Securing Your Endpoints

safend Securing Your Endpoints SAFEND SUPPORT KNOWLEDGE BASE DOCUMENT February 2009


1. Table of Contents

2. Introduction

3. Safend Protector Client
   3.1. Safend Protector Client architecture
   3.2. Support logs
   3.3. Troubleshooting Guidelines
   3.4. Safend Protector Client Support Solutions
      3.4.1. Clients not sending logs back to the Safend Server
      3.4.2. Pointing the installation to the SCC file
      3.4.3. Uninstalling the Safend Protector Client via startup script
      3.4.4. Silent install of a client
      3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client
      3.4.6. Installing the Safend Protector Client by a startup script with elevated privileges
      3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed) Version 3.2, 3.3
      3.4.8. Sonic DLA burning not supported by Safend Protector
      3.4.9. Cleanup utility for the Safend Protector Client
      3.4.10. Using the Registry To Check If A Policy Was Updated
      3.4.11. Client stops sending logs to the server when disabling the sprotector service
      3.4.12. Bubble notifications are not displayed for Safend Protector Events
      3.4.13. Client installation fails instantly with an error message requesting to reboot
      3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands
      3.4.15. Changing the Safend Protector Client installation method
      3.4.16. User or Computer Policy Uninstall Password
      3.4.17. Changing the Safend Protector Balloon Message Display Time
      3.4.18. Installing Safend Protector Client to a Non-Default Folder

4. Safend Protector Management Server
   4.1. Safend Protector Management Server architecture
   4.2. Support logs
   4.3. Troubleshooting Guidelines
   4.4. Safend Protector Management Server Support Solutions
      4.4.1. How to configure the Websense integration
      4.4.2. How to change the synchronization interval between AD and the Management Server
      4.4.3. How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3
      4.4.4. How to use the log restore tool in version 3.2 GA1
      4.4.5. How to obtain and change the base policy in 3.3
      4.4.6. How to manually remove the Management Server and Console
      4.4.7. How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many levels
      4.4.8. Suspension password identified as wrong when entered to the client
      4.4.9. Using the HW fingerprint tool when changing server's hardware
      4.4.10. Time format conflict in the DB
      4.4.11. Upgrade Path from Safend Protector 2.0 to 3.3
      4.4.12. Reducing the Logs Trace Level for the Safend Server
      4.4.13. Alerts on client installation are not received in version 3.3 SP1
      4.4.14. Restoring a server with Content Inspection fails
      4.4.15. Disabling IIS Logs (to prevent accumulation of large log files)
      4.4.16. Role Based access does not function
      4.4.17. When changing the server certificate to an organizational certificate, logs are not sent
      4.4.18. Changing source name when sending Safend alerts to the Event Viewer
      4.4.19. IIS diagnostics tool
      4.4.20. User Permissions for the Safend Server
      4.4.21. Unable to publish a policy and a specific error appears in the Domain Service log

5. Safend DB
   5.1. Safend Protector Client Support Solutions
      5.1.1. Policy not applied due to the small size of the DB column "Groups"
      5.1.2. Restoring missing MySQL index files
      5.1.3. Repairing corrupted MySQL index files
      5.1.4. Changing external DB user, password and authentication method (domain) while connected to Protector
      5.1.5. Replacing the DB which is used by Safend Protector Management Server
      5.1.6. When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved.
      5.1.7. When using MsSQL DB User cannot connect to the server
      5.1.8. When using MsSQL DB the installation cannot create the DB
      5.1.9. When using MsSQL DB performing DB related actions causes console freeze.

6. Safend Protector Management Console
   6.1. Support logs
   6.2. Troubleshooting Guidelines
   6.3. Safend Protector Management Console Solutions
      6.3.1. When trying to log-in to the console, the error message "user is not in the authorized user group" appears
      6.3.2. How to login to the console without entering the password each time
      6.3.3. Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication
      6.3.4. Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder
      6.3.5. When using role based permissions user can't publish policies
      6.3.6. When using role based permissions user can't associate policies
      6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs
      6.3.8. Enabling WMI commands via Safend Protector

7. Safend Auditor
   7.1. Troubleshooting Guidelines
   7.2. Safend Auditor Support Solutions
      7.2.1. Safend Auditor Command Line Parameters
      7.2.2. Enabling Safend Auditor Debugging logs. Note: the logs are cryptic and no one except from a developer with the code in front of him can understand them
      7.2.3. Safend Auditor installation fails with DVOM registration errors
      7.2.4. Opening ports on Windows Firewall for the Safend Auditor
      7.2.5. Auditing a Remote Domain with the Safend Auditor
      7.2.6. There is no response when clicking "View Excel"
      7.2.7. Error received when attempting to view the Excel report of the Auditor scan
      7.2.8. Auditor report with connection time and data transfer
      7.2.9. Local machine cannot be found in Auditor report
      7.2.10. Safend Auditor fails to audit certain remote machines
      7.2.11. Error message received when attempting to view HTML report of Auditor scan
      7.2.12. Safend Auditor Graphic Report Procedure for MS Excel
      7.2.13. The Safend Auditor Scanning Method and Network bandwidth information
      7.2.14. Where is the Auditor key located in the registry?
      7.2.15. The Safend Auditor creates new user profiles on the audited machines
      7.2.16. The Auditor seems not to detect remote devices when working via VPN
      7.2.17. The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to Audit Devices.

8. Safend Reporter
   8.1. Safend Reporter Support Solutions
      8.1.1. Internet Explorer Error message when running any report on Safend server 3.3 SP2
      8.1.2. Required IE settings for Safend reporter

9. Safend Encryptor
   9.1. Safend Encryptor Support Solutions
      9.1.1. Internal hard disk encryption doesn't get applied to the client due to publishing backup compatible policies
      9.1.2. After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine
      9.1.3. In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen

10. Implementation
   10.1. Implementation Support Solutions
      10.1.1. Implementation in non directory environments
      10.1.2. Environment Requirements Estimates for the Safend Protector
      10.1.3. Resolving and Identifying GPO Errors
      10.1.4. Building Protector Policy per Security Group (GPO policy distribution)
      10.1.5. Enabling Verbose logging for GPO installations

2. Introduction

The Support knowledge base document provides common troubleshooting guidelines for Safend products. It also includes support solutions for each Safend component. This document covers the basic knowledge that every certified Safend engineer should have when managing or supporting Safend products. For any further information, feel free to contact us at [email protected]


3. Safend Protector Client

3.1. Safend Protector Client architecture

Safend Protector consists of User and Kernel mode components.
- The Manager of all components is the SimonPro.exe process.
- Safend runs a service on the endpoint - SProtector.exe.
- The GUI process is Simba.exe.
- Safend Protector Emergency Clean-up utility (SPEC) is located under \Windows\System32\SPEC.exe.

3.2. Support logs

Installation logs:
- An Event Trace Log (ETL) is automatically created during the installation process in the installation directory (\program files\safend\safend protector client\).
- A file called Sinta.log is created in the \Windows\temp\ directory.
- An MSI installer log can be created when installing the Safend client using the following syntax:
  msiexec /i SafendProtectorClient.msi /l* [filename]

Client operation logs:
To debug a certain issue, you need to create an ETL file and Policy XML files.

Creation of an ETL file:
- Open regedit.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
- Add a new DWORD called dll and assign it the value 3.
- A file with an ETL extension will be created in the installation directory (\program files\safend\safend protector client\).
- Reproduce the issue scenario.
- Change the DWORD value to 0.

Creation of Policy XML files:
- Open regedit.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
- Add a new DWORD called dll and assign it the value 4.
- From the client GUI press Policy Update.
- Policy XML files will be created in the installation directory (\program files\safend\safend protector client\).
- Change the DWORD value to 0.

Creating a memory dump:
In cases of a BSOD, a full memory dump is needed in order to investigate the cause of the issue.
- Configure a full memory dump via My Computer -> Properties -> Advanced -> Startup and Recovery -> Settings -> Write debugging information -> select Complete memory dump.
- A BSOD memory dump can be opened with the Windows Debugging Tools (windbg) to determine the probable cause of the BSOD.
- Send the dump to Safend Support with the needed information.

3.3. Troubleshooting Guidelines

When investigating an issue regarding the Safend Protector Client, most issues fall under the following categories:
- Safend Client fails to install/uninstall.
- Safend Client fails to send logs back to the Safend Server.
- Safend Client fails to receive/apply policies.
- Safend Client handles a device incorrectly.
- Safend Client conflicts with other software/BSOD.

Safend Client Fails to Install/Uninstall

When you encounter installation/uninstall issues, the following needs to be performed:
- Try the installation process again.
- Try the installation process on a different machine.
- Try to completely remove the Safend Client using the SPEC utility and run the installation process again.

If one of the above was successful, the differences between the two attempts must be inspected. Examples of differences between installation attempts:
- The new machine is in a different domain.
- A specific machine had environmental issues.
- There are different security configurations on the machine.
- The SPEC utility removed random corruptions that were previously on the machine.

Safend Client Fails to Send Logs/Receive Policies to/from the Safend Server

When the client is not sending logs or receiving policies, the following needs to be verified:
- Check that Safend Server services are running and that the websites are up.
- Check the Policy web service and event web service logs for indications of the source of the problem.
- Try to browse Safend web services:
  https://[ServerName]:443/SafendProtector/EventSinkWebService.cs.asmx
  https://[ServerName]:443/SafendProtector/PolicyWebService.cs.asmx
- SC commands: sc control SafendPS 222 (logs) / 225 (policies) / 228 (OTP)
- Create an ETL file.

Safend Client handles a device incorrectly

When the client does not handle a device correctly, the following needs to be verified:
- Search for the relevant log in the management console. How is the device identified (device type, port)?
- Is it a composite device, i.e., is it identified as several devices by the OS?
- Is the correct policy applied properly?
- Is the policy configured properly?
- Was the device added/removed from the white list?
- When auditing the device, does it appear correctly (as it appears in the policy)?

Safend Client conflict with 3rd party software / BSOD

When a conflict occurs between the Safend Client and 3rd party software, the following should be verified:
- Is this a system/environment issue?
- Is this the latest version/driver of the 3rd party software?
- What are the exact steps that caused the issue to occur?

When a BSOD occurs with the Safend Client, the following should be verified:
- Is this a system/environment issue?
- Which driver was shown as the probable cause for the BSOD?
- What are the exact steps that caused the issue to occur?
- Create a full memory dump and send it to Safend support with the needed information.


3.4. Safend Protector Client Support Solutions

3.4.1. Clients not sending logs back to the Safend Server

NEED: In some cases, installed Safend Protector Clients do not succeed in sending logs back to the Safend Server. This is usually due to environment definitions that block the log transfer to the Safend Server.

RESOLUTION: In order to identify the issue and resolve it, please verify the following:
a) The policy you created is applied on the Client.
b) The Server is up and running (accessible by the Console).
c) Try pinging the Server from the Client machine.
d) Make sure the SSL port you use for the communication between the Server and the Clients (by default it is 443) is open on any firewall or port blocking application (either on the Client or on the Server).
e) Try browsing (from the Client machine) to https://ServerName/SafendProtectorWS/EventSinkWebService.cs.asmx
f) If all of the above is OK, please activate the Client logging:
   - Run regedit.
   - Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector on V3.1 or HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\input on V3.2.
   - Create a new DWORD called Dll.
   - Give it the value of 3.
g) Run (on the Client machine) the following command:
   sc control SafendPS 222
h) Change the DWORD value back to 0 to stop logging, and send [email protected] the Solog*.etl file created in the \Program Files\Safend\Safend Protector Client folder.
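Steps c) through h) above, together with the ETL procedure in 3.2, can be run as one script from an elevated PowerShell prompt on the client. This is an added example, not Safend code: the parameters $OutDir and $WaitSeconds and the helper Test-TcpPort are assumptions, while the registry paths, the Dll value, the service control code and the file names are those given in this document.

```powershell
#Requires -RunAsAdministrator
# Added example (not Safend code): steps c) to h) of 3.4.1, run on the client machine.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,
    [int]$Port = 443,                                        # default SSL port per this document
    # V3.2 location; on V3.1 pass 'HKLM:\SOFTWARE\Safend\Protector'
    [string]$RegPath = 'HKLM:\SOFTWARE\Safend\Protector\Input',
    [string]$ClientDir = (Join-Path $env:ProgramFiles 'Safend\Safend Protector Client'),
    [string]$OutDir = (Join-Path $env:TEMP 'SafendLogs'),    # assumption: any writable folder
    [int]$WaitSeconds = 60                                   # assumption: time allowed for the send attempt
)

# Hypothetical helper: TCP connect with a timeout, used for step d).
function Test-TcpPort {
    param([string]$HostName, [int]$PortNumber, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $PortNumber, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# c), d), e): ping, SSL port, and the event web service URL from step e).
$url = "https://${ServerName}:$Port/SafendProtectorWS/EventSinkWebService.cs.asmx"
$checks = [ordered]@{
    Ping       = Test-Connection -ComputerName $ServerName -Count 2 -Quiet
    TcpPort    = Test-TcpPort -HostName $ServerName -PortNumber $Port
    WebService = $false
}
try {
    # Certificate validation is left on: a trust failure here is itself a finding.
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    $checks.WebService = ($resp.StatusCode -eq 200)
} catch {
    Write-Warning "Browse to $url failed: $($_.Exception.Message)"
}
$checks.GetEnumerator() | ForEach-Object { '{0,-10} {1}' -f $_.Key, $_.Value }

if (-not (Test-Path $RegPath)) {
    throw "Registry key $RegPath not found; check the client version and path."
}

$started = Get-Date
try {
    # f) turn client logging on (Dll = 3)
    New-ItemProperty -Path $RegPath -Name 'Dll' -PropertyType DWord -Value 3 -Force | Out-Null
    # g) trigger a log send; plain 'sc' is the Set-Content alias in PowerShell, so call sc.exe
    & sc.exe control SafendPS 222
    if ($LASTEXITCODE -ne 0) { Write-Warning "sc.exe returned $LASTEXITCODE" }
    Start-Sleep -Seconds $WaitSeconds
} finally {
    # h) always switch logging off again, even if a step above failed
    New-ItemProperty -Path $RegPath -Name 'Dll' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Collect the traces written during this run so they can be sent to support.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$traces = @(Get-ChildItem -Path $ClientDir -Filter 'Solog*.etl' |
    Where-Object { $_.LastWriteTime -ge $started })
$traces | Copy-Item -Destination $OutDir
"Copied $($traces.Count) trace file(s) to $OutDir"
```

The finally block matters operationally: a client left with Dll set to 3 keeps writing trace files until someone resets the value.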

3.4.2. Pointing the installation to the SCC file

NEED: To point the installation to the location of the SCC files.

PROBLEM: The SCC file must be in the same directory as the installation file.

SOLUTION: When running the client installation, a parameter can be specified to access the SCC file:
msiexec /i safendprotectorclient.msi /standalone="[path to SCC]"


3.4.3. Uninstalling the Safend Protector Client via startup script

NEED: When uninstalling the Safend Protector client in a large environment, a method for performing mass uninstallation is required. Below you will find instructions for executing such a method, using a GPO linked to a startup script which uninstalls the protector.

RESOLUTION:
- Open Notepad and enter the following text:
  msiexec.exe /x "\\Servername\Path\SafendProtectorClient.msi" /qn UNINSTALL_PASSWORD="Password1"
  Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file used for the installation, and instead of "Password1" you enter the uninstall password defined for the client.
- Save this file as a .bat file.
- In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the uninstall script.
- Once the GPO is created within the OU, right click it and select edit.
- In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts".
- Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller.
- Copy the script file to this location and click OK.
- Once this is done, restart the relevant machines in order for the startup script to run and remove Safend's Clients from them.

keywords: command line, uninstall

3.4.4. Silent install of a client

NEED: When using silent installation, one may want to prevent a reboot following the installation.

RESOLUTION: The reboot is caused by two factors:
1. Windows Installer requirement of a reboot following the installation
2. Safend client requirement of a reboot following the installation

Using the following command will suppress the reboot required by the Windows Installer:
msiexec /i \\PathToFile\Share\SafendProtectorClient.msi /norestart REBOOT=ReallySuppress /qn
* The /qn parameter causes a quiet installation without showing the UI.

Performing the following changes will suppress the reboot required by the client:
1. Open the clientconfig.scc file for editing
2. Search for the string installmethod
3. Change its value from 2 to 3

3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client

SYMPTOMS: On rare occasions, when trying to reinstall Safend Protector Client with a different user than the original installation, the following message will show up: "The Client Configuration file does not contain a valid policy."

CAUSE: The user trying to access the encryption object doesn't have the appropriate privileges.

SOLUTION: In such cases, perform the following:
1. In order to run the Safend Protector Client installation as local machine, please run the following command:
   at [time] /INTERACTIVE cmd
   Instead of [time] write the current time + 1 minute. For example: when the time is 16:08, write 16:09.
2. A local system window will open. Run the installation from there by writing the following:
   msiexec /I SafendProtectorClient.msi

3.4.6. Installing the Safend Protector Client with by a startup script with elevated privilegesNEED: In some cases, it is not possible to implement the Safend Protector Client's installation process through a regular GPO package. In such cases, the installation must be implemented by a GPO with a start up script, and the administrator must enable elevated privileges for the end-users. SOLUTION: 1. Installing the Safend Protector Client with a startup script: Open Note Pad and enter the following text: msiexec.exe /i "\\Servername\Path\SafendProtectorClient.msi" /qn Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file used for the installation. make sure the folder containing the msi is shared. Save this file as a .bat file. Chapter: Safend Protector Client

14 | P a g e In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the installation script. Once the GPO is created within the OU, right click it and select edit. In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts" Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller. Copy the script file to this location and click OK. Once this is done, restart the relevant machines in order for the startup script to run and install the Safend Client on them. 2. Granting elevated privileges to non-administrator users: following is an article by Microsoft, pertaining to this issue: Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. SUMMARY: This article describes three methods by which an administrator can enable a non-administrator user to install managed Windows Installer applications. An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a non-administrator user to install managed applications. A) On a computer running Windows NT 4.0, Windows 2000, or Windows XP an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. 
If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, non-administrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.

B) On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges.

The following is an example of a command line used by an administrator doing a per-machine installation:

    msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1

Here is an example of how the administrator would advertise the package on the computer per-machine:

    msiexec -jm c:\pathtofile\mypackage.msi

For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK: http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp

C) On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges.

For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper: http://www.microsoft.com/windows2000/docs/GPIntro.doc

These settings can also be set via GPO instead of by directly editing the registry. The settings must be applied for both Machines and Users:

- Computer Configuration>Administrative Templates>Windows Components>Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced).
- User Configuration>Administrative Templates>Windows Components>Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced).

Link to Microsoft documentation: http://support.microsoft.com/default.aspx?scid=kb;en-us;q259459

Link to additional documentation for GPO configuration: http://lspservices.iupui.edu/docs/win2k/gpo_configurations.asp
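A check for the condition the WARNING in this article describes, given as an added example (it is not part of the Safend document or of the Microsoft article). It parses the text output of "reg query <key> /v AlwaysInstallElevated" collected from each endpoint for the two keys named above and reports the hosts where the value is 1 under both, which is when the policy is enforced. The host names, sample outputs and status labels are constructed for this example.

```python
import re

# The two policy keys named in the article (compared case-insensitively).
INSTALLER_POLICY_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer",
}

# A value line as printed by reg.exe: name, type, hex data.
_VALUE_RE = re.compile(
    r"^\s+AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$"
)


def parse_reg_query(text):
    """Return {"HKLM": int or None, "HKCU": int or None} from reg query output.

    None means the value (or the whole key) was not present. The HKCU result
    belongs to the account that ran the query, so collect it per logged-on user.
    """
    values = {"HKLM": None, "HKCU": None}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            # A key header: remember which hive the following value belongs to.
            current = None
            for hive, key in INSTALLER_POLICY_KEYS.items():
                if stripped.lower() == key.lower():
                    current = hive
            continue
        match = _VALUE_RE.match(line)
        if match and current:
            values[current] = int(match.group(1), 16)
    return values


def classify(values):
    """EXPOSED: set to 1 in both hives (enforced). PARTIAL: one hive only."""
    hklm = values["HKLM"] == 1
    hkcu = values["HKCU"] == 1
    if hklm and hkcu:
        return "EXPOSED"
    if hklm or hkcu:
        return "PARTIAL"
    return "OK"


def audit_fleet(outputs):
    """Map each host name to its status, given {host: reg query output}."""
    return {host: classify(parse_reg_query(text)) for host, text in outputs.items()}


# Constructed sample data: three hypothetical endpoints.
SAMPLE_OUTPUTS = {
    "WS-001": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
""",
    "WS-002": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

ERROR: The system was unable to find the specified registry key or value.
""",
    "WS-003": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

ERROR: The system was unable to find the specified registry key or value.
""",
}

if __name__ == "__main__":
    for host, status in sorted(audit_fleet(SAMPLE_OUTPUTS).items()):
        print(host, status)
```

Hosts still reported as EXPOSED after the Safend Client rollout has finished are candidates for setting the policy back to disabled.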

3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed)

Version 3.2, 3.3

NEED: In some cases, an ETL must be activated for the offline access utility (Access secure data).

PROBLEM: An ETL cannot be activated the ordinary way when a client is not installed, since the ETL requires the existence of a registry string that indicates the Client's installation path.

SOLUTION: In order to activate the ETL when no Client is installed:

1. Connect the encrypted device to the home machine.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector
3. Create a new String Value called InstallDir, and assign it the value "c:\Program Files\Safend\Safend Protector Client". This creates the registry string that indicates where the Client is installed (of course, the Client is not really installed; the above-mentioned path is a path created when running the Offline Access Utility).
4. Now the ETL can be activated, as usual.

3.4.8. Sonic DLA burning not supported by Safend Protector

QUESTION: Is the burning format used with the Sonic DLA software supported by the Safend Protector Client?

ANSWER: The Sonic DLA software uses the UDF file system (which is supported by us) and the Packet writing burning format, which is not supported. Therefore, the Sonic DLA burning format is not supported by the Safend Protector Client, which means it will be blocked if the policy applied has the check box for "Block unsupported burning formats" checked.

From Roxio 09/20/07 3:10 PM

Thank you for contacting Roxio Technical Support

Our apologies for the earlier agent's response. Please disregard it. Drag to Disk and DirectCD have been discontinued in version 10 of our software due to compatibility concerns. You should, however, be able to manage anything that they were able to do using version 10. Please tell us what you are trying to accomplish with them so that we may suggest other means of doing so. If the information provided does not resolve your issue simply update your web ticket with a detailed explanation with the steps you have tried and any error messages you receive.

Regards,
Roxio Technical Support
http://support.roxio.com

Thank you for your comments and we appreciate the feedback

More information can be found at: http://forums.support.roxio.com/lofiversion/index.php/t28374.html

3.4.9. Cleanup utility for the Safend Protector Client

NEED: In some very rare cases, the Safend Protector Client installation may fail, rendering the Safend Protector Client unable to function. In such cases, an alternate way of removing the Safend Protector Client is needed.

RESOLUTION: The Safend Protector Emergency Cleanup utility (SPEC) is used to uninstall the Safend Protector Client in Cleanup Mode. Once unzipped, it is ready for use, and requires only a link to the ClientConfig.scc file and the global uninstall password. If any of these details are not available, we will be able to generate a machine-specific Cleanup key according to the Cleanup Token provided by the utility. Please contact [email protected] and request the SPEC utility and the cleanup key for your machine's token.

Remember! This is a last resort for cleaning up the Protector when nothing else can be done. Usually, we would want to get to the bottom of why the crash happened so that we can improve the Safend Protector to cope with such situations in the future.

In version 3.2 and above, the Spec.exe utility is located in the windows\system32 directory.

3.4.10. Using the Registry To Check If A Policy Was Updated

QUESTION: I would like to integrate a third party tool in order to distribute policy registry files to the end point. I would like to have an indication that the policy was indeed updated.

ANSWER: The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\LastPolicyUpdate is a 4-byte key that contains the time at which the policy was last updated. You can use this key to check for policy updates.

The key "LastPolicyUpdate" is set to indicate that a policy was pulled from the GPO, regardless of whether the content of the policy was updated. As the computer pulls policies on startup, it will show an update when the computer is restarted, even though the content of the policy has not changed.

3.4.11. Client stops sending logs to the server when disabling the Sprotector service

PROBLEM: When using local admin credentials, disabling the Sprotector service and then closing it, the Safend client stops sending logs to the server.

SOLUTION: This behavior of the client is according to the product design. Be advised that the only effect of the procedure on the Safend client is that it will not send logs until the next time it is loaded. All other parameters of the client remain exactly as they were before the procedure. All ports, devices, storage devices, files, etc. will act exactly as they acted before the procedure. Please note that a user in an organization will usually not receive local admin rights on machines, so this shouldn't be a major issue.

3.4.12. Bubble notifications are not displayed for Safend Protector Events

SYMPTOM: After installing the Safend Protector Client, Event Messages (Pop Up Messages) for device/port actions do not appear.

CAUSE: Windows registry settings have disabled Balloon Tips for the machine.

SOLUTION: Make sure that in the registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, there is no DWORD key named EnableBalloonTips. If it exists, simply delete it.

Another simple way to control the balloons is by using a Microsoft power tool called TweakUI (the tool can be downloaded from http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx). The option to allow balloon tips in TweakUI can be found in the Taskbar and Start Menu option and is called Enable balloon tips.

3.4.13. Client installation fails instantly with an error message requesting to reboot

SYMPTOM: When trying to install the Protector Client, installation fails instantly and the following error message is received:

    Safend Protector Client
    Please reboot before starting the Install process

If a reboot is indeed performed, the same error message is received again. Additionally, the sinta.log file (located in the windows\temp folder) will contain only the following entries:

    [installation Date and time] = Localize installation
    [installation Date and time] = **********************************
    [installation Date and time] = Started Install Process. [version and build number]

CAUSE: A Client was installed on the machine in the past, or the Offline Access Utility was used on the machine in the past. For some reason, remnants of this were left in the system, and so the current installation process behaves as if a Client is currently installed.

SOLUTION: Running the SPEC utility will clear any remnants of a previous Client installation or Offline Access Utility use. Note that a SPEC utility of the same version as, or of a later version than, the previous Client or Offline Access Utility is to be used.

3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands

NEED: In cases where the WMI commands from the management console are not working, it is possible to trigger management commands (update policy, send logs etc.) to the Protector Client from the command line.

SOLUTION: The SC command (supplied with Windows XP or higher) can be used to specifically trigger our process for the following actions.

Send logs now! (without waiting for the interval):

    sc control SafendPS 222

Update policy from the GPO (similar to gpupdate /force, but specific to our product and faster):

    sc control SafendPS 223

Update policy from REG file:

    sc control SafendPS 225

Force InitOTP (in case the Client will not accept any passwords, or the server will not generate them):

    sc control SafendPS 228

For Windows 2000 machines this command can be run remotely (i.e.: sc \\ComputerName control SafendPS 223).

3.4.15. Changing the Safend Protector Client installation method

NEED: During the installation of the Safend Protector Client, the installer goes through a process of restarting all the devices in order to make sure its drivers are effective immediately after the installation, without the need for a reboot. The default installation method might take a few minutes to complete, depending on the number of connected devices. Additionally, the administrator should expect a momentary network disconnection during this phase. If the administrator would like to avoid this, a simple parameter may be added to the Safend Protector Client Configuration file (ClientConfig.scc).

RESOLUTION: In order to configure the installation method, open the ClientConfig.scc file, which is created using the Safend Protector Management Console, and add the following lines:

    [InstallParams]
    InstallMethod=x

where x is the option parameter as listed below:

InstallMethod=0
This is the default method (as if no parameter is added at all). During the installation process all the ports and devices are restarted. If one of the devices has failed to restart, the user is prompted to reboot.

InstallMethod=1
During the installation process, all the ports and devices are restarted. The user is not prompted to reboot, even if one of the devices has failed to restart. It is important to note that the endpoint will not be fully protected by the Safend Protector Client until the system restarts. It is the responsibility of the system administrator to schedule this system restart.

InstallMethod=2
During the installation process, none of the ports or devices are restarted. At the end of the installation, the user is always prompted to reboot.

InstallMethod=3
During the installation process, none of the ports or devices are restarted. The user is not prompted to reboot. It is important to note that the endpoint will not be fully protected by the Safend Protector until the user restarts the computer. It is the responsibility of the system administrator to schedule this system restart.

3.4.16. User or Computer Policy Uninstall Password

QUESTION: If I set a different Uninstall Password for the Computer policies and the User policies, which password should I use to uninstall the Safend Protector Client?

ANSWER: There are three scenarios that can be recognized in this situation:

1. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was either applied or not. The current policy is applied for the logged on USER. The Safend Protector is uninstalled manually.
==> The uninstall password is the one set in the USER policy.

2. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was never applied. There is currently no logged on user, so the default policy, as set in the Client Configuration file, is applied. (This is the situation if the uninstall process is taking place through Active Directory.)
==> The uninstall password is the Global uninstall password as it is set for the COMPUTER.

3. The machine was installed with the Safend Protector. A COMPUTER policy was applied. There is currently no logged on user, so the COMPUTER policy is applied.
==> The uninstall password is the one set in the COMPUTER policy.

3.4.17. Changing the Safend Protector Balloon Message Display Time

QUESTION: Can the "User Message Balloon" display time be controlled?

ANSWER: The parameter for the Balloon Tips display time in Windows XP can be found in the registry, in: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify. The DWORD entry called BalloonTip is set by default to the value of 3 (seconds). Change its value to control the display time of the Balloon Tips.

Some information pertaining to the Balloon Tips of the Safend Protector can be controlled through the Default Agent Policy (the Default Agent Policy is a file that contains some parameters that are not hard-coded into the Protector, but are also not exposed to the user. It is possible to update the Default Agent Policy if necessary). These parameters are the number of seconds that the Protector processes wait between balloons and the number of seconds between the last notification and the icon returning to its idle mode. In order to change the Default Agent Policy, please contact [email protected].

3.4.18. Installing Safend Protector Client to a Non-Default Folder

NEED: Is it possible to install the Safend Protector Client silently as a GPO to a folder or drive which is not the default installation path?

SOLUTION: Yes, it is possible to install the client to a specified directory, but the installation needs to be done using a start-up script, instead of a package installation. The process is as follows:

1. For the OU on which you would like to install, go to the OU Properties, Group Policy tab.
2. Create a new Group Policy, and give it a name, then click Edit to open the Group Policy Editor
3. Go to Computer Configuration > Windows Settings and select Start-up > Script
4. Click the Show Files button and create a new text document containing the following command:

    msiexec.exe /i "\\

Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3) Under Log On Locally, add the appropriate user group to the list.

Domain Policy
1) Open a domain Group Policy for editing
2) Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3) Under Log On Locally, add the appropriate user group to the list.

4.4.17. When changing the server certificate to an organizational certificate, logs are not sent

SYMPTOM: When changing the server certificate from Safend's default certificate (created during the installation of the server) to an organization's specific certificate, policies can be updated for the clients but logs aren't sent from them. This is seen in 3.2 and 3.3 clients.

CAUSE: When publishing a policy, a derivative of the certificate called the certificate self-signer is sent to the client. A response based on the self-signer is sent back to the server when sending logs. When the default Safend certificate is replaced with an organization's specific certificate, the self-signer of the Safend certificate is still sent to the client when publishing a policy. This causes a faulty reply when the client attempts to send logs and thus prevents the logs from being sent: the client's reply is based on the Safend certificate, while this certificate is no longer in effect due to its replacement. Note that policies are updated successfully for the clients since the self-signer is not used in this process (it is only "attached" to the policy).

SOLUTION: This issue can be solved in version 3.3 only. Replacing a DLL file on the server side causes the new, relevant self-signer to be sent to the clients. In case there is a server cluster (possible in version 3.3 and above), the replacement should take place on every server of the cluster.

1. Stop the Safend services: Domain, Local, and Broadcast if 3.2 is used. Leave the DB service running.
2. Go to C:\Program Files\Safend\Safend Protector\Management Server\bin
3. Replace the existing backend.server.dll with a modified copy of it. Attached to the solution is the modified backend.Server.dll for version 3.3 build 30270; for any other 3.3 build, the .dll file will have to be modified by the R&D team.

Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement are manifested in the same server, since one replacement will cancel the other.

4.4.18. Changing source name when sending Safend alerts to the Event Viewer

Note: This article contains information on how to change Safend configuration files and is intended for advanced users. If you feel uncomfortable with changing these advanced settings, please consult with Safend support or your local Safend distributor.

NEED: When configuring Safend Protector Alerts to be sent to an "Event Viewer" alert destination, all alerts are stored under the application source. This can be hard to manage since other applications may also write events under the application source, making it hard to isolate the Safend Protector events. You may change the default "Application" source name to a unique name such as Safend by following the steps below.

RESOLUTION: To change the source name to a unique name (which makes it easier to sort or filter for Safend logs only), change 2 small parameters in the Safend Server configuration file - "\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml". Look for the following text: eventLogSource="Application". It should appear twice - once for the "Server Alert Action Dispatcher" and once for the "Client Alert Action Dispatcher". Both need to be changed to your desired source name so that all types of logs will be stored using the same source.

Example: eventLogSource="SafendAlerts"

All alerts which are forwarded to a machine's event viewer by the Safend Protector Server will be stored under the manually configured source name.

4.4.19. IIS diagnostics tool

NEED: In some cases, the IIS service on the Server machine may experience problems that cause the Safend Protector Management Server to become dysfunctional. In these cases, the problems must be identified and resolved appropriately.

SOLUTION: IIS problems may be diagnosed with the IIS Diagnostics Toolkit, available for download at: http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa73c9156706e7&displaylang=en

One of the tests that can be performed with it is the Server Permissions test in the Auth Diagnostics 1.0 component. This test displays the permissions required for the server, and whether the server has them.

Additional IIS diagnostic tools can be found at:
http://www.iis-resources.com/modules/mydownloads/viewcat.php?cid=15
http://www.iistoolshed.com/tools.aspx

4.4.20. User Permissions for the Safend Server

QUESTION: What are the permissions needed for the user account that is used by the Safend Protector Management Server?

ANSWER: The user account used by the Safend Server should either be a domain administrator or have the following permissions:

a) Member of the "Group Policy Creator Owner" group in the AD
b) Have DCOM Remote Launch, Remote Activation and Remote Access permissions on all machines. This can be set through a GPO. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, add the user to the lists on both:
   DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
   and
   DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
   and apply the policy on all machines with the Safend Client.

4.4.21. Unable to publish a policy and a specific error appears in the Domain Service log

SYMPTOM: Receiving an error when trying to publish a policy (in all methods). In the DomainService log the following error will appear:

    [2008-02-19 08:00:50.047800] [Warning] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - Mandatory publish sink TranslationSink failed: Safend.Protector.Admin.Utils.Exceptions.OperationAbortedException - The parameter is incorrect. at Safend.Protector.Policy.Interop.ServerPolicyFormatterClass.AddSecurityCategory(Int32 securityConfigIndex, Int32 portIndex, String categoryName, Int32 categoryType, Int32& categoryIndex)
    [2008-02-19 08:00:50.047800] [Error] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - 1 errors occurred while publishing policy 5 revision 44 (Safend - Allow All + Default Logging (90 minutes))

In addition, this issue occurs only with versions 3.1 and 3.2. The fix was added to 3.3.

CAUSE: Sometimes a name that is given to a group in the White-list tab shows up in the Base Policy and therefore an error occurs.

SOLUTION: In order to resolve this issue, please change the name of the problematic group in the White-List.

5. Safend DB

5.1. Safend Protector Client Support Solutions

5.1.1. Policy not applied due to the small size of the DB column "Groups"

SYMPTOM: In version 3.2, machine or user policy does not apply or applies only after restart. In the Policywebservice log, the following error message appears: "String or binary data would be truncated"

CAUSE: The size of the DB column called "Group", existing in the 2 DB tables called "User" and "Computers", is set to 255 characters only in version 3.2. If the user/s or machine/s is a member of AD groups whose combined names exceed 255 characters, the policy would be truncated and therefore not applied.

SOLUTION: Increasing the "Groups" column size in both of the tables in the DB is required.

If using an external MsSQL DB (should be performed by the DBA):
----------------------------------------------------------------
1. Close the console, stop the Safend services - Domain, Local and Broadcast.
2. Open the SQL Enterprise Manager / Query Studio on the SQL Server machine.
3. Go to Databases and to the SafendProtector database.
4. Open Tables, and view the list of the different tables in the SafendProtector DB.
5. Right click the "Computers" table, choose Design Table.
6. Go to the "Groups" Column, check the length value and set it to MAX.
7. Save the changes.
8. Repeat the above steps with the "Users" table in the DB.
9. Restart the Safend Services - Broadcast, Local, Domain. Following this, run the command IISRESET from start/run or from cmd.
11. Open the console, go to the Clients world. In the tools icon next to the Organizational Tree view, click "Sync Tree with Directory".
12. Try publishing and updating the policy with a user or a machine to verify the policy is updated.

Chapter: Safend DB


5.1.2. Restoring missing MySQL index files

Note: This solution includes modification of the MySQL database, which might render the server useless. Please use this solution with care.

NEED: MyISAM is the default storage engine for the MySQL relational database management system, the DB used by Safend as an internal DB. Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table, but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData) extension. The index file has a .MYI (MYIndex) extension. An example of a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computers.frm). The MYI (and MYD & frm) files are stored in the following folder:

    C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector

SYMPTOM AND CAUSE: On some occasions, an MYI file/s may go missing due to an unintentional deletion by the user. This can happen only when the DB service is stopped, since the DB service locks the MYI files. Although tampering with the Safend installation folder, and especially with the DB folder, might render a Safend server damaged beyond repair and is not officially supported, in many cases a missing MYI can be restored.

1. A missing MYI file can prevent the console from being launched or disrupt the function of the Logs world in such a fashion that queries cannot be used.
2. In the Managementserver log, the following error appears:

    [Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2)

   In this error message, the missing MYI file's name is displayed. In the above example, the missing MYI file is computers.MYI.
3. In the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector, the MYI file that appeared in the error above will not be present. In case the MYI file is present, it is probably corrupted; in this case, please refer to KB00000230 - Repairing corrupted MySQL index files

SOLUTION: The safest way to restore a missing MYI file would be to revert to a recent image or snapshot of the machine. If this is not possible, described below is a procedure that recreates the index into an MYI file copied from a different Safend server of the same version and build number. This procedure is composed of a part performed in the customer's environment and a part performed at Safend.

1. Preparations at the customer's server:
   a. Stop the Safend services in the following order: Domain, Local, Broadcast if version 3.2 is used, DB.
   b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them.
   c. It is recommended to save an image or a snapshot of the server machine. If this is not possible, back up the entire folder C:\Program Files\Safend\Safend Protector\Management Server\database\data by copying it to a different location.
   d. Send to [email protected] the MYD and frm files that correlate with the missing MYI file; for example, if the computers.MYI file is missing, the computers.MYD and computers.frm files should be sent.

2. Recreating the index at Safend:
   a. Set up a Safend server of the same version and build number, and stop its services, including the DB service.
   b. Create a temporary folder on the server machine and copy the MYI file in question to the temporary folder from the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector on the server you've just set up.
   c. Copy the MYD and frm files sent from the customer to the temporary folder.
   d. Enter the following in cmd:

    "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"

      where "tablename" should be replaced with the name of the missing MYI file. Note that only "-r -q" should be used. The -r switch must not be used alone, and no other repair switches (such as --safe-recover) should be used either. This is because only "-r -q" doesn't touch the MYD file, which is essential in this case.

   If the repair succeeded, all 3 files (MYI, MYD and frm) should be sent back to the customer. If the repair failed, consult with the R&D team. Be advised that it is likely that the MYI cannot be recreated and the entire Safend server should be re-installed.

3. Returning to working state at the customer's server:
   a. Replace the MYI, MYD and frm files in question with the ones sent by Safend.
   b. Restart the Safend services in the following order: DB, Broadcast if version 3.2 is used, Local, Domain.
   c. Open the console and check that the policies have the right associations and the logs can be seen.
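The error messages quoted in this article and in 5.1.3 can be sorted mechanically before choosing between the two procedures. The following is an added example, not Safend code: it classifies each message as a missing index file (this article), a corrupted one (5.1.3), or a corruption that does not name its table, using a listing of the safendprotector data folder. The function names, verdict labels and the directory listing are constructed for the example; the sample lines are the messages quoted in the two articles, and nothing on disk is changed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Can't find file" / "Can't open file" messages name the index file and errno.
FILE_ERR_RE = re.compile(
    r"Can't (?:find|open) file: '([^'\\/]+)\.MYI' \(errno: (\d+)\)", re.IGNORECASE
)
# "Got error N from storage engine" carries no table name at all.
ENGINE_ERR_RE = re.compile(r"Got error (\d+) from storage engine")


@dataclass
class Finding:
    verdict: str  # "missing", "corrupted" or "corrupted-table-unknown"
    table: Optional[str] = None
    code: Optional[int] = None
    # For a missing index: companion files that exist and should be sent.
    send_to_support: List[str] = field(default_factory=list)
    # For a missing index: companion files that are absent as well.
    companions_missing: List[str] = field(default_factory=list)


def triage_line(line, present_files):
    """Classify one log/event line against the data folder listing."""
    present = {name.lower() for name in present_files}
    match = FILE_ERR_RE.search(line)
    if match:
        table, code = match.group(1), int(match.group(2))
        if (table + ".myi").lower() in present:
            # The file named in the error exists: treat it as corrupted.
            return Finding("corrupted", table, code)
        companions = [table + ".MYD", table + ".frm"]
        return Finding(
            "missing", table, code,
            send_to_support=[c for c in companions if c.lower() in present],
            companions_missing=[c for c in companions if c.lower() not in present],
        )
    match = ENGINE_ERR_RE.search(line)
    if match:
        return Finding("corrupted-table-unknown", None, int(match.group(1)))
    return None


def triage_log(lines, present_files):
    """Return one Finding per distinct (verdict, table), in order of appearance."""
    findings, seen = [], set()
    for line in lines:
        finding = triage_line(line, present_files)
        if finding and (finding.verdict, finding.table) not in seen:
            seen.add((finding.verdict, finding.table))
            findings.append(finding)
    return findings


# The three messages quoted in 5.1.2 and 5.1.3 (timestamp placeholder as printed).
SAMPLE_LINES = [
    r"[Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager2] "
    r"[NT AUTHORITY\NETWORK SERVICE] - Failed to obtain license information: "
    r"Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Got error 127 from storage engine",
    r"d:\program files\safend\safend protector\Management Server\database\bin\mysqld-nt.exe: "
    r"Can't open file: 'clientevents.MYI' (errno: 145)",
    r"[Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] "
    r"[PC120001XP\ASPNET] - Failed to obtain license information: "
    r"Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2)",
]

# Constructed listing of the safendprotector data folder (computers.MYI absent).
SAMPLE_LISTING = [
    "computers.MYD", "computers.frm",
    "clientevents.MYI", "clientevents.MYD", "clientevents.frm",
]

if __name__ == "__main__":
    for item in triage_log(SAMPLE_LINES, SAMPLE_LISTING):
        print(item)
```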

5.1.3. Repairing corrupted MySQL index filesNote: *This solution includes modification of the MySQL database, which might render the server useless. Please use this solution with care. NEED: MyISAM is the default storage engine for the MySQL relational database management system, the DB used by Safend as an internal DB. Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table, but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData) extension. The index file has a .MYI (MYIndex) extension. An example for a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computer.frm). The MYI (and MYD & frm) files are stored in the following folder: C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector SYMPTOM AND CAUSE:


On some occasions, one or more MYI files may become corrupted during the regular operation of the MySQL DB. This usually prevents the console from being launched. There are various manifestations of this issue; some appear in the server logs and some in the Windows Event Viewer:

1. Example #1
The following error appears in the Managementserver log:
[Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager2] [NT AUTHORITY\NETWORK SERVICE] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Got error 127 from storage engine

2. Example #2
The following error event appears in the Windows Event Viewer. Usually, this error event appears alongside the error in the Managementserver log seen in example #1.
Event Type: Error
Event Source: MySQL
Event Category: None
Event ID: 100
Date: 8/19/2008
Time: 7:51:33 AM
User: N/A
Computer: OCINSAPP01
Description: d:\program files\safend\safend protector\Management Server\database\bin\mysqld-nt.exe: Can't open file: 'clientevents.MYI' (errno: 145)

3. Example #3
The following error appears in the Managementserver log:
[Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2)

Note that from example #1 alone you cannot tell which MYI file is problematic and is preventing the console from opening, but in examples #2 and #3 the problematic MYI is known (in the above examples #2 and #3, the problematic MYIs are clientevents.MYI and computers.MYI, respectively).
Also, note that the error message in example #3 may appear as well when an MYI file is missing. Restoring missing MYI files is described in KB00000231 - Restoring missing MySQL index files.

SOLUTION:
The guideline for repairing corrupted MYI files is that the data (MYD) should not be touched if possible.

1. Preparations:
a. Stop the Safend services in the following order: Domain, Local, Broadcast if version 3.2 is used. Leave the DB service running.
b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them.
c. Back up the entire folder C:\Program Files\Safend\Safend Protector\Management Server\database\data by copying it to a different location. Also, you may want to save an image or a snapshot of the server machine.

2. Identifying the corrupted MYI:
The first goal is to determine which MYI file is corrupted. Usually, only one MYI file gets corrupted at a time, but theoretically, multiple MYI files can be corrupted at the same time. The simplest way to determine which MYI is corrupted is by checking the Event Viewer or the Managementserver log, as seen in examples #2 and #3. In case no indication appears, as seen in example #1, use the myisamchk utility to check the integrity of all of the MYI files. In cmd, enter the following:
"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"
Where "tablename" should be replaced with the name of a MYI file. Repeat this action for all of the MYI files.
Attached to the solution is an example of the myisamchk output when the MYI file is valid, and when the MYI is corrupted.

3. Repairing the corrupted MYI:
The procedure described below can be performed on the server machine, or at Safend once a customer sends the MYI, MYD and frm files in question. If handled at Safend, the 3 files should be put in a temporary folder on a server machine with the same server version and build number as at the customer's.
After identifying the corrupted MYI, use the myisamchk utility in cmd to repair it.
a. Firstly, try to use the -r -q switches. This attempts to repair the index file without touching the data file. If the MYD file contains everything that it should and the delete links point at the correct locations within the MYD file, this should work, and the MYI is fixed. The complete command should be:
"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"
Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section.
b. Try to use the -r switch alone. This removes incorrect rows and deleted rows from the data file and reconstructs the index file. The complete command should be:
"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"
Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section.
c. Try to use the --safe-recover switch. Safe recovery mode uses an old recovery method that handles a few cases that regular recovery mode does not, but is slower. The complete command should be:
"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" --safe-recover "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"
Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section.
d. Try to use the -f switch. The -f switch forces the indexing by overwriting old temporary files and includes touching the data. The complete command should be:
"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -f "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"
Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), please refer to Stages 3 and 4 in the following MySQL article, and also consult with the R&D team: http://dev.mysql.com/doc/refman/5.0/en/repair.html

4. Returning to working state:
Start the Safend processes in the following order: Broadcast if version 3.2 is used, Local, Domain.
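The identification and repair steps of 5.1.3 as a script. This is an added example, not Safend tooling: the function names and the sample lines (built from the three error formats quoted above) are constructed, and it assumes myisamchk exits with a non-zero code when a check or repair fails.

```powershell
# Added example, not Safend tooling. Paths are the defaults quoted in this section.
$Myisamchk = 'C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe'
$DataDir   = 'C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector'

function Get-MyiFinding {
    # Map each log or event line to the index file it names and the next step.
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match "Can't (open|find) file: '([^']+\.MYI)' \(errno: (\d+)\)") {
            $next = if ($Matches[1] -eq 'find') {
                'File may be missing: check the data folder, see KB00000231 if it is'
            } else { 'Repair this index with myisamchk' }
            [pscustomobject]@{ IndexFile = $Matches[2]; Errno = [int]$Matches[3]; NextStep = $next }
        }
        elseif ($line -match 'Got error (\d+) from storage engine') {
            [pscustomobject]@{ IndexFile = $null; Errno = [int]$Matches[1]
                               NextStep  = 'No file named: check every MYI file' }
        }
    }
}

function Find-CorruptMyi {
    # Step 2 fallback: run a plain check on every index file and keep the ones that fail.
    # Assumption: myisamchk exits non-zero when the check reports errors.
    param([string] $Exe = $Myisamchk, [string] $Dir = $DataDir)
    Get-ChildItem -LiteralPath $Dir -Filter '*.MYI' | ForEach-Object {
        & $Exe $_.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { $_.FullName }
    }
}

function Repair-MyiIndex {
    # Step 3: try the switches in the order given above and stop at the first success,
    # so the data (MYD) file is only touched once the index-only repair has failed.
    param([string] $MyiPath, [string] $BackupDir, [string] $Exe = $Myisamchk)
    $leaf = Split-Path -Path $MyiPath -Leaf
    if (-not (Get-ChildItem -LiteralPath $BackupDir -Recurse -Filter $leaf -ErrorAction SilentlyContinue)) {
        throw "No backup copy of $leaf under $BackupDir; do step 1c first."
    }
    foreach ($switches in @(@('-r', '-q'), @('-r'), @('--safe-recover'), @('-f'))) {
        & $Exe $switches $MyiPath
        if ($LASTEXITCODE -eq 0) { return ($switches -join ' ') }   # switches that worked
    }
    throw "All repair attempts failed for $leaf; escalate as described in step 3d."
}

# Constructed sample lines, one per error format from examples #1 to #3.
$sample = @(
    "[Time and date] [Fatal] [...] - Failed to obtain license information: ... #HY000Got error 127 from storage engine",
    "mysqld-nt.exe: Can't open file: 'clientevents.MYI' (errno: 145)",
    "[Time and date] [Fatal] [...] - Failed to obtain license information: ... #HY000Can't find file: 'computers.MYI' (errno: 2)"
)
Get-MyiFinding -Lines $sample | Format-Table -AutoSize

# Only runs on a machine that actually has the Safend server installed.
if (Test-Path -LiteralPath $Myisamchk) {
    Find-CorruptMyi | ForEach-Object { "Check failed: $_" }
}
```

Repair-MyiIndex is defined but never called automatically; run it per file only after the services are stopped and the data folder is backed up as in step 1.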

5.1.4. Changing external DB user, password and authentication method (domain) while connected to Protector

QUESTION:
Is it possible to change the external DB user and password or to change the authentication method (SQL/Windows) while it is connected to the Protector?

ANSWER:
There is no problem with changing credentials (user/domain/password), but it should be done the right way and while the Safend services are suspended. The SPAdmin utility cannot change more than one parameter at a time, which means that it should be executed several times, once for each parameter. For example, changing the username and password to Administrator and Apple1 respectively should be done like this:
1. SPAdmin.exe -dbinfoview dbinfo.xml username=Administrator
2. SPAdmin.exe -dbinfoview dbinfo.xml password=Apple1
If required, the domain may also be changed the same way. There is no problem substituting a domain user with an SQL user (or vice versa). In order to do so, just specify an empty domain name:
SPAdmin.exe /dbinfoview dbinfo.xml domain=
NOTE: The password must always be the last parameter to change, since when specifying the new password SPAdmin tries to connect to the DB using the existing user name and domain (specified in DBinfo.xml) and the new password.

5.1.5. Replacing the DB which is used by Safend Protector Management Server

SYMPTOM:
In some cases, replacing the DB which is used by Safend Protector Management Server is needed.

SOLUTION:
In order to replace an existing DB used by Safend Protector Management Server with another, please perform the following steps:
1. Back up the encryption key files and configuration files through the Maintenance tab in the Administration window.
2. Uninstall the Safend Protector Management Server.
3. Reinstall the Safend Protector Management Server by performing the following:
o Choose the Restore mode, for restoring Server installations while maintaining the previous configuration (as seen in the attachment).
o When installing the server using this mode, choose to use the Safend Protector backup files (as seen in the attachment).
o Afterwards, choose which database you would like to use: an embedded database on the same machine or an external existing MSSQL database (as seen in the attachment). Following this window, continue with the installation.

5.1.6. When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved.

PROBLEM:
User cannot save policies, run queries, change settings or logs are not saved.

CAUSE:
The minimum required level of permissions to run and maintain the Safend Protector server is 'DB owner'.

SOLUTION:
Security level can be checked on security --> logins

5.1.7. When using MsSQL DB User cannot connect to the server

PROBLEM:
User cannot connect to the server.

SOLUTION:
This can be caused by lack of connectivity or lack of proper permissions.
1. Check that the user has the proper permissions to perform the actions he is trying to do (the minimum required permissions are DB owner).
2. Check connectivity to the server by using the PING utility.
3. Telnet to the SQL port (TCP 1433) to see if the server is listening, using both the IP and the computer name.
4. Install 'SQL client tools' on the Safend Server.
4.a. Create a text file and rename its extension to .UDL
4.b. Open it with 'Microsoft OLE DB Provider for SQL Server'
4.c. Enter the correct user name and password
4.d. Connect to the Safend Protector DB
4.e. Server errors can be found under Management --> SQL Server Logs --> Current

5.1.8. When using MsSQL DB the installation cannot create the DB

PROBLEM:
During installation the installer cannot create the DB, followed by an error message relating to insufficient permissions of the user used to connect to the DB.

CAUSE:
The minimum required level of permissions to install Safend Protector is 'DB creator'.

SOLUTION:
Security level can be checked on security --> logins

5.1.9. When using MsSQL DB performing DB related actions causes console freeze.

PROBLEM:
When performing DB related actions the console freezes.

CAUSE:
This can be related to certain objects "locking" other objects.

SOLUTION:
In Query Analyzer / Query Studio (installed with the SQL server), run the command 'sp_who2'. Objects marked with a red mark are "locked"; if these objects persist in being locked, they need to be "killed". To kill a process, run 'Kill [object name]'.
You may also run a more detailed query:
SELECT * FROM master..sysprocesses WHERE blocked <> 0 OR spid IN (SELECT blocked FROM master..sysprocesses)
Note: this solution should be performed by the customer's DBA.


6. Safend Protector Management Console

6.1. Support logs

Safend Protector Management Console Logging

When investigating issues with the Safend Protector Management Console, the logs provide valuable information. There are 2 trace logs for the Management Console:

- Console Updater log: \Program Files\Safend\Safend Protector\Management Console\log
- Management Console log: \Program Files\Safend\Safend Protector\Management Console\Management Console\log

6.2. Troubleshooting Guidelines

When investigating an issue concerning the Safend Protector Management Console, most issues fall under the following categories:
- Safend Protector Management Console fails to open.
- Safend Protector Management Console fails to perform remote client commands.
- Safend Protector Management Console general errors and exceptions.

Safend Protector Management Console Fails to Open

When the Management Console fails to open, the following must be verified:
- Are the Safend Server services running?
- Is the Management Console on the same machine as the server? If not, does the local Management Console, on the Safend Server machine, start successfully?
- Is the Management Console trying to communicate using the correct SSL port? (The correct port can be found in IIS --> Web Sites --> Safend Protector Web Site --> Properties --> SSL port.)
- Can the Safend Server machine be contacted from the console machine (Ping, Telnet)?
- Can the Management Console machine browse to the Safend Server machine using the https protocol?
  Management Console install site: https://[servername]:4443/SafendProtector/consoleinstall.aspx
  Change [servername] to the real server name. 4443 is the default port.

Safend Protector Management Console Fails to Perform Remote Client Commands

When the Management Console fails to perform remote commands, the following WMI configurations should be examined:
- Is the WMI service enabled and started on both the Safend Server and Client machine?
- Can the Safend Server contact the Safend Client machine by its FQDN?
- Does the Server User have sufficient privileges on the target machine, i.e., permission to perform WMI commands?
- Verify that the RDP ports are open.
- Use wmimgmt.msc to verify valid WMI communication.

Safend Protector Management Console General Errors and Exceptions

If the Management Console experiences any error or exception during work, the following should be examined:
- Does the issue reproduce after a reboot?
- Were there any configuration changes applied to the Server/Console machine?
- Are there any errors in the event viewer logs?
- What are the exact steps that caused the issue to occur?
- What is the exact error message?

6.3. Safend Protector Management Console Solutions

6.3.1. When trying to log-in to the console, the error message "user is not in the authorized user group" appears

SYMPTOM:
When launching the console, entering the credentials and trying to log-in, the log-in fails with the error message "user is not in the authorized user group".

CAUSE:
There are 2 possible causes for this issue:
1. The user that one is trying to log-in to the console with is not in the AD User Group / local machine user group that is authorized to use the console. By default, this group is the BUILTIN\Administrators group. Note that this group may differ according to the settings in the Users Management menu under Tools -> Administration -> General.
2. The IIS service was uninstalled and re-installed after the Safend server had been installed. This causes the deletion of the Safend websites from the original server install.

SOLUTION:
There are 2 solutions for this, respective to the cause:
1. In AD / the local machine, add the user to the User Group that is authorized to use the console.
2. Re-install the Safend server. You may want to use the Restore installation option, using the backed-up keys and settings, in order to have the new server communicating with the existing clients and to preserve the policies and other settings. Please review the Installation Guide before uninstalling and re-installing the server.

6.3.2. How to login to the console without entering the password each time

NEED:
Sometimes, one needs to be able to log in to the console without entering the password each time it is launched. This is usually needed when log-on to Windows is performed using a smart card (usually it is set in AD: the "Smartcard Required" option is active) and not using a password; in this scenario, the users usually don't know the log-on password since they are using the smart card, and thus are unaware of the console's password as well.

SOLUTION:
One should try to launch the console as usual for the first time, and the login window can be closed (there's no need to enter the password). After this, the Single Sign On (SSO) capability can be used; this is set in the "Safend Protector Web Site" properties. See the exact steps for doing so in the attached document.

In order to have SSO enabled, please do the following:
1. Go to IIS management, right click on the SafendProtector website and go to directory security.
2. Click on Edit under Authentication and access control.
3. Uncheck the Enable anonymous access and check the Integrated Windows authentication radio buttons.
4. Restart the safend protector website (or just restart all IIS).
5. Close the IIS management console.
6. At this stage you can delete the shortcut to the Safend management console on the desktop and create a new one using these settings:
a. Right click on the desktop and choose new shortcut.
b. Click browse and go to program files\safend\Safend Protector\management console\management console\management console.exe
c. Click ok and add the no_login switch at the end of the path created so it will look like this:
"D:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole\ManagementConsole.exe" -no_login
Make sure to replace the drive letter with the right one for the Safend installation.

6.3.3. Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication

SYMPTOM:
When trying to perform a WMI command from a 3.3 console, such as retrieve logs or update policy, and if the DB is an MS SQL installed with windows authentication, the command will not be performed and the following error message will appear:
Notification failed try later. Object reference not set to an instance of an object

CAUSE:
When trying to connect to the MS SQL DB using windows authentication, the impersonation process performed by the local service happens twice instead of once as it should. Connection with double impersonation is forbidden.

SOLUTION:
The file Admin.App.WebServer.dll should be replaced in the Safend server with a modified one. This will cause the impersonation process to happen only once, as it should.
1. Stop the Safend Local service. This will stop the Domain service as well.
2. Go to \Program Files\Safend\Safend Protector\Management Server\bin and back up the file Admin.App.WebServer.dll to another folder.
3. Replace this DLL with the modified version. Attached to this solution is the DLL that should be used with the 3.3.30270 server version only. For any other server version and build, the DLL must be modified by the R&D team.
4. From cmd, run the IISRESET command.
5. Start the Local service and then start the Domain service.

6.3.4. Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder

SYMPTOM:
After upgrading to 3.3 or after a 3.3 fresh installation, opening the console fails after entering the credentials, with the following error message:
Application Execution Error
Management Console failed to start ((Access to the path '[Server installation path]\reports\f39121dd-f95a-48c2-beed-9cefc9cc64d1' is denied)).
Note that another PID may appear instead of f39121dd-f95a-48c2-beed-9cefc9cc64d1.
This issue can occur right after the installation, but is usually seen later (after a few hours or days).

CAUSE:
In the installation/upgrade process, a folder called "reports" is created in the management server folder. This folder stores a few files related to the Reporter. By default, the installation/upgrade grants a full control permission to "Everyone" for this folder. In certain environments, GPOs or other means can change the permission on this folder (as on any other folder in the machine) to something else, or simply deny "Everyone" from having full control over it. This might leave the user who is running the Safend application pool (by default it is the "network service" user) unable to access this folder, and so the console cannot be opened. Since general GPO updates usually occur once in a while, this issue is usually not experienced right after the installation but after a certain delay, hours or days later.

SOLUTION:
Grant full control over the reports folder to the user who is running the Safend application pool (by default it is the network service). To check which user is running the Safend application pool, go to My Computer > Manage > Internet Information Service > Application Pools > SafendProtectorAppPool > Properties > Identity.

6.3.5. When using role based permissions user can't publish policies

PROBLEM:
When using "Role Based Management", users from specific 'User Roles' receive an error message when trying to publish policies via the Safend Protector Policy Server.

SOLUTION:
This issue could be related to missing permissions for this specific Role. In order to publish policies, the "User Role" must have 'Read' permissions on the "Global Policy" tab.

NEED:
When using role based permissions, users need to enable "policies" but disable other options.

6.3.6. When using role based permissions user can't associate policies

PROBLEM:
When using "Role Based Management", users from specific 'User Roles' receive an error message when trying to associate policies with organization objects via the Safend Protector Policy Server.

SOLUTION:
This issue could be related to missing permissions for this specific Role. In order to associate policies with organization objects, the "User Role" must have 'Read' permissions on the "Clients" tab.

6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs

SYMPTOM:
In rare cases, on hardened machines, the Local and Domain services will fail to configure. This will cause the console not to open.
1. The following error message is received:
Application Execution Error
Management Console failed to start (Access is denied)
2. A DCOM error in the Event Viewer related to the user NT Authority\Network Service will appear.
3. In the server logs, an error appears including the text:
System.Security.Cryptography.CryptographicException - Access is denied

CAUSE:
The Network Service user cannot access the Cryptographic keys library in Windows.

SOLUTION:
Grant Full Control privileges to the user Network Service for the following folder:
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys
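Sections 6.3.4 and 6.3.7 both come down to the application pool identity lacking Full Control on one folder. The script below is an added example, not Safend tooling: it audits the ACEs that name an identity directly, reports whether "Everyone" still holds Full Control, and grants Full Control to that one identity only. The function names and the demo folder are constructed.

```powershell
# Added example, not Safend tooling. The demo folder is a constructed stand-in; on a
# server the targets are the reports folder (6.3.4) and the MachineKeys folder (6.3.7).
function Get-DirectAce {
    # ACEs (explicit and inherited) on $Path that name $Sid directly.
    # Access obtained through group membership is not evaluated here.
    param([string] $Path, [System.Security.Principal.SecurityIdentifier] $Sid)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value }
}

function Test-FullControl {
    # True when at least one Allow ACE in $Aces carries every Full Control bit.
    param($Aces)
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    [bool]($Aces | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                  ([int]$_.FileSystemRights -band $full) -eq $full })
}

function Test-FolderAccess {
    param([string] $Path, [string] $Identity = 'NT AUTHORITY\NETWORK SERVICE')
    # Compare by SID so the check also works on localized Windows installations.
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $mine = @(Get-DirectAce -Path $Path -Sid $sid)
    [pscustomobject]@{
        Path                = $Path
        Identity            = $Identity
        FullControl         = Test-FullControl -Aces $mine
        DenyRule            = [bool]($mine | Where-Object { $_.AccessControlType -eq 'Deny' })
        EveryoneFullControl = Test-FullControl -Aces @(Get-DirectAce -Path $Path -Sid $everyone)
    }
}

function Grant-FullControl {
    # Adds an inheritable Allow/FullControl ACE for one identity; existing ACEs stay.
    param([string] $Path, [string] $Identity = 'NT AUTHORITY\NETWORK SERVICE')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$demo = Join-Path $env:TEMP 'safend-acl-demo'      # constructed stand-in folder
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Test-FolderAccess -Path $demo                      # state before the change
Grant-FullControl -Path $demo
Test-FolderAccess -Path $demo                      # FullControl is now True
```

Pass the identity shown under SafendProtectorAppPool > Properties > Identity as -Identity when the pool does not run as Network Service; a DenyRule value of True means a Deny ACE still overrides the grant.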

6.3.8. Enabling WMI commands via Safend Protector

Safend Protector utilizes the Windows Management Instrumentation (WMI) protocol for providing management capabilities over all Safend clients via the Safend server. This document covers the minimum requirements for enabling WMI communication between the Safend server and Safend clients.

What is WMI and how does Safend Protector use it?
Windows Management Instrumentation is a set of Windows APIs in the Windows operating system that enables devices and systems in a network, typically enterprise networks, to be managed and controlled. The Safend Agent retrieves policies and sends logs to the server periodically over an SSL channel. However, the Safend administrator can force the client to send logs or update policies immediately, via the management console tab. These commands are sent to the client via the WMI channel. Please note that disabling these commands does not affect the Safend agent functionality.
To learn more about the Windows Management Instrumentation (WMI) protocol, please visit the following link: http://msdn.microsoft.com/en-us/library/ms811553.aspx

What are the minimum requirements for using WMI with the Safend protector? 1. The Safend domain Service account must have sufficient privileges over the WMI objects on the target machines. By default the built in Domain Admin group is part of the local admin group of any target machine in the network, thus Domain Admin group, most likely