21 July 2010 Endpoint Security Revision Tracking R73


Page 1: Endpoint Security Revision Tracking R73 - Check …...The Anti-virus and Anti-spyware engines are unified into one scanning engine (now called Anti malware), providing a more reliable,

21 July 2010

Endpoint Security Revision Tracking

R73


More Information

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10877

For additional technical information about Check Point visit Check Point Support Center (http://supportcenter.checkpoint.com).

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Endpoint Security Revision Tracking R73 ).

© 2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights.


Contents

Introduction 5
FDE 7.4 HFA 3 6
    What's New in FDE 7.4 HFA 3 6
    Build Numbers 6
    Resolved Issues 6
        Resolved Login and Authentication Issues 6
        Resolved Hardware Issues 7
        Resolved Errors and Instability Issues 7
        Resolved General Issues 7
R73 9
    What’s New 9
    Build Numbers 9
    Known Limitations and Resolved Issues 10
R72 HFA1 11
    What’s New in R72 HFA1 11
    Build Numbers 11
    Resolved Issues in R72 HFA 1 11
        Endpoint Security Media Encryption 11
        VPN 12
        WebCheck 12
R72 13
    Components of This Release 13
        Build Numbers 13
    What’s New in R72 14
        WebCheck Introduced in Endpoint Security 14
        Endpoint Connect VPN Introduced in Endpoint Security 14
        Support for Windows Vista 64-Bit 14
        Federated Servers Improve Scalability and Failover 14
        Secure Single Authentication to Endpoint Security Functions - OneCheck Logon 14
        MFAE and Language Files in Full Disk Encryption Profiles 14
        Support for Spanish and Russian Languages 14
        HTTPS File Shares Enhance Manageability 15
    Resolved Issues in R72 15
        Installation, Upgrading 15
        Anti-virus / Anti-spyware 15
        Firewall 16
        GUI 17
        Full Disk Encryption 17
        Media Encryption 19
        Endpoint Security MI Framework 20
R71 22
    Components of This Release 22
    What’s New in R71 22
        Improved Removable Media Security 22
        Support for Windows Vista 22
        Tight Integration with Native Windows CD/DVD Wizard 23
        Improved Client Interface 23
        Simplified and Improved Setup and Deployment 23
        Easier Installation 23
        Customizable Evaluation Deployment 23
        Improved Performance 23
        Support for Additional Languages 23
    Resolved Issues in Endpoint Security R71 23
        Installing, Upgrading 23
        Anti-virus / Anti-spyware 24
        Firewall 24
        Performance 24
        GUI 25
        Full Disk Encryption 25
        Media Encryption 27
        Endpoint Security Server 27
R70 HFA 1 28
    Resolved Limitations in R70 HFA 1 28
R70 30
    About Release R70 30
        Build Numbers 30
    What’s New in R70 30
        Unified Endpoint Security Solution 30
        One Console For Simplified Management 31
        Endpoint Security Deployment Utility 31
        Data Security 31
        Full Disk Encryption (FDE) 31
        Media Encryption 32
        Secure Access 32
        VPN 33
        Endpoint Security License Server 33
        SmartCenter for Pointsec - webRH 33
    Resolved Limitations in R70 33
        Full Disk Encryption 33
        Secure Access 41


Introduction

This document contains information on changes and corrections implemented in previous versions of Endpoint Security. It also contains a summary of ‘What’s New’ in each release.

In This Document

FDE 7.4 HFA 3 6

R73 9

R72 HFA1 11

R72 13

R71 22

R70 HFA 1 28

R70 30


FDE 7.4 HFA 3

What's New in FDE 7.4 HFA 3

You can now install Full Disk Encryption for Windows on Mac machines running a Windows operating system.

Full Disk Encryption no longer requires USB 1.x for Preboot USB devices. This resolves USB related problems on machines with a new Intel chipset, such as Intel 5-series 3400.

Hibernation on 64-bit machines is now supported.

You can now install Full Disk Encryption on machines with active volume type 27.

You can now configure the length of Response Two in Remote Help.

Build Numbers

The version included at the time of the release is:

Product Version

Full Disk Encryption for Windows FDE 7.4 HFA3 Build 1618

Resolved Issues

The issues shown below are resolved after FDE 7.4 HFA 3 is properly installed.

Resolved Login and Authentication Issues

ID Description

00545504 Clients can change the SSO setting, even if they do not have permissions to do so in their profiles.

00514474 Authentication issues occur when you use Full Disk Encryption with the eToken PKI Client 5.0SP1.

00514232 The hostname does not display in the Preboot.

00514118, 00514883 It is possible to change the password during a One Time Login session.

00514783 Issues occur with Full Disk Encryption Management Console Remote Help when using the 20-Character Challenge.

00514974 Smart Card Crescendo C700 fails in the Preboot.

00514993 Remote Help gives an "Invalid Logon" message after the challenge length is changed from 20 characters to 10, the default.

00514910 When the pssoGina.dll Full Disk Encryption GINA is present, Full Disk Encryption does not properly handle the removal of an Active Identity Smart Card.


00456309 The Aladdin eToken PRO 64k 4.2b Smart Card does not work with 2048 bit certificates in Preboot.

Resolved Hardware Issues

ID Description

00515008 A USB mouse periodically freezes in the Preboot on Dell D820/D830 machines.

00513043 If a USB device is connected, there is a blinking cursor on Dell D510 machines in Preboot.

00515000 A black screen hang occurs on Acer Aspire One AOD250.

00515009 A USB Headset causes a freeze in Preboot.

00515054 IBM X301 machines do not resume from hibernation.

00512709 When you try to install Full Disk Encryption on Dell Inspiron Mini Netbooks, the installation fails and you see a blinking cursor.

Resolved Errors and Instability Issues

ID Description

00514938 The error BSOD 0x050010FD occurs when you decrypt a drive.

00514853 On Windows 7, 32 and 64 bit, blue screens randomly occur when you hibernate the system.

00513337 During an upgrade, this error shows: Fatal error 24 while loading language.

00558643 If you are using Windows 7 with password complexity and User Acquisition is enabled in a Full Disk Encryption profile, this error might show: Mpnotify.exe has encountered an error and must close.

00513108 An application error occurs after you edit the User Acquisition settings.

00514923 An "Unhandled exception has occurred in your application" error shows when you create a new profile.

Resolved General Issues

ID Description

00454833 Silent install is not possible if IgnoreOld Installation=Yes in the Precheck.txt file.

00515034, 00514732 Installation on drives without drive letters causes problems.

00532081 Upgrading from Full Disk Encryption 6.3 HFA X to 7.3 HFA 1 corrupts additional global language files.


00513300 The recovery file is not updated when a client is added to a domain.

00513833 There are no limits for the values of the input boxes in the File Transfer Delay window.

00514570 UseRec.exe becomes unstable when you try to create recovery media on a machine that does not have Pointsec or Full Disk Encryption installed.

00514662 The "Last log file update" value in the Local settings window is missing information.

00514665 There is a timestamp-mismatch between "Last log file delivery"/"Last log file update," which is displayed in the management console on the clients, and the modification timestamp of the logfile stored on the central log share.

00515041 There is a Non Paged Pool memory leak in prot_srv.

00539269 The etUpdate Profile path(s) is not translated correctly in the Japanese Full Disk Encryption management console.

00539538 The legal notice shows incorrectly after you install Full Disk Encryption 7.3 HFA1 with OneCheck.

00514999 Reco_img.exe does not run successfully on Windows 7 if you select Writing on Drive.

00514647 If you install Full Disk Encryption with a reversed partition layout, the second volume will not be accessible after installation.

00514991 On Hibun Full Disk Encryption, you cannot do a silent installation by running autorun.exe /install=q.

00514845 When running CPClean(R73, ver 1.2.2.0) on Windows Vista and Windows 7, some registry keys/files are not removed properly.


R73

In This Section

What’s New 9

Build Numbers 9

Known Limitations and Resolved Issues 10

What’s New

The Endpoint Security solution is now supported on the Windows 7 operating system.

File Encryption, the new add-on feature of Media Encryption, includes the ability to encrypt specific files and folders on local hard drives and removable media. With this addition, Check Point further integrates Pointsec Protector and Pointsec Media Encryption technologies.

The Anti-virus and Anti-spyware engines are unified into one scanning engine (now called Anti-malware), providing a more reliable, high performance malware scan.

Media Encryption supports burning encrypted media using Nero Burning ROM utility version 9 and greater.

Media Encryption supports management of USB devices by serial number.

Full Disk Encryption for Windows has a new precheck value, AllowRAID. If this value is set to Yes, you can install Full Disk Encryption on RAID systems with one hard drive only (for example, DELL E-series with IRRT enabled).

Improved client-side performance and new security enhancements.

Supports Chinese (Simplified).

Build Numbers

Servers:

The relevant versions at the time of this release are listed below.

Component Version

Secure Access Server 7.60.040.000

Media Encryption 4.97.0.32

FE Administration Console 1.3 Build 21

License Server 6.0

WebRH Server 2.4.2.21

Clients:

The relevant versions at the time of this release are listed below.

This information is also available in the client in the Overview tab > Product Info.

Component Version

Secure Access Client 7.6.147.000


WebCheck 1.5.41.30

Media Encryption 4.97.0.32

Full Disk Encryption for Windows 7.4 HFA2 1601

Full Disk Encryption for Mac 3.2.190

Full Disk Encryption for Linux 223 build 137

Known Limitations and Resolved Issues

The Known Limitations can be found in sk42156 (http://supportcontent.checkpoint.com/solutions?id=sk42156).

The Resolved Issues can be found in sk42157 (https://supportcontent.checkpoint.com/solutions?id=sk42157).


R72 HFA1

In This Section

What’s New in R72 HFA1 11

Build Numbers 11

Resolved Issues in R72 HFA 1 11

What’s New in R72 HFA1

New support for Full Disk Encryption client on Microsoft Windows 2000

Improved localization for Japanese

Enhanced WebCheck support for FireFox

Build Numbers

The relevant build numbers at the time of this release were:

Component Build Number

Secure Access Client 7.5.237.000

Media Encryption Client and Server 4.95.0.348

Full Disk Encryption 7.3.1531

Resolved Issues in R72 HFA 1

In This Section

Endpoint Security Media Encryption 11

VPN 12

WebCheck 12

Endpoint Security Media Encryption

Media Encryption Issues Resolved in R72 HFA 1

ID Description

00504907, 00500847 Any user, not just an administrator, can now ping the Endpoint Security Media Encryption server.


00504155, 00500042, 00499997 Improved client stability while burning a large amount (more than 30,000 files) of small files to a CD using Endpoint Security Media Encryption.

00504070, 00513106, 00502029 Improved data maintenance and protection when encrypting large files (more than 4GB) with NTFS.

00504066, 00503046 Improved security for encrypted devices - full access to password protected media no longer provides access to unauthorized sites.

00448293 Added support for copy and paste of files within EPM.

00503744 PSG driver fixed, so that it no longer blocks allowed operations.

00409980, 00409654, 00424852 The message shown when attempting to run executables from removable media that does not have execute permissions was fixed to correctly show that this is a Device Manager operation (not a PSG error).

VPN

VPN Issues Resolved in R72 HFA 1

ID Description

00506549, 00506274 Internet Explorer browser handles proxy replacement comments correctly, resolving some Internet access issues.

WebCheck

WebCheck Issues Resolved in R72 HFA 1

ID Description

00459207 Firefox settings are modified more accurately, fixing specific instances that sometimes caused these modifications to be lost.

00459199 In Firefox it is possible to have different proxy settings in trusted and untrusted modes.


R72

In This Section

Components of This Release 13

What’s New in R72 14

Resolved Issues in R72 15

Components of This Release

The components of Endpoint Security are:

Endpoint Connect VPN: Virtual Private Network for secured private communication over public networks

Anti-Virus and Anti-Spyware: Prevention and treatment of viruses, worms, trojan horses, keylogging software, and other malware.

WebCheck: protection against Web-based threats, for example, phishing.

Firewall: Defense against Internet threats with definable zones and security levels.

Program Control: Ensures that only legitimate and approved programs are allowed to run on PCs. Enables automation of most application policy decisions.

Full Disk Encryption: Data security through pre-boot authentication and full disk encryption.

Media Encryption: Data security through encryption of removable media.

To enable correct and easy installation, the following components are also added:

Deployment Utility: System administrator utility to create installation packages for all components.

License Server and Reporting Tool: System administrator utility to easily activate licenses for required environment.

Build Numbers

The relevant build numbers at the time of this release were:

Component Build Number

Secure Access 7.5.225

Media Encryption 4.95.0.329

Full Disk Encryption 7.3.1522

WebCheck 1.4.338.0


What’s New in R72

WebCheck Introduced in Endpoint Security

The WebCheck feature was created from the ground up to protect users from the Web-based threats that exist today. At its core is a powerful yet lightweight virtualization engine that surrounds the user from all sides in a "bubble of security" as they surf the Web. WebCheck also contains advanced anti-phishing and data protection functionality.

Endpoint Connect VPN Introduced in Endpoint Security

Endpoint Connect revolutionizes Remote Access. It provides intelligent auto-connection, so that the end user only has to press the Connect button regardless of the network connection. It is no longer necessary to select different connectivity modes depending on the network topology (for example, NAT Traversal, UDP encapsulation, Visitor Mode). Endpoint Connect also maintains VPN connections when the underlying network is intermittent (for example, wireless on the go) or the end user changes network by moving between different networks (for example, EDGE, LAN to wireless).

The customer can now choose the VPN client in the Endpoint Security client. It can be based on either the SecureClient code base or the Endpoint Connect code base.

Support for Windows Vista 64-Bit

The Check Point Endpoint Security client now runs on the 64-bit Windows Vista operating system.

Federated Servers Improve Scalability and Failover

Endpoint Security now supports federated servers. With a federated architecture, clients will connect to one of several Connection Points (sub-servers). If the main server becomes unreachable, the clients will randomly pick another Connection Point in their list and connect to that server. The Connection Points connect back to the primary server to upload the logs and download policy and DAT files. This provides high availability and scale beyond the single server model. The Connection Points can be geographically distributed and will connect back to the primary server whenever a connection is available.

Secure Single Authentication to Endpoint Security Functions - OneCheck Logon

Currently, once an end user logs on to preboot authentication, he or she can be automatically logged onto Windows with the Single Sign-On feature. But the end user still has to log in to VPN and to the encrypted USB sticks for USB sticks that are created to be read also on machines that do not have an EPS client. OneCheck Logon provides single sign-on functionality to Check Point’s Endpoint Connect VPN, Media Encryption, and to Windows.

MFAE and Language Files in Full Disk Encryption Profiles

In past releases, customers wanting to make changes to MFAE (Multi Factor Authentication Engine) or localized languages had to run a script after installation. Changes to MFAE drivers and localized language files can now be specified in the same profile as all the other FDE settings.

Support for Spanish and Russian Languages

In addition to English, French, Italian, German, and Japanese, the Endpoint Security client now supports Spanish and Russian.


HTTPS File Shares Enhance Manageability

FDE logs and policy can now be transferred over HTTPS in addition to the existing UNC file share method. This is useful because firewalls are often configured to block UNC file share traffic, which can prevent an EPS client using the FDE feature in EW mode from reaching the file share used by the FDE server. HTTPS ports are more likely to be kept open. Transferring over HTTPS is also better for MSPs that manage endpoints that are permanently outside the firewall.

Resolved Issues in R72

Note - The R72 Resolved Issues can be found in sk41771 (http://supportcontent.checkpoint.com/solutions?id=sk41771).

Installation, Upgrading

ID Symptom

00419859 After upgrading from SecureClient R60 HFA2, VPN services failed to start.

00429512, 00428359 Installation sometimes provided ZoneAlarm Pro rather than Endpoint Security client.

00367497 After installing Endpoint Security client, software could not be installed or executed from a network shared drive.

00430694 Registry changes were made that caused DLLs to be incorrectly recognized and edited.

00432694 Skipping the Evaluation License page in the Deployment Utility will cause the Full Disk Encryption installation to fail, although the wizard will not display an error message. You must add a license in this window.

00432692 You cannot specify a CD/DVD drive as a location for the Full Disk Encryption recovery file because it is not possible to execute the recovery operation from a CD or DVD. No error message appears describing this limitation during installation. We recommend that you back up ALL vital information before installing an evaluation of Full Disk Encryption.

00436637 When downloading the Endpoint Security package from machines that had another client already installed, the download was sometimes blocked previously, because of the ANI protection of SmartDefense. This has been fixed.

Anti-virus / Anti-spyware

ID Symptom

00225128 It is easier to schedule Anti-Virus and Anti-Spyware scans.

00423841 While the Anti-virus and Anti-spyware processes are scanning the machine, memory performance was adversely affected.

00433960 When accessing large files (over 100 MB), particularly installers, you may have needed to wait a while for the right-click menu to appear.


00440999 Kaspersky Antivirus consumer version did not install, even if Endpoint Security was installed without the Anti-virus feature.

00431383 Anti-Spyware updates were not performed automatically.

00225122 When the Endpoint Security server is connected to the Internet through a proxy server, it could not get Anti-Spyware, Anti-Virus, or advisory updates.

Firewall

ID Symptom

00384368 The firewall rule to block incoming NetBIOS was not enforced.

00414422 The CIFS Worm Catcher protection was not enforced.

00414430 The HTTP Worm Catcher protection was not enforced.

00415114 The firewall rule to block incoming ICMP pings was not enforced.

00421922 The SQL Slammer protection was not enforced on clients with VPN capabilities.

00425976 On Windows Vista SP1 with Windows Firewall enabled, the SR_GUI component of Endpoint Security was blocked. To ensure Endpoint Security functionality, the superfluous Windows Firewall was disabled.

00443052 The wireless adapter may have become disabled, and then fail to become enabled again.

00443098 If changing from VPN Endpoint Security to Non-VPN, the upgrade may have failed on Windows XP or Windows Vista.

00413532 When upgrading from version 7.0.843.000, users may have experienced a certificate issue, and the upgrade would sometimes cause the endpoint computer to become unresponsive.

00438456 Anti-Virus and Anti-Spam scan scheduling is configured per-policy, so when policy switching occurs, scheduling settings could change and cause unpredicted scans.

Note: It is important to make sure to use the same scheduler settings in all policies assigned to the same user.

00368632 The local subnets feature of Hotspot Registration was not enforced. Setting Hotspot.local.subnets.only to true had no effect.

00427170 The firewall driver is not digitally signed by Microsoft, causing issues when installing Endpoint Security Client with SMS (Microsoft Software Management System technology). In these cases, a dialog requesting the user to allow the installation of the driver must be shown. Because the installation is run by the system account, this dialog is actually shown on a separate Windows Desktop session. For the installation to continue, the user must switch to the other Windows session and answer the dialog. Fixed for Vista.

00224023 A user in an LDAP domain group, assigned to a domain-wide policy, was not able to install a policy sent specifically to the user.

00425205 Policy switching was taking more time than in previous versions. This is improved in this version.

00224765 Improved overall startup time and running performance of the client.

00419844 Resolved various Media Encryption issues that sometimes resulted in Blue Screens.

00422848 After logging in, it took some time for the desktop to be available.

00423112 The logon process was slow, taking 10 to 15 minutes.

GUI

ID Symptom

00315338 The Flex client had to be rebooted to register changes to Return to Default buttons (in the Advanced Settings section of a policy's Client Settings tab).

00224058 Some endpoints displayed unreadable characters in the user name field for Endpoint Activity and monitoring reports.

00410825 The Removable Media Manager options on the Media Encryption page were unavailable after inserting a USB device.

00441181 On rare occasions the Endpoint Security Main window was displayed without panels.

Full Disk Encryption

ID Symptom

00456144, 00449505 On an IBM T400/T60 with a CD ROM drive that uses a SATA controller, the Alternative Boot Menu failed to recognize the CD ROM drive, and it was not possible to use BartPE with Ctrl+F10 on the encrypted machine. This and similar problems can be resolved by using FDE’s Dynamic Mount Utility, which is hardware independent and can be used instead of FDE’s Alternative Boot Menu (which is not hardware independent). With the Dynamic Mount Utility, you can also access hard disks connected via USB. The utility can be used instead of FDE’s slaving functionality, and it can also be run without FDE. You can run the Dynamic Mount Utility from a BartPE CD or from a Windows installation.

00399295 The default value for ‘Allow Logon to Hibernated System’ listed in FDE Administration Guide has been corrected. The correct value of the default is ‘No’.

00397993 The precheck.txt setting ‘ShowRecoverMessages’ was misspelled in the FDE Administration Guide.

00396208 The Preboot Execution Environment (PXE) was missing from the list of Alternative Boot Menu options in the FDE Administration Guide. It is now listed under ‘[network adaptor]’.

00456194 If you deployed an installation profile in which an FDE Service Start account was correctly specified, but the network cable was not attached during initial startup, the local system account was used instead of the Service Start account.

00456032 Windows mini-dumps were corrupted/unreadable with Pointsec PC installed.

00456018 When upgrading to Full Disk Encryption, the upgrade failed with a message stating there were no valid partitions on which to install.

00456006 An error occurred when exporting Full Disk Encryption log data to CSV file from the FDE Management Console.

00455990 When using an HP Compaq dc7700 Small Form Factor with a Matrox P65-MDDAP64F (dual head graphic card), the characters in the logon window were displayed incorrectly.

00455984 The touch pad did not work as intended in the PBA.

00455975 An error occurred when a user account was locked because of too many failed logons and then Remote Help’s one-time login was performed.

00455965 The machine would blue screen with 0xED at the first reboot during installation on Vista SP1. The next time, there would be no blue screen.

00455961 ‘Authentication Settings’, ‘Logon’, and ‘Password Synchronization’ settings in the PCMC were not grayed out even though they were not editable.

00455958 An unhandled exception occurred when changing values of ‘Set Max Failed Logons’ in the PCMC.

00455954 When opening management console after an upgrade, the text in the ‘New settings added and certain settings reset’ dialog was displayed incorrectly when using a Japanese operating system.

00455940 FDE in R71 does not support Windows 2000, but the Endpoint Security Client Install Guide mistakenly said it did. This has been fixed.

00455923 USB tokens malfunctioned on Lenovo X200 laptops.

00455802 A ‘Missing operating system’ error would occur after performing ‘Remove by Force’ on a Windows Vista installation.

00455723 User Acquisition settings other than the default settings were not imported to the client with a silent installation profile. Instead the default User Acquisition settings were installed.

00455601 After enabling User Acquisition and configuring it under ‘Local Setting’ in the FDEMC and saving the configuration, User Acquisition was not enabled.

00455600 FDE failed when a temporary user account was reused.

00455451 Dynamic encryption malfunctioned after upgrade. For example, FDE was installed on a machine with four volumes and only two volumes were encrypted. The machine was then upgraded. After the upgrade, an update profile containing the specification to encrypt all volumes was deployed to the machine, but not all volumes were encrypted.

00455406 The ‘Select Language’ setting in FDEMC did not work correctly after changing the setting, saving the configuration, and rebooting.

00455396 User Acquisition Settings were not correctly applied in Full Disk Encryption 7.0 and 7.1 with a silent installation profile based on the settings, groups and users from a Pointsec PC 6.x profile.

00455267 Update profiles were not pulled from a webshare running on Apache or WebDAV.

00455266 The log file was not updated on a webshare running on Apache or WebDAV although it was successfully stored on the webshare.

00455228 It was possible to use restore points created prior to the Full Disk Encryption installation.

00455192 The log export functionality for the CSV and TSV formats did not work. Regardless of the format chosen, an XML file was produced.

00455124 The following localization error has been corrected: ‘Enable WIL?iWIL no yukouka’ has been changed to ‘WIL no yukouka’.

00454927 Erratic behavior of USB-keyboard responses in PBA on Dell Optiplex GX620.

00454847 FDE failed to write the log file if the path contained a special character.

00454731 The CpinfoCollector program did not collect the preboot debug logs.

00451574 The location of the Upgrade.log file on a Vista machine was missing from the FDE Administration Guide. The following text now appears in the manual:

Error Handling and Logging

All major upgrade actions that are performed and any errors that occur during upgrade are logged in a clear text log file: Upgrade_[computername].log. During upgrade, this file is stored in the Program Files\Pointsec\Pointsec for PC\Update folder. If the upgrade fails, the log file is uploaded to the 'Directory for software upgrades' folder (normally a file share). If the upgrade is successful, the log file is stored in Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC on a Windows XP installation, or in Users\All Users\Pointsec\Pointsec for PC on a Windows Vista installation. This log file contains valuable information for tracing upgrade problems.

00432197 The uninstallation message in Japanese was inaccurate. When a user initiated uninstallation from Add/Remove Programs in Endpoint Security FDE 7.0, the dialog directed the user to 'press OK and reboot'. However, in the Japanese version of the product, the dialog said: 'If you press OK, the PC will be rebooted'. This discrepancy has been corrected so that the user is directed to reboot.

00225237 Encryption did not start because Secure Access stopped fde_da_ew.exe.

00428499 Max Failed Logins did not work properly when WIL was enabled.

00512864 Recovery file issue after dynamic volume encryption on Vista.

00512878 "Invalid Logon - Unexpected Error" when authenticating to recovery file.

00512778 FDE not working when USB enabled in Pointsec on Fujitsu Siemens 9410.

Media Encryption

ID Symptom

00417056 Media Encryption users were unable to create or modify custom profiles or users.

00426301 An incorrect message for the license ("users exceeds the license quantity") was displayed.

00499325 New CD/DVD devices could not be installed on a machine with a non-admin user logged in. (XP only)

00465587 The Licensed features value was not updated for host group members.

00464858 Media Encryption Server refused connections with the following error message: "No connection could be made because the target machine actively refused it".

00450129 The Gyration keyboard did not work when the Media Encryption Client was installed.

00447204 Media Encryption blocked running executables from network shared folders.

00432504 The domain/user name was available when using webRH Challenge/Response.

00431869 "Force profile reload" occasionally did not work.

00424848 Password prompt popped up twice when inserting encrypted media.

00422507 Media Encryption did not fully enforce READ ONLY access.

00423669 Read-only users were able to change Program Permissions settings, if multiple programs were selected.

00426613 In Trusted Zone, the "TCP Ports - Allow all except: 23" option did not work. Telnet connections between trusted clients were not dropped.

00429855 If the Anti-Spyware scan was scheduled on a weekly or monthly basis, and the Restrict clients option was selected, the client was restricted every day unless the scan was run.

00255607 When adding more than one Office Awareness server via the client settings page, the personal policy was corrupted in client packages.

Endpoint Security MI Framework

ID Symptom

00455585 Previously, a deployment policy was saved automatically when the user left the policy. This could cause problems when the user only wanted to view and not edit a deployment policy. A question asking the user whether to save changes or not when leaving the form has been added. If the user clicks "No" to this question, the policy will be reloaded from the database.

00455548 Deployment policies used the same database object for all clients, which led to random errors for the clients.

00455224 When trying to provide remote help via MI Web Remote Help to a user installed with Full Disk Encryption 7.0, the wrong Helper ID was generated. This made it impossible to provide remote help via the Web interface.

00455502 When opening the MI Web Remote Help login page the user could get an error message saying "Invalid Authentication" several times although the correct username and password were entered. After several attempts, the user was logged on.

00454944 When adding a Wait step for the User Collector in a deployment policy, you need to configure the User Collector properties to automatically add users to FDE or PC5. If this is not set on OU or client level, the policy will not continue. This has been documented in the Endpoint Security MI Framework 3.3 Administration Guide.

00453787 The Endpoint Security MI management console could crash when checking the status of a computer object after having deployed an FDE cab file to the \Device Agent\WORK folder on that computer object.

00429771 If password authentication was set in the MI management console, and a user was added to the "Maintenance Group" in the Pointsec PC module, the user was not forced to use remote help to log in, but was able to log in with the password that was set.

A new setting, ‘Require Remote Help to Logon’, has been added under Logon in FDE. When enabled, this setting forces users to use remote help to log in even if a password is set for the user.

00411297 When enabling HTTPS for Web Remote Help in MI, the following error was displayed: "error while downloading the domain list from the MI framework: the request failed with HTTP status 403 access denied".

The default URL in the web.config file is set to http://localhost. The change to https://localhost must be made manually. Instructions for this are found in the Endpoint Security MI Framework 3.3 Administration Guide under Using Another Application to Supply Remote Help > Modifying Connectivity Settings.

R71

In This Section

Components of This Release 22

What’s New in R71 22

Resolved Issues in Endpoint Security R71 23

Components of This Release

The components of the Endpoint Security client are:

VPN: Virtual Private Network for secured private communication over public networks

Anti-Virus and Anti-Spyware: Prevention and treatment of virus, worm, trojan horse, keylogging software, and malware.

Firewall: Defense against Internet threats with definable zones and security levels.

Program Control: Access control to applications and Internet programs.

Full Disk Encryption: Data security through pre-boot authentication and full disk encryption.

Media Encryption: Data security through encryption of removable media.

To enable correct and easy installation, the following components are also added:

Deployment Utility: System administrator utility to create installation packages for all components.

License Server and Reporting Tool: System administrator utility to easily activate licenses for required environment.

The Build number of Check Point Endpoint Security Client R71 is: 7.3.158

What’s New in R71

Improved Removable Media Security

Secure Device Formatting ensures that deleted data is permanently erased before removable media is encrypted.

256-bit encryption is now supported for removable media.

Read-only access permissions for encrypted removable media.

Support for Windows Vista

The Check Point Endpoint Security client now runs on the 32-bit Windows Vista operating system with SP1 installed.

Note - 802.1x authentication is not supported on Vista or Windows XP Pro SP3.

Tight Integration with Native Windows CD/DVD Wizard

CDs can now be safely encrypted using Windows native wizards in Windows XP and Vista. DVDs can also be encrypted on Windows Vista.

Improved Client Interface

The endpoint user now receives a clear notification on the Endpoint Security Client user interface when the corporate policy is active.

Anti-Virus and Anti-Spyware user interface provides notification of next scheduled scan time, and for a current scan, estimated time to completion.

Simplified and Improved Setup and Deployment

The Deployment Utility has been simplified and streamlined for easier setup and deployment. Only the recovery file location and license key information are needed. In addition, the server installer wrapper allows all server components to be installed on a single server.

Easier Installation

Access to installation logs and troubleshooting data has been improved for faster deployment and installation. Also, support for compatible installation with additional third-party programs has been added.

Customizable Evaluation Deployment

A new option has been added to allow customizable evaluation deployment, with user-defined passwords.

Improved Performance

Improved time to startup and enhanced overall performance for use of external applications and for more efficient use and access of shared storage.

Support for Additional Languages

In addition to English, the Endpoint Security client now supports French, Italian, German, and Japanese.

Resolved Issues in Endpoint Security R71

The following issues have been resolved in R71.

Installing, Upgrading

ID Symptom

00419859 After upgrading from SecureClient R60 HFA2, VPN services failed to start.

00429512, 00428359 Installation sometimes provided ZoneAlarm Pro rather than the Endpoint Security client.

00367497 After installing Endpoint Security client, software could not be installed or run from a network shared drive.

00430694 Registry changes were made that caused DLLs to be incorrectly recognized and edited.

Anti-virus / Anti-spyware

ID Symptom

00225128 It is easier to schedule Anti-Virus and Anti-Spyware scans.

00423841 While the Anti-virus and Anti-spyware processes were scanning the machine, memory performance was adversely affected.

00433960 When accessing large files (over 100 MB), particularly installers, you may have needed to wait a while for the right-click menu to appear.

00440999 Kaspersky Antivirus consumer version did not install, even if Endpoint Security was installed without the Anti-virus feature.

00431383 Anti-Spyware updates were not performed automatically.

00225122 When the Endpoint Security server is connected to the Internet through a proxy server, it could not get Anti-Spyware, Anti-Virus, or advisory updates.

Firewall

ID Symptom

00384368 The firewall rule to block incoming NetBIOS was not enforced.

00414422 The CIFS Worm Catcher protection was not enforced.

00414430 The HTTP Worm Catcher protection was not enforced.

00415114 The firewall rule to block incoming ICMP pings was not enforced.

00421922 The SQL Slammer protection was not enforced on clients with VPN capabilities.

00425976 On Windows Vista SP1 with Windows Firewall enabled, the SR_GUI component of Endpoint Security was blocked. To ensure Endpoint Security functionality, the superfluous Windows Firewall is disabled.

Performance

ID Symptom

00224023 A user in an LDAP domain group, assigned to a domain-wide policy, was not able to install a policy sent specifically to the user.

00425205 Policy switching was taking more time than in previous versions. This is improved in this version.

00224765 Improved overall startup and running performance.

00419844 Resolved various Media Encryption issues that sometimes resulted in Blue Screens.

00422848 After logging in, it took some time for the desktop to be available. This issue was resolved with improvements to Anti-virus registry handling.

00423112 The log on process was slow, from 10 to 15 minutes.

GUI

ID Symptom

00315338 The Flex client had to be rebooted to register changes to Return to Default buttons (in the Advanced Settings section of a policy's Client Settings tab).

00224058 Certain character sets were not displaying on the server properly, because they were encoded incorrectly. This caused the username field to be unreadable.

00410825 The Removable Media Manager options on the Media Encryption page were unavailable after inserting a USB device.

00441181 On rare occasions the Endpoint Security Main window was displayed without panels. This issue was resolved with a correction in the enforcement of a security policy.

Full Disk Encryption

ID Symptom

00451753 If HID drivers were deployed to non-tablet PC EW/MI clients, the clients were sometimes not able to boot into the Full Disk Encryption preboot environment.

00453085 HP Compaq 6910P Notebook PC experienced intermittent blue screens in preboot.

00398150 If USB devices were attached to the Hewlett Packard d230MT, it displayed a black screen, thus inhibiting display of the Full Disk Encryption preboot environment for authentication.

00398074 The combination of an Axalto Cyberflex Access 64K Pegasus v2c smart card and a Schlumberger USB Reflex Version 1. smart card reader failed in preboot.

00400006 A black screen was displayed, causing preboot authentication to be inaccessible, when Enable USB Devices in Preboot is active and a USB Smart Card reader is enabled.

00451701, 00451750 Single sign-on (SSO) failed on Windows Vista when using a user account name that contains an at sign '@'.

00414041 During a master installation of the FDE R70 EA version using a non-evaluation Check Point license, the MSI.exe wizard would request that you specify a "License server folder path" and a password that would be used to access the license server. Error messages appeared that could be ignored.

00452853 Blue screen occurred - error code 0x0500128BD - when using multiple disks, especially with different kinds of drives, if the first disk that Windows discovered was not the boot disk.

00410933 When trying to create a recovery file on a SanDisk Cruzer USB, if the USB is used in standard (delivery) mode, while the recovery file is unlocked in two steps, the file could not be created on the USB.

00454660 Stop error when a second hard disk is attached via a MultiBay. A bluescreen would sometimes occur during the first startup after Full Disk Encryption installation when a second encrypted hard disk was attached via a MultiBay unit.

00454604 Token removal handling has been enhanced.

00454457 The text of the Administrator's Guide has been updated for correct Remote Help authentication methods.

00454362 Update profiles would not be deployed if they contained a Japanese character in the screen saver text. The profile would disappear from the work folder, and no error was logged in event viewer.

00454322 The Administrator's Guide incorrectly stated that "Clients accept only upgrade packages that have been created with their current serial number".

00454316 Encryption did not start if the last specified recovery path was not accessible. When multiple recovery paths were specified in the installation profile with which Full Disk Encryption was installed, and the last recovery path in the list was not accessible, encryption would not start even though the other paths were accessible. A log entry was created, warning that the recovery file creation failed.

00454228 The Administrator's Guide description of the requirement to re-enter the Upgrade Validation Password after upgrading has been updated.

00454153 Recovery/log path was not displayed correctly when it contained Japanese characters. Paths are now displayed correctly.

00454110 If the username of an end user that was attempting to receive Remote Help contained the character '@', neither one-time logon nor password change functioned. After entering the response, the challenge was displayed as 'invalid'.

00454109 PC did not reboot even though the value specified for "Set Max Failed Windows Logon Attempts" was exceeded.

00454108 The Administrator's Guide description of the Hardware Hash has been updated.

00454082 Encryption did not start during installation when IgnoreOldInstallation is set to 'Yes' in precheck.txt. When reinstalling on one volume when other volumes are already encrypted, and thus 'IgnoreOldInstallation' is set to 'Yes' in precheck.txt to enable the reinstallation, encryption did not start.

00453989 Unable to complete an upgrade from Pointsec for PC 4.x/5.x to Full Disk Encryption via a Remote Desktop.

00453964 The Turkish Q keyboard layout is now supported.

00453923 During an upgrade, Full Disk Encryption failed to retrieve the MI communications key from the Framework.

00453922 Upgrade could lead to abnormal termination of Full Disk Encryption client on which smart card drivers were installed.

00453887 Windows Integrated Logon failed if the Enable Hardware Hash setting was enabled during installation or upgrade.

00453886 Erroneous OHCI register values could cause Full Disk Encryption to freeze during preboot.

00453725 EventID 1 error (System Restore filter encountered unexpected error while processing the file ‘_filelst.cfg’) issued in System log after installing Full Disk Encryption.

00453591 'Decryption completed' message was issued repeatedly after uninstalling Full Disk Encryption with Add or Remove Programs.

00453534 After upgrading, the Event Viewer reported an invalid current state in the event viewer logs at every logon and every time the workstation was unlocked.

00453494 Logs for machines with computer names containing '.log' could not be viewed in the PCMC Log Viewer.

00453111, 00418641 Hard disk drive slaving caused a blue screen (0x0000007E).

Media Encryption

ID Symptom

00417056 Media Encryption users were unable to create or modify custom profiles or users.

00426301 An incorrect message for the license ("users exceeds the license quantity") was displayed.

Endpoint Security Server

ID Symptom

00423669 Read-only users were able to change Program Permissions settings, if multiple programs were selected.

00426613 In Trusted Zone, the "TCP Ports - Allow all except: 23" option did not work. Telnet connections between trusted clients were not dropped.

00429855 If the Anti-Spyware scan is scheduled for weekly or monthly basis, and the Restrict clients option is selected, the client will be restricted every day unless the scan is run.

00441181 On rare occasions the Endpoint Security Main window was displayed without panels. This was caused by incorrect enforcement of a security policy, which has been fixed.

R70 HFA 1

Resolved Limitations in R70 HFA 1

ID Description

00374371, 00223543 Unconnected endpoints did not get program group permissions.

Resolution: You now have the option to include program group permissions in a policy, so that these permissions will be used when the endpoint computer is not connected to the Endpoint Security server. Enterprises are limited to five such Filter Groups because of the performance issues associated with including large numbers of program permissions in policies.

00311759 The method for enabling SYSLOG and SNMP traps in Linux was not documented.

Resolution: The method for enabling SYSLOG and SNMP traps in Linux is now documented in the Administrator Guide.

00197450 Smart Defense policy files (enabled policy and disabled policy) protection values led to false positives.

Resolution: Fixed an issue in Smart Defense that could cause false positives.

00223348 Installation failed due to a missing root certificate.

Resolution: The root certificate is correctly configured during client installation.

00223367 No option to disable wireless on LAN.

Resolution: The Disable Wireless on LAN feature is now available. Activate it in the policy Client Settings tab.

00223544 7.0 Endpoint Security servers do not support 7.1 clients although they are in fact 6.5 clients with a nonsequential version number.

Resolution: Connections from Integrity 7.1 Vista clients are now supported. However, these clients cannot be packaged with Check Point Endpoint Security 7.0 or greater.

00353336 Scan window doesn’t have the option to hide.

Resolution: The scan progress window can now be properly minimized.

00377341 VSMON memory leak.

Resolution: Memory leak fixed.

00378028 BSOD related to third-party hooking.

Resolution: BSOD related to third-party hooking fixed.

00381633 Reporting problems for Full Disk Encryption and Media Encryption.

Resolution: Better reporting added to the Endpoint Detail report.

00382685 ‘Register to hotspot’ option in Endpoint Security client is not deselected after connecting to VPN.

Resolution: Register to Hotspot tray menu item is now deselected after connecting to VPN.

00382700 Pop-up that hotspot registration is enabled doesn't appear.

Resolution: User experience for Register to Hotspot feature improved.

00408642 The "Review compliance alert" option isn't working.

Resolution: Compliance Review feature functionality improved.

00411382 Auto Local Logon allows credential theft.

Resolution: Fixed a security issue related to Auto Local Logon.

00411387 Fingerprint accepted without user's confirmation.

Resolution: Fixed a security issue related to Fingerprint acceptance without user confirmation.

00413635 Changing the datastore ‘Number of Backups to keep’ setting causes a Java exception.

Resolution: The number of datastore backups to keep can now be changed without causing an exception.

00413700 When creating Enforcement Rules, Win2003 OS and Vista do not appear in the drop down list.

Resolution: You can now specify Enforcement Rules for Windows 2003 Server and Vista. Currently, only the Integrity 7.1 client supports Vista.

00413861 In the Windows XP Hebrew edition all yes/no ok/cancel buttons in dialog boxes are gibberish.

Resolution: VPN confirmation dialogs have correct button text for client installations on foreign OS.

00417381 Blue screen is received while trying to connect with Secure Client.

Resolution: Fixed BSOD related to connecting to the VPN.

R70

In This Section

About Release R70 30

What’s New in R70 30

Resolved Limitations in R70 33

About Release R70

Note - The Endpoint Security webRH does not, at this time, verify or perform any validation on installation packages. Please ensure that any installation packages used to install Endpoint Security features are obtained from a trusted source.

Build Numbers

Endpoint Security Distribution Utility product build numbers at the time of release, as distributed on the product CD.

Product Build Number

Endpoint Client Deployment Utility 493000154

Full Disk Encryption 1349

Media Encryption 493000133

Secure Access 72077000_1

What’s New in R70

Unified Endpoint Security Solution

Check Point Endpoint Security™ is the first and only single agent that combines all essential components for total security on the endpoint: highest-rated firewall, antivirus, anti-spyware, full disk encryption, media encryption with port protection, network access control (NAC), program control and VPN.

It protects PCs and eliminates the need to deploy and manage multiple agents, reducing total cost of ownership. Check Point Endpoint Security is the only solution that includes both data security to prevent data loss and theft and a VPN client for secure remote communications.


One Console For Simplified Management

Endpoint Security features a powerful, unified management system that reduces overall cost and complexity by enabling administrators to deploy, manage, and monitor security policy for thousands of endpoints across a distributed organization—all from a single console. The management server installs in minutes, and the agent software can be deployed quickly without end-user involvement. It also provides powerful tools to enhance and customize endpoint security policies specific to the needs of an organization and enables distinct policies to be applied automatically to endpoints as they change networks, locations, and access points.

Monitor, analyze, and report on security events from a single administrative console

Easy to deploy and manage with one simple installation

Unified with Check Point SMART management to enable monitoring, analysis, and reporting of endpoint security events from SmartCenter™, Provider-1®, and Eventia® management systems

Endpoint Security Deployment Utility

Check Point Endpoint Security™ includes a deployment utility that allows administrators to deploy customized installations to endpoint machines quickly and easily with a single installation process. Administrators typically use "silent" installation packages to automatically install pre-configured Endpoint Security Client deployments without the need for user intervention.

Administrators can create silent installation packages using the Endpoint Security Distribution Utility. Administrators can also use the Endpoint Security Distribution Utility to install licensed, working deployments or evaluation deployments on local computers.

Data Security

Endpoint Security includes market-leading data security features to provide data protection through an efficient blend of full-disk encryption, access control, port management, and removable media encryption.

Full Disk Encryption (FDE)

Based on market-leading technologies, Endpoint Security Full Disk Encryption™ (FDE) is proven in enterprises, businesses and government agencies around the world, providing the highest level of data security for laptops and PCs through a combination of pre-boot authentication and strong encryption algorithms. Full Disk Encryption is now fully integrated in the Endpoint Security Client and can be easily installed using the new Deployment Utility. The enhanced features and functionality in this release include:

Simplified Administration:

Temporary user account management

Pre-boot environment debug log

Start menu MSI shortcut switch for FDE

Install Windows component only

Profile backward compatibility

Increased Flexibility:

Dual boot support (Windows and Redhat Linux)

Serial over LAN

Improved Feature Set:

Dynamic hard disk encryption

License server / License enforcement


Media Encryption

Media Encryption prevents unauthorized copying of sensitive data by combining port and device management, content filtering and centralized auditing with robust media encryption. Media Encryption plugs potential leak points and logs data movement to and from any plug-and-play device, providing comprehensive control of security policies.

Key Features:

Centrally managed port control and content filtering

Encryption of removable media such as flash drives, CDs and DVDs

Enforced content and virus scan

Granular control of removable media by type, brand, or model

Centralized auditing and reporting

Secure Access

The Secure Access features provide iron-clad endpoint client security while minimizing user intervention.

Firewall

Check Point Endpoint Security features an industry-leading firewall that blocks unwanted traffic, prevents malware from infecting endpoint systems, and makes endpoints invisible to hackers.

Uses "stealth mode" to make endpoints invisible to hackers scanning for vulnerable systems

Controls which applications are allowed network access

Ensures that approved programs cannot be spoofed, tampered with, or hijacked

Malware Protection

Check Point Endpoint Security terminates viruses, spyware, keystroke loggers, Trojans, and other malicious programs before they can damage endpoint systems. Backed by the industry’s fastest security update services.

Comprehensive antivirus, anti-spyware, and host intrusion prevention

Hourly updates provide immediate protection against the latest spyware, worms, Trojans and other malware


VPN Only

Check Point Endpoint Security unifies advanced remote access as an indispensable part of endpoint security.

IPSec VPN client based on the award-winning VPN-1® and SecureClient™ technologies

Includes flexible connectivity options and supports multiple authentication schemes

Applies full security policies to remote access traffic

Endpoint Security License Server

The License Server provides license enforcement and tracking capabilities for Endpoint Security clients. The License Server monitors and manages installed licenses and activated licenses, including keeping track of the licenses assigned to specific clients.

SmartCenter for Pointsec - webRH

SmartCenter for Pointsec - webRH provides a hierarchical remote help management solution for Full Disk Encryption and Media Encryption.

Resolved Limitations in R70

This section presents details of limitations that were resolved in R70.

Full Disk Encryption

ID Description

00452256 Upgrade from Full Disk Encryption 5.x to 6.2 HFA1 freezes prior to completion.

The following scenario will produce the problem:

1. Before applying the upgrade package, make sure that HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "GinaDLL" is set to something other than pssogina.dll, for example, msgina.dll

2. Start the upgrade from Full Disk Encryption 5.x to 6.2 HFA1 (set UpdateSSO=0 in precheck.txt in the 6.2 package).

3. During upgrade, Full Disk Encryption will freeze.

Customer environment:

Full Disk Encryption 5.x

McAfee HIP (Host Intrusion Prevention), configured to prevent access to McAfee registry keys.

00452232 When the PC language is set to English (Canada), some special characters cannot be used in preboot. If you try to type them, the character you are typing is not shown. The following characters do not work: {}",/<>=?@

If you use the virtual keyboard with the en-CA (English Canada) setting instead of a physical keyboard, the following characters are available and can be used: ",/<>=?

The same issues are found when using DE-AU (German Austrian) keyboards.


00452198 Password history is case insensitive. Environment: The 'Password History' setting is set to greater than 1, and passwords are set to be case sensitive.

When the user changes the password to something that differs from the previous password only in case (for example, 'passWORD' => 'PASSword'), it is not accepted. It seems to be recognized as an existing password in the password history. However, passwords are set to be case sensitive, so it should be treated as a brand new password.

The following text has been added to the Administrator's Guide: Full Disk Encryption's Password History function does not consider case sensitivity when assessing password uniqueness. Thus, if you change a password that is recorded in Password History by changing only the case of one or more of its letters, it will not be accepted as unique, and therefore that altered password will not be allowed.

00452191 The customer name is erroneously found in a Full Disk Encryption token driver file, PTD.INF.

00452173 When installing Full Disk Encryption 6.3.1 on a Dell XT Tablet, the installation stalls when installing the system code.

00452163 Invalid Profile causes exceptions in FDEMC. The following scenario will produce the problem:

1. Install version 6.3.1 with a profile that has an erroneous "Set Max Failed Logons" value.

2. In Windows, start FDEMC and go to Local.

3. You will receive an error.

4. Press OK and you will get access to the Local settings, but both buttons at the bottom right are blank.

00452011 Data in DRAM actually fades out gradually over a period of seconds to minutes after the system shuts down. This enables an attacker to read the full contents of memory by cutting off power and then rebooting into a malicious operating system. When the memory content has been dumped, it can be analyzed, and by using a known algorithm it is possible to find the expanded partition key in memory. When a probable key is found, it could be used to try to decrypt a sector from the encrypted disk, and since this can be automated with a tool, there is a high risk that the correct encryption key can be found.

00451958 When the system boots (from scratch or from hibernation), the driver may be interacting with memory which is not within the driver's scope. This can cause unexpected behavior such as a stop error (BSOD).

00451815 SideBySide errors appear in the event viewer during Full Disk Encryption installation. They are caused by a Microsoft Visual Studio Manifest bug.

Workaround: install the latest Visual Studio Service Pack on the client machine before installing Full Disk Encryption.


00451555 If USB is enabled in Full Disk Encryption, the computer hangs after the Full Disk Encryption progress bar is displayed. Even if USB legacy support is disabled in the BIOS, it still hangs with a black screen after the Full Disk Encryption progress bar is displayed.

The following scenario will produce the problem:

1. Install Full Disk Encryption 6.2 HFA1 with smart card drivers (set USB to Yes).

2. Reboot; the Full Disk Encryption system code is installed; then reboot a second time.

3. The progress bar will appear and load.

4. After it is loaded, it will halt with a black screen.

Environment:

Toshiba Tecra M9, but the problem has also been reported on other Toshiba models such as the A200 and the A8.

Full Disk Encryption 6.2 HFA1

00451499 If the name of a Remote Help (RH) helper account is identical to one of the group names, the challenge code becomes <invalid>.

Example 1:

–System Group: SYSTEM

–User account 1: SYSTEM (helper account)

–User account 2: ADMIN

–User Group: USER

–Result: User account 1: CPFDE (RH recipient) --> challenge code becomes <invalid>

Example 2:

–System Group:SYSTEM

–User account 1: USER (helper account)

–User account 2: ADMIN

–User Group: USER

–Result: User account 1: CPFDE (RH recipient) --> challenge code becomes <invalid>

Note: This problem occurs only when the group name is all in uppercase. If the group name is "System" or "User", RH works.

00451427 It is possible to create two (or more) users with the same GUID when creating profiles. This is now prevented in the "sanity check" dialog prior to writing the profile to disk.


00399981 A credential change from smart card to password is not propagated to other clients.

The scenario that produces the error is:

1. From the MI Framework, deploy the same smart card user account to at least two MI mode clients.

2. Via the tray, change a user account's authentication method from smart card to password on one of the clients.

3. Wait for the MIMC Server log to refresh. You will soon get a "failed: another authentication method" log entry and the authentication method will still be set to smart card in MIMC. But, in spite of the message, the authentication method has been changed to password on this client.

4. If the user account logs on to the second MI mode client, it will not have received the credential change update.

5. The result is that you now have the user account on one client using password authentication, while on the other client the same user account uses smart card authentication.

Note: Changing credentials via the tray from password to smart card works correctly. A consequence of this issue is that the next time an update is sent to the first client, the update will set the authentication method back to 'smart card'.

00399939 ActivIdentity ActivKey V2 is not recognized in PBA. The following scenario will produce the problem:

1. Install the elements listed below, and ensure that the smart card is recognized in Windows and in Full Disk Encryption.

2. Define a smart card user account and choose the certificate.

3. Reboot with the smart card inserted.

4. There is no PIN dialog; the smart card does not work in PBA.

Environment:

–XPSP2

–ActivClient_5.4_bn457

–ActivIdentity Device Installer 2.1 x86 (BN 12)

–Full Disk Encryption 6.2.0 HFA1 (1226)

–Smart card:

–ActivIdentity ActivKey V2

–Axalto Cyberflex Access 64K V1 SM 2.1

–Full Disk Encryption drivers installed:

–Ac_p11.bin

–ActivKey.bin

00399936 Recovery file not written after resetting the value of the 'Logon authorized' setting. After setting 'Logon Authorized' to 'No' for a user account, a new recovery file is written. But if you then change this setting by right-clicking and selecting 'Reset value', so that you once again inherit the value (in this case 'Yes') from the group, a new recovery file is not written. If, however, you set the value to 'Yes' explicitly, you will get a new recovery file. Resetting the value does not seem to trigger the writing of a new recovery file even though the value has changed from 'No' to 'Yes'.


00399894 The sanity check which appears when closing FDEMC warns that fewer than two user accounts have permission to perform uninstall in the following scenario:

1. For the System group, set "Uninstall" and "Create recovery media" to No.

2. On two user accounts in the System group, set "Uninstall" and "Create recovery media" to Yes.

3. According to the new inheritance rules, the user account settings should override the group settings.

4. Close FDEMC, and a Sanity check will be displayed warning that fewer than two user accounts have permission to perform uninstall.

00399872 If you add new additional recovery paths after installation, new recovery files should be written to the directories addressed by the new paths. Three new paths were added after installation but recovery files were not written to the paths. Neither logging on to Windows several times nor running crerec.exe manually resolved the problem. The recovery file was written only after changing a value that triggers a recovery file update.

00399838 Some settings cannot be reset once they have been set. For example, if you change the setting Enable SSO to "YES" on a user account and deploy the profile, the client accepts the profile and the user account can log on using SSO. If you then reset the value in the framework and deploy the profile to the clients, the value is still set to "YES" and the user account can still log on using SSO, even though the local log in FDEMC reports that the profile configuration has been applied. This also applies to the "Password Synchronization" and "Single Sign-On" settings.

00399732 When providing Remote Help from FDEMC and navigating with the keyboard and Tab key (the mouse is not used), you get an error message with code 1280. The scenario that produces the error is:

Open the FDEMC.

1. Go to Remote Help.

2. Enter the End user account name and Helper account name.

3. Select Dynamic token in the Type of helper authentication field.

4. Use the keyboard and Tab key to generate the response.

5. Press Enter.

6. An error with code 1280 is displayed.

00399707 The "Smart Card Triggers Windows SSO logon" setting does not work. Enabling the setting should trigger SSO for the smart card user account, but it does not.

The following scenario will produce the problem:

1. Install Full Disk Encryption 6.2 HFA1.

2. Create a smart card account and confirm that it works.

3. Enable the "Smart Card Triggers Windows SSO logon" setting for the smart card user account.

4. Reboot the machine. When logging on to Windows, the user will be asked to enter account/password. SSO does not work.


00399545 Paths (recovery path, upgrade path, etc.) that contain Japanese characters are not shown correctly. If you set a path (e.g. a recovery path) that contains Japanese characters, it will not be shown correctly in FDEMC.

The scenario that produces the error is:

1. Set a recovery path containing Japanese characters (please see screen shot JP1.JPG).

2. Close FDEMC.

3. Re-open FDEMC and check the recovery path. The path does not show correctly.

00399093 Upgrade from 4.x/5.x is normally performed via the 4.x/5.x upgrade functionality. In this case the upgrade is triggered by storing an upgrade package in the work folder/software update folder on an installation.

It should not be possible to perform an upgrade by executing the Full Disk Encryption MSI package (which is part of upgrade packages) manually. When this is done on a 5.x installation, the upgrade is aborted with an MSI error dialogue. However, on a 4.x installation the upgrade progresses quite far (at least if an upgrade profile is available) before failing, for example during the recovery file handling.

00399058 After upgrading, CreRec.exe fails upon start of the tray application. The scenario that produces the problem is:

1. Install Full Disk Encryption 6.0.0.

2. Upgrade to Full Disk Encryption HFA1.

3. A few seconds after the first start of the Full Disk Encryption tray application after the upgrade, CreRec.exe fails with the following message: "CreRec.exe has generated errors and will be closed by Windows...". After a minute or two, the error message disappears. The error can be reproduced by logging off and on again.

4. If CreRec is run manually, the error message isn't displayed any more.

00398321 When unencrypted clear-text files are present, one or more instances of the following message are written to the Full Disk Encryption MI module log (ps_pc63_dsm.log): "Log error reported from PPC. Please remove any remaining clear-text install/upgrade logs from the Pointsec PC."

Workaround: Navigate to the directory specified in the Full Disk Encryption registry under Users Location. Remove any unencrypted clear-text log files from that directory.

00398155 When "Legacy USB Support" is active in the BIOS on a Hewlett Packard Compaq dc7700 Small Form Factor PC, USB keyboards do not work.

Workaround: Either disable USB Legacy Support in the BIOS, or use a PS/2 keyboard, or connect a USB keyboard and a PS/2 keyboard (and both will work).


00398122 When SSO is disabled and then enabled again, a 'Record New Credentials' dialog box should be displayed. Under Windows Vista, it is not displayed.

The following scenario will produce the problem:

1. Install P4PC 6.2 on Windows Vista.

2. Enable SSO for a user account.

3. Restart the PC, and log in as the user account with the SSO box selected.

4. At Windows startup, the SSO welcome screen is displayed.

5. After logging on to Windows, restart the PC.

6. Log in at PBA as the same user account, but this time with the SSO box cleared.

7. After logging in to Windows, restart the PC.

8. Log in as the same user account, selecting the SSO check box again to re-enable SSO.

9. The 'Record New Credentials' dialog box should be displayed, but it is not. The user account is logged on to Windows directly.

00397774 Clearing System Settings when creating a profile based on another profile or on local settings creates an installation that fails. Create a profile (e.g. upgrade) and base it on an Upgrade profile and clear the System Settings check box when creating it. All System settings are blank in the new profile. When using this profile, Pointsec upgrades; but the installation crashes when a user tries to use any of the System Settings.

Workaround: When making an upgrade profile, make sure to include all settings if it's based on another profile or on the local installation's settings. Do not clear any of the 'Base on' check boxes.

00397689 Under Windows XP and Vista, if, for example, you install the Europe1 language pack and then realize that you wanted Europe2, you will not be able to install the Windows part of the Europe2 pack. When running the command shell as an administrator, you run the pscontrol command "install-win-language" and it fails with the error message "Cannot create the file when that file already exist".

Workaround: Remove the existing plang32. file from C:/Program files/Pointsec/Pointsec for PC/ and from C:/Windows/System32/, and run the command again.

00397569 The Full Disk Encryption Token Insertion/Removal handling does not work with RSA SmartCards. The problem is due to incompatibilities with the RSA middleware used to access the RSA smart cards.

Workaround: Utilize similar Token Insertion/Removal handling in RSA middleware.

00397223 The FDEPBE hangs if a docking station is attached to an Acer TM 4400 PC and USB is enabled. If USB is disabled, the FDEPBE does not hang. However, in this latter case, the keyboard and mouse attached to the docking station do not work.

Workaround: Disable USB support in FDEPBE via the FDEMC setting "Enable USB".

00396641 When disabling WIL via the tray menu, the message "Access to your user account failed" is displayed. This message is incorrect; the message should request the user to log off.


00396452 Lenovo model T43 may fail to boot after displaying the text "Full Disk Encryption… loading operating system". The failure results in a blank screen. This occurs only if you have a USB storage device attached to the machine and smart cards are enabled.

Workaround if this problem occurs: Remove the USB storage device and reboot the system; the machine should now boot normally.

Workarounds to avoid this problem: any of the following three workarounds will enable you to avoid the problem:

1. Detach the USB storage device during the boot sequence. Once the operating system is loaded, the USB device can be attached again.

2. If smart cards are not used for Full Disk Encryption preboot authentication, disable USB via the FDEMC under System Settings/Hardware Devices/USB.

3. Disable USB Legacy Support in the BIOS.

Note: This issue depends on both the hardware and the BIOS, and it is currently being investigated by Check Point.

00395668 Hibernation should not be allowed to start during an upgrade, but Full Disk Encryption does not inhibit it.

Workaround: Disable hibernation during upgrade.

00395629 If you upgrade directly from Full Disk Encryption 6.0.0 to 6.1.3, the system, local, and remote logs will be unreadable.

Workaround: Upgrade from 6.0.0 to 6.0.1 first, then upgrade from 6.0.1 to 6.1.3, and the logs will be readable.

00395332 When creating a recovery file with a USB memory stick on Acer TM4401 the mouse does not work. When the recovery menu is displayed, neither the keyboard nor the mouse works for the first 2-3 minutes. After this delay, it is possible to use keys and to tab but it is not possible to select volumes to recover -- you have to select all volumes.

00395257 If setting for USB is enabled in FDEMC (under Hardware) and a keyboard with built in smart card reader is used, the following behavior occurs in the FDEPBE: when entering the user account name, the first character is not registered or visible. For example, if the user account name is ADMIN you must enter AADMIN for it to be interpreted as ADMIN.

Tested on Hewlett Packard T3350 and T3350-2.

00394826 Note that when upgrading from 6.0.0 or 6.0.1 to 6.1, the values of Access to Local setting and Access to Remote setting are, by default, set to "Yes". These settings can of course be set to "No" after installation.

Workaround: Deploy a profile where you set this permission to "No" for your end-users as soon as you have successfully upgraded your clients.

00394776 The USB keyboard intermittently stops functioning in FDEPBE on a Hewlett Packard T3350. This happens in the following environment:

USB mouse was connected and worked flawlessly in FDEPBE

USB was enabled in FDEMC

USB legacy support was enabled in BIOS

Plug n Play OS was disabled in BIOS

Workaround: Unplug the keyboard in FDEPBE and then plug it in again.

00394609 The recovery program can fail when creating a recovery medium on certain USB devices. For example, the recovery program failed when using a USB memory stick on an IBM x60s machine, but it ran successfully on the same machine using a USB floppy disk.

Workaround: Upgrading the BIOS to version 2.10 resolves this issue.


00393966 Booting from a USB memory stick recovery medium created by the create recovery program fails on the HP dx5150. The machine hangs after you have entered your user account name and password.

Workaround: Use a floppy disk in a floppy disk drive connected via the USB port.

00393098 Users can encounter problems when attempting to open a recovery file by double-clicking it.

Workaround: Start the recovery program, and open the recovery file there.

00380812 When viewing logs in management console (FDEMC), the logs are incorrectly an hour behind the correct time. But if the logs are exported to a CSV file they are correct.


Secure Access

Server Installation, Upgrade, and Backward Compatibility

00192556 By default, Endpoint Security webRH and the Check Point SecurePlatform administration interface both use port 443 for SSL communication. If you plan to run Endpoint Security webRH on SecurePlatform, change the SecurePlatform SSL to a different port during the operating system installation. Do not change the Endpoint Security webRH default port, as this is not supported.

00204868 Normally, after installing the Endpoint Security webRH, answering "Y" to the message "Would you like to start Endpoint Security webRH after exiting?" starts Endpoint Security webRH. If this does not work, type cpstop and cpstart (or, with Provider-1 setup, type mdsstop and mdsstart) to successfully start Endpoint Security webRH.

00208493 Endpoint Security webRH 7.0 is now certified to support 20,000 concurrent endpoint users with default configuration. Higher performance figures are possible with customization for your environment. Contact Check Point Professional Services for information about configuration for more than 20,000 concurrent endpoint users.

00222872 After installing a distributed Endpoint Security server (with a remote Smart Center), configuring the SIC communication, and installing the database, you must restart the Endpoint Security server machine in order to complete the configuration.

00374651 After upgrading an Endpoint Security server version 6.5.x to version 7.x, the Smart Portal IP and port will not be correctly configured.

To configure:

1. Log into the Endpoint Security server.

2. Go to System Configuration | Server Settings.

3. Click the Edit button.


4. Enter the correct Endpoint Server IP address and port for Smart Portal (the default Smart Portal port is 4433; for example, 209.87.213.90:4433).

5. Click Save.

00374929 When installing Endpoint Security webRH in conjunction with other products from the wrapper on Linux and SPLAT, the Endpoint Security server is not configured properly until you run Smart Dashboard and install the database on the local machine.

00375433 Due to an issue in the SmartCenter import/export mechanism (existing in SmartCenter R65, and, possibly previous versions as well), when exporting and then importing a SmartCenter configuration in environments where the Endpoint Security server is managed by the SmartCenter, the communication between SmartCenter and the Endpoint Security server will cease functioning.

Workaround: Run the command cpprod_util SetCertPath ($CPDIR)/conf/sic_cert.p12 using the value of $CPDIR. You can verify this (on Linux or SPLAT) by using ckp_regedit -p -r HKLM /Software/checkpoint/SIC and reading the value of the CertPath parameter.

00380939 During SPLAT or Linux Endpoint Security installation, if you do not define a valid administrator, you will not be able to view events in the Endpoint Security reports. You must define a valid administrator during the install process.

00382778 When installing Endpoint Security on Linux, if you cannot launch SmartPortal, use the following workaround:

1. Edit the /etc/hosts file and make sure the following entries exist:

127.0.0.1
<machine's real IP> <machine hostname>

2. Connect to the machine with SmartConsole.

3. Edit the Integrity object.

4. Set the IP address, and choose install Database.
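The workaround above depends on /etc/hosts carrying both a loopback line and a line mapping the server's real IP to its hostname. The following check is an added example, not part of the original document or of Check Point's tooling; it parses hosts-file text and reports which of the two required entries is absent. The file contents, the IP 192.0.2.10 and the hostname "esserver" are constructed for illustration.

```python
"""Check that a hosts file contains the two entries the SmartPortal
workaround (00382778) expects: a loopback line for 127.0.0.1 and a line
mapping the machine's real IP to its hostname.
"""
import ipaddress
from typing import Dict, List


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each IP address in hosts-file text to the names on its line.

    Comments (#...) and blank lines are skipped; a malformed line (no
    hostname after the address, or an unparseable address) is ignored
    rather than raising, since a real server's copy may carry such lines.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        table.setdefault(ip, []).extend(fields[1:])
    return table


def missing_entries(hosts_text: str, real_ip: str, hostname: str) -> List[str]:
    """Return the required entries that are absent from hosts_text.

    Required: 127.0.0.1 present with at least one name, and real_ip
    mapped to hostname (compared case-insensitively, as DNS names are).
    """
    table = parse_hosts(hosts_text)
    missing: List[str] = []
    if "127.0.0.1" not in table:
        missing.append("127.0.0.1 loopback entry")
    names = [n.lower() for n in table.get(real_ip, [])]
    if hostname.lower() not in names:
        missing.append(f"{real_ip} {hostname}")
    return missing


# Constructed sample (not a real server's file): the loopback line is
# present but the real-IP line is not, which is the state the workaround
# corrects.
SAMPLE_HOSTS = """\
# constructed hosts file for illustration
127.0.0.1   localhost.localdomain localhost
::1         localhost6
"""

if __name__ == "__main__":
    gaps = missing_entries(SAMPLE_HOSTS, "192.0.2.10", "esserver")
    print("missing:", gaps or "none")
```

To run it against a real server, read /etc/hosts into a string and pass the server's actual address and hostname; an empty list means both entries are in place.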

00382764 Sometimes, after switching from Standby to Active Server, you may need to restart the services.

Client Installation, Upgrade, and Backward Compatibility

00222314 The Custom Parameter RESETCONFIG to keep personal policy during upgrade is not supported. This affects the Flex users who have configured their client rules through the client UI. User settings are always deleted during upgrade and re-connection to the server. Passwords and upgrade keys are kept during upgrade.

00317079 Clients cannot download packages from an external source when they are restricted. If the client becomes restricted due to a client Enforcement rule, and the rule specifies an upgrade package on an external URL, the client may not be able to download the external package. This can occur even if the external URL is actually the same as an Endpoint Security webRH. A workaround is to upgrade using the Upgrade package from Endpoint Security webRH option rather than upgrading from an external URL.

00350782 When you install a client without VPN on an endpoint computer with R60 SecureClient installed, SecureClient will not function properly because of a conflict with SmartDefense. (This conflict does not occur when you install VPN clients, which replace SecureClient.)

Workaround: Install VPN client packages to replace SecureClient. (See the section on Migrating from Check Point SecureClient in the Endpoint Security webRH Administrator Guide.) Alternatively, disable SmartDefense in the client installation package. You can do this in the Client Packager by specifying the custom parameter INSTALL_SD=NO.

00378020 The Custom Parameter REBOOTPROMPTWITHSILENT only affects installations when using an msi installer that was created from a Client Package using the msi option. The Custom Parameter does not affect an install that is run using a Client Package directly, including upgrades initiated via enforcement rules.

00378885 Before upgrading an existing GPO installation using manual upgrade or automatic update feature, you must verify the existing GPO configurations are removed from the client system.

Perform the following steps on the GPO server:

1. Select the installed package, right click, and choose All Tasks > Remove.

2. Select Allow users to continue to use the software, but prevent new installations.

This ensures the GPO settings are cleared on the client's registry but leaves the software on the system.

When the client receives the updated policy, the application settings are removed from the following GPO Application Management registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt

3. Proceed with manual or automatic upgrade.

00380956 When performing a GPO upgrade, the existing Check Point Endpoint Security client’s disconnected policy must contain a firewall rule that allows outbound traffic to the GPO server's IP. If this is not configured, the upgrade process will not be able to remove the existing software correctly and the GPO upgrade will fail.

Integration

00200327 If you see an unexpected error when logging into Endpoint Security webRH with your SmartCenter administrator credentials, it may be because your SmartCenter license has expired or become invalid. If you are running Endpoint Security webRH together with SmartCenter (either on the same host or on separate hosts), and your SmartCenter license expires or becomes invalid, you are not able to log on to Endpoint Security webRH using your SmartCenter administrator credentials. This occurs whether you are trying to log on to Endpoint Security webRH directly or through SmartDashboard. Use the cplic command to check the status of your SmartCenter license, and if necessary, set a new SmartCenter license. (For information on cplic, see the Check Point Command Line Interface Guide.) Even if your SmartCenter license is invalid, however, you can log in to Endpoint Security webRH using your Endpoint Security webRH administrator credentials.

00203771 If you are setting up a distributed installation (in which Endpoint Security webRH and SmartCenter run on separate hosts), Endpoint Security webRH does not automatically synchronize with SmartCenter. To synchronize Endpoint Security webRH with SmartCenter, restart Endpoint Security webRH after you install and configure SmartCenter, install the database, and establish secure internal communication (SIC).

00347054 If you are setting up a distributed installation (one in which Endpoint Security webRH and SmartCenter run on separate hosts), changing the logging settings to store Endpoint Security webRH logs locally results in an authentication error on every attempt to view logs from within Endpoint Security webRH. In this configuration, you can view the logs with SmartView Tracker or Smart Portal.

00326849 After installing an Endpoint Security webRH on a Provider-1 MDS machine, perform the following steps to prevent a crash:

1. Stop the CMA that works with the Endpoint Security webRH.

2. Log out of the shell used to start the Endpoint Security webRH installation.

3. Log in again to the root account.

4. Start the CMA.

After upgrading a Provider-1 MDS server that includes an installation of Endpoint Security webRH that is associated with one of the CMAs, perform the same procedure.

Logging, Alerts, and Errors

00311753 Continuous looping of log uploads occurs if the minimum number of events is less than 2. In order to prevent continuous looping of log uploads, in the Client Configuration > Client Settings panel's Log Upload Size area, set the minimum number of events to be equal to or greater than 2.

00313304 While Apache is running, it shows the following error: (730038) An operation was attempted on something that is not a socket.: winnt_accept: AcceptEx failed. Attempting to recover.

Workaround: Place the directive Win32DisableAcceptEx on a separate line at the beginning of the httpd.conf configuration file (in install_dir\apache2\conf), and then restart Apache.

00318085 Logging at the Info level can produce a lot of data. For this reason, do not set Info level notifications to be sent to e-mail.

Localization and Special Characters

00313520 Classic Firewall Rules cannot contain certain symbols. You cannot use the ampersand symbol ('&'), quotation marks, or the less than symbol ('<') in the names of Classic Firewall Rules.

00314811 Using Client Rules to update clients of different locales (languages) is not supported. The rules are applied regardless of the client locales, which results in all clients being updated to the same language. Workaround: Assign a different policy with a different Client Rule to each client with a different locale.

You can move all users back to a shared policy after the upgrade has completed.

00315851 Localized characters are not supported in the Install Key. You cannot use non-English characters in the Install Key in the Client Packager page.

Workaround: Use only ASCII characters for the Install Key.

00320198 In search fields in the Endpoint Security webRH administration console, Endpoint Security webRH interprets the characters "%" and "_" as search wildcards, NOT as literal characters for which to search.
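To make the effect of this wildcard behaviour concrete, the following added example (not code from the original document or from Check Point) matches a list of constructed user names against a search string two ways: treating "%" and "_" as wildcards, and treating the string literally. It assumes, which the page does not state, that the wildcards follow SQL LIKE semantics, with "%" matching any run of characters and "_" matching exactly one.

```python
"""Illustrate the search-wildcard behaviour noted in 00320198: in the
administration console "%" and "_" are wildcards, not literal characters.

Assumption (not stated on the page): the wildcards follow SQL LIKE
semantics, "%" matching any run of characters and "_" exactly one.
"""
import re
from typing import List


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a LIKE-style pattern into an anchored regular expression.

    Every character other than % and _ is escaped so that it matches only
    itself; the two wildcard characters keep their special meaning.
    """
    parts: List[str] = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def search(pattern: str, names: List[str]) -> List[str]:
    """Return the names a wildcard-style search for `pattern` matches."""
    rx = like_to_regex(pattern)
    return [n for n in names if rx.match(n)]


def literal_search(text: str, names: List[str]) -> List[str]:
    """Return only the names containing `text` literally.

    This is what an administrator typing "user_1" usually intends; compare
    with search() to see which extra entries the wildcard reading pulls in
    and which intended ones it drops.
    """
    return [n for n in names if text in n]


# Constructed sample user names (not from any real catalog).
SAMPLE_NAMES = ["user_1", "user01", "userX1", "user_10", "admin", "svc%"]

if __name__ == "__main__":
    print("wildcard search for 'user_1':", search("user_1", SAMPLE_NAMES))
    print("literal search for 'user_1': ", literal_search("user_1", SAMPLE_NAMES))
```

Under the wildcard reading, "user_1" matches user01 and userX1 as well as user_1, and misses user_10 because the pattern is anchored to the whole name; the literal reading finds user_1 and user_10 only. When a search returns unexpected accounts, an underscore or percent sign in the search string is the first thing to check.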

Gateways and Third Party Product Integrations

00307263 In order for the Endpoint Security client to detect McAfee Virus Scan Enterprise Virus definition, you must use the full McAfee product version number when referencing it for the Endpoint Security client. This is because the McAfee product's user interface displays only a portion of the product version number.

00309474 SecureClient is not compatible with PC-Cillin 2005. If you have SecureClient installed, you will not be able to also install PC-Cillin 2005.

00316842 A personal policy is not able to block Microsoft Remote Desktop. You cannot block Microsoft Remote Desktop using application rules.

00322997 If you are using EAP and the Network Interface Card is disabled, it will remain disabled even after reboot.

00327385 If a client is out of compliance with an Enforcement Rule that is configured to Warn or Observe, the VPN Security Configuration (or SCV status) is displayed as Verified. It is displayed as Not Verified only if the Enforcement Rule is configured to Restrict the client.

00369461 Endpoint Security clients don't recognize full version numbers for Sophos antivirus products. Endpoint Security clients only recognize version numbers up to two places after the first decimal point (x.xx).

Miscellaneous

00209761 Scheduled Antispyware scan times can be incorrect when the Endpoint Security server and the Endpoint Security client are located in different time zones. This is because the scan time always occurs at the specified time in the server's time zone instead of the client's time zone.

00313856 Internet Explorer (6.x) limits to 3000 the number of groups you can import into an NT Domain, LDAP, or RADIUS catalog on Endpoint Security webRH. To import more than 3000 groups, use another of the supported browsers. Mozilla Firefox is the only compatible browser that accommodates imports of more than 10,000 groups. For very large imports, the import page may take up to ten minutes to display all imported groups. When importing groups with a browser other than Internet Explorer, users may get a warning asking whether to abort the long-running JavaScript routine. Users should close the dialog box or choose to continue running JavaScript. For Firefox, you can suppress this message by typing about:config in the address bar, finding the entry for dom.max_script_run_time, and setting the number to 60 (on new computers) or 120 (on older computers).

00315338 The Flex client must be rebooted to register changes to Return to Default buttons. When you change the setting of Hide Return to Default buttons in Flex (in the Advanced Settings section of a policy's Client Settings tab), the end user must reboot the Flex client for the change to take effect.

00316817 Enterprise policies cannot override keyboard and mouse settings. If a policy allows a program and is set to enforce the enterprise policy only, and the user has set permissions in the personal policy to block the program, the program is able to access the Zones as defined in the enterprise policy, but is not able to perform keyboard and mouse activity. Workaround: Users must set the program to allow keyboard and mouse activity in the personal policy.

00352091 Endpoint users in the Test Group do not receive automatic updates if Antivirus or Antispyware staging is not configured. Do not place users in the Test Group unless you also configure staging.

00367804 It is possible to block Antivirus and Antispyware updates with firewall rules. Be sure to configure your firewall rules to allow this traffic.

00368783 Updates will sometimes fail after initial installation due to file permissions issues. This update failure is not common and subsequent updates are generally successful.

00368936 The traceroute protocol cannot be used to block outbound traceroute. To prevent traceroute from working, block the traceroute program with an Application Rule. Alternatively, you could block the inbound ICMP timeout packet, but this may cause issues.

00374371 When a client is in disconnected mode and has an active disconnected policy it will not ask the server for permissions of programs. Therefore all programs not explicitly overridden in the policy will be treated as "unknown" and will be given permissions according to the "unknown programs" group filter.

00378440 There are no implied rules to allow remediation or Antivirus or Antispyware updates. Do not configure firewall rules that block this traffic.

00379172 Logitech QuickCam software version 10.5 is incompatible with the Check Point Endpoint Security client. This causes crashes of many programs when they attempt to start. You must upgrade to version 11.5 of the Logitech QuickCam software.

00382005 Endpoint Security will not install on endpoint computers that have any active firewall other than the Microsoft built-in firewall.

VPN

00209078 Entrust configuration is not supported in Endpoint Security webRH VPN packages. When you need Entrust configuration, install the Endpoint Security client and SecureClient separately.

00209079 You cannot configure script execution. If you need script execution for SCV enforcement, you must install an Endpoint Security client and SecureClient separately.

00320920 When using "Route all traffic through gateway" in conjunction with Office Mode in Endpoint Security with VPN, with SCV enforcement on Endpoint Security, the client sometimes sends packets from the real IP rather than the Office Mode IP.

Microsoft Windows Dead Gateway Detection causes this behavior because of the way it handles the default route. To avoid this, change the EnableDeadGWDetect registry key. More information can be found in the SecureKnowledge article SK39013.

To disable the Dead Gateway Detection mechanism on NG AI R54 and R55, modify the registry as follows:

Note: Always back up the registry before making any modification.

1. Select Start > Run.

2. In the Open field of the Run dialog box, run the regedit command.

3. Locate the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters section.

4. Add a DWORD value named EnableDeadGWDetect and set it to 0.

5. Save and exit.

6. Reboot.

00351326 Some buttons on VPN dialogs are not the default button even though they are highlighted as such. As a result, keyboard shortcuts select controls other than the highlighted ones.

00368106 For Firewall-1, the Implied/Hard-Coded rules that are applied before all policy rules don't include the new Endpoint Security ports and protocols. You must configure firewall rules to allow Endpoint Security traffic. Use the following steps:

1. Make a copy of the implied_rules.def file on SmartCenter and save it.

2. Under INTEGRITY_HEARTBEAT, change port 6054 to 80.

3. Under accept_integrity_server_ports, change port 80 to 2100.

4. Save the file.

Note that editing the implied_rules.def file must be done carefully and only for important workarounds.

00368632 The local subnets feature of Hotspot Registration is not enforced. Setting Hotspot.local.subnets.only to ‘true’ has no effect.

00381474 The Cingular WWAN Connection Manager may conflict with the Endpoint Security VPN client. When switching to the WWAN adapter, the Endpoint Security VPN client may switch to CLI mode.
