Specifications

Endpoint Encryption for Files and Folders Policy Settings | 47
The main purpose of process blocking is to prevent encrypted data from being
unintentionally exposed in plaintext by an application that circumvents the Endpoint
Encryption for Files and Folders encryption engine. One example is preventing
encrypted data from being uploaded to external FTP sites: by blocking the FTP
process, the user cannot upload the data in plaintext to an FTP server.
This feature is not intended as a way to share encrypted data via web-mail or the Internet, for
example. The Blocked Processes feature is not designed for such usage, because the file
name of encrypted files changes. The CE 3 design does not allow any user mode
application interaction with blocked processes.
Consider the process exemption feature as a prevention feature, part of the concept
of digital rights management, rather than a way for users to share encrypted data. For
sharing encrypted files other than via regular file shares or removable media, consider using
the Endpoint Encryption for Files and Folders features of e-mail attachment encryption
or Self-Extractors.
With the blocked processes feature, it is also possible to prevent encrypted data from
being burnt to CD/DVD. By blocking the CD/DVD burning applications, encrypted files
cannot be written to CD/DVD.
Other processes that may be worth blocking are Internet browser applications (e.g.
iexplore.exe) and FTP applications.
CAUTION: Data compression applications like WinZip® must not be set as blocked processes. If blocked,
they will continuously fail to perform compression operations on encrypted data. Likewise, do not set
explorer.exe as a blocked process; also, do not set it as a Key Request Exclusion. See the next section.
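The following is an added example, not code from the product or this manual: a small model of the policy semantics described here and in the next section (blocked processes are always denied; key request exclusions get Access Denied instead of an authentication dialog when no key is loaded; other processes are prompted), plus a validation check for the two cautions above. Process names such as scan.exe and the file list are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PLAINTEXT = "plaintext access"                      # key loaded, process not blocked
    BLOCKED = "access denied (blocked process)"         # listed as blocked, key state irrelevant
    EXCLUDED = "access denied (no key, no dialog)"      # key request exclusion, key not loaded
    PROMPT = "authentication dialog"                    # key not loaded, interactive process


# Taken from the CAUTION in this section: these must never appear in the lists.
NEVER_BLOCK = {"winzip.exe", "explorer.exe"}
NEVER_EXCLUDE = {"explorer.exe"}


@dataclass
class EefPolicy:
    blocked: set = field(default_factory=set)
    key_request_exclusions: set = field(default_factory=set)

    def validate(self) -> list:
        """Return a list of policy entries that contradict the manual's cautions."""
        problems = []
        for p in sorted(self.blocked & NEVER_BLOCK):
            problems.append(f"{p} must not be a blocked process")
        for p in sorted(self.key_request_exclusions & NEVER_EXCLUDE):
            problems.append(f"{p} must not be a key request exclusion")
        return problems

    def decide(self, process: str, key_loaded: bool) -> Decision:
        """Outcome when `process` opens an encrypted file under this policy."""
        p = process.lower()
        if p in self.blocked:
            return Decision.BLOCKED
        if key_loaded:
            return Decision.PLAINTEXT
        if p in self.key_request_exclusions:
            return Decision.EXCLUDED
        return Decision.PROMPT


def simulate_scan(policy: EefPolicy, scanner: str, files, key_loaded: bool):
    """Walk (name, encrypted) pairs as the scanner would; returns (scanned, skipped, stalled).
    stalled=True means an authentication dialog would halt the scan at that file."""
    scanned = skipped = 0
    for _name, encrypted in files:
        outcome = Decision.PLAINTEXT if not encrypted else policy.decide(scanner, key_loaded)
        if outcome is Decision.PROMPT:
            return scanned, skipped, True            # nobody at the desk to answer the dialog
        if outcome is Decision.PLAINTEXT:
            scanned += 1
        else:
            skipped += 1                             # Access Denied: file left unscanned
    return scanned, skipped, False
```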
Key Request Exclusions
Assume a user is working with encrypted data on the PC. All keys are loaded, so
encrypted data can be accessed transparently. The user then takes a lunch break at
11.30 a.m. and closes the keys manually (or the keys may unload because the workstation
locks, for example). Now, the user's antivirus software is set to start a
system scan each day at 11.50 a.m. When the antivirus reaches the first encrypted file, it cannot
access the file since the encryption key is not loaded. Hence, an authentication dialog
will be presented to the user, who cannot do anything as he/she is at lunch.
Consequently, the entire virus scanning process will stop until the user is back at the
desk and can authenticate properly.
The Key Request Exclusion option exists to avoid scenarios like the one described
above. By listing processes that shall automatically get an Access Denied message if
keys are not available, the situation above is avoided and the user will
return from lunch to find the daily virus scanning process properly finished. Of course,
the encrypted files have not been scanned, but at least the virus scanning process