Endpoint Protection

Hi there,

Is anyone else having problems getting CheckPoint Secure Client (VPN Client) to work on SEP 12.1 clients..?

Generally the SEP 12.1 client don't report that anything is being blocked, quarantined or similaer, when we install it on a machine with the CheckPoint VPN client on, it just prevents the VPN client from running.

However we have had a couple of machines that report that SONAR have blocked "svchost.exe" (See below)
 

Now we have tried to make exceptions to SONAR as well as normal Security Scans on both the CheckPoint Secure Client folder and on the "svchost.exe", but still the same.

We have also tried to disable the whole SEP 12.1 client, but the problem continues.

Only when we uninstall the SEP 12.1 client from the machine, does CheckPoint VPN client work as before. 
 

Now, I am desperate to find a solution to this, as we can't implement SEP 12.1 into our enviroment, before the VPN client works. So if anyone else have experienced the same issue and found a solution, I really like to hear from you..

Today all of our machines are currently running Windows 7 SP1 64 bit, and uses SEP 11.6100.645 along with the latest CheckPoint VPN client (Check Point Endpoint Security VPN E75)

/Zeepee
 

Hi,

we are also having checpoint VPN..but we are planning to install 12.1..so 12.1 will clash with VPN?

I have the problem, that we have SEP 12.1 and Checkpoint 7.6.306.001-R73.

I did NOT choose any firewall parts for the rollout package.

After several reboot (1-10) suddenly our remote controll (Dameware) utillity is not longer working.

When i uninstall Checkpoint, Dameware is working. If i uninstall SEP12.1, Dameware is also working.

If i have both installed, i am not able to connect to dameware remotly. (Acces denied)

No events in the client, that anything was blocked.

Then i create a packacke with firewall part. The firewall parts let me see in the activity monitor which app wants communicate.

Suddenly i see trgui.exe for a sec and is gone. 5 sec later the same. So i exclude the whole Checkpoint

folder from scan. After that the, trgui.exe is showed permanent in the activity monitor.

Then i add in the exclusion policy trgui.exe to the application for monitoring.

Now i get follow:

If i scan manually, but nothing was found. Perhaps the checkpoint clients have code, that symantec blocks and did not report it?

This is caught by SONAR, not by the traditional AV signatures. SONAR provides proactive protection and uses heuristics to determine if a process may be malicious or not. If a process has characteristics of a worm, trojan, backdoor, etc. SONAR will flag it. This is what is happening here.

Check the SONAR tab in your AV policy and see how you have it set, example below:

Zeepee,

Check your SONAR configuration for "Host file change detected" and "DNS change detected"

If they are set to Block, change them to Log and test again.

There is currently no way to exclude processes from these two protection items and they can cause problems with VPN applications on connect.

Schtiewie, by adding the process to "Application to Monitor" you are FORCING SONAR to detect the file everytime it runs, its not malicious, its being detected because you have told SONAR to detect it.

Paul,

Just out of curiousity, is there a guide on the setting changes for SONAR?

With SEP 11, I know there was the option to Ignore when a commercial keylogger or commercial remote control app is detected.

I would like to know a little more about SONAR and what some of the settings mean. What is considered a high/low risk detection, What is aggressive mode, etc..

And I'm assuming the tab "TruScan Legacy Client Settings" only applies to SEP 11, so if we have no SEP 11 clients then this tab can be ignored?

Schtiewie,

What version of Dameware are you running? I'm using 6.9.0.0 and SONAR is not detecting it?

Is it being detected when you try to remote to another machine?

Tested Checkpoint VPN and got these results:

Just as Paul suggested, you can set it to either Log or Ignore and you won't have the problem any more:

@Brian81

I use Dameware 6.9.0. Also tried newset Version 7.5.6.

When i try to connect from a remote machine i receive access denied. That only happend on the notebook where the checkpoint vpn+firewall client is installed.

DNS and Host was set to Ignore.

Sonar Detection for High risk is set to quarantine and low risk is set to log.

Sorry for the late answer, but didn't get a notification that anyone had replied..

I will test you suggestions regarding the DNS and Host file changes in SONAR ASAP and report back.

Thanks for the quick replies and solution suggestions..

/Zeepee




 

I'm currently using 6.9.0 but haven't tried 7.5.6. I'm having no issues with 6.9.0 though.

Access denied sounds different than the SONAR detection though. Assuming you have notifications turned on, you would get it but you can also check the PTP logs. Did you see anything in there saying it was stopping dameware?

I get access denied with dameware when the local admin password was changed on the box I'm remoting to or if the group I'm in to use Dameware has not been added to the correct group on the machine I'm remoting to.

You would need to verify the PTP log but this doesn't sound like SONAR.

Okay I have tried making the configuration changes regarding DNS and Host file under SONAR, but the issue is still the same.

The Checkpoint Endpoint Security VPN E73 client still ceases to work and loses its connectivity to its own service.

Unfortuanately we still don't get any reports or logs on the SEP client or SEP Manager, that anything has been blocked, quarantined or logged. 

Also as I mentioned in the original post, I have tried to make exceptions for the checkpoint folders and processes, disabled SONAR and later the whole client, but the problem still persists.
 

But if I uninstall the new SEP 12.1 client from the machine, then the Checkpoint VPN client works as before.

So to me it seems that there is a compability issue between the SEP 12.1 client and the Checkpoint Endpoint Security VPN E73 client, running on the same machine.

Until this gets fixed, I guess we keep using SEP 11.x as that versions works fine with the Checkpoint VPN...



 

/Zeepee

 

@Zeepee

Did you find a solution?

I create a lot of Installation Packages and test it. Ervery package i create, i remove one feature.

At least i have only the basic protection and the problem still exists. But i find out, that when i install a client package, i must reboot 4 to 20 times till the problem with the Checkpoint Client appears.

I have the best result, when i install all features complete. Then it tooks 20 reboots till the problem appears.

Two weeks ago a create a "high priority" case at symantec support, but they did what i expect:

NOTHING.

Hi guys

I do have the same problem with Checkpoint VPN E73.1 and Endpoint Protection 12.1 on Windows 7 x64 SP1, however, it does not seem to be permanent.

Sometimes, I do get the "Connectivity with the VPN service is lost", and sometimes (after a boot or two) it does work.

Anyone having a solution for this, or any tipps?
Else, I'm probably gonna open cases with Symantec/Checkpoint...

Cheers
Michel

No I didn't find a solution yet...

For us the problem appears immediatly after installation and disables the Checkpoint VPN in 9 out of 10 statups.

We have tried to install different components of the SEP 12.1 client, but the problem persists.

We have already opened a support case with Symantec, but no solution yet.

If we get one, I post it here..

/Zeepee

I just installed E75.20 (you can get it as an Early Availability from the Checkpoint homepage), and it seems that it does solve the problem. (At least the client was running now on both of my test-boots...)

Maybe you can all try it too, and let us know if it works on your ends.

Cheers
Michel

Hi guys,

I have the same problem with SEP 12.1. I tested Checkpoint version E75.20, Check Point Endpoint Security VPN service is able to start in this version without crash, but Checkpoint's GUI crashes each time on start, so it is not possible to use it..

Hopefully Symantec will fix it in next SEP 12 release...

for me there is no issue with checkpoint VPN and Symantec..both are working fine..

I am having the same issues with hosts file/DNS changes being detected by SONAR for Juniper's network connect VPN. Thankfully it is not interfering with operation of the VPN.

It's extremely frustrating as we get heaps of notifications on these. I wish I could create an exception.

I don't consider turning the detections off to be a valid workaround.

Symantec knowledgebase:

http://www.symantec.com/business/support/index?page=content&id=TECH167057

Not a solution, but a workaround. A solution will be forthcoming in a later version of SEP 12.1

Yes, we are having troubles too, and Symantec support confirmed us that this problem will be fix in the next release.

I cant believe that, because the workaround that Symantec Support told us for migrated laptops is to do a rollback. And what about if you have hundred and hundred of machines?

Sorry to say, but I'd suggest you have to think about your own internal testing procedures?

Installing 12.1RU1 fixed the problem.Checkpoint Client is now running.