Secure Configuration Verification - Advanced

Advanced SCV Policy

Additional SCV Checks

The default SCV checks (plug-ins) are part of the Endpoint Security VPN and Check Point Mobile for Windows installation:

  • OS Monitor - Verifies Operating System version, Service Pack, and Screen Saver configuration (activation time, password protection, etc.).

  • HotFix Monitor - Verifies that operating system security patches are installed, or not installed.

  • Group Monitor - Verifies that the user logged into the operating system and is a member of specified Domain User Groups.

  • Process Monitor - Verifies that a process is running, or not running, on the endpoint computer (for example, that a file sharing application is not running, or that an Anti-Virus is running).

  • Browser Monitor - Verifies Internet Explorer version and configuration settings, such as Java and ActiveX options.

  • Registry Monitor - Verifies System Registry keys, values, and their contents.

  • Anti-Virus Monitor - Verifies that an Anti-Virus is running and checks its version. Supported: Norton, Trend Office Scan, and McAfee.

  • SCVMonitor - Verifies the version of the SCV product, specifically the versions of the SCV DLLs installed on the client's machine.

  • HWMonitor - Verifies CPU type, family, and model.

  • ScriptRun - Runs a specified executable on the client machine and checks the return code of the executable. For example, a script can check if a certain file is present on the client machine. It can perform additional configuration checks that you choose.

  • Windows Security Monitor - Verifies that components monitored by Windows Security Center are installed and enforced (for example, that an Anti-Virus is installed and running). You can define which components you want to check.

SCV Checks for macOS Endpoint Computers

Starting from the standalone Remote Access VPN Client version E88.40, you can configure SCV checks for macOS endpoint computers in the local.scv configuration file on the Management Server. The file syntax and functionality of an SCV check are the same for Windows and macOS. These sections of the file are relevant for macOS endpoint computers:

  • :SCVPolicyMac

  • :SCVNamesMac

  • :SCVGlobalParams (relevant for Windows and macOS)

To apply the SCV check on the macOS endpoint computer, you must change the value of a registry parameter.

Third Party SCV Checks

SCV checks can be written by third party vendors using Check Point's OPSEC SCV SDK.

Allowing Clients without SCV

The Allow non SCV clients option lets you allow Security Gateway connections from clients that do not have SCV, such as SecuRemote. The setting does not take effect if the endpoint client does have SCV. Therefore, if this option is configured, the Security Gateway still requires SCV compliance from Check Point Mobile for Windows or Endpoint Security VPN before they can access resources behind the Security Gateway. By default, this option is disabled.

To enable Allow non SCV Clients in the global parameters:

  1. On the Security Management Server, edit the $FWDIR/conf/local.scv file.

  2. In the SCVGlobalParams section, set the value of the allow_non_scv_clients parameter to true.

  3. Install the Desktop Policy.

    The change takes effect when a client connects.

Disconnect When Not Verified

This feature lets you disconnect the client if it becomes non-compliant while connected to the VPN.

  1. On the Security Management Server, edit the $FWDIR/conf/local.scv file.

  2. In the SCVGlobalParams section, set the value of the disconnect_when_not_verified parameter:

    • true - A connected, non-compliant client is automatically disconnected from the VPN. A notification is shown to the user.

    • false - A connected, non-compliant client stays connected to the VPN. This is default.

Not Verified Script

This feature lets you configure script-running if a client becomes non-compliant.

Scripts that run on non-compliant clients can deliver remediation. For example, a script can install an Anti-Virus, or open an HTML page with a link to the remediation.

  1. Edit the $FWDIR/conf/local.scv file on the Security Management Server.

  2. In the SCVGlobalParams section, find the not_verified_script.

  3. In the value, put the name of the script.

    • You must supply the script to the client computers.

    • Make sure the client can find the script in its search path.

  4. Set the value of the not_verified_script_run_show parameter:

    • true - The user will see the script running.

    • false - The script run will be hidden (default).

  5. Set the value of the not_verified_script_run_admin parameter:

    • true - The script runs under the Remote Access Clients Service account with administrator permissions, even if the user does not have these permissions. Because the script then runs with elevated permissions, make sure the script file and its directory are not writable by standard users; otherwise a local user could replace the script and run arbitrary code with those permissions.

    • false - The script runs under the local user account permissions (default). If administrator permissions are necessary, the script fails.

  6. Set the value of the not_verified_script_run_always parameter:

    • true - The script runs every time the client becomes non-compliant.

    • false - The script runs the first time that the client becomes non-compliant. (default)

SCV Intervals

This feature lets you change the interval at which the SCV checks run on the client. By default, the checks run every 20 seconds.

To change the interval in the global parameters:

  1. On the Security Management Server, edit the $FWDIR/conf/local.scv file.

  2. In the SCVGlobalParams section, set the value of the scv_checks_interval parameter to a desired number of seconds.

    If you set the value to 0 or enter an invalid value, such as a letter, the interval will be the default 20 seconds.

  3. Install the Desktop Policy.

    The change takes effect when a client connects.

Configuring SCV Exceptions

Configure exceptions for hosts that non-compliant clients can still reach, restricted to selected services.

This lets a connection through even though the client is non-compliant. For example, a non-compliant client may need to reach an update server to download the latest update or Anti-Virus version that the SCV check requires.

To make exceptions for non-compliant remote clients:

  1. Select the Apply Secure Configuration Verification on Simplified mode Firewall Policies option.

  2. Click the Exceptions button.

    The Secure Configuration Verification Exceptions window opens.

  3. Click Add.

  4. Double-click None.

  5. Add the hosts from the encryption domain that you want to exclude from the SCV check, and the specific services that clients can use to reach them.

  6. Click OK.

  7. Install policy.

The Skip firewall enforcement option lets you allow gateway connections from clients that do not have a firewall enforced, such as Check Point Mobile for Windows. By default, this option is disabled so that firewall enforcement is required as part of the SCV check.

Notes -

This parameter is not related to the NetworkFirewallRequired parameter in the Windows Security Monitor check.

Endpoint Security VPN ignores the parameter skip_firewall_enforcement_check. It always checks for firewall enforcement.

To enable Skip firewall enforcement in the global parameters:

  1. On the Security Management Server, edit the $FWDIR/conf/local.scv file.

  2. In the SCVGlobalParams section, set the value of the skip_firewall_enforcement_check parameter to true.

  3. Install the Desktop Policy.

    The change takes effect when a client connects.

Finding Exact Product Names

You can include lists of products in the WindowsSecurityMonitor check for these parameters:

  • NetworkFirewallInstalledPrograms

  • VirusProtectionInstalledPrograms

  • SpywareProtectionInstalledPrograms

You must write the product names exactly as they are shown in the Windows Management Instrumentation Tester tool. A product appears in the tool only if it is installed on that computer.

To find names in the Windows Management Instrumentation Tester tool:

  1. Open the command prompt as an administrator and enter wbemtest.

    The Windows Management Instrumentation Tester opens.

  2. Click Connect.

  3. In the Namespace field, enter root\SecurityCenter and click Connect.

    In Windows 7 and later, some of the products are registered in root\SecurityCenter2.

  4. Click Enum Instances.

  5. In the Class Info Window, enter the class of product without spaces:

    • AntiVirusProduct

    • FirewallProduct

  6. Double-click an instance that shows in the Query Results.

  7. In the Object editor window, scroll down to the displayName property. Copy the name listed and use that in the parameters of the check.

Troubleshooting SCV

"file is corrupt"

Symptom

Client shows an error message: Compliance Policy file is corrupt. Please contact your system administrator.

Scenario

An SCV check that is referenced in the SCVPolicy section of the local.scv policy is not defined in the SCVNames section.

Solution

Make sure that the SCVNames section includes all the checks that are to be run on clients.

"unsupported format"

Symptom

Client shows an error message: Compliance Policy is in an unsupported format

Scenario

Can be one of these issues:

  • There is no SCVObject section in the local.scv policy file.

  • An SCV plug-in configured in the local.scv policy file does not exist on the client computer, or it has a functionality issue.

  • The SCV Check type as defined in the local.scv policy is not a plug-in.

  • The local.scv policy content has an incorrect format.

  • The local.scv file was edited on an operating system different from the Security Gateway operating system, and the file was saved in an encoding that the Security Gateway cannot read.

Solution

See the SCV section in this Administration Guide and follow the instructions to edit and maintain the local.scv file.
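The local.scv edits described in the sections above (the SCVGlobalParams parameters, the 20-second fallback for scv_checks_interval, and the "file is corrupt" and "unsupported format" errors) can be checked before you install the Desktop Policy. The following Python script is an added example, not a Check Point tool: it parses the set-file syntax that local.scv uses and reports the SCVPolicy/SCVNames mismatch and a missing SCVObject section. The two sample files are constructed for this example; the check name ProcessMonitor, the process name fileshare.exe, the script name remediate.bat and the `:type (plugin)` attribute on each check are assumptions, not taken from this page.

```python
"""Parse and sanity-check a Check Point local.scv before installing policy.
Added example, not a Check Point tool. A group parses to (name, [(key, group), ...]);
a plain ':key (value)' pair yields the scalar group ("value", []). Samples are constructed."""
import re

_TOKEN = re.compile(r'\s*(?:(\()|(\))|:([^\s()":]*)|"([^"]*)"|([^\s()":]+))')
DEFAULT_INTERVAL = 20  # seconds; see the SCV Intervals section

def tokenize(text):
    pos, text = 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:  # e.g. an unterminated quote
            raise ValueError(f"bad token at offset {pos}")
        pos = m.end()
        if m.group(1) or m.group(2):
            yield (m.group(1) or m.group(2), None)
        elif m.group(3) is not None:
            yield (":", m.group(3))  # key is "" for the ': (...)' list-entry form
        else:
            yield ("word", m.group(5) if m.group(4) is None else m.group(4))

def _parse_group(tokens):
    """Consume a group after its '(' up to and including the matching ')'."""
    name, items, tok = None, [], next(tokens, None)
    if tok is not None and tok[0] == "word":
        name, tok = tok[1], next(tokens, None)
    while tok is not None and tok[0] != ")":
        if tok[0] != ":" or next(tokens, None) != ("(", None):
            raise ValueError(f"expected ':key (' or ')', got {tok}")
        items.append((tok[1], _parse_group(tokens)))
        tok = next(tokens, None)
    if tok is None:
        raise ValueError("unbalanced parentheses")
    return (name, items)

def parse_scv(text):
    tokens = tokenize(text)
    if next(tokens, None) != ("(", None):
        raise ValueError("local.scv must start with a '(' group")
    return _parse_group(tokens)

def get(group, key):          # the group inside ':key (...)', or None
    return next((v for k, v in group[1] if k == key), None)
def entries(group):           # unnamed ': (...)' entries (SCVNames, SCVPolicy)
    return [v for k, v in group[1] if k == ""]
def scalar(group):            # the word of a plain ':key (value)' pair, or None
    return group[0] if not group[1] else None

def global_param(root, key):
    value = get(get(root, "SCVGlobalParams") or (None, []), key)
    return scalar(value) if value else None

def effective_interval(root):
    """scv_checks_interval as the client applies it: 0 or non-numeric -> 20."""
    try:
        value = int(global_param(root, "scv_checks_interval"))
    except (TypeError, ValueError):
        return DEFAULT_INTERVAL
    return value if value > 0 else DEFAULT_INTERVAL

def validate(root):
    """List the mistakes that surface as the client-side errors described above."""
    if root[0] != "SCVObject":
        return ["no SCVObject section (client: 'unsupported format')"]
    names = entries(get(root, "SCVNames") or (None, []))
    policy = entries(get(root, "SCVPolicy") or (None, []))
    defined = {n for n, _ in names}
    problems = [f"SCVPolicy runs '{c}' but SCVNames does not define it "
                "(client: 'file is corrupt')" for c, _ in policy if c not in defined]
    for check in names:
        kind = get(check, "type")
        if kind is None or scalar(kind) != "plugin":
            problems.append(f"'{check[0]}' is not declared ':type (plugin)'")
    return problems

# Constructed sample: one Process Monitor check enforced, global parameters from this page.
SAMPLE_OK = """(SCVObject
    :SCVNames (
        : (ProcessMonitor
            :type (plugin)
            :parameters (:fileshare.exe (false))
        )
    )
    :SCVPolicy (: (ProcessMonitor))
    :SCVGlobalParams (
        :allow_non_scv_clients (false)
        :disconnect_when_not_verified (true)
        :not_verified_script ("remediate.bat")
        :not_verified_script_run_admin (false)
        :scv_checks_interval (60)
        :skip_firewall_enforcement_check (false)
    )
)"""
# Same file with two mistakes: SCVPolicy names a check SCVNames lacks, and the
# interval is not a number, so the client falls back to the 20-second default.
SAMPLE_BROKEN = SAMPLE_OK.replace("(: (ProcessMonitor))", "(: (BrowserMonitor))") \
                         .replace("(60)", "(abc)")
```

To check a real file, call `validate(parse_scv(open(path).read()))` on a copy of $FWDIR/conf/local.scv; a non-empty list means a client will reject the policy with one of the errors described above, and `effective_interval` shows the interval the client will actually use.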

"policy is not updated"

Symptom

Client shows an error message: Compliance policy is corrupt. Please connect again to update the policy.

Scenario

The policy enforced on the client computer is not updated with the latest security policy defined on the Security Gateway.

Solution

Connect the client computer again to the Security Gateway. The client pulls the latest security policy when it connects to the Security Gateway.