5 Replies Latest reply on Dec 15, 2010 9:30 AM by cdobol

    Endpoint Encryption is not Installed

    cdobol

      We are in the middle of an upgrade going from 4.x to 5.2.5.

       

      We have had a big increase in the number of machines that are getting the "endpoint encryption is not installed" error message that have 5.2.5.  Some users have had the issue happen to them multiple times.  Other than a potential MBR virus (getting one of the broken machines soon to investigate), has anyone noticed an issue with 5.2.5 having this problem in general?

       

      Thanks.

      Chris

        • 1. Re: Endpoint Encryption is not Installed

          Yes. Please make sure users have their BlackBerries or other USB devices disconnected when running the upgrade.

          • 2. Re: Endpoint Encryption is not Installed
            cdobol

            The upgrade appears to run fine.  The error occurs after the upgrade and new 5.2.5 builds, so I don't think it's a matter of having something attached to the computer during the upgrade.  I am comparing MBRs on broken machines.  Certain users continually get this error; this is the cause of concern.  Virus/Malware causing this? I hope McAfee is able to do something with the 'broken' MBRs to determine what is causing this.  It's becoming a concern here since it is occurring more frequently with 5.2.5.

            • 3. Re: Endpoint Encryption is not Installed
              cdobol

              From what I can see at this point from a broken machine....

               

              It looks like the SafeBoot MBR has been overwritten.  Sector 0 appears to have a non-SafeBoot MBR.  Sector 1 is also populated with what appears to be a duplicate of sector 0 with slight differences.  Sector 3 is populated with "Error loading virtualization module. Contact network administrator.....  To boot to the Rescue and Recovery Environment, Press F11...  There has been a signature failure"

              Sector 4-8 appears to have something else in it (all hex).  I have multiple broken machines from the same user - the same broken MBR (and sectors 3-8) is on both broken machines.  So it appears something the user is doing is triggering this.

               

              What do I have here?  I have no idea right now.  Does anyone think this could be some sort of malware or rootkit causing this?
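An added example, not part of the original posts: one way to do the comparison described above, summarising sectors 0-8 of raw first-sector copies taken read-only from two drives and listing which sectors are identical on both. The 512-byte sector size, the function names and the sample image are assumptions made for illustration.

```python
import hashlib, re, sys

SECTOR = 512  # bytes per sector (assumption; standard for MBR-partitioned disks)
COUNT = 9     # sectors 0-8, the range inspected in the thread

def split_sectors(raw, count=COUNT):
    """Cut the start of a raw disk image into `count` zero-padded sectors."""
    return [raw[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0") for i in range(count)]

def describe(sector):
    """Hash, 0x55AA boot signature, emptiness and printable strings of one sector."""
    return {
        "sha256": hashlib.sha256(sector).hexdigest(),
        "boot_sig": sector[510:512] == b"\x55\xaa",
        "empty": not any(sector),
        "strings": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{8,}", sector)],
    }

def byte_diff(a, b):
    """Number of byte positions at which two sectors differ."""
    return sum(x != y for x, y in zip(a, b))

def shared_sectors(raw_a, raw_b):
    """Indices of non-empty sectors that are byte-identical in both images."""
    pairs = zip(split_sectors(raw_a), split_sectors(raw_b))
    return [i for i, (a, b) in enumerate(pairs) if a == b and any(a)]

def sample_image(tail=b""):
    """Constructed image, not real data: sector 1 nearly duplicates sector 0."""
    s0 = b"\xeb\x3c" + b"\x90" * 508 + b"\x55\xaa"
    s1 = s0[:2] + b"\x01\x02\x03" + s0[5:]
    s3 = b"Error loading virtualization module.".ljust(SECTOR, b"\0")
    return s0 + s1 + bytes(SECTOR) + s3 + tail

if __name__ == "__main__":
    # Usage: python mbr_compare.py a.bin [b.bin]; with no arguments the sample is used.
    raws = [open(p, "rb").read(SECTOR * COUNT) for p in sys.argv[1:3]] or [sample_image()]
    for n, raw in enumerate(raws):
        sectors = split_sectors(raw)
        for i, s in enumerate(sectors):
            d = describe(s)
            print(n, i, d["sha256"][:16], "55AA" if d["boot_sig"] else "----",
                  "empty" if d["empty"] else d["strings"])
        print(n, "sector 0 vs 1 differing bytes:", byte_diff(sectors[0], sectors[1]))
    if len(raws) == 2:
        print("identical non-empty sectors:", shared_sectors(*raws))
```

Matching per-sector hashes across machines give a stable fingerprint to search for on other endpoints and to hand to the vendor along with the samples.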

              • 4. Re: Endpoint Encryption is not Installed
                cdobol

                More information...  User appears to have had "White Smoke" installed before the machine was rebooted and broke.  From what I have read White Smoke is an MBR virus.  I assume what has happened is a new variant is out in the wild that McAfee Virus Scan does not pick up, machines get infected and break....

                • 5. Re: Endpoint Encryption is not Installed
                  cdobol

                  I used TDSSKiller from Kaspersky and it found a rootkit on the infected drive (just slaved the drive and it was still able to read the infected MBR).   I quarantined the files and submitted them to McAfee (not detected by McAfee).  Detected as Win32/Alureon.MBR, Rootkit.Tdss.AW, etc. by other vendors.

                   

                  Scan results from one of the files --> http://www.virustotal.com/file-scan/report.html?id=40914dfd49a3a0df1c4aa0cf867450762a3ac16d398a2559dd266d48199e8d2b-1292423089

                   

                  I will post when this variant is caught and cleaned by McAfee.  Thanks for listening, you have been a great crowd!

                   

                   

                  Message was edited by: cdobol on 12/15/10 10:29:02 AM EST

                   

                   

                  Message was edited by: cdobol on 12/15/10 10:30:16 AM EST