Files identified as sensitive by Symantec Data Loss Prevention (DLP) are not encrypted when written to removable media

Article ID: 158824

Products

Endpoint Encryption

Issue/Introduction

Files that Symantec Data Loss Prevention (DLP) identified as sensitive were not encrypted when written to removable media, even though the “Encrypt files as per Symantec DLP for Endpoint” policy was enabled.

Resolution

This issue is resolved by applying the following:

  • Upgrade to Symantec Endpoint Encryption version 8.2.1 MP9 or higher
  • A Visual Basic (VB) script, UpdatePassword.vbs
  • A hot fix (HF1) for DLP 11.5 (or higher)

All files are encrypted to a Default Password when written to removable media. Files are then checked against the list of files that DLP has identified as sensitive. Sensitive files remain encrypted. Files that are not sensitive are decrypted. Files that are encrypted include those that are copied or moved to the device, or modified once on the device.

To install and deploy the hot fixes

As an administrator:

  1. Obtain the hot fix packages from your Symantec Support contact.
  2. Upgrade SEE-RS to version 8.2.1 MP9 or higher.
  3. Upgrade your DLP 11.5 installation to DLP 11.5.HF1 or higher.
  4. Make sure that you have enabled the following policies in SEE Removable Storage:
    • Encrypt files as per Symantec DLP for Endpoint
      (Removable Storage Computer Policy, Security Level Options panel, Automatic Encryption feature)
    • Allow users to set a Default Password
      (Removable Storage Computer Policy, Default Passwords panel)
  5. Deploy the VB script to all SEE Removable Storage endpoints. Use any distribution method, including GPO, Tivoli, SMS, and so on. For the script to create a Default Password for a user, the following endpoint conditions are required:
    • The user must have a Windows account.
    • The user must be a registered user with SEE Removable Storage.
    • The user must be logged on (have an active Windows session) when the VB script runs.

Attachments

UpdatePassword.safevbs