Happy to share some major new functionality for the Harmony Linux client
Check Point Harmony Endpoint Security Client 1.15.7 for Linux is now available as GA (General Availability). This release includes both enhancements and resolved issues.
Enhancements
Enhancements included in this release include the following:
- New Distributions / Kernel Support
- Support for additional versions of Red Hat Enterprise Linux (RHEL): 8.9 and 9.3. Current RHEL support covers 7.8-8.9, 9.0-9.3
- Support for new Linux distribution: Alma Linux. We are initially supporting versions 8.9,9.0-9.3
- Existing Ubuntu support has been expanded to include support of Kernel version 6.2
The full list of supported Linux distributions and versions can be found at sk170198
- Anti-Ransomware Support - Prevent
Anti-Ransomware (AR) support and corresponding blade was previously operational only in ‘Detect Mode’ and any detections were logged only. With this release, “Prevent Mode” can be enabled in the policy settings
Note that for Linux AR blade, exceptions should be defined as Legacy Exceptions and is not yet supported as part of the “Smart Exclusions” capability
- Anti-Malware Enhancements
There are multiple security enhancements in this release including the following:
- Enable reputation verification of files when performing an on-demand scan
- On-demand Anti-Malware scanning of archives
- Other Enhancements
- BG signature support enhancements. Additional detections that can be included in behavioral signatures
- Upgrade to libcurl 8.5.0 to resolve CVE-2023-38545
- Installation: Universal / Offline Package
There are major enhancements related to the installation procedures. There are some terms that are important to understand the full context of the enhancements:
- Universal Package: Harmony End Point Linux client supports multiple Linux distributions and versions. Previously there was a different package provided for each distribution. These different packages are now combined to one of two “Universal Packages”, depending on whether the underlying package manager is ‘.deb’ or ‘.rpm’ based
- Offline Package: There are two primary mechanisms for package installation; either using Software Deployment policies or leveraging the Export Package option. Exporting a package creates an “Offline Package” that can then be installed using third-party deployment software or manual methods
- Evergreen / “Latest”: When installing the Linux client there is an option to select a version called “latest”. Not only does this install the latest version, which in this case is 1.15.7, but also automatically upgrades client whenever a new Harmony End Point Linux version is available. When selecting “Latest” client requires internet connectivity to upgrade. This option should be confused with that for “1.15.7 (latest)” that installs 1.15.7 with no automatic upgrade
The following installation related enhancements are included in this release
- Full Offline package support. An offline package can be created with all Linux client related functionality included. Previously, only Anti-Malware functionality could be exported to a package. Note, that when functionality in addition to Anit-Malware is exported on disconnected machines, kernel headers need to be pre-installed by the admin
- Universal package. The Universal package is now used for Linux software distribution. Note that UI packages are still listed per distribution. This is to provide upgrade path from previous release.
- From release 1.15.7 and onwards will be able to select the specific release for installation in both the Software Deployment Policy and the exported package
If you have currently installed “Evergreen” / “Latest” version with automated updates, you can switch to non-automated upgrades by uninstalling the client and then installing the 1.15.7 version. We will provide further guidance on this subject prior to the release of the next Linux client version
If you are running with on-premises management, you will need a fix on the management to enable the export package capability. Please reach out to me directly if such a fix is needed. You may need to upgrade to latest version of R81.20 JHF first
There are some caveats on the Offline universal package, as follows:
- Alma Linux is not listed as a specific distribution, but any RHEL/CentOS package can be used for it since they use the same Universal Package
- AR is not yet listed as part of blade selection UI for export/deployment policy. As a result:
- For new installations AR will be enabled by default.
- For upgrade scenarios AR needs to be enabled manually in the policy following the upgrade
- AM: In order to download AM signature updates, the client is required to have access to TEADV server according to sk https://support.checkpoint.com/results/sk/sk116590. We are working to publish the procedure for offline signature updates
Additional Resolved Issues
Issues resolved in this release include the following:
- [AHTP-29389] install ca certificates in sandbox
- [AHTP-29574] Fix syscall handlers
- [AHTP-29697] ensure cpp crashdumps created outside sandbox. Provides for improved debugging
- [AHTP-29915] fix reputation policy parsing
- [AHTP-29678] don't unsubscribe from fanotify dirs added by others
- [AHTP-29679] cpla ar - wrong blade name in help 'detections'
Please see sk170198 for more comprehensive details of Harmony Endpoint for Linux including release history and supported distributions
This a major new release with extensive functionality and are happy to share these details. However, please feel free to reach out to me directly for any further information or clarifications
Regards
Jonny Rabinowitz | Harmony Endpoint Product Manager
Check Point Software Technologies Ltd. | M +972.54.4970073 | jonnyr@checkpoint.com