Symantec Endpoint Encryption Removable Storage does not automatically decrypt files

Article ID: 157941

Products

Endpoint Encryption

Issue/Introduction

  • Symantec Endpoint Encryption Removable Storage does not automatically decrypt files when software utilizing a legacy filter driver is installed.
  • Encrypted files appear to be ".xml" files.
  • Encrypted files do not display a red or yellow lock icon.
  • System behaves as if Symantec Endpoint Encryption Removable Storage (SEE-RS) is not installed.

When opened, the file appears to only have metadata about itself and not the expected file contents.
Example:

<?xml version="1.0" encoding="UTF-16"?><!--GETRSFileHeaderSize=0x00000420--><GETEncryptedDataFile
version="x.x.x"><FileInformation><filename>D:\New Text Document.txt</filename><created>Tue, 23 Apr
2013 12:48:04 UT-0800</created></FileInformation><AlignmentLength>512</AlignmentLength><WrappedKeys
iv="mQZnB7cClEqL/k9k5m5BdA==" hash="ZRhu9kWDGiUhIie2/z7QXTXUwLiMdhKaRyxdWqUAskU="><Password
hashmethod="kdf2"><wrappedkey>
+Mnb0BXd3w2RcfNUbB4zDRMcsmBfvFWBNGHIZ3nwOh0=</wrappedkey></Password></WrappedKeys>
</GETEncryptedDataFile>

Cause

The root cause was determined to be an interaction between the SEE-RS legacy filter driver and another software's legacy filter driver (in this case McAfee HIPS).  Microsoft has a detailed explanation of the findings in this case posted to the following page: http://blogs.msdn.com/b/ntdebugging/archive/2013/03/25/understanding-file-system-minifilter-and-legacy-filter-load-order.aspx

To put it simply, because of the way the Windows Filter Manager positioned the legacy filter drivers relative to the newer "minifilter" drivers, data did not flow through the filter driver stack in the proper order. As a result, SEE-RS did not function as expected.

Resolution

Symantec was able to determine that using a "null" or "dummy" legacy filter driver forces the Windows Filter Manager to split the filter stack frames so that data flows through the filter stack properly.

To determine if you are experiencing this issue:

  1. Open a Windows command prompt and use the "fltmc" command.
  2. Look at the "Altitude" column. This column should be in descending numerical order.
    (This example shows an improper Altitude column. Drivers ordered in this way will result in the error behavior)

If the Altitude column is not in descending numerical order, please contact SEE-RS support to investigate and determine the best solution.
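The altitude check from the steps above can be automated. This added example is not Symantec's code: it is a Python script that parses saved "fltmc" output and reports any row whose altitude is higher than the row before it. The sample output and filter names are constructed placeholders. It assumes the usual "fltmc" column layout, where legacy filters have no instance count and show "<Legacy>" in the Frame column.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample in the column layout that `fltmc` prints. Filter names
# and altitudes are placeholders, not values taken from the article.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleLegacyA                                  329998.99   <Legacy>
ExampleMiniAV                           9       328000         1
ExampleLegacyB                                  149998.99   <Legacy>
ExampleMiniLow                          1       135000         0
ExampleMiniEnc                          4       145000         0
"""


def parse_fltmc(text):
    """Return a list of (name, altitude, frame) tuples, one per filter row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            # Legacy rows carry no instance count, so index from the right.
            altitude = Decimal(parts[-2])
        except InvalidOperation:
            continue  # header, separator, or a row without an altitude
        rows.append((parts[0], altitude, parts[-1]))
    return rows


def out_of_order(rows):
    """Return (previous, current) pairs where the altitude rises."""
    return [(p, c) for p, c in zip(rows, rows[1:]) if c[1] > p[1]]


def legacy_filters(rows):
    """Names of filters marked <Legacy> in the Frame column (assumed marker)."""
    return [name for name, _, frame in rows if frame == "<Legacy>"]


if __name__ == "__main__":
    rows = parse_fltmc(SAMPLE_FLTMC)
    print("Legacy filters:", ", ".join(legacy_filters(rows)) or "none")
    for prev, cur in out_of_order(rows):
        print(f"Out of order: {cur[0]} ({cur[1]}) is listed below "
              f"{prev[0]} ({prev[1]})")
    if not out_of_order(rows):
        print("Altitude column is in descending order.")
```

To check a real system, save the output of "fltmc" from an elevated command prompt to a text file and pass its contents to parse_fltmc in place of the sample.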


Applies To

Windows 7
SEE-RS
Software that utilizes a legacy filter driver other than SEE-RS