Knowledge Center

FAQs for Endpoint Encryption Files and Folders 3.x
Technical Articles ID:  KB72684
Last Modified:  09/24/2013


McAfee Endpoint Encryption Files and Folders 3.x



This article is a consolidated list of common questions and answers and is mainly intended for users who are new to the product, but can be of use to all users.


General - For product information, including licensing, and miscellaneous topics.
Compatibility - Interaction between other products and software, including EFS, Windows, Mac and iPhone.
Installation/Upgrade - For information about installing, upgrading, and removing.
Configuration - Includes best practices, optimizing, configuring and EERM.
Functionality - Product features and functions including authentication, EERM, self-extractor, policy/rules, certificates, keys and reporting/logging.

What is persistent encryption?
Persistent encryption is enforced by EEFF 3.x. It ensures that an individual file remains encrypted even after the decrypt driver for Full Disk Encryption has been loaded. Without persistent encryption, all files are effectively decrypted when a user authenticates and gains access to Windows. With persistent encryption, the individual file remains encrypted, no matter where it is copied or what application accesses it. The encryption remains transparent to a user with the encryption agent and proper keys loaded.

Back to Contents

Is EEFF 3.x compatible with the Microsoft Encrypted File System (EFS)?
No. This is because both EFS and Endpoint Encryption for Files and Folders (EEFF) are file encryption products and work at the same file system level. There would be a driver conflict. For more information about Microsoft EFS, see http://windows.microsoft.com/en-US/windows-vista/What-is-Encrypting-File-System-EFS.

Are EFS encrypted files supported on McAfee Encrypted USB devices?
No. To support EFS requires support for NTFS formatted drives. This means EFS encrypted files are not supported on USB devices that are encrypted by EERM that creates 4 GB FAT 32 encrypted containers.

Are the Microsoft Windows system files encrypted with EEFF?
No. System files are excluded from encryption as a safety precaution.

Does EEFF 3.x work in Microsoft Windows Safe Mode?
Yes for Safe Mode with networking. No for Safe Mode without networking.

Does EEFF 3.x support the Advanced Format Drives that have a 4 KB hard disk sector size?
Endpoint Encryption for PC (EEPC) and EEFF does not currently support the 4 KB native drives because the current Microsoft operating systems do not support this format. However, Endpoint Encryption products will support Microsoft operating systems that support drives that use the Advanced Format (4 KB physical and 512-byte logical sector size). The drives in this mode emulate 512-byte sectors, so no issues are expected. For further details, see KB71582.

Does Endpoint Encryption Connector Manager support secure LDAP?
Yes. For LDAP support with Endpoint Encryption, SSL certificates must already be installed and configured on all domain controllers.

Is EEFF 3.x supported on network shares?
Only on some operating systems. For details see KB72276.

Is EEFF 3.x supported on the Mac?
No. If you require a change to this functionality in a future version of the product, you can submit a Product Enhancement Request. To submit a PER, see the Related Information section. For supported environments, see KB68072.

How is an iPhone handled by Endpoint Encryption for Removable Media (EERM)?
The iPhone does not present itself as a USB storage device when connected to a Windows operating system. Therefore, EERM will not attempt to create an encrypted container.

NOTE: You can exempt devices from EERM by using the Exempted Device IDs option. To find the DeviceID for a removable media device, refer to the EEFF Administration Guide.

Back to Contents

Currently, there aren't any FAQs for this section.

Back to Contents

What is the maximum recommended device size for EERM?
64 GB. Although theoretically there is no maximum, devices larger than 64 GB will take a long time to initialize, and initialization might fail because of a system timeout. For large devices, consider true full-disk McAfee encryption solutions.

Can I change the EERM password policy?
No. This as this is hard coded. To submit a PER, see the Related Information section.

Can I use a wildcard with the EERM option Exempted Device IDs?
No. You can only exempt a device by using the Device ID. To find the DeviceID for a removable media device, see KB71681, or the latest EEFF Administration Guide.

Can I configure EERM to exempt devices by Vendor?
Yes. For details see KB69770.

What location is used by EERM to temporarily store the data when the encryption container is being created?
When EERM encrypts a USB device, the original data is moved to your local hard disk under: %<Users temp folder>%\McafeeEERMFormat\Format*

Can I modify the temporary location EERM uses when encrypting a USB device?
No. To submit a PER, see the Related Information section.

Can I configure EERM to allow only removable media devices that have no data on them to be encrypted?
No. However if you specify the EERM policy option Encrypt Entire Device, you are given the option to keep the existing files or not.

When is EERM configured to delete the files backed up on the local hard-disk?
The data will never be deleted until a response to a dialogue is provided either when exiting the EERM or re-opening the EERM application. This is done to protect the original data in case the encryption process is interrupted.

Can I configure EERM to have a policy where only removable media devices under a certain size are encrypted?
Yes. You can only specify an upper limit for the USB stick size to initialize with EERM. The following EERM encryption options are available:
  • Percentage of total size
  • Percentage of free space
  • Entire Device
Back to Contents


Why is a square symbol added to the extension of encrypted files?
When files are encrypted EEFF (regular encryption), a special Unicode symbol is added to the extension of the encrypted file. This symbol is displayed as a square, and is not visible on EEFF systems. On a system with Endpoint Encryption, the client transparently filters out the symbol, and restores the original extension so that applications can recognize the files and they are displayed normally to users. However, if the encrypted file is viewed from a system that does not have EEFF, you can see the symbol and the file type is unrecognized by the system. This means that these files cannot be opened by any default application.

This function was implemented to prohibit writing to encrypted files from systems that do not have the EEFF client installed. Some applications automatically write data to files when opened, without any notification. If data is written to encrypted files without first decrypting the file, the file can be irretrievably damaged. If the square symbol is still visible with EEFF installed, then the Endpoint Encryption driver has not attached itself to the drive or volume hosting the file. This can happen if the file resides on a non-supported file server platform or if the client has not been installed correctly. Verify that the latest Endpoint Encryption client version is used and that the file server platform is supported. You cannot disable this functionality. It exists as protection against unintentionally damaging encrypted data. For a list of supported operating systems, see KB68072.

Can I modify the EEFF 3.x login screen?

Does file encryption with EEFF 3.x increase the size of the file?
Yes, it will add only 512 bytes to each encrypted file regardless of the original file size.

Can I synchronize EEFF 3.x (usernames and passwords) with EEPC 6.0?
No, they are managed by two separate products, ePO and Endpoint Encryption Manager (EEM).

Can I read a EERM-encrypted USB device on a Windows computer that does not have EERM?
Yes. This is a key point of using EERM because it has an explorer application residing on the USB stick, which negates the need for any computer to have EERM/EEFF installed to authenticate and access the data within the EERM container.

Can a flash drive be made bootable after installing EERM?
Yes, because when you use EERM, there is both a private and public area. You can set up the flash drive as a bootable device if the files required to boot the system are in the public area and are not encrypted.

Can NTFS be used instead of FAT32 for the EERM encrypted container?
No, because there isn't any public driver implementations of NTFS available. Additionally, a driver must be installed on the host platform as well as requiring local administrator rights, which defeats the whole purpose of EERM. McAfee could use NTFS if we were allowed to install a driver or had some rights, but without this, it is impossible to install an NTFS file system. Instead, EERM has to use FAT32 which, because it is public, enables McAfee to build it into the application. However, the limitation of using FAT32 is that the maximum file size that can be placed within an encrypted EERM container is 4 GB, even though the container has no such limitation. Future versions of EERM will try to address this file size limit while retaining the usage of FAT32. This is currently subject to engineering research. To submit a PER, see the Related Information section.

What is the purpose of the Self-Extractor?
To share encrypted data with users that do not have EEFF installed on their computers. For example, you want to hand over the input material for your financial statements.

What algorithm is used when creating an EEFF 3.x a Self-Extractor file?
If you select Save to disk, the Self-Extractor is saved to the user specified location (for example, to a USB flash memory drive). When you are prompted to select the password to be used to encrypt the Self-Extractor, the key is based on PKCS#5 (Password-Based Cryptography Standard), the encryption key is derived from the password and then that key is used to encrypt the Self-Extractor. The encryption used is the AES 256 algorithm.

What is the largest recommended input data size when creating a self-extractor file?
The recommended upper input data size of 10 MB because it is optimized for email attachments. You might be able to use a larger input data size, but McAfee does not recommend this. Any issues found when using larger files will not be supported.

Which EEFF 3.x encryption rule takes precedence?
If a file extension encryption policy is set to encrypt, (for example, PDF files with Key A and a Folder Encryption policy is set to encrypt files in folder X with Key B), which key is used to encrypt a PDF file put into folder X? It is encrypted with Key B because Folder Encryption always overrides File Extension Encryption.

Can I use a EEFF encryption policy to encrypt the folder which is available in the folder encryption policy drop-down menu?
McAfee does not recommend this approach. Certain files in the <user profile> folder must not be encrypted. An example is ntuser.dat, because it can cause system deadlocks. The purpose of having the <user profile> folder in the drop-down menu is to address subfolders that exist below it, not the profile folder itself.

What is the expected behavior when a user applies a policy to a folder which cannot be encrypted?
If you cannot encrypt the folder, you cannot apply the policy successfully. However, the EEFF policy will keep trying to encrypt the folder until it becomes possible to encrypt.

Which certificates can I use for authentication EEFF 3.x and EERM?
For certificates to be used in EEFF and EERM, they have to have Data Encipherment as one of the Key Usage properties. Certificates must not have expired and for reasons of speed, there is no check of revocation lists and/or servers.

When using EERM and the Certificate Recovery option, what type of certificate is required?
One of the recovery options with EERM is Allow User Certificate. You can use any certificate available in the Microsoft Windows certificate store to enable this feature.

NOTE: For certificates to be listed in the EERM drop-down menu, you must enable either Data Encipherment or Key Encipherment, or both.

Should I delete or remove the User Local Keys created on the client?
No. These keys are not automatically deleted by design. They remain so they can be accessed again if the EEFF client is reinstalled. You can only delete User Local Keys manually.

What is the default timeout value for the User Local Key, when using the Create Local Key Wizard?
The timeout option default value is 60 minutes.

How do I generate the Default Local Key?
Access the user Properties, User Local Keys, then select the option to Automatically create a user local key.

Which key applies when a policy encrypts a sub-folder with a different key from its parent folder?

If you encrypt a sub-folder with a different key from its parent folder, you only require the key for the sub-folder to access the contents of that folder. Example scenario:

    • A policy exists that encrypts FolderA in the path C:\FolderA with a specific key.
    • A newer policy is created that encrypts Folder B in the path C:\FolderA\FolderB with a different key.
You only require the key for FolderB to access the contents of FolderB. Any other items in FolderA remain encrypted.
Can I log which files are encrypted with EEFF 3.x?
Not currently. Enhanced reporting and auditing are planned for a post-release EEFF 4 update. However, this feature will not be included in the initial EEFF 4.0 release. EEFF 4.0 is planned to be released in Q2/Q3 2011.

Back to Contents

Rate this document

Did this article resolve your issue?

Please provide any comments below

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.
United States - English
© 2003-2013 McAfee, Inc.