Release Note for CTE v7.7.0 for Windows
Release Note | Date |
---|---|
v7.7.0.87 | 2024-12-17 |
This release of CipherTrust Transparent Encryption for Windows adds new features, fixes known defects and addresses known vulnerabilities.
New Features and Enhancements
Ransomware Protection for Windows Volume Shadow Copies
CipherTrust Transparent Encryption Ransomware Protection now detects and prevents deletion of Windows Volume Shadow Copies. The Volume Shadow Copy service is a built-in Windows feature that allows for the creation of backup snapshots of computer files or disks, and often facilitates other commercial backup solutions. Most ransomware threats try to delete the volume shadow copies in order to prevent a healthy recovery from a ransomware attack. Starting from CTE 7.7.0, deletion of volume shadow copies is prevented if CTE flags the presence of one or more malicious processes on the system.
Ransomware Protection for remote processes accessing exported NAS shares
CipherTrust Transparent Encryption Ransomware Protection can now protect systems against attacks from remote processes. In this scenario, a malicious process runs on a remote system where CTE is not installed and accesses data that is exported from a CTE GuardPoint. CTE Ransomware Protection can detect these attacks and actively prevent them from encrypting sensitive data.
Specify directory-process combinations in Trusted Process Exception list
Starting from CTE 7.7.0, users can exclude specific directory-process combinations from Ransomware detection and protection. The Process set now also allows for inclusion of Signature sets so that the processes can be exempted from Ransomware Protection.
Users can create trusted process-directory combinations, include signature sets, and exclude these directories and processes from Ransomware Protection monitoring.
- See Adding Trusted Processes in the Ransomware Protection policy (Windows) for more information.
Manually Designate a Preferred Primary node in an LDT GuardPoint Group
You can now manually designate a preferred primary node. This feature is supported with:
- See Managing Designated Primary Set for more information.
CipherTrust Data Security Platform Services (CDSPaaS) Support
Support added for CipherTrust Data Security Platform Services (CDSPaaS) as a key manager.
Ability to enable LDT AccessOnly on Windows CTE clients after registration
Starting from CTE 7.7.0, users can enable the AccessOnly feature from the client UI in CipherTrust Manager, if not enabled during CTE client registration. Previously, users had to re-register to enable this feature if it was not enabled during initial registration.
Updated LDT limitations
- See Restrictions for more information.
Resolved Issues
-
AGT-49888 [CS1507982]: Unable to access files when Sybfilter driver is installed with CTE
This issue was due to an interoperability issue between the Sybfilter driver and CTE. The Sybfilter driver was not aware of the CTE mount point operations and the presence of a mount point.
When the CTE driver performs mount point operations, it informs all other drivers about the presence of a mount point. This fix is enabled using a registry key. Locate the registry DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmlfs\Parameters\ReparseOnCompletion and set it to 1.
-
AGT-52239: [CS1532420] Unable to register CTE with CipherTrust Manager when entire description is numeric
When registering a Windows 7.5.0.78 client, if the user used numeric values in the description, the registration failed. This has been fixed.
-
AGT-57784: User cannot retrieve the fingerprint information from etray: "Unable to display certificate info"
The 'view fingerprints' option in the Windows etray is not available on a Windows client when registered to a CipherTrust Manager. This option is only available for DSM. The option has been removed when used with CipherTrust Manager.
-
AGT-58683: Ransomware Protection alert is generated for exempted process set
Ransomware Protection alerts were generated for exempted processes after the system was rebooted. This issue has been fixed.
-
AGT-61226 | AGT-61391 [CS1567089]: Windows server becoming unresponsive if compressed or extended attribute is set on a process inside a GuardPoint
This is an interoperability issue between CTE and NTFS compression and the extended attribute (EA). CTE driver now detects if the file is compressed or contains an EA attribute, and adjusts the file locking accordingly.
The fix can be applied by setting the CompressedEASpecialHandling parameter registry value to 1. The parameter is located at: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmlfs\Parameters
-
AGT-61322 [CS1579420] Windows Server crashed when system is Guarded with LDT policy
This is an intermittent issue that occurs when IV is read from the system. CTE drivers have improved the locking function to handle this specific scenario.
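The two registry-enabled fixes above (AGT-49888 and AGT-61226 | AGT-61391) can be audited and switched on as follows. This is an added PowerShell example, not vendor code or part of the original release note. The key path and value names come from the note; the function names are hypothetical, and treating CompressedEASpecialHandling as a DWORD is an assumption (the note names the type only for ReparseOnCompletion).

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
# Key path and value names are from the release note; function names are hypothetical.
$CteParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\vmlfs\Parameters'
$CteOptInFixes = [ordered]@{
    ReparseOnCompletion         = 'AGT-49888'
    CompressedEASpecialHandling = 'AGT-61226 | AGT-61391'   # DWORD type is assumed
}

function Get-CteOptInFixState {
    # Report each opt-in value without changing anything.
    if (-not (Test-Path -LiteralPath $CteParametersKey)) {
        throw "Registry key not found: $CteParametersKey"
    }
    $key = Get-Item -LiteralPath $CteParametersKey
    foreach ($fix in $CteOptInFixes.GetEnumerator()) {
        $value = $key.GetValue($fix.Key, $null)          # $null when the value is absent
        $kind  = if ($null -ne $value) { $key.GetValueKind($fix.Key) } else { $null }
        [pscustomobject]@{
            Issue   = $fix.Value
            Name    = $fix.Key
            Value   = $value
            Kind    = $kind
            Enabled = ($kind -eq 'DWord' -and $value -eq 1)
        }
    }
}

function Enable-CteOptInFix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ReparseOnCompletion', 'CompressedEASpecialHandling')]
        [string]$Name
    )
    $state = Get-CteOptInFixState | Where-Object Name -eq $Name
    if ($state.Enabled) { return $state }                # already set, nothing to write
    if ($PSCmdlet.ShouldProcess("$CteParametersKey\$Name", 'Set DWORD value to 1')) {
        # -Force also replaces an existing value that has the wrong type
        New-ItemProperty -LiteralPath $CteParametersKey -Name $Name `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-CteOptInFixState | Where-Object Name -eq $Name
}

# Audit first; enable only the fix for the issue that affects this host.
Get-CteOptInFixState | Format-Table -AutoSize
# Enable-CteOptInFix -Name ReparseOnCompletion -WhatIf
```

The release note does not say whether a reboot or driver restart is required for the new values to take effect.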
Known Issues
-
AGT-36370: The vorvmd.log reports an error message when guarding LDT over CIFS GuardPoint
This error message displays when the CTE agent is in the process of authenticating the user. This error can be safely ignored.
-
AGT-39189 | AGT-55063: CTE failed to unguard after changing to incorrect CIFS credentials
If a user has a CIFS guarded path, and tries to access it with invalid credentials, the unguard request fails. After this, if the user switches to valid credentials, the unguard request still fails because CTE agent is unable to access the CIFS share to update the credentials.
Work-around
To successfully guard/unguard a CIFS path, use valid credentials.
-
AGT-39190: File modified time does not change after rekey for excluded files
This is a limitation with the current CTE agent. This is due to the Windows Redirected Drive Buffering Subsystem (rdbss) limitation.
-
AGT-48196: Microsoft DPM recovery creation failed when creating an incremental backup recovery point
Work-around
Perform a complete backup. Do not perform an incremental backup.
-
AGT-48580: gzip files in a directory can be mistakenly identified as ransomware by Ransomware Protection
Some compression algorithms have a high entropy value, and zip or unzip activity that occurs within a ransomware GuardPoint is intermittently identified as ransomware.
Work-around
Add the zip/gzip/winzip programs to the Ransomware Protection process exemption list in the CipherTrust Manager.
-
AGT-48862: Unguard process fails if CTE secfsd service is down
The secfsd service is a critical CTE service. If this service is down, certain CTE features may not work as intended.
Work-around
Manually restart the secfsd service in the service manager.
-
AGT-58577: Issues and limitations for Multifactor Authentication and Ransomware Protection co-existence
Multifactor Authentication is not yet supported for a GuardPoint with Ransomware Protection with a CTE Agent.
-
AGT-61138: When applying a GuardPoint on the UNC (Universal Naming Convention) name instead of a Local drive, files display as cipher-text format when accessing using local drive
The user must apply the GuardPoint on the local drive. If the user decides to apply the GuardPoint on the UNC path, the user must use the UNC path to access the data. Do not view the data through the local Windows Explorer path.
-
AGT-61679 [CS1581483]: The Apache service does not start when launched within a GuardPoint
This issue is an interoperability issue between CTE and Windows Defender.
Work-around
Create an exclusion rule for Windows Defender that will exclude the Apache2.4 directory.
-
AGT-61846: In a Windows Access Only node with LDT over CIFS, the Access-Only Node becomes inactive after agent is rebooted
CipherTrust Manager fails to push the CIFS credentials to the Access-Only node. This issue will be fixed in the upcoming CipherTrust Manager release.
Work-around
Unguard all affected clients and then re-guard them on CipherTrust Manager.
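Known issue AGT-48580 notes that compressed data has a high entropy value. The following added PowerShell example, which is not part of the original release note or CTE's code, measures Shannon entropy in bits per byte for constructed text, its gzip output and random bytes. The sample data and function names are hypothetical, and the release note does not describe how CTE's detection logic actually works.

```powershell
# Added example: byte entropy of plain, gzip-compressed and random data.
function Get-ByteEntropy {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'long[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }             # histogram of byte values
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)          # Shannon entropy, base 2
        }
    }
    [Math]::Round($entropy, 3)                           # 8.0 is the maximum for bytes
}

function ConvertTo-GZipBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $buffer = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GZipStream(
        $buffer, [System.IO.Compression.CompressionMode]::Compress)
    $gzip.Write($Bytes, 0, $Bytes.Length)
    $gzip.Dispose()                                      # flushes the gzip trailer
    , $buffer.ToArray()                                  # leading comma keeps byte[] intact
}

# Constructed sample: log-like text from a fixed seed so runs are repeatable.
$rng = New-Object System.Random 7
$text = New-Object System.Text.StringBuilder
foreach ($i in 1..5000) {
    $line = '2024-12-17 10:{0:00}:{1:00} user{2} opened report_{3}.docx' -f `
        $rng.Next(60), $rng.Next(60), $rng.Next(500), $rng.Next(100000)
    [void]$text.AppendLine($line)
}
$plain  = [Text.Encoding]::UTF8.GetBytes($text.ToString())
$gzip   = ConvertTo-GZipBytes $plain
$random = New-Object byte[] $plain.Length                # stand-in for ciphertext
$rng.NextBytes($random)

# Text scores well below the 8-bit ceiling; gzip output and random bytes both
# sit close to it, so byte entropy alone cannot separate them.
@(
    [pscustomobject]@{ Sample = 'plain text';   Bytes = $plain.Length;  BitsPerByte = (Get-ByteEntropy $plain) }
    [pscustomobject]@{ Sample = 'gzip output';  Bytes = $gzip.Length;   BitsPerByte = (Get-ByteEntropy $gzip) }
    [pscustomobject]@{ Sample = 'random bytes'; Bytes = $random.Length; BitsPerByte = (Get-ByteEntropy $random) }
) | Format-Table -AutoSize
```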