topic Re: Real World local.scv Example in SASE and Remote Access

Real World local.scv Example

Kevin_Orrison — Wed, 08 Apr 2020 22:10:13 GMT

As I am looking through the Remote Access Client admin guide and sk38702, I'm wondering if anyone is willing to share their local.scv files in production. The syntax isn't crazy easy to understand, but I'm most interested in the following if it's supported.

Checking if Windows 10 is >= 1903
Check if AV process is running - This looks supported
Check if client computer is joined to company domain

Re: Real World local.scv Example

PhoneBoy — Fri, 10 Apr 2020 23:20:34 GMT

Under OsMonitor, you'd need something like:

:major_os_version_number_10 (10)
:minor_os_version_number_10 (0)
:os_version_operand_10 ("==")

And yes, this should be in the documentation somewhere, but it's not.

AV is definitely supported, see example here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk38702

As for checking if domain-registered, this registry key seems to be the one to check for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain
However, you can also check for a specific registry entry that you add via GPO or similar.

Re: Real World local.scv Example

Kevin_Orrison — Mon, 13 Apr 2020 14:26:20 GMT

What does the minor version correspond to? Is there a way to reference the Windows 10 build? Like 1903 being 18362.753. Ultimately, it would be nice to do build >= 18362.753 is compliant and allowed to connect.

Re: Real World local.scv Example

PhoneBoy — Mon, 13 Apr 2020 14:40:02 GMT

Minor version in this case is most likely zero (as in Windows version 10.0).
Hotfix Monitor is probably what you want to use here, but not sure of the exact syntax.

Re: Real World local.scv Example

AndreiMe — Tue, 14 Apr 2020 12:52:09 GMT

Windows version information can be found in the registry on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Open this key in regedit and you'll see a lot of information.
Therefore, the check for version, build and whatever else can be done with RegMonitor.

Re: Real World local.scv Example

Kevin_Orrison — Tue, 14 Apr 2020 17:39:50 GMT

Thanks for all the input.

Re: Real World local.scv Example

Jean-Francois_G — Thu, 16 Apr 2020 17:51:38 GMT

Were you able to make this work im trying to do it and nothing seem to work

Im on Gaia R80.30 on both MGMT and Firewall

Thanks !

Re: Real World local.scv Example

Kevin_Orrison — Thu, 16 Apr 2020 18:44:02 GMT

No, I haven't got around to trying this yet.

Re: Real World local.scv Example

Jean-Francois_G — Thu, 16 Apr 2020 19:23:39 GMT

ok thanks

Re: Real World local.scv Example

AndreiMe — Fri, 17 Apr 2020 12:01:34 GMT

And here is an example of the Windows build check. Here we require Windows 10 version 1903 or newer:

		: (RegMonitor
			:type (plugin)
			:parameters (
				:begin_and (1)
					:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")
					:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseId>=1903")
				:end (and1)
				:begin_admin (admin)
					:send_log (alert)
					:mismatchmessage ("Windows 10 version 1903 or newer is required.")
				:end (admin)
			)
		)

As an alternative, you can compare CurrentMajorVersionNumber with 10. In this case, replace

:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")

with

:value ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentMajorVersionNumber=10")

Do not forget to include RegMonitor in SCVPolicy section:

	:SCVPolicy (
		: (RegMonitor)
	)

Save the local.scv file and install policy. If a separate gateway/management configuration is used, the local.scv file has to be configured on the management. I assume, you have SCV check turned on.

Re: Real World local.scv Example

AndreiMe — Fri, 17 Apr 2020 12:56:48 GMT

Refer to sk65267 for an example of how to check for the domain. In short, add a check to RegMonitor section, e.g.:

:string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=your_company_domain")

Here we check string value "Domain" in the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

Re: Real World local.scv Example

Jean-Francois_G — Fri, 17 Apr 2020 20:35:17 GMT

That's this part that was missing

Do not forget to include RegMonitor in SCVPolicy section:

	:SCVPolicy (
		: (RegMonitor)
	)

Thanks for your help !

Re: Real World local.scv Example

Ruan_Kotze — Sat, 18 Apr 2020 13:27:52 GMT

I was not even aware SCV was a thing in Checkpoint, always thought you needed the full endpoint security client to do stuff like domain checks. There's always something to learn:-)

Anyhow - this thread inspired me to build this up in my lab and test with just the Check Point Mobile client.

I got it working very nicely after a couple of false starts. I will post a full writeup on the forum also when I have a bit of time. In the meantime, here is my local.scv lab file (had to change extension otherwise I cannot upload to the forum) which checks for domain membership (lab domain is checkpoint.root).

These sources were very helpful:

sk65267
sk147416
https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Checking-with-Secure/m-p/57123#M1737

Re: Real World local.scv Example

PhoneBoy — Sun, 19 Apr 2020 02:53:17 GMT

SCV has been around since before Check Point offered a full Endpoint Security client.
While the Compliance checks in Endpoint Security are the preferred approach, SCV is still useful in cases where the full Endpoint client isn't needed.
Note that SCV is only applicable for Windows clients, it is not supported on Mac or on other platforms.

Re: Real World local.scv Example

Kevin_Orrison — Wed, 22 Apr 2020 13:35:18 GMT

It was my understanding that the full endpoint client still uses the local.scv file for its posture checks. Is this not the case? If so, how does the full endpoint client accomplish its posture checks?

Re: Real World local.scv Example

PhoneBoy — Wed, 22 Apr 2020 16:54:07 GMT

The full Endpoint client can use SCV, the configuration file for which is stored on the relevant gateway.
Compliance checks are configured in SmartEndpoint and stored on the Endpoint Management server.

Re: Real World local.scv Example

Jean-Francois_G — Wed, 22 Apr 2020 19:59:48 GMT

With the compliance check with the local.scv file or the SmartEndpoint server there is an option to check if a file exist. Ive create a dummy file and i would like to insert it in the MSI im giving to external user so they can install the VPN without knowing they need this file to connect to our server. How can i add this file to the EPS.MSI or the E82.50_CheckPointVPN.msi

Thanks for your help !

Re: Real World local.scv Example

PhoneBoy — Thu, 23 Apr 2020 17:39:57 GMT

An MSI is basically an archive.
Which means, you should be able to add a file to one of the folders that gets installed from the MSI.
Now whether that will actually work or not is a separate question.

There are better ways to check if the system is a trusted asset or not (e.g. registry checks).

Re: Real World local.scv Example

Jean-Francois_G — Thu, 23 Apr 2020 17:43:10 GMT

I know we can do this with registry too but it will still be the same thing i will need to add a registry key in the MSI because we have external user that are not part of the company that have VPN access to maintain some software. So i would prefer to keep the registry or file secret from them

Thanks !

Re: Real World local.scv Example

MrSaintz — Tue, 09 Feb 2021 19:37:29 GMT

This GPO check sounds cleverly neat to use, specially the tip on more specific registry entries we can makeup, thanks! TCPIP Parameter, sounds sneaky, as it's a dns suffix record that, non-domain devices can add it easily to cope with at not cost of the device regular functionality, no?