safetech and wintech administration guide


Upload: bontita

Post on 01-Dec-2014


Page 1: SafeTech and WinTech Administration Guide

McAfee, Inc.

1

5140(513-0015)

SafeTech and WinTech Administrators Guide


McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA

Tel: (+1) 888.847.8766

Internet: www.mcafee.com

For more information regarding local McAfee representatives please contact your local McAfee office, or visit:

www.mcafee.com

SafeTech/WinTech Administrators Guide


Document: SafeTech and WinTech Administrators Guide

Last updated: Wednesday, 27 February 2008

SafeBoot Enterprise Build: 5140(513-0015)

Copyright (c) 1992-2008 McAfee, Inc., and/or its affiliates. All rights reserved.

McAfee, SafeBoot and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners.


Contents

1. INTRODUCTION
1.1 SAFETECH OVERVIEW
1.2 PRIOR KNOWLEDGE

2. USING SAFETECH/WINTECH
2.1 CREATING A SAFETECH DISK
2.2 CONCEPTS
2.2.1 SafeTech
2.2.2 WinTech
2.3 CREATING THE BOOT DISK
2.3.1 SafeTech Concepts
2.3.2 When to Use WinTech/SafeTech
2.3.3 Using the WinTech: Additional Requirements

3. SAFETECH COMMANDS
3.1 FILE
3.1.1 Authorize
3.1.2 Quit
3.2 DISK
3.2.1 Open Workspace
3.2.2 Get Disk Information
3.2.3 Crypt/Decrypt Sectors
3.2.4 Force Crypt/Decrypt Sectors
3.2.5 Edit Disk Crypt State
3.2.6 Restore MBR
3.3 SAFEBOOT
3.3.1 Authenticate from SBFS
3.3.2 Authenticate from Database
3.3.3 Reset INT13 vector
3.3.4 Emergency Boot
3.3.5 Remove SafeBoot
3.4 ALGORITHMS
3.4.1 Enumerate Algorithms
3.4.2 Set Algorithm
3.5 OPTIONS
3.5.1 Set Background Colour (SafeTech only option)
3.6 HELP
3.6.1 Contact
3.6.2 About

4. THE WORKSPACE

5. TROUBLESHOOTING
5.1 TROUBLESHOOTING SCENARIOS
5.2 TROUBLESHOOTING PROCEDURES
5.2.1 How to create a SafeTech Disk
5.2.2 How to export the machine key (machine configuration)
5.2.3 How to create a WinTech PE Boot CD/DVD
5.2.4 Reset INT 13 Procedure
5.2.5 Remove INT 13 Protection
5.2.6 SafeTech Emergency Boot Procedure
5.2.7 Encryption and Boot Sector Removal: Method 1
5.2.8 Encryption and Boot Sector Removal: Method 2
5.2.9 Mount Drive (WinTech Only option)


1. Introduction

1.1 SafeTech Overview

This guide contains information on how to use the SafeBoot Device Encryption disaster recovery tool, SafeTech. SafeTech can, if used properly, recover data from encrypted hard disks and repair damaged and corrupted Device Encryption installations. If used without caution SafeTech can be dangerous for your machine. In this guide we detail some of the common tasks you might want to perform. We advise you always to seek the opinion of a SafeBoot certified support professional before attempting any of the more sophisticated procedures.

1.2 Prior Knowledge

This guide was written for security administrators. It assumes that you have some knowledge of security concepts, encryption, and the SafeBoot product range; in particular, the SafeBoot Management Center. It is preferable that administrators (readers) will have attended some form of SafeBoot Training to understand basic concepts before following the procedures in this guide.


2. Using SafeTech/WinTech

2.1 Creating a SafeTech Disk

You can create a boot disk with the files needed to use SafeTech from the SafeBoot Management Center by using the menu option Recovery > SafeTech Disk, then following the prompts to place the files on your selected media.

2.2 Concepts

2.2.1 SafeTech

SafeTech is SafeBoot’s comprehensive low level diagnostic, repair and recovery utility. It runs from the OnTime 32 bit Operating System and has the look of Windows but is not a true Windows application. SafeTech has some unique advantages as well:

The only disadvantage WinTech has is its inability to perform an Emergency Boot, whereas this feature is available in SafeTech created from the directory.

Since WinTech currently has no ability to perform an “Emergency Boot”, it will not be possible to fix a corrupted SafeBoot logon or boot time error with WinTech – please use SafeTech for such repairs.

A minor disadvantage of WinTech is that it cannot be made easily or directly from the SafeBoot Management Center, as it requires compiling a Bart PE or Windows PE environment and also requires access to the original Windows XP or 2003 install files when first creating the Bart PE environment.

2.2.2 WinTech

WinTech is the true Windows version of SafeTech and offers several advantages:

1) The ability to boot directly from a Bart PE or Windows PE/RE boot environment using CD, DVD or bootable USB stick, giving administrators the ability to utilize the same recovery environment they have always used for Disaster Recovery and Repair.

2) The new MOUNT drive feature allows data on an encrypted drive to be accessed quickly once authorized. There is no need to completely decrypt the drive first to get to important files or documents. Data is decrypted on-the-fly from the encrypted disk and this allows full access to the contents.


3) Easier access to USB drives and memory sticks that have been encrypted using the new 5.x DE optional USB removable drive support. Although normally an encrypted USB flash memory stick or external USB drive would only be accessible from the machine it was encrypted from, SafeBoot’s WinTech utility allows these encrypted drives to be mounted and viewed or the contents removed without requiring access to the original working machine as long as the machine key is still available in the Master Object Directory of the SafeBoot Management Center.

2.3 CREATING THE BOOT DISK

2.3.1 SafeTech Concepts

SafeTech is a diagnostic and repair tool for SafeBoot. It can be used to repair and fix problems with a SafeBoot protected system, such as damage caused by a virus or other types of corruption on the system. Individual machine encryption keys and configuration information are stored in the SafeBoot database, and this can be exported for use by SafeTech to repair or remove SafeBoot from a problem machine. WinTech allows you to use SafeTech booted from a Bart PE or Win PE/RE environment with all the same functionality as SafeTech from the SBMC (except Emergency Boot).

2.3.2 When to Use WinTech/SafeTech

Recovery of users’ passwords and lost token devices are all handled by the SafeBoot Recovery option. This tool is sufficient to handle the majority of problems that arise. If a machine cannot boot to the SafeBoot logon screen then WinTech/SafeTech is needed. (Please refer to the Troubleshooting chapter for many common scenarios and the procedures to follow for each instance.)

2.3.3 Using the WinTech: Additional Requirements

Once a Bart PE or Windows PE boot CD/DVD is compiled with the SafeBoot WinTech plugin, the following is required:

• As with all SafeBoot products at all times, a valid user authentication or machine key is needed to access the data on the encrypted hard drive or USB stick.

• The daily access code to allow access to the functions and use of WinTech. This is usually obtained from SafeBoot Support by customers with a valid support contract.


Although WinTech is a convenient recovery tool, it is NOT a ‘back door’ to data. The Daily access code ONLY enables advanced WinTech menu functions - and thus stops casual incorrect usage of the tool which could damage a SafeBoot installation. The Daily access code does NOT provide access to encrypted data. Authentication is still required to access the encrypted data. The other way is to provide the machine’s unique encryption key exported from the administration database (requires SafeBoot administration rights to export).


3. SafeTech Commands

3.1 File

3.1.1 Authorize

Figure 1 - SafeTech Authorization Code

This screen allows you to enter the SafeTech access code to unlock dangerous features. You only need to use this option if you started SafeTech without entering the code, and then chose to enter the code.

Once a correct code has been entered, the SafeTech status bar changes to show “Authorized” access.

Though you cannot damage any data by entering the code, you should be wary that if you don’t enter the code at all, then all dangerous features are blocked making SafeTech “Safe”. Once the code has been entered, all dangerous features are unlocked meaning you have the potential to cause data loss. You should only enter the authorisation code when you are sure you need to perform these potentially dangerous operations.

3.1.2 Quit

This option exits SafeTech and restarts the system.


3.2 Disk

3.2.1 Open Workspace

This option opens the Workspace. For assistance on how to use the SafeTech/WinTech workspace, please contact SafeBoot support.

Figure 2 - The Workspace

3.2.2 Get Disk Information

This option displays information about the physical drives detected by SafeTech. Each physical disk has a node in the disk information tree which describes its LUN, partitions, size and SafeBoot information.


Figure 3 - Disk Information

Disk Information

GUID – The unique GUID of this disk (a Device Encryption construct)

Alg ID - The SafeBoot Algorithm used to encrypt the disk

Database ID – The SafeBoot Database ID (hexadecimal) of the host SafeBoot Database that this machine has registered its keys to, and is accepting policy updates from. You can determine the Database ID through SBAdmin by looking at the License Information.

Machine ID – This is the machine's unique object ID. You can find the machine's corresponding policy object by authenticating to the correct SafeBoot Database (using the Database ID above to ensure you’re connected to the correct DB). Then click the “SafeBoot Machines Group” node in the Devices tab, then click “Groups” → “Find” and search for the appropriate Object ID – in the example above it would be 00000003.

SBFS Sector Map – This is the sector location at the beginning of the SBFS Sector map. The SBFS Sector map defines the ranges of sectors on the users’ hard disk which contain the Device Encryption pre-boot environment.

SBFS Sector Map Count – This is the size of the sector map.

Key Check – A hash of the encryption key used to protect the machine. This is used to verify keys are correct.


Crypt List Region Count – The number of defined crypted areas of this logical disk. This usually corresponds to the number of partitions on the drive.

Region … - Each region is defined as follows:

Start Sector – The physical start sector of the region

End Sector – The last physical sector included in the region

Sector Count – The number of sectors included in this region

PowerFail Status – Device Encryption tracks the progress of encryption on the drive to ensure that if power is lost during encryption, the process is recoverable.

Status – Determines whether the drive is currently in powerfail state. A status of Inactive indicates that the current encryption process has finished.

Partition – A section per Logical partition on this physical drive as follows:

Partition Number – The unique partition number

Partition Type – The file system detected on this partition

Partition Bootable – Whether the partition is bootable or not

Partition Recognised – Whether the partition is recognized as viable

Partition Drive Letter – The detected drive letter of this partition

Partition Start Sector – The physical start sector of the partition

Partition End Sector – The physical end sector of the partition

Partition Sector Count – The number of sectors in the partition

3.2.3 Crypt/Decrypt Sectors

The Crypt/Decrypt option allows you to safely manipulate which sectors are encrypted on the disk. This option follows the crypt list (see “Get Disk Information”) to validate the ranges you submit, so it will not encrypt sectors which are currently encrypted, and will not decrypt sectors which are currently not encrypted. This option supports power fail protection.

You can only use the Crypt/Decrypt Sectors option if the disk crypt state is still valid. If SafeBoot has become corrupt on the disk, or the crypt state has been corrupted, you will need to use the Force Crypt/Decrypt Sectors option.


If you change the encryption state with the Crypt/Decrypt Sectors option, appropriate modifications will be made to the disk Crypt List. For example, if you encrypt a new range, a new Region definition will be created. If you decrypt within an existing Region, then the existing region will be split into two. If you completely decrypt a region, it will be removed from the crypt list.
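The crypt list bookkeeping described above, modelled as an added example (it is not SafeTech code and not part of the original guide). The `Region` and `CryptList` names, the trimming of a region when a decrypt touches its edge, and the sample sector numbers are assumptions made for illustration; nothing here reads or writes a disk.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """One crypt list entry, using the fields shown by Get Disk Information."""
    start: int  # Start Sector: first physical sector of the region
    end: int    # End Sector: last physical sector included in the region

    @property
    def sector_count(self) -> int:
        return self.end - self.start + 1


class CryptList:
    """Hypothetical in-memory model of a disk crypt list (no disk I/O)."""

    def __init__(self, regions=()):
        self.regions = sorted(regions, key=lambda r: r.start)
        # The guide advises recording every range you manipulate.
        self.journal = []

    @staticmethod
    def _check_range(start, end):
        if start < 0 or end < start:
            raise ValueError(f"invalid sector range {start}-{end}")

    def encrypt(self, start, end):
        """Create a new region; refuse ranges touching encrypted sectors."""
        self._check_range(start, end)
        for r in self.regions:
            if start <= r.end and end >= r.start:
                raise ValueError(
                    f"{start}-{end} overlaps encrypted region {r.start}-{r.end}")
        self.regions.append(Region(start, end))
        self.regions.sort(key=lambda r: r.start)
        self.journal.append(("encrypt", start, end))

    def decrypt(self, start, end):
        """Decrypt a range that lies wholly inside one encrypted region."""
        self._check_range(start, end)
        for i, r in enumerate(self.regions):
            if r.start <= start and end <= r.end:
                remainder = []
                if r.start < start:          # sectors left before the range
                    remainder.append(Region(r.start, start - 1))
                if end < r.end:              # sectors left after the range
                    remainder.append(Region(end + 1, r.end))
                # Two pieces = split, one = trimmed (assumed), none = removed.
                self.regions[i:i + 1] = remainder
                self.journal.append(("decrypt", start, end))
                return
        raise ValueError(
            f"{start}-{end} is not entirely inside an encrypted region")


def demo():
    # Constructed sample: a single encrypted region starting at sector 63.
    cl = CryptList([Region(63, 1_000_062)])
    cl.decrypt(500_000, 599_999)          # inside a region: split into two
    after_split = list(cl.regions)
    cl.encrypt(2_000_000, 2_999_999)      # new range: new region definition
    after_new = list(cl.regions)
    cl.decrypt(2_000_000, 2_999_999)      # whole region: removed from list
    after_remove = list(cl.regions)
    rejected = []
    for op, rng in ((cl.encrypt, (100, 200)),            # already encrypted
                    (cl.decrypt, (499_000, 500_500))):   # partly unencrypted
        try:
            op(*rng)
        except ValueError as exc:
            rejected.append(str(exc))
    return after_split, after_new, after_remove, rejected, cl.journal


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two rejected calls correspond to the validation that Force Crypt/Decrypt Sectors skips, which is why that option can act on ranges this model refuses.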

Figure 4 – Insert the Start sector value (63)

Though this option follows the machine's built-in record of the encryption state of the disk, and supports power fail, manual manipulation of the encrypted sector ranges should only be attempted under the supervision of SafeBoot support personnel. If you have to use this function it is wise to record the exact ranges you manipulated in case of unforeseen issues.

3.2.4 Force Crypt/Decrypt Sectors

Unlike the Crypt/Decrypt sectors option, the Force Crypt/Decrypt option does not pay attention to the disk crypt state; it simply performs the operation blindly according to user input. Force Crypt does not support power fail, nor does it apply any logic or parameter validation on the input.

You should only use the Force Crypt/Decrypt sectors option when all else fails, when the on-disk structures are completely corrupted for example.


Figure 5 - Force Crypt/Decrypt Sectors

This option will certainly cause irretrievable data loss if used incorrectly. If you are forced to use this option, you should make a recording of each operation you apply to aid in data recovery. Ensure when using this option that there is no possibility of losing power while it is working – this option DOES NOT support power fail protection.

3.2.5 Edit Disk Crypt State

Call SafeBoot Technical support for assistance. This option will certainly cause irretrievable data loss if used incorrectly. Ensure when using this option that there is no possibility of losing power while it is working – this option DOES NOT support power fail protection.

3.2.6 Restore MBR

This option restores the original MBR of the machine but does no validation checking.


3.3 SafeBoot

3.3.1 Authenticate from SBFS

This option authenticates by entering the correct user ID and password when presented with that screen.

3.3.2 Authenticate from Database

This function allows the user to authenticate with the machine key through the exported SDB file from the master object directory.

3.3.3 Reset INT13 vector

When moving a hard disk between machines, updating the BIOS, or after a virus attack, SafeBoot will warn of a possible virus at boot time and deny access to the machine.

Should there be a possibility of a virus, run a virus checker.

3.3.4 Emergency Boot

Repairs the SafeBoot File system on the client machine.

3.3.5 Remove SafeBoot

Removes the encryption and boot sector from a machine, but does not remove the SafeBoot client files. (See the Device Encryption Administration Guide for details on removing client files).

3.4 Algorithms

3.4.1 Enumerate Algorithms

Enumerates through each possible algorithm and tries to load it from the SafeTech boot file. The algorithms are contained within the SafeTech program itself.


Figure 6 - Enumerate Algorithms

3.4.2 Set Algorithm

This option allows you to select which algorithm to use in the current SafeTech session. As the SafeBoot Device Encryption algorithm is an enterprise-wide setting, and can never be changed, you should confirm the algorithm the Management Center is using before setting it in SafeTech. You can do this from the Help/About/Modules screen – check the description of the SBAlg.DLL file.


Figure 7 - Set Algorithm

Figure 8 - Checking the SBAdmin Algorithm

Selecting the wrong algorithm here will cause any manual decryption functions (decrypt sectors, force decrypt sectors, etc.) to perform the wrong mathematical functions on the data. This process is reversible, for example by re-encrypting the sector ranges, but if the algorithm choice cannot be remembered, it can be extremely time consuming to recover from.


3.5 Options

3.5.1 Set Background Colour (SafeTech only option)

This option allows the background colour of the screen to be set to improve clarity on older monitors. You can choose from Black, Red, Green, Blue, or White.

3.6 Help

3.6.1 Contact

Figure 9 - Contact Details

Displays a list of current world telephone support numbers.

3.6.2 About

Figure 10 - About Display

This option displays the major and minor SafeTech version.


4. The Workspace

The SafeTech workspace provides the administrator with the ability to examine sectors of the drive for encryption state. Since it also allows the administrator to write sectors back to the disk, it should only be used under the guidance of SafeBoot Support representatives (or by those who have received Advanced SafeTech Training) for advanced troubleshooting.

Figure 11 - The SafeTech Workspace


5. Troubleshooting

5.1 Troubleshooting Scenarios

SCENARIO I:

The SafeBoot login screen does not appear when booting the PC.

Follow the Emergency Boot procedure.

SCENARIO II:

Updated the machine’s BIOS and now boot to a virus warning

Follow the Reset INT 13 Vector procedure

SCENARIO III:

Boot to missing operating system while the machine is in the process of encrypting or decrypting

Follow the Encryption and Boot Sector Removal: Method 1 procedure

SCENARIO IV:

Boot to missing operating system after machine has successfully encrypted

Follow the Encryption and Boot Sector Removal: Method 2 procedure

SCENARIO V:

Copy Data from a corrupted encrypted drive without removing encryption.

Follow the Mount Drive (WinTech Only option) procedure

SCENARIO VI:

Copy Data from an encrypted external USB-attached drive or USB flash drive.

Follow the Mount Drive (WinTech Only option) procedure


5.2 TROUBLESHOOTING PROCEDURES

5.2.1 How to create a SafeTech Disk

A bootable disk can be created to contain all files necessary to run SafeTech. A blank diskette (or USB flash drive) can be used to create the SafeTech disk. It is not necessary to format the media as bootable (although the BIOS of the machine must support booting to USB if this media is selected).

1. Select the Recovery menu.

2. Select Create SafeTech boot disk.

Figure 12 - Creating the SafeTech boot disk

3. Select the media to use as the recovery disk and save it.

5.2.2 How to export the machine key (machine configuration)

1. Select the Devices tab from the tree window.


Figure 13 - The Devices tab

2. Locate the machine group that includes the problem machine, and double-click on it to open the group (or right click and choose open).

Figure 14 - The Machine Group


3. In the newly opened group window, right click on the machine needing recovery and click “Export Configuration”.

Figure 15 - Export Configuration

4. For normal use uncheck all three items under “Options” to save disk space.


Figure 16 - The location of the bootable disk

5. Type in the location of the bootable diskette just created, or browse to locate it (usually A:).

6. Click “OK”.

5.2.3 How to create a WinTech PE Boot CD/DVD

To compile a WinTech PE boot CD/DVD the following is required:

• BartPE Builder Version 3.1.10a (released on Feb 17, 2006) or later currently available from http://www.nu2.nu/pebuilder/ .

• A valid licensed copy of the XP or 2003 installation files.

• The WinTech plugin available on the 5.1.0.1 CD and later.

• Blank CD/DVD

Full instructions on actually making the disk are available separately in the “\Tools\Making a Rescue CD” folder on the current 5.1.1 or on a later SafeBoot Management Center installation. See the SafeBoot and Windows Rescue CDs document.

In this folder is an example bootable CD-ROM ISO image - please see the SafeBoot and Windows Rescue CDs document for further details.

Further information regarding BartPE is also available on the BartPE website http://www.nu2.nu/pebuilder/.


(Optionally Bart PE provides instructions on building the boot environment on a bootable USB device. Please refer to the Bart PE online information for how to do this).

Although SafeBoot has experience with WinPE/RE and BartPE, we cannot offer support on the use of these products other than information on how to install SafeBoot drivers and SafeBoot applications. SafeBoot Support cannot support issues around configuring BartPE or WinPE/RE for other hardware or software requirements.

5.2.4 Reset INT 13 Procedure

When moving a hard disk between machines, updating the BIOS, or after a virus attack, SafeBoot will warn of a possible virus at boot time and deny access to the machine.

1. Create a SafeTech or WinTech boot disk. See the How to create a SafeTech Disk procedure. Note: The machine configuration is not required.

2. Reboot the problem machine using SafeTech boot disk

3. At the DOS prompt, type SafeTech and press return

4. Enter the access code. This is obtained from the Helpdesk personnel or by calling SafeBoot Support.

5. Press the <Return> key.

Figure 17 - Entering the SafeTech Code


6. Select “Authenticate from SBFS” from the main menu.

Figure 18 - Selecting Authenticate from SBFS

7. SafeTech reads values from the drive and returns a message as per the screenshot below.

If you get a message that indicates a failure to read the values from the disk, then contact SafeBoot Support – otherwise, click “Login With Selected Token”.


Figure 19 - Login With Selected Token

8. Enter the username and password, then click “Ok”.

Figure 20 - Enter the username and password

9. Go to the Tool Bar menu and open the SafeBoot drop down menu. Select “RESET INT13 Vector” from the menu.


Figure 21 - Select RESET INT13 Vector

10. A message appears stating that INT13 has been successfully reset. Click “OK”.

Figure 22 - INT13 Vector reset message


Should there be a possibility of a virus, then run a virus checker.

5.2.5 Remove INT 13 Protection

If you wish to avoid the Reset INT 13 condition while updating the BIOS, then temporarily turn off “Virus Protection” before the BIOS upgrade.

1. In the SafeBoot Management Center find the machine, right click on it and select “Properties”.

2. Select the “General” icon.

3. Under Options, scroll until you find “Virus Protection”.

4. Deselect “Enable MBR virus protection” (see screenshot below).

5. Click Apply.

Figure 23 - Virus Protection option

After the BIOS has been upgraded the option is re-enabled, applied, and the machine is synchronized. This will again protect the boot sector of the machine.


Figure 24 - Client machine synchronization menu

5.2.6 SafeTech Emergency Boot Procedure

Should SafeBoot fail to boot, and the logon screen does appear, the SafeTech Emergency Repair process should be performed. Create a SafeTech boot disk before proceeding.

If the data is very important, or you are unsure about the procedure, then please contact SafeBoot Support before proceeding.

Note: When selecting options such as “Proceed” or “Abort”, the correct selection is the grey box with > < surrounding the option (e.g. > continue < ) and NOT the colored option!

1. Reboot the problem machine using SafeTech boot disk.

2. Enter the authentication code. This can normally be obtained from the Helpdesk personnel or by calling SafeBoot Support.

3. Click “Ok”.


Figure 25 - Enter the authentication code

4. From the main menu select “SafeBoot” followed by “Authenticate from Database”.

Figure 26 - Loading values from a Machine’s database


5. Ensure the exact machine configuration is on the disk, select the correct machine and click “Ok”.

Figure 27 - Authenticate from database

6. The machine name will be shown in an open window – only one should be listed. Check the correct machine name is listed.

7. Click “Use Selected Machine”


Figure 28 - Select the machine name

8. Select “SafeBoot” followed by “Emergency Boot”.

Figure 29 - Choosing Emergency Boot option

9. Click “Yes” if you are using Windows XP (or earlier), or click “No” if you are using Windows 2003, Vista and higher.


Figure 30 - Choose the operating system

10. Click “Ok” to confirm the Emergency Boot

Figure 31 - Confirm Emergency Boot

11. When the machine boots into Windows, if there is a network connection through to the SafeBoot server, then the machine will synchronize with the SafeBoot Object Directory and fully repair itself. Check this by right-clicking on the SafeBoot manager icon on the Taskbar, and selecting “Show Status”.

Figure 32 - The Client status screen

If SafeBoot is unable to establish a connection to the master directory at this time, continue to use the SafeTech Emergency Repair boot disk to boot the machine (as per step 11), until a connection to the server is made.

5.2.7 Encryption and Boot Sector Removal: Method 1

Make sure the machine’s main power supply is plugged in for this procedure. Do not attempt it on battery power only.

1. Create a SafeTech Boot Disk. See the How to create a SafeTech Disk procedure.

2. Boot the problem machine with the SafeTech Boot disk.

3. Start SafeTech (it may autoload depending on the boot disk).


4. Enter the authorization code.

Figure 33 - Authorization Code Prompt

5. Select the “Authenticate from SBFS” option.

Figure 34 - Selecting Authenticate from SBFS


6. SafeTech reads values from the drive and returns a message as per the screenshot below.

7. If the message indicates a failure to read the values from the disk, contact SafeBoot Support; otherwise, choose the right Token and click “Logon With Selected Token”.

Figure 35 - Select Token

8. Enter the Username and Password.


Figure 36 - Enter your username and password

9. Select “Remove SafeBoot”.

Figure 37 - The Remove SafeBoot option


10. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.

Figure 38 - SafeTech removing SafeBoot encryption and boot logon

11. Once the removal has finished, delete the machine’s record from the SafeBoot directory (the central record no longer has the correct parameters for the machine). See the Device Encryption Administrators Guide for further information, or contact your SafeBoot Database Administrator.

When the operating system is repaired, SafeBoot will automatically reactivate itself if the installed files are still intact and it connects to the SafeBoot Server. The machine may encrypt at this point too, depending on its settings in the database. This can be prevented by disconnecting from the network prior to booting the machine (or by disabling wireless networking). Once Windows has loaded, open a Windows CMD prompt, change to the SafeBoot folder on the machine and enter: “sbsetup -Uninstall”

Important: The “sbsetup -Uninstall” command can only be used if the drive is currently completely unencrypted.


Make sure you check where the \SBADMIN (administration system files) and the \SBDATA (database folder) have been installed, particularly if your installation is not in the recommended locations, before proceeding.

Also, disconnecting from the network will prevent re-activation only if this machine was originally a SafeBoot ‘online’ install. If it was an ‘offline’ install, then boot to Windows Safe Mode first. See the Device Encryption Administrators Guide for further information regarding online and offline installation.


5.2.8 Encryption and Boot Sector Removal: Method 2

If SafeBoot itself is not working, method 1 cannot be used. Method 2 should only be attempted under the guidance of SafeBoot Support. For this method the machine’s configuration exported from the database will be required.

1. Create a SafeTech Boot Disk. See the How to create a SafeTech Disk procedure.

2. Export machine configuration. See the How to export the machine key (machine configuration) procedure.

3. Boot the problem machine with the disk.

4. Enter the authorization code.

Figure 39 - Authorization Code

5. Select “Authenticate from Database” from the SafeBoot drop down menu.


Figure 40 - Authenticate from database

6. Next select the current machine name shown in the open window. Then click OK.

Figure 41 - Select the file name

7. Now select the correct Machine Name.


Figure 42 - Select Machine

8. Select “Remove SafeBoot” from the SafeBoot drop down menu. This will decrypt the drive and remove the boot sector. It may take some hours depending on the machine performance and the storage capacity of the drive or partition.

Figure 43 - Select Remove SafeBoot


Figure 44 - Removing SafeBoot

9. Remember to delete the machine’s record from the SafeBoot directory once the removal has finished, as the central record no longer has the correct parameters for the machine.

When the operating system is repaired, SafeBoot will automatically reactivate itself if the installed files are still intact and it connects to the SafeBoot Server. The machine may encrypt at this point too, depending on its settings in the database. This can be prevented by disconnecting from the network prior to booting the machine (or by disabling wireless networking). Once Windows has loaded, open a Windows CMD prompt, change to the SafeBoot folder on the machine and enter: “sbsetup -Uninstall” (Note: This command can only be used if the drive is completely unencrypted).

Disconnecting from the network will prevent re-activation only if this machine was originally an ‘online’ install of SafeBoot. If it was an ‘offline’ install, boot to Windows Safe Mode first. See the Device Encryption Administrators Guide PDF document for further information regarding online and offline installation.


5.2.9 Mount Drive (WinTech Only option)

Using WinTech: Accessing removable data stored on an encrypted USB drive.

To obtain the key for the USB drive or stick, follow Procedure No. 2 above to export the machine’s database from the SBCM. This must be the machine that the drive was attached to when it was encrypted.

1. Export the machine’s database. Note: Save the machine database to a location you can retrieve later from the BartPE CD. This exported database file contains the machine’s key.

Booting BartPE

1. In the BIOS of the client PC, find the menu to alter the order of Boot devices.

2. Set the boot device order to boot from CD/DVD first. Consult your PC or laptop documentation for further information.

3. Insert your WinTech Bart PE disk. Confirm the prompt to press a key and boot from CD.

4. Once the PE environment has fully loaded you can start WinTech. From the Start menu, choose “Programs” then “SafeBoot WinTech”.

Figure 45 - The SafeBoot WinTech option

Any USB sticks or drives you need to access later must be plugged in before Windows PE starts to load. This includes any encrypted disks you wish to access, and any disk containing the machine export database.

5. WinTech will then load. It will prompt for the authorization code (this code can be obtained from SafeBoot Support). Enter the code.


Figure 46 - The WinTech authorization screen

Figure 47 - Example code

Notice the Info bar at the bottom of the tool reports “Not Authorized” until the code has been correctly entered. After the code has been entered, this changes to “Authorized”.

Figure 48 - The Information bar

The “Not Authenticated” message still shows. User authentication or an encryption key to decrypt any data is still required!

6. Now enter the machine’s key retrieved earlier from the exported database. Note: in the case of a USB stick or drive, enter the key of the machine the drive was attached to when it was encrypted.

7. Now authenticate from the machine’s database. From the SafeBoot menu choose “Authenticate from Database”.


Figure 49 - The Authenticate from Database option

8. Browse to the location of the exported machine configuration.

9. Choose the correct SDB file.

10. From the “Disk” menu, choose “Mount Drive”.

11. From the Start menu, run your chosen File Management tool (BartPE default is A43 File Manager).