Symantec Endpoint Encryption Removable Storage Release Notes Symantec Endpoint Encryption Removable Storage 8.2.0 Symantec Endpoint Encryption Framework 8.2.0 www.symantec.com About Symantec Endpoint Encryption Removable Storage Symantec Endpoint Encryption Removable Storage allows enterprise organizations and government agencies to enjoy the benefits of removable storage devices while eliminating the liability, customer service, and brand erosion costs associated with data breach incidents. As part of Symantec Endpoint Encryption, Symantec Endpoint Encryption Removable Storage leverages existing IT infrastructures for seamless deployment and operation. Symantec Endpoint Encryption Removable Storage provides the industry’s most robust and comprehensive integration with Microsoft Active Directory for fast, simple deployment of endpoint data protection controls in a familiar administrative environment. What’s New Device Session Default Password If allowed by policy, users can now set a default password that lasts as long as the device remains connected or until the user logs off of Windows. Removable Storage Access Utility Distribution Administrators can now choose whether to distribute the Removable Storage Access Utility for Mac OS X, the Removable Storage Access Utility for Windows, or both. CD/DVD Burner Blocking Symantec Endpoint Encryption Device Control can now block all CD/DVD burning applications except the Removable Storage CD/DVD Burner application, ensuring enforcement of Removable Storage policy on optical media. eSATA Removable Storage now protects eSATA drives. Release Notes USB 3.0 USB 3.0 ports and devices are now supported. Multi-Factor Authentication Enhancements This release of Removable Storage features the following enhancements to multi-factor Client Console authentication. ■ Additional Readers Supported—ExpressCard smart card readers and Argus 3015 USB 2.0 Dual Card Reader (smart card slot only). ■ Additional Smart Cards Tested—Oberthur ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK, Oberthur ID-One 128K v5.5 (dual), and HID Crescendo C700. ■ Additional Software Supported—SafeSign Identity Client v3.0.40 and VeriSign PKI Client v1.5. ■ Additional Data Model Supported—SafeSign v2.1. Installation Notes Symantec Endpoint Encryption Framework 8.2.0 is only compatible with Symantec Endpoint Encryption Removable Storage 8.2.0 and Symantec Endpoint Encryption Full Disk 8.2.0. If you are running Symantec Endpoint Encryption Full Disk and plan to upgrade to Symantec Endpoint Encryption Removable Storage 8.2.0, you must also upgrade to Symantec Endpoint Encryption Full Disk 8.2.0. Resolved Issues Number Description MA23447 Attempts to access encrypted PST files on USB flash drives no longer cause occasional blue screens. MA23531 Removable Storage now encrypts files with names that begin with the $ symbol. MA24001 Third party utilities can no longer be used to recover unencrypted copies of files that were encrypted using the Removable Storage Access Utility for Windows. Known Issues Compatibility Number Third Party Product Description Workaround MA20688 Symantec Backup Exec Attempts to restore from backup may fail with the message, “Errors exist.” Remove and reinsert device. MA24144 Microsoft Security Essentials (MSE) After clicking to open an encrypted file, users may see XML code instead of the file contents. Remove and reinsert device. To prevent the issue from recurring, disable the MSE realtime protection feature. MA23517 Microsoft Application Virtualization (App-V) App-V cannot function when Symantec Endpoint Encryption Removable Storage is installed. Refer to the Symantec Endpoint Encryption knowledge base http://www.symantec.com/ business/support/index?page= content&key=55414&channel= TECHNICAL_SOLUTION Symantec Endpoint Encryption Removable Storage 8.2.0 Page 2 of 9 Release Notes Number Third Party Product Description Workaround MA22831 PGP Desktop Removable Storage blocks access to PGP Virtual Disks. MA21710 Windows Live File System If the user chooses to format a CD/DVD using the Windows Live File System, the existing encryption policy will be enforced on the CD/DVD but the automatic copying of the Removable Storage Access Utility will not. MA22034 Windows Server 2008 The CD/DVD burner bundled with Windows Server 2008 enforces Removable Storage encryption policies. MA21835 MA21950 MA20908 Volume Shadow Service (VSS) Administrators may experience intermittent failures with Windows programs that make use of Volume Shadow Service (VSS) on Symantec Endpoint Encryption Removable Storage–protected computers with operating systems other than Windows XP. Try again. MA11594 Anti-Virus Tools If an antivirus program scans a removable storage device, multiple password prompts may be generated. Enable group key, set Default Password, or set Default Certificate(s). MA11146 SanDisk U3 Software The use of SanDisk’s built-in U3 software to download U3 applications is not supported. MA12322 Media Transport Protocol (MTP) Policies will not be enforced on devices that are in Media Transport Protocol (MTP) mode. MA14639 Roxio Easy Media Creator If the encryption policy is set to Encrypt all and the disc is formatted with Roxio Drag-to-Disc, files dragged and dropped to CD/DVD using Windows Explorer will be encrypted. Users should insert a regular USB flash drive to obtain the Removable Storage Access Utility. Users can use the Removable Storage Access Utility from the alternate media to decrypt the CD/DVD. Installation/Upgrade Number Description Workaround MA24186 If an eSATA or USB 3.0 drive was connected during the installation of Full Disk and Removable Storage, the message “Update Settings failed” appears following the post-installation reboot. Shut the computer down. Remove the drive. Power on. Symantec Endpoint Encryption Removable Storage 8.2.0 Page 3 of 9 Release Notes Number Description Workaround MA23202 Novell users with Single Sign-On enabled are no longer logged onto Novell automatically following an upgrade from Symantec Endpoint Encryption Full Disk 7.0.7 or earlier or GuardianEdge Hard Disk 9.5.1 Patch 1 or earlier. Users must log on to the User Client Console, open the Novell SSO panel, select the Turn on Single Sign-On to Novell Netware check box, and click OK. MA22161 If a custom destination folder was chosen during the installation of GuardianEdge Management Server 9.2.2, 9.2.1, or 9.2.0, the default path shown in the Destination Folder page during the upgrade to 7.0.7 will be missing the final subdirectory. For example, if you chose C:\GuardianEdge\Management Server\ for your original installation files, C:\GuardianEdge will be the default. Click Change and navigate to the desired destination of the Symantec Endpoint Encryption Management Server files. MA20747 If a local instance is selected during the installation of the Symantec Endpoint Encryption Management Server, the Symantec Endpoint Encryption Management Server uninstallation will fail with the message, “Could not connect to Microsoft SQL Server.” Locate the GEServerConfig.xml file on the Symantec Endpoint Encryption Management Server machine. Find (local). Replace with the computer name of the Symantec Endpoint Encryption Management Server machine. Save and close the file. Try the uninstall again. Manager Console Number Description MA21307 If an XPS print job is canceled, the following error may be displayed, “The data area passed to a system call is too small.” MA20559 After clicking a column heading to sort by the column, the sort arrow will be displayed to the left of the column heading if the operating system is Vista or Server 2008. Symantec Endpoint Encryption Removable Storage 8.2.0 Workaround Page 4 of 9 Release Notes Number Description Workaround MA16623 Deploying an Active Directory policy that contains a change to the Client Administrator settings from an Symantec Endpoint Encryption 6.1.0 or later Manager to Symantec Endpoint Encryption 6.0.0 or earlier and/or GuardianEdge 8.5.3 or earlier clients will result in a failure of the new Client Administrator policy to be applied, a deletion of all existing Client Administrator policies, and a return to the Client Administrators specified in the original installation settings. When deploying an Active Directory policy from a 6.0.0 or earlier Manager, add the following WMI filter: Select * FROM Win32_Product WHERE (name=“Symantec Endpoint Encryption Framework Client” AND Version <= “6.0.0”) OR (name=“GuardianEdge Framework Client” OR name=“Encryption Anywhere Framework Client”) AND version <= “8.5.3”)) When deploying an Active Directory policy from a 6.1.0 or later Manager, add the following WMI filter: Select * FROM Win32_Product WHERE (name = “Symantec Endpoint Encryption Framework Client” AND version > "6.1.0") OR (name = “GuardianEdge Framework Client” AND version > "9.0.0") Microsoft Office Files Number Description Workaround MA21207 After a user opens and attempts to save a previously encrypted Microsoft Office 2003 or 2007 file residing on removable media other than CD/DVD when an Encrypt to CD/DVD only policy is in place, a “permission denied” error will occur. The user should select Save As instead of Save. Removable Storage Access Utility Number Description MA21347 The device must have free space equivalent to twice the size of each file to be encrypted to accomplish encryption using the Removable Storage Access Utility. MA21392 If a Mac OS X user adds a file or folder to the device, declines to encrypt it, then chooses to encrypt it later, the file may show a status of No in the Encrypted column and be inaccessible. Remove and reinsert the device. MA21252 Users will be unable to launch the Removable Storage Access Utility from Mac OS X computers if the RSMacAccessUtility.dmg file or the Mac Access Utility folder was renamed. Rename the folder to Mac Access Utility. Rename the file to RSMacAccessUtility.dmg. Try again. Symantec Endpoint Encryption Removable Storage 8.2.0 Workaround Page 5 of 9 Release Notes Number Description Workaround MA18663 The Removable Storage Access Utility will not be copied automatically to CompactFlash cards inserted into multi-card readers after Windows has loaded. Power down, insert the card, and power on. MA17816 MA17526 Upon closing the Removable Storage Access Utility on a PC, users will not be prompted to encrypt unencrypted files if the files were added to the device using Windows Explorer or using the Send to right-click menu option. Users should use the Removable Storage Access Utility to add files to their removable storage devices, not Windows Explorer. MA18337 Users may be able to copy two files or folders of the same name to a removable storage device using Windows Explorer or the Send to right-click menu option on a PC. MA17454 MA18230 When an Encrypt all policy is enforced in conjunction with the writing of the Removable Storage Access Utility to all devices, users may receive a Write Failed message after clicking Continue or Limited Access on the pre-existing files warning message and a 0 byte Autorun.inf file will be copied to their device. Users should be instructed to ignore these messages and occurrences. eSATA Drives Number Description MA23780 Attempts to launch the Removable Storage Access Utility from an eSATA drive connected using any port other than an eSATA port that was built into the original computer will fail. MA23836 MA23695 Removable Storage blocks access to eSATA drives connected using ports other than eSATA ports that were built into the original computer. Workaround File Decryption/Encryption Number Description Workaround MA23099 Due to Windows limitations, self-extracting executables larger than 4 GB fail to extract with the message, “file name.exe is not a valid Win32 application.” Users should not create a selfextracting executable larger than 4 GB. MA20076 MA21512 Users may be unable to decrypt files encrypted by the Removable Storage Access Utility from a Symantec Endpoint Encryption Removable Storage–protected machine—if the device is of a sector size other than 512 bytes. If the file was encrypted on a PC, you can use the Removable Storage Access Utility on a PC to decrypt the files. MA16902 Browsing the contents of removable storage devices using Windows Explorer, users may receive repeated decryption prompts for thumbs.db and image files when Thumbnails or Filmstrip is selected from the Windows Explorer View menu. The user should set a Default Password or Default Certificate(s) or else avoid viewing removable storage device files in these modes. MA24174 After upgrading to Symantec Endpoint Encryption from a GuardianEdge version, users cannot decrypt files encrypted under a Certificates only policy. Use the Removable Storage Access Utility of the version that you upgrade from to decrypt the files. Symantec Endpoint Encryption Removable Storage 8.2.0 Page 6 of 9 Release Notes Device Session Default Passwords Number Description Workaround MA23786 Removal of MultiMediaCards and Secure Digital cards does not result in the deletion of the Device Session Default Password. Users must remove the device from the computer to clear the Device Session Default Password. MA23801 A policy that allows users to set Device Session Default Passwords may occasionally prevent Removable Storage from caching decryption passwords on NTFS-formatted external hard drives. Remove and reinsert the device. Removable Storage may occasionally fail to set Device Session Default Passwords on NTFS-formatted external hard drives. MA23794 Removable Storage does not log an event in the Windows System Event Log when it fails to set the Device Session Default Password. iTunes Synchronization Number Description Workaround MA20798 Users who have synchronized photos from a machine not protected by Symantec Endpoint Encryption Removable Storage may experience encryption of the photos upon inserting the iPod Classic or Nano into a Symantec Endpoint Encryption Removable Storage– protected machine when an Encrypt all policy is in place. The user must resynchronize the iPod from the machine not protected by Symantec Endpoint Encryption Removable Storage. MA20803 MA20804 If an Encrypt all or Encrypt new policy is in place and the user places files in the Calendar, Contacts, Notes, Recordings, or Photos directories of their iPod Classic or Nano using iTunes, these files will be encrypted by Symantec Endpoint Encryption Removable Storage. Encrypted files will not be visible once the iPod is detached from the Symantec Endpoint Encryption Removable Storage–protected machine. Users must return to the Symantec Endpoint Encryption Removable Storage–protected machine to view the content. MA20895 MA20893 MA20902 If the user does not have iTunes closed when they plug in their iPod, synchronization may fail. Restore the iPod to its factory settings from a machine not protected by Symantec Endpoint Encryption Removable Storage. Ensure that users remember to close iTunes before plugging in their iPod. Number Description Workaround MA16932 If the key for an encrypted EXE file is not available, the file may bear the icon of an unassociated file. Ignore the incorrect icon display. File Icons Symantec Endpoint Encryption Removable Storage 8.2.0 Page 7 of 9 Release Notes Safely Remove Hardware Number Description Workaround MA15648 Under an Encrypt all policy on Windows XP SP1 and SP2 endpoints, if Continue is selected on the limited access message and the device contains both encrypted and unencrypted files, selection of Safely Remove Hardware from the Windows notification area may occasionally produce a message that the device cannot be removed. Upgrade to Windows XP SP3. MA20831 iPod Classic, Nano, and Shuffle devices cannot be safely removed. CD/DVD Number Description Workaround MA23901 The CD/DVD Burner application fails to cache the decryption password if an installation setting or policy is in place that allows users to set Device Session Default Passwords. MA15003 If a CD or DVD is in the drive when the user registers, the user will be unable to read the CD/DVD following registration. Log off Windows or reboot. Number Description Workaround MA19876 Users will have to log on to Novell and Windows separately following the installation of Symantec Endpoint Encryption Removable Storage, if Symantec Endpoint Encryption Full Disk is not also installed. Novell Logon Section 508 Number Description Workaround MA16937 JAWS does not always announce all of the information displayed within the Registration wizard and User Client consoles. Users should follow these steps: 1. Press INSERT+F9. 2. Select the frame that is of interest from the resultant Frames List dialog. 3. Click OK. 4. Press P. If this doesn’t work, restart JAWS and try the steps again. Legal Notice Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and Encryption Anywhere are either registered trademarks or trademarks of GuardianEdge Technologies Inc. (now part of Symantec) in the USA and/or other countries. Other names may be trademarks of their respective owners. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer Symantec Endpoint Encryption Removable Storage 8.2.0 Page 8 of 9 Release Notes Software - Restricted Rights” and DFARS 227.7202, “Rights in Commercial Computer Software or Commercial Computer Software Documentation,” as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com Symantec Endpoint Encryption Removable Storage 8.2.0 Page 9 of 9