I have already spoek to Gold Support but not getting any further, I wonder if the community here were able to help. (I am the mcafee person for my company)
I have been asked to do a Force Decrypt from mcafee support I did that yesterday and have today been asked to do the same. ( I wased to do force decrypt and I could not autenticate from SBFS) Mounting the drive authenticated from database does not work.
I Sent support images of the workspace of sector 63 and they said it was ok.
This is EEPC 126.96.36.199 - Using Safetech for Windows (BartPE Environment) I think it's also know as Wintech? I get confused with all the wording and versions available.
I get the partition details from disk information and go to Force Crypt Sectors - Disk 0, start sector 63 amd sector count 0312576642. I hit Decrypt however it says Encrypting Disk 1242260, 3800000
I was told that even tho I hit Decrypt , it is now encrypting the drive, apparently this happens if it was not encrypted properly is this correct?
Apparently after this I should see if the drive is readable in windows as a secondary drive, if it fails, what next, do I decrypt once more to see if it decrypts, or do I do an Encrypt (so it encrypts properly and then another decrypt hopefully that may decrypt it?
Is it woth mounting the drive on Linux in raw format to see if the data is readable once this is finished?
Is it worh opening the workspace with Sector 0 and Encrypting that to see if that makes the decrypt work properly?Message was edited by: hmig added disk info on 10/10/13 12:18:34 IST
just let it complete, don't worry too much about the status bar - you are using a VERY old version of the product.
Don't decrypt it a 2nd time, that won't help at all. Once it's finished, you should use the "Restore original mbr" option, then your drive should be bootable again IF you used the correct SDM file. As long as the test decrypt of sector 63 worked, everything should be good.
I was told by the Gold support chat rep not to restore mbr, just attached it via SATA as a secondary drive.
The decryption process has already started again today, - again I was advised this by the chat rep. I assume there is no safe way to stop this and now I will have to wait a long numer of hours again.
If I do not restore the original MBR - Would that stop the drive from being readable in windows?
Also can you tell me what error e002000a means on the disk informations.
Also should I see what sector 0 looks like? I will either be safeboot has been corrupted or operating system missing.
if you force decrypted the same sector range twice, then your data is now double decrypted. You'll need to encrypt it once to get it back to plain text.
You are right about the MBR - if it's got SafeBoot messages in it, it's not a standard MBR. You don't need the MBR to be fixed if you just want to slave the drive though.
The error codes are in your EEPC manual, and in the KC - http://kc.mcafee.com/corporate/index?page=content&id=KB53580&actp=search&viewlocale=en_US&searchid=1...
it means the disk info is not there. You've not told us what the original problem was so I can't tell you how that occured, but it's probably because you force decrypted the disk information (which was not encrypted to start with).
I'm surprised support told you to repeat a force decrypt though - if they were aware you'd already successfully done this, I can't imagine them telling you to do it again - do you have a case number?
well, I am now ver annoyed I am going to have to spend another number of hours waiting for it to Encrypt.
Support told me to do it the first time yesterday and today again.
original error safebooth corrupt 92h
Case id : 4-3896697503
Also can you elaborate on why my screenshot 1 says it's Encrypting even tho I press decrypt?
The whole message is screwy - I expect it's just a display bug. You're using quite an old version unfortunately. As you probably know 5.1 went end of life in May 2012 so I am (pleasantly) surprised you were able to log a support case for it.
I appreciate the help I am recieveing from you and support, I know this is an old product, It's actaully available on the dropdown when logging a support case. Either way I still have lost today as a working day on a second decryption and will loose tomorrow on a re-encrypt.
Is there any way to tell if the data has been double decrypted? (ie via workspace)?
yes - just pick a sector and use the encrypt/decrpyt functions to see if you can work out a sequence which turns it into plain text.
if you've done the whole drive, pick something towards the end (likely to be all zeros) - you'll have to look for patterns in the data to tell if it's decrypted or not though, there's no automatic way to measure entropy.
I had a phone call from mcafee support, they said that if you decrypt a drive twice, then it will decrypt the first time and encrypt the 2nd time. So now I will have to do the decrypt process a 3rd time to get the disk decrypted.
The said to check sector 63 after this finishes to see what it looks like and to see if I can see anything like operating system missing or NTDLR missing.
From the workspace screen shot above I cant see anything similar, can you tell me if the workspace screen shot above shows the drive as encrypted/decrypted?
Also is it correct to see operating system missing or NTDLR missing I have to load sector 63 then hit Decrypt sector, or will it come up as soon as I load that secotor in the workspace.
The support was helpful but I dont think some of the questions above were answered as they did not understad.
this is not correct - decryption and encryption are the reverse of each other so if you incorrectly decrypt, you need to encrypt to get back to the start point.
decrypting again will put you even further away from where you need to be.
the workspace picture above is definitely, let's say "scrambled" - we don't know if you've encrypted it, or decrypted it incorrectly, so the only thing to do is to experiment - open it, decrypt it, take a look, decrypt it again etc - if it does not look correct, start again and encrypt it etc.
I expect from what you've told me, encrypting once should put you back to plain text based on
original state (Encrypted), decrypt (plain text), decrypt (negatively decrypted)
so to get to plain text, encrypt once.
All this assumes of course you are using the correct key - if you're not, it gets much more complicated.