Unencrypt off of network

Guys,

Is there a way to unencrypt a drive without having it sync with the Safeguard server? We have 2 drives with boot volume viruses that need to be unencrypted so our Network Security department can examine the drives. Is there a way to unencrypt those two drives without exposing them to our network and risking the virus spreading?

Thanks,

Jontan8181

  • Just a suggestion: Of course the network department has SafeGuard Enterprise on their machines as well. Assign the key(s) belonging to the machine(s) where the drives came from to one or more of their users (or their whole OU), and make sure those keys end up in their key ring. Then disconnect from the network a machine to which those keys have already been synced. Log on as one of the users with these keys, and slave the disk over a USB connection. The disk can be accessed transparently (as if it weren't encrypted). Depending on how and where the contamination took place it might be totally unnecessary to access the drives this way, by the way. If the contamination was caused by booting with a contaminated boot medium they can inspect the MBR right away, no need to decrypt.

    “First things first, but not necessarily in that order” – Doctor Who

  • The security team doesn't want to hook the drives up to their own machines, as the virus could spread to their machines, then to the network when they re-connect. They are planning on booting up a live CD such as Backtrack to look at the drives, and linux can't see the drives until they are decrypted.

    Thanks,

    Jontan8181

  • To add to my questions....

    If we unencrypt a drive as a slave to another computer....will it remove the POA from the slave drive. We are having issues with the POA on a drive, and we are unencrypting as a slave....but will it still have the POA until the software is removed.

    Jontan8181


  • jontan8181 wrote:

    The security team doesn't want to hook the drives up to their own machines, as the virus could spread to their machines, then to the network when they re-connect. They are planning on booting up a live CD such as Backtrack to look at the drives, and linux can't see the drives until they are decrypted.

    Thanks,

    Jontan8181


    Jontan8181,

    Thanks for visiting the forum. Sophos offers a method to access an encrypted drive that is similar to using a Backtrack CD.

    Another way to recover data is using the WinPE 2.0 disc with the SGN drivers and libraries. You can access the encrypted disk either by using the Logon Recovery option in the SGN Management Center or by using the WinPE recovery disc with POA authentication. Take a look at this KB Article for details on how to execute the recovery process: KBA #108555

    What that KBA overlooks is the situation when POA is disabled. During the boot process, when the display reads that the auto user is logging in (or "please wait for auto logon"), hit the F2 key. That will bring POA up, and then you can log in.

    Hopefully this will help you clean the infected drive. Please let us know if this response helps so others can benefit as well.


  • jontan8181 wrote:

    To add to my questions....

    If we unencrypt a drive as a slave to another computer....will it remove the POA from the slave drive. We are having issues with the POA on a drive, and we are unencrypting as a slave....but will it still have the POA until the software is removed.

    Jontan8181


    Hi Jontan8181,

    Not exactly sure what you mean here. Do you mean that when slaving the drive, POA will prompt you for authentication from the slaved drive?

    If that is your question, then the answer is: the slave drive may have a boot loader, but it's not being called, so no POA will appear from that disk.

    Or if your question is, will slaving a drive protected with SGN remove the active POA after it's a master again?

    If that is your question, then the answer is: The only way to remove POA from boot is to change the security policies either from the SGN Management Center or SGN Policy Editor.

    If I completely missed the context of your question, then please post it with more detail or with an example.
