Another Checkpoint SecureClient NGX SCV Bypass

[Avner Peled <avnerus () gmail com>]

Hello all,
After reading the post on
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039634.htmlabout
disabling secure configuartion verification in Checkpoint's
SecureClient I thought I'd post my own findings.
My method of bypassing the check also requires Administrator privileges but
does not require anything running in the background.
Here are the steps I took to bypass the check.

1. Download the free OPSEC Desktop SDK from www.opsec.com
2. Prepare an scv dll using the sample scv plugin in the sdk, have the
plugin always return SCV_CHECK_PASSED in Status() function.
3. Make a copy of that dll for each dll that is being used by the policy,
each time changing the #define PiName for the name of the check you want to
bypass (For example AntivirusMonitior, RegMonitor). Copy the new dll's (dll
name could be different) to Program Files\Checkpoint\SecureRemote\scv
4. Stop secureclient.
5. Use the tool provided in the sdk PiReg.exe to unregsiter (-d flag) the
monitor dll's in Program Files\Checkpoint\SecureRemote\scv
6. Use the same tool to register all of the dll's with the same PiName.
7. Start secureclient.

"Configuration Verified"

---------------------
Avner Peled.
avnerus () gmail com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/