Performing Push Operations

Push operations are operations that the server pushes directly to client computers with no policy installation required.

Note - If there is no response from the Endpoint Security client, the Push Operation will time out after 24 hours. You must reinitiate the Push Operation.

00:00: The Run Diagnostics push operation allows you to collect CPU and RAM usage information of an endpoint for your analysis. 00:09: Log in to the Infinity Portal, access Harmony Endpoint and click Asset Management. 00:15: Expand Organization and select computers. 00:19: Right click the endpoint for which you want to perform the Run Diagnostics push operation, select diagnostics, and then click Run Diagnostics. Note that the Run Diagnostics push operation can be executed only on one endpoint at a time. 00:34: To view the status of the operation, click push operation and view the status column. When the status is complete, click View Report. 00:42: The report shows a graphical representation of the CPU and RAM usage of the endpoint. 00:48: Thank you for watching the video.

To add a Push Operation:

  1. Go to the Push Operation view and click Add.

  2. Select the push operation and click Next.

    Category

    Push Operations

    Windows

    macOS

    Linux

    Anti-MalwareClosed A component of the Endpoint Security client that protects against known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers.

    Scan for Malware

    Yes

    Yes

    Yes

    Update Malware Signature Database

    Yes

    Yes

    Yes

    Restore Files from Quarantine

    Yes

    Yes

    Yes

    Forensics and Remediation

    Analyze by Indicator

    Yes

    Yes

    No

    File Remediation

    Yes

    Yes

    Yes

    Isolate Computer

    Yes

    Yes

    No

    Release Computer

    Yes

    Yes

    No

    Agent Settings

     

     

    Deploy New Endpoints

    Yes

    No

    No

    Collect Client Logs

    Yes

    Yes

    No

    Repair Client

    Yes

    No

    No

    Shutdown Computer

    Yes

    Yes

    No

    Restart Computer

    Yes

    Yes

    No

    Uninstall Client

    Yes

    Yes

    No

    Application Scan

    Yes

    Yes

    No

    Kill Process

    Yes

    Yes

    No

    Remote Command

    Yes

    Yes

    Yes

    Registry Actions

    Yes

    No

    No

    File Actions

    Yes

    Yes

    No

    Collect Processes

    Yes

    No

    No

  3. Select the devices on which you want to perform the push operation.

    Note - You can perform Run Diagnostics on only one device at a time.

  4. Click Next.

  5. Configure the operation settings.

    6. Push Operations

    Description

    2FA Required

    Scan for Malware

    Runs an Anti-Malware scan on the computer or computers, based on the configured settings.

    No

    Update Malware Signature Database

    Updates malware signatures on the computer or computers, based on the configured settings.

    No

    Restore Files from Quarantine

    Restores files from quarantine on the computer or computers, based on the configured settings.

    To restore files from quarantine:

    1. In the Full Path field, enter the path to file before it was quarantined including the file name. For example, c:\temp\eicar.txt

    2. Click OK.

    No

    Push Operations

    Description

    2FA Required

    Analyze by Indicator

    Manually triggers collection of forensics data for an endpoint device that accesses or executes the indicator. The indicator can be a URL, an IP, a path, a file name or an MD5.

    No

    File Remediation

    Quarantines malicious files and remediates them as necessary.

    To move or restore files from quarantine:

    1. Click and select the organization.

    2. Click Update Selection.

    3. Select the device and click Next.

    4. Add Comment, optional comment about the action.

    5. To move the files to quarantine, select Move the following files to quarantine.

    6. To restore the files from quarantine, select Restore the following files to quarantine.

    7. Click .

    8. From the drop-down:

      1. Select Full file path or Incident ID:

        1. In the Element field, enter the incident ID from the Harmony Endpoint Security client or enter the incident UID for the corresponding incident from the Logs menu in the Harmony Endpoint portal. To obtain the incident UID, open the log entry and expand the More section to view the incident UID.

        2. Click OK

      2. Select MD5 Hash:

        1. Enter or upload the Element.

        2. Click OK.

    9. Click Finish.

    		 No

    Isolate Computer

    Makes it possible to isolate a specific device that is under malware attack and poses a risk of propagation. This action can be applied on one or more devices. The Firewall component must be installed on the client in order to perform isolation. Only DHCP, DNS and traffic to the management server are allowed.

    		 No

    Release Computer

    Removes device from isolation. This action can be applied on one or more devices.

    		 No

    Push Operations

    Description

    2FA Required

    Deploy New Endpoints

    Installs the Initial Client on the target devices remotely using any device as the medium to run the push operation. This is suitable if do not have third party tools such as Microsoft System Center Configuration Manager (SCCM) or Intune to install the client.

    Field

    Description

    Comment

    Optional comment about the action.

    Select the deployment endpoint

    Select the target endpoint or device where you want to install the Initial Client from the organizational tree.

    Caution - The target device must not be the same as the source device.

    Endpoint version

    Select the Harmony Endpoint Security Client version to install on the target device.
    		No

    Collect Client Logs

    Collects CPInfo logs from an endpoint based on the configured settings.

    • For macOS, client logs are stored in the directory /Users/Shared/cplogs.

    Field

    Description

    Comment

    Optional comment about the action.

    Log set to collect

    Select the scope of information for the logs.

    Debug Info upload

    Select the location to upload the logs:

    • Upload CPInfo reports to Check Point servers

    • Upload CPInfo reports to Corporate server - Update the relevant corporate server information.
    		No

    Repair Client

    Repairs the Endpoint Security client installation. This requires a computer restart.

    Note - This push operation applies only to Harmony Endpoint Security clients that have been upgraded to a newer version at least once after the installation.
    		No

    Shutdown Computer

    Shuts down the computer or computers based on the configured settings.

    		 No

    Restart Computer

    Restarts the computer or computers based on the configured settings.

    		 No

    Uninstall Client

    Uninstalls the Endpoint Security client remotely on the selected devices. This feature is supported for E84.30 client and above.

    		 Yes

    Application Scan

    Collects all available applications in a certain folder on a set of devices and then adds them to the application repository of the "Application ControlClosed Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI." blade on that specific tenant.

    		 No

    Kill Process

    Remotely kills/ terminate the processes.

    		 No

    Remote Command

    • Allows administrators to run both signed (introduced by CP) and unsigned (ones the customer creates) scripts on the Endpoint Client devices.

    • Especially useful in a non-AD environment.

    • Supplies tools/fixes to customers without the need to create new EP client/server versions.

    • Saves passwords securely when provided.

    The Remote Command feature is supported only in Windows clients running version E85.30 and above
    		Yes

    Search and Fetch files

    Searches and uploads files to a server.

     

    Supported fields are:

    Field

    Description

    Comment

    Optional comment about the action.

    Search and Fetch files

    Locate the following files in the specific folders

    Searches for the files in the specified folders.

    1. In the File table, click .

    2. Enter the file name. For example, test.txt or test.zip and click OK.

    3. Repeat the steps 1 and 2 for additional files.

    4. In the Folder Path table, click

    5. Enter the path and click OK.

    6. Repeat the steps 4 and 5 for additional paths.

    Locate the following files by exact path

    Searches for the files in the specified path.

    1. In the File table, click .

    2. Enter the path where you ant to search for the file and click OK.

    3. Repeat the steps for additional paths.

    Files upload

    Select the Upload files to

    		 Select the checkbox to upload the files to a server.

    Corporate Server Info

    1. Specify these:

      1. Protocol

      2. Server address

      3. Path on server

      4. Server fingerprint

    2. If the server requires login to access it, select the Use specific credentials to upload checkbox, and enter Login and Password.

    Yes

    Registry Actions

    Add or remove a registry key.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action.

    • Add Key to Registry

    • Remove Key From Registry

      Caution - Removing a registry might impact the endpoint's operating system.

    Add Key to Registry

    Key

    Full path where you want to add the registry key.

    For example, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Endpoint Analysis

    Subkey

    Enter the key name to add in the registry. For example, ProductVersion.

    Value Type

    Select the registry type.

    Value

    Enter the registry value.

    Is redirected

    Indicates that virtualization is enabled and add the registry to 32-bit. By default, the registry is added for 64-bit.

    Remove Key From Registry

    Key

    Full path of registry key that you want to delete.

    For example, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Endpoint Analysis

    Caution - Removing a registry might impact the endpoint's operating system.

    Subkey

    Enter the key name to remove from the registry. For example, ProductVersion.

    Is redirected

    Indicates that virtualization is enabled and delete the registry in 32-bit. By default, the registry is deleted for 64-bit.

    To change the working hours to allow the Anti-Malware signature updates on a DHS compliant Endpoint Security client, see sk180559.

    No

    File Actions

    Copy, move or delete the file or folder.

    Supported fields:

    Note - The folder actions are supported only with the Endpoint Security Client version 87.20 and higher.

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action.

    • Copy File

    • Move File

    • Delete File

      Caution - Deleting a file might impact Harmony Endpoint's protected files.

    Copy File

    File path

    Full path of the file or folder you want to copy, including the file or folder name.

    Example:

    • For File - C:\Users\<user_name>\Desktop\test.doc

    • For Folder - C:\Users\Username\Desktop\

    Target file path

    Full path where you want to paste the file or folder.

    Example:

    • For File - C:\Users\<user_name>\Documents

    • For Folder - C:\Users\Username2\

    Notes:

    • The file or folder name you specify is used to rename the copied file.

    • If you provide the folder path only, the file is copied with the original file name.

    • If the file or folder already exists, the file is not overwritten and the operation fails.

    • If the file path or target folder does not exist, it is created during the operation.

    Move File

    File path

    Full path of the file or folder you want to move, including the file or folder name.

    Example:

    • For File - C:\Users\<user_name>\Desktop\test.doc

    • For Folder - C:\Users\Username>\Desktop\

     

    Target file path

    Path where you want to move the file or folder.

    Example:

    • For File - C:\Users\<user_name>\Documents

    • For Folder - C:\Users\Username1\Documents\

    Notes:

    • If you provide the full file path, the is moved with the specified name.

    • If you provide the folder path only, the file is moved with the original file name.

    • If the file or folder already exists, the file or folder is not overwritten and the operation fails.

    • If the file path or target folder does not exist, it is created during the operation.

    Delete File

    File path

    Full path of the file you want to delete, including the file name.

    For example, C:\Users\<user_name>\Desktop\test.doc

    Caution - Deleting a file might impact Harmony Endpoint's protected files.

    Note - Delete folder action is not supported.

    No

    Collect Processes

    Collects information about the process running on the endpoint.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Collect all processes

    Collects information about all the processes running on the endpoint.

    Collect process by name

    Collects information about a specific process on the endpoint.

    Process name

    Enter the process name. Case-sensitive.

    Additional output fields

    Select the additional information you want to view in the collected information.

    No

  6. Under User Notification:

    • To notify the user about the push operation, select the Inform user with notification checkbox.

    • To allow the user to post pone the push operation, select the Allow user to postpone operation checkbox.

  7. Under Scheduling:

    • To execute the push operation immediately, click Execute operation immediately.

    • To schedule the push operation, click Schedule operation for and click to select the date.

  8. For Push Operations that support 2FA authentication, you are prompted to enter the verification code.

    If you have not enabled 2FA authentication, a prompt appears to enable 2FA authentication:

  9. Click Finish.

  10. View the results of the operations on each endpoint in the Endpoint List section (in the Push Operations menu) at the bottom part of the screen.