I tried with no success to download a trial version of F-Secure to test if it will work with my company’s VPN, as they say they do support it.
Naturally, I get no love when I try to log in (Level-1 access, essentially worthless).
So, how is this fucking Juniper client validating that I don’t have the right version, and what can I do to beat him?
I figured watching his behavior under ProcMon would do the trick, but it’s led me to quite a few different interesting things.
I *think* the primary process that does host checking is dsHostChecker.exe, which you can find in the Juniper Client Install path. Or its roaming data path. Or whatever. These guys have got skills at being pains in the ass.
Directory of note: \Users\%User%\AppData\Roaming\Juniper Networks
After observing him during the process, there are a few ways this guy can be validating:
1. Registry – my first guess, and he does do a *lot* of registry calls against my F-Secure keys. But what that doesn’t explain is:
Some obscure keys come up during the check; I’m going to list a few interesting ones here for my reference later:
HKLM\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Agent
2. POLUTIL – this guy lives as part of the F-Secure installation and can provide tidbits of information on the install state. This post seems to scratch the surface: (http://community.f-secure.com/t5/End-point/How-do-I-query-my-F-Secure/td-p/2163)
3. What I’m dreading, but what is possible, is that there is a management client installed as part of F-Secure which allows apps to “hook” into the DLLs and get information on what’s going on in there. If this is the case, I have a few options; it means I’d have to hack a DLL in F-Secure.
Good luck.