Third-party Legacy Filter Drivers Can Impact Encryption Behavior for External Media When Dell Encryption Enterprise is Installed
Summary: Software that uses legacy filter drivers, such as DLP products that monitor external media, may cause external media data not to be encrypted.
Symptoms
Affected Products:
- Dell Encryption Enterprise
Affected Operating Systems:
- Windows
Cause
Because the legacy filter driver performs the external media monitoring, it may cause files to appear removed or deleted to the Shield. As a result, the files are not encrypted as they should be under the policy-based rules.
The EMS logs show messages similar to the following:
21.03.31 13:20:37.617 [I] [Volume "E:\"] [SWEEP] Starting full volume sweep! ContinuedSweep = 'F'
21.03.31 13:20:37.625 [I] Raising Event: "DeviceSweepStart".
21.03.31 13:20:37.687 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\CmgCryptoLib.mac"
21.03.31 13:20:37.690 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp.chm"
21.03.31 13:20:37.691 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_DE.chm"
21.03.31 13:20:37.692 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_ES.chm"
21.03.31 13:20:37.692 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_FR.chm"
21.03.31 13:20:37.693 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_IT.chm"
21.03.31 13:20:37.694 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_JA.chm"
21.03.31 13:20:37.694 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_KO.chm"
21.03.31 13:20:37.695 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_PT-BR.chm"
21.03.31 13:20:37.695 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_PT.chm"
21.03.31 13:20:37.698 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\VolEncInfo.iff"
21.03.31 13:20:37.766 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\VolEncInfo.temp.iff"
21.03.31 13:20:37.767 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\VolumeInfo.xml"
21.03.31 13:20:37.770 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\Access Encrypted Files (Mac).dmg"
21.03.31 13:20:37.773 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\autorun.inf"
21.03.31 13:20:37.773 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\newtest.pptx"
21.03.31 13:20:38.173 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_EMS_Config_Data_Dir_\VolEncInfo.iff"
21.03.31 13:20:38.173 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_EMS_Config_Data_Dir_\VolumeInfo.xml"
21.03.31 13:20:38.176 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\CmgCryptoLib.mac"
21.03.31 13:20:38.179 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp.chm"
21.03.31 13:20:38.179 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_DE.chm"
21.03.31 13:20:38.180 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_ES.chm"
21.03.31 13:20:38.180 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_FR.chm"
21.03.31 13:20:38.181 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_IT.chm"
21.03.31 13:20:38.181 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_JA.chm"
21.03.31 13:20:38.182 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_KO.chm"
21.03.31 13:20:38.183 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_PT-BR.chm"
21.03.31 13:20:38.183 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\EMSHelp_PT.chm"
21.03.31 13:20:38.186 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\VolEncInfo.iff"
21.03.31 13:20:38.188 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\VolEncInfo.temp.iff"
21.03.31 13:20:38.188 [W] [SWEEP] File deleted before we got a change to sweep it! "E:\_Encryption_Data_Do_Not_Delete_\VolumeInfo.xml"
21.03.31 13:20:38.189 [I] [Volume "E:\"] Encryption sweep finished: Result = 0x00000000
A WSScan of the External Media also shows that zero (0) encrypted files exist on the external media drive.
Driver Elevation output shows a Legacy driver that is listed above our CMG Shield drivers:

Figure 1: (English Only) Legacy driver above CMG Shield driver
Resolution
There is no remediation available for this behavior other than disabling the external media monitoring in the software that uses the legacy filter driver.