
Anyone else having problems with SEP 12.1 and CheckPoint VPN..?

Created: 20 Jul 2011 | 23 comments
Zeepee's picture

Hi there,

Is anyone else having problems getting CheckPoint Secure Client (VPN Client) to work on SEP 12.1 clients..?

Generally the SEP 12.1 client doesn't report that anything is being blocked, quarantined or similar; when we install it on a machine with the CheckPoint VPN client on, it just prevents the VPN client from running.

However we have had a couple of machines that report that SONAR has blocked "svchost.exe" (see below)
 

 

Computer: EZ-MRT2
User: SYSTEM
IP Address: 10.100.200.70
Risk: Microsoft® Windows® Operating System
Risk Type: (None)
Risk Count: 1
Date Time: 08-07-2011 15:14:32
Domain: Default
Server: sec-03
Group: My Company\Clients\64 bit
Action: Access denied
Source: SONAR
File / Entry: c:\windows\system32\svchost.exe

Now we have tried to make exceptions to SONAR as well as normal Security Scans on both the CheckPoint Secure Client folder and on the "svchost.exe", but still the same.

We have also tried to disable the whole SEP 12.1 client, but the problem continues.

Only when we uninstall the SEP 12.1 client from the machine, does CheckPoint VPN client work as before. 
 

Now, I am desperate to find a solution to this, as we can't implement SEP 12.1 into our environment before the VPN client works. So if anyone else has experienced the same issue and found a solution, I'd really like to hear from you.

Today all of our machines are currently running Windows 7 SP1 64 bit, and use SEP 11.6100.645 along with the latest CheckPoint VPN client (Check Point Endpoint Security VPN E75)

 

/Zeepee
 


Srikanth_Subra's picture

Hi,

We are also having Checkpoint VPN..but we are planning to install 12.1..so 12.1 will clash with VPN?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Schtiewie's picture

I have the problem, that we have SEP 12.1 and Checkpoint 7.6.306.001-R73.

I did NOT choose any firewall parts for the rollout package.

After several reboots (1-10) suddenly our remote control (Dameware) utility is no longer working.

When I uninstall Checkpoint, Dameware is working. If I uninstall SEP12.1, Dameware is also working.

If I have both installed, I am not able to connect to Dameware remotely. (Access denied)

No events in the client that anything was blocked.

Then I created a package with the firewall part. The firewall part lets me see in the activity monitor which app wants to communicate.

Suddenly I see trgui.exe for a sec and it is gone. 5 sec later the same. So I excluded the whole Checkpoint folder from scan. After that, trgui.exe is shown permanently in the activity monitor.

Then I added in the exclusion policy trgui.exe to the application for monitoring.

Now I get the following:

Computer: M01Pxxxxx
User: xxxxx
IP Address: 10.22.50.198
Application Name: Check Point Endpoint Connect
Application Type: Trojan Worm
Risk Count: 1
Date Time: 21.07.2011 13:32:30
Domain: Default
Server: w01abnav10
Group: My Company\W01\W01 Client
Action: Left alone
Source: SONAR
File: c:\program files (x86)\checkpoint\endpoint security\endpoint connect\trgui.exe

If I scan manually, nothing is found. Perhaps the Checkpoint clients have code that Symantec blocks and does not report?

_Brian's picture

This is caught by SONAR, not by the traditional AV signatures. SONAR provides proactive protection and uses heuristics to determine if a process may be malicious or not. If a process has characteristics of a worm, trojan, backdoor, etc. SONAR will flag it. This is what is happening here.

Check the SONAR tab in your AV policy and see how you have it set, example below:

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Paul Murgatroyd's picture

Zeepee,

Check your SONAR configuration for "Host file change detected" and "DNS change detected"

If they are set to Block, change them to Log and test again.

There is currently no way to exclude processes from these two protection items and they can cause problems with VPN applications on connect.

Schtiewie, by adding the process to "Application to Monitor" you are FORCING SONAR to detect the file every time it runs; it's not malicious, it's being detected because you have told SONAR to detect it.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
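
As an added example (not part of Paul's post and not Symantec tooling): before moving "Host file change detected" from Block to Log, it helps to see which hosts-file mappings actually change when the VPN client connects. This Python script diffs two hosts-file snapshots; the sample contents, hostnames and addresses are constructed, and all function names are hypothetical.

```python
import hashlib

# Constructed sample snapshots; hostnames and addresses are illustrative.
BEFORE = "# local hosts file\n127.0.0.1 localhost\n"
AFTER = (
    "# local hosts file\n"
    "127.0.0.1 localhost\n"
    "10.20.30.40 intranet.example.test portal.example.test  # constructed entry\n"
)

def parse_hosts(text):
    """Return the set of (address, hostname) mappings in hosts-file text."""
    mappings = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        address = fields[0]
        for name in fields[1:]:  # one line may map several names
            mappings.add((address, name.lower()))
    return mappings

def diff_hosts(before, after):
    """Compare two snapshots: raw content change plus mapping-level delta."""
    old, new = parse_hosts(before), parse_hosts(after)
    digest = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    return {
        "content_changed": digest(before) != digest(after),
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }

def read_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read a hosts file for a snapshot (default path is the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

if __name__ == "__main__":
    result = diff_hosts(BEFORE, AFTER)
    print("content changed:", result["content_changed"])
    for address, name in result["added"]:
        print("added  ", address, name)
    for address, name in result["removed"]:
        print("removed", address, name)
```

Take one snapshot with `read_hosts()` before connecting the VPN and one after, then pass both to `diff_hosts()`; a content change with no added or removed mappings means only comments or whitespace were rewritten.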

_Brian's picture

Paul,

Just out of curiosity, is there a guide on the setting changes for SONAR?

With SEP 11, I know there was the option to Ignore when a commercial keylogger or commercial remote control app is detected.

I would like to know a little more about SONAR and what some of the settings mean. What is considered a high/low risk detection, What is aggressive mode, etc..

And I'm assuming the tab "TruScan Legacy Client Settings" only applies to SEP 11, so if we have no SEP 11 clients then this tab can be ignored?


_Brian's picture

Schtiewie,

What version of Dameware are you running? I'm using 6.9.0.0 and SONAR is not detecting it?

Is it being detected when you try to remote to another machine?


_Brian's picture

Tested Checkpoint VPN and got these results:

 

Just as Paul suggested, you can set it to either Log or Ignore and you won't have the problem any more:


Schtiewie's picture

@Brian81

I use Dameware 6.9.0. Also tried the newest version 7.5.6.

When I try to connect from a remote machine I receive access denied. That only happened on the notebook where the Checkpoint VPN+firewall client is installed.

DNS and Host was set to Ignore.

Sonar Detection for High risk is set to quarantine and low risk is set to log.

_Brian's picture

I'm currently using 6.9.0 but haven't tried 7.5.6. I'm having no issues with 6.9.0 though.

Access denied sounds different than the SONAR detection though. Assuming you have notifications turned on, you would get it but you can also check the PTP logs. Did you see anything in there saying it was stopping dameware?

I get access denied with dameware when the local admin password was changed on the box I'm remoting to or if the group I'm in to use Dameware has not been added to the correct group on the machine I'm remoting to.

You would need to verify the PTP log but this doesn't sound like SONAR.


Zeepee's picture

Sorry for the late answer, but I didn't get a notification that anyone had replied.

I will test your suggestions regarding the DNS and Host file changes in SONAR ASAP and report back.

Thanks for the quick replies and solution suggestions.

 

/Zeepee

 

Zeepee's picture

Okay I have tried making the configuration changes regarding DNS and Host file under SONAR, but the issue is still the same.

The Checkpoint Endpoint Security VPN E73 client still ceases to work and loses its connectivity to its own service.

Unfortunately we still don't get any reports or logs on the SEP client or SEP Manager that anything has been blocked, quarantined or logged.

Also as I mentioned in the original post, I have tried to make exceptions for the checkpoint folders and processes, disabled SONAR and later the whole client, but the problem still persists.
 

But if I uninstall the new SEP 12.1 client from the machine, then the Checkpoint VPN client works as before.

So to me it seems that there is a compatibility issue between the SEP 12.1 client and the Checkpoint Endpoint Security VPN E73 client, running on the same machine.

Until this gets fixed, I guess we keep using SEP 11.x as that version works fine with the Checkpoint VPN...

 

/Zeepee

 

Schtiewie's picture

@Zeepee

Did you find a solution?

I created a lot of installation packages and tested them. With every package I create, I remove one feature.

At least I have only the basic protection and the problem still exists. But I found out that when I install a client package, I must reboot 4 to 20 times till the problem with the Checkpoint client appears.

I have the best result when I install all features complete. Then it took 20 reboots till the problem appeared.

Two weeks ago I created a "high priority" case at Symantec support, but they did what I expected:

NOTHING.

MichelZ's picture

Hi guys

I do have the same problem with Checkpoint VPN E73.1 and Endpoint Protection 12.1 on Windows 7 x64 SP1, however, it does not seem to be permanent.

Sometimes, I do get the "Connectivity with the VPN service is lost", and sometimes (after a boot or two) it does work.

Anyone having a solution for this, or any tips?
Else, I'm probably gonna open cases with Symantec/Checkpoint...

Cheers
Michel

Zeepee's picture

No I didn't find a solution yet...

For us the problem appears immediately after installation and disables the Checkpoint VPN in 9 out of 10 startups.

We have tried to install different components of the SEP 12.1 client, but the problem persists.

 

We have already opened a support case with Symantec, but no solution yet.

If we get one, I'll post it here.

 

/Zeepee

MichelZ's picture

I just installed E75.20 (you can get it as an Early Availability from the Checkpoint homepage), and it seems that it does solve the problem. (At least the client was running now on both of my test-boots...)

Maybe you can all try it too, and let us know if it works on your ends.

Cheers
Michel

Bohdan789's picture

Hi guys,

I have the same problem with SEP 12.1. I tested Checkpoint version E75.20, Check Point Endpoint Security VPN service is able to start in this version without crash, but Checkpoint's GUI crashes each time on start, so it is not possible to use it..

Hopefully Symantec will fix it in next SEP 12 release...

Srikanth_Subra's picture

For me there is no issue with Checkpoint VPN and Symantec..both are working fine..

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

CaryC's picture

I am having the same issues with hosts file/DNS changes being detected by SONAR for Juniper's network connect VPN. Thankfully it is not interfering with operation of the VPN.

It's extremely frustrating as we get heaps of notifications on these. I wish I could create an exception.

I don't consider turning the detections off to be a valid workaround.

Schtiewie's picture

Symantec knowledgebase:

http://www.symantec.com/business/support/index?page=content&id=TECH167057

 

Solution

Symantec is aware and investigating this issue.  This document will be updated as more information is available.  To work around this issue roll back to the previous client version.

This is what Symantec called a solution?

_Brian's picture

Not a solution, but a workaround. A solution will be forthcoming in a later version of SEP 12.1


SySManager's picture

Yes, we are having troubles too, and Symantec support confirmed to us that this problem will be fixed in the next release.

I can't believe that, because the workaround that Symantec Support told us for migrated laptops is to do a rollback. And what if you have hundreds and hundreds of machines?

 

MichelZ's picture

Sorry to say, but I'd suggest you have to think about your own internal testing procedures?

Schtiewie's picture

Installing 12.1RU1 fixed the problem. Checkpoint Client is now running.