Secure Configuration Verification - Advanced

Advanced SCV Policy

Additional SCV Checks

The default SCV checks (plug-ins) are part of the Endpoint Security VPN and Check Point Mobile for Windows installation:

OS Monitor - Verifies Operating System version, Service Pack, and Screen Saver configuration (activation time, password protection, etc.).
HotFix Monitor - Verifies that operating system security patches are installed, or not installed.
Group Monitor - Verifies that the user logged into the operating system and is a member of specified Domain User Groups.
Process Monitor - Verifies that a process is running, or not running, on the endpoint computer (for example, that a file sharing application is not running, or that Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. is running).
Browser Monitor - Verifies Internet Explorer version and configuration settings, such as Java and ActiveX options.
Registry Monitor - Verifies System Registry keys, values, and their contents.
Anti-Virus Monitor - Verifies that an Anti-Virus is running and checks its version. Supported: Norton, Trend Office Scan, and McAfee.
SCVMonitor - Verifies the version of the SCV product, specifically the versions of the SCV DLLs installed on the client's machine.
HWMonitor - Verifies CPU type, family, and model.
ScriptRun - Runs a specified executable on the client machine and checks the return code of the executable. For example, a script can check if a certain file is present on the client machine. It can perform additional configuration checks that you choose.
Windows Security Monitor - Verifies that components monitored by Window Security Center are installed and enforced (for example, check if there is Anti-Virus installed and running). You can define which components you want to check.

Anti-Virus monitor

This check is for the type and signature of Anti-Virus. It does not support begin_or or begin_and.

Parameter	Description
`Type ("av_type")`	Type of Anti-Virus. For example, "Norton", "VirusScan", "McAfee", "OfficeScan", or "ZoneLabs".
`Signature(x)`	Required Virus definition file signature. The signature's format depends on the Anti-Virus type. Norton Antivirus example: ">=20031020" (format for Norton's AV signature is "yyyymmdd") TrendMicro Officescan example: "<650" McAfee VirusScan example: (">404291") for a signature greater than 4.0.4291 Zone Labs format: (">X.Y.Z") where X = Major Version, Y = Minor Version, and Z = Build Number of the .dat signature file

Parameter

Description

Type ("av_type")

Type of Anti-Virus. For example, "Norton", "VirusScan", "McAfee", "OfficeScan", or "ZoneLabs".

Signature(x)

Required Virus definition file signature. The signature's format depends on the Anti-Virus type.

Norton Antivirus example: ">=20031020" (format for Norton's AV signature is "yyyymmdd")
TrendMicro Officescan example: "<650"
McAfee VirusScan example: (">404291") for a signature greater than 4.0.4291
Zone Labs format: (">X.Y.Z") where X = Major Version, Y = Minor Version, and Z = Build Number of the .dat signature file

"BrowserMonitor"

This check is only for Internet Explorer version, or only the browser settings for a certain zone. If none of these parameters appear, BrowserMonitor will not check the security settings of the restricted zones:

restricted_download_signed_activex
restricted_run_activex
restricted_download_files
restricted_java_permissions

If the parameter "browser_major_version" does not appear or is equal to zero, the IE version number is not checked.

BrowserMonitor does not support the begin_or or begin_and, and does not support the admin parameters.

Parameter	Description
`browser_major_version (#)`	Major version number of Internet Explorer. If this field does not exist in the local.scv file, or if this value is 0, the IE version will not be checked as part of the BrowserMonitor check.
`browser_minor_version (#)`	Internet Explorer minor version number.
`browser_version_operand (">=")`	The operator used for checking the Internet Explorer's version number.
`browser_version_mismatchmessage ("Please upgrade your Internet Browser.")`	Message to be displayed for a non-verified configuration of Internet Explorer.
`intranet_download_signed_activex (enable)`	The maximum permission level that IE should have for downloading signed ActiveX controls from within the local Intranet.
`intranet_run_activex (enable)`	The maximum permission level that IE should have for running signed ActiveX controls from within the local Intranet.
`intranet_download_files (enable)`	The maximum permission level that IE should have for downloading files from within the local Intranet.
`intranet_java_permissions (low)`	The maximum security level that IE Explorer should have for running java applets from within the local Intranet.
`trusted_download_signed_activex (enable)`	The maximum permission level that IE should have for downloading signed ActiveX controls from trusted zones.
`trusted_run_activex (enable)`	The maximum permission level that IE should have for running signed ActiveX controls from trusted zones.
`trusted_download_files (enable)`	The maximum permission level that IE should have for downloading files from trusted zones.
`trusted_java_permissions (medium)`	The maximum security level that IE should have for running java applets from trusted zones.
`internet_download_signed_activex (disable)`	The maximum permission level that IE should have for downloading signed ActiveX controls from the Internet.
`Internet_run_activex (disable)`	The maximum permission level that IE should have for running signed ActiveX controls from the Internet.
`internet_download_files (disable)`	The maximum permission level that IE should have for downloading files from the Internet.
`internet_java_permissions (disable)`	The maximum security level that IE should have for running java applets from the Internet.
`restricted_download_signed_activex (disable)`	The maximum permission level that IE should have for downloading signed ActiveX controls from restricted zones.
`restricted_run_activex (disable)`	The maximum permission level that IE should have for running signed ActiveX controls from restricted zones.
`restricted_download_files (disable)`	The maximum permission level that IE should have for downloading files from restricted zones.
`restricted_java_permissions (disable)`	The maximum security level that IE should have for running java applets from restricted zones.
`send_log (type)`	Whether to send a log to Security Management server for specifying that the client is not verified: log or alert. Does not support begin_admin.
`internet_options_mismach_message ("Your Internet browser settings do not meet policy requirements")`	Mismatch message for the Internet Explorer settings.

"Groupmonitor"

This checks that the logged on user belongs to the expected domain user groups.

Parameter	Description
`"builtin\administrator" (false)`	A name of a user group. The user must belong to this group for the machine configuration to be verified.

"HotFixMonitor"

This check is for Check PointHotfixes. Some of these parameters may not appear at all, or may appear more than once in the local.scv file. These parameters can be in OR and AND sections.

Parameter	Description
`HotFix_Number (true)`	A number of a system HotFix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. to be checked. In order for the machine to be verified, the HotFix should be installed, for example: "823980(true)" verifies that Microsoft's RPC patch is installed on the operating system.
`HotFix_Name (true)`	The full name of a system HotFix to be checked. In order for the machine to be verified, the HotFix should be installed, for example: "KB823980(true)" verifies that Microsoft's RPC patch is installed on the operating system.

"HWMonitor"

This check is for CPU details. It does not support the begin_or or begin_and.

Parameter	Description
`cputype ("GenuineIntel")`	The CPU type as described in the vendor ID string. The string has to be exactly 12 characters long. For example: "GenuineIntel", or "AuthenticAMD", or "aaa bbb ccc " where spaces count as a character.
`cpufamily` (6)	The CPU family.
`cpumodel` (9)	The CPU model.

"SCVMonitor"

This check is for the version of SCV. It does not support begin_and or begin_or.

Parameter	Description
`scv_version(">=541000076")`	SCV build-version of the SCV DLLs. This is not the same as the build number of Endpoint Security VPN. The string is an operator followed by the DLL's version number in the format "vvshhhbbb". For example, if you want the DLL version to be at least 54.1.0.220, the syntax should be: `scv_version (">=541000220")`

Parameter

Description

scv_version(">=541000076")

SCV build-version of the SCV DLLs. This is not the same as the build number of Endpoint Security VPN.

The string is an operator followed by the DLL's version number in the format "vvshhhbbb". For example, if you want the DLL version to be at least 54.1.0.220, the syntax should be:

scv_version (">=541000220")

"ScriptRun"

This check lets you run a specified executable on the client machine and checks the return code of the executable. For example, a script can check if a certain file is present on the client machine. It can perform additional configuration checks that you choose. If you do not enter a real script name, no script runs.

Important - If you enter invalid values for any of the attributes, for example letters instead of numbers, the computer that runs the script is considered not compliant.

Parameter	Description
`exe ("c:\Users\nonadmin\script.exe')`	The name and full path of the executable script on users' machines. The extension can be any executable, for example, .pl, .bat.
`script_run_cycle (#)`	After how many cycles to run the script. A cycle is an interval defined in the gobal `scv_checks_interval.` It is 20 second by default and by default the script runs after every cycle (1).
`run_as_admin (no)`	Determines if the script runs with Administrator or User permissions. The default is "no". If the value is "yes" the script runs with Administrator permissions.
`run_timeout (#)`	Time in seconds to wait for the executable to finish running. If it does not finish in the set time, the machine is considered not compliant. The default value is 0, no timeout.

"user_policy_scv"

This check is for user behavior and user notifications.

Parameter	Description
`logged_on_to_policy_server` (`true` or `false`)	Specifies whether the user has to be logged on to a Policy Server to meet SCV.
`policy_refresh_rate` ("[`INTEGER`]")	Time, in hours, for which the desktop policy remains valid. After 168 hours the desktop policy is not considered valid, and the user does not meet SCV any longer. If this parameter is not specified, the policy is not checked for freshness.
`mismatchmessage` ("[`YOUR MESSAGE`]")	The message shown to the user of the endpoint computer when the user_policy_scv check fails.
`dont_enforce_while_connecting`	If this parameter is present, the user meets SCV while connecting to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. The user meets SCV only for the duration of the connect process.

"SCVGlobalParams"

These parameters specify what the Remote Access client does when the endpoint computer is not compliant with the SCV policy.

Parameter	Description
`ect_when_not_verified(true`/`false`)	If "`true`", the Remote Access client stops the connection to the Security Gateway when the endpoint computer fails the SCV check.
`block_connections_on_unverified` (`true`/`false`)	If "true", the Remote Access client blocks the connection to the Security Gateway when the endpoint computer

Parameters:

Do not enclose boolean parameters (true or false) n quotation marks.

block_connections_on_unverified (true/false)
ip_forwarding_mismatchmessage ("Message string placed here")

The value is a string displayed when ip forwarding is enabled. For example: ip_forwarding_mismatchmessage ("Please....etc")

This is relevant only if IP Forwarding is part of the SCV checks, that is, if the parameter is defined as "True".
not_verified_script ("script_name.bat")

The name of executable that will be run when the Desktop does not meet SCV. The next three parameters provide more options related to the running of the executable.
not_verified_script_run_show (true/false)

If "true", the executable's progress will be displayed in an onscreen window.
not_verified_script_run_admin (true/false)

If "true", the executable will run with administrator privileges.
not_verified_script_run_always (true/false)

If "true", the executable will run every time the Desktop does not meet SCV. If "false", it will run once per the Remote Access client session.
:allow_non_scv_clients (true/false)

If "true", the client will send a verified state to the enforcing Security Gateway even if the OS does not support SCV.

SCV Checks for macOS Endpoint Computers

Starting from the standalone Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server. Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. Client version E88.40, you can configure SCV checks for macOS endpoint computers in the local.scv configuration file on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.. The file syntax and functionality of an SCV check is the same for Windows and macOS. These sections of the file are relevant for macOS endpoint computer:

:SCVPolicyMac
:SCVNamesMac
:SCVGlobalParams (relevant for Windows and macOS)

To apply the SCV check on the macOS endpoint computer, you must change the value of a registry parameter.

Step 1: Management Server Configuration

Connect to the command line on the Management Server.
Log in to the Expert mode.
On a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., switch to the context of the Domain Management Server:

[Expert@HostName]# mdsenv <Domain_Name>
Back up the $FWDIR/conf/local.scv file.

[Expert@HostName]# cp $FWDIR/conf/local.scv $FWDIR/conf/local.scv_ORIGINAL
Edit and configure the $FWDIR/conf/local.scv file:

[Expert@HostName]# vi $FWDIR/conf/local.scv

Add the :SCVNamesMac and :SCVPolicyMac sections to the file. In this example, an SCV policy checks if some applications are running:

							:SCVNamesMac (
							: (OsMonitor
							:type (plugin)
							:parameters (
							:major_os_version_number (13)
							:minor_os_version_number (2)
							:os_version_operand (">=")
							:begin_admin (admin)
							:send_log (alert)
							:mismatchmessage ("Check your OS version")
							:end (admin)
							)
							)
							: (ProcessMonitor
							:type (plugin)
							:parameters (
							:begin_or (or1)
							:begin_and (and1)
							:ping (true)
							:Weather (true)
							:end (and1)
							:begin_and (and2)
							:Calculator (true)
							:Calendar (true)
							:end (and2)
							:end (or1)
							:begin_admin (admin)
							:send_log (alert)
							:mismatchmessage ("Please check that the following processes are running: ping and Weather or calculator and calendar")
							:end (admin)
							)
							)
							: (groupmonitor
							:type (plugin)
							:parameters (
							:begin_and (or1)
							:"test_group" (true)
							:"everyone" (false)
							:end (or1)
							:begin_admin (admin)
							:send_log (alert)
							:mismatchmessage ("You are using SecureClient with a non-authorized user. Make sure you are logged on as an authorized user.")
							:securely_configured_no_active_user (false)
							:end (admin)
							)
							)
							: (AntiVirusMonitor
							:type (plugin)
							:parameters (
							:type ("CrowdStrike")
							:signature ("27.11.2023")
							:begin_admin (admin)
							:send_log (alert)
							:mismatchmessage ("Please update your AntiVirus (use the LiveUpdate option).")
							:end (admin)
							)
							)
							)
							:SCVPolicyMac (
							: (ProcessMonitor)
						)

Install the policy.

Step 2: macOS Endpoint Computer Configuration

This procedure requires superuser privileges on the macOS endpoint computer.

Open the Terminal on the macOS endpoint computer.

Stop the GUI process:

sudo launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.checkpoint.eps.gui.plist

Stop the Check Point VPN service:

sudo launchctl bootout system /Library/LaunchDaemons/com.checkpoint.epc.service.plist

In a text editor, open the Remote Access VPN client registry file. This is the default file path:

/Library/Application Support/Checkpoint/Endpoint Connect/registry/HKLM_registry.data

Change the value of the "disable SCV" parameter:
- To enable the feature, set the value of the parameter to "0".
- To disable the feature, set the value of the parameter to "1".

Start the GUI process:

sudo launchctl bootstrap gui/$(id -u) /Library/LaunchAgents/com.checkpoint.eps.gui.plist

Start the Check Point VPN service:

sudo launchctl bootstrap system /Library/LaunchDaemons/com.checkpoint.epc.service.plist

Third Party SCV Checks

SCV checks can be written by third party vendors using Check Point's OPSEC SCV SDK.

Allowing Clients without SCV

The Allow non SCV clients option lets you allow Security Gateway connections from clients that do not have SCV, such as SecuRemote. The setting does not take effect if the endpoint client does have SCV. Therefore, if this option is configured, the Security Gateway still requires SCV compliance from Check Point Mobile for Windows or Endpoint Security VPN before they can access resources behind the Security Gateway. By default, this option is disabled.

To enable Allow non SCV Clients in the global parameters:

On the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., edit the $FWDIR/conf/local.scv file.
In the SCVGlobalParams section, set the value of the allow_non_scv_clients parameter to true.
Install the Desktop Policy.
The change occurs when a client connects.

Disconnect When Not Verified

This feature lets you disconnect the client if it becomes non-compliant while connected to the VPN.

On the Security Management Server, edit the $FWDIR/conf/local.scv file.
In the SCVGlobalParams section, set the value of the disconnect_when_not_verified parameter:
- true - A connected, non-compliant client is automatically disconnected from the VPN. A notification is shown to the user.
- false - A connected, non-compliant client stays connected to the VPN. This is default.

Not Verified Script

This feature lets you configure script-running if a client becomes non-compliant.

If you can run scripts on non-compliant clients, you can use them to send remediations.

For example, you can run a script that install an Anti-Virus, or a script that opens an HTML page with a link to the remediation.

Edit the $FWDIR/conf/local.scv file on the Security Management Server.
In the SCVGlobalParams section, find the not_verified_script.
In the value, put the name of the script.
- You must supply the script to the client computers.
- If necessary, you must make sure it is in the search path.
Set the value of the not_verified_script_run_show parameter:
- true - The user will see the script running.
- false - The script run will be hidden (default).
Set the value of the not_verified_script_run_admin parameter:
- true - The script will run under the Remote Access Clients Service account with administrator permissions, even if the user does not have these permissions.
- false - The script will run under the local user account permissions (default). If administrator permissions are necessary, the script will fail.
Set the value of the not_verified_script_run_always parameter:
- true - The script runs every time the client becomes non-compliant.
- false - The script runs the first time that the client becomes non-compliant. (default)

SCV Intervals

This feature lets you change the default interval after which the SCV checks run. By default, the interval is 20 seconds, so checks run at 20 second intervals.

To change the interval in the global parameters:

On the Security Management Server, edit the $FWDIR/conf/local.scv file.
In the SCVGlobalParams section, set the value of the scv_checks_interval parameter to a desired number of seconds.

If you set the value to 0 or enter an invalid value, such as a letter, the interval will be the default 20 seconds.
Install the Desktop Policy.

The change takes effect when a client connects.

Configuring SCV Exceptions

Configure exceptions for hosts that can be accessed using selected services even if the client is not compliant.

You can allow a connection even if the client is non-compliant. For example, the client has to download the latest update or Anti-Virus version required by the SCV check.

To make exceptions for non-compliant remote clients:

Select the Apply Secure Configuration Verification on Simplified mode Firewall Policies option.
Click the Exceptions button.

The Secure Configuration Verification Exceptions window opens.
Click Add.
Double-click None.
Add the Hosts from the encryption domain you want to exclude from the SCV check and the specific services to communicate with them.
Click OK.
Install policy.

The Skip firewall enforcement option lets you allow gateway connections from clients that do not have a firewall enforced, such as Check Point Mobile for Windows. By default, this option is disabled so that firewall enforcement is required as part of the SCV check.

Notes -

This parameter is not related to the NetworkFirewallRequired parameter in the Window Security Monitor check.

Endpoint Security VPN ignores the parameter skip_firewall_enforcement_check. It always checks for firewall enforcement.

To enable Skip firewall enforcement in the global parameters:

On the Security Management Server, edit the $FWDIR/conf/local.scv file.
In the SCVGlobalParams section, set the value of the skip_firewall_enforcement_check parameter to true.
Install the Desktop Policy.

The change takes effect when a client connects.

Finding Exact Product Names

You can include lists of products in the WindowsSecurityMonitor check for these parameters:

NetworkFirewallInstalledPrograms
VirusProtectionInstalledPrograms
SpywareProtectionInstalledPrograms

You must write the names of the products the same as they are shown in the Windows Management Instrumentation Tester tool. The product only shows if it is installed on that computer.

To find names in the Windows Management Instrumentation Tester tool:

Open the command prompt as an administrator and enter wbemtest.

The Windows Management Instrumentation Tester opens.
Click Connect.
In the Namespace field, enter root\SecurityCenter and click Connect.

In Windows 7 some of the products are registered in root\SecurityCenter2.
Click Enum Instances.
In the Class Info Window, enter the class of product without spaces:
- AntiVirusProduct
- FirewallProduct
Double click an instance that shows in the Query Results.
In the Object editor window, scroll down to the displayName property. Copy the name listed and use that in the parameters of the check.

Troubleshooting SCV

"file is corrupt"

Symptom	Client shows an error message: `Compliance Policy file is corrupt. Please contact your system administrator.`
Scenario	An SCV check defined in the SCVPolicy section is not defined in the local.scv policy, SCVNames section.
Solution	Make sure that the SCVNames section includes all the checks that are to be run on clients.

"unsupported format"

Symptom

Client shows an error message: Compliance Policy is in an supported format

Scenario

Can be one of these issues:

There is no SCVObject section in the local.scv policy file.
An SCV plug-in configured in the local.scv policy file does not exist on the client computer, or it has a functionality issue.
The SCV Check type as defined in the local.scv policy is not a plug-in.
The local.scv policy context has an incorrect format.
The local.scv file was edited on an operating system that is different than the Security GatewaySecurity Gateway operating system and the file was saved in an encoding that the Security Gateway cannot read.

Solution

See the SCV section in this Administration Guide and follow the instructions to edit and maintain the local.scv file.

"policy is not updated"

Symptom	Client shows an error message: `Compliance policy is corrupt. Please connect again to update the policy.`
Scenario	The policy enforced on the client computer is not updated with the latest security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. defined on the Security Gateway.
Solution	Connect the client computer again to the Security Gateway. The client pulls the latest security policy when it connects to the Security Gateway.