Slides are posted below the Q&A, which is below the video.
What Linux Distributions are Supported for Harmony Endpoint?
Refer to: https://support.checkpoint.com/results/sk/sk170198
Ubuntu 24.04 Support?
Planned for Q4 2024
Alma Linux 9.10?
Not at present, please contact your local Check Point office.
What versions of Windows Are Supported?
Currently we support as far back as Windows 7 and Windows Server 2008 R82. Refer to the release notes for a complete list: https://sc1.checkpoint.com/documents/E88.x/EN/Endpoint_Security_Clients_for_Windows_RN/Content/Topic...
Does this support partition wise encryption?
Yes, the encryption is based on our FDE solution. On Windows, you can also integrate with Bitlocker. On the Mac, we use FileVault.
Are there any plans to limit cpu usage during malware scans by EPS in future?
Not planned because we know that during attack the CPU will spike. We don't want to take a security risk. Having said that, in the upcoming E88.70 release, we will introduced major improvements in CPU consumption.
When the engine is first installed and it is in observe mode, is it like whitelisting?
All engines are installed as configured in the “software deployment” rules. You can start with any and add later the other engines. Detect mode will tigger alert logs but will not stop the the files/operations.
Is an integration with IBM QRadar SOAR on your roadmap and if so, when can we expect it?
We don't currently have integration plans, but you can export the data and to use it on QRadar.
Do the mass deployment methods include a way to uninstall previous endpoint agent from other vendors in the same process?
For some products, yes. See: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...
Is it possible to create separate administrators for each pilot group?
No, you can choose RBAC based on the different roles we have on the Infinity Portal.
Any options on on-premesis server ?
Yes, you can deploy HEP on Cloud / On-Prem / Hybrid / Semi-Isolated environments.
Do the same deployment methods apply for usage as an MSSP?
In addition to what's been presented here, there are some other tricks for MSSPs, as we have introduced our new MSSP Platform, which includes a policy templates you can use.
Should we remove Windows Defender on installation of Harmony Endpoint?
Yes. For Windows Servers, it must be stopped manually. For Windows clients, we will attempt to stop it during installation.
For existing customers who run the Endpoint Management on-prem, is there any cost to migrate to Endpoint MaaS ? Can the policy be migrated from on-prem to MaaS easily?
No additional cost is needed. We also have a migration tool to make the transition as easy as possible.
Is there a tool to remove Harmony Endpoint from a system?
You can uninstall the agent directly from the management console using a Push operation.
Can you get the same features on on-prem that you get with the cloud-managed option?
Yes, 3 months after Cloud for most features.
Are there any plans to support blocking file uploads per domain or application as it is possible with Harmony Browse or Quantum firewalls?
Yes, it is part of our Roadmap
Is it possible to coexist with 3rd party AV?
Yes, as long as you don’t deploy AM blade and configure mutual exclusions (e.g. by AV vendor software certificate). However, 3rd party AV replacement is recommended to unify endpoint clients and security operations.
Do we always take the recommended version or the latest as best practice?
The recommend version has significant customer adoption. The latest version may have newer features/functionality and/or support additional operating system versions. Choose what is best for your needs.
But it is important to say, all other versions are completely safe and we release them only after a comprehensive QA cycle.
Log Retention for Cloud-Management?
90 days by default. Additional log retention can be purchased.
Client upgrade would reboot the machine?
No, a clean upgrade without changing the blades/features will not cause a reboot. If you are switching between E1 and E2 versions, a reboot is required to ensure all E1 components are removed.
When an additional blade is added to the software deployment how soon is that replicated to the users in the assigned group?
It is based on the software deployment policy the admin implemented.
How to deploy agents without third party tools?
We have many options - Tiny agent, links, etc
How do I verify my client is E1 or E2?
Please review: https://support.checkpoint.com/results/sk/sk178307
When additional blades are deployed does the addition require a reboot to the device?
This is only required when adding Media Encryption / Full Disk Encryption.
What about the built-in vpn client in the HEP agent for linux?) Is there such a thing in the Roadmap?
Yes, it is part of our roadmap. Current expected timeline is Q1 2025, but this is subject to change.
Can the user delay the reboot or are they notified?
Yes, they can delay the installation and reboot based on the policy that the admin choose to implement.
Tiny agents are agents. How can I install on end users Machines remotely?
You can install remotely with a push operation based on active directory ( using a source machine to spread the installation): https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...
What is the recommended way to deploy the firewall blade for clients and server operating systems if you only want to have the "isolation" feature? Are there plans for a migration tool (windows defender -> checkpoint) or is there a way to have both firewalls in parallel but checkpoint in a "learning-mode" with isolation-capabilities?
For isolation only: keep the policy as is. A migration tool is not currently on the roadmap. You cannot have both firewalls enabled at the same time.
Is the E2 anti-malware engine faster at scanning than the E1 engine?
The new engine is much better, this is why we decided to announce it as our default engine a few weeks ago.
Is it possible to configure different url filtering categories for a specific group of users, but without having to configure in the rule all the other Threat Prevention configuration again (and without copying it)?
Yes, it is ideal to separate servers & workstations groups and to set the relevant policy for each one.
Does Check Point have like recommended exclusions for applications such as SQL/exchange/AD etc?
Yes, we are working on a new "Exclusions Catalog" which targeted for Q1 2025.
What if customer has another vendor's Anti-Malware offering and wants Check Point to run EDR only?
Behavioral Guard & Forensics already have predefined certificate-based exclusions for some AV vendors. You can add more. Don’t deploy AM blade. Exclude HEP agent from AV as well (e.g. relevant folders in Program Files, Program Data, and HarmonyBackup folders in root of each volume).
Can we deploy just Antimalware blade and disable other TP blades (Antiransomware,TE, Anti-bot) for servers ?
Yes, you can.
Is SHA1 support coming for process hash exclusions on the Forensics?
Yes, it is part of our roadmap
Any plans to support any form of HA in Harmony for AD Scanner & Strong Auth?
Currently it is not supported to have more than one domain controller as a target for a specific domain. We are checking it at the moment, hopefully the answer will be "YES" soon.
Any plans for AAD(Entra) Group management? You could technically do this via Intune, but having it in the console would make things simpler.
Yes, it is already supported, you will soon see it as part of the management console
AD scanner seems to be limited to minimum refresh of 120 minutes, is this correct? It makes use of AD groups far less useful particularly when deploying new devices
You can actually set the AD Scanner to refresh every 5 minutes. And we will allow usage of AzureAD/EntraID in the near future.
Can we use domain authentication for login in web console our on-premise instance of Harmony Endpoint?
Yes, you can 🙂
Does updating the version of the agent require a reboot?
In most cases, this is not required.
Could you explain in which case mixed mode can be used? As I understand it, the policies in this case are written for users, but there is no more detailed information in the documentation.
Depends on your use cases and AD/Entra-ID structure (user/machine groups/OUs): e.g. URLF policies make sense for users while EPP+EDR features should protect all users from cyberattacks equally.
Yes, we are working on a new "Exclusions Catalog" 🙂
How to change certificate on web console for our self-signed Harmony Endpoint one?
Yes, see https://support.checkpoint.com/results/sk/sk178064 (This applies to Endpoint Management also)
Do you have any recommendations to optimize the use of memory for the forensic process?
You can use the "Low memory mode" to reduce it. You can also use our "Run Diagnostics" tool. The upcoming E88.70 release will include dramatic improvements in RAM and CPU usage.
Are there any major features coming with Quantum R82 release?
Yes, it will close some gaps we have been on-premise and cloud management. This includes features added in the last six months (except for the upcoming DLP).
Can you push the Harmony Endpoint client with a custom VPN configuration/ (trac.confiug/trac.defaults)?
This currently requires customizing the MSI with VPNTool.
What is the by default log retention of HEP Complete package?
The default log retention for all HEP packages is 90 days 🙂
When using a MSSP tenant with Child tenants, is that possible to get in one place all the events coming from Harmony EP, Harmony Mobile, Email, etc. from one tenant?
Yes, we have our HEP MSSP view, where you can see all the data from all of you HEP child tenants. Additionaly, from the Infinity Events you can see the logs from all other Check Point products.
How we can investigate which component we should add to exclusion on our DBMS? We've added the relevant directories/processes
With Oracle, Harmony Endpoint utilize all CPUs and memory, but already all directories and processes connected with the DBMS have been added to exclusions.
Use Run Diagnostics push operation to get an interactive report and suggested exclusions
When HEP detects a malware activity is it able to restore everything the malware changed in the Desktop? I mean, deleted files, altered registry entries, etc...
It is able to remediate 100% the attack: stop the attack, identity all processes/files that took place and delete/stop them. If files were harmed by ransomeware or wiper they will be restored.
Can endpoint scan .exe files in a usb stick connected to an laptop? Can this complement Harmony Email & Collaboration's anti-malware engine?
Definitely! And many more security features. Harmony Email prevents threats incorporate email (~80% of attacks), while Harmony Endpoint prevents or blocks the rest. It’s the last line of defense.
Is it Log Retention or Threat Hunting that has a 3 month timeline?
Both.
I can see all the events from all tenants in Infinity Events, but not all events from one single tenant, right?
Correct. if you want to see details just for one tenant you should log to the relevant tenant. In the MSSP View, you can also take actions for child accounts - Policy, Exclusions, reports, etc.
Is there way to enforce the Harmony Endpoint Browser Plugin is enabled in incognito mode?
Very soon, it will be part of client version E88.60.
If I'm using a competing Endpoint product, can Harmony Endpoint serve as a substitute so I can manage everything through the Infinity Portal?
Yes, 100% form the portal.
Does installing the tiny agent via GPO require a reboot?
Yes, initial deployment requires reboot. But we recommend deployment of a complete exported package via GPO/SCCM/UEM in the same corporate network to optimize bandwidth consumption.
Do you have timescale for EntraID support? Docs say it's already there but I have a ticket open with our partner as the option is missing.
We expect to be available in the next couple of weeks.
Is possible to create an exception for a specific URL or only for the domain?
For URL Filtering, you can do an exclusion based on URL. For anti-phishing, domain only.
Does the HA EP allow to bind usb device to domain user? Need it in scenario when users use different PC's for work.
Yes.
Are there any recommended steps or SKs to follow, before activating smart exclusions? What will happen with existing Legacy exclusions?
Refer to: https://support.checkpoint.com/results/sk/sk181679
Legacy” exclusions will be converted automatically with a wizard.
Will this solution also include XDR or is this another product?
XDR is an add-on to Check Point products such as Harmony Endpoint.
Is the posture management option that you get on cloud also available for clients running the on-prem management?
Yes, with latest jumbo HF..
How can we block anonymizer applications, such as Ultrasurf? URL Filtering is not enough, there are evasions.
You can block specific EXEs (or use a whitelist approach) to ensure UltraSurf and similar apps do not run.
What is the next ground-breaking feature update coming, whether it be 1 or 2 years away?
DLP...in the coming weeks 🙂
When will XDR get acecss to Harmony Mobile and does it work already with Mail and Colaboration?
Mobile - Q3, Email - yes