This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BarYassure
Employee
Employee
‎2025-12-22 06:53 AM
Jump to solution

Harmony Endpoint Security Client E89.10 for Windows is now available as GA

Harmony Endpoint - Banner.jpg

 

Hi,

Check Point Harmony Endpoint Security Client E89.10 for Windows is now available as GA (General Availability). 

 

Main Enhancements:

  • Performance & Stability:

    General performance and stability improvements across Anti-Bot, URL Filtering, Anti-Malware, and Threat Emulation Blades for a faster and more efficient user experience.

  • Semi-Isolated Environments:
    Super Node Server now supports upstream proxy configuration.

  • TE Appliance Load Balancing:
    When multiple Threat Emulation appliances are configured, the Endpoint client now intelligently distributes file emulation tasks across all available appliances. 
    This ensures optimal utilization and prevents load concentration on individual appliances.

  • Threat Hunting:
    Threat Hunting d    ata is now enriched with additional informationץ

  • Troubleshooting Tool:
    “hepctrl.exe",  the debugging utility, now includes a new Interactive Mode that helps find the root cause faster and also includes automatic log collection.
 
 

End of Support:

  • Capsule Docs:
    Capsule Docs reached its End of Support.
    To upgrade to E89.10 Windows with managed Capsule Docs, you must first uninstall Capsule Docs from the machine.

  • Legacy Operating Systems:
    E89.10 is the last version to support the following Legacy Microsoft Operating Systems:
    • Windows 7
    • Windows 8
    • Windows Server 2008  
    • Windows Server 2012.


Please see sk183132 for the complete list of enhancements and resolved issues in this release.

Please feel free to reach out with any questions!

1 Solution

Accepted Solutions
joesternna
Participant
Friday
In response to joesternna
Jump to solution

The issue turned out to be correlated with Harmony SASE. When the SASE connection was on, laptops could not retrieve malware updates. 

  • This explains why updates might have succeeded right after a reboot -- the SASE connection is the last to load.

SASE comes with a default bypass rule for Check Point Harmony domains, but it needs to be updated to include teadv.checkpoint.com

After adding that domain, 89.10 updates are working correctly for us.

View solution in original post

0 Kudos
14 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-12-23 07:37 PM
Jump to solution

Will install it tomorrow in the lab and update.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 06:05 AM
Jump to solution

Just installed it in the lab, so far, all good!

Hey @BarYassure Happy holidays to you and family, be well.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Alex-
MVP Silver
MVP Silver
‎2025-12-24 08:03 AM
Jump to solution

One of our customers experienced complete disconnection of all clients to the Infinity EDR service, regardless of location, behind a firewall or not.

For those facing the issue, consider sk183612 - Hardening certificate validation in Harmony Endpoint for Windows E89.10, which immediately solved the issue.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 08:18 AM
In response to Alex-
Jump to solution

Goot to know Alex!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
lluner
Advisor
‎2025-12-24 11:06 AM
In response to the_rock
Jump to solution

@BarYassure @the_rock @Alex- 

We have a problem here. Regarding the environment that uses WSUS, I don't know if Windows Update updates certificates. I believe we can use PowerShell to include this certificate chain in the clients. I'll test it and let you know here in the group.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 11:12 AM
In response to lluner
Jump to solution

Might be worth TAC case to verify. I tested in the lab, connected to client's site, worked fine.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
joesternna
Participant
‎2026-01-05 01:14 PM
Jump to solution

All our pilot users upgraded to 89.10 have experienced the same issue: definition updates fail following the update until a manual "update now" from the HEP client followed by a reboot.

Until both those things (and not just a reboot) malware definition updates don't happen. The log doesn't show any failures, just an absence of Update events.

I'm stopping the rollout of 89.10 until we can figure out a way to correct this issue.

lluner
Advisor
‎2026-01-05 03:04 PM
In response to joesternna
Jump to solution

@joesternna 

I believe this problem is related to a version of Windows that lacks the certificate chain.

https://support.checkpoint.com/results/sk/sk183612

Which version of Windows are you using?

0 Kudos
joesternna
Participant
‎2026-01-06 05:28 AM
In response to lluner
Jump to solution

All the computers in my pilot group are running Windows 11 25H2, and are fully up-to-date with Microsoft updates.

Unlike the SK description, these computers are not cut off from other Check Point services. 

0 Kudos
Alex-
MVP Silver
MVP Silver
‎2026-01-06 07:36 AM
In response to joesternna
Jump to solution

The SK has nothing to do with access to Check Point services, but instead installing a certificate in the trusted store.

In our case, this fixed the issues on all computers.

joesternna
Participant
Friday
In response to joesternna
Jump to solution

The issue turned out to be correlated with Harmony SASE. When the SASE connection was on, laptops could not retrieve malware updates. 

  • This explains why updates might have succeeded right after a reboot -- the SASE connection is the last to load.

SASE comes with a default bypass rule for Check Point Harmony domains, but it needs to be updated to include teadv.checkpoint.com

After adding that domain, 89.10 updates are working correctly for us.

0 Kudos
ccsjnw
Contributor
yesterday
Jump to solution


I was disappointed to find that it is still necessary to use a Registry Hack to force the Windows Remote Access VPN Client to use IKEv2, rather than IKEv1.

The Capsule Connect for iOS client has no such restrictions and can use IKEv2 if it is available on the Security Gateway and falls back to IKEv1 if it’s not. Why can’t the Windows client work in exactly the same way?

Also, the setting is misleading because if IKEv2 is enabled, a fallback connection using IKEv1 is not possible. It’s not clear from the SK article that enabling IKEv2 support, disables IKEv1. 

At CPX 2025 (Vienna) in February 2025, I discussed this issue and I was told the Registry Hack requirement would be removed ‘soon’. But it’s still a requirement in the latest, recommended release.

Is there in timeline on this - is it definitely on the roadmap to make this behave transparent in the Windows Client as it is in Capsule Connect?

0 Kudos
PhoneBoy
Admin
Admin
an hour ago
In response to ccsjnw
Jump to solution

The SK should definitely note this fact about IKEv2 disabling IKEv1...I'll ask that it be updated.

ccsjnw
Contributor
22m ago
In response to PhoneBoy
Jump to solution

Thanks - but when will the requirement to use this Registry hack to enable IKEv2 be removed?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events