topic Re: Software tracking on harmony endpoint client in Endpoint

Software tracking on harmony endpoint client

the_rock — Fri, 21 Oct 2022 16:50:27 GMT

Hey guys,

I dont work much on harmony endpoint, so figured would post customer's question here to see if anyone knows. We opened TAC case, but still waiting for response. I looked myself everywhere on the portal options and through policy, but could not find anything that would cover the request.

Question:

****************************

Does Check Point have the ability to track the software installed on our endpoints?

We're looking at having a list of allowed software, and then to have alerting set up when an endpoint is in violation of the allowed software policy.

Can you also generate a daily/periodic report on newly installed software? I don't know if this is feasible and/or if a list like this would be extremely large, but we would like to see if something like that is possible, to see if either a user or a malicious actor is installing software on any of our endpoints.

******************************

Any insight is greatly appreciated!!

Re: Software tracking on harmony endpoint client

skandshus — Fri, 21 Oct 2022 19:31:40 GMT

They do not unfortunately.. their Endpoint solution leaves a LOT to be desired 🙂

Re: Software tracking on harmony endpoint client

the_rock — Fri, 21 Oct 2022 20:13:49 GMT

I sort of figured, but lets wait for an official TAC answer : - )

Re: Software tracking on harmony endpoint client

Chris_Atkinson — Sat, 22 Oct 2022 00:28:27 GMT

The questions are more probably something for your SE.

Have a look at the Appscan tool / Application Control for app whitelisting it should yield some more useful hits in terms of SK articles etc.

Re: Software tracking on harmony endpoint client

Swiftyyyy — Sat, 22 Oct 2022 09:07:00 GMT

I suppose a 6 month time investment into fiddling with the Compliance blade might do the trick, but it'd be much nicer to have things done in the same sort of way Harmony Mobile does.
Just a nice list of applications and their versions.

This is a feature one of our potential customers missed when doing a POC, so I'd love to see it.
In general I feel like Harmony Endpoint isn't getting as much love as it should and it somewhat falling behind in terms of visibility the admin gets.
Threat Hunting is great, don't get me wrong, but it's Cloud exclusive and not all that practical for the more "general" overview. As the name says; it's "Threat" hunting, not "Inventory" hunting.

That said, pratically all the information is already being captured, it just needs to be placed in a usable UI or heck.. even just an export button for a CSV file with options like "Processes which ran on this system".

You can definitely produce such a list by extracting the data directly from the SQLite database on the Endpoint itself, though that's not really scalable (and supposedly it's possible to pipe data into an ELK stack the same way you would to Threat Hunting, though documentation regarding that of course doesn't exist)

Re: Software tracking on harmony endpoint client

the_rock — Sat, 22 Oct 2022 13:02:20 GMT

Thanks for your response, its very useful! I agree about threat hunting, but as you said, its not inventory hunting : ).