Please Note:

User Guides
Overview of CipherTrust Transparent Encryption Agent
- Configuring CTE with CipherTrust Manager
  - Installation Prerequisites
  - Installing and Registering CTE
    - Installation on Linux
    - Installation on Windows
    - Registration with Windows
  - Guarding a Device with CipherTrust Manager
    - Access the CipherTrust Manager Domain
    - Create an Encryption Key
    - Create a Standard Policy
    - Create a GuardPoint
  - Ransomware Protection
CTE Agent for Linux Advanced Configuration Guide Release
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Linux Package Installation
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
- Special Cases for CTE Policies
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the saslauthd.service File
  - Supported Use Cases
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files
  - Restricting Access with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
  - Use Cases Involving IDT-Capable GuardPoints
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
CTE Agent for Windows Advanced Configuration Guide Release
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
      - Silent Installation Using the exe File
      - Silent Installation Using the MSI File
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
    - Using STA for Multifactor Authentication for CTE GuardPoints
    - Using Okta for Multifactor Authentication for CTE GuardPoints
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Using Cisco DUO for Multifactor Authentication for CTE GuardPoints
    - Use Cases for MFA on CTE
    - Administrator Tasks for Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Installing Ransomware Protection
    - Using Ransomware Protection
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - To Upgrade in Windows Silently
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent for AIX Installation and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files
  - Restricting Access with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CipherTrust Transparent Encryption Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Duplicate Elimination
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with dataxform
    - Estimating the dataxform Runtime Period
    - Manually Running dataxform on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring dataxform
    - Using the Message Log Window
    - Using vordxf_* Files
    - Using dataxform_status* Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - dataxform Examples and Full Command Syntax
    - dataxform Command Syntax Examples
    - dataxform Command Parameters
  - Unencrypting Data
CipherTrust Transparent Encryption - Live Data Transformation
- Introduction to CTE-LDT
  - Overview of CTE-LDT
  - Keys in CTE-LDT (Versioned Keys)
  - CTE-LDT Policies
  - CTE-LDT Runtime Flow
  - CTE-LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using CTE-LDT
  - Backup/Restore
  - Restrictions
- Installing CTE-LDT
  - System Requirements
  - Installing the CTE-LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling CTE-LDT on a Protected Host
- Using CTE-LDT
  - Creating and Viewing Versioned Keys
  - Creating CTE-LDT Policies
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
      - General Best Practices for QoS
      - Select and Set Rekey I/O Rate
  - Creating a CTE-LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of CTE-LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
      - Renaming Directories on Linux
      - Caveats
      - Example
      - Considerations
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
  - Using CTE-LDT with SAP HANA Fibre Channel Systems (Linux Only)
- CTE-LDT Administration
  - CTE-LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for CTE-LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for CTE-LDT (Linux)
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFSR and Replication (Windows)
  - Backing Up and Restoring CTE-LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - CTE-LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File (MDS) in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-CTE-LDT Backup Data to an CTE-LDT GuardPoint
    - Using fsfreeze (Linux only)
    - CTE-LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - CTE-LDT Backup and Restore Troubleshooting
  - CTE-LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different CTE-LDT Policy
  - Removing CTE-LDT and Security Encryption
    - Migrating a GuardPoint Out of CTE-LDT
    - Deleting CTE-LDT Metadata (Linux)
    - Deleting CTE-LDT Metadata (Windows)
    - Removing CTE-LDT from a Host
  - Uninstalling the Agent while CTE-LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using CTE-LDT with CIFS/NFS shares
  - Introduction
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role to a host within an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover
    - LDT GuardPoint Group Commands
      - Info
      - Remove
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - CTE Windows Deployment for LDT AccessOnly nodes
    - Policy and GuardPoint Management
      - Creating a GuardPoint on a CIFS Share Drive on CipherTrust Manager
      - Pausing and Resuming LDT per host and per GuardPoint
      - Migrating GuardPoints over NFS from or to an LDT Policy
      - Multiple GuardPoint Pathnames
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Alerts
  - Troubleshooting
  - Quality of Service
- Troubleshooting CTE-LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining CTE-LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing CTE-LDT Operations at the Command Line (Windows only)
  - Protecting CTE-LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume CTE-LDT Operation
    - Insufficient Resources
    - Failed to Update CTE-LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update CTE-LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Guarding a Device with CipherTrust Manager

After you register a client with a CipherTrust Manager, you can create as many standard GuardPoints on the client as you need. These GuardPoints can protect an entire device or individual directories.

For guarding using LDT on a local drive, or on a CIFS/Share drive, refer to CTE-Live Data Transformation with CipherTrust Manager guide.

In order to guard a device or directory, you need to use the CipherTrust Manager Console to:

Access the CipherTrust Manager domain in which the client is registered.
Identify or create an encryption key that CTE will use to encrypt the data on the device or directory.
Identify or create a policy for the device or directory that specifies the access controls and the encryption keys to use for the device or directory.
Assign a GuardPoint to the device or directory.

The following example creates a simple policy and uses it to guard a directory on a registered client. For all of the following procedures, you must be logged into the CipherTrust Manager Console as a CipherTrust Manager Administrator, and you must be in the domain with which the client is registered.

For details about any of these procedures or the options for domains, encryption keys, policies, and GuardPoints, see the CipherTrust Manager documentation.

Access the CipherTrust Manager Domain

In a web browser, navigate to the URL of the CipherTrust Manager Console you want to use and log in with CipherTrust Manager Administrator credentials.
If the client you want to protect is registered to the default domain (root), proceed to Create an Encryption Key. If you need to change to a different domain, do the following:
1. In the top menu bar, click the user name root/admin on the right-hand side.
2. Select Switch Domains, then select the domain in which the client is registered.
3. The logged in user now shows the new domain name/user name.

Create an Encryption Key

The following procedure is based on CipherTrust Manager version 2.2. If you are using a different version, see the CipherTrust Manager documentation for the version that you are using.

From the Products page in the CipherTrust Manager Console, click Keys in the left hand pane.

To navigate to the Products page from anywhere in the CipherTrust Manager Console, click the App Switcher icon in the top left corner.
Above the Key table, click Create a New Key.
In the Key Name field, add a name for the key. This name must be unique. For example, Simple-Key.
In the Key Usage section, make sure Encrypt and Decrypt are selected.
Click Create. CipherTrust Manager displays the properties for the new key.
In the general options area, enable the Exportable option.

You can also enable the Deletable option in this section if you want a CipherTrust Manager Administrator to be able to delete the key.
In the Key Access section, do the following:
1. In the Search Groups box, type "cte".
  
  If no groups are displayed, make sure the Added Only option is disabled.
2. Click the All check box for both the CTE Admins and CTE Clients groups.
3. When you are done, click Update.
Click the CTE tab and set the following properties:
- CTE Versioned: Specify whether the key is versioned. By default, the key is set as versioned.
  
  For a standard policy, you should clear this check box. If you do not, the key will not appear in the keys list when you add the key rule to the standard policy.
- Persistent on Client: Specify whether the key is stored in persistent memory on the client.
  
  When the check box is selected, the key is downloaded and stored (in an encrypted form) in persistent memory on the client.
  
  When the check box is left clear, the key is downloaded to non-persistent memory on the client. Every time the key is needed, the client retrieves it from the CipherTrust Manager. This is the default setting.
- Encryption Mode: Encryption mode of the key. The options are:
  - CBC
  - CBC CS1
  - XTS
  Encryption using the XTS and CBC CS1 keys is known as enhanced encryption.
When you are done, click Update.

Create a Standard Policy

In the Applications page of the CipherTrust Manager Console, select the Transparent Encryption application.
In the sidebar on the Clients page, click Policies.
Click Create Policy. CipherTrust Manager displays the Create Policy Wizard.

On the General Info page, set the following options:

Field	Description
Name	A unique name for the policy. Make sure you use a name that is descriptive and easy to remember so that you can find it quickly when you want to associate it with a GuardPoint. This example uses "Simple-Policy".
Policy Type	The type of policy you want to create. In this example, we will create a Standard policy.
Description	A user-defined description to help you identify the policy later. For example: Standard policy for new GuardPoints.
Learn Mode	Learn Mode provides a temporary method for disabling the blocking behavior of CTE/CTE-LDT policies. While useful for quality assurance, troubleshooting, and mitigating deployment risk, Learn Mode is not intended to be enabled permanently for a policy in production. This prevents the policy Deny rules from functioning as designed in the policy rule set. Ensure that the policy is properly configured for use in Learn Mode. Any Security Rule that contains a Deny effect must have Apply Key applied as well. This is to prevent data from being written in mixed states, resulting in the loss of access or data corruption. Apply Key will have no effect when combined with a Deny rule unless the policy is in Learn Mode.
Data Transformation	If you select Standard as the policy type, also select the the Data Transformation option to tell CTE that you want to change the current encryption key used on the data in the GuardPoint, or that you want to encrypt clear-text data for the first time. This option is only displayed for Standard policies.

When you are done, click Next.

On the Security Rules page, define the security rules that you want to use.

CipherTrust Manager automatically adds a default security access rule with an action of key_op and the effects Permit and Apply Key. This rule permits key operations on all resources, without denying user or application access to resources. This allows it to perform a rekey operation whenever the encryption key rotates to a new version.

To add additional security rules, click Create Security Rule and enter the requested information. For details about adding security rules, see the CipherTrust Manager documentation.

When you are done, click Next.

On the Create Key Rule page, click Create Key Rule and enter the following information:

Field	Description
Resource Set	If you want to select a resource set for this key rule, click Select and either choose an existing resource set or create a new one. Resource sets let you specify which directories or files will either be encrypted with the key or will be excluded from encryption with this key.
Current Key Name	Click Select to choose an existing key or create a new one. If the data has not yet been encrypted, select clear_key. Otherwise select the name of the non-versioned key that is currently being used to encrypt the data. In this example, select clear_key.
Transformation Key Name	Click Select to choose an existing versioned key or to create a new one. CTE uses the versioned key specified in this field to encrypt the data in the GuardPoint. If the data is currently encrypted, CTE decrypts it using the key specified in the Current Key Name field and re-encrypts it using the key specified in this field.

When you are done, click Next.

On the Data Transformation page, click Create Data Transformation Rule and enter the following information:

Field	Description
Resource Set	If you want to select a resource set for this key rule, click Select and either choose an existing resource set or create a new one. Resource sets let you specify which directories or files will either be encrypted with the key or will be excluded from encryption with this key.
Transformation Key Name	Click Select to choose an existing key or to create a new one. CTE uses the key specified in this field to encrypt the data in the GuardPoint. If the data is currently encrypted, CTE decrypts it using the key specified in the Current Key Name field and re-encrypts it using the key specified in this field. For this example, select the key Simple-Key you created in Create an Encryption Key.

When you are done, click Next.

Click Next.
On the confirmation page, review the information for the policy and click Save.

Create a GuardPoint

Caveats

You cannot have a symlink reside inside of a GuardPoint that is pointing to another location in that same GuardPoint
You cannot have a symlink reside inside of a GuardPoint that points to the root of that same GuardPoint

Prerequisites

Stop all applications that are accessing the device you want to protect. In this example, we are going to protect the following directories with the same policy and encryption key.
- C:\HR Files\
- C:\Accounting Files\
- C:\Shared Resources\HR\
- C:\Shared Resources\Accounting\
If you want to encrypt data without taking the device offline, you must use CipherTrust Transparent Encryption - Live Data Transformation.

Procedure

In the Applications page of the CipherTrust Manager Console, select the CTE application.
In the Clients table, click on the name of the client you want to protect.
Above the GuardPoints table, click Create GuardPoint.
In the Create GuardPoint page:
1. In the Policy field, select the policy you created earlier.
2. In the Type field, select the type of device. You can guard a directory or a raw/block device. For this example, select Auto Directory.
3. In the Path field, enter the directories you want to protect with this policy or click Browse to select them from a explorer window.
  
  If you want to enter multiple paths, put each path on its own line. For example:
4. Click Create.
5. If you want to use the same policy and GuardPoint type on another path, click Yes when prompted. Otherwise, click No. For this example, click No.
The CTE clients pull the GuardPoint configuration information from the CipherTrust Manager.
Type the following to transform the data:
```
 dataxform --rekey --print_stat --preserve_modified_time --gp <pathToGP>
```
When the data transformation has finished, applications can resume accessing the now-protected data. (See the CTE Data Transformation Guide for more information.)

Creating Ransomware Protection GuardPoints

Steps to create GuardPoints on individual clients and client groups are similar. GuardPoints can be created on the GuardPoints tab of individual clients and client groups.

To create an RWP GuardPoint:

Open the Transparent Encryption application.
Select the client or client group on which you want to create a GuardPoint.
- Click an RWP-enabled client under the Client Name column (Clients > Clients). These are the clients with RWP or CTE RWP as Protection Mode.
- Click a client group under the Client Group Name column (Clients > Client Groups).
On the GuardPoints tab, click Create GuardPoint.

When creating an RWP GuardPoint, (for volumes, without encryption) you do not need to specify a CTE policy. So, for clients with the RWP protection mode, the Policy field is unavailable.

On clients with the CTE RWP protection mode, (for GuardPoint, with encryption), you can create RWP GuardPoints as well as other types of GuardPoints with policies. So, the Policy field is available for such clients. Although the field is available, do not select any policy when creating an RWP GuardPoint.

Refer to Protection Modes for information on CTE protection modes.
(For clients with the CTE RWP protection mode) Select Ransomware Protection as the Type of device to protect. This is a mandatory field.

For clients with the RWP protection mode, Ransomware Protection is the default Type and cannot be modified.
Specify the Path (volume or network share) to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
- Enter/Browse Path: Select this option, and enter the volume path (for example, C:\, or D:\, or shared volume) by either typing or clicking the Browse button.
  Note
  - Ransomware Protection GuardPoints are applied at the volume level. Even if you specify the path of a folder or a file, the GuardPoint will be applied at the volume level.
  - If you specify a network share, all the network shares to be mounted subsequently will be protected.
  - A CTE client administrator can configure protection of all existing volumes and mount points, and those to be added to the client subsequently. Refer to the CTE Agent for Windows Advanced Configuration Guide for details.
  A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
  
  Browse Method
  1. Click Browse to select the volume by browsing the client file system. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
    
    File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
  2. In the Enter Path field, specify the volume path. Alternatively, in the Select Path field, select the path from the on-screen file system browser, and click Select Path.
  3. Click Add.
  Manual Method
  
  Alternatively, if you know the volume, manually enter volume in the given text box. Enter one volume per line.
- Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more paths. This is the recommended method to specify a large number of paths in one step.
If a manually entered path does not yet exist, check that you entered the path correctly. The CipherTrust Manager does not parse manually entered paths for correct syntax.
Click Create. A message appears prompting to confirm the reuse of these GuardPoint settings on another path.
- Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
  1. In the Enter Path field, specify the path. Alternatively, in the Select Path field, select the path from the on-screen file system browser, and click Select Path.
  2. Click Add Path. The newly added path appears under the Paths list on the left. Similarly, add as many paths as required.
  3. Click OK.
- Click No if you do not want to use the same settings on another path.
Check the GuardPoint status, type:
```
secfsd -status guard
```

Setting Sensitivity

To get the best results for sensitivity:

Initially, set the operation mode to Monitor when you create your Ransomware Protection profile. Monitor mode sets the sensitivity to a lower score.
Monitoring mode will generate a list of many false positive results. Add the false positives entries to your process set to exempt them from monitoring.
When false positives are no longer reported, set the operation mode to Block, to block the relevant suspicious behaviors.

Suggest A Change

Guarding a Device with CipherTrust Manager

Access the CipherTrust Manager Domain

Create an Encryption Key

Create a Standard Policy

Create a GuardPoint

Caveats

Prerequisites

Procedure

Creating Ransomware Protection GuardPoints

Setting Sensitivity

On this page