Performing Push Operations

Push operations are operations that the server pushes directly to client computers with no policy installation required.

Note - If there is no response from the Endpoint Security client, the Push Operation will time out after 24 hours. You must reinitiate the Push Operation.

00:00: The Run Diagnostics push operation allows you to collect CPU and RAM usage information of an endpoint for your analysis. 00:09: Log in to the Infinity Portal, access Harmony Endpoint and click Asset Management. 00:15: Expand Organization and select computers. 00:19: Right click the endpoint for which you want to perform the Run Diagnostics push operation, select diagnostics, and then click Run Diagnostics. Note that the Run Diagnostics push operation can be executed only on one endpoint at a time. 00:34: To view the status of the operation, click push operation and view the status column. When the status is complete, click View Report. 00:42: The report shows a graphical representation of the CPU and RAM usage of the endpoint. 00:48: Thank you for watching the video.

To add a Push Operation:

  1. Go to the Push Operation view and click Add.

  2. Select the push operation and click Next.

    Category

    Push Operations

    Windows

    macOS

    Linux

    Anti-Malware

    Scan for Malware

    Yes

    Yes

    Yes

    Update Malware Signature Database

    Yes

    Yes

    Yes

    Restore Files from Quarantine

    Yes

    Yes

    Yes

    Forensics and Remediation

    Analyze by Indicator

    Yes

    Yes

    No

    File Remediation

    Yes

    Yes

    Yes

    Isolate Computer

    Yes

    Yes

    No

    Release Computer

    Yes

    Yes

    No

    Agent Settings

     

     

    Deploy New Endpoints

    Yes

    No

    No

    Collect Client Logs

    Yes

    Yes

    No

    Repair Client

    Yes

    No

    No

    Shutdown Computer

    Yes

    Yes

    No

    Restart Computer

    Yes

    Yes

    No

    Uninstall Client

    Yes

    Yes

    No

    Application Scan

    Yes

    Yes

    No

    Kill Process

    Yes

    Yes

    No

    Remote Command

    Yes

    Yes

    Yes

    Registry Actions

    Yes

    No

    No

    File Actions

    Yes

    Yes

    No

    VPN Site

    Yes

    Yes

    No

    Collect Processes

    Yes

    No

    No

    Run Diagnostics

    Yes

    Yes

    No

  3. Select the devices on which you want to perform the push operation.

    Note - You can perform Run Diagnostics on only one device at a time.

  4. Click Next.

  5. Configure the operation settings.

    6. Push Operations

    Description

    Scan for Malware

    Runs an Anti-Malware scan on the computer or computers, based on the configured settings.

    Update Malware Signature Database

    Updates malware signatures on the computer or computers, based on the configured settings.

    Restore Files from Quarantine

    Restores files from quarantine on the computer or computers, based on the configured settings.

    To restore files from quarantine:

    1. In the Full Path field, enter the path to file before it was quarantined including the file name. For example, c:\temp\eicar.txt

    2. Click OK.

    Push Operations

    Description

    Analyze by Indicator

    Manually triggers collection of forensics data for an endpoint device that accesses or executes the indicator. The indicator can be a URL, an IP, a path, a file name or an MD5.

    File Remediation

    Quarantines malicious files and remediates them as necessary.

    To move or restore files from quarantine:

    1. Click and select the organization.

    2. Click Update Selection.

    3. Select the device and click Next.

    4. Add Comment, optional comment about the action.

    5. To move the files to quarantine, select Move the following files to quarantine.

    6. To restore the files from quarantine, select Restore the following files to quarantine.

    7. Click .

    8. From the drop-down:

      1. Select Full file path or Incident ID:

        1. In the Element field, enter the incident ID from the Harmony Endpoint Security client or enter the incident UID for the corresponding incident from the Logs menu in the Harmony Endpoint portal. To obtain the incident UID, open the log entry and expand the More section to view the incident UID.

        2. Click OK

      2. Select MD5 Hash:

        1. Enter or upload the Element.

        2. Click OK.

    9. Click Finish.

    Isolate Computer

    Makes it possible to isolate a specific device that is under malware attack and poses a risk of propagation. This action can be applied on one or more devices. The Firewall component must be installed on the client in order to perform isolation. Only DHCP, DNS and traffic to the management server are allowed.

    Release Computer

    Removes device from isolation. This action can be applied on one or more devices.

    Push Operations

    Description

    2FA Required

    Deploy New Endpoints

    Installs the Initial Client on the target devices remotely using any device as the medium to run the push operation. This is suitable if do not have third party tools such as Microsoft System Center Configuration Manager (SCCM) or Intune to install the client.

    Field

    Description

    Comment

    Optional comment about the action.

    Select the deployment endpoint

    Select the target endpoint or device where you want to install the Initial Client from the organizational tree.

    Caution - The target device must not be the same as the source device.

    Endpoint version

    Select the Harmony Endpoint Security Client version to install on the target device.
    		No

    Collect Client Logs

    Collects CPInfo logs from an endpoint based on the configured settings.

    • For Windows:

      • For Endpoint Security Client versions E88.31 and higher, client logs are stored in the directory C:\ProgramData\CheckPoint\Endpoint Security\Temp.

      • For Endpoint Security Client versions E88.30 and lower, client logs are stored in the directory C:\Windows\SysWOW64\config\systemprofile\CPInfo.

    • For macOS, client logs are stored in the directory /Users/Shared/cplogs.

    Field

    Description

    Comment

    Optional comment about the action.

    Log set to collect

    Select the scope of information for the logs.

    Debug Info upload

    Select the location to upload the logs:

    • Upload CPInfo reports to Check Point servers

    • Upload CPInfo reports to Corporate server - Update the relevant corporate server information.
    		No

    Repair Client

    Repairs the Endpoint Security client installation. This requires a computer restart.

    Note - This push operation applies only to Harmony Endpoint Security clients that have been upgraded to a newer version at least once after the installation.
    		No

    Shutdown Computer

    Shuts down the computer or computers based on the configured settings.

    		 No

    Restart Computer

    Restarts the computer or computers based on the configured settings.

    		 No

    Uninstall Client

    Uninstalls the Endpoint Security client remotely on the selected devices. This feature is supported for E84.30 client and above.

    		 Yes

    Application Scan

    Collects all available applications in a certain folder on a set of devices and then adds them to the application repository of the "Application Control" blade on that specific tenant.

    		 No

    Kill Process

    Remotely kills/ terminate the processes.

    		 No

    Remote Command

    • Allows administrators to run both signed (introduced by CP) and unsigned (ones the customer creates) scripts on the Endpoint Client devices.

    • Especially useful in a non-AD environment.

    • Supplies tools/fixes to customers without the need to create new EP client/server versions.

    • Saves passwords securely when provided.

    The Remote Command feature is supported only in Windows clients running version E85.30 and above
    		Yes

    Search and Fetch files

    Searches and uploads files to a server.

     

    Supported fields are:

    Field

    Description

    Comment

    Optional comment about the action.

    Search and Fetch files

    Locate the following files in the specific folders

    Searches for the files in the specified folders.

    1. In the File table, click .

    2. Enter the file name. For example, test.txt or test.zip and click OK.

    3. Repeat the steps 1 and 2 for additional files.

    4. In the Folder Path table, click

    5. Enter the path and click OK.

    6. Repeat the steps 4 and 5 for additional paths.

    Locate the following files by exact path

    Searches for the files in the specified path.

    1. In the File table, click .

    2. Enter the path where you ant to search for the file and click OK.

    3. Repeat the steps for additional paths.

    Files upload

    Select the Upload files to

    		 Select the checkbox to upload the files to a server.

    Corporate Server Info

    1. Specify these:

      1. Protocol

      2. Server address

      3. Path on server

      4. Server fingerprint

    2. If the server requires login to access it, select the Use specific credentials to upload checkbox, and enter Login and Password.

    Yes

    Registry Actions

    Add or remove a registry key.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action.

    • Add Key to Registry

    • Remove Key From Registry

      Caution - Removing a registry might impact the endpoint's operating system.

    Add Key to Registry

    Key

    Full path where you want to add the registry key.

    For example, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Endpoint Analysis

    Subkey

    Enter the key name to add in the registry. For example, ProductVersion.

    Value Type

    Select the registry type.

    Value

    Enter the registry value.

    Is redirected

    Indicates that virtualization is enabled and add the registry to 32-bit. By default, the registry is added for 64-bit.

    Remove Key From Registry

    Key

    Full path of registry key that you want to delete.

    For example, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Endpoint Analysis

    Caution - Removing a registry might impact the endpoint's operating system.

    Subkey

    Enter the key name to remove from the registry. For example, ProductVersion.

    Is redirected

    Indicates that virtualization is enabled and delete the registry in 32-bit. By default, the registry is deleted for 64-bit.

    To change the working hours to allow the Anti-Malware signature updates on a DHS compliant Endpoint Security client, see sk180559.

    No

    File Actions

    Copy, move or delete the file or folder.

    Supported fields:

    Note - The folder actions are supported only with the Endpoint Security Client version 87.20 and higher.

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action.

    • Copy File

    • Move File

    • Delete File

      Caution - Deleting a file might impact Harmony Endpoint's protected files.

    Copy File

    File path

    Full path of the file or folder you want to copy, including the file or folder name.

    Example:

    • For File - C:\Users\<user_name>\Desktop\test.doc

    • For Folder - C:\Users\Username\Desktop\

    Target file path

    Full path where you want to paste the file or folder.

    Example:

    • For File - C:\Users\<user_name>\Documents

    • For Folder - C:\Users\Username2\

    Notes:

    • The file or folder name you specify is used to rename the copied file.

    • If you provide the folder path only, the file is copied with the original file name.

    • If the file or folder already exists, the file is not overwritten and the operation fails.

    • If the file path or target folder does not exist, it is created during the operation.

    Move File

    File path

    Full path of the file or folder you want to move, including the file or folder name.

    Example:

    • For File - C:\Users\<user_name>\Desktop\test.doc

    • For Folder - C:\Users\Username>\Desktop\

     

    Target file path

    Path where you want to move the file or folder.

    Example:

    • For File - C:\Users\<user_name>\Documents

    • For Folder - C:\Users\Username1\Documents\

    Notes:

    • If you provide the full file path, the is moved with the specified name.

    • If you provide the folder path only, the file is moved with the original file name.

    • If the file or folder already exists, the file or folder is not overwritten and the operation fails.

    • If the file path or target folder does not exist, it is created during the operation.

    Delete File

    File path

    Full path of the file you want to delete, including the file name.

    For example, C:\Users\<user_name>\Desktop\test.doc

    Caution - Deleting a file might impact Harmony Endpoint's protected files.

    Note - Delete folder action is not supported.

    No

    VPN Site

    Adds or removes a VPN site.

     

    Limitations:

    • This is not supported with Linux operating system.

    • You cannot create separate VPN sites for each user that access the endpoint. The same VPN site applies to all users.

    • SoftID and challenge-response authentication methods are not tested.

    • The system does not validate the entries (for example, Server Name or Fingerprint) that you specify.

    • Only one fingerprint operation is supported at a time.

    • You cannot add a new VPN site or remove a VPN site if a VPN site is already connected in the Harmony Endpoint client. Disconnect the VPN site before you add a new VPN site.

    • This operation is not supported if the firewall policy for the client is configured through the on-premise Security Gateway (Policy > Data Protection > Access & Compliance > Firewall > When using Remote Access, enforce Firewall Policy from is Remote Access Desktop Security Policy). To enable the operation on such a client:

      1. In the Security Gateway, change the parameter allow_disable_firewall to true in the $FWDIR/conf/trac_client_1.ttm file.

      2. Install the policy on the Security Gateway.

      3. Reboot the Harmony Endpoint client.

      4. Perform the push operation.

    Note - If the operation fails with timeout, see sk179798 for troubleshooting instructions.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Action

    Select an action:

    • Add VPN Site

    • Remove VPN Site

    Add VPN Site

    Server Name

    Enter the IP address or FQDN of the remote access gateway.

    Note - Ensure the endpoint can resolve the FQDN to the IP address of the gateway.

    Use Custom Display Name

    Select the checkbox if you want to change the display name of the server in the Harmony Endpoint client.

    Display Name

    Server name displayed in the Harmony Endpoint client. By default, it uses the Server Name.

    To change the display name ,elect the Use Custom Display Name checkbox and enter a display name.

    Use Custom Login Option

    Select the checkbox if you want to use a custom login option.

    Login Option

    Login option for the server. By default, Standard login option is selected.

    To use a custom login option, select Use Custom Login Option checkbox, and enter the login option. This must match the Display Name specified in the GW properties > VPN Clients > Authentication > Multiple Authentication Clients Settings in the SmartConsole. For example, SAML IDP.

    For the Standard login option, make sure that the Authentication Method is Defined on User Record (Legacy). Otherwise, Standard: does not need authentication method error appears.

    Authentication Method

    Select an authentication method.

    The options displayed depend on the Login Option.

    Authentication methods for the Standard login option:

    • username-password

    • certificate (for a certificate stored in the CAPI store)

    • p12-certificate

    • securityIDKeyFob

    • securityIDPinPad

    • SoftID (not tested)

    • challenge-response (not tested)

    Authentication methods for the custom login option:

    • Select certificate from hardware or software token (CAPI)

    • Use certificate from Public-Key Cryptographic Standard (PKCS #12) file

    • Other

    Note - Select the relevant certificate authentication method if your custom login uses a certificate. Otherwise, select Other.

    Fingerprint

    Enter the fingerprint key.

    To get the fingerprint from SmartConsole:

    1. In SmartConsole, in the right pane, under Object Categories, click Servers > Trusted CA > internal ca.

      The Certificate Authority Properties window appears.

    2. Click the Local Security Management tab.

    3. Under Certificate, click View.

      The Certificate Authority Certificate View window appears.

    4. Scroll down to SHA-1 Fingerprints. The fingerprint is on line number 2.

    To get the fingerprint from the device:

    1. Manually add the VPN site in the client. For more information, see Endpoint Security Clients User Guide.

    2. After you add and connect to the VPN site successfully, In Registry Editor, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn.

    3. It displays a folder with the display name of your VPN site.

    4. Double-click the folder.

    5. In the right pane, under Name, double-click -- Fingerprint--.

      The Edit String window appears.

    6. Copy the fingerprint key from the Value data field.

    7. Click Cancel to close the window.

    8. Paste the fingerprint key in the Fingerprint field.

    Remote Access Gateway Name

    Enter the remote access gateway name.

    To get the remote access gateway name from SmartConsole:

    1. In SmartConsole, go to Gateways and Servers.

    2. Double-click the gateway.

      The Check Point Gateway window appears.

    3. Double-click IPSec VPN.

    4. Under Repository of Certificates Available to the Gateway, in the table, expand the DN column. The value after CN= indicates the remote access gateway name.

    To get the remote access gateway name from the device:

    1. In Registry Editor, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn.

    2. It shows a folder with the display name of your VPN site. Copy the folder name and paste it in the Remote Access Gateway Name field.

    Remove VPN Site

    Display Name

    Enter the display name for the server.

    No

    Collect Processes

    Collects information about the process running on the endpoint.

     

    Supported fields:

    Field

    Description

    Comment

    Optional comment about the action.

    Collect all processes

    Collects information about all the processes running on the endpoint.

    Collect process by name

    Collects information about a specific process on the endpoint.

    Process name

    Enter the process name. Case-sensitive.

    Additional output fields

    Select the additional information you want to view in the collected information.

    No

    Run Diagnostics

    Runs diagnostics on an endpoint to collect this information:

    • Total CPU and RAM usage in the last 12 hours.

    • CPU usage by processes initiated in the last 12 hours. For example, the CPU used by Anti-Malware to scan files.

      You can review the CPU usage data to identify processes (scans) that consume CPU more than the specified threshold and exclude such processes from future scans.

      Note - This is supported with Endpoint Security client version E86.80 and higher.

      Warning - Only exclude a process if you are sure that the file is not malicious and is not vulnerable to cyber-attacks.

     

  6. Under User Notification:

    • To notify the user about the push operation, select the Inform user with notification checkbox.

    • To allow the user to post pone the push operation, select the Allow user to postpone operation checkbox.

  7. Under Scheduling:

    • To execute the push operation immediately, click Execute operation immediately.

    • To schedule the push operation, click Schedule operation for and click to select the date.

  8. Click Finish.

  9. View the results of the operations on each endpoint in the Endpoint List section (in the Push Operations menu) at the bottom part of the screen.