Important: Do not uninstall or upgrade your client before applying the patch below!
Introduction
In August 2019, Check Point released version E81.20 to address the use limitation of older versions of Check Point’s Endpoint, VPN, and SandBlast Agents (sk158912). These out-of-support versions will cease to operate starting January 1st, 2021. Starting on that date, following a reboot of the computer, Remote Access VPN and Endpoint Security Client versions E81.10 (inclusive) and lower may stop functioning, and the upgrade will fail.
Check Point issued a small (2MB), quick-to-install patch for this issue. It replaces an existing .SYS file, delivering a fix that is already proven to be safe and is widely used by customers. The patch has no impact on clients that are not listed in the affected version list.
Most users do not reboot their PC frequently, so their VPN connectivity keeps working until they reboot. Central deployment is the preferred procedure for distributing the patch to end-users who are still connected. This solution will fix the issue for the end-users in most organizations.
For users with VPN connectivity - distribute the patch through a Central Deployment tool
Use an aggressive update timing to supply the patch as quickly as possible.
Use Central Deployment tools such as the Compliance blade (sk171279), GPO (sk171338), or SCCM.
Verify that the GlobalSign root certificate is installed on your affected devices. For more information see sk171399.
For users with no VPN connectivity
Send your employees instructions that describe how to download and install this patch - EPPatcher_for_users.
Limited to Windows 7, 8.1 and 10, and to these versions: E80.81 - E81.10.
Installing the patch on versions E80.81 or E80.82 requires end-users to have administration privileges.
Important: If you use Endpoint Security Client or SandBlast Agent, provide the end-user with the uninstall password as well, as it is necessary for the patch installation process. The uninstall password is not required for Endpoint Security VPN users.
If only a low number of users lost VPN connectivity, use a tool such as Zoom to conduct a remote session to their PC and install the patch.
If the above tools are not applicable for your scenario, use one of the additional mitigation tools described in the table below.
Important:
We recommend upgrading to the latest recommended version (E84.00) after the patch completes the installation. For VPN users who plan to upgrade to E84.20 or E84.30 an additional fix is needed. Contact Check Point support to get the fix.
From Central Management: SmartLog –> query for action:"Log In" AND ("Endpoint Security") AND (E80.81 or E80.82 or E80.83 or E80.84 or E80.85 or E80.86 or E80.87 or E80.88 or E80.89 or E80.90 or E80.92 or E80.94 or E80.95 or E80.96 or E80.97 or E81.00 or E81.10)
From the client side: right-click the client icon -> help -> about
The issue occurs because of the internal certificate used by VPN/Endpoint services. One of the certificates expires on January 1st, 2021. Therefore, after this date, all services that use this certificate stop working. The fix is in the driver library: epklib. The library fixes an issue with the certificate's expiration validation.
This issue impacts different Endpoint blades such as VPN, Firewall, Anti-Bot, Forensics, and Threat-Emulation. The issue indirectly affects the administrator's ability to upgrade the clients that use software deployment rules. For example, FDE continues to work correctly, but if an organization uses VPN for connectivity, updates to the client fail.
The issue was fixed in August 2019 and the fix is a part of E81.20. We have recently identified customers who need to upgrade to the recommended versions but continue to use one of the deprecated and/or unsupported versions. At this time we are proactively approaching the applicable customers, ensuring they implement the patch on the current version and/or upgrade to a higher version.
The patch replaces a file on the local computer, fixing the date expiration verification of the certificate. It is safe to run and is already a part of E81.20. Customers have used it for the last 1.5 years on millions of computers.
If deployed through software distribution tools or Check Point's Compliance blade before January 1st, 2021, administrator privileges are not required. If not, administrator privileges are necessary to install the fix.
Look at the patch logs for success/failure messages when using the EPPatch.msi. For more information, see sk171275.
Check the file version of epklib.sys itself (C:\windows\system32\drivers\) and validate that the version is the same as or higher than 8.60.5.7253.
To use Check Point's Compliance blade to find the outdated driver that needs replacement (by checking its version), follow sk171279.
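One way to script the epklib.sys file-version check described above, as an added example that is not part of Check Point's advisory or tooling. The driver path and minimum version come from the text above; the function name, status strings, and exit codes are assumptions made for this example.

```powershell
# Added example: report whether the patched epklib.sys driver is installed.
# Minimum version and driver location are taken from the advisory text.
# Exit codes are this example's own convention for deployment tools:
#   0 = patched, 1 = outdated (patch still needed), 2 = driver not found.
# Run it as a script file; 'exit' closes an interactive console.

$MinVersion = New-Object System.Version -ArgumentList 8, 60, 5, 7253

# A 32-bit PowerShell host on 64-bit Windows is redirected from System32 to
# SysWOW64 and would miss the driver. 'Sysnative' bypasses that redirection.
$sysDir = if ($env:PROCESSOR_ARCHITEW6432) { 'Sysnative' } else { 'System32' }
$DriverPath = Join-Path $env:SystemRoot (Join-Path $sysDir 'drivers\epklib.sys')

function Get-EpklibStatus {
    param(
        [string]$Path = $DriverPath,
        [System.Version]$Minimum = $MinVersion
    )

    $found  = $null
    $status = 'NotFound'

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $info = (Get-Item -LiteralPath $Path).VersionInfo
        # Use the numeric parts; the FileVersion string can carry extra text.
        $found = New-Object System.Version -ArgumentList `
            $info.FileMajorPart, $info.FileMinorPart,
            $info.FileBuildPart, $info.FilePrivatePart
        $status = if ($found -ge $Minimum) { 'Patched' } else { 'Outdated' }
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        Path        = $Path
        FileVersion = $found
        Minimum     = $Minimum
        Status      = $status
    }
}

$result = Get-EpklibStatus
$result | Format-List Computer, Path, FileVersion, Minimum, Status

switch ($result.Status) {
    'Patched'  { exit 0 }
    'Outdated' { exit 1 }
    default    { exit 2 }
}
```

A NotFound result does not by itself mean the machine is safe or affected; confirm the installed client version with the SmartLog query or the client's about dialog.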