4 Replies Latest reply on Jun 15, 2011 5:11 PM by hoppyz06

    Fatal Error: 0xEE020006 Getting disk info

      Received this error after removing a "FakeAlert" virus/malware. I have created and booted using a WinPE recovery USB drive using the instructions from DLarson (https://community.mcafee.com/community/business/data/epoenc/blog/tags/eepc).  After booting, I receive various errors depending on what I'm trying to accomplish.

       

      1. When clicking on "Disk Information", receive the following error, "Disk information not available".
      2. When loading workspace from disk, receive error, "EE000000 - Insufficient Memory".
      3. When trying to remove EE, receive error, "EE120000 - Endpoint Encryption is not currently active".  I receive this same error when trying to "Crypt Sectors".

       

      Any ideas on what to try next?  I've already submitted an SR using our Gold Support but it can take a day, minimum, before getting a response.

       

      I'm hoping someone has seen this error before.

       

      Thanks!

        • 1. Re: Fatal Error: 0xEE020006 Getting disk info

          Most likely you have a rootkit on your machine, so you could try restoring the SBR (depending on what version of EEPC - if it's 6 I don't believe this option is available), otherwise your only route forward is a manual decryption of the drive, then fixMBR to flush the rootkit out.

           

          How many sectors did you try to load into the workspace though? You really only need to load up a few dozen at most.

          • 2. Re: Fatal Error: 0xEE020006 Getting disk info

            We are on version 6.0.1.  I tried loading all sectors for the boot drive, maybe that's why I received the "insufficient memory"?  It seemed no matter what option I tried, I would receive a different error.

             

            This is concerning my manager and myself, as we have only deployed this to about 15 machines so far.  No matter what we do we cannot get control on the malware around here.  We are using ePO 4.5, AV 8.7 and cranked Artemis to its highest level.  Even users without admin rights are getting hit.  Oh well, that is a different subject.

             

            Thanks!  I will try your suggestions.

             

            By the way, about loading the sectors... the PC has a Dell maint partition, I should only be doing the OS... right?

             

            Message was edited by: hoppyz06 on 6/15/11 1:38:53 PM GMT-07:00
            • 3. Re: Fatal Error: 0xEE020006 Getting disk info

              Yes, the workspace is designed for a few hundred sectors or so - unless you have 200GB memory you're not going to be able to load 200GB of data into it ;-)

               

              And yes, you'd get a different error, because you were doing different things - out of memory because you were trying to load too much data, not currently active because the rootkit removed the EEPC signature from the MBR, etc., No Disk Information because again, the MBR hook has been overwritten. All these things are giving you information about the state of the system.

               

              You just need to get the right export from ePO, test it with the workspace to make sure the keys are indeed correct, then decrypt the appropriate partition sector range.

               

              Rootkits are the worst thing for full disk encryption products, but it's entirely recoverable from - just decrypt the drive with the supplied tools.

              • 4. Re: Fatal Error: 0xEE020006 Getting disk info

                Wow, what a pain!

                 

                I didn't think about how many sectors to load, just put in the starting and the range.  Good to know!

                 

                The drive is decrypting now.  Thanks for all your help.  I'll go ahead and close the SR once the encryption is complete and the MBR is restored/re-created.

                 

                The instructions that DLarson did were superb.  I had a recovery disk (USB) created in no time.  I just need to throw some AV utils on it in case I run into this again.

                 

                Thanks again.