Dell Encryption Enterprise Requires System32 .EXE’s to be Excluded
Summary: Dell Encryption Enterprise (formerly Dell Data Protection Enterprise Edition) exclusions can be added for System32 .EXEs by following these instructions.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Affected Products:
- Dell Encryption Enterprise
- Dell Data Protection | Enterprise Edition
Affected Versions:
- v7.0.x and Later
Microsoft recently modified the Windows update process to change files within the \Windows\System32 directory before Dell Encryption Enterprise drivers are loaded. This may result in SDE encrypted executables (.exe) within the System32 folder being replaced by a clear-text (nonencrypted) file without notifying Dell Encryption Enterprise on the change.
Cause
This causes Dell Encryption Enterprise to attempt to decrypt a nonencrypted file, resulting in a blue screen.
Resolution
How Do I Know If I am Affected?
This issue only affects users using Dell Encryption Enterprise with System Data Encryption (SDE). Click the version of your Dell Security Management Server to determine if the issue is present in your environment.
- Log in to the Dell Data Protection Remote Management Console (RMC).
- In the left-menu pane, click Populations.
Figure 1: (English Only) Populations
- Click Enterprise, Endpoint Groups, or Endpoints. This option depends on where SDE policies are modified in your organization.
Figure 2: (English Only) Choose Enterprise, Endpoint Group, or Endpoints
- Click File/Folder Encryption (FFE).
Figure 3: (English Only) File/Folder Encryption (FFE)
- Confirm SDE Encrypted Enabled is checked.
Figure 4: (English Only) Verify SDE Encrypted Enabled
Note: This issue does not affect your environment if SDE Encrypted Enabled is not checked.
- Under SDE Encryption Rules, look for
%ENV:SYSTEMROOT%\SYSTEM32\;exeorC:\Windows\System32\;exewithout a-symbol.
Example of a policy with the issue:
C:\Windows\System32\;exe @C:\Windows\System32\;exe %ENV:SYSTEMROOT%\System32\;exe @%ENV:SYSTEMROOT%\System32\;exe
Note: The syntax may include a
^, ^2 or ^3 symbol.
If you are unable to find syntax similar to the above examples, this issue does not affect you. If you find syntax similar to the above example, go to: How do I fix the issue?
- Log in to the Dell Data Protection Remote Management Console (RMC).
- In the left-menu pane, select Enterprise, Endpoint Groups, or Endpoints. This option depends on where SDE policies are modified in your organization.
Figure 5: (English Only) Choose Enterprise, Endpoint Groups, Endpoints
Example of a policy with the issue:
Note: The syntax may include a
^, ^2 or ^3 symbol.
If you are unable to find syntax similar to the above examples, then you this issue does not affect you. If you find syntax similar to the above example, go to: How do I fix the issue?
- Select the Security Policies tab.
Figure 6: (English Only) Security Policies
- If the template menu appears, click Override and then go to step 5.
Figure 7: (English Only) Override
- From the Policy Category drop-down, select Windows Encryption.
Figure 8: (English Only) Select Windows Encryption
- Expand Fixed Storage.
Figure 9: (English Only) Fixed Storage
- Confirm SDE Encryption Enabled is set to true. If SDE Encryption Enabled is False, then this issue does not affect you.
- Under SDE Encryption Rules, look for
%ENV:SYSTEMROOT%\SYSTEM32\;exeorC:\Windows\System32\;exewithout a-symbol.
C:\Windows\System32\;exe @C:\Windows\System32\;exe %ENV:SYSTEMROOT%\System32\;exe @%ENV:SYSTEMROOT%\System32\;exe
How Do I Fix The Issue?
Click the version of your Dell Data Security Server / Dell Data Protection Server for the solution.
- Log back into the RMC and go to the SDE Encryption Rules section (covered in How do I know if I am affected?).
- Add a "-" (minus) symbol to the syntax in question.
Example of change:
Figure 10: (English Only) Before
Figure 11: (English Only) After
- In the upper right menu, click Save.
Figure 12: (English Only) Save
- In the left-menu pane, click Management.
Figure 13: (English Only) Management
- Click Commit.
Figure 14: (English Only) Commit
- Under the Commit menu, optionally enter comments about the policy change, and then press Commit Policy.
- Endpoints using Dell Encryption Enterprise will pick up the new policy change on the next policy poll and begin decrypting .exe’s within the System32 folder.
This may result in a blue screen if .exe extensions are encrypted with System Data Encryption (SDE), Common, or User.
Note: This is a default policy as of v9.2.
- Log back into the RMC and go to the SDE Encryption Rules section (covered in How do I know if I am affected?).
- Add a
-(minus) symbol to the syntax in question.
Example of change:
Figure 15: (English Only) Before
Figure 16: (English Only) After
- In the bottom-right corner, click Save.
Figure 17: (English Only) Save
- In the left menu pane, click Commit Policies (under Actions).
Figure 18: (English Only) Commit Policies
- Optionally enter a comment about the policy change and then click Apply Changes.
- Endpoints using Dell Data Protection | Enterprise Edition will pick up the new policy change on the next policy poll and begin decrypting .exe’s within the System32 folder.
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.
Affected Products
Dell EncryptionArticle Properties
Article Number: 000125667
Article Type: Solution
Last Modified: 08 May 2024
Version: 9
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.