7 Replies Latest reply on Aug 21, 2012 11:54 AM by erniev74

    Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

      Hi,

       

      I have a big issue here. I installed through ePO 4.5 the Endpoint Encryption for PC version 6 patch 2 into a manager's notebook. It didn't synchronize with my Active Directory and I decided to remove it and evaluate what happened. This way the manager could still work. I didn't have also the local admin for EEPC, unfortunatelly.

       

      I created the recover CD with the BartPE and EETech.zip. I didn't work I think because of the mode the HD was set (SATA RAID 0). Then I called the support and the sent me an ISO with the standalone version. I booted it and could load the recover screen. Did the procedures but when I clicked on Remove EE, it returned an error. Then I clicked on Restore MBR and after the reoobt I got the NTLDR file missing message.

       

      After that I kind of freaked out and started to recover it in any maners. I found the KB53258 explaining how to perform an Emergency Boot. But that KB isn't ok because in my recover CD there is no option such as Authenticate from Database or Select MAchine. I think it is the old version of the CD McAfee has on that KB. The recover CD isn't called SafeTech Boot Disk anymore.

       

      I then changed the BIOS option from SATA to ATA (IDE) mode and then tried a third party software to see if I could read the HD. I was able to read and even could copy it to other place, but the files seems to be encrypted.

       

      The Hard Disk seems to has lost its MBR and Partition Table. I think that it was even overwrited.

       

      My question is:

       

      Is there a way to recover my previous MBR or partition table? Does EEPC store the PBFS (Preboot File System) for recover?

       

      Is there a special software from McAfee, released only with a Service Request and a special code of the day to decrypt the files in another place?

       

      Or am I in trouble and that notebook is unrecoverable?

       

      I'd appreciate any kind of support because I am desperated.

       

      Thank you.

        • 1. Re: Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

          best thing to do is pass it over to the person who was trained in this product and let them help you.

           

          but, the machines original MBR is indeed in EPO. and there"s a "restore mbr" button you found in the tool already.  But, this would not do anything without you feeding it some information like an SDB file or a user name/password - can you remember EXACTLY what you did?

           

          If you can see a file structure of the disk, then it can't be encrypted - there's no way the files can be encrypted, and the directories not.

           

          It sounds like you had a WinTech CD, not an EETech CD? - you need to use the right tool for the product version you are using.

           

          What was the third party tool you used?

           

          No, there's no special software - it's not needed - you have everything you need to recover a normal machine.

           

          Finally, if the machine did not sync with AD, then it can't have activated the proeuct in the first place, the disk can't be encrypted - in fact, EEPC would not have made any changes to the drive itself. SO, what you say is quite mysterious

          • 2. Re: Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

            Well, I am the responsible for that software here in my company. I have also an open service request with the McAfee Gold support.

             

            I clicked on the Restore MBR button and it didn't ask me for a file. It only said it was ok. Should it be asking for some SDB file? Where the SDB file is located in ePO?

             

            For the EETech, I used the McAfee EETech user guide provided in the McAfee Website. There is two way of create the disk, WinPE v1 or Standalone. I did both nut used the Standalone version. So, following the steps of the user guide, I used the EETech CD. But the KB I said, says that there is a SafeTech Boot Disk. Is SafeTech Boot Disk the same as WinTech CD?

             

            I used Recovery Information File (.xml) that was exported from the ePO to authenticate.

             

            When I run some partition tools, such as Partition Find and Mount, I shows a partition with NTFS ok but with only two files. The size used on that partition is the size of the files. And other partition that was not recognized properly.

             

            So I think that the structure of this HD is confused, but the files still there.

             

            I used the GetDataBack tool to see the structure of the files. I can even opy the files but some of them open all scrambled, not readable.

             

            The issue with not sync with AD, maybe is because I applied the TAG first in ePO and after that I related an user from my domain to the machine. I think I should do that before assigning the TAG (encrypt).

             

            Thank you.

            • 3. Re: Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

              I think your partition tool is the cause of the problem here. There's no way it would find a real partition on an encrypted drive - I expect it's just found some random data and created a partition out of it.

               

              The question is, are you sure the drive was encrypted to start with? The product won't activate if there are no users assigned.

               

              The fact that you've used this partition tool and used EETech incorrectly means I think you'll need to speak to your platinum person to get any help here, even saying that, the data is probably lost now without spending a lot of time and probably professional services

              • 4. Re: Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

                Well, I think I could retrieve some data. If not, the manager said that he has a backup of some data.

                 

                I am sure the encrypt worked because when I reboot the computer, it prompts for the username and password. My AD user didn't work and I didn't know the local ePO user.

                 

                I did a recover with the challenge code and the response from ePO and could load  the Windows. But then, after that, Windows asked again for the login, with the EEPC GINA screen.

                 

                I'll contact my support person and see if I could try to restore something.

                 

                Thank you

                • 5. Re: Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

                  just a FYI - there's no such thing as a "Local ePO user" - EEPC just adds the users you tell it to add via the policy, there are no spare or extra ones.

                   

                  the most usual problem is people set it to add users in the fully qualified name format, rather than SAMAccountName, so you need to confirm that in your epo policy to see what format to type the user name in, either shunt, simon hunt, or simon_hunt@mcafee.com etc.

                   

                  It's your choice what format to use, but you need to obviously type the right one.

                  • 6. Re: Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

                    For the public good, I'm going to explain what you *should* have done in this scenario.

                     

                    1. When the EE Tech standalone tool returned an error, you should *not* have done the restore MBR operation. This does you no good at all since the disk is still encrypted.
                    2. You should have used one of the other decrypt methods in EE Tech, either "crypt sectors" or "force crypt sectors".
                    3. These methods require you to enter precise information for which sectors to decrypt. You can get this information by using the "disk info" button in EE Tech. This will show you the encrypted regions of the disk. You only want to decrypt those sector ranges.
                    4. Once that decrypt operation is done, THEN you'd want to restore the MBR.

                     

                    Because you restored the MBR too soon, the system displayed the NTLDR missing error. The way to recover from that would have been to go back into EE Tech and restore the Endpoint Encryption boot record and start at step 1 above.

                    • 7. Re: Endpoint Encryption 6 patch 2 - Lost MBR/Partition Table

                      Hi, In version 6.2 of Endpoint Encryption how do you "restore the Endpoint Encryption boot record"? I have placed a question here:

                       

                      https://community.mcafee.com/thread/47834

                       

                      Thanks a lot!