Defeating Checkpoint's Reflexes


You need admin on the box you are trying to work with.
(For how to get admin privileges, please refer to the previously posted tutorial "Gaining Admin Rights on Windows Boxen".)

Checkpoint puts out some pretty decent security and firewall software.
The problem is that they are also known for buying software from other companies and then having to clean up and support someone else's mess, which they made their own because the idea behind the software sounded good the first time they heard it.

Two examples of this are the "Zone Alarm" antivirus and firewall suite
(personally, I think antivirus systems are a bit pointless, but I do like Zone Alarm's firewall setup, since Checkpoint is pretty much the "firewall master")
and Reflex Disknet, which is built on the newer corporate policy of not letting users copy data to a flash drive or any other external media.

Firstly, the reason the Reflex software is being used more is a test a hacker did a while back: he left a virus/trojan-infected flash drive lying around an office, and almost everyone who saw it felt they needed to plug it into their work computer to see what was on it.
There is also some truth to the fact that, with all the propaganda around so-called "hacker attacks", companies are scared and everyone is taking extra precautions to keep corporate data safe.

So if you are an admin or security person and you still have read permissions turned on for flash drives/external media, you are not exactly preventing the scenario mentioned above.

A little while ago I found out that if you have read access, even though the software denies you writing to an external device, there are many ways around this.

First and foremost, if you are already an administrator of the machine, you can simply remove the software.
This is generally not a good idea, because your admin/security person will get angry.

Secondly, do a little playing and research and edit the registry keys it changes to disallow writing to external media.
This is not a bad option, but you have to remember to change them back, and the change may get logged, so you will have to delete those entries too.

Thirdly, and what I would consider the preferred way:
Step 1: (from your personal, non-work computer)
Have "TrueCrypt.exe" downloaded and placed on a flash drive.

Step 2: (from your personal, non-work computer)
Make an encrypted volume on the flash drive, any size you want.
This involves choosing a password with which to mount the encrypted volume.

Step 3: (from your work computer)
Plug in the flash drive or external media.

Open the drive letter your flash drive is assigned; let's call it E:\
Execute TrueCrypt.exe (normally, if they allow read, they allow execute).

Use TrueCrypt to mount the encrypted volume you created on your flash drive.
Let's pretend it mounts as F:\

Write whatever you want to the F:\ drive, successfully bypassing Reflex!
Remember to try to delete any log files: older versions store their logs on the local disk, while newer versions send them to a server set up on the network.
(Obviously you could unplug the network connection if you needed to, but then the logs may be cached locally somewhere, waiting to be sent the next chance it gets.)

Why does this work?
Because the software is set up to deny writes to external devices, and it decides what counts as external from how Windows classifies the drive.
Once you mount the encrypted volume, Windows presents it as a locally attached partition, not as an external device, so writes to F:\ are never treated as writes to the flash drive.

Another method I recently found out about, along the same lines: if you have a folder on your flash drive and you make that folder a network share, you are then able to write to that share regardless of the fact that it is located on a flash drive.
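The following PowerShell script is an added example, not code from the original tutorial or from Checkpoint/Reflex. It scripts the TrueCrypt container method (Steps 1-3 above) and the share method, and prints the DriveType code Windows assigns to each path so the "why does this work" explanation can be seen directly. All names and paths are assumptions: the flash drive is E:, TrueCrypt.exe and a container file E:\vault.tc were prepared on the personal machine, a folder E:\share already exists on the drive, the container mounts as F:, and the script runs from a local admin session (TrueCrypt needs admin to mount). The TrueCrypt switches used (/v, /l, /p, /q, /s, /d) are its documented command-line options.

```powershell
# Added example, not code from the original tutorial: scripts the two bypass
# paths described above and shows how Windows classifies each drive.
# Assumptions (hypothetical): flash drive E:, TrueCrypt.exe and the container
# E:\vault.tc on it, an existing folder E:\share, mount letter F, admin session.

$Usb       = 'E:'
$TrueCrypt = "$Usb\TrueCrypt.exe"
$Container = "$Usb\vault.tc"
$Letter    = 'F'

# Win32_LogicalDisk.DriveType codes: 2 = removable disk, 3 = local fixed disk,
# 4 = network drive. Device control that blocks "external devices" keys on 2.
# Get-WmiObject is used because it exists on the old Windows PowerShell 2.0 hosts
# this tutorial targets (Get-CimInstance is the modern equivalent).
function Get-DriveType([string]$Drive) {
    (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'").DriveType
}

# Attempt a file write and report whether it was allowed, without throwing.
function Test-Write([string]$Path) {
    try {
        [IO.File]::WriteAllText($Path, "written $(Get-Date)")
        return $true
    } catch {
        return $false
    }
}

# Method 1: mount the TrueCrypt container that lives on the read-only drive.
# /v volume file, /l drive letter, /p password, /q quit after mounting, /s silent.
function Mount-Container([string]$Password) {
    # Caveat: /p puts the password on the command line, where process-creation
    # auditing (and the product logs the tutorial warns about) can capture it.
    # Leaving /p off makes TrueCrypt prompt for it instead.
    & $TrueCrypt /v $Container /l $Letter /p $Password /q /s
    Start-Sleep -Seconds 2   # give the driver a moment to expose the new volume
}

function Dismount-Container {
    & $TrueCrypt /d $Letter /q /s
}

# Method 2: publish a folder on the flash drive as an SMB share and write to it
# through the loopback UNC path instead of through E:\.
function New-UsbShare([string]$Folder, [string]$Name) {
    # The /GRANT switch exists on Vista and later; on older hosts set the share
    # permissions by hand. Quoted so PowerShell does not split on the comma.
    net share "$Name=$Folder" '/GRANT:Everyone,FULL' | Out-Null
}

function Remove-UsbShare([string]$Name) {
    net share $Name /delete | Out-Null
}

# --- walkthrough ---
"Direct write to $Usb\ allowed: " + (Test-Write "$Usb\direct.txt")

Mount-Container -Password (Read-Host 'Container password')
"$Usb DriveType code: " + (Get-DriveType $Usb)                 # 2 = removable
"${Letter}: DriveType code: " + (Get-DriveType "${Letter}:")    # 3 = local fixed disk
"Write via container ${Letter}:\ allowed: " + (Test-Write "${Letter}:\via-container.txt")
Dismount-Container

New-UsbShare -Folder "$Usb\share" -Name 'usbshare'
"Write via \\localhost\usbshare allowed: " + (Test-Write '\\localhost\usbshare\via-share.txt')
Remove-UsbShare -Name 'usbshare'
```

Two caveats when reading the output. TrueCrypt reports the container as a local disk only with its default mount options; the "Mount volume as removable medium" option makes it report as removable, which would put it back under the same policy as E:. And whether the container write really lands depends on where the product hooks: a filter that looks at the drive letter or device type of the volume being written is fooled, while one that filters every write reaching the underlying USB disk is not, because the TrueCrypt driver still ends up writing to E:\vault.tc. The tutorial reports that Reflex behaves like the first kind.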

The proper way to prevent this sort of thing is for the admin to have the approved shared drives already mounted and in place, and to deny everything else:
deny mounting of any other drive, and deny all access to any other drive that has not already been explicitly granted.
Denying execution from removable media also closes the TrueCrypt route on its own, since that method depends on running TrueCrypt.exe from the read-only drive.
To try to defeat the other methods mentioned above, you can deny registry editing (which can be a pain, because there are so many ways around that as well), or you can simply not give people admin rights and stick with "Power User" or something similar at most.
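For the admin side, the following PowerShell audit is an added example (not part of the original tutorial, not a Reflex or Checkpoint tool) that checks for the conditions the two bypasses above rely on: whether Windows' own removable-storage write block is on, whether any "local disk" drive letter has no backing partition (the signature of a mounted container such as TrueCrypt's), and whether any SMB share points at a removable drive. It assumes Windows PowerShell run as admin on Windows 8 / Server 2012 or later, where Get-Partition and Get-SmbShare exist; the function names are my own.

```powershell
# Added example, not code from the original tutorial: admin-side audit for the
# removable-media write bypasses described above. Assumes Windows 8 / Server 2012
# or later and an elevated Windows PowerShell session.

# 1. Windows' built-in removable-storage write block: a DWORD WriteProtect=1 under
#    HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies makes USB
#    mass-storage devices read-only. Returns 1, 0, or $null when the key is absent.
function Get-UsbWriteProtect {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    if (Test-Path $key) { (Get-ItemProperty -Path $key).WriteProtect } else { $null }
}

# 2. Drive letters Windows calls "local disk" (DriveType 3) that do not map to a
#    partition on any disk the storage stack enumerates. Container volumes such as
#    TrueCrypt's, and other virtual-disk drivers, show up here. This is a heuristic:
#    a SUBST drive matches too, so review the list rather than alerting blindly.
function Get-UnbackedVolumes {
    $backed = Get-Partition |
        Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' } |
        ForEach-Object { "$($_.DriveLetter):" }
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $backed -notcontains $_.DeviceID } |
        Select-Object DeviceID, VolumeName, Size
}

# 3. SMB shares whose path sits on a removable drive (DriveType 2): the share
#    bypass needs one of these to exist on the box.
function Get-SharesOnRemovable {
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { $_.DeviceID }
    Get-SmbShare |
        Where-Object { $_.Path -and ($removable -contains $_.Path.Substring(0, 2).ToUpper()) } |
        Select-Object Name, Path
}

# Collect the three checks into one object so the result can be logged or compared.
function Invoke-RemovableMediaAudit {
    [pscustomobject]@{
        WriteProtectPolicy = Get-UsbWriteProtect
        UnbackedVolumes    = @(Get-UnbackedVolumes)
        SharesOnRemovable  = @(Get-SharesOnRemovable)
    }
}

Invoke-RemovableMediaAudit | Format-List
```

Run it while a TrueCrypt container from the tutorial is mounted and the mounted letter appears under UnbackedVolumes while the flash drive itself does not, which is exactly the classification difference the bypass exploits. Treat a non-empty SharesOnRemovable as a policy violation regardless of who created the share; the share is what turns a read-only drive letter into a writable UNC path.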