14 April, 2010 User Guide Endpoint Security R73


DESCRIPTION

This is the user manual for the Checkpoint security that is used on Social Security cdrs, which ODAR gives to clients pro se or attorneys representing them, either before an ALJ or before it is sent to the Appeals Council.

TRANSCRIPT

Page 1: CP ES R73 Client UserGuide en Checkpoint

14 April, 2010

User Guide

Endpoint Security

R73


More Information

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10580

For additional technical information about Check Point visit Check Point Support Center (http://supportcenter.checkpoint.com).

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:[email protected]?subject=Feedback on Endpoint Security R73 User Guide).

© 2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights.


Contents

Introduction to Endpoint Security  8
  Tour of the Endpoint Security Main Page  8
    The Endpoint Security Main Page  8
    System Tray Icons  9
    Panels  9
    Overview Panel  10
  Responding to Alerts  10
    New Program Alerts  10
    New Network and VPN Alerts  11
    Compliance Alerts  11

Anti-malware  12
  Endpoint Security Anti-malware  12
    Enabling Anti-malware  12
    Viewing Anti-malware Protection Status  12
    Updating Anti-malware  13
  Scanning  13
    Understanding Scan Results  13
    Treating Files Manually  14
    Submitting Infected Files and Spyware to Check Point  14
    Viewing Quarantine Items  15
    Viewing Logs  16
  Advanced Options  16
    Scheduling Scans  16
    Updating Malware Definitions  17
    Specifying Scan Targets  17
    On-Access Scanning  18
    Enabling Automatic Infection Treatment  18
    Repairing Archived Files  19
    Infected File Scan Options  19
    Infected File Exceptions List  19

VPN  21
  VPN Basics  21
    Types of Endpoint Security VPNs  21
  Legacy VPN Client  22
    Compact and Extended VPN Interfaces  22
    Authentication in the Legacy VPN Client  23
    Creating Profiles and Sites in the Legacy VPN Client  26
    Connecting and Disconnecting Using the Legacy Client  30
    Advanced Configuration Options in the Legacy Client  35
    Switching to Endpoint Connect  37
  Check Point Endpoint Connect VPN Client  37
    Authentication in Endpoint Connect  37
    Creating Sites in Endpoint Connect  42
    Connecting and Disconnecting Using Endpoint Connect  42
    Advanced Configuration Options in Endpoint Connect  46
    Switching to the Legacy VPN Client  47

WebCheck  49
  Understanding WebCheck  49
    WebCheck Protection  49
  Suspicious Site Warnings  49
    Yellow Caution Banner  50
    Blue "May Be Unsafe" Warning  50
    Blue Warning Alerts  51

Firewall  52
  Understanding Firewall Protection  52
  Understanding Zones  52
    Zones Manage Firewall Security  53
    Zones Provide Program Control  53
  Configuring New Network Connections  53
  Integrating with Network Services  54
    Enabling File and Printer Sharing  54
    Connecting to Network Mail Servers  54
    Enabling Internet Connection Sharing  54
  Choosing Security Levels  54
  Setting Advanced Security Options  55
    Setting Gateway Security Options  56
    Setting ICS Options  56
    Setting General Security Options  56
    Setting Network Security Options  57
  Blocking and Unblocking Ports  58
    Default Port Permission Settings  58
    Adding Custom Ports  59
  Configuring VPN Connection for Firewall  60
    Supported VPN Protocols  60
    Configuring VPN Connection  60

Program Control  62
  Understanding Program Control  62
    Program Access Control  62
    Program Authentication  62
  Setting Program Control Options  63
    Setting Program Control Level  63
    Enabling Automatic Lock  63
  Configuring Program Access  64
    Setting Program Access Permissions  64
    Customizing Program Control Settings  65
  Setting Specific Permissions  65
    Using the Programs List  66
    Adding Programs to the Programs List  66
    Granting Internet Access Permissions to Programs  67
    Granting Server Permission to Programs  67
    Granting Send Mail Permission to Programs  67
    Advanced Program Control  67
    Disabling Outbound Mail Protection  68
    Setting Authentication Options  68
    Allowing Others to Use Programs  68
  Managing Program Components  68
  Using Programs with the Client  69
    Using Antivirus Software  69
    Using Browsers  69
    Using Chat  69
    Using E-mail  69
    Using Internet Answering Services  70
    Using File Sharing  70
    Using FTP  70
    Using Streaming Media  70
    Using Games  70
    Using Remote Control  71
    Using VNC  71
    Using Voice over IP  71
    Using Web Conferencing  71

Full Disk Encryption  72
  Authenticating to Full Disk Encryption  72
  Ensuring That Your Computer Has Not Been Tampered With  72
  Authenticating for the First Time  72
    Using a Fixed Password  73
    Using a Dynamic Token  73
    Using a Smart Card/USB Token  74
    What if I forget my password?  75
    What if I don't have access to my token/smart card?  75
  Optional Full Disk Encryption Features  75
    Synchronizing Passwords  75
    Single Sign-on and OneCheck Logon  76
    Windows Integrated Logon  77
  Using the Full Disk Encryption Panel  78
    Viewing Status and Encryption Information  78
    Changing Authentication Credentials  79
    Changing the Language Used in the Interface  80
    Characters Supported in the Preboot Environment  83

Media Encryption  84
  Features  84
    Encryption Policy Manager  84
    Removable Media Manager  84
    Device Manager  85
    Program Security Guard  85
    Cached Passwords  85
  Using the EPM Client  86
    Encrypting Media  86
    Encrypting CDs and DVDs  88
    Accessing Encrypted Media  88
    Accessing Encrypted Media from non-Media Encryption Computers  89
    Erasing CDs or DVDs  90
    Changing the Encrypted Device Password  90
  Using the Removable Media Manager  90
    Authorizing Removable Media  90
  Using the Device Manager  91
  Using the Program Security Guard  91
  Maintenance Section  91

File Encryption  92
  Before You Start  92
    About Passwords and Keys  93
  Working with File Encryption  93
  Accessing File Encryption for the First Time  93
    Using a Certificate and Setting a Password  94
    Setting a Password  94
  Authenticating to and Logging Off from File Encryption  95
    Authenticating with a Certificate  95
    Authenticating with a Password  96
    Logging Off from File Encryption  96
  Information and Help on File Encryption  96
  Using File Encryption  96
    File Encryption Options  97
    Protected Information in Windows Explorer  99
  Protecting Information Locally  99
    Encrypting Information  99
    Accessing Protected Information Stored Locally  100
    Decrypting Information  100
    Securely Deleting Information Stored Locally  101
  Working with Encrypted Packages  101
    About Encrypted Packages  101
    Creating an Encrypted Package  101
    Opening Encrypted Packages  104
    PKCS7 Encryption  105
    Securely Deleting Packages  106
  Protecting Information on Removable Media  106
    Protecting Information on Removable Media  106
    USB Sticks, Firewire/USB Hard Drives, Floppy/CD/DVD Disks  107
    CD/DVDs  108
    Accessing Protected Information  109
    Working in a Stand-alone Access Environment  110
  Managing Passwords and Keys  111
    Changing Your Local Password  111
    Changing Passwords on Removable Media  112
    Sharing Media/Floppy Disks and Managing Keys  112
  Securely Deleting Information  113
    Secure Delete Basics  113
  Forgot Your Password?  114
    What if I forget my password?  114

Policies  116
  Policy Types  116
  Understanding Policy Arbitration  116
  Viewing Available Policies  116
  Using the Policies Panel  117

Alerts and Logs  118
  Understanding Alerts and Logs  118
    About Alerts  118
    About Event Logging  119
  Setting Basic Alert and Log Options  119
    Setting Alert Event Level  119
    Setting Event and Program Logging Options  119
  Showing or Hiding Alerts  119
    Showing or Hiding Firewall Alerts  119
  Setting Event and Program Log Options  120
    Formatting Log Appearance  120
    Customizing Event Logging  120
    Customizing Program Logging  120
    Viewing Log Entries  121
    Viewing the Text Log  122
    Archiving Log Entries  123
    Using Alert Advisor  123

Alert Reference  124
  Informational Alerts  124
    Firewall Alert/Protected  124
    MailSafe Alert  125
    Blocked Program Alerts  125
    Internet Lock Alerts  126
    Compliance Alerts  126
  Program Alerts  127
    New Program Alerts  127
    Repeat Program Alerts  127
    Changed Program Alerts  128
    Program Component Alerts  128
    Server Program Alerts  129
    Advanced Program Alerts  130
    Manual Action Required Alerts  131
    New Network Alerts  131

Troubleshooting  133
  VPN Troubleshooting  133
    Configuring Client for VPN Traffic  133
    VPN Auto-Configuration and Expert Rules  133
    Automatic VPN Detection Delay  134
  Network Troubleshooting  134
    Making Your Computer Visible on Local Network  134
    Sharing Files and Printers Locally  134
    Resolving Slow Startup  135
  Internet Connection Troubleshooting  135
    Connecting to the Internet Fails after Installation  135
    Allowing ISP Heartbeat Messages  136
    Connecting Through an ICS Client  136
    Connecting Through a Proxy Server  137

Glossary of Terms  139
Index  145


Chapter 1

Introduction to Endpoint Security

Check Point Endpoint Security™ is the first and only single agent that combines all essential components for total security on the endpoint: highest-rated firewall, Anti-malware, Full Disk Encryption, Media Encryption with port protection, network access control (NAC), program control and VPN.

Check Point Endpoint Security protects PCs and eliminates the need to deploy and manage multiple agents, reducing total cost of ownership.

In This Chapter

Tour of the Endpoint Security Main Page 8

Responding to Alerts 10

Tour of the Endpoint Security Main Page

The Endpoint Security Main Page provides one-stop access to the security features that keep your computer safe.

To launch the Endpoint Security Main Page, select Settings from the Endpoint Security system tray menu.

The Endpoint Security Main Page


The left menu provides access to the available panels.

System Tray Icons

The icons displayed in the system tray let you monitor your security status and Internet activity on the fly, and access your security settings in just a few clicks. Right-click any of the icons below to access a shortcut menu.

Table 1-1 System Tray Icons

Icon Description

VPN is connected.

Security scan, encryption, or change in client settings is in progress.

Attention needed (for example: client is out of compliance with policy, application error, or reboot needed).

Panels

Your Endpoint Security Client may have any or all of the possible panels, depending on the installation and configuration that the administrator created for you.

VPN

Shows whether you are connected to the VPN, if you have VPN installed on your Endpoint Security client.

Anti-malware

Shows whether the protection is turned on, and if so, how many infected files or spyware were treated.

Firewall

Indicates whether your firewall is on and displays the number of firewall alerts and Internet Lock alerts that have occurred since the last reset. If a warning is displayed, click the underlined warning text to go immediately to the panel where you can adjust your settings.

Program Control

Indicates whether program control is configured safely and displays the number of program alerts that have occurred since the last reset. The Endpoint Security client will warn you if program control is disabled.

Full Disk Encryption

Provides access to Full Disk Encryption options.

Media Encryption

Provides access to Media Encryption options and the EPM (Encryption Policy Manager) client.

WebCheck

Indicates which WebCheck options have been provided to this client by the administrator.


Policies

Shows a table of the available Policies and the details of the currently active policy.

Alerts & Logs

Provides a view of alerts and a log viewer to view the log output for the Endpoint Security features.

Overview Panel

The Overview panel provides quick access to the most urgent issues and offers quick scanning of the status of different areas of protection and connection.

To open the Overview panel:

1. Right-click the Endpoint Security tray icon.

2. Select Settings.

The Endpoint Security Main Page opens, displaying the Overview panel, Main tab.

Using the Overview Main Tab

The Main tab of the Overview panel tells you whether your firewall, program, and e-mail security settings are enabled and provides a summary of security activity. From the Main tab you can:

See at a glance if your computer is secure

See a summary of the client's activity

Understanding the Product Info Tab

The Overview Product Info tab shows the version information for the following components:

Endpoint Security client (also includes date and time of installation)

TrueVector Security Engine

Driver

VPN Engine (if relevant)

Anti-malware Engine

WebCheck

Full Disk Encryption (if relevant)

Media Encryption (if relevant)

DAT file version

Responding to Alerts

When you first start using the client, it is not unusual to see a number of alerts. Endpoint Security client is learning your program and network configurations, and giving you the opportunity to set up your security the way you want it.

How you respond to an alert depends upon the type of alert displayed.

New Program Alerts

The majority of the initial alerts you see will be New Program alerts. These alerts occur when a program on your computer requests access or server permission to the Internet or your local network. Use the New Program alert to give access permission to programs that need it, such as your browser and e-mail program.


Note - Select the Remember this answer check box to give permanent permission to programs you trust.

Few programs or processes actually require server permission in order to function properly. Some processes, however, are used by Microsoft Windows to carry out legitimate functions. Some of the more common ones you may see in alerts are:

lsass.exe

spoolsv.exe

svchost.exe

services.exe

winlogon.exe

If you do not recognize the program or process that is asking for server permission, search the Microsoft Support Web site (http://support.microsoft.com/) for information on the process to determine what it is and what it is used for. Be aware that many legitimate Windows processes, including those listed above, have the potential to be used by hackers to disguise worms and viruses, or to provide backdoor access to your system for Trojan horses. If you were not performing a function (such as browsing files, logging onto a network, or downloading files) when the alert appeared, then the safest approach is to deny server permission. At any time, you can assign permissions to specific programs and services from the Programs List, accessed by selecting the Program Control > Programs tab.

If you are seeing many server program alerts, you may want to run an anti-malware scan as an added precaution.

New Network and VPN Alerts

The other initial alerts you may see are the New Network alert and VPN Configuration alerts. These occur when the client detects a network connection or VPN connection. They help you configure your Trusted Zone, port/protocol permission, and program permissions correctly so that you can work securely over your network.

Compliance Alerts

Compliance alerts occur when the Endpoint Security server, operating in conjunction with the Endpoint Security client, determines that your computer is non-compliant with enterprise security requirements. Depending on the type of non-compliance, your ability to access the corporate network may be restricted or even terminated.

Computers that are running the correct types and versions of required software are said to be compliant with enterprise security requirements. When, on the other hand, Endpoint Security determines that a computer is non-compliant, it:

Displays a Compliance alert (but only if the display of Compliance alerts is enabled in the currently active enterprise security policy)

Directs you to a Web page that tells you how to make the endpoint computer compliant

What happens next depends on your company's security Policies.

If you do not make your computer compliant in the time allotted by the security policy, your access to the corporate network may be restricted or terminated.

If your computer is restricted, you can continue to access some corporate network resources before you perform the steps necessary to make your computer compliant.

If your computer is terminated, you may only be able to access the Web page that tells you how to make your computer compliant with corporate security requirements.


Chapter 2

Anti-malware

The integrated Anti-malware feature protects your computer against infected files and spyware in a single powerful operation. Multiple scanning options automatically detect infected files and spyware and render them harmless before they can damage your computer.

In This Chapter

Endpoint Security Anti-malware 12

Scanning 13

Advanced Options 16

Endpoint Security Anti-malware

The Anti-malware feature keeps known and unknown infected files from affecting your computer by scanning files and comparing them to a database of known infected files and against a set of characteristics that tend to reflect the behavior of infected files. Files can be scanned as they are opened, closed, executed, or as part of a full computer-wide scan. If an infected file is detected, it is rendered harmless, either by repairing or denying access to the infected file.

The Anti-malware feature also detects spyware components on your computer and either removes them automatically, or places them in quarantine so that you can remove them manually after assessing their risk.

Enabling Anti-malware

To enable Anti-malware protection:

1. Open Anti-malware > Main.

2. In the Anti-malware area, click On.

Viewing Anti-malware Protection Status

To view the status of your Anti-malware protection, see Overview > Main or Anti-malware > Main.

The Main tab of the Anti-malware panel displays the status of your infected files and spyware protection. From this area you can:

Verify that infected files and spyware protection is turned on.

See the dates and times of your last scans.

See the dates and times of your last signature updates.

See the date and time of the next scheduled scan.

Update definition files.

Invoke a scan.

View the status of a scan that is currently running.

Access advanced settings. This setting is not available in enterprise or disconnected mode.

For information on the status information shown on the Overview panel, see Using the Overview Main Tab (on page 10).


Updating Anti-malware

Every anti-malware application contains a definition file, with information to identify and locate infected files and spyware on the computer. As new infections or spyware applications are discovered, the client updates its databases with the definition files it needs to detect these new threats. Therefore, the computer is vulnerable to infections and spyware whenever its database of definition files becomes outdated.

In Anti-malware > Main, you can see if the Anti-malware protection needs to be updated.

To get updates on demand:

1. Open Anti-malware > Main.

2. If Update overdue appears in the Anti-malware section, click Update Now.

Scanning

There are several ways you can initiate a scan of your computer.

In the Anti-malware > Main tab, click Scan Now.

Right-click a file on your computer and choose Scan with Check Point Anti-malware.

Schedule a system scan to run once or at regular intervals.

Open a file (if On-Access scanning is enabled).

System scans provide another level of protection by allowing you to scan the entire contents of your computer at one time. System scans detect infections that may be dormant on your computer's hard drive.

Because of the thorough nature of full-system scans, they can take some time to perform. As a result, your system's performance may be slowed down while a full-system scan is in progress. To avoid any impact on your workflow, you can schedule system scans to run at a time when you are least likely to be using your computer.

Note - Clicking Pause in the Scan dialog while a scan is being performed stops the current scan only. On-Access scanning is not disabled. Click Resume to continue the current scan.

Understanding Scan Results

The results of the scan are displayed in the Scan Results window.

Data - Description

Name - Name of the infected file/spyware.

Treatment - Specifies the treatment applied to the infection/spyware: Quarantined or Deleted.

Risk - Indicates the risk level of the infection.

High: Poses a security threat. All infected files are considered High risk.

Med: Potential privacy breach.

Low: Adware or other benign, but annoying software.

Path - Location of the infected file/spyware.

Type - Specifies whether the infection was caused by a virus.

Status - Indicates whether the file has been repaired, deleted, or remains infected.

Information - Provides more details.


Detail - Active Items: Infections/spyware found during the scan that could not be treated automatically. To accept the suggested treatments in the Treatment column, click Apply.

Auto Treatment: Items already treated; you do not need to take further action.

Treating Files Manually

If you do not have automatic treatment enabled, or if a file could not be repaired automatically, you can handle it manually from the Scan details window.

To treat a file manually:

1. In the Scan Results window, select the item you want to treat.

2. In the Treatment column, choose a treatment option.

3. Click Close, when you have finished treating files.

Table 2-2 Infected File Treatment Options

Option - Description

Repair - Tries to repair the selected file.

Quarantine - The file is placed in a quarantine file and rendered harmless because it is isolated.

Rename - Allows you to rename the file. Use this option only if you are sure that the file is in fact not infected.

Delete - Deletes the selected file.

Delete on Reboot - Deletes the selected file when your computer is next restarted.

Ignore Always - Instructs the client to ignore the file in all future scans.

Ignore Once - Instructs the client to remove the item from the list and take no further action.

If the results of a scan contain Error, No treatment available, or Treatment failed, there is not yet a way to automatically remove the infection without risking the integrity of your computer or other files.

To find manual treatment procedures, enter the name of the infection, with the word "removal" into a search engine, such as Google or Yahoo, to locate removal instructions.

Check Point is constantly researching infections and developing safe ways to remove them.

Submitting Infected Files and Spyware to Check Point

Reporting suspected malware to Check Point helps to improve the security and protection of all Internet users. The Check Point Security Team monitors all incoming submissions for new files. The Check Point Security Team will act on your submission as appropriate and may contact you for more information or to provide details about the files you submit.

Due to the volume of malware released each day, our researchers cannot respond to each file you submit. However, we appreciate the assistance of our users and thank you for taking the time to help secure the Internet. Please address any questions or concerns to [email protected].

To submit malware to Check Point for review:

1. Place the malware file in a password-protected .zip archive with the password set to infected.


For help with creating a password-protected archive, refer to the Help for WinZip.

2. Send the .zip file to [email protected].

Use this e-mail address only for sending malware to the Check Point Security Team.

Important - Do not send malware files if you feel you cannot do so safely or if it would increase the risk of infection or damage to your system. Do not e-mail suspected malware files to others.

Viewing Quarantine Items

In some cases, items detected during a malware scan cannot be treated or removed automatically. These items are usually placed into quarantine so that they are rendered harmless but preserved so that they may be treated in the future after an update to your infected files and spyware signature files.

To view malware in quarantine:

1. Open Anti-malware.

2. Open the Quarantine tab.

3. Choose Infected Files or Spyware from the Quarantined View drop-down list.

Table 2-3 Quarantine Information for Infected Files

Information - Description

Infection - Name of the infection.

Days in Quarantine - Number of days the file has been in quarantine.

Path - Location of the infected file on your computer.

Table 2-4 Quarantine Information for Spyware

Information - Description

Type - Type of spyware: keylogging or cookie.

Name - Name of the spyware.

Risk - The risk level of the infection: whether Low, for adware; or a serious threat, for keylogging software.

Days in Quarantine - Number of days the file has been in quarantine.

Handling Quarantine Items

You can move infected files or spyware into, and out of, quarantine.

To delete or restore an item in quarantine:

1. Open Anti-malware > Quarantine.

2. Select a file or software from the Quarantined View list.

To send the item to the Recycle Bin, click Delete.

To send the item to its original path, click Restore. Use this function carefully, as you do not want to restore files that could be malicious.


Viewing Logs

By default, all infected file and spyware events are recorded in the Log Viewer.

To view logged malware events:

1. Open Alerts & Logs > Log Viewer.

2. From the Alert Type drop-down list, select Anti-malware.

Field - Information

Date/Time - Date and time of the infection.

Type - Type of event that occurred:

Update

Scan

Treatment

E-mail

Infection Name - The common name of the infection (for example, iloveyou.exe) or spyware (for example, NavExcel).

Filename - The name of the infected file, the name of files being scanned, or the name and version number of the update and/or engine.

Action - How the infected file was handled by the client:

Updated, Update canceled, Update Failed

Scanned, Scan canceled, Scan Failed

File Repaired, File Repair Failed

Quarantined, Quarantine Failed

Deleted, Delete Failed

Restored, Restore Failed

Renamed, Rename Failed

Mode - Whether the action was manual or automatic.

E-mail - If the infected file was detected in e-mail, the e-mail address of the sender.

1. Click Clear List to reset the list.

2. Click Add to Zone to add the site to either the Trusted or Internet Zone.
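The Action values in the Log Viewer separate what the client finished from what it could not: every "... Failed" entry is an item that still needs the manual treatment described earlier, and a run of failed updates means the definitions the scans rely on are stale. As an added example (not part of this guide or of the client), here is a small triage script over a constructed tab-separated export with the fields listed above; the export layout and the 24-hour "overdue" threshold are assumptions of the example, since the page does not document either:

```python
"""Triage of Anti-malware Log Viewer events (constructed example).

Assumption: the log was exported as tab-separated text with the seven fields
documented in the Log Viewer table. The client's real export format is not
described on this page, so this layout is an assumption of the example.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export. The infection names follow the page's own
# examples (iloveyou.exe, NavExcel) plus the harmless EICAR test file;
# paths, timestamps, DAT numbers and the sender address are made up.
SAMPLE_LOG = """\
Date/Time\tType\tInfection Name\tFilename\tAction\tMode\tE-mail
2010-04-12 08:00:05\tUpdate\t\tDAT 1234\tUpdated\tAutomatic\t
2010-04-12 09:15:41\tScan\t\tC:\\Users\\jdoe\\Downloads\tScanned\tManual\t
2010-04-12 09:16:02\tTreatment\tEICAR-Test-File\tC:\\Users\\jdoe\\Downloads\\eicar.com\tQuarantined\tAutomatic\t
2010-04-12 11:02:17\tTreatment\tNavExcel\tC:\\Program Files\\NavExcel\\nhelper.dll\tFile Repair Failed\tAutomatic\t
2010-04-13 08:00:07\tUpdate\t\tDAT 1235\tUpdate Failed\tAutomatic\t
2010-04-13 10:40:33\tE-mail\tiloveyou.exe\tLOVE-LETTER-FOR-YOU.TXT.vbs\tDeleted\tAutomatic\tsender@example.com
"""


def at(text):
    """Parse a timestamp written in the log's own Date/Time format."""
    return datetime.strptime(text, TIME_FORMAT)


def parse_log(text):
    """Parse the export into a list of dicts keyed by the field names."""
    events = []
    for row in csv.DictReader(StringIO(text), delimiter="\t"):
        row["Date/Time"] = at(row["Date/Time"])
        events.append(row)
    return events


def failed_treatments(events):
    """Treatment and E-mail events whose Action ends in 'Failed'.

    These are the items the 'Treating Files Manually' procedure is for.
    """
    return [(e["Infection Name"], e["Filename"], e["Action"])
            for e in events
            if e["Type"] in ("Treatment", "E-mail") and e["Action"].endswith("Failed")]


def failed_updates(events):
    """Filename column (update/engine name and version) of failed updates."""
    return [e["Filename"] for e in events
            if e["Type"] == "Update" and e["Action"] == "Update Failed"]


def last_successful_update(events):
    """Timestamp of the most recent 'Updated' action, or None if there is none."""
    stamps = [e["Date/Time"] for e in events
              if e["Type"] == "Update" and e["Action"] == "Updated"]
    return max(stamps) if stamps else None


def update_overdue(events, now, max_age=timedelta(hours=24)):
    """True when the definitions are older than max_age (assumed threshold),
    i.e. the condition under which the client would show 'Update overdue'."""
    last = last_successful_update(events)
    return last is None or now - last > max_age


def manual_actions(events):
    """Actions a user triggered by hand (Mode = Manual), useful when auditing."""
    return [e["Action"] for e in events if e["Mode"] == "Manual"]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("needs manual treatment:", failed_treatments(ev))
    print("failed updates:", failed_updates(ev))
    print("definitions overdue:", update_overdue(ev, at("2010-04-14 09:00:00")))
```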

Advanced Options

The Advanced Options button is enabled if the only active policy is the Personal Policy (see Policies).

If an Enterprise, Corporate, or Disconnected Policy is active, the features of this option are controlled by your system administrator.

Therefore, you will be able to control the Advanced Options of your own client only if the Enterprise Policy was not yet received and there is no contact with the Endpoint Security server, or the assigned policy consists only of an Enterprise Policy and your client is disconnected from the server.

Scheduling Scans

Scanning your computer for infected files and spyware is one of the most important things you can do to protect the integrity of your data and computing environment. Scanning is most effective when performed at regular intervals, so it often makes sense to schedule it as a task to run automatically. If your computer is not on when the scheduled scan is set to occur, the scan will occur fifteen minutes after your computer is restarted.

To schedule a scan:

1. Open Anti-malware > Main.


2. Click the Advanced Options button.

The Advanced Options window appears.

3. Select the Scan for viruses check box, then specify a day and time for the scan.

4. In the Scan Schedule options, select the Scan for infected files check box, then specify a day and time for the scan.

5. Specify the scan frequency: daily, weekly, or monthly.

6. Specify the scan frequency.

7. Click OK.

Note - If you select a weekly repeating schedule, the scan will run on the day of the week of the starting date. For example, if the starting date is November 4, 2009, the scan will run every subsequent Wednesday.

Updating Malware Definitions

Every anti-malware application contains a definition file, with information to identify and locate infected files and spyware on your computer. As new infections or spyware applications are discovered, the client updates its databases with the definition files it needs to detect these new threats. Therefore, your computer is vulnerable to infections and spyware whenever its database of definition files becomes outdated.

By enabling the automatic update feature, you will always receive the latest definition files when they are available.

To enable automatic updates:

1. Open Anti-malware > Main.

2. Click Advanced Options.

The Advanced Options window appears.

3. Open the Updates options.

4. Select the Enable automatic Anti-malware updates checkbox.

5. In the Set update frequency drop-down list, specify when the client should check for updates and download and install them if available.

6. Click OK.

In Anti-malware > Main, you can see if the Anti-malware protection needs to be updated.

To get updates on demand:

1. Open Anti-malware > Main.

2. If Update overdue appears in the Anti-malware section, click the click to update link; or click Update Now.

Specifying Scan Targets

You can specify which drives, folders, and files are scanned when a system scan occurs. Exclude or include an item in the scan by selecting the checkbox beside it. By default, the client only scans local hard drives.

To specify scan targets:

1. Open Anti-malware > Main.

2. Click Advanced Options.

The Advanced Options window appears.

3. Open Virus Management > Scan Targets.

4. Select the drives, folders, and files to be scanned.

5. Select the Scan boot sectors for all local drives checkbox and then click OK.

6. Select the Scan system memory checkbox and then click OK.

The following table provides an explanation of the icons shown in the Scan Targets window.


Table 2-5 Icons Indicating Scan Targets

Icon - Description

The selected disk and all sub-folders and files will be included in the scan.

The selected disk and all sub-folders and files will be excluded from the scan.

The selected disk will be included in the scan, but one or more sub-folders or files will be excluded from the scan.

The selected folder will be excluded from the scan, but one or more sub-folders or files will be included in the scan.

The selected folder will be included in the scan. A gray check mark indicates that scanning of the folder or file is enabled because scanning has been enabled for a higher level disk or folder.

The selected folder will be excluded from the scan. A gray "x" mark indicates that scanning of the folder or file is disabled because scanning has been disabled for a higher level disk or folder.

Other - RAM DISK and any unknown drives. Specify other drives to scan.

On-Access Scanning

On-Access scanning protects your computer by detecting and treating infections that may be dormant on your computer. On-Access scanning is enabled by default and supplies the most active form of protection against infections. Files are scanned for infections as they are opened, executed, or closed, allowing immediate detection and treatment of infections.

Note - On-Access scan will only scan for infections in an archive (compressed file, such as those with a *.zip extension) when the file is opened. Unlike other types of files, archives are not scanned when moved from one location to another.

On-Access scanning does not support other Anti-virus providers, and is disabled if you are not using Check Point Anti-malware.

To enable on-access scanning:

1. Open Anti-malware > Main.

2. Click Advanced Options.

3. Open Anti-malware Management > On-Access Scanning and then select the Enable On-Access Scanning checkbox.

4. Click OK.

Enabling Automatic Infection Treatment

When an infection is detected, the Scan window offers the available treatment options, such as Quarantine, Repair, or Delete. By default, the client automatically attempts to treat files that contain infections. If a file cannot be repaired, the Scan window will inform you so that you can take the appropriate action.

To enable automatic infection treatment:

1. Open Anti-malware > Main.


2. Click Advanced Options.

3. Open Anti-malware Management > Automatic Treatment.

4. Select the auto treatment option you want:

Alert me - Do not treat automatically

Try to repair, and alert me if repair fails

Try to repair, quarantine if repair fails (recommended)

5. Click OK.

Repairing Archived Files

If the infected file is located in an archive file (such as a .zip file), the client will not be able to treat it while the file is still included in the archive.

To repair a file in an archive:

1. Make sure On-Access Scanning is enabled.

2. Open the file that was specified in the Scan Results window from within an archival utility, such as WinZip.

On-Access scanning will scan the file for infections. The Scan Results window will appear with the results of the scan.

3. Extract the files from the archive that need to be treated and run the scan again.

Infected File Scan Options

You can configure your infection scan to ignore any file larger than a specified size (default setting is 8 MB). This option improves scan time without increasing risk, as malware files are usually smaller than 8 MB. While large files ignored by the scan may contain infections, your computer is still protected if you have On-Access scan enabled.

You can also enable the extended database. This database includes a comprehensive list of malware in addition to the standard infection list. However, some malware listed in the extended database may also be listed in the standard infection database; some suspected malware may be scanned twice. Also, the extended database malware list may include programs that you consider to be benign.

To specify infected file scan options:

1. Open Anti-malware > Main.

2. Click Advanced Options.

The Advanced Options window appears.

3. Open Virus Management > Scan Options.

4. Select the Skip if the object is greater than check box and enter a maximum object size in the MB field.

5. Select one or more of the following options:

Enable cpChecker: Determines if a file has changed since it was last scanned. If so, it is scanned for malware again. If not, the file is not scanned.

Enable cpSwift: Determines if an NTFS file has changed since it was last scanned. If so, it is scanned for malware again. If not, the file is not scanned.

Enable ADS scanning: Scans for malware attached to NTFS files.

Enable heuristics scanning: Scans for malware not found in the malware database based on characteristics of the file in question.

6. Click OK.

Infected File Exceptions List

Although some programs considered to be suspicious by the extended database have the potential to harm your computer or to make your data vulnerable to hackers, there are many potentially benign applications that still will be detected as infected during a scan. If you are using one of these applications, you can exclude it from Anti-malware scans by adding it to the Exceptions list.


To add programs to the Exceptions list:

In the Scan Results list, click the program and choose Ignore Always, or do the following:

1. Open Anti-malware > Main.

2. Click Advanced Options.

3. Open Anti-malware Management > Exceptions.

4. In the Infected Files Treatment Exceptions area, click Add File.

The Add Exception window opens. It shows examples of exceptions that can be added.

5. Provide an exception such as in the examples, or click Browse and select the file, folder, or drive to exclude from the scan.

6. Click OK.

If you accidentally add an infected file to the exceptions list, you can remove it.

To remove infected files from the Exceptions list:

1. Open Anti-malware > Main.

2. Click Advanced Options.

3. Open Anti-malware Management > Exceptions.

4. In the Infected Files Treatment Exceptions area, select the infected file you want to remove and click Remove from List.

5. Click OK.


Chapter 3

VPN

In This Chapter

VPN Basics 21

Legacy VPN Client 22

Check Point Endpoint Connect VPN Client 37

VPN Basics

Endpoint Security VPN lets you connect securely to your enterprise network when working remotely. You can then access private files over the Internet knowing that unauthorized persons cannot view or alter them. The VPN connection can be made directly to the server or through an Internet Service Provider (ISP). Remote users can connect to the organization using any network adapter (including wireless adapters) or modem dialup.

The Endpoint Security VPN feature authenticates the parties and encrypts the data that passes between them. The VPN feature uses standard Internet protocols for strong encryption and authentication. Encryption ensures that only the authenticated parties can read the data passed between them. In addition, the integrity of the data is maintained, which means the data cannot be altered during transit.

The VPN Main panel displays information about the current VPN connection (if any) and about the status of your remote connection to a VPN-enabled security gateway. From the Main panel, you can click VPN Settings > New to launch the Site Wizard to create a VPN site, connect to or disconnect from a VPN site, or open the VPN Settings window to configure profiles and sites, configure any special connection options, or manage certificates.

Types of Endpoint Security VPNs

Your administrator will have configured a VPN type for your client. It may be either:

Check Point Endpoint Connect or

the Legacy Endpoint Security VPN (SecureClient).

The options that you have to choose from depend on which VPN is provided in your client.

To determine which VPN client you have:

Open the main VPN > VPN Settings window.


If you see:

Figure 3-1 VPN settings in legacy client

The VPN client is the legacy Check Point client. For managing options in this client, see: Legacy VPN Client (on page 22)

If you see only two tabs, one for Sites and one for Advanced

Figure 3-2 Endpoint connect VPN settings

The VPN client is Check Point Endpoint Connect. For managing options in this client, see: Check Point Endpoint Connect VPN Client (on page 37)

Legacy VPN Client

This section covers the configuration options available for the legacy VPN Client.

Compact and Extended VPN Interfaces

If your Endpoint Security client is configured with a Legacy VPN, it is deployed with either a compact or an extended version of the VPN interface.

You can change versions yourself when the client is running.

Compact view provides a simplified view of the VPN interface for users who do not need multiple sites or profiles.


Extended view is for more advanced users who need to connect to different VPN sites and who want to manage their VPN configuration in greater detail.

To switch between extended and compact views:

1. If you are switching from extended to compact view, you must first:

a) Delete all sites (see Deleting Sites (on page 30)).

b) Disable Auto Local Logon (see Auto Local Logon (on page 33)).

c) Disable Secure Domain Logon (see Secure Domain Logon (on page 33)).

2. Open VPN > Main and click VPN Settings.

3. Open the Advanced tab.

4. In the Product View section, select Extended View or Compact View and click OK.

5. Click OK to confirm restart of VPN services.

The VPN panel shows a message indicating that VPN services are restarting. When the VPN panel is restored it activates the selected view.

Authentication in the Legacy VPN Client

When you connect to a VPN site, and supply identification details, you are authenticating using credentials. There are many authentication methods available.

Contact your system administrator to send you one of the following:

A registered certificate (on diskette, or a hardware token) and password (for opening the certificate)

A registration code that allows you to complete the certificate creation process online.

User name and password

SecurID card

SmartCard Response code

Changing Authentication Methods

Your administrator may ask you to change your VPN authentication method. If your laptop acts as a terminal for other users (each user connecting to the site with their own unique certificates), certificates should be switched as needed.

Note - You cannot change authentication methods while connected to a VPN site.

The procedure for changing authentication methods varies according to the type of VPN that is configured for your client. Choose the instructions relevant to your client, according to the options that are available to you.

To change authentication methods:

1. Open VPN > Main.

2. If you are connected to a VPN site, click Disconnect.

3. Click VPN Settings.

4. In the Connections tab, select a site and click Properties.

5. Open the Authentication tab.

6. Choose an authentication method from the Scheme drop-down list.

7. Provide the information appropriate for your authentication method.

For example, if you are using a certificate, click Browse and choose the certificate.

8. Click OK.

The first time that you configure a VPN, the same Scheme configuration option is provided, in the First Time Configuration - Authentication Method window. Select the authentication method from the Scheme drop-down list and then click OK.


Managing Certificates

It is recommended to use digital certificates for authentication when establishing a VPN connection. Certificates are more secure than other methods such as user name and password. When authenticating with certificates, the client and the VPN site each confirm that the other's certificate has been signed by a known and trusted certificate authority, and that it has not expired or been revoked.

You or your administrator must enroll with a certificate authority. You can use any third-party OPSEC (Open Platform for Security) PKI (Public Key Infrastructure) certificate authority that supports the PKCS#12, CAPI, or Entrust standards.

Endpoint Security client lets you create or renew Check Point certificates and manage Entrust certificates.

Managing Entrust Certificates

Endpoint Security client accommodates Entrust certificates. If desired, you can use Entrust Entelligence to create and recover certificates. When you use Entrust for certificate management, the client automatically connects to the Entelligence UI when appropriate.

Before you begin, make sure your administrator has given you a reference number and authorization code, which are required for completing the process.

To use an Entrust certificate for authentication:

First, enable Entrust Entelligence:

1. Open VPN > Main and click VPN Settings.

2. In the Certificates tab, clear the Don't use Entrust Entelligence checkbox.

Second, initiate the Entrust certificate:

3. In the Certificates tab, click Select INI file, browse to the entrust.ini file, and click Open.

By default, the entrust.ini file is stored in your Windows directory (for example, C:\Windows).

4. Click Configure INI file. The Configure Entrust.INI window appears.

5. Provide the following information:

The CA manager's host name or IP address and its port number. The default port number is 709.

The LDAP Server's host name or IP address and its port number. The default port number is 389.

6. Click OK.

Third, create the Entrust certificate:

1. In the Certificates tab, Entrust Certificates section, click Create. The Create User window appears.

2. Click Save to File. Then browse to the directory in which to save the certificate.

3. Provide and confirm a password for your profile. Your password must conform to the following Entrust specifications:

At least eight characters long

At least one uppercase letter or a numerical digit

At least one lowercase letter

No long strings of repeating characters

No long substrings of the user name

4. Specify your profile parameters by entering the Reference Number and Authorization code supplied by your system administrator.

5. Click OK.

6. In the confirmation window that appears, click OK again.
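As an added example (not from the guide or from Entrust), the password rules listed in step 3 as a checker you can run locally before enrolling. The guide does not say how long a "long" run or substring is, so the two thresholds below are assumptions.

```python
import re
from typing import List

# Thresholds are assumptions: the guide only says "long" without giving a number.
MAX_REPEAT_RUN = 3            # a run of four or more identical characters is rejected
MAX_USERNAME_SUBSTRING = 3    # any four-character (or longer) slice of the user name is rejected


def longest_repeat_run(s: str) -> int:
    """Length of the longest run of one repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def longest_username_substring(password: str, username: str) -> int:
    """Length of the longest slice of username (case-insensitive) that occurs in password."""
    p, u = password.lower(), username.lower()
    best = 0
    for i in range(len(u)):
        # Only try slices longer than the best so far; if a slice is absent, longer ones are too.
        for j in range(i + best + 1, len(u) + 1):
            if u[i:j] in p:
                best = j - i
            else:
                break
    return best


def check_entrust_password(password: str, username: str) -> List[str]:
    """Return the list of Entrust rules the password violates (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[A-Z0-9]", password):
        problems.append("no uppercase letter or digit")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if longest_repeat_run(password) > MAX_REPEAT_RUN:
        problems.append("long run of repeating characters")
    if username and longest_username_substring(password, username) > MAX_USERNAME_SUBSTRING:
        problems.append("long substring of the user name")
    return problems
```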

Managing Check Point Certificates

Your system administrator might ask you to create a new Check Point certificate. You can store a Check Point certificate either as a Public-Key Cryptography Standard #12 (PKCS#12) file or as a hardware or software token (CAPI). Confirm with your system administrator how you should store the certificate.

Before you begin, obtain the following information from your administrator:

the certificate format you should choose

the certificate registration key

the IP address (or host name) of the VPN gateway


Creating Check Point Certificate PKCS#12

If your system administrator has asked you to save the certificate in the PKCS#12 format, follow the instructions in this section.

To create a PKCS#12 file:

1. Open VPN Main and click VPN Settings.

2. In the Certificates tab, click Create Certificate.

The Check Point Certificate window appears.

3. Select Store as a file (PKCS #12) and click Next.

4. Provide the connection site IP address or host name and the registration key. Click Next.

5. Provide and confirm a password for use with the certificate. Click Next.

6. In the confirmation window that appears, click Finish.

Creating Check Point Certificate CAPI Token

If your system administrator has asked you to save the certificate as a hardware or software token, follow the instructions in this section.

Before you begin, make sure your administrator has specified which Cryptographic Service Provider (CSP) to use. Some CSPs need special hardware (for example, a token reader/writer), while others do not. Endpoint Security works with the CSPs supported by Windows, and Check Point provides the Internal Certificate Authority (ICA) of the security gateway as a CSP.

To create a hardware or software token:

1. Open VPN Main and click VPN Settings.

2. In the Certificates tab, click Create Certificate.

The Check Point Certificate window appears.

3. Select Store on a hardware or software token (CAPI). Click Next.

4. Select the Cryptographic Service Provider (CSP) for your certificate storage, and then click Next.

Note - Each CSP uses its own unique configuration windows. For specific details, consult your CSP documentation.

5. Provide the connection site IP address or host name and the registration key. Click Next.

6. Click Security Level, select the level specified by your administrator, and click Next.

7. In the window that appears, click Finish.

8. Click Yes.

9. In the window that appears, click Finish.

Storing PKCS#12 in CAPI Store

If you are using the Check Point Internal Certificate Authority (ICA) of the security gateway as a CSP, you can use this procedure to store PKCS#12 files in the CAPI store.

To enter the PKCS#12 file into the CAPI store:

1. Double-click the file with the p12 extension.

The certificate import wizard opens.

2. Click Next.

The correct path to the file you wish to import is shown automatically.

3. Click Next, and enter the password for the private key.

This is the password you obtained from your system administrator.

Enable strong private key protection: you will be prompted to enter the password each time the private key is used by the client.

Mark this key exportable: the key can be backed up or transported at a later time.

4. Click Next, and either allow the file to be automatically stored or browse to a specific storage folder.

5. Click Finish to complete the certificate import wizard.

Saving the Certificate in Another Location

You, or your administrator, may choose to not save your certificate to the CAPI store.

For example, if you use several desktop workstations and laptops, it is not recommended to install your certificate on all of them.


For this reason, your system administrator may stop using the certificate stored in the CAPI store and instead require you to authenticate directly with a PKCS#12 certificate stored on a floppy disk or USB drive. If this happens, a message is displayed when you try to connect to the active site; browse to the drive where the certificate is stored.

To save the certificate:

1. Save the PKCS#12 certificate to a floppy or USB disk.

2. Configure the authentication scheme to use certificates (in the site's Properties window, Authentication tab).

3. From the Certificate drop-down list, select From File.

4. Browse to the certificates stored on a floppy or USB disk.

5. Enter the certificate's password.

6. Click Connect.

Renewing Check Point Certificates

Endpoint Security client automatically prompts you to renew your Check Point certificate shortly before it expires. You can also renew the certificate at any time.

To renew a certificate with VPN Settings (Legacy Endpoint Security VPN):

1. Open VPN Main and click VPN Settings.

2. In the Certificates tab, click Renew Certificate.

The client displays the Renew Check Point Certificate window automatically if your certificate is about to expire.

3. In the Certificate field, confirm the location of your current certificate or browse to the new location.

4. In the Current password field, provide the password to open the certificate.

5. Click Next.

The Save Certificate window appears.

6. Confirm the certificate file name and location.

7. Provide the new password in the Password and Confirm Password fields.

Your password should contain at least six characters, of which four must be unique.

8. Click Next.

The Check Point Certificate window appears.

9. Click Finish.

The client will use this renewed certificate the next time you authenticate to a site.

Creating Profiles and Sites in the Legacy VPN Client

A site represents the organization to which you want to connect. A profile defines the parameters the client will use to connect to your site.

Note - Profiles are supported by Legacy Endpoint Security VPN only.

Before Endpoint Security VPN connects to a site it needs to obtain information regarding the site's structure or Topology, such as the computers and servers available within the organization. The connection wizard gathers this site information. The initial connection, which is different from all subsequent connections, obtains the site's topology. During this process you are requested to authenticate either by supplying a certificate, or through some other means. If you are using certificates to authenticate yourself but have not received one from your system administrator, you will be asked to register. Registering a certificate means that you will complete a certificate creation process which was initiated by your system administrator.

The Settings window displays all your connection profiles, either those you created yourself or profiles created for you by your system administrator. Use this window to define your site and authentication methods.

Managing Connection Profiles

A connection profile defines the parameters the client uses to connect to your site. Most users need only one profile. However, if your network environment changes frequently (for example, if you sometimes connect from hotels or from a partner company's network), you or your system administrator may need to create several different profiles. Each profile connects to the site in a slightly different way, for example using Office mode or Hub mode. Endpoint Security client automatically downloads new profile information when you perform a site update. If you have more than one profile, contact your administrator to find out which one to use.

The functions described in this section are only available in extended view. (For details on compact versus extended view, see Compact and Extended VPN Interfaces (on page 22).)

Creating Profiles

If you are using VPN extended view, your system administrator might require you to create a new connection profile for a particular site. Note that you can only create a new connection profile if you have already defined at least one site.

To create a new connection profile:

1. Do one of the following:

Open VPN Main and click VPN Settings.

Right-click or double-click on the system tray icon, select Connect to VPN and then click Options.

2. In the Connections tab, click New Profile.

The Profile Properties window opens.

3. Provide a profile name and description.

4. Select a site from the Site drop-down list.

5. Select a gateway from the Gateway drop-down list.

6. Open the Advanced tab, and select any configuration options specified by your administrator.

7. Click OK to close the Profile Properties window and then click OK to close the VPN Settings window.

Exporting and Importing Profiles

You can export (save) and import existing profiles, for example when your administrator creates a profile and asks you to import it.

To export a profile:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, do one of the following:

Select the desired profile and then click Options > Export Profile.

Right-click the desired profile and select Export Profile.

The profile is saved as a file with the srp extension.

To import a profile:

Click New > Import Profile.

Cloning Profiles

You can clone profiles and then modify and save them as new profiles.

To clone a profile:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, do one of the following:

Select the desired profile and then click New > Clone Profile.

Right-click the desired profile and select Clone Profile.

The Profile Properties window appears.

3. Modify the profile properties as desired. For example, change the name, the description, or the gateway.

4. Click OK.

Changing Profiles

If you are using VPN extended view and if you have configured more than one profile, you can change the profile with which you connect.

Note - You cannot change profiles while connected to a VPN site.


To switch profiles:

1. If you are connected to a VPN site, disconnect by doing one of the following:

Right-click the Endpoint Security system tray icon and select Disconnect from VPN.

Open VPN and click Disconnect.

2. Open the VPN Connection window by doing one of the following:

Right-click the Endpoint Security system tray icon and select Connect to VPN.

Open VPN and click Connect.

The VPN Connection window opens.

3. In the Location Profile drop-down list, choose the desired profile.

4. Provide your password and click Connect.

The selected profile is now the default.

Creating Profile Desktop Shortcut

You can create a desktop shortcut that brings up the VPN Connection window, configured to use your chosen profile. This works only for profiles that specify a particular gateway (as opposed to profiles that use the default, "Any Gateway").

To create a profile shortcut:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, do one of the following:

Select the desired profile and then click Options > Create Shortcut.

Right-click the desired profile and select Create Shortcut.

You can now double-click the shortcut on your desktop to initiate a VPN connection.

Viewing Profile Properties

The client displays profile properties in the Profile Properties window. This same window also appears when you start to clone a profile or create a new profile.

To view profile properties:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, right-click the profile and choose Properties.

The Profile Properties window appears.

3. Click a tab:

General: Shows the site name, site description, and gateway.

Advanced: Set Office Mode, connectivity enhancements, Visitor Mode, and Hub Mode.

Deleting Profiles

If you use VPN extended view, you can delete profiles when they are no longer useful.

Note - You can only delete a profile that you created; you cannot delete a profile provided by your network administrator.

To delete profiles:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, do one of the following:

Select a profile and then click Delete.

Right-click a profile and select Delete Profile.

3. In the confirmation window, click Yes.

Managing VPN Sites

Before you establish a VPN connection, you must define a site (a VPN server or device) to which the client connects. A site definition tells the client how to connect to the VPN site. During the initial connection, you must authenticate by supplying a certificate or authenticate through some other means. The client then obtains the site's structure (or topology). After the site is defined, VPN connections can be opened.


Defining Sites

If you have configured the client to display the extended version of the VPN interface, you can define additional sites as needed. Using the instructions in this section, follow the Site Wizard to define a new site.

Before defining a site, make sure your administrator gives you:

Information about your method of authentication (user name and password, certificate, or similar). If you are planning to use a certificate for authentication, you should already have created the certificate or received one from your administrator (see Managing Certificates (on page 24)).

The name or IP address of the security gateway that provides remote access to the corporate network.

Preparing:

If you are using Endpoint Security VPN functionality for the first time, and have not defined a site:

1. Open VPN Main and click Connect.

2. In the window that opens, click Yes.

If you have already defined a VPN destination site, and now want to define another:

1. Open VPN Main and click VPN Settings.

2. Open the Sites tab.

3. Do one of the following:

If you are in extended view, click New Site.

If you are in compact view, click Define Server.

If you are in the Sites tab, click New.

The Site Wizard window appears.

To define a site:

1. Provide the VPN site IP address or host name.

2. Select Display Name and provide a display name.

3. Click Next.

The client takes a moment to identify the site.

4. Select the method of authentication. The choices and subsequent actions are:

User name and Password: Click Next to advance to the User Details window. Provide your user name and password, and click Next.

Certificate: Click Next to advance to the Certificate Authentication window. Browse and select your certificate and then provide the certificate password. Click Next.

SecurID: Click Next to advance to the SecurID Authentication window. Choose Use Key FOB hard token, Use PinPad card, or Use SecurID Software token. Click Next. Provide the necessary information for your authentication type. Click Next.

Challenge Response: Click Next to advance to the Challenge Response window. Provide your user name and click Next.

5. If prompted, choose the desired connectivity setting (Standard or Advanced) and click Next.

After a short wait, the Please Validate Site window displays the certificate's fingerprint and distinguished name (DN).

If your administrator gave you the site's fingerprint and DN, compare them to those in the window. If they match, click Next.

The Site Created Successfully window appears.

6. Click Finish.
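As an added example (not part of the guide or of the Check Point client), the comparison in step 5 done in code: compute the fingerprint of a site certificate from its DER or PEM bytes, normalize whatever format the administrator handed over, and accept the site only when both the fingerprint and the DN match. The certificate bytes and the DNs are constructed sample values, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a site certificate's DER bytes (not a real X.509 certificate).
# A fingerprint is simply a hash of those bytes, so the logic is the same for a real one.
SAMPLE_DER = b"\x30\x82\x01\x04" + bytes(range(256))


def sample_pem() -> str:
    """The constructed certificate wrapped the way a PEM file stores it."""
    body = base64.encodebytes(SAMPLE_DER).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the DER bytes, colon-separated the way most dialogs display it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def normalize_dn(dn: str) -> str:
    """Collapse whitespace around commas and fold case for a relaxed DN comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def site_matches(der: bytes, expected_fingerprint: str, expected_dn: str, shown_dn: str) -> bool:
    """True only if both the fingerprint and the DN agree with what the administrator supplied."""
    expected = normalize_fingerprint(expected_fingerprint)
    # Pick the hash from the length of the value the administrator supplied (SHA-1 or SHA-256).
    algorithm = {40: "sha1", 64: "sha256"}.get(len(expected))
    if algorithm is None:
        return False  # unknown length: do not guess, treat as a mismatch
    actual = normalize_fingerprint(fingerprint(der, algorithm))
    fp_ok = hmac.compare_digest(actual.encode(), expected.encode())
    dn_ok = normalize_dn(expected_dn) == normalize_dn(shown_dn)
    return fp_ok and dn_ok
```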

Viewing Site Properties

The client lets you view site properties, such as the site IP address and the authentication method. Information in the Site Properties window is divided into the following categories:

General: Shows the site name, site IP address, and the last site update time.

Authentication: View or modify the authentication method. See Changing Authentication Methods (on page 23).

Advanced: Enable the NAT-T protocol. See Enabling Connectivity Enhancements (see "NAT Traversal" on page 36).


To view site properties:

1. Open VPN Main and click VPN Settings or VPN Options.

2. In the Connections tab or Sites tab, right-click the desired site (not the profile, but the site that holds the profile) and choose Properties.

The Site Properties window appears.

3. Open General, Authentication, or Advanced tab.

Updating Sites

When you update a site, you download any new client settings and any updated information about the site and its associated profiles, including any new profiles your administrator has configured. To update a site, you must first be connected to the site. If you are not connected when you attempt to update, the client prompts you to connect.

To update a site:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab or Sites tab, select a site and click Options > Update Site.

If you are already connected to the site, a progress window indicates when the update is complete.

If you are not connected, the client prompts you to connect. You must do so to complete the update.

Disabling Sites

You can disable a site, and then enable it later. Note that by disabling a site, you also disable all associated profiles.

To disable a site:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, disconnect your VPN connection.

3. Do one of the following:

Select the desired site and then click Options > Disable Site.

Right-click the desired site and select Disable Site.

A red "x" appears on the icons for the site and associated profiles indicating they are disabled.

To re-enable a site:

Select the site and then click Options > Enable Site.

Right-click the site and select Enable Site.

Deleting Sites

You can delete sites when they are no longer useful.

Important - If you delete a site, you also delete all associated profiles.

To delete sites:

1. Open VPN Main, click VPN Settings, and open the Connections tab.

2. Disconnect your VPN connection.

3. Do one of the following:

Select the site and then click Delete.

Right-click the site and select Delete Site.

4. In the confirmation window that appears, click Yes.

Connecting and Disconnecting Using the Legacy Client

This section explains how to connect to and then disconnect from a VPN site. The instructions assume you have already defined at least one site.

To connect to an existing site:

1. Right-click the Endpoint Security icon in the system tray and select Connect to VPN. Or, in Endpoint Security VPN, click Connect.

The VPN Connection window opens. Depending on your authentication method, the window displays different fields. For example, if you authenticate using certificates, the certificate path is displayed and you are prompted to provide your password.

2. Provide the appropriate information and click Connect.

Endpoint Security displays a window showing progress and whether the connection is successful.

To disconnect:

1. Do one of the following:

Right-click the Endpoint Security icon in the system tray and select Disconnect from VPN.

In Endpoint Security, open VPN and click Disconnect.

A confirmation window appears.

2. Click Yes.

Connection Status

You can view different types of connection status information.

To view connection status information:

Open VPN: View current connection status, active profile name, connection duration, and remaining time before re-authentication.

Open VPN > Activity: View details about the compression and decompression of IP packets.

Open VPN and click the Connection Details link: View connection details.

Understanding Connection Details - Legacy VPN

Endpoint Security client provides the following categories of information about the current connection, if your VPN is SecureClient (Legacy Check Point VPN).

Table 3-6 Legacy VPN Connection Details

Status Summary: Client connection status, gateway IP address, current computer's IP address.

Connections: Name, IP address, site name, and tunnel properties of each available gateway. The active gateway is designated "(Primary)".

Gateway information: More gateway information.

UDP Encapsulation: Enables Endpoint Security client to overcome problems created by a Hide NAT device.

Visitor Mode: Enables Endpoint Security client to connect through a gateway that limits connections to port 80 or 443.

Office Mode: Prevents IP address conflicts on remote networks by ensuring that the client receives a unique IP address from the gateway.

Tunnel Active: Indicates whether the VPN tunnel is open.

IP Compression: Indicates whether data is compressed for slow links, such as dialup.

IKE Over TCP: Indicates whether IKE negotiation is over TCP or not (if not, it is over UDP). Enable for complex IKE.

Tunnel MTU Properties: Current Maximum Transmission Unit (MTU). When the client is communicating across multiple routers with a site, it is the smallest MTU of all the routers that is important.

Computer: Current computer's connection status and other connection information.

Active Connection Settings: Summary of the current profile, including the site to connect to, gateway host name, and protocol specifications.

Name: Name of the connection profile, as it appears in the VPN Connection window. It might be an IP address.

Description: Descriptive name for the profile, showing additional information.

Site: Name of the site to connect to.

Profile Gateway: Name of the gateway specified in the connection profile.

Selected Gateway: Actual gateway chosen for the connection; may differ from the gateway defined in the connection profile.

Gateway defined in the connection profile: Name of the defined gateway.

Support Office mode: Indicates whether Office Mode is supported.

Support IKE over TCP: Indicates whether the tunnel negotiation is taking place over TCP instead of UDP to avoid packet fragmentation.

Force UDP Encapsulation: Indicates whether UDP encapsulation is being used to overcome problems created by hide NAT devices that do not support packet fragmentation.

Visitor Mode: Indicates whether Visitor Mode is active.

Route all traffic through gateway (Hub mode): Indicates whether Hub Mode is active.

Tunnel MTU Discovery: Indicates whether the process that discovers the MTU from Endpoint Security to the gateway is active.

Enabling Logging

For troubleshooting purposes, your system administrator may ask you to create a report log. The report log contains site-specific information and should be treated as strictly confidential. Send the report only to your system administrator or another authorized authority.

To enable logging:

1. Open VPN Main and click VPN Settings.

2. In the Advanced tab, select Enable Logging.

To send logs:

1. In the Advanced tab, click Save Logs.

If a message appears (Send this report only to your system administrator.), click OK.

2. Wait while the logs are collected. A confirmation message appears; click OK.

The folder where the logs are saved opens.

3. Send the CAB or TGZ file to the administrator.


Configuring Connection Options

This section describes various connection and login options available to the legacy VPN Client.

Note - Auto-Connect, Secure Domain Logon, and Auto Local Logon are not available in the compact version of the VPN interface.

Auto-Connect

This option is available in Legacy Endpoint Security VPN only.

Auto-connect prompts you to establish a VPN connection when you first try to access a private network, such as the company intranet. This saves you the time of navigating through Endpoint Security and initiating the connection yourself.

In Auto-Connect mode, the client prompts you to establish a VPN connection every time it detects traffic destined for your corporate network or intranet site.

If you choose to connect, the client encrypts traffic to the site.

If you do not connect, the client prompts you to indicate how long to wait before reminding you again to connect. During this time, traffic to the site is sent unencrypted. However, if your site is configured to drop all unencrypted traffic, you will not be able to communicate with servers behind the site's gateway.

If Office Mode is also enabled, you must re-initiate the connection after the Auto-Connect connection has succeeded.

To activate Auto-Connect:

1. Open VPN Main and click VPN Settings.

2. In the Options tab, select the Enable Auto-Connect checkbox and click OK.

The Enable Auto Connect window appears.

3. Select a re-launch option.

4. Click OK.

Secure Domain Logon

This option is available in Legacy Endpoint Security VPN only.

In a Windows environment, your account may belong to a domain controlled by a domain controller (a computer that provides Microsoft Active Directory service to network users and computers). Secure Domain Login (SDL) is useful when the domain controller lies behind your site's firewall.

When you try to establish a VPN connection to a Windows domain, the client sends your login credentials to the domain controller for verification. When you enable SDL, the client establishes the VPN connection before communicating with the domain controller.

To enable Secure Domain Logon:

1. Open VPN Main and click VPN Settings.

2. In the Options tab, select Enable Secure Domain Logon and click OK.

Auto Local Logon

This option is available in Legacy Endpoint Security VPN only.

If you log in to the VPN site with a user name and password (as opposed to logging on with a certificate), you can enable Auto Local Logon to automate your login.

If you enable both Auto Local Logon and Auto-Connect, the client automatically establishes a VPN connection when you first try to access a site that requires encrypted communication (that is, traffic whose destination is the VPN site). This is useful for unattended computers that serve many end users as a terminal.

To enable Auto Local Logon:

1. Open VPN Main and click VPN Settings.

2. In the Options tab, select Enable Auto Local Logon and click Auto Local Logon Options.

The Auto Local Logon window appears.

3. Provide your Windows user name and password, and VPN user name and password and then click OK.


A message displays stating that your change will be applied after the next reboot.

4. When the window closes, click OK to close the VPN Settings window.

Connecting Through a Hotspot

Your enterprise or disconnected policy may not automatically allow access to your network through a wireless hot-spot provided by a hotel or other public place. Your policy may allow you to partially override this restriction to register a hot-spot. This override is temporary, and has the following limitations:

Only ports 80, 8080, and 443 are opened. These ports are commonly used for hot-spot registration.

No more than five IP addresses are allowed while registering the hot-spot.

Ports 80, 8080, and 443 are closed if any of these events occur:

The client successfully connects to the network

Ten minutes pass

Three connection attempts result in failure

To enable hot-spot registration:

1. Do one of the following:

Right-click the system tray icon and select Register to Hotspot/Hotel.

Open the Connect window and click Options, then select Register to Hot Spot/Hotel.

A message appears, indicating the time period allowed for registration.

2. Connect to the Internet.

If the Register to Hotspot/Hotel option is not available, this feature has been disabled by your network administrator.

Enabling Office Mode

Office Mode causes the gateway to assign your computer a temporary IP address that does not conflict with any other IP address at the site. The assignment is made after authentication and remains valid as long as you are connected. This feature overcomes certain connectivity issues.

Office Mode can be enabled through a profile that your administrator deploys to your client, or you can enable it manually.

To enable Office mode:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, right-click the profile and choose Properties.

The Profile Properties window appears.

3. Click the Advanced tab, select Office Mode, and click OK.

VPN Tunneling (Hub Mode)

Hub Mode enables Endpoint Security VPN to use the site's gateway as a router, thus making all the client's traffic available for content inspection, and introducing an extra layer of security. If your system administrator decides to use Hub Mode, you might be instructed to enable it manually.

To enable Hub mode:

1. Open VPN Main.

2. If you see VPN Settings button:

a) Click VPN Settings.

b) In the Connections tab, select a profile and click Properties.

c) Open the Advanced tab.

d) Select Route all traffic through gateway and click OK.

Proxy Settings (Visitor Mode)

If you connect to the organization from a remote location such as a hotel or the offices of a customer, Internet connectivity may be limited to web browsing using the standard ports designated for HTTP, typically port 80 for HTTP and port 443 for HTTPS. The remote client needs to perform an IKE negotiation on port 500 or send IPSec packets (instead of the usual TCP packets); therefore, a VPN tunnel cannot be established in the usual way. This issue is resolved using Visitor Mode (also known as TCP Tunneling), through a proxy server.

Before you configure proxy settings, contact your system administrator for a valid user name and password to use to access the proxy. You may also need the proxy server IP address and port number.

To configure proxy settings:

1. Open VPN Main and click VPN Settings.

2. On the Options tab, click Configure Proxy Settings.

3. Configure proxy settings.

No proxy / transparent proxy: Default.

Detect proxy from Internet Explorer settings: Client takes proxy settings from Microsoft Internet Explorer. Before selecting this setting, make sure the settings are defined manually: in Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN Settings and select "Use a proxy server for this connection". If the "Automatically detect settings" option or the "Use automatic configuration script" option is selected, the client will not be able to detect the proxy settings from Microsoft Internet Explorer.

Manually define proxy: If the proxy's settings cannot be automatically detected, you may be required to configure the Microsoft Internet Explorer settings according to the instructions, IP address, and port number provided by your system administrator.

4. In the Proxy Authentication section, provide the user name and password for proxy authentication.

5. Click OK.

Dial Up Support

The option to configure and use dialup connections through Endpoint Security is available if you have the Endpoint Connect VPN client.

If no network is available when you try to connect to a site, and no dialup connection has been configured, the Endpoint Connect client displays a message:

Connection Failed No network detected Click here to activate dialup

Click the link to open the New Connection Wizard and configure a dialup connection.

If a single dialup connection is already defined, click the link to dial and connect.

If multiple dialup connections are defined, a list is displayed. Choose a connection and Endpoint Connect dials it.

If Transparent Network and Interface Roaming is enabled, and the VPN is in the Reconnecting state, Endpoint Connect displays a Reconnecting message with the link to activate dialup.

Advanced Configuration Options in the Legacy Client

If you are using the extended version of the VPN interface, the client provides the following advanced configuration options.

Suspending Popup Messages

When Endpoint Security VPN is disconnected from the site, and Auto-Connect is enabled, every time Endpoint Security VPN detects traffic destined for the site, a popup message prompts you to connect. Clicking inside this message displays the Suspend Popup message; clicking Cancel displays an option to suspend popup messages.

If you choose to suspend popup messages, for example for sixty minutes, then during those sixty minutes all traffic to the site is either dropped or sent unencrypted. When the sixty minutes expires, you are once again prompted to connect each time Endpoint Security VPN detects traffic destined for the site.


NAT Traversal

To use NAT (Network Address Translation) with VPN, you need to configure your VPN client to support NAT-T. You must do this in cooperation with the administrator of the firewall gateway, as NAT-T ports and options must be configured in both your client and the gateway to support each other.

To enable Connectivity Enhancements:

1. Open VPN Main and click VPN Settings.

2. In the Connections tab, right-click the profile and choose Properties.

The Profile Properties window appears.

3. On the Advanced tab, select Use NAT-T Traversal Tunneling and configure:

IKE over TCP: Solves the problem of large UDP packets created during IKE phase I, by using TCP packets. This option is relevant if the VPN uses IKE protocols. The administrator must enable support of IKE over TCP.

Force UDP Encapsulation: Solves the problem of large UDP packets by wrapping them in IPSec headers. The administrator must enable port 2746 for source and destination.

4. Click OK.

To use NAT (Network Address Translation) with VPN, you need to configure your VPN client to support NAT-T. Do this with your system administrator. NAT-T ports and options must be configured in both your client and the gateway to support each other.

To enable NAT-T:

1. Open VPN Main and click VPN Settings.

2. Select the Site and click Properties.

3. On the Advanced tab, select Enable NAT-T protocol.

Note - Enable NAT-T should be the default option.

4. Click OK.

Command Line Options

Command Explanation

SCC VPN commands executed on SecureClient are used to generate status information, stop and start services, or connect to defined sites using specific user profiles.

scc connect Connects to the site using the specified profile, and waits for the connection to be established. In other words, the OS does not put this command into the background; the next command in the queue is executed only after this one completes.

scc connectnowait Connects asynchronously to the site using the specified profile. This means, the OS moves onto the next command in the queue and this command is run in the background.

scc disconnect Disconnects from the site using a specific profile.

scc erasecreds Unsets authorization credentials.

scc listprofiles Lists all profiles.

scc numprofiles Displays the number of profiles.

scc restartsc Restarts SecureClient services.

scc passcert Sets the user's authentication credentials when authentication is performed using certificates.


scc setmode <mode> Switches the SecuRemote/SecureClient mode.

scc setpolicy Enables or disables the current default security policy.

scc sp Displays the current default security policy.

scc startsc Starts SecureClient services.

scc status Displays the connection status.

scc stopsc Stops SecureClient services.

scc suppressdialogs Enables or suppresses dialog popups. By default, suppressdialogs is off.

scc userpass Sets the user's authentication credentials -- username, and password.

scc ver Displays the current SecureClient version.

scc icacertenroll Enrolls a certificate with the internal CA. The command receives four parameters: site, registration key, filename, and password. Currently the command only supports the creation of p12 files.

scc sethotspotreg Enables HotSpot/Hotel registration support.

Switching to Endpoint Connect

There may be occasions when your site administrator requests you to switch from the Legacy VPN client to Endpoint Connect. The administrator will provide the command line tool called: changeVPN.exe.

1. Copy changeVPN.exe to a folder on your local machine.

2. Open a command prompt:

Start > Run > cmd

3. Change directory to the folder where you saved changeVPN.exe

4. Run:

ChangeVPN EPC

Executing this command terminates existing VPN connections, and prevents additional connections until the client machine is rebooted.

5. Reboot the client machine.

Check Point Endpoint Connect VPN Client

This section covers the configuration options available for Check Point Endpoint Connect.

Authentication in Endpoint Connect

This section covers authentication and credential management in the Check Point Endpoint Connect VPN client.

User Name and Password

User name and password is the simplest form of authentication. Together with your system administrator, decide on an appropriate user name and password. Strong passwords:


Are lengthy

A 15-character password composed of random letters and numbers is much more secure than an 8-character password composed of characters taken from the entire keyboard. Each character that you add to the password increases the protection that the password provides.

Combine letters, numbers, and symbols

A mixture of upper and lower case letters, numbers, and symbols (including punctuation marks not on the upper row of the keyboard).

Avoid sequences or repeated characters

For example 12345, or aaaaa.

Avoid look-alike substitutions of numbers or characters

For example replacing the letter "i" with the number "1", or zero with the letter "o".

Avoid your login name

Avoid dictionary words in any language

These authentication credentials are stored either in the security server database or on an LDAP or RADIUS server.
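As an added illustration of the rules above (not Check Point code), the following Python script turns each point into a check; the 15-character threshold, the three-character run length, the look-alike table and the tiny word list are assumptions made for the example.

```python
"""Checks for the 'Strong passwords' rules listed in the guide.

Added example, not Check Point code. Each rule from the guide becomes one
check; thresholds, the look-alike table and the dictionary are assumptions.
"""
import string

MIN_LENGTH = 15   # assumption: the guide cites a 15-character random password as strong
RUN_LENGTH = 3    # assumption: three or more identical or consecutive characters count

# Look-alike substitutions the guide warns about, undone before the word checks (assumed table).
LOOKALIKES = str.maketrans({
    "1": "i", "!": "i", "|": "l", "0": "o", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})

# Constructed mini dictionary; a real deployment would use full word lists in every relevant language.
SAMPLE_DICTIONARY = {"password", "welcome", "secret", "summer", "dragon", "monkey"}


def normalize(password: str) -> str:
    """Lower-case the password and undo look-alike substitutions (P@ssw0rd -> password)."""
    return password.lower().translate(LOOKALIKES)


def has_run(password: str) -> bool:
    """True if RUN_LENGTH characters in a row are identical (aaa) or consecutive (123, cba)."""
    for i in range(len(password) - RUN_LENGTH + 1):
        window = password[i:i + RUN_LENGTH]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_word(text: str, words, min_len: int = 4) -> bool:
    """True if any dictionary word of at least min_len characters appears inside text."""
    return any(w in text for w in words if len(w) >= min_len)


def check_password(password: str, login_name: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the list of guide rules the password breaks (empty list = passes every check)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if not all(classes):
        problems.append("missing character class")
    if has_run(password):
        problems.append("sequence or repeated characters")

    lowered, normalized, login = password.lower(), normalize(password), login_name.lower()
    if login and login in normalized:
        problems.append("contains login name")
    if contains_word(normalized, dictionary):
        problems.append("contains dictionary word")
    # The raw string passed the word checks but the de-substituted form did not:
    # the password relies on look-alike substitutions rather than on real entropy.
    raw_hit = (login and login in lowered) or contains_word(lowered, dictionary)
    norm_hit = (login and login in normalized) or contains_word(normalized, dictionary)
    if norm_hit and not raw_hit:
        problems.append("look-alike substitution")
    return problems


if __name__ == "__main__":
    for candidate in ("aaaaa12345", "P@ssw0rd", "Alice2024!qmz", "kR7#vq2Lx9!pWz4m"):
        print(f"{candidate!r}: {check_password(candidate, 'alice') or 'passes all checks'}")
```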

Understanding Certificates

A certificate is the digital equivalent of an ID card issued by a trusted third party known as a Certification Authority (CA). While there are well known external CAs such as VeriSign and Entrust, Endpoint Connect typically uses the digital certificates issued by the site's security gateway, which has its own Internal Certificate Authority (ICA). The digital certificate used by Endpoint Connect contains:

Your name

A serial number

Expiration dates

A copy of the certificate holder's public key (used for encrypting messages and digital signatures)

The digital signature of the certificate-issuing authority, in this instance the ICA, so that the security gateway can verify that the certificate is real and (if real) still valid.

A certificate is a file in the PKCS#12 format with the .p12 extension.

Certificates are either supplied by your system administrator, or obtained through the enrollment and renewal process. See Certificate Enrollment and Renewal (on page 40).

Certificates can either be imported to the CAPI store or saved to a folder of your choice.

Storing a Certificate in the CAPI Store

By means of a Windows software library that implements the Microsoft Cryptographic Application Programming Interface (CAPI), Check Point certificates for Endpoint Connect are stored as either hardware or software tokens. A token is a complex string of numbers used for authentication and encryption. CAPI enables Windows-based applications such as Endpoint Connect to perform secure, cryptographic operations.

Controlled by the Windows operating system, the CAPI store is a repository of digital certificates associated with a given Cryptographic Service Provider (CSP). CAPI oversees the certificates, while each CSP controls the cryptographic keys belonging to the certificates. For Endpoint Connect, the CSP is the Internal Certificate Authority (ICA) of the security gateway.

If you are using certificates for authentication, your system administrator will supply (out of band) a file with a P12 extension. This is a PKCS#12 file, a format commonly used to store private encryption keys. The PKCS#12 file is password protected. The password will have been set by your system administrator. Once you have this password from your system administrator, you can enter your certificate into the CAPI store.
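As an added example (not part of this guide or of the Check Point client), the following Python script, using the third-party cryptography package, builds a constructed PKCS#12 bundle signed by a toy ICA and then opens it with its password to read the fields listed under Understanding Certificates and to confirm the ICA signature, the private-key match and the validity period before the file is trusted; the names, serial number and password are constructed values.

```python
"""Inspect a password-protected PKCS#12 (.p12) bundle before importing it.

Added example, not Check Point code. Requires the third-party 'cryptography'
package. A constructed sample bundle is built first so the script runs offline.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _sign_cert(subject, issuer, issuer_key, public_key, serial, days, is_ca):
    """Build and sign an X.509 certificate (helper for the constructed sample)."""
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_sample_p12(password: bytes, user_cn: str = "alice", serial: int = 4242) -> bytes:
    """Constructed sample: a toy ICA issues a user certificate; the user's private key,
    certificate and the ICA certificate are bundled into a password-protected PKCS#12."""
    ica_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ica_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-gateway ICA (constructed)")])
    ica_cert = _sign_cert(ica_name, ica_name, ica_key, ica_key.public_key(), 1, 3650, True)

    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user_cn)])
    user_cert = _sign_cert(user_name, ica_name, ica_key, user_key.public_key(), serial, 365, False)

    return pkcs12.serialize_key_and_certificates(
        user_cn.encode(), user_key, user_cert, [ica_cert],
        serialization.BestAvailableEncryption(password),
    )


def inspect_p12(data: bytes, password: bytes) -> dict:
    """Open the bundle with its password and report the certificate fields plus three checks:
    the private key matches the certificate, the certificate is within its validity period,
    and its signature verifies under the issuer certificate shipped in the same bundle.
    A wrong password makes the loader raise ValueError."""
    key, cert, extra_certs = pkcs12.load_key_and_certificates(data, password)
    extra_certs = extra_certs or []

    # Validity dates: prefer the tz-aware accessors of newer 'cryptography' releases.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    now = datetime.datetime.now(UTC)

    # Issuer signature: find the bundled certificate whose subject is our issuer and verify with its key.
    issuer = next((c for c in extra_certs if c.subject == cert.issuer), None)
    signed_by_issuer = False
    if issuer is not None:
        try:
            issuer.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                padding.PKCS1v15(), cert.signature_hash_algorithm,
            )
            signed_by_issuer = True
        except InvalidSignature:
            signed_by_issuer = False

    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "serial": cert.serial_number,
        "not_before": not_before,
        "not_after": not_after,
        "currently_valid": not_before <= now <= not_after,
        "key_matches_cert": key is not None
        and key.public_key().public_numbers() == cert.public_key().public_numbers(),
        "issuer_in_bundle": issuer is not None,
        "signed_by_issuer": signed_by_issuer,
    }


if __name__ == "__main__":
    pw = b"constructed-sample-password"
    report = inspect_p12(build_sample_p12(pw), pw)
    for field, value in report.items():
        print(f"{field:>18}: {value}")
```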

To enter the PKCS#12 file into the CAPI store:

1. Double-click the file with the p12 extension.

The certificate import wizard opens.

2. Click Next.

The correct path to the file you wish to import is automatically shown:


3. Click Next, and enter the password for the private key.

This is the password you obtained from your system administrator. If you:

Select Enable strong private key protection, you will be prompted to enter the password each time the private key is used by the client.

Select Mark this key exportable, the key can be backed up or transported at a later time.

4. Click Next, and either allow the file to be automatically stored or browse to a specific storage folder.

5. Click Finish to complete the certificate import wizard.

Saving the Certificate to a Folder of Your Choice

If you do not wish to save your certificate to the CAPI store, for example you use several desktop workstations and laptops and for security reasons do not wish to leave your certificate on different machines, then save the PKCS#12 certificate to a floppy or USB disk. Then:

1. Configure the client to use certificates for authentication. (See Changing Authentication Schemes (on page 40))

2. From the drop-down Certificate box, select From File.

3. In the From File area, browse to the certificates stored on a floppy or USB disk.

4. Enter the certificate's password.

5. Click Connect.

Note - If you have the Always-Connect option configured, then each time the client loses communication with the site, you will be prompted to enter the certificate's password.

Another advantage of not having the PKCS#12 certificate in the CAPI store is that, if someone steals your laptop, they will not be able to use the client to connect to the site without knowing the password, even if they have the PKCS#12 file. For this reason, your system administrator may switch from using the certificate stored in the CAPI store to requiring you to authenticate using the PKCS#12 certificate directly. If this happens, a message displays when you try to connect to the active site. Browse to the folder where the certificate is stored.

SecurID

The RSA SecurID authentication mechanism consists of either hardware (FOB, USB token) or software (softID) that generates an authentication code at fixed intervals (usually one minute) using a built-in clock and an encoded random key.

The most typical form of SecurID Token is the hand-held device. The device is usually a key FOB or slim card. The token can have a PIN pad, onto which a user enters a Personal Identification Number (PIN) to generate a passcode. When the token has no PIN pad, a tokencode is displayed. A tokencode is the changing number displayed on the key FOB.

The Endpoint Connect site wizard supports both methods as well as softID. For more information, see: SoftID (on page 39).

Endpoint Connect uses both the PIN and tokencode or just the passcode to authenticate to the security gateway.

SecurID Authentication Devices

Several versions of SecurID devices are available. The older format is a small device that displays a numeric code (tokencode) and time bars. The token code changes every sixty seconds, and provides the basis for authentication. To authenticate, the user must add to the beginning of the tokencode a special PIN (Personal Identification Number). The time bar indicates how much time is left before the next tokencode is generated. The remote user is requested to enter both the PIN number and tokencode into the Client's main connection window.

The newer format resembles a credit card, and displays the tokencode, time bars and a numeric pad for typing in the PIN. These types of devices mix the tokencode with the entered PIN to create a passcode. SecureClient requests only the passcode.

SoftID

SoftID operates the same as a passcode device but consists only of software that sits on the desktop.


The Advanced view displays the tokencode and passcode with COPY buttons, allowing the user to cut and paste between softID and the VPN client.

Key Fobs

A small hardware device with built-in authentication mechanisms that control access to network services and information is known as a key fob. While a password can be stolen without the owner's knowledge, a missing key fob is immediately apparent. Key fobs provide the same two-factor authentication as other SecurID devices: the user has a personal identification number (PIN), which authenticates them as the device's owner; after the user correctly enters their PIN, the device displays a number which allows them to log on to the network. The SecurID SID700 Key Fob is a typical example of such a device.

When the Endpoint Connect window opens for a user who has selected SecurID as the preferred method of authentication, a field for the PIN is displayed.

Challenge Response

Challenge-response is an authentication protocol in which one party presents a question (the challenge) and another party provides an answer (the response). For authentication to take place, a valid answer must be provided to the question. Security systems that rely on smart cards are based on challenge-response.

Changing Authentication Schemes

To change the authentication scheme used by the client for a specific site:

1. In the VPN window, click VPN Settings.

The Options window opens

2. On the Site tab, select the relevant site and click Properties.

The Properties window for that site opens.

3. On the Settings tab, use the drop-down Authentication Method box to select one of:

a) Username and password

b) Certificate - CAPI

c) Certificate - P12

d) SecurID - Keyfob

e) SecurID - PinPad

f) SecurID - Software token (SoftID)

g) Challenge Response

Certificate Enrollment and Renewal

Enrollment refers to the process of applying for and receiving a certificate from a recognized Certificate Authority (CA), in this case Check Point's Internal CA. In the enrollment process, your system administrator creates a certificate and sends you the certificate's registration key. The client sends this key to the gateway, and in return receives the certificate, either CAPI or PKCS#12, which is saved or stored. (See Storing a Certificate in the CAPI Store (on page 38)).

You can enroll either when creating a site or after a site is created.

Enrolling During Site Creation

To enroll for a certificate while creating a site:

1. Open the VPN panel and click VPN Settings.

2. On the Sites tab, click New.

The Site wizard opens.

Follow the wizard until you reach the Certificate Authentication window.

3. Select Check this if you don't have a certificate yet (only works with ICA certificates).

4. Click Next.


When the Site Created Successfully Message appears, click Finish.

5. When asked if you would like to create a certificate now, click Yes.

The client's enrollment window opens, either for CAPI or PKCS#12.

6. Enter the required authentication details, such as the registration key, and click Enroll.

If you have a PKCS#12 certificate, the SAVE AS window opens. Save the certificate to an appropriate directory.

(i) You are asked if you want to connect. Click Yes.

(ii) When the main connection window opens, browse to the location of your PKCS#12 certificate.

CAPI certificates are automatically entered into the CAPI store.

(i) The RSA window opens.

(ii) Click OK.

The certificate will be a protected item. Each time the client uses the certificate, you will be required to manually grant permission.

7. The Enrollment window opens.

8. When prompted, add the certificate to the root store.

9. After the Enrollment succeeded message, the connection window opens with the certificate selected.

10. Click Connect.

Enrolling After Site Creation

To enroll for a certificate after the site has been created:

1. Open the VPN panel and click VPN Settings.

2. On the Sites tab, select the site and click Properties.

The Properties dialog opens.

3. On the Settings tab, under Authentication, select the relevant certificate option, CAPI or P12 and click on Enroll.

4. Do one of the following:

If you selected P12, enter and confirm a password for your certificate.

If you selected CAPI, select the relevant certificate provider.

5. Enter your registration key and click Enroll.

6. Do one of the following:

If you selected P12 certificate:

Enter a file name for the certificate and save it to an appropriate directory.

If you selected CAPI certificate, the RSA window opens.

Click OK, and confirm that you want to install the certificate.

7. In the Enrollment succeeded window, click Connect.

The connection window opens with the certificate selected.

8. For P12 certificates, enter the password you chose for your certificate.

Click Connect.

Automatic Certificate Renewal

When using certificates for authentication, each time you connect to the site, the client checks to see how close the certificate is to its expiration date. If necessary, and simultaneously with the connect process, the certificate is renewed. A message balloon appears in the system tray: Certificate renewal in progress.

Certificate Renewal

A certificate can be renewed at any time.

To renew a certificate:

1. In the VPN window, click VPN Settings.

2. Select the site and click Properties.

3. Click Renew.


The authentication window opens.

4. Using the drop-down box, select your certificate.

5. When prompted, grant access to the protected item (your certificate).

6. Wait while the certificate is renewed.

A Renewal Succeeded message appears, followed by the connection window.

Creating Sites in Endpoint Connect

To create a site:

1. From your system administrator, obtain the name or IP address of the security gateway that provides remote access to the corporate network.

2. Right-click the client icon in the system tray, and select Settings.

3. In the VPN window, click VPN Settings.

The Options window opens.

4. On the Sites tab, click New.

The Site Wizard opens.

5. Enter the name or IP address of the security gateway, and click Next.

The Authentication Method window opens.

6. Select an authentication method, and click Next.

If Certificate is your preferred method of authentication, when you click Next the Certificate authentication window opens.

Select whether to use a PKCS#12 certificate stored in a folder, or a PKCS#12 that has been entered into the CAPI store.

See Understanding Certificates (on page 38) for more information.

See Certificate Enrollment and Renewal (on page 40) if you do not have a certificate and wish to obtain one.

7. Click Next.

The digital fingerprint, a way for the site to authenticate itself to the client, appears.

This digital fingerprint is kept in the Windows registry and not displayed again — even if the client is upgraded.

8. Click Yes, and wait until the Site created successfully message appears.

9. Click Finish.

10. When asked if you would like to connect, click Yes.

The main connection window opens.

11. Enter your authentication credentials, and click Connect.

The client connection window opens. If your system administrator has configured Endpoint Security on Demand (ESOD):

A compliance check runs to determine whether your desktop is secured by anti-virus software and a firewall, and whether recommended and relevant software updates are installed.

If your desktop or laptop fails the initial compliance check, a report is displayed that contains links to online remediation sources. Follow the links to correct the problems discovered by the endpoint security check, then try to connect again through the main connection window.

12. The connection status window opens.

When the "connection succeeded" message displays, click Hide. The client is now connected.

Connecting and Disconnecting Using Endpoint Connect

Connecting to a Site

To connect to a newly created or existing site:

1. Right-click the client icon in the system tray, and select Settings.

2. In the VPN window, click Quick Connect or Connect.

The Connection window opens.


3. Enter your authentication credentials.

If you are using a certificate, the last certificate is automatically selected.

4. Click Connect.

The Connection Status window is displayed.

During this time:

You are authenticated using your chosen method

Network topology information is downloaded from the gateway to your local client

Virtual network adapters are loaded

If configured by the site administrator, an Endpoint Compliance check is run.

Alternative Ways of Connecting

Endpoint Connect offers two alternative ways of connecting.

Right-click the client icon in the system tray, and select Quick Connect.

Endpoint Connect connects directly to the last active site.

A tool tip appears when the connection is established.

Right-click the client icon in the system tray, select Connect.

Understanding Connection Details - Endpoint Connect VPN

Endpoint Security client provides the following information if your VPN is Endpoint Connect.

Details Tab Description

Name Name of the VPN site gateway you are currently connected to.

IP Address IP address of the VPN site.

Last time connected Day, date, and time that you last connected to this site.

Last office mode IP Address

IP address of the VPN gateway office mode, if relevant.

Understanding Connection Settings - Endpoint Connect VPN

Settings Tab Description

Always Connect If your client is configured to allow you to change this option, select Enable Always Connect to automatically connect to the active VPN whenever possible.

VPN Tunneling If your client is configured to allow you to change this option, select Encrypt all traffic and route to gateway to use the VPN tunneling functionality for all traffic going from this client.

Authentication Select the authentication method from the drop-down list.

Disconnecting from a Site

To disconnect from a site:

1. Right-click the client icon in the system tray.


2. Click Disconnect from VPN.

A tooltip appears above the system tray informing you that the client is disconnected.

Password Caching for Single Sign On

Provided that your site administrator has enabled password caching, the Endpoint client remembers the password you entered during the last successful connect operation, for example the password used for username/password authentication, or the password to your p12 certificate.

This password is held only in memory and deleted once you explicitly disconnect from a site.

If, for example, location awareness is enabled, then as the client automatically reconnects to the site, the password is supplied transparently from cache.

If you see the password field already populated when you attempt to connect to a site, this means that the cached credentials will be used. If necessary, you can override them and enter new credentials.

Configuring Connection Options

This section describes various connection and login options available for Check Point Endpoint Connect.

Staying Connected all the Time

To ensure that you remain connected to the active site:

1. Right-click the client icon in the system tray and select Settings.

2. In the VPN window, select VPN Settings.

The Options window opens.

3. On the Sites tab, select the site to which you wish to remain connected, and click Properties.

The Properties window for the site opens.

4. In the Always-Connect area of the window, select Enable Always-Connect.

Location Aware Connectivity

Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. When the client is detected within the internal network, the VPN connection is terminated. If the client is in Always-Connect mode, the VPN connection is established again when the client leaves the internal network.

Connecting Through a Hotspot

Hotspot Detection

For wireless connections, Endpoint Connect automatically detects the presence of a hotspot. When connecting for the first time through the hotspot server:

1. The connection naturally fails because no registration details have been presented.

2. The client automatically opens its internal browser window showing the hotspot registration form.

3. Enter the relevant authentication and payment credentials.

The client automatically detects when the form is submitted and immediately connects to the site.

Hotspot Exclusion

The VPN client automatically detects the presence of a hotspot server and stores its IP address. Upon connection to the site, if the client discovers that the IP address of the hotspot server is duplicated on a gateway within the VPN domain, that gateway within the domain is removed from the topology. This enables the client to keep the hotspot open for the duration of the connection.

Proxy Settings

From time to time you may need to change your proxy server settings.

To change the proxy settings for Endpoint Connect:

1. Right-click the client icon in the system tray and select Settings.

2. In the VPN window, select VPN Settings.

The Options window opens.

3. Click the Advanced tab and select Proxy Settings.


The Proxy Settings window opens.

4. Configure your Proxy Definition and Proxy Authentication credentials according to the new settings.

No proxy/transparent proxy: No proxy is defined.

Detect proxy from Internet Explorer settings: This is the default setting. The client takes proxy settings from Microsoft Internet Explorer. Before selecting this setting, verify that the proxy settings are defined manually:

In Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN Settings, then select Use a proxy server for this connection.

Manually define proxy: You may be required to configure the proxy settings manually. In Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN Settings, then select Use a proxy server for this connection. Your administrator can provide the IP address and port number.

5. In the Proxy Authentication section, provide the user name and password for proxy authentication.

VPN Tunneling (Hub Mode)

A VPN tunnel is an encrypted channel that provides secure access to the active site. To configure VPN Tunnel settings:

1. Right-click the client icon in the system tray and select Settings.

2. In the VPN window, select VPN Settings.

The Options window opens.

3. On the Sites tab, select the site to which you wish to remain connected, and click Properties.

The Properties window for the site opens.

4. In the VPN tunneling area of the window, select Encrypt all traffic and route to gateway.

If you select Encrypt all traffic and route to gateway, all outbound traffic on the client is encrypted and sent to the security gateway but only traffic directed at site resources passes through the gateway. All other traffic is dropped.

If you do not select Encrypt all traffic and route to gateway, only traffic directed at site resources is encrypted and sent to the gateway. All other outbound client traffic passes in the clear.

Dial Up Support

Endpoint Connect supports dialup connections for a number of scenarios:

If no network is available when you try to connect to a site, and no dialup connection has been configured, the client displays a connection failed message:

Connection Failed No network detected Click here to activate dialup

Click the link to configure a dialup connection.

The link opens the New Connection Wizard. Complete the wizard to configure a dialup connection.

If a single dialup connection is already defined, then clicking the activate dialup link instructs the client to dial it.

If more than a single dialup connection is configured, choose a connection from the displayed list.

If Transparent Network and Interface Roaming is enabled, and the client is in a state of "reconnecting", the option to configure a dialup connection is displayed.

Smart Card Removal

If you are authenticating using a Smart Card, and the smart card or smart card reader is removed from the USB port, the client detects that the certificate is no longer available and disconnects from the site. A "VPN tunnel has disconnected. Smart card was removed" message is displayed.

Tunnel Idleness

If you see a "VPN tunnel has disconnected. Tunnel inactivity timeout reached" message, this means that no traffic has passed between you and the site during a period set in minutes by your system administrator.


Your organization may have specific security requirements, such that an open VPN tunnel should be transporting work-related traffic to the site at all times. An idle or inactive tunnel should be shut down.

A mail program such as Outlook performing a send-receive operation every five minutes would be considered work-related, and the tunnel kept open.

Advanced Configuration Options in Endpoint Connect

Command Line Options

Endpoint Connect can also be run from the command line. The client has a number of command line options of the type: command_line <command> [<args>].

To use the command line:

1. Open a command prompt.

Start > Run > cmd

2. Browse to the Endpoint Connect directory:

C:\Program Files\CheckPoint\TRAC

3. Enter command_line <command> [<args>]:

Where <command> is one of the following:

Command Function

Start Starts the Endpoint Connect service

Stop Stops the Endpoint Connect service

Status Prints status information and lists current connections

info [-s <site name>] Lists all connections or prints site name information

connect -s <sitename> [-u <username> -p <password> | -d <dn> | -f <p12> | -pin <PIN> -sn <serial>]

Connects using the given connection. The <sitename> parameter is optional. If no site is defined, the client connects to the active site. If no active site is defined, an error message appears. Optional credentials can be supplied.

disconnect Disconnects the current connection

create -s <sitename> [-a <authentication method>]

Creates a new connection, and defines an authentication method. Valid authentication values are:

username-password

certificate

p12-certificate

challenge-response

securIDKeyFob

securIDPinPad

SoftID

Note - An administrator can specify a particular authentication method. If the wrong method is entered, you will be prompted to enter an alternative.

delete -s <site name> Deletes the given connection

help / h Shows how to use the command

list Lists user Domain Names stored in the CAPI


ver Prints the version

log Prints log messages

enroll_p12 -s <sitename> -f <filename> -p <password> -r <registrationkey> [ -l <keylength> ]

Enrolls a p12 certificate

renew_p12 -s <sitename> -f <filename> -p <password> [ -l <keylength>]

Renews a p12 certificate

enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection> ]

Enrolls a CAPI certificate

renew_capi -s <sitename> -d <dn> [ -l <keylength> -sp <strongkeyprotection> ]

Renews a CAPI certificate

change_p12_pwd -f <filename> [ -o <oldpassword> -n <newpassword> ]

Changes the p12 password

Collecting and Sending Log files

To troubleshoot unforeseen issues with Endpoint Connect, your system administrator may ask you to send log files. Before you can collect and send log files, logging must be enabled.

To enable Logging:

1. Right-click the client icon in the system tray and select Settings.

2. In the VPN window, select VPN Settings.

The Options window opens.

3. On the Advanced tab, select Enable logging.

To send log files:

1. Right-click the client icon in the system tray and select Settings.

2. In the VPN window, select VPN Settings.

The Options window opens.

3. On the Advanced tab, click Collect Logs.

If your system administrator has preconfigured an email address for the logs, your default email program opens with the address already entered and the logs attached as a single compressed file.

If no email address has been configured, the log files are gathered into a single compressed file which you can save.

4. Send the contents of the compressed file to your site administrator.

Switching to the Legacy VPN client

There may be occasions when your site administrator requests you to switch from Endpoint Connect to the Legacy VPN client, for example to take advantage of legacy client features such as:

Link Selection

Secondary Connect

Multiple Entry Points (MEP)


SAA Authentication

The administrator will provide a command line tool called changeVPN.exe.

1. Copy changeVPN.exe to a folder on your local machine.

2. Open a command prompt

Start > Run > cmd

3. Change directory to the folder where you saved changeVPN.exe

4. Run:

ChangeVPN SC

Executing this command terminates existing VPN connections, and prevents additional connections until the client machine is rebooted.

5. Reboot the client machine.


Chapter 4

WebCheck

WebCheck provides comprehensive protection against various Internet threats for your computer and your corporate network.

If your administrator has configured your Endpoint Security policy to include WebCheck, this feature is included in your Endpoint Security client.

In This Chapter

Understanding WebCheck 49

Suspicious Site Warnings 49

Understanding WebCheck

WebCheck adds a layer of protection against Web-based threats to the Endpoint Security Anti-malware and firewall functionality, which protect against PC-based threats.

WebCheck Protection

Your administrator determines which WebCheck settings are deployed to protect your computer against Web-based threats. The following list explains WebCheck features.

Trusted sites versus non-trusted sites: When you visit Web sites that your administrator deems trustworthy, "Check Point WebCheck - Trusted Site" appears in the browser's title bar. This means that WebCheck's features are inactive, because these Web sites do not pose the same risk as the Internet at large. If you visit a Web site that the administrator has not configured as a trusted site, all WebCheck protection features are active, and the text "Check Point WebCheck" appears in the browser's title bar.

Virtualization: WebCheck traps malware and other uninvited programs that are downloaded to your computer without your permission or knowledge in a virtual file system and blocks them so that they never reach your real computer hard disks.

Anti-phishing (signature): WebCheck tracks the most recently discovered phishing and spy sites. If you go to one of these sites, WebCheck interrupts your browsing with a warning so you can leave the site immediately.

Anti-phishing (heuristics): WebCheck also uses heuristics, which look for certain known characteristics of fraudulent sites, to detect phishing sites that were created even seconds before you encountered them.

In the WebCheck section of the Endpoint Security client main page, you can see if the feature is turned on or off. If it is on, a list of trusted domains is shown.

Suspicious Site Warnings

When WebCheck detects a security problem with a Web site you are visiting, it warns you immediately about the imminent danger so you can leave before anything happens.

For example, if you visit a site that is known to be a phishing site, the WebCheck toolbar turns red and a warning interrupts your browsing. At sites that are questionable but not yet proven dangerous, you see a caution message under the toolbar.


Yellow Caution Banner

If you reach a Web site that does not have adequate security credentials, a yellow caution message appears under the toolbar.

This site is not necessarily malicious. It may be new, or have limited resources, and therefore not yet present a valid SSL certificate. Nevertheless, without a valid certificate the connection is neither authenticated nor encrypted, so data could be intercepted; avoid entering sensitive data.

Table 4-7 Yellow Caution Banner

Risk level of Web site MEDIUM for entering data or downloading files from this site.

Recommendation With WebCheck active, viewing the site should be safe, but do not enter any sensitive data or download files at this site.

Why is the site questionable?

Click the Read more link in the warning dialog box to get security related information about the site.

Blue "May Be Unsafe" Warning

If you reach a Web site where the heuristic detection of WebCheck finds characteristics associated with phishing, your browsing is interrupted by a blue "may be unsafe" message.

Although the site has characteristics common to phishing, it has not been officially reported as a phishing site. It could be a new, not-yet-discovered phishing site. On the other hand it could be safe.

Consider the following recommendations to help you decide whether to trust this site.

Table 4-8 Blue "May Be Phishing" Warning

Risk level of Web site MEDIUM to HIGH for entering data or downloading files from this site.

Recommendations The site may not be a phishing site, but we recommend you click Avoid this Site if any of the following are true:

Did you get to this site by clicking a link in an e-mail?

Does the address start with http instead of https? (Sites that ask for private data should be secured by extra encryption and authentication, indicated by https.)

Is there a misspelling in the site address, such as "yahooo" instead of "yahoo"?

Was the site created very recently?

Is the site hosted in a country you weren't expecting?

Why is the site questionable?

Heuristic detection has found some characteristics common to phishing, but the site is not officially reported as a phishing site at this time.

If you believe that the site is safe to access, you can click the Stay on Site button. If you do not want any more warning messages from this site, click the Click here link and you will not get a warning message the next time you access the site.
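The questions in Table 4-8 can be turned into a check that runs over a URL before anything is typed into the page. The Python below is an added example written for this guide; it is not WebCheck's own heuristic engine, which the page does not describe. The brand list, the one-edit look-alike rule and the mapping of signal counts onto "caution" and "avoid" are assumptions. It goes a little beyond the table by also flagging a brand name buried in a subdomain (paypal.com.example.net) and hosts given as bare IP addresses. Domain age and hosting country need online lookups and are deliberately left out so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brands that phishing kits commonly imitate (assumption).
KNOWN_BRANDS = ("yahoo", "paypal", "google", "microsoft", "apple", "amazon")

def edit_distance(a, b):
    """Levenshtein distance; one edit apart catches typosquats such as yahooo or paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    """The label just left of the public suffix (assumes a one-label suffix such as .com)."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host

def phishing_signals(url, from_email=False):
    """Return the list of heuristic findings for url; an empty list means nothing was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    sld = registrable_label(host)
    findings = []
    if from_email:
        findings.append("reached via a link in an e-mail")
    if parts.scheme == "http":
        findings.append("plain http: anything typed here travels unencrypted")
    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP literal rather than a domain name")
    except ValueError:
        pass
    for brand in KNOWN_BRANDS:
        if sld == brand:
            continue                      # the brand's own registrable domain
        if edit_distance(sld, brand) == 1:
            findings.append(f"look-alike domain: {sld!r} resembles {brand!r}")
        if brand in labels[:-2]:          # e.g. paypal.com.example.net
            findings.append(f"brand {brand!r} used as a subdomain of {sld!r}")
    return findings

def verdict(url, from_email=False):
    """'ok', 'caution' (one signal) or 'avoid' (two or more), mirroring the warning levels."""
    n = len(phishing_signals(url, from_email))
    return "ok" if n == 0 else "caution" if n == 1 else "avoid"
```

A single signal is deliberately only a caution: a plain-http site or a brand name in a subdomain is common on legitimate pages too, and a check like this is only a prompt to look harder, not proof. Note that the one-edit rule does nothing for look-alikes built from Unicode homoglyphs; for those the host must first be converted to its Punycode form and inspected for mixed scripts.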


Blue Warning Alerts

If you browse to a site that is known to be dangerous, WebCheck interrupts your browsing with a warning, and the WebCheck toolbar turns blue.

Table 4-9 Blue Warning

Risk level of Web site

VERY HIGH

Recommendation If you are not very sure that this site is legitimate, you should leave this site immediately to protect your computer and network.

Click Avoid this Site in the message to get out safely.

If you are sure that the site is safe to access, you can click the Stay on Site button. If you do not want any more warning messages from this site, click the Click here link and you will not get a warning message the next time you access the site.


Chapter 5

Firewall

Firewall Protection is your front line of defense against Internet threats. The client's default zones and security levels give you immediate protection against the vast majority of threats.

In This Chapter

Understanding Firewall Protection 52

Understanding Zones 52

Configuring New Network Connections 53

Integrating with Network Services 54

Choosing Security Levels 54

Setting Advanced Security Options 55

Blocking and Unblocking Ports 58

Configuring VPN Connection for Firewall 60

Understanding Firewall Protection

In buildings, a firewall is a barrier that prevents a fire from spreading. In computers, the concept is similar. There are a variety of "fires" out there on the Internet: hacker activity, viruses, worms, and so forth. A firewall is a system that stops these attempts to damage your computer.

The client firewall guards the "doors" to your computer—that is, the ports through which Internet traffic comes in and goes out. The client examines all the network traffic arriving at your computer, and asks these questions:

What Zone did the traffic come from and what port is it addressed to?

Do the rules for that Zone allow traffic through that port?

Does the traffic violate any global rules?

Is the traffic authorized by a program on your computer (Program Control settings)?

The answers to these questions determine whether the traffic is allowed or blocked.

Understanding Zones

Endpoint Security client keeps track of the good, the bad, and the unknown out on the Internet by using virtual containers, called Zones, to classify the computers and networks that connect to your computer.

The Internet Zone (on page 141) is the "unknown." All the computers and networks in the world belong to this Zone—until you move them to one of the other Zones.

The Trusted Zone (on page 144) is the "good." It contains all the computers and networks you trust and want to share resources with—for example, the other machines on your local or home network.

The Blocked Zone (on page 139) is the "bad." It contains computers and networks you distrust.

When another computer wants to communicate with your computer, the client looks at the Zone it is in to help decide what to do.


Zones Manage Firewall Security

The client uses security levels to determine whether to allow or block inbound traffic from each Zone. Open the Firewall panel, Main tab to view and adjust security levels.

High Security Setting

High security places your computer in stealth mode, making it invisible to hackers. High security is the default configuration for the Internet Zone.

In High security, file and printer sharing is disabled; but outgoing DNS, outgoing DHCP, and broadcast/multicast are allowed, so that you are able to browse the Internet. All other ports on your computer are closed except when used by a program that has access permission and/or server permission.

Medium Security Setting

Medium security is the default setting for the Trusted Zone.

In Medium security, file and printer sharing is enabled, and all ports and protocols are allowed. (If Medium security is applied to the Internet Zone, however, incoming NetBIOS traffic is blocked. This protects your computer from possible attacks aimed at your Windows networking services.) At Medium security, you are no longer in stealth mode.

We recommend that you use the Medium security setting for the first few days of normal Internet use after installing the client. After a few days of normal use, the client will have learned the signatures of the majority of the components needed by your Internet-accessing programs, and will remind you to raise the Program Authentication level to High.

No security level is necessary for the Blocked Zone, because no traffic to or from that Zone is allowed.

Note - Advanced users can customize high and medium security for each Zone by blocking or opening specific ports. See Blocking and Unblocking Ports (on page 58).

Zones Provide Program Control

Whenever a program requests access permission or server permission, it is trying to communicate with a computer or network in a specific Zone. For each program you can grant or deny the following permissions:

Access permission for the Trusted Zone.

Access permission for the Internet Zone.

Server permission for the Trusted Zone.

Server permission for the Internet Zone.

By granting access or server permission for the Trusted Zone, you enable a program to communicate only with the computers and networks you have put in that Zone. This is a highly secure strategy. Even if a program is tampered with, or given permission accidentally, it can only communicate with a limited number of networks or computers.

By granting access or server permission for the Internet Zone, however, you enable a program to communicate with any computer or network, anywhere.

Configuring New Network Connections

If your computer connects to a network, decide whether to place that network in the Trusted Zone or in the Internet Zone.

Placing a network in the Trusted Zone enables you to share files, printers, and other resources with other computers on that network. Networks you know and trust, such as your home or business LAN, should go in the Trusted Zone.


Placing a network in the Internet Zone prevents you from sharing resources with other computers on that network and protects you from the security risks associated with resource sharing. Unknown networks should go in the Internet Zone.

When your computer connects to a new network, an alert appears displaying the IP address of the detected network. New networks are usually placed in the Internet Zone by default.

To enable your computer to connect to the Internet through a proxy server, add the proxy to your Trusted Zone. See Adding to the Trusted Zone.

Integrating with Network Services

If you are working on a home or business network, you may want to share files, network printers, or other resources with other people on the network, or send and receive e-mail through your network's mail servers. Use the instructions in this section to enable safe resource sharing.

Enabling File and Printer Sharing

To share printers and files with other computers on your network, you will need to configure Endpoint Security client to allow access to the computers with which you plan to share resources.

To configure the client for file and printer sharing:

1. Add the network subnet (or, in a small network, the IP address of each computer you are sharing with) to your Trusted Zone.

See Adding to the Trusted Zone.

2. Set the Trusted Zone security level to Medium. This allows trusted computers to access your shared files.

See Setting Security Level for Zones.

3. Set Internet Zone security to High. This makes your computer invisible to non-trusted machines.

Connecting to Network Mail Servers

Endpoint Security client is configured to automatically work with Internet-based mail servers using POP3 and IMAP4 protocols, when you give your e-mail client permission to access the Internet.

Some mail servers, such as Microsoft Exchange, include collaboration and synchronization features that might require you to trust the server for those services to correctly function.

To configure the client for mail servers with collaboration and synchronization:

1. Add the network subnet or IP address of the mail server to your Trusted Zone.

2. Set the Trusted Zone security level to Medium. This allows server collaboration features to work.

3. Set Internet Zone security level to High. This makes your computer invisible to non-trusted machines.

Enabling Internet Connection Sharing

If you are using Windows' Internet Connection Sharing (ICS) option, or a third-party connection sharing program, you can protect all of the computers that share the connection from inbound threats by installing Endpoint Security client on the gateway machine only. However, to receive outbound protection, or to see alerts on the client machines, you must have Endpoint Security client installed on the client machines as well.

Before you configure the client, use your ICS software to set up the gateway and client relationships. If you use hardware such as a router to share your Internet connection rather than Microsoft's Internet Connection Sharing (ICS), ensure that the local subnet is in the Trusted Zone.

Choosing Security Levels

The default firewall security levels (on page 143) (High for the Internet Zone, Medium for the Trusted Zone) protect you from port scans and other hacker activity, while allowing you to share printers, files, and other resources with trusted computers on your local network. In most cases, you do not have to make any adjustment to these defaults. You are protected as soon as Endpoint Security client is installed.

To set the security level for a Zone, open Firewall Main and drag the sliders to the setting you want.

Table 5-10 Internet Zone Security

HIGH This is the default setting.

Your computer is in stealth mode, making it invisible to other computers.

Access to Windows NetBIOS (Network Basic Input/Output System) (see "NetBIOS" on page 142) services, file and printer shares is blocked.

Ports are blocked unless you have provided permission for a program to use them.

MED Your computer is visible to other computers.

Access to Windows services, file and printer shares is allowed.

Program permissions are still enforced.

LOW Your computer is visible to other computers.

Access to Windows services, file and printer shares is allowed.

Program permissions are still enforced.

Table 5-11 Trusted Zone Security

HIGH Your computer is in stealth mode, making it invisible to other computers.

Access to Windows (NetBIOS) services, file and printer shares is blocked.

Ports are blocked unless you have provided permission for a program to use them.

MED This is the default setting.

Your computer is visible to other computers.

Access to Windows services, file and printer shares is allowed.

Program permissions are still enforced.

LOW Your computer is visible to other computers.

Access to Windows services, file and printer shares is allowed.

Program permissions are still enforced.

Setting Advanced Security Options

Advanced security options enable you to configure the firewall for a variety of special situations, such as gateway enforcement and Internet Connection Sharing (ICS).


Setting Gateway Security Options

Some companies require their employees to use Endpoint Security client when connecting to the Internet through their corporate gateway (on page 140). When Automatically check the gateway for security enforcement is selected, the client looks for a compatible gateway and confirms to it that the client is installed, so that gateways which require the client will grant access.

You can leave this option selected even if you are not connecting through a gateway. Your Internet functions will not be affected.

To set automatic gateway check:

1. Open Firewall Main.

2. Click Advanced.

The Advanced Settings window opens.

3. In the Gateway Security area, check the Automatically check the gateway for security enforcement checkbox.

4. Click OK.

Setting ICS Options

If you are using ICS (Internet Connection Sharing) (see "ICS" on page 141), use these controls to configure Endpoint Security client to recognize the ICS gateway and clients.

To set Internet Connection Sharing preferences:

1. Open Firewall Main.

2. Click Advanced.

The Advanced Settings window opens.

3. In the Internet Connection Sharing area, choose your security settings.

This computer is not on an ICS/NAT net: Internet Connection sharing is disabled.

This is a client of an ICS/NAT gateway running Endpoint Security: The client automatically detects the IP address of the ICS gateway and displays it in the Gateway Address field. You also can type the IP address into the field.

Select the Forward alerts from gateway to this computer checkbox to log and display alerts on the client computer that occur on the gateway.

This computer is an ICS/NAT gateway: The client automatically detects the IP address of the ICS gateway and displays it in the Local Address field. You also can type the IP address into the field.

Select Suppress alerts locally if forwarded to clients to suppress alerts forwarded from the gateway to clients.

4. Click OK.

Setting General Security Options

These controls apply global rules regarding certain protocols, packet types and other forms of traffic (such as server traffic) to both the Trusted Zone and the Internet Zone.

To modify general security settings:

1. Open Firewall Main.

2. Click Advanced.

3. In the General Settings area, choose your security settings.


Table 5-12 General Settings Options

Field Description

Block all fragments Blocks all incomplete (fragmented) IP data packets. Hackers sometimes create fragmented packets to bypass or disrupt network devices that read packet headers.

Caution: If you select this option, the client silently blocks all fragmented packets without alerting you or creating a log entry. Do not select this option unless you know how your online connection handles fragmented packets.

Block trusted servers Prevents all programs on your computer from acting as servers to the Trusted Zone. Note that this setting overrides permissions granted in the Programs panel.

Block Internet servers Prevents all programs on your computer from acting as servers to the Internet Zone. Note that this setting overrides permissions granted in the Programs panel.

Enable ARP protection Blocks all incoming ARP requests except broadcast requests for the address of the target machine. Also blocks all incoming ARP replies except those in response to outgoing ARP requests.

Filter IP traffic over 1394 Filters FireWire traffic. You must restart your computer if you select this option.

Allow VPN Protocols Allows the use of VPN protocols (ESP, AH, GRE, SKIP) even when High security is applied. With this option disabled, these protocols are allowed only at Medium security.

Allow uncommon protocols at high security

Allows the use of protocols other than ESP, AH, GRE, and SKIP, at High security.

Lock hosts file Prevents your computer's hosts file from being modified by hackers through spyware or Trojan horses. Note that some legitimate programs need to modify the hosts file to function.

Disable Windows Firewall Detects and disables Windows Firewall.
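The ARP protection entry above describes a small stateful filter: requests are accepted only when they are broadcast and ask for this machine's address, and replies only when they answer a request this machine actually sent. That is the standard defense against ARP cache poisoning, where an attacker sends unsolicited replies claiming the gateway's address. The Python below is an added example that models that rule over constructed ARP frames; it is not the client's driver code, and the reply timeout, the one-reply-per-request rule and the separate dst_mac argument (the Ethernet header is not parsed here) are assumptions.

```python
import struct
import time
from ipaddress import ip_address

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 Ethernet/IPv4 ARP body, 28 bytes

def ip4(text):
    """Dotted-quad string -> 4 packed bytes."""
    return ip_address(text).packed

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise an ARP body (used to construct the test frames; no Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sender_mac, sender_ip, target_mac, target_ip)

def parse_arp(data):
    """Parse the 28-byte ARP body into its fields."""
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:28])
    return {"op": op, "sender_mac": smac, "sender_ip": sip, "target_mac": tmac, "target_ip": tip}

class ArpProtection:
    """Stateful filter modelling the 'Enable ARP protection' entry in Table 5-12."""

    def __init__(self, my_ip, my_mac, reply_timeout=2.0):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.reply_timeout = reply_timeout   # assumption: how long a reply stays solicited
        self.pending = {}                    # target IP -> time our request went out

    def outgoing_request(self, target_ip, now=None):
        """Record that we asked for target_ip and return the request frame to send."""
        self.pending[target_ip] = time.monotonic() if now is None else now
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, b"\x00" * 6, target_ip)

    def incoming(self, data, dst_mac, now=None):
        """True if the frame may update the ARP cache, False if the filter drops it."""
        now = time.monotonic() if now is None else now
        pkt = parse_arp(data)
        if pkt["op"] == ARP_REQUEST:
            # Only broadcast requests that ask for this machine's own address.
            return dst_mac == BROADCAST_MAC and pkt["target_ip"] == self.my_ip
        if pkt["op"] == ARP_REPLY:
            # Only a reply answering a request we sent, once, and within the timeout.
            sent = self.pending.pop(pkt["sender_ip"], None)
            return sent is not None and now - sent <= self.reply_timeout
        return False
```

Because each pending request is consumed by the first matching reply, a second reply for the same address (the classic poisoning pattern: the attacker races or repeats the real answer) is treated as unsolicited and dropped. The cost is that gratuitous ARP, which some networks use legitimately for fail-over, is dropped too; that is the trade-off the table's wording implies.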

Setting Network Security Options

Automatic network detection helps you configure your Trusted Zone easily so that traditional local network activities such as file and printer sharing aren't interrupted. The client detects only networks to which you are physically connected. Routed or virtual network connections are not detected.

You can set the client to silently include every detected network in the Trusted Zone; or to ask you in each case whether to add a newly detected network.

To specify Network settings:

1. Open Firewall Main.

2. Click Advanced.

3. In the Network settings area, choose your security settings.


Table 5-13 Network Settings Options

Include networks in the Trusted Zone upon detection

Automatically moves new networks into the Trusted Zone. This setting provides the least security.

Exclude networks from the Trusted Zone upon detection

Automatically blocks new networks from being added to the Trusted Zone and places them in the Internet Zone. This setting provides the most security.

Ask which Zone to place new networks in upon detection

The client displays a New Network alert or the Network Configuration Wizard, which gives you the opportunity to specify the Zone.

Blocking and Unblocking Ports

The client's default security levels determine which ports and protocols are allowed and which are blocked. If you are an advanced user, you can change the definition of the security levels by changing port permissions and adding custom ports.

Default Port Permission Settings

The default configuration for High security blocks all inbound and outbound traffic through ports not being used by programs you have given access or server permission, except:

DHCP broadcast/multicast

Outgoing DNS (port 53) - If the computer is configured as an ICS gateway

Table 5-14 Default Access Permissions for Traffic Types

Traffic Type                                              HIGH    MED     LOW

DNS outgoing                                              block   n/a     allow

DHCP outgoing                                             block   n/a     allow

broadcast/multicast                                       allow   allow   allow

ICMP incoming (ping echo)                                 block   allow   allow

ICMP incoming (other)                                     block   allow   allow

ICMP outgoing (ping echo)                                 block   allow   allow

ICMP outgoing (other)                                     block   allow   allow

IGMP incoming                                             block   allow   allow

IGMP outgoing                                             block   allow   allow

NetBIOS incoming                                          n/a     block   allow

NetBIOS outgoing                                          n/a     allow   allow

UDP incoming (ports not in use by a permitted program)    block   allow   allow

UDP outgoing (ports not in use by a permitted program)    block   allow   allow

TCP incoming (ports not in use by a permitted program)    block   allow   allow

TCP outgoing (ports not in use by a permitted program)    block   allow   allow

To change a port's access permission:

1. Open Firewall Main.

2. In either the Internet Zone Security or the Trusted Zone Security area, click Custom.

The Custom Firewall Settings window appears.

3. Scroll to locate High and Medium security settings.

4. To block or to allow a specific port or protocol, select the relevant checkbox.

5. Click OK.

Important - When you select a traffic type in the High security settings, you are choosing to ALLOW that traffic type, thus decreasing protection of the HIGH Security Level.

When you select a traffic type in the Medium security settings, you are choosing to BLOCK that traffic type, thus increasing protection of the MED Security Level.

Adding Custom Ports

You can allow communication through additional ports at High security, or block additional ports at Medium security by specifying individual port numbers or port ranges.

To specify additional ports:

1. Open Firewall Main.

2. In either the Trusted Zone or Internet Zone area, click Custom.

The Custom Firewall settings window appears.

3. Scroll to the security level (High or Medium) to which you want to add ports.

4. Select port type that is marked with none selected: incoming UDP, outgoing UDP, incoming TCP, or outgoing TCP.

5. Provide the port or port ranges you want to allow or block in the Ports field, separated by commas. For example, 139, 200-300.

6. Click OK.
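The four questions under Understanding Firewall Protection, the per-level defaults in Table 5-14 and the custom port rules above can be combined into one decision function. The Python below is an added example for this guide, not the client's own engine: the order in which it applies the checks, the treatment of the table's "n/a" cells (fall through to the generic TCP/UDP row for that level), the port numbers it counts as NetBIOS and DHCP, and the packet and policy representations are assumptions. It also implements the "139, 200-300" port-list syntax used in the Custom Firewall Settings window.

```python
from dataclasses import dataclass, field
from typing import Optional

HIGH, MED, LOW = "HIGH", "MED", "LOW"
LEVELS = (HIGH, MED, LOW)

# Table 5-14 transcribed; each value is (HIGH, MED, LOW).
TABLE_5_14 = {
    "dns_out":     ("block", "n/a",   "allow"),
    "dhcp_out":    ("block", "n/a",   "allow"),
    "bcast_mcast": ("allow", "allow", "allow"),
    "icmp_in":     ("block", "allow", "allow"),
    "icmp_out":    ("block", "allow", "allow"),
    "igmp_in":     ("block", "allow", "allow"),
    "igmp_out":    ("block", "allow", "allow"),
    "netbios_in":  ("n/a",   "block", "allow"),
    "netbios_out": ("n/a",   "allow", "allow"),
    "udp_in":      ("block", "allow", "allow"),
    "udp_out":     ("block", "allow", "allow"),
    "tcp_in":      ("block", "allow", "allow"),
    "tcp_out":     ("block", "allow", "allow"),
}
NETBIOS_PORTS = {137, 138, 139}   # assumption: ports the client treats as NetBIOS

def parse_ports(spec):
    """'139, 200-300' -> set of port numbers (Custom Firewall Settings syntax)."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item}")
        ports.update(range(lo, hi + 1))
    return ports

@dataclass
class Packet:
    zone: str                      # "internet", "trusted" or "blocked"
    direction: str                 # "in" or "out"
    proto: str                     # "tcp", "udp", "icmp" or "igmp"
    port: int = 0
    program: Optional[str] = None  # local program owning the socket, if any
    fragment: bool = False
    broadcast: bool = False

@dataclass
class Policy:
    levels: dict = field(default_factory=lambda: {"internet": HIGH, "trusted": MED})
    custom_allow_high: set = field(default_factory=set)  # ports opened at HIGH
    custom_block_med: set = field(default_factory=set)   # ports closed at MED
    block_all_fragments: bool = False
    block_internet_servers: bool = False
    block_trusted_servers: bool = False
    programs: dict = field(default_factory=dict)  # name -> {"access": {zones}, "server": {zones}}

def traffic_type(p):
    """Map a packet onto a row of Table 5-14."""
    if p.broadcast:
        return "bcast_mcast"
    if p.proto == "udp" and p.direction == "out" and p.port == 53:
        return "dns_out"
    if p.proto == "udp" and p.direction == "out" and p.port in (67, 68):
        return "dhcp_out"
    if p.proto in ("tcp", "udp") and p.port in NETBIOS_PORTS:
        return f"netbios_{p.direction}"
    return f"{p.proto}_{p.direction}"

def decide(p, pol):
    """Return 'allow' or 'block' for packet p under policy pol."""
    # 1. Which Zone? The Blocked Zone exchanges no traffic at all.
    if p.zone == "blocked":
        return "block"
    level = pol.levels[p.zone]
    # 2. Global rules (Table 5-12) apply to both Zones and override program permissions.
    if pol.block_all_fragments and p.fragment:
        return "block"
    servers_blocked = {"internet": pol.block_internet_servers, "trusted": pol.block_trusted_servers}
    if p.direction == "in" and p.program and servers_blocked[p.zone]:
        return "block"
    # 3. Program Control: access permission covers outbound, server permission inbound.
    if p.program and p.proto in ("tcp", "udp"):
        kind = "server" if p.direction == "in" else "access"
        if p.zone in pol.programs.get(p.program, {}).get(kind, ()):
            return "allow"
    # 4. Zone security level: the Table 5-14 row, then the custom port adjustments.
    col = LEVELS.index(level)
    verdict = TABLE_5_14[traffic_type(p)][col]
    if verdict == "n/a":   # assumption: fall back to the generic TCP/UDP row
        verdict = TABLE_5_14[f"{p.proto}_{p.direction}"][col]
    if p.proto in ("tcp", "udp"):
        if level == HIGH and p.port in pol.custom_allow_high:
            verdict = "allow"
        elif level == MED and p.port in pol.custom_block_med:
            verdict = "block"
    return verdict
```

Running the model makes the asymmetry in the Important note visible: a port ticked under High security widens the exposure of the stealth level, while a port ticked under Medium narrows the already-open level, so custom entries should be reviewed in the High list first. The model also shows why the NetBIOS row is "n/a" at High: at that level the generic inbound TCP/UDP rule already blocks those ports, so nothing NetBIOS-specific is needed.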


Configuring VPN Connection for Firewall

Endpoint Security client is compatible with many types of VPN client software and can automatically configure the connection for certain VPN clients.

Supported VPN Protocols

The client monitors the VPN protocols listed in the following table.

Table 5-15 Supported VPN Protocols

Networking Protocol Explanation and Comments

AH Authentication Header Protocol

ESP Encapsulating Security Payload protocol

GRE Generic Routing Encapsulation protocol

IKE Internet Key Exchange protocol

IPSec IP Security protocol.

L2TP Layer 2 Tunneling protocol. L2TP carries PPP sessions but provides no encryption of its own; it is normally combined with IPSec (L2TP/IPSec) to protect the tunnel.

LDAP Lightweight Directory Access protocol

PPTP Point-to-Point Tunneling protocol

SKIP Simple Key Management for Internet Protocol

Configuring VPN Connection

If your VPN connection cannot be configured automatically, the client displays a Manual Action Required alert, informing you of manual changes needed to configure your connection.

Allowing VPN Protocols

To ensure proper configuration of your VPN software with Endpoint Security client, you will need to modify your general security settings to allow VPN protocols.

To allow VPN protocols:

1. Open Firewall Main.

2. Click Advanced.

3. In the General settings area, select the Allow VPN protocols checkbox.

4. Click OK.

Note - If your VPN program uses protocols other than GRE, ESP, and AH, also select the Allow uncommon protocols at high security checkbox.

Granting Access Permission to VPN Software

Grant access permission to the VPN client and any other VPN-related programs.


To grant permission to your VPN program:

1. Open Program Control Programs.

2. In the Programs column, select your VPN program.

3. In the Access column, click below Trusted and choose Allow.

Note - If your VPN program is not listed, click Add to add it to the list.

To grant access to VPN-related components:

1. Open Program Control Components.

2. In the Components column, select the VPN component for which you want to grant access.

3. In the Access column, select Allow.


Chapter 6

Program Control

Program control protects you by making sure that only programs you trust can access the Internet. You can use the Program alerts to configure program permissions as they are needed, or use the Programs tab to establish permissions ahead of time. Advanced users can also control the ports that each program is permitted to use.

In This Chapter

Understanding Program Control 62

Setting Program Control Options 63

Configuring Program Access 64

Setting Specific Permissions 65

Managing Program Components 68

Using Programs with the Client 69

Understanding Program Control

To protect your computer from malware, the Program Control feature uses Program Authentication (verifies that your programs have not been tampered with) and Program Access Control (provides access or server permission only when you tell it to).

Program Access Control

When a program requests access for the first time, a New Program alert asks you if you want to grant the program access permission. If the program is trying to act as a server, a Server Program alert is displayed. A Server Program alert asks you if you want to grant server permission to a program.

To avoid seeing numerous alerts for the same program, select the Remember this answer checkbox before clicking Yes or No.

Afterwards, the client will silently block or allow the program. If the same program requests access again, a Repeat Program alert asks you if you want to grant (or deny) access permission to a program that has requested it before.

Because Trojan horses and other types of malware often need server rights, you should be particularly careful to give server permission only to programs that you know and trust, and that need server permission to operate properly.

Program Authentication

Whenever a program on your computer attempts to access the network, Endpoint Security client authenticates it with its Smart Checksum. If the program has been altered since the last time it accessed the Internet, the client displays a Changed Program alert.

You decide whether the program should be allowed access or not. For added security, the client also authenticates the components, for example, DLL (on page 140) files, associated with the program's main executable file. If a component has been altered since the last time permission was granted, the client displays a Program Component alert, similar in appearance to the Changed Program alert.
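The Program Authentication behaviour described above (a checksum taken when permission is granted, a Changed Program alert when the executable no longer matches, a Program Component alert when one of its DLLs no longer matches) can be modelled with an ordinary file-hash baseline. The Python below is an added example for this guide and is not the client's Smart Checksum implementation, whose details the page does not give. It uses SHA-256 rather than the MD5 the chapter mentions later, because MD5 collisions can be manufactured and a tampered component could be made to keep its old MD5. The file names and contents in demo() are constructed for the walk-through.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

class ProgramAuthenticator:
    """Baseline of program and component digests, checked on each network access."""

    def __init__(self):
        self.baseline = {}   # program path -> {"self": digest, "components": {path: digest}}

    def authorize(self, program, components):
        """Record digests at the moment the user grants access or server permission."""
        self.baseline[program] = {
            "self": file_digest(program),
            "components": {c: file_digest(c) for c in components},
        }

    def check(self, program, components):
        """Classify an access attempt the way the client's alerts do.

        Returns (alert, changed_paths) where alert is one of
        'new_program', 'ok', 'changed_program' or 'program_component'.
        A component that was not present at authorization time counts as changed.
        """
        entry = self.baseline.get(program)
        if entry is None:
            return "new_program", []
        if file_digest(program) != entry["self"]:
            return "changed_program", [program]
        changed = [c for c in components if entry["components"].get(c) != file_digest(c)]
        if changed:
            return "program_component", changed
        return "ok", []

def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: grant permission, then tamper with a DLL, then the program itself."""
    alerts = []
    with tempfile.TemporaryDirectory() as d:
        exe, dll = os.path.join(d, "mailer.exe"), os.path.join(d, "tls.dll")
        write_file(exe, b"MZ constructed program bytes")
        write_file(dll, b"constructed component bytes")
        auth = ProgramAuthenticator()
        alerts.append(auth.check(exe, [dll])[0])      # New Program alert
        auth.authorize(exe, [dll])                    # user clicks Yes, Remember this answer
        alerts.append(auth.check(exe, [dll])[0])      # silently allowed from now on
        write_file(dll, b"patched component bytes")   # a component was swapped
        alerts.append(auth.check(exe, [dll])[0])      # Program Component alert
        write_file(exe, b"MZ trojanised program bytes")  # the executable itself changed
        alerts.append(auth.check(exe, [dll])[0])      # Changed Program alert
    return alerts
```

One limit worth keeping in mind: a checksum only proves that a file is the same one the user approved, not that it was benign when approved. If the program was already trojanised before the first New Program alert, the baseline simply captures the trojanised digest. Checking the publisher's code signature at authorization time closes that gap for signed software; the checksum then guards against later modification.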


Setting Program Control Options

When you are using Endpoint Security client, no program on your computer can access the Internet or your local network, or act as a server, unless you give it permission to do so.

Setting Program Control Level

Use the program control level to regulate the number of Program alerts you will see when you first begin using the client.

Check Point recommends the Medium setting for the first few days of normal use. This component learning mode enables the client to quickly learn the MD5 signatures of many frequently used components without interrupting your work with multiple alerts. Use this setting until you have used Internet-accessing programs (for example, browser, e-mail, and chat) at least once with the client running. After you have used each of your programs that need Internet access, change your Program Control setting to High.

To set the global program control level:

1. Open Program Control Main.

2. In the Program Control area, click the slider and drag it to the desired setting.

Table 6-16 Program Control Levels

HIGH
  Advanced program and component control and Application Interaction Control are enabled.
  You may see a large number of alerts.
  Programs and components are authenticated.
  Program permissions are enforced.

MED
  Advanced program control and Application Interaction Control are disabled.
  Fewer alerts display.
  Component learning mode is active.
  Programs are authenticated; components are learned.
  Program permissions are enforced.
  Note: After you have used each of your programs that need Internet access, change your Program Control setting to High.

LOW
  Advanced program control is disabled.
  Program and Component Learning Mode is active.
  No program alerts are displayed.

OFF
  Program control is disabled.
  No programs or components are authenticated or learned.
  No program permissions are enforced.
  All programs are allowed access/server rights.
  No program alerts are displayed.

Enabling Automatic Lock The automatic Internet lock protects your computer if you leave it connected to the Internet for long periods even when you are not actively using network or Internet resources.

When the lock engages, only traffic initiated by programs to which you have given Pass-lock permission is allowed. All other traffic to and from your computer is stopped, including the DHCP messages or ISP heartbeats used to maintain your Internet connection. As a result, you may lose your Internet connection.

You can set the Internet lock to engage:

When your screen saver engages, or

After a specified number of minutes of network inactivity.

To enable or disable the automatic lock:

1. Open Program Control Main.

2. In the Automatic Lock area, select On or Off.

To set automatic lock options:

1. Open Program Control Main.

2. In the Automatic Lock area, click Custom.

The Custom Lock Settings window appears.

3. Specify the lock mode to use.

Lock after __ minutes of inactivity: Engages the automatic lock after the specified number of minutes of network inactivity has passed. Specify a value between 1 and 99.

Lock when screen saver activates: Engages the automatic lock whenever your screen saver is activated.

Configuring Program Access You can configure program access automatically or manually. Using the Program Wizard, you can automatically configure Internet access for some of the most commonly used programs.

Setting Program Access Permissions Endpoint Security client displays a New Program alert when a program on your computer tries to access the Internet or local network resources for the first time. It displays a Server Program alert when a program tries to act as a server for the first time. You can configure the client to automatically allow or block new programs without displaying an alert. For example, if you are sure you have given access permission to all the programs you want, you can automatically deny access to any program that asks for permission.

To set connection attempt permissions for new programs:

1. Open Program Control Main.

2. Click Advanced.

The Advanced Program Settings window opens.

3. In the Connection Attempts area, specify your preferences for each Zone.

Table 6-17 Connection Attempts

Always allow access Allows all new programs access to the specified Zone.

Always deny access Denies programs access to the specified Zone.

Always ask for permission

Displays an alert asking for permission for the program to access the specified Zone.

Note - Settings for individual programs can be established in the Programs tab. Settings in this panel apply ONLY to programs not yet listed in the Programs tab.

To set server attempt permissions for new programs:

1. Open Program Control Main.

2. Click Advanced.


3. In the Server Attempts area, specify your preferences for each Zone.

Table 6-18 Server Attempts

Always accept the connection

Allows all programs attempting to act as a server.

Always deny the connection

Denies all programs attempting to act as a server.

Always ask before connecting

Displays an alert asking for permission for the program to act as a server.

Customizing Program Control Settings By default, the client always asks you whether to block or to allow connection attempts and server access attempts for the Internet and Trusted Zones. If the TrueVector Service is running, but the client is not, program access is denied by default.

You can customize program control by setting global program properties.

To set global program properties:

1. Open Program Control Main.

2. Click Advanced, then open the Alerts & Functionality tab.

3. Specify global program options.

Table 6-19 Global Program Options

Show alert when Internet access is denied

Displays a Blocked Program alert when the client denies access to a program. To have access denied silently, clear this option.

Deny access if permission is set to "ask" and the TrueVector service is running but the client is not.

Protects you in the rare event that an independent process (such as a Trojan horse) shuts down the client user interface but leaves the TrueVector service running. With this option set, a request that would normally produce an alert is denied instead of silently waiting for an answer nobody can give.

Require password to allow a program temporary Internet access

Prompts you to enter a password to grant access permission. Requires that you be logged in to respond Yes to a Program alert.

To allow access without a password, clear this option.

Setting Specific Permissions By setting the Program Control level to High, Medium, or Low, you specify globally whether programs and their components must request permission before accessing the Internet or before acting as a server.

You can also specify different settings for an individual program. For example, if you wanted to allow access to a particular program, but keep security High for all other programs, you could set the permission for that program to Allow.


Using the Programs List The programs list contains the programs that have tried to access the Internet or the local network and tells you which Zone the program is in, whether the program can act as a server, and whether the program can send e-mail. As you use your computer, the client detects every program that requests network access and adds it to the programs list.

To access the programs list:

Open Program Control Programs.

The Access, Server, and Send Mail columns indicate whether a specific program is allowed to access the Internet, to act as a server, and to send e-mail.

Table 6-20 Program Permission Icons (the icons themselves are not reproduced in this text version)

Symbol  Meaning

Allow icon  The program is allowed access/server rights. To change the permission, click the icon and choose either Block or Ask.

Ask icon  The client will display a Program alert when the program asks for access and/or server rights. To change the permission, click the icon and choose either Allow or Block.

Block icon  The program is denied access/server rights. To change the permission, click the icon and choose either Allow or Ask.

Active icon  The program is currently active.

Adding Programs to the Programs List If you want to specify access or server permission for a program that does not appear on the programs list, you can add the program to the list and set permissions.

To add a program to the programs list:

1. Open Program Control Programs.

2. Click Add.

The Add Program window appears.

3. Select the program you want to add and click Open.

Be sure to select the program's executable file.

To edit a program on the programs list:

1. Open Program Control Programs.

2. Right-click a program in the Programs column and choose one of the available options.

Table 6-21 Program Control Options

Changes Frequently  The client uses only the file path to authenticate the program; the MD5 signature is not checked.

Caution: This is a Low security setting. Any file placed at that path, including a replaced or trojanized executable, inherits the program's permissions without raising a Changed Program alert. Use it only for programs that are rebuilt or updated so often that the alerts become unworkable.

Options  Opens the Program Options dialog box, in which you can customize security options and create expert rules for programs.

Properties  Opens your operating system's properties dialog box for the program.

Remove  Deletes the program from the list.
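Program Authentication above and the Changes Frequently option in Table 6-21 describe the same mechanism from two sides: a checksum of the executable and its components is recorded when permission is granted and re-checked on the next request, and Changes Frequently switches that check off for the executable. The example below is written for this edit and is not Check Point code; it models that behaviour with SHA-256 (the client uses an MD5-based Smart Checksum, and MD5 collisions are practical today, so a hash-only rule is only as strong as its hash). The file names, the alert names as strings and the tampering scenario are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not Check Point code. A baseline records a digest of the
# main executable and each component (DLL) it loads; authenticate() re-hashes
# them and reports what the client would raise as an alert.


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(executable, components):
    """Record digests for the main executable and its components (keyed by path)."""
    return {str(Path(p)): file_digest(p) for p in [executable, *components]}


def authenticate(executable, components, baseline, changes_frequently=False):
    """Return the (alert_kind, path) pairs a program-control client would raise.

    changes_frequently=True models the 'Changes Frequently' option: the
    executable is matched by path only, so a replaced binary at the same
    path passes. Components are still checked against the baseline.
    """
    alerts = []
    for path in [executable, *components]:
        key = str(Path(path))
        is_exe = path == executable
        if key not in baseline:
            alerts.append(("New Program" if is_exe else "New Component", key))
        elif is_exe and changes_frequently:
            continue  # path-only check: the checksum is deliberately not verified
        elif file_digest(path) != baseline[key]:
            alerts.append(("Changed Program" if is_exe else "Program Component", key))
    return alerts


def demo():
    """Constructed scenario: baseline a fake program, replace its executable, re-check."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")
        dll = os.path.join(d, "helper.dll")
        Path(exe).write_bytes(b"MZ original program bytes")   # constructed content
        Path(dll).write_bytes(b"MZ original helper bytes")
        baseline = build_baseline(exe, [dll])

        clean = authenticate(exe, [dll], baseline)
        Path(exe).write_bytes(b"MZ trojanized program bytes")  # simulate tampering
        strict = authenticate(exe, [dll], baseline)
        lax = authenticate(exe, [dll], baseline, changes_frequently=True)
        return clean, strict, lax


if __name__ == "__main__":
    for label, result in zip(("clean", "strict", "changes-frequently"), demo()):
        print(label, result)
```

The third result is the point of the caution in Table 6-21: with Changes Frequently set, the tampered executable produces no alert at all.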


Granting Internet Access Permissions to Programs There are different ways a program can be granted permission to access the Internet: through a response to an alert, through manual configuration in the programs list, and by automatic configuration by the client.

Many of your most commonly used programs can be automatically configured for safe Internet access. To determine whether a program was configured manually or automatically, select the program in the Programs List and refer to the Entry Details field.

To grant a program permission to access the Internet:

1. Open Program Control Programs.

2. In the Programs column, click the program and choose Allow.

Built-in rules ensure a consistent security policy for each program. Programs with access to the Internet Zone also have access to the Trusted Zone. Programs with server permission in a Zone also have access permission for that Zone. This is why (for example) selecting Allow under Trusted Zone/Internet Zone automatically sets all of the program's other permissions to Allow.
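The permission model described in this chapter (per-Zone access and server permissions of Allow, Block or Ask; the Table 6-17 and 6-18 defaults for programs not yet on the list; the deny-when-the-client-is-down option from Table 6-19; the Internet lock with Pass-lock; and the built-in implication rules above) as one policy-evaluation routine. This is an added example written for this edit, not the Check Point client's logic: the program names are invented, and the reading that Internet Zone server permission also implies Trusted Zone server permission, and the order in which the implications are applied, are assumptions.

```python
from dataclasses import dataclass

# Added example, not Check Point code: a model of the program-control
# decision for one network request.

ALLOW, BLOCK, ASK = "Allow", "Block", "Ask"
TRUSTED, INTERNET = "Trusted", "Internet"
ZONES = (TRUSTED, INTERNET)


@dataclass
class ProgramEntry:
    access: dict          # zone -> ALLOW / BLOCK / ASK
    server: dict          # zone -> ALLOW / BLOCK / ASK
    pass_lock: bool = False


@dataclass
class Policy:
    programs: dict            # program name -> ProgramEntry (the Programs list)
    new_access_default: dict  # Table 6-17: zone -> verdict for unlisted programs
    new_server_default: dict  # Table 6-18
    deny_when_ui_down: bool = True   # Table 6-19 option
    lock_engaged: bool = False       # automatic Internet lock state


def normalize(entry):
    """Apply the built-in rules without mutating the stored entry.

    Internet Zone permission implies Trusted Zone permission (assumed to
    hold for server permission as well), and server permission in a zone
    implies access permission in that zone.
    """
    access, server = dict(entry.access), dict(entry.server)
    if server[INTERNET] == ALLOW:
        server[TRUSTED] = ALLOW
    for zone in ZONES:
        if server[zone] == ALLOW:
            access[zone] = ALLOW
    if access[INTERNET] == ALLOW:
        access[TRUSTED] = ALLOW
    return ProgramEntry(access, server, entry.pass_lock)


def decide(policy, program, zone, kind, ui_running=True):
    """Verdict for `program` requesting `kind` ('access' or 'server') in `zone`."""
    entry = policy.programs.get(program)
    if policy.lock_engaged and not (entry and entry.pass_lock):
        return BLOCK                       # lock: only Pass-lock programs get through
    if entry is None:                      # not on the list: Table 6-17 / 6-18 defaults
        table = policy.new_server_default if kind == "server" else policy.new_access_default
        verdict = table[zone]
    else:
        entry = normalize(entry)
        verdict = (entry.server if kind == "server" else entry.access)[zone]
    if verdict == ASK and not ui_running and policy.deny_when_ui_down:
        return BLOCK                       # nobody can answer the alert, so deny
    return verdict


def demo():
    """Constructed programs list and defaults; returns the verdicts for a few requests."""
    browser = ProgramEntry(access={TRUSTED: ASK, INTERNET: ALLOW},
                           server={TRUSTED: BLOCK, INTERNET: BLOCK})
    chat = ProgramEntry(access={TRUSTED: ASK, INTERNET: ASK},
                        server={TRUSTED: ASK, INTERNET: ALLOW}, pass_lock=True)
    policy = Policy(programs={"browser.exe": browser, "chat.exe": chat},
                    new_access_default={TRUSTED: ASK, INTERNET: ASK},
                    new_server_default={TRUSTED: ASK, INTERNET: BLOCK})
    results = {
        "browser trusted access": decide(policy, "browser.exe", TRUSTED, "access"),
        "chat trusted access": decide(policy, "chat.exe", TRUSTED, "access"),
        "unknown internet server": decide(policy, "unknown.exe", INTERNET, "server"),
        "unknown internet access": decide(policy, "unknown.exe", INTERNET, "access"),
        "unknown, client UI down": decide(policy, "unknown.exe", INTERNET, "access",
                                          ui_running=False),
    }
    policy.lock_engaged = True
    results["browser while locked"] = decide(policy, "browser.exe", INTERNET, "access")
    results["chat while locked"] = decide(policy, "chat.exe", INTERNET, "access")
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:28} -> {verdict}")
```

Note what the implication rules do to the chat program: a single Allow on Internet Zone server permission turns every other permission to Allow, which is exactly the warning in Granting Server Permission to Programs below.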

Granting Server Permission to Programs Exercise caution when granting permission for programs to act as a server, as Trojan horses and other types of malware often need server rights. Permission to act as a server should be reserved for programs you know and trust, and that need server permission to operate properly.

To grant a program permission to act as a server:

1. Open Program Control Programs.

2. In the Programs column, click the program and choose Allow.

Granting Send Mail Permission to Programs To enable your e-mail program to send e-mail messages and to enable protection against e-mail threats, grant send mail permission to your e-mail program.

To grant send mail permission to a program:

1. Open Program Control Programs.

2. In the list, click in the Send Mail column of the program and choose Allow.

Advanced Program Control Advanced Program Control tightens your security by preventing unknown programs from using trusted programs to access the Internet, and by preventing malicious code from using the Windows CreateProcess and OpenProcess functions to launch or manipulate other processes on your computer.

By default, the following applications are allowed to use other programs to access the Internet:

Endpoint Security

MS Word, Excel, PowerPoint, and Outlook

To enable Advanced Program Control for a program:

1. Open Program Control Programs.

2. In the Programs column, select a program.

3. Click Options.

The Program Options window appears.

4. Open the Security tab.

5. Set Advanced Program Control options.


Table 6-22 Advanced Program Controls

This program may use other programs to access the Internet

Allows the selected program to use other programs to access the Internet.

Allow Application Interaction Allows the selected program to use OpenProcess and CreateProcess functions on your computer.

Disabling Outbound Mail Protection By default, Outbound Mail protection is enabled for all programs. Because the ability to send e-mail is not a characteristic of all programs, you may choose to disable Outbound Mail protection for any program that does not require it.

To disable Outbound Mail protection for a program:

1. Open Program Control Programs.

2. Select a program from the list and then click Options.

The Program Options window appears.

3. Open the Security tab.

4. Clear the Enable Outbound E-mail Protection for this program checkbox.

Setting Authentication Options By default, all programs are authenticated together with their components. You can specify authentication options for a program from the Program Options window.

Allowing Others to Use Programs You may want to prevent your children from changing your security settings, but still allow them to use new programs.

To allow access to programs without using a password:

1. Open Overview Preferences.

2. Click Set Password.

3. Select the Allow others to use programs without a password (unless the program permission is set to "Block") checkbox.

With this option selected, users must provide a password before they will be allowed to change your settings. However, without providing a password, users will be able to allow Internet access for new programs and programs whose permissions are set to "Ask". For programs explicitly blocked by you, access will continue to be denied.

4. Click OK.

Managing Program Components For each program on your computer, you can specify whether the client will authenticate the base executable only, or the executable and the components it loads. In addition, you can allow or deny access to individual program components.

The Components List contains the program components for allowed programs that have tried to access the Internet or the local network. The Access column indicates whether the component is always allowed access, or whether the client should alert you when that component requests access.

As you use your computer, the client detects the components that are used by your programs and adds them to the Components List.


To access the Components List:

1. Open Program Control Components.

To grant access permission to a program component:

1. Open Program Control Components.

2. Select a component from the list and then click in the Access column and choose Allow.

Using Programs with the Client To ensure that your other software programs are compatible with the client, you may need to modify the program's configuration settings.

Many of your most commonly used programs can be configured automatically for Internet access. To see if the programs you use can be automatically configured, consult the list in the Program Wizard. Although in some cases Internet access can be configured automatically, many programs also require server access rights.

Using Antivirus Software For antivirus software to receive updates, it must have access permission for the Trusted Zone.

To receive automatic updates from your antivirus software vendor, add the domain that contains the updates (e.g., update.avsupdate.com) to your Trusted Zone. See Adding to the Trusted Zone.

Using Browsers For your browser to work properly, it must have access permission for the Internet Zone and Trusted Zone. Before granting permission, make sure that you understand how to configure your browser's security for optimal protection and have the latest service packs installed for the browser you are using.

To grant your browser access permission, do any of the following:

Run the Program Wizard.

The client will automatically detect your default browser and prompt you to grant it Internet Zone access.

Grant access to the program directly. See Granting Internet Access Permissions to Programs (on page 67).

Answer Yes when a Program alert for the browser appears.

Using Chat Chat and instant messaging programs (for example, AOL Instant Messenger) may require server permission to operate properly.

To grant server permission to your chat program:

Answer Yes to the Server Program alert.

Grant server permission to the program.

See Granting Server Permission to Programs (on page 67).

Important - It is strongly recommended that you set chat software to refuse file transfers without prompting first.

Using E-mail For your e-mail program to send and receive mail, it must have access permission for the Zone the mail server is in. In addition, some e-mail client software may have more than one component requiring server permission. For example, Microsoft Outlook requires both the base application (OUTLOOK.EXE) and the Messaging Subsystem Spooler (MAPISP32.exe) to have server permission.


To securely give e-mail programs access:

1. Add the local mail server to the Trusted Zone.

2. Limit the e-mail program access to the Trusted Zone.

3. Add the remote mail server (host) to the Trusted Zone.

Note - You can also heighten security by limiting the ports that your e-mail program can use (see Default Port Permission Settings (on page 58)).

Using Internet Answering Services To use Internet answering machine programs (such as CallWave) with the client:

1. Give the program server permission and access permission for the Internet Zone.

2. Add the IP address of the vendor's servers to the Trusted Zone.

3. Set the security level for the Internet Zone to medium.

Note - To find the server IP address, contact the vendor's technical support.

Using File Sharing File sharing programs, such as Napster, Limewire, AudioGalaxy, or any Gnutella client software, must have server permission for the Internet Zone to work with the client.

Using FTP To use FTP (File Transfer Protocol) programs, you may need to adjust your FTP client program settings.

To enable FTP with the client:

1. Enable passive or PASV mode in your FTP client.

In passive mode the FTP client opens the data connection to the server, as it already did for the control connection, so the client program needs only outbound (access) permission. If PASV is not enabled, the FTP server opens a new connection back to your computer on the port the client announced for the data transfer, and the client may block that inbound connection because the FTP program has no server permission.

2. Add the FTP sites you use to the Trusted Zone.

3. Give Trusted Zone access permission to your FTP client program.

To learn how to add to the Trusted Zone and give access permission to a program, see Setting Advanced Security Options (on page 55).
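Why step 1 matters, as an added example that is not part of the Check Point guide: the two FTP control-channel transcripts are constructed (documentation address ranges, not real hosts), and the small parser decodes the PORT command and the 227 reply to show which side opens the data connection and which of those connections a client-side firewall that grants the FTP program only outbound access would reject.

```python
import re

# Added example, not from the Check Point guide. Constructed FTP control-channel
# transcripts (C: = client, S: = server). Addresses are documentation ranges.
ACTIVE_MODE = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.invalid
S: 230 Login successful.
C: PORT 192,168,1,10,200,21
S: 200 PORT command successful.
C: LIST
S: 150 Here comes the directory listing.
"""

PASSIVE_MODE = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.invalid
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (203,0,113,5,195,80).
C: LIST
S: 150 Here comes the directory listing.
"""

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields (h1,h2,h3,h4,p1,p2) into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in FTP host-port string")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connections(transcript):
    """Return (initiator, ip, port) for each data connection the transcript sets up."""
    found = []
    for line in transcript.splitlines():
        who, _, msg = line.partition(": ")
        if who == "C" and (m := PORT_RE.match(msg)):
            ip, port = decode_hostport(m.groups())
            found.append(("server", ip, port))   # active mode: server connects back to client
        elif who == "S" and (m := PASV_RE.match(msg)):
            ip, port = decode_hostport(m.groups())
            found.append(("client", ip, port))   # passive mode: client opens the connection
    return found


def blocked_by_host_firewall(transcript, client_has_server_permission=False):
    """Data connections a client-side firewall rejects when the FTP program has
    access (outbound) permission but no server (inbound) permission."""
    return [c for c in data_connections(transcript)
            if c[0] == "server" and not client_has_server_permission]


if __name__ == "__main__":
    for name, transcript in (("active", ACTIVE_MODE), ("passive", PASSIVE_MODE)):
        print(name, data_connections(transcript), "blocked:",
              blocked_by_host_firewall(transcript))
```

The passive transcript still needs the client to reach the server's ephemeral data port (50000 here), which is why steps 2 and 3 add the FTP site to the Trusted Zone and give the FTP program access permission there rather than opening server permission.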

Using Streaming Media Applications that stream audio and video, such as RealPlayer, Windows Media Player, and QuickTime, must have server permission for the Internet Zone to work with the client.

To learn how to give server permission to a program, see Granting Server Permission to Programs (on page 67).

Using Games To play games over the Internet while using the client, you may have to adjust the program permissions and security levels.


Using Remote Control If your computer is either the host or the client of a remote access system such as PCAnywhere or Timbuktu, configure the remote control.

To configure remote access:

1. Add the IP addresses of the hosts or clients to your Trusted Zone. See Adding to the Trusted Zone.

2. Add the subnet of the network you are accessing remotely to your Trusted Zone.

3. If a dynamic IP address is assigned to the remote machine, add the DHCP server address or range of addresses to the Trusted Zone.

Important - If the remote control client or host is on a network not under your control, perimeter firewalls or other network features may prevent you from connecting.

Using VNC To enable VNC and Endpoint Security to work together:

1. On both the server and viewer (client) machine, do one of the following:

If you know the IP address or subnet of the viewer (client) you will be using for remote access, and it will always be the same, add that IP or subnet to the Trusted Zone. See Adding to the Trusted Zone.

If you do not know the IP address of the viewer, or it will change, give the program access permission and server permission for the Trusted and Internet Zones. See Setting Specific Permissions (on page 65).

When prompted by VNCviewer on the viewer machine, provide the name or IP address of the server machine, followed by the password. You should be able to connect.

2. On the viewer (client) machine, run VNCviewer to connect to the server machine. Do not run in "listen mode."

Important - If you enable VNC access by giving it server permission and access permission, be sure to set and use your VNC password to maintain security.

It is recommended to add the server and viewer IP addresses to the Trusted Zone, rather than giving the application Internet Zone permission.

Using Voice over IP To use Voice over IP (VoIP) programs with the client, you must do one or both of the following, depending on the program:

1. Give the VoIP application server permission and access permission.

2. Add the VoIP provider's servers to the Trusted Zone. To learn the IP addresses of these servers, contact your VoIP provider's customer support.

Using Web Conferencing If you experience problems using a Web conferencing program, such as Microsoft NetMeeting:

1. Add the domain or IP address that you connect to, to the Trusted Zone. See Adding to the Trusted Zone

2. Disable the web conferencing program's Remote Desktop Sharing option.


Chapter 7

Full Disk Encryption Full Disk Encryption is a policy-based, enterprise security software solution. Full Disk Encryption combines boot protection, preboot authentication and strong encryption to ensure only authorized users are granted access to information stored in desktop and laptop PCs.

Full Disk Encryption is deployed and administered across the network. As encryption is both automatic and transparent, security is enforced without requiring special efforts from users.

In This Chapter

Authenticating to Full Disk Encryption 72

Ensuring That Your Computer Has Not Been Tampered With 72

Authenticating for the First Time 72

Optional Full Disk Encryption Features 75

Using the Full Disk Encryption Panel 78

Authenticating to Full Disk Encryption This section discusses how to use a fixed password, dynamic token, or smart card/USB token to authenticate yourself, to access your Full Disk Encryption-protected computer.

Being authenticated means being verified by Full Disk Encryption as someone who is authorized to use a specific computer. When you switch on or restart a Full Disk Encryption-protected computer, the User Account Identification dialog box opens.

Enter a valid user account name and password. Full Disk Encryption verifies that you are authorized to access the computer and allows the computer to start.

Ensuring That Your Computer Has Not Been Tampered With

If you did not personally start the machine yourself, you should always press CTRL+ALT+DEL to restart your computer before authenticating yourself. This ensures that your computer has not been tampered with and that your user account name and password cannot be hijacked.

Authenticating for the First Time The following sections explain how to access your Full Disk Encryption-protected computer as a new user.

Assume that your administrator has configured a temporary user account and password for you. The first time you authenticate to Full Disk Encryption, you must use the temporary user account name and password.

After you have successfully entered the temporary user account name and password, Full Disk Encryption prompts you to enter your personal (new) user account name and fixed password (or to use a dynamic token or smart card for authentication). These are the credentials you will use in the future, instead of the


temporary user account name and password. Your administrator will inform you of your user account name and of requirements for the password.

Instead of a temporary user account, your administrator may have configured your personal user account and a password, or configured a dynamic token or smart card for your authentication. The administrator will inform you how you are to authenticate yourself the first time.

Using a Fixed Password A fixed password is a private string of characters, known only to you and Full Disk Encryption, which you use each time you want to access the computer.

Your Full Disk Encryption administrator will tell you which user account name and password to use the first time you access the Full Disk Encryption-protected computer.

To authenticate yourself with a fixed password:

1. Start your Full Disk Encryption-protected computer.

The User Account Identification dialog box opens.

Note - If you did not personally start the computer, press CTRL+ALT+DEL to ensure that your computer has not been tampered with. Your computer restarts and Full Disk Encryption re-displays the User Account Identification dialog box.

2. Provide the following information:

In the User account name field, enter the user account name you received from your administrator.

In the Password field, enter the password you received from your administrator. The password is obscured with asterisks (*) when entered.

3. Click OK.

4. If your administrator has configured your ordinary user account instead of a temporary account, click Continue. You are authenticated and Full Disk Encryption allows Windows to start.

If your administrator has configured a temporary user account for you, Full Disk Encryption displays the following message:

Before continuing, the temporary user account name must be changed to your regular

user account name, and a new password must be set. Your correct user account name

might already be displayed in the next window. If it is correct, you only have

to set a new password.

5. Click OK to close the message box.

You will now enter your personal (new) user account name and fixed password. These are the credentials you will use in the future, instead of the temporary user account name and password that you just used.

The Temporary User dialog box opens.

6. Provide your personal user account name and click OK.

The Set new password dialog box opens.

7. Provide and confirm the fixed password you want to use and click OK.

Full Disk Encryption confirms that you have successfully accessed the computer for the first time using your Full Disk Encryption credentials.

8. Click Continue to close the dialog box.

Full Disk Encryption now allows Windows to start.

Using a Dynamic Token A dynamic token is a password you generate using a password token every time you want to be authenticated by Full Disk Encryption.

Your Full Disk Encryption administrator will provide you with a dynamic token, the information you need to use it, and a username.

To authenticate yourself using a dynamic token:

1. Start your Full Disk Encryption-protected computer.

The User Account Identification dialog box opens.


Note - If you did not personally start the computer, press CTRL+ALT+DEL to ensure that your computer has not been tampered with. Your computer restarts and Full Disk Encryption re-displays the User Account Identification dialog box.

2. In the User account name field, provide the username you received from your administrator and press TAB.

Full Disk Encryption recognizes that you will be using a dynamic token to authenticate yourself and displays a challenge in the User Account Identification dialog box.

3. In the dynamic token, provide the Full Disk Encryption challenge to generate a response.

4. Provide the response in the Response field and click OK.

Full Disk Encryption confirms that you have successfully accessed the computer for the first time using your Full Disk Encryption credentials.

5. Click Continue to close the dialog box.

Full Disk Encryption now allows Windows to start.
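The challenge-response exchange in the dynamic token procedure above, as an added illustration written for this edit and not taken from Check Point: the preboot side issues a one-time challenge, the token turns it into a response, and the preboot side checks it. The response algorithm (HMAC-SHA256 over the challenge, truncated to 8 decimal digits in the HOTP style), the user names and the seeds are assumptions; the page does not describe the real token's algorithm.

```python
import hashlib
import hmac
import secrets

# Added illustration, not Check Point code. Assumes each user's token shares
# a secret seed with the preboot environment.

DIGITS = 8


def token_response(seed: bytes, challenge: str) -> str:
    """What the token computes from the challenge shown on screen (assumed algorithm)."""
    mac = hmac.new(seed, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation, RFC 4226 style
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class PrebootAuthenticator:
    """The preboot side: issues single-use challenges and checks responses."""

    def __init__(self, seeds: dict, max_failures: int = 3):
        self.seeds = seeds                        # user account name -> token seed
        self.pending = {}                         # user -> outstanding challenge
        self.failures = {}
        self.max_failures = max_failures
        self._decoy = secrets.token_bytes(32)     # keeps unknown users on the same code path

    def issue_challenge(self, user: str) -> str:
        # A challenge is issued even for unknown account names so the prompt
        # does not reveal which accounts exist on the machine.
        challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        if self.failures.get(user, 0) >= self.max_failures:
            return False                          # locked out: Remote Help is the way back in
        challenge = self.pending.pop(user, None)  # consumed here, so a replayed response fails
        if challenge is None:
            return False
        seed = self.seeds.get(user, self._decoy)
        expected = token_response(seed, challenge)
        ok = user in self.seeds and hmac.compare_digest(expected, response)
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
        return ok


if __name__ == "__main__":
    preboot = PrebootAuthenticator({"alice": b"constructed-seed"})
    shown = preboot.issue_challenge("alice")            # step 3: challenge displayed
    typed = token_response(b"constructed-seed", shown)  # token generates the response
    print("challenge", shown, "response", typed, "accepted:", preboot.verify("alice", typed))
    print("replay accepted:", preboot.verify("alice", typed))
```

The two properties worth keeping in mind when evaluating any such token scheme are visible here: the challenge is consumed on first use, so a response seen over someone's shoulder is worthless afterwards, and a wrong response is compared in constant time and counted against a lockout.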

Using a Smart Card/USB Token Smart cards and USB tokens store certificates protected by PIN codes. To be authenticated by Full Disk Encryption, you must connect the card or token to the computer and enter a valid card or token PIN.

Your Full Disk Encryption administrator will supply you with your smart card or USB token, the information you need to use it, and if necessary, a temporary username and password to use the first time you access the Full Disk Encryption protected computer.

Ensure that your smart card/USB token is connected to your computer before you start to authenticate yourself.

To authenticate yourself using a smart card/USB token:

1. Connect your smart card/USB token to your Full Disk Encryption-protected computer.

2. Start your computer.

The User Account Identification dialog box opens.

Note - If you did not personally start the computer, press CTRL+ALT+DEL to ensure that your computer has not been tampered with. Your computer restarts and Full Disk Encryption re-displays the User Account Identification dialog box.

Provide the following information:

In the User account name field, enter the user account name you received from your administrator.

In the Password field, enter the password you received from your administrator. The password is obscured with asterisks (*) when entered.

3. Click OK.

If your administrator has configured your ordinary user account instead of a temporary account, skip the next two steps.

If your administrator has configured a temporary user account for you, Full Disk Encryption displays the following message:

Before continuing, the temporary user account name must be changed to your regular

user account name, and a new password must be set. Your correct user account name

might already be displayed in the next window. If it is correct, you only have

to set a new password.

4. Click OK to close the message box.

The Temporary User dialog box opens.

5. Provide your new user account name and click OK.

Full Disk Encryption recognizes that you have a user account that uses a smart card for authentication. It confirms that this is the first time you are logging on with the new user account name. The Logon Successful dialog box opens.

6. Click Continue.

After Windows loads, the Change Credentials dialog box opens.

7. Select the certificate you want to use and click OK.


Important - Do NOT choose the Personal Store certificate; if you do, you will not be able to authenticate yourself after restarting the computer.

Full Disk Encryption confirms that your user certificate has been updated.

8. Click OK.

9. Restart the computer when prompted to do so.

After restarting, the Token Authentication dialog box opens.

10. Enter your PIN. The PIN is obscured with asterisks (*) when entered.

11. Click OK.

Note - Regardless of the keyboard layout used, we recommend that you use smart card PINs that are comprised only of ASCII characters: !"#$%&'()*+,-./ 0123456789:;<=>?@ ABCDEFGHIJKLMNOPQRSTUVWXYZ [\]^_`abcdefghijklmnopqrstuvwxyz{|}~ The space character is also an ASCII character.

Full Disk Encryption communicates with the smart card and performs authentication.

12. Click OK.

What if I forget my password? If you forget your password, you can use the Full Disk Encryption Password Change option.

To change your password:

1. Start your Full Disk Encryption-protected computer. The User Account Identification dialog box opens.

2. Provide your user account name and select Remote Help.

The Remote Help Logon dialog box opens.

3. Call your Full Disk Encryption administrator or helpdesk to guide you through the password change process.

What if I don't have access to my token/smart card? If you do not have access to your dynamic token or smart card, you can use the Full Disk Encryption One-Time logon option.

To use the One-Time logon option:

1. Start your Full Disk Encryption-protected computer. The User Account Identification dialog box opens.

2. Provide your user account name and select Remote Help.

The Remote Help Logon dialog box opens.

3. Select the One-Time Logon option to enable that function. Call your Full Disk Encryption administrator or helpdesk to guide you through the one-time logon process.

Optional Full Disk Encryption Features This section describes some optional features which your administrator may have chosen to configure for your Full Disk Encryption installation. For example, depending on the configuration, you may or may not be able to use the same password for logging on to Windows as for authenticating yourself to Full Disk Encryption, or you may not have to provide your Full Disk Encryption credentials at all.

Synchronizing Passwords

Using Full Disk Encryption's password synchronization, you can synchronize Windows and Full Disk Encryption passwords with each other, assuming that your administrator has enabled password synchronization for your user account.

Depending on the settings configured by your administrator, your passwords may be synchronized in one or both of the following ways:


Using the Windows password when authenticating to Full Disk Encryption

If this synchronization option has been configured for you, the Windows password is also used for Full Disk Encryption preboot authentication. Once synchronized, changing the Windows password will automatically change the Full Disk Encryption password to the new Windows password.

(This setting is called Synchronize Windows Password to Preboot in the administrator’s application.)

Using the Full Disk Encryption password when logging on to Windows

If this synchronization option has been configured for you, the password used for Full Disk Encryption preboot authentication is used also for Windows authentication. Once synchronized, changing the Full Disk Encryption password will automatically change the Windows password to the new Full Disk Encryption password.

(This setting is called Synchronize Preboot Password to Windows in the administrator’s application.)

Using the Windows Password for Full Disk Encryption

When your password synchronization policy has been changed so that you will use the Windows password to authenticate yourself to Full Disk Encryption, the passwords will be synchronized after you do either of the following:

Change your Windows password

Log on to Windows for the first time after the policy change.

You will be prompted to provide your Full Disk Encryption password, and it will be synchronized with the Windows password.

When the passwords have been synchronized, changing the Windows password will automatically change the Full Disk Encryption password to the new Windows password.

To synchronize the Full Disk Encryption password with the Windows password:

1. When you have either changed your Windows password or logged on to Windows for the first time after the policy change, the Password Synchronization dialog box opens.

2. Provide your Full Disk Encryption password and click OK.

Full Disk Encryption confirms that your password was changed.

From now on, use your Windows password when authenticating yourself to Full Disk Encryption.

Using the Full Disk Encryption Password for Windows

When your password synchronization policy has been changed so that you will use the Full Disk Encryption password to log on to Windows, the passwords will be synchronized after you do either of the following:

Change your Full Disk Encryption password

When you change your Full Disk Encryption password, you will be prompted for your Windows password. It is then synchronized with your Full Disk Encryption password.

Log on to Windows for the first time after the policy change

The passwords are synchronized automatically.

When the passwords have been synchronized, changing the Full Disk Encryption password will automatically change the Windows password to the new Full Disk Encryption password.

Single Sign-on and OneCheck Logon

This section describes how to log on with either Single Sign-on (SSO) or OneCheck Logon.

Single Sign-on: The Single Sign-on (SSO) feature enables you to authenticate to Full Disk Encryption and to be automatically authenticated and logged on to Windows.

OneCheck Logon: The OneCheck Logon feature enables you to authenticate to Full Disk Encryption and to be automatically authenticated and logged on to Windows, Endpoint Connect VPN, and Media Encryption.

Note - Your Full Disk Encryption administrator decides whether you will have access to SSO, to OneCheck Logon, or to neither.


First Logon after Enabling SSO or OneCheck Logon

After the administrator has enabled SSO or OneCheck Logon for your Full Disk Encryption user account on a computer, Full Disk Encryption must learn your account’s credentials. This is done at the first logon after SSO or OneCheck Logon is enabled. At this logon, you log on to Windows as usual. Full Disk Encryption then stores your credentials securely and uses them on subsequent logons when SSO or OneCheck Logon is enabled.

De-selecting the SSO Option

When the SSO option is not selected (when the SSO Active checkbox is not selected), no credentials are passed to Windows. This permits a different Windows user account to be used.

If SSO has been turned off, no Windows credentials will be recorded or used, and the chain is broken. If SSO is then turned back on, the previous credentials must be specified again for SSO to function again.

SSO and OneCheck Logon and Password Changes

Periodically, it will be necessary to change your Windows password. Full Disk Encryption will look for Change Password dialog boxes and record the changes. When a Change Password dialog box is opened, Full Disk Encryption records what is entered into the new password field. When you next restart your computer, SSO or OneCheck Logon will work as usual, because the new password has already been stored.

Logging on with SSO or OneCheck Logon Enabled

Logging on when SSO or OneCheck Logon is enabled is similar to logging on without SSO or OneCheck Logon. Just remember to select the SSO Active checkbox. OneCheck Logon uses the same dialog box.

To log on with SSO enabled:

1. Authenticate yourself as usual in the User Account Identification dialog box.

2. Make sure that the SSO Active checkbox is selected, and click OK.

Your computer starts, and with SSO you are automatically logged on to Windows. With OneCheck Logon you are automatically logged on to Windows and to either Endpoint Connect VPN, Media Encryption or both.

Note - If your administrator has configured the SSO Active checkbox to be selected by default, you can clear it if you do not want to use SSO.

Windows Integrated Logon

If the Windows Integrated Logon (WIL) feature has been selected by your administrator, you are normally logged on to Windows without entering your Full Disk Encryption credentials.

Depending on the settings configured by your Full Disk Encryption administrator, you may not be able to start Windows in Safe Mode.

In addition, you may need to authenticate yourself to Full Disk Encryption if you have:

Removed your WIL-enabled computer from the network

Added hardware devices to your WIL-enabled computer or in any way tampered with the hard drive

Moved the hard drive to another computer

Exceeded the allowed number of failed attempts to log on to Windows.

If the system detects any indications of these issues, WIL may be disabled automatically. The computer then restarts, and you must authenticate yourself to Full Disk Encryption before the operating system is loaded.


Using the Full Disk Encryption Panel

This section describes how to use the Full Disk Encryption panel in Endpoint Security Client after you have authenticated yourself to Full Disk Encryption and gained access to the operating system. In the Full Disk Encryption panel, you can:

View status and encryption information

Change your Full Disk Encryption user credentials

Change the language used in the Full Disk Encryption client user interface.

Viewing Status and Encryption Information

You can view the status information of your Full Disk Encryption installation in the Full Disk Encryption panel.

To view status information:

Open Full Disk Encryption > Status.

Full Disk Encryption Status Information

The Full Disk Encryption Status panel displays the following status information.

Status Field | Explanation
Locally installed version | The version of Full Disk Encryption currently installed on this computer.
Preboot user account | The name of the user account that authenticated at preboot.
OneCheck | OneCheck can be on or off.
FDEMC user account | The name of the user account currently logged on to Full Disk Encryption Management Console (FDEMC), if applicable.
MI mode | Indicates whether this installation of Full Disk Encryption is running in MI mode or not. The possible values are: Yes or No.
Windows integrated logon | The current value specified for the Windows Integrated Logon setting. The possible values are: Enabled or Disabled.
Last recovery update | Date and time when the most recent recovery file was created.
Last recovery file delivery | Date and time a recovery file was last copied to its target directory. The target directory is the directory specified under Recovery Path in the Install settings under System Settings.
Last log file update | Date and time the log file was last updated by Full Disk Encryption.
Last log file delivery | Date and time the local log file was last written by Full Disk Encryption. The file name of the local log file is the same as the name of the machine. The local log file is written to the directory or directories specified in Set Central Log Path(s) (Install settings under System Settings).
Last local edit | Date and time of the most recent change to a Local setting; also contains the group and the user account name of the user who made the change.
Last update profile | Date and time when the most recent update profile was downloaded and the path, including the profile name, from which it was downloaded.
License expire date | Date when the license expires. Expiration date is only used for evaluation versions of the product.
License activation | State of the Full Disk Encryption license.

Full Disk Encryption License Activation Information

License activation states may be one of the following:

License activated: Normally, the license is activated automatically on the license server used for your installation.

License not activated: If your license is not activated for some reason, Full Disk Encryption will display nag dialogs, prompting you to activate the license on the license server. If you experience this, make sure you are online. When you are, the information is automatically sent to the license server. If Full Disk Encryption displays nag dialogs even when you are online, contact your help desk.

Activation disabled: If you are using a legacy license which cannot be registered on the license server, license activation is disabled.

Encryption Information

The following Encryption information relevant to each volume is displayed:

Status Field | Explanation
Encrypting nn% | Displays the progress of encryption and the percentage of encryption completed.
Fully encrypted | States that the volume is fully encrypted.
Decrypting nn% | Displays the progress of decryption as the percentage of decryption completed.
Unencrypted | States that the volume is unencrypted.
Error | An error has occurred during encryption or decryption.

Note - If a disk is neither encrypted nor boot-protected, it is not listed in the encryption information box.

Changing Authentication Credentials

Using the Full Disk Encryption GUI, you can:

Change your password if you authenticate yourself with a fixed password.

Change your current authentication method (logon method): fixed password, dynamic token, or smart card. The authentication method or methods to which you can change are active under Logon method in the Change Credentials dialog; the others are dimmed because they are unavailable.


To change credentials:

1. Open Full Disk Encryption > Other.

2. Click Change.

The Full Disk Encryption Authentication dialog box opens.

3. Authenticate in the Full Disk Encryption authentication dialog box. If you use a smart card for authentication, select Use inserted smart card.

If you need to use Remote Help to authenticate, contact your Remote Help administrator, who will guide you through the Remote Help procedure.

After successful authentication, the Change Credentials dialog box opens.

The Change Credentials dialog box displays the logon methods that are available to you. The available methods can be:

Fixed Password: Provide and confirm a new password if you authenticate with a fixed password. If the Hide typing checkbox is selected, the characters you enter are disguised as asterisks (*), otherwise the actual characters entered are displayed. The dialog box provides guidance on the validity of the password you enter.

Dynamic token: Provide the required information.

Smart card: Provide the required information.

4. Select the available Logon method to which you want to change.

5. Click OK.

Changing the Language Used in the Interface

You can change the language used in the Full Disk Encryption client's preboot interface, system tray, recovery utility, and Single Sign-on interface (if Single Sign-on is active).

To change the language used:

1. Open Full Disk Encryption > Other.

2. From the Select Language drop-down menu, select the language you want to use.

3. Close Endpoint Security Client. The next time you start Full Disk Encryption, the preboot environment dialog will use the language you selected.

Languages Supported

The following languages are supported in Full Disk Encryption:

Brazilian Portuguese

Canada French

Chinese (Simplified)

Chinese (Taiwan)

Czech

English

French

German

Hungarian

Italian

Japanese

Korean

Polish

Portuguese

Russian

Spanish

Thai


These languages are available in:

Client preboot interface

Client system tray

Client single sign-on dialog (if single sign-on is active on that client)

Client OneCheck Logon dialog (if it is active on that client)

Fallback Languages

If the operating system language is a non-supported variant of one of the supported languages, for example, French (Canada) or Chinese (Singapore), the language variant that will be used is the fallback language listed in the following table:

ID     | Selected Language                     | Fallback Language        | Fallback ID
0x0C04 | Chinese (Hong Kong S.A.R.)            | Chinese (Traditional)    | 0x7C04
0x1404 | Chinese (Macau S.A.R.)                | Chinese (Traditional)    | 0x7C04
0x0804 | Chinese (People's Republic of China)  | Chinese (Simplified)     | 0x0004
0x0004 | Chinese (Simplified)                  | Chinese (Simplified)     | 0x0004
0x1004 | Chinese (Singapore)                   | Chinese (Simplified)     | 0x0004
0x0404 | Chinese (Taiwan)                      | Chinese (Traditional)    | 0x7C04
0x7C04 | Chinese (Traditional)                 | Chinese (Traditional)    | 0x7C04
0x0009 | English                               | English (United States)  | 0x0409
0x0C09 | English (Australia)                   | English (United States)  | 0x0409
0x2809 | English (Belize)                      | English (United States)  | 0x0409
0x1009 | English (Canada)                      | English (United States)  | 0x0409
0x2409 | English (Caribbean)                   | English (United States)  | 0x0409
0x1809 | English (Ireland)                     | English (United States)  | 0x0409
0x2009 | English (Jamaica)                     | English (United States)  | 0x0409
0x1409 | English (New Zealand)                 | English (United States)  | 0x0409
0x3409 | English (Republic of the Philippines) | English (United States)  | 0x0409
0x1C09 | English (South Africa)                | English (United States)  | 0x0409
0x2C09 | English (Trinidad and Tobago)         | English (United States)  | 0x0409
0x0809 | English (United Kingdom)              | English (United Kingdom) | 0x0809
0x0409 | English (United States)               | English (United States)  | 0x0409
0x3009 | English (Zimbabwe)                    | English (United States)  | 0x0409
0x000C | French                                | French (France)          | 0x040C
0x080C | French (Belgium)                      | French (France)          | 0x040C
0x0C0C | French (Canada)                       | French (France)          | 0x040C
0x040C | French (France)                       | French (France)          | 0x040C
0x140C | French (Luxembourg)                   | French (France)          | 0x040C
0x180C | French (Principality of Monaco)       | French (France)          | 0x040C
0x100C | French (Switzerland)                  | French (France)          | 0x040C
0x0007 | German                                | German (Germany)         | 0x0407
0x0C07 | German (Austria)                      | German (Germany)         | 0x0407
0x0407 | German (Germany)                      | German (Germany)         | 0x0407
0x1407 | German (Liechtenstein)                | German (Germany)         | 0x0407
0x1007 | German (Luxembourg)                   | German (Germany)         | 0x0407
0x0807 | German (Switzerland)                  | German (Germany)         | 0x0407
0x0010 | Italian                               | Italian (Italy)          | 0x0410
0x0410 | Italian (Italy)                       | Italian (Italy)          | 0x0410
0x0810 | Italian (Switzerland)                 | Italian (Italy)          | 0x0410
0x0011 | Japanese                              | Japanese (Japan)         | 0x0411
0x0411 | Japanese (Japan)                      | Japanese (Japan)         | 0x0411
0x0019 | Russian                               | Russian (Russia)         | 0x0419
0x0419 | Russian (Russia)                      | Russian (Russia)         | 0x0419
0x000A | Spanish                               | Spanish (Spain)          | 0x0C0A
0x2C0A | Spanish (Argentina)                   | Spanish (Spain)          | 0x0C0A
0x400A | Spanish (Bolivia)                     | Spanish (Spain)          | 0x0C0A
0x340A | Spanish (Chile)                       | Spanish (Spain)          | 0x0C0A
0x240A | Spanish (Colombia)                    | Spanish (Spain)          | 0x0C0A
0x140A | Spanish (Costa Rica)                  | Spanish (Spain)          | 0x0C0A
0x1C0A | Spanish (Dominican Republic)          | Spanish (Spain)          | 0x0C0A
0x300A | Spanish (Ecuador)                     | Spanish (Spain)          | 0x0C0A
0x440A | Spanish (El Salvador)                 | Spanish (Spain)          | 0x0C0A
0x100A | Spanish (Guatemala)                   | Spanish (Spain)          | 0x0C0A
0x480A | Spanish (Honduras)                    | Spanish (Spain)          | 0x0C0A
0x080A | Spanish (Mexico)                      | Spanish (Spain)          | 0x0C0A
0x4C0A | Spanish (Nicaragua)                   | Spanish (Spain)          | 0x0C0A
0x180A | Spanish (Panama)                      | Spanish (Spain)          | 0x0C0A
0x3C0A | Spanish (Paraguay)                    | Spanish (Spain)          | 0x0C0A
0x280A | Spanish (Peru)                        | Spanish (Spain)          | 0x0C0A
0x500A | Spanish (Puerto Rico)                 | Spanish (Spain)          | 0x0C0A
0x0C0A | Spanish (Spain)                       | Spanish (Spain)          | 0x0C0A
0x380A | Spanish (Uruguay)                     | Spanish (Spain)          | 0x0C0A
0x200A | Spanish (Venezuela)                   | Spanish (Spain)          | 0x0C0A
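As an added illustration (not Check Point code), the following Python reconstructs the rule behind the fallback table: a Windows LCID carries the primary language in its low 10 bits and the region variant in its high 6 bits, and the fallback depends only on the primary language, except that Chinese splits by script and English (United Kingdom) keeps itself. The function and constant names are ours, and the rule set is inferred from the table rows rather than taken from the product.

```python
"""Derive the preboot fallback language from a Windows LCID.

Added example, not Check Point code.  The rules below are reconstructed
from the fallback table in the user guide; the LCID bit layout (primary
language in bits 0-9, sublanguage in bits 10-15) is the standard Windows
encoding.
"""
from typing import Optional, Tuple


def split_lcid(lcid: int) -> Tuple[int, int]:
    """Return (primary language ID, sublanguage ID) for an LCID."""
    return lcid & 0x3FF, lcid >> 10


# Primary-language IDs of the languages that appear in the table.
LANG_CHINESE, LANG_GERMAN, LANG_ENGLISH, LANG_SPANISH = 0x04, 0x07, 0x09, 0x0A
LANG_FRENCH, LANG_ITALIAN, LANG_JAPANESE, LANG_RUSSIAN = 0x0C, 0x10, 0x11, 0x19

# For every primary language except Chinese the table maps all regional
# variants (and the language-neutral ID with sublanguage 0) to one LCID.
DEFAULT_FALLBACK = {
    LANG_ENGLISH: 0x0409,   # English (United States)
    LANG_FRENCH: 0x040C,    # French (France)
    LANG_GERMAN: 0x0407,    # German (Germany)
    LANG_ITALIAN: 0x0410,   # Italian (Italy)
    LANG_JAPANESE: 0x0411,  # Japanese (Japan)
    LANG_RUSSIAN: 0x0419,   # Russian (Russia)
    LANG_SPANISH: 0x0C0A,   # Spanish (Spain)
}

# The single exact-match exception in the table.
EXACT_FALLBACK = {0x0809: 0x0809}  # English (United Kingdom) keeps itself

# Chinese falls back by script.  The sublanguage values are the Windows
# SUBLANG_CHINESE_* constants: Taiwan (1), Hong Kong (3) and Macau (5) use
# Traditional; the PRC (2) and Singapore (4) use Simplified.  0x1F and 0
# are the script-neutral IDs zh-Hant (0x7C04) and zh-Hans (0x0004).
CHINESE_TRADITIONAL_SUBLANGS = {0x01, 0x03, 0x05, 0x1F}
CHINESE_SIMPLIFIED_SUBLANGS = {0x00, 0x02, 0x04}
ZH_HANT, ZH_HANS = 0x7C04, 0x0004


def fallback_lcid(lcid: int) -> Optional[int]:
    """Return the LCID the preboot interface falls back to, or None when
    the table defines no fallback for this primary language (for example
    Czech, which is supported directly and lists no variants)."""
    if lcid in EXACT_FALLBACK:
        return EXACT_FALLBACK[lcid]
    primary, sub = split_lcid(lcid)
    if primary == LANG_CHINESE:
        if sub in CHINESE_TRADITIONAL_SUBLANGS:
            return ZH_HANT
        if sub in CHINESE_SIMPLIFIED_SUBLANGS:
            return ZH_HANS
        return None
    return DEFAULT_FALLBACK.get(primary)


if __name__ == "__main__":
    # Constructed sample LCIDs: Chinese (Hong Kong), French (Canada),
    # English (United Kingdom), Spanish (Puerto Rico) and Czech.
    for sample in (0x0C04, 0x0C0C, 0x0809, 0x500A, 0x0405):
        result = fallback_lcid(sample)
        print("0x%04X -> %s" % (sample, "no fallback" if result is None
                                 else "0x%04X" % result))
```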

Characters Supported in the Preboot Environment

The following characters are supported in the Full Disk Encryption Preboot Environment:


Chapter 8

Media Encryption

Check Point Media Encryption is a unique solution that provides a policy-driven mechanism for securing enterprise information and ensures data integrity. The product includes the following features, which have been defined by your system administrator.

Media Encryption is an integral component of the Check Point Endpoint Security Client. The Endpoint Security Client combines firewall, network access control, program control, anti-malware, data security, and remote access protections in a unified application with a common user interface.

In This Chapter

Features 84

Using the EPM Client 86

Using the Removable Media Manager 90

Using the Device Manager 91

Using the Program Security Guard 91

Maintenance Section 91

Features

To view or edit Media Encryption settings:

1. Right-click the system tray icon and select Settings.

The Check Point Endpoint Security client opens.

2. Click Media Encryption in the panel list.

The Media Encryption Main panel opens. Features that have been disabled by your system administrator appear in gray.

Encryption Policy Manager

The optional Encryption Policy Manager (EPM) allows you to encrypt and control access to data on removable media connected to endpoint computers. The greatest threat when granting access to removable media storage devices is the loss of sensitive or proprietary information. The Encryption Policy Manager ensures that data can be accessed only by authorized persons on authorized systems.

The Encryption Policy Manager provides transparent encryption of removable media storage devices. This feature includes encryption of CD or DVD media when using the Windows built-in software on Media Encryption-protected workstations. Depending on how Media Encryption is set up by your system administrator, you can access data on encrypted devices even when offline. You can also access encrypted devices on computers which do not have Media Encryption installed, as long as the media was encrypted allowing this and you have the password to the device.

Removable Media Manager

The Removable Media Manager controls access to removable media and devices such as floppy disks, PDAs, flash memory, digital cameras, external hard disks (FAT formatted), etc. It controls device access on all available ports including USB and Firewire. CD and DVD drives are protected by using the Device Manager feature, see the section Device Manager (on page 85).


All removable media (except CD/DVDs and NTFS formatted external hard disks) must be authorized before access is permitted. The process of authorizing removable media involves storing a digital signature on the media itself. This signature must be present in order to access removable media from a protected endpoint computer.

Your system administrator has controlled authorization by defining Removable Media Manager rules in a Media Encryption policy installed on your computer. Rules define access rights for each type of removable media including prerequisites such as virus scanning and data authorization.

The digital signature is automatically updated when you move data to and from the device when you are within the protected environment. If changes to the media are permitted outside of the organization, the device must be re-authorized, that is, you have to enter a password and Media Encryption has to re-authorize the device before it can be used within the protected environment again.

Media Encryption ensures that all your devices are virus-free and prevents unauthorized encryption and decryption of data. Depending on the configuration, Media Encryption may prevent you from gaining access to unauthorized hot-swap and plug-and-play devices.

Device Manager

The Media Encryption Device Manager controls your access to devices connected to various ports on your computer. Your system administrator may have set up rules for the following ports: IrDA, COM, USB, Firewire, and LPT. These rules specify whether you have Read Only, Read/Write, and/or Execute permissions to removable media connected to a port on your computer, such as CD/DVD drives, PDAs, Blackberries, Bluetooth devices and external hard disks. The Device Manager may also prevent you from connecting unauthorized devices to your computer ports at all.

Program Security Guard

The Program Security Guard may, depending on the configuration set up by your system administrator, prevent you from creating specific file types on your computer or on network drives. The Program Security Guard may also prevent you from modifying or deleting certain files.

The protected file types are specified by their extension and can be used to prevent the modification of unlicensed or unauthorized software (.exe, .com, .dll, etc.), potentially malicious file types (.vbs, .scr, etc.) or simply unwanted file types (.mpg, .mp3, .mov, .avi, etc.). This protection applies to any external source including e-mail attachments and web downloads.

Cached Passwords

Normally, when your computer is connected to the company network, you can access data on removable media automatically (that is, without having to enter a password). If you try to access the same data when offline from the company network, or on a computer which does not have Media Encryption installed, you may be asked to enter a password.

If the cached passwords feature is enabled by your system administrator, you can let Media Encryption save the password when entering a password for the first time. The next time you access the device, you can choose to use the saved password instead of entering the password again.

When inserting an encrypted device into your computer, the Access Control dialog opens.

To save a password: Select the Enter a Password and Cache Password options, then enter a password matching the password policy set up for your organization and click OK.

To use an already saved password: Select the Use cached Password option and click OK. You can see the text 'Full Access' or 'Read Only Access' in brackets after Use cached Password. This tells you whether the saved password will give you full access or read-only access to the encrypted media.

To change an already saved password: Select the Enter password and Cache Password options, then enter the old password and click OK. A new dialog displays where you can set a new password.

Grayed out options


Some of the options in the Password dialog may be grayed out for the following reasons:

Grayed out | Reason
Both 'Use cached password' and 'Cache password' | The cached passwords feature has not been enabled by your system administrator, or this is the first time the media is accessed and no password has been set before.
'Use cached password' | There is no saved password in the cache: the password might not have been saved before, or the password has just been changed (during a change of password, the old password is erased from the cache and the new one has not yet been saved).
'Cache password' | You need to change your password. The Cache password checkbox is grayed out since there is no need to save the old password.

Using the EPM Client

This section describes the process of encrypting, decrypting and managing removable media.

Media Encryption secures removable media by encrypting some or all of the storage area of the media, and then putting your information in this encrypted area. You can encrypt and manage removable media by using the Encryption Policy Manager (EPM) Client.

To work with the EPM Client, click Open in the EPM Client section on the Media Encryption page.

The EPM Client window opens, showing connected removable media devices in the pane to the left.

Encrypting Media

The policy in your organization may be configured to allow access only to encrypted media. In that case, an encryption process will start as soon as you insert non-encrypted media into your Media Encryption-protected computer. You can also start an encryption process manually.

In both cases you are guided through the encryption process by a wizard. The process creates an encrypted storage area on the device; this process is called import.

You can define, in percentage, how much of the device you want to encrypt. If you, for example, set this to 50%, Media Encryption creates an encrypted container that is half the size of the total disk space. When you import and encrypt files, the files are always placed in this container.

Note - If you define an area that is smaller than the data you want to put there, the encryption will fail.

To encrypt a media:

1. Start the wizard by inserting a removable media device or CD/DVD into your computer, or click Import Media into EPM Control in the EPM Client window if the wizard does not start automatically. Click Next.


Important - It is not advisable to encrypt removable media that may be used in external non-computer devices such as: digital cameras, iPods, MP3 players, etc. In such cases, a message appears and the media is granted read-only access. If the encryption process has started, let it finish and then decrypt the media by clicking Export Media from EPM Control.

2. In the Media Properties window, enter a percentage of the media to encrypt. Click Next.

Note - For CDs or DVDs, it is not possible to encrypt only a part of the disk, so this setting is grayed out.

3. In the Media Owner Information window, define the owner of the media device by selecting one of the following options:

Media owner will be assigned on first use: The first user to insert the media into an endpoint computer will automatically become the owner.

Assign media to a user: Assign ownership to the user performing the encryption (that is, yourself) or click Browse to select a user from the active domain.

Note - When encrypting CDs/DVDs, only the Assign media to a user option is available.

4. Click Next.

5. In the Password Protection window, enter and confirm an access password. Passwords must conform to rules set up by your system administrator. Click Next.

The password enables other users who do not have Media Encryption installed to access information on the device or disk.

6. If you are encrypting a CD/DVD, a window displays where you can add and remove files which will be imported to the encrypted area on the disk.

a) Go up one step in the folder structure.

b) Add files or add an entire folder to be burnt on the disk.

c) Select and delete any file or folder that you do not want to include on the disk. Click Next. The files will be imported, and the disk will be burnt.

d) A message displays when the burning process is finished.

7. The Progress window displays the encryption progress. Depending on the type of media and the quantity of data, this process may take a long time.

Important - Do NOT remove the storage device during the encryption process. This will destroy your data and may damage the media.

8. When the Finish window opens, click Finish to complete the process. The EPM Client window returns.

The encrypted media status now appears as Encrypted, and the Import button is no longer available.

The following information is displayed for the selected device:

EPM Status: The current status of the selected encrypted device.

Media Size: The size of the selected device.

Date Created: The date the selected encrypted drive was created.

Date Accessed: The date the selected encrypted drive was last accessed.

Owner: The user ID of the user who created the encrypted device.

Encryption: This field displays the encryption algorithm used to encrypt the media.

Note - We recommend that you always use the 'Safely remove hardware' feature to disconnect encrypted media from your computer in order to prevent it from becoming corrupted. Click the Safely remove hardware icon in the system tray and select the media you want to disconnect.


Encrypting CDs and DVDs

If permitted by your policy, Media Encryption can encrypt CDs and DVDs with the following limitations:

CDs and DVDs can be encrypted on Windows XP, Windows Vista, and Windows 7.

Note - To encrypt DVDs on XP machines, see the Microsoft Knowledge Base article KB932716 http://www.microsoft.com/downloads/details.aspx?FamilyId=B5F726F1-4ACE-455D-BAD7-ABC4DD2F147B&displaylang=en.

Encryption can be done only on RW and blank R/RW disks.

Nothing can be added to or removed from a once-burnt CD/DVD. Such disks can only be erased completely.

The process of importing and exporting files to CDs/DVDs is similar to that of other removable media described in Encrypting Media (on page 86). Two differences between CDs/DVDs and other removable media are that you cannot encrypt only a part of a CD/DVD, and you cannot add or delete files once the disk has been burnt. If you wish to remove information on a rewritable disk, you need to use the Erase feature to completely erase it.

CD/DVD Burning Software

If your policy allows or requires you to encrypt CDs/DVDs, you can use either the built-in software in Windows or Nero Burning ROM (version 9 or later) to burn the encrypted disks.

If you are using Nero:

In Nero's New Compilation window, select compilation type "CD-ROM (Check Point)" or "DVD-ROM Check Point" and start the burn process. The Media Encryption wizard starts and you can follow the instructions in Encrypting Media (on page 86). See also the Nero Burning ROM manual for more instructions on how to use Nero.

Accessing Encrypted Media

When protecting information, Media Encryption creates an encrypted area on your removable device where all data is placed. To access the data in the protected area, you can choose between decrypting or exporting the information. Normally, your Media Encryption policy permits only the owner or another authorized user to perform the decryption.

Decryption: The Media Encryption client reads the information from the media, but the information remains in the protected area. This is what normally happens when you access the media from your computer while it is connected to the company network. If you are not connected to the network, or try to access the media from a computer that does not have Media Encryption installed, you may have to enter a password.

Export Media from EPM control: Export means that Media Encryption extracts the data from the encrypted area and removes the encrypted space. The media will from then on not be encrypted anymore.

To decrypt removable media:

1. Insert your encrypted media into your computer.

2. If you do not have automatic access to the media, you may need to enter a password. In the Password window, enter the appropriate password or use a saved password. Click OK.

3. The files are now accessible. They are not encrypted so it is possible to move the files from the media to your hard disk by drag and drop or copy and paste.

To export information from removable media:

1. Insert your encrypted media into your computer.

2. Open the EPM Client and click Export Media from EPM control. The EPM Media Export wizard opens.

3. If you do not have automatic access to the media, you may need to enter a password. In the Password window, enter the appropriate password or use a saved password. Click OK.

4. Click Finish to complete the process. The decryption may take some time depending on the size and type of the device. When the decryption process is finished, the encrypted area has been decrypted and removed. The data on the media is now unencrypted and unprotected.


Important - Do NOT, under any circumstances, remove the media device during the decryption process. This will destroy your data and may damage the media.

Accessing Encrypted Media from non-Media Encryption Computers

If your profile allows access to encrypted information from computers that do not have Media Encryption installed, an unlock.exe file is copied automatically to the root folder of the removable media during the encryption process.

Note - You must set a password during the encryption process to be able to access the information from computers that do not have Media Encryption installed.

To decrypt removable media when offline:

1. Insert the encrypted device into a machine not running Media Encryption. The following files are displayed: dvrem.epm, autorun.exe and unlock.exe.

Dvrem.epm is the encrypted storage, autorun.exe runs the unlock file and unlock.exe is the file that decrypts the encrypted storage.

2. To access encrypted data on the device, double-click the unlock.exe file (it will auto-run on most systems). Enter the access password.

3. The Encryption Policy Manager Explorer window opens, which displays the contents of the encrypted device.

4. There are two methods of accessing the data on the encrypted device: extracting files to the local hard disk or to a secure location on the device itself. See the descriptions of these two methods below.

If you used a Full access password, it is now possible to drag-and-drop or copy-and-paste files to and from the encrypted device. If you used a Read Only password, you can only read the information on the device but not move files to or from the device.

Extracting Files to Local Hard Disk

You can extract files and folders from the encrypted area and save them on a local hard disk or network drive.

To extract files to your hard disk or network drive:

1. Select the files or folders that you want to decrypt and save to a local hard disk by using the Ctrl and Shift keys, then right-click and select Extract.

2. Select the location where you want the files to be saved.

The files are now decrypted and saved in clear text at the location you chose.

3. When you close the EPM Explorer, you are asked if you wish to securely delete all of the extracted files. By clicking Yes, all of the newly extracted files will be securely deleted, thus leaving no traces of sensitive information.

Extracting Files to Temporary Secure Location

To extract files to a temporary secure location:

Double-click the file within the drive explorer.

The EPM Explorer transparently decrypts the file to a temporary location and then automatically opens the file with the associated application.

To view a file in secure mode:

Double-click the required file.

If you make any changes to the decrypted file, a prompt is displayed asking you whether the encrypted file within the device should be updated. Click Yes if you want to save the file.


Erasing CDs or DVDs

After an encrypted CD or DVD is burnt, there is no way to remove any single file on the disk. The only option is to erase all information on the disk.

To erase a disk, click Erase in the EPM.

Changing the Encrypted Device Password

To change the removable media access password for an encrypted device:

1. Select the required device in the EPM Client window left pane.

2. Click Set. The Password window opens.

3. Enter the old password and click OK.

If you enter a Full Access password, you are allowed to change both a Full access password and a Read Only password. If you enter a Read Only password, you are only allowed to change the Read Only password.

Note - The Full Access and Read Only passwords cannot be identical.

4. Enter and confirm the new password.

Note - The password must meet the administrator-defined criteria that can be accessed by clicking Policy Note.

5. Click OK.

Using the Removable Media Manager

You can control access to removable media and devices such as: floppy disks, external disk drives (FAT formatted), PDAs, flash memory, digital cameras, etc.

When the Removable Media Manager is enabled, all removable media (except CDs and DVDs) must be authorized before you can access them.

Authorizing Removable Media

If you are permitted to authorize removable media, an alert appears.

To authorize the removable media device from this window:

1. Click Authorize.

The Media Import Wizard opens, which will guide you through the authorization steps.

2. Alternatively, click Ignore to close this alert; the removable media then cannot be accessed.

If permitted, you can also authorize removable media by clicking Scan from the Removable Media Manager section on the Media Encryption panel. This opens the Media Import Wizard.

To authorize removable media with the Media Import wizard:

1. In the Welcome window, click Next to continue.

In the Virus Scanners window, either all discovered virus scanners on your computer are selected or you may be allowed to select virus scanners yourself. The virus scanners ensure that the removable media is virus-free and contains only authorized file types.

2. If the policy permits you to select virus scanners, select the scanners you wish to run.

If the policy permits you to skip scanning, that is, to authorize removable media without scanning it first, you can select the Skip Scan option. This is not recommended.

3. Click Next.

If a virus scan was performed, a window displays saying if the removable media successfully passed the scan or not. If the scan failed, access to the removable media is blocked.

4. When the Finish window appears, click Finish.


Using the Device Manager

The Media Encryption Device Manager controls access to devices connected to various ports on your computer. A Media Encryption policy specifies which devices you can access and what type of access is permitted (Read only, Read/Write and Execute).

The Device Manager user options are located in the Device Manager section of the Media Encryption page.

To view the policy rules for various devices, click View.

When Device Manager rules block access to a device or port, an alert appears.

Using the Program Security Guard

The Program Security Guard may prevent you from modifying specific file types in any way on your computer or on a network drive. See the section Program Security Guard for more information on the Program Security Guard.

If the Program Security Guard blocks access to a file, a message appears.

Maintenance Section

The Maintenance section of the Media Encryption page allows you to manually update the Media Encryption policy and to test connectivity with the Media Encryption server.

To update the Media Encryption policy, click Update.

To test network connectivity with the Media Encryption server, click Test. This feature is useful for diagnosing client/server connection problems.


Chapter 9

File Encryption

File Encryption encrypts information stored on your workstation, removable media, Firewire/USB-connected external hard drives, CDs, DVDs and floppy disks. Once encrypted, the information can be accessed only by people who know the correct password.

File Encryption also enables you to create encrypted information packages for easy and secure storage and transfer, for example via e-mail.

File Encryption is tightly integrated with Windows, so using File Encryption is simple. You access File Encryption by right-clicking on a file folder or volume and selecting the Encrypt with Check Point File Encryption option.

In This Chapter

Before You Start 92

Working with File Encryption 93

Accessing File Encryption for the First Time 93

Authenticating to and Logging Off from File Encryption 95

Information and Help on File Encryption 96

Using File Encryption 96

Protecting Information Locally 99

Working with Encrypted Packages 101

Protecting Information on Removable Media 106

Managing Passwords and Keys 111

Securely Deleting Information 113

Forgot your Password? 114

Before You Start

This section explains how to use File Encryption to protect information stored on your workstation, removable media, Firewire/USB-connected external hard drives, floppy disks and CDs/DVDs.

In this section, we discuss all the options File Encryption provides for protecting information. However, your File Encryption administrator might not make all options available to you. If you cannot do something documented in this section, ask your administrator for more information.

Note - Depending on how it is configured, File Encryption can integrate seamlessly with Pointsec for PC/Full Disk Encryption if both are installed on your workstation.

File Encryption can be configured not to prompt you to authenticate yourself if you have already authenticated yourself to Pointsec for PC/Full Disk Encryption.

This section assumes that neither Pointsec for PC nor Full Disk Encryption are installed on your workstation so that we can explain File Encryption authentication.


About Passwords and Keys

In File Encryption, you will set passwords and keys to access encryption options and protect information.

The following are guidelines to help you set secure passwords and keys:

always set passwords that are at least 8 characters long

include both numbers, letters and punctuation characters in passwords

use both upper and lower case letters in passwords

do not use more than two consecutive identical characters.

For more information see Managing Passwords and Keys (on page 111).

Working with File Encryption

Working with File Encryption entails:

What to do after your administrator has installed File Encryption on your workstation. See Accessing File Encryption for the First Time (on page 93).

Authenticating yourself. See Being Authenticated by File Encryption ("Authenticating to and Logging Off from File Encryption" on page 95).

Accessing encryption options. See Using File Encryption (on page 96).

Protecting information stored on your workstation. See Protecting Information Locally (on page 99).

Protecting and packaging information for storage or transferal. See Working with Encrypted Packages (on page 101).

Protecting information stored on removable media: Firewire/USB-connected external hard drives, CDs/DVDs and floppy disks. See Protecting Information on Removable Media (on page 106).

Setting, changing and deleting passwords and keys used to protect information. See Managing Passwords and Keys (on page 111).

Securely deleting files. See Securely Deleting Information (on page 113).

Knowing what to do if you cannot remember a password. See Forgot your Password? (on page 114).

Accessing File Encryption for the First Time

After your system administrator installs File Encryption, you must restart your workstation and log on to Windows. Depending on your organization’s security policy, the following will happen:

File Encryption will prompt you to log on to File Encryption before Windows can start. You will have to set a valid File Encryption password before you can access the computer.

File Encryption will prompt you to log on to File Encryption after Windows has started, but you can cancel the dialog. Instead, you will have to set a valid File Encryption password when you first access the File Encryption feature via Windows file explorer.

Windows will start normally, and you will not be prompted to log on to File Encryption. You will have to set a valid File Encryption password when you first access the File Encryption feature via Windows file explorer.

Also depending on your organization's security policy, File Encryption will do one of the following:

Prompt you to select your certificate and then set a password. See Using a Certificate and Setting a Password (on page 94).

Prompt you to set a password. See Setting a Password (on page 94).


Using a Certificate and Setting a Password

If you use a certificate to authenticate yourself on your network or workstation, your system administrator can configure File Encryption to work with your certificate. This simplifies the logon process by allowing you to use your certificate to authenticate yourself to File Encryption.

Note - Do not use certificate authentication if File Encryption is running on Windows 2000 when you want to access protected information on a workstation running Windows XP.

To use a certificate and set a password:

1. After your system administrator has installed File Encryption, restart your workstation and log on to Windows.

2. If you are not prompted to point out a certificate and set a password during or after Windows start-up, do the following:

Open Windows file explorer and right-click a file or folder.

In the menu that opens, select Encrypt with Check Point File Encryption > Log on to File Encryption.

File Encryption prompts you to select your certificate.

3. Select your certificate and click OK.

Note - If your certificate is not displayed, contact your File Encryption administrator for help.

4. You are prompted to set a password.

Table 9-23 Set Password Fields

Password: Enter a password. File Encryption will associate this password with your certificate and you will need to authenticate yourself with your certificate only when logging on in future.

Note - Your organization will require that your password is a certain length and contains certain characters, numbers and upper- or lowercase characters. Ask your administrator for more information.

Password guidelines:

Always set a password that is at least 8 characters long

Include both numbers, letters and punctuation characters

Use both upper and lower case letters

Do not use more than two consecutive identical characters

Confirm password: Enter the password again.

5. Click OK to save the password and gain access to File Encryption options.

Setting a Password

If you do not use a certificate to authenticate yourself when logging on, you must set a File Encryption password and re-enter it every time you log on.

To set a password:

1. After your system administrator has installed File Encryption, restart your workstation and log on to Windows.

2. If you are not prompted to set a password during or after Windows start-up, do the following:

Open Windows file explorer and right-click a file or folder.

In the menu that opens, select Encrypt with Check Point File Encryption > Log on to File Encryption.


File Encryption prompts you to set a password.

3. Enter the following information:

Table 9-24 Set Password fields

Password: Enter a password. You will need to enter this password every time you log on to Windows in order to be able to access encrypted information and File Encryption encryption options.

Note - Your organization will require that your password is a certain length and contains certain characters, numbers and upper- or lowercase characters. Ask your administrator for more information.

Password guidelines:

Always set a password that is at least 8 characters long

Include both numbers, letters and punctuation characters

Use both upper and lower case letters

Do not use more than two consecutive identical characters

Confirm password: Enter the password again.

4. Click OK to save the password and gain access to File Encryption options.

From now on, whenever you or anyone else logs on to Windows, File Encryption will prompt you for this password. If you have forgotten it or do not know it, you will have to complete a successful Remote Help procedure with the help of your Remote Help administrator in order to access encrypted information stored locally on the workstation or use File Encryption.
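The password guidelines repeated in Tables 9-23 and 9-24 (and under About Passwords and Keys), together with the 4 to 80 character bounds for encrypted-package passwords from Table 9-30, written out as a checker. This is an added example, not Check Point's own validator; the product enforces whatever criteria your administrator defines, and the example assumes "punctuation" means the ASCII punctuation set.

```python
import string
from typing import List

# General guidelines from the user guide (About Passwords and Keys, Tables 9-23/9-24).
MIN_LENGTH = 8
MAX_IDENTICAL_RUN = 2            # "no more than two consecutive identical characters"

# Bounds for a Create Encrypted Package password (Table 9-30).
PACKAGE_MIN_LENGTH = 4
PACKAGE_MAX_LENGTH = 80


def longest_identical_run(password: str) -> int:
    """Length of the longest run of one character repeated back to back.
    The comparison is case-sensitive, so "Aa" does not count as a repeat."""
    longest = run = 0
    previous = None
    for ch in password:
        run = run + 1 if ch == previous else 1
        longest = max(longest, run)
        previous = ch
    return longest


def check_password_guidelines(password: str) -> List[str]:
    """Return the guidelines the password fails; an empty list means it passes.

    Assumption (not stated in the guide): a punctuation character is any
    character in string.punctuation.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if longest_identical_run(password) > MAX_IDENTICAL_RUN:
        problems.append("more than two consecutive identical characters")
    return problems


def check_package_password(password: str) -> List[str]:
    """Check a Create Encrypted Package password: the length bounds from
    Table 9-30 on top of the general guidelines."""
    problems = []
    if len(password) < PACKAGE_MIN_LENGTH:
        problems.append("shorter than 4 characters")
    if len(password) > PACKAGE_MAX_LENGTH:
        problems.append("longer than 80 characters")
    return problems + check_password_guidelines(password)


if __name__ == "__main__":
    # Constructed sample candidates for illustration, not real credentials.
    for candidate in ("Pr0tect-Me!", "password", "Aaaa1!bc"):
        print(repr(candidate), "->", check_password_guidelines(candidate) or "OK")
```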

Authenticating to and Logging Off from File Encryption

How you authenticate yourself to File Encryption depends on how you authenticate yourself on your network or workstation: using a certificate or a password.

Depending on the settings determined by the File Encryption administrator, you will either

Be logged on to File Encryption automatically when you log on to Windows

Be prompted to log on to File Encryption during or immediately after Windows start-up

Have to authenticate yourself to File Encryption when you try to access the File Encryption features via Windows file explorer.

Once you have authenticated yourself, you can log off from File Encryption whenever you want, without having to log off from Windows.

Authenticating with a Certificate

Before you can use File Encryption to protect information and access encrypted information, you must authenticate yourself.

Your File Encryption administrator may have configured File Encryption to prompt you for your File Encryption credentials when you log on to Windows. Otherwise, you need to log on to File Encryption as described in this section when you want to use the File Encryption features.

To authenticate yourself with your certificate:

1. In Windows file explorer, right-click a file or folder. File Encryption prompts you to select your certificate.

2. Select your certificate and click OK. Once you have been authenticated, you have access to encrypted information and encryption options which enable you to protect information.


Note - If you click Cancel, you will not be able to access encryption/decryption functionality or encrypted information.

Authenticating with a Password

Before you can use File Encryption to protect information and access encrypted information, you must authenticate yourself.

Your File Encryption administrator may have configured File Encryption to prompt you for your File Encryption credentials when you log on to Windows. Otherwise, you need to log on to File Encryption as described in this section when you want to use the File Encryption features.

To authenticate yourself with your password:

1. In Windows file explorer, right-click a file or folder.

2. Select Encrypt with Check Point File Encryption > Log on to File Encryption.

A dialog box opens.

3. In the Password field, enter your File Encryption password. Click OK to continue.

Once you have been authenticated, you have access to encrypted information and encryption options which enable you to protect information.

Note - If you click Cancel, you will not be able to access encryption/decryption functionality or encrypted information.

Logging Off from File Encryption

Sometimes you want to log off from File Encryption once you have authenticated yourself, even if you want to stay logged on to Windows. This might be necessary, for example, if someone else will have access to your computer for a while.

To log off from File Encryption:

1. Right-click a file or folder.

2. Select Encrypt with Check Point File Encryption > Log off File Encryption.

Information and Help on File Encryption

To access information and online help on File Encryption:

1. From the Start menu, choose Programs > Check Point File Encryption.

2. Choose one of the following:

Table 9-25 File Encryption menu items

About: Information about File Encryption, including version numbers.

Help: This manual in online form.

Using File Encryption

The following sections explain File Encryption options available to protect and manage information.


File Encryption Options

Accessing Options

You access File Encryption options by opening the Encrypt with Check Point File Encryption menu which is available when you right-click on a file, folder or volume.

To access encryption options:

1. Log on to Windows and authenticate yourself to File Encryption. See Being Authenticated by File Encryption ("Authenticating to and Logging Off from File Encryption" on page 95) for more information.

2. Right-click on a file, folder or volume and select Encrypt with Check Point File Encryption.

The Encrypt with Check Point File Encryption menu opens.

Note - The options available depend on what you right-click on and how File Encryption is configured on your workstation.

Overview of Options

File Encryption offers the following options:


Table 9-26 File Encryption options

Encrypt folder
Available for: Folders and volumes
Adds or removes folders and volumes to or from the protected list. See Protecting Information Locally (on page 99) for more information.

Note - Depending on how your administrator has configured File Encryption, you may not be able to add certain folders or volumes and their contents to the protected list. Your administrator may have decided to stop you from encrypting certain information.

Create Encrypted Package
Available for: Files and folders
Packs the selected item(s) into an encrypted package. For more information, see Chapter 3, "Working with Encrypted Packages" ("Working with Encrypted Packages" on page 101).

Create Encrypted ISO Image
Available for: Files and folders
Packs the selected item(s) into an encrypted ISO 9660 + Joliet image. The resulting file can be burnt onto a CD/DVD-R(W) disk. File Encryption will treat such a disk in the same way as an encrypted floppy or a USB memory stick, and authenticated users will be able to access the files transparently. For more information, see Protecting Information on Removable Media (on page 106).

Encrypt with PKCS7
Available for: Files
Packs and encrypts the selected file(s) with approved and selected certificate(s). See Working with Encrypted Packages (on page 101) for more information.

Note - This option is only available if you use a certificate to authenticate yourself to File Encryption.

Decrypt with PKCS7
Available for: Files
Unpacks and decrypts files protected by PKCS7. See Working with Encrypted Packages (on page 101) for more information.

Secure Delete
Available for: Files and folders
Securely deletes the selected item(s). For more information, see Securely Deleting Information (on page 113).

Change Password
Available for: Removable media, Firewire/USB-connected external hard drives, and floppy disks
Opens the Change Password dialog box. Here you can change the password used for the disk/card/floppy disk, and access Remote Help options. For more information, see Managing Passwords and Keys (on page 111) and Forgot your Password? (on page 114).

Encryption Settings
Available for: Removable media, Firewire/USB-connected external hard drives, floppy disks and CDs/DVDs
View and edit keys for a disk/card/floppy disk/CD/DVD. Delete keys from a disk/card/floppy disk. For more information, see Managing Passwords and Keys (on page 111).

Change File Encryption Password

Log off File Encryption
Available for: Files and folders
Select this option to log off from File Encryption. You will no longer have access to encrypted information, and you will not be able to encrypt information until you have logged on to File Encryption again.

Protected Information in Windows Explorer

File Encryption displays the current protection status of information in Windows Explorer. For example:

Table 9-27 Protection status indication

Protected folder icon: The folder is on the protected list, or is a sub-folder of a folder on the protected list.

Protected files icon: The files are located on a protected disk/card/floppy disk/CD/DVD or in a folder which is on the protected list.

Checking Encryption Status

When File Encryption is active, files, folders and volumes have an additional Encryption properties page that displays whether information is encrypted.

To check encryption status:

1. Right-click on the file, folder or volume and select Properties.

2. Select the Encryption tab.

Here you can see whether the information is encrypted, and if so, with which type of algorithm.

3. Click OK to close the Properties page.

Protecting Information Locally

The following sections explain how to protect information stored locally on your workstation.

Encrypting Information

You protect, i.e., encrypt, information stored locally on your workstation by adding the folders and volumes that contain the information to the File Encryption protected list.


Note - About the protected list:

If a folder or volume contains information that your organization has decided must not be encrypted, you will not be able to add it to the protected list.

Never put folders or volumes on the protected list if they contain files or settings used by your workstation during startup. If you do, your workstation will not start correctly.

To protect information on your workstation:

1. In Windows Explorer, right-click on the folder or volume that holds the information you want to protect and select Encrypt with Check Point File Encryption.

The Encrypt with ... menu opens.

2. Select Encrypt folder. File Encryption adds the folder or volume to the protected list and encrypts the information stored there.

Note - If the information is stored in a folder that is shared on your network, use the Create Encrypted Package or Encrypt with PKCS7 options instead. See Working with Encrypted Packages (on page 101) for more information.

If you do not, anyone who has access to the shared folder will have access to the information when you are logged on and authenticated by File Encryption.

While encryption is proceeding, File Encryption shows a progress bar to display which operations are currently underway.

Note - When encrypting or decrypting large amounts of information, the progress bar may display the text "wiping file". You can safely ignore this information. The file being wiped is a temporary file, not the information you are encrypting or decrypting.

You cannot view the protected list directly, but you can always check the status of files, folders and volumes. For details see Using File Encryption (on page 96).

Accessing Protected Information Stored Locally

Once you have been authenticated by File Encryption, using a certificate or password, you have immediate access to protected information stored on your workstation.

Anyone who uses a certificate accepted by File Encryption on your workstation has immediate access to protected information stored on your workstation.

Anyone who can supply your password when prompted by File Encryption has immediate access to protected information stored on your workstation.

Note - As long as you are logged on and authenticated by File Encryption, anyone who can gain access to your workstation or to a shared folder on your workstation, can also gain access to File Encryption-protected information.

To ensure that only authorized users can access the information:

Lock your workstation whenever you leave it unattended

Never save protected information in folders that are shared on your network; use encrypted packages or PKCS7 packages instead. For more information see Working with Encrypted Packages (on page 101).

Decrypting Information

You can decrypt information stored on your workstation in folders and volumes by removing the folders and volumes from the protected list. Once they are removed from the protected list, File Encryption decrypts the information stored there.


To decrypt information:

1. In Windows Explorer, right-click on the folder or volume you no longer want to protect and, from the Encryption menu, select Decrypt folder.

File Encryption removes the folder or volume from the protected list and decrypts the information.

While decryption is proceeding, File Encryption shows a progress bar to display which operations are currently underway.

Note - When encrypting or decrypting large amounts of information, the progress bar may display the text "wiping file". You can safely ignore this information. The file being wiped is a temporary file, not the information you are encrypting or decrypting.

Securely Deleting Information Stored Locally

See Using Secure Delete With File Encryption Installed (on page 114).

Working with Encrypted Packages

The following sections explain how to use File Encryption to pack files into password- or certificate-protected, encrypted packages.

Encrypted packages can be used to transfer and store information securely, for example by attaching the encrypted package to an e-mail message or distributing it on CD, DVD, disks or network drives.

About Encrypted Packages

Depending on the encryption option you select, an encrypted package can contain one or more files, folders and sub-folders.

Table 9-28 Encryption options

Encrypted Packages: Packs and encrypts a file, folder or volume. This option is suitable if you and the recipient(s) have agreed on a shared password to open the package. For more information, see Creating an Encrypted Package (on page 101).

Encrypt/decrypt with PKCS7: Packs/unpacks and encrypts/decrypts file(s) with authentication certificates. This option is suitable if you and the recipient(s) use certificates to authenticate yourselves. For more information, see PKCS7 Encryption (on page 105).

Note - This option is only available if your administrator has enabled it and you use a certificate to authenticate yourself.

Creating an Encrypted Package

File Encryption can package and encrypt files, folders and volumes for secure transferal, for example via e-mail, or for storage.

Note - Do not use both EFS (Windows encryption) and File Encryption to encrypt the same file(s).


Maximum File Size for Encrypted Packages

The following table lists the maximum file sizes for encrypted packages on various file systems.

Table 9-29 Maximum Encrypted Package Size

File System   With SFX (exe)   Without SFX (pcp)
FAT           2GB              2GB (volume size limit)
FAT32         2GB              4GB minus 2 bytes
NTFS          2GB              Volume size limit

The maximum file size to include in encrypted packages is 2GB, independent of the file system used.

If the files you wish to encrypt exceed the maximum file size for the file system you are using, compress the files to less than the maximum file size.

To create an encrypted package:

1. In Windows Explorer, right-click on the files or folders to be included in the encrypted package and select Encrypt with Check Point File Encryption.

File Encryption options are displayed.

2. Select Create Encrypted Package.

The Create Encrypted Package dialog box opens.

3. Enter the following information:


Table 9-30 Create Password options

Option Description

Password Enter a password.

Minimum length = 4 alphanumeric characters

Maximum length = 80 alphanumeric characters

Note - Your organization will require that your password is a certain length and contains certain characters, numbers and upper- or lowercase characters. Ask your administrator for more information.

Password guidelines:

Always set a password that is at least 8 characters long

Include numbers, letters and punctuation characters

Use both upper- and lower-case letters

Do not use more than two consecutive identical characters

Note - This password is used only to protect this encrypted package.

If you intend to send the package via e-mail, the recipient has to know the password to open the package. You can both agree on a password before the e-mail is sent, for example on the phone, or you can use a password you already share. Never send the package’s password by e-mail.

Confirm password Re-enter the password to confirm it.

Use default message

Select this option to use your organization’s default message as defined by your organization’s policy. To view the message, click View.

Customized message

If your organization’s security policy allows it, you can define a message that is shown before the encrypted package is opened. This message can tell the recipient what to do or what to expect.

To write a custom message:

1. Click Edit.

The Package Message dialog box opens.

2. Enter your message. To copy the message from a text file, click the From File button and browse for the text file.

Note - This message is package-specific and will not be saved anywhere else other than in this package.

Tip - To use the same message for several encrypted packages, save the message in a text file and use the From File option in the Package Message dialog box to load the message for each package.


Specify auto-open file

If your organization’s security policy allows you to, you can specify that one of the files in the encrypted package be opened automatically when the encrypted package is decrypted.

To specify a file:

1. Click Browse to select the file to open when the encrypted package is opened. The Auto-open dialog box opens.

2. Select which file should be opened automatically. In the Program Arguments field, enter any command switches/arguments to use when the file is opened.

3. Click OK to return to the Create Encrypted Package dialog box. After you have configured the options there, click OK.

Create package without extractor

Select this option to create a package (.pcp) that can be opened only on a workstation running File Encryption.

By default this option is cleared, so the package is created as a self-extracting executable (.exe) that every recipient can open, including recipients without File Encryption. Bear in mind that a self-extracting package is an executable: many e-mail gateways strip or block .exe attachments, and sending one asks the recipient to run a program received by e-mail. If the recipient has File Encryption installed, the .pcp form avoids both problems.

Note - Not all options may be available. Ask your File Encryption administrator if there are options you want to use that are not available.

4. Click OK.

The Save As dialog box opens.

5. Enter a name for the encrypted package and browse to the location on the hard disk where you want to save the package.

Note - The file extension depends on the type of package being created:

.exe is used by self-extracting encrypted packages.

.pcp is used by encrypted package without extractor.

6. Click Save.

File Encryption confirms that the package has been saved with the name you entered.

7. Click OK to close the confirmation message.

Note - The original files and folders are not deleted when you create an encrypted package. If you need to delete them, select and right-click on the files, select Encrypt with Check Point File Encryption and choose Secure Delete. For more information, see Securely Deleting Information (on page 113).

You can now distribute or store the package as required.

Opening Encrypted Packages You can open a self-extracting encryption package (*.exe) on any Windows workstation. A package without an extractor (*.pcp) can only be opened on a workstation with File Encryption installed.

To open an encrypted package:

1. Double-click on the encrypted package. A window opens, displaying any opening messages.

2. Read the message, if any, and enter the following information:


Table 9-31 Open Encrypted Package options

Field/option Description

Password Enter the password for the package.

Web Remote Help This option enables you to receive Remote Help from your Check Point administrator or helpdesk if you are a legitimate user and have forgotten the password. See Forgot your Password? (on page 114) for more information.

Note - This option might not be available, it depends on how File Encryption is configured on your workstation.

Overwrite existing files Select this option to overwrite any files with the same name in the location where you want to put the decrypted information.

Create directory tree Select this option to create a directory tree that mirrors the tree the files were originally stored in.

Save long names in 8.3 format

Select this option to store the MS-DOS compatible form of any long file names.

PKCS7 Encryption Using File Encryption, you can encrypt information and control access to it using a list of approved authentication certificates. Users whose certificates are listed get immediate access to the information.

Encrypting a Package with PKCS7

Note - This option is only available if your administrator has enabled it on your workstation and you use a certificate to authenticate yourself.

To encrypt the file:

1. In Windows Explorer, right-click on the folder or file(s) containing the information you want to protect and select Encrypt PKCS7.

Note - This type of encryption creates a separate package for each file encrypted.

If you select three files, File Encryption will create three packages.

If you select a folder, File Encryption will create a package for each file contained in the folder.

2. In the window that opens, enter the following information:

Table 9-32 Package Encryption information

Field/option/ button

Description

Search base From the drop-down list, select the directory that contains the user certificates you want to use for authentication when decrypting the package(s).

Search Click to search for certificates and display them in the area below.

3. From the list displayed, select the certificates of the users you want to give access to the packages.

Note - Your administrator may have already configured File Encryption to automatically add certain certificates to the package. Ask your administrator for more information.


4. Click OK.

The Save As dialog box opens.

5. Browse to where you want to save the file(s) and click Save. File Encryption saves the package(s).

Decrypting a File with PKCS7

Note - Only users with File Encryption installed on their workstations and whose certificates are included in the package(s) can open files protected by PKCS7.

To decrypt a file with PKCS7:

1. In Windows Explorer, right-click on the file(s) and select Decrypt from PKCS7. File Encryption decrypts the file and opens the Save As dialog box.

2. Browse to where you want to save the file(s) and click Save.

Note - File Encryption decrypts on a file by file basis and prompts you for location for each file.

Securely Deleting Packages See Using Secure Delete With File Encryption Installed (on page 114).

Protecting Information on Removable Media

The following sections explain how to protect information stored on removable media such as USB memory sticks, Firewire/USB-connected external hard drives, memory cards, floppy disks, CDs and DVDs.

Protected information can be securely shared with those who know the correct password or use an approved authentication certificate.

Protecting Information on Removable Media How you protect information on removable media depends on the media you are using.

Table 9-33 Protected removable media

Media: USB memory sticks; Firewire/USB-connected external hard drives; memory cards; floppy disks; CDs and DVDs in Live File System mode

Protection method: Copy or save the information directly on the media. File Encryption prompts you to set a password to protect the information. For more information, see USB Sticks, Firewire/USB Hard Drives, Floppy/CD/DVD Disks (on page 107).

Media: CDs on Windows XP and CD/DVDs in Mastered mode on Windows Vista

Protection method: Create an encrypted package containing the information and burn it on the disc (see Working with Encrypted Packages, on page 101), or create an encrypted ISO image containing the information and burn it on the disc (see Creating an ISO Image, on page 108).

Note - Your organization’s security policy may not allow you to use all of these media. Ask your administrator for more information.

USB Sticks, Firewire/USB Hard Drives, Floppy/CD/DVD Disks

With File Encryption installed on your workstation, you only have to enter a password when prompted; File Encryption then encrypts the information you save on USB memory sticks, memory cards, Firewire/USB-connected external hard drives, floppy disks, or CD/DVD disks used in Live File System mode in Windows Vista.

Encrypting Media/Floppy Disks

You can encrypt information on a stick, drive or floppy disk so that only you (and others you decide should see the information, if applicable) can access it.

To encrypt information:

1. Attach the stick, drive or floppy disk to your workstation.

2. Save or copy the information to it.

File Encryption prompts you to enter a password.

3. Do one of the following:

a) To encrypt the media, enter your account name and password, confirm the password, and click OK.

b) To encrypt the media and set further options, click Options. In the window that opens, enter your account name and password, confirm the password, and select the Stand-alone access box if you want to allow stand-alone access (see Without File Encryption Installed, on page 110). Click OK.

c) If you do not want to encrypt the media, clear the Encrypt this media checkbox.

Any information you save on this media or floppy disk is now encrypted. For information on how to access the encrypted information, see Accessing Protected Information (on page 109).

Sharing Media/Floppy Disks

The number of workstations with File Encryption installed that can receive SSO for the same removable media, Firewire/USB-connected external hard drive or floppy disk is set by your administrator.

If your administrator has enabled the "user select" option, you will also be able to adjust this setting. See the following procedure for details.

To initialize media for use by multiple workstations:

1. Encrypt information on media, see Encrypting Media/Floppy Disks (on page 107).

If the corporate password for the media is applied to your profile, all users with the same profile can use this media.

2. Right-click on the media in a file explorer, and select Encryption and then Encryption settings.

The settings window for shared passwords opens.

3. If desired, enter information on the Workstation Keys, Public Keys and Options tabs to control access to the media.

4. Select Add.

The New shared password window opens.


5. Enter account and password information for the user you wish to allow access to the media.

6. If you wish to limit the number of times this user will be allowed to access the media, select Limit usage and enter the maximum number of times they are to be allowed access.

Note - The SSO and limit usage features are only applicable to writable media; they cannot be used for CD/DVD or write-protected media.

7. If you wish to enable SSO for this user, select Host using password gets SSO.

Note - If you specify that SSO is to be used for a user, File Encryption saves the workstation key when that user logs on to that media. The next time the media is inserted into that computer, File Encryption applies the saved workstation key and does not ask for the user's password.

8. Select Add to finalize.

Restoring Key Files of Media/Floppy Disks

Each time a removable media/floppy disk is modified by adding or removing shared users, workstation keys or certificate entries, or by logging on with a password to writable media, its key files are saved in the following folder:

Documents and Settings\All Users\Application Data\Pointsec\Pointsec Media Encryption\Auth\RM_Backup

File Encryption names the key backup files according to the following format:

{Volume_name}_{Creation_time}_{Volume_serial_number}_{GUID_of_key_file}.prk

where:

Volume_name Volume name of media/floppy disk, assigned during formatting

Creation_time Time at which the key file was created

Volume_serial_number Serial number of the media/floppy disk

GUID_of_key_file Key file’s GUID, generated when media/floppy disk was initialized

For example:

{MyUSBCard}_{2007-02-16_10h43m17s}_{AC396524}_{4ceb7d5c-5c1d-467d-a645-2544505ff080}.prk

If you have removed the key file from the media/floppy disk, you can restore it from the backup file.

To restore the key file on a media/floppy disk:

Note - You must use an unprotected computer to restore the key file.

1. Save the key backup file on the media/floppy disk with the name pointsec media encryption.prk.

The key file is restored.
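The backup file name format above carries enough information to find the right key file for a given piece of media. The following is an added example (not part of the Check Point documentation or product) that parses the documented name format and picks the newest backup for a media's volume serial number, which is what you need before copying it back as pointsec media encryption.prk. The directory listing is constructed for the example; only the first entry is the document's own sample name.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Documented name format:
# {Volume_name}_{Creation_time}_{Volume_serial_number}_{GUID_of_key_file}.prk
PRK_NAME = re.compile(
    r"^\{(?P<volume_name>[^{}]*)\}_"
    r"\{(?P<creation_time>\d{4}-\d{2}-\d{2}_\d{2}h\d{2}m\d{2}s)\}_"
    r"\{(?P<volume_serial>[0-9A-Fa-f]{8})\}_"
    r"\{(?P<key_guid>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}\.prk$",
    re.IGNORECASE,
)

# Name the key file must have once it is copied back onto the media (from the procedure above).
RESTORE_NAME = "pointsec media encryption.prk"

# Constructed listing of an RM_Backup folder; the first entry is the document's example.
SAMPLE_BACKUP_DIR = [
    "{MyUSBCard}_{2007-02-16_10h43m17s}_{AC396524}_{4ceb7d5c-5c1d-467d-a645-2544505ff080}.prk",
    "{MyUSBCard}_{2007-03-01_09h12m00s}_{AC396524}_{4ceb7d5c-5c1d-467d-a645-2544505ff080}.prk",
    "{TeamDrive}_{2007-02-20_15h30m05s}_{1F2E3D4C}_{9d7a1b2c-3e4f-4a5b-8c6d-0e1f2a3b4c5d}.prk",
    "notes.txt",
]


def parse_prk_name(filename: str) -> Optional[Dict[str, object]]:
    """Split a backup key file name into its four documented fields, or None if it does not match."""
    m = PRK_NAME.match(filename)
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    # The timestamp uses the format seen in the example: 2007-02-16_10h43m17s
    fields["created"] = datetime.strptime(str(fields["creation_time"]), "%Y-%m-%d_%Hh%Mm%Ss")
    return fields


def latest_backup_for(serial: str, filenames: List[str]) -> Optional[str]:
    """Return the newest backup file name for the media with the given volume serial number."""
    candidates = []
    for name in filenames:
        info = parse_prk_name(name)
        if info and str(info["volume_serial"]).upper() == serial.upper():
            candidates.append((info["created"], name))
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    newest = latest_backup_for("AC396524", SAMPLE_BACKUP_DIR)
    print("copy", newest, "to the media as", RESTORE_NAME)
```

The volume serial number, not the volume name, is the field to match on: labels can be changed with a reformat or by the user, while the serial is what the media actually carries.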

CD/DVDs To protect information you want to store on a CD or DVD, you can create an encrypted ISO image or an encrypted package and burn it on the CD/DVD.

For information on creating encrypted packages, see Working with Encrypted Packages (on page 101).

Creating an ISO Image

1. In Windows Explorer, right-click on the files or folders to be included in the encrypted ISO image.


Note - Names of files or folders must be shorter than 65 characters (including spaces, periods etc.). Otherwise, the file or folder will not be written into the image.

2. From the Encrypt with Check Point File Encryption menu, select Create Encrypted ISO Image.

The Create Encrypted ISO Image dialog box opens.

3. Enter the following information:

Table 9-34 ISO Image information

Field Description

Password Enter the password that must be used to decrypt the protected information.

Note - Your password must match the criteria stipulated by the administrator when installing File Encryption on your workstation.

Confirm password

Re-enter the password to confirm it.

Volume label Enter a suitable label to be displayed in Windows Explorer.

4. Click OK. The Save As dialog opens.

5. Enter a name for the ISO image and browse to the location on the hard disk where you want to save the encrypted image.

Note - We recommend that the total path, including the file name of the ISO image, be less than 120 characters (including spaces, periods etc.). Otherwise, some software may have problems reading the CD.

6. Click Save.

If you use a password to authenticate yourself to File Encryption, go to step 10. If you use a certificate to authenticate yourself, a dialog box opens asking you if you would like to select the certificates you want to allow access to the encrypted media.

7. Here you can enable other certificate users to access the encrypted image with their certificates. Click Yes to select the certificates you want to use.

8. In the window that opens, click Search to display a list of user certificates available. From the list displayed, select the certificates of the users you want to have access to the images.

Note - Your administrator may have already configured File Encryption to automatically add certain certificates to the image. Ask your administrator for more information.

File Encryption creates the image, and you are informed via a dialog box.

9. Click OK to acknowledge the message.

10. The image is saved with the name you entered. Now you can use your burning software to burn it onto a CD/DVD.

Note - The original files and folders are not deleted when you create an encrypted image. If you need to delete them, right-click on the files and choose Secure Delete from the Encrypt with ... menu to delete them securely.

For information on accessing the information, see Accessing Protected Information (on page 109).

Accessing Protected Information

With File Encryption Installed

The following instructions apply if you have File Encryption installed and running on your workstation. If you do not, you may still be able to access the information. See Without File Encryption Installed (on page 110) for more information.

To access protected information stored on removable media, CDs and DVDs:

1. Attach the media to your workstation and browse to it in Windows Explorer.


2. Double-click the file you wish to open.

If SSO is not enabled for this media and you are not the media creator, you will be prompted to enter the account name and password associated with the media. Once you have authenticated yourself, you have access to the information.

If SSO is enabled, you will be prompted only once for authentication and will from that point on have immediate access to the information.

Without File Encryption Installed

When installing and configuring File Encryption on your workstation, your administrator may have enabled stand-alone access to protected information.

Stand-alone access enables anyone who knows the password to access protected information even if they do not have File Encryption installed on their workstation.

Note - Naturally, if the media is read-only, it is not possible to update the files you have accessed.

For more information, see Working in a Stand-alone Access Environment (on page 110).

Working in a Stand-alone Access Environment The following sections provide instructions on working with File Encryption configured for stand-alone access.

Decrypting Files to the Hard Drive

You can decrypt files to the hard drive and work with them as you would any normal file. This section describes how to gain stand-alone access to protected information on removable media, CDs and DVDs.

To decrypt files to the hard drive:

1. Attach the media to your workstation. In Windows Explorer, browse to it and select pme.exe. Enter your account name and password, and click OK.

Note - For information on what to do if you have forgotten the password, see Forgot your Password? (on page 114).

2. Do one of the following:

a) Click the Extract button on the File Encryption toolbar.

b) Select Extract from the File Encryption File menu.

c) Right-click the file you want to decrypt and select Extract from the Context menu.

3. The Browse for Folder dialog box displays. After you select where to extract the files, they are decrypted and saved in the destination folder.

For information on the other options, see Updating Encrypted Information (on page 110) and Securely Deleting Information (on page 113).

Updating Encrypted Information

Information that has been updated or changed can be securely saved on the File Encryption-protected removable media, Firewire/USB-connected hard drive or floppy disk.

1. Open File Encryption and double-click an encrypted file to open it.

2. Save the file when you are finished working with it.

The Confirm File Update dialog box opens.

3. Click Yes to update the file.

The information is securely saved on the removable media.

Adding Files and Folders

There are several ways to add files and folders to File Encryption.


To add files and folders to File Encryption:

1. Attach the media to your workstation, browse to it and select pme.exe. Log in when prompted, and do one of the following:

a) Select a file or folder on your computer and drag and drop it to the File Encryption dialog box.

b) Use the Add files or Add folders button on the toolbar.

c) Use Add files or Add folders from the File menu.

d) Right-click in the File Encryption dialog box and click Add Files or Add Folder in the context menu.

To create files and folders directly in File Encryption:

1. Right-click the File Encryption dialog box. Select New, then select either Folder or File.

To copy files and folders to your computer:

1. Select a file or folder in File Encryption and select Copy to Clipboard from the menu. You can then paste it anywhere on your computer.

To copy files and folders to File Encryption:

1. Select a file or folder on your computer and copy it.

2. Select a location in File Encryption and then paste the file or folder from the clipboard.

Restoring Warnings

Some File Encryption message boxes allow you to hide messages by default. If you want to restore all hidden warnings, select Restore All Warnings from the View menu.

Securely Deleting Extracted Files

For information on securely deleting extracted files, see Using Secure Delete With the Stand-alone Utility (on page 114).

Managing Passwords and Keys The following sections explain how to change your local File Encryption password and how to manage keys on removable media.

Changing Your Local Password It is always good security practice to change your password regularly. You change your password in the Authentication dialog.

To change your password:

1. Log on to Windows.

If the Authentication dialog box does not open during or immediately after Windows start-up, do the following:

In Windows Explorer, right-click on a folder or volume and select Encrypt with Check Point File Encryption.

The Encrypt with ... menu opens.

2. Click Change Password.

The Change key password dialog box opens.

3. Enter the following information:


Table 9-35 Change Password Information

Field Description

Current Password Enter the password you currently use.

New Password Enter a new password.

Note - Your organization will require that your password is a certain length and contains certain characters, numbers and upper- or lowercase characters. Ask your administrator for more information.

Password guidelines:

always set a password that is at least 8 characters long

include numbers, letters and punctuation characters

use both upper- and lower-case letters

do not use more than two consecutive identical characters.

Confirm New Password Re-enter your new password to confirm it.

4. Click OK.

File Encryption changes your password.
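The password guidelines in Table 9-30 (package passwords) and Table 9-35 (your local password) are the same. The following is an added example, not part of the Check Point documentation or product, that checks a candidate password against those guidelines before you commit it. The 4- and 80-character bounds are the product limits stated in Table 9-30; the other rules are the guidelines above. The policy your administrator has actually configured may be stricter, so a password that passes here can still be rejected by File Encryption.

```python
import string
from typing import List

MIN_LEN, MAX_LEN = 4, 80   # product limits for package passwords (Table 9-30)
RECOMMENDED_MIN_LEN = 8    # guideline: at least 8 characters
MAX_REPEAT = 2             # guideline: no more than two consecutive identical characters


def check_password(pw: str) -> List[str]:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems: List[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if len(pw) < RECOMMENDED_MIN_LEN:
        problems.append(f"use at least {RECOMMENDED_MIN_LEN} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("include at least one digit")
    if not any(c.isalpha() for c in pw):
        problems.append("include at least one letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("include at least one punctuation character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("use both upper- and lower-case letters")
    # Scan for a run of identical characters longer than MAX_REPEAT (case-sensitive).
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_REPEAT:
            problems.append(f"no more than {MAX_REPEAT} consecutive identical characters")
            break
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ("password", "Ab111!cdE", "Tr4nsfer!Key"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

The check is case-sensitive for the repeat rule, so "Aaa" counts as a run of two, not three; if your organisation's policy treats letters case-insensitively there, compare on `cur.lower() == prev.lower()` instead.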

Changing Passwords on Removable Media It is good security practice to change passwords regularly.

To change the password:

1. In Windows Explorer, right-click the disk/card/floppy disk.

2. On the Encrypt with Check Point File Encryption menu, select Change Password.

The Change Password dialog box opens.

3. Enter your account name, current password, new password, and finally the new password again.

4. Click OK.

File Encryption changes the password.

Sharing Media/Floppy Disks and Managing Keys You can share a protected removable media/device by adding new password entries.

You can specify the number of times the shared media can be accessed by setting Usage, and require that other users always enter a password by deleting their machine’s keys from the media/device.

Sharing and SSO

If a new password entry has SSO selected, each workstation running File Encryption writes its own encryption key on the disk/card/Firewire drive/floppy disk when a new password is entered from the workstation.

The number of workstation keys that may be added to media is controlled by your administrator. If that number has been reached and File Encryption discovers that it cannot add new workstation keys to the media, you will be informed that you have to remove one or more existing workstation keys. If you do not remove keys, the new workstation will be able to access the removable media/devices but will not have SSO.

Note - The SSO and limit usage features are only applicable to writable media; they cannot be used for CD/DVD or write-protected media.


Sharing Media

You can share a protected removable media/device so that other users can access it. When you insert the media into the computer you are prompted for your password, which is then associated with the media. This makes you the "owner", allowing you to add accounts to the media for sharing.

To share media:

1. Right-click on the card/drive/floppy disk, and choose the Encrypt with Check Point File Encryption menu.

2. Add the user name(s) and password(s) of the user(s) you want to allow to access the card/drive/floppy disk, and configure SSO if applicable.

Note - If you specify that SSO is to be used for a user, File Encryption will save the workstation key when that user logs on to that media. When that media is inserted into the computer the next time, File Encryption will just apply the kept workstation key and not ask for the user's password.

3. Specify a number in the Limit usage field, if applicable. If you do, the user can only log on to the media a limited number of times. The number of allowed logons is displayed in the "Usage limit" control and the number is decreased after each successful logon.

The card/drive/floppy disk can now be accessed by the user(s) you added.

Deleting Keys

On cards/Firewire drives/floppy disks, you can force other users to always enter the password by deleting their machines’ keys from the card/floppy disk.

Note - It is not possible to delete keys from a CD/DVD.

To delete keys from a card/floppy disk:

1. Right-click on the card/drive/floppy disk, and choose the Encrypt with Check Point File Encryption menu.

2. Choose Encryption settings.

Note - If the media was encrypted on a different workstation, you will be prompted for the password that protects the media.

The Delete User Keys dialog box opens.

3. Select the workstation(s) whose key(s) you want to delete and click Delete Keys.

Note - It is not possible to delete the original key.

Securely Deleting Information The following sections explain how to securely delete information.

Information that has been deleted conventionally can often be recovered, because a normal delete only releases the disk space; the data stays on the disk until something else overwrites it. To prevent such recovery, the disk space the file occupied must be overwritten with other data. File Encryption's Secure Delete function does this by overwriting the space the information used.

Your organization's security policy determines the number of overwrite passes used during secure deletion.

Note - Overwriting in place only reaches the blocks the file currently occupies. Copies that live elsewhere (file-system journals, shadow copies, backups) are not touched, and flash-based media and SSDs may write the overwrite to a different physical location than the original data. On such media, keeping the information encrypted in the first place is the more reliable protection.
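The mechanism just described, as an added example that is not the product's own code: overwrite a file's blocks a configurable number of times with random data, force each pass to the device, then unlink it. The pass count stands in for the number your organization's policy sets; the sample content and the neutral-name rename before unlinking are this example's own choices and not something the page describes.

```python
import os
import secrets
import tempfile

SAMPLE = b"sensitive draft, constructed sample\n" * 100   # constructed content for the demo


def secure_delete(path: str, passes: int = 3, chunk: int = 1 << 20) -> int:
    """Overwrite the file at `path` with random data `passes` times, then remove it.

    Returns the number of bytes overwritten in each pass. `passes` plays the role of the
    overwrite count that the organisation's policy sets in the product.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push this pass to the device before starting the next
    # Best-effort extra (not from the page): rename to a meaningless name before unlinking so
    # the original file name does not linger in directory metadata.
    neutral = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, neutral)
    os.remove(neutral)
    return size


def demo() -> dict:
    """Create a throwaway file with constructed content, securely delete it, and report the result."""
    fd, path = tempfile.mkstemp(prefix="fe_demo_")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE)
    size_before = os.path.getsize(path)
    overwritten = secure_delete(path, passes=3)
    return {
        "size": size_before,
        "overwritten": overwritten,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The fsync after each pass matters: without it, the operating system may merge the passes in its page cache and write the device only once, or not at all before the unlink. Even with it, the limitation in the note above still applies on flash media and on file systems that relocate writes.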

Secure Delete Basics You can securely delete information from:

A PC with File Encryption installed


Removable media without File Encryption installed

Using Secure Delete With File Encryption Installed

You use the Encrypt with Check Point File Encryption menu to delete information from a PC with File Encryption installed.

To securely delete information from a PC with File Encryption Installed:

1. In Windows Explorer, right-click on the files and/or folders that contain the information you want to delete and from the Encrypt with Check Point File Encryption menu, select Secure Delete.

2. Click Yes to confirm that you want to delete the information. File Encryption securely deletes the information according to your organization’s security policy.

Using Secure Delete With the Stand-alone Utility

The File Encryption stand-alone utility allows you to securely delete information extracted from removable media, Firewire/USB-connected external hard drives, and floppy disks to the local drive.

To securely delete files extracted from removable media by stand-alone utility:

1. When you close File Encryption, you will be asked to securely delete any files you have extracted.

2. Select Yes to securely delete all extracted files from your computer. If you select No, the files are not securely deleted and remain recoverable even after you delete them in Windows Explorer.

Note - Once you have securely deleted information, it will no longer be available. If you are unsure of the deletion, click Cancel to review what will be deleted.

Forgot your Password? The following sections explain what to do if you forget a password.

What if I forget my password? If you forget your password, you can regain access to information protected by File Encryption using Remote Help provided by your helpdesk or Endpoint Security webRH (Web Remote Help). These are available through the File Encryption logon authentication, media logon authentication (including stand-alone utility) and the Change Password option.

Remote Help and webRH for Information Stored Locally

To access Remote Help or webRH:

1. Log on to Windows.

If the Authentication dialog box does not open during or immediately after Windows start-up, do the following:

In Windows Explorer, right-click on a folder or volume and select Encrypt with Check Point File Encryption > Log on to File Encryption.

2. Call your helpdesk or Remote Help administrator and identify yourself.

3. Select the Remote Help option your helpdesk/administrator tells you: Forgot password or Web Remote Help.

4. Follow your helpdesk/administrator’s instructions to regain access to File Encryption-protected information.

Remote Help and webRH for Removable Media/Devices

Remote Help and webRH for removable media/devices can be accessed in two ways, through the media authentication dialog and the Change Password option.


Note that in the case of read-only removable media/devices, Remote Help/webRH only allows access to the media/device and does not allow for changing the password.

To access protected information stored on removable media/devices through the authentication dialog:

1. Attach the media/device to your workstation, browse to it in Windows Explorer and double-click on it.

The Authentication dialog box opens.

2. Enter the account name that the media creator has set for this media/device.

3. Call your administrator or helpdesk, who will tell you how to proceed.

To access protected information stored on removable media/devices using the Change Password option:

1. Attach the media/device to your workstation, browse to it in Windows Explorer and right-click on it.

2. From the Encrypt with Check Point File Encryption menu, select Change Password.

The Change Password dialog box opens.

3. Enter the account name that the media creator has set for this media/device.

4. Call your administrator or helpdesk, who will tell you how to proceed.

Remote Help for Encrypted Packages

Note that only webRH is available for encrypted packages.

To access information stored in encrypted packages:

1. Double-click on the encrypted package.

2. Select Web Remote Help. A dialog box opens, displaying a challenge which you need to give to your administrator or helpdesk staff.

3. Call your administrator or helpdesk, who will tell you how to proceed.


Chapter 10

Policies Policy Enforcement enables the Endpoint Security client to protect your enterprise network by enforcing a security policy created by your network administrator. Enterprise policy enforcement occurs when the client is used in an Endpoint Security Server environment. With Endpoint Security, your administrator can send enterprise Policies out to the computer users on the enterprise's local network. In this way, your enterprise can be sure that everyone on the network is adequately protected from Internet threats.

In This Chapter

Policy Types 116

Understanding Policy Arbitration 116

Viewing Available Policies 116

Using the Policies Panel 117

Policy Types

Personal Security Policy: Settings you choose for your firewall, program control, e-mail protection and other features in Endpoint Security client.

Enterprise Security Policy: Settings for the same security features, but created by your company's security administrator and assigned to users on the enterprise network.

Disconnected policy: Created by a security administrator, enforces certain enterprise security settings even when your computer is not connected to the corporate network.

A security administrator sends enterprise Policies to the Endpoint Security clients on the corporate network.

If you are out of compliance with the enterprise policy, your computer may enforce restricted rules that limit your access. If this occurs, you will be directed to a Web page that provides instructions for getting your computer back into compliance. If you need further assistance, contact your system administrator.

Understanding Policy Arbitration

Your personal policy is active if the client is arbitrating or there is no enterprise policy in effect. An enterprise policy may be active or inactive, depending on the situation.

When both your personal policy and an enterprise policy are active, Endpoint Security arbitrates between the two Policies: the more restrictive of the two policy settings is enforced. For example, if your personal policy calls for the Internet Zone security level to be set to medium; and an active enterprise policy calls for it to be set to high, the high setting is enforced.

Because of policy arbitration, an active enterprise policy may block traffic that your personal policy is set to allow, or vice-versa. If you think Endpoint Security is blocking legitimate traffic that should be allowed, contact your system administrator.

Viewing Available Policies

Depending on how your administrator has configured your policy settings, you may only be able to view your personal, enterprise, and disconnected Policies, or you might also be able to view any updates that have been made to your enterprise policy.


Using the Policies Panel

Use the Policies panel to:

See which Policies are installed, which is currently active, and the last time a policy was updated.

Access a text version of policy settings for each enterprise policy and for your personal policy.

Table 10-36 Policy Panel Information

Policy Name: Name of the policy. Personal Policy is the set of settings you have established for the client by using the Endpoint Security Main Page. Other policy names refer to enterprise Policies that your administrator has installed on your computer.

Author: The administrator who created and assigned the security policy. For the personal policy, this is listed as N/A.

Connection: For example, Local, Lan, etc.

Active: Indicates whether the listed policy is currently active. Personal Policy is always active. The administrator can activate or deactivate an enterprise policy. When both your personal policy and another policy are active, Endpoint Security arbitrates between the two active Policies.

Policy Type: For example, Personal Policy, Corporate Policy, Disconnected Policy.

Last Server Contact: For enterprise security Policies, this column indicates the date and time that the client first established the current connection to an Endpoint Security Server, to enforce the listed enterprise policy. If the connection to the server is down, or the client is not enforcing an enterprise policy, this column displays Disconnected.

Server Address: Address of the Endpoint Security Server to which the Endpoint Security client is connected.

Description: Details about the policy that is currently selected in the list.

Always warn me when an enterprise policy disables my personal policy: Select this check box to receive a notification when your personal policy is superseded by an enterprise policy.


Chapter 11

Alerts and Logs

You can be notified by an alert each time the client acts to protect you, or only when an alert is likely to have resulted from malicious activity. You can choose to log all alerts, only high-rated alerts, or alerts caused by specific traffic types.

In This Chapter

Understanding Alerts and Logs 118

Setting Basic Alert and Log Options 119

Showing or Hiding Alerts 119

Setting Event and Program Log Options 120

Understanding Alerts and Logs

The client alert and logging features keep you aware of what is happening on your computer without being overly intrusive, and enable you to go back at any time to investigate past alerts.

About Alerts

Endpoint Security client generates two alert types, enterprise or personal, which correspond to settings or rules contained in the active policy.

Both policy types have three categories of alerts: informational, program, and network.

To learn how to respond to specific alerts, see Alert Reference (on page 124).

Informational Alerts

Informational alerts tell you that the client has blocked a communication that did not fit your security settings.

Informational alerts do not require a decision from you.

Click OK to close the alert box.

Program Alerts

Program alerts ask you if you want to allow a program to access the Internet or local network, or to act as a server. Program alerts require a Yes or No response. The most common types of Program alerts are the New Program alert and the Repeat Program alert.

Click Yes to grant permission to the program.

Click No to deny permission.

New Network Alerts

New Network alerts occur when you connect to any network: a wireless home network, a business LAN, or an ISP network.

If you are on a home or local network, New Network alerts let you instantly configure the client to allow you to share resources with the network.


About Event Logging

By default, the client creates a log entry every time traffic is blocked, whether an alert is displayed or not. Log entries record the traffic source and destination, ports, protocols, and other details. The information is recorded to a text file named ZALOG.txt, stored in the Internet Logs folder. Every 60 days, the log file is archived to a dated file, so that it does not become too large.

You can choose to prevent specific categories of events from being logged. For example, you may want to create log entries only for firewall alerts, or suppress entries for a particular type of Program alert.

Setting Basic Alert and Log Options

Basic alert and log options let you specify the type of event for which the client displays an alert and for which events it creates a log entry.

Setting Alert Event Level

The Alert Events Shown control, in the Main tab of Alerts & Logs, lets you control the display of alerts by rating. Program alerts are always displayed, because they ask you to decide whether to grant permission.

To set the alert event level:

1. Open Alerts & Logs Main.

2. In the Alert Events Shown area, select the desired setting.

High: Displays an alert for every security event that occurs, both high-rated and medium-rated.

Med: Displays only high-rated alerts, which are most likely a result of hacker activity.

Off: Displays Program alerts only. Informational alerts are not displayed.

Setting Event and Program Logging Options

Use the Event Logging and Program Logging areas to choose what types of informational alerts and program alerts will be logged.

To enable or disable event logging and program logging:

1. Open Alerts & Logs Main.

2. In the Event Logging area, select the desired setting.

On: Creates a log entry for all events.

Off: No events are logged.

3. In the Program Logging area, specify the log level.

High: Creates a log entry for all program alerts.

Med: Creates a log entry for high-rated program alerts only.

Off: No program events are logged.

Showing or Hiding Alerts

You can specify whether you want to be alerted to all security and program events, or only to events that are likely a result of malicious activity.

Showing or Hiding Firewall Alerts

The Alert Events tab gives you more detailed control of alert display. You can specify for which types of blocked traffic Firewall and Program alerts are displayed.


To show or hide firewall or program alerts:

1. Open Alerts & Logs Main.

2. Click Advanced.

The Alert & Log Settings window appears.

3. Open the Alert Events tab.

4. In the Alert column, select the type of blocked traffic for which the client should display an alert.

5. Click Apply.

Setting Event and Program Log Options

You can specify whether the client keeps track of security and program events by enabling or disabling logging for each type of alert.

Formatting Log Appearance

You can set the field separator for your text log files.

To format log entries:

1. Open Alerts & Logs.

2. Click Advanced.

The Advanced Alerts and Log Settings window appears.

3. Open the Log Control tab.

4. In the Log Archive Appearance area, select the format to be used for logs: Tab, Comma, or Semicolon.

Customizing Event Logging

By default, the client creates a log entry when a high-rated firewall event occurs. You can customize firewall alert logging by suppressing or allowing log entries for specific security events, such as MailSafe quarantined attachments, Blocked non-IP packets, or Lock violations.

To create or suppress log entries based on event type:

1. Open Alerts & Logs Main.

2. Click Advanced.

The Advanced Alerts and Logs window appears.

3. Select Alert Events.

4. In the Log column, select the type of event for which the client should create a log entry.

5. Click Apply to save your changes.

6. Click OK to close the Alert & Log Settings window.

Customizing Program Logging

By default, the client creates a log entry when any type of Program alert occurs. You can customize Program alert logging by suppressing log entries for specific Program alert types, such as New Program alerts, Repeat Program alerts, or Server Program alerts.

To create or suppress log entries based on event type:

1. Open Alerts & Logs Main.

2. In the Program Logging area, click Custom.

3. In the Program Logs column, select the type of event for which the client should create a log entry.

4. Click Apply to save your changes.

5. Click OK to close the Alert & Log Settings window.


Viewing Log Entries

You can view log entries in a text file using a text editor or in the Log Viewer. Although the format differs slightly, the general information contained in the log is the same.

To view the current log in the Log Viewer:

1. Open Alerts & Logs Log Viewer.

2. Select the number of alerts to display (from 1 to 99) in the alerts list.

You can sort the list by any field by clicking the column header.

3. Click a log entry to view Log entry details.

Log Viewer Fields

At the top of the Log Viewer panel, the Alert Type drop down list allows you to view Program, Firewall, Anti-malware, and SmartDefense alerts.

Table 11-37 Log Viewer Information (Column Heading: Description)

Rating: Each alert is rated critical, high, or medium. Critical-rated and High-rated alerts are those likely to have been caused by hacker activity. Medium-rated alerts are likely to have been caused by unwanted but harmless network traffic.

Date / Time: The date and time the alert occurred.

Type: The type of alert: Firewall, Program, Malicious Code Detection, Lock Enabled, Scan, Update, or Treat.

Protocol: Identifies the protocol used by the traffic that caused the alert condition. In the Alert Type drop-down list choose Firewall to view the Protocol column.

Program: The name of the program attempting to send or receive data. (Applies only to Program alerts.)

Source IP: The IP address of the computer that sent the traffic that the client blocked.

Destination IP: The address of the computer the blocked traffic was sent to.

Direction: The direction of the blocked traffic: Incoming or Outgoing to/from your computer.

Action Taken: How the traffic was handled by the client.

Count: The number of times an alert of the same type, with the same source, destination and protocol, occurred during a single session.

Source DNS: The domain name of the computer that sent the traffic that caused the alert.

Destination DNS: The domain name of the intended addressee of the traffic that caused the alert.


Policy: The name of the policy containing the security setting or rule that caused the alert. Endpoint Security client recognizes three policy types: personal, enterprise, and disconnected.

Rule: When an alert was caused by conditions specified in a classic firewall rule, this column contains the name of the rule. In the Alert Type drop-down list choose Firewall to view the Rule column.

Viewing the Text Log

By default, alerts generated by Endpoint Security are logged in \WINDIR\Internet Logs\ZAlog.txt (where WINDIR is usually c:\Windows).

To view the current log as a text file:

1. Open Alerts & Logs Main.

2. Click Advanced.

The Advanced Alerts & Log Settings window opens.

3. Open the Log Control tab.

4. In the Log Archive Location area, click View Log.

Table 11-38 Text Log Information (Field: Description. Example)

Type: Type of event recorded. Example: FWIN

Date: Date of the alert, in format yyyy/mm/dd. Example: 2001/12/31 (December 31, 2001)

Time: Local time of the alert. This field also displays the hours difference between local time and Greenwich Mean Time (GMT). Example: 17:48:00 -8:00GMT (5:48 PM, eight hours earlier than Greenwich Mean Time. GMT would be 01:48.)

Source: IP address of the computer that sent the blocked packet, and the port used; OR the program on your computer that requested access permission. Example: 192.168.1.1:7138 (firewall events) or Microsoft Outlook (program events)

Destination: IP address and port of the computer to which the blocked packet was addressed. Example: 192.168.1.101:0

Transport: Protocol (packet type) involved. Example: UDP
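The text log layout above (Type, Date, Time with GMT offset, Source, Destination, Transport) and the selectable field separator are enough to parse ZAlog.txt-style entries offline and spot the repeated blocked-traffic sources that the Log Viewer's Count column and the Reducing Firewall Alerts advice are about. The following is an added example, not code from the user guide or from Check Point; the sample lines are constructed to follow Table 11-38 (the PROGRAM type code and the second host are placeholders), and a real ZAlog.txt may carry additional columns.

```python
"""Parse ZAlog.txt-style text log entries and summarise repeated firewall events.

Added example, not part of the Check Point user guide. Field layout follows
Table 11-38 (Type, Date, Time, Source, Destination, Transport); the separator
matches the Log Archive Appearance setting (Tab, Comma or Semicolon).
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SEPARATORS = {"Tab": "\t", "Comma": ",", "Semicolon": ";"}
FIELDS = ("type", "date", "time", "source", "destination", "transport")

# Time field as documented in the guide: "17:48:00 -8:00GMT"
_TIME_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\s+([+-])(\d{1,2}):(\d{2})GMT$")
# Source/Destination for firewall events: "ip:port"
_ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed sample log (tab separated). Only FWIN is a type code taken from
# the guide; PROGRAM is a placeholder for a program-permission event.
SAMPLE_LOG = "\n".join([
    "FWIN\t2001/12/31\t17:48:00 -8:00GMT\t192.168.1.1:7138\t192.168.1.101:0\tUDP",
    "FWIN\t2001/12/31\t17:48:30 -8:00GMT\t192.168.1.1:7138\t192.168.1.101:0\tUDP",
    "FWIN\t2001/12/31\t17:49:00 -8:00GMT\t192.168.1.1:7138\t192.168.1.101:0\tUDP",
    "FWIN\t2001/12/31\t17:50:12 -8:00GMT\t10.0.0.7:1025\t192.168.1.101:137\tUDP",
    "PROGRAM\t2001/12/31\t17:51:00 -8:00GMT\tMicrosoft Outlook\t192.168.1.1:25\tTCP",
])


def parse_timestamp(date_str, time_str):
    """Combine Date (yyyy/mm/dd) and Time (local clock plus offset from GMT)
    into a timezone-aware UTC datetime. '17:48:00 -8:00GMT' on 2001/12/31 is
    01:48 GMT on 2002/01/01, as the guide's example notes."""
    m = _TIME_RE.match(time_str.strip())
    if not m:
        raise ValueError(f"unrecognised time field: {time_str!r}")
    hh, mm, ss, sign, oh, om = m.groups()
    offset = timedelta(hours=int(oh), minutes=int(om))
    if sign == "-":
        offset = -offset
    local = datetime.strptime(date_str.strip(), "%Y/%m/%d").replace(
        hour=int(hh), minute=int(mm), second=int(ss), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def parse_endpoint(value):
    """Return (ip, port) for 'ip:port'; a program name comes back as (name, None)."""
    m = _ENDPOINT_RE.match(value.strip())
    if m:
        return m.group(1), int(m.group(2))
    return value.strip(), None


def parse_entry(line, separator="Tab"):
    """Parse one log line into a dict keyed by the Table 11-38 field names."""
    sep = SEPARATORS[separator]
    parts = [p.strip() for p in line.rstrip("\r\n").split(sep)]
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    entry = dict(zip(FIELDS, parts[:len(FIELDS)]))
    entry["utc"] = parse_timestamp(entry["date"], entry["time"])
    entry["source_ip"], entry["source_port"] = parse_endpoint(entry["source"])
    entry["dest_ip"], entry["dest_port"] = parse_endpoint(entry["destination"])
    return entry


def parse_log(text, separator="Tab"):
    """Parse every non-empty line, skipping lines that do not fit the layout."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_entry(line, separator))
        except ValueError:
            continue
    return entries


def repeated_firewall_events(entries, threshold=2):
    """Group blocked-packet events by type, source IP, destination and transport
    (the same grouping as the Log Viewer's Count column) and return the groups
    seen at least `threshold` times, most frequent first. Program events, whose
    Source is a program name rather than ip:port, are excluded."""
    counts = Counter()
    for e in entries:
        if e["source_port"] is None:
            continue
        counts[(e["type"], e["source_ip"], e["dest_ip"], e["dest_port"], e["transport"])] += 1
    return [(key, n) for key, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for key, n in repeated_firewall_events(parse_log(SAMPLE_LOG)):
        print(n, "x", key)
```

A source that tops this list and is on your own LAN is a candidate for the Trusted Zone; one that is not, or that you do not recognise, is worth submitting to AlertAdvisor before any rule is changed.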


Archiving Log Entries

At regular intervals, the contents of ZAlog.txt are archived to a date-stamped file, for example, ZALog2005.09.12.txt (for September 12, 2005). This prevents ZAlog.txt from becoming too large.

To view archived log files, use Windows Explorer to browse to the directory where your logs are stored.

To set archive frequency:

1. Open Alerts & Logs Main

2. Click Advanced.

3. Open the Log Control tab.

4. Select the Log Archive Frequency checkbox.

If this checkbox is not selected, Endpoint Security continues to log events for display in the Log Viewer tab, but does not archive them to the ZAlog.txt file.

5. In the Log Frequency area, specify the log frequency (between 1 and 60 days).

Using Alert Advisor

Check Point AlertAdvisor is an online utility that enables you to analyze the possible causes of an alert, and helps you decide how to respond to a Program alert.

To use AlertAdvisor, click More Info in an alert pop-up, where available.

Endpoint Security sends information about your alert to AlertAdvisor. AlertAdvisor returns an article that explains the alert and gives you advice on what, if anything, you need to do to ensure your security.

To submit an alert to AlertAdvisor:

1. Open Alerts & Logs Log Viewer.

2. Right-click anywhere in the alert record you want to submit and choose More Info.


Chapter 12

Alert Reference

There are various types of alerts you may see while using Endpoint Security. This reference describes why Alerts happen, what they mean, and what to do about them.

In This Chapter

Informational Alerts 124

Program Alerts 127

Informational Alerts

Informational alerts tell you that the client has blocked a communication that did not fit your security settings.

Informational alerts do not require a decision from you.

Click OK to close the alert box.

Firewall Alert/Protected

Firewall alerts are the most common type of informational alert. Firewall alerts inform you that the Endpoint Security firewall has blocked traffic based on port and protocol restrictions or other firewall rules.

Why Firewall Alerts Occur

Firewall alerts with a red band at the top indicate high-rated alerts. High-rated alerts often occur as a result of malicious activity.

Firewall alerts with an orange band at the top indicate medium-rated alerts. Medium-rated alerts are likely the result of harmless network traffic. For example, if your ISP is using ping to verify that you are still connected. However, they also can be caused by a hacker trying to find unprotected ports on your computer.

What you should do

If you are on a home or business network, and your Trusted Zone security is set to HIGH, normal LAN traffic such as NetBIOS broadcasts may generate Firewall alerts. Try lowering Trusted Zone security to MEDIUM.

By default, Endpoint Security only displays high-rated Firewall alerts. If your defaults have been changed, you may see a lot of medium-rated alerts. Try setting your alert display settings to MEDIUM.

If you receive a large number of Firewall alerts, and you are working on a home network or business LAN, it is possible that normal network communications are being blocked. If this is happening, you can eliminate the alerts by placing your network in the Trusted Zone.

Reducing Firewall Alerts

Repeated alerts may indicate that a resource you want to trust is trying repeatedly to contact you. If you are receiving a lot of firewall alerts, but you do not suspect you are under attack, try the following troubleshooting steps:

Determine if the source of the alerts should be trusted.

Submit repeated alerts to AlertAdvisor to determine the source IP address that caused the alerts.


If the alerts were caused by a source you want to trust, add it to the Trusted Zone.

Determine if your Internet Service Provider is sending you "heartbeat" messages.

Try the procedures suggested for managing ISP heartbeat. See Allowing ISP Heartbeat messages (on page 136).

MailSafe Alert

MailSafe alerts let you know that Endpoint Security has quarantined a potentially dangerous outgoing e-mail message.

Why MailSafe Alerts Occur

A violation of Outbound MailSafe protection settings, such as an e-mail that has too many recipients, or too many e-mails within a short time, can cause a MailSafe alert to occur.

What you should do

Examine the alert carefully. Does the activity noted describe actions you were recently performing? For example, did you recently attempt to send out a legitimate mailing to a large number of recipients, or to send many e-mails in a short period of time? If so, you may want to modify your Outbound MailSafe settings to better accommodate your needs. See Outbound MailSafe Protection.

Verify that your e-mail address is listed on the approved senders list. If you selected the "if the sender's e-mail is not in this list" option, and your e-mail address is not on that list or is misspelled, add your valid e-mail address to the list.

Blocked Program Alerts

Blocked Program alerts tell you that Endpoint Security has prevented an application on your computer from accessing the Internet or Trusted Zone resources. By clicking OK, you are not allowing the program access, just acknowledging that you saw the alert.

Why Blocked Program Alerts Occur

Blocked Program alerts occur when a program tries to access the Internet or the Trusted Zone, even though you have explicitly denied it permission to do so.

What you should do

If the program that was blocked is one that you want to have access to the Internet Zone or Trusted Zone, use the Programs tab to give the program access permission.

Reducing Blocked Program Alerts

To turn off Blocked Program alerts, do one of the following:

When you see a Blocked Program alert, select Do not show this window again before clicking OK. From then on, all Blocked Program alerts will be hidden. Note that this will not affect New Program, Repeat Program, or Server Program alerts.

In the Program Control panel, click Advanced to access the Alerts & Functionality tab, then clear the Show alert when Internet access is denied checkbox.

Note - Turning off Blocked Program Alerts does not affect your level of security.


Internet Lock Alerts

Internet Lock alerts let you know that Endpoint Security has blocked incoming or outgoing traffic because the Internet Lock is engaged. By clicking OK, you are not opening the lock; you are just acknowledging that you have seen the alert.

Why Internet Lock Alerts Occur

These alerts occur only when the Internet Lock is engaged.

Reducing Internet Lock Alerts

If you are receiving a lot of Internet Lock alerts, it is possible that your Automatic Internet Lock settings are engaging the Internet Lock after every brief period of inactivity.

To reduce the number of alerts, you can do one of the following:

Turn off the Automatic Internet Lock.

Increase the interval of inactivity required to engage the Automatic Internet Lock (see Enabling Automatic Lock (on page 63)).

Compliance Alerts

Compliance alerts occur when the Endpoint Security server, operating in conjunction with the Endpoint Security client, determines that your computer is non-compliant with enterprise security requirements. Depending on the type of non-compliance, your ability to access the corporate network may be restricted or even terminated.

Why Compliance Alerts Occur

These alerts appear when you are trying to connect to your corporate network and you are out of compliance with the enterprise policy stored in Endpoint Security Server.

What you should do

Compliance alerts, in conjunction with special Web pages, will tell you what you need to do to become compliant with security policy settings.

If the non-compliant condition does not require immediate remediation, your access to the corporate network may be restricted: You can continue to access some corporate network resources, but you should perform the steps necessary to make your computer compliant as soon as possible.

If the non-compliant condition requires immediate remediation, your access to the corporate network may be terminated. In this case, you may only be able to access the Web page that tells you how to make your computer compliant with corporate security requirements.

Click the link in the alert or corresponding Web page to begin the remediation process. Remediation generally involves installing a newer version of Endpoint Security or approved antivirus software. If you see a Compliance alert and you are unsure of how to make your computer compliant with corporate security, consult your system administrator.

Your administrator has the option of configuring Endpoint Security to automatically install any applications required to bring your computer into compliance with corporate guidelines. In some cases, this may result in a program being installed on your computer without warning, and could require a reboot of your computer. If you experience an automatic system reboot or if a program attempts to install itself on your computer, consult with your system administrator.

Reducing Compliance Alerts

You can avoid seeing Compliance alerts by keeping your computer in compliance with the security policy established by your administrator.


Program Alerts

Most of the time, you are likely to see program alerts when you are actually using a program. For example, if you've just installed Endpoint Security, and you immediately open Microsoft Outlook and try to send an e-mail message, you'll get a program alert asking if you want Outlook to have Internet access. However, program alerts can also occur if a Trojan horse or worm on your computer is trying to spread.

New Program Alerts

New Program alerts enable you to set access permission for a program that has not asked for Internet Zone or Trusted Zone access before.

If you click Yes, the program is allowed access.

If you click No, the program is denied access.

Why New Program Alerts Occur

New Program alerts occur when a program on your computer tries to initiate a connection with a computer in the Internet Zone or Trusted Zone, and that program has not already received access permission from you.

As you begin to work with Endpoint Security, you will probably see one or more New Program Alerts.

What you should do

Click Yes or No in the alert pop-up after answering these questions:

Did you just launch a program or process that would reasonably require permission? If so, it's probably safe to click Yes. If not, continue.

Do you recognize the name of the program in the Alert pop-up? If so, does it make sense for the program to need permission? If so, it's probably safe to click Yes. If not, or if you are not sure, continue.

If you are really not sure what to do, it is best to click No. You can always grant permission later by going to the Programs tab.

Reducing New Program Alerts

You may see several New Program alerts soon after installing Endpoint Security. As you assign permissions to each new program, the number of alerts you see will decrease.

To keep from seeing Repeat Program alerts, select Remember this answer the next time I use this program.

Repeat Program Alerts

Repeat Program alerts occur when a program on your computer tries to initiate a connection with a computer in the Internet Zone or Trusted Zone, and that program has asked for permission before.

Why Repeat Program Alerts Occur

If you click Yes or No to a New Program alert without checking Remember this answer the next time I use this program, you'll see a Repeat Program alert the next time the program asks for access permission.

What you should do

You should respond to Repeat Program alerts in the same way you would to New Program alerts.



Reducing Repeat Program Alerts

To keep from seeing Repeat Program alerts, select Remember this answer the next time I use this program before clicking Yes or No in any New Program or Repeat Program alert. This sets the permission for the program to Allow or Block in the Programs tab.

Changed Program Alerts

Changed Program alerts warn you that a program that has asked for access permission or server permission before has changed somehow.

If you click Yes, the changed program is allowed access. If you click No, the program is denied access.

Why Changed Programs Alerts Occur

Some programs are configured to access the Internet regularly to look for available updates. Changed Program alerts can occur if you have updated a program since the last time it accessed the Internet. However, they can also occur if a hacker has tampered with the program.

Consult the documentation for your programs, or refer to the support Web sites of their vendors, to find out if the program has automatic update functionality.

What you should do

To determine how to respond to a Changed Program alert, consider these questions:

Did you (or your system administrator) recently upgrade the program that is asking for permission?

Does it make sense for the program to need permission?

If you can answer "yes" to both questions, it's probably safe to click Yes.

Note - If you are unsure, it is safest to answer No. You can always grant permission later by going to the Programs tab.

Reducing Changed Program Alerts

Changed Program alerts are always displayed because they require a Yes or No response from you. If you are using a program whose checksum changes frequently, you can avoid seeing numerous alerts by having Endpoint Security check the program's file name only. See Adding Programs to the Programs List (on page 66).

Program Component Alerts

Use the Program Component alert to allow or deny Internet access to a program that is using one or more components that haven't yet been secured by Endpoint Security. This helps protect you from hackers who try to use altered or faked components to get around your program control restrictions.

By clicking Yes, you allow the program to access the Internet while using the new or changed components.

By clicking No, you prevent the program from accessing the Internet while using those components.

Why Program Component Alerts Occur

Program Component alerts occur when a program accessing the Internet or local network is using one or more components that Endpoint Security has not yet secured, or that has changed since it was secured.

Endpoint Security automatically secures the components that a program is using at the time you grant it access permission. This prevents you from seeing a Component alert for every component loaded by your browser. To learn how Endpoint Security secures program components, see the Program Authentication (on page 62).


What you should do

The proper response to a Program Component alert depends on your situation. Consider the following questions:

Are any of the following true?

You just installed or re-installed Endpoint Security.

You recently updated the application that is loading the component. (For the application name, look under Technical Information in the alert pop-up.)

The application that is loading the component has an automatic update function.

Someone else (for example, a systems administrator at your workplace) may have updated a program on your computer without your knowledge.

Are you actively using the application that loaded the component?

If you can answer Yes to both questions, it is likely that Endpoint Security has detected legitimate components that your browser or other programs need to use. It is probably safe to answer Yes to the Program Component alert.

By clicking Yes, you allow the program to access the Internet while using the new or changed components. If you cannot answer Yes to both questions, or if you feel unsure about the component for any reason, it is safest to answer No.

By clicking No, you prevent the program from accessing the Internet while using those components.

Note - If you are unsure of what to do, or if you decide to answer No, investigate the component to determine if it is safe.

Reducing Program Component Alerts

You may receive a large number of component alerts if you raised the Program Authentication level to high soon after installing Endpoint Security. With authentication set to High, Endpoint Security cannot automatically secure the large number of DLLs and other components commonly used by browsers and other programs.

To reduce the number of alerts, lower the authentication level to medium for the first few days after installing Endpoint Security.

If you have been using Endpoint Security for more than a few days, it is very rare to see large numbers of program alerts.

Server Program Alerts

Server Program alerts enable you to set server permission for a program on your computer.

Why Server Program Alerts Occur

Server Program alerts occur when a program on your computer wants server permission for either the Internet Zone or Trusted Zone, and that program has not already received server permission from you.

Relatively few programs on your computer will require server permission. Some common types of programs that do are:

Chat

Internet Call Waiting

Music file sharing (such as Napster)

Streaming Media (such as RealPlayer)

Voice-over-Internet

Web meeting


If you are using the types of programs described above that require server permission to operate properly, grant permission before you start using the program. See Granting Server Permission to Programs (on page 67).

Note - If your browser does not have permission to access the Internet, you will be re-routed to the online help. To access AlertAdvisor, give your browser permission to access the Internet. See Granting Internet Access Permissions to Programs (on page 67).

What you should do

Before responding to the Server Program alert, consider the following:

Did you just launch a program or process that would reasonably require permission? If so, it's probably safe to click Yes. If not, continue.

Do you recognize the name of the program in the alert pop-up, and if so, does it make sense for the program to need permission? If so, it's probably safe to click Yes.

Click the More Info button in the alert box. This submits your alert information (for example, the name of the program and the address it was trying to reach) to AlertAdvisor, which then displays a Web page with information about the alert and the program. Use the AlertAdvisor information to help you decide if it's safe to answer Yes. See Using Alert Advisor (on page 123).

If you are still not certain that the program is legitimate and needs server permission, it is safest to answer No. If it becomes necessary, you can give the program server permission later by using the Programs tab. See Granting Server Permission to Programs (on page 67).

Reducing Server Program Alerts

If you are using the types of programs described above that require server permission to operate properly, use the Programs tab in Endpoint Security to grant permission before you start using the program.

Advanced Program Alerts

Advanced Program alerts are similar to other Program alerts (New Program, Repeat Program, and Changed Program): they inform you that a program is attempting to access the network.

However, they differ from other Program alerts in that the program is attempting to use another program to connect to the Internet, or is attempting to manipulate another program's functionality.

Why Advanced Program Alerts Occur

Advanced Program alerts occur in two situations: when a program on your computer tries to initiate a connection with a computer in the Internet Zone or Trusted Zone by instructing another program to connect; or when a program attempts to hijack the processes of another program by calling the OpenProcess function.

There are some legitimate programs associated with your operating system that may require access to another program. For example, if you were using Windows Task Manager to shut down Microsoft Internet Explorer, Windows Task Manager would need to call the OpenProcess function on the Microsoft Internet Explorer program in order to shut it down.

What you should do

How you should respond to an Advanced Program alert depends upon the cause of the alert. If the Advanced Program alert was caused by the OpenProcess function being called, you should determine whether the function was called by a legitimate program or by a malicious one. Verify that the program cited in the alert is one you trust to carry out this function. For example, if you were attempting to shut down a program using Windows Task Manager when you received the Advanced Program alert, it is probably safe to answer Yes. Similarly, if the alert was caused by a program using another program to access the Internet and that program routinely requests such permission, it is probably safe to answer Yes. If you are unsure as to the cause of the alert or the expected behavior of the program initiating the request, it is safest to answer No. After denying advanced permission to the program, perform an Internet search on the program's file name. If the program is malicious, it is likely that information about it is available, including how to remove it from your computer.

Reducing Advanced Program Alerts

It is unusual to see a large number of Advanced Program alerts. If you receive repeated alerts, research the program name or names and consider either removing the program from your computer or providing the program with the necessary access rights.

Manual Action Required Alerts

A Manual Action Required alert informs you that further steps must be taken before Endpoint Security is properly configured to support your VPN connection.

Why Manual Action Required Alerts Occur

A Manual Action Required alert occurs when Endpoint Security is unable to configure your VPN connection automatically, or if further manual changes are required before automatic configuration can be completed.

What you should do

Manual Action Required alerts do not require a response from you. To configure your VPN connection manually, see Configuring VPN Connection (on page 60) and follow the instructions for manual configuration.

Reducing Manual Action Alerts

It is unusual for you to see many Manual Action Required alerts. If you do see multiple alerts, either perform the required steps to properly configure your Endpoint Security to support your VPN connection, or remove the VPN software from your computer.

New Network Alerts

A New Network alert appears when Endpoint Security detects that you are connected to a network you haven't seen before. You can use the alert pop-up to enable file and printer sharing with that network.

The first time you use Endpoint Security, you will almost certainly see a New Network alert. This alert is a convenience tool designed to help you configure Endpoint Security.

Why New Network Alerts Occur

New Network alerts occur when you connect to any network--be it a wireless home network, a business LAN, or your ISP's network.

By default, Endpoint Security versions 3.5 and above display the Network Configuration Wizard, rather than the New Network alert, when a network is detected.

What you should do

How you respond to a New Network alert depends on your particular network situation.

If you are connected to a home or business local network and you want to share resources with the other computers on the network, put the network in the Trusted Zone.

To add the new network to the Trusted Zone:

1. In the New Network alert pop-up, provide a name for the network (for example "Home NW") in the Name box.


2. Select Trusted Zone from the Zone drop-down list.

3. Click OK.

Use caution if Endpoint Security detects a wireless network. It is possible for your wireless network adapter to pick up a network other than your own. Be sure that the IP address displayed in the New Network alert is your network's IP address before you add it to the Trusted Zone.

Important - If you are not certain which network Endpoint Security has detected, write down the IP address displayed in the alert box. Then consult your home network documentation, systems administrator, or ISP to determine what network it is.

Reducing New Network Alerts

It is unusual to receive a lot of New Network alerts.


Chapter 13

Troubleshooting

In This Chapter

VPN Troubleshooting 133

Network Troubleshooting 134

Internet Connection Troubleshooting 135

VPN Troubleshooting

If you are having difficulty using VPN software with the client, refer to the table for troubleshooting tips provided in this section.

Table 13-39 Troubleshooting

If you can't connect to your Virtual Private Network (VPN), see Configuring Client for VPN Traffic (on page 133).

If you have created expert firewall rules, see VPN Auto-Configuration and Expert Rules (on page 133).

If you are using a supported VPN client and Endpoint Security client does not detect it automatically the first time you connect, see Automatic VPN Detection Delay (on page 134).

Configuring Client for VPN Traffic

If you cannot connect to your VPN, you may need to configure the client to accept traffic coming from your VPN.

To configure the client to allow VPN traffic:

1. Add VPN-related network resources to the Trusted Zone.

See Adding to the Trusted Zone.

2. Grant access permission to the VPN client and any other VPN-related programs on your computer.

See Setting Specific Permissions (on page 65).

3. Allow VPN protocols.

See Adding VPN Resources to Trusted Zone.

VPN Auto-Configuration and Expert Rules

If you have created expert firewall rules that block VPN protocols, Endpoint Security client will not be able to automatically detect your VPN when you initiate a connection. To configure your VPN connection, you will need to make sure that your VPN client and VPN-related components are in the Trusted Zone, and that they have permission to access the Internet. See Configuring VPN Connection for Firewall (on page 60).


Automatic VPN Detection Delay

Endpoint Security client periodically polls your computer to determine if supported VPN protocols are engaged. Upon detection, Endpoint Security client prompts you to configure your connection automatically. If you have recently installed a VPN client and have tried to connect, the client may not have detected your VPN configuration yet. If you prefer the client to configure your connection automatically, wait ten minutes and then try connecting again. If you prefer to connect right away, you can configure your connection manually. See Configuring VPN Connection for Firewall (on page 60).

Network Troubleshooting

If you are having difficulty connecting to your network or using networking services, refer to the table for troubleshooting tips provided in this section.

Table 13-40 Troubleshooting Network Issues

If you can't see the other computers in your Network Neighborhood, or if they can't see you, see Making Your Computer Visible on Local Network (on page 134).

If you can't share files or printers over your home or local network, see Sharing Files and Printers Locally (on page 134).

If your computer is on a Local Area Network (LAN) and takes a long time to start up when Endpoint Security client is installed, see Resolving Slow Startup (on page 135).

Making Your Computer Visible on Local Network

If you can't see the other computers on your local network, or if they can't see your computer, it is possible that the client is blocking the NetBIOS traffic necessary for Windows network visibility.

To make your computer visible on the local network:

1. Add the network subnet (or, in a small network, the IP address of each computer you are sharing with) to your Trusted Zone. See Adding to the Trusted Zone.

2. Set the Trusted Zone security level to Medium, and the Internet Zone security level to High. This allows trusted computers to access your shared files, but blocks all other machines from accessing them. See Setting Advanced Security Options (on page 55).

Note - The client will detect your network automatically and display the New Network alert. You can use the alert to add your network subnet to the Trusted Zone.

Sharing Files and Printers Locally

Endpoint Security client enables you to quickly and easily share your computer so that the trusted computers you are networked with can access your shared resources, but Internet intruders can't use your shared resources to compromise your system.

To configure the client for secure sharing:

1. Add the network subnet (or, in a small network, the IP address of each computer you are sharing with) to your Trusted Zone. See Adding to the Trusted Zone.


2. Set the Trusted Zone security level to Medium. This allows trusted computers to access your shared files. See Choosing Security Levels (on page 54).

3. Set the Internet Zone security level to High. This makes your computer invisible to non-trusted computers. See Setting Security Level for Zones (on page 55).
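The two procedures above (making your computer visible, and sharing files securely) rest on one decision rule: the client first works out which Zone a remote address belongs to, then applies that Zone's security level. The following is an added example, not Check Point code, that models that rule in Python so you can see why adding a subnet to the Trusted Zone makes NetBIOS visible to your LAN while keeping it hidden from the Internet, and why the guide later prefers adding an ISP's heartbeat server to the Trusted Zone over lowering the Internet Zone to Medium. The Zone names, level names, service names, and the addresses used in the scenario are this example's own assumptions; the custom "Allow incoming ping" checkbox is not modelled.

```python
"""Zone-based inbound filtering, modelled after the guide's Trusted / Internet /
Blocked Zone rules.  Added example, not Check Point code; standard library only.

Model (an assumption, simplified from the guide's descriptions):
  - an address in the Blocked Zone never gets through;
  - an address in the Trusted Zone is judged by the Trusted Zone level;
  - any other address is in the Internet Zone and judged by its level;
  - High blocks all unsolicited inbound traffic (the computer is invisible),
    Medium lets it through so sharing and discovery work.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class ZonePolicy:
    trusted: List[Network] = field(default_factory=list)
    blocked: List[Network] = field(default_factory=list)
    trusted_level: str = "medium"
    internet_level: str = "high"

    def zone_of(self, ip: str) -> str:
        """Blocked Zone wins over Trusted Zone; anything unlisted is the Internet Zone."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked):
            return "blocked"
        if any(addr in net for net in self.trusted):
            return "trusted"
        return "internet"

    def allows_inbound(self, src_ip: str, service: str) -> bool:
        """Is an unsolicited inbound request for `service` from src_ip accepted?"""
        zone = self.zone_of(src_ip)
        if zone == "blocked":
            return False
        level = self.trusted_level if zone == "trusted" else self.internet_level
        if level == "high":
            return False      # stealth: no NetBIOS, no file sharing, no echo replies
        if level == "medium":
            return True       # discovery and sharing permitted for this Zone
        raise ValueError(f"unknown security level {level!r} for service {service!r}")


def add_trusted(policy: ZonePolicy, entry: str) -> None:
    """Add a subnet ("192.168.1.0/24") or a single host ("192.168.1.5") to the Trusted Zone."""
    policy.trusted.append(ipaddress.ip_network(entry, strict=False))


def demo() -> Dict[str, bool]:
    """Constructed scenario: home LAN 192.168.1.0/24 trusted, 203.0.113.0/24 blocked,
    198.51.100.0/24 standing in for the rest of the Internet."""
    policy = ZonePolicy()
    add_trusted(policy, "192.168.1.0/24")
    policy.blocked.append(ipaddress.ip_network("203.0.113.0/24"))
    out: Dict[str, bool] = {}
    # Step 1 and 2 of the procedures above: LAN neighbours see us, the Internet does not.
    out["lan_netbios"] = policy.allows_inbound("192.168.1.20", "netbios-ns")
    out["internet_netbios"] = policy.allows_inbound("198.51.100.7", "netbios-ns")
    out["blocked_netbios"] = policy.allows_inbound("203.0.113.5", "netbios-ns")
    out["internet_ping"] = policy.allows_inbound("198.51.100.9", "icmp-echo")
    # Lowering the Internet Zone to Medium answers the ISP's ping, but exposes NetBIOS too.
    policy.internet_level = "medium"
    out["ping_after_internet_medium"] = policy.allows_inbound("198.51.100.9", "icmp-echo")
    out["netbios_after_internet_medium"] = policy.allows_inbound("198.51.100.7", "netbios-ns")
    # Preferred fix: keep the Internet Zone High and trust only the ISP's heartbeat server.
    policy.internet_level = "high"
    add_trusted(policy, "198.51.100.9")
    out["isp_ping_after_trusted"] = policy.allows_inbound("198.51.100.9", "icmp-echo")
    out["internet_netbios_after_trusted"] = policy.allows_inbound("198.51.100.7", "netbios-ns")
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'allowed' if allowed else 'blocked'}")
```

The last two checks in `demo()` are the point of the model: trusting one host keeps every other Internet address at High, which is the trade-off the heartbeat section below describes when it calls the Trusted Zone approach the preferred solution.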

Resolving Slow Startup

If the client is configured to load at startup, some users connected to the LAN may find that it takes several minutes for the startup process to finish.

In most cases, this is because your computer needs access to your network's Domain Controller to complete its startup and login process, and the client is blocking access because the Controller has not been added to the Trusted Zone.

To solve this problem, add the host name or IP address of your network's Domain Controller to the Trusted Zone.

Internet Connection Troubleshooting

If you are having difficulty connecting to the Internet, refer to the table for troubleshooting tips provided in this section.

Table 13-41 Troubleshooting Internet connection problems

If you cannot connect to the Internet, see Connecting to the Internet Fails after Installation (on page 135).

If you can connect to the Internet but are disconnected after a short time, see Allowing ISP Heartbeat Messages (on page 136).

If your computer is an Internet Connection Sharing (ICS) client and you can't connect to the Internet, see Connecting Through an ICS Client (on page 136).

If your computer uses a proxy server to connect to the Internet and you can't connect to the Internet, see Connecting Through a Proxy Server.

Connecting to the Internet Fails after Installation

If you are unable to connect to the Internet after installing Endpoint Security client, the first troubleshooting step is to determine whether Endpoint Security client is the cause. If you are unable to follow the steps below, for example, if you can't clear the Load Endpoint Security at startup box, contact Check Point technical support.

To determine if Endpoint Security client is the cause of connection problems:

1. Open Overview | Preferences.

2. In the General area, clear the checkbox Load Check Point Endpoint Security at startup.

A warning window labeled Check Point TrueVector Service opens.

3. Click Yes.

4. Restart your computer, then try to connect to the Internet.


If you can connect: Your Endpoint Security client settings may be the cause of your connection problems. Make sure that your browser has access permission.

If you cannot connect: Your Endpoint Security client settings are not the cause of your connection problems.

Allowing ISP Heartbeat Messages

Internet Service Providers (ISPs) periodically send heartbeat messages to their connected dial-up customers to make sure they are still there. If the ISP cannot determine that the customer is there, it might disconnect the customer so that the user's IP address can be given to someone else.

By default, Endpoint Security client blocks the protocols most commonly used for these heartbeat messages, which may cause you to be disconnected from the Internet. To prevent this from happening, you can identify the server sending the messages and add it to your Trusted Zone or you can configure the Internet Zone to allow ping messages.

Identifying the Source of the Heartbeat Messages

This is the preferred solution because it will work whether your ISP uses NetBIOS or ICMP (Internet Control Message Protocol) (see "ICMP" on page 141) to check your connection, and it allows you to maintain high security for the Internet Zone.

To identify the server your ISP uses to check your connection:

1. When your ISP disconnects you, click Alerts & Logs | Log Viewer.

2. In the alerts list, find the alert that occurred at the time you were disconnected.

3. In the Entry Detail area, note the Source DNS detected.

If you are not able to identify the server this way, contact your ISP to determine which servers need access permission.

4. After you have identified the server, add it to the Trusted Zone.

See Adding to the Trusted Zone.
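Steps 1 to 3 above are a manual log search: find the blocked inbound entries clustered just before the disconnect and read off their source. The following is an added example, not Check Point code, that does the same search over a constructed log in Python. The CSV field names and the sample entries are this example's own assumptions, not the Log Viewer's export format; the timestamp of the disconnect and the host names are made up. The check a practitioner wants is also included: a source is only recommended for the Trusted Zone if it probed repeatedly, because a single blocked packet from an unknown host is far more likely to be a scan than an ISP heartbeat.

```python
"""Find the ISP heartbeat source in a firewall log, as the procedure above does by hand.
Added example, not Check Point code; standard library only.  The log format and
all entries below are constructed for this example."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log: one record per blocked packet.  The dest_port field is
# empty for ICMP.  Addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
time,protocol,source_ip,source_dns,dest_port,direction,action
2010-04-14 09:58:02,ICMP echo,198.51.100.9,keepalive.example-isp.net,,incoming,blocked
2010-04-14 09:59:31,TCP,203.0.113.77,,445,incoming,blocked
2010-04-14 10:00:14,ICMP echo,198.51.100.9,keepalive.example-isp.net,,incoming,blocked
2010-04-14 10:01:40,UDP,203.0.113.12,,137,incoming,blocked
2010-04-14 10:02:19,ICMP echo,198.51.100.9,keepalive.example-isp.net,,incoming,blocked
2010-04-14 10:30:00,TCP,198.51.100.50,,80,incoming,blocked
"""


def is_heartbeat_like(row: Dict[str, str]) -> bool:
    """ICMP echo, or a NetBIOS name-service probe (UDP 137): the two check types the guide names."""
    if row["protocol"] == "ICMP echo":
        return True
    return row["protocol"] == "UDP" and row["dest_port"] == "137"


def heartbeat_candidates(log_text: str, disconnect_at: str, window_minutes: int = 5) -> Counter:
    """Count blocked, inbound, heartbeat-like probes per source (DNS name if logged, else IP)
    in the window ending at the moment the ISP dropped the connection."""
    end = datetime.strptime(disconnect_at, TIME_FMT)
    start = end - timedelta(minutes=window_minutes)
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["time"], TIME_FMT)
        if not (start <= when <= end):
            continue
        if row["direction"] != "incoming" or row["action"] != "blocked":
            continue
        if not is_heartbeat_like(row):
            continue
        counts[row["source_dns"] or row["source_ip"]] += 1
    return counts


def recommend_trusted(counts: Counter, min_hits: int = 2) -> List[str]:
    """Only sources seen repeatedly in the window qualify; a one-off probe is more likely a scan."""
    return [source for source, hits in counts.most_common() if hits >= min_hits]


def demo() -> List[str]:
    """The constructed log, with the disconnect observed at 10:02:30."""
    return recommend_trusted(heartbeat_candidates(SAMPLE_LOG, "2010-04-14 10:02:30"))


if __name__ == "__main__":
    for source in demo():
        print("add to Trusted Zone:", source)
```

With the sample log, `recommend_trusted` returns only the ISP's keepalive host: the single NetBIOS probe from 203.0.113.12 is in the window but falls under `min_hits`, and the SMB probe on port 445 is excluded because it is not a heartbeat protocol at all. Step 4 of the procedure (adding the identified host to the Trusted Zone) is then done in the client as described.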

Configuring Endpoint Security Client to Allow Ping Messages

If your ISP uses ICMP echo (or ping) messages for connectivity checks, configure the client to allow ping messages from the Internet Zone.

To configure the client to allow ping messages:

1. Open Firewall | Main.

2. In the Internet Zone area, click Custom.

3. Select the Allow incoming ping (ICMP echo) checkbox.

4. Click OK.

5. Set the security level for the Internet Zone to Medium.

See Choosing Security Levels (on page 54).

Connecting Through an ICS Client

If you are using Windows' Internet Connection Sharing (ICS) option, or a third-party connection sharing program, and you are unable to connect to the Internet, make sure that Endpoint Security client is properly configured for the client and gateway machines. See Enabling Internet Connection Sharing (on page 54).

Do not configure the client for Internet Connection Sharing if you use hardware such as a server or router, rather than a host PC.


Connecting Through a Proxy Server

If you connect to the Internet through a proxy server and you are unable to connect to the Internet, make sure that the IP address of your proxy server is in your Trusted Zone. See Adding to the Trusted Zone.


Glossary of Terms

Symbols & Numeric

1394

A very fast external bus standard that supports data transfer rates of up to 400Mbps (in 1394a) and 800Mbps (in 1394b). Products supporting the 1394 standard go under different names, depending on the company. Apple, which originally developed the technology, uses the trademarked name FireWire.

A

Access Permission

Access permission allows a program on your computer to initiate communications with another computer. This is distinct from server permission, which allows a program to "listen" for connection requests from other computers. You can give a program access permission for the Trusted Zone, the Internet Zone, or both.

Act as a Server

A program acts as a server when it "listens" for connection requests from other computers. Several common types of applications, such as chat programs, e-mail clients, and Internet Call Waiting programs, may need to act as servers to operate properly. However, some hacker programs act as servers to listen for instructions from their creators. The client prevents programs on your computer from acting as servers unless you grant server permission.

ActiveX Controls

ActiveX controls (developed by Microsoft) are a set of elements, such as checkboxes or buttons, that offer options to users or run macros or scripts that automate a task.

Ad Blocking

A client feature that enables you to block banner, pop-up and other types of advertisements.

Advanced Program Control

Advanced Program Control is an advanced security feature that tightens your security by preventing unknown programs from using trusted programs to access the Internet.

Alert Advisor

Check Point AlertAdvisor is an online utility that enables you to instantly analyze the possible causes of an alert, and helps you decide whether to respond Yes or No to a Program alert. To use AlertAdvisor, click the More Info button in an alert pop-up. The client sends information about your alert to AlertAdvisor. AlertAdvisor returns an article that explains the alert and gives you advice on what, if anything, you need to do to ensure your security.

Animated Ad

An advertisement that incorporates moving images.

B

Banner Ad

An ad that appears in a horizontal banner across a Web page.

Blocked Zone

The Blocked Zone contains computers you want no contact with. The client prevents any communication between your computer and the machines in this Zone.

C

Cache Cleaner

Privacy feature that enables you to remove unwanted files and cookies from your computer on demand, or on a scheduled basis.

Challenge Response

Challenge-response is an authentication protocol in which one party presents a question (the challenge) and another party provides an answer (the response). For authentication to take place, a valid answer must be provided to the question. Security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user presents to log in.
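The definition above describes the shape of the exchange; what makes it an authentication protocol is that the secret never crosses the wire, that each challenge is fresh, and that the verifier compares answers in a way that does not leak timing. The following is an added example, not Check Point code and not a description of any smart card product, that implements the exchange in Python with an HMAC over a random nonce as the response function. Both sides of the exchange are shown, together with the three failures a verifier must reject: a response computed with the wrong secret, a replayed response, and a response to a stale challenge. The user names, the choice of HMAC-SHA256 and the 16-byte nonce are this example's own assumptions.

```python
"""Challenge-response authentication with an HMAC over a one-time nonce.
Added example, not Check Point code; standard library only."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Verifier:
    """The authenticating side: issues single-use challenges and checks the responses."""

    def __init__(self, keys_by_user: Dict[str, bytes]) -> None:
        self._keys = dict(keys_by_user)           # shared secrets, one per user
        self._outstanding: Dict[str, bytes] = {}  # the challenge each user must answer next

    def challenge(self, user: str) -> bytes:
        """Issue a fresh random challenge; any earlier unanswered challenge is superseded."""
        nonce = secrets.token_bytes(16)
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Accept only the correct answer to the currently outstanding challenge, once."""
        nonce: Optional[bytes] = self._outstanding.pop(user, None)  # consumed on first use
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Token:
    """The card / key-fob side: holds the secret and answers challenges; the secret never leaves it."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_exchange() -> Dict[str, bool]:
    """Play the protocol once correctly and then under each attack the verifier must reject."""
    key = secrets.token_bytes(32)
    verifier = Verifier({"alice": key})
    genuine = Token(key)
    impostor = Token(secrets.token_bytes(32))   # does not know alice's secret
    results: Dict[str, bool] = {}

    # 1. Genuine exchange: challenge -> response -> accept.
    c1 = verifier.challenge("alice")
    r1 = genuine.respond(c1)
    results["genuine"] = verifier.verify("alice", r1)

    # 2. Replay: the same captured response is presented again with no new challenge.
    results["replay"] = verifier.verify("alice", r1)

    # 3. Wrong secret: a valid challenge answered by a token with a different key.
    c2 = verifier.challenge("alice")
    results["wrong_key"] = verifier.verify("alice", impostor.respond(c2))

    # 4. Stale: a new challenge was issued, but the answer is for the previous one.
    verifier.challenge("alice")
    results["stale"] = verifier.verify("alice", genuine.respond(c2))

    # 5. Unknown user: a challenge is issued, but there is no secret to check against.
    c3 = verifier.challenge("bob")
    results["unknown_user"] = verifier.verify("bob", genuine.respond(c3))
    return results


if __name__ == "__main__":
    for case, ok in run_exchange().items():
        print(f"{case:12s} {'accepted' if ok else 'rejected'}")
```

The single-use `pop` in `verify` is what defeats replay; the fresh `secrets.token_bytes` nonce is what makes a captured response worthless against a later challenge; and `hmac.compare_digest` keeps the comparison from leaking how many bytes of the response were right.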

Component

A small program or set of functions that larger programs call on to perform specific tasks. Some components may be used by several different programs simultaneously. Windows operating systems provide many component DLLs for use by a variety of Windows applications.

Component Learning Mode

The period after installation when program control is set to Medium. When in component learning mode, the client can quickly learn the MD5 signatures of many frequently used components without interrupting your work with multiple alerts.


Cookie

A small data file used by a Web site to customize content, remember you from one visit to the next, and/or track your Internet activity. While there are many benign uses of cookies, some cookies can be used to divulge information about you without your consent.

Cookie Control

Privacy feature that allows you to prevent cookies from being stored on your computer.

D

DHCP

Dynamic Host Configuration Protocol

A protocol used to support dynamic IP addressing. Rather than giving you a static IP address, your ISP may assign a different IP address to you each time you log on. This allows the provider to serve a large number of customers with a relatively small number of IP addresses.

DHCP Broadcast/Multicast

A type of message used by a client computer on a network that uses dynamic IP addressing. When the computer comes online, if it needs an IP address, it issues a broadcast message to any DHCP servers which are on the network. When a DHCP server receives the broadcast, it assigns an IP address to the computer.

Dial-Up Connection

Connection to the Internet using a modem and an analog telephone line. The modem connects to the Internet by dialing a telephone number at the Internet Service Provider's site. This is in distinction to other connection methods, such as Digital Subscriber Lines, which do not use analog modems and do not dial telephone numbers.

DLL

Dynamic Link Library

A library of functions that can be accessed dynamically (that is, as needed) by a Windows application.

DNS

Domain Name Server

A data query service generally used on the Internet for translating host names or domain names (like www.yoursite.com) into Internet addresses (like 123.456.789.0).

E

Embedded Object

An object such as a sound file or an image file that is embedded in a Web page.

Endpoint Security On Demand

In addition to providing an effective endpoint compliance check (for required software updates, anti-virus signatures, etc.) when connecting, the Endpoint Security On Demand scanner also screens endpoint computers for potentially harmful software before allowing access to the internal network. Access is granted or denied to the end user based on the compliance options set by the security gateway administrator.

Endpoint Security Server

An Endpoint Security system by Check Point that enables system administrators to manage computer security from a single location. Administrators create security Policies, then deploy them to the Endpoint Security client applications running on their users' computers.

Enterprise Policy

A collection of security settings (firewall, program control, e-mail protection, and so forth) designed by a network administrator and delivered to the client by uploading from Endpoint Security Server. The endpoint user cannot change the enterprise policy.

G

Gateway

In networking, a combination of hardware and software that links two different types of networks. For example, if you are on a home or business Local Area Network (LAN), a gateway enables the computers on your network to communicate with the Internet.

H

Heartbeat Messages

Messages sent by an Internet Service Provider (ISP) to make sure that a dial-up connection is still in use. If it appears a customer is not there, the ISP might disconnect her so that her IP address can be given to someone else.

High-Rated Alerts

An alert that is likely to have been caused by hacker activity. High-rated Firewall alerts display a red band at the top of the alert pop-up. In the Log Viewer, you can see if an alert was high-rated by looking in the Rating column.

HTTP Referrer Header Field

An optional field in the message that opens a Web page, containing information about the "referring document." Properly used, this field helps Web masters administer their sites. Improperly used, it can divulge your IP address, your workstation name, login name, or even (in a poorly-implemented e-commerce site) your credit card number. By selecting Remove Private Header information in the Cookies tab, you prevent this header field from transferring any information about you.

I

ICMP

Internet Control Message Protocol

An extension of the Internet Protocol that supports error control and informational messages. The "ping" message is a common ICMP message used to test an Internet connection.

ICS

Internet Connection Sharing

ICS is a service provided by the Windows operating system that enables networked computers to share a single connection to the Internet.

IKE

Internet Key Exchange, a method used in the IPSec protocol for:

Authenticating users

Negotiating an encryption method

Exchanging a secret key used for data encryption

Index.dat

Index.dat files keep copies of everything that was in your Temporary Internet, Cookies, and History folders even AFTER these files have been deleted.

Information Alerts

The type of alerts that appear when the client blocks a communication that did not match your security settings. Informational alerts do not require a response from you.

Internet Zone

The Internet Zone contains all the computers in the world—except those you have added to the Trusted Zone or Blocked Zone.

The client applies the strictest security to the Internet Zone, keeping you safe from hackers. Meanwhile, the medium security settings of the Trusted Zone enable you to communicate easily with the computers or networks you know and trust—for example, your home network PCs, or your business network.

IP Address

The number that identifies your computer on the Internet, as a telephone number identifies your phone on a telephone network. It is a numeric address, usually displayed as four numbers between 0 and 255, separated by periods. For example, 172.16.100.100 could be an IP address.

Your IP address may always be the same. However, your Internet Service Provider (ISP) may use Dynamic Host Configuration Protocol (DHCP) to assign your computer a different IP address each time you connect to the Internet.

IPSec

A security protocol for authentication and encryption over the Internet.

ISP

Internet Service Provider

A company that provides access to the Internet. ISPs provide many kinds of Internet connections to consumers and business, including dial-up (connection over a regular telephone line with a modem), high-speed Digital Subscriber Lines (DSL), and cable modem.

J

Java Applet

A Java applet is a small Internet-based program written in Java, which is usually embedded in an HTML page, and which can be executed within a Web browser.

JavaScript

A popular scripting language that enables some of the most common interactive content on Web sites. Some of the most frequently used JavaScript functions include Back and History links, changing images on mouse-over, and opening and closing browser windows. The default settings allow JavaScript because it is so common and because most of its uses are harmless.

K

Key Fobs

A small hardware device with built-in authentication mechanisms that control access to network services and information is known as a key fob. While a password can be stolen without the owner's knowledge, a missing key fob is immediately apparent. Key fobs provide the same two-factor authentication as other SecurID devices: the user has a personal identification number (PIN), which authenticates them as the device's owner; after the user correctly enters their PIN, the device displays a number which allows them to log on to the network. The SecurID SID700 Key Fob is a typical example of such a device.


M

Mail Server

The remote computer from which the e-mail program on your computer retrieves e-mail messages sent to you.

MD5 Signature

A digital "fingerprint" used to verify the integrity of a file. If a file has been changed in any way (for example, if a program has been compromised by a hacker), its MD5 signature will change as well.
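The MD5 Signature and Component Learning Mode entries, and the Program Component alert section earlier in this guide, all describe the same mechanism: record a digest of each component when it is first seen, and raise an alert later when a component is new or its digest no longer matches. The following is an added example, not Check Point code, that implements that learn-then-check cycle in Python over constructed sample files. The file names, the directory layout and the "patch" applied to one component are this example's own assumptions. The digest algorithm is a parameter because MD5, while adequate for spotting an accidental change, is no longer collision-resistant; a deliberate attacker can craft two files with the same MD5, so a modern implementation would use SHA-256 for the same purpose.

```python
"""Learn component digests, then classify loaded components as known / changed / new.
Added example, not Check Point code; standard library only."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def file_digest(path: str, algorithm: str = "md5") -> str:
    """Hex digest of a file, read in chunks so a large DLL need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _key(path: str) -> str:
    """Normalise the path so the same component is not learned twice under two spellings."""
    return os.path.normcase(os.path.abspath(path))


def learn_components(paths: Iterable[str], algorithm: str = "md5") -> Dict[str, str]:
    """Learning mode: silently record a digest for every component currently loaded."""
    return {_key(p): file_digest(p, algorithm) for p in paths}


def check_components(paths: Iterable[str], store: Dict[str, str],
                     algorithm: str = "md5") -> List[Tuple[str, str]]:
    """Authentication mode: compare each loaded component with the learned store.
    "known" needs no alert; "changed" and "new" are what a Component alert reports."""
    results: List[Tuple[str, str]] = []
    for p in paths:
        key = _key(p)
        digest = file_digest(p, algorithm)
        if key not in store:
            results.append((key, "new"))
        elif store[key] != digest:
            results.append((key, "changed"))
        else:
            results.append((key, "known"))
    return results


def demo(algorithm: str = "md5") -> Dict[str, str]:
    """Constructed scenario: learn three components, then modify one and add a fourth."""
    with tempfile.TemporaryDirectory() as d:
        names = ["netapi.dll", "urlmon.dll", "wininet.dll"]   # made-up component names
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"MZ sample component " + os.path.basename(p).encode())
        store = learn_components(paths, algorithm)

        with open(paths[1], "ab") as f:          # an update (or tampering) of one component
            f.write(b" patched")
        extra = os.path.join(d, "newlib.dll")     # a component never seen before
        with open(extra, "wb") as f:
            f.write(b"MZ brand new")

        results = check_components(paths + [extra], store, algorithm)
        return {os.path.basename(key): status for key, status in results}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

Run with `demo("sha256")` to see that the classification is identical under a stronger digest; only the stored fingerprint length changes, which is why the algorithm choice is a deployment decision rather than a change to the learning logic.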

Medium-rated Alert

An alert that was probably caused by harmless network activity, rather than by a hacker attack.

MIME-type integrated object

An object such as an image, sound file, or video file that is integrated into an e-mail message. MIME stands for Multipurpose Internet Mail Extensions.

Mobile Code

Executable content that can be embedded in Web pages or HTML e-mail. Mobile code helps make Web sites interactive, but malicious mobile code can be used to modify or steal data, and for other malevolent purposes.

Mobile-Code Control

A client feature that enables you to block active controls and scripts on the Web sites you visit. While mobile code is common on the Internet and has many benign uses, hackers can sometimes use it for malevolent purposes.

N

NetBIOS

Network Basic Input/Output System

A program that allows applications on different computers to communicate within a local network. By default, the client allows NetBIOS traffic in the Trusted Zone, but blocks it in the Internet Zone. This enables file sharing on local networks, while protecting you from NetBIOS vulnerabilities on the Internet.

P

Packet

A single unit of network traffic. On "packet-switched" networks like the Internet, outgoing messages are divided into small units, sent and routed to their destinations, then reassembled on the other end. Each packet includes the IP address of the sender, and the destination IP address and port number.

Persistent Cookie

A cookie put on your hard drive by a Web site you visit. These cookies can be retrieved by the Web site the next time you visit. While useful, they create a vulnerability by storing information about you, your computer, or your Internet use in a text file.

Personal Policy

Your personal policy comprises all the security settings you can control through the client interface. For example, if you use the Zones tab to add a server to the Trusted Zone, that configuration becomes part of your personal policy.

Personal Store

A certificate container on your computer (in contrast to a certificate on a token). It is not available before you have gained access to the operating system.

Ping

A type of ICMP message (formally "ICMP echo") used to determine whether a specific computer is connected to the Internet. A small utility program sends a simple "echo request" message to the destination IP address, and then waits for a response. If a computer at that address receives the message, it sends an "echo" back. Some Internet providers regularly "ping" their customers to see if they are still connected.

Pop-under Ad

An ad that appears in a new browser window that opens under the window you are looking at, so you don't see the ad until you close the original browser window.

Pop-up Ad

An ad that appears in a new browser window that 'pops up' in front of the window you are looking at.

Port

A numbered endpoint used by TCP and UDP to distinguish services and connections on one IP address. Some ports are associated by convention with standard protocols; for example, HTTP (Hypertext Transfer Protocol) is traditionally addressed to TCP port 80. Port numbers range from 0 to 65535. A port on which a program is listening is what a port scan detects.

Port Scan

A technique attackers use to find exposed services on the Internet. Using automated tools, the attacker systematically probes the ports on every computer in a range of IP addresses, looking for "open" ports, that is, ports on which a program is listening. An open port is not a break-in by itself, but it tells the attacker which service is reachable; if that service is misconfigured, unpatched, or protected by a weak password, the attacker can use it as an entry point. Stealth Mode makes probed ports appear filtered rather than open or closed.


Privacy Advisor

A small display that shows you when the client blocks cookies or mobile code, and enables you to un-block those elements for a particular page.

Private Header

The information your browser sends, in the HTTP Referer request header, about the page you came from. When you reach a site by clicking a link on another site, this header tells the new site the full URL of the page that contained the link. If a site builds that URL carelessly, for example by submitting a form with the GET method so that the fields appear in the URL's query string, the Referer header passes information you entered in the form (a Social Security number, credit card number, and so on) to every site you visit from that page.
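The leak described above, as an added example that is not part of the Check Point guide: the Python function below computes what a browser puts in the Referer header when a link on one page is followed to another, for several Referrer-Policy values. The "no-referrer-when-downgrade" behaviour is what browsers did when this guide was written (the full URL, query string included); "strict-origin-when-cross-origin" is the current browser default. The benefits.example and ads.example.net hosts and the ssn field are constructed sample data.

```python
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the Check Point guide. Host names and form
# fields below are constructed sample data.


def referer_for(source_url: str, target_url: str,
                policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Return the Referer value a browser sends when a link on source_url is
    followed to target_url under the given Referrer-Policy, or None when no
    Referer is sent at all.  The URL fragment is never sent."""
    src, dst = urlsplit(source_url), urlsplit(target_url)
    full_url = src._replace(fragment="").geturl()
    origin = f"{src.scheme}://{src.netloc}/"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url
    if policy == "origin":
        return origin
    if policy == "no-referrer-when-downgrade":        # older browser default
        return None if downgrade else full_url
    if policy == "strict-origin-when-cross-origin":   # current browser default
        if downgrade:
            return None
        return full_url if same_origin else origin
    raise ValueError(f"unsupported policy: {policy}")


def leaked_fields(referer: Optional[str]) -> Dict[str, str]:
    """What the receiving site learns from the query string of a Referer."""
    if referer is None:
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(referer).query).items()}


# A form submitted with GET puts every field into the page URL ...
FORM_PAGE = "https://benefits.example/apply?ssn=123-45-6789&name=Jane"
# ... and that page carries a link or ad image served by a third party.
TRACKER = "https://ads.example.net/track"


def demo() -> Dict[str, Dict[str, str]]:
    """Compare what the tracker learns under each policy."""
    return {
        policy: leaked_fields(referer_for(FORM_PAGE, TRACKER, policy))
        for policy in ("no-referrer-when-downgrade",
                       "strict-origin-when-cross-origin", "no-referrer")
    }


if __name__ == "__main__":
    for policy, fields in demo().items():
        print(f"{policy:35s} -> {fields}")
```

Under the older policy the tracker receives the Social Security number; under the current default it receives only "https://benefits.example/". A Referrer-Policy header only limits what a compliant browser reveals, so the real fix is to keep sensitive fields out of the URL altogether by submitting the form with POST.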

Programs List

The list of programs to which you can assign Internet access and server permissions. The list is shown in the Programs tab of the Program Control panel. You can add programs to the list, or remove programs from it.

Protocol

A standardized format for sending and receiving data. Different protocols serve different purposes; for example, SMTP (Simple Mail Transfer Protocol) is used to send e-mail messages, while FTP (File Transfer Protocol) is used to transfer files. Each application protocol has a conventional default port; for example, FTP control connections are addressed to TCP port 21 and SMTP to TCP port 25, although a server can be configured to listen on a different port.

Public Network

A large network, such as that associated with an ISP. Public networks are placed in the Internet Zone by default.

Q

Quarantine

MailSafe quarantines incoming e-mail attachments whose filename extensions (for example, .EXE or .BAT) indicate executable content. Quarantining changes the filename extension so that the attachment cannot be launched simply by opening it; you must deliberately inspect and release it first. This helps protect you from worms, viruses, and other malware that attackers distribute as e-mail attachments. The check is based on the extension alone, so the file contents are not altered, and restoring the original extension restores the risk.

R

Remote Access Community

A Remote Access Community is a type of VPN community created specifically for users who usually work from remote locations outside the corporate LAN.

Remote Access VPN

Refers to remote users accessing the network with client software, for example Endpoint Connect. The Connectra Gateway provides a Remote Access Service for remote clients.

S

Script

A series of commands embedded in a Web page that execute automatically in the browser, without the user intervening. Scripts commonly drive rotating banners, menus that change when you move your mouse over them, and popup ads.

SecurID

The RSA SecurID authentication mechanism consists of either hardware (a key fob or USB token) or software (softID) that generates a new authentication code at fixed intervals (usually one minute) from a built-in clock and a secret seed value provisioned into the token.

The most common form of SecurID token is a hand-held device, usually a key fob or slim card. A token with a PIN pad lets the user enter a Personal Identification Number (PIN) on the device, which then generates the passcode. A token without a PIN pad displays only a tokencode, the changing number shown on the device; the user forms the passcode by entering the PIN followed by the tokencode.

Security Levels

The High, Medium, and Low settings that dictate the type of traffic allowed into or out of your computer.

Server Permission

Server permission allows a program on your computer to "listen" for connection requests from other computers, in effect giving those computers the power to initiate communications with yours. This is distinct from access permission, which allows a program to initiate a communications session with another computer. Several common types of applications, such as chat programs, e-mail clients, and Internet Call Waiting programs, may need server permission to operate properly. Grant server permission only to programs you are sure you trust, and that require it in order to work. If possible, avoid granting a program server permission for the Internet Zone. If you need to accept incoming connections from only a small number of machines, add those machines to the Trusted Zone, and then allow the program server permission for the Trusted Zone only.

Session Cookie

A cookie held only in your browser's memory and discarded when you close the browser. Because it never reaches the disk and has a short life-span, it is the lowest-risk kind of cookie, although it can still be stolen while the session is open, for example by a script running on a page of the same site.


Skyscraper Ad

An ad that appears in a vertical column along the side of a Web page.

SoftID

SoftID works the same way as a hardware passcode device but consists only of software installed on the desktop.

The Advanced view displays the tokencode and passcode with COPY buttons, so the user can copy and paste them from softID into the client.

Stealth Mode

When the client puts your computer in stealth mode, uninvited traffic receives no response at all, not even the "connection refused" or ICMP unreachable reply that would acknowledge that a computer exists at the address. To a port scanner the probed ports appear filtered rather than open or closed, so your computer is effectively invisible to other computers on the Internet until a permitted program on your computer initiates contact.
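The three outcomes a scanner distinguishes (the Port Scan and Stealth Mode entries above), as an added example that is not part of the Check Point guide: a small TCP connect scanner that classifies each port as open, closed, filtered or unreachable. It demonstrates only against 127.0.0.1, using a listening socket it opens itself for the "open" case and an unused loopback port for the "closed" case; a host in stealth mode would produce the "filtered" result, which is also the label Nmap uses for a port that gives no answer. Point it at other hosts only with permission.

```python
import errno
import socket
from typing import Dict, Iterable, Tuple

# Added example, not part of the Check Point guide.  demo() probes only
# 127.0.0.1 and ports this script opens itself.


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect() scanner does.

    open        - a program is listening (three-way handshake completed)
    closed      - the host answered with a TCP RST (connection refused)
    filtered    - no answer at all before the timeout; this is what a
                  host in stealth mode produces
    unreachable - the local network stack could not route to the host
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"
            return f"error:{exc.errno}"


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Sequential connect scan of the given ports on one host."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def start_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port (an 'open' port).
    The caller must close the returned socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Pick a loopback port on which nothing listens (a 'closed' port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo() -> Dict[int, str]:
    """Scan one open and one closed loopback port and return the results."""
    srv, open_port = start_listener()
    try:
        return scan("127.0.0.1", [open_port, free_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"127.0.0.1:{port} {state}")
```

A host that answers "closed" still confirms it exists and can be enumerated; stealth mode removes that confirmation by giving no answer, which is why a scanner cannot tell a stealthed host from an unused address without other evidence.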

T

TCP

Transmission Control Protocol

One of the main protocols in TCP/IP networks. TCP establishes a connection before data is sent and uses acknowledgements and retransmission to provide reliable delivery, so that data arrives intact and in the same order in which it was sent, or the connection reports a failure.

Third Party Cookie

A persistent cookie that is placed on your computer not by the Web site you are visiting but by an advertiser or other 'third party' whose content the page embeds. Because the same third party can set and read its cookie from many different sites, these cookies are commonly used to build a record of your Internet activity across those sites and deliver it to that third party.
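The distinctions drawn in the Persistent Cookie, Session Cookie and Third Party Cookie entries, as an added example that is not part of the Check Point guide: a parser for Set-Cookie response headers that decides whether a cookie is session or persistent (from the Max-Age and Expires attributes) and first- or third-party (from which host sent it relative to the page being viewed), and lists the warnings a privacy advisor would show. The www.shop.example and cdn.ads.example.net hosts and the sample headers are constructed; the _site() helper is a deliberate simplification that takes the last two labels of a host name where real browsers consult the Public Suffix List.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Added example, not part of the Check Point guide.  Host names and
# Set-Cookie headers used in demo() are constructed sample data.


@dataclass
class CookieInfo:
    name: str
    value: str
    kind: str            # "session", "persistent" or "deletion"
    party: str           # "first" or "third"
    domain: str          # host (or Domain attribute) the cookie is returned to
    secure: bool
    http_only: bool
    expires: Optional[datetime]


def _site(host: str) -> str:
    """Registrable domain, simplified to the last two labels.  Assumption:
    real browsers use the Public Suffix List, which also handles e.g. co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def parse_set_cookie(header: str, response_host: str, page_host: str,
                     now: Optional[datetime] = None) -> CookieInfo:
    """Classify one Set-Cookie header.  response_host is the server that sent
    it; page_host is the site shown in the browser's address bar."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name:
        raise ValueError(f"malformed Set-Cookie: {header!r}")

    attrs = {}                                   # attribute names are case-insensitive
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    expires: Optional[datetime] = None
    if "max-age" in attrs:                       # Max-Age takes precedence over Expires
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)

    if expires is None:
        kind = "session"                         # lives in memory only
    elif expires <= now:
        kind = "deletion"                        # server is removing the cookie
    else:
        kind = "persistent"                      # written to disk until expiry

    domain = attrs.get("domain", "").lstrip(".").lower() or response_host.lower()
    party = "first" if _site(response_host) == _site(page_host) else "third"
    return CookieInfo(name, value, kind, party, domain,
                      "secure" in attrs, "httponly" in attrs, expires)


def risk_notes(c: CookieInfo) -> List[str]:
    """Plain-language warnings a privacy advisor would show for a cookie."""
    notes = []
    if c.kind == "persistent":
        notes.append(f"stored on disk until {c.expires.date()}")
    if c.party == "third":
        notes.append(f"set by {c.domain}, not by the site you are visiting")
    if not c.secure:
        notes.append("sent over plain HTTP too")
    if not c.http_only:
        notes.append("readable by scripts on the page")
    return notes


PAGE = "www.shop.example"
SAMPLE = [   # (responding host, Set-Cookie header): constructed sample data
    (PAGE, "sid=abc123; Path=/; Secure; HttpOnly"),
    (PAGE, "prefs=dark; Max-Age=2592000"),
    ("cdn.ads.example.net",
     "uid=42; Expires=Thu, 31 Dec 2099 23:59:59 GMT; Domain=.ads.example.net"),
    (PAGE, "promo=; Max-Age=0"),
]


def demo() -> List[CookieInfo]:
    return [parse_set_cookie(header, host, PAGE) for host, header in SAMPLE]


if __name__ == "__main__":
    for c in demo():
        print(f"{c.name:6s} {c.kind:10s} {c.party:6s} {risk_notes(c)}")
```

The session cookie with Secure and HttpOnly produces no warnings; the advertiser's cookie is persistent, third-party, unprotected and readable by script, which is the combination the Privacy Advisor exists to flag.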

Trojan Horse

A malicious program that masquerades as something useful or harmless, such as a screen saver. Some Trojan horses set themselves up as servers on your computer, listening for connections from the outside; if an attacker succeeds in contacting the program, the attacker can effectively take control of your computer. This is why it is important to give server permission only to programs you know and trust. Other Trojan horses instead contact a remote address automatically, which is why outbound access permission deserves the same care.

TrueVector Security Engine

The primary component of the client's security. The TrueVector engine examines Internet traffic and enforces the security rules.

Trusted Zone

The Trusted Zone contains computers you trust and want to share resources with.

For example, if you have three home PCs linked together in an Ethernet network, you can put each individual computer, or the entire subnet your network adapter is on, in the Trusted Zone. The Trusted Zone's default Medium security setting lets you safely share files, printers, and other resources over the home network, while everything else remains in the Internet Zone, where the High security setting blocks unsolicited access.

U

UDP

User Datagram Protocol

A connectionless protocol that runs on top of IP. UDP sends individual datagrams without establishing a connection, acknowledging receipt, or retransmitting lost data, so it carries no delivery or ordering guarantees. It is used for broadcast and multicast traffic and for services such as DNS, DHCP, and streaming media, where low overhead matters more than reliability.

V

Visitor Mode

A Check Point remote access VPN mode that tunnels all client-to-gateway communication over a regular TCP connection on port 443, the port used by HTTPS. Visitor Mode keeps the VPN working through firewalls and proxy servers that are configured to block IPsec packets.

VPN

Virtual Private Network

A VPN is a network that provides secure, private access to a LAN (such as your organization's network) over public infrastructure (such as the Internet) by encrypting the traffic and tunneling it through protocols such as IPsec.

W

Web Bug

An image file, often 1x1 pixel, embedded in a Web page or HTML e-mail to monitor who views it. Because your browser or mail client must request the image from the tracker's server, that request (together with its cookies and any identifiers in the image URL) records that you viewed the page, e-mail, or advertisement containing it.

Index

1

1394 • 139

A

About Alerts • 118
About Encrypted Packages • 101
About Event Logging • 119
About Passwords and Keys • 93
Access Permission • 139
Accessing Encrypted Media • 88
Accessing Encrypted Media from non-Media Encryption Computers • 89
Accessing File Encryption for the First Time • 93
Accessing Options • 97
Accessing Protected Information • 109
Accessing Protected Information Stored Locally • 100
Act as a Server • 139
ActiveX Controls • 139
Ad Blocking • 139
Adding Custom Ports • 59
Adding Files and Folders • 110
Adding Programs to the Programs List • 66
Advanced Configuration Options in Endpoint Connect • 46
Advanced Configuration Options in the Legacy Client • 35
Advanced Options • 16
Advanced Program Alerts • 130
Advanced Program Control • 67, 139
Alert Advisor • 139
Alert Reference • 124
Alerts & Logs • 10
Alerts and Logs • 118
Allowing ISP Heartbeat Messages • 136
Allowing Others to Use Programs • 68
Allowing VPN Protocols • 60
Alternative Ways of Connecting • 43
Animated Ad • 139
Anti-malware • 9, 12
Archiving Log Entries • 122
Authenticating for the First Time • 72
Authenticating to and Logging Off from File Encryption • 95
Authenticating to Full Disk Encryption • 72
Authenticating with a Certificate • 95
Authenticating with a Password • 96
Authentication in Endpoint Connect • 37
Authentication in the Legacy VPN Client • 23
Authorizing Removable Media • 90
Auto Local Logon • 33
Auto-Connect • 33
Automatic Certificate Renewal • 41
Automatic VPN Detection Delay • 134

B

Banner Ad • 139
Before You Start • 92
Blocked Program Alerts • 125
Blocked Zone • 139
Blocking and Unblocking Ports • 58
Blue • 50
Blue Warning Alerts • 51

C

Cache Cleaner • 139
Cached Passwords • 85
CD/DVDs • 108
Certificate Enrollment and Renewal • 40
Certificate Renewal • 41
Challenge Response • 40, 139
Changed Program Alerts • 128
Changing Authentication Credentials • 79
Changing Authentication Methods • 23
Changing Authentication Schemes • 40
Changing Passwords on Removable Media • 112
Changing Profiles • 27
Changing the Encrypted Device Password • 90
Changing the Language Used in the Interface • 80
Changing Your Local Password • 111
Characters Supported in the Preboot Environment • 83
Check Point Endpoint Connect VPN Client • 37
Checking Encryption Status • 99
Choosing Security Levels • 54
Cloning Profiles • 27
Collecting and Sending Log files • 47
Command Line Options • 36, 46
Compact and Extended VPN Interfaces • 22
Compliance Alerts • 11, 126
Component • 139
Component Learning Mode • 139
Configuring Client for VPN Traffic • 133
Configuring Connection Options • 33, 44
Configuring Endpoint Security Client to Allow Ping Messages • 136
Configuring New Network Connections • 53
Configuring Program Access • 64
Configuring VPN Connection • 60
Configuring VPN Connection for Firewall • 59
Connecting and Disconnecting Using Endpoint Connect • 42
Connecting and Disconnecting Using the Legacy Client • 30
Connecting Through a Hotspot • 34, 44
Connecting Through a Proxy Server • 136
Connecting Through an ICS Client • 136
Connecting to a Site • 42
Connecting to Network Mail Servers • 54
Connecting to the Internet Fails after Installation • 135
Connection Status • 31
Cookie • 140
Cookie Control • 140
Creating an Encrypted Package • 101
Creating an ISO Image • 108
Creating Check Point Certificate CAPI Token • 25
Creating Check Point Certificate PKCS#12 • 25
Creating Profile Desktop Shortcut • 28
Creating Profiles • 27
Creating Profiles and Sites in the Legacy VPN Client • 26
Creating Sites in Endpoint Connect • 42
Customizing Event Logging • 120
Customizing Program Control Settings • 65
Customizing Program Logging • 120

D

Decrypting a File with PKCS7 • 106
Decrypting Files to the Hard Drive • 110
Decrypting Information • 100
Default Port Permission Settings • 58
Defining Sites • 29
Deleting Keys • 113
Deleting Profiles • 28
Deleting Sites • 30
De-selecting the SSO Option • 77
Device Manager • 85
DHCP • 140
DHCP Broadcast/Multicast • 140
Dial Up Support • 35, 45
Dial-Up Connection • 140
Disabling Outbound Mail Protection • 68
Disabling Sites • 30
Disconnecting from a Site • 43
DLL • 140
DNS • 140

E

Embedded Object • 140
Enabling Anti-malware • 12
Enabling Automatic Infection Treatment • 18
Enabling Automatic Lock • 63
Enabling File and Printer Sharing • 54
Enabling Internet Connection Sharing • 54
Enabling Logging • 32
Enabling Office Mode • 34
Encrypting a Package with PKCS7 • 105
Encrypting CDs and DVDs • 87
Encrypting Information • 99
Encrypting Media • 86
Encrypting Media/Floppy Disks • 107
Encryption Information • 79
Encryption Policy Manager • 84
Endpoint Security Anti-malware • 12
Endpoint Security On Demand • 140
Endpoint Security Server • 140
Enrolling After Site Creation • 41
Enrolling During Site Creation • 40
Ensuring That Your Computer Has Not Been Tampered With • 72
Enterprise Policy • 140
Erasing CDs or DVDs • 89
Exporting and Importing Profiles • 27
Extracting Files to Local Hard Disk • 89
Extracting Files to Temporary Secure Location • 89

F

Fallback Languages • 81
Features • 84
File Encryption • 92
File Encryption Options • 97
Firewall • 9, 52
Firewall Alert/Protected • 124
First Logon after Enabling SSO or OneCheck Logon • 77
Forgot your Password? • 114
Formatting Log Appearance • 120
Full Disk Encryption • 9, 72
Full Disk Encryption License Activation Information • 79
Full Disk Encryption Status Information • 78

G

Gateway • 140
Granting Access Permission to VPN Software • 60
Granting Internet Access Permissions to Programs • 67
Granting Send Mail Permission to Programs • 67
Granting Server Permission to Programs • 67

H

Handling Quarantine Items • 15
Heartbeat Messages • 140
High Security Setting • 53
High-Rated Alerts • 140
HTTP Referrer Header Field • 140

I

ICMP • 141
ICS • 141
Identifying the Source of the Heartbeat Messages • 136
IKE • 141
Index.dat • 141
Infected File Exceptions List • 19
Infected File Scan Options • 19
Information Alerts • 141
Information and Help on File Encryption • 96
Informational Alerts • 118, 124
Integrating with Network Services • 54
Internet Connection Troubleshooting • 135
Internet Lock Alerts • 126
Internet Zone • 141
Introduction to Endpoint Security • 8
IP Address • 141
IPSec • 141
ISP • 141

J

Java Applet • 141
JavaScript • 141

K

Key Fobs • 40, 141

L

Languages Supported • 80
Legacy VPN Client • 22
Location Aware Connectivity • 44
Log Viewer Fields • 121
Logging Off from File Encryption • 96
Logging on with SSO or OneCheck Logon Enabled • 77

M

Mail Server • 142
MailSafe Alert • 125
Maintenance Section • 91
Making Your Computer Visible on Local Network • 134
Managing Certificates • 24
Managing Check Point Certificates • 24
Managing Connection Profiles • 26
Managing Entrust Certificates • 24
Managing Passwords and Keys • 111
Managing Program Components • 68
Managing VPN Sites • 28
Manual Action Required Alerts • 131
Maximum File Size for Encrypted Packages • 101
MD5 Signature • 142
Media Encryption • 9, 84
Medium Security Setting • 53
Medium-rated Alert • 142
MIME-type integrated object • 142
Mobile Code • 142
Mobile-Code Control • 142

N

NAT Traversal • 36
NetBIOS • 142
Network Troubleshooting • 134
New Network Alerts • 118, 131
New Network and VPN Alerts • 11
New Program Alerts • 10, 127

O

On-Access Scanning • 18
Opening Encrypted Packages • 104
Optional Full Disk Encryption Features • 75
Overview of Options • 97
Overview Panel • 10

P

Packet • 142
Panels • 9
Password Caching for Single Sign On • 44
Persistent Cookie • 142
Personal Policy • 142
Personal Store • 142
Ping • 142
PKCS7 Encryption • 105
Policies • 10, 116
Policy Types • 116
Pop-under Ad • 142
Pop-up Ad • 142
Port • 142
Port Scan • 142
Privacy Advisor • 143
Private Header • 143
Program Access Control • 62
Program Alerts • 118, 127
Program Authentication • 62
Program Component Alerts • 128
Program Control • 9, 62
Program Security Guard • 85
Programs List • 143
Protected Information in Windows Explorer • 99
Protecting Information Locally • 99
Protecting Information on Removable Media • 106
Protocol • 143
Proxy Settings • 44
Proxy Settings (Visitor Mode) • 34
Public Network • 143

Q

Quarantine • 143

R

Reducing Advanced Program Alerts • 131
Reducing Blocked Program Alerts • 125
Reducing Changed Program Alerts • 128
Reducing Compliance Alerts • 126
Reducing Firewall Alerts • 124
Reducing Internet Lock Alerts • 126
Reducing Manual Action Alerts • 131
Reducing New Network Alerts • 132
Reducing New Program Alerts • 127
Reducing Program Component Alerts • 129
Reducing Repeat Program Alerts • 128
Reducing Server Program Alerts • 130
Remote Access Community • 143
Remote Access VPN • 143
Remote Help and webRH for Information Stored Locally • 114
Remote Help and webRH for Removable Media/Devices • 114
Remote Help for Encrypted Packages • 115
Removable Media Manager • 84
Renewing Check Point Certificates • 26
Repairing Archived Files • 19
Repeat Program Alerts • 127
Resolving Slow Startup • 135
Responding to Alerts • 10
Restoring Key Files of Media/Floppy Disks • 108
Restoring Warnings • 111

S

Saving the Certificate in Another Location • 25
Saving the Certificate to a Folder of Your Choice • 39
Scanning • 13
Scheduling Scans • 16
Script • 143
Secure Delete Basics • 113
Secure Domain Logon • 33
Securely Deleting Extracted Files • 111
Securely Deleting Information • 113
Securely Deleting Information Stored Locally • 101
Securely Deleting Packages • 106
SecurID • 39, 143
SecurID Authentication Devices • 39
Security Levels • 143
Server Permission • 143
Server Program Alerts • 129
Session Cookie • 143
Setting a Password • 94
Setting Advanced Security Options • 55
Setting Alert Event Level • 119
Setting Authentication Options • 68
Setting Basic Alert and Log Options • 119
Setting Event and Program Log Options • 120
Setting Event and Program Logging Options • 119
Setting Gateway Security Options • 56
Setting General Security Options • 56
Setting ICS Options • 56
Setting Network Security Options • 57
Setting Program Access Permissions • 64
Setting Program Control Level • 63
Setting Program Control Options • 63
Setting Specific Permissions • 65
Sharing and SSO • 112
Sharing Files and Printers Locally • 134
Sharing Media • 113
Sharing Media/Floppy Disks • 107
Sharing Media/Floppy Disks and Managing Keys • 112
Showing or Hiding Alerts • 119
Showing or Hiding Firewall Alerts • 119
Single Sign-on and OneCheck Logon • 76
Skyscraper Ad • 144
Smart Card Removal • 45
SoftID • 39, 144
Specifying Scan Targets • 17
SSO and OneCheck Logon and Password Changes • 77
Staying Connected all the Time • 44
Stealth Mode • 144
Storing a Certificate in the CAPI Store • 38
Storing PKCS#12 in CAPI Store • 25
Submitting Infected Files and Spyware to Check Point • 14
Supported VPN Protocols • 59
Suspending Popup Messages • 35
Suspicious Site Warnings • 49
Switching to Endpoint Connect • 37
Switching to the Legacy VPN client • 47
Synchronizing Passwords • 75
System Tray Icons • 9

T

TCP • 144
The Endpoint Security Main Page • 8
Third Party Cookie • 144
Tour of the Endpoint Security Main Page • 8
Treating Files Manually • 14
Trojan Horse • 144
Troubleshooting • 133
TrueVector Security Engine • 144
Trusted Zone • 144
Tunnel Idleness • 45
Types of Endpoint Security VPNs • 21

U

UDP • 144
Understanding Alerts and Logs • 118
Understanding Certificates • 38
Understanding Connection Details - Endpoint Connect VPN • 43
Understanding Connection Details - Legacy VPN • 31
Understanding Connection Settings - Endpoint Connect VPN • 43
Understanding Firewall Protection • 52
Understanding Policy Arbitration • 116
Understanding Program Control • 62
Understanding Scan Results • 13
Understanding the Product Info Tab • 10
Understanding WebCheck • 49
Understanding Zones • 52
Updating Anti-malware • 13
Updating Encrypted Information • 110
Updating Malware Definitions • 17
Updating Sites • 30
USB Sticks, Firewire/USB Hard Drives, Floppy/CD/DVD Disks • 107
User Name and Password • 37
Using a Certificate and Setting a Password • 94
Using a Dynamic Token • 73
Using a Fixed Password • 73
Using a Smart Card/USB Token • 74
Using Alert Advisor • 123
Using Antivirus Software • 69
Using Browsers • 69
Using Chat • 69
Using E-mail • 69
Using File Encryption • 96
Using File Sharing • 70
Using FTP • 70
Using Games • 70
Using Internet Answering Services • 70
Using Programs with the Client • 69
Using Remote Control • 70
Using Secure Delete With File Encryption Installed • 114
Using Secure Delete With the Stand-alone Utility • 114
Using Streaming Media • 70
Using the Device Manager • 91
Using the EPM Client • 86
Using the Full Disk Encryption Panel • 78
Using the Full Disk Encryption Password for Windows • 76
Using the Overview Main Tab • 10
Using the Policies Panel • 117
Using the Program Security Guard • 91
Using the Programs List • 66
Using the Removable Media Manager • 90
Using the Windows Password for Full Disk Encryption • 76
Using VNC • 71
Using Voice over IP • 71
Using Web Conferencing • 71

V

Viewing Anti-malware Protection Status • 12
Viewing Available Policies • 116
Viewing Log Entries • 121
Viewing Logs • 16
Viewing Profile Properties • 28
Viewing Quarantine Items • 15
Viewing Site Properties • 29
Viewing Status and Encryption Information • 78
Viewing the Text Log • 122
Visitor Mode • 144
VPN • 9, 21, 144
VPN Auto-Configuration and Expert Rules • 133
VPN Basics • 21
VPN Troubleshooting • 133
VPN Tunneling (Hub Mode) • 34, 45

W

Web Bug • 144
WebCheck • 9, 49
WebCheck Protection • 49
What if I don't have access to my token/smart card? • 75
What if I forget my password? • 75, 114
What you should do • 124, 125, 126, 127, 128, 129, 130, 131
Why Advanced Program Alerts Occur • 130
Why Blocked Program Alerts Occur • 125
Why Changed Programs Alerts Occur • 128
Why Compliance Alerts Occur • 126
Why Firewall Alerts Occur • 124
Why Internet Lock Alerts Occur • 126
Why MailSafe Alerts Occur • 125
Why Manual Action Require Alerts Occur • 131
Why New Network Alerts Occur • 131
Why New Program Alerts Occur • 127
Why Program Component Alerts Occur • 128
Why Repeat Program Alerts Occur • 127
Why Server Program Alerts Occur • 129
Windows Integrated Logon • 77
With File Encryption Installed • 109
Without File Encryption Installed • 110
Working in a Stand-alone Access Environment • 110
Working with Encrypted Packages • 101
Working with File Encryption • 93

Y

Yellow Caution Banner • 50

Z

Zones Manage Firewall Security • 53
Zones Provide Program Control • 53