In any secure environment security applications will be involved, which is all part of a best practice strategy to ensure the environment's data is protected.
Sometimes security software will interact with other security software and it may be needed to add applications to an "Exclusion" or "Approved" list for the applications to run properly.
This article will go over all the needed applications for Symantec Endpoint Encryption and Symantec Encryption Desktop to function properly and to prevent other applications from blocking.
This article will list all the SEE and SED (PGP) services that need to be added for full functionality including checking in with the server.
Some clues that security software may be interacting with Symantec Encryption or could be blocking include some of the following behavior:
*Systems may encounter blue screens during installations or upgrades of the Encryption software.
*Certain operations within Encryption may not function properly all of a sudden when Encryption has always worked.
*The Encryption application may not launch properly.
*Installations may not occur properly.
There could be other scenarios or situations that may occur, but even if you may not think the software is blocking, it is a good best practice to add these binaries to your safe list to ensure they do not block.
In some instances, it may be needed to collaborate with third-party vendors to ensure proper system stability.
Security software updates may change behavior and having these added proactively could save you time and effort down the road.
The following executables should be added to any exclusions/safe lists for Security applications, such as DLP and others to ensure the services are allowed to run. In addition to adding the services, it is frequently necessary to also allow the protocol for communication back to the servers to ensure http/https communications is not blocked by any of these applications to the destination host.
For example, Symantec Endpoint Encryption uses the management agent services to communicate to the server via http/https protocols. If this communication is blocked, the clients will not be able to check in with the server.
Note: It may be necessary to add the actual path of these locations as well as the specific services themselves to be able install and run Symantec Encryption applications.
EFI Area of the operating System
As part of our software, It will modify the EFI area of the operating system and these are low-level areas of the OS, these also need to be allowed so that the PGP or SEE applications can make the needed adjustments.
For PGP, EFI is modified at the time of encryption.
For SEE, EFI is modified at the time of installation (before encryption).
Make any necessary adjustments to allow these to happen. When PGP is upgraded to SEE, even more modifications are made.
Symantec Endpoint Encryption Management Server services\executables (SEE - Two Directory paths):
C:\Program Files (x86)\Symantec\Symantec Endpoint Encryption Management Server\Services
C:\Program Files\Symantec\Symantec Endpoint Encryption Management Server\Services
SEE Management Agent (Client Communication):
C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent
SEE Drive Encryption:
C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption
SEE Bitlocker Client:
C:\Program Files\Symantec\Endpoint Encryption Clients\BitLocker
SEE Removable Media Encryption:
C:\Program Files\Symantec\Endpoint Encryption Clients\Removable Media Encryption
Symantec Endpoint Encryption for macOS
/Library/Application Support/Symantec Endpoint Encryption/SEEd
/Library/Application Support/Symantec Endpoint Encryption/SEEAgent.app
/Applications/Symantec Endpoint Encryption.app
Allow the following folders and all contents therein, these locations are where PGP reads/writes data from/to (PGP):
C:\Program Files (x86)\PGP Corporation\PGP Desktop
C:\Program Files (x86)\Common Files\PGP Corporation\Strings
C:\Program Files (x86)\PGP Corporation\PGP Desktop
C:\Program Files\PGP Corporation\PGP Desktop (PGP)
C:\Windows\System32 and C:\Windows\SysWow64 (Allow only the following files - PGP):
C:\Windows\System32\drivers (allow only the following files - PGP):
Symantec Encryption Desktop for macOS (PGP)
/Library/Application Support/PGP/PGP Engine.app
For macOS Big Sur 11 and above, the Network Kernel Extension(NKE) is replaced with a Network System Extension:
Run the following command to see if the PGP Network Kernel Extension is loaded:
systemextensionsctl list | grep pgp
Make note of the status. This Kernel Extension should be "Activated" and "Enabled".
If this is not, check to see if any kernel extensions have been blocked.
If you install Symantec Encryption Desktop, you may be prompted to allow the application. If you are not prompted, Open System Preferences, go to Network, and check to see if "PGPNEProxy" has been blocked. Allow this and run the above commands again to see if this will allow the application to load properly.
For macOS 10.14 (Mojave) and older, run the following command:
kextstat | grep PGP
If the above two PGP kernel extensions are not loaded, check your security software to make sure these kernel extensions can be allowed to load.
Reach out to Symantec Encryption Support for further guidance if the above has not helped.
Keywords: Symantec Endpoint Encryption Exclusions
Symantec Encryption exclusions
symantec encryption safe list