Symantec Endpoint Encryption Removable Storage Release Notes

Symantec Endpoint Encryption Removable Storage Release

Notes

Symantec Endpoint Encryption Removable Storage 8.2.1 Symantec Endpoint Encryption Framework 8.2.1

www.symantec.com

About Symantec Endpoint Encryption Removable Storage

Symantec Endpoint Encryption Removable Storage allows enterprise organizations and government agencies to enjoy the benefits of removable storage devices while eliminating the liability, customer service, and brand erosion costs associated with data breach incidents. As part of Symantec Endpoint Encryption (SEE), SEE Removable Storage leverages existing IT infrastructures for seamless deployment and operation.

SEE Removable Storage provides the industry’s most robust and comprehensive integration with Microsoft Active Directory for fast, simple deployment of endpoint data protection controls in a familiar administrative environment.

What’s New

What’s New in Version 8.2.1

Device Exclusion List Increased

The number of devices the administrator can now exclude in the device exclusion list has increased from 20 to 50. In addition, wild card support has been added so administrators can exclude all devices from a vendor.

Able to encrypt multiple files/folders

Users can now encrypt multiple files and/or folders at a time using the Windows Access Utility.

What’s New in Version 8.2.0

Device Session Default Password

If allowed by policy, users can now set a default password that lasts as long as the device remains connected or until the user logs off of Windows.

Removable Storage Access Utility Distribution

Administrators can now choose whether to distribute the Removable Storage Access Utility for Mac OS X, the Removable Storage Access Utility for Windows, or both.

CD/DVD Burner Blocking

Symantec Endpoint Encryption Device Control can now block all CD/DVD burning applications except the Removable Storage CD/DVD Burner application, ensuring enforcement of Removable Storage policy on optical media. Requires separate Symantec Endpoint Encryption Device Control application.

eSATA

Removable Storage now protects eSATA drives. USB 3.0

USB 3.0 ports and devices are now supported. Multi-Factor Authentication Enhancements

This release of Removable Storage features the following enhancements to multi-factor Client Console authentication.

 Additional Readers Supported—ExpressCard smart card readers and Argus 3015 USB 2.0 Dual

Card Reader (smart card slot only).

 Additional Smart Cards Tested—Oberthur ID-One Cosmo 64 v5.2D Fast ATR with PIV application

SDK, Oberthur ID-One 128K v5.5 (dual), and HID Crescendo C700.

 Additional Software Supported—SafeSign Identity Client v3.0.40 and VeriSign PKI Client v1.5.

 Additional Data Model Supported—SafeSign v2.1.

Resolved Issues

For a list of issues that have been resolved in this release, please go to the Symantec Knowledgebase and search for TECH184842, "SEE Removable Storage Resolved Issues."

Installation Notes

Symantec Endpoint Encryption Framework 8.2.1 is only compatible with SEE Removable Storage 8.2.1 and SEE Full Disk 8.2.1. If you are running SEE Full Disk and plan to upgrade to SEE Removable Storage 8.2.1, you must also upgrade to SEE Full Disk 8.2.1.

Known Issues

Compatibility

Number

Third

Party

Product

Description

Workaround

After providing Microsoft BitLocker password, the drive gets unlocked but attempts to open the partition results in an "Access is denied" error.

Do not install SEE Removable Storage on a system encrypted with Microsoft BitLocker.

MA20688/2547597 Symantec Backup Exec

Attempts to restore from backup may fail with the message, “Errors exist.”

Remove and reinsert device.

MA24144/2551052 Microsoft Security Essentials (MSE)

After clicking to open an encrypted file, users may see XML code instead of the file contents.

Remove and reinsert device. To prevent the issue from

recurring, disable the MSE real-time protection feature. MA21710/2548617 Windows Live

File System

If the user chooses to format a CD/DVD using the Windows Live File System, the existing

encryption policy will be

enforced on the CD/DVD but the automatic copying of the Removable Storage Access Utility will not.

Users should insert a regular USB flash drive to obtain the Removable Storage Access Utility. Users can use the Removable Storage Access Utility from the alternate media to decrypt the CD/DVD.

MA22034/2549209 Windows Server 2008

The CD/DVD burner bundled with Windows Server 2008 enforces Removable Storage encryption policies.

Number

Third

Party

Product

Description

Workaround

Administrators may experience intermittent failures with Windows programs that make use of Volume Shadow Service (VSS) on Symantec Endpoint Encryption Removable Storage– protected computers with operating systems other than Windows XP.

Try again.

MA11594/2538616 Anti-Virus Tools

If an antivirus program scans a removable storage device, multiple password prompts may be generated.

Enable group key, set Default Password, or set Default Certificate(s).

MA11146/2538170 SanDisk U3 Software

The use of SanDisk’s built-in U3 software to download U3 applications is not supported. MA12322/2539344 Media

Transport Protocol (MTP)

Policies will not be enforced on devices that are in Media Transport Protocol (MTP) mode. MA14639/2541591 Roxio Easy

Media Creator

If the encryption policy is set to Encrypt all and the disc is formatted with Roxio Drag-to-Disc, files dragged and dropped to CD/DVD using Windows Explorer will be encrypted.

Installation/Upgrade

Number

Description

Workaround

2645266 With the increase in the number of devices that can be excluded from encryption in version 8.2.1, the Device Exclusions panel in Installation Settings, Group Policy Objects (GPOs), and Native Policies now takes longer to load.

MA24186/2551094 If an eSATA or USB 3.0 drive was connected during the installation of Full Disk and Removable Storage, the message “Update Settings failed” appears following the post-installation reboot.

Shut the computer down. Remove the drive. Power on.

MA23202/2550104 Novell users with Single Sign-On enabled are no longer logged onto Novell automatically following an upgrade from Symantec Endpoint Encryption Full Disk 7.0.7 or earlier or GuardianEdge Hard Disk 9.5.1 Patch 1 or earlier.

Users must log on to the User Client Console, open the Novell SSO panel, select the Turn on Single Sign-On to Novell Netware check box, and click OK.

Number

Description

Workaround

MA22161/2549066 If a custom destination folder was chosen during the installation of GuardianEdge Management Server 9.2.2, 9.2.1, or 9.2.0, the default path shown in the Destination Folder page during the upgrade to 7.0.7 will be missing the final subdirectory. For example, if you chose

C:\GuardianEdge\Management Server\ for your original installation files, C:\GuardianEdge will be the default.

Click Change and navigate to the desired destination of the Symantec Endpoint

Encryption Management Server files.

MA20747/2547656 If a local instance is selected during the installation of the Symantec Endpoint Encryption Management Server, the Symantec Endpoint Encryption Management Server uninstallation will fail with the message, “Could not connect to Microsoft SQL Server.”

Locate the

GEServerConfig.xml file on the Symantec Endpoint Encryption Management Server machine. Find (local). Replace with the computer name of the Symantec Endpoint Encryption

Management Server machine. Save and close the file. Try the uninstall again.

Manager Console

Number

Description

Workaround

MA21307/2548215 If an XPS print job is canceled, the following error may be displayed, “The data area passed to a system call is too small.”

MA16623/2543556 Deploying an Active Directory policy that contains a change to the Client Administrator settings from an Symantec Endpoint Encryption 6.1.0 or later Manager to Symantec Endpoint Encryption 6.0.0 or earlier and/or GuardianEdge 8.5.3 or earlier clients will result in a failure of the new Client

Administrator policy to be applied, a deletion of all existing Client Administrator policies, and a return to the Client Administrators specified in the original installation settings.

When deploying an Active Directory policy from a 6.0.0 or earlier Manager, add the following WMI filter: Select * FROM Win32_Product WHERE (name=“Symantec Endpoint Encryption Framework Client” AND Version <= “6.0.0”) OR (name=“GuardianEdge Framework Client” OR name=“Encryption Anywhere Framework Client”) AND version <= “8.5.3”))

When deploying an Active Directory policy from a 6.1.0 or later Manager, add the following WMI filter: Select * FROM Win32_Product WHERE (name = “Symantec Endpoint Encryption Framework Client” AND version > "6.1.0") OR (name = “GuardianEdge

Microsoft Office Files

Number

Description

Workaround

MA21207/2548115 After a user opens and attempts to save a

previously encrypted Microsoft Office 2003 or 2007 file residing on removable media other than CD/DVD when an Encrypt to CD/DVD only policy is in place, a “permission denied” error will occur.

The user should select Save As instead of Save.

Removable Storage Access Utility

Number

Description

Workaround

MA21347/2548255 The device must have free space equivalent to twice the size of each file to be encrypted to accomplish encryption using the Removable Storage Access Utility.

MA21392/2548301 If a Mac OS X user adds a file or folder to the device, declines to encrypt it, then chooses to encrypt it later, the file may show a status of No in the Encrypted column and be inaccessible.

Remove and reinsert the device.

MA21252/2548160 Users will be unable to launch the Removable Storage Access Utility from Mac OS X computers if the RSMacAccessUtility.dmg file or the Mac Access Utility folder was renamed.

Rename the folder to Mac Access Utility. Rename the file to RSMacAccessUtility.dmg. Try again.

MA18663/2545574 The Removable Storage Access Utility will not be copied automatically to CompactFlash cards inserted into multi-card readers after Windows has loaded.

Power down, insert the card, and power on.

MA17816/2544732 MA17526/2544444

Upon closing the Removable Storage Access Utility on a PC, users will not be prompted to encrypt unencrypted files if the files were added to the device using Windows Explorer or using the Send to right-click menu option.

Users should use the Removable Storage Access Utility to add files to their removable storage devices, not Windows Explorer.

MA18337/2545251 Users may be able to copy two files or folders of the same name to a removable storage device using Windows Explorer or the Send to right-click menu option on a PC.

MA17454/2544372 MA18230/2545144

When an Encrypt all policy is enforced in conjunction with the writing of the Removable Storage Access Utility to all devices, users may receive a Write Failed message after clicking Continue or Limited Access on the pre-existing files warning message and a 0 byte Autorun.inf file will be copied to their device.

Users should be instructed to ignore these messages and occurrences.

eSATA Drives

Number

Description

Workaround

MA23780/2550684 Attempts to launch the Removable Storage Access Utility from an eSATA drive connected using any port other than an eSATA port that was built into the original computer will fail.

MA23836/2550740 MA23695/2550599

Removable Storage blocks access to eSATA drives connected using ports other than eSATA ports that were built into the original computer.

File Decryption/Encryption

Number

Description

Workaround

MA23099/2550002 Due to Windows limitations, self-extracting

executables larger than 4 GB fail to extract with the message, “file name.exe is not a valid Win32 application.”

Users should not create a self-extracting executable larger than 4 GB.

MA20076/2546984 MA21512/2548422

Users may be unable to decrypt files encrypted by the Removable Storage Access Utility from a Symantec Endpoint Encryption Removable Storage–protected machine—if the device is of a sector size other than 512 bytes.

If the file was encrypted on a PC, you can use the

Removable Storage Access Utility on a PC to decrypt the files.

MA16902/2543829 Browsing the contents of removable storage devices using Windows Explorer, users may receive

repeated decryption prompts for thumbs.db and image files when Thumbnails or Filmstrip is selected from the Windows Explorer View menu.

The user should set a Default Password or Default

Certificate(s) or else avoid viewing removable storage device files in these modes. MA24174/2551082 After upgrading to Symantec Endpoint Encryption

from a GuardianEdge version, users cannot decrypt files encrypted under a Certificates only policy.

Use the Removable Storage Access Utility of the version that you upgrade from to decrypt the files.

Device Session Default Passwords

Number

Description

Workaround

MA23786/2550690 Removal of MultiMediaCards and Secure Digital cards does not result in the deletion of the Device Session Default Password.

Users must remove the device from the computer to clear the Device Session Default Password.

MA23801/2550705 A policy that allows users to set Device Session Default Passwords may occasionally prevent Removable Storage from caching decryption passwords on NTFS-formatted external hard drives.

Remove and reinsert the device.

Removable Storage may occasionally fail to set Device Session Default Passwords on

NTFS-Number

Description

Workaround

MA23794/2550698 Removable Storage does not log an event in the Windows System Event Log when it fails to set the Device Session Default Password.

iTunes Synchronization

Number

Description

Workaround

MA20798/2547707 Users who have synchronized photos from a machine not protected by Symantec Endpoint Encryption Removable Storage may experience encryption of the photos upon inserting the iPod Classic or Nano into a Symantec Endpoint

Encryption Removable Storage–protected machine when an Encrypt all policy is in place.

The user must resynchronize the iPod from the machine not protected by Symantec Endpoint Encryption Removable Storage.

MA20803/2547712 MA20804/2547713

If an Encrypt all or Encrypt new policy is in place and the user places files in the Calendar, Contacts, Notes, Recordings, or Photos directories of their iPod Classic or Nano using iTunes, these files will be encrypted by Symantec Endpoint Encryption Removable Storage. Encrypted files will not be visible once the iPod is detached from the Symantec Endpoint Encryption Removable Storage–protected machine.

Users must return to the Symantec Endpoint Encryption Removable Storage–protected machine to view the content.

MA20895/2547804 MA20893/2547802 MA20902/2547811

If a user does not have iTunes closed when they plug in their iPod, synchronization may fail.

Restore the iPod to its factory settings from a machine not protected by Symantec Endpoint Encryption Removable Storage. Ensure that users remember to close iTunes before plugging in their iPod.

File Icons

Number

Description

Workaround

MA16932/2543859 If the key for an encrypted EXE file is not available, the file may bear the icon of an unassociated file.

Ignore the incorrect icon display.

Safely Remove Hardware

Number

Description

Workaround

MA15648/2542592 Under an Encrypt all policy on Windows XP SP1 and SP2 endpoints, if Continue is selected on the limited access message and the device contains both encrypted and unencrypted files, selection of Safely Remove Hardware from the Windows notification area may occasionally produce a message that the device cannot be removed.

Number

Description

Workaround

MA20831/2547740 iPod Classic, Nano, and Shuffle devices cannot be safely removed.

CD/DVD

Number

Description

Workaround

MA23901/2550808 The CD/DVD Burner application fails to cache the decryption password if an installation setting or policy is in place that allows users to set Device Session Default Passwords.

MA15003/2541951 If a CD or DVD is in the drive when the user registers, the user will be unable to read the CD/DVD following registration.

Log off Windows or reboot.

Novell Logon

Number

Description

Workaround

MA19876/2546784 Users will have to log on to Novell and Windows separately following the installation of Symantec Endpoint Encryption Removable Storage, if Symantec Endpoint Encryption Full Disk is not also installed.

Section 508

Number

Description

Workaround

MA16937/2543864 JAWS does not always announce all of the information displayed within the Registration wizard and User Client consoles.

Users should follow these steps:

1.

Press INSERT+F9.

2.

Select the frame that is

of interest from the

resultant Frames List

dialog.

3.

Click OK.

4.

Press P.

If this doesn’t work, restart JAWS and try the steps again.

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the

Symantec’s support offerings include the following:

 A range of support options that give you the flexibility to select the right amount of service for any size organization

 Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

 Upgrade assurance that delivers software upgrades

 Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis  Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the following URL:

http://www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

http://www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:  Product release level

 Hardware information

 Available memory, disk space, and NIC information  Operating system

 Version and patch level  Network topology

 Router, gateway, and IP address information  Problem description:

 Error messages and log files

 Troubleshooting that was performed before contacting Symantec  Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

http://www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

http://www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:  Questions regarding product licensing or serialization

 Product registration updates, such as address or name changes

 General product information (features, language availability, local dealers)  Latest information about product updates and upgrades

 Information about upgrade assurance and support contracts  Information about the Symantec Buying Programs

 Advice about Symantec's technical support options  Nontechnical presales questions

 Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan [email protected] Europe, Middle-East, Africa [email protected]

North America, Latin America [email protected]

Copyright and Trademarks

Copyright (c) 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.