McAfee® WinTech and SafeTech Administration Guide



McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA 

Tel: (+1) 888.847.8766 

 

For more information regarding local McAfee representatives please contact your local McAfee office, or visit: 

 

www.mcafee.com 

 

 

 

 

 

Document: WinTech and SafeTech Administration Guide

Last updated: Friday, 12 December 2008

Endpoint Encryption for PC Product Version:

Copyright (c) 1992‐2008 McAfee, Inc., and/or its affiliates. All rights reserved.  

 

McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products.  Any other non‐McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners. 

 

 

 


Contents

Preface
  Using this guide
    Audience
    Conventions
Welcome
  Related Documentation
  Contacting Technical Support
Introduction
  Prior Knowledge
WinTech
  Creating a BartPE Boot CD\DVD
  Create the BartPE CD/DVD
  Boot from the BartPE Windows CD/DVD
  Reset INT 13
  Avoiding the Reset of INT13 for a BIOS upgrade
  Encryption and Boot Sector Removal Procedure 1
  Encryption and Boot Sector Removal Procedure 2
  Mount Drive
  Restoring the MBR (Master Boot Record)
  Restoring the EEPC MBR
SafeTech
  Creating a SafeTech Boot Disk
  Creating the Endpoint Encryption Transfer Database
  Emergency Boot
  Reset INT 13
  Avoiding the Reset of INT13 for a BIOS upgrade
  Encryption and Boot Sector Removal Procedure 1
  Encryption and Boot Sector Removal Procedure 2
Glossary

 


Preface

Using this guide

This guide is designed to aid corporate security administrators to understand the

disaster recovery tools, WinTech and SafeTech. Included in this document are

procedures on how to recover data from problem machines. If you are unsure about

any procedure, and are concerned about your data, then you must contact McAfee

support before undertaking any of the procedures in this document.

Audience

This guide was designed to be used by qualified system administrators and security

managers. Knowledge of basic networking and routing concepts, and a general

understanding of the aims of centrally managed security is required.

McAfee can only contribute to information security within your organization as part of

a coherent and well-implemented organizational security policy.

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.

Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).

Italic: Emphasis or introduction of a new term; names of product manuals.

Blue: A web address (URL); a live link.

Note: Supplemental information; for example, an alternate method of executing the same command.

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

 

   


Welcome

The team at McAfee is dedicated to providing you with the best in security for

protecting data on personal computers. Applying the latest technology, deployment

and management of users is enhanced using simple and structured administration

controls.

Endpoint Encryption for PC (EEPC) incorporates functionality not found in earlier

versions. This new edition of the software features a new dimension in IT security

incorporating many new enterprise level options, including automated upgrades, file

deployment, flexible grouping of users and centralized user management. In addition,

users’ credentials can be imported and synchronized with other deployment systems.

WinTech and SafeTech are McAfee’s disaster recovery systems used in conjunction

with Endpoint Encryption for PC (EEPC).

Through the continued investment in technology and the inclusion of industry

standards we are confident that our goal of keeping Endpoint Encryption at the

forefront of data security will be achieved.

Related Documentation

• Endpoint Encryption for PC Administration Guide

• Endpoint Encryption for PC Quick Start Guide

• Endpoint Encryption Manager Administration Guide

Contacting Technical Support

Please refer to www.mcafee.com for further information.

Introduction

This guide discusses how to use the McAfee Endpoint Encryption disaster recovery

tools, WinTech and SafeTech.

SafeTech is a disaster recovery tool that allows the administrator to perform everyday

recovery functions. WinTech performs the same functions under a Windows-like

environment and includes additional features such as drive mounting, booting from

BartPE and easier access to encrypted USB drives and memory sticks.

Included in this guide are instructions on how to recover data from problem machines.

If you are unsure about any procedure, and are concerned about your data, then you

must contact McAfee support before undertaking any of the instructions in this

document.

Extreme care must be taken when using WinTech and SafeTech. If they are used

without diligence this may result in the loss of data. McAfee cannot be held responsible

for loss of data.

Prior Knowledge

This guide was written for security administrators. It assumes the reader has some

knowledge of security concepts, data encryption, Endpoint Encryption for PC and the

Endpoint Encryption Manager. It is preferable that administrators (readers) attend

some form of McAfee training to understand the basic concepts before following the

procedures in this guide.


WinTech

This chapter explains some of the common tasks that can be undertaken using

McAfee’s Windows based disaster recovery tool, WinTech.

Please exercise caution for all WinTech procedures. McAfee is not responsible for the

loss of data. Please contact McAfee if you are unsure about attempting any of these

procedures.

WinTech contains the same functions as its sister application, SafeTech. WinTech,

however, also contains the following features:

• Boot from a BartPE CD/DVD: This provides administrators with the ability

to utilize the same recovery environment for disaster recovery and repair.

• Mount Drive: The Mount Drive feature allows quick access to data on an

encrypted drive. This is only possible if the administrator has been properly

authorized using the correct key. There is no need to completely decrypt the

drive first to get at important files. Data is decrypted on-the-fly from the

encrypted disk and this allows full access to the contents.

• Easier access to encrypted USB drives and memory sticks: WinTech

provides access to USB drives and memory sticks that have been encrypted

using 5.x DE optional USB removable drive support.

• An encrypted USB flash memory stick or external USB drive is generally only

accessible from the machine it was encrypted from; however, WinTech allows

these encrypted drives to be mounted and viewed, or the contents removed,

without requiring access to the original working machine. However, for this to

work the machine key must still be available in the master Object Directory of

the Endpoint Encryption Manager.

You can access a machine using the WinTech plug-in provided you also have the

following:

• As with all McAfee data security products, at all times, a valid user

authentication or machine key is needed to access the data on the encrypted

hard drive or USB stick.

• The daily access code to allow access to the functions and use of WinTech.

This is usually obtained from McAfee Support by customers with a valid

support contract.


The Daily access code does NOT provide access to encrypted data. Although WinTech

is a convenient recovery tool, it is NOT a ‘back door’ to data. The daily access code

ONLY enables advanced WinTech menu functions.

Authentication is still required to access the encrypted data. The alternative to user

authentication is to provide the machine’s unique encryption key exported from the

administration database (exporting it requires administration rights).

Creating a BartPE Boot CD\DVD

Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable

Windows CD-Rom or DVD from the original Windows XP.

Before you create the BartPE CD\DVD you will need the Windows XP \i386 folder. The

\i386 folder holds the files used to install, repair, modify, update and rebuild Windows.

This can be found on the root directory of a Windows XP Pro/Home installation CD.

You will also need the contents of the \Recovery\Making a Rescue CD\BartPE Plug-in

and the \SafeBoot\SBWinTech_AES-FIPS folders which can be found on the installation

CD. If you have downloaded Endpoint Encryption you can find these paths on the

computer where the Endpoint Encryption Manager resides.

Create the BartPE CD/DVD

1. Download the latest BartPe install file. See the http://www.nu2.nu/pebuilder/

website for information and download links.

2. Install BartPe using the default install locations.

3. Open Windows Explorer and navigate to the \pebuilderxxxxx\plugin folder.

Note: xxxxx = denotes the version number of BartPE.

4. Create a subfolder called safeboot. This folder will be the source for the

Endpoint Encryption recovery files.

5. Copy the files from the \Recovery\Making a Rescue CD\BartPe Plugin

folder to the \pebuilderxxxxx\plugin\EEPC folder.

6. Launch BartPe.


Figure 1 ‐ The BartPE CD/DVD Builder window 

1. The Source box should contain the path to the Windows installation files, i.e.

the \i386 folder. See Creating a BartPE Boot CD\DVD for further info.

2. The Custom folder should contain any other local or remote files and folders

you may wish to include. Note: Do not include the Windows directory or any

other folder that has files in use. Also, bear in mind that the files you add must

fit your target CD or DVD. If you are unsure what to enter in this field, then

leave it empty.

3. In the Output Directory field enter a directory name to store the files PE

Builder copies. Please note that the location you enter is relative to your

\pebuilder directory.

4. If you need to specify an absolute path, you must change the Output path

absolute in the Builder Options dialog.

5. Use the Media Output section to specify whether you want to create a

CD/DVD or an ISO image.

NOTE: you can click the Plugins button to add, edit, enable/disable, configure or remove plugins from the 

list. 

6. Click the Build button to start writing the CD/DVD or build the ISO image.

Boot from the BartPE Windows CD/DVD

WinTech is accessed via the BartPE plug-in boot CD/DVD. When the problem machine

is booted with this CD/DVD, the first screen you will see is the Endpoint Encryption


interface (see below). This will be followed by a pop up dialogue that will prompt you

to start network services. You may start the network services if you have added the

drivers for your Ethernet card to the CD/DVD build; otherwise click No.

1. Boot the machine with the BartPE CD/DVD. This will load the Endpoint

Encryption interface.

Figure 2 ‐ Accessing Endpoint Encryption WinTech 

Figure 3 ‐ The WinTech application 

Reset INT 13

INT 13 is an interrupt vector that stores a machine’s BIOS information. If the hardware

of a machine changes (the motherboard, for example) or a virus has affected the BIOS,

this will have an impact on the pre-boot environment and Endpoint Encryption will not

work. In this situation you will need to boot from the BartPE CD/DVD to access

WinTech and reset the INT 13 to reflect the correct BIOS.

Before proceeding you must have the following:

• The BartPE Boot CD/DVD boot disk.


• The floppy drive or USB containing the machine configuration file (.SDB). This

contains the machine key that will provide access to the problem machine.

• The daily access (authorization) code. This can be obtained directly from

McAfee Support or from your internal Help Desk (Note: availability from your

Help Desk is dependent on your contract with McAfee).

2. Boot the machine with the BartPE CD/DVD. This will load the Endpoint

Encryption interface.

3. Click Go > Programs > EEPC > WinTech.

4. Enter the authorization/access code when prompted and click Ok.

5. From the top toolbar select EEPC > Authenticate from SBFS. This will prompt

you for the Endpoint Encryption credentials for this machine.

6. Enter the username and password for the client machine.

7. Click EEPC > RESET INT13 Vector from the menu. A message

containing INT13 has been successfully reset should appear.

8. Click OK.

Avoiding the Reset of INT13 for a BIOS upgrade

If you wish to avoid the Reset INT 13 condition while updating the BIOS, then you can

temporarily turn off Virus Protection before the BIOS upgrade.

1. Locate the machine in the Endpoint Encryption Manager, Devices tab.

2. Right-click on it and select Properties.

3. Select the General icon.

4. Under Options, scroll down until you find Virus Protection.

5. Deselect the Enable MBR virus protection option.

6. Click Apply.

When the BIOS has been upgraded, the Enable MBR virus protection option should

be re-enabled and the machine synchronized. This will again protect the machine’s

boot sector.

Encryption and Boot Sector Removal Procedure 1

Use the following procedure in the event that:

• Windows becomes corrupt.

• You cannot access the data of an encrypted machine.


• Encryption or decryption fails.

CAUTION: Make sure the machine’s main power supply is plugged in for this procedure. Do not attempt to 

perform on battery only. 

Before proceeding you must have the following:

• The BartPE Boot CD/DVD boot disk.

• The floppy drive or USB containing the machine configuration file (.SDB). This

contains the machine key that will provide access to the problem machine.

Note: any sticks and drives required to access the machine must be plugged

in before WinTech starts.

• The daily access/authorization code. This can be obtained directly from McAfee

Support or from your internal Help Desk. Note: availability from your Help

Desk is dependent on your contract with SafeBoot.

1. Boot the machine with the BartPE CD/DVD. This will load the Endpoint

Encryption interface.

2. Click Go > Programs > EEPC > WinTech.

3. Enter the access code when prompted and click Ok.

4. From the top menu click the EEPC option.

5. Select the Authenticate from SBFS option from the EEPC menu.

6. Enter the machine’s username and password.

7. Select Remove SafeBoot.

This will decrypt the drive and remove the boot sector. It may take some hours

depending on the machine performance and the storage capacity of the drive or

partition.

8. Next, when Endpoint Encryption has been removed, delete its record from the

Endpoint Encryption Manager (the central record will no longer have the

correct parameters for the machine). See the Endpoint Encryption for PC

Administration Guide for further information, or, contact your Endpoint

Encryption Database Administrator.

NOTE: If you had a problem with Windows and the operating system is repaired, Endpoint Encryption will 

automatically reactivate itself if the installed files are still intact. It will also connect to the Endpoint 

Encryption Server.  The machine may encrypt at this point too depending on its settings in the database. 


This can be prevented by disconnecting from the network prior to booting the machine (or disable wireless 

networking). After Windows has loaded, open a DOS command (CMD) prompt. Change to the EEPC folder on the machine

and enter: sbsetup -Uninstall. This command can only be used if the drive is completely unencrypted.

CAUTION: Make sure you check where the \SBADMIN (administration system files) and the \SBDATA 

(database folder) have been installed. If your installation is not in the recommended locations, then make 

sure you check where they have been installed before proceeding. 

Also, disconnecting from the network will prevent re‐activation only if this machine was originally an Online 

install. If it was an Offline install, then boot to Windows Safe Mode first.  See the Endpoint Encryption for PC 

Administration Guide for further information regarding online and offline installation. 

Encryption and Boot Sector Removal Procedure 2

If Endpoint Encryption does not work and the previous Encryption and Boot Sector

Removal Procedure 1 cannot be used, then follow this procedure. Note: this procedure

should only be attempted under the guidance of McAfee Support. For this method the

machine’s configuration should be exported from the database.

Before proceeding you must have the following:

• The BartPE Boot CD/DVD boot disk.

• The floppy drive or USB containing the machine configuration file (.SDB). This

contains the machine key that will provide access to the problem machine.

Note: any sticks and drives required to access the machine must be plugged

in before WinTech starts.

• The daily access/authorization code. This can be obtained directly from McAfee

Support or from your internal Help Desk. Note: availability from your Help

Desk is dependent on your contract with McAfee.

Export machine configuration to a floppy disk or a USB stick.

1. Insert your choice of removable media, i.e. floppy disk or USB drive.

2. Select the Devices tab from the Endpoint Encryption Manager.

3. Right-click on the machine name.

4. Select Export Configuration and browse to the floppy disk or USB drive.

5. Enter a name for the database.

6. Click Save.

Boot the machine with the BartPE CD/DVD. This will load the Endpoint

Encryption interface.

1. Click Go > Programs > EEPC > WinTech.

2. Enter the access code when prompted and click Ok.

3. From the top menu click the EEPC option.

4. Select the Authenticate from Database option from the EEPC menu.

5. Next, select the machine SDB file and click Ok.

6. Select the correct machine name from the Select Machine window.

7. Select Remove EEPC from the EEPC drop down menu. This will decrypt the

drive and remove the boot sector. It may take some hours depending on the

machine performance and the storage capacity of the drive or partition.

8. Remember to delete the machine’s record from the Endpoint Encryption

Manager after Endpoint Encryption has been removed. The central record will

no longer have the correct parameters for the machine.

NOTE: When the operating system is repaired, Endpoint Encryption will automatically reactivate itself if the 

installed files are still intact and it connects to the Endpoint Encryption Server. The machine may encrypt at 

this point too depending on its settings in the database. 

This can be prevented by disconnecting from the network prior to booting the machine (or disable wireless 

networking). After Windows has loaded, open a DOS command (CMD) prompt. Change to the EEPC folder on the machine

and enter: sbsetup -Uninstall. This command can only be used if the drive is completely

unencrypted. 

WARNING: Disconnecting from the network will prevent re‐activation only if this machine was originally an 

‘online’ install of SafeBoot. If it was an ‘offline’ install, boot to Windows Safe Mode first. See the Endpoint

Encryption for PC Administration Guide PDF document for further information regarding online and offline 

installation. 

Mount Drive

The Mount Drive feature allows quick access to data on an encrypted drive. This is

only possible if the administrator has been properly authorized using the correct key.

There is no need to completely decrypt the drive first to get at important files. Data is

decrypted on-the-fly from the encrypted disk and this allows full access to the

contents. This includes access to data stored on removable media.

Before proceeding you must have the following:

• The BartPE Boot CD/DVD boot disk.


• The floppy drive or USB containing the machine configuration file (.SDB). This

contains the machine key that will provide access to the problem machine.

• The daily access (authorization) code. This can be obtained directly from

McAfee Support or from your internal Help Desk (Note: availability from your

Help Desk is dependent on your contract with McAfee).

1. Export the machine configuration to a floppy disk or a USB stick. Insert your

choice of removable media, i.e. floppy disk or USB drive.

2. Select the Devices tab from the Endpoint Encryption Manager.

3. Right-click on the machine name.

4. Select Export Configuration and browse to the floppy disk or USB drive.

(Note: There are two options you can select: the Include all users in the

configuration option will add all users that can access the machine, into the

machine configuration; the Include all files in the configuration option will

add all the files assigned to the machine’s groups into the machine

configuration).

5. Enter a name for the database file.

6. Click Save.

NOTE: Any USB sticks or drives you need to access later will need to be plugged in before Windows PE starts 

to load. This includes any encrypted disks you wish to access, or, any disk containing the machine export 

database. 

7. Boot the machine with the BartPE CD/DVD. This will load the Endpoint

Encryption interface.

8. Click Go > Programs > EEPC > WinTech.

9. Enter the authorization/access code when prompted and click Ok.

NOTE: The Info bar at the bottom of the tool reports Not Authorized until the code has been correctly 

entered. After the code has been entered, this changes to Authorized. 

The Not Authenticated message still shows. User authentication or an encryption key to decrypt any data is 

still required! 

10. Now enter the machine’s key retrieved earlier from the exported database.

From the EEPC menu select Authenticate from Database.

11. Browse to the location of the exported machine configuration, i.e. floppy or

USB stick.


12. Click the SDB file you created earlier.

13. From the Disk menu, choose Mount Drive.

14. From the Go menu run the file management tool (BartPE default is A43 File

Utility Manager).

Restoring the MBR (Master Boot Record)

The MBR loads the boot sector which in turn will load the operating system. The MBR

of a machine is stored in the central administration database during the

synchronization and can therefore be exported as part of the Endpoint Encryption

Transfer Database (.SDB) file. Note: if you have performed a manual (forced) decrypt

then you must follow this procedure to restore the original MBR.

Before proceeding you must have the following:

• The floppy drive or USB containing the machine configuration file (.SDB). This

contains the machine key that will provide access to the problem machine.

Authenticate from the database using the .SDB file on the floppy disk or USB. This

must be plugged in before booting from the BartPE CD/DVD.

1. Click the EEPC menu followed by the Authenticate from Database option.

NOTE: There is a known problem with BartPE at present: if you select the Authenticate from Database 

option from the EEPC menu, the dialog box may not immediately display the .SDB file(s). To view the 

contents of the floppy disk/USB stick, type in the drive letter containing the media, e.g. a:\, f:\, etc.

2. Next, select the machine SDB file from the floppy disk or USB drive.

3. Click Open.

4. Select the correct machine name from the Select Machine window.

5. Click Ok to confirm the authentication.

Restore the MBR:

1. Click the Disk menu followed by Restore MBR.

2. Click Yes to confirm that you want to overwrite the Master Boot Record.
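Restore MBR overwrites sector 0 of the disk, so it helps to keep a copy of the current sector and inspect it before confirming. The following is an added example, not part of the McAfee guide or tools: it parses a saved 512-byte MBR image and reports which regions differ between two images. The function names and the sample sectors are constructed for illustration; saving the sector image itself is left to your imaging tool.

```python
"""Inspect and compare 512-byte MBR images taken before and after a restore."""
import hashlib
import struct

SECTOR_SIZE = 512
# Classic MBR layout: byte ranges within sector 0.
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 446),   # 4-byte signature plus 2 reserved bytes
    "partition_table": (446, 510),  # four 16-byte entries
    "boot_signature": (510, 512),   # must be 55 AA
}


def load_sector(path):
    """Read sector 0 from an image file previously saved to disk."""
    with open(path, "rb") as handle:
        return handle.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Validate an MBR sector and return its hash, partitions and warnings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot signature; not a valid MBR")

    partitions, warnings = [], []
    for index in range(4):
        entry = sector[446 + 16 * index: 462 + 16 * index]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:
            continue  # unused slot
        if status not in (0x00, 0x80):
            warnings.append("entry %d: invalid status byte 0x%02x" % (index, status))
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sector_count": sector_count,
        })

    if sum(p["active"] for p in partitions) > 1:
        warnings.append("more than one partition is marked active")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for first, second in zip(ordered, ordered[1:]):
        if first["lba_start"] + first["sector_count"] > second["lba_start"]:
            warnings.append("entries %d and %d overlap"
                            % (first["index"], second["index"]))

    return {
        "sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": partitions,
        "warnings": warnings,
    }


def changed_regions(before, after):
    """Name the MBR regions whose bytes differ between two sector images."""
    return [name for name, (start, end) in REGIONS.items()
            if before[start:end] != after[start:end]]


def build_sample_sector(boot_code):
    """Constructed sample: one active type-0x07 partition starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:440] = boot_code.ljust(440, b"\x00")[:440]
    sector[440:444] = struct.pack("<I", 0x12345678)  # made-up disk signature
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                                  0x07, b"\xfe\xff\xff", 63, 1000000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Constructed stand-ins for the loader code before and after a restore.
    before = build_sample_sector(b"\xeb\x3c\x90")
    after = build_sample_sector(b"\x33\xc0\x8e")
    info = parse_mbr(before)
    print("before sha256:", info["sha256"])
    for part in info["partitions"]:
        print("partition", part)
    print("warnings:", info["warnings"])
    print("regions changed by restore:", changed_regions(before, after))
```

If the comparison reports partition_table among the changed regions, check the partition layout before rebooting the machine.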

Restoring the EEPC MBR

The EEPC MBR loads the EEPC pre-boot environment. This MBR is stored in the central

administration database during the synchronization. You can restore the EEPC MBR in

the event.

Before proceeding you must have the following:


• The floppy drive or USB containing the machine configuration file (.SDB). This

contains the machine key that will provide access to the problem machine.

Authenticate from the database using the .SDB file on the floppy disk or USB. Note:

this must be plugged in before booting from the BartPE CD/DVD:

1. Click the EEPC menu followed by the Authenticate from Database option.

NOTE: There is a known problem with BartPE at present: if you select the “Authenticate from Database” 

option from the EEPC menu, the dialog box may not immediately display the .SDB file(s). To view the 

contents of the floppy disk/USB stick, type in the drive letter containing the media, e.g. a:\, f:\, etc.

2. Next, select the machine SDB file from the floppy disk or USB drive.

3. Click Open.

4. Select the correct machine name from the Select Machine window.

5. Click Ok to confirm the authentication.

Restore the EEPC MBR:

1. Click the Disk menu followed by Restore MBR.

2. Click Yes to confirm that you want to overwrite the Master Boot Record.

SafeTech

This chapter explains some of the common tasks that can be undertaken using

McAfee’s disaster recovery tool, SafeTech.

Please exercise caution for all SafeTech procedures. McAfee is not responsible for the

loss of data. Please contact McAfee if you are unsure about attempting any of these

procedures.

Creating a SafeTech Boot Disk

You can create a boot disk from the Endpoint Encryption Manager by using the

Recovery menu option.

1. Select the Recovery option on the top toolbar of the Endpoint Encryption

Manager.

2. Select Create SafeTech Boot Disk.

3. Insert a floppy disk into the a:\ drive and select Ok. This will create the boot

disk.

Creating the Endpoint Encryption Transfer Database

The Endpoint Encryption Transfer Database is the machine configuration file (.SDB).

This file contains the machine key that will provide access to the problem machine.

1. Insert the media into the drive you wish to export the database to, e.g. floppy

disk or USB drive.

2. Select the Devices tab from the Endpoint Encryption Manager.

3. Right-click on the machine name.

4. Select Export Configuration and browse to the floppy disk or USB drive.

5. Enter a name for the database.

6. Click Save.

Emergency Boot

The Emergency Boot is performed when Endpoint Encryption fails to boot or

the logon screen is corrupt.

Before proceeding you must have the following:

• The SafeTech boot disk.


• The floppy drive or USB containing the machine configuration file (.SDB). This

contains the machine key that will provide access to the problem machine.

• The daily access code. This can be obtained directly from McAfee Support or

from your internal Help Desk (Note: availability from your Help Desk is

dependent on your contract with McAfee).

1. Create a SafeTech boot disk. See the Creating a SafeTech Boot Disk procedure

at the beginning of this chapter.

2. Reboot the problem machine using the SafeTech boot disk.

3. Enter the authentication code.

4. Click Ok.

Authenticate from the database file (.SDB)

1. Insert the media containing the machine configuration file (.SDB).

2. From the top toolbar click SafeBoot.

3. Select Authenticate from Database.

4. Select the machine configuration file (filename.SDB) from the disk or USB

drive.

5. Click Ok. The machine name will be shown in the open window. This will be

the machine exported from the Endpoint Encryption Manager. The correct

machine name is listed.

6. Click Use Selected Machine. The panel at the bottom of the SafeTech screen

should display an Authorized and Ready status.

Perform the Emergency Boot.

1. From the top toolbar click SafeBoot.

2. Click the Emergency Boot option. This will prompt you to confirm the

operating system.

3. Click Yes if you are using Windows XP (or earlier), or, click No if you are using

Windows 2003, Vista and higher.

4. Click Ok to confirm the Emergency boot.

When the machine boots into Windows, if there is a network connection to the

Endpoint Encryption server, then the machine will synchronize with the Endpoint

Encryption Object Directory and fully repair itself. Check this by right-clicking on the

Endpoint Encryption icon in the system tray, followed by “Show Status”.


If Endpoint Encryption is unable to establish a connection to the master directory at this time, continue to use the SafeTech Emergency Repair boot disk to boot the machine until a connection to the server is made.

Reset INT 13

INT 13 is an interrupt vector that stores a machine’s BIOS information. If the hardware of a machine changes (the motherboard, for example) or a virus has affected the BIOS, this will have an impact on the pre-boot environment and Endpoint Encryption will not work. In this situation you will need to use a boot disk to access SafeTech and reset the INT 13 to reflect the correct BIOS.

Before proceeding you must have the following:

• The SafeTech boot disk.

• The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.

• The daily access code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Create a SafeTech boot disk. See the Creating a SafeTech Boot Disk procedure at the beginning of this chapter. Note: The machine configuration is not required.

2. Reboot the problem machine using the SafeTech boot disk.

3. Enter the access code when prompted and click Ok.

4. From the top toolbar select EEPC followed by Authenticate from SBFS. This will prompt you for the Endpoint Encryption credentials for this machine.

If you get a message that indicates a failure to read the values from the disk, contact McAfee Support. Otherwise, click Login With Selected Token.

5. Enter the username and password for the client machine.

6. Click the EEPC option from the toolbar and select the RESET INT13 Vector from the menu. The INT13 has been successfully reset message should appear.

7. Click OK.

Avoiding the Reset of INT13 for a BIOS upgrade

If you wish to avoid the Reset INT 13 condition while updating the BIOS, then you can temporarily turn off Virus Protection before the BIOS upgrade.


1. Locate the machine in the Endpoint Encryption Manager, Devices tab.

2. Right-click on it and select Properties.

3. Select the General icon.

4. Under Options, scroll down until you find Virus Protection.

5. Deselect the Enable MBR virus protection option.

6. Click Apply.

When the BIOS has been upgraded, the Enable MBR virus protection option should be re-enabled and the machine synchronized. This will again protect the machine’s boot sector.

Encryption and Boot Sector Removal Procedure 1

Use the following procedure in the event that:

• Windows becomes corrupt.

• You cannot access the data of an encrypted machine.

• Encryption or decryption fails.

CAUTION: Make sure the machine’s main power supply is plugged in for this procedure. Do not attempt to perform it on battery only.

Before proceeding you must have the following:

• The SafeTech boot disk.

• The daily access code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Create a SafeTech Boot Disk. See the Creating a SafeTech Boot Disk procedure at the beginning of this chapter.

2. Boot the problem machine with the SafeTech Boot disk.

3. Enter the authorization code.

4. From the top menu click the EEPC option.

5. Select the Authenticate from SBFS option from the EEPC menu. SafeTech reads values from the drive and returns a message. If the message indicates a failure to read the values from the disk then contact McAfee Support, otherwise, choose the right token and click Logon with Selected Token.

6. Enter the machine’s username and password.


7. Select Remove SafeBoot.

8. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.

9. Next, when Endpoint Encryption has been removed, delete its record from the Endpoint Encryption Manager (the central record no longer has the correct parameters for the machine). See the Endpoint Encryption for PC Administration Guide for further information, or contact your Endpoint Encryption Database Administrator.

NOTE: If you had a problem with Windows and the operating system is repaired, Endpoint Encryption will automatically reactivate itself if the installed files are still intact. It will also connect to the Endpoint Encryption Server. The machine may encrypt at this point too, depending on its settings in the database.

This can be prevented by disconnecting from the network prior to booting the machine (or by disabling wireless networking). After Windows has loaded, open a DOS command prompt. Change to the Endpoint Encryption folder on the machine and enter: “sbsetup -Uninstall”. This command can only be used if the drive is completely unencrypted.

CAUTION: Make sure you check where the \SBADMIN (administration system files) and the \SBDATA (database folder) have been installed. If your installation is not in the recommended locations, then make sure you check where they have been installed before proceeding.

Also, disconnecting from the network will prevent re-activation only if this machine was originally an Endpoint Encryption ‘online’ install. If it was an ‘offline’ install, then boot to Windows Safe Mode first. See the Endpoint Encryption for PC Administration Guide for further information regarding online and offline installation.

Encryption and Boot Sector Removal Procedure 2

If Endpoint Encryption does not work and the previous Encryption and Boot Sector Removal Procedure 1 cannot be used, then follow this procedure. Note: this procedure should only be attempted under the guidance of McAfee Support. For this method the machine’s configuration should be exported from the database.

Before proceeding you must have the following:

• The SafeTech boot disk.

• The floppy drive or USB containing the machine configuration file (.SDB). This contains the machine key that will provide access to the problem machine.


• The daily access code. This can be obtained directly from McAfee Support or from your internal Help Desk (Note: availability from your Help Desk is dependent on your contract with McAfee).

1. Create a SafeTech Boot Disk. See the Creating a SafeTech Boot Disk procedure at the beginning of this chapter.

2. Export the machine configuration file (.SDB) to a floppy disk or a USB stick. See the Creating the Endpoint Encryption Transfer Database procedure earlier in the chapter.

3. Boot the problem machine with the SafeTech boot disk.

4. Enter the authorization code when prompted.

Use SafeTech to authenticate from the database:

1. From the top menu click the EEPC option.

2. Select the Authenticate from Database option from the EEPC menu.

3. Next, select the machine SDB file and click Ok.

4. Select the correct machine name from the Select Machine window.

5. Select Remove EEPC from the EEPC drop down menu. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.

6. Remember to delete the machine’s record from the Endpoint Encryption Manager after Endpoint Encryption has been removed. The central record will no longer have the correct parameters for the machine.

NOTE: When the operating system is repaired, Endpoint Encryption will automatically reactivate itself if the installed files are still intact and it connects to the Endpoint Encryption Server. The machine may encrypt at this point too, depending on its settings in the database.

This can be prevented by disconnecting from the network prior to booting the machine (or by disabling wireless networking). After Windows has loaded, open a DOS command prompt. Change to the Endpoint Encryption folder on the machine and enter: sbsetup -Uninstall. This command can only be used if the drive is completely unencrypted.

WARNING: Disconnecting from the network will prevent re-activation only if this machine was originally an ‘online’ install of SafeBoot. If it was an ‘offline’ install, boot to Windows Safe Mode first. See the Endpoint Encryption for PC Administration Guide PDF document for further information regarding online and offline installation.


Glossary

Topic  Description

Algorithms  An option on the main menu for setting the correct algorithm on a machine. 

Authorize  Enter the daily access/authorization code in this dialog box. The code can be obtained directly from McAfee Support or from your internal Help Desk. Note: availability from your Help Desk is dependent on your contract with McAfee.  

Authenticate from Database  This function allows the user to authenticate using the machine key obtained via the Select Transfer Database (SDB file) exported from the master object directory.

Authenticate from SBFS  This authentication is through entering the correct userid and password.

Authenticate from HP Recovery File  This option is applicable to users of HP computers only. HP users can create a recovery file containing the machine key and recovery key. This menu option allows the user to authenticate onto a problem HP machine using the saved recovery file.

Contact  Displays a list of current world telephone support numbers. 

Crypt/Decrypt Sectors  The Crypt/Decrypt option allows you to safely manipulate which sectors are encrypted on the disk. This option follows the crypt list (see “Get Disk Information”) to validate the ranges you submit, so it will not encrypt sectors which are currently encrypted, and will not decrypt sectors which are currently not encrypted. This option supports power fail protection.  

You can only use the Crypt/Decrypt Sectors option if the disk crypt state is still valid. If Endpoint Encryption has become corrupt on the disk, or the crypt state has been corrupted, you will need to use the Force Crypt/Decrypt Sectors option.  

If you change the encryption state with the Crypt/Decrypt Sectors option, appropriate modifications will be made to the disk Crypt List. For example, if you encrypt a new range, a new Region definition will be created. If you decrypt within an existing Region, then the existing region will be split into two. If you completely decrypt a region, it will be removed from the crypt list.

Disk  Menu containing the options: Get Disk information; Repair Disk Information; Crypt Sectors; Force Crypt Sectors; Edit Crypt State; Restore MBR; Restore EEPC MBR; Mount Drive. 

 


Disk Information

GUID – The unique GUID of the machine’s disk (an Endpoint Encryption for PC construct).

Alg ID – The ID of the Endpoint Encryption Algorithm used to encrypt the disk.

Database ID – The Endpoint Encryption Database ID (hexadecimal) of the host Endpoint Encryption Database that this machine has registered its keys to, and is accepting policy updates from. You can determine the Database ID through Endpoint Encryption Manager by looking at the License Information.

Machine ID – This is the machine’s unique object ID. You can find the machine’s corresponding policy object by authenticating to the correct Endpoint Encryption Database (using the Database ID above to ensure you’re connected to the correct DB). Then click the “Endpoint Encryption Machines Group” node in the Devices tab, then click “Groups” → “Find” and search for the appropriate Object ID – in the example above it would be 00000003.

SBFS Sector Map – This is the sector location at the beginning of the SBFS Sector map. The SBFS Sector map defines the ranges of sectors on the users’ hard disk which contain the Endpoint Encryption for PC pre‐boot environment.  

SBFS Sector Map Count – This is the size of the sector map.  

Key Check – A hash of the encryption key used to protect the machine. This is used to verify keys are correct.   

Crypt List 

Region Count – The number of defined crypted areas of this logical disk. This usually corresponds to the number of partitions on the drive.  

  Region … ‐ Each region is defined as follows: 

  Start Sector – The physical start sector of the region 

  End Sector – The last physical sector included in the region 

  Sector Count – The number of sectors included in this region 

PowerFail Status – Endpoint Encryption for PC tracks the progress of encryption on the drive to ensure that if power is lost during encryption, the process is recoverable.  

Status – Determines whether the drive is currently in powerfail state. A status of Inactive indicates that the current encryption process has finished.  

Partition – A section per Logical partition on this physical drive as follows: 

Partition Number – The unique partition number. 

Partition Type – The file system detected on this partition. 


Partition Bootable – Whether the partition is bootable or not.  

Partition Recognised – Whether the partition is recognized as viable. 

Partition Drive Letter – The detected drive letter of this partition. 

Partition Start Sector – The physical start sector of the partition. 

Partition End Sector – The physical end sector of the partition. 

Partition Sector Count – The number of sectors in the partition. 

Edit Disk Crypt State  Before using this option call McAfee Technical support for assistance. 

This option will certainly cause irretrievable data loss if used incorrectly. 

Ensure when using this option that there is no possibility of losing power while it is working – this option DOES NOT support power fail protection. 

Emergency Boot  Repairs the Endpoint Encryption File system on the client machine. 

EEPC  Endpoint Encryption for PC (formerly known as Endpoint Encryption for PC). 

Force Crypt/Decrypt Sectors  Before using this option call McAfee Technical support for assistance.

Unlike the Crypt/Decrypt sectors option, the Force Crypt/Decrypt option does not pay attention to the disk crypt state; it simply performs the operation blindly according to user input. Force Crypt does not support power fail, nor does it apply any logic or parameter validation on the input.

You should only use the Force Crypt/Decrypt sectors option when all else fails, when the on‐disk structures are completely corrupted for example.  

This option will certainly cause irretrievable data loss if used incorrectly. If you are forced to use this option, you should make a recording of each operation you apply to aid in data recovery.  

Ensure when using this option that there is no possibility of losing power while it is working – this option DOES NOT support power fail protection. 

Get Disk Information  This option displays information about the physical drives detected by SafeTech. Each physical disk has a node in the disk information tree which describes its LUN, partitions, size and Endpoint Encryption information.  

Mount Drive  The Mount Drive feature allows quick access to data on an encrypted drive. This is only possible if the administrator has been properly authorized using the correct key. There is no need to completely decrypt the drive first to get at important files. Data is decrypted on-the-fly from the encrypted disk and this allows full access to the contents.

 

Mount SBFS as a drive  This option provides quick and easy access to the Endpoint Encryption File System by mounting it as a drive. 

Open Workspace  This option opens the Workspace window. For assistance on how to use the SafeTech/WinTech workspace, please contact McAfee support.

Note: The Open Workspace option appears in the Disk menu for SafeTech only; in the WinTech application it appears as a main menu option.

Remove SafeBoot  Removes the encryption and boot sector from a machine, but does not remove the Endpoint Encryption client files. (See the Endpoint Encryption for PC Administration Guide for details on removing client files).

Repair Disk Information  The Repair Disk Information option will fix problems with the boot disk only. For this to work the crypt list portion must still be valid and the power fail state must be inactive.

Reset INT13 vector  When moving a hard disk between machines, updating the BIOS, or after a virus attack, Endpoint Encryption will warn of a possible virus at boot time and deny access to the machine.

Should there be a possibility of a virus, run a virus checker.

Restore MBR  Restores the original MBR of the machine but does no validation checking.

Restore EEPC MBR  Now that the disk information for the boot disk is stored in the main partition, the only link to it is from the EEPC MBR. If the EEPC MBR gets removed or corrupted, there is no way to find the disk information. So the client now stores the EEPC MBR in the database during sync, hence it will be exported to the transfer database and can then be used by WinTech to restore the EEPC MBR.

This allows administrators to have the ability to restore it in case of a disaster recovery with WinTech. 

This can be used to repair a corrupt logon screen, for example. 

Set Background Colour (SafeTech only)  This option allows the background colour of the screen to be set to improve clarity on older monitors. You can choose from Black, Red, Green, Blue, or White.

.SDB  The file type of the select transfer database file. See below. 

Select Transfer Database  The Select Transfer Database is the machine configuration file containing the encryption keys and MBR information for a particular machine. This file is created (exported) from the main database using the Endpoint Encryption Manager.

Set Disk Algorithm  This option allows you to specify an algorithm for the disk in the event that it is not picked up automatically.

Set Workspace Algorithm  This option allows you to specify an algorithm for the Workspace in the event that it is not picked up automatically.

Set Algorithm  This option allows you to select which algorithm to use in the current SafeTech session. As the Endpoint Encryption for PC algorithm is an enterprise-wide setting, and can never be changed, you should confirm the algorithm the Endpoint Encryption Manager is using before setting it in SafeTech. You can do this from the Help/About/Modules screen – check the description of the SBAlg.DLL file.

Selecting the wrong algorithm here will cause any manual decryption functions (decrypt sectors, force decrypt sectors etc.) to perform the wrong mathematical functions on the data. This process is reversible, for example by re-encrypting the sector ranges, but if the algorithm choice cannot be remembered, it can be extremely time consuming to recover from.