EEFF v4.2 FAQs : General

Version 4

    NOTE : EEFF will henceforth be referred to as "File & Removable Media Protection".

    The necessary changes for the new product name will be incorporated in the next release v4.3.

     

     

    What versions of ePolicy Orchestrator (ePO) and MA are required for EEFF v4.2?
    McAfee ePolicy Orchestrator:

    ePO 4.6 Patch 2 and above

    ePO 4.6 Patch 6 and above is required to use the “Role Based Key Management” feature

     

    McAfee Agent:

    MA 4.6 and above

    MA 4.6 Patch 1 and above for Windows 8

    MA 4.8 Patch 1 and above is required to use the “Key Cache Expiry” feature


     


    Does EEFF v4.2 support Windows 8?

    Yes. Starting with EEFF v4.1 Patch 1, Windows 8 is supported.

    For details of supported Operating Systems, please refer to KB72735.

     


    What are the broad use cases that Endpoint Encryption for Files & Folders addresses?

    EEFF protects data on local drives, network shares and removable media devices.

    Specifically, it offers options to:

     

    • Encrypt files/folders on local drives
    • Encrypt files/folders on Network Shares
    • Encrypt removable media devices: usage of encrypted removable media devices can be restricted to the company’s environment (onsite access only), OR encrypted devices can be made readable on systems without having to install McAfee Encryption software
    • Encrypt email attachments

     

     

    Is the process of encrypting files/folders on local machines & network shares “policy driven” or “user driven”?

    It can be both.

    The Administrator can take the policy driven approach and configure policies to encrypt either:

    • Files of a certain type using the “File Encryption” policy

    • Folders in a specific location (either a local drive or a network share) using the “Folder Encryption” policy

    The Administrator can also allow users to selectively encrypt/decrypt files & folders by enabling the “Explicit Encrypt” & “Explicit Decrypt” options.


     

    What does the persistent encryption feature of EEFF mean?
    This feature ensures that an individual file remains encrypted even after the decrypt driver for Full Disk Encryption has been loaded. Without persistent encryption, all files are effectively decrypted when a user authenticates and gains access to Windows. With persistent encryption, the individual file remains encrypted, regardless of where it is copied or what application accesses it.



     

    Removable USB Media:

     

    What are the “Protection Level” options available for Removable Media?

    ·         Allow Unprotected Access

    ·         Allow Encryption (with offsite access)

    ·         Enforce Encryption (with offsite access)

    ·         Enforce Encryption (onsite access only)


     

    Do the above “Protection Level” options use “File Based” encryption or “Container Based” encryption approach?

    Allow Encryption (with offsite access) and Enforce Encryption (with offsite access) use the container based approach.

    Enforce Encryption (onsite access only) uses the File Based encryption approach.

     

     

    “Allow encryption (with offsite access)” and “Enforce encryption (with offsite access)” options for Removable USB Media (formerly known as EERM):

     

    What are the authentication options available with the above options selected?

    Authentication can be password based or certificate based.


     

    Can I force an end user to use password as the authentication mechanism for Removable USB Media?

    Yes, starting with the v4.2 release, it is possible to configure the authentication options available to the end user via the “Removable Media policy” page in ePO.


     

    Can I configure the password complexity rules for Removable USB Media?

    With effect from the v4.1 release, it is possible to configure the password complexity rules via the “Password Policy Rules” page in ePO. The Administrator can configure:

    ·         Minimum length of the password

    ·         Minimum number of uppercase characters

    ·         Minimum number of lowercase characters

    ·         Minimum number of alphabetical characters

    ·         Minimum number of numeric characters

    ·         Minimum number of special characters.

    Please note that the same password quality rules will be applicable for “Allow encryption (with offsite access)” or “Enforce encryption (with offsite access)” options for Removable USB Media and CD/DVDs, Self-extractors and User Local Keys.
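
    The six minimums above interact: the per-class minimums can add up to more than the configured minimum length. The following is an added illustration, not McAfee code and not a description of how EEFF evaluates passwords; the field names are hypothetical, and it assumes ASCII character classes with every other character counted as special.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    # Field names are hypothetical; they mirror the six minimums listed above.
    min_length: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_alpha: int = 0
    min_numeric: int = 0
    min_special: int = 0

    def effective_min_length(self) -> int:
        """Shortest password that can satisfy every rule at once."""
        # Upper- and lowercase letters also count as alphabetical, so the
        # letter requirement is whichever of the two constraints is larger.
        letters = max(self.min_alpha, self.min_upper + self.min_lower)
        return max(self.min_length, letters + self.min_numeric + self.min_special)


def count_classes(password: str) -> dict:
    """Count characters per class (assumption: ASCII classes, rest is special)."""
    upper = sum(c in string.ascii_uppercase for c in password)
    lower = sum(c in string.ascii_lowercase for c in password)
    numeric = sum(c in string.digits for c in password)
    return {"length": len(password), "upper": upper, "lower": lower,
            "alpha": upper + lower, "numeric": numeric,
            "special": len(password) - upper - lower - numeric}


def violations(rules: PasswordRules, password: str) -> list:
    """Return the names of the rules the password fails (empty list = accepted)."""
    counts = count_classes(password)
    required = {"length": rules.min_length, "upper": rules.min_upper,
                "lower": rules.min_lower, "alpha": rules.min_alpha,
                "numeric": rules.min_numeric, "special": rules.min_special}
    return [name for name, minimum in required.items() if counts[name] < minimum]


# Constructed sample policy: the configured minimum length is 8, but the
# class minimums add up to 10, so no 8- or 9-character password can pass.
SAMPLE = PasswordRules(min_length=8, min_upper=2, min_lower=2,
                       min_alpha=6, min_numeric=2, min_special=2)

if __name__ == "__main__":
    print("effective minimum length:", SAMPLE.effective_min_length())
    for candidate in ("Summer2024!", "TrustNo1#x9$"):
        print(candidate, violations(SAMPLE, candidate) or "accepted")
```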

     


    Can I customize and set the number of recovery questions for EEFF v4.2?
    Starting with EEFF v4.1, this recovery option is no longer available. EEFF v4.2 will have 3 recovery options: “Recovery Password”, “Recovery Key” and “Recovery Certificate”.

     


    In EEFF v4.x, can I force a recovery option for Removable USB Media?
    Yes, starting from EEFF v4.1, it is possible to enforce recovery options via a policy on the Removable Media policy page. Recovery options can be enforced by selecting the “Mandatory” option. In this case, the end user will not be able to initialize the device without filling in the mandatory recovery input.


     

    Will removable USB media devices initialized with the previous versions of EEFF work with EEFF v4.2?

    Yes, devices initialized with EEFF v4.0.x and v4.1.x will continue to work with v4.2.


     

    I selected "Recovery Questions" when initializing the device with EEFF v4.0.x. How do I recover this device, as I do not see the "Recovery Questions" option in EEFF v4.2?

    The device can be recovered as before in the offsite mode (on machines without EEFF installed).



    What is the maximum recommended device size for “Allow encryption (with offsite access)” or “Enforce encryption (with offsite access)” options for Removable USB Media?
    McAfee has tested and will support devices up to 2 TB, with EEFF 4.0 Patch 1 (4.0.1) and later.

    With the full device policy in place, if the end user chooses to back up the existing data, the data on the device is first copied to the local computer, an encrypted container is then created on the removable device, and finally the data is copied back from the local computer to the encrypted container (removable device). Because free space on the local computer may be limited, and because the copy operations (back and forth) take time to complete, McAfee recommends using devices less than 128 GB in the following situations:

    • Full device policy is enabled
    • The removable device has large amounts of existing data on it, and the end user wants to retain the data

     


    Does EEFF support USB 3.0 devices?

    Yes, McAfee has tested and will support USB 3.0 devices with EEFF v4.2.

     


    Can the UI text that appears when a removable USB Media is inserted be customized in EEFF v4.2?
    Yes, starting with EEFF v4.1, it is possible to customize the prompt message that appears when an end user inserts a removable media device. Administrators can configure this text via the “Removable Media Policy”, and the text can be up to 300 characters in length.

     


    What are the encryption options available for Protected Area for EEFF v4.2?
    The following encryption options are available on EEFF v4.2 with “Allow Encryption (with offsite access)” and “Enforce Encryption (with offsite access)”:

    • Entire Device
    • User Managed

    Selecting the “User Managed” option gives the end user the option to choose the size of the encrypted portion of the device.

     


    Can I read an encrypted USB device on a Windows computer that does not have McAfee encryption software installed?
    Yes, using the “Allow encryption (with offsite access)” or “Enforce encryption (with offsite access)” options. The solution has an explorer application residing on the USB stick, which negates the need for any computer to have McAfee Encryption software installed to authenticate and access the data within the secure container.

     


    What is the largest file size that is supported with the “Allow encryption (with offsite access)” or “Enforce encryption (with offsite access)” options?
    The above options use the FAT32 file system for the secure encrypted container. Hence, the maximum file size that can be placed within the encrypted container is 4 GB, even though the container has no such limitation. McAfee will endeavour to address this file size limit in a future version while retaining FAT32 usage. This is currently subject to engineering research.

    NOTE: The file system of the USB device can be either FAT or NTFS, but the file system of the encrypted containers can only be FAT32. Thus, the storage area that is not assigned to be an encrypted container can be NTFS
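
    A pre-flight check for the two constraints described above (the FAT32 per-file limit inside the container, and the local free space needed for the temporary copy when existing data is backed up), as an added example that is not part of EEFF or of the original FAQ. The function names, sample paths and sizes are hypothetical.

```python
import os
import shutil

# FAT32 keeps file size in a 32-bit field: the largest file is 2**32 - 1 bytes.
FAT32_MAX_FILE_BYTES = 2**32 - 1


def scan_tree(root):
    """Yield (path, size_in_bytes) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                yield path, os.path.getsize(path)


def preflight(files, staging_free_bytes):
    """Check (path, size) pairs against the FAT32 limit and local free space.

    staging_free_bytes: free space on the local drive that holds the
    temporary copy while the container is created.
    """
    files = list(files)
    total = sum(size for _path, size in files)
    return {
        "total_bytes": total,
        "too_large_for_fat32": [p for p, size in files if size > FAT32_MAX_FILE_BYTES],
        "staging_space_ok": total <= staging_free_bytes,
    }


def preflight_device(device_root, staging_dir):
    """Run the check for a mounted device and a local staging directory."""
    free = shutil.disk_usage(staging_dir).free
    return preflight(scan_tree(device_root), free)


# Constructed listing (hypothetical paths and sizes) so the example runs offline.
SAMPLE_FILES = [
    ("E:\\reports\\q3.xlsx", 4_200_000),
    ("E:\\images\\lab.vhd", 6 * 1024**3),   # 6 GiB: over the FAT32 limit
    ("E:\\video\\demo.mp4", 2**32 - 1),     # exactly at the limit: still fits
]

if __name__ == "__main__":
    print(preflight(SAMPLE_FILES, staging_free_bytes=8 * 1024**3))
```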

     

     

    Can I use a wildcard in Exempted Device IDs?
    No. You can only exempt a device by using the Device ID. To find the Device ID for a removable media device, see KB75531.



    Can I exempt devices by Vendor?
    Yes. For details, see KB69770.

     


     

     

    CD/DVDs


    What are the “Protection Level” options available for CD/DVDs?

    ·         Allow Unprotected Access

    ·         Allow Encryption (with offsite access)

    ·         Enforce Encryption (with offsite access)

    ·         Enforce Encryption (onsite access only)

    ·         Block write operations


     

    Do the above “Protection Level” options use “File Based” encryption or “Container Based” encryption approach?

    Allow Encryption (with offsite access) and Enforce Encryption (with offsite access) use the container based approach.

    Enforce Encryption (onsite access only) uses the File Based encryption approach.

     

     

    What burning software does EEFF v4.2 support with the option “Enforce Encryption (onsite access only)”?

    EEFF supports Windows Burner (Mastered Format), Nero and Roxio CD creator. EEFF v4.2 has been tested with the latest versions of Nero (Nero12) and Roxio CD creator (v12.1).

     


     

     

    “Allow encryption (with offsite access)” and “Enforce encryption (with offsite access)” options for CD/DVD/ISOs:

     

    Can I read an encrypted CD/DVD/ISO on a Windows computer that does not have McAfee encryption software installed?

    Yes, starting with the v4.1 Patch 1 release, using the “Allow encryption (with offsite access)” or “Enforce encryption (with offsite access)” options. The solution has an explorer application residing within the CD/DVD/ISO files, which negates the need for the computer used to read the encrypted CD/DVD/ISO to have McAfee Encryption software installed.


    Do the “Allow encryption (with offsite access)” or “Enforce encryption (with offsite access)” options require installation of any burning software?

    This feature uses the native Windows API (Microsoft Windows Image Mastering API v2.0) to burn a CD/DVD. This is available by default on Windows Vista and later, but for Windows XP SP3, you must download the API; for details, see KB77267.

     
    Is there a limit to the size of an encrypted ISO file?
    Yes. Currently this is limited to the capacity of DVD-DL media, although Windows XP SP3 only supports media up to DVD-SL.
     

    What is the largest file size that is supported with the “Allow encryption (with offsite access)” or “Enforce encryption (with offsite access)” options?

    This uses a FAT32 file system to manage the encrypted files, and FAT32 imposes a 4 GB maximum file size.