By default, Endpoint Encryption Removable Media Encryption encrypts any files copied to a USB drive. With very few exceptions, it also encrypts any existing unencrypted files on the USB drive that are modified either by the end user or by an application.
In the case of some applications, it may not be apparent to the end user that the application has modified files on the USB.
This can result in the configuration files of third party applications being made unusable by the application. For example, an application may store configuration files in a specific folder on the USB and Removable Media Encryption may encrypt such files, causing the application to stop working properly.
Symantec Endpoint Encryption Removable Media Encryption 11.3 and above.
Symantec Endpoint Encryption Manager has a policy option that allows files with specific file extensions to be excluded:
If the third party application uses configuration files with unusual file extensions, using this policy to exclude certain file extensions may be able to resolve the issue of configuration files being encrypted.
However, if the third party application uses files with common file extensions, this policy will cause too many files not to be encrypted.
The third party application may use a specific folder on the USB drive. Currently it is not possible to exclude specific folders from being encrypted. Therefore, a feature request has been created to allow specific folders to be excluded from encryption.
Endpoint Encryption has two more policy options that may be useful in preventing Removable Media Encryption from encrypting the configuration files of third party applications. The first is Allow read-only access to files on removable media. However, this option lacks flexibility. The other option is Allow users to choose which gives the end user the ability to choose whether Removable Media Encryption will encrypt files. The default is not to encrypt files. These options appear as follows in Symantec Endpoint Encryption Manager policy:
Enabling the Allow users to choose option results in the User Preference option being visible in SEE Management Agent on the client:
This will prevent the third party's configuration files from being encrypted. Once the user has finished using the USB that contains third party application configuration files, they can change the User Preference to Encrypt new files.