Custom Push operation (Remote Command)
Hi!
I've put together a short PowerShell script that adds additional Remote Access VPN sites to existing deployments through "update_config_tool.exe".
The script works fine when I push it to the Endpoint from Infinity Portal Endpoint management, but I can't seem to get it working when deploying through a custom operation with SmartEndpoint.
I followed How to execute PowerShell scripts on Harmony Endpoint client machines (checkpoint.com) but the push operations always get stuck on the "parameters" part & end up failing.
My script on Infinity Portal doesn't take any parameters or arguments, so how do I specify those fields as empty in the JSON?
Best regards
And I may as well bundle this question into the forum post while I'm at it.
How exactly do you perform Quarantine restorations as a Push Operation?
Which filepath do you enter into the parameters?
I usually end up instructing users to use the RemediationManagerUI since I can't get pushes working.
I wish I could give you a good answer here, but I'm not an endpoint guy myself; I know very basic stuff about it. If you can maybe post any screenshots/errors, we can try to assist more. Might be worth opening an official TAC case too.
Of course, here's what I got. First image is the output of a successful operation. The push was done on Infinity Portal with a "Remote Command" operation.
The second image is a Custom Push.
Here's the script I used, though I'm omitting the contents of the "trac.config" file to save space.
```powershell
# Stop the VPN client service so its config file can be swapped
Set-Service -Name TracSrvWrapper -StartupType disabled
Get-Service -Name TracSrvWrapper | Stop-Service
# Write the new trac.config (contents omitted in the post)
echo HereSitTheContentsOfTrac.Config | Out-File -FilePath c:\trac.config -Encoding default -NoNewline
attrib +A C:\trac.config
# Back up the current config, install the new one, then run update_config_tool.exe
cp "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.config" "C:\windows\temp\trac.config"
cp "C:\trac.config" "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.config"
cd "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\" ; .\update_config_tool.exe "C:\Windows\Temp\trac.config" "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect"
# Re-enable and start the service
Set-Service -Name TracSrvWrapper -StartupType automatic
Get-Service -Name TracSrvWrapper | Start-Service
```
And here's the JSON I pushed through SmartEndpoint.
```json
{
  "Description": "Remote command push",
  "Type": "powershellunsigned",
  "Arguments": "",
  "Parameters": "",
  "Command": "T3V0LVN0cmluZyAtSW5wd=="
}
```
The "Command" option was substituted with a base64 version of the script copied above, once again excluded to keep things down in size.
I got the base64 command by running the following. The operation was "type 109" as described by sk173414.
```powershell
# Read the script as raw bytes: Get-Content returns strings, which ToBase64String does not accept
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\users\user.directory\Downloads\trac.ps1"))
```
As far as restoring from quarantine goes, I performed the pushes through Infinity Portal, the file I was restoring was the EICAR test virus file, the original filepath of which was "C:\users\user.directory\Downloads\eicar.com".
I performed multiple restore operations using "C:\users\user.directory\Downloads\eicar.com" as the path, then just "eicar.com", and finally "C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\quarantine\b3c2adbc28791f0f.klq".
In all cases the result was a successful push operation, however the status was always "0 files restored, 0 still infected, 1 files not found."
I'm really not clear which file location I should be specifying here. I'll open a case with TAC in case we don't figure something out within the context of CheckMates, but I see quite a few forum posts asking vaguely the same sorts of questions regarding push operations; I think some more clarity in the documentation might be nice.
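As an added example, not code from the post above or from Check Point: a small PowerShell helper that builds the push JSON in the shape shown in the thread (empty "Arguments" and "Parameters", base64 in "Command") from a script file, and then decodes the Command field and hashes it so you can confirm exactly which script the endpoints will receive before pushing. It assumes the key names from the post and that Command carries the raw script bytes as base64; sk173414, cited in the thread, is the authority on the expected format.

```powershell
# Added example, not from the post or from Check Point: build the push JSON shown in
# the thread from a script file and verify the Command field before pushing it.
# Assumptions: the key names are those in the post above; the Command field carries
# the raw script bytes as base64 (sk173414, cited in the thread, governs the format).
function New-PushOperationJson {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $Description = "Remote command push"
    )
    # Get-Content yields strings, not bytes, so read the file as bytes explicitly.
    $bytes   = [System.IO.File]::ReadAllBytes($ScriptPath)
    $command = [System.Convert]::ToBase64String($bytes)
    # Empty strings say "no arguments / no parameters"; the keys stay present.
    $op = [ordered]@{
        Description = $Description
        Type        = "powershellunsigned"
        Arguments   = ""
        Parameters  = ""
        Command     = $command
    }
    return ($op | ConvertTo-Json)
}

function Test-PushOperationJson {
    param(
        [Parameter(Mandatory)] [string] $Json,
        [Parameter(Mandatory)] [string] $ScriptPath
    )
    $op = $Json | ConvertFrom-Json
    if ($op.Arguments -ne "" -or $op.Parameters -ne "") {
        throw "Arguments and Parameters must be empty strings for a script that takes none"
    }
    # Decode Command and compare its SHA-256 with the source file, so the exact
    # script the endpoints will run is known before the operation is pushed.
    $sha     = [System.Security.Cryptography.SHA256]::Create()
    $decoded = $sha.ComputeHash([System.Convert]::FromBase64String($op.Command))
    $source  = $sha.ComputeHash([System.IO.File]::ReadAllBytes($ScriptPath))
    if ([System.BitConverter]::ToString($decoded) -ne [System.BitConverter]::ToString($source)) {
        throw "Decoded Command does not match $ScriptPath"
    }
    return ([System.BitConverter]::ToString($source) -replace '-', '').ToLower()
}

# Usage with a constructed one-line sample script (the path is a placeholder).
$sample = Join-Path $env:TEMP 'trac-sample.ps1'
Set-Content -Path $sample -Value 'Get-Service -Name TracSrvWrapper' -Encoding ASCII
$json = New-PushOperationJson -ScriptPath $sample
$json
"SHA-256 of the script in Command: $(Test-PushOperationJson -Json $json -ScriptPath $sample)"
```

Keeping the returned hash alongside the change record gives you something to compare against when reviewing what was actually executed on the endpoints.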
Please open a Ticket/Case/SR with TAC (endpoint team in TAC) to work on these issues further. You will need to open two separate Tickets/Cases/SRs for the issues.
Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team