Table of Contents:
- Compliance Blade Overview
- Compliance Blade Client Functionality
- Managing Compliance Blade
- Planning for Compliance Rules
- Configuring Compliance Policy Rules
- Troubleshooting and Debugging
- Compliance Blade is not running
- Compliance Blade does not recognize 3rd-party Anti-Malware signatures
- Collecting Debug Information
Note: Relevant for R81.
Compliance Blade Overview
The Compliance Blade enforces a security policy created by an administrator and reports the status of the computer to the Management Server.
The Compliance Status shows whether a computer is compliant with the corporate security policy. Each status is shown with a color that indicates its severity.
Statuses can be the following:
- Compliant - Computer has the required software and approved versions.
- Warn - Computer is not compliant with the corporate security requirements. Network resources are still accessible, but the actions shown must be done to become compliant.
- About to be restricted - Computer is not compliant with the corporate security requirements. Access to the corporate network will be restricted if the actions shown are not done within the specified time.
- Restricted - Computer is not compliant with the corporate security requirements. Access to the corporate network is restricted. Do the actions shown to become compliant.
Compliance Blade Client Functionality
Compliance makes sure that:
- All assigned Software Blades are installed and running on the endpoint computer.
- Anti-Malware is running and that the engine and signature databases are up to date.
- Required operating system service packs and updates are installed on the endpoint computer.
- Only authorized programs are installed and running on the endpoint computer.
- Required registry keys and values are present.
Notes:
- Registry and File Version checks are not relevant for Mac.
- Starting in E83.20, Microsoft WSUS support is included in Compliance blade. Refer to sk164060.
If an object (for example an OU or user) in the organizational tree violates its assigned policy, its compliance state changes, and this affects the behavior of the endpoint computer:
- The compliant state is changed to non-compliant.
- The event is logged, and the status of the computer and its users can be monitored by administrators.
- Users receive warnings or messages that explain the problem and give a solution.
- Policy rules for restricted computers apply.
Compliance Blade Client UI

Clicking "Compliance" in the Software Blades list shows this additional information:
- Policy Details - A summary of the Compliance policy that is installed on the computer.
- Current Status - Tells if the computer has Compliance policy violations. Messages show all problems and give recommended remedies.
To correct compliance violations from the Client:
- Select a compliance violation message and click "Fix it" to correct the selected violation.
- Click "Fix All" to try to correct all listed compliance violations.
If these actions do not resolve the violations, the administrator should be notified.
When the client is out of compliance with policy, its icon in the Notification Area changes to indicate the non-compliant state.
Compliance Alerts

Compliance Alerts show when a computer does not match the Compliance policy. This can occur if there are changes in the Compliance rules, or in computer configuration.
If Compliance Blade determines that the computer is not compliant, a Compliance Alert shows with this information:
- One of these Compliance states:
- Warn - Computer is not compliant with the corporate security requirements. Network resources are still accessible, but the actions shown must be done to become compliant.
- About to be restricted - Computer is not compliant with the corporate security requirements. Access to the corporate network will be restricted if the actions shown are not done within the specified time.
- Restricted - Computer is not compliant with the corporate security requirements. Access to the corporate network is restricted. Do the actions shown to become compliant.
- Instructions for making your computer compliant with the policy.
Compliance Logs and Reports

Endpoint Security activity, including Compliance events, is recorded in logs. This information is uploaded to the Server and can be viewed by administrators. Upload depends on settings in the Client Policy.
Compliance logs contain the following events:
- Compliance Check Not Met - occurs when some policy violation is detected, but before enforcing Restricted state.
- Status Changed - occurs when Compliance enforces Restricted state, or reverts to previous state when compliance checks are met.
- Remediation - occurs when remediation action is applied.
Besides logs, Compliance also reports the following information to the Management Server:
- Status of currently installed anti-malware software (including 3rd-party anti-malware software)
- Compliance status of the computer
Logs can be viewed locally using the Log Viewer utility. It can be opened by navigating to 'Endpoint Security Client UI Main Page > Advanced > View Logs'.
Compliance Blade Architecture
Client-Server Communications

From the Compliance perspective, the Endpoint Security Client gets the following information from the Endpoint Security Server:
Also, the Compliance blade can contact other servers to download Compliance Remediation Actions from them as configured in Policy.
The Endpoint Security Client sends the following information to the Endpoint Security Server:
- Logs (from the other blades as well). Log upload process can be customized in Client Settings policy
- Compliance reports (Compliance statuses and Anti-Malware information)
To reduce load on the Endpoint Security Server, additional servers can be deployed. These servers are called Policy Servers. Policy Servers provide the same functionality to Clients; however, they cannot be used to manage policies with SmartConsole.
Client architecture

On the client side, there are several important components that communicate with one another, as described in the figure above.
These components are:
- Check Point Endpoint Agent service - performs all communications with the Endpoint Security Server, including Policies download, log upload, etc.
- Check Point Device Auxiliary Framework service - performs all communications with the installed Endpoint Security Blades and UI.
- Check Point Client UI service and Client UI process - perform user actions handling and show blades statuses, messages and alerts.
- Check Point Compliance service - performs Compliance checks according to Policy, manages computer state (applies Restricted State) and watches 3rd-party Anti-Malware software.
- Other infrastructure components - other modules, for example, Log Viewer utility.
Managing Compliance Blade
The Compliance blade makes sure that endpoint computers comply with security rules defined by administrators.
Computers that do not comply show as non-compliant and restrictive policies can be applied to them.
Planning for Compliance Rules
Before defining and assigning Compliance rules, do these planning steps:
- Identify the applications, files, registry keys, and process names that are required, or not permitted on the endpoint computers.
- Collect all information and remediation files necessary for user compliance. Use this information when you create remediation objects to use in Compliance rules. Compliance rules can prevent users from accessing required network resources when they are not compliant. Think about how to make it easy for users to become compliant.
- Make sure that the firewall rules give access to remediation resources, for example, sites from which service packs or anti-malware updates can be downloaded. Note: In Windows 7, make sure the Interactive Service Detection service is running. This is necessary for remediation files (running with system credentials) that must interact with the user.
- Define rule alerts and login policies to enforce the rules after deployment.
Configuring Compliance Policy Rules
For each Action in a rule, select an option, which defines the Action behavior. You can select a predefined Action option, or select New to define a custom Action option.
Right-click an Action and select "Edit" or "Edit Shared Action" to change the Action behavior.
Changes to policy rules are enforced only after you install the policy.
Blades Running Action
This action makes sure that all installed Software Blades are running and defines what happens if they are not running.
The action options are:
- Inform if assigned Software Blades are not running - Send a warning message if one or more assigned blades are not running.
- Restrict if assigned Software Blades are not running - Restrict network access if one or more assigned blades are not running.
- Monitor if assigned Software Blades are not running - Create log entries if one or more assigned blades are not running. No messages are sent.
- Do not check if assigned Software Blades are not running - The Compliance Blade does not make sure that assigned Software Blades are running.
VPN Client Verification Action
The VPN Client Verification action selects the procedure used to enforce the "Upon verification failure" option, as defined in SmartDashboard. The two procedures are:
- VPN Client verification process will use Endpoint Security Compliance - Uses the Endpoint Security policy to control access to organizational resources.
- VPN Client verification process will use VPN SCV Compliance - Uses SCV (Security Configuration Verification) settings from the Security Gateway to control access to organization resources. SCV checks, which are defined in the Local.scv policy, always run on the client. This option is described in the Remote Access Clients Administration Guide.
Note: Endpoint Security Clients on Mac always get their Compliance status from Endpoint Security Compliance, even if "VPN Client verification process will use VPN SCV Compliance" is selected.
Compliance Action Rules
Many of the Compliance Policy actions contain Action Rules that include these components:
- Check Objects (Checks) - Define the actual file, process, value, or condition that the Compliance blade looks for.
- One or more Remediation objects - A Remediation object runs a specified application, or script to make the endpoint computer compliant. It can also send alert messages to users.
- One of these Action options - What happens when a computer violates the rule:
- Observe - Log endpoint activity without further action. Users do not know that they are non-compliant. Non-compliant endpoints show in the Observe state in the Reporting tab.
- Warn - Alerts the user about non-compliance and automatically does the specified remediation steps. Sends a log entry to the administrator.
- Restrict - Alerts the user about non-compliance and automatically does the specified remediation steps. Sends a log entry to the administrator. Changes applicable policies to the restricted state after a pre-defined number of heartbeats (default = 5). Before this happens, the user is in the "about to be restricted" state. On the monitoring tab, the user is shown as pre-restricted.
The Compliance blade runs the rules. If it finds violations, it runs the steps for remediation and does the Action in the rule.
Some Action Rules are included by default. You can add more rules for your environment.
Basic Workflow for defining additional compliance rules:
- In the Policy tab, right-click an action in the Actions column and select "Edit Properties".
- Click "Create Rule" to create new Action Rules as necessary:
- In the Name field, enter the Action rule name.
- Click "Check" to add Check objects to the Action rule.
- Select an Action from the list.
- Click the Remediation tab to add remediation objects to the rule. If the selected Action is Observe, the rule does not require a remediation object.
- Optional: In the Comment field, enter a comment for the action rule.
Do these steps again to create additional Action rules as necessary.
Compliance Check Objects
Each Compliance Action Rule contains a Check object that defines the actual file, process, value or condition that the Compliance blade looks for.
To create a new or change an existing Check object:
- In the Edit Properties window of a Compliance Action, click "View Objects List".
- Click "New" to create a new Check object, or "Edit" to change an existing one.
- For Required applications and files only: When you create a new Check object, select an Object Type:
- Required Entity Check - Add one specified file Check object.
- Required Entity Group - Add a group of Check objects that must all be on the computer.
- In the Compliance Check Properties window, fill in the fields described in the table below.
Note: You can optionally select or define a Remediation action for this Check object. The remediation action applies only to this Check object and overrides the remediation action specified in the rule.
Note: To define a Check object remediation action, select a Remediation action from the list, or click Remediation tab > New to define a new one.

Compliance Remediation Objects
Each Compliance Action Rule can contain one or more Remediation objects.
A Remediation object runs a specified application, or script to make the endpoint computer compliant. It can also send alert messages to users.
After a Remediation object is created, you can use the same object in many Action rules.
To create a new or change an existing Remediation object:
- In the Edit Properties window of a Compliance Action, click "View Objects List".
- Select the Remediations tab and click "New".
- In the Remediation Properties window, fill in these fields:

Operations
Messages
Applying registry changes via Compliance blade
It is possible to modify registry entries on Windows machines that have the Compliance Blade installed.
There are two ways to do this:
- Configure a separate Compliance Check Action that checks the registry, and a Compliance Remediation Action that modifies the registry if the check is not met.
- Configure one Compliance Check Action that modifies the registry itself, without a Remediation Action.
The second configuration requires a special setting in the Check Action rule.
To create a Check Action rule that modifies the registry:
- Add new Check Action
- Choose "Check Registry" checkbox and select Registry key and value option
- In Registry Value Name, type OPERATION REG_TYPE Path\In\Registry
- In Registry Value Data, enter the requested data.
Operation can be one of the following:
- ADD - adds the entry if it does not exist, otherwise leaves it untouched
- REPLACE - changes the entry only if it exists, otherwise does not create a new entry
- UPDATE - adds the entry if it does not exist, otherwise changes the existing entry
- REMOVE - removes the registry entry
Reg_type can be one of the following:
- REG_SZ - creates or updates entry with REG_SZ type, typically used for string values
- REG_DWORD - creates or updates entry with REG_DWORD type, typically for numeric values
Note: REMOVE operation cannot remove registry keys (even empty ones), only registry entries inside keys.
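The following is an added example, not Check Point's code: a small offline model of the "OPERATION REG_TYPE Path\In\Registry" directive described above. It parses the directive and applies the documented ADD / REPLACE / UPDATE / REMOVE semantics (including the note that REMOVE leaves the key in place) to a plain dictionary standing in for the Windows registry, so the effect of each operation can be checked before a rule is installed. It assumes the blade parses the field exactly as the text describes; the in-memory registry and the sample directives are constructed for this example.

```python
"""
Added example, not Check Point's code: an offline model of the
"OPERATION REG_TYPE Path\\In\\Registry" directive used in the Registry Value
Name field of a Check Action rule. The in-memory registry and the sample
directives are constructed; the parsing rules are assumed to match the text.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OPERATIONS = {"ADD", "REPLACE", "UPDATE", "REMOVE"}
REG_TYPES = {"REG_SZ", "REG_DWORD"}

# key path (lower-cased; registry paths are case-insensitive) -> {value name: (type, data)}
Registry = Dict[str, Dict[str, Tuple[str, object]]]


@dataclass(frozen=True)
class Directive:
    operation: str
    reg_type: str
    key_path: str    # e.g. HKLM\SOFTWARE\Example
    value_name: str  # last path component, e.g. Enabled


def parse_directive(text: str) -> Directive:
    """Split 'OPERATION REG_TYPE Path\\In\\Registry' into its three parts.

    The last backslash-separated component of the path is the value name;
    everything before it is the key that holds the value."""
    parts = text.strip().split(maxsplit=2)
    if len(parts) != 3:
        raise ValueError(f"expected 'OPERATION REG_TYPE Path': {text!r}")
    op, reg_type, path = parts[0].upper(), parts[1].upper(), parts[2]
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    if reg_type not in REG_TYPES:
        raise ValueError(f"unsupported type {reg_type!r}")
    key_path, sep, value_name = path.rpartition("\\")
    if not sep or not key_path or not value_name:
        raise ValueError(f"path needs a key and a value name: {path!r}")
    return Directive(op, reg_type, key_path, value_name)


def _coerce(reg_type: str, data: str) -> object:
    """Convert the Registry Value Data string to the named type."""
    if reg_type == "REG_DWORD":
        return int(data, 0) & 0xFFFFFFFF  # decimal or 0x-prefixed hex, 32-bit
    return data


def _existing_name(values: Dict[str, Tuple[str, object]], name: str) -> Optional[str]:
    """Value names are case-insensitive; return the spelling already stored."""
    for stored in values:
        if stored.lower() == name.lower():
            return stored
    return None


def apply_directive(registry: Registry, d: Directive, data: str = "") -> str:
    """Apply one directive and report what happened.

    ADD      creates the value only if it is missing.
    REPLACE  changes the value only if it exists; never creates it.
    UPDATE   creates or changes the value.
    REMOVE   deletes the value; the key stays even if it is now empty."""
    key = registry.get(d.key_path.lower())
    stored = _existing_name(key, d.value_name) if key is not None else None
    if d.operation == "REMOVE":
        if stored is None:
            return "not found"
        del key[stored]
        return "removed"
    if d.operation == "ADD" and stored is not None:
        return "unchanged"
    if d.operation == "REPLACE" and stored is None:
        return "not found"
    if key is None:
        key = registry[d.key_path.lower()] = {}
    key[stored or d.value_name] = (d.reg_type, _coerce(d.reg_type, data))
    return "replaced" if stored is not None else "added"


if __name__ == "__main__":
    reg: Registry = {}
    for line, data in [
        ("ADD REG_DWORD HKLM\\SOFTWARE\\Example\\Enabled", "1"),
        ("ADD REG_DWORD HKLM\\SOFTWARE\\Example\\Enabled", "0"),     # already there: untouched
        ("REPLACE REG_SZ HKLM\\SOFTWARE\\Missing\\Vendor", "Acme"),  # REPLACE never creates
        ("UPDATE REG_SZ HKLM\\SOFTWARE\\Example\\Vendor", "Acme"),
        ("REMOVE REG_SZ HKLM\\SOFTWARE\\Example\\Vendor", ""),
    ]:
        print(f"{line:<50} -> {apply_directive(reg, parse_directive(line), data)}")
    print(reg)
```

Running the script walks through one directive of each kind and prints the resulting registry model; the REPLACE against a missing key shows that no key is created, and the final REMOVE shows the key surviving with no values in it.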

Deploying files via Compliance Blade
It is possible to add or replace files on Windows machines that have the Compliance blade installed.
There are two ways to do this:
- Configure a separate Compliance Check Action that checks for file existence or version, and a Compliance Remediation Action that downloads or copies the file if the check is not met.
- Configure a Compliance Check Action with a special Remediation Action that deploys the file without the need to write a remediation script or executable file.
The second configuration requires a special setting in the Remediation Action.
To create a Check Action and Remediation Action that deploy one file:
- Add new Check Action
- Choose "Check File" checkbox and select "File Exists" option
- In File Name, enter the file name without a path.
- In File Path, enter full path to a folder containing file.
- If needed, specify also check by version, or MD5 checksum
- Create a new Remediation for this action
- Choose "Run Custom File" checkbox
- Specify Download Path. Make sure the name of the file is EPComplianceRemediationFile.bat. This name cannot be changed. For example: %PUBLIC%\EPComplianceRemediationFile.bat
- Specify URL. You can select a file with Browse dialog, or enter URL directly.
- In the Parameters entry, enter the MOVE keyword followed by the target path where the file should be deployed.
Note: Browse dialog shows only exe and bat files. If you need to deploy files with different extensions, enter their URLs manually.


Service Packs for Compliance
The Service Packs Compliance Action makes sure that computers have the most recent operating system service packs and updates installed. The default settings show in the "Latest Service Packs Installed Action Rules".

Required Applications and Files
Required Application and File Compliance Settings look for the presence of specified files, registry values, and processes that must be running, or present on endpoint computers. The default settings show in the "Required Application Action Rules".
For Required Application Action Rules, multiple check objects in the rule are mutually exclusive. If one or more check objects are not compliant, the defined action and remediation are triggered.

Prohibited Applications and Files
The Prohibited Applications and Files Action makes sure that files, registry keys, and processes that must not be on endpoint computers are not present or running. The default settings show in the "Prohibited Application Action Rules".
For Prohibited Application Action Rules, all check objects must be non-compliant to trigger the action and remediation. If only one check object is compliant, the action and remediation are not triggered.

Anti-Malware for Compliance
The Anti-Malware check makes sure that computers have an anti-malware program installed and updated. The default settings show in the "Anti-Malware Compliance Action Rules".

Note: If you select several Anti-Malware programs, Compliance will check that at least one of them is running and up to date according to policy.
Note: Vendors not listed in the Anti-Malware Compliance Check window are currently unsupported.
Configuring Compliance States Enforcement
The Compliance blade can change the client state, which makes the client enforce other policies.
When you create a policy rule, you can select the state or states during which this policy is enforced. By default, policies apply when the client is Connected.
States are not applicable for all blades. For example, Full Disk Encryption rules always apply and cannot change based on state. The option to create rules based on state only shows for applicable blades.
If there is no applicable rule for the "Disconnected" or "Restricted" states, the Connected policy applies.
- The Connected state policy is enforced when a compliant endpoint computer connects to the Endpoint Security Management Server.
- The Disconnected state policy is enforced when an endpoint computer is not connected to the Endpoint Security Management Server. For example, you can enforce a more restrictive policy, if users are working from home and are not protected by organizational resources.
- The Restricted state policy is enforced when an endpoint computer is not in compliance with the enterprise security requirements. Its compliance state is moved to "Restricted". In the Restricted state, the typical action is preventing users from accessing some or even all network resources.
The following Policies can have different configurations for Restricted state:
- Firewall
- Access Zones
- Application Control
- Media Encryption & Port Protection

The Heartbeat Interval
Endpoint Security Clients send "heartbeat" messages to the Endpoint Security Management Server to make sure that all connections are active and that all policies are up to date. The time between heartbeat messages is known as the "heartbeat interval".
Note: The default heartbeat interval is 60 seconds. Reducing the heartbeat interval can cause performance degradation. Increasing the heartbeat interval can cause security degradation, and less accurate reporting.
The endpoint computer Compliance state is recalculated at each heartbeat. The heartbeat interval also controls the time that an Endpoint Security client is in the "About to be Restricted" state before it is restricted.
To configure the heartbeat interval:
- Click 'Manage > Endpoint Connection Settings'. The Connection Settings Properties window opens.
- In the Connection Settings section, set the "Interval between client heartbeats".
- Click "OK".

Configuring the "About to be Restricted" State
The "About to be Restricted" state sends users one last warning and gives an opportunity to immediately correct compliance issues before an endpoint computer is restricted.
You can configure the period of time that a user has to correct the issues, after the warning message shows.
You define this period of time in heartbeats.
To configure the time period that users have before an endpoint computer is restricted:
- Click 'Manage > Endpoint Connection Settings'. The "Connection Settings Properties" window opens.
- In the "Out of Compliance" section, enter the number of heartbeats.
- Click "OK".
When you configure this time period, we recommend that you give users sufficient opportunity to:
- Save their data.
- Correct the compliance issues.
- Make sure that the endpoint computer is compliant.
The formula for converting the specified time period to minutes is: <number of heartbeats> * <heartbeat interval in seconds> / 60.
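The following is an added example, not Check Point's code, that models how the pieces described in the preceding sections fit together at each heartbeat: the Required / Prohibited rule semantics (a Required rule triggers when any check object fails, a Prohibited rule only when every check object fails), the Observe / Warn / Restrict actions with the "About to be Restricted" grace period counted in heartbeats, the heartbeats * interval / 60 formula, and the "Compliance Check Not Met" / "Status Changed" log events. It assumes the client becomes Restricted on the heartbeat at which the configured count is reached and that the most severe violated action decides the state; the rule names, check names and results are constructed.

```python
"""
Added example, not Check Point's code: a per-heartbeat model of Compliance
state evaluation. Assumptions: restriction takes effect on the heartbeat at
which the "Out of Compliance" count is reached; the most severe violated
action decides the state. Rules, check names and results are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Sequence, Tuple


class Action(IntEnum):
    OBSERVE = 1   # log only; the user is not told
    WARN = 2      # alert and remediate; network access continues
    RESTRICT = 3  # alert, remediate, restrict after N heartbeats


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                # "required" or "prohibited"
    checks: Tuple[str, ...]  # check object names
    action: Action


def rule_violated(rule: Rule, results: Dict[str, bool]) -> bool:
    """results maps a check object name to True when the check is met.
    For a prohibited rule a check is met when the prohibited item is absent."""
    if not rule.checks:
        return False
    met = [results[c] for c in rule.checks]  # KeyError if a check has no result
    if rule.kind == "required":
        return not all(met)  # one failing check is enough
    if rule.kind == "prohibited":
        return not any(met)  # only when every check fails
    raise ValueError(f"unknown rule kind {rule.kind!r}")


COMPLIANT = "Compliant"
OBSERVE = "Observe"
WARN = "Warn"
ABOUT_TO_BE_RESTRICTED = "About to be restricted"
RESTRICTED = "Restricted"


@dataclass
class ComplianceClient:
    rules: Sequence[Rule]
    heartbeats_before_restriction: int = 5  # "Out of Compliance" setting, default 5
    heartbeat_interval_s: int = 60          # default heartbeat interval
    state: str = COMPLIANT
    pending: int = 0                        # consecutive heartbeats violating a Restrict rule
    events: List[str] = field(default_factory=list)

    def grace_minutes(self) -> float:
        """Time a user has in "About to be restricted": heartbeats * interval / 60."""
        return self.heartbeats_before_restriction * self.heartbeat_interval_s / 60

    def heartbeat(self, results: Dict[str, bool]) -> str:
        """Recalculate the compliance state for one heartbeat and return it."""
        violated = [r for r in self.rules if rule_violated(r, results)]
        if self.state != RESTRICTED:  # this event is logged before restriction is enforced
            self.events.extend(f"Compliance Check Not Met: {r.name}" for r in violated)
        if not violated:
            new_state, self.pending = COMPLIANT, 0
        else:
            worst = max(r.action for r in violated)
            if worst == Action.OBSERVE:
                new_state, self.pending = OBSERVE, 0
            elif worst == Action.WARN:
                new_state, self.pending = WARN, 0
            else:
                self.pending += 1
                new_state = (RESTRICTED if self.pending >= self.heartbeats_before_restriction
                             else ABOUT_TO_BE_RESTRICTED)
        if new_state != self.state:
            self.events.append(f"Status Changed: {self.state} -> {new_state}")
            self.state = new_state
        return self.state


# Constructed policy: one rule per action, mixing required and prohibited checks.
SAMPLE_RULES = (
    Rule("Anti-Malware running and current", "required",
         ("am_running", "am_signatures_current"), Action.RESTRICT),
    Rule("P2P client absent", "prohibited",
         ("p2p_binary", "p2p_service"), Action.WARN),
    Rule("Inventory agent present", "required",
         ("inventory_agent",), Action.OBSERVE),
)
ALL_OK = {"am_running": True, "am_signatures_current": True,
          "p2p_binary": True, "p2p_service": True, "inventory_agent": True}

if __name__ == "__main__":
    client = ComplianceClient(SAMPLE_RULES, heartbeats_before_restriction=3)
    print(f"grace period: {client.grace_minutes():.0f} minutes")
    stale_signatures = dict(ALL_OK, am_signatures_current=False)
    for results in [ALL_OK] + [stale_signatures] * 3 + [ALL_OK]:
        print(client.heartbeat(results))
    print("\n".join(client.events))
```

With the grace period set to 3 heartbeats at the default 60-second interval, the walkthrough shows two heartbeats in "About to be restricted", restriction on the third, and a return to Compliant once the signatures check is met again, with a Status Changed event for each transition.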

Monitoring Compliance State
You can monitor the Compliance State of computers from:
- SmartView Tracker (part of the SmartConsole application since R80)
- SmartEndpoint (Overview tab)
- SmartEndpoint (see 'Reporting tab > Compliance')
Compliance Logs
Compliance logs can be seen in SmartView Tracker or SmartConsole and include the following Endpoint Compliance events:
- Compliance Check Not Met - occurs when some policy violation is detected, but before enforcing "Restricted" state.
- Status Changed - occurs when Compliance Blade enforces Restricted state, or reverts to default state when compliance checks are met.
- Remediation - occurs when a remediation action is applied.
Note: The same logs can be also viewed locally with the Log Viewer utility.
Compliance Overview
These Compliance States are used in the Security Overview and Compliance reports:
- Compliant - The computer meets all compliance requirements.
- Observe - One or more of the compliance rules that is set as "Observe" is not met. Users do not know about this status and have no restrictions.
- Warn - The computer is not compliant, but the user can continue to access network resources.
- About to be restricted - The computer is not compliant, and will be restricted soon.
- Restricted - The computer is not compliant, and has restricted access to network resources.

SmartEndpoint can show a Trend Diagram, or detailed information about all computers in the organization in the Overview tab.

Compliance reports
These Compliance statuses are used in the reports:
- Compliant - The computer meets all compliance requirements.
- About to be restricted - The computer is not compliant and will be restricted if steps are not done to make it compliant.
- Observe - One or more of the compliance rules that is set as "Observe" is not met. Users do not know about this status and have no restrictions.
- Restricted - The computer is not compliant, and has restricted access to network resources.
- Warn - The computer is not compliant, but the user can continue to access network resources. Perform the steps necessary to make the computer compliant.
- Not installed - Compliance is disabled, or not installed.
- Not Running - Compliance engine is not running correctly.
- Status information is missing - No status information coming from the computer.
The following Charts in the Reporting Tab show information from the Compliance Blade:
- Compliance Status - Shows Endpoint Compliance policies that make sure that the computer meets all compliance requirements.
- The correct version of Endpoint Security is installed.
- The operating system includes all required updates and service packs.
- Only approved software applications are installed.
If a user or computer is in violation of a rule, the name of the rule is shown in the "Compliance Violations" column. Names of custom rules are also shown.
- Top Violations - Shows the top compliance violations.

Note: Anti-Malware Charts in the Reporting tab can also show information from the Compliance blade. Compliance is needed to collect information about installed 3rd-party Anti-Malware software.

Troubleshooting and Debugging
This section provides troubleshooting steps and recommendations.
Compliance Blade is not running
Usually, this means that one of the corresponding services is not running. Examine their status with the Services utility in the Control Panel. If some of them are not running, try to start them manually.

Compliance Blade does not recognize 3rd-party Anti-Malware signatures
New versions of Check Point Endpoint Security contain the latest versions of the Compliance components that handle 3rd-party Anti-Malware software. In case of such problems, it is recommended to check whether the problem reproduces with the latest version of Endpoint Security.
If you experience other problems with the Endpoint Security Compliance Blade, or the suggested steps do not help, contact Check Point Support. Special debug information is required for the investigation.
Cpinfo utility
On all systems where Endpoint Security is installed, a debug log collector is accessible from the Endpoint Security Client. The tool is called CPinfo; see sk90445 for more information.
CPinfo can be executed in Basic, General and Extended modes. For faster investigation, always select Extended mode, because it collects the most information.
Other debugging tools
In some cases, Check Point Support may use some other debugging tools. They can be common troubleshooting tools like Wireshark or Process Monitor, or can be some Check Point-specific tools.
These Check Point-specific tools either control and check some internal settings and states of Compliance Blade components, or enable additional logging.
Check Point Support will provide explanations about the tests performed and the tools used, if they are required.