Full Disclosure mailing list archives
Another Checkpoint SecureClient NGX SCV Bypass
From: Avner Peled <avnerus () gmail com>
Date: Thu, 15 Dec 2005 10:35:34 +0200
Hello all,

After reading the post on http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039634.html about disabling secure configuration verification in Checkpoint's SecureClient I thought I'd post my own findings. My method of bypassing the check also requires Administrator privileges but does not require anything running in the background.

Here are the steps I took to bypass the check.

1. Download the free OPSEC Desktop SDK from www.opsec.com
2. Prepare an SCV DLL using the sample SCV plugin in the SDK; have the plugin always return SCV_CHECK_PASSED in the Status() function.
3. Make a copy of that DLL for each DLL that is being used by the policy, each time changing the #define PiName to the name of the check you want to bypass (for example AntivirusMonitor, RegMonitor). Copy the new DLLs (the DLL name could be different) to Program Files\Checkpoint\SecureRemote\scv
4. Stop SecureClient.
5. Use the tool provided in the SDK, PiReg.exe, to unregister (-d flag) the monitor DLLs in Program Files\Checkpoint\SecureRemote\scv
6. Use the same tool to register all of the DLLs with the same PiName.
7. Start SecureClient. "Configuration Verified"

---------------------
Avner Peled.
avnerus () gmail com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
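Editor's added example (not code from the post, from Check Point, or from the OPSEC SDK): the bypass above works by replacing or re-registering the monitor DLLs in the scv directory, so the simplest thing an administrator can do on the detection side is keep a hash baseline of that directory and diff it. The script below does that with SHA-256 over every .dll, reporting files added, removed or modified, and walks through a constructed scenario that reproduces both variants step 3 allows (same file name with a new body, and a new file name). The directory path is the one named in the post with an assumed drive letter; the JSON baseline format and all DLL contents in the demo are constructed for this example.

```python
"""Baseline integrity check for the SecureClient SCV plugin directory.

Added example; not part of the original post or of any Check Point code.
The directory path comes from the post (drive letter assumed); the baseline
file format is an assumption of this example.
"""
import hashlib
import json
import os
import tempfile

# Path named in the post; the drive letter is an assumption.
SCV_DIR = r"C:\Program Files\Checkpoint\SecureRemote\scv"


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(directory):
    """Map lower-cased DLL file name -> SHA-256 for every .dll in directory.
    Names are lower-cased because the file system is case-insensitive."""
    snap = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if name.lower().endswith(".dll") and os.path.isfile(full):
            snap[name.lower()] = hash_file(full)
    return snap


def compare(baseline, current):
    """DLLs added, removed or changed relative to the recorded baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline
                           if n in current and baseline[n] != current[n]),
    }


def save_baseline(path, snap):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_live(baseline_path, directory=SCV_DIR):
    """Compare the real scv directory against a previously saved baseline."""
    return compare(load_baseline(baseline_path), snapshot(directory))


def demo():
    """Constructed walkthrough: a temporary directory stands in for the scv
    directory and the DLL bodies are dummy bytes, not real plugins."""
    with tempfile.TemporaryDirectory() as scv:
        def put(name, data):
            with open(os.path.join(scv, name), "wb") as f:
                f.write(data)

        # Known-good state: the monitor plugins the policy relies on.
        put("AntivirusMonitor.dll", b"vendor antivirus monitor build")
        put("RegMonitor.dll", b"vendor registry monitor build")
        baseline_path = os.path.join(scv, "baseline.json")
        save_baseline(baseline_path, snapshot(scv))

        # The swap from the post: one plugin overwritten under its own name,
        # one replaced by a differently named DLL carrying the same PiName.
        put("RegMonitor.dll", b"sdk sample plugin, Status() always PASSED")
        os.remove(os.path.join(scv, "AntivirusMonitor.dll"))
        put("passall.dll", b"sdk sample plugin, PiName=AntivirusMonitor")

        return check_live(baseline_path, directory=scv)


if __name__ == "__main__":
    print(demo())
```

Two caveats. The diff only sees file contents, so a plugin that is merely unregistered and re-registered with PiReg.exe without touching the files will not show up; pair it with whatever inventory of registered plugins the SDK tooling exposes. More fundamentally, the post's attacker already has Administrator on the endpoint and can edit the baseline or the checker too, and the "Configuration Verified" verdict is produced on that same endpoint; the check is only worth something when the baseline and the comparison run from somewhere the endpoint user cannot reach.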