Swiftyyyy
Advisor

Custom Push operation (Remote Command)

Hi!
I've put together a short PowerShell script that adds additional Remote Access VPN sites to existing deployments through "update_config_tool.exe".

The script works fine when I push it to the Endpoint from Infinity Portal Endpoint management, but I can't seem to get it working when deploying through a custom operation with SmartEndpoint.

I followed How to execute PowerShell scripts on Harmony Endpoint client machines (checkpoint.com) but the push operations always get stuck on the "parameters" part & end up failing.

My script on Infinity Portal doesn't take any parameters or arguments, how do I specify those fields as empty with json?

Best regards

4 Replies
Swiftyyyy
Advisor

And I may as well bundle this question into the forum post while I'm at it.
How exactly do you perform Quarantine restorations as a Push Operation?
Which filepath do you enter into the parameters?

I usually end up instructing users to use the RemediationManagerUI since I can't get pushes working.

the_rock
Legend

I wish I could give you a good answer here, but I'm not an endpoint guy myself; I know very basic stuff about it. If you can maybe post any screenshots/errors, we can try to assist more. Might be worth opening an official TAC case too.

Swiftyyyy
Advisor

Of course, here's what I got. First image is the output of a successful operation. The push was done on Infinity Portal with a "Remote Command" operation.

workingTracPS.png

The second image is a Custom Push.

NotWorkingTrac.png

Here's the script I used, though I'm omitting the contents of the "trac.config" file to save space.

# Disable and stop the Endpoint Connect service before touching its configuration
Set-Service -Name TracSrvWrapper -StartupType disabled
Get-Service -Name TracSrvWrapper | Stop-Service

# Write the new trac.config (contents omitted here) to C:\trac.config
echo HereSitTheContentsOfTrac.Config | Out-File -FilePath c:\trac.config -Encoding default -NoNewline
attrib +A C:\trac.config

# Keep a copy of the currently installed trac.config, then replace it with the new one
cp "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.config" "C:\windows\temp\trac.config"
cp "C:\trac.config" "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.config"

# Run update_config_tool.exe from the install directory, passing the saved copy and the install path
cd "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\" ; .\update_config_tool.exe "C:\Windows\Temp\trac.config" "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect"

# Re-enable and start the service again
Set-Service -Name TracSrvWrapper -StartupType automatic
Get-Service -Name TracSrvWrapper | Start-Service


And here's the JSON I pushed through SmartEndpoint.

{
  "Description": "Remote command push",
  "Type": "powershellunsigned",
  "Arguments": "",
  "Parameters": "",
  "Command": "T3V0LVN0cmluZyAtSW5wd=="
}

The "Command" option was substituted with a base64 version of the script copied above, once again excluded to keep things down in size.
I got the base64 command by running the following; the operation was "type 109" as described in sk173414.

# Read the script as raw bytes: Get-Content returns strings, which ToBase64String cannot take
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes('C:\users\user.directory\Downloads\trac.ps1'))


As far as restoring from quarantine goes, I performed the pushes through Infinity Portal, the file I was restoring was the EICAR test virus file, the original filepath of which was "C:\users\user.directory\Downloads\eicar.com".

I performed multiple restore operations using "C:\users\user.directory\Downloads\eicar.com", just "eicar.com", and finally "C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\quarantine\b3c2adbc28791f0f.klq" as the path.

In all cases the result was a successful push operation, however the status was always "0 files restored, 0 still infected, 1 files not found."

I'm really not clear which file location I should be specifying here. I'll open a case with TAC in case we don't figure something out within the context of CheckMates, but I see quite a few forum posts asking vaguely the same sorts of questions regarding push operations; I think some more clarity in the documentation might be nice.

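As an added example (not part of the thread above, and not Check Point's own tooling), here is a small PowerShell helper that packages a script file into the custom push JSON shown in that post: it reads the script as raw bytes, base64-encodes them, verifies the encoding round-trips, and writes a payload with the "Arguments" and "Parameters" fields set to empty strings. The field names and the "powershellunsigned" type value are taken from the post; the function name, the output file location, and the choice to encode the file's raw bytes (rather than a specific text encoding, which sk173414 would be the place to confirm) are this example's own assumptions.

```powershell
# Added example: build a SmartEndpoint custom push JSON payload from a script file.
# Assumptions (not from the thread): function name, default output path, and
# that the "Command" field takes the base64 of the script file's raw bytes.
function New-CustomPushPayload {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $Description = "Remote command push",
        [string] $OutFile = (Join-Path $PWD "custom-push.json")   # hypothetical output location
    )

    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Script not found: $ScriptPath"
    }

    # Raw bytes of the file. Get-Content would return a string array, which
    # [Convert]::ToBase64String() cannot consume (it only accepts byte[]).
    $fullPath = (Resolve-Path -LiteralPath $ScriptPath).Path
    $bytes    = [System.IO.File]::ReadAllBytes($fullPath)
    $encoded  = [Convert]::ToBase64String($bytes)

    # Round-trip check: decoding must give back exactly the bytes we read.
    $decoded = [Convert]::FromBase64String($encoded)
    if ([System.BitConverter]::ToString($decoded) -ne [System.BitConverter]::ToString($bytes)) {
        throw "Base64 round-trip mismatch for $fullPath"
    }

    # [ordered] keeps the same field order as the JSON sample in the thread.
    $payload = [ordered]@{
        Description = $Description
        Type        = "powershellunsigned"
        Arguments   = ""          # explicitly empty: the script takes no arguments
        Parameters  = ""          # explicitly empty: no parameters either
        Command     = $encoded
    }

    $json = $payload | ConvertTo-Json

    # WriteAllText with an explicit UTF8Encoding(false) writes UTF-8 without a BOM,
    # which Set-Content -Encoding UTF8 would add on Windows PowerShell 5.1.
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($OutFile, $json, $utf8NoBom)

    Write-Host ("Wrote {0} ({1} script bytes, {2} base64 characters)" -f $OutFile, $bytes.Length, $encoded.Length)
    return $json
}

# Usage (path taken from the thread):
# New-CustomPushPayload -ScriptPath 'C:\users\user.directory\Downloads\trac.ps1'
```

The round-trip check is cheap insurance: if the base64 string is later pasted by hand into the operation, a truncated or re-wrapped value (like the shortened sample in the post) would otherwise only show up as a failed push with no obvious cause.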
jcortez
Employee

@Swiftyyyy 

Please open a Ticket/Case/SR with TAC (endpoint team in TAC) to work on these issues further. You will need to open two separate Tickets/Cases/SRs for the issues.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
