Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 5038 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Empty POA because of deleted KSA

Thorsten Trautwein-Veit

Dear Sirs,

 

we have an issue with up to now 21 Laptops with full disc encryption out of 625 installations. We use Sophos Safeguard 8.00.0.251. After we installed our DLP solution DigitalGuardian the laptop works normal for some time (completly different) and then closes all windows and reboots the laptop. The Operating System is Windows 7 PRO 64/32 bit, Antivirus is MCafee Virusscan Enterprise 8.8.0.

A forensic analyse of a decrypted images shows up with:

c:\ProgramData\Utimaco\SafeGuard Enterprise\logfile.sgt
It shows up a error message:
LCClientService.cpp,LCClientService::WatchingCorruptionSemaphore(Local cache is corrupt, forcing shutdown

After this shutdown the POA comes up as normal but there is no username or domain filled in. If I choose Recovery no Challence is displayed. So I gues the KSA is deleted in any way.

Restoring an MBR from the Console does not solve the problem (the MBR POA works just the userinformation is missing). The decryption of the drive enslaved worked good.

Any way to recover from this error? Any way to backup the KSA area or protect it?

Any help would be great.

Cheers,

Thorsten



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hello Thorsten,

    My name's Toby Gunston from the Global Escalations Team for Data Encryption, thanks for your query.

    Digital Guardian have now addressed this issue with a fix in a later version of their product.

    To prevent the issue from affecting more SafeGuard Clients, exclude the following SafeGuard Enterprise Client related Paths, Services and Drivers from the Digital Guardian Agent.

    • Note: If you are running a managed Digital Guardian Agent, get in contact with Digital Guardian Support and have the exclusions being put in place.

    SafeGuard Client related paths

    • %SystemDrive%\progra*\sophos*
    • %SystemDrive%\progra*\Utimaco\SafeGuard*\LocalCache*

    SafeGuard Client executables and services

    • sgnsafemodeser,SK+TR+NI+NH+NC+ND+PR
    • sgnauthservice,SK+TR+NI+NH+NC+ND+PR
    • befcsvcn.exe,SK+TR+NI+NH+NC+ND+PR
    • bedevctl.exe,SK+TR+NI+NH+NC+ND+PR
    • sgn_masterserv,SK+TR+NI+NH+NC+ND+PR

    SafeGuard Client drivers

    In addition, the device path \\.\GLOBALROOT\Device\SgmbeDisk\ needs to be excluded. If the path cannot be excluded directly, exclude the SafeGuard Device Encryption driver that mounts the device, located at “Windows\System32\drivers\BEFLT.sys”.

Reply
  • FormerMember
    0 FormerMember

    Hello Thorsten,

    My name's Toby Gunston from the Global Escalations Team for Data Encryption, thanks for your query.

    Digital Guardian have now addressed this issue with a fix in a later version of their product.

    To prevent the issue from affecting more SafeGuard Clients, exclude the following SafeGuard Enterprise Client related Paths, Services and Drivers from the Digital Guardian Agent.

    • Note: If you are running a managed Digital Guardian Agent, get in contact with Digital Guardian Support and have the exclusions being put in place.

    SafeGuard Client related paths

    • %SystemDrive%\progra*\sophos*
    • %SystemDrive%\progra*\Utimaco\SafeGuard*\LocalCache*

    SafeGuard Client executables and services

    • sgnsafemodeser,SK+TR+NI+NH+NC+ND+PR
    • sgnauthservice,SK+TR+NI+NH+NC+ND+PR
    • befcsvcn.exe,SK+TR+NI+NH+NC+ND+PR
    • bedevctl.exe,SK+TR+NI+NH+NC+ND+PR
    • sgn_masterserv,SK+TR+NI+NH+NC+ND+PR

    SafeGuard Client drivers

    In addition, the device path \\.\GLOBALROOT\Device\SgmbeDisk\ needs to be excluded. If the path cannot be excluded directly, exclude the SafeGuard Device Encryption driver that mounts the device, located at “Windows\System32\drivers\BEFLT.sys”.

Children
No Data
Unfiltered HTML