1 2 Previous Next 17 Replies Latest reply on Sep 22, 2009 8:41 AM by SafeBoot

    Crypt Start/End Audit events not present

      Is there some setting in EE that might cause "Crypt Start" and "Crypt End" events not to be present (recorded) in machine Audit Log? That's in 5.1.7 version.
        • 1. RE: Crypt Start/End Audit events not present
          No, these events were never in the v5 product. 5 does encryption outside the sync process.
          • 2. RE: Crypt Start/End Audit events not present
            Then I consider that a drawback. McAfee® Endpoint Encryption for PC Administration Guide Version 5.1.7.0 still lists those events and they worked in SafeBoot 4.2.
            • 3. RE: Crypt Start/End Audit events not present
              4 and 5 are completely different products.

              They are listed I guess for people who upgrade, but certainly they are not created any more, not since 2005. You should use the machine policy to determine the encryption state at the current time, rather than audit information which only indicates what it was at that time - it could have changed 20seconds later.
              • 4. RE: Crypt Start/End Audit events not present
                2005? I'm sure that new revisions and/or fixes to 4.x product were made after 2005. Version 5.x was made to be compatible with the older one, hence my question.

                "Machine Policy"? What's that? EE Policies are to be used with EE File Encryption and Port Control, but Disk Encryption? Unless you meant "policy" in generic meaning. Could you please clarify that and provide specifics?

                What I'm saying is that we were able to track from EE Manager console, machine encryption times. Not anymore with 5.x clients.
                • 5. RE: Crypt Start/End Audit events not present

                   

                  "Machine Policy"? What's that?



                  The policies that apply to machines with EEPC installed. They are linked to the MACHINES in the database, rather than the USER. Yes, it's used for Disk Encryption.


                   

                  What I'm saying is that we were able to track from EE Manager console, machine encryption times. Not anymore with 5.x clients.



                  True. An undesirable "feature" of the 5.x versions. How about: First synch time? Database object creation time? EEPC installation time? All sorts of interesting information isn't available in the SB DB. EPO actually has installation time, which is interesting.
                  • 6. RE: Crypt Start/End Audit events not present
                    v5 was written to offer much the same functionality of v4, but of course, some things were dropped - they didn't make sense, or the new code didn't support them. Crypt audit events were dumped when we moved encryption out of the sync - people felt it was more important to be able to reverse encryption on the fly, and not have connections held open for extended periods of time. The same will happen when we move to v6.

                    Yes, I mean policy in a generic way, ie the configuration of the machine.
                    • 7. RE: Crypt Start/End Audit events not present


                      Most interesting is to see if disk encryption has finished running. That affects EE ability to synchronise and is good to know if machine reached that state. That info should be available from EE Manager.
                      • 8. RE: Crypt Start/End Audit events not present
                        Actually that's not true - one of the big changes in v5 is that it works backwards to your assumption - it actually stops encrypting to syncronize.

                        So, it can sync at any time you like, and you can change the encryption perspective at any time.

                        the machine policy clearly tells you the current policy, and last reported state for each drive, plus with the report generator you can determine if encryption was "in progress", and which direction for the last time the machine reported in.

                        All the info's there, it's just not in the audit log as it's not a fixed "event".
                        • 9. RE: Crypt Start/End Audit events not present

                          I will check report generator ability in this respect, but I would still prefer to have that information accesible via EE Manager. End of disk encryption is still an important event, from my point of view (but not as much as I initialy thought).
                          1 2 Previous Next