This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Swiftyyyy
Advisor
‎2021-12-30 06:51 AM

Custom Push operation (Remote Command)

Hi!
I've put together a short Powershell script that adds additional Remote Access VPN sites to existing deployments through "update_config_tool.exe".

The script works fine when I push it to the Endpoint from Infinity Portal Endpoint management, but I can't seem to get it working when deploying through a custom operation with SmartEndpoint.

I followed How to execute PowerShell scripts on Harmony Endpoint client machines (checkpoint.com) but the push operations always get stuck on the "parameters" part & end up failing.

My script on Infinity Portal doesn't take any parameters or arguments, how do I specify those fields as empty with json?

Best regards

 

0 Kudos
4 Replies
Swiftyyyy
Advisor
‎2021-12-31 12:48 AM

And I may as well bundle this question into the forum post while I'm at it.
How exactly do you perform Quarantine restorations as a Push Operation?
Which filepath do you enter into the parameters?

I usually end up instructing users to use the RemediationManagerUI since I can't get pushes working.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-12-31 10:10 AM
In response to Swiftyyyy

I wish I could give you a good answer here, but not an endpoint guy myself, I know very basic stuff abut it. If you can maybe post any screenshots/errors, we can try assist more. Might be worth opening official TAC case too.

Best,
Andy
0 Kudos
Swiftyyyy
Advisor
‎2022-01-01 09:24 AM
In response to the_rock

Of course, here's what I got. First image is the output of a successful operation. The push was done on Infinity Portal with a "Remote Command" operation.

workingTracPS.png

The second image is a Custom Push.

NotWorkingTrac.png

Here's the script I used, though I'm ommitting the contents of the "trac.config" file to save space.

Set-Service -Name TracSrvWrapper -StartupType disabled
Get-Service -Name TracSrvWrapper | Stop-Service

echo HereSitTheContentsOfTrac.Config | Out-File -FilePath c:\trac.config -Encoding default -NoNewline
attrib +A C:\trac.config

cp "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.config" "C:\windows\temp\trac.config"
cp "C:\trac.config" "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.config"

cd "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\" ; .\update_config_tool.exe "C:\Windows\Temp\trac.config" "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect"


Set-Service -Name TracSrvWrapper -StartupType automatic
Get-Service -Name TracSrvWrapper | Start-Service

 

And here's the JSON I pushed through SmartEndpoint.

{
    "Description": "Remote command push",
    "Type": "powershellunsigned",
    "Arguments": "",
    "Parameters": "",
    "Command": "T3V0LVN0cmluZyAtSW5wd=="
}

The "Command" option was substituted with a base64 version of the script copied above, once again excluded to keep things down in size.
I got the base64 command by running, the operation was "type 109" as described by sk173414.

[Convert]::ToBase64String((gc C:\users\user.directory\Downloads\trac.ps1))

 

As far as restoring from quarantine goes, I performed the pushes through Infinity Portal, the file I was restoring was the EICAR test virus file, the original filepath of which was "C:\users\user.directory\Downloads\eicar.com".

I performed multiple restore operations using "C:\users\user.directory\Downloads\eicar.com" as the path, just "eicar.com" and finally "C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\quarantine\b3c2adbc28791f0f.klq" as the paths.

In all cases the result was a successful push operation, however the status was always "0 files restored, 0 still infected, 1 files not found."

I'm really not clear which file location I should be specifying here. I'll open a case with TAC in case we don't figure something out within the context of checkmates, but I see quite a few forum posts asking vaguely the same sorts of questions regarding push operations; I think some more clarity with documentation might be nice.

0 Kudos
jcortez
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2022-01-17 06:12 AM
In response to Swiftyyyy

@Swiftyyyy 

Please open a Ticket/Case/SR with TAC (endpoint team in TAC) to work on these issues further. You will need to open two separate Tickets/Cases/SRs for the issues.


Justin Cortez
Technology Leader | Workspace Cyber Security Products | Americas Workspace Security Team

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events