Managing Computers

Select the checkbox to the left of the applicable computers and right-click to perform these actions:

General Actions

You can view logs of computers based on it's IP address.

To view computer logs by it's IP address:

  1. Go to Asset Management > Computers.

  2. Select the applicable computer or user from the list.

  3. From the top toolbar, click .

  4. Select General Actions > View Computer Logs.

    The system opens the Logs menu and shows the computer logs.

You can create a virtual group. See Managing-Virtual-Groups.htm.

You can add computers to a new virtual group. See Managing-Virtual-Groups.htm.

You can add a computer to a virtual group. See Managing-Virtual-Groups.htm.

When the Endpoint client is installed on a computer, information about the computer is sent to and stored on the Endpoint Security Management ServerClosed A Security Management Server that manages your Endpoint Security environment. Includes the Endpoint Security policy management and databases. It communicates with endpoint clients to update their components, policies, and protection data..

Resetting a computer means deleting all information about it from the server.

Resetting a computer does not remove the object from the Active Directory tree or change its position in the tree.

Important - You can only reset a computer if the Endpoint client is not installed. If you reset a computer that has Endpoint installed, important data is deleted and the computer can have problems communicating with the Endpoint Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

Computer reset:

  • Removes all licenses from the computer.

  • Deletes the settings of users that can log on to it.

  • Removes the computer from Endpoint Security Monitoring.

  • Marks the computer as unregistered.

After you reset a computer, you must reformat it before it can connect again to the Endpoint Security service.

You may decide to reset a computer if:

  • The Endpoint client was uninstalled or the computer is re-imaged.

  • It is necessary to reset the computer's configuration before a new Endpoint client is installed. For example, if the computer is transferred to a different person.

Removes the asset from the Local or Active Directory and adds it to Deleted Entities in the Organizational Tree. This operation discards the assets license information. You can use this operation when you remove an asset from your domain.

Note - If the Endpoint Security client is still installed on the asset, the client continues to receive the updates from the Endpoint Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

To add the asset back to the Active Directory, see Recover.

Adds the deleted asset back to the Local or Active Directory from Deleted Entities in the Organizational Tree. The asset's status is not Active until its Endpoint Security client connects and synchronizes with the Endpoint Security Management Server. You can use this operation when you add an asset back to the domain.

Note - You can recover only a deleted asset.

Warning - Removes the asset from the Harmony Endpoint management permanently. You cannot recover a terminated asset. We recommend to terminate an asset only if it is discarded or disposed or the Endpoint Security client is uninstalled.

Harmony Endpoint can scan and import users, groups, Organizational units (OUs) and computers from multiple supported directory domains. See Managing Active Directory Scanners.

Push Operations

  1. Go to Asset Management > Computers.

  2. Right-click on a computer, select a category and select a push operation.

    Category

    Push Operations

    Windows

    macOS

    Linux

    Anti-MalwareClosed A component on Endpoint Security Windows clients. This component protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers.

    Scan for Malware

    Yes

    Yes

    Yes

    Update Malware Signature Database

    Yes

    Yes

    Yes

    Restore Files from Quarantine

    Yes

    Yes

    Yes

    Forensics and Remediation

    Analyze by Indicator

    Yes

    Yes

    No

    File Remediation

    Yes

    Yes

    Yes

    Isolate Computer

    Yes

    Yes

    No

    Release Computer

    Yes

    Yes

    No

    Agent Settings

    Deploy New Endpoints

    Yes

    No

    No

    Collect Client Logs

    Yes

    Yes

    No

    Collect Client Logs Offline

    Yes

    Yes

    No

    Repair Client

    Yes

    No

    No

    Shutdown Computer

    Yes

    Yes

    No

    Restart Computer

    Yes

    Yes

    No

    Uninstall Client

    Yes

    Yes

    No

    Application Scan

    Yes

    Yes

    No

    Kill Process

    Yes

    Yes

    No

    Remote Command

    Yes

    Yes

    Yes

    Search and Fetch files

    Yes

    Yes

    No

    Registry Actions

    Yes

    No

    No

    File Actions

    Yes

    Yes

    No

    VPN Site

    Yes

    Yes

    No

    Collect Processes

    Yes

    No

    No

    Run Diagnostics

    Yes

    Yes

    No

  3. Select the devices on which you want to perform the push operation.

    Note - You can perform Run Diagnostics on only one device at a time.

  4. Click Next.

  5. Configure the operation settings.

    6. Push Operations

    Description

    2FA Required

    Scan for Malware

    Runs an Anti-Malware scan on the computer or computers, based on the configured settings.

    No

    Update Malware Signature Database

    Updates malware signatures on the computer or computers, based on the configured settings.

    No

    Restore Files from Quarantine

    Restores files from quarantine on the computer or computers, based on the configured settings.

    To restore files from quarantine:

    1. In the Full Path field, enter the path to file before it was quarantined including the file name. For example, c:\temp\eicar.txt

    2. Click OK.

    No

    Push Operations

    Description

    2FA Required

    Analyze by Indicator

    Manually triggers collection of forensics data for an endpoint device that accesses or executes the indicator. The indicator can be a URL, an IP, a path, a file name or an MD5.

    No

    File Remediation

    Quarantines malicious files and remediates them as necessary.

    To move or restore files from quarantine:

    1. Click and select the organization.

    2. Click Update Selection.

    3. Select the device and click Next.

    4. Add Comment, optional comment about the action.

    5. To move the files to quarantine, select Move the following files to quarantine.

    6. To restore the files from quarantine, select Restore the following files to quarantine.

    7. Click .

    8. From the drop-down:

      1. Select Full file path or Incident ID:

        1. In the Element field, enter the incident ID from the Harmony Endpoint Security client or enter the incident UID for the corresponding incident from the Logs menu in the Harmony Endpoint portal. To obtain the incident UID, open the log entry and expand the More section to view the incident UID.

        2. Click OK

      2. Select MD5 Hash:

        1. Enter or upload the Element.

        2. Click OK.

    9. Click Finish.

    		 No

    Isolate Computer

    Makes it possible to isolate a specific device that is under malware attack and poses a risk of propagation. This action can be applied on one or more devices. The Firewall component must be installed on the client in order to perform isolation. Only DHCP, DNS and traffic to the management server are allowed.

    		 No

    Release Computer

    Removes device from isolation. This action can be applied on one or more devices.

    		 No

    Push Operations

    Description

    2FA Required

    Deploy New Endpoints

    Installs the Initial Client on the target devices remotely using any device as the medium to run the push operation. This is suitable if do not have third party tools such as Microsoft System Center Configuration Manager (SCCM) or Intune to install the client.

    Field

    Description

    Comment

    Optional comment about the action.

    Select the deployment endpoint

    Target endpoint or device where you want to install the Initial Client.

    Caution - The target device must not be the same as the source device.

    Endpoint version

    Select the Harmony Endpoint Security Client version to install onm the target device.
    		No

    Collect Client Logs

    Collects CPInfo logs from an endpoint based on the configured settings.

    • For Windows, client logs are stored in the directory C:\Windows\SysWOW64\config\systemprofile\CPInfo.

    • For macOS, client logs are stored in the directory /Users/Shared/cplogs.

    Field

    Description

    Comment

    Optional comment about the action.

    Log set to collect

    Select the scope of information for the logs.

    Debug Info upload

    Select the location to upload the logs:

    • Upload CPInfo reports to Check Point servers

    • Upload CPInfo reports to Corporate server - Update the relevant corporate server information.
    		No

    Repair Client

    Repairs the Endpoint Security client installation. This requires a computer restart.

    Note - This push operation applies only to Harmony Endpoint Security clients that have been upgraded to a newer version at least once after the installation.
    		No

    Shutdown Computer

    Shuts down the computer or computers based on the configured settings.

    		 No

    Restart Computer

    Restarts the computer or computers based on the configured settings.

    		 No

    Uninstall Client

    Uninstalls the Endpoint Security client remotely on the selected devices. This feature is supported for E84.30 client and above.

    		 Yes

    Application Scan

    Collects all available applications in a certain folder on a set of devices and then adds them to the application repository of the "Application ControlClosed Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI." blade on that specific tenant.

    		 No

    Kill Process

    Remotely kills/ terminate the processes.

    		 No

    Remote Command

    • Allows administrators to run both signed (introduced by CP) and unsigned (ones the customer creates) scripts on the Endpoint Client devices.

    • Especially useful in a non-AD environment.

    • Supplies tools/fixes to customers without the need to create new EP client/server versions.

    • Saves passwords securely when provided.

    The Remote Command feature is supported only in Windows clients running version E85.30 and above
    		Yes

    Search and Fetch files

    Searches and uploads files to a server.

     

    Supported fields are:

    Field

    Description

    Comment

    Optional comment about the action.

    Search and Fetch files

    Locate the following files in the specific folders

    Searches for the files in the specified folders.

    1. In the File table, click .

    2. Enter the file name. For example, test.txt or test.zip and click OK.

    3. Repeat the steps 1 and 2 for additional files.

    4. In the Folder Path table, click

    5. Enter the path and click OK.

    6. Repeat the steps 4 and 5 for additional paths.

    Locate the following files by exact path

    Searches for the files in the specified path.

    1. In the File table, click .

    2. Enter the path where you ant to search for the file and click OK.

    3. Repeat the steps for additional paths.

    Files upload

    Select the Upload files to

    		 Select the checkbox to upload the files to a server.

    Corporate Server Info

    1. Specify these:

      1. Protocol

      2. Server address

      3. Path on server

      4. Server fingerprint

    2. If the server requires login to access it, select the Use specific credentials to upload checkbox, and enter Login and Password.

    Yes

    Registry Actions

    Add or remove a registry key.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action.

    • Add Key to Registry

    • Remove Key From Registry

      Caution - Removing a registry might impact the endpoint's operating system.

    Add Key to Registry

    Key

    Full path where you want to add the registry key.

    For example, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Endpoint Analysis

    Subkey

    Enter the key name to add in the registry. For example, ProductVersion.

    Value Type

    Select the registry type.

    Value

    Enter the registry value.

    Is redirected

    Indicates that virtualization is enabled and add the registry to 32-bit. By default, the registry is added for 64-bit.

    Remove Key From Registry

    Key

    Full path of registry key that you want to delete.

    For example, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Endpoint Analysis

    Caution - Removing a registry might impact the endpoint's operating system.

    Subkey

    Enter the key name to remove from the registry. For example, ProductVersion.

    Is redirected

    Indicates that virtualization is enabled and delete the registry in 32-bit. By default, the registry is deleted for 64-bit.

    To change the working hours to allow the Anti-Malware signature updates on a DHS compliant Endpoint Security client, see sk180559.

    No

    File Actions

    Copy, move or delete the file or folder.

    Supported fields:

    Note - The folder actions are supported only with the Endpoint Security ClientClosed Application installed on end-user computers to monitor security status and enforce security policies. version 87.20 and higher.

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action.

    • Copy File

    • Move File

    • Delete File

      Caution - Deleting a file might impact Harmony Endpoint's protected files.

    Copy File

    File path

    Full path of the file or folder you want to copy, including the file or folder name.

    Example:

    • For File - C:\Users\<user_name>\Desktop\test.doc

    • For Folder - C:\Users\Username\Desktop\

    Target file path

    Full path where you want to paste the file or folder.

    Example:

    • For File - C:\Users\<user_name>\Documents

    • For Folder - C:\Users\Username2\

    Notes:

    • The file or folder name you specify is used to rename the copied file.

    • If you provide the folder path only, the file is copied with the original file name.

    • If the file or folder already exists, the file is not overwritten and the operation fails.

    • If the file path or target folder does not exist, it is created during the operation.

    Move File

    File path

    Full path of the file or folder you want to move, including the file or folder name.

    Example:

    • For File - C:\Users\<user_name>\Desktop\test.doc

    • For Folder - C:\Users\Username>\Desktop\

     

    Target file path

    Path where you want to move the file or folder.

    Example:

    • For File - C:\Users\<user_name>\Documents

    • For Folder - C:\Users\Username1\Documents\

    Notes:

    • If you provide the full file path, the is moved with the specified name.

    • If you provide the folder path only, the file is moved with the original file name.

    • If the file or folder already exists, the file or folder is not overwritten and the operation fails.

    • If the file path or target folder does not exist, it is created during the operation.

    Delete File

    File path

    Full path of the file you want to delete, including the file name.

    For example, C:\Users\<user_name>\Desktop\test.doc

    Caution - Deleting a file might impact Harmony Endpoint's protected files.

    Note - Delete folder action is not supported.

    No

    VPN Site

    Adds or removes a VPN site.

     

    Limitations:

    • This is supported only with the Windows Endpoint Security client.

    • You cannot create separate VPN sites for each user that access the endpoint. The same VPN site applies to all users.

    • SoftID and challenge-response authentication methods are not tested.

    • The system does not validate the entries (for example, Server Name or Fingerprint) that you specify.

    • Only one fingerprint operation is supported at a time.

    • You cannot add a new VPN site or remove a VPN site if a VPN site is already connected in the Harmony Endpoint client. Disconnect the VPN site before you add a new VPN site.

    • This operation is not supported if the firewall policy for the client is configured through the on-premise Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. (Policy > Data Protection > Access & Compliance > Firewall > When using Remote Access, enforce Firewall Policy from is Remote Access Desktop Security Policy). To enable the operation on such a client:

      1. In the Security Gateway, change the parameter allow_disable_firewall to true in the $FWDIR/conf/trac_client_1.ttm file.

      2. Install the policy on the Security Gateway.

      3. Reboot the Harmony Endpoint client.

      4. Perform the push operation.

    Note - If the operation fails with timeout, see sk179798 for troubleshooting instructions.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action:

    • Add VPN Site

    • Remove VPN Site

    Add VPN Site

    Server Name

    Enter the IP address or FQDN of the remote access gateway.

    Note - Ensure the endpoint can resolve the FQDN to the IP address of the gateway.

    Use Custom Display Name

    Select the checkbox if you want to change the display name of the server in the Harmony Endpoint client.

    Display Name

    Server name displayed in the Harmony Endpoint client. By default, it uses the Server Name.

    To change the display name ,elect the Use Custom Display Name checkbox and enter a display name.

    Use Custom Login Option

    Select the checkbox if you want to use a custom login option.

    Login Option

    Login option for the server. By default, Standard login option is selected.

    To use a custom login option, select Use Custom Login Option checkbox, and enter the login option. This must match the Display Name specified in the GW properties > VPN Clients > Authentication > Multiple Authentication Clients Settings in the SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. For example, SAML IDP.

    For the Standard login option, make sure that the Authentication Method is Defined on User Record (Legacy). Otherwise, Standard: does not need authentication method error appears.

    Authentication Method

    Select an authentication method.

    The options displayed depend on the Login Option.

    Authentication methods for the Standard login option:

    • username-password

    • certificate (for a certificate stored in the CAPI store)

    • p12-certificate

    • securityIDKeyFob

    • securityIDPinPad

    • SoftID (not tested)

    • challenge-response (not tested)

    Authentication methods for the custom login option:

    • Select certificate from hardware or software token (CAPI)

    • Use certificate from Public-Key Cryptographic Standard (PKCS #12) file

    • Other

    Note - Select the relevant certificate authentication method if your custom login uses a certificate. Otherwise, select Other.

    Fingerprint

    Enter the fingerprint key.

    To get the fingerprint from SmartConsole:

    1. In SmartConsole, in the right pane, under Object Categories, click Servers > Trusted CA > internal ca.

      The Certificate Authority Properties window appears.

    2. Click the Local Security Management tab.

    3. Under Certificate, click View.

      The Certificate Authority Certificate View window appears.

    4. Scroll down to SHA-1 Fingerprints. The fingerprint is on line number 2.

    To get the fingerprint from the device:

    1. Manually add the VPN site in the client. For more information, see Endpoint Security Clients User Guide.

    2. After you add and connect to the VPN site successfully, In Registry Editor, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn.

    3. It displays a folder with the display name of your VPN site.

    4. Double-click the folder.

    5. In the right pane, under Name, double-click -- Fingerprint--.

      The Edit String window appears.

    6. Copy the fingerprint key from the Value data field.

    7. Click Cancel to close the window.

    8. Paste the fingerprint key in the Fingerprint field.

    Remote Access Gateway Name

    Enter the remote access gateway name.

    To get the remote access gateway name from SmartConsole:

    1. In SmartConsole, go to Gateways and Servers.

    2. Double-click the gateway.

      The Check Point Gateway window appears.

    3. Double-click IPSec VPN.

    4. Under Repository of Certificates Available to the Gateway, in the table, expand the DN column. The value after CN= indicates the remote access gateway name.

    To get the remote access gateway name from the device:

    1. In Registry Editor, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn.

    2. It shows a folder with the display name of your VPN site. Copy the folder name and paste it in the Remote Access Gateway Name field.

    Remove VPN Site

    Display Name

    Enter the display name for the server.

    No

    Collect Processes

    Collects information about the process running on the endpoint.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Collect all processes

    Collects information about all the processes running on the endpoint.

    Collect process by name

    Collects information about a specific process on the endpoint.

    Process name

    Enter the process name. Case-sensitive.

    Additional output fields

    Select the additional information you want to view in the collected information.

    No

    Run Diagnostics

    Runs diagnostics on an endpoint to collect this information:

    • Total CPU and RAM usage in the last 12 hours.

    • CPU usage by processes initiated in the last 12 hours. For example, the CPU used by Anti-Malware to scan files.

      You can review the CPU usage data to identify processes (scans) that consume CPU more than the specified threshold and exclude such processes from future scans.

      Note - This is supported with Endpoint Security client version E86.80 and higher.

      Warning - Only exclude a process if you are sure that the file is not malicious and is not vulnerable to cyber-attacks.

      To view the latest diagnostics report, see Show Last Diagnostics Report.

     

  6. Under User Notification:

    • To notify the user about the push operation, select the Inform user with notification checkbox.

    • To allow the user to post pone the push operation, select the Allow user to postpone operation checkbox.

  7. Under Scheduling:

    • To execute the push operation immediately, click Execute operation immediately.

    • To schedule the push operation, click Schedule operation for and click to select the date.

  8. Specify the duration after which the system automatically terminates the unexecuted push operation (For example, if the Endpoint client is offline):

    • 7 days

    • Custom

    • Never

  9. For Push Operations that support 2FA authentication, you are prompted to enter the verification code.

    If you have not enabled 2FA authentication, a prompt appears to enable 2FA authentication:

  10. Click Finish.

  11. View the results of the operations on each endpoint in the Endpoint List section (in the Push Operations menu) at the bottom part of the screen.

Report

Description

Run Diagnostics

To see the diagnostics report:

  1. Go to Push Operations menu.

  2. Select the row of the Run Diagnostics push operation you performed.

  3. In the Endpoint List table, under Operation Output column, click View Report.

Note - This is supported with Endpoint Security client version E86.80 and higher.

By default, the report shows the data for Total Usage.

  • To view the report per capability, in the left pane, under Process, click the capability.

  • In the CPU widget:

    • To change the CPU usage threshold, in the Threshold list, set a value (in percentage). The default value is 10 percent.

    • To set the selected threshold as default, click Set Default.

    Note - After changing the threshold, Harmony EndpointAdministrator Portal re-evaluates to suggest processes that exceeded the new threshold.

To add a suggested exclusion to the exclusion list:

  1. In the Suggested Exclusions area, clear the checkboxes if you do not want to exclude the processes from future scans. By default, all the processes are selected for exclusion.

  2. Click View Selected Exclusions.

  3. To add the exclusions to all the rules, select Global Exclusions.

    1. Click Create & Review.

    2. Click Save.

    3. From the top, click Install Policy.

  4. To add the exclusions to a specific ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session., select Device Exclusions Per Rule.

    1. Click Create & Review for the rule.

    2. Click OK.

    3. Click Save.

    4. From the top, click Install policy.

Diagnostics

Runs diagnostics on an endpoint to collect this information:

  • Total CPU and RAM usage in the last 12 hours.

  • CPU usage by processes initiated in the last 12 hours. For example, the CPU used by Anti-Malware to scan files.

    You can review the CPU usage data to identify processes (scans) that consume CPU more than the specified threshold and exclude such processes from future scans.

    Note - This is supported with Endpoint Security client version E86.80 and higher.

    Warning - Only exclude a process if you are sure that the file is not malicious and is not vulnerable to cyber-attacks.

    To view the latest diagnostics report, see Show Last Diagnostics Report.

To see the diagnostics report:

  1. Go to Push Operations menu.

  2. Select the row of the Run Diagnostics push operation you performed.

  3. In the Endpoint List table, under Operation Output column, click View Report.

Note - This is supported with Endpoint Security client version E86.80 and higher.

By default, the report shows the data for Total Usage.

  • To view the report per capability, in the left pane, under Process, click the capability.

  • In the CPU widget:

    • To change the CPU usage threshold, in the Threshold list, set a value (in percentage). The default value is 10 percent.

    • To set the selected threshold as default, click Set Default.

    Note - After changing the threshold, Harmony EndpointAdministrator Portal re-evaluates to suggest processes that exceeded the new threshold.

To add a suggested exclusion to the exclusion list:

  1. In the Suggested Exclusions area, clear the checkboxes if you do not want to exclude the processes from future scans. By default, all the processes are selected for exclusion.

  2. Click View Selected Exclusions.

  3. To add the exclusions to all the rules, select Global Exclusions.

    1. Click Create & Review.

    2. Click Save.

    3. From the top, click Install Policy.

  4. To add the exclusions to a specific rule, select Device Exclusions Per Rule.

    1. Click Create & Review for the rule.

    2. Click OK.

    3. Click Save.

    4. From the top, click Install policy.

Shows the latest diagnostics report. By default, Harmony Endpoint runs the diagnostics every four hours.

Note - This is supported with the Endpoint Security client version E86.80 and higher.

For more information about the diagnostics report, see Run Diagnostics in Performing Push Operations.

Full Disk Encryption

You can view, create, lock and unlock authorized Pre-boot users. See Authentication-before-OS-Loads-Pre-boot.htm.

Remote Help and Recovery

If the operating system does not start on a client computer due to system failure, you can recover your data from the computer:

You can recover removable media passwords remotely, using a challenge/response procedure. See Media Encryption Remote Help.

You can give access to users who are locked out of their Full Disk Encryption protected computers. See Giving Remote Help to Full Disk Encryption Users.