
Data Protection

9 Posts tagged with the encryption tag

Full disk encryption fundamentally changes the way that IT organizations manage their systems. Resolving these challenges, and making the administrator's life easier is a big focus for the McAfee Endpoint Encryption for PC team. Today we have released a new utility that makes it much easier for organizations to upgrade and re-image their encrypted systems. As IT organizations move away from Windows XP and focus on upgrading their endpoints to Windows 7, this utility will be incredibly valuable. The best part is that we are providing this utility at no cost.


We are calling this the RefreshTool. The actual executable name is SbWinUpgrade, and those who participated in the beta may know it as that - but we'd like to refer to it as the RefreshTool going forward. The reason is that the tool does more than allow you to upgrade. It also lets you re-image systems (going from Win7 to Win7, for example). This will be useful for all those organizations that are moving to a user self-service re-imaging support model. The utility also allows you to install service packs on systems, something that was previously unsupported.


The tool is very small and very simple. It is a command line utility and can be called from any script or program, but our documentation shows how to implement the utility with the standard Microsoft applications (Microsoft Deployment Toolkit, User State Migration Tool, etc.). The tool is necessary because OS refresh, re-image, and service pack installation activities change data on the hard disk in a way that would break EEPC. A simple example is the fact that the master boot record gets modified by an OS refresh; any modification of the MBR will break EEPC. The idea of this utility is that it allows you to modify EEPC so that the refresh operations do not break it. This is a precise dance in which the moves of each partner must be carefully coordinated. The documentation explains exactly when and how to execute each command. If you follow this carefully, you will have a stable and repeatable process for refreshing the operating system on your endpoints without having to decrypt and re-encrypt them.


Get the utility and documentation here


McAfee Endpoint Encryption for PC version 6.1 is scheduled for release in Q1 2011. This is the first version of the product to offer an upgrade path for customers currently using version 5. EEPC version 6 is a major upgrade. The agent, the server and the database all receive significant updates – most notably, of course, is the change in management console. Version 6 is fully managed by McAfee ePO; this means you can retire your version 5 server and say goodbye to the proprietary SafeBoot database.

This upgrade was a hot topic at McAfee Focus 2010. By far, the most commonly asked question was “Do I need to decrypt and re-encrypt my machines?” The answer is no. Here’s a quick summary of the commonly asked questions.

Do I need to decrypt and re-encrypt my machines?

No. The upgrade process is designed to simply transfer the key from the old agent to the new agent. This is how we have always done upgrades. If you recall, the upgrade from v4 to v5 worked similarly.


What version 5 build do I need to be on in order to upgrade to v6.1?

5.1.7 is the minimum supported version for clients and server.


What version of ePO do I need?

ePO 4.5 patch 4 or later and McAfeeAgent 4.5 patch 1 or later.


What impact will it have on the end user?

With the release of v6.1.1 the end user no longer has to reset their password as part of the upgrade process. Now the EE Migration utility can export all user information (including passwords and SSO details) to ePO. This means the upgrade process is now completely transparent to the end user.


Can I do the upgrade in phases or will the upgrade be immediately deployed to all endpoints?

ePO allows you to do phased deployments. You can push to a single system or to a test group. ePO also allows you to track the upgrade progress with reports and dashboards. Also, you can use a third-party tool to deploy the v6 installers in a phased manner.


What are the steps involved in the upgrade?

First, understand that the upgrade is easy. You simply deploy the v6 agent over the top of the v5 agent. It is that simple. We have an upgrade document (attached) that fully explains the process, but this is how I see most upgrades happening:

  1. Install and configure the EE and EEPC components in ePO, following this guide: ide-for-mcafee-eepc-v6
  2. Manually create EEPC v6 policies based on your v5 policies
  3. Create a deployment task that targets the upgrade to a small test group of systems
  4. Wake up the test agents
  5. The endpoints will receive v6 and prompt for a reboot after the install
  6. After the reboot the v5 agent gives the encryption keys to the v6 agent, and then v5 is uninstalled. The v6 agent then registers those keys with ePO and the agent upgrade is complete.
  7. On the next reboot, the user will see the v6 pre-boot environment.


Note: Other tasks like setting up role-based access control and creating reports should also be done as part of the upgrade, but are not necessary in order to test the process.


Note: The upgrade document focuses on an upgrade tool. This tool is primarily designed to preserve user-to-machine mappings. It will be useful for organizations with complex user provisioning schemes, but I think most customers can do the upgrade without it. EEPC v6 has the ability to automatically provision currently logged in users and cached profiles to the system (in v5 we used custom scripts or the autodomain script to do this). This feature allows us to ignore the user mappings that were established in v5 because the v6 agent will simply recreate them as part of the upgrade.


How do I transfer my policies?

You don’t. The policies are different in ePO, so part of the upgrade process is to manually port your v5 policies to v6. For most customers, this will be a 20 minute task.


Are there any reasons to stay with version 5 and not upgrade to 6.1?

Yes. EEPC v6 requires Active Directory. If you do not use Active Directory for user management, then you should stay on version 5. There are some plans on the roadmap to support other LDAPs, but those will not be immediately available in v6.1, so stay tuned.


Will WinTech and SafeTech work on endpoints encrypted with v6.1?

No. You will need to upgrade your support tools. The new tool is called EE Tech, and like the previous tool it will be available as a standalone version and also as a Windows application that can be built into PE environments or run from a "recovery workstation" so that you can rescue data from "slaved" drives.



If you have additional questions or concerns please post a comment!


Removable media security can mean a lot of different things. For some, it is the ability to "turn off" ports. For others, it means encrypting USB sticks. Different organizations have different needs, and the result has been lots of point products in the marketplace that only solve a part of the problem. The good news is that McAfee offers a comprehensive suite of data protection products. This suite covers all the common use cases and gives the added benefit of sharing a single management console - ePO. In this post, I'll outline our most common customer requests as use cases and then map those use cases to McAfee products. Generally speaking, you can cover all of these use cases with McAfee Total Protection for Data.


The best way to think about data protection for removable media is to break it down into three categories.

  • Block
  • Filter
  • Encrypt



McAfee Device Control is used to block removable media devices. This includes protection for common removable media, like USB sticks and CD/DVD media, but also has protection for other interfaces like Bluetooth. It also offers reporting so you can know who is trying to use the ports and how they are trying to use them. This visibility allows you to tune the policy and also allows you to show the effectiveness of your policy (you should see fewer violations over time).


Use Case: Block removable media

This is the simplest of use cases. The Device Control policy is set to block all removable media. The user is prevented from writing to or reading from the device. The event is recorded and sent to ePO for reporting. Optionally, a warning message can be displayed to the user. This, hopefully, teaches them about your security policy and modifies their behavior over time.


Use Case: Make removable media read only

This is a less restrictive Device Control policy. It allows the user to read data from their removable storage device, but stops data loss by making it read only. This can be useful when you have contractors or consultants on site and they need to share data with you, but you don't want to leak any data to their devices.


Use Case: Standardize on a secure device

This policy grants users read and write access to the device, but only if the device has been approved. The most common type of approved device is a pre-encrypted USB stick. McAfee, for example, sells pre-encrypted USB sticks and also partners with SanDisk to offer ePO management of their encrypted USB sticks.

McAfee Device Control Demo

Part 1

Part 2

Part 3



McAfee Host Data Loss Prevention is used to filter content copied to removable media. Device Control gives very granular control over devices. Host DLP does the same thing, but for data. The policy could be set to allow any kind of removable media to connect to systems, but Host DLP would prevent any sensitive data from being transferred to those devices. Like Device Control, Host DLP also offers rich reporting and warning prompts to the end user.


Use Case: Prevent transfer of sensitive data to removable media

Host DLP finds sensitive data based on template or custom content types (social security numbers, credit cards, etc). The policy then prevents that data from being copied to removable media. This preserves the end user's ability to work with removable media without putting the organization at risk for data loss.


Use Case: Ensure all sensitive data is encrypted when transferred to removable media

Integration with our encryption products allows Host DLP to do more than just prevent sensitive data transfers to removable media. The policy can be set to encrypt sensitive files when they are transferred to removable media. This allows the use of removable media and allows sensitive data to be on removable media, but only if the data is encrypted. You can see a demo of this integration here:


McAfee Endpoint Encryption for Files and Folders is used to encrypt removable media. This is a popular choice because pre-encrypted USB sticks are more expensive, and often times it is difficult for organizations to standardize on a secure device. It can also be difficult to classify all data and be 100% accurate with Host DLP. Removable media encryption, at that point, becomes the logical choice. The policy is usually set to simply encrypt all removable media when it is plugged into the host system. This ensures all data copied to that media, is stored in an encrypted container and therefore fully secured while at rest.


Use Case: Encrypt all USB sticks

McAfee Endpoint Encryption for Files and Folders can be set to fully encrypt removable media. Typically, the policy is set to prompt the user and give them the option to encrypt the device. If they decline the option, then the device is made read only. If they accept, then all data is backed up and the device is formatted. Then the entire device is encrypted and the data is restored. At this point, the device is encrypted and it can be accessed on any system - as long as the user remembers their password. The simplicity of this approach, and the portability of the data make this a very popular option. You can see a demo of this here: Note: this feature is sometimes referred to as Endpoint Encryption for Removable Media (EERM).




Hybrid Use Cases

Having all three of these products managed by ePO allows even greater flexibility. Some organizations have very specific needs for different groups of people. ePO allows us to mix-and-match policy options to deliver coverage for more use cases. Also, ePO allows us to granularly assign these policies so we don't have to settle for global "one size fits all" policies.


  1. Encrypt all USB sticks, but block sensitive data from being transferred to those devices.
  2. Allow data transfer only to approved devices, but make non-approved devices read only
  3. Encrypt files transferred to non-encrypted USB sticks, but don't do file level encryption if the destination media is encrypted

     ... and many more




Removable media security is a complex task. McAfee's Data Protection products offer the flexibility to cover the most diverse use cases and augment that protection with a common management interface. The granular control and superior reporting offered by ePO gives administrators the flexibility they need and the assurance they desire to have confidence in their removable media protection strategy.


We now have a product presentation and live demo of EEPC v6 on The presentation covers the product features and how McAfee is unique in the industry. The demo shows six common use cases for encryption administrators. These include deployment, password recovery, policy updates, incident response and more.



Part 1:

Part 2:



Part 1:

Part 2:


Although ePO does a very good job of deploying Endpoint Encryption, many customers are required to deploy software via third-party tools. We can accommodate this requirement. In fact, it is a very simple process.


  • ePO 4.5 server
  • ePO 4.5 agent
  • Active Directory server is registered in ePO
  • EEPC is installed and configured as per the quick start guide


The Process

  • Determine if endpoints already have McAfee Agent v4.5 installed, if not build a framepkg.exe file from ePO and install before installing the EEPC components
  • Identify the target platform, 64bit or 32bit?
  • Execute appropriate MfeEEAgent.msi
  • Execute appropriate MfeEEPC.msi
  • Done (product will prompt for reboot and start encrypting after next sync to ePO)


Collect The Necessary Files

The EEPC installation is dependent upon the McAfee Agent being installed. If it is not installed, you will need to install it prior to attempting an EEPC install. To create an installer for the McAfee Agent that is specific to your environment, log in to ePO and then go to the System Tree. From there, click on System Tree Actions and then select New Systems. Select Create and download agent installation package. Then complete the other fields and click OK to proceed. The next screen will have a link to download the FramePkg.exe file. Remember, this step is not required if the McAfee Agent is already deployed in your environment.




The next file to collect is the installer for the McAfee Encryption Agent. This agent manages the encryption policies for all underlying encryption providers. This file can be extracted from the standard product download. EEPC is delivered as a zip file that contains four directories. The encryption agent installers are zipped in the Endpoint Encryption Host 1.0 directory. Go here and unzip the file. From there, copy the MfeEEAgent32.msi and MfeEEAgent64.msi. The file names indicate which platform they should be run on. For example, the MfeEEAgent32 is for 32bit platforms.




The final file to collect is the McAfee Endpoint Encryption for PC installer. This installer allows McAfee to use its software encryption technology to encrypt the disk. This file is also contained in the standard product download. The file is in the Endpoint Encryption for PC 6.0 directory. To get the files, unzip the file.




You now have all the files necessary to install McAfee EEPC via third-party tool. The MfeEEAgentxx.msi file should be run first and will not prompt for a reboot. The MfeEEPCxx.msi file should be run second and will prompt for a reboot when complete. After the reboot, the newly installed components will do an initial sync with ePO. After this sync encryption will start and the relevant policies will be enforced.
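The install order above (McAfee Agent first, then the Encryption Agent MSI, then the EEPC MSI, with the reboot left to the deployment tool) as a PowerShell wrapper a third-party deployment tool can call. This is an added example, not McAfee's own script; it assumes the installers sit in $SourceDir, that the McAfee Agent can be detected via its Windows service, that FramePkg.exe accepts the /install=agent /silent switches, and that the EEPC installers use the same 32/64 naming as the agent installers.

```powershell
# Added example, not McAfee's own script: wraps the third-party install order
# described above. Assumptions: the MSI files (and FramePkg.exe if needed) sit in
# $SourceDir, the McAfee Agent is detected via its Windows service, and the EEPC
# installers follow the same 32/64 naming as the agent installers.
param(
    [string]$SourceDir = (Get-Location).Path
)

$ErrorActionPreference = 'Stop'

# Assumption: McAfee Agent 4.5 registers the 'McAfeeFramework' Windows service.
function Test-McAfeeAgentInstalled {
    return [bool](Get-Service -Name 'McAfeeFramework' -ErrorAction SilentlyContinue)
}

# Run an MSI silently with a verbose log and interpret the msiexec exit code.
# Returns $true when a reboot is still pending, $false on plain success, throws otherwise.
function Install-Msi([string]$MsiPath) {
    if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }
    $log  = Join-Path $env:TEMP ((Split-Path $MsiPath -Leaf) + '.log')
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    switch ($proc.ExitCode) {
        0       { Write-Host "$MsiPath installed"; return $false }
        3010    { Write-Host "$MsiPath installed, reboot required"; return $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { Write-Host "$MsiPath installed, reboot initiated"; return $true }  # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec exit code $($proc.ExitCode) for $MsiPath (see $log)" }
    }
}

# 1. The McAfee Agent must be present before either EEPC component is installed.
if (-not (Test-McAfeeAgentInstalled)) {
    $framePkg = Join-Path $SourceDir 'FramePkg.exe'
    if (-not (Test-Path $framePkg)) { throw 'McAfee Agent missing and no FramePkg.exe found; build one in ePO first' }
    # Assumption: FramePkg.exe accepts the /install=agent /silent switches.
    $agent = Start-Process -FilePath $framePkg -ArgumentList @('/install=agent', '/silent') -Wait -PassThru
    if ($agent.ExitCode -ne 0) { throw "FramePkg.exe exit code $($agent.ExitCode)" }
    Write-Host 'McAfee Agent installed'
}

# 2. Pick the installer matching the OS, not the PowerShell process (a 32-bit shell
#    on 64-bit Windows sets PROCESSOR_ARCHITEW6432 instead).
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$bits = if ($is64) { '64' } else { '32' }
Write-Host "Target platform: ${bits}-bit"

# 3. Encryption Agent first (no reboot expected), then 4. EEPC (reboot expected).
$rebootAgent = Install-Msi (Join-Path $SourceDir "MfeEEAgent$bits.msi")
$rebootEepc  = Install-Msi (Join-Path $SourceDir "MfeEEPC$bits.msi")

# 5. /norestart suppressed the automatic reboot so the deployment tool controls it;
#    encryption starts after the reboot and the first sync with ePO.
if ($rebootAgent -or $rebootEepc) {
    Write-Host 'Reboot required to complete the EEPC install'
    exit 3010   # surface the standard "reboot required" code to the deployment tool
} else {
    exit 0
}
```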


If you have further questions, please contact your McAfee representative or engage professional services. You can also post questions in the comments!


Thousands of EEPC v5 customers will be moving to v6 this year. This upgrade includes a database migration step. To make this migration as fast and easy as possible, I've put together a list of best practices for properly maintaining a v5 database. These should be implemented on all v5 databases, but they are especially important for customers planning an upgrade to v6.


Note: Do not make these changes on your production database. First, make a copy of your production database and move it to a test server. Then execute these steps on a test server. Once the steps have been successfully executed and validated in a test environment, simply repeat them on the production server (with the database service stopped).


Step 1: Is My Database Broken?

The first step is to check the database for corrupt objects. Corruption can happen for lots of reasons, but the most common ones are too much concurrency and another application interfering with our service's attempts to write to the database (such as antivirus software). Corruption usually causes errors that are hidden from the administrator, so it is difficult to know if you have corruption. The command line tool (SBADMCL) can be used to check for corruption.


Find corrupt user objects by running the command CleanupUserGroup. This command will find the corrupt objects and delete them. Note that the group parameter does not support asterisk (*) as an input, so you need to do each group individually. Also, this command does not support the -file parameter, so if you want to save the results you'll have to pipe it to a file by appending >filename.txt to the end of the command.

Syntax: SBADMCL -adminuser:admin -adminpwd:password -command:cleanupusergroup -group:"endpoint encryption users"




Find corrupt machine objects by running the command CleanupMachineGroup. This is the same as CleanupUserGroup, but it evaluates machine objects.

Syntax: SBADMCL -adminuser:admin -adminpwd:password -command:cleanupmachinegroup -group:"endpoint encryption machines"




Find orphaned user objects and restore them with the RestoreUsers command. This is the same as running a group scan from the UI, but using the command line allows you to automate it. The -group parameter allows you to specify the group to which orphaned objects should be restored.

Syntax: SBADMCL -adminuser:admin -adminpwd:password -command:restoreusers -group:"orphaned users"




Find orphaned machine objects and restore them with the RestoreMachines command. This is the same as the RestoreUsers command, but for machine objects.

Syntax: SBADMCL -adminuser:admin -adminpwd:password -command:restoremachines -group:"orphaned machines"




The goal of this first exercise is to find all invalid objects and delete them, and then to find all orphaned objects and restore them. If you complete these steps, you will have found all instances of database "corruption" and fixed them.
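Because -group does not accept an asterisk and the cleanup commands have no -file parameter, the Step 1 commands above end up being run once per group with their output redirected by hand. The following PowerShell script is an added example, not McAfee's own, that automates exactly that; it assumes SBADMCL.exe is on the PATH of the test server, and the group names other than the two defaults from the syntax lines are constructed placeholders.

```powershell
# Added example, not McAfee's own script: runs the Step 1 SBADMCL commands shown
# above over several groups, one call per group, capturing each command's output
# to its own file. Assumptions: SBADMCL.exe is on the PATH of the test server and
# the group names below (other than the two defaults from the post) are constructed.
param(
    [string]$AdminUser = 'admin',
    [string]$AdminPwd  = (Read-Host -Prompt 'EEM admin password'),   # SBADMCL takes it on the command line, as in the syntax above
    [string]$OutDir    = 'C:\EEPC-maintenance'
)

# -group does not accept *, so every group to clean is listed explicitly.
$UserGroups    = @('endpoint encryption users',    'Finance users')     # constructed
$MachineGroups = @('endpoint encryption machines', 'Finance machines')  # constructed

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Run one command for one group. The cleanup commands have no -file parameter,
# so stdout and stderr are redirected to a per-command, per-group text file.
function Invoke-SbAdmCl([string]$Command, [string]$Group) {
    $safe = $Group -replace '[^\w]', '_'
    $out  = Join-Path $OutDir "$Command-$safe.txt"
    # PowerShell quotes arguments containing spaces, so the group name reaches
    # SBADMCL exactly as the -group:"..." form in the syntax lines above.
    $cliArgs = @("-adminuser:$AdminUser", "-adminpwd:$AdminPwd",
                 "-command:$Command", "-group:$Group")
    & SBADMCL @cliArgs 2>&1 | Out-File -FilePath $out -Encoding ASCII
    # Assumption: SBADMCL sets a non-zero exit code when a command fails.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$Command failed for '$Group' (exit $LASTEXITCODE), see $out"
    } else {
        Write-Host "$Command completed for '$Group' -> $out"
    }
}

# Delete corrupt objects group by group (run against the test copy first, per the note above) ...
foreach ($g in $UserGroups)    { Invoke-SbAdmCl -Command 'cleanupusergroup'    -Group $g }
foreach ($g in $MachineGroups) { Invoke-SbAdmCl -Command 'cleanupmachinegroup' -Group $g }

# ... then restore orphaned objects into their holding groups.
Invoke-SbAdmCl -Command 'restoreusers'    -Group 'orphaned users'
Invoke-SbAdmCl -Command 'restoremachines' -Group 'orphaned machines'
```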


Step 2: Purge

Like all databases, the EEPC v5 database needs to be pruned regularly. The best practice is to first delete old objects, and then purge the audit data for the remaining objects.


Identify old objects with the ShowOldUsers and ShowOldMachines commands. Then use this data as input to the DeleteUser and DeleteMachine commands. This cannot be done with a single command, so you will need to use a custom script. I have attached an example batch script here, but would recommend using professional services to assist with this script. McAfee cannot support custom scripts, only the underlying commands.



Clear the audit data for all users with the DumpUserAudit command. You can use the -cleardaysold parameter to set how many days of data to retain. This command does support the asterisk (*) in the -group parameter. Consider retaining more data for administrators whose audits contain more meaningful events (admin activities like password resets, etc). For end users I recommend retaining no more than 10 days of data.

Syntax: SBADMCL -command:dumpuseraudit -adminuser:admin -adminpwd:password -file:all_users_audit.txt -group:* -cleardaysold:10




Clear audit data for all machines with the DumpMachineAudit command. This is the same as the DumpUserAudit command, but it looks at machine objects.

Syntax: SBADMCL -command:dumpmachineaudit -adminuser:admin -adminpwd:password -file:all_machines_audit.txt -group:* -cleardaysold:10




The goal of step two is to remove old and unnecessary data from the database. If you have deleted old objects and purged the audits for the remaining objects, then you are done with this step.


Step 3: Tune for Maximum Performance

We have written a general best practices guide for EEPC. I recommend reading that in its entirety, but I'll highlight three key points in this document.


Index the database with a dbcfg.ini file. If you already have indexing in place, make sure you are properly managing the re-indexing. To enable indexing, you simply drop a dbcfg.ini file into the SBDATA directory. It will then index the database and create a names.dat and several names.0xx files in the database's file structure.

Example in C:\Program Files\McAfee\Endpoint Encryption Manager\SBDATA\00000001


Check that the timestamp next to these files is in the last one day for smaller deployments (25,000 or less) and within the last seven days for larger deployments. This ensures that your database is re-indexing on its expected schedule. If it is not, then work with professional services to get a toastcache script or to work out another process.
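The timestamp check above, as an added PowerShell example rather than anything from McAfee: it reports the names.dat and names.0xx files and flags any that were not rewritten within the window the post gives (one day at 25,000 nodes or fewer, seven days above that). It assumes the database directory is the example path from the post and that the administrator supplies the node count.

```powershell
# Added example, not McAfee's own script: checks that the index files created by
# dbcfg.ini were rewritten within the window given above (one day for 25,000 nodes
# or fewer, seven days above that). Assumptions: $DbDir is the database directory
# from the example path in the post, and the admin supplies the node count.
param(
    [string]$DbDir     = 'C:\Program Files\McAfee\Endpoint Encryption Manager\SBDATA\00000001',
    [int]   $NodeCount = 20000
)

function Get-ReindexWindowDays([int]$Nodes) {
    if ($Nodes -le 25000) { return 1 } else { return 7 }
}

function Test-IndexFreshness([string]$Path, [int]$Nodes) {
    # dbcfg.ini is dropped into SBDATA; accept it in either the database dir or its parent.
    $hasCfg = (Test-Path (Join-Path $Path 'dbcfg.ini')) -or
              (Test-Path (Join-Path (Split-Path $Path -Parent) 'dbcfg.ini'))
    if (-not $hasCfg) { Write-Warning "No dbcfg.ini found for $Path; indexing is not enabled"; return $false }

    # names.dat plus names.0xx are the files the indexer rewrites on each run.
    $index = @(Get-ChildItem -Path $Path -Filter 'names.*' |
               Where-Object { -not $_.PSIsContainer -and $_.Name -match '^names\.(dat|\d{3})$' })
    if ($index.Count -eq 0) { Write-Warning "dbcfg.ini present but no names.* files in $Path yet"; return $false }

    $window = Get-ReindexWindowDays $Nodes
    $cutoff = (Get-Date).AddDays(-$window)
    foreach ($f in $index) { Write-Host ('{0,-12} {1}' -f $f.Name, $f.LastWriteTime) }

    $stale = @($index | Where-Object { $_.LastWriteTime -lt $cutoff })
    if ($stale.Count -gt 0) {
        Write-Warning "$($stale.Count) of $($index.Count) index files are older than $window day(s); check the re-index schedule"
        return $false
    }
    Write-Host "All $($index.Count) index files were rebuilt within the last $window day(s)"
    return $true
}

if (Test-IndexFreshness -Path $DbDir -Nodes $NodeCount) { exit 0 } else { exit 1 }
```

A non-zero exit code makes the check usable from a scheduled task or monitoring job, which is where the "work with professional services" escalation above would be triggered.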


Check your antivirus settings. It is not sufficient to simply exclude the SBDATA directory from scanning. You should also mark all of the applications as "low risk" or exclude them from scanning. The most important application is sbdbserver.exe, but others like sbadmin.exe and sbadmcl.exe should be considered as well. If you are using McAfee VSE, do not scan these applications on reads or writes.



Finally, monitor the number of concurrent connections on your server. You can do this by logging into the console and going to the system tab. Then expand the list of servers and right-click on your active server. Select "Show Status". In the log window, it will show the number of concurrent connections. If this is above 100, you should tune your sync settings. Increase the regular sync to 360 or 480 minutes (or higher if necessary). As a reference point, I have a customer in the US who has 115,00 nodes reporting to their database and their average number of concurrent connections is between 75 and 90. If you have more than this, you probably have set your sync settings too aggressively.




Endpoint Encryption for Removable Media (EERM) is a subset of functionality within the Endpoint Encryption for Files and Folders (EEFF) product. While EEFF can encrypt any file or folder in any location (local drive, network share, etc.), EERM was designed specifically to encrypt USB sticks and other removable media storage devices. One of the main benefits of EERM is its portability. The software is completely self-contained on the USB stick and does not require the host computer to have any other McAfee software installed. A user can encrypt the device on one PC and access the data from any other PC, as long as they know their password.


To achieve this portability, McAfee had to design a completely independent authentication system for the USB stick. This authentication system is separate from the authentication used by EEFF and EEPC (McAfee's full disk encryption software). For customers who use all of the products, the different authentication systems can be a source of confusion. The main thing to know is that EERM is designed to work completely independently of the other McAfee software and their authentication systems. It is possible to inter-mix the authentication systems from the different products (and there are some benefits to this approach if you also use EEPC), but I'll save that topic for another blog post.


Customers often ask us how to setup EERM so that the end user only sees the authentication screen for their USB stick and never sees any other McAfee encryption login screen. The trick for this is to simply disable all the non-EERM features in the EEFF policy. What follows is a step-by-step guide to enabling the EERM features and disabling all the other features in an EEFF policy.



  • No interaction between EEFF and EEPC is desired
  • Installed EEFF version is at least 3.2.x



  • Unlike regular EEFF policies, this policy does not need to be assigned to user accounts.
  • The policy is included in the exe and therefore will be enforced after install. The only way to change this policy is to run a new exe or login to EEFF on the client and synchronize. This will display a login prompt and the user should login with an account who has a different EEFF policy assigned.


High Level Process

  • Configure EEFF policy
  • Create install set from that policy
  • Deploy install set to endpoint
  • Reboot
  • Policy will be enforced for any USB stick (or other removable media) inserted into PC




Step By Step Procedure

Log in to McAfee Endpoint Encryption Manager (EEM) > Navigate to Policies tab > Expand EEFF policy group > make new policy or edit existing policy


General Tab

  • Show about option on system tray menu
  • Disable forcing of logon on first boot




File Extensions Tab

  • Leave blank




Folders Tab

  • Leave blank




Removable Media Tab

  • Use McAfee Endpoint Encryption for Removable Media (EERM)
    • Entire Device
    • Allow Recovery Password (optional)
    • Allow User Questions (recommended)
    • Make unprotected files and folders Read-Only (recommended)




CD/DVD Encryption

  • Uncheck all options
    • Enabling any option on this screen will cause an additional EEFF authentication to be presented to the user. This happens because this uses the traditional EEFF (not the EERM) authentication mechanism.




Key Manager

  • Uncheck the enable inactivity timeout




User Local Keys

  • Leave blank




Encryption Options

  • Preserve file times






  • Uncheck all




*See the EEFF Quickstart Guide for instructions on making the installation set.


End User Experience

When the end user inserts a USB stick, the policy will prompt them to decide if they want to encrypt the device. If they choose yes, encryption will begin. If they choose no, then the device will be made read-only (this is configurable by policy).




The user then must complete the initialization process. In this step the password and recovery options are set.




When the user clicks the Initialize button, the USB stick is formatted and a new volume is created. If the USB stick contained data, it is backed up in the user's temp directory and restored to the encrypted volume when initialization is complete.




When the operation is complete, the user simply clicks OK.




Once the removable media is initialized by EERM, all data copied to it will reside in an encrypted container. Opening this container requires authentication. If autorun is enabled, the login screen will appear automatically when the USB stick is inserted. If autorun is disabled, then the user will have to navigate to the root of the drive and run the MfeEERM.exe.




Encrypted files have their names shown in green. These files will be decrypted on-the-fly when they are copied from the encrypted media to a PC. That PC does not need to have any software installed to view the file(s).



The Quick Start Guide is back by popular demand! You can find it here: de-for-mcafee-eepc-v6


The goal of this document is to get new customers up and running as quickly as possible. It assumes no prior knowledge of endpoint encryption. If you follow the steps carefully and expeditiously, you should have your first machine encrypting in about 15 minutes!


A recent article from David Campbell, also published on The Register, reminded us that there’s a lot of computing power available for rent at the moment. Using a pretty standard brute force password cracker as a benchmark, and Amazon’s EC2 computing platform cost of $.30 per hour, he came up with some surprising, and perhaps unexpectedly low, figures for how much money it takes to crack passwords of various strengths.


Brute forcing of passwords has often been dismissed due to the high amount of processing power it takes to make a dent in good password choices, but perhaps we sometimes forget that computing power is a lot less expensive than it once was, and is readily available. As you can pay for this kind of service via fraudulent means, and have it set up and available almost real time, the threat is very realistic.




David makes the comment:

As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor. Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have, and they wouldn’t be paying for the CPU cycles.


From Simon Hunt's Personal Blog