Dreyfuss
Contributor

R81.20 Latest JHF - SNX Installation Failure: VNA Driver Certificate Revoked (Error 0x800b010c)

 

Hi everyone,

I am reporting a critical installation issue with the SSL Network Extender (SNX) on modern Windows 10/11 endpoints, even when served from a Management/Gateway running R81.20 with the latest Jumbo Hotfix.

Despite the Gateway being up to date, the SNX client attempts to install a version of the Check Point Virtual Network Adapter (VNA) that is being blocked by Windows Code Integrity.

Environment details:

  • Gateway/Management: R81.20 (Latest JHF)

  • Client OS: Windows 10/11 x64 (Secure Boot & Driver Signature Enforcement Enabled)

  • Driver in package: netvna.inf v1.2.2.0 (dated 03/14/2019)

The Technical Failure: The installation fails during the driver staging process. The setupapi.dev.log explicitly points to a revoked certificate in the netvna.cat file:

Code Snippet:
 
sig: {_VERIFY_FILE_SIGNATURE}
sig:  Key      = netvna.inf
sig:  FilePath = C:\WINDOWS\System32\DriverStore\Temp\{...}\netvna.inf
sig:  Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{...}\netvna.cat
! sig: Verifying file against specific (valid) catalog failed.
😫
  1. Hard Revocation: The error 0x800b010c (CERT_E_REVOKED) is a terminal failure. Windows will not load this driver even if the certificate is manually added to the Trusted Root/Publisher stores, as the revocation bit is verified online via CRL/OCSP.

  2. Legacy Binaries in R81.20: It appears the SNX components bundled with R81.20 still rely on the 2019 driver build, which carries a now-revoked signature.

  3. Modern Security Compliance: On machines with Secure Boot enabled, there is no workaround (?) other than disabling (!) core security features (which is not an option for enterprise environments).

Question to the Community & R&D: Is there a specific SK or a separate "SNX Hotfix" for R81.20 that updates the CVPND components to include a VNA driver with a valid SHA-256 signature and a non-revoked certificate?

If the latest JHF does not address this, how can we ensure the "Thin" SNX client remains viable for Windows 11 deployments without pivoting to the full Endpoint Security VPN client?

Thanks in advance

Mr. Dreyfuss

0 Kudos
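For triaging this failure across endpoints, here is an added example (not part of the original post and not Check Point tooling): Python that scans setupapi.dev.log text for `_VERIFY_FILE_SIGNATURE` blocks that exit with a non-zero code and names the trust error. The sample log is constructed in the layout of the excerpt above; the timestamps, the "Error 0x..." line, the block-exit lines, the second block and the function name `signature_failures` are assumptions.

```python
import re

# 0x800b010c is the code reported in the post; the other two are standard HRESULTs.
TRUST_ERRORS = {
    0x800B010C: "CERT_E_REVOKED",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

# Constructed sample in the layout of the excerpt in the post; timestamps, the
# "Error 0x..." line, the exit lines and the second block are made up.
SAMPLE_LOG = r"""
     sig: {_VERIFY_FILE_SIGNATURE} 10:15:32.123
     sig:  Key      = netvna.inf
     sig:  FilePath = C:\WINDOWS\System32\DriverStore\Temp\{...}\netvna.inf
     sig:  Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{...}\netvna.cat
!    sig:  Verifying file against specific (valid) catalog failed.
!    sig:  Error 0x800b010c: A certificate was explicitly revoked by its issuer.
     sig: {_VERIFY_FILE_SIGNATURE exit(0x800b010c)} 10:15:32.170
     sig: {_VERIFY_FILE_SIGNATURE} 10:15:40.001
     sig:  Key      = example.inf
     sig:  Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{...}\example.cat
     sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 10:15:40.020
"""

BLOCK_START = re.compile(r"sig:\s*\{_VERIFY_FILE_SIGNATURE\}")
BLOCK_EXIT = re.compile(r"sig:\s*\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9a-fA-F]{8})\)\}")
FIELD = re.compile(r"sig:\s*(Key|FilePath|Catalog)\s*=\s*(.+?)\s*$")

def signature_failures(log_text):
    """Return one dict per _VERIFY_FILE_SIGNATURE block that exited non-zero."""
    failures, block = [], None
    for line in log_text.splitlines():
        if BLOCK_START.search(line):
            block = {"warnings": []}          # a new verification block opens
        elif block is None:
            continue                          # ignore lines outside a block
        elif (m := BLOCK_EXIT.search(line)):
            code = int(m.group(1), 16)
            if code != 0:                     # keep only failed verifications
                block["hresult"] = f"0x{code:08x}"
                block["name"] = TRUST_ERRORS.get(code, "UNKNOWN")
                failures.append(block)
            block = None
        elif (m := FIELD.search(line)):
            block[m.group(1)] = m.group(2)    # Key / FilePath / Catalog
        elif line.lstrip().startswith("!"):
            block["warnings"].append(line.lstrip("! ").strip())
    return failures
```

Calling `signature_failures()` on the text of `C:\Windows\INF\setupapi.dev.log` from an affected machine returns the failing INF, its catalog path and the trust error for each rejected driver package.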
8 Replies
PhoneBoy
Admin

Hadn't seen anything about it.
Would open a TAC case.

Dreyfuss
Contributor

Thanks. I will do. 

WiliRGasparetto
MVP Diamond

No Official Hotfix (as of latest R81.20 Jumbo)

  • As of the latest available documentation and SK articles, there is no dedicated SNX hotfix for R81.20 that updates the VNA driver to a version with a valid, non-revoked SHA-256 signature.
  • The issue is acknowledged in several SKs and community threads, with recommendations to use the full Endpoint Security VPN client as a workaround.
0 Kudos
WiliRGasparetto
MVP Diamond

Here in Brazil we have some clients with this problem. Actually, I think I know you from here, hehe. What I've been advising clients is to use a VPN client or Capsule.

0 Kudos
Dreyfuss
Contributor

Thanks, WiliRGasparetto. Yes, I'm from Brazil. And unfortunately, using a VPN client (IPSEC) isn't a viable solution for us. We have two types of clients, those that use SSL VPN and those that use IPSEC VPN. I believe Check Point is trying to force a migration to the SASE solution, but we don't intend to pay for something that's already included in the package and free of charge.

0 Kudos
WiliRGasparetto
MVP Diamond

I believe it's something to force it, but it must be a problem that will be solved soon.

0 Kudos
Dreyfuss
Contributor

That's what we all hope for. rs

Dreyfuss
Contributor

I opened a TAC 6-0004558499 and I don't want to believe what I'm reading.
It says Microsoft is the one who has to fix it? The driver issuer is CHECKPOINT!

0 Kudos
