Endpoint Client now blocks more encryption programs that may be used to encrypt a drive as part of a ransomware attack. Programs that are used for legitimate purposes can be allowed by excluding the encryptor's signature. The feature is controlled by the "Block Bitlocker Encryption" option in the Endpoint management.
The new UI is now configured as the default UI for the Endpoint Security Client.
List of Enhancements and Resolved Issues in E86.60 for Windows
A rare issue where the Compliance blade stops working when Log4J vulnerability mitigation is enabled.
The Compliance blade displays redundant user checks.
The Compliance blade stops running during internal log operations.
Enhancement: Stability and performance improvements in the Virtual Network Adapter driver.
Enhancement: No connection error in VPN client for Windows when:
The site contains several gateways in Multiple Entry Point (MEP) mode.
Those gateways have SAML login options with different "Name" values but the same "Display Name" values.
Enhancement: Added support for Advanced Encryption Standard New Instructions. AES-NI is a set of CPU instructions to improve the speed of traffic encryption and decryption with Advanced Encryption Standard (AES) cryptographic algorithms. VPN client for Windows uses AES-NI automatically if the CPU supports it.
Check Point Endpoint Security VPN constantly consumes more than 30% of CPU when the VPN is not connected. A reboot does not fix the issue.
Enhancement: Added an option to define when the re-authentication window is shown. Refer to sk75221 for more details about the reauth_grace_period parameter. The value can be set in the trac.defaults configuration file on the client side and/or in the trac_client_1.ttm configuration file on the Security Gateway.
SecuRemote VPN client for Windows shows the warning "No security policy is configured" when Desktop Policy is defined.
To mitigate the potential for local privilege elevation, starting in E86.60 the VPN client for Windows will always install into the standard Windows folder for 32-bit applications (by default "C:\Program Files (x86)"). For organizations where the VPN client must still be installed in a non-default folder, an administrator can use the MSI parameter "INSTALLDIR": CheckPointVPN.msi INSTALLDIR="C:\MyOrgApplications"
To mitigate the potential to disable VPN functionality, Endpoint Security VPN Client for Windows protects relevant registry keys from modification.
Full Disk Encryption
Enhancement: Check Point FDE now supports shrinking encrypted volumes.
An issue in the deployment phase where enabling fast initial encryption through policy could not be undone.
A pre-boot keyboard issue with Dell XPS 13 9300.
Added support for FDE rescan. When dynamic encryption is enabled, encryption now starts automatically when new volumes or disks are added.
Enhancement: In the new UI, it is now possible to click on the blade's icon in the main page tiles to navigate to the blade's page.
Enhancement: In the new UI, the VPN reauthentication button now shows on the VPN blade's page and the tray icon menu.
Enhancement: When hovered over, the tray lock icon in the new UI now updates to the correct status.
Enhancement: Added Ukrainian language support to the legacy and new UI.
Enhancement: The logo was updated in the legacy UI.
Enhancement: Endpoint Client now supports communication with the Endpoint Server through an authenticated proxy when the proxy username and password are received through policy.
A blue screen of death (BSOD) occurs during version upgrade on 32-bit Windows 7 machines.
Endpoint Client Watchdog
Performance improvements in the Endpoint Client Watchdog.
In a rare scenario, the Endpoint upgrade procedure stops, which results in no network connectivity.
If these two actions are performed at the same time:
The Media encryption blade is removed from the deployment rule
The client is upgraded to a higher version
The upgrade fails on installed versions earlier than 86.20. The workaround is to first upgrade to a higher version and then remove the Media encryption blade from the deployment rule.
While the user tries to cancel a scan, the Anti-Malware blade stops responding.
Enhancement: When malware shows in the Endpoint Client Anti-Malware (E2) detection logs, the user can now right-click the log and exclude the detection, which adds an exclusion to the management. This exclusion prevents the detection from taking place. It is a simplified procedure to automatically create exclusions when incorrect detections are identified in the logs.
In a rare scenario, after an upgrade when the machine is disconnected from the Internet, the Security Gateway and Anti-Malware blade do not perform as expected.
Enhancement: Endpoint Client now blocks more encryption programs that may be used to encrypt a drive as part of a ransomware attack. Programs that are used for legitimate purposes can be allowed by excluding the encryptor's signature. The feature is controlled by the "Block Bitlocker Encryption" option in the Endpoint management.
Starting from E80.85, Harmony Endpoint improves coverage of malicious threats by sending anonymized Incident related data to the Check Point Threat Cloud. This feature is turned on by default. For more information, including how to disable this feature, refer to sk129753.
To support SmartLog or SmartView Tracker reporting with Endpoint Security Clients for all supported servers (except R80.20), you must update the log schema. Follow instructions in sk106662.
E86.60 Standalone VPN client starts but VPN connection cannot be established if there was no connection to the Internet during the VPN service start (system boot, restart). The "Connectivity with the Check Point Endpoint Security service is lost. VPN Service is down" error will be displayed until the Internet connection is resumed.
Users and devices that may be affected:
The majority of ATMs, because these machines do not have access to the Internet.
Users at hotels, airports, etc., who connect through a hotspot portal but cannot use the system browser because the firewall policy blocks ports.
Organizations with restricted access to the Internet (only through VPN), such as banks, the military, or governments.
The issue was fixed in E86.61. The download links can be found above, under the Standalone Client Downloads section in this SK. If E86.61 Standalone VPN Client is installed, installation of E86.60 Endpoint Security Client (complete package) fails. To upgrade E86.61 Standalone VPN Client with a complete package, use E86.70 or above.
If a user with administrative privileges opens the "Network Connections" list, and then disables/enables the connection associated with the "Check Point Virtual Network Adapter For Endpoint VPN Client" device, connections to the VPN site fail. As a result, the VPN client shows this error message "Failed to load virtual network adapter". To resolve this issue, restart the "Check Point Endpoint Security VPN" service or reboot the computer.
Endpoint client fails to send files to emulation on a Threat Emulation (TE) Appliance that runs engine 59.990001349 or earlier. The issue does not affect emulation performed through ThreatCloud Emulation. Refer to sk180179.