon above the list to lock or
unlock the user.

Harmony Endpoint EPMaaS Administration Guide | 298

BitLocker Encryption for Windows Clients

BitLocker encrypts the hard drives on a Windows computer, and is an integral part of
Windows.
Check Point BitLocker uses the Endpoint Security Management Server, Client Agent and the
Harmony Endpoint UI to manage BitLocker.
BitLocker Management is implemented as a Windows service component called Check Point
BitLocker Management.
It runs on the client together with the Client Agent (the Device Agent).
Check Point BitLocker Management uses APIs provided by Microsoft Windows to control and
manage BitLocker.

Configuration options:

Setting Description

Initial n Encrypt entire drive - Recommended for computers that are in

Encryption production and already have user data, such as documents and
emails.
n Encrypt used disk space only - Encrypts only the data.
Recommended for fresh Windows installations.

Drives to n All drives - Encrypt all drives and volumes.

encrypt n OS drive only - Encrypt only the OS drive (usually, C:\). This is the
default.

Encryption n Windows Default - This is recommended. On Windows 10 or later,

algorithm unencrypted disks are encrypted with XTS-AES-128. On encrypted
disks, the encryption algorithm is not changed.
n XTS-AES-128
n XTS-AES-256

Note - To take control of a BitLocker-encrypted device, the target device must have a
Trusted Platform Module (TPM) module installed.

Taking Control of Unmanaged BitLocker Devices

You can do a takeover of BitLocker-encrypted devices that are not managed by Harmony
Endpoint, and make them centrally managed. You can do this using BitLocker Management or
Check Point Full Disk Encryption.

To take control of unmanaged BitLocker devices using BitLocker Management:

Define and install a Full Disk Encryption policy with BitLocker Management. Follow these
guidelines:

Harmony Endpoint EPMaaS Administration Guide | 299

BitLocker Encryption for Windows Clients

n Define a Full Disk Encryption rule that applies to the entire organization or only to the
entities that need BitLocker Management.
n In BitLocker Encryption Settings, select Windows Default as the Encryption Algorithm.
This is important because it leaves the existing BitLocker encryption in place. Selecting
another algorithm explicitly may result in a re-encryption, if the existing algorithm does
not match the algorithm in the policy. It is a good idea to avoid re-encryption because it
can take a long time. The time it takes depends on the disk size, disk speed and PC
hardware.

To take control of unmanaged BitLocker devices using Check Point Full Disk Encryption:
1. Follow the procedure for "To take control of unmanaged BitLocker devices using
BitLocker Management:" on the previous page.
2. After the devices are under Check Point BitLocker Management, define a rule with
Check Point Full Disk Encryption that applies to the Entire Organization or only to the
entities that need Check Point Full Disk Encryption. See "Check Point Disk Encryption
for Windows" on page 293

Best Practice - When you change the encryption policy for clients from
BitLocker Management to Check Point Full Disk Encryption, the disk on the
client is decrypted and then encrypted. This causes the disk to be in an
unencrypted state for some time during the process. We recommend that
you do not change the encryption policy for entire organization in one
operation. Make the change for one group of users at a time.

Harmony Endpoint EPMaaS Administration Guide | 300

FileVault Encryption for macOS

FileVault encrypts the hard drive on a Mac computer, and is an integral part of macOS. The
Harmony Endpoint automatically starts to manage the disk encrypted with FileVault without
disabling the encryption.

Harmony Endpoint EPMaaS Administration Guide | 301

User Authentication to Endpoint Security Clients (OneCheck)

OneCheck User Settings define how users authenticate to Endpoint Security client computers.
OneCheck User Settings include:
n How users authenticate to Endpoint Security.
n If users can access Windows after they are authenticated to Endpoint Security or if they
must also log on to Windows.
n What happens when a user enters invalid authentication details.
n A limit for how many times a user can access a computer.
n If Remote Help is permitted. This lets users get help from an administrator, for example if
their computers become locked after too many failed authentication attempts.
When OneCheck Logon is enabled, a different logon window opens that looks almost the
same as the regular Windows authentication window. The logon credentials are securely
stored internally. These actions define if you enable OneCheck Logon:
To configure OneCheck Logon properties, go to the Policy view > Data Protection > General
> Full Disk Encryption > Advanced Settings > Windows Authentication:
n Enable lock screen authentication (OneCheck) - Users log on one time to authenticate
to the operating system, Full Disk Encryption, and other Endpoint Security components.
To configure the password properties for the single sign-on, go to Policy > Data
Protection > OneCheck > Password Constraints.
n Enable Check Point Endpoint Security screen saver - The screen saver is active only
after a Full Disk Encryption policy was installed on the client. After selecting the Check
Point Endpoint Security screen saver option, enter the text that appears when the screen
saver is active, and the number of minutes the client remains idle before the screen
saver activates.
n Only allow authorized Pre-boot users to log into the operating system - If selected,
only users that have permission to authenticate to the Pre-boot on that computer can log
on to the operating system.
n Use Pre-boot account credentials in OS lock screen - If selected, users authenticate in
the regular Operating System login screen but with the credentials configured for Pre-
boot.

Best Practice - Best practice is to only use this feature when there is no Active
Directory available. For customers that use Active Directory, we recommend a
combination of User Acquisition, OneCheck Logon, and Password
Synchronization that will let users use the same credentials for Pre-boot and
Windows login.

Harmony Endpoint EPMaaS Administration Guide | 302

Pre-boot Authentication Methods

If the Pre-boot is required on a computer as part of Full Disk Encryption, users must
authenticate to their computers in the Pre-boot, before the computer boots. Users can
authenticate to the Pre-boot with these methods:
n Password - Username and password. This is the default method.
The password can be the same as the Windows password or created by the user or
administrator.
n Smart Card - A physical card that you associate with a certificate. Users must have a
physical card, an associated certificate, and Smart Card drivers installed.

To configure the authentication method:

1. Go to the Policy view > Data Protection > SmartCards > Pre-boot Authentication.
2. Select one of these options:
a. Password - Users can only authenticate with a username and password.
b. Smart Card (requires certificate) - Users can only authenticate with a Smart Card.
Change authentication method only after user successfully authenticates with a
Smart Card - If you select this option, users can authenticate with a password until
all of the requirements for Smart Card authentication are set up correctly. After
users successfully authenticate one time with a Smart Card, they must use their
Smart Card to authenticate. If you configure a user for Smart Card only and do not
select this, that user is not able to authenticate to Full Disk Encryption with a
password
c. Either SmartCard or Password - Users can authenticate with a user name and
password or a SmartCard.

Before You Configure Smart Card:

n Users must have the physical Smart Card in their possession.

n Users' computers must have a Smart Card reader driver and token driver installed for
their specific Smart Card. Install these drivers as part of the "To configure the Smart Card
options:" on the next page.
n Each user must have a certificate that is active for the Smart Card. The Directory
Scanner can scan user certificates from the Active Directory. Configure this as part of the
"To configure the Smart Card options:" on the next page
n In the Full Disk Encryption Policy rule > Advanced Settings > Pre-boot Authentication,
make sure that Enable USB devices in pre-boot environment is selected

Harmony Endpoint EPMaaS Administration Guide | 303

Pre-boot Authentication Methods

To configure the Smart Card options:

1. In the Format used in your organization area, select the Smart Card protocol that your
organization uses:
n Not Common Access Card (Not CAC) - all other formats
n Common Access Card (CAC) - the CAC format
2. In the Smart Card driver deployment area, select the drivers for your Smart Card and
Reader. All selected drivers will be installed on endpoint computers when they receive
policy updates.
If you do not see a driver required for your Smart Card, you can:
n Enter a text string in the Search field.
n Click Import to import a driver from your computer. If necessary, you can download
drivers to import from the Check Point Support Center.
3. In the Directory Scanner area, select Scan user certificates from Active Directory if you
want the Directory Scanner to scan user certificates.
4. If you selected to scan user certificates, select which certificates the Directory Scanner
will scan:
n Scan all user certificates
n Scan only user certificates containing the Smart Card Logon OID - The OIDs
are: 1.3.6.1.4.1.311.20.2.2.

Harmony Endpoint EPMaaS Administration Guide | 304

Password Complexity and Security

To configure the password for OneCheck Logon, go to Policy > Data Protection > OneCheck
> Password Constraints. These actions define the requirements for the OneCheck password:

Action Description

Use Windows complexity The standard Windows password requirements are

requirements enforced:
The password must:
n Have at least six characters
n Have characters from at least 3 of these
categories: uppercase, lowercase, numeric
characters, symbols.

Use custom requirements If you select this, select the requirements for which
type of characters the password must contain or not
contain:
n Consecutive identical characters, for example,
aa or 33
n Require special characters. These can be: ! "
#$%&'()*+,-./:<=>?@{
n Require digits, for example 8 or 4.
n Require lower case characters, for example g
or t.
n Require upper case characters, for example F
or G.
n Password must not contain user name or full
name.

Minimum length of password Enter the minimum number of characters for a valid
password.

Password can be changed only Enter the minimum number of days that a password
after must be valid before the user can change it.

Password expires after Enter the maximum number of days that a password
can be valid before the user must change it.

Number of passwords before a Enter the minimum number of password changes

previously used password may be needed before a previously used password can be
used again used again.

Harmony Endpoint EPMaaS Administration Guide | 305

User Account Lockout Settings

You can configure Full Disk Encryption to lock user accounts after a specified number of
unsuccessful Pre-boot login attempts:
n Temporarily - If an account is locked temporarily, users can try to log on again after a
specified time.
n Permanently - If the account is locked permanently, it stays locked until an administrator
unlocks it.

To configure an Account Lock Action:

1. Go to the Policy view > Data Protection > OneCheck > User Account Lockout
Settings.

2. Configure the settings as necessary:

Option Description

Number of failed logins Maximum number of failed logon attempts before an

before a user account is account is temporarily locked out.
temporarily locked

Number of failed logins Maximum number of failed logon attempts allowed before
before a user account is an account is permanently locked. The account is locked
permanently locked until an administrator unlocks it.

Duration for a temporary Duration of a temporary lockout period, in minutes.

user lockout

Harmony Endpoint EPMaaS Administration Guide | 306

Remote Help Permissions

Remote Help lets users access their Full Disk Encryption protected computers if they are
locked out. The user calls the designated Endpoint Security administrator and does the
Remote Help procedure.
There are two types of Full Disk Encryption Remote Help:
n One Time Login - One Time Login allows access as an assumed identity for one
session, without resetting the password.
If users lose their Smart Cards, they must use this option.
n Remote password change - This option is for users who use fixed passwords and forgot
them.

For devices protected by Media Encryption & Port Protection policies, only remote password
change is available.

To let users work with Remote Help:

1. Go to the Policy view > Data Protection > OneCheck > Remote Help
2. Select the allowed type(s) of Remote Help:

Option Description

Allow account to receive Let users get help from an administrator to reset the
remote password change account password (for example, if the user forgets the
help password).

Allow account to receive Let the user get help from an administrator to log on, one
One-Time Logon help time.
One-time logon is for users who have lost their Smart
Card.
It is also useful if the user made too many failed
attempts but does not want to change the password.

Harmony Endpoint EPMaaS Administration Guide | 307

Logon Settings

OneCheck Logon Settings define additional settings for how users can access computers.
To configure Logon Settings, go to the Policy view > Data Protection > OneCheck > Logon:

Option Description

Allow logon Lets a different user than the logged on user authenticate in Pre-boot to a
to system system in hibernate mode.
hibernated
by another
user

Allow use of Let user authenticate to use recovery media to recover and decrypt data
recovery from an encrypted system.
media Note: In E80.20 and higher, if this is not selected, users can still access
recovery media that is created with a temporary user and password.

Allow user to Let users change the password on an endpoint client during the Pre-boot.
change his
credentials
from the
endpoint
client

Allow Single Let users use Single Sign On to log on to Pre-boot and Windows when
Sign-On use OneCheck Logon is disabled. Single Sign on applies only to Pre-boot and
Windows and not to different components, such as VPN or Media
Encryption. Users are always allowed to use Single Sign On when
OneCheck Logon is running.

Harmony Endpoint EPMaaS Administration Guide | 308

Bi-Directional Password Sync Settings

OneCheck Bi-Directional Password Sync Settings define additional settings password

sychronization.

Options Description

Allow OS password reset upon Pre- Reset the OS password after a successful Pre-
boot password reset boot password reset.

Harmony Endpoint EPMaaS Administration Guide | 309

Configuring Media Encryption & Port Protection

Media Encryption & Port Protection protects data stored in the organization by encrypting
removable media devices and allowing tight control over computer ports (USB, Bluetooth, and
so on). Removable devices are for example: USB storage devices, SD cards, CD/DVD media
and external disk drives.
On the client-side, Media Encryption & Port Protection protects sensitive information by
encrypting data and requiring authorization for access to storage devices and other
input/output devices.
Media Encryption lets users create encrypted storage on removable storage devices that
contain business-related data. Encrypted media is displayed as two drives in Windows
Explorer. One drive is encrypted for business data. The other drive is not encrypted and can be
used for non-business data. Rules can apply different access permissions for business data
and non-business data.
Port Protection controls, according to the policy, device access to all available ports including
USB and Firewire (a method of transferring information between digital devices, especially
audio and video equipment). Policy rules define access rights for each type of removable
storage device and the ports that they can connect to. The policy also prevents users from
connecting unauthorized devices to computers.
Media Encryption & Port Protection functionalities are available in both Windows and macOS
clients (for macOS starting at client version E85.30).

Best Practice - We recommend to not encrypt non-computer external devices such

as: digital cameras, smartphones, MP3 players, and the like. Do not encrypt
removable media that can be inserted in or connected to such devices.

For instructions on how to encrypt, see sk166110.

The Media Encryption and Port Protection can be configured in the Infinity Portal.

To configure Media Encryption:

1. Navigate to Policy > Data Protection > General.
2. In the Capabilities and Exclusion pane, click Media Encryption.

Harmony Endpoint EPMaaS Administration Guide | 310

Configuring the Read Action

The Read action defines the default settings for read access to files on storage devices. For
each action, you can define different settings for specified device types. The default predefined
actions are:
n Allow encrypted data - Users can read encrypted data from storage devices (typically
business-related data).
n Allow unencrypted data - Users can read unencrypted data from storage devices
(typically non business-related data).
You can configure these actions for specific devices.

To configure the Read action:

1. In the Media Encryption tab, click View Exclusions.

2. Click New to create a new exclusion or configure an existing exclusion on the list.
3. Configure the options as necessary for: Read Encrypted, Read Unencrypted:
n Read Encrypted
l Accept - Allow reading only encrypted data from the storage device. Users
cannot read unencrypted data from the storage device.
l According to Policy - According to the default Media Encryption & Port
Protection rule.
l Block - Block all reading from the storage device.
n Read Unencrypted
l Accept - Allow reading of unencrypted files from the storage device.
l According to Policy - According to the default Media Encryption & Port
Protection rule
l Block - Block reading of unencrypted files from the storage device.

To import exclusions:
You can import an exported exclusion file in the JSON format.
a. In the Media Encryption tab, click View Exclusions.
b. Click Import and select the JSON file.

Harmony Endpoint EPMaaS Administration Guide | 311

Configuring the Read Action

To export exclusions:
a. In the Media Encryption tab, click View Exclusions.
b. Select the exclusion from the list.
c. Click Export.

Harmony Endpoint EPMaaS Administration Guide | 312

Configuring the Write Action

The Write action lets users:
n Create new files
n Copy or move files to devices
n Delete files from devices
n Change file contents on devices
n Change file names on devices
The default predefined write actions are:
n Data Type - Encrypt business-related data on storage devices - All Files that are
defined as business-related data must be written to the encrypted storage. Non-business
related data can be saved to the device without encryption. See "Configuring Business-
Related File Types" on the next page.
n Allow writing data on storage devices:
l Allow encryption - Users can write only encrypted files to storage devices.
l Enable deletion of file on read-only media - Allow users to delete files on devices
with read-only permissions.
You can configure these settings for specific devices.

To configure the Write action:

1. In the Media Encryption tab, click View Exclusions.

2. Click New to create a new exclusion or configure an existing exclusion on the list.

3. Per each device, configure the options as necessary for: Data Type and Write
Encrypted:
n Data Type - Select one of these options:
l Allow any data - Users can write all file types to storage devices.
l Encrypt business-related data - Users must encrypt all business-related
files written to storage devices. Other files can be written without encryption.
See "Configuring Business-Related File Types" on the next page.
l Encrypt all data - Users must encrypt all files written to storage devices.
l Block any data - Users cannot write any files to storage devices.

Harmony Endpoint EPMaaS Administration Guide | 313

Configuring the Write Action

n Write Encrypted - Select one of these options:

l Accept - Users must encrypt files written to storage devices.
l According to Policy - According to the default Media Encryption & Port
Protection rule.
l Block - Block all writing to storage devices.

Notes:
n If no read policy is allows, the write policy is disabled automatically.
n If Block any Data is selected, Allow encryption and Configure File
Types are disabled.

To import exclusions:
You can import an exported exclusion file in the JSON format.
1. In the Media Encryption tab, click View Exclusions.
2. Click Import and select the JSON file.

To export exclusions:
1. In the Media Encryption tab, click View Exclusions.
2. Select the exclusion from the list.
3. Click Export.

Configuring Business-Related File Types

The organization's policy defines access to business and non-business related data.
Business-related files are confidential data file types that are usually encrypted in the
business-related drive section of storage devices. These files are defined as business-related
file types by default:
n Multimedia - QuickTime, MP3, and more.
n Executable - Exe, shared library and more.
n Image - JPEG, GIF, TIF and more.
These files are defined as non-business related file types by default:
n Spreadsheet - Spreadsheet files, such as Microsoft Excel.
n Presentation - Presentation files, such as Microsoft Power Point.
n Email - Email files and databases, such as Microsoft Outlook and MSG files.
n Word - Word processor files, such as Microsoft Word.

Harmony Endpoint EPMaaS Administration Guide | 314

Configuring the Write Action

n Database - Database files, such as Microsoft Access or SQL files.

n Markup - Markup language source files, such as HTML or XML.
n Drawing - Drawing or illustration software files, such as AutoCAD or Visio.
n Graphic - Graphic software files such as Photoshop or Adobe Illustrator.
n Viewer - Platform independent readable files, such as PDF or Postscript.
n Archive - Compressed archive files, such as ZIP or SIT.

To see the list of business-related file types and non-business related file types:
In Harmony Endpoint, go to the Policy view > Data Protection > Capabilities and Exclusions
pane > Media Encryption > Write Policy > Configure File Types > View Mode. Select Non-
Business-Related or Business-Related to see the relevant file types.

To configure business and non-business related file types:

1. In Harmony Endpoint, go to the Policy view > Data Protection > Capabilities and
Exclusions pane > Media Encryption > Write Policy > Configure File Types.
2. You can:
n Add or delete files from the business-related or non-business related file list. In
View Mode, select Business-related or Non-business related. Add or delete the
required files. A file type which is not in the business-related file list, is
automatically included in the non business-related file type list.
n Create new file types in the business-related or non-business related file type list.
Click the Create new file type button. The File type add/edit window opens.
Configure Name, File Extension and File Signatures and click OK.

Creating User Overrides (UserCheck)

You can allow users to override the Media Encryption policy.

To allow users to override the Media Encryption policy:

1. In the Media Encryption tab , click Write Policy > User Overrides.
2. Select the Allow user to override company policy checkbox.
3. From the User can gain the following permission list, select:
n Encrypt business-related data
n Encrypt all data
n Ask user

Harmony Endpoint EPMaaS Administration Guide | 315

Configuring the Write Action

Configuring Authorization Settings

You can configure a Media Encryption & Port Protection rule to require scans for malware and
unauthorized file types when a storage device is attached. You also can require a user or an
administrator to authorize the device. This protection makes sure that all storage devices are
malware-free and approved for use on endpoints.
On Windows E80.64 and higher clients, CDs and DVDs (optical media) can also be scanned.
After a media device is authorized:
n If you make changes to the contents of the device in a trusted environment with Media
Encryption & Port Protection, the device is not scanned again each time it is inserted.
n If you make changes to the contents of the device in an environment without Media
Encryption & Port Protection installed, the device is scanned each time it is inserted into
a computer with Media Encryption & Port Protection.
You can select one of these predefined options for a Media Encryption & Port Protection rule:
Require storage devices to be scanned and authorized -
n Scan storage devices and authorize them for access - Select to scan the device when
inserted. Clear to skip the scan.
l Enable self-authorization - If this option is selected, users can scan the storage
device manually or automatically. If this setting is cleared, users can only insert an
authorized device.
o Manual media authorization - The user or administrator must manually
authorize the device.
Allow user to delete unauthorized files - The user can delete unauthorized
files detected by the scan. This lets the user or administrator authorize the
device after the unauthorized files are deleted.
o Automatic media authorization -The device is authorized automatically.
Allow user to delete unauthorized files - The user can delete unauthorized
files detected by the scan. This lets the user or administrator authorize the
device after the unauthorized files are deleted.
n Exclude optical media from scan - Exclude CDs and DVDs from the scan.

Harmony Endpoint EPMaaS Administration Guide | 316

Managing Devices

Click the icon to filter your view.

Managing Storage and Peripheral Devices

To manually add a new device:

1. Click Asset Management > Media Devices > Storage & Peripheral.
2. From the View list, select Manually added devices.

3. Click .

4. Select :

Harmony Endpoint EPMaaS Administration Guide | 317

Managing Devices

n Storage Device
The New Storage Device window appears.

Harmony Endpoint EPMaaS Administration Guide | 318

Managing Devices

n Peripheral Device
The New Peripheral Device window appears.

5. Enter these:
n Name - Enter a unique device display name, which cannot contain spaces or
special characters (except for the underscore and hyphen characters).
n Applies to – This setting is valid for peripheral devices only.
n Connection Type- Select the connection type Internal, External or Unknown
(required).
n Category - Select a device category from the list.
n Serial Number - Enter the device serial number. You can use wild card characters
in the serial number to apply this device definition to more than one physical
device. See "Using Wild Card Characters" on page 325.
n Extra Information - Configure whether the device shows as fixed disk device (Hard
Drive with Master Boot Record), a removable device (Media without Master Boot
Record) or None.

Harmony Endpoint EPMaaS Administration Guide | 319

Managing Devices

6. Assign Groups (relevant for storage devices only):

To add an exclusion to a device:

1. Click Asset Management > Media Devices > Storage & Peripheral.
2. Right-click the applicable device and select Exclude.

Harmony Endpoint EPMaaS Administration Guide | 320

Managing Devices

The Device Override Settings window appears.

c. From the Log type list, select a log.

d. Add details in the Description field.
5. Click Finish.

Note - If a device has an exclusion already in place, the new exclusion

overrides an existing exclusion.

The Discovered devices view lists the details of the devices automatically discovered by the
Endpoint server.

To edit a device:
1. Click Asset Management > Media Devices > Storage & Peripheral.
2. Right-click the applicable device and select Edit.

Harmony Endpoint EPMaaS Administration Guide | 321

Managing Devices

The Edit Peripheral Device window opens.

Harmony Endpoint EPMaaS Administration Guide | 322

Managing Devices

n Connection Type- Select the connection type Internal, External or Unknown

(required).
n Category - Select a device category from the list.
n Serial Number - Enter the device serial number. You can use wild card characters
in the serial number to apply this device definition to more than one physical
device. See "Using Wild Card Characters" on page 325.
n Extra Information - Configure whether the device shows as fixed disk device (Hard
Drive with Master Boot Record), a removable device (Media without Master Boot
Record) or None.
n Device ID Filter - Enter a filter string that identifies the device category (class).
Devices are included in the category when the first characters in a Device ID match
the filter string. For example, if the filter string is My_USB_Stick, these devices are
members of the device category:
l My_USB_Stick_40GB
l My_USB_Stick_80GB
n Supported Capabilities:
l Log device events - Select this option to create a log entry when this device
connects to an endpoint computer (Event ID 11 or 20 only).
l Allow encryption - Select this option if the device can be encrypted (storage
devices only).
4. Assign Groups (relevant for storage devices only):

a. To assign the device to an existing group, from the existing group list, select a
group.

Harmony Endpoint EPMaaS Administration Guide | 323

Managing Devices

7. Click Finish.

Managing Storage Device Groups

Note - You cannot delete groups that are in use.

To create a Storage Device Group:

1. Click Asset Management > Media Devices > Storage Device Groups.
2. Click New.

The Create Storage Device Group window appears.

Harmony Endpoint EPMaaS Administration Guide | 324

Managing Devices

3. In the Group Name field, enter a name.

4. (Optional) In the Comments field, enter your comments.
For example, USB storage device.

5. To add devices to the group, click .

6. Select the devices and click OK.

7. To delete the device, select the device and click .

Using Wild Card Characters

Harmony Endpoint EPMaaS Administration Guide | 325

Managing Devices

The '?' character represents one character.

Examples:

Serial Number with

Matches Does Not Match
Wildcard

1234* 1234AB, 1234BCD, 12345 1233

1234??? 1234ABC, 1234XYZ, 1234AB, 1234x,

1234567 12345678

Because definitions that use wildcard characters apply to more endpoints than those without
wildcards, rules are enforced in this order of precedence:

1. Rules with serial numbers containing * are enforced first.

5. 1234567

Viewing Events

Harmony Endpoint allows you to monitor activities related to storage and peripheral devices as
events and if required, change the device details and status. For example, if a device that
should be allowed was blocked and vice versa.

Harmony Endpoint EPMaaS Administration Guide | 326

Managing Devices

Column Description

Event Time Date and time when the device was connected to the endpoint.

Status Whether the device was blocked or allowed.

Device Name Name of the device.

Device Type Type of device.

Category Category of the device.

Serial Number Serial number of the device.

User Name Name of the user.

Computer Name Name of the computer.

To modify the device details and status:

The File type Add / Edit window appears.

Harmony Endpoint EPMaaS Administration Guide | 331

Advanced Settings for Media Encryption

b. Enter the Name, Comments and File Extension.

c. To add a File Signature:
i. Click .

The Add new file signature window appears.

ii. Select the Offset.
iii. In the Signature field, enter the file signature.
iv. Click OK.

v. To delete a File Signature, select the file signature and click .

d. Click OK.

4. To edit a file, select the file and click .

5. To delete a file, select the file and click .

UserCheck Messages

UserCheck for Media Encryption & Port Protection tells users about policy violations and
shows them how to prevent unintentional data leakage. When a user tries to do an action that
is not allowed by the policy, a message shows that explains the policy.
For example, you can optionally let users write to a storage device even though the policy does
not allow them to do so. In this case, users are prompted to give justification for the policy
exception. This justification is sent to the security administrator, who can monitor the activity.
Select any of these checkboxes to enable the UserCheck message:
n Suggest to encrypt device when encryption is not mandatory
n Suggest to encrypt device in order to get write access when inserting
n Suggest to encrypt device in order to get write access when writing
n Notify user that device has been blocked
n Notify user that device has read only access
n Notify when encrypting business related data

Harmony Endpoint EPMaaS Administration Guide | 332

Advanced Settings for Media Encryption

Advanced Encryption

n Allow user to choose owner during encryption - Lets users manually define the device
owner before encryption. This lets users create storage devices for other users. By
default, the device owner is the user who is logged into the endpoint computer. The
device owner must be an Active Directory user.
n Allow user to change the size of encrypted media - Lets users change the percentage
of a storage device that is encrypted, not to be lower than Minimum percentage of media
capacity used for encrypted storage or Default percentage of media capacity used for
encrypted storage. .
n Allow users to remove encryption from media - Lets users decrypt storage devices.
n When encrypting, unencrypted data will be - Select one of these actions for
unencrypted data on a storage device upon encryption:
l Copied to encrypted section - Unencrypted data is encrypted and moved to the
encrypted storage device. We recommend that you back up unencrypted data
before encryption to prevent data loss if encryption fails. For example, if there is
insufficient space on the device.
l Deleted - Unencrypted data is deleted.
l Untouched - Unencrypted data is not encrypted or moved.
n Secure format media before encryption - Run a secure format before encrypting the
storage device. Select the number of format passes to do before the encryption starts.
n Change device name and icon after encryption - When selected, after the device is
encrypted, the name of the non-encrypted drive changes to Non Business Data and the
icon changes to an open lock. When cleared, the name of the non-encrypted drive and
the icon do not change after the device is encrypted.
n When encrypting media, file system should be:
l As already formatted -According to the original format.
l ExFAT
l FAT32
l NTFS
Allow user to change the file system of the encrypted storage - After storage was
encrypted in a specific format, the user can change this format to another format.

Harmony Endpoint EPMaaS Administration Guide | 333

Advanced Settings for Media Encryption

Site Configuration

Site Actions control when to allow or prevent access to encrypted devices that were encrypted
by different Endpoint Security Management Servers. Each Endpoint Security Management
Server (known as a Site) has a Universally Unique Identifier (UUID). When you encrypt a
storage device on an Endpoint Security client, the Endpoint Security Management Server
UUID is written to the device. The Site action can prevent access to devices encrypted on a
different Endpoint Security Management Server or from another organization. The Site action
is enabled by default.
When a user attaches a storage device, Media Encryption & Port Protection makes sure that
the device matches the UUID the Endpoint Security Management Server UUID or another
trusted Endpoint Security Management Server. If the UUIDs match, the user can enter a
password to access the device. If the UUID does not match, access to the device is blocked.

Allow access to storage devices encrypted at any site - Endpoint Security clients can access
encrypted devices that were encrypted at any site.
Allow access to storage devices encrypted at current site only - Media Encryption Site
(UUID) verification is enabled. Endpoint Security clients can only access encrypted devices
that were encrypted by the same Endpoint Security Management Server.

Lockout Settings

You can configure Media Encryption & Port Protection in the Lockout Settings to lock a device
after a specified number of unsuccessful log in attempts.

To configure lockout settings:

1. Select Lock storage device after failed authentication attempts.

2. To lock the storage device temporarily:

a. Select Temporarily lock device.

b. In the Temporarily lock device after authentication failed field, enter the failed log
in attempts after which the system should lock the device.

Notes:
n If a device is locked temporarily, users can try to authenticate again after

the specified time.

n A temporary lock only occurs when its value is less than the permanent

lock.

3. To lock the storage device permanently:

Harmony Endpoint EPMaaS Administration Guide | 334

Advanced Settings for Media Encryption

a. Select Permanently lock device.

b. In the Permanently lock device after authentication failed field, enter the failed
log in attempts after which the system should permanently lock the device. This
should be greater than the value specified in Temporarily lock device after
authentication failed field.

Note - If the device is locked permanently, users can request to unlock

through Remote Help. For more information, see "Media Encryption
Remote Help" on page 337.

4. In the Duration for temporary storage device lock field, enter the duration after the
failed log in attempts the system should unlock the device.

Offline Access

Password protect media for access in offline mode - Lets users assign a password to access
a storage device from a computer that is not connected to an Endpoint Security Management
Server. Users can also access the storage device with this password from a non-protected
computer
Allow user to recover their password using remote help - Lets user recover passwords using
remote help.
Copy utility to media to enable media access in non-protected environments - Copies the
Explorer utility to the storage device. This utility lets users access the device from computers
that are not connected to an Endpoint Security Management Server.

Password Constraints

You can specify the password requirements for users to follow to log in to the device.

To configure the password constraints, select one of these:

n Use Windows Complexity Requirements
n Use Custom Requirements
l Consecutive identical characters are not allowed
l Require special characters
l Require digits
l Require lower case characters
l Require upper case characters
l Password must not contain user name or full name

Harmony Endpoint EPMaaS Administration Guide | 335

Advanced Settings for Media Encryption

l In the Minimum length of password field, enter the number of characters required
in the password. The minimum supported length is four characters.

Harmony Endpoint EPMaaS Administration Guide | 336

Media Encryption Remote Help

Media Encryption & Port Protection lets administrators recover removable media passwords
remotely, using a challenge/response procedure. Always make sure that the person
requesting Remote Help is an authorized user of the storage device before you give
assistance.

To recover a Media Encryption & Port Protection password with Remote Help assistance
from Harmony Endpoint:
1. Go to Asset Management > Organization > Computers.
2. Click and select Remote Help & Recovery > Media Encryption.

The Media Encryption Remote Help window opens.

3. Do these:
a. Select the user.
b. In the Challenge field, enter the challenge code that the user gives you. Users get
the Challenge from the Endpoint client.
c. Click Generate Response.
Media Encryption & Port Protection authenticates the challenge code and
generates a Response code..
d. Give the Response code to the user.

e. Make sure that the user can access the storage device successfully.

Harmony Endpoint EPMaaS Administration Guide | 337

Port Protection

Port Protection
Port Protection protects the physical port when using peripheral devices.
Peripheral devices are for example, keyboards, screens, blue tooth, Printers, Smart Card,
network adapters, mice and so on.

To create a new Port Protection rule:

1. In the Data Protection policy, go to the right pane, Capabilities & Exclusions > Port
Protection.
2. From the Port Protection Policy list:

Harmony Endpoint EPMaaS Administration Guide | 338

Port Protection

n To allow all the devices, select Allow all.

n To allow only essential devices, select Allow essential.
l The essential ports for Windows are:
o Smart Card Readers
o Keyboard
o Network Adaptors
o Modems
o Mouse
l The essential ports for macOS are:

Note - The device names of macOS ports are prefixed with "MAC_".

o USB Network
o USB Video
o USB HID
o USB Health
o USB Audio
o USB Wireless controller
o USB SmartCard (Supported only with the Endpoint Security Client
version E86.20 and higher.)
o Bluetooth Audio
o Bluetooth Computer
o Bluetooth Health
o Bluetooth HID
o Bluetooth Imaging
o Bluetooth Phone
o Bluetooth Toy
o Bluetooth Wearable
o Printers
n To customize device settings, click Custom and then click Edit.
3. Click New.

Harmony Endpoint EPMaaS Administration Guide | 339

Port Protection

The New Port Protection Rule window opens.

4. Select a device from the list or click New to create a new device (see Managing Devices
for details on how to create a new device).
5. Select the Access Type from the list:
n Accept - Allow connecting the peripheral device.
n Block - Do not allow connecting the peripheral device.
6. In the Log Type field, select the log settings:
n Log - Create log entries when a peripheral device is connected to an endpoint
computer (Action IDs 11 and 20).
n None - Do not create log entries.

7. Click Create.

To import exclusions:
You can import an exported exclusion file in the JSON format.
1. In the Port Protection tab, select the Port Protection Policy.
2. Click Edit.
3. Click Import and select the JSON file.

To export exclusions:

1. In the Port Protection tab, select the Port Protection Policy.

2. Click Edit.

3. Select the device that you want to export from the list.
4. Click Export.

Harmony Endpoint EPMaaS Administration Guide | 340

Media Encryption Access Rules

You can select a global action that defines automatic access to encrypted devices. This has an
effect on all Media Encryption & Port Protection rules, unless overridden by a different rule or
action.
Make sure that the Read Policy allows access to the specified users or devices.
In the Policy view > Data Protection > Access Rules > Preset > click the list menu. You can
select one of these settings or create your own custom rules for automatic access to encrypted
devices:
n Encrypted storage devices are fully accessible by all users - All users can read and
change all encrypted content.
n All users in the organization can read encrypted storage devices, only owners can
modify - All users can read encrypted files on storage devices. Only the media owner
can change encrypted content.
n Only owners can access encrypted storage devices - Only media owners can read
and/or change encrypted content.
n Access to encrypted storage devices requires password authentication - Users must
enter a password to access the device. Automatic access in not allowed.
n Custom - Create a customized automatic access rule to encrypted devices. There are
two predefined action rules in this window. You cannot delete these rules or change the
media owner or media user. But, you can change the access permissions. The two
predefined actions are defaults that apply when no other custom action rules override
them. The Any/Media Owner action rule is first by default and the Any/Any action rule is
last by default. We recommend that you do not change the position of these rules.

Harmony Endpoint EPMaaS Administration Guide | 341

Media Encryption Access Rules

To create a new customized automatic access rule to encrypted devices:

1. Configure these settings:
l In the Encrypted Media Owner field, select one of these options:
o Rule applies to any encrypted media owner - This action applies to
any user.
o Choose a user/group/ou from your organization - Select the
applicable user, group or OU to which this action applies.
l In the Encrypted Media User field, select one of these options:
o Rule applies to any encrypted media user - This action applies to any
user.
o Select the media owner as the encrypted media user - The media
owner is also defined as the user.
o Choose a user/group/ou from your organization - Select the
applicable user, group or OU to which this action applies.
2. Click the field in the Access Allowed column, and select one of these parameters:
l Full Access
l No Automatic Access
l Read-Only

Harmony Endpoint EPMaaS Administration Guide | 342

Configuring Inbound/Outbound Rules

The Endpoint client checks the firewall rules based on their sequence in the Rule Base. Rules
are enforced from top to bottom.
The last rule is usually a Cleanup Rule that drops all traffic that is not matched by any of the
previous rules.

Important - When you create Firewall rules for Endpoint clients, create
explicit rules that allow all endpoints to connect to all the domain controllers
on the network.

Note - The Endpoint client do not support DNS over HTTPS.

Inbound Traffic Rules

Inbound traffic rules define which network traffic can reach Endpoint computers (known as
localhost).
The Destination column in the Inbound Rule Base describes the Endpoint devices to which the
rules apply (you cannot change these objects).
These four inbound rules are configured by default:

No. Name Source Service Action Track Comment

1 Allow Trusted Trusted_ Any Allow None

Zone Zone

2 Allow IP Internet_ bootp Allow None

obtaining Zone dhcp-relay
dhcp-req-
local
dhcp-rep-
local

3 Allow PPTP Internet_ gre Allow None

Zone pptp-tcp
L2TP

4 Cleanup rule Any Any Block Log

Outbound Traffic Rules

Outbound traffic rules define which outgoing network traffic is allowed from Endpoint
computers.
The Source column in the outbound Rule Base describes the Endpoint devices to which the
rules apply.

Harmony Endpoint EPMaaS Administration Guide | 343

Configuring Inbound/Outbound Rules

This outbound rule is configured by default:

No. Name Destination Service Action Track Comment

1 Allow any Any Any Allow None

outbound

Parts of Rules
As opposed to SmartEndpoint GUI, Harmony Endpoint has a unified Rule Base, which
enables the user to view the entire Rule Base at a glance - both inbound and outbound. Both
are sections of the same Rule Base.
These are the parts of the Firewall inbound/outbound rules:

Column Description

# Rule priority number.

Rule name Name of the Firewall rule.

Source Source location of the network traffic.

For an outbound rule, the source is always set to the local
computer/user/group.

Destination Destination location of the network traffic.

For an inbound rule, the destination is always set to the local
computer/user/group.

Service Network protocol or service used by the traffic.

Action The action that is done on the traffic that matches the rule - Allow or Block.

Track The tracking and logging action that is done when traffic matches the rule:
n Log - Records the rule enforcement in the Endpoint Security Client
Log Viewer.
n Alert - Shows a message on the endpoint computer and records the
rule enforcement in the Endpoint Security Client Log Viewer.
n None - Logs and Alert messages are not created.

Editing a Rule
1. From the left navigation panel, click Policy > Access & Compliance.
2. Click the rule to select it.
When you edit a rule, a purple indication is added next to it (on the left of the rule).

Harmony Endpoint EPMaaS Administration Guide | 344

Configuring Inbound/Outbound Rules

3. In the right pane, in the section Capabilities & Exclusions, click the Firewall tab.
4. Click the Edit Inbound/Outbound Rulebase button.
5. Make the required changes.
To add a new rule, do one of these:
n From the top toolbar, the applicable option (New Above or New Below)
n Right-click the current rule and select the applicable option (New Above or New
Below)
6. Click OK in the bottom right corner.
7. Click Save in the bottom right corner.

You can click Cancel to revert the changes.

8. Above the rule base, click Install Policy.

Deleting a Rule
1. Click the rule to select it.
2. From the top toolbar, click the garbage can icon ("Delete rule").
If you are inside the Edit Inbound/Outbound Rulebase view, then a red indication is
added next to it (on the left of the rule).
3. If you are inside the Edit Inbound/Outbound Rulebase view, then click OK in the bottom
right corner.

4. If your are in the Firewall policy view, click Delete to confirm.

5. Click Save in the bottom right corner.

6. Above the rule base, click Install Policy.

Harmony Endpoint EPMaaS Administration Guide | 345

Managing Firewall Objects and Groups

Objects defined in Harmony Endpoint and stored in the object database, represent physical
and virtual network components (such as Endpoint devices and servers), and logical
components (such as IP address ranges). You can create new objects to be used in the policy.

Supported Object Categories

Harmony Endpoint supports the object categories described below.

Hosts

A host can have multiple interfaces, but no routing takes place. It is an Endpoint device that
receives traffic for itself through its interfaces. (In comparison, a Security Gateway routes
traffic between its multiple interfaces). For example, if you have two unconnected networks
that share a common Endpoint Security Management Server and a Log Server, configure
the common server as a host object.
A host has no routing mechanism, it is not capable of IP forwarding, and cannot be used to
implement Anti-Spoofing.
The Endpoint Security Management Server object is a host.
Enter these properties data to define a host
n Name - A name for the host. The name must start with a letter and can include capital
and small letters, numbers and '_'. All other characters are prohibited
n IPv4 and/or IPv6 addresses of the host you want to use.
n Description (Optional) - A description of the host object.

Networks

A network is a group of IP addresses defined by a network address and a net mask. The net
mask indicates the size of the network.
A Broadcast IP address is an IP address which is destined for all hosts on the specified
network. If this address is included, the Broadcast IP address is considered as part of the
network.
Enter these properties to define a network:
n Name - A name for the network. The name must start with a letter and can include
capital and small letters, numbers and '_'. All other characters are prohibited.
n Network Address (IPv4) and Netmask (IPv4) of the network object you want to use.
or

Harmony Endpoint EPMaaS Administration Guide | 346

Managing Firewall Objects and Groups

Network Address (IPv6) and Prefix (IPv6) of the network object you want to use.
n Description (optional)- A description of the network object.

Network Groups

A network group is a collection of hosts, networks, or other groups. The use of groups
facilitates and simplifies network management. When you have the same set of objects
which you want to use in different places in the Rule Base, you can create a group to include
such set of objects and reuse it. Modifications are applied to the group instead of to each
member of the group.
Groups are also used where Harmony Endpoint lets you select only one object, but you
need to work with more than one.

Enter these properties to define a network group object:

n Name - A name for the network object. The name must start with a letter and can
include capital and small letters, numbers and '_'. All other characters are prohibited
n Click the + icon to add the required objects to your group.
n Description (Optional) - A description of the group.

Domains and Domain Groups

A Domain object lets you define a host or a DNS domain by its name only. It is not
necessary to have the IP address of the site. You can use the Domain object in the source
and destination columns of the Firewall Policy.

Enter these properties to define a Domain:

n Name - A name for the Domain. The name must start with a letter and can include
capital and small letters, numbers and '_'. All other characters are prohibited.
n Host name - Use the Fully Qualified Domain Name (FQDN). Use the format .x.y.z
(with a dot "." before the FQDN). For example: www.example.com
Sub-sites must be added separately, if you want to apply the rule to them as well.
Wildcard symbols like * are not allowed. Non-Qualified Domain Names are not
supported.

Note - The DNS resolution is executed only once the policy is applied, or
following a reboot.
n Description (Optional) - A description of the Domain or Domain group object.
Enter these properties to define a Domain group:
n Name - A name for the Domain. The name must start with a letter and can include
capital and small letters, numbers and '_'. All other characters are prohibited.

Harmony Endpoint EPMaaS Administration Guide | 347

Managing Firewall Objects and Groups

n Click the + icon to add the required Domains to the Domain group.
n Description - A description of the Domain group

Address Ranges

An address range is a range of IP addresses on the network, defined by the lowest and the
highest IP addresses. Use an Address Range object when you cannot define a range of IP
addresses by a network IP and a net mask. The Address Range objects are also necessary
for the implementation of NAT and VPN.
Enter these properties to define an address range object:
n Name
n From IP address (IPv4) - To IP address (IPv4) - First and last IPv4 addresses of the
range.
or
From IP address (IPv6) - To IP address (IPv6) - First and last IPv6 addresses of the
range.
n Description (Optional) - A description of the address range.

Security Zones

See "Configuring Security Zones" on page 353.

Services and Service Groups

Data transmission services, such as UDP and TCP.

The Endpoint identifies (matches) a service according to IP protocol, TCP and UDP port
number, and protocol signature.

Harmony Endpoint EPMaaS Administration Guide | 348

Managing Firewall Objects and Groups

Creating Objects

Create objects for areas that programs must have access to, or areas that programs must be
prevented from accessing.
Configure objects for each policy or define objects before you create a policy. After you
configure an object, you can use again it in other policies.

To create an object:
1. In the Access view, go to Manage > Manage Firewall Objects > Manage Objects and
Groups
(or, in the in the Access view > go to Edit Inbound/Outbound Rule Base).

The Manage Objects and Groups window opens.

2. Click this icon:
3. Configure the relevant properties and click OK.
When you create a new network object, the name must start with a letter and can include
capital and small letters, numbers and "_ / -". All other characters are prohibited.

Harmony Endpoint EPMaaS Administration Guide | 349

Managing Firewall Objects and Groups

Used In

You can check in which rule each object is used.

To check in which rule an object is used:

1. In the Access view, go to Manage > Manage Firewall Objects > Manage Objects and
Groups.
2. Select the object and look at the right corner of the window to see the rules in which the
object is used.
For example:

Harmony Endpoint EPMaaS Administration Guide | 350

Configuring Access & Compliance Policy

n "Firewall" on page 352
l "Configuring Security Zones" on page 353
l "Configuring Firewall Rule Advanced Settings" on page 355
n "Application Control" on page 356
l "Creating the List of Applications on the Reference Device" on page 357
l "Uploading the Appscan XML File to the Endpoint Security Management Server"
on page 361
l "Configuring Application Permissions in the Application Control Policy" on
page 362
l "Disabling or Enabling Windows Subsystem for Linux (WSL)" on page 367
n "Developer Protection" on page 368
n "Compliance" on page 370
l "Planning for Compliance Rules" on page 371
l "Configuring Compliance Policy Rules" on page 372
l "Monitoring Compliance States" on page 388

Harmony Endpoint EPMaaS Administration Guide | 351

Firewall

Firewall
The Firewall guards the "doors" to your devices, that is, the ports through which Internet traffic
comes in and goes out.
It examines all the network traffic and application traffic arriving at your device, and asks these
questions:
n Where did the traffic come from and what port is it addressed to?
n Do the firewall rules allow traffic through that port?
n Does the traffic violate any global rules?
The answers to these questions determine whether the traffic is allowed or blocked.

When you plan a Firewall Policy, think about the security of your network and convenience for
your users.
A policy must let users work as freely as possible, but also reduce the threat of attack from
malicious third parties.
Firewall rules accept or drop network traffic to and from Endpoint computers, based on
connection information, such as IP addresses, Domains, ports and protocols.

Harmony Endpoint EPMaaS Administration Guide | 352

Configuring Security Zones

Security Zones let you create a strong Firewall policy that controls the traffic between parts of
the network.
A Security Zone object represents a part of the network (for example, the internal network or
the external network).
There are two types of Security Zones:
n Trusted Zone - The Trusted Zone contains network objects that are trusted. Configure
the Trusted Zone to include only those network objects with which your programs must
interact. You can add and remove network objects from a Trusted Zone. A device can
only have one Trusted Zone. This means that if the Firewall policy has more than one
rule, and more than one Trusted Zone applies to a device, only the last Trusted Zone is
enforced.
These two network elements are defined as Trusted Zones by default:
l All_Internet - This object represents all legal IP addresses.
l LocalMachine_Loopback - Endpoint device's loopback address: 127.0.0.1. The
Endpoint device must always have access to its own loopback address. Endpoint
users must not run software that changes or hides the local loopback address. For
example, personal proxies that enable anonymous internet surfing.
n Internet Zone - All objects that are not in the Trusted Zone are automatically in the
Internet Zone.
Objects in the Trusted Zone:

These object types can be defined as Trusted Zones:

n Hosts
n Networks
n Network Groups
n Domains
n Address Ranges

To configure a Trusted Zone:

1. In the Access policy view, go to the right pane - Firewall Rule Settings, and click
Manage Trusted Zone.
2. Click the + icon to see the list of objects you can define as a Trusted Zone.

Harmony Endpoint EPMaaS Administration Guide | 353

Configuring Security Zones

Note - To add objects to the list , go to the Access view > Manage >
Manage Firewall Objects, and click Create.

3. Select the required object.

4. Click OK.

Harmony Endpoint EPMaaS Administration Guide | 354

Configuring Firewall Rule Advanced Settings

To configure the advanced settings for a Firewall rule:

1. From the left navigation panel, click Policy > Access & Compliance.
2. Click the rule to select it.
3. In the right pane, in the section Capabilities & Exclusions, click the Firewall tab.
4. In the Advanced Settings section, select the applicable options:
n Allow wireless connections when connected to the LAN - This protects your
network from threats that can come from wireless networks.
If you select this checkbox, users can connect to wireless networks while they are
connected to the LAN.
If you clear this checkbox, users cannot connect to wireless networks while they
are connected to the LAN.
n Allow hotspot registration - Controls whether users can connect to your network
from hotspots in public places, such as hotels or airports.
If you select this checkbox, the Firewall is bypassed to let users connect to your
network from a hotspot.
If you clear this checkbox, users are not able to connect to your network from a
hotspot.
n Block IPv6 network traffic - Controls whether to block IPv6 traffic to endpoint
devices. Clear this checkbox to allow IPv6 traffic to endpoint devices.
n From the When using Remote Access, enforce Firewall policy from menu, select
the applicable option:
l Above Endpoint Firewall policy (this is the default)
l Remote Access Desktop Security Policy
If your environment had Endpoint Security VPN and then moved to the
complete Endpoint Security solution, select this option to continue using the
Desktop Policy configured in the legacy SmartDashboard.
To learn how to configure a Desktop Policy, see the Remote Access Clients
for Windows Administration Guide.
5. Click Save in the bottom right corner.

Note - For more information about Firewall, see sk164253.

Harmony Endpoint EPMaaS Administration Guide | 355

Application Control

Application Control
The Application Control component of Endpoint Security restricts network access for specified
applications. The Endpoint Security administrator defines policies and rules that allow, block
or terminate applications and processes. The administrator can also configure that an
application is terminated when it tries to access the network, or as soon as the application
starts.
This is the workflow for configuring Application Control:

Windows:
1. Set up a Windows device with the typical applications used on protected Endpoint
computers in your organization. This is your reference device. If you have several
different standard images, set up a reference device for each.

2. Generate the list of applications on the computer by running the Appscan tool. This
generates an XML file that contains the details of all the applications on the computer.
3. Upload the Appscan XML file to the Endpoint Security Management Server using
Harmony Endpoint.
4. Configure the action for each application in the Application Control policy. You can
configure which applications are allowed, blocked, or terminated.
5. Install policy.

macOS:
1. Run the Application Scan Push Operation. See "Performing Push Operations" on
page 491.
2. Configure the action for each application in the Application Control policy. You can
configure which applications are allowed, blocked, or terminated.
3. Install policy.

Harmony Endpoint EPMaaS Administration Guide | 356

Creating the List of Applications on the Reference Device

You need to generate a list of the applications on your reference device. This is a Windows
device with a tightly-controlled disk image that contains the typical applications used on
protected Endpoint devices in your organization. If you have several different standard
images, set up a reference device for each.

Important - The reference device must be free of malware.

To generate the list of applications, run the Appscan command on the reference device. This
generates an XML file that contains the details of all the applications and operating system
files on the device. In the XML file, each application, and each application version, is uniquely
identified by a checksum. A checksum is a unique identifier for programs that cannot be
forged. This prevents malicious programs from masquerading as other, innocuous programs.

To collect a list of applications on the reference device:

1. Go to Policy > Access & Compliance > Manage > Manage Applications.

2. Under Manage Applications, click Upload Applications.

Harmony Endpoint EPMaaS Administration Guide | 357

Creating the List of Applications on the Reference Device

The Upload Applications window appears.

3. Under Download Appscan, click Download.

4. Run the Appscan application on your target device with the applicable parameters. See
"Appscan Command Syntax" below.
This creates an Appscan XML file for each disk image used in your environment. When
the scan is complete, an output file is created in the specified directory. The default file
name is scanfile.xml.

Appscan Command Syntax

Description
Scans the host device and creates an XML file that contains a list of executable programs and
their checksums.

Harmony Endpoint EPMaaS Administration Guide | 358

Creating the List of Applications on the Reference Device

Syntax

C:\>Appscan [/o <filename> /s <target directory> /x <extension

strung /e /a /p /verbose /warnings /?

Parameters

Parameter Description

/o Sends output to the specified file name. If no file name is specified,

Appscan uses the default file name (scanfile.xml) in the current
folder.

file name Output file name and path.

/s <target Specifies the directory, including all subdirectories, to scan.

directory>
n You must enclose the directory/path string in double quotes.
n If no directory is specified, the scan runs in the current directory
only.

/x Specifies the file extension(s) to include in the scan.

<extension
string>
n The extension string can include many extensions, each separated
by a semi-colon.
n You must put a period before each file extension.
n You must enclose full extension string in double quotes.
n You must specify a target directory using the /s switch.
n If you do not use the /x parameter only .exe executable files are
included in the scan.

/e Include all executable files in the specified directory regardless of the

extension. Do not use /e together with /x.

/a Includes additional file properties for each executable.

/p Shows progress messages during the scan.

/verbose Shows progress and error messages during the scan.

/warnings Shows warning messages during the scan.

/? Shows the command syntax and help text.

or
/help

Harmony Endpoint EPMaaS Administration Guide | 359

Creating the List of Applications on the Reference Device

Examples
n C:\>appscan /o scan1.xml

This scan, by default, includes .exe files in the current directory and is saved as
scan1.xml.
n C:\>appscan /o scan2.xml /x ".exe;.dll" /s "C:\"

This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.
n C:\>appscan /o scan3.xml /x ".dll" /s c:\program files

This scan includes all .dll files in c:\program files and all its subdirectories. It is
saved as scan3.xml.
n C:\>appscan /s "C:\program files" /e

This scan includes all executable files in c:\program files and all its subdirectories.
It is saved as the default file name scanfile.xml.

Harmony Endpoint EPMaaS Administration Guide | 360

Uploading the Appscan XML File to the Endpoint Security Management Server

Uploading the Appscan XML File to the Endpoint Security Management

Server
After you generate the Appscan XML file, upload it to the Endpoint Security Management
Server.

Note - Before you upload the Appscan XML file, remove all special
characters, such as trademarks or copyright symbols, from the Appscan XML
.

To upload the Appscan XML file:

1. In the Policy view, go to Access and Compliance > Application Control> Manage >
Manage applications > Upload Applications.

The Upload Applications window opens.

2. In the Upload XML section, click Upload.

3. Search for the Appscan XML file and click Open.

Harmony Endpoint EPMaaS Administration Guide | 361

Configuring Application Permissions in the Application Control Policy

Applications that were uploaded with the Appscan XML file are allowed by default. You cannot
change the default action for the uploaded applications.
Depending on whether the application is secure or not, you can set the Action (network
access) to Allow, Block or Terminate:
n For each application in the Application Control policy.
n For specific applications that match the wildcard character supported string in its name,
publisher, version and so on.

Supported Actions

The supported actions for the applications are:

Action Description

Allow Allows network access to the application.

Block Blocks network access to the application.

Terminate Terminates the application if it tries to access the network or immediately

when it runs.

To configure terminate settings:

1. In the Policy view, go to Access and Compliance > Application Control > Application
Management.
2. Select one of these options:
n Terminate on execution - Selected by default. Makes sure that all terminated
applications terminate immediately when they run.
n Terminate on connection - Terminate an application when the application tries to
access the network

App Rules

To review the policy for each application and its versions:

1. In the Policy view, go to Access and Compliance > Application Control > Application
Management > Edit Application Control Policy.
2. Click App Rules.

Harmony Endpoint EPMaaS Administration Guide | 362

Configuring Application Permissions in the Application Control Policy

The Action column shows the permission for each application. Left-click the Action
column to select the action.
The Version column shows the details for each version of the application, including a
unique hash value that identifies the signer of the application version. You can block or
allow specific versions of the same program. Each version has a unique Version
number, Hash, and Created On date.

Custom Rules

Note - Custom Rules is supported only for Windows.

To review the policy for specific applications:

1. In the Policy view, go to Access and Compliance > Application Control > Application
Management > Edit Application Control Policy.
2. Click Custom Rules.
3. Click New.
4. Enter a Rule Name.
5. Enter at least one of these details:

Notes:
n Use the wildcard character (*) to match a specific string.
l Enter *abc* to apply the rule for all applications that contain the string

abc in its details. For example, *abc* matches abc, xyzabc, abcxyz,
xyzabcxyz.
l Enter *abc to apply the rule for all applications ending with the string abc

in its details. For example, *abc matches abc, xyzabc.

l Enter abc* to apply the rule for all applications starting with the string

abc in its details. For example, abc* matches abc, abcxyz.

n Enter abc to apply the rule for all applications that contain only the string abc

in its details. For example, abc matches abc.

n Application Name
For example, the application name of Chrome is Google Chrome.
To find the application name of Chrome, on a Windows PC, navigate to C:\Program
Files\Google\Chrome\Application, right-click chrome and click Properties. Click
the Details tab and see Product name.

Harmony Endpoint EPMaaS Administration Guide | 363

Configuring Application Permissions in the Application Control Policy

n Publisher
For example, the publisher of Chrome is Google LLC.
To find the publisher of Chrome, on a Windows PC, navigate to C:\Program
Files\Google\Chrome\Application and see the name listed under the Company
column for chrome.
n Version
For example, the version of Chrome is 107.0.5304.107.
To find the version of Chrome, on a Windows PC, navigate to C:\Program
Files\Google\Chrome\Application, right-click chrome and click Properties. Click
the Details tab and see File version.
n File Name
For example, the file name of Chrome is chrome.exe.
To find the file name of Chrome, on a Windows PC, navigate to C:\Program
Files\Google\Chrome\Application.

Note - Do not enter the path or directory to the file.

n Issued By
For example, the issuer of Chrome is DigiCert Trusted G4 Code Signing
RSA4096 SHA384 2021 CAI.

To find the certificate issuer for Chrome, on a Windows PC:

a. Navigate to C:\Program Files\Google\Chrome\Application.
b. Right-click chrome and click Properties.

c. Click the Digital Signatures tab.

d. In the General tab, click View Certificate and see Issued by.

Note:
l If the file has several signatures, the Endpoint Security client checks
all the signatures and applies the rule only if anyone of the
signatures match the specified signature.
l Only certificates with printable ASCII characters are supported.

Harmony Endpoint EPMaaS Administration Guide | 364

Configuring Application Permissions in the Application Control Policy

n Issued To
For example, the issued to for Chrome is Google LLC.
To find the certificate issued to for Chrome, on a Windows PC:
a. Navigate to C:\Program Files\Google\Chrome\Application.
b. Right-click chrome and click Properties.
c. Click the Digital Signatures tab.
d. Click Details.
e. In the General tab, click View Certificate and see Issued to.

Notes:
l If the file has several signatures, the Harmony Endpoint Security

client checks all the signatures and applies the rule only if at least
one of the signatures match the specified signature.
l Only certificates with printable ASCII characters are supported.

n Command Line
For example, the command line of Chrome is C:\Program
Files\Google\ChromeApplication\chrome.exe.
To find the command line for Chrome, on a Windows PC, open Task Manager.
Click the Details tab and see the Command line column for the chrome.exe. If the
Command line column is not visible in the table, right-click the header row, click
Select columns and select Command line checkbox.

6. To review the policy for an application with specific Hash:

n In the Hash field, enter the MD5 hash key of the application.
n Click Calculate and select the binary file of the application. The system
automatically retrieves the hash and enters it in the Hash field.
7. Click OK.
8. Left-click the Action column to select the action.

Application Control in Backward Compatibility Mode

Default Action for Unidentified Applications

Changing the default action for unidentified applications is only supported in backward
compatibility mode.

Harmony Endpoint EPMaaS Administration Guide | 365

Configuring Application Permissions in the Application Control Policy

To enable backward compatibility mode:

1. Go to Endpoint Settings > Policy Operation Mode.
2. Go to the required policy and select Mixed mode.

To change the default action for uploaded applications:

1. In the Policy view, go to Access and Compliance > Application Control > Application
Management > Default action.
2. Select the required default action.

Configuring the Application Control Policy

In addition to Allow, Block and Terminate, there are two more actions that you can configure in
backward compatibility mode:
Unidentified (Allow) - The application is allowed because the default setting for applications
that are imported from the Appscan XML is
Allow, and the administrator did not change this action.
Unidentified (Block) - The application is blocked because the default setting for applications
that are imported from the Appscan XML is Block, and the administrator did not change this
action.

Harmony Endpoint EPMaaS Administration Guide | 366

Disabling or Enabling Windows Subsystem for Linux (WSL)

Windows Subsystem for Linux (WSL) is the scripting language in Windows 10 and higher. It
makes it possible to run Linux binary executables under Windows. WSL has the potential for
compromising security.

To enable or disable Windows Subsystem for Linux (WSL) on Endpoint Security client
computers:
1. In the Policy view, go to Access and Compliance > Application Control > Windows
Sub-systms for Linux (WSL) Traffic
2. Select Allow Windows Sub-systms for Linux (WSL) Traffic or leave this option cleared.

Harmony Endpoint EPMaaS Administration Guide | 367

Developer Protection

Developer Protection
Developer Protection prevents developers leaking sensitive information such as RSA keys,
passwords, and access tokens through the Git version control system. It also detects and warn
the developer when using packages with known vulnerabilities.
Developer Protection intercepts git commit commands issued by the developer, and scans
all modified files in a Git repository. It prevents the uploading of private information in plain text
and vulnerable dependencies from Endpoint Security client computers to public locations.
Developer protection is supported on Endpoint Security Client release E84.60 and higher.

To configure Developer protection:

1. In the Policy view, go to Developer Protection.

2. Select the Developer Protection mode:

Option Explanation

Off Developer Protection is disabled. This is the default.

Detect n Information leakage is detected and a log message is generated,

but the Commit is allowed.
n The administrator can examine the audit log Detect messages of
the Application Control component.
n The developer sees a notification on the client computer.

Prevent n Information leakage is detected, a log message is generated, and

the Commit is blocked.
n The administrator can examine the audit log Prevent messages of
the Application Control component.
n The developer sees a warning notification on the client computer.
The developer can decide to override the notification and allow the
traffic (with or without giving a justification).
n The notification message suggests how to fix the problem. For
example, by adding a file to .gitignore, or updating the version
in package.json

3. Click Save.
4. Install Policy.

Exclusions to Developer Protection

You can define exclusion to developer protection based on the SHA256 hash of the files.
To define an exclusion to developer protection:

Harmony Endpoint EPMaaS Administration Guide | 368

Developer Protection

1. Click Edit Exclusion.

The Developer Protection Exclusion window opens.
2. Click the + sign.
3. In the SHA256 Hash field enter the SHA256 hash of the file.
4. Optional: Enter a Description.
5. Optional: Select Copy to all rules, to copy this exclusion to all existing Developer
Protection rules.
6. Click OK.

Harmony Endpoint EPMaaS Administration Guide | 369

Compliance

Compliance
The Compliance component of Endpoint Security makes sure that endpoint computers comply
with security rules that you define for your organization. Computers that do not comply show
as non-compliant and you can apply restrictive policies to them.
The Compliance component makes sure that:
n All assigned components are installed and running on the endpoint computer.
n Anti-Malware is running and that the engine and signature databases are up to date.
n Required operating system service packs and Windows Server updates are installed on
the endpoint computer through WIndows Servers Update Services.

Note - This is not supported through Windows Settings > Update & Security
on your endpoint computer.
n Only authorized programs are installed and running on the endpoint computer.
n Required registry keys and values are present.

Note - For macOS limitations, see sk110975.

If an object (for example an OU or user) in the organizational tree violates its assigned policy,
its compliance state changes, and this affects the behavior of the endpoint computer:
n The compliant state is changed to non-compliant.
n The event is logged, and you can monitor the status of the computer and its users.
n Users receive warnings or messages that explain the problem and give a solution.
n Policy rules for restricted computers apply. See "Connected, Disconnected and
Restricted Rules" on page 402.

Harmony Endpoint EPMaaS Administration Guide | 370

Planning for Compliance Rules

Before you define and assign compliance rules, do these planning steps:
1. Identify the applications, files, registry keys, and process names that are required or not
permitted on endpoint computers.
2. Collect all information and Remediation files necessary for user compliance. Use this
information when you create Remediation objects to use in compliance rules.
Compliance rules can prevent users from accessing required network resources when
they are not compliant. Think about how to make it easy for users to become compliant.
3. Make sure that the Firewall rules gives access to Remediation resources. For example,
sites from which service packs or Anti-virus updates can be downloaded.

Note - In Windows 7, make sure the Interactive Service Detection service is

running. This is necessary for Remediation files (running with system
credentials) that must interact with the user.

4. Define rule alerts and login policies to enforce the rules after deployment.

Harmony Endpoint EPMaaS Administration Guide | 371

Configuring Compliance Policy Rules

Harmony Endpoint EPMaaS Administration Guide | 372

Ensuring Alignment with the Deployed Profile

This action makes sure that all installed components are running and defines what happens if
they are not running. The action options are:

Action Description

Inform if assigned Software Send a warning message if one or more Endpoint

Blades are not running Security components are not running.

Restrict if assigned Software Restrict network access if one or more Endpoint Security
Blade are not running components are not running.

Monitor if assigned Software Create log entries if one or more Endpoint Security
Blades are not running components are not running. No messages are sent.

Do not check if assigned No check is made whether Endpoint Security

Software Blades are not components are running.
running

Harmony Endpoint EPMaaS Administration Guide | 373

Remote Access Compliance Status

Remote Access Compliance Status selects the procedure used to enforce the upon
verification failure from Policy > Access & Compliance > Remote Access Compliance
Status.
The options available are:
n Endpoint Security Compliance - Uses the Endpoint Security policy to control access to
organizational resources.
n VPN SCV Compliance - Uses SCV (Security Configuration verification) settings from
the Security Gateway to control access to organization resources. SCV checks, which
are defined in the Local.scv policy, always run on the client. This option is described in
the "Secure Configuration Verification (SCV)" section of the Remote Access VPN Client
for Windows Administration Guide.

Note - Endpoint Security clients on macOS always get their compliance status
from Endpoint SecurityCompliance, even if VPN Client verification process
will use VPN SCV Compliance is selected.

Harmony Endpoint EPMaaS Administration Guide | 374

Compliance Action Rules

Many of the Compliance Policy actions contain Action Rules that include these components:
n Check Objects (Checks) - Check objects define the actual file, process, value, or
condition that the Compliance component looks for.
n One of these Action options - What happens when a computer violates the rule:

Action Definition

Observe Log endpoint activity without further action. Users do not know that they
are non-compliant. Non-compliant endpoints show in the Observe state
in the Reporting tab.

Warn Alerts the user about non-compliance and automatically does the
specified Remediation steps.
Send a log entry to the administrator.

Restrict Alerts the user about non-compliance and automatically does the
specified Remediation steps.
Send a log entry to the administrator.
Changes applicable policies to the restricted state after a pre-defined
number of heartbeats (default =5). Before this happens, the user is in
the about to be restricted state. On the monitoring tab, the user is shown
as pre-restricted.

n One or more Remediation objects - A Remediation object runs a specified application or

script to make the endpoint computer compliant. It can also send alert messages to
users.
The Compliance component runs the rules. If it finds violations, it runs the steps for
Remediation and does the Action in the rule.
Some Action Rules are included by default. You can add more rules for your environment.

Basic Workflow for defining additional compliance rules:

1. Click Policy > Access & Compliance > Compliance > Compliance Rulebase.
2. Click New Above or New Below to create new Action Rules as necessary:
a. In the Name field, enter the Action rule name.
b. Click Check to add Check objects to add to the Action "Compliance Check
Objects" on page 377.
c. Select an Action from the list.

Harmony Endpoint EPMaaS Administration Guide | 375

Compliance Action Rules

d. Click the Remediation tab to add Remediation objects to the "Compliance

Remediation Objects" on page 381. If the selected Action is Observe, the rule
does not require a Remediation object.
e. Optional: In the Comment field, enter a comment for the action rule.
Do these steps again to create additional Action rules as necessary.

Harmony Endpoint EPMaaS Administration Guide | 376

Compliance Check Objects

Each Compliance Action Rule contains a Check object that defines the actual file, process,
value or condition that the Compliance component looks for.

To create a new or change an existing Check object:

1. In the Checks column or in the manage objects in your toolbar, click the relevant Check
object.

Note: To edit the existing check object, click the existing check object.

2. Click New to create a new Check object.

3. For System/Application/File Checks, fill in these fields.

Option Description

Name Unique name for this Check Object.

Comment Optional: Free text description.

Operating Select the operating system that this Check object is enforced on.
System

Registry Enter the registry key.

value name Enabled only if the Modify and check registry checkbox is selected.
To detect Log4j vulnerability, in the Registry value name field
enter:
HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Compliance\Log4jScan and in the Registry value
field, enter 1.
Applies only to Windows.

Registry Enter the registry value to match.

value Enabled only if the Modify and check registry checkbox is selected.
Applies only to Windows.

Harmony Endpoint EPMaaS Administration Guide | 377

Compliance Check Objects

Option Description

Modify Select an action:

registry key o Add

and value o Replace

o Update
o Remove

Enabled only if the Modify and check registry checkbox is selected.

Applies only to Windows.

Reg type Select a registry type:

o REG_SZ
o REG_DWORD

Enabled only if the Modify and check registry checkbox is selected.

Applies only to Windows.

Check Select one of these options to enable the registry check or clear to
registry key disable it:
and value Registry key and value exist - Find the registry key and value.
If the registry key exists, the endpoint computer is compliant for the
required file.
Registry key and value do not exist - Make sure the registry key and
value do not exist.
If the key does not exist, the endpoint computer is compliant for an
application that is prohibited.

Check File Select one of these options to check if an application is running or if a

file exists:
File is running at all times - For example, make sure that client is
always running.
File exists - For example, make sure that the user browsing history is
always kept.
File is not running - For example, make sure that DivX is not used.
File does not exist - For example, make sure that a faulty DLL file is
removed.

File name Enter the name of the file or executable to look for. To see if this file is
running or not, you must enter the full name of the executable,
including the extension (either .exe or .bat).

Harmony Endpoint EPMaaS Administration Guide | 378

Compliance Check Objects

Option Description

File path Enter the path without the file name.

Select the Use environment variables of logged in user option to
include paths defined in the system and user variables.
Do not add the "\" character at the end of the path.macOS uses "/" and
file PATH is case sensitive. For more information on macOS
limitations, see sk110975.

Check files Additional options to check for an existing or non-existing file.

Properties

Match the Make sure that a specific version or range of versions of the file or
file version application complies with the file check.

Match MD5 Find the file by the MD5 Checksum. Click Calculate to compare the
checksum checksum on the endpoint with the checksum on the server.

File is not Select this option and enter the maximum age, in days, of the target
older than file. If the age is greater than the maximum age, the computer is
considered to be compliant. This parameter can help detect recently
installed, malicious files that are disguised as legitimate files.

Check Enable Check domain in order to specify the domain. Select a domain:
Domain
oAny Domain
o Specific Domain

Applies only to macOS.

Download Path n Enter the temporary directory on the local computer to

download the program or script to. This path must be a full
path that includes the actual file and extension (*.bat or
*.exe).
n This parameter is required.
n The endpoint client first tries to access the file from the
specified path. If the client fails, it downloads the file from
the URL to the temporary directory and runs it from there.
n To run multiple files, use one of the popular compression
programs such as WinRAR to produce a self-extracting
executable that contains a number of .exe or .bat files.

URL n Enter the URL of an HTTP or file share server where the file
is located.
n Enter the full path that includes the actual file with one of the
supported extensions (*.bat or *.exe).
n This field can be left empty.
n Make sure the file share is not protected by a username or
password.

Harmony Endpoint EPMaaS Administration Guide | 381

Compliance Remediation Objects

Option Description

Parameters If the executable specified in the URL runs an installation

process, make sure that the executable holds a parameter that
specifies the directory where the program should be installed. If
the executable does not hold such a parameter, enter one here.

MD5 Checksum Click Calculate to generate a MD5 Checksum, a compact digital

fingerprint for the installed application or the Remediation files.

Run as System Apply system rights for running the executable file. Not all
processes can run with user rights. System rights may be
required to repair registry problems and uninstall certain
programs.

Run as User Apply user rights and local environment variables for running the
executable file.

Messages

Automatically Run the executable file without displaying a message on the

execute endpoint computer.
operation
without user
notification

Execute Run the executable file only after a user message opens and the
operation only user approves the Remediation action. This occurs when Warn
after user or Restrict is the selected action on a compliance check.
notification

Use same Select that the same text be used for both messages.
message for A Non-Compliant message tells the user that the computer is not
both Non- complaint and shows details of how to become compliant.
Compliant and A Restricted message tells the user that the computer is not
Restricted compliant, shows details of how to achieve compliance, and
messages restricts computer use until compliance is achieved.

Message Box Displays selected non-compliant and restricted messages. The

message box is available only by selecting the Execute only after
user notification setting. Click Add, Remove, or Edit to add a
message, and remove or revise a selected message.
Note: User cannot prevent the Remediation application or
file from running.

Harmony Endpoint EPMaaS Administration Guide | 382

Service Packs for Compliance

The Service Packs Compliance check makes sure that computers have the most recent
operating system service packs and updates installed. The default settings show in the Latest
Service Packs Installed Action Rules.
For more information, see "Compliance Action Rules" on page 375.

Harmony Endpoint EPMaaS Administration Guide | 383

Ensuring that Windows Server Updates Are Installed

Windows Server Update Services (WSUS) allows administrators to deploy the latest Microsoft
product updates.The WSUS compliance check ensures that Windows update are installed on
the Endpoint Security client computer. You can restrict network access of the client computer if
Windows updates have not been installed within a specified number of days. Alternatively, you
can warn the user by means of a pop-up message without restricting access, or log the non-
compliance event without restricting or informing the user

To configure the WSUS compliance check:

Under Windows Server Update Services action, select a preset action. The action is applied
if Windows updates have not been installed on the Endpoint Security client computer for a
specified number of days (default is 90 days):

Preset Action Meaning

Restrict if Windows Server Updates are Restrict the network access of the user.
not installed

Observe Windows Server Update Create a log, and show a warning message
Services to the user.

Monitor Windows Server Update Services Create a log. The user is not notified.

Do not check Windows Server Update No compliance check. This is the default.
Services

1. Optional: The compliance check makes sure that the Windows updates have been
installed within a specified number of days (default is 90 days).

To change the number of days,

a. Click Compliance and under Windows Server Update Services , select the
Enable Windows software update services check checkbox.
b. Change the number of days in Windows updates must be installed within.

Detecting Common Vulnerabilities and Exposures

With Harmony Endpoint, you can perform custom scans on endpoints for Common
Vulnerabilities and Exposures (CVE) in applications.

Notes:
n Supported only for Windows and macOS-based endpoints.
n Supported with the Endpoint Security client version E87.10 and
higher.

Harmony Endpoint EPMaaS Administration Guide | 384

Ensuring that Windows Server Updates Are Installed

Configuring Posture Assessment Settings

Harmony Endpoint periodically scans endpoints against the list of applications specified on the
signature server and detects vulnerable CVEs in applications.

To configure the Posture Assessment Settings:

1. Go to Policy > Access & Compliance.
2. In the Capabilities & Exclusions pane on the right, click the Compliance & Posture tab.
3. Scroll-down to Posture Assessment Settings.
4. Select the Enable Vulnerability assessment checkbox.
5. Select the scan type:
n To manually start the scan, click Manual.

Note - To start the scan for the first time:

a. Go to Asset Management > Computers.
b. Select the devices for which you want to scan.
c. Right-click and select Vulnerabilities > Scan Now.
You can start subsequent manual scans by clicking Scan Now in Asset
Management > Posture Management or by using the Run Diagnostics
push operation.
n To automatically start the scan, click Automated and specify the Interval (Weekly
or Monthly), at (time) and every (frequency in days).
6. Under Update server type, select the signature server:
n External Check Point Signature Server
n Other External Source
l Under Path, enter the URL of the external source.
7. To enforce the patch updates and reboot the endpoint immediately, select the Enable
patch updates & reboot enforcement checkbox. To apply patch manually, see
"Applying the Patch for CVEs" on page 196.

Harmony Endpoint EPMaaS Administration Guide | 385

Ensuring that Windows Server Updates Are Installed

n To allow users to postpone patch updates, specify Max user delay in patch
update and Force patch update after in hours or days.
8. To enforce the patch updates, select the Enable patch updates checkbox:

Note - To apply patch manually, see "Applying the Patch for CVEs" on page 196.

n To allow users to postpone patch updates, select the Enable patch updates &
reboot enforcement checkbox and specify Max user delay in patch update and
Force patch update after in hours or days.
n To enable automatic patch updates, click Advanced Settings and select the
Enable automated patch management checkbox:

Note - This is supported only with Harmony Endpoint Security Client

version E88.20 and higher.

a. To specify the interval for patch updates, from the Set automated patch on
list, select Interval, Weekly or Monthly and specify the interval.
b. In the Applications section, specify the application to which you want to apply
the patch and select:
l All applications
l Select specific applications. Search and select one or more
applications.
c. In the Severities section, specify the severities to which you want to apply the
patch and select:
l All Severities
l Select specific severity. Search and select one or more severities.

d. To exclude an application from applying the patch, in the Exclude

applications section, search and select one or more applications.
9. Click Save.
10. At the top, click Install Policy.
After you enable Posture Assessment settings and install the policy, you can view the detected
CVE and its CVSS score in the Viewing Endpoint Posture .

Harmony Endpoint EPMaaS Administration Guide | 386

Anti-Virus for Compliance

The Anti-Virus check makes sure that computers have an anti-malware program installed and
updated. The default settings show in the Anti-Virus Compliance Action Rules.
For more information, see "Compliance Action Rules" on page 375.

Harmony Endpoint EPMaaS Administration Guide | 387

Monitoring Compliance States

Monitor the compliance state of computers in your environment from:
1. Click Asset Management > Computers.
2. Select the Compliance view in the Columns profile selector in your toolbar.
These compliance states are used in the Security Overview and Compliance reports:
n Compliant - The computer meets all compliance requirements.
n About to be restricted - The computer is not compliant and will be restricted if steps are
not done to make it compliant. See ""About to be Restricted" State" below.
n Restricted - The computer is not compliant and has restricted access to network
resources.
n N/A – Compliance policy is not applicable for the computer.
n Warn - The computer is not compliant but the user can continue to access network
resources. Do the steps necessary to make the computer compliant.
n Not Running – Compliance policy is not running on the computer.
n Unknown – Compliance status is unknown.
n Not Installed – Compliance policy is not installed on the computer.
The endpoint computer Compliance state is updated at each heartbeat. The heartbeat interval
also controls the time that an endpoint client is in the About to be restricted state before it is
restricted.
It is possible to create restricted policies that will automatically be enforced once the endpoint
client enters a restricted state

"About to be Restricted" State

The About to be restricted state sends users one last warning and gives an opportunity to
immediately correct compliance issues before an endpoint computer is restricted.
The formula for converting the specified time period to minutes is:
<number of heartbeats > * <heartbeat interval (in seconds)> * 60.

Harmony Endpoint EPMaaS Administration Guide | 388

Configuring Client Settings

Client Settings define:
n General user interface settings
n If users can postpone installations and for how long.
n The client uninstall password
n When log files are uploaded to the server
n Specified Network Protection settings
To configure these settings go to the Policy view > Client Settings.

Harmony Endpoint EPMaaS Administration Guide | 389

User Interface

User Interface
Default Client User Interface
You can select the default Harmony Endpoint Security Client interface settings or edit them to
customize the Endpoint Security client interface on user computers.
You can change these settings:
n Display client icon - When selected, the client icon shows in the windows notification
area when the Endpoint Security client is installed.
n New client User Interface - Select an interface for the client.
l Default - Applies the default interface specified in the client. Default is the new UI.
l On - Applies the new interface.
l Off - Applies the legacy interface.
n Client language - Select the default language for client. OS Locale indicates the default
OS language.

Note - If the default language is not supported by the client, then system uses
the English language for the client.
n Notification level - You can decide which type of messages can be shown to the user,
and which must not be visible. The administrator can select one of three options:
l Critical only - Do not show any messages unless critical (e.g. system boot
warning) or user interface messages (yes/no questions).
l When-affecting user experience (recommended) - Only show messages related
to operation flows affecting user activity, or requiring user interaction (e.g.
"Malware was detected and removed").
l All - Show all messages.
Note: This change applies to the Endpoint Security Client only. Events are still being
logged on the server, and the administrator can still see everything on the management
interface.

Pre-Boot Images
For each of these graphics, you can select to upload a new image or Revert to Default image:

Size of
Item Description
Image

Pre-boot Background Image Image on Pre-boot screen behind the 800 x 600
smaller logon window pixels

Harmony Endpoint EPMaaS Administration Guide | 390

User Interface

Size of
Item Description
Image

Pre-boot Background Image Pre-boot background image high 3840×2160

high resolution resolution

Pre-boot Screen Saver Image that shows when the system is 260 x 128
idle pixels

Pre-boot Banner Image The banner image on the smaller logon 447 x 98
window pixels

Windows Image in the background of the Windows 256 KB or

Background Image logon window smaller
if OneCheck Logon is enabled

Windows Background Image

Description Size of Image

Image in the background of the Windows logon window 256 KB or smaller

if OneCheck Logon is enabled

Customized Client Image

Description Size of Image

Icon in the top-right of a Client Notification (UserCheck) 134 x 46 pixels

Customized Browser Block Pages

Browser extension uses block pages to warn the end users about security incidents and
prompts for additional permissions. There are four events which trigger a blocking page:
1. Accessing a site that is blocked by URL Filtering policy – The block page blocks access to
the site and warns the end user that attempted to enter the site that it is blocked by the
policy.
2. Providing credentials in a phishing site – The block page warns the end user that it is a
phishing site and the user is therefore blocked from providing credentials there.
3. Using corporate password in a non-corporate domain - End users are warned that use of
corporate password in a non-corporate domain is prohibited, and that his/her corporate
password was just exposed.
4. Accessing a local HTML file without the permission by the browser extension.

Harmony Endpoint EPMaaS Administration Guide | 391

User Interface

The blocking pages above are customizable. The following can be changed per each of them:
1. Company logo (replacing the Check Point logo).
2. Blocking page title.
3. Blocking page description.
The user may preview the change before saving the policy by pressing the preview button.

Note - The preview only works in the Chrome or Edge browsers, when the browser
extension is installed.

Harmony Endpoint EPMaaS Administration Guide | 392

Log Upload

Log Upload
The components upload logs to the Endpoint Policy Server.
These log upload options are available:

Option Description

Enable Log Upload Select to enable log upload (this is the default).
Clear to disable log upload.

Log upload interval Frequency in minutes between logged event uploads.

The clients upload logs only if the number of logs is more
than the Minimum number of events before attempting an
upload.
The default is 3 minutes.

Minimum number of Upload logged events to the server only after the specified
events before attempting number of events occur.
an upload The default is 1.

Maximum number of Maximum number of logged events to upload to the server.

events to upload The default is 100.

Maximum age of event Optional: Upload only logged events that are older than the
before upload specified number of days.
The default is 5 days.

Discard event if older than Optional: Do not upload logged events if they are older than
the specified number of days.
The default is 90 days.

Harmony Endpoint EPMaaS Administration Guide | 393

Installation and Upgrade Settings

The default installation and upgrade setting is that users can postpone the Endpoint Security
Client installation or upgrade.
You can change these settings:
n Default reminder interval - Set the time, in minutes, after which users are reminded to
install the client.
n Force Installation and automatically restart after - Set the time, in hours, after which
the installation starts automatically.
n Maximum delay in download of packages - Set the maximum time, in hours, by which
to postpone the download.

Agent Uninstall Password

You can allow a user to uninstall the Endpoint Security client on their remote Windows
computer.
Agent Uninstall Password is the password you use to uninstall the client. The password
protects the client from unauthorized removal. The password can only contain English letters
in lower or upper case, and these special characters: 0-9 ~ = + - _ ( ) ' $ @ , .
The default uninstall password is "secret".

Best Practice - For security reasons, we strongly recommend that you change the default
uninstall password.

Local Deployment Options

When you use Automatic Deployment, you can configure clients to use local storage to
upgrade Endpoint Security clients. This lets administrators use Automatic Deployment, without
the need for each Endpoint Security client to download a package from the Endpoint Security
Management Server
This is only supported on Windows clients.

Note - If local deployment is enabled for a client, the administrator can still choose whether
clients try to download packages from the Endpoint Security Management Server if packages
are not found in local storage. This option is called: Enable Deployment from server when no
MSI was found in local paths.

To enable Deployment with a locally stored package:

1. Upload each package to the Package Repository of the Endpoint Security Management
Server.

Harmony Endpoint EPMaaS Administration Guide | 394

Installation and Upgrade Settings

2. Put the same packages in local storage location on client computers, for example:
C:\TEMP\EPS\32bit\EPS.msi

3. Go to the Policy view > Client Settings > Installation > Deployment from Local Paths
and URLs
4. Select Allow to install software deployment packages from local folders and URLs.
5. Optional: Select Enable Deployment from Server when no MSI was found in local
paths. When selected, if no MSI file is in the local paths or URLs, the client checks the
Endpoint Security Management Server for packages.
6. Click Deployment Paths and add the package or patch location.
7. Click OK.

8. Go to Deployment Policy > Software Deployment, and create or edit a deployment rule
which includes the package version.
9. Click Save
10. Install Policy to deploy the rule to the clients.

Note - If the version of the Endpoint Security client in the Deployment rule and in the local
file path is not the same, the client is not deployed. If the version on the server and in the local
file path are not the same, an error shows.

General
Authenticated Proxy

If you have a proxy server to authenticate access to a resource:

1. Go to Policy > Client Settings > General > Authenticated Proxy.

2. Enter:
n Proxy - Proxy server address in the format address:host. For example,
192.168.79.157:3128
n Username - User name for the proxy server.
n Password - Password for the proxy server.
3. Click Save.

Sharing Data with Check Point

Clients can share information about detected infections and bots with Check Point.
The information goes to ThreatCloud, a Check Point database of security intelligence that is
dynamically updated using a worldwide network of threat sensors.

Harmony Endpoint EPMaaS Administration Guide | 395

Installation and Upgrade Settings

ThreatCloud helps to keep Check Point protection up-to-date with real-time information.

Note - Check Point does not share any private information with third parties.

To share the data with Check Point ThreatCloud:

1. Go to Policy > Client Settings > General > Sharing Data with Check Point.
2. Enable anonymized telemetry - Select to enable sharing information with Check Point.
Select or clear any of these options:
n Anonymized forensics reports - Forensics reports include a lot of private
identifiable information. This option lets customers anonymize this information.
n Files related to detection - Select to allow Check Point learn more about the
attacks through metadata.
n Memory dumps related to detections - Select to allow sharing memory dumps
from the RAM with Check Point.
3. Click Save.

Connection Awareness
Connection Awareness - Connection awareness controls how an endpoint enforces its
Connected or Disconnected policy. By default, the client checks connectivity to the Endpoint
Management Server to determine its connectivity state. Alternatively, the administrator can
configure the client's connection status by checking its connectivity to a different network
component, for example, a web server or a router, through ICMP packets or
HTTP/HTTPS/IPv4 requests. If the client can connect to the network component, then its
connection status is Connected. Otherwise, its connection status is Disconnected.

To configure the connection awareness setting:

1. Go to the Policy > Client Settings > General > Connection Awareness.
The Connection Awareness feature allows the administrator to choose between two
options:
a. Connected to management - The client's status is Connected if it is connected to
the Endpoint Security Management Servers. This is the default mode.

Harmony Endpoint EPMaaS Administration Guide | 396

Installation and Upgrade Settings

b. Connected to a list of specified targets - The client's status is Connected if it is

connected to the specified target (network component) regardless of its connection
to the Endpoint Security Management Servers.
If you do not specify a disconnected policy for these addresses, the user is
automatically considered connected.
2. Click Save.

Notes:
n The client triggers HTTP GET requests to the server for connected or disconnected
status in intervals of 30 seconds.
n Connection Awareness is supported with Endpoint Security Client version E85.30
and higher for windows and E87.30 and higher for macOS.
n Some capabilities, such as Full Disk Encryption (FDE) remain active even if the
client's status is disconnected. However, it cannot perform operations that require
connection to the server, such as acquire users from the server or send recovery data
to the server.

Super-Node
What is a Super Node?
A Super Node is a machine running a specially configured Endpoint Security Client that also
consists of server-like and proxy-like capabilities, and which listens on port 4434 by default.
Super Node is a light-weight proxy (based on NGNIX) that allows admins to reduce their
bandwidth consumption and enable offline updates, where only the Super Node needs
connectivity to the update servers.

Note - Super Node is not suitable for offline environments. Endpoint Security clients
must be online and connected to the Harmony Endpoint Management server.

Primary Advantages:
n Reduces site bandwidth usage.
n Reduces server workload.
n Reduces customer expense on server equipment, as there is no need for a local
appliance.
n Improved scale.

Note - Super-Node is available in both Domain and Workgroup environments.

To configure a Super Node:

For Management Servers supporting Manage Super Nodes capability:

Harmony Endpoint EPMaaS Administration Guide | 397

Installation and Upgrade Settings

1. Go to Policy > Client Settings.

2. From the toolbar, click Manage Super Nodes.
3. Click + and select the devices you want to define as Super Nodes and then click Add.

Note - You can also use the search bar to search for a device or devices that you want
to define as Super Nodes.
Widgets are created for each entities selected as super nodes.
4. When required devices are added, click Save, as promoting a machine to a Super Node
does not require policy installation. To revert all changes, click Discard.
5. Go to Client Settingsand select the required rule. In the CAPABILITIES &
EXCLUSIONS pane, click General and scroll-down to Super Nodes section.

6. Click + and add Super Nodes with all its specific devices to the relevant Client Settings
rule.
7. Click Save and install the rule.

Note - Super Node settings are rule dependent. It means that Super Nodes defined in the
General tab will be applied only to devices which are related to a specific rule.
Supported Features
Starting in version E86.10, Super Node supports Anti-Malware, Behavioral-Guard & Static
Analysis signature updates. Additionally, software upgrades for Dynamic (EXE) and Windows
installer (MSI) packages, client policies and policy changes are all relayed through Super
Node.

Limitations
n Proxy configuration is not supported.
n By default, the cache max size is 4 GB and will automatically purge files after 7 days of
inactivity. Files stored for a longer time without access are removed from cache.
n Super Node requires an addition of approximately 350 MB to operate properly.

Disable Capabilities
Disable Capabilities allows users to turn on or turn off capabilities, such as Threat Prevention,
Compliance, and so on in the Endpoint Security client.

Harmony Endpoint EPMaaS Administration Guide | 398

Installation and Upgrade Settings

To allow users to disable capabilities:

1. Go to Policy > Client Settings > General > Disable Capabilities.

2. Select the capabilities that can be disabled by the user on the client.
3. To enable the disabled capabilities automatically after a set interval of time:

Note - This is supported only on Windows with Endpoint Security client version
E88.30 and higher.

a. Select the Set timeout checkbox.

b. In the timeout field, enter the time in minutes.

4. To allow users to disable the capabilities only after entering a password, select the
Protect by password checkbox.

Note - This is supported only on Windows with Endpoint Security client version
E88.30 and higher.

Harmony Endpoint EPMaaS Administration Guide | 399

Installation and Upgrade Settings

a. Click Manage Disable Capabilities Protect Password.

Note - Optionally, from the taskbar, click Manage and select the Manage
Disable Capabilities Protect Password from the list.

b. In the Password field, enter a password and re-enter the password in the Confirm
Password field.

Note - Make sure the password is at least eight characters long, without
spaces, and includes:
n An uppercase letter
n A lower case letter
n A number.

c. Click OK.
5. Click Save & Install.

Network Protection
You can let users disable network protection on their computers.
Network Protection includes these components:
n Firewall
n Application Control

To configure network protection alerts:

1. Go to the Policy > Client Settings > General > Network Protection.
2. You may select Allow users to disable network protection on their computers - To
disable network protection.
3. In the Network Protection section, select or clear these options for each Firewall and
Application Control:

Harmony Endpoint EPMaaS Administration Guide | 400

Installation and Upgrade Settings

n Allow Log - To generate logs for events.

n Allow Alert - To generate alerts for events. You must also select this to use Alert in
the Track column of Firewall rules.
4. Click Save.

Push Operations
Push Operations are operations that the server pushes directly to client computers with no
policy installation required. You can set the minimum time interval between status updates of
Push Operations.
For more information, see "Performing Push Operations" on page 491.

To set the minimum time interval between status updates of Push Operations:
1. Go to the Policy > Client Settings > General > Push Operation.
2. Set the Minimum interval between status updates of Push Operations.
3. Click Save.

Harmony Endpoint EPMaaS Administration Guide | 401

Connected, Disconnected and Restricted Rules

Endpoint Security can enforce policy rules on computers and users based on their connection
and compliance state.
When you create a policy rule, you select the connection and compliance states for which the
rule is enforced. You can define rules with these states:
n Connected state rule is enforced when a compliant endpoint computer has a connection
to the Harmony Endpoint Security Management Server. This is the default rule for a
component policy. It applies if there is no rule for the Disconnected or Restricted states of
the component. All components have a Connected Rule.
n Disconnected state rule is enforced when an endpoint computer is not connected to the
Harmony Endpoint Security Management Server. For example, you can enforce a more
restrictive policy if users are working from home and are not protected by organizational
resources. You can define a Disconnected policy for only some of the Endpoint Security
components.
n Restricted state rule is enforced when an endpoint computer is not in compliance with
the enterprise security requirements. In this state, you usually choose to prevent users
from accessing some, if not all, network resources. You can define a Restricted policy for
only some of the Endpoint Security components.

Harmony Endpoint EPMaaS Administration Guide | 402

Connected, Disconnected and Restricted Rules

Harmony Endpoint EPMaaS Administration Guide | 403

Backward Compatibility

Backward Compatibility
You can manage Endpoint components both through Harmony Endpoint and SmartEndpoint
management console (see "Managing Endpoint Components in SmartEndpoint Management
Console" on page 145). Harmony Endpoint does not support all of the SmartEndpoint
functionalities. Therefore, when you manage Endpoint components both through Harmony
Endpoint and SmartEndpoint, conflicts can arise. When you do an action in SmartEndpoint
that is not supported by Harmony Endpoint, the policy display view in Harmony Endpoint
changes to the policy display view in SmartEndpoint (backward compatible mode).
For example, this is an example of backward compatibility display for the Threat Prevention
policy:

The display view changes back from the backward compatible mode to the regular Harmony
Endpoint view only when the policy enables it.

Harmony Endpoint EPMaaS Administration Guide | 404

Policy Operation

Policy Operation
The new policy operation mode allows greater flexibility to the user by proving him with a
choice of capability rule applicability. While under the old policy calculation the rule type of
each capability determined whether the capability can work on user or computer, under the
new policy the user has the ability to define for himself which method he wants the capability to
work in (except in cases where it only makes sense for the capability to apply to users or
computers, but not both).
In this new operation mode, most capabilities are "mixed", which means they can function per
users or computers, according to the user’s choice. In each capability, the rules are ordered
both by their assigned environment, from the specific down to the general, as well as by
user/computer applicability: the first rule applies to the users, and if no match is found, the
following rules apply to computers/devices as well.
To view the Policy Operations Mode page, click Endpoint Settings > Policy Operations
Mode.
Old Policy Calculation Mode

Component Rule Type

Full Disk Encryption Computer only
Media Encryption & Port Protection Computer (default) /
User
Onecheck User only

Anti-Malware Computer (default) /

User
Anti-Ransomware, Behavioral Guard & Computer only
Forensics
Anti-Bot & URL Filtering Computer (default) /
User
Threat Emulation, Threat Extraction & Computer (default) /
Anti-Exploit User
Compliance Computer (default) /
User
Firewall Computer (default) /
User
Access Zones Computer (default) /
User

Harmony Endpoint EPMaaS Administration Guide | 405

Policy Operation

Application Control Computer (default) /

User
Client Settings Computer (default) /
User

Harmony Endpoint EPMaaS Administration Guide | 406

Policy Operation

Harmony Endpoint EPMaaS Administration Guide | 407

IOC Management

IOC Management
IoC stands for Indicators of Compromise. These indicators arrive from various sources, such
as Internet, personal research and so on. Such indicators are not identified by default and you
can block them manually.
For example, if a user receives an indication that a particular URL is malicious, the user can
contact their System Administrator to block access to this URL. The System Administrator tags
this URL as an Indication of Compromise IoC and the policy is enforced on all the endpoints
through the Harmony Endpoint client or the browser extension.

Notes:
n This is supported with the Endpoint Security Client version E86.20 and higher.
n The browser extension that can enforce the IoC policy is supported with the
Endpoint Security Client version E86.50 and higher for Windows and E86.80
and higher for macOS.
n Files with digital signature by trusted signer is not blocked using IoC.

To configure an IoC:
1. In Infinity Portal, go to Policy > Threat Prevention.
2. In the toolbar, select Manage IoC. No need to install policy.
3. In the table that appears, manually add new Indicators of Compromise by type:

IoC Type Example

Domain checkpoint.com

IP Address 192.168.1.1

URL checkpoint.com/test.htm

MD5 Hash 2eb040283b008eee17aa2988ece13152

SHA1 Hash 510ce67048d3e7ec864471831925f12e79b4d70f

4. Hover over the icon next to Type to view the capabilities required for each type:
n URL, Domain and IP require Anti-Bot and URL Filtering capabilities.
n SHA1 and MD5 Hashes require Threat Extraction and Threat Emulation
capabilities.
5. The user can also upload his own manually-created CSV list of indicators.

Harmony Endpoint EPMaaS Administration Guide | 408

IOC Management

6. To verify, on the endpoint, access the IoC (for example, a URL). The system blocks the
access to the IoC.

Data Loss Prevention

Data Loss Prevention (DLP) detects and prevents unauthorized transmission of confidential
information, such as social security numbers, credit card numbers, bank account numbers and
so on.
Browser-Based DLP capabilities allow you to enforce DLP by associating data types with a
DLP rule.
In the Data Loss Prevention tab, you can set rules based on specific events, data types and
actions.

These actions are available within the DLP rules:

n Detect - Performs the DLP scan but does not block the data.
n Prevent - Performs the DLP scan and prevents data transfer if it finds a match to a data
type.
n Allow - Acts as exclusions, allowing data transfer in certain events.
n Block - Blocks the data without the DLP scan.

DLP Logs
n Logs are sent for Block, Prevent, and Detect actions.
n File upload and File download events generate log for each handled file, regardless of
whether the event is blocked, prevented, detected, or allowed.
n Text control and Paste events send logs for blocked, prevented, or detected incidents.

Use Case
You are a financial organization aiming to prevent the upload or download of files containing
confidential and sensitive data, such as bank account numbers, tax and revenue details, by
unauthorized users.

Harmony Endpoint EPMaaS Administration Guide | 409

IOC Management

Known Limitations
n This feature is supported in EU and US regions only.
n DLP is not applied if the file size is greater than 10 MB.
n DLP is not applied when you drag and drop a folder to upload files, and in such cases,
the upload of the folder gets blocked.
n If the downloaded file is scanned by DLP, it is not sent to Threat Emulation.

Sample Data Type

For supported data and file types, see sk181662.

Legends Description

1 Name of the data type.

2 Date and time (in MM/DD/YY, HH:MM:SS XM format) when the data type
was last modified.

3 Brief description of the data type.

4 Custom tags (category) for the data type. Helps in searching for data types.

Harmony Endpoint EPMaaS Administration Guide | 410

IOC Management

Legends Description

5 Matching criteria:
n Pattern
n Keyword
n Dictionary
n Weighted Words
n Template
n File attribute
n Compound (Combination of data types with a logical separator)
n Group (Data type group)

6 The minimum number of times the matching criteria must be present in the
file to trigger the DLP action specified in the policy capability rule. For
example, if the matching criteria is Keyword, the value is credit and the
Matching Threshold is 5, then the system takes the action specified by the
policy capability rule if the file contains the term credit five times or more.

7 Policy capability rules where the data type is used.

8 Groups associated with the data type.

9 Add the data type to a group.

10 Duplicate the data type.

11 Edit the data type.

12 Comment.

13 Filter data type by category.

14 Search for a data type.

Harmony Endpoint EPMaaS Administration Guide | 411

IOC Management

Creating a Custom Data Type

To create a custom data type:

1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

2. Click New and select Data type.

The Add data type wizard appears.

Harmony Endpoint EPMaaS Administration Guide | 412

IOC Management

3. Enter the data type name, object comment (optional) and description.
4. From the Data type recognition method list, select a recognition method:

Recognition method Description Action

Pattern Applies the action specified In the Patterns section,

in the policy capability rule if enter the pattern and click
the file contents match the .
threshold for the pattern. For
example, 5523-2342.

Keyword Applies the action specified In the Keywords section,

in the policy capability rule if enter the keywords and
the file contents match the click .
threshold for the keyword.
For example, Confidential,
Secret.

Harmony Endpoint EPMaaS Administration Guide | 413

IOC Management

Recognition method Description Action

Dictionary Applies the action specified Upload the dictionary file.

in the policy capability rule if
the file contents match the
threshold for the terms in the
dictionary. For example,
Spain, China, United
Kingdom.

Each keyword must be

specified in a single line in
the UTF-8 format.

Note - The
recommended file
formats are Microsoft
Word and .txt.

Harmony Endpoint EPMaaS Administration Guide | 414

IOC Management

Recognition method Description Action

Weighted Words Applies the action specified a. Click New.

in the policy capability rule if
the file contains keywords
and the cumulative weight
matches or exceeds the
threshold.

Use this method to specify

multiple keywords.

For example, consider two b. Enter these:

keywords: n Keyword
n credit with Weight=1 n Weight -

and Max. Weight=3 Weight for

n transaction with each
Weight=2 and Max. occurrence of
Weight=30 the keyword.
and Matching n Max. Weight -

Threshold=15. Maximum
allowed for
If the file contains six weight for the
occurrences of credit, each keyword.
contributing a Weight of 1. c. If the keyword is a
That is, 1x6=6. As the Max. regular expression,
Weight=3, the final weight is turn on the Regex
3. toggle button.
d. Click Add.
If the file contains eight e. Repeat steps a
occurrences of transaction, through d to add the
each contributing a Weight of next keyword.
2. That is, 2x8=16. As the
Max. Weight=30, the final
weight is 16.

As the sum of final weights of

credit and transaction, that
is, 16+3=19 is greater than
the Matching Threshold, the
system applies the specified
action in the policy capability
rule.

Harmony Endpoint EPMaaS Administration Guide | 415

IOC Management

Recognition method Description Action

If the sum of the final weights

of the keywords is less than
the Matching Threshold,
then the file is uploaded or
downloaded.

Template Applies the action specified Upload the template file.

in the policy capability rule if
the file contents match the
threshold for the terms in the
template. For example, a
template with a set header,
footer and logo.
If the template contains
images, the DLP is triggered
only if the file contains the
images in the same format as
in the specified template.

File attribute Applies the action specified Select any of these and
in the policy capability rule if enter a value:
the file: n File name. For
n Matches the specified example, Account
file name. Numbers, Employee
n Size is equal to or Details.
greater than the n File size. File size in

specified file size. Byte, KB, MB or GB.

n Type matches the n File type.

specified file type. l

Click and
select the file
type(s) from
the list.

5. Click Next.

Note - This step does not apply to Template and File attribute recognition
methods.

6. Select the matching threshold.

The minimum number of times the matching criteria must be present in the file to trigger
the DLP. For example, if the matching criteria is Keyword, the value is credit and the
Matching Threshold is 5, then the system takes the action specified by the policy
capability rule if the file contain the term credit five times or more.

Harmony Endpoint EPMaaS Administration Guide | 416

IOC Management

Note - This step does not apply to Template and File attribute recognition
methods.

7. Click Finish.
The new custom data type is listed under Custom Data Types.
8. To permanently save all the changes to the database, click Save at the top.
The change detected window appears.

9. Click Confirm.
10. To discard all the changes, click Discard at the top.
The change detected window appears.

Harmony Endpoint EPMaaS Administration Guide | 417

IOC Management

11. Click Confirm.

Creating a Custom Data Type Group

To create a custom data type group:

1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

2. Click New and select Group.

Harmony Endpoint EPMaaS Administration Guide | 418

Adding an Existing Data Type to a Group

To add an existing data type to a group:

1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

2. In the Data Type Name list, expand Custom Data Types or Predefined Data Types and
select the data type.

3. Click Add to group.

4. Select the group(s) from the list.
5. Click Add.

Harmony Endpoint EPMaaS Administration Guide | 421

IOC Management

6. To permanently save all the changes to the database, click Save at the top.
The change detected window appears.

7. Click Confirm.
8. To discard all the changes, click Discard at the top.
The change detected window appears.

9. Click Confirm.

Editing a Data Type or Group

Note - If you edit a data type, the changes are reflected in all the groups that contain
this data type.

Harmony Endpoint EPMaaS Administration Guide | 422

IOC Management

To edit a data type or group:

1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

2. In the Data Type Name list, expand the DLP group and select the data type or the group.

3. Click Edit.

Harmony Endpoint EPMaaS Administration Guide | 423

IOC Management

4. Make the required changes.

Note - In the Check Point Recommended and Predefined Data Types DLP
groups, you can edit only Matching level and Add object comment.

5. Click OK.
6. To permanently save all the changes to the database, click Save at the top.
The change detected window appears.

7. Click Confirm.
8. To discard all the changes, click Discard at the top.
The change detected window appears.

Harmony Endpoint EPMaaS Administration Guide | 424

9. Click Confirm.

Deleting a Data Type or a Group

Note - Before you delete a data type, make sure to remove the data type from the
group(s) and policy capability rules.

To delete a data type or group:

1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

2. In the Data Type Name list, expand the DLP group and select the data type or the group
within.

Harmony Endpoint EPMaaS Administration Guide | 427

IOC Management

3. Click Delete.
The Deleting a data type window appears.

4. Click Delete Data Type.

5. To permanently save all the changes to the database, click Save at the top.
The change detected window appears.

6. Click Confirm.
7. To discard all the changes, click Discard at the top.

Harmony Endpoint EPMaaS Administration Guide | 428

IOC Management

The change detected window appears.

8. Click Confirm.

Creating a DLP Rule and Associating with an Event

1. Go to Policy > Data Loss Prevention.
2. Add a rule:

Harmony Endpoint EPMaaS Administration Guide | 429

IOC Management

a. Select a rule.
b. Click Clone and click Clone Above or Clone Below.

Note - If you have selected the default rule, select Clone Above.

The Clone Rule window appears.

c. In the Name field, enter a rule name.

d. From the Applied to list, select a device(s) to which you want to apply the rule.
e. Click OK.
3. Click one of these tabs:

Harmony Endpoint EPMaaS Administration Guide | 430

IOC Management

n Outbound events - Outbound data refers to transferring content to external

resources.
Examples:
l Uploading file to a file sharing website.
l Entering text in a text box of an external resource, such as ChatGPT.
l Pasting text in a text box of an external resource, such as ChatGPT.

Note - Enforcement of DLP for Paste and Text Control events is only
supported for Generative AI sites.
n Inbound events - Inbound data refers to downloading data and sharing content
within internal corporate resources.

Example - Downloading file from a file sharing website.

4. Click Add.
The Data Protection - New Event window appears.

Harmony Endpoint EPMaaS Administration Guide | 431

IOC Management

5. By default, the event is enabled. To disable, turn off the Status toggle button.
6. From the Event type list, select one of these:
n File upload - To apply the DLP rule when you upload a file to an external resource.
n Text control - To apply the DLP rule when you type text in an external resource text
box. For example, in ChatGPT.
n Paste - To apply the DLP rule when you paste content into an external resource.
For example, ChapGPT.
n File download - To apply the DLP rule when you download a file from an internal
resource.
Note - Enforcement of DLP for Paste and Text Control events is only supported
for Generative AI sites.

7. From the Destination type list, select one of these type to which you want to apply the
rule:

Harmony Endpoint EPMaaS Administration Guide | 432

IOC Management

Destination
Enter these
type

All N/A

Url In the URL field, enter the web addresses to which you want to apply
the rule.

Domain In the Domain field, enter the domain to which you want to apply the
rule.

Category From the Categories & sub categories list, select one or more
categories.

Notes:
n In Inbound events, you can only choose a URL or Domain.
n In Inbound events, if a source is added for DLP scanning, files

downloaded from that source are not scanned by Threat Emulation.

8. From the Action list, select one of these:

n Detect - Performs the DLP scan but does not block the data.
n Prevent - Performs the DLP scan and prevents data transfer if it finds a match to a
data type.
n Allow - Acts as exclusions, allowing data transfer in certain events.
n Block - Blocks the data without the DLP scan.

9. To associate data types with an event, in the Data types section, click and select the
data type or a group.

Note - This step is applicable only if the Action is Detect or Prevent.

10. Click Save.

The events are displayed in the Outbound events and Inbound events columns in the
DLP rule.

Harmony Endpoint EPMaaS Administration Guide | 433

IOC Management

11. To delete an event, select the event that you want to delete and click Delete.
12. To edit an event, select the event that you want to edit, click Edit, make the required
changes and click OK.
13. To disable all events, turn off the Disable all toggle button.

14. Click Save & Install.

The Install Policy window appears.

Harmony Endpoint EPMaaS Administration Guide | 434

IOC Management

15. Click Install.

Rule Configuration Logic

The rule configuration logic offers a systematic method for applying policy rules to events. The
system prioritizes the most specific events and progresses through four levels of specificity:
1. URL
2. Domain
3. Category
4. All

Note - The Paste and Text control events, only have access to the Category level.

Harmony Endpoint EPMaaS Administration Guide | 435

IOC Management

Harmony Endpoint EPMaaS Administration Guide | 436

IOC Management

Result

Result

When multiple events are relevant for the same incident, the events with the strict action is
selected.

Harmony Endpoint EPMaaS Administration Guide | 438

IOC Management

Scenario 7: User attempts to upload a file from https://domain5.com/url.html

Specific Event

The Category of domain5.com are Computers / Internet and Education.

Since there are no events for the URL or Domain, only two events for the Category are
relevant, and the system selects the event with stricter action.

Result

Scenario 8: User attempts to upload a file from https://domain1.com

Specific Event

Since there are no events for the URL, only two events for the Domain domain1.com are
relevant.

Result

Harmony Endpoint EPMaaS Administration Guide | 439

Import or Export Policies

Overview
You can import or export all or specific policies in the JSON format for backup purposes or
import policies to a new management server.
The supported policies for export and import are:
n Threat Prevention
l Policy Capabilities
l Global Exclusions
n Data Protection
l General
l OneCheck
n Data Protection
n Access & Compliance
n Client Settings
n Deployment Policy > Software Deployment

Limitations
n We recommend that you avoid modifying policies when you perform this procedure.
n If an export or import fails, you must export or import the file again.
n The import file must be in JSON format.
n If you cancel an import in progress, then the system stops the import but does not revert
the files that were imported prior to canceling the import..

Prerequisites
n You must be an Administrator or a Power user to perform this procedure. The Help-desk
and Read-only users have read-only access to the Export / Import your policy page. All
the other users have no access view the Export / Import your policy page.
n If you are importing policies, ensure that the package or blade version on the target
server and in the import file are the same. Otherwise, the system sets the rules as Do
Not Install.

Harmony Endpoint EPMaaS Administration Guide | 440

Import or Export Policies

Exporting Policies

To export all policies:

1. Go to Policy > Export/Import Policies.
2. Click Export.
The system initiates the export and shows the status of the export. When the export is
complete, the system shows the 100% Exported successfully message and downloads the
export file to the default downloads folder. The default name of the export file is export_all_
DD_MM_YYYY_HH_MM.json.

To export a specific policy:

1. Click Policy and go to any one of these pages:

n Threat Prevention
l Policy Capabilities
l Global Exclusions
n Data Protection
l General
l OneCheck
n Access & Compliance
n Client Settings
n Deployment Policy > Software Deployment

2. Click .

The system initiates the export. When the export is complete, the system downloads the
export file to the default downloads folder. The default name of the export file is export_all_
DD_MM_YYYY_HH_MM.json.

Importing Policies

To import all policies:

1. Go to Policy > Export/Import Policies.
2. Click Browse To Import and select the file.

Note - You can edit the file (for example, Notepad++) to import only policies or rules
you want..

Harmony Endpoint EPMaaS Administration Guide | 441

Import or Export Policies

The system initiates the import and shows the status of the import. When the import is
complete, the system shows the 100% Imported successfully message.

To import a specific policy:

1. Click Policy and go to any one of these pages:
n Threat Prevention
l Policy Capabilities
l Global Exclusions
n Data Protection
l General
l OneCheck
n Access & Compliance
n Client Settings
n Deployment Policy > Software Deployment

2. Click and select the file.

Note - You can edit the file to import partial policies or rules.You can edit the file (for
example, Notepad++) to import only policies or rules you want.

The system initiates the import.

Capabilities of Offline Endpoint Security Client

This table shows the status of capabilities when the Endpoint Security Client is offline, that is,
when it is not connected to the Management Server.

Does it work
Capability Comments
offline?

Anti-Malware Yes Signatures are not updated.

Anti-Bot and URL No -

Filtering

Anti-Ransomware, Yes n Signatures are not updated.

Behavioral Guard, and n The data is not uploaded to Threat
Forensics Hunting.
n The forensic report is not uploaded.

Harmony Endpoint EPMaaS Administration Guide | 442

Import or Export Policies

Does it work
Capability Comments
offline?

Threat Emulation and Yes, with the use Communication with the Threat
Anti-Exploit of a local Emulation cloud service is blocked.
appliance.

Remote Access VPN No -

Compliance and Posture Yes n The database of vulnerabilities is

not updated.
n Not supported if the client has pre-
defined rules that require web
access.

Firewall and Application Yes -

Control

Media Encryption and Yes Passwords are not updated if the

Port Protection Management Server is not on the same
network.

Full Disk Encryption Yes n Self-unlock is not supported if the

Management Server is not on the
same network.
n Passwords are not updated if the
Management Server is not on the
same network.

Harmony Endpoint EPMaaS Administration Guide | 443

Performing Data Recovery

If the operating system does not start on a client device due to system failure, you can recover
your data from the device.

Harmony Endpoint EPMaaS Administration Guide | 444

Check Point Full Disk Encryption Recovery

If the operating system does not start on a client computer due to system failure, Check Point
Full Disk Encryption offers these recovery options:
Full Recovery with Recovery Media

Client computers send recovery files to the Endpoint Security Management Server so that
you can create recovery media if necessary.
After the recovery, the files are restored as decrypted, like they were before the Full Disk
Encryption installation, and the operating system can run without the Pre-boot.
Full recovery with recovery media decrypts the failed disk and recovers the data. This takes
more time than Full Disk Encryption Drive Slaving Utility and Dynamic Mount Utility that let
you access data quickly.
Recovery Media:
n Is a snapshot of a subset of the Full Disk Encryption database on the client.
n Contains only the data required to do the recovery.
n Updates if more volumes are encrypted or decrypted.
n Removes only encryption from the disk and boot protection.
n Does not remove Windows components.
n Restores the original boot procedure.

Users must authenticate to the recovery media with a username and password. These are
the options for the credentials to use:
n Using SmartEndpoint - Users that are assigned to the computer and have the Allow
use of recovery media permission can authenticate with their regular username and
password. In SmartEndpoint, go to the OneCheck User Settings rule > Advanced >
Default logon settings.
n When you create the recovery media, you can create a temporary user who can
authenticate to it. A user who has the credentials can authenticate to that recovery
media. Users do not require Allow use of recovery media permission to use the
recovery media. Smart Card users must use this option for recovery.
To perform full recovery with recovery media

1. Go to Asset Management > Organization > Computers.

2. From the top toolbar, click and select Remote Help & Recovery > Recovery >
Full Disk Encryption Recovery.

Harmony Endpoint EPMaaS Administration Guide | 445

Check Point Full Disk Encryption Recovery

3. Search for the computer which you want to decrypt.

The OS Name and OS version of the computer are displayed.
4. User List - This list shows the users who have permission to use recovery media
for the computer. There must be at least two users on the list to perform recovery.
n If there are two users or more on the list, continue to the next step.
n If there are less than two users on the list:
a. Click the + sign to create a temporary user or temporary users who can
use the recovery media.
b. In the window that opens add a username and a password that the
users use to access the file.

5. Download the recovery file.

6. Create the recovery media:

Step Description

1 On the Endpoint Security client, go to folder:

C:\Program Files(x86)\CheckPoint\Endpoint
Security\Full Disk Encryption\

2 Double-click UseRec.exe to start the external recovery media tool.

3 Follow instructions in the tool to create the recovery media.

Note - During the decryption process, the client cannot run other programs.

Full Disk Encryption Drive Slaving Utility

Use this to access specified files and folders on the failed, encrypted disk that is connected
from a different "host" system.
The Drive Slaving Utility is hardware independent.
Full Disk Encryption Drive Slaving Utility replaces older versions of Full Disk Encryption
drive slaving functionality, and supports R73 and all E80.x versions. You can use the Full
Disk Encryption Drive Slaving Utility instead of disk recovery.

Harmony Endpoint EPMaaS Administration Guide | 446

Check Point Full Disk Encryption Recovery

Notes:
n On an E80.x client computer with 2 hard disk drives, the Full Disk Encryption
database can be on a second drive. In this case, you must have a recovery
file to unlock the drive without the database.
n Remote Help is available only for hard disk authentication. It is not available
for recovery file authentication.

To use the Drive Slaving Utility:

1. On a computer with Check Point Full Disk Encryption installed, run this command in
Windows Command Prompt to start the Full Disk Encryption Drive Slaving Utility:

<DISK:>\Program files(x86)\CheckPoint\Endpoint Security\Full

Disk Encryption\fde_drive_slaving.exe

The Full Disk Encryption - Drive Slaving window opens.

Note - To unlock a protected USB connected hard disk drive, you must first
start the Drive Slaving Utility, and then connect the disk drive.

2. Select a Full Disk Encryption protected disk to unlock.

The Unlock volume(s) authentication window opens.
3. Enter User account name and Password.
4. Click OK.

After successful authentication, use Windows Explorer to access the disk drive. If you fail to
access the locked disk drive, use the Full Disk Encryption recovery file, then run the Drive
Slaving Utility again.

Note - To prevent data corruption, shut down the system or use a safe removal
utility before you disconnect the USB connected drive.

Harmony Endpoint EPMaaS Administration Guide | 447

BitLocker Recovery

BitLocker Recovery
BitLocker recovery is the process by which you can restore access to a BitLocker-protected
drive in the event that you cannot unlock the drive normally.
You can use the Recovery Key ID for a computer to find the Recovery Key for an encrypted
client computer.
With the Recovery Key, the user can unlock encrypted drives and perform recoveries.

Important - Treat the Recovery Key like a password. Only share it using trusted and
confirmed channels.

To get the recovery key for a client computer:

1. Go to Asset Management > Organization > Computers.

2. From the top toolbar, click and select Remote Help & Recovery > Recovery >
BitLocker Recovery.
The BitLocker Management Recovery window opens.
3. Select By Recovery Key ID and enter the Computer's Recovery Key ID of the client.
The Recovery Key ID is a string of numbers and letters that looks like this:

C9F38106-9E7C-46AE-8E88-E53948F11776

After you type a few characters, the Recovery Key ID fills automatically.
4. Click Get Recovery Key.
The recovery key appears. It is a string of numbers that looks like this:

409673-073722-568381-219307-302434-260909-651475-146696

5. On the client computer, type the recovery key.

Harmony Endpoint EPMaaS Administration Guide | 448

FileVault Recovery

FileVault Recovery
You can help users recover FileVault-encrypted data if they cannot log in to their macOS.
You can help users recover their data or reset their password using a personal recovery key
that is unique to the client computer. You can reset the password remotely.
Password Reset using a Personal Key

If a user forgets the login password, the administrator can send a personal recovery key to
the remote user, to allow them to log in.
The key is a string of letters and numbers separated by dashes.
1. The user locates the serial number of the locked device.

Step Description

1 Find the serial number of the locked device. It is usually printed on the
back of the device.

2 Give the serial number to the support representative.

2. The Administrator gives a recovery key to the user.

Step Description

1 Get the serial number of the locked device from the user.

2 Go to Asset Management > Organization > Computers.

3 From the top toolbar, click and select Remote Help & Recovery >
Recovery > FileVault Recovery.

4 In the Computer's Serial Number field, enter the serial number.

5 Click Get Recovery Key.

6 Give the recovery key to the user.

3. User resets their password.

Step Description

1 Get the Recovery Key from the support representative.

2 Restart the macOS.

Harmony Endpoint EPMaaS Administration Guide | 449

FileVault Recovery

Step Description

3 In the FileVault pre-boot screen, click the ? button

A message shows: If you forgot your password you can reset it using
your Recovery Key.

4 Enter the recovery key and click the right arrow.

A progress bar shows.

5 For Local Users:

a. In the Reset Password window, the user enters a new password,
and optionally, a password hint.
b. Click Reset Password.

For more information, see sk138352.

A personal key is unique to the client macOS-based computer or device. The key is a string of
letters and numbers separated by dashes.
To recover a user's FileVault-encrypted macOS using the personal key, the administrator
reads the key to the user, and uses the key to decrypt and unlock the computer.
Decrypting and recovering the user's FileVault-encrypted macOS

n For a volume formatted as APFS on macOS Mojave 10.14 and higher

1. Show the disk volumes on the macOS:

diskutil apfs list

The volume to recover is the OS Volume. It has a name similar to disk2s1.

2. Unlock the volume:

diskutil apfs unlockVolume <Disk Name> -passphrase

3. Get the list of apfs cryptousers:

diskutil apfs listcryptousers <Disk Name>

For example:

diskutil apfs listcryptousers disk2s1

For a local user, select the UUID of the user that has:
Type: Local Open Directory User

Harmony Endpoint EPMaaS Administration Guide | 450

FileVault Recovery

4. Decrypt the volume:

diskutil apfs decryptVolume <diskname> -user <user

UUID>

5. Enter the password of the local user.

6. Monitor the progress of the decryption:

diskutil apfs list

n For a volume formatted as CoreStorage on macOS 10.12 or higher

1. Unlock the volume:

diskutil cs unlockVolume <Logical Volume UUID> -

passphrase <Personal Recovery Key>

2. The user interface shows a prompt to allow access. Enter the keychain
password.
The volume is now unlocked.
3. Start the decryption:

diskutil cs decryptVolume <Logical Volume UUID>

4. When prompted, enter the password for the local user.

5. Monitor progress of the decryption:

diskutil cs list

The user can now reboot the macOS normally. They do not see the FileVault pre-boot
screen.

Harmony Endpoint EPMaaS Administration Guide | 451

Managing Virtual Groups

Virtual Groups manage groups of users and devices.
You can use Virtual Groups with Active Directory for added flexibility or as an alternative to
Active Directory.
Objects can be members of more than one virtual group.
The benefits of using Virtual Groups include:
n Using the Active Directory without using it for Endpoint Security.
For example: Different administrators manage the Active Directory and Endpoint
Security.
n Your Endpoint Security requirements are more complex than the Active Directory
groups. For example, you want different groups for laptop and desktop computers.
n Using a non-Active Directory LDAP tool.
n Working without LDAP.
Some virtual groups are pre-defined with users and devices assigned to them automatically.

To create a virtual group:

1. Access Harmony Endpoint and click Asset Management.

2. Go to Organization > Organizational Tree and select Virtual Groups.

3. To create a virtual group for a group, right-click a group.
4. To create a virtual group for a specific device or a user, click the group and right-click the
device or user.
5. Select Create Virtual Group.
The Create Virtual Group window appears.

Harmony Endpoint EPMaaS Administration Guide | 452

Managing Virtual Groups

6. In the Name field, enter a group name.

7. (Optional) In the Comment field, enter a comment.

Notes:
n A user or a device can belong to multiple virtual groups.
n Selecting a certain user or device shows the Active Directory information

collected about them.

n You cannot edit Active Directory groups but you can view their content.
n You can create a group and then assign the users or devices to the group,

or select users or devices first and then create a group from them.

8. Click OK.

Note - You can also perform this procedure from Asset Management >
Organization > Computers. See "Managing Computers" on page 158.

To add a group, device or a user to a virtual group:

1. Access Harmony Endpoint and click Asset Management.
2. Go to Organization > Organizational Tree and select Virtual Groups.
3. To add a group to a virtual group, right-click a group.
4. To add a specific device or a user to a virtual group, click the group and right-click the
device or user.
5. Select Add to Virtual Group.
The Add Members to Virtual Group window appears.

Harmony Endpoint EPMaaS Administration Guide | 453

Managing Virtual Groups

6. Select the applicable virtual group.

7. Click OK.

Note - You can also perform this procedure from Asset Management >
Organization > Computers. See "Managing Computers" on page 158.

To create and add to virtual group:

1. Access Harmony Endpoint and click Asset Management.

2. Go to Organization > Organizational Tree and select Virtual Groups.
3. To create and add a group to a virtual group, right-click a group.

4. To create and add a specific device or a user to a virtual group, click the group and right-
click the device or user.
5. Select Create and Add to Virtual Group.
The Add Members to Virtual Group window appears.

Harmony Endpoint EPMaaS Administration Guide | 454

Managing Virtual Groups

6. In the Name field, enter a group name.

7. (Optional) In the Comment field, enter a comment.
8. In the Members section search box, search and select the member.

9. Click OK.

Note - You can also perform this procedure from Asset Management >
Organization > Computers. See "Managing Computers" on page 158.

To move devices from one virtual group to another:

1. In the left navigation panel, click Asset Management.
2. In the left pane, click Organization > Organizational Tree.
3. Click Virtual Groups.
4. Move the devices:
n To move all the devices from a virtual group, select the virtual group.
n To move specific devices from a virtual group, click the virtual group, and select the
devices.
5. Right-click the virtual group or devices and select Move to Virtual Group.

Harmony Endpoint EPMaaS Administration Guide | 455

Managing Virtual Groups

The Move Members to Virtual Group window appears.

6. Select the virtual group where you want to move the devices.
7. Click OK.

To export the list of devices in a virtual group to an excel file:

1. From the left navigation panel, click Asset Management > Organization > Organization
Tree.
2. From the list, click Virtual Group.
3. Right-click the virtual group and select Export Virtual Group Report.
The system exports the list of devices to an excel file. If the virtual group contains child
virtual groups, then the devices in those virtual groups are also included in the exported
file.

Harmony Endpoint EPMaaS Administration Guide | 456

Managing Active Directory Scanners

Managing Active Directory

Scanners
Harmony Endpoint can scan and import users, groups, Organizational units (OUs) and
computers from multiple supported directory domains. After the objects are imported, you can
assign policies.

Notes:
n Harmony Endpoint does not scan groups of the type Distribution in Microsoft
Active Directory.
n If a device belongs to both Microsoft Active Directory and Microsoft Entra ID
domains, then the Microsoft Active Directory takes precedence.
n To move a device from the Microsoft Active Directory domain to Microsoft Entra
ID domain:
a. Disconnect the device from Microsoft Active Directory domain.
b. Register the device with Microsoft Entra ID.

Supported Directory
n Microsoft Active Directory
n Microsoft Entra ID

Prerequisite
Harmony Endpoint requires permissions to scan the directory. Ensure that the directory
account has the following permissions for each directory scanner:
n The Active Directory root
n Child containers and objects
n Deleted objects container - Deleted objects in directory are stored in the Deleted objects
temporarily. Harmony Endpoint compares the objects in the directory with the Deleted
objects container to know the objects that have changed since the last scan.

Managing Microsoft Active Directory Scanner

Organization Distributed Scan
Organization Distributed Scan is enabled by default. You can see its configured settings in the
Endpoint Settings view > Default Scanner.
Each Endpoint client sends its path to the Security Management Server.

Harmony Endpoint EPMaaS Administration Guide | 457

Managing Active Directory Scanners

By default, each Endpoint client sends its path every 120 minutes. In this method, only devices
with Harmony Endpoint installed report their paths, other devices with do not report their
information.

Full Active Directory Sync

In the Full Active Directory Sync, one Endpoint client is defined as the Active Directory
scanner, it collects the information and sends it to the Security Management Server.

To configure the AD scanner:

1. From the left navigation panel, click Asset Management.
2. In the left pane, click Computers.

3. From the top toolbar, click (General Actions) and click Directory Scanner.

The Scanner window opens.

4. Fill in this information:

Section Required Information

Connect from n Computer name - Select a computer as your AD scanner.

computer

AD Login n User name (AD) - Enter the user name to access the Active
details Directory.
n Domain name - Enter the domain of the Active Directory.
n Password (AD) - Enter the password to access the Active
Directory.

AD n Domain controller - Enter the name of the Domain controller.

Connection n Port - Enter the number of the listening port on the Domain
controller.
n Use SSL communication (recommended) - Select this
checkbox if you want the connection between the AD scanner
to the Domain Controller to be over SSL.
n LDAP Path - The address of the scanned directory server.
n Sync AD every - Specify the time interval in minutes for the
system to initiate the scan. Supported range is 120 (min) to 240
(max) minutes.
Note - If you set a value outside the supported range (for
example 119 or 241), the system resets the value to the closest
threshold value.

When you create a new AD scanner, the Organization Directory Scan is automatically
disabled.

Harmony Endpoint EPMaaS Administration Guide | 458

Managing Active Directory Scanners

To see information on your activated AD scanners, go to the Endpoint Settings view.

Note - You can also reach scanner configuration form through the Endpoint Settings
view > Setup full Active Directory sync.

Managing Microsoft Entra ID Scanners

Harmony Endpoint can scan and import users, groups, administrative units and computers
from multiple Microsoft Entra ID into the Harmony Endpoint. After the objects are imported,
you can assign policies.

Note - Harmony Endpoint does not scan groups of the type Distribution in Microsoft
Entra ID.

Limitations
n The Microsoft Entra ID scanner supports Windows only. For macOS devices, use
Microsoft Intune.
n User SmartCard is not supported.
n The user, device or group can be member of only one Administrative unit.
n The maximum characters supported for Display Name is 45.
n Microsoft Entra ID scanner sync stops if the Harmony Endpoint Security server is down
for a duration of 30 days and above. To restart, contact Check Point Support.
n If you have enabled Full Disk Encryption and if the user changes the password, the user
must lock and unlock the device for the new password to take effect.

Configuring the Settings in the Microsoft Entra ID Portal

Before you can add Microsoft Entra ID to Harmony Endpoint, it is necessary to create the
Microsoft Entra ID credentials.

Step 1: Register the Application

1. Log in to the Microsoft Entra ID.
2. From the toolbar select Azure Active Directory.
3. Select App registrations > click New Registration.
4. Below the Owned applications tab, enter the application's Name > select an Account

Harmony Endpoint EPMaaS Administration Guide | 459

Managing Active Directory Scanners

type > click Register.

Step 2: Add Permissions to the Application

1. Add the necessary permissions to the application.

a. Go to the API permissions section and click Add a permission.

Harmony Endpoint EPMaaS Administration Guide | 460

Managing Active Directory Scanners

b. In the window that opens, select Microsoft Graph > Application permissions.

2. Select these permissions:

n Groups.Read.All

Harmony Endpoint EPMaaS Administration Guide | 461

Managing Active Directory Scanners

n API Permissions:
o Device.Read.All

o Directory.Read.All

o GroupMember.Read.All

o AdministrativeUnit.Read.All

Harmony Endpoint EPMaaS Administration Guide | 462

Managing Active Directory Scanners

o User.Read.All

3. Give admin consent to the selected permissions.

Harmony Endpoint EPMaaS Administration Guide | 463

Managing Active Directory Scanners

Step 3: Finish Configuration in Microsoft Entra ID:

1. Create a secret key for the application.
a. Go to the section Certificates & secrets > click New client secret.

b. In the Add a client secret window, enter a Description and the date it Expires >
click Add.

2. Copy the value of the secret key and keep it in a secure place. This key is necessary for
the Harmony Endpoint portal integration with Microsoft Entra ID.

Harmony Endpoint EPMaaS Administration Guide | 464

Managing Active Directory Scanners

3. Go to the Overview section, copy these two values, and keep them in a secure place.
n Application (client) ID
n Directory (tenant) ID

Importing Objects from Microsoft Entra ID

To import objects from Microsoft Entra ID:

1. Go to Endpoint Settings.
2. Expand AD Scanner and click Entra ID Scanners.

Harmony Endpoint EPMaaS Administration Guide | 465

Managing Active Directory Scanners

Section Description

Directory Name of the directory.

Name

Directory Tenant ID from your Microsoft Entra ID portal.

(Tenant) ID

Status Status of the Microsoft Entra ID directory scan.

Sync Period Frequency at which Harmony Endpoint initiates the scan to fetch the
data from Microsoft Entra ID.

Last Sync Date and time when Harmony Endpoint last synced with Microsoft
Entra ID.

Last Full Scan Date and time of the last full scan of the Microsoft Entra ID.

3. In the top right corner, click .

The Add Entra ID Scanner window appears.

Harmony Endpoint EPMaaS Administration Guide | 466

Managing Active Directory Scanners

4. Enter these:
a. Directory (Tenant) ID
b. Application Client ID
You can obtain these from your Microsoft Entra ID portal.

Harmony Endpoint EPMaaS Administration Guide | 467

Managing Active Directory Scanners

c. Secret ID

You can obtain the Secret ID from your Microsoft Entra ID portal.
5. Click Verify.

Note - Make sure that the information you copy from the Microsoft Entra ID
portal are entered accurately. If the verification fails, the following dialog box
appears:

6. Click Next.

7. In the Root Name field, enter a name for the root directory.
8. In the Sync Interval field, specify the interval (in minutes) for the sync between Harmony
Endpoint and Microsoft Entra ID.
9. Click Add.

Harmony Endpoint EPMaaS Administration Guide | 468

Managing Active Directory Scanners

The Microsoft Entra ID directory is added to the table.

10. To edit a directory, select the directory and at the top right pane, click .

11. To delete a directory, select the directory and at the top right pane, click .

12. To verify whether the Microsoft Entra ID is successfully imported:

Harmony Endpoint EPMaaS Administration Guide | 469

Managing Active Directory Scanners

a. Go to Asset Management.
b. Expand Organization> Organizational Tree > Directories.
The root Microsoft Entra ID should be listed in the table.

Harmony Endpoint EPMaaS Administration Guide | 470

Giving Remote Help to Full Disk Encryption Users

Giving Remote Help to Full Disk

Encryption Users
Use this challenge/response procedure to give access to users who are locked out of their Full
Disk Encryption protected computers.
1. Go to Asset Management > Organization > Computers.
2. Click and select Remote Help & Recovery > Full Disk Encryption.

3. Select the type of assistance the end-user needs:

n One-Time Logon - Provides access as an assumed identity for one session
without resetting the password.
n Remote Password Change - Resets the user's password. This option is for users
who have forgotten their fixed passwords.
n Pre-Boot Bypass Remote Help - Provides One-Time Logon assistance for
computers that are configured to disable pre-boot, and uses the option to give
remote help without pre-boot user.
4. Search for the locked computer.
5. Select the applicable user from the list (this step is not applicable in the case of Pre-Boot
Bypass Remote Help).
6. Tell the user to enter the Response one text string in the Remote Help window on the
locked computer.
The endpoint computer shows a challenge code.

7. In the Challenge (from user) field, enter the challenge code that the user gives you.
8. Click Generate Response.
Remote Help authenticates the challenge code and generates a response code.
9. Tell the user to enter the Response Two (to user) text string in the Remote Help window
on the locked computer.
10. Make sure that the user changes the password or has one-time access to the computer
before ending the Remote Help session.

Harmony Endpoint EPMaaS Administration Guide | 471

Active Directory Authentication

Endpoint Security Active Directory
Authentication
When an Endpoint Security client connects to the Endpoint Security Management Server, an
authentication process identifies the endpoint client and the user currently working on that
computer.
The Endpoint Security system can function in these authentication modes:
n Unauthenticated mode - Client computers and the users on those computers are not
authenticated when they connect to the Endpoint Security Management Server. They
are trusted "by name". This operation mode is recommended for evaluation purposes
only.
n Strong Authentication mode - Client computers and the users on those computers are
authenticated with the Endpoint Security Management Server when they connect to the
Endpoint Security Management Server. The authentication is done by the Active
Directory server using the industry-standard Kerberos protocol. This option is only
available for endpoints that are part of Active Directory.
The authentication process:

1. The Endpoint Security client (1) requests an authentication ticket from

the Active Directory server (2).

2. The Active Directory server sends the ticket (3) to the client (1).

3. The client sends the ticket to the Endpoint Security Management

Server (4).

4. The Endpoint Security Management Server returns an

acknowledgment of authentication to the Endpoint Security client (1).

Important - If you use Active Directory Authentication, then Full Disk

Encryption and Media Encryption & Port Protection are only supported on
endpoint computers that are part of Active Directory.
Note - Full Disk Encryption and Media Encryption & Port Protection are not
supported on endpoint computers in your environment that are not part of the
Active Directory.

Harmony Endpoint EPMaaS Administration Guide | 472

Active Directory Authentication

Configuring Active Directory Authentication

Make sure you configure Strong Authentication for your production environment. Do not set up
Strong Authentication before you are ready to move to production. When you are ready to
move to production, follow this process.

Workflow for Configuring Strong Authentication:

Step 1 of 3: Configuring the Active Directory Server for Authentication

Endpoint Security Strong Authentication uses the Kerberos network authentication protocol.
To enable the Active Directory server to validate the identity of clients that authenticate
themselves through Kerberos, run the ktpass.exe command on the Active Directory
Server. By running the ktpass command, you create a user that is mapped to the ktpass
service. This creates a Principal Name for the AD server. The Principal Name must have
this format: ServiceName/realm@REALM

Important - After you create the user that is mapped to the ktpass
service, do not make changes to the user. For example, do not change the
password. If you do change the user, the key version increases and you
must update the Version Key in the New Authentication Principal window
in Harmony Endpoint.

To prepare the Active Directory Server for authentication:

1. Go to Start menu > All Programs > Administrative Tools > Active Directory Users
and Computers.
2. Create a domain user and clear the option User must change password at next
logon.

3. Open an elevated Windows Command Prompt.

4. In Windows Command Prompt, go to this folder:

cd %WinDir%\System32\

5. Map a service to a user with this command:

ktpass princ <Service Name>/<realm name>@<REALM NAME>

mapuser <Username>@<REALM NAME> pass <Password> out <Name of
Output File>

Example:

Harmony Endpoint EPMaaS Administration Guide | 473

Active Directory Authentication

ktpass princ tst/[email protected] mapuser auth-

[email protected] pass 123456 out outfile.keytab

Parameters:

Syntax Example Value Explanation

<Service Name> tst Name of the service.

<realm name> nac1.com Domain name of the Active

<REALM NAME> NAC1.COM Directory server.
The first instance is in lower
case.
The second instance in upper
case.

<Username> auth-user The Active Directory domain

user.

<Password> 123456 Password for user.

<Name of Output outfile.keytab Name of the encrypted keytab

File> file.

6. Save the console output to a text file.

See the version number (vno) and encryption type (etype).

Sample output:
Targeting domain controller: nac1-dc.nac1.com
Successfully mapped tst/nac1.com to auth-user.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to outfile.log:
Keytab version: 0x502
keysize 74 tst/[email protected] ptype 0 (KRB5_NT_UNKNOWN) vno 7 etype 0x17 (RC4-HMAC) keylength 16
(0x32ed87bdb5fdc5e9cba88547376818d4)

Important - We recommend that you do not use DES-based

encryption for the Active Directory Domain Controller server, as it is
not secure. If you choose to use DES encryption and your
environment has Windows 7 clients, see sk64300
Notes:
n Make sure that the clock times on the Endpoint Security

servers and the Kerberos server are less than 5 minutes apart.
If the difference in the clock times is more than 5 minutes, a
runtime exception shows and Active Directory authentication
fails. On Gaia, use NTP or a similar service.
n To use Capsule Docs with Single Sign-On, disable the User

Access Control (UAC) on Windows Active Directory Servers.

Harmony Endpoint EPMaaS Administration Guide | 474

Active Directory Authentication

Step 2 of 3: Configuring Authentication Settings

Configure the settings in Harmony Endpoint for client to server authentication.

Important - Use the Unauthenticated mode only for evaluation purposes. Never
use this mode for production environments. Configure the authentication settings
before moving to production.

How the Authentication Settings are Used in Deployment Packages

When you configure client package profiles, you select an authentication account. The SSO
Configuration details are included in the client deployment package, which allows the server
to authenticate the client.

To configure authentication settings:

1. In Harmony Endpoint, go to the Endpoint Settings view > the Authentication Settings
tab.
2. Click Add.
The New Authentication Principal window opens.
3. Enter the details from the output of ktpass.exe, that you configured in "Step 1 of 3:
Configuring the Active Directory Server for Authentication" on page 473:

Field Description

Domain Active Directory domain name.

name For example: nac1.com

Principle Authentication service name in the format:

Name ServiceName/realm@REALM
This value must match the name that was configured in Active
Directory > New Object.
For example: tst/[email protected]

Version Key Enter the version number according to the Active Directory output
in the vno field.
For example: 7

Encryption Select the encryption method according to the Active Directory

method output in the etype field.
For example: RC4-HMAC

Harmony Endpoint EPMaaS Administration Guide | 475

Active Directory Authentication

Field Description

Password Enter (and confirm) the password of the Active Directory Domain
Admin user you created for Endpoint Security use.
For example: 123456

4. Click Add.
5. When you are ready to work in Strong Authentication mode, select Work in
authenticated mode in the Authentication Settings tab.

Important - After you turn on Strong Authentication, wait one minute before you
initiate any client operations.
It takes time for the clients and the Endpoint Security Management Server to
synchronize. During this time, the environment remains unauthenticated, and
some operations fail. The exact amount of time depends on the Active Directory
scanner (see "Managing Active Directory Scanners" on page 457).

Step 3 of 3: Save Changes

After you finished configuring strong authentication for Active Directory, save your changes.
1. In Harmony Endpoint, go to the Policy tab.
2. On the Policy Toolbar, click Save All Changes.

UPN Suffixes and Domain Names

The User Principal Name (UPN) is the username in "email format" for use in Windows Active
Directory (AD). The user's personal username is separated from a domain name by the "@"
sign.

UPN suffixes are part of AD logon names. For example, if the logon name is
[email protected], the part of the name to the right of the ampersand is
known as the UPN suffix. In this case, ad.example.com
When you configure a new user account in AD, you are given the option to select a UPN suffix,
which by default will be the DNS name for your AD domain. It can be useful to have a selection
of UPN suffixes available. If your AD domain name is ad.example.com, it might be more
convenient to assign users a UPN suffix of example.com. To make additional UPN suffixes
available, you need to add them to AD.

Configuring Alternative Domain Names

When you configure Strong Authentication for Active Directory communication between the
Endpoint Security client and the Endpoint Security Management Server, you can configure
multiple UPN suffixes for the Active Directory domain name.

Harmony Endpoint EPMaaS Administration Guide | 476

Active Directory Authentication

To Configure Additional UPN Suffixes for Active Directory Authentication

1. In Harmony Endpoint, go to Endpoint Settings > Authentication Settings.
2. Click Add.
The New Authentication Principal window opens.
3. In the Domain name field, enter the alternative Active Directory domain name. For
example, if the previously configured domain name is nac1.com add an alternative
domain name such as ad.nac1.com
4. Configure the other fields with the same values as the previously configured
authentication settings:
n Principle Name
n Version Key
n Encryption Method
n Password
5. Click OK.
6. Go to the Policy tab and click Save All Changes.

Harmony Endpoint EPMaaS Administration Guide | 477

Active Directory Authentication

Troubleshooting Authentication in Client Logs

The authentication log file for each Endpoint Security client is located on the client computer:
%DADIR%\logs\Authentication.log

A normal log looks like this:

[KERBEROS_CLIENT(KerberosLogger_Events)] : Credentials acquired

for [email protected]
[KERBEROS_MESSAGE(KerberosLogger_Events)] : Message is Empty.
[KERBEROS_CLIENT(KerberosLogger_Events)] : Security context is not
yet established.continue needed.

n If the Authentication.log file on the client shows:

No authority could be contacted for authentication.

The Endpoint Agent cannot find a Domain Controller to supply credentials.

To fix this:
1. Make sure that the client is in the domain and has connectivity to your Domain
Controller.
2. To authenticate with user credentials, log off and then log in again.
To authenticate with device credentials, restart the computer.
n If the Authentication.log file on the client shows:

The specified target is unknown or unreachable.

Check the service name. Make sure that there are no typing errors and that the format is
correct.
If there was an error, correct it on the Check Point Endpoint Security Management
Server.

Harmony Endpoint EPMaaS Administration Guide | 478

Harmony Endpoint Logs

Harmony Endpoint Logs menu allows you to customize logs and views to effectively monitor all
your systems from one location.
From the New Tab Catalog, select what you want to show in this tab:

Catalog
Description
Item

Favorites Select one of the Logs or View that you marked with the Favorite icon ( )

Recent Select one of the Logs or Views that you opened recently

Shared Select a view that was shared with you

Logs Select one of the widgets with logs collected from all Harmony Endpoint
clients
Note - Though the interface shows support to export up to one million
logs, you can export a maximum of 10000 entries to a .csv file.

Views Select one of the Views with data from all available blades, services, and
applications

Reports Select one of the available reports

Note - For custom views and reports through SmartView, see the Logging and
Monitoring Administration Guide.

You can open as many tabs as you want providing they show different views.

Use the toolbar on the top to open views, create new views and reports, export them to PDF
and perform relevant actions.
See all collected logs in the Harmony Endpoint Logs view:

Harmony Endpoint EPMaaS Administration Guide | 479

Harmony Endpoint Logs

Use the time filter (1) and select the relevant options on the Statistics pane (3) to set specific
criteria and customize the search results. Alternatively, you can enter your query in the search
bar. For more details about the Query Language, see "Query Language Overview" on
page 481.

Item Description

1 Time period - Search with predefined custom time periods or define another time
period for the search.

2 Query search bar - Enter your queries in this field.

3 Statistics pane - Shows statistics of the events by Blades, Severity of the event
and other parameters.

4 Card - Log information and other details.

5 Results pane - Shows log entries for the most recent query.

6 Options - Hide or show a client identity in the Card, and export the log details to
CSV.

The information recorded in logs can be useful in these cases:

n To identify the cause of technical problems.
n To monitor traffic more closely.
n To make sure that all features function properly.

Note - You can forward logs to expansion (SIEM). For more information, see Event
Forwarding.

Harmony Endpoint EPMaaS Administration Guide | 480

Query Language Overview

A powerful query language lets you show only selected records from the log files, according to
your criteria.
To create complex queries, use Boolean operators, wildcards, fields, and ranges.
This section refers in detail to the query language.
When you use Harmony Endpoint to create a query, the applicable criteria appear in the Query
search bar.
The basic query syntax is:

[<Field>:] <Filter Criterion>

To put together many criteria in one query, use Boolean operators:

[<Field>:] <Filter Criterion> {AND | OR | NOT} [<Field>:] <Filter

Criterion> ...

Most query keywords and filter criteria are not case sensitive, but there are some exceptions.
For example, "source:<X>" is case sensitive ("Source:<X>" does not match).
If your query results do not show the expected results, change the case of your query criteria,
or try upper and lower case.

When you use queries with more than one criteria value, an AND is implied automatically, so
there is no need to add it. Enter OR or other boolean operators if needed.

Criteria Values
Criteria values are written as one or more text strings.
You can enter one text string, such as a word, IP address, or URL, without delimiters.
Phrases or text strings that contain more than one word must be surrounded by quotation
marks.
One-word string examples

n John
n inbound
n 192.168.2.1
n some.example.com

Harmony Endpoint EPMaaS Administration Guide | 481

Query Language Overview

n dns_udp

Phrase examples

n "John Doe"
n "Log Out"
n "VPN-1 Embedded Connector"

IP Addresses

IPv4 and IPv6 addresses used in log queries are counted as one word.
Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons.

Example:
n 192.0.2.1
n 2001:db8::f00:d

You can also use the wildcard '*' character and the standard network suffix to search for
logs that match IP addresses within a range.
Examples:
n src:192.168.0.0/16

Shows all records for the source IP 192.168.0.0 to 192.168.255.255 inclusive

n src:192.168.1.0/24

Shows all records for the source IP 192.168.1.0 to 192.168.1.255 inclusive

n src:192.168.2.*

Shows all records for the source IP 192.168.2.0 to 192.168.2.255 inclusive

n 192.168.*

Shows all records for 192.168.0.0 to 192.168.255.255 inclusive

Harmony Endpoint EPMaaS Administration Guide | 482

Query Language Overview

NOT Values
You can use NOT <field> values with Field Keywords in log queries to find logs for which the
value of the field is not the value in the query.

Syntax:

NOT <field>: <value>

Example:

NOT src:10.0.4.10

Wildcards
You can use the standard wildcard characters (* and ?) in queries to match variable
characters or strings in log records.
You can use more than the wildcard character.

Wildcard syntax:
n The ? (question mark) matches one character.
n The * (asterisk) matches a character string.

Examples:
n Jo? shows Joe and Jon, but not Joseph.
n Jo* shows Jon, Joseph, and John Paul.
If your criteria value contains more than one word, you can use the wildcard in each word.
For example, 'Jo* N*' shows Joe North, John Natt, Joshua Named, and so on.

Note - Using a single '*' creates a search for a non-empty value string. For example
asset name:*

Harmony Endpoint EPMaaS Administration Guide | 483

Query Language Overview

Field Keywords
You can use predefined field names as keywords in filter criteria.
The query result only shows log records that match the criteria in the specified field.
If you do not use field names, the query result shows records that match the criteria in all fields.
This table shows the predefined field keywords. Some fields also support keyword aliases that
you can type as alternatives to the primary keyword.

Keyword
Keyword Description
Alias

severity Severity of the event

app_risk Potential risk from the application, of the event

protection Name of the protection

protection_ Type of protection

type

confidence_ Level of confidence that an event is malicious

level

action Action taken by a security rule

blade product Software Blade

destination dst Traffic destination IP address, DNS name or Check

Point network object name

origin orig Name of originating Security Gateway

service Service that generated the log entry

source src Traffic source IP address, DNS name or Check Point

network object name

user User name

Harmony Endpoint EPMaaS Administration Guide | 484

Query Language Overview

Syntax for a field name query:

Where:
n <field name> - One of the predefined field names
n <values> - One or more filters
To search for rule number, use the Rule field name.
For example:

rule:7.1

If you use the rule number as a filter, rules in all the Layers with that number are matched.
To search for a rule name, you must not use the Rule field. Use free text.
For example:

"Block Credit Cards"

Best Practice - Do a free text search for the rule name. Make sure rule names are
unique and not reused in different Layers.

Examples:
n source:192.168.2.1
n action:(Reject OR Block)

You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you use fields with multiple values, you must:
n Write the Boolean operator, for example AND.
n Use parentheses.

Harmony Endpoint EPMaaS Administration Guide | 485

Query Language Overview

Boolean Operators
You can use the Boolean operators AND , OR, and NOT to create filters with many different
criteria.
You can put multiple Boolean expressions in parentheses.
If you enter more than one criteria without a Boolean operator, the AND operator is implied.
When you use multiple criteria without parentheses, the OR operator is applied before the
AND operator.

Examples:

n blade:"application control" AND action:block

Shows log records from the Application and URL Filtering Software Blade where traffic
was blocked.
n 192.168.2.133 10.19.136.101

Shows log entries that match the two IP addresses. The AND operator is presumed.
n 192.168.2.133 OR 10.19.136.101

Shows log entries that match one of the IP addresses.

n (blade: Firewall OR blade: IPS OR blade:VPN) AND NOT

action:drop

Shows all log entries from the Firewall, IPS or VPN blades that are not dropped.

The criteria in the parentheses are applied before the AND NOT criterion.
n source:(192.168.2.1 OR 192.168.2.2) AND destination:17.168.8.2

Shows log entries from the two source IP addresses if the destination IP address is
17.168.8.2.
This example also shows how you can use Boolean operators with field criteria.

Harmony Endpoint EPMaaS Administration Guide | 486

Exporting Logs

Exporting Logs
Check Point Log Exporter is an easy and secure method to export Check Point logs over
syslog. Log Exporter is a multi-threaded daemon service which runs on a log server. Each log
that is written on the log server is read by the Log Exporter daemon. It is then transformed into
the applicable format and mapping and sent to the end target.
For more information, see sk122323.

To export logs from Harmony Endpoint:

1. Go to Endpoint Settings > Export Events.

openssl pkcs12 -inkey cp_
client.key -in cp_client.crt -
export -out cp_client.p12

Note - The challenge phrase

used in this conversion is
required in the cp_client TLS
configuration.

3. Create a server (target) certificate

Step Description

1 Generate a server key:

openssl genrsa -out server.key
2048

2 Generate a server certificate sign request:

openssl req -new -key server.key
-out server.csr

3 Sign the certificate using the CA certificate files:

openssl x509 -req -in server.csr
-CA ca.pem -CAkey ca.key -
CAcreateserial -out server.crt -
days 2048 -sha256

Note - Some SIEM applications require the server certification to be

in a specific format. For more information, refer to SIEM Specific
Instructions section (sk122323).

Harmony Endpoint EPMaaS Administration Guide | 489

Exporting Logs

Sending Security Reports

You can send weekly and monthly security report to all the administrators by email. The
security report contains a summary of events detected and prevented by Harmony Endpoint.

To send weekly and monthly security reports to all administrators by email:

1. Click Endpoint Settings > General Settings:
n To send weekly reports, toggle Send weekly security report by email to all
administrators to ON.
n To send monthly reports, toggle Send monthly security report by email to all
administrators to ON.

Harmony Endpoint EPMaaS Administration Guide | 490

Performing Push Operations

Push operations are operations that the server pushes directly to client computers with no
policy installation required.

Note - If there is no response from the Endpoint Security client, the Push Operation
will time out after 24 hours. You must reinitiate the Push Operation.

To add a Push Operation:

1. Go to the Push Operation view and click Add.
2. Select the push operation and click Next.

Harmony Endpoint EPMaaS Administration Guide | 491

Performing Push Operations

Push
Category Windows macOS Linux
Operations

Anti-Malware Scan for Yes Yes Yes

Malware

Update Yes Yes Yes

Malware
Signature
Database

Restore Files Yes Yes Yes

from
Quarantine

Forensics and Analyze by Yes Yes No

Remediation Indicator

File Yes Yes Yes

Remediation

Isolate Yes Yes No

Uninstall Client Yes Yes No

Application Yes Yes No

Scan

Kill Process Yes Yes No

Remote Yes Yes Yes

Command

Search and Yes Yes No

Fetch files

Registry Yes No No
Actions

File Actions Yes Yes No

VPN Site Yes Yes No

Collect Yes No No
Processes

Run Yes Yes No

Diagnostics

3. Select the devices on which you want to perform the push operation.

Note - You can perform Run Diagnostics on only one device at a time.

4. Click Next.

Harmony Endpoint EPMaaS Administration Guide | 493

Performing Push Operations

5. Configure the operation settings.

Anti-Malware

2FA
Push Operations Description
Required

Scan for Malware Runs an Anti-Malware scan on the computer No

or computers, based on the configured
settings.

Update Malware Updates malware signatures on the computer No

Signature or computers, based on the configured
Database settings.

Restore Files Restores files from quarantine on the No

from Quarantine computer or computers, based on the
configured settings.

To restore files from quarantine:

a. In the Full Path field, enter the path to
file before it was quarantined including
the file name. For example,
c:\temp\eicar.txt
b. Click OK.

Forensics and Remediation

Push 2FA
Description
Operations Required

Analyze by Manually triggers collection of forensics No

Indicator data for an endpoint device that accesses
or executes the indicator. The indicator can
be a URL, an IP, a path, a file name or an
MD5.

Harmony Endpoint EPMaaS Administration Guide | 494

Performing Push Operations

Push 2FA
Description
Operations Required

File Quarantines malicious files and remediates No

Remediation them as necessary.

To move or restore files from quarantine:

a. Click and select the organization.
b. Click Update Selection.
c. Select the device and click Next.
d. Add Comment, optional comment
about the action.
e. To move the files to quarantine,
select Move the following files to
quarantine.
f. To restore the files from quarantine,
select Restore the following files to
quarantine.
g. Click .
h. From the drop-down:
i. Select Full file path or Incident
ID:
I. In the Element field, enter
the incident ID from the
Harmony Endpoint
Security client or enter the
incident UID for the
corresponding incident
from the Logs menu in the
Harmony Endpoint portal.
To obtain the incident
UID, open the log entry
and expand the More
section to view the
incident UID.
II. Click OK
ii. Select MD5 Hash:
I. Enter or upload the
Element.
II. Click OK.
i. Click Finish.

Harmony Endpoint EPMaaS Administration Guide | 495

Performing Push Operations

Push 2FA
Description
Operations Required

Isolate Makes it possible to isolate a specific No

Computer device that is under malware attack and
poses a risk of propagation. This action can
be applied on one or more devices. The
Firewall component must be installed on
the client in order to perform isolation. Only
DHCP, DNS and traffic to the management
server are allowed.

Release Removes device from isolation. This action No

Computer can be applied on one or more devices.

Agent Settings

Push 2FA
Operati Description Requi
ons red

Comment Optional comment about the action.

Select the Target endpoint or device where you want

deployment to install the Initial Client.
endpoint Caution - The target device must not
be the same as the source device.

Endpoint Select the Harmony Endpoint Security

version Client version to install onm the target
device.

Harmony Endpoint EPMaaS Administration Guide | 496

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Collect Collects CPInfo logs from an endpoint based on the configured No

Client settings.
Logs n For Windows, client logs are stored in the directory

C:\Windows\SysWOW64\config\systemprofile\CPInfo.
n For macOS, client logs are stored in the directory

/Users/Shared/cplogs.
Field Description

Comment Optional comment about the action.

Log set to Select the scope of information for the logs.

collect

Debug Info Select the location to upload the logs:

upload n Upload CPInfo reports to Check

Point servers
n Upload CPInfo reports to Corporate

server - Update the relevant corporate

server information.

Repair Repairs the Endpoint Security client installation. This requires No

Client a computer restart.
Note - This push operation applies only to Harmony
Endpoint Security clients that have been upgraded to a
newer version at least once after the installation.

Shutdo Shuts down the computer or computers based on the No

wn configured settings.
Comput
er

Restart Restarts the computer or computers based on the configured No

Comput settings.
er

Uninstal Uninstalls the Endpoint Security client remotely on the Yes

l Client selected devices. This feature is supported for E84.30 client
and above.

Harmony Endpoint EPMaaS Administration Guide | 497

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Applicat Collects all available applications in a certain folder on a set of No

ion devices and then adds them to the application repository of the
Scan "Application Control" blade on that specific tenant.

Kill Remotely kills/ terminate the processes. No

Process

Remote n Allows administrators to run both signed (introduced by Yes

Comma CP) and unsigned (ones the customer creates) scripts on
nd the Endpoint Client devices.
n Especially useful in a non-AD environment.
n Supplies tools/fixes to customers without the need to

create new EP client/server versions.

n Saves passwords securely when provided.

The Remote Command feature is supported only in

Windows clients running version E85.30 and above

Harmony Endpoint EPMaaS Administration Guide | 498

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Search Searches and uploads files to a server. Yes

and
Fetch Supported fields are:
files
Field Description

Comment Optional comment about the action.

Search and Fetch files

Locate the Searches for the files in the specified

Locate the Searches for the files in the specified path.

following files a. In the File table, click .
by exact path b. Enter the path where you ant to
search for the file and click OK.
c. Repeat the steps for additional
paths.

Files upload

Select the Select the checkbox to upload the files to a

Upload files to server.

Harmony Endpoint EPMaaS Administration Guide | 499

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Field Description

Corporate a. Specify these:

Server Info i. Protocol
ii. Server address
iii. Path on server
iv. Server fingerprint
b. If the server requires login to access
it, select the Use specific
credentials to upload checkbox, and
enter Login and Password.

Harmony Endpoint EPMaaS Administration Guide | 500

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Registry Add or remove a registry key. No

Actions
Supported fields:
Field Description

Comment Optional comment about the action.

Action Select an action.

n Add Key to Registry
n Remove Key From Registry

Caution - Removing a registry

might impact the endpoint's
operating system.

Add Key to Registry

Key Full path where you want to add the

registry key.
For example, Computer\HKEY_
LOCAL_
MACHINE\SOFTWARE\Citrix\Secure
Access Endpoint Analysis

Subkey Enter the key name to add in the

registry. For example, ProductVersion.

Value Type Select the registry type.

Value Enter the registry value.

Is redirected Indicates that virtualization is enabled

and add the registry to 32-bit. By default,
the registry is added for 64-bit.

Remove Key From Registry

Harmony Endpoint EPMaaS Administration Guide | 501

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Field Description

Key Full path of registry key that you want to

delete.
For example, Computer\HKEY_
LOCAL_
MACHINE\SOFTWARE\Citrix\Secure
Access Endpoint Analysis
Caution - Removing a registry might
impact the endpoint's operating system.

Subkey Enter the key name to remove from the

registry. For example, ProductVersion.

Is redirected Indicates that virtualization is enabled

and delete the registry in 32-bit. By
default, the registry is deleted for 64-bit.

To change the working hours to allow the Anti-Malware

signature updates on a DHS compliant Endpoint Security
client, see sk180559.

Harmony Endpoint EPMaaS Administration Guide | 502

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

File Copy, move or delete the file or folder. No

Actions Supported fields:

Note - The folder actions are supported only with the

Endpoint Security Client version 87.20 and higher.
Field Description

Comme Optional comment about the action.

Action Select an action.

n Copy File
n Move File
n Delete File

Caution - Deleting a file might impact

Harmony Endpoint's protected files.

Copy File

File path Full path of the file or folder you want to copy,
including the file or folder name.
Example:
n For File - C:\Users\<user_

name>\Desktop\test.doc
n For Folder - C:\Users\Username\Desktop\

Harmony Endpoint EPMaaS Administration Guide | 503

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Field Description

Target Full path where you want to paste the file or

file path folder.
Example:
n For File - C:\Users\<user_

name>\Documents
n For Folder - C:\Users\Username2\

Notes:
n The file or folder name you specify is

used to rename the copied file.

n If you provide the folder path only, the

file is copied with the original file

name.
n If the file or folder already exists, the

file is not overwritten and the

operation fails.
n If the file path or target folder does not

exist, it is created during the

operation.

Move File

File path Full path of the file or folder you want to move,
including the file or folder name.
Example:
n For File - C:\Users\<user_

name>\Desktop\test.doc
n For Folder -

C:\Users\Username>\Desktop\

Harmony Endpoint EPMaaS Administration Guide | 504

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Field Description

Target Path where you want to move the file or folder.

file path Example:
n For File - C:\Users\<user_

name>\Documents
n For Folder -

C:\Users\Username1\Documents\
Notes:
n If you provide the full file path, the is

moved with the specified name.

n If you provide the folder path only, the

file is moved with the original file

name.
n If the file or folder already exists, the

file or folder is not overwritten and the

operation fails.
n If the file path or target folder does not

exist, it is created during the

operation.

Delete File

File path Full path of the file you want to delete, including
the file name.
For example, C:\Users\<user_
name>\Desktop\test.doc

Caution - Deleting a file might impact

Harmony Endpoint's protected files.
Note - Delete folder action is not
supported.

Harmony Endpoint EPMaaS Administration Guide | 505

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

VPN Adds or removes a VPN site. No

Site
Limitations:
n This is supported only with the Windows Endpoint

Security client.
n You cannot create separate VPN sites for each user that

access the endpoint. The same VPN site applies to all

users.
n SoftID and challenge-response authentication methods

are not tested.

n The system does not validate the entries (for example,

Server Name or Fingerprint) that you specify.

n Only one fingerprint operation is supported at a time.
n You cannot add a new VPN site or remove a VPN site if a

VPN site is already connected in the Harmony Endpoint

client. Disconnect the VPN site before you add a new
VPN site.
n This operation is not supported if the firewall policy for

the client is configured through the on-premise Security

Gateway (Policy > Data Protection > Access &
Compliance > Firewall > When using Remote Access,
enforce Firewall Policy from is Remote Access
Desktop Security Policy). To enable the operation on
such a client:
a. In the Security Gateway, change the parameter
allow_disable_firewall to true in the
$FWDIR/conf/trac_client_1.ttm file.
b. Install the policy on the Security Gateway.
c. Reboot the Harmony Endpoint client.
d. Perform the push operation.
Note - If the operation fails with timeout, see sk179798 for
troubleshooting instructions.

Supported fields:
Field Description

Comment Optional comment about the action.

Harmony Endpoint EPMaaS Administration Guide | 506

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Field Description

Action Select an action:

n Add VPN Site
n Remove VPN Site

Add VPN Site

Server Enter the IP address or FQDN of the remote

Name access gateway.
Note - Ensure the endpoint can resolve the
FQDN to the IP address of the gateway.

Use Select the checkbox if you want to change the

Custom display name of the server in the Harmony
Display Endpoint client.
Name

Display Server name displayed in the Harmony

Name Endpoint client. By default, it uses the Server
Name.
To change the display name ,elect the Use
Custom Display Name checkbox and enter a
display name.

Use Select the checkbox if you want to use a

Custom custom login option.
Login
Option

Harmony Endpoint EPMaaS Administration Guide | 507

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Field Description

Login Login option for the server. By default,

Option Standard login option is selected.
To use a custom login option, select Use
Custom Login Option checkbox, and enter the
login option. This must match the Display
Name specified in the GW properties > VPN
Clients > Authentication > Multiple
Authentication Clients Settings in the
SmartConsole. For example, SAML IDP.

For the Standard login option, make sure that

the Authentication Method is Defined on User
Record (Legacy). Otherwise, Standard: does
not need authentication method error
appears.

Harmony Endpoint EPMaaS Administration Guide | 508

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Field Description

Authentic Select an authentication method.

ation The options displayed depend on the Login
Method Option.
Authentication methods for the Standard login
option:
n username-password
n certificate (for a certificate stored in the

CAPI store)
n p12-certificate
n securityIDKeyFob
n securityIDPinPad
n SoftID (not tested)
n challenge-response (not tested)

Authentication methods for the custom login

option:
n Select certificate from hardware or

software token (CAPI)

n Use certificate from Public-Key

Cryptographic Standard (PKCS #12)

file
n Other

Note - Select the relevant certificate

authentication method if your custom login
uses a certificate. Otherwise, select Other.

Harmony Endpoint EPMaaS Administration Guide | 509

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Harmony Endpoint EPMaaS Administration Guide | 510

Performing Push Operations

Push 2FA
Operati Description Requi
ons red

Collect Collects information about the process running on the No

Process endpoint.
es
Supported fields:
Field Description

Comment Optional comment about the action.

Collect all Collects information about all the

processes processes running on the endpoint.

Collect Collects information about a specific

process by process on the endpoint.
name

Process Enter the process name. Case-sensitive.

name

Additional Select the additional information you want

output fields to view in the collected information.

Run Runs diagnostics on an endpoint to collect this information:

Diagno n Total CPU and RAM usage in the last 12 hours.
stics n CPU usage by processes initiated in the last 12 hours.

For example, the CPU used by Anti-Malware to scan

files.
You can review the CPU usage data to identify
processes (scans) that consume CPU more than the
specified threshold and exclude such processes from
future scans.
Note - This is supported with Endpoint Security
client version E86.80 and higher.
Warning - Only exclude a process if you are sure
that the file is not malicious and is not vulnerable to
cyber-attacks.
To view the latest diagnostics report, see "Show Last
Diagnostics Report" on page 186.

6. Under User Notification:

Harmony Endpoint EPMaaS Administration Guide | 511

Performing Push Operations

n To notify the user about the push operation, select the Inform user with
notification checkbox.
n To allow the user to post pone the push operation, select the Allow user to
postpone operation checkbox.
7. Under Scheduling:
n To execute the push operation immediately, click Execute operation immediately.
n To schedule the push operation, click Schedule operation for and click to select
the date.
8. Specify the duration after which the system automatically terminates the unexecuted
push operation (For example, if the Endpoint client is offline):
n 7 days
n Custom
n Never
9. For Push Operations that support 2FA authentication, you are prompted to enter the
verification code.
If you have not enabled 2FA authentication, a prompt appears to enable 2FA
authentication:
n To enable 2FA authentication for your profile, click Profile Setting, and follow the
instructions. For more information, see Infinity Portal Administration Guide.
n To enable 2FA authentication for the current tenant, click Global Settings, and
follow the instructions. For more information, see Infinity Portal Administration
Guide.
10. Click Finish.

11. View the results of the operations on each endpoint in the Endpoint List section (in the
Push Operations menu) at the bottom part of the screen.

Harmony Endpoint EPMaaS Administration Guide | 512

Performing Push Operations

Certificate Management
Certificate Management allows you to use your certificates to sign the export package. By
default, Check Point certificate is used.

To add a new certificate:

1. Go to Endpoint Settings > Certificate Management.
2. Click .

The New Certificate window appears.

3. Click Browse and select the certificate.

4. (Optional) In the Comments field, enter a comment.

5. Click Save.

6. To delete a certificate, click and then Delete.

Harmony Endpoint EPMaaS Administration Guide | 513

Forensics Data

Forensics Data
Harmony Endpoint collects forensics data from endpoints that you can export to a data
analytics tool for analysis and create policies accordingly to prevent attacks. For more
information on forensics, see Automated Attack analysis.
You can perform following actions with the forensics data:
n Exporting to Check Point's Threat Hunting
n "Sending Forensics Data to Third-Party Analytics Tool" on page 522
n "Downloading Forensics Reports" on page 522

Note - Harmony Endpoint exports the forensic data only in the JSON format. Make
sure that the third-party data analytics tool accepts the data in the JSON format.

Threat Hunting
Threat Hunting is an investigative tool which allows for advanced querying on all malicious and
benign forensics events collected from the organization's endpoints with Harmony Endpoint
installed.

The information collected lets you to:

n Investigate the full scope of an attack.
n Discover stealth attack by observation of a suspicious activity.
n Remediate the attack before it causes further damage.

Harmony Endpoint EPMaaS Administration Guide | 514

Forensics Data

n Proactively hunt for advanced attacks by searching for anomalies, and using hunting
leads and enrichment.
Threat Hunting supports:
n Data collection and enrichment - All events are collected through multiple sensors and
sent to a unified repository and enhanced by ThreatCloud, MITRE mapping and alerts
from all the prevention engines.
n Rich toolset for custom queries, drill down and pivoting to suspicious activity.
n Predefined queries and a MITRE dashboard which map all activity and allow a quick start
to proactive hunting.
n Remediation actions per result or a bulk operation integrated in the Threat Hunting flow
(such as file quarantine and kill process).

The data is saved for 7 days, unless you purchased an extended retention license.

Supported Regions
Threat Hunting is supported only for the Infinity Portal tenants (accounts) residing in these
regions:
n Australia
n EU
n India
n United Kingdom
n United Arab Emirates
n US

Supported Versions
n Endpoint Security Client version E84.10 and higher.
n Management version:
l Cloud-only, web management.
l On-premises Management Server - R80.40 and higher.

Enabling Threat Hunting

By default, Threat Hunting is disabled in Harmony Endpoint.

Harmony Endpoint EPMaaS Administration Guide | 515

Forensics Data

To enable Threat Hunting:

1. Go to Policy > Policy Capabilities.
2. Click the Analysis & Remediation tab.
3. From the Enable Threat Hunting list, select On.
4. Click Save & Install.
5. After the policy is pushed to the agents, wait a few minutes until data is sent by the
agents.
Then you can go to the Threat Hunting view to start searching through events.

Using Threat Hunting

Item Description

1 Last Day - Time filter for the query. Users can choose between Last Day, Last
2 Days, Last Week and a Custom time period.

2 Process - Refine your query results according to the activity type.

3 Let the hunt begin - Click + and define the values to search in the logs. You
can add multiple values and fields at a time.

4 Menu for predefined queries.

Harmony Endpoint EPMaaS Administration Guide | 516

Forensics Data

Item Description

5 Predefined - Check Point's predefined queries, divided by category.

Note - Leads in Detections, Leads and Alerts are lead detections or
signatures. If an incident is raised under this category, the term Lead. is
prefixed to its protection name. For example,
Lead.Win.BrwsrPassThft.B. It does NOT indicate an attack and we
recommend that you ignore these incidents.
This is used by Check Point to analyze if a protection has to be developed.
For example, create a new signature.

6 MITRE ATT&CK - Shows the MITRE ATT&CK framework of tactics and

techniques. Each technique includes one or more queries, pre-defined by
Check Point Research.

7 Bookmarks - Shows the custom queries saved as bookmarks, either as global

(available for all users in the account) or private (available only for the user).
Users can also define email notifications for these saved queries, currently
limited to 10. For more information, see "Saving a Query as a Bookmark" on
page 520.

8 History - See all the queries that you used.

9 Settings - Change the UI look and feel.

To hunt for threats, you can use predefined queries or by proactively creating your own
queries.
n To use predefined queries:
1. Go to Predefined Hunting Queries or

Click the icon next to the search box and select Predefined.

You can quickly find all active attacks and browse through different malicious
events detected by Endpoint clients.

Harmony Endpoint EPMaaS Administration Guide | 517

Forensics Data

2. Click the icon next to the search box and select MITRE ATT&CK.

The MITRE ATT&CK dashboard provides real-time visibility on all the techniques
observed by Harmony Endpoint across your endpoints. It maps all raw events to
MITRE Tactics, Techniques, and Procedures (TTPs) regardless of status.
The MITRE ATT&CK dashboard is divided into 12 categories and each category is
a stage in an attack. Each category includes multiple attack techniques.

When you click a technique, a window opens with an explanation about the
technique and a list of predefined queries. Run a query to get a list of the events in
which the specific technique implementation was used.

n To search for specific events by proactively creating your own queries:

Harmony Endpoint EPMaaS Administration Guide | 518

Forensics Data

1. Go to Threat Hunting.
2. Click the + sign next to Let the hunt begin.
3. From the Indicator list, select the filter.
4. From the Operator list, select the condition.
5. In the Add a single value field, enter a value for the indicator.

6. Click Add.
It shows the search results in a timeline. The timeline provides behavioral insights
that indicate anomalies or attacks.
7. To add another filter to the same query, repeat steps 2 to 6.

Note - If you have multiple filters, the system applies the logical AND
operator between the filters.

8. To filter events based on the timeline, click the required hexagon.

It shows detailed information about the event, together with intelligent enrichment,
such as attack classification, malware family and MITRE technique details.

9. To create a bookmark for a query, see "Saving a Query as a Bookmark" on the next
page.
10. You can also filter the results by date and process.
11. To take remediation action for the filtered results, click Actions and choose any of
these:
l Terminate Process
l Quarantine File
l Trigger Forensic Analysis
l Isolate Machine
12. To export the results to a CSV file, click Actions > Export to CSV.

Harmony Endpoint EPMaaS Administration Guide | 519

Forensics Data

Saving a Query as a Bookmark

You can add filters to a query and save it as a bookmark. You can also send email notifications
to users if Threat Hunting activity matches the query.

To save a query as a bookmark:

1. Create a query.
2. Click from the top right corner of the page.

The Create Shared/Private Bookmark pop-up appears.

3. To make the bookmark public, select Shared - available to all system users.
4. To make the bookmark private, select Private - available only to you.
5. In the Name field, enter a query name.
6. From the Importance list, select an importance level for the query detection.

Harmony Endpoint EPMaaS Administration Guide | 520

Forensics Data

7. In the Select or create tag name field, enter the tag name or select the tag name if
available.
Tags create folders to store bookmarked queries.
8. In the Description field, enter a description for the bookmark.
9. To send email notifications if new activity matches the bookmarked query, select Send
E-mail notifications to mailing list for any new hits checkbox.
Infinity XDR/XPR sends email notifications to the recipients added to the Threat Hunting
Notifications page.
10. Click Save.

To add recipients to Threat Hunting email notifications:

1. Go to Threat Hunting.

2. Click the icon next to the search box and select Notifications.

3. From the Recipients list, select the users or enter the email address.

Use Case - Maze Ransomware Threat Hunting

You want to investigate the maze ransomware attack. You read about it in the internet and you
are afraid it may already have infiltrated your organization.
1. In the MITRE ATT&CK website: Search for Maze ransomware.

2. From the list of techniques that Maze ransomware uses, select the applicable technique.
For example: Windows Management Instrumentation

3. From the Infinity Portal > Threat Hunting, click the icon on the right side of the search
box, and go to MITRE ATT&CK.
4. In the MITRE ATT&CK dashboard, search for the technique you copied from the Maze
website.
5. Click the technique to see all the events in your organization in which this technique was
used.

Harmony Endpoint EPMaaS Administration Guide | 521

Sending Forensics Data to Third-Party Analytics Tool

Sending Forensics Data to Third-Party Analytics

Tool
You can send the forensics data to a third-party data analytics tool, such as Elastic that
accepts the data in the JSON format.

To send forensics report to the Third-Party analytics tool:

1. Navigate to Threat Prevention > Manage > Manage Data Tube.
2. In the URL field. enter the URL of the third-party data analytics tool.

Note - Harmony Endpoint does not support to enter user credentials for the
third-party analytics tool for authentication.

3. Click Save.
The system applies the policy to all endpoints.
Endpoints send the forensic data in JSON format to the third-party data analytics tool.

Downloading Forensics Reports

The Forensic Report shows a comprehensive analysis of the entire sequence of an attack, as
analyzed by the Forensics software blade in Harmony Endpoint.

It provides information about attacks and suspicious behavior. The report includes:
n Entry Point - How did the suspicious file enter your system?
n Business Impact - Which files were affected and what was done to them?
n Remediation - Which files were treated and what is their status?
n Suspicious Activity - What unusual behavior occurred that is a result of the attack?
n Incident Details - A complete visual picture of the paths of the attack in your system.

To download the forensics report of an event:

1. Go to Logs and from the New Tab Catalog, select Logs.
2. Expand the Statistics pane and in the Blade section, select Forensics. For more
information, see "Harmony Endpoint Logs" on page 479 .

Harmony Endpoint EPMaaS Administration Guide | 522

Sending Forensics Data to Third-Party Analytics Tool

Note - To search the Forensics event using the machine name, enter the
machine name in the search field and click Enter.

3. From the list, double-click the event for which you want to download the report.
The Card window with the log details appears.
4. Scroll-down to Forensics Report section and click Download the Forensics Report.

Note - To view the Forensics Report without downloading, click Open the
Forensics Report.

The report file is downloaded to the computer in the JSON format.

Harmony Endpoint EPMaaS Administration Guide | 523

Two-Factor Authentication

Two-Factor Authentication
Check Point recommends you to configure two-factor authentication for Harmony Endpoint. To
configure, see Two-Factor Authentication.

Harmony Endpoint EPMaaS Administration Guide | 524

Harmony Endpoint for Linux

This chapter describes the installation and use of Harmony Endpoint in Linux operating
systems.

Harmony Endpoint EPMaaS Administration Guide | 525

Harmony Endpoint for Linux Overview

By default, this list contains Symantec, McAfee, and Kaspersky.
Check Point Harmony Endpoint for Linux protects Linux Endpoint devices from malware, and
provides Threat Hunting / Endpoint Detection and Response capabilities.
For supported Linux versions and limitations, see sk170198.

Key Threat Prevention technologies:

Technology Description

Anti-Malware Harmony Linux Anti-Malware engine detects trojans, viruses, malware,

and other malicious threats.
The engine is implemented as a multi-threaded flexible scanner
daemon. It is managed centrally through a web-console.
In addition, it supports command line utilities for on-demand file scans,
access functionality, and automatic signature updates.

Threat Hunting / An Endpoint Linux device deployed with Harmony Linux, constantly
Endpoint updates Check Point Cloud with Indicator of Compromise (IoC) and
Detection and Indicator of Attack (IoA) events.
Response The Threat Hunting technology lets the user proactively search for cyber
(EDR) threats that made it through the first line of defense to the Linux Endpoint
device.
Threat Hunting uses advanced detection capabilities, such as queries
and automation, to find malicious activities and extract hunting leads of
data.

Behavioral Dynamic analysis of malwares executed on the Endpoint Client, based

guard on the behavioral patterns of many types of attacks, such as
ransomwares, cryptominers and trojans.

Prerequisites
n Available Internet access for the protected device.
n For RHEL/CentOS, it is necessary to have access to EPEL (Extra Packages for
Enterprise Linux) repository.
n If the device has no internet access, you must enable access to certain URLs. For more
information, see sk116590.

Harmony Endpoint EPMaaS Administration Guide | 526

Harmony Endpoint for Linux Overview

Minimum Hardware Requirements

n x86 processor, 64-bit (32-bit is not supported)
n 2 GHz Dual-core CPU
n 4 GB RAM
n 10 GB free disk space

Harmony Endpoint EPMaaS Administration Guide | 527

Deploying Harmony Endpoint for Linux

This section explains how to install Harmony Endpoint on Linux operating systems for
Endpoint cloud users.

To install Harmony Endpoint for Linux for Endpoint Cloud Users:

1. Navigate to Policy > Export Package
2. Download the Linux installation script:
3. Copy/Download the installation script to the target device. Run one of these options:
n To allow execution permission to the file, run:

chmod +x ./<Name of Install Script>

n To deploy both Anti-Malware and Threat Hunting, run:

sudo ./<Name of Install Script> install

n To deploy Anti-Malware only, run:

sudo ./<Name of Install Script> install --product am

n To deploy Threat Hunting only, run:

sudo ./<Name of Install Script> install --product edr

n To deploy Behavioral Guard only, run:

sudo ./<Name of Install Script> install --

product bg

Harmony Endpoint EPMaaS Administration Guide | 528

Deploying Harmony Endpoint for Linux

n To enable the Threat Hunting function, make sure that Threat Hunting is enabled in
the applicable policy rule. Navigate to Policy > Threat Prevention > Analysis &
Remediation and ensure Threat Hunting is set to ON.
Notes:
l If Strong/Kerberos authentication is enabled, then HTTP 401 is in the
/var/log/checkpoint/cpla/cpla.log.
l It is necessary to put the keytab file used for authentication set up in the file
/var/lib/checkpoint/cpmgmt/auth.keytab (the file is generated by the ktpass
utility).

sudo ./<install script name> install --product edr

Harmony Endpoint EPMaaS Administration Guide | 529

Harmony Endpoint for Linux CLI Commands

Help & Information Commands

To show a list of all the help commands with their descriptions, run:

cpla --help

To show the help for available Anti-Malware commands, run:

cpla am --help

To show information about the product and the security modules installed (Anti-Malware,
EDR) run:

cpla info

To show the information about the installed Anti-Malware module, run:

cpla am info

To show the help for available commands for the installed EDR module, run:

cpla bg --help

To show information about the installed EDR, run:

cpla edr info

To show the help for available Behavioral Guard commands, run:

cpla bg--help

To show information about the installed Behavioral Guard, run:

cpla bg info

Harmony Endpoint EPMaaS Administration Guide | 530

Harmony Endpoint for Linux CLI Commands

Quarantine Commands

To see a list of all current quarantined files, run:

cpla am quarantine list

To add a file to quarantine, run:

sudo cpla am quarantine add <path_to_file>

To remove a file from quarantine, and restores the file to its original place, run:

sudo cpla am quarantine restore <path_to_file>

To show the help for available Anti-Malware quarantine commands, run:

cpla am quarantine --help

Scans & Detections

To trigger a scan of files in the provided path by the Anti-Malware module, run:

cpla am scan <path_to_scan>

To show detections of Anti-Malware, run:

cpla am detections
Note - To limit the number of detections displayed, use the parameter --limit
<number_of_detections>. Default is 100.

To show the latest detections of Behavioral Guard, run:

cpla bg detections
Note - To limit the number of detections displayed, use the parameter --limit
<number_of_detections>. Default is 100.

Logs

To collect the logs of the product:

cpla collect-logs

Harmony Endpoint EPMaaS Administration Guide | 531

Harmony Endpoint for Linux CLI Commands

Note - When you use this command, it prepares a Zip file which you can send to the
support manually.

Uninstall Harmony Endpoint for Linux

To uninstall Harmony Endpoint from Linux, run:

sudo ./ <install script name> uninstall

To uninstall EDR only, run:

sudo ./ <install script name> uninstall --product edr

To uninstall BG only, run:

sudo ./ <install script name> uninstall --

product bg

Harmony Endpoint EPMaaS Administration Guide | 532

Harmony Endpoint for Linux Additional Information

Harmony Endpoint for Linux Additional

Information
n After the first installation, wait two to three minutes for the Anti-Malware service to
complete the signature package. When complete, the service button shows as running
mode. This procedure take up to 15 minutes, depending on your network connectivity.
n For information about Threat Hunting, go to the Threat Hunting tab. Threat Hunting lets
you threat hunt files, processes, and domains accessed by the protected Virtual
Machines.

Best Practice - We recommend that you remove any other 3rd party Anti-
Malware solution before you install Harmony Endpointfor Linux.

Harmony Endpoint EPMaaS Administration Guide | 533

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Harmony Endpoint for Windows

Virtual Desktop Infrastructure
(VDI)
Virtual Desktop Infrastructure (VDI) is the technology to create and manage virtual desktops.
VDI is available as a feature in Check Point's Endpoint Security Client releases.
n VMware Horizon is supported in E81.00 (and higher) for Persistent Mode and as a
feature on E83.10 (and higher) for Non-Persistent Mode.
n Citrix XenDesktop is supported in E84.20 (and higher).

A virtual machine monitor (the hypervisor) controls the virtual machine that creates the virtual
desktops. All the activity on the deployed virtual desktops occurs on the centralized server.
The "Golden Image" is the base ("Master") desktop image and the model for clone images.
Desktop Pools define the server resources for the virtual desktops and solutions to hold the
latest Anti-Malware signatures on all the virtual desktops.
Virtual desktop software applications support two modes.
n Persistent Mode:
l Each user has a single specific desktop for their solitary use.
l Each user's desktop retains data on the desktop itself between logins and reboots.
l The user's machine is not "refreshed" for other users.
n Non-Persistent Mode:
l Each user has a desktop from a pool of resources. The desktop contains the user's
profile.
l Each user's desktop reverts to its initial state when the user logs out.
l The user's machine is fresh in each instance.

Important - Non-Persistent virtual desktops access Anti-Malware signatures in a

shared folder in the Shared Signatures Solution.

The tested versions are:

n VMware Horizon 7 version 7.6 and 7.10 (E81.00 for Persistent Mode, E83.10 for Non-
Persistent Mode)
n VMware Horizon 7 version 7.13 (E86.60 for both Persistent Mode and Non-Persistent
Mode)

Harmony Endpoint EPMaaS Administration Guide | 534

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

n VMware Horizon 8 version 8.3 (E86.60 for both Persistent Mode and Non-Persistent
Mode)
n Citrix Virtual Apps and Desktops 7 1912
The software environments between and after these versions should work. Earlier versions
may work. Contact Check Point Support for assistance with earlier versions.

Important - AD Scanner feature must be enabled in VDI environments.

Minimal Requirements for Virtual Machines:

For information on minimal requirements for virtual machines, see Client Requirements.

Configuring Clients for Persistent Desktops

Software Blades for Persistent Desktops
Persistent virtual desktops have the same Endpoint Security client capabilities as non-virtual
desktops.

Creating a Basic Golden Image for Persistent Desktops

See "Basic Golden Image Settings" on page 546 for the procedure to create a basic golden
image.

Harmony Endpoint EPMaaS Administration Guide | 535

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Client Machine Configuration for Persistent Desktops

Configurations for client machines are part of the creation of the Golden Image.
We recommend that you disable Periodic Scan to avoid "Scan Storms".
"Anti-Malware Scan Storms" can occur when anti-virus scans run at the same time on multiple
virtual machines on the same physical server. A degradation of system performance is
possible that can affect disk I/O and CPU usage.

Setting up the Client Machine for Persistent Desktops

1. Disable the Anti-Malware Periodic Scan.
See "Appendix" on page 549.

2. If you did not disable the Anti-Malware Periodic Scan, then enable the Anti-Malware
Randomized Scan.
Procedure

a. From the left navigation panel, click Policy.

b. In the left pane, click Threat Prevention.
c. In the policy, click the applicable rule.
d. In the right pane, click the Web & Files Protection tab.
e. Scroll down and click the Advanced Settings button.

f. From the left tree, click Files Protection > Scan.

g. Select Randomize scan time.

Note - On the VDI environment, you can configure Harmony Endpoint

to randomize the Periodic Scan according to the scanning period. For
example, if the Scan Periodic is set as Every Week, Harmony
Endpoint further randomizes the scan within the week.

h. Configure the applicable schedule.

i. Click OK.
j. At the bottom, click Save.
k. At the top, click Install Policy.

Creating a Pool for Persistent Desktops

Best Practice - We recommend to use a different naming pattern for each machine in
each pool.

Harmony Endpoint EPMaaS Administration Guide | 536

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

VMware Horizon Key Points

This procedure is mandatory to create supported Horizon pools for Persistent Virtual
Desktops.
Procedure

1. In VMware Horizon, select Automated Desktop Pool in the Type panel of Add
Desktop Pool.

2. In the User Assignment panel, select Dedicated.

Check Enable automatic assignment.

Harmony Endpoint EPMaaS Administration Guide | 537

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

3. In the vCenter Server panel, select Instant Clones or View Composer Linked Clone.
Full Clones are not currently supported.

4. In Guest Customization panel, select Allow reuse of pre-existing computer

account.

Citrix XenDesktop Key Points

n When you select the Operating System type, use Single-Session OS.
n When you select User Experience, use a dedicated desktop experience.

Harmony Endpoint EPMaaS Administration Guide | 538

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configuring Clients for Non-Persistent Desktops

General

The Solution:
n One or more Signature Servers responsible to store the latest Anti-Malware signatures in
a shared location.
n Many specially configured clients that load signatures from the shared folder.
n If the shared signatures server is not available, the client uses signatures from the
golden image.

Note - All endpoints connected to the Shared Signature Server must be on the same
domain.

Harmony Endpoint EPMaaS Administration Guide | 539

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Recommended Steps:
1. Configure a signature server machine.
2. Configure a client machine (golden image).
3. Create a test pool.
4. Deploy the production pool.

Shared Signatures Server

A Shared Signatures Server:
n Installs as a regular Endpoint Security Client and becomes a "signature server" later.
n Responsible for holding the latest Anti-Malware signatures.
The signatures store in a read-only shared folder and update according to policy.
n Must run on a persistent virtual machine, preferably on the same storage as the clients.
n Must connect to the Internet to update signatures.

Harmony Endpoint EPMaaS Administration Guide | 540

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configuring the Signatures Server

For the Endpoint Security Clients version E84.20 (and higher), you can configure the
Signature Server with a policy.
Procedure

1. Create a new Virtual Group.

2. Assign a Golden Image machine to the new group.
3. From the left navigation panel, click Policy.
4. In the left pane, click Threat Prevention.
5. In the policy, clone the applicable Threat Prevention rule.

6. Assign the new Threat Prevention rule to the new Virtual Group.
7. In the right pane, click the Web & Files Protection tab.
8. Scroll down and click the Advanced Settings button.
9. From the left tree, click Files Protection > Signature.
10. In the Shared Signature Server section, select the “Set as shared signature server”
and enter the local path of the folder.
Example: C:\Signatures

Note - If the folder does not exist, the endpoint creates it automatically.

11. Configure the applicable frequency in the Frequency section.

12. Click OK.

13. At the bottom, click Save.

14. At the top, click Install Policy.

Setup Validation
Wait 20 minutes to make sure:
n Anti-Malware Signatures version is current.
n Shared Signatures folder exists with Anti-Malware signatures.
Important - If the folder is empty, the setup is not valid.

Harmony Endpoint EPMaaS Administration Guide | 541

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Client Machine Configuration for Non-Persistent Desktops

Creating a Basic Golden Image for Non-Persistent Desktops
See "Basic Golden Image Settings" on page 546 for the procedure to create a basic golden
image.

Configuring the Client Machine

For the Endpoint Security Clients version E84.20 (and higher), you can configure up the client
machines (the golden image) by policy.
1. Disable the Anti-Malware Periodic Scan.
See "Appendix" on page 549.

2. Configure signature source for the VDI client.

Procedure

a. Create a new Virtual Group.

b. Assign a Golden Image machine to the new group.
c. From the left navigation panel, click Policy.
d. In the left pane, click Threat Prevention.
e. In the policy, clone the applicable Threat Prevention rule.
f. Assign the new Threat Prevention rule to the new Virtual Group.

g. In the right pane, click the Web & Files Protection tab.
h. Scroll down and click the Advanced Settings button.

i. From the left tree, click Files Protection > Signature.

j. In the Shared Signature Server section, enter the UNC of the shared folder.
Example: \\192.168.18.5\Signatures
k. Configure the applicable frequency.
l. Click OK.
m. At the bottom, click Save.
n. At the top, click Install Policy.

Important:
n When you apply VDI settings through Policy to Golden Image, you must apply
VDI settings through Policy to cloned Virtual Machines.

Harmony Endpoint EPMaaS Administration Guide | 542

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Post Setup Actions

n Make sure the Shared Signatures folder is accessible from the golden image and the
folder has signatures.
n Make sure the Anti-Malware signatures are current.
n Scan for malwares with the latest signatures.

Creating a Pool for Non-Persistent Desktops

Note - Check Point recommends that each created pool will use a different machine
naming pattern. This will prevent situations where Management Server has duplicate
machine entries from different pools.

VMware Horizon Key Points

This procedure is mandatory to create supported Horizon pools for Non-Persistent Virtual
Desktops.
Procedure

1. In VMware Horizon, choose Automated Desktop Pool in the Type panel of Add
Desktop Pool.

Harmony Endpoint EPMaaS Administration Guide | 543

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

2. In the User Assignment panel, choose Floating.

3. In the vCenter Server panel, choose Instant Clones or Linked Clones.

4. In the Guest Customization panel, select Allow reuse of pre-existing computer

account.

Citrix Xen-Desktop Key Points

n When you select the Operating System type, use Single-Session OS.
n When you select the User Experience type, use a non-dedicated desktop experience.

Harmony Endpoint EPMaaS Administration Guide | 544

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Pool Validation
Access a few cloned machines and make sure that:
n Machines connect to the Endpoint Security Management Server.
n Applicable Software Blades run.
n Anti-Malware Signatures are current.
n Machines appear on the Server User Interface.

Disabling the Anti-Malware Periodic Scan

"Anti-Malware Scan Storms" can occur when several anti-virus scans run simultaneously on
multiple virtual machines on the same physical server. In such situation, a degradation of
system performance is possible, which can affect disk I/O and CPU usage. It is then
recommended that you disable the Anti-Malware periodic scan:
1. Go to the Policy Page.
2. In the right pane, click the Web & Files Protection tab.
3. Scroll down and click the Advanced Settings button.
4. From the left tree, select Files Protection > Scan.
5. In the Perform Periodic Scan Every field, select Never.

Software Blades for Non-Persistent Desktops

The Endpoint Security client capabilities for non-persistent virtual desktops are:
n Anti-Malware
l Fully supported when configured with the Shared Signatures Server.
n Compliance, Firewall and Application Control, Remote Access VPN, and URL
Filtering
l Fully supported.
n Forensics
l Partially supported.
o The Forensics database contains data for the current session.
o Forensics Reports generate as usual.

Harmony Endpoint EPMaaS Administration Guide | 545

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

n Threat Emulation and Anti-Exploit

l Partially supported.
o Signatures are not in cache.
o Signatures download for each new instance.
n Anti-Bot
l Partially supported.
o Signatures are not in cache.
o Signatures download for each new instance.
o Cached data (such as the URLs checked against Threat-Cloud and
Detection List) are lost on logoff.
n Ransomware "Honeypots"
l Partially supported.
o Part of the Golden Image.
n Behavioral Guard
l Partially supported.
o Signatures are not in cache.
o Signatures download for each new instance.
n Full Disk Encryption and Capsule Docs
l Not supported for non-persistent desktops.
n Media Encryption & Port Protection
l Fully supported with VMware Horizon running the Harmony Endpoint client version
E86.40 and higher.
l Fully supported with Citrix Provisioning Services (PVS) running the Harmony
Endpoint client version E86.50 and higher.

Basic Golden Image Settings

A "Golden Image" is the base ("Master") desktop image. It is the model for clone images.

Harmony Endpoint EPMaaS Administration Guide | 546

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

To create the Golden Image:

1. Install the Windows OS.
2. Configure the network settings:
a. Configure the network settings to match your environment settings (DNS, Proxy).
b. To verify that the configuration is correct, add it to your domain.
c. Make sure you can ping Domain FQDN.
d. Make sure you can ping Connection Server FQDN.
3. Install the required software and tools.

4. Install the latest Windows updates.

5. Optimize the Guest machine in one of these ways:
a. Optimize the master image according to the Microsoft VDI Recommendation.
b. Use the Vendor's specific optimization tool:
n VMware - VMware OS Optimization Tool.
n Citrix - Citrix Optimizer.

Important - Make sure that you do not disable the Windows Security Center
service.

6. Install the Virtual Delivery Agent (VDA).

n VMware Horizon:
l Version 7.10 supports up to 19H1.
l Make sure that during installation you choose the correct settings (Linked
clones or Instant Clones).
n Citrix:
l Make sure that during installation you choose the correct settings (MCS /
PVS).

Notes for Citrix PVS:

l Before the first Endpoint installation, boot the machine from the

network using the relevant vDisk in Read / Write mode.

l When upgrading Endpoint in maintenance mode, make sure that

you upgrade the vDisk through the golden image and not one of the
clones.
l The transfer of a clone back to the golden image is not supported.

Harmony Endpoint EPMaaS Administration Guide | 547

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

7. Configure Trust with the Domain Controller:

n Make sure that the golden image has a Trust Relationship with the Domain
Controller.
n You can use this PowerShell command:
Test-ComputerSecureChannel

8. Install an Endpoint Security Client:

a. Create an exported Endpoint client package.
b. Install the Endpoint client package as administrator.
c. Get the latest Anti-Malware signatures.

Best Practice - Update manually with Update Now from the Endpoint tray
icon at least once a day.

d. Scan for malware.

Best Practice - Scan manually with Scan System Now from the Endpoint
tray icon for every signature update.

9. Shut down the Virtual Machine.

10. Save the snapshot.

Assigning Policies to VDI Pools

To assign specific behaviors to blades, you must configure policies.
Some policies assign by default to users, not machines.

Two options are available for assigning a policy to VDI machines:

n Assignment prior to pool creation

Assignment to a pre-defined Virtual Group occurs during the Export Package phase.
All clones from this Exported Package enter the computer group upon registration to
the Endpoint Security Management Server.
1. Create a new Virtual Group.
2. Export the applicable packages.
From the left navigation panel, click Policy.
In the Deployment Policy section, click Export Package.

Harmony Endpoint EPMaaS Administration Guide | 548

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

3. Assign the new Virtual Group to a relevant policy.

4. Install the exported package on the Golden Image.

n Assignment after pool creation

Provision all VDI machines. Once the machines exist, assign them to a policy.
1. Create a new Virtual Group and add all the relevant machines.
2. Create a policy and assign it to the Virtual Group.

Limitations
n VDI Clients must be part of a domain. Workgroup configurations are not supported.
n FDE capability is not supported. Do not enable FDE in packages for Non-Persistent VDI
machines.
n "Anti-Malware Scanning Storms" may occur when the Anti-Virus scan runs at the same
time on multiple Virtual Machines on the same physical server. A serious degradation of
the system performance is possible that can affect disk I/O and CPU utilization.
n The "Repair" push operation does not work for VDI machines.
n The Shared Signature Server does not share signatures with non-persistent desktops if
you clear and select the Set as shared signature server checkbox in the Policy > Web
& Files Protection > Advanced Settings > Files Protection > Signature window. To
resolve this issue, uninstall and redeploy the Endpoint Security client on the Shared
Signature Server.

Appendix
Disabling the Anti-Malware Periodic Scan
"Anti-Malware Scan Storms" can occur when anti-virus scans run at the same time on multiple
virtual machines on the same physical server.
A degradation of system performance is possible that can affect disk I/O and CPU usage.
We recommend that you disable the Anti-Malware periodic scan in one of these ways:

Harmony Endpoint EPMaaS Administration Guide | 549

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

In Endpoint Web Management Console

1. Go to the Policy Page.

2. In the right pane, click Web & Files Protection.
3. In the Perform periodic scan every field, select Never.

4. Click Save.
5. Install policy.

In SmartEndpoint

1. In the Select action field, select Perform periodic anti-malware can every month.
2. Clear the "Perform Periodic Scan option.

3. Install policy.

Harmony Endpoint EPMaaS Administration Guide | 550

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

In the Database Tool (GuiDBEdit Tool)

1. Connect with the Database Tool (GuiDBEdit Tool) (sk13009) to the Endpoint Security
Management Server.
2. Configure the value false for the attribute enable_schedular_scan.
3. In SmartEndpoint, install policy.

Harmony Endpoint EPMaaS Administration Guide | 551

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Configure the Windows Registry settings on the client machine

1. In Windows Registry, configure the value 0x0b for the AVSchedOf key:
n On 64-bit operating system:

HKEY_LOCAL_
MACHINE\SOFTWARE\Wow6432Node\CheckPoint\EndPoint
Security\Anti-Malware\AVSchedOf=(DWORD)0x0b

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\EndPoint
Security\Anti-Malware\AVSchedOf=(DWORD)0x0b

2. Restart the machine to restore Self-Protection.

Use the Compliance Software Blade to change the registry. See sk132932.

Harmony Endpoint EPMaaS Administration Guide | 552

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Advanced Settings Non-Persistent Desktops

This section shows how to configure clients manually for the Non-Persistent VDI solution in the
Signature Server and Signature Server Consumers roles.
Use this approach if the "Policy Approach" is not available.

Configuring the Shared Signatures Server

You can configure the Signature Server manually or with a script.

Harmony Endpoint EPMaaS Administration Guide | 553

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Manual Configuration

Create a Shared Folder

1. Create a folder to store the shared signatures.
2. Share the folder and grant read access to members of the Domain Computers' group.

Note - On Workgroup machines, the "SYSTEM" account does not have network
login rights. This configuration is not supported.

Configure the Windows Registry Keys

1. Configure the value 0x01 for the key VdiSignatureServer (to configure the
machine as "Shared Signatures Server"):
n On 64-bit operating system:

HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\VdiSignatureServer=(DWORD)0x01

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint
Security\Anti-Malware\VdiSignatureServer=(DWORD)0x01

2. Configure the path to the shared signatures folder in the key AVSharedBases:
n On 64-bit operating system:

HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\AVSharedBases=
(SZ)"DISK:\\Path\\To\\Shared\\Folder"

Harmony Endpoint EPMaaS Administration Guide | 554

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint
Security\Anti-Malware\AVSharedBases=
(SZ)"DISK:\\Path\\To\\Shared\\Folder"
Notes:
n If you do not configure the path, then the default shared

folder is:
C:\ProgramData\CheckPoint\Endpoint
Security\Anti-Malware\bases\shared
n The default shared folder exists after the first successful
update.

3. Reboot the machine to restart the Anti-Malware blade.

Configuration with the Script

1. Download the Shared Signatures Server Configuration script file.

2. Execute the script on the Signature Server and follow the instructions.
3. Make sure the script finishes successfully.
4. Make sure you reboot the machine to restart the Anti-Malware blade.

Configuring the Client Machine

You can configure the Client Machine (the Golden Image) manually or with a script.

Harmony Endpoint EPMaaS Administration Guide | 555

Harmony Endpoint for Windows Virtual Desktop Infrastructure (VDI)

Manual Configuration

1. Disable the Anti-Malware Periodic Scan. See the instructions above.

2. In Windows Registry, configure the value 0x01 for the key AVBasesScheme (to
enable the "Shared Signatures" scheme):
n On 64-bit operating system:

HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\AVBasesScheme=(DWORD)0x01

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint
Security\Anti-Malware\AVBasesScheme=(DWORD)0x01

3. In Windows Registry, configure the path to the shared signatures folder in the key
AVSharedBases:
n On 64-bit operating system:

HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security\Anti-Malware\AVSharedBases=
(SZ)"\\Server\FolderWithSharedSignatures"

n On 32-bit operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint
Security\Anti-Malware\AVSharedBases=
(SZ)"\\Server\FolderWithSharedSignatures"
Notes:
n If you do not configure the path, then the default shared folder is:

C:\ProgramData\CheckPoint\EndpointSecurity\Anti-
Malware\bases\shared
n The default shared folder exists after the first successful update.

4. Reboot the machine or restart the Anti-Malware process.

Configuration with the Script

1. Download the Golden Image Configuration script file.

2. Execute the script on the Golden Image and follow the instructions.
3. Make sure the machine is rebooted.

Harmony Endpoint EPMaaS Administration Guide | 556

Harmony Endpoint for Terminal Server / Remote Desktop Services

Harmony Endpoint for Terminal

Server / Remote Desktop Services
Terminal Server / Remote Desktop Service is a physical server that allows multiple users to
log on and access desktops remotely (For example, from a PC).
Check Point Harmony Endpoint supports these servers through the Endpoint Security client
E86.20 or higher:
n Microsoft Terminal Services
n Microsoft Remote Desktop Services
n Citrix Xen App (Formerly known as Virtual app)
n VMware Horizon App

Software Blades for Terminal Servers

n Anti-Malware
n Firewall and Application Control
n URL Filtering
n Anti-Bot
n Anti-Ransomware
n Behavioral Guard
n Forensics
n Threat Emulation and Extraction
n Anti-Exploit

Licensing
Licensing is per user. Each user is counted as a seat (using existing SKUs).

Harmony Endpoint EPMaaS Administration Guide | 557

Limitations

Limitations
n User-based policy is not supported. By default, computers will receive the entire
organization policy unless you create a computer-based rule.
n By default, the Endpoint Security client icon is turned off in the notification area (system
tray) for all the users logged on to the server. This is to prevent client notifications
triggered by a specific user action sent to all users. User checks (For example, Malware
detections, upgrade process and push operations) are not displayed. To turn on the
Endpoint Security client icon in the notification area for a specific user, see step 3 in the
procedure below.
n The Logs menu does not show user details. The Terminal Server shows all logged on
users as ntlocal.
n Compliance Remediation Run as User is not supported. For more information, see
"Compliance" on page 370.
n For the Anti-Malware capability:
l Terminal Server exclusions does not support User Environment Variables.
l Scanning and quarantine are supported only for a directory that can be accessed
by the System Account.
l Reporting - When infections are found, the Network Drive appears as "unknown"
when a network drive cannot be accessed by System Account.
n Configure proxy settings for the Windows Server machine in the System Account.
n The Full Disk Encryption blade is not supported.
n The Media Encryption blade is not be supported.
n Windows Subsystem for Linux (WSL) is not be supported.
n Internet Explorer extension is not supported.

Harmony Endpoint EPMaaS Administration Guide | 558

Deploying the Harmony Endpoint Client on a Terminal Server / Remote Desktop Service

Deploying the Harmony Endpoint Client on a

Terminal Server / Remote Desktop Service
Prerequisites
n Disable Windows Defender manually on the Terminal Server. For more information, see
sk159373.
n Make sure you have the uninstall password for the Endpoint Security client. For more
information, see "Installation and Upgrade Settings" on page 394.

Procedure
1. Install the Endpoint Security client package version E86.20 or higher to the Terminal
Server. For more information, see "Deploying Endpoint Clients" on page 66.
2. Enable the Terminal Server mode on the Endpoint Security client through one of these
methods:
n Use the export package or Tiny Agent/ Initial Client:
a. Open the Command Prompt window in Administrator mode and run:
msiexec /i eps.msi TS=1 OR EndpointSetup.exe TS=1.

b. Once Client is installed, open the Registry Editor and navigate to

[HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security] and make sure that the value of the TSM key is
dword:00000001.
n Manually change the registry:
a. Navigate to C:\Windows\Temp\<GUID> and run passdialog.exe file.
b. When prompted, enter the uninstall password.
c. Open Registry Editor and navigate to
[HKEY_LOCAL_
MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint
Security. Add a new TSM key with the value dword:00000001.
d. Reboot the server.

Harmony Endpoint EPMaaS Administration Guide | 559

Deploying the Harmony Endpoint Client on a Terminal Server / Remote Desktop Service

3. Optional - By default,the Endpoint Security client is turned off in the notification area
(system tray) for all the users logged on to the server. This is to prevent sending
notifications for a specific user action. To turn on the Endpoint Security client icon in the
notification area for a specific user:
a. Remove Self-Protection: Run the passdialog.exe file.
b. When prompted, enter the uninstall password.
c. Navigate to C:\Program Files (x86)\CheckPoint\Endpoint
Security\UIFramework\Bin\WUI and run the cptrayUI.exe file.

Harmony Endpoint EPMaaS Administration Guide | 560

Best Practice to Enable Software Blades

We recommend you to enable the Software Blade and the operating modes in the order shown
in the table below.
n Add exclusions before you enable a Software Blade.
n Enable the Software Blade on a test group before you enable it on the organization level.

Operating Applicable Group

Order Software Blade
Mode Level

1.1 Anti-Malware 1,2,3 Prevent Test

1.2 Prevent Organization

2.1 Forensics 4 Prevent Test

2.2 Off Organization

3.1 Anti-Ransomware and Behavioral Detect Test

Guard1,4
3.2 Detect Organization

3.3 Prevent Test

3.4 Prevent Organization

4.1 Threat Emulation 1,4 Prevent Test

4.2 Prevent Organization

5.1 Anti-Exploit 1,4 Detect Test

5.2 Detect Organization

5.3 Prevent Test

5.4 Prevent Organization

6.1 Anti-Bot 1,4 and URL Filtering 1 Detect Test

6.2 Detect Organization

6.3 Prevent Test

6.4 Prevent Organization

Harmony Endpoint EPMaaS Administration Guide | 561

Best Practice to Enable Software Blades

Operating Applicable Group

Order Software Blade
Mode Level

7.1 Analysis and Remediation 1 High Test

7.2 High Organization

7.3 Always Test

7.4 Always Organization

1 Add exclusions before enabling the blade.

n For Citrix Anti-Malware, click here.

n For Microsoft Terminal Server Anti-Virus, click here.
n For FSLogix Anti-Virus, click here.
2 Schedule the scan during non-active period.

3 To add exclusions, see sk122706.

4 To add exclusions, see sk128472.

Harmony Endpoint EPMaaS Administration Guide | 562

Managed Security Service Providers (MSSP)

Managed Security Service

Providers (MSSP)
Viewing Statistics for MSSP
Harmony Endpoint provides an interface for Managed Security Service Providers (MSSP) to:
n Create and manage (pause, stop, start and restart) the service of their child accounts
n View general statistics about their child accounts
n View operational statistics about their child accounts
n View contract details of their child accounts

Important - MSSP View is only available for customers who are part of the Early
Availability program.

Service Management
On the Service Management page, you can view and manage the service of the MSSP and
their child accounts.
To view the Service Management page, click Overview > MSSP View > Service
Management.

To refresh the information, click Refresh.

Accounts Info

The Accounts Info widget shows:

n Total number of accounts (includes MSSP accounts and child accounts).
n Number of deployed accounts (accounts with valid license).

Harmony Endpoint EPMaaS Administration Guide | 563

Managed Security Service Providers (MSSP)

Click Deployment to view the deployed accounts in the "Account Details Table" on the
next page.
n Number of accounts under evaluation (accounts with evaluation license).
Click Evaluation to view the accounts under evaluation in the "Account Details Table" on
the next page.
n Number of active endpoints. It also shows the change in the number of active endpoints
by percentage in the last 24 hours.

Service Status

The Service Status widget shows the service status of the accounts:
n Running
n Initializing
n Stopped
n Error
n N/A

To sort the accounts by status, click Status. For more details, see "Account Details Table" on
the next page.

Hosting Sites

The Hosting Sites widget shows the number of accounts residing in different data regions.

Harmony Endpoint EPMaaS Administration Guide | 564

Managed Security Service Providers (MSSP)

Account Details Table

The Account Details table shows the details of the account.

Item Description

Create a new service (a new Endpoint Security Management Server).

Create
Service

Starts the service for the account selected in the table.

Start

Restarts the service for the accounts selected in the table.

Restart

Actions Perform these actions:

n Export to CSV – Exports the data to an excel file in CSV format.
n Manage account – Opens the General Settings page. For more
information on managing an account, see the Infinity Portal
Administration Guide.

Search Enter the account name to search.

Opens the Filters widget. Specify the filter criteria.

Toggle
Filters

Account Name Name of the account.

Service Status Service status of the accounts:

n Running
n Initializing
n Stopped
n Error
n N/A

Purpose Purpose of the child account:

n Product Evaluation
n Product Deployment
n N/A

Harmony Endpoint EPMaaS Administration Guide | 565

Managed Security Service Providers (MSSP)

Item Description

Connection Token used for the connection.

Token The token is automatically generated when the service is created. You
can use this token to connect to the tenant from the SmartConsole.

Hosting Site Data region where the account is hosted.

Launch Time Date and time the service was created.

MSSP Essentials
The MSSP Essentials page shows the essential details about the MSSP and child accounts.

To view the MSSP Essentials page, click Overview > MSSP View > MSSP Essentials.

To view the details specific to a child account, on the right pane, click , select the account
and click OK.

MSSP Total Endpoints

The MSSP total endpoints widget shows the total number of accounts, including MSSP
accounts, child accounts and active / inactive endpoints.
Click View Accounts to view the MSSP and child account information. For more information,
see "Accounts Info" on page 580.

Harmony Endpoint EPMaaS Administration Guide | 566

Managed Security Service Providers (MSSP)

Account with Issues

The Account with issues widget shows the total number of Operational issues and Outdated
capabilities across accounts that have at least one device.

Hover over the widget, click View Accounts to view the details of the account, and their issues.
For more information, see "Issues by Accounts" on page 580.

Service Status

The Service Status widget shows the number of accounts categorized by their Harmony
Endpoint Security client service status.
To view the account by status, click the status. For more information, see "Service Status" on
page 581.

Harmony Endpoint EPMaaS Administration Guide | 567

Managed Security Service Providers (MSSP)

Contracts by Type

The Contracts by type widget shows the number of contracts categorized by their type.

Click the widget to view the number of contracts for each account.

Contracts by Status

The Contracts by status widget shows the number of contracts categorized by their status.
Click the widget to see the validity status of the contracts.

Active Endpoints Trend

Harmony Endpoint EPMaaS Administration Guide | 568

Managed Security Service Providers (MSSP)

The Active endpoints trend widget shows the line graph of active Harmony Endpoint Security
clients for each account (up to five) over time.

Top 5 Attacked Accounts

The Top 5 attacked accounts widget shows the top five attacked accounts categorized by
their status.
The statuses are:
n Active - A malicious process attacked and infected the device. Termination and
quarantine of the process or other elements of the attack is failed or disabled in the
policy.
n Blocked - A malicious process does not attack the device as all the infected files are
blocked immediately and quarantined.
n Cleaned - A malicious process attacked and infected the device. The device is cleaned
as the infected files are terminated and quarantined.
n Dormant - A malicious process does not attack, but the device is infected as the
quarantine of one of the infected file fails.

Top 5 Ransomware Attacked Accounts

The Top 5 ransomware attacked accounts widget shows the top five accounts targeted by
ransomware attacks.
The statuses are:

Harmony Endpoint EPMaaS Administration Guide | 569

Managed Security Service Providers (MSSP)

n Active - A malicious process attacked and infected the device. Termination and
quarantine of the process or other elements of the attack is failed or disabled in the
policy.
n Cleaned - A malicious process attacked and infected the device. The device is cleaned
as the infected files are terminated and quarantined.

Top 5 Phishing Attacked Accounts

The Top 5 phishing attacked accounts widget shows the top five accounts targeted by
phishing attacks.

Top 5 Accounts with Exploit Attack Attempts

The Top 5 accounts with exploit attack attempts widget shows the top five accounts that
have been subject to exploit attack attempts.

Harmony Endpoint EPMaaS Administration Guide | 570

Managed Security Service Providers (MSSP)

Alerts

The Alerts widget shows the active alerts on all the endpoints in the account.

MSSP Custom Dashboard

The MSSP Custom Dashboard allows you to create personalized dashboards for child
accounts and MSSP accounts with widgets of your preference and specify whether the
dashboard should be private or public. Private dashboards are available only for you to view,
whereas Public dashboards are available for all the users with access to the MSSP View
page. However, only the owner of the dashboard can edit it.

MSSP Dashboard
The MSSP dashboard allows you to create personalized dashboards for the MSSP and child
accounts.
n The Blank dashboard allows you to create a new dashboard with the available widgets.
n The MSSP Essentials template dashboard allows you to customize the "MSSP
Essentials" on page 566 dashboard.

To create a MSSP dashboard:

1. Go to Overview > MSSP View, click next to Custom Dashboard and click MSSP
dashboard.

Harmony Endpoint EPMaaS Administration Guide | 571

Managed Security Service Providers (MSSP)

2. To create a new custom dashboard from scratch:

a. Hover over the Blank dashboard widget and click Add.
b. Click Add Your First Widget.

The Add Widget window appears.

Harmony Endpoint EPMaaS Administration Guide | 572

Managed Security Service Providers (MSSP)

c. From the left pane, select the widget and click Add.

Note - The Add button is disabled if the widget is already added to the
dashboard.

d. To add more widgets, click Add Widget and repeat step c.

3. To create a new custom MSSP essentials template dashboard:
a. Hover over the MSSP essentials template widget and click Duplicate.

The dashboard appears under Custom Dashboard on the left navigation pane,
and it is also listed under My dashboards in the MSSP Dashboard page.

4. In the Dashboard name field, enter a name.

5. Click Save.

6. To delete a widget, on the widget, click and click Delete.

7. By default, all custom dashboards you create in MSSP Account are set as Private. To
make the custom dashboard available to all users with access to the MSSP Account
page, from the Private list on the upper-right corner, click Public. The system adds the
dashboard under Public dashboards for other users.

Account Dashboard
The Account dashboard allows you to create personalized dashboards for the MSSP account.

Harmony Endpoint EPMaaS Administration Guide | 573

Managed Security Service Providers (MSSP)

n Blank dashboard allows you to create a new dashboard with available widgets.
n Unified template allows you to customize the Unified Dashboard. For more information,
see Unified Dashboard in "Viewing Operational Overview, Security Overview and
Reports" on page 123.

To create an account dashboard:

1. Go to Overview > MSSP View, click next to Custom Dashboard and click Account
dashboard.

2. To create a new custom dashboard from scratch:

Harmony Endpoint EPMaaS Administration Guide | 574

Managed Security Service Providers (MSSP)

a. Hover over the Blank dashboard widget and click Add.

b. Click Add Your First Widget.

The Add Widget window appears.

c. From the left pane, select the widget and click Add.

Note - The Add button is disabled if the widget is already added to the
dashboard.

d. To add more widgets, click Add Widget and repeat step c.

3. To create a custom Unified template dashboard:

Harmony Endpoint EPMaaS Administration Guide | 575

Managed Security Service Providers (MSSP)

a. Hover over the Unified template widget and click Duplicate.

The dashboard appears under Custom Dashboard on the left navigation pane,
and it is also listed under My dashboards in the Account Dashboard page.
4. In the Dashboard name field, enter a name.

5. To delete a widget, on the widget, click and click Delete.

6. Click Save.
7. To share the Account dashboard with other child accounts, on the right pane, click
Share With Accounts, select the account and click Share

The dashboard appears in the Public Dashboard of the child account.

Harmony Endpoint EPMaaS Administration Guide | 576

Managed Security Service Providers (MSSP)

Managing a Custom Dashboard

1. Go to Overview > MSSP View.

2. To edit a dashboard:
a. Expand Custom Dashboard.

b. Click for the dashboard you want to edit and click Edit.

c. Make the necessary changes and click Save.

Note - You cannot edit dashboards created by other users.

3. To delete a dashboard, expand Custom Dashboard, click for the dashboard you want
to delete and click Delete.

Note - You cannot delete dashboards created by other users.

Harmony Endpoint EPMaaS Administration Guide | 577

Managed Security Service Providers (MSSP)

Optional Widgets
You can customize the Custom dashboard by adding these widgets:

Password Reuse Attacks

The Password reuse attacks by events widget shows the number of password reuse attacks
by their status.
Use the drop down to view the attacks by events, accounts or devices.

Phishing Attacks

The Phishing attacks by events widget shows the number of phishing attacks by their status.
Use the drop down to view the attacks by events, accounts or devices.

Ransomware Attacks

Harmony Endpoint EPMaaS Administration Guide | 578

Managed Security Service Providers (MSSP)

The Ransomware attacks by events widget shows the number of ransomware attacks by
their status.
Use the drop down to view the attacks by events, accounts or devices.

Exploit Attacks

The Exploit attack attempts by events shows the number of exploit attack attempts by their
status.
Use the drop down to view the attacks by events, accounts or devices.

Malicious Site Attacks

The Malicious site attacks by events widget shows the number of malicious site attacks by
their status.
Use the drop down to view the attacks by events, accounts or devices.

Service Management
You can use the Service Management page to view the overall status of your accounts.
To view the Service Management page, click Overview > MSSP View > Services > Service
Management.

Harmony Endpoint EPMaaS Administration Guide | 579

Managed Security Service Providers (MSSP)

Accounts Info

The Accounts Info widget shows:

n Total number of accounts (includes MSSP accounts and child accounts).
n Number of deployed accounts (accounts with valid license).
Click Deployment to view the deployed accounts in the "Account Details Table" on
page 565.
n Number of accounts under evaluation (accounts with evaluation license).
Click Evaluation to view the accounts under evaluation in the "Account Details Table" on
page 565.
n Number of active endpoints. It also shows the change in the number of active endpoints
by percentage in the last 24 hours.

Issues by Accounts

The Issues by Accounts widget shows the:

n Number of accounts with endpoints with blades that are not running or are inactive in the
Endpoint Security client.
n Number of accounts with endpoints where Endpoint Security client deployment failed.
n Number of accounts with endpoints where the Anti-Malware signature is not updated in
the last 72 hours.
To view more information, click View Accounts. A new page appears that shows the details of
issues in a table.

Harmony Endpoint EPMaaS Administration Guide | 580

Managed Security Service Providers (MSSP)

Item Description

Search Enter the account name to search.

Opens the Filters widget. Specify the filter criteria.

Toggle
Filters

Account Name Name of the account.

Protected Number of endpoints protected.

Endpoints

Failed Number of failed Endpoint Security client deployments.

On Over 72h Number of accounts whose last Anti-Malware signature update was more
Ago than 72 hours ago.

Not Running Number of blades that are not running on the Endpoint Security client.
Blades

To export the issues to an Excel file, click Export to CSV.

Service Status

The Service Status widget shows the service status of the accounts:
n Running
n Initializing
n Stopped
n Error
n N/A
To sort the accounts by status, click Status. For more details, see "Account Details Table" on
page 565.

Harmony Endpoint EPMaaS Administration Guide | 581

Managed Security Service Providers (MSSP)

Hosting Sites

The Hosting Sites widget shows the number of accounts residing in different data regions.

Account Details Table

The Account Details table shows the details of the account.

Item Description

Create a new service (a new Endpoint Security Management Server).

Create
Service

Starts the service for the account selected in the table.

Start

Restarts the service for the accounts selected in the table.

Restart

Actions Perform these actions:

Search Enter the account name to search.

Opens the Filters widget. Specify the filter criteria.

Toggle
Filters

Account Name Name of the account.

Harmony Endpoint EPMaaS Administration Guide | 582

Managed Security Service Providers (MSSP)

Item Description

Service Status Service status of the accounts:

n Running
n Initializing
n Stopped
n Error
n N/A

Purpose Purpose of the child account:

n Product Evaluation
n Product Deployment
n N/A

Connection Token used for the connection.

Token The token is automatically generated when the service is created. You
can use this token to connect to the tenant from the SmartConsole.

Hosting Site Data region where the account is hosted.

Launch Time Date and time the service was created.

Contracts
You can use the Contracts page to view the contract details of the MSSP and the child
accounts.
To view the Contracts page, click Overview > MSSP View > Contracts.

To refresh the information, click Refresh.

Accounts Info

The Accounts Info widget shows:

Harmony Endpoint EPMaaS Administration Guide | 583

Managed Security Service Providers (MSSP)

n Total number of accounts (includes MSSP accounts and child accounts).

n Number of deployed accounts (accounts with valid license).
Click Deployment to view the deployed accounts in the "Account Details Table" on
page 565.
n Number of accounts under evaluation (accounts with evaluation license).
Click Evaluation to view the accounts under evaluation in the "Account Details Table" on
page 565.
n Number of active endpoints. It also shows the change in the number of active endpoints
by percentage in the last 24 hours.

Accounts Contracts Distribution

The Accounts Contract Distribution widget shows the number of contracts of each type.

Contracts by Accounts

The Contracts by Accounts widget shows the accounts that expired or expire soon.
Click the links to see the related accounts in the "Contract Details Table" below.

Contract Details Table

The Contract Details table shows the contract details of all the accounts:

Harmony Endpoint EPMaaS Administration Guide | 584

Managed Security Service Providers (MSSP)

Item Description

Action Perform any of these actions:

n Export to CSV – Exports the data to an Excel file in CSV format.
n Send Email – Sends an email to the account owner about the
contract expiration status. To customize the email, see "Sending an
Email to Account on Contract Status" on the next page.
n Manage account – Opens the General Settings page. For more
information on managing an account, see Global Settings >
Account Management in the Infinity Portal Administration Guide.

Search Enter the account name to search.

Renew Renew an expired contract.

Opens the Filters widget. Specify the filter criteria.

Toggle
Filters

1. Select the account from the "Contract Details Table" on page 584.
2. Click Action > Send Email.
3. Under Type, select the contract type.
n All Contracts
n Contracts Expiring Soon
n Contracts Expire
n Contracts Exceeded
n Custom
4. Enter the Recipients, Subject, and Body of the email.
5. Click Ok.

Harmony Endpoint EPMaaS Administration Guide | 586

Managed Security Service Providers (MSSP)

The system sends the email to the recipients.

Reports for MSSP

On the Reports page, you can download these reports in the pdf format:
n Threat Analysis Report - A comprehensive report with the latest security events.
n Threat Analysis Report Anonymized - A comprehensive report with the latest security
events without specific user names.
n High Risks Cyber Attack Report - Shows the analysis of all the Endpoint Security
events by statuses of the attack pillars.
n Web Activity Checkup - Shows the web activity in the organization.
n Threat Emulation Report - A comprehensive report about scanned and malicious files.
n Threat Extraction - Shows the insights on the downloaded files.
n Software Deployment - Shows the deployment status in the organization.

Harmony Endpoint EPMaaS Administration Guide | 587

Managed Security Service Providers (MSSP)

n Vulnerability Management - A comprehensive report of vulnerabilities detected by

Harmony Endpoint.

Note - Available only to customer subscribed to this feature and with server
version R81.10.x and higher.
n Posture Management - Shows Vulnerability Management and patches information.

Note - Available only to customer subscribed to this feature and with server
version R81.10.x and higher.
n Policies Reports - A comprehensive report on Threat Prevention capabilities.
n Operational Report - Shows the insights about the operational status of the deployed
endpoints.
n Compliance Report - Shows the compliance status in the organization.
n Check Point Cyber Security Report 2023 - Shows the insights to help your organization
stay secure.

To download a report:
1. Select the report and click Export Report.
The Export Report window appears.
2. In the Time Frame list, select Last day, Last 7 days, or Last 30 days.
3. From the Tenant list, select the required tenant for which you want to download the
report.

4. Click Export.

Global Exclusions
With Global Exclusions in a Managed Security Service Provider (MSSP) account, you can
create exclusions (using Legacy or Smart Exclusions) at one place and sync them with the
child accounts.
To access Global Exclusions, go to Overview > MSSP View > Global Exclusions.

Adding Global Exclusions using Legacy Exclusion

For information on how to add exclusions using Legacy Exclusion, see Adding Global
Exclusions"Adding Global Exclusions" on page 252
After you add exclusions, click Save. The exclusions are installed on the Endpoint
Management Server and enforced on the endpoint through the Harmony Endpoint Security
Client.

Harmony Endpoint EPMaaS Administration Guide | 588

Managed Security Service Providers (MSSP)

Caution - When you click Save, in addition to the exclusion changes, all the policy
changes that have been saved for the corresponding capability in the child accounts
are also installed on the Endpoint Management Server. For example, if you have
added Anti-Malware exclusions, then all the saved changes related to the Anti-
Malware policy in the child accounts are installed to the Endpoint Management
Server.

Adding Global Exclusions using Smart Exclusion

For information on how to add exclusions using Smart Exclusion, see "Adding Global
Exclusions" on page 275.
After you add exclusions, click Save. The exclusions are installed on the Endpoint
Management Server and enforced on the endpoint through the Harmony Endpoint Security
Client.

Harmony Endpoint EPMaaS Administration Guide | 589

Managed Security Service Providers (MSSP)

Syncing Exclusions with Child Accounts

If the Harmony Endpoint service status in child accounts is Running, then the exclusions are
automatically synchronized with the Global Exclusions configured in the MSSP server. If the
service status is Stopped or Paused, then the system shows a banner notification when the
service in the child accounts is Running again.

Click Sync All to sync the exclusions with the child accounts.

Templates for Child Accounts

Harmony Endpoint allows Managed Security Service Providers (MSSP) to create custom
templates and attach them to child accounts. The template consists of predefined settings, for
example, for Threat Prevention policy. The supported templates are:
n "Threat Prevention Policy Template" on the next page
n "Software Deployment Policy Template" on page 596

Use Case
You are an MSSP with several child accounts that require unique policy settings and frequent
updates:
n You want to assign these unique policy settings to child accounts easily without having to
manually define them for each child account.
n You want to manage policy updates from the parent account and propagate the updates
to child accounts automatically.

Harmony Endpoint EPMaaS Administration Guide | 590

Managed Security Service Providers (MSSP)

Benefits
n Centralized policy management
n Consistent enforcement in policy settings
n Customized policy settings for unique requirements
n Ensures all child accounts are compliant.

Threat Prevention Policy Template

The template consists of predefined settings for Threat Prevention policy capabilities, such as
Web & Files Protection, Behavioral Protection and so on.

Creating a Threat Prevention Policy Template

1. Access the Harmony Endpoint EPMaaS Administrator Portal with the MSSP account.
2. Click Policy > MSSP View > Template Repository > Threat Prevention.

3. Select the Default template and click Clone.

4. Select the cloned template and in the Capabilities and Exclusions pane, do these:

Harmony Endpoint EPMaaS Administration Guide | 591

Managed Security Service Providers (MSSP)

a. In the Name field, edit the name. For example, Default Settings for All Customers.
b. (Optional) In the Description field, enter a description.
c. To add exclusions, click Exclusions Center. See "Adding Exclusions to Rules" on
page 251.
d. Configure these capabilities, including Advanced Settings:
n "Web & Files Protection" on page 224
n "Behavioral Protection" on page 245
n "Analysis & Remediation" on page 250
5. Click Save.

Attaching the Threat Prevention Policy Template to a Child Account

1. Access the Harmony Endpoint EPMaaS Administrator Portal with the child account.
2. Go to Policy > Threat Prevention > Policy Capabilities.
3. Select the policy in the table.

Harmony Endpoint EPMaaS Administration Guide | 592

Managed Security Service Providers (MSSP)

Note - Make sure the rule is for devices only and it is Connected. To view
device specific rules, change the policy operation mode to Mixed. For more
information, see "Unified Policy" on page 213.

4. In the Capabilities and Exclusion pane, from the MSSP template list, select All
templates.

The MSSP Templates window appears.

Harmony Endpoint EPMaaS Administration Guide | 593

Managed Security Service Providers (MSSP)

5. Select the template from the left pane and click Select.

6. Click Save & Install.

After the policy is installed, the policy capability settings are disabled (Read-only) and the
changes to the template from the MSSP account are automatically applied to the child
account.

Viewing the Accounts Attached to a Template

1. Access the Harmony Endpoint EPMaaS Administrator Portal with the MSSP account.
2. Click Policy > MSSP View > Template Repository > Threat Prevention.
Used by shows the number of child accounts attached to the template.

Harmony Endpoint EPMaaS Administration Guide | 594

Managed Security Service Providers (MSSP)

3. To view the child accounts, click the number. The MSSP Templates pop-up appears
and shows the details:

Column Name Description

Account name Child account name.

Rule name Policy rule name that uses the template in the child
account.

Harmony Endpoint EPMaaS Administration Guide | 595

Managed Security Service Providers (MSSP)

Column Name Description

Status date Last date and time in the server when the child account
checked for the template updates.

Status Status of the last update.

n Success - The child account received the latest

updates from the template.

n Failed - The child account failed to receive the

latest updates from the template.

Software Deployment Policy Template

The template consists of predefined settings for Software Deployment policy.

Creating a Software Deployment Policy Template

1. Access the Harmony Endpoint EPMaaS Administrator Portal with the MSSP account.
2. Click Policy > MSSP View > Template Repository > Software Deployment.
3. Select the Default template and click Clone.

4. Select the cloned template and in the Capabilities and Exclusions pane, do these:

Harmony Endpoint EPMaaS Administration Guide | 596

Managed Security Service Providers (MSSP)

a. In the Name field, edit the name. For example, Default Settings for All Customers.
b. (Optional) In the Description field, enter a description.

c. Configure the deployment for WINDOWS, MACOS, and LINUX:

i. Version - From the list, select the necessary version that must be deployed
on the endpoints.

ii. Capabilities - From the tree, select the necessary capabilities that must be
deployed in the endpoints.

Note - Select All to deploy all the capabilities.

5. Click Save.

Attaching the Software Deployment Policy Template to a Child Account

1. Access the Harmony Endpoint EPMaaS Administrator Portal with the child account.
2. Go to Policy > Deployment Policy > Software Deployment.
3. Select the policy in the table.

Harmony Endpoint EPMaaS Administration Guide | 597

Managed Security Service Providers (MSSP)

4. In the Capabilities and Exclusion pane, from the MSSP template list, select All
templates.

The MSSP Templates window appears.

5. Select the template from the left pane and click Select.
6. Click Save & Install.
After the policy is installed, the policy capability settings are disabled (Read-only) and the
changes to the template from the MSSP account are automatically applied to the child
account.

Viewing the Accounts Attached to a Template

1. Access the Harmony Endpoint EPMaaS Administrator Portal with the MSSP account.
2. Click Policy > MSSP View > Template Repository > Software Deployment.

Harmony Endpoint EPMaaS Administration Guide | 598

Managed Security Service Providers (MSSP)

Used by shows the number of child accounts attached to the template.

3. To view the child accounts, click the number. The MSSP Templates pop-up appears
and shows the details:

Column Name Description

Account name Child account name.

Harmony Endpoint EPMaaS Administration Guide | 599

Managed Security Service Providers (MSSP)

Column Name Description

Rule name Policy rule name that uses the template in the child
account.

Status date Last date and time in the server when the child account
checked for the template updates.

Status Status of the last update.

n Success - The child account received the latest

updates from the template.

n Failed - The child account failed to receive the

latest updates from the template.

Harmony Endpoint EPMaaS Administration Guide | 600

Managed Security Service Providers (MSSP)

Smart App Control

Smart App Control is a Windows 11 native feature that blocks malicious, untrusted, or
potentially unwanted apps from running on your device. For more information, see Smart App
Control.
The Smart App Control feature is compatible only with the Harmony Endpoint Security Client
E87.50 and higher, with these limitations:
n Only these installations are supported:
o Tiny Agent
o Vanilla Client
o Export Package
n Reconnect Tool - Perform steps 1 to 7 for Windows in the "Reconnect Tool" on page 55
topic and then do one of these steps to use the Reconnect tool:
l Sign the reconnect_utility.exe file with your certificate and then continue with step 8
for Windows in the "Reconnect Tool" on page 55 topic.
l Run the reconnect_utility.exe file.
It creates the Reconnect folder.
a. Transfer the Reconnect folder to the endpoints.
b. On the endpoint, open the Reconnect folder, and run the ReRegister.exe file.

Harmony Endpoint EPMaaS Administration Guide | 601

Recent Tasks

Recent Tasks
The running and the queued tasks appear in the Recent Tasks window at the top right of your
screen.

Harmony Endpoint EPMaaS Administration Guide | 602

Known Limitations

Known Limitations
These are the current known limitations for Harmony Endpoint:
n You cannot perform any action in SmartEndpoint during the download of the Endpoint
Security client package until the download is complete.
n Capsule Docs and Endpoint URL Filtering are not supported.
n When you create a new administrator, you cannot use the "Change password on next
login" option.
n In SmartEndpoint reports, the IP address of the client may be wrong due to network
hops.
n Use SmartEndpoint to switch to SmartConsole and SmartUpdate:

n Distributed Active Directory Scanner: The deletion of a user from an Active Directory is
not detected by the automatic scan and it is not reflected in the organizational tree.
n Unlock On LAN is not working. During Pre-boot, the client device cannot communicate
correctly with the server.
n These versions are not supported with Harmony Endpoint:
l E80.64 Endpoint Security client for macOS
l E80.71 Endpoint Security client for macOS
l E80.89 Endpoint Security client for macOS
n You cannot upgrade from E80.64, E80.71, E80.89 Endpoint Security for macOS clients
to these versions:
l E82.00 Endpoint Security client for macOS
l E82.50 Endpoint Security client for macOS
n When you create a new AD scanner, you cannot scan user certificates from Active
Directory.
n In order to use WSL2 on Windows 10 and 11 with Harmony Endpoint installed you must
alter your firewall configuration. These changes apply only when you use the firewall
blade. For additional information please see sk177207

Harmony Endpoint EPMaaS Administration Guide | 603

Known Limitations

Appendix
n "Appendix A - Deploying Harmony Endpoint Security Client using SCCM" below
n "Appendix B - Uninstalling the Harmony Endpoint Security Client (For macOS and
Windows)" on the next page

Appendix A - Deploying Harmony Endpoint

Security Client using SCCM
Use the Microsoft System Center Configuration Manager (SCCM) to install and deploy
Harmony Endpoint Security Client.

Use Case
If you already use SCCM to manage your organization’s endpoints, you can use it to deploy
Check Point's Harmony Endpoint on these managed endpoints.

Prerequisites
A System Center Configuration Manager (SCCM) account.

Step 1: Create the Harmony Endpoint Windows Application

in SCCM
Follow these steps to create and upload Harmony Endpoint application to the SCCM service.
1. Open the Microsoft Endpoint Configuration Manager (SCCM).

2. From the top toolbar, select Create Application.

3. Click Browse.
a. Upload the EPS.MSI file created in Preparing the Harmony Endpoint Client
Windows Package for Deployment.
b. Click Open.
c. Click Next.
4. In the General Information window, enter the Name, Additional Comments, and
Publisher information.
5. Click Next.
6. Review the Summary information and click Next.

Harmony Endpoint EPMaaS Administration Guide | 604

Known Limitations

Step 2: Deploy the Harmony Endpoint Windows Application

in SCCM
Follow these steps to install and deploy the Harmony Endpoint application created in Step 1.
1. Open SCCM and from the top toolbar > click Deploy.
2. Go to the General page > select Collection > click Browse.
3. Click Device Collections and select the collection of devices > click Next.
4. Select Content, click Add > Next.
5. In Deployment settings, set the Action to Install and set Purpose to Required.
6. Go to User Experience and set your preferences > click Next.

7. Select Alerts and set your alerts > click Next.

8. Review the information and click Next.
The number of deployments is updated in the SCCM application.
9. To make sure the deployment is successful, open the Software Center on the target
device.

Appendix B - Uninstalling the Harmony

Endpoint Security Client (For macOS and
Windows)
To uninstall the Harmony Endpoint Security Client, perform the Uninstall Client Push
Operation. The system sends the uninstall request to the endpoint. The operation is executed
automatically after the scheduled duration or the end-user can click Start Now to start the
operation immediately.

Harmony Endpoint EPMaaS Administration Guide | 605

Known Limitations

Notes -
n The system automatically reboots the endpoint after uninstalling the client
successfully.
n The system deletes the client information on the Endpoint Management Server
after the configured period of time (default is 30 days).

For more information on the Uninstall Client Push Operation, see "Performing Push
Operations" on page 491.

Harmony Endpoint EPMaaS Administration Guide | 606

CheckPoint Harmony Endpoint AdminGuide
100% (1)
CheckPoint Harmony Endpoint AdminGuide
442 pages
CP Harmony Endpoint AdminGuide
No ratings yet
CP Harmony Endpoint AdminGuide
254 pages
HVR User Manual 5.7.cec91698
No ratings yet
HVR User Manual 5.7.cec91698
715 pages
CP R81.20 Harmony Endpoint Server AdminGuide
No ratings yet
CP R81.20 Harmony Endpoint Server AdminGuide
465 pages
Oracle Database 19c Administration Track
100% (1)
Oracle Database 19c Administration Track
7 pages
Oracle DBA 1
100% (1)
Oracle DBA 1
17 pages
Mq92 Install
100% (1)
Mq92 Install
304 pages
Lab Answer Key: Module 1: SQL Server Security Lab: Authenticating Users
No ratings yet
Lab Answer Key: Module 1: SQL Server Security Lab: Authenticating Users
10 pages
CP Harmony Endpoint AdminGuide
No ratings yet
CP Harmony Endpoint AdminGuide
375 pages
SQL (Structured Query Language)
No ratings yet
SQL (Structured Query Language)
101 pages
Harmony Endpoint WebManagement AdminGuide
No ratings yet
Harmony Endpoint WebManagement AdminGuide
320 pages
Module 1 - Oracle 12c Linux Silent Installation
100% (1)
Module 1 - Oracle 12c Linux Silent Installation
15 pages
Data Base Administration IT-242: Birkinesh
No ratings yet
Data Base Administration IT-242: Birkinesh
59 pages
Backing Up SQL Server Databases
No ratings yet
Backing Up SQL Server Databases
27 pages
CP ES E80.40 AdminGuide Octubre 2012 PDF
No ratings yet
CP ES E80.40 AdminGuide Octubre 2012 PDF
151 pages
SQL Server Automation (Maintenance Plan)
100% (1)
SQL Server Automation (Maintenance Plan)
18 pages
Oracle RMAN
No ratings yet
Oracle RMAN
33 pages
Introduction To Oracle Sharding
100% (1)
Introduction To Oracle Sharding
13 pages
Check List After Pull Down
No ratings yet
Check List After Pull Down
11 pages
Advanced Performance Tuning..
No ratings yet
Advanced Performance Tuning..
135 pages
Mysql 8.0 en 31 60
No ratings yet
Mysql 8.0 en 31 60
30 pages
Automating SQL Server Management
No ratings yet
Automating SQL Server Management
20 pages
Installing The Forefront Threat Management Gateway (Forefront TMG) Sysnetadmin - Co.nr
100% (2)
Installing The Forefront Threat Management Gateway (Forefront TMG) Sysnetadmin - Co.nr
37 pages
Lab 1 - Accessing and Preparing Data
No ratings yet
Lab 1 - Accessing and Preparing Data
36 pages
Dbms New
No ratings yet
Dbms New
156 pages
XAL External Interface For Alert Management
No ratings yet
XAL External Interface For Alert Management
76 pages
CP E80.61 EndpointSecurity AdminGuide
No ratings yet
CP E80.61 EndpointSecurity AdminGuide
196 pages
E Book Simplify Your Database Migrations and Upgrades Ebook 22085 PDF
No ratings yet
E Book Simplify Your Database Migrations and Upgrades Ebook 22085 PDF
30 pages
Windows 11 Security Book
No ratings yet
Windows 11 Security Book
66 pages
Best Computer Tricks and Hacks You Didn
100% (1)
Best Computer Tricks and Hacks You Didn
21 pages
Setting Up The Oracle 19c RAC Database From The OVA File
No ratings yet
Setting Up The Oracle 19c RAC Database From The OVA File
5 pages
Recovery Models and Backup Strategies
No ratings yet
Recovery Models and Backup Strategies
23 pages
ORAchk User Guide
No ratings yet
ORAchk User Guide
51 pages
Applies To:: Performance Impact of TDE. (Doc ID 1303412.1)
100% (2)
Applies To:: Performance Impact of TDE. (Doc ID 1303412.1)
3 pages
CP R77.30.01 EndpointSecurity AdminGuide PDF
No ratings yet
CP R77.30.01 EndpointSecurity AdminGuide PDF
241 pages
How To Optimize A Data Guard Configuration
100% (1)
How To Optimize A Data Guard Configuration
12 pages
Zapdoc - Tips Oracle e Business Suiter122 Troubleshooting
No ratings yet
Zapdoc - Tips Oracle e Business Suiter122 Troubleshooting
20 pages
PerconaMonitoringAndManagement-1 15 0 PDF
No ratings yet
PerconaMonitoringAndManagement-1 15 0 PDF
265 pages
Oracle Exadata
100% (1)
Oracle Exadata
6 pages
PMCMD in Informatica
No ratings yet
PMCMD in Informatica
19 pages
Oracle DBA Code Examples
No ratings yet
Oracle DBA Code Examples
644 pages
How To Install Entrprisedb Server On Linux
No ratings yet
How To Install Entrprisedb Server On Linux
15 pages
DB2 9 DBA Certification Exam 731 Prep, Part 1:: Server Management
No ratings yet
DB2 9 DBA Certification Exam 731 Prep, Part 1:: Server Management
44 pages
Migrate From Oracle To Postgresql With Azure: Webinar Series
No ratings yet
Migrate From Oracle To Postgresql With Azure: Webinar Series
21 pages
Oracle To Postgres Conversion
No ratings yet
Oracle To Postgres Conversion
6 pages
Testing Pentest
No ratings yet
Testing Pentest
53 pages
Ibm Redbook - Db2 Web Query
No ratings yet
Ibm Redbook - Db2 Web Query
606 pages
Weblogic Admin Responsibilities
No ratings yet
Weblogic Admin Responsibilities
2 pages
Cursor Trigger
No ratings yet
Cursor Trigger
7 pages
6292A-En - Student Companion Content
No ratings yet
6292A-En - Student Companion Content
790 pages
Lab01
No ratings yet
Lab01
5 pages
2011NoCOUG - HistOPA 2
No ratings yet
2011NoCOUG - HistOPA 2
24 pages
ES-Microsoft Intune
No ratings yet
ES-Microsoft Intune
9 pages
TUT - SQL Server Transaction Logs
No ratings yet
TUT - SQL Server Transaction Logs
19 pages
Azure Virtual Datacenter
100% (1)
Azure Virtual Datacenter
41 pages
Office 365 SMB Pitch Deck
No ratings yet
Office 365 SMB Pitch Deck
49 pages
Bitlocker: Microsoft Encryption Solution
No ratings yet
Bitlocker: Microsoft Encryption Solution
18 pages
Oracle Essbase 11.1.1.2 For System Administrator
No ratings yet
Oracle Essbase 11.1.1.2 For System Administrator
3 pages
Windows 7 Sample QP
No ratings yet
Windows 7 Sample QP
10 pages
6822 Protecting Your Data With Windows 10 BitLocker
No ratings yet
6822 Protecting Your Data With Windows 10 BitLocker
6 pages
Election Precinct Procedures Binder
No ratings yet
Election Precinct Procedures Binder
409 pages
CheatSheet WLSEssentials
No ratings yet
CheatSheet WLSEssentials
2 pages
Cheatsheet Wlsessentials PDF
No ratings yet
Cheatsheet Wlsessentials PDF
2 pages
Oracle Backup Recovery
No ratings yet
Oracle Backup Recovery
18 pages
CH 06 I C
No ratings yet
CH 06 I C
105 pages
SystemInfo v2
No ratings yet
SystemInfo v2
12 pages
Guidelines For Application-Specific Indexes: See Also
No ratings yet
Guidelines For Application-Specific Indexes: See Also
10 pages
Azure 303 Practice Test 01
No ratings yet
Azure 303 Practice Test 01
74 pages
SCH Tasks 71524
No ratings yet
SCH Tasks 71524
12 pages
Aindumps AZ-301 v2019-06-29 by Eric 69q
No ratings yet
Aindumps AZ-301 v2019-06-29 by Eric 69q
66 pages
Microsoft Testking 70-697 v2018-09-17 by Carter 165q
No ratings yet
Microsoft Testking 70-697 v2018-09-17 by Carter 165q
134 pages
Administrative Support Guide Conducting Speaking Assessments 2020 SERIES
No ratings yet
Administrative Support Guide Conducting Speaking Assessments 2020 SERIES
31 pages
Windows 7 Privacy Statement en
No ratings yet
Windows 7 Privacy Statement en
61 pages
Nov2023 Hdin Studentname A201in CW Ms
No ratings yet
Nov2023 Hdin Studentname A201in CW Ms
9 pages
98-368 Test Bank Lesson 01
No ratings yet
98-368 Test Bank Lesson 01
7 pages
M206971 - Installing and Configuring Windows 10
No ratings yet
M206971 - Installing and Configuring Windows 10
5 pages
Business Continuity For EBS Using Oracle 11g Physical Standby DB (Oracle E-Business Suite Technology)
No ratings yet
Business Continuity For EBS Using Oracle 11g Physical Standby DB (Oracle E-Business Suite Technology)
7 pages
Bitlocker Deployment Guide
No ratings yet
Bitlocker Deployment Guide
80 pages
1101 Chapter 09 Implementing Mass Storage - Slide Handouts
No ratings yet
1101 Chapter 09 Implementing Mass Storage - Slide Handouts
22 pages
Oracle Unified and Internet Directory
No ratings yet
Oracle Unified and Internet Directory
7 pages
Sophos Endpoint For Windows
No ratings yet
Sophos Endpoint For Windows
18 pages
Lab Project Portfolio Report
No ratings yet
Lab Project Portfolio Report
29 pages
Configuring and Troubleshooting Network File and Print Services
No ratings yet
Configuring and Troubleshooting Network File and Print Services
31 pages
Fujitsu Siemens Lifebook A544 BIOS Downgrade
No ratings yet
Fujitsu Siemens Lifebook A544 BIOS Downgrade
5 pages
New DBA
No ratings yet
New DBA
8 pages
Simplified EasyBuild Guide - English
No ratings yet
Simplified EasyBuild Guide - English
3 pages
TestOut LabSim - PDF 8-03
No ratings yet
TestOut LabSim - PDF 8-03
2 pages
Oracle Essbase 9 Implementation Guide
From Everand
Oracle Essbase 9 Implementation Guide
Joseph Sydney Gomez
No ratings yet
Mastering Active Directory
From Everand
Mastering Active Directory
VICTOR P HENDERSON
No ratings yet
ORACLE 12C Complete Self-Assessment Guide
From Everand
ORACLE 12C Complete Self-Assessment Guide
Gerardus Blokdyk
No ratings yet