
Dell Data Protection Enterprise Edition Requires System32 .EXE’s to be Excluded.


Microsoft recently modified the Windows update process so that files within the \Windows\System32 directory are changed before the Dell Data Protection | Enterprise Edition drivers are loaded. This may result in SDE-encrypted executables (.EXE) within the System32 folder being replaced by clear-text (non-encrypted) files without Dell Data Protection | Enterprise Edition being notified of the change. Dell Data Protection | Enterprise Edition then attempts to decrypt a non-encrypted file, resulting in a BSOD.


Affected Products:

Dell Data Protection | Enterprise Edition

Affected Versions:

7.0.x-9.2+




Only users of Dell Data Protection | Enterprise Edition with System Data Encryption (SDE) may be affected by this issue. The steps to determine whether the issue is present in your environment depend on the version of your DDP | EE Server; follow the procedure that matches your Remote Management Console.

  1. Log into the Dell Data Protection Remote Management Console (RMC).
  2. In the left-menu pane, select Enterprise, Endpoint Groups, or Endpoint. This option will depend on where SDE policies are modified in your organization.
  3. Select the Security Policies tab.
  4. If the template menu appears, click Override. Proceed to step 5.
  5. From the Policy Category drop-down, select Windows Encryption.
  6. Expand Fixed Storage.
  7. Confirm SDE Encryption Enabled is set to True. If SDE Encryption Enabled is False, then you are not affected by this issue.
  8. Under SDE Encryption Rules, look for %ENV:SYSTEMROOT%\SYSTEM32\;exe or C:\Windows\System32\;exe without a "-" symbol.

Example of a policy with the issue:

  • C:\Windows\System32\;exe

  • @C:\Windows\System32\;exe

  • %ENV:SYSTEMROOT%\System32\;exe

  • @%ENV:SYSTEMROOT%\System32\;exe

Note: The syntax may include a "^", "^2" or "^3" symbol.

If you are unable to find syntax similar to the above examples, then you are not affected by the issue. If you find syntax similar to the above examples, proceed to the fix procedure below (How do I fix the issue?).

  1. Log into the Dell Data Protection Remote Management Console (RMC).
  2. In the left-menu pane, click on Populations.
  3. Click on Enterprise, Endpoint Groups, or Endpoints. This option will depend on where SDE policies are modified in your organization.
  4. Click on File/Folder Encryption (FFE).
  5. Confirm SDE Encryption Enabled is checked.
    Note: This issue does not affect your environment if SDE Encryption Enabled is not checked.
  6. Under SDE Encryption Rules, look for %ENV:SYSTEMROOT%\SYSTEM32\;exe or C:\Windows\System32\;exe without a "-" symbol.

Example of a policy with the issue:

  • C:\Windows\System32\;exe

  • @C:\Windows\System32\;exe

  • %ENV:SYSTEMROOT%\System32\;exe

  • @%ENV:SYSTEMROOT%\System32\;exe

Note: The syntax may include a "^", "^2" or "^3" symbol.

If you are unable to find syntax similar to the above examples, then you are not affected by the issue. If you find syntax similar to the above examples, proceed to the fix procedure below (How do I fix the issue?).

The solution steps depend on the version of your DDP | EE Server; follow the procedure that matches your Remote Management Console.

  1. Log back into the RMC and go to the SDE Encryption Rules section (covered in How do I know if I'm affected?).
  2. Add a "-" (minus) symbol to the syntax in question.
    Example of change:
    Before: C:\Windows\System32\;exe
    After: -C:\Windows\System32\;exe
  3. In the bottom right corner, click Save.
  4. In the left-menu pane, click Commit Policies (under Actions).
  5. Optionally enter a comment about the policy change and then click Apply Changes.
  6. Endpoints using Dell Data Protection | Enterprise Edition will pick up the new policy change on the next policy poll and begin decrypting .EXE's within the System32 folder.

  1. Log back into the RMC and go to the SDE Encryption Rules section (covered in How do I know if I'm affected?).
  2. Add a "-" (minus) symbol to the syntax in question.
    Example of change:
    Before: C:\Windows\System32\;exe
    After: -C:\Windows\System32\;exe
  3. In the top right menu, click Save.
  4. In the left-menu pane, click on Management.
  5. Click Commit.
  6. Under the Commit menu, optionally enter comments about the policy change and then press Commit Policy.
  7. Endpoints using Dell Data Protection | Enterprise Edition will pick up the new policy change on the next policy poll and begin decrypting .EXE's within the System32 folder.

This may result in BSODs if .EXE extensions are encrypted with System Data Encryption (SDE), Common, or User


For any questions/concerns, please call Dell Data Protection ProSupport at: 877.459.7304 Ext. 4310039. For support outside the US, reference ProSupport’s International Contact numbers list. You can also join us on our Dell Security Community Forum.


Article ID: SLN301956

Last Date Modified: 02/28/2017 08:46 AM

