Windows Patch Notes for CTE v7.7.0
| Patch Information | |
|---|---|
| Release | v7.7.0.104 |
| Date | 2025-07-16 |
| Document version | 2 |
Addendum
A driver stability issue has been identified in one of the CTE agent drivers. This problem arises when flushing ‘dirty’ memory pages for very large files (exceeding 1TB) that are protected under GuardPoints, potentially leading to system instability. This stability issue is limited to very specific conditions and only affects certain configurations.
Affected Versions: This issue was introduced in CTE v7.6.0.xxx.
Solution: This stability issue is fixed in CTE v7.7.0.111 and subsequent versions. Thales strongly advises all CTE customers using CTE versions prior to CTE v7.7.0.111 to upgrade.
Resolved Issues
- AGT-61694 [CS1583480]: Robocopy fails with "Invalid access to memory location" when accessing Windows share guarded with a local LDT policy
  AFFECTED VERSIONS: 7.6.0.87 - 7.7.0.87
  A file that was open in the CTE driver was failing because of an extra flag set by Windows Server 2012 R2, which is not compatible with existing checks in the code. This has been fixed.
  To avoid this issue, in the registry file:
  - Navigate to: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmlfs\`
  - Create a new Parameter key.
  - Navigate to: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmlfs\Parameters`
  - Create a DWORD, name it `DisableFlagExclusiveFlag`, set the value to 1.
- AGT-61846: In a Windows Access Only node with LDT over CIFS, the LDT AccessOnly Node becomes inactive after agent is rebooted
  AFFECTED VERSIONS: 7.7.0.87
  CipherTrust Manager failed to push the CIFS credentials to the LDT AccessOnly node on a policy change or key rotation. If no such policy change or key rotation occurs, LDT AccessOnly nodes are free to reboot.
- AGT-62791 [CS1593263]: CTE nodes are crashing on the latest CTE version (7.6.0.132), causing issues with the LDT Communication Group, which cannot recover
  AFFECTED VERSIONS: 7.6.0.87 - 7.7.0.87
  LDT over CIFS locking code, on the secondary agent, was accessing and decrementing a reference count on a lock after a method it called decided to apply `vm_free` to that lock. Therefore, if another thread on the system had since allocated that same memory, the reference count decrement corrupted that thread's memory. The fix was to recognize that the lock was freed and that there was therefore no need to decrement the reference count.
- AGT-62934 [CS1569355]: Failed to renew external client certs with `error vmshare_update_rest_certs: rc = 403`
  AFFECTED VERSIONS: 7.6.0.87 - 7.7.0.87
  CTE has been improved to manage a CipherTrust Manager API change which introduced an incompatibility with certificate renewal when using external certificate authorities.
- AGT-62998 [CS1596488]: SQL server crashes after encrypting the database
  AFFECTED VERSIONS: 7.6.0.87 - 7.7.0.87
  There was a 32-bit `DWORD` overflow that occurred after 4 billion IOs on any opened file, which could happen on long-running SQL Server databases. Once the overflow hit, the system would crash. This has been fixed.
- AGT-63090 [CS1594445]: Symlinks do not work when guarding with an LDT policy and running the CTE driver
  AFFECTED VERSIONS: 7.7.0.87
  Symlinks, inside of a GuardPoint, linked to different volumes, were not working with an LDT policy. Such symlinks are not supported by LDT. The solution was to have the CTE driver bypass the symlinks entirely in that scenario.
- AGT-63124 [CS1600001]: Rekey is skipping the ACL (Access Control List) files
  AFFECTED VERSIONS: 7.6.0.87 - 7.7.0.87
  The issue occurred because the file data size was not aligned to the disk sector size. This issue caused LDT to intermittently fail on Windows Server 2016 and subsequent versions. The failure occurred because in some configurations, the Windows APIs failed to write files if the size was not aligned to the sector boundary. The solution was to make the file size grow to the required size when the amount of data is not aligned, and reduce the file size to the actual size.
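
The defect class described under AGT-62791, as an added illustration that is not Thales code: a caller decrements a reference count through a pointer its callee has already freed, after the memory has been handed to a new owner. Every name here is hypothetical; a constructed one-cell pool (`pool_free` standing in for the `vm_free` mentioned above) makes the reuse deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not CTE code. A one-cell pool makes memory reuse
   deterministic, so the stale write is observable without undefined behaviour. */
typedef struct { int32_t refcount; } demo_lock;
static demo_lock cell;      /* the pool's only cell */
static int cell_in_use;
static void *pool_alloc(void) {
    if (cell_in_use) return NULL;
    cell_in_use = 1;
    return memset(&cell, 0, sizeof cell);
}
static void pool_free(void *p) { (void)p; cell_in_use = 0; } /* stands in for vm_free */

/* Callee: frees the lock when the caller holds the last reference; returns 1 if freed. */
static int release_lock(demo_lock *l) {
    if (l->refcount == 1) { pool_free(l); return 1; }
    return 0;
}

/* Simulates another thread allocating in the window right after the free. */
static void other_thread_allocates(void) {
    int32_t owner_data = 100;
    void *p = pool_alloc();        /* NULL while the lock is still live */
    if (p) memcpy(p, &owner_data, sizeof owner_data);
}

static void unlock_buggy(demo_lock *l) {
    release_lock(l);
    other_thread_allocates();
    l->refcount--;                 /* stale pointer if the callee freed l */
}
static void unlock_fixed(demo_lock *l) {
    int freed = release_lock(l);
    other_thread_allocates();
    if (!freed) l->refcount--;     /* freed lock: nothing left to decrement */
}
/* Runs one unlock path; returns the cell's first word (100 = new owner's data intact). */
static int32_t run(void (*unlock)(demo_lock *), int32_t refs) {
    cell_in_use = 0;
    demo_lock *l = pool_alloc();
    l->refcount = refs;
    unlock(l);
    return cell.refcount;
}
int main(void) {
    printf("buggy: %d  fixed: %d\n", (int)run(unlock_buggy, 1), (int)run(unlock_fixed, 1));
}
```

With a starting count of 2 the callee does not free the lock, and both paths decrement it normally.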
Known Issues
- AGT-36370: The vorvmd.log reports an error message, `Not guarding path` when guarding LDT over CIFS GuardPoint
  AFFECTED VERSIONS: N/A
  This error message displays when the CTE agent is in the process of authenticating the user. This error can be safely ignored.
- AGT-39189 | AGT-55063: CTE failed to unguard after changing to incorrect CIFS credentials
  AFFECTED VERSIONS: All
  If a user has a CIFS guarded path, and tries to access it with invalid credentials, the unguard request fails. After this, if the user switches to valid credentials, the unguard request still fails because CTE agent is unable to access the CIFS share to update the credentials.
  Work-around
  To successfully guard/unguard a CIFS path, use valid credentials.
- AGT-39190: File modified time does not change after rekey for excluded files
  AFFECTED VERSIONS: 7.7.0.87
  This is a limitation with the current CTE agent. This is due to the Windows Redirected Drive Buffering Subsystem (rdbss) limitation.
- AGT-48196: Microsoft DPM recovery creation failed when creating an incremental backup recovery point
  AFFECTED VERSIONS: 7.5.0 - 7.7.0.87
  Work-around
  Perform a complete backup. Do not perform an incremental backup.
- AGT-48580: The gzip files in a directory can be mistakenly identified as ransomware by Ransomware Protection
  AFFECTED VERSIONS: 7.5.0 - 7.7.0.87
  Some compression algorithms have a high entropy value, and intermittently, zip or unzip activity on files that already have high entropy themselves, within a Ransomware Protection GuardPoint, is mistakenly identified as ransomware.
  Work-around
  Add the `zip/gzip/winzip` programs to the Ransomware Protection process exemption list in the CipherTrust Manager.
- AGT-48862: Unguard process fails if CTE `secfsd` service is down
  AFFECTED VERSIONS: 7.5.0 - 7.7.0.87
  The `secfsd` service is a critical CTE service. If this service is down, certain CTE features may not work as intended.
  Work-around
  Manually restart the `secfsd` service in the service manager.
- AGT-58577: Issues and limitations for Multifactor Authentication and Ransomware Protection co-existence
  AFFECTED VERSIONS: 7.7.0.87
  Multifactor Authentication is not yet supported for a GuardPoint with Ransomware Protection with a CTE Agent.
- AGT-61138: When applying a GuardPoint on the UNC (Universal Naming Convention) name instead of a local drive, files display in cipher-text format when accessed using the local drive
  AFFECTED VERSIONS: 7.7.0.87
  The user must apply the GuardPoint on the local drive. If the user decides to apply the GuardPoint on the UNC path, the user must use the UNC path to access the data. Do not view through the local Windows explorer path.
- AGT-61679 [CS1581483]: The Apache service does not start when launched within a GuardPoint
  AFFECTED VERSIONS: 7.6.0.87 - 7.7.0.87
  This is an interoperability issue between CTE and Windows Defender.
  Work-around
  Create an exclusion rule for Windows Defender that will exclude the Apache2.4 directory.