Level 7

EEFF Questions

Can anyone please weigh in on how they have handled the following issues? Thanks.

1. In our EEFF environment, we have discovered that users can circumvent encryption by saving a copy of an encrypted file outside of an encrypted folder. These are regular files (Word, Excel, etc.). If my understanding of the blocked processes setting in the encryption options is correct, blocking a process like Excel would mean that users would not be able to edit the encrypted file, meaning we cannot block these processes. Is McAfee DLP the only way to block this action?

2. We have noticed that some users have moved the location of an encrypted folder that was set up by the administrator. Since the ePO has a defined folder encryption policy, once the path changes we will be unable to manage that folder from the ePO. Although encryption is persistent, we would also like to prevent users from moving such folders.

3. When using user-based policy assignment rules, we have noticed that we have had to move the rule to the top of the priority list to get the folder encryption policy applied on newly created network share folders. Other than explicitly encrypting the folder, is there any way around this?

4. Regarding the use of an "admin" key: would existing encrypted folders be negatively impacted if we were to add the "admin" key to existing Grant Key policies?

0 Kudos
1 Reply
Level 21

Re: EEFF Questions

1. Why don't you set EEFF to always encrypt files of those types wherever they are stored? The problem you are facing is that moving an encrypted file preserves encryption (unless there is a specific decrypt policy), but in this case users are creating NEW files in locations you did not set an encryption policy on.

2. You can use Windows security permissions to stop users moving folders.

3. No.

4. Not that I can think of - remember, though, files are only encrypted with one key. If you start encrypting folders with a key that the users don't have, they won't be able to access the data.

Rather than setting policy re location, you might want to think about setting policy based on originating application?

0 Kudos
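Point 2 of the reply above (Windows security permissions to stop users moving a folder), sketched as an added example that is not part of the original thread or any McAfee tooling. The folder path, the group and the `Add-DenyRule` helper are assumptions. It relies on the fact that a move or rename needs either Delete on the folder itself or "Delete subfolders and files" on its parent, so both are denied without inheritance and the files inside remain editable.

```powershell
# Run elevated. Path and group are constructed placeholders; substitute your own.
$FolderPath = 'D:\Shares\Finance'      # hypothetical EEFF-encrypted folder
$Identity   = 'BUILTIN\Users'          # hypothetical principal to restrict
$ParentPath = Split-Path -Path $FolderPath -Parent

# Hypothetical helper: add a non-inherited Deny ACE to a single folder object.
function Add-DenyRule {
    param(
        [string]$Path,
        [string]$Principal,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::None,   # this folder only
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Deny Delete on the folder object itself. Because the ACE is not inherited,
#    users can still create, edit and delete the files inside the folder.
Add-DenyRule -Path $FolderPath -Principal $Identity `
    -Rights ([System.Security.AccessControl.FileSystemRights]::Delete)

# 2. Deny "Delete subfolders and files" on the parent, this folder only.
#    Without this, that right on the parent would override the deny in step 1.
#    Sibling items stay deletable by anyone who holds Delete on them directly.
Add-DenyRule -Path $ParentPath -Principal $Identity `
    -Rights ([System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

# 3. Review the resulting explicit Deny entries on both folders.
foreach ($p in $FolderPath, $ParentPath) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference, FileSystemRights
}
```

Accounts that own the folder or hold Full Control can rewrite the ACL, so this only constrains users who have Modify or less.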