This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luiz_
Collaborator
‎2022-07-07 07:35 AM
Jump to solution

Using Compliance blade to check Windows registry for Windows Firewall rules

Hi there checkmates,

 

We are trying to create a Compliance rule to check if a specific Windows Defender Firewall rule is present on the user's laptop.

The registry folder where the rules are located is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules.

The value of each registry is where we look for a certain string to check if the rule we want to check is there, it looks like: v2.30|Action=Allow|Active=TRUE|Dir=Out|Name=Microsoft Solitaire Collection|Desc=Microsoft Solitaire Collection|LUOwn=S-1-5-21-1918626456-2443561179-3960203745-1002|AppPkgId=S-1-15-2-1985198343-3186790915-4047221937-1969271670-3792558349-1325541827-400269725|EmbedCtxt=Microsoft Solitaire Collection|Platform=2:6:2|Platform2=GTEQ|

The challenge is: the 'name' for each registry is randomized, a value like "{0E69F20E-9517-4D89-A9AB-603E27C8891F}". We can't find a way to check all registries because of that, we would need to use wildcard to do that and we aren't able to do that according to our tests.

Screenshot is attached with the configuration, where we would use * on the "Registry value name" field.

We have an open case with TAC for almost two weeks trying to get this answer but it doesn't go anywhere.

Any ideas? Thanks a lot.

 

 

Preview file
12 KB
Preview file
90 KB
0 Kudos
1 Solution

Accepted Solutions
jcortez
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2022-07-12 04:28 PM
In response to jcortez
Jump to solution

@PhoneBoy & @Luiz_ 

After speaking with our internal resources the only workaround that could work is creating a wildcard test in a script and using our Compliance Blade to run the script periodically.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2022-07-10 03:10 PM
Jump to solution

Is this with Harmony Connect or Harmony Endpoint managed via the cloud?

0 Kudos
Luiz_
Collaborator
‎2022-07-10 04:06 PM
In response to PhoneBoy
Jump to solution

It's Harmony Endpoint managed via the cloud

0 Kudos
PhoneBoy
Admin
Admin
‎2022-07-12 05:53 AM
In response to Luiz_
Jump to solution

@jcortez can you think of a better way to do what's trying to be done here?

0 Kudos
jcortez
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2022-07-12 09:15 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy & @Luiz_ 

That is a very good question. Due to the fact that the Registry Key values a randomized it would be very difficult to achieve this. I honestly cannot think of a good workaround.

 

Let me have some of our internal resources take a look at this and I will reply back.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
0 Kudos
jcortez
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2022-07-12 04:28 PM
In response to jcortez
Jump to solution

@PhoneBoy & @Luiz_ 

After speaking with our internal resources the only workaround that could work is creating a wildcard test in a script and using our Compliance Blade to run the script periodically.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
Luiz_
Collaborator
‎2022-07-13 09:32 AM
In response to jcortez
Jump to solution

Very good idea! Thanks a lot!

We're going to try this way.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events