Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Windows Patch Notes for CTE v7.8.0

Windows Patch Notes for CTE v7.8.0.131

search

Please Note:

Windows Patch Notes for CTE v7.8.0.131

CTE version Date Version
v7.8.0.131 2025-12-03 v1

Resolved Issues

  • AGT-65707 [CS1616678]: Disparity seen between the number of active GuardPoints on CipherTrust Manager and the CTE client

    AFFECTED VERSIONS: 7.7.0.87 — 7.8.0.131

    The issue occurred due to the partial status updates feature. This feature allows the CTE client to only push status changes for GuardPoints where the status has changed since the last status push. This allows for very large configurations to not require very large status updates when only a small number of GuardPoints have changed state. CipherTrust Manager does not change the status for all of the other GuardPoints.

    The issue occurs when there are errors during the status updates from CTE to CipherTrust Manager. These errors can occur for a number of reasons, such as transient excessive loads, network glitches, etc. The CTE client continues to push status updates after such errors, but as the status may have changed since the last attempt, CTE was only including GuardPoint changes since that last failed attempt. Changes that occurred prior to the failure were thought to be already known to the CipherTrust Manager. These older updates were therefore lost and this caused the disparity. This has been fixed.

  • AGT-66341 [CS1619892]: 50% Disk Write Latency on GuardPoints using DiskSpd.exe vs Non-Guarded directories

    AFFECTED VERSIONS: 7.6.0-132 — 7.8.0.131

    The issue was caused by the CTE legacy driver deferring the processing of write I/O operations. This has been fixed. The CTE legacy driver now processes them immediately when you execute the following command:

    vmsec cmd -c set_enc_thread_algo=640

  • AGT-66626 [CS1604122]: Effective User ID displaying as Computer Name causing Access Denied on GuardPoints

    AFFECTED VERSIONS: 7.7.0.87 — 7.8.0.131

    The CTE Windows driver was denying access for FAST IO reads when it should have granted access. CTE now performs access checks when files open, so that the file cannot be opened if the user/process is denied per CTE policy.

  • AGT-67227 [CS2202496]: Unable to access Word/Excel files that reside in a guarded directory containing special characters

    AFFECTED VERSIONS: 7.7.0.87 — 7.8.0.131

    The issue occurred because users were unable to access files, over the network, from the client VM, when the files were stored in a protected folder whose name contained special characters. File access failed because CTE was not correctly recognizing folder names that included special, or accented, characters. This issue has been fixed. CTE now correctly identifies and processes directories containing special or extended characters.

  • AGT-68514 [CS2228624]: Database corruption found with unencrypted data in the first 1-2 MB range

    AFFECTED VERSIONS: 7.3.0.135 — 7.8.0.131

    The LDT for Windows recovery for a range that was not completely rekeyed did not enforce that both keys were in memory before performing the recovery. In rare scenarios, where the previous/current key pair is in memory, but the new key ID is not, LDT would not encrypt the range to the new key. This left that range in clear-text on the disk. LDT has now been enhanced to require that both keys are available in memory before performing any range recovery during the next access of that file. If both keys are not in memory, and a range does not need to be recovered, access to the file will be denied until both keys are in memory.

Known Issues

  • AGT-36370: The vorvmd.log reports an error message, Not guarding path when guarding LDT over CIFS GuardPoint

    AFFECTED VERSIONS: N/A

    This error message displays when the CTE agent is in the process of authenticating the user. This error can be safely ignored.

  • AGT-39189 | AGT-55063: CTE failed to unguard after changing to incorrect CIFS credentials

    AFFECTED VERSIONS: All

    If a user has a CIFS guarded path, and tries to access it with invalid credentials, the unguard request fails. After this, if the user switches to valid credentials, the unguard request still fails because CTE agent is unable to access the CIFS share to update the credentials.

    Work-around

    To successfully guard/unguard a CIFS path, use valid credentials.

  • AGT-39190: File modified time does not change after rekey for excluded files

    AFFECTED VERSIONS: 7.7.0 — 7.8.0.131

    This is a limitation with the current CTE agent. This is due to the Windows Redirected Drive Buffering Subsystem (rdbss) limitation.

  • AGT-48196: Microsoft DPM recovery creation failed when creating an incremental backup recovery point

    AFFECTED VERSIONS: 7.5.0 — 7.8.0.131

    Work-around

    Perform a complete backup. Do not perform an incremental backup.

  • AGT-48580: The gzip files in a directory can be mistakenly identified as ransomware by Ransomware Protection

    AFFECTED VERSIONS: 7.5.0 — 7.8.0.131

    Some compression algorithms haves high entropy value and intermittently, zip or unzip activity that occurs on files that already themselves have high entropy, within a Ransomware Protection GuardPoint, is mistakenly identified as ransomware.

    Work-around

    Add the zip/gzip/winzip programs to the Ransomware Protection process exemption list in the CipherTrust Manager.

  • AGT-48862: Unguard process fails if CTE secfsd service is down

    AFFECTED VERSIONS: 7.5.0 — 7.8.0.131

    The secfsd service is a critical CTE service. If this service is down, certain CTE features may not work as intended.

    Work-around

    Manually restart the secfsd service in the service manager.

  • AGT-58577: Issues and limitations for Multifactor Authentication and Ransomware Protection co-existence

    AFFECTED VERSIONS: 7.7.0 — 7.8.0.131

    Multifactor Authentication is not yet supported for a GuardPoint with Ransomware Protection with a CTE Agent.

  • AGT-61138: When applying a GuardPoint on the UNC (Universal Naming Convention) name instead of a Local drive, files display as cipher-text format when accessing using local drive

    AFFECTED VERSIONS: 7.7.0 — 7.8.0.131

    User must apply GuardPoint on the local drive. If the user decides to apply the GuardPoint on the UNC path, user must use the UNC path to access the data. Do not view through the local Windows explorer path.

  • AGT-64352: No Audit logs generated for same resource set on Standard Policy vs FAM policy

    AFFECTED VERSIONS: 7.7.0 — 7.8.0.131

    In FAM, no audit logs are generated with a FAM policy having a resource set matching the designated pattern.

  • AGT-64711: Data transformation is failing in case of existing data in OneDrive using dataxform

    AFFECTED VERSIONS: 7.7.0 — 7.8.0.131

    For OneDrive v23.066 and subsequent versions, Microsoft made a change to their software. Users can no longer disable the Files On-Demand feature. Disabling this feature is required for the CTE driver. As a result, the CTE driver can only support using a standard policy and Data Transformation with previous versions of OneDrive v23.066. For OneDrive v23.066 and subsequent versions, the CTE driver supports using a standard policy. It does not support using Data Transformation.

  • AGT-64971: Unable to delete GuardPoint inside a Ransomware protected volume, when simulating a ransomware attack when a process is marked as malicious by RWP

    AFFECTED VERSIONS: 7.8.0.131

    GuardPoint is not being removed from the directory. On CipherTrust Manager it displays that it's in the processing state.

    Work-around

    Reboot the agent.

  • AGT-65156 [CS1621581]: CTE fails to Sync with Dropbox on Windows

    CTE supports DropBox for standard and LDT policies. However, there is a conflict that occurs if CrowdStrike is installed on the same system. This issue prevents the download and synchronization of files to the guarded dropbox folder.

    AFFECTED VERSIONS: 7.6.0.56 - 7.8.0.121

    Fixed Versions: 7.8.0.131

    Workaround

    1. Wait until DropBox has fully started.

    2. Press CTRL-click on the DropBox icon on the task bar.

    3. Select to exit DropBox.

    4. Restart the DropBox client in the c:\Program files (x86) DropBox subfolder. Synchronization should then be successful and continue to be successful until logging off and the next log in.

  • AGT-65794: CTE/FAM duplicate audit logs generated for single action

    AFFECTED VERSIONS: 7.8.0.131

    For CTE protected paths, there can be multiple FAM audit logs generated for a single I/O operation.

  • AGT-66386: Not able to access CIFS file from a Windows AccessOnly node after key rotation

    AFFECTED VERSIONS: 7.8.0.77 — 7.8.0.131

    If a file on a CIFS share is accessed from a Windows AccessOnly node immediately following the initial LDT transformation operation, and then a subsequent rekey is performed, the file is no longer be accessible on the Windows AccessOnly Node.

    Workaround

    Reboot the Windows AccessOnly node.

  • AGT-68296 [CS2206591]: LDT encryption failed to create metadata error

    AFFECTED VERSIONS: 7.8.0.79 — 7.8.0.131

    If you use Windows quotas, which allow you to limit the amount of storage space a user account can use on a drive, you may not be allowing enough space for LDT. LDT uses an extra 4K per file for an LDT policy. If the extra space is not considered, and the space permitted by quotas is exceeded in a directory, then LDT may not be able to transform files or rekey those files later. LDT also requires space for temporary recovery metadata that exists during transform or rekey of a file. If the file metadata exists, but the recovery metadata cannot be created and written to, then rekey of that file fails.

    Workaround

    When setting quotas, ensure that you allocate enough space for LDT transformation, rekeying, and recovery of metadata.

On this page