Real World local.scv Example

As I am looking through the Remote Access Client admin guide and sk38702, I'm wondering if anyone is willing to share their local.scv files in production. The syntax isn't crazy easy to understand, but I'm most interested in the following if it's supported. 

Checking if Windows 10 is >= 1903
Check if AV process is running - This looks supported
Check if client computer is joined to company domain

18 Replies

Admin

Under OsMonitor, you'd need something like:

:major_os_version_number_10 (10)
:minor_os_version_number_10 (0)
:os_version_operand_10 ("==")

And yes, this should be in the documentation somewhere, but it's not.

AV is definitely supported, see example here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As for checking if domain-registered, this registry key seems to be the one to check for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain
However, you can also check for a specific registry entry that you add via GPO or similar.

What does the minor version correspond to? Is there a way to reference the Windows 10 build? Like 1903 being 18362.753. Ultimately, it would be nice to do build >= 18362.753 is compliant and allowed to connect.
Admin

Minor version in this case is most likely zero (as in Windows version 10.0).
Hotfix Monitor is probably what you want to use here, but not sure of the exact syntax.

Windows version information can be found in the registry on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Open this key in regedit and you'll see a lot of information.
Therefore, the check for version, build and whatever else can be done with RegMonitor.

Thanks for all the input.

Were you able to make this work? I'm trying to do it and nothing seems to work.

I'm on Gaia R80.30 on both MGMT and Firewall.

Thanks!


No, I haven't got around to trying this yet.

ok thanks 


And here is an example of the Windows build check. Here we require Windows 10 version 1903 or newer:

		: (RegMonitor
			:type (plugin)
			:parameters (
				:begin_and (and1)
					:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")
					:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseId>=1903")
				:end (and1)
				:begin_admin (admin)
					:send_log (alert)
					:mismatchmessage ("Windows 10 version 1903 or newer is required.")
				:end (admin)
			)
		)

As an alternative, you can compare CurrentMajorVersionNumber with 10. In this case, replace

:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")

with

:value ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentMajorVersionNumber=10")

Do not forget to include RegMonitor in the SCVPolicy section:

	:SCVPolicy (
		: (RegMonitor)
	)

Save the local.scv file and install policy. If a separate gateway/management configuration is used, the local.scv file has to be configured on the management. I assume you have the SCV check turned on.


That's the part that was missing:

Do not forget to include RegMonitor in SCVPolicy section:

	:SCVPolicy (
		: (RegMonitor)
	)

Thanks for your help!


Refer to sk65267 for an example of how to check for the domain. In short, add a check to the RegMonitor section, e.g.:

:string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=your_company_domain")

Here we check the string value "Domain" in the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters".
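When a check "doesn't seem to work", the first thing to confirm is what the client actually has in the registry. This added PowerShell snippet (not part of the thread or of Check Point's tooling) reads the values behind the Windows version check above and this domain check and applies the same criteria locally; the expected domain is a placeholder you replace with your own.

```powershell
# Added example, not from the thread: read the registry values that the
# RegMonitor checks compare against and apply the same criteria locally,
# so you can see what SCV will evaluate on a client before installing policy.
# Assumption: 'your_company_domain' is a placeholder for the real DNS domain.
$ExpectedDomain = 'your_company_domain'

$nt  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History' -ErrorAction SilentlyContinue

# Values behind the Windows version check
$currentVersion = $nt.CurrentVersion             # REG_SZ, "6.3" on Windows 10
$majorVersion   = $nt.CurrentMajorVersionNumber  # REG_DWORD, 10 on Windows 10
$releaseId      = $nt.ReleaseId                  # REG_SZ, e.g. "1903"
$build          = $nt.CurrentBuild               # REG_SZ, e.g. "18362"
# Caveat: from Windows 10 20H2 on, ReleaseId stays "2009" and DisplayVersion
# carries the marketing name (e.g. "21H2"), so a ReleaseId >= check cannot
# tell releases newer than 2009 apart.
$displayVersion = $nt.DisplayVersion             # REG_SZ, absent on older builds

# Values behind the domain checks
$tcpipDomain = $tcp.Domain                       # REG_SZ, DNS domain suffix (sk65267 check)
$gpoDomain   = $gpo.MachineDomain                # set once a machine GPO refresh has run

# Same criteria as the thread's RegMonitor examples
$versionOk = ($currentVersion -eq '6.3') -and ($majorVersion -eq 10)
$releaseOk = $releaseId -and ([int]$releaseId -ge 1903)
$domainOk  = ($tcpipDomain -eq $ExpectedDomain)

[pscustomobject]@{
    CurrentVersion            = $currentVersion
    CurrentMajorVersionNumber = $majorVersion
    ReleaseId                 = $releaseId
    DisplayVersion            = $displayVersion
    CurrentBuild              = $build
    TcpipDomain               = $tcpipDomain
    GpoMachineDomain          = $gpoDomain
    WouldPassVersionCheck     = [bool]($versionOk -and $releaseOk)
    WouldPassDomainCheck      = [bool]$domainOk
}
```

Run it in an elevated PowerShell on the client; if a value is empty or differs from what your :string/:value lines expect, that is the line to adjust.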


I was not even aware SCV was a thing in Check Point, always thought you needed the full endpoint security client to do stuff like domain checks. There's always something to learn :-)

Anyhow - this thread inspired me to build this up in my lab and test with just the Check Point Mobile client.

I got it working very nicely after a couple of false starts.  I will post a full writeup on the forum also when I have a bit of time.  In the meantime, here is my local.scv lab file (had to change extension otherwise I cannot upload to the forum) which checks for domain membership (lab domain is checkpoint.root).

These sources were very helpful:

sk65267
sk147416
https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Check...

Admin

SCV has been around since before Check Point offered a full Endpoint Security client.
While the Compliance checks in Endpoint Security are the preferred approach, SCV is still useful in cases where the full Endpoint client isn't needed.
Note that SCV is only applicable for Windows clients; it is not supported on Mac or on other platforms.

It was my understanding that the full endpoint client still uses the local.scv file for its posture checks. Is this not the case? If so, how does the full endpoint client accomplish its posture checks?
Admin

The full Endpoint client can use SCV, the configuration file for which is stored on the relevant gateway.
Compliance checks are configured in SmartEndpoint and stored on the Endpoint Management server.

With the compliance check via the local.scv file or the SmartEndpoint server, there is an option to check if a file exists. I've created a dummy file and I would like to insert it in the MSI I'm giving to external users so they can install the VPN without knowing they need this file to connect to our server. How can I add this file to the EPS.MSI or the E82.50_CheckPointVPN.msi?

Thanks for your help!

Admin

An MSI is basically an archive.
Which means you should be able to add a file to one of the folders that gets installed from the MSI.
Now whether that will actually work or not is a separate question.

There are better ways to check if the system is a trusted asset or not (e.g. registry checks).

I know we can do this with the registry too, but it will still be the same thing: I will need to add a registry key in the MSI, because we have external users who are not part of the company but have VPN access to maintain some software. So I would prefer to keep the registry key or file secret from them.

Thanks!
