InfoSec: McAfee EEPC drive status showing "Partially Encrypted" in ePO

McAfee Endpoint Encryption for PC (formerly SafeBoot) is an enterprise-level solution that allows enterprises to deploy full-disk encryption to managed workstations. One of the many benefits of the solution is the centralized management and reporting capability, which enables asset management teams to report on the encryption status of lost or stolen assets (thus differentiating between a benign asset loss event and a possible full-blown "unencrypted device" data loss incident). Employee reported their laptop stolen? Not a problem: log in to ePO, search for their system either by system name or by the employee's username, and check the corresponding tab to see if it is encrypted (see steps 1 through 4 below).

Unfortunately, according to the McAfee KB76098 article, there is a known cosmetic issue with EEPC versions 6.2 Patch 1 and earlier: if a device has any hidden or system recovery partitions, its drive encryption status is misleadingly reported as "Partially Encrypted". This may, understandably, send your incident response and risk management teams into a possible "unencrypted device loss" investigation frenzy, despite the primary partition (usually the "C:" drive) actually being encrypted in its entirety. Luckily, a fix is available (according to the article, updating to EEPC 7.0 addresses this) and the workaround is fairly straightforward.

How to Check the Volume Encryption Status

1. First, log in to your ePO console and locate the system you are investigating in the System Tree.

2. Click the "Drive Encryption" tab under the system view (this may be named something like "SafeBoot" or "Endpoint Encryption" if you have older versions of ePO or of the corresponding components). Confirm that the "State" is "Active", then click the "More" link on the bottom-left of the screen:

If the "State" doesn't say "Active", you may indeed have an unencrypted asset on your hands - proceed accordingly.

3. Once the Drive Encryption details window opens, you want to go to the "Disks" tab, to see the actual HDD drives detected in this particular system:

4. Here is where you would see the worrisome "Partially Encrypted" message, suggesting that not all of your user's data was encrypted:

Don't jump to conclusions yet - go ahead and click on that entire line to load the Disk Details page.

5. On the bottom of the Disk Details page, click on the "Go to related Disk Volumes" link - this will let you see what volumes are detected and what their individual encryption status is:

6. Once the list loads, confirm whether all system and data partitions are encrypted:

As you can see, this particular 115 GB drive had a 95 GB system partition (Drive "C:") which was indeed encrypted in its entirety, and it did not have any other unencrypted data partitions, as the "Partially Encrypted" status would lead your incident response team to believe. The remaining 20 GB was a dedicated "system recovery" partition holding the blank image of the laptop's "factory default" operating system, and it was, in fact, also encrypted.

What we were seeing was the manifestation of the KB76098 cosmetic bug affecting EEPC versions 6.2 Patch 1 and older: hidden partitions caused ePO to falsely report the drive as "Partially Encrypted" whenever the combined system/data partition size did not match the total drive size. The hidden partitions still got encrypted (we have confirmed this using EnCase), but they were not reported to ePO, which produced the erroneous partial-encryption status.
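To make the difference between the cosmetic roll-up and a real incident concrete, here is an added example (not McAfee's code, and not part of the original post) that models the behaviour described above: an assumed approximation of the pre-7.0 ePO status calculation beside the per-volume triage from steps 4 through 6, using the 115 GB / 95 GB / 20 GB drive from this post as constructed sample data. The status labels other than "Partially Encrypted" are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Volume:
    name: str
    size_gb: int
    encrypted: bool
    hidden: bool = False   # recovery/OEM partitions that EEPC 6.2 P1 never reports to ePO


def epo_reported_status(disk_size_gb: int, volumes: List[Volume]) -> str:
    """Assumed model of the KB76098-era roll-up: only non-hidden volumes reach ePO,
    and any size shortfall against the physical disk is read as 'Partially Encrypted'
    even when every volume ePO can see is fully encrypted."""
    reported = [v for v in volumes if not v.hidden]
    if any(not v.encrypted for v in reported):
        return "Not Encrypted"          # constructed label for the genuine-incident case
    if sum(v.size_gb for v in reported) < disk_size_gb:
        return "Partially Encrypted"    # the cosmetic result this post is about
    return "Encrypted"


def triage(disk_size_gb: int, reported_volumes: List[Volume]) -> dict:
    """Steps 4-6 of the post as a check: judge by the per-volume status ePO lists
    under 'Go to related Disk Volumes', not by the drive-level roll-up."""
    unencrypted = [v.name for v in reported_volumes if not v.encrypted]
    unaccounted = disk_size_gb - sum(v.size_gb for v in reported_volumes)
    return {
        "unencrypted_volumes": unencrypted,
        "unaccounted_gb": unaccounted,
        # Cosmetic only if every listed volume is encrypted and the shortfall is
        # space ePO did not report; the hidden space itself still needs an
        # out-of-band check (the post used EnCase) before the case is closed.
        "likely_cosmetic": not unencrypted and unaccounted > 0,
    }


# Constructed sample: the laptop from the post, with an encrypted but hidden recovery partition.
DISK_GB = 115
LAPTOP = [Volume("C:", 95, True), Volume("Recovery", 20, True, hidden=True)]
# Constructed counter-example: a visible, unencrypted data partition, a real incident.
BAD_LAPTOP = [Volume("C:", 95, True), Volume("D:", 20, False)]

if __name__ == "__main__":
    for disk in (LAPTOP, BAD_LAPTOP):
        print(epo_reported_status(DISK_GB, disk),
              triage(DISK_GB, [v for v in disk if not v.hidden]))
```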

As mentioned above, this is addressed in newer versions of McAfee EEPC/ePO, but in the meantime you can use the above steps to get your incident response guys off the ledge whenever a "Partially Encrypted" device gets reported as lost or stolen within your organization.
