Endpoint Encryption


How do I turn off efail protection on 10.4.2 HF1 or higher?

  • 1.  How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Jun 07, 2019 12:48 PM

    I recently downloaded the latest version of Endpoint Encryption and now I can’t decrypt files using a key. All I use this software for is encrypting and decrypting files sent between customers and myself. My customers are on an earlier version of Endpoint and I don't want to force them to upgrade because they’ll have the same problem with their other vendors that I am having with them. From the reading I’ve done on the Symantec website (https://support.symantec.com/en_US/article.TECH252997.html, https://support.symantec.com/en_US/article.TECH253087.html) it seems the solution to my problem is turning off efail protection. How do I do this?



  • 2.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Jun 09, 2019 04:21 PM

    Have you checked these out?

    https://support.symantec.com/en_US/article.TECH179808.html

    https://support.symantec.com/en_US/article.HOWTO60713.html

    Thanks!

     



  • 3.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Jun 13, 2019 01:32 PM

    These articles pertain to email encryption; I am looking for file zip encryption and decryption.



  • 4.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?
    Best Answer

    Posted Jun 19, 2019 09:48 AM

    According to those articles you linked, turning off EFAIL protection requires contacting Tech Support:

    "In Symantec Encryption Desktop HF1 or above, additional options have been made available to allow these PGP zips to be decrypted that used the deprecated SE Packets.  Using these options will allow the SE packet Integrity Protection to be bypassed, which will disable the effectiveness of the security features we put in place to protect you from the Efail vulnerability.

    If your organization understands these risks, and still needs to have access to those older PGP zip files, please contact Technical Support, and ask that your case be advanced to Backline (Tier 2) support for assistance in setting these options."

    Your alternative is to ask your customer to upgrade their keys to v4 keys, and to use the AES cipher with the Modification Detection flag set.  That should then produce encrypted files using their older version of PGP, that can be decrypted by 10.4.2 HF1 or later.

    #EDIT#

    It's worth noting that as older versions of PGP are fully capable of producing efail protection compliant ZIPs, that they should also be capable of decrypting them.  This suggests there wouldn't be any backwards compatibility issues (i.e. a PGP client running a version prior to 10.4.2 HF1, should be able to decrypt a file produced by 10.4.2 HF1 and later).
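
The answer above turns on whether a file uses the deprecated SE packet or an integrity-protected one, and that is visible in the file's packet headers. The following is an added example, not from the thread or from Symantec: it walks the RFC 4880 packet headers of a binary OpenPGP file and reports whether the payload is a Symmetrically Encrypted Data packet (tag 9) or the integrity-protected kind with Modification Detection (tag 18). The sample byte strings are constructed, and the function names are hypothetical.

```python
import struct

# Constructed samples (headers only, zeroed bodies), not real ciphertext:
# old-format PKESK (tag 1) followed by an old-format SE packet (tag 9) ...
LEGACY_SAMPLE = bytes([0x84, 3, 0, 0, 0, 0xA4, 4, 0, 0, 0, 0])
# ... and new-format PKESK followed by SEIPD (tag 18) with a partial length.
MODERN_SAMPLE = bytes([0xC1, 3, 0, 0, 0, 0xD2, 0xE1, 0, 0, 3, 0, 0, 0])

def _new_length(data, pos):
    """Decode one new-format length: (body_len, next_pos, is_partial)."""
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True    # partial body chunk

def packet_tags(data):
    """Return the top-level packet tags of a binary (de-armored) message."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"no OpenPGP packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:                         # new-format header
            tags.append(hdr & 0x3F)
            partial = True
            while partial and pos < len(data): # skip each partial chunk
                length, pos, partial = _new_length(data, pos)
                pos += length
        else:                                  # old-format header
            tags.append((hdr >> 2) & 0x0F)
            ltype = hdr & 0x03
            if ltype == 3:                     # indeterminate: runs to EOF
                break
            size = (1, 2, 4)[ltype]
            pos += size + int.from_bytes(data[pos:pos + size], "big")
    return tags

def classify(data):
    """'SEIPD' = integrity protected, 'SE' = legacy packet, else 'none'."""
    tags = packet_tags(data)
    if 18 in tags:
        return "SEIPD"
    return "SE" if 9 in tags else "none"

if __name__ == "__main__":
    for name, blob in (("legacy", LEGACY_SAMPLE), ("modern", MODERN_SAMPLE)):
        print(name, packet_tags(blob), classify(blob))
```

Feed it the raw bytes of a received file (`open(path, "rb").read()`); an ASCII-armored file has to be de-armored first. A result of `SE` identifies a file whose sender needs to change their cipher settings as described in the answer above.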



  • 5.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Aug 24, 2019 06:09 PM

    Is there a reason the workaround is not simply published here in the forum?  I'm having this same issue. 



  • 6.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Nov 01, 2019 10:46 AM

    Same here. Why does this require a support agreement to get this information? Does anyone have any information they can post about how to disable this?



  • 7.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Nov 02, 2019 01:27 PM

    Agreed.  I used to think highly of Symantec, but now wouldn't use them at all because of this way they're treating their users.



  • 8.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Nov 21, 2019 10:07 AM

    Can Symantec put an answer here? Because we also have this issue in our environment.



  • 9.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?
    Best Answer

    Posted Nov 21, 2019 02:57 PM

    Connect is community-based and not staffed by Symantec employees for the most part. You would probably need a support call to be raised and resolved and then post here.

    Otherwise reach out to the community admin.

    Thanks!



  • 10.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Sep 02, 2021 10:44 PM

    Can somebody with support actually get instructions on how to disable EFAIL blocks, and post them here?

    Broadcom is refusing to tell people with expired service agreements how to make their existing product work with certain emails.

    And I must say that I am not inclined to spend money on purchasing from them again if this is how they treat customers :(




  • 11.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Broadcom Employee
    Posted Sep 07, 2021 09:19 AM
    Hi @Jeppe Oland,
    We are sorry, but we cannot post this information in the public forum, but if you submit a support case with our team, we would be happy to assist you!

    https://knowledge.broadcom.com/external/article/209191/logging-a-support-case-for-symantec-endp.html



    ------------------------------
    Global Support Lead, Encryption
    BRCM
    ------------------------------



  • 12.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Sep 07, 2021 01:20 PM
    > We are sorry, but we cannot post this information in the public forum, but if you submit a support case with our team,
    > we would be happy to assist you!

    No I can't - that is exactly the problem.
    I don't have a current support contract (it expired last year), and your support people won't even talk to us if we don't have one.

    So I am now an owner of a product that no longer works for about half my messages, that DOES in fact seem to have an option to fix it, but that I can't turn on because you guys won't document it publicly.

    What am I supposed to do?


  • 13.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Broadcom Employee
    Posted Sep 14, 2021 01:47 PM
    Hi @Jeppe Oland,
    I understand the predicament--we still can't post the information related to this as it is a security configuration and we do all that through our support organization.

    Alternatively, you can renew the support contract and then we could help you, which is really what we recommend so that we can help you troubleshoot and also provide the latest versions of the software.

    Failing that, you can uninstall the client that you have and install the older client, which will effectively remove this security configuration.  SED clients 10.4.2 GA and older will not have this.

    Let us know if the above will work for you, but we are not allowed to post anything related to security items in a forum, it's just not the best place to do it to protect the community.


    ------------------------------
    Global Support Lead, Encryption
    BRCM
    ------------------------------



  • 14.  RE: How do I turn off efail protection on 10.4.2 HF1 or higher?

    Posted Sep 14, 2021 02:06 PM
    Hi @Dallin Fyffe,

    I can sort of understand that, and would agree if you guys didn't make it so hard to do anything.
    In my case, I probably could go back to 10.4.2 (unless there was some fix in the 10.5 line I would suffer from).
    But I don't have the installer, and as far as I can tell, Broadcom doesn't even make the installers available.
    Even *with* a support contract, it's painful to get support (Corporate buys it, so I don't necessarily have the company entitlement ID - and even when it *was* still valid, I had to jump through hoops to just get updated versions).
    I can understand not wanting to expose the community at large to the risk of these settings - except your recommendation is to go back to an old version that is *just* as vulnerable.
    I guess I am stuck...