Any secure environment will include security applications as part of a best-practice strategy to ensure the environment's data is protected.
Security software sometimes interacts with other security software, and applications may need to be added to an "Exclusion" or "Approved" list in order to run properly.
This article covers the applications that Symantec Endpoint Encryption and Symantec Encryption Desktop need in order to function properly, so that other applications do not block them.
It lists all the SEE and SED (PGP) services that need to be added for full functionality, including checking in with the server.
Signs that security software may be interacting with or blocking Symantec Encryption include the following behavior:
* Systems may encounter blue screens during installations or upgrades of the Encryption software.
* Certain operations within Encryption may suddenly stop functioning properly when Encryption has always worked.
* The Encryption application may not launch properly.
* Installations may not occur properly.
Other scenarios may also occur. Even if you do not think the software is being blocked, it is a good practice to add these binaries to your safe list to ensure they are not blocked.
In some instances, it may be necessary to work with third-party vendors to ensure proper system stability.
Security software updates may change behavior, and adding these proactively could save you time and effort down the road.
The following executables should be added to any exclusion/safe lists for security applications, such as DLP and others, to ensure the services are allowed to run. In addition to adding the services, it is frequently necessary to also allow the protocol used for communication back to the servers, so that http/https communication to the destination host is not blocked by any of these applications.
For example, Symantec Endpoint Encryption uses the management agent services to communicate with the server via http/https protocols. If this communication is blocked, the clients will not be able to check in with the server.
Note: It may be necessary to add the actual path of these locations as well as the specific services themselves to be able to install and run Symantec Encryption applications.
EFI Area of the Operating System
The software modifies the EFI area of the operating system. These are low-level areas of the OS, and they also need to be allowed so that the PGP or SEE applications can make the needed adjustments.
For PGP, EFI is modified at the time of encryption.
For SEE, EFI is modified at the time of installation (before encryption).
Make any necessary adjustments to allow these to happen. When PGP is upgraded to SEE, even more modifications are made.
Symantec Endpoint Encryption Management Server services\executables (SEE - Two Directory paths):
C:\Program Files (x86)\Symantec\Symantec Endpoint Encryption Management Server\Services
C:\Program Files\Symantec\Symantec Endpoint Encryption Management Server\Services
Symantec.Endpoint.Encryption.ADSync.exe (GEADSync)
Symantec.Endpoint.Encryption.ConfigManager.exe
Symantec.Endpoint.Encryption.DBConfigValidator.exe
Symantec.Endpoint.Encryption.NovellSync.exe (GENovellSync)
Symantec.Endpoint.Encryption.Telemetry.Transmitter.exe
SEE Management Agent (Client Communication):
C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent
EACommunicatorSrv.exe
EAFRCliManager.exe
EAFRCliStart.exe
SEEMASharedUI.exe
SEEMAUIApp.exe
SeemaAdminUIApp.exe
SEE Drive Encryption:
C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption
eedAdminCli.exe
eedRecoveryGui.exe
eeduser.exe
eedService.exe
WDEUpgrade.exe
SEE Bitlocker Client:
C:\Program Files\Symantec\Endpoint Encryption Clients\BitLocker
BitLockerClientUI.exe
SymBitLockerService.exe
SEE Removable Media Encryption:
C:\Program Files\Symantec\Endpoint Encryption Clients\Removable Media Encryption
EERAccessUtility.exe
EERApplication.exe
EEREncryptBurnCmd.exe
EEREncryptBurnGUI.exe
EERSDAEncryptor.exe
EERShellExExeModifier.exe
Symantec Endpoint Encryption for macOS
/Library/Application Support/Symantec Endpoint Encryption/SEEd
/Library/Application Support/Symantec Endpoint Encryption/SEEAgent.app
/Applications/Symantec Endpoint Encryption.app
Allow the following folders and all of their contents. These locations are where PGP reads and writes data (PGP):
C:\Users\[username-here]\Documents\PGP
C:\Program Files (x86)\PGP Corporation\PGP Desktop
C:\Program Files (x86)\Common Files\PGP Corporation\Strings
C:\Users\[username-here]\AppData\Roaming\PGP Corporation\PGP
PGP Binaries:
C:\Program Files (x86)\PGP Corporation\PGP Desktop
PGPcbt64.exe
PGPdesk.exe
PGPmnApp.exe
pgpnetshare.exe
PGPtray.exe
PGPwde.exe
pgpstart.exe
PGP Viewer.exe
PGPfsd.exe
C:\Program Files\PGP Corporation\PGP Desktop (PGP)
EncryptionService.exe
C:\Windows\System32 and C:\Windows\SysWow64 (Allow only the following files - PGP):
PGPfsshl.dll
PGPhk.dll
PGPiconv.dll
PGPlsp.dll
PGPmapih.dll
PGPmn.dll
PGPsdk.dll
PGPsdkNL.dll
PGPsdkUI.dll
PGPtcl11.dll
PGPwinot.dll
C:\Windows\System32\drivers (allow only the following files - PGP):
PGPce.inf
PGPce.sys
PGPce.sys.sig
PGPdisk.sys
PGPfsfd.sys
PGPsdk.inf
PGPsdk.sys
Symantec Encryption Desktop for macOS (PGP)
/Applications/Encryption Desktop.app
/Applications/PGP Shredder.app
/Applications/PGP Viewer.app
/Library/Application Support/PGP/PGPsyncEngine.app
/Library/Application Support/PGP/PGP Engine.app
Note on PGP 11.0.1 and above:
PGPce.dll is signed by PGP, and there is a .sig file associated with it in case you do not see it passing digital signature checks.
PGPsdk.dll is now signed in 11.0.1 and above.
For macOS Big Sur 11 and above, the Network Kernel Extension (NKE) is replaced with a Network System Extension:
Run the following command to see if the PGP Network System Extension is loaded:
systemextensionsctl list | grep pgp
Make note of the status. This extension should be "Activated" and "Enabled".
If it is not, check to see if any extensions have been blocked.
If you install Symantec Encryption Desktop, you may be prompted to allow the application. If you are not prompted, open System Preferences, go to Network, and check to see if "PGPNEProxy" has been blocked. Allow this and run the above commands again to see if this will allow the application to load properly.
For macOS 10.14 (Mojave) and older, run the following command:
kextstat | grep PGP
com.pgp.iokit.PGPdiskDriver
com.pgp.kextPGPnke
If the above two PGP kernel extensions are not loaded, check your security software to make sure these kernel extensions can be allowed to load.
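Added example, not part of the original article and not Symantec tooling: a shell script that evaluates the output of the two commands above, reporting which of the two named kernel extensions are missing and whether the system extension state is "activated enabled". The function names are this example's own, and the sample outputs (addresses, versions, team ID, com.example bundle ID) are constructed placeholders.

```shell
#!/bin/sh
# Added example: evaluates saved output of the article's two macOS commands.
# Bundle IDs below are the two kernel extensions the article names.
REQUIRED_KEXTS="com.pgp.iokit.PGPdiskDriver com.pgp.kextPGPnke"

# Reads `kextstat` output on stdin; prints each required bundle ID that is
# absent. Fields are compared exactly, so a look-alike name does not pass.
missing_kexts() {
    awk -v want="$REQUIRED_KEXTS" '
        { for (i = 1; i <= NF; i++) seen[$i] = 1 }
        END {
            n = split(want, ids, " ")
            for (i = 1; i <= n; i++) if (!(ids[i] in seen)) print ids[i]
        }'
}

# Reads `systemextensionsctl list` output on stdin; prints the bracketed state
# of the first PGP entry (empty if none). -i is broader than the article's grep.
sysext_state() {
    grep -i pgp | sed -n 's/.*\[\(.*\)].*/\1/p' | head -n 1
}

# Succeeds only for the state the article expects: activated and enabled.
sysext_ok() {
    [ "$(sysext_state)" = "activated enabled" ]
}

# Constructed sample: only one of the two kexts is loaded (values are made up).
sample_kextstat() {
    cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  151    0 0xffffff7f80000000 0x6000     0x6000     com.pgp.iokit.PGPdiskDriver (0.0.0) 00000000-0000-0000-0000-000000000000 <5 4 3 1>
EOF
}

# Constructed sample: extension installed but not yet allowed by the user.
# Team ID and bundle ID are placeholders, not the product's real identifiers.
sample_sysext() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' '' '' 'TEAMID0000' \
        'com.example.pgp.PGPNEProxy (0.0/0)' 'PGPNEProxy' '[activated waiting for user]'
}

# Demo on the constructed samples; on a Mac, pipe the real commands in instead.
echo "kexts not loaded: $(sample_kextstat | missing_kexts | tr '\n' ' ')"
if sample_sysext | sysext_ok; then echo "system extension: OK"
else echo "system extension state: $(sample_sysext | sysext_state)"; fi
```

On a Mac, feed the real output in, for example kextstat | missing_kexts on macOS 10.14 and older, or systemextensionsctl list | sysext_ok on Big Sur and above.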
Reach out to Symantec Encryption Support for further guidance if the above has not helped.