
safend

Securing Your Endpoints

SAFEND SUPPORT KNOWLEDGE BASE DOCUMENT

February 2009

1. Table of Contents
2. Introduction:
3. Safend Protector Client
3.1. Safend Protector Client architecture
3.2. Support logs
3.3. Troubleshooting Guidelines
3.4. Safend Protector Client Support Solutions
3.4.1. Clients not sending logs back to the Safend Server
3.4.2. Pointing the installation to the SCC file
3.4.3. Uninstalling the Safend Protector Client via startup script
3.4.4. Silent install of a client
3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client
3.4.6. Installing the Safend Protector Client by a startup script with elevated privileges
3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed) – Version 3.2, 3.3
3.4.8. Sonic DLA burning not supported by Safend Protector
3.4.9. Cleanup utility for the Safend Protector Client
3.4.10. Using the Registry To Check If A Policy Was Updated
3.4.11. Client stops sending logs to the server when disabling the sprotector service
3.4.12. Bubble notifications are not displayed for Safend Protector Events
3.4.13. Client installation fails instantly with an error message requesting to reboot
3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands
3.4.15. Changing the Safend Protector Client installation method
3.4.16. User or Computer Policy Uninstall Password
3.4.17. Changing the Safend Protector Balloon Message Display Time
3.4.18. Installing Safend Protector Client to a Non-Default Folder
4. Safend Protector Management Server
4.1. Safend Protector Management Server architecture
4.2. Support logs
4.3. Troubleshooting Guidelines
4.4. Safend Protector Management Server Support Solutions
Chapter: Introduction:

4.4.1. How to configure the Websense integration
4.4.2. How to change the synchronization interval between AD and the Management Server
4.4.3. How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3
4.4.4. How to use the log restore tool in version 3.2 GA1
4.4.5. How to obtain and change the base policy in 3.3
4.4.6. How to manually remove the Management Server and Console
4.4.7. How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many levels
4.4.8. Suspension password identified as wrong when entered to the client
4.4.9. Using the HW fingerprint tool when changing server's hardware
4.4.10. Time format conflict in the DB
4.4.11. Upgrade Path from Safend Protector 2.0 to 3.3
4.4.12. Reducing the Logs Trace Level for the Safend Server
4.4.13. Alerts on client installation are not received in version 3.3 SP1
4.4.14. Restoring a server with Content Inspection fails
4.4.15. Disabling IIS Logs (to prevent accumulation of large log files)
4.4.16. Role Based access does not function
4.4.17. When changing the server certificate to an organizational certificate, logs are not sent
4.4.18. Changing source name when sending Safend alerts to the Event Viewer
4.4.19. IIS diagnostics tool
4.4.20. User Permissions for the Safend Server
4.4.21. Unable to publish a policy and a specific error appears in the Domain Service log
5. Safend DB
5.1. Safend Protector Client Support Solutions
5.1.1. Policy not applied due to the small size of the DB column "Groups"
5.1.2. Restoring missing MySQL index files
5.1.3. Repairing corrupted MySQL index files
5.1.4. Changing external DB user, password and authentication method (domain) while connected to Protector
5.1.5. Replacing the DB which is used by Safend Protector Management Server
5.1.6. When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved.
5.1.7. When using MsSQL DB User cannot connect to the server
5.1.8. When using MsSQL DB the installation cannot create the DB
5.1.9. When using MsSQL DB performing DB related actions causes console freeze.
6. Safend Protector Management Console
6.1. Support logs
6.2. Troubleshooting Guidelines
6.3. Safend Protector Management Console Solutions
6.3.1. When trying to log-in to the console, the error message "user is not in the authorized user group" appears
6.3.2. How to login to the console without entering the password each time
6.3.3. Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication
6.3.4. Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder
6.3.5. When using role based permissions user can't publish policies
6.3.6. When using role based permissions user can't associate polices
6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs
6.3.8. Enabling WMI commands via Safend Protector
7. Safend Auditor
7.1. Troubleshooting Guidelines
7.2. Safend Auditor Support Solutions
7.2.1. Safend Auditor Command Line Parameters
7.2.2. Enabling Safend Auditor Debugging logs Note: the logs are cryptic and no one except from a developer with the code in front of him can understand them
7.2.3. Safend Auditor installation fails with DVOM registration errors
7.2.4. Opening ports on Windows Firewall for the Safend Auditor
7.2.5. Auditing a Remote Domain with the Safend Auditor
7.2.6. There is no response when clicking "View Excel"
7.2.7. Error received when attempting to view the Excel report of the Auditor scan
7.2.8. Auditor report with connection time and data transfer
7.2.9. Local machine cannot be found in Auditor report
7.2.10. Safend Auditor fails to audit certain remote machines
7.2.11. Error message received when attempting to view HTML report of Auditor scan
7.2.12. Safend Auditor Graphic Report Procedure for MS Excel
7.2.13. The Safend Auditor Scanning Method and Network bandwidth information
7.2.14. Where is the Auditor key located in the registry?
7.2.15. The Safend Auditor creates new user profiles on the audited machines
7.2.16. The Auditor seems not to detect remote devices when working via VPN
7.2.17. The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to Audit Devices.
8. Safend Reporter
8.1. Safend Reporter Support Solutions
8.1.1. Internet Explorer Error message when running any report on Safend server 3.3 SP2
8.1.2. Required IE settings for Safend reporter
9. Safend Encryptor
9.1. Safend Encryptor Support Solutions
9.1.1. Internal hard disk encryption doesn't get applied to the client due to publishing backup compatible policies
9.1.2. After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine
9.1.3. In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen,
10. Implementation
10.1. Implementation Support Solutions
10.1.1. Implementation in non directory environments
10.1.2. Environment Requirements Estimates for the Safend Protector
10.1.3. Resolving and Identifying GPO Errors
10.1.4. Building Protector Policy per Security Group (GPO policy distribution)
10.1.5. Enabling Verbose logging for GPO installations


2. Introduction:

The Support Knowledge Base document provides common troubleshooting guidelines for Safend products.
It also includes support solutions for every Safend component.

This document covers the basic knowledge that every certified Safend engineer should have when managing or
supporting Safend products.

For any further information, feel free to contact us at support@safend.com


3. Safend Protector Client

3.1. Safend Protector Client architecture

- Safend Protector consists of User and Kernel mode components.
  - The “Manager” of all components is the SimonPro.exe process.
  - Safend runs a service on the endpoint - SProtector.exe.
  - The GUI process is Simba.exe.
  - Safend Protector Emergency Clean-up utility (SPEC) is located under “…\Windows\System32\SPEC.exe”.

3.2. Support logs

- Installation logs:
  - An Event Trace Log (ETL) is automatically created during the installation process in the installation
    directory (\program files\safend\safend protector client\).
  - A file called ‘Sinta.log’ is created in the “…\Windows\temp\” directory.
  - An MSI installer log can be created when installing the Safend client using the following syntax:
    msiexec /i SafendProtectorClient.msi /l* [filename]
- Client operation logs:
  - To debug a certain issue, you need to create an ETL file and Policy XML files.
- Creation of an ETL file:
  - Open regedit.
  - Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
  - Add a new dword called ‘dll’ and assign it the value 3.
  - A file with the ETL extension will be created in the installation directory (“…\program files\safend\safend
    protector client\”).
  - Reproduce the issue scenario.
  - Change the dword value to 0.
- Creation of Policy XML files:
  - Open regedit.
  - Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
  - Add a new dword called ‘dll’ and assign it the value 4.
  - From the client GUI press Policy Update.
  - Policy XML files will be created in the installation directory (“…\program files\safend\safend protector
    client\”).
  - Change the dword value to 0.
- Creating a memory dump:
  - In cases of a BSOD, a full memory dump is needed in order to investigate the cause of the issue.
  - Configuring a full memory dump: My Computer -> Properties -> Advanced -> Startup and Recovery
    -> Settings -> Write debugging information -> select Complete memory dump.
  - A BSOD memory dump can be opened with the Windows Debugging Tools (windbg) to determine what was
    the probable cause of the BSOD.
  - Send the dump to Safend Support with the needed information.

3.3. Troubleshooting Guidelines

- When investigating an issue regarding the Safend Protector Client, most issues fall under the following
  categories:
  - Safend Client fails to install/uninstall.
  - Safend Client fails to send logs back to the Safend Server.
  - Safend Client fails to receive/apply policies.
  - Safend Client handles a device incorrectly.
  - Safend Client conflicts with other software/BSOD.

- Safend Client Fails to Install/Uninstall

- When you encounter installation/uninstall issues, the following needs to be performed:
  - Try the installation process again.
  - Try the installation process on a different machine.
  - Try to completely remove the Safend Client using the SPEC utility and run the installation process again.
- If one of the above was successful, the differences between the two attempts must be inspected.
  Examples of differences between installation attempts:
  - The new machine is in a different domain.
  - A specific machine had environmental issues.
  - There are different security configurations on the machine.
  - The SPEC utility removed random corruptions that were previously on the machine.

- Safend Client Fails to Send Logs/ Receive Policies to/from the Safend Server

- When the client is not sending logs or receiving policies the following needs to be verified:

Chapter: Safend Protector Client


  - Check that Safend Server services are running and that the websites are up.
  - Check the Policy web service and event web service logs for indications of the source of the problem.
  - Try to browse Safend web services:
    https://[ServerName]:443/SafendProtector/EventSinkWebService.cs.asmx
    https://[ServerName]:443/SafendProtector/PolicyWebService.cs.asmx
  - SC commands – sc control SafendPS 222 (logs) / 225 (policies) / 228 (OTP)
  - Create an ETL file.

- Safend Client handles a device incorrectly

- When the client does not handle a device correctly, the following needs to be verified:
  - Search for the relevant log in the management console – how is the device identified (device type, port)?
  - Is it a composite device, i.e., is it identified as several devices by the OS?
  - Is the correct policy applied properly?
  - Is the policy configured properly? Was the device added/removed from the white list?
  - When auditing the device, does it appear correctly (as it appears in the policy)?

- Safend Client conflict with 3rd party software / BSOD

- When a conflict occurs between the Safend Client and 3rd party software, the following should be verified:
  - Is this a system/environment issue?
  - Is this the latest version/driver of the 3rd party software?
  - What are the exact steps that caused the issue to occur?

- When a BSOD occurs with the Safend Client, the following should be verified:
  - Is this a system/environment issue?
  - Which driver was shown as the probable cause for the BSOD?
  - What are the exact steps that caused the issue to occur?
  - Create a full memory dump and send it to Safend support with the needed information.


3.4. Safend Protector Client Support Solutions

3.4.1. Clients not sending logs back to the Safend Server

NEED:

In some cases, installed Safend Protector Clients do not succeed in sending logs back to the Safend Server. This is
usually due to environment definitions that block the log transfer to the Safend Server.

RESOLUTION:

In order to identify the issue and resolve it, please verify the following:

a) The policy you created is applied on the Client.
b) The Server is up and running (accessible by the Console).
c) Try pinging the Server from the Client machine.
d) Make sure the SSL port you use for the communication between the Server and the Clients (by default it is 443)
   is open on any firewall or port blocking application (either on the Client or on the Server).
e) Try browsing (from the Client machine) to
   https://ServerName/SafendProtectorWS/EventSinkWebService.cs.asmx
f) If all of the above is OK, activate the Client logging:
   - Run regedit.
   - Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector on V3.1
     or HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\input on V3.2.
   - Create a new DWORD called Dll.
   - Give it the value of 3.
g) Run (on the Client machine) the following command – sc control SafendPS 222
h) Change the DWORD value back to 0 to stop logging, and send support@safend.com the Solog*.etl file created in
   the \Program Files\Safend\Safend Protector Client folder.
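
Steps f) to h) above (the same ETL procedure as in section 3.2) can be scripted so that the trace value is always set back to 0, even when a step fails. This PowerShell script is an added example, not a Safend tool; the wait time, the output folder and the use of %ProgramFiles% for the install folder are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: automates steps f) to h) of section 3.4.1 on one client machine.
param(
    # Key holding the 'Dll' trace value: ...\Protector\Input on V3.2, ...\Protector on V3.1.
    [string]$KeyPath     = 'HKLM:\SOFTWARE\Safend\Protector\Input',
    # Assumed install folder (the default location named in this document).
    [string]$ClientDir   = (Join-Path $env:ProgramFiles 'Safend\Safend Protector Client'),
    # Assumption: how long to let the client attempt the log transfer before tracing stops.
    [int]$WaitSeconds    = 60,
    # Hypothetical output folder for the collected trace files.
    [string]$OutDir      = (Join-Path $env:TEMP 'SafendEtl')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Registry key not found: $KeyPath (on V3.1 pass -KeyPath 'HKLM:\SOFTWARE\Safend\Protector')"
}

$started = Get-Date
try {
    # Step f: Dll = 3 switches ETL tracing on.
    New-ItemProperty -Path $KeyPath -Name 'Dll' -PropertyType DWord -Value 3 -Force | Out-Null

    # Step g: trigger the log transfer.
    # In Windows PowerShell 'sc' is an alias for Set-Content, so sc.exe is called explicitly.
    & sc.exe control SafendPS 222 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "sc.exe control SafendPS 222 returned $LASTEXITCODE; check that the service is running."
    }
    Start-Sleep -Seconds $WaitSeconds
}
finally {
    # Step h: tracing is switched off again even if a step above failed.
    New-ItemProperty -Path $KeyPath -Name 'Dll' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Collect only the Solog*.etl files written during this run.
$etl = Get-ChildItem -LiteralPath $ClientDir -Filter 'Solog*.etl' |
    Where-Object { $_.LastWriteTime -ge $started }

if (-not $etl) {
    Write-Warning "No Solog*.etl file was written in '$ClientDir' since $started."
    return
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl | Copy-Item -Destination $OutDir
$etl | Select-Object Name, Length, LastWriteTime
```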

3.4.2. Pointing the installation to the SCC file

NEED:

To point the installation to the location of the SCC files.

PROBLEM:

The SCC file must be in the same directory as the installation file.

SOLUTION:

When running the client installation, a parameter can be specified to access the SCC file:
msiexec /i safendprotectorclient.msi /standalone="[path to SCC]"

3.4.3. Uninstalling the Safend Protector Client via startup script

NEED:

When uninstalling the Safend Protector client in a large environment, a method for performing mass
uninstallation is required. Below you will find instructions for executing such a method, using a GPO linked to a
startup script which uninstalls the protector.

RESOLUTION:

Open Notepad and enter the following text:

msiexec.exe /x "\\Servername\Path\SafendProtectorClient.msi" /qn UNINSTALL_PASSWORD="Password1"

Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file
used for the installation, and instead of "Password1" you enter the uninstall password defined for the client.
Save this file as a .bat file.

In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the
uninstall script.
Once the GPO is created within the OU, right click it and select edit.
In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts"
Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within
the domain controller.
Copy the script file to this location and click OK.

Once this is done, restart the relevant machines in order for the startup script to run and remove Safend's Clients
from them.

keywords: command line, uninstall

3.4.4. Silent install of a client

NEED:

When using silent installation one may want to prevent a reboot following the installation

RESOLUTION:

The reboot is caused by two factors:
1. Windows Installer requirement of a reboot following the installation
2. Safend client requirement of a reboot following the installation

Using the following command will suppress the reboot required by the Windows Installer:
msiexec /i \\PathToFile\Share\SafendProtectorClient.msi /norestart REBOOT=ReallySuppress /qn

* The /qn parameter causes a quiet installation without showing the UI.

Performing the following changes will suppress the reboot required by the client:
1. Open the clientconfig.scc file for editing
2. Search for the string “installmethod”
3. Change its value from “2” to “3”

3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client

SYMPTOMS:

On rare occasions, when trying to reinstall Safend Protector Client with a different user than the original
installation, the following message will show up:
"The Client Configuration file does not contain a valid policy."

CAUSE:

The user trying to access the encryption object doesn't have the appropriate privileges.

SOLUTION:

In such cases, perform the following:

1. In order to run the Safend Protector Client installation as the local system, run the following command:

at [time] /INTERACTIVE "cmd"

Instead of [time] write the current time + 1 minute.
For example: when the time is 16:08 write 16:09.

2. A local system window will open. Run the installation from there by writing the following:
msiexec /I SafendProtectorClient.msi

3.4.6. Installing the Safend Protector Client by a startup script with elevated privileges

NEED:

In some cases, it is not possible to implement the Safend Protector Client's installation process through a regular
GPO package. In such cases, the installation must be implemented by a GPO with a startup script, and the
administrator must enable elevated privileges for the end-users.

SOLUTION:

1. Installing the Safend Protector Client with a startup script:

Open Notepad and enter the following text:

msiexec.exe /i "\\Servername\Path\SafendProtectorClient.msi" /qn

Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file
used for the installation. Make sure the folder containing the MSI is shared. Save this file as a .bat file.

In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the
installation script.
Once the GPO is created within the OU, right click it and select edit.
In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts"
Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within
the domain controller.
Copy the script file to this location and click OK.

Once this is done, restart the relevant machines in order for the startup script to run and install the Safend Client
on them.

2. Granting elevated privileges to non-administrator users:

The following is an article by Microsoft pertaining to this issue:

Important: This article contains information about how to modify the registry. Make sure to back up the registry
before you modify it. Make sure that you know how to restore the registry if a problem occurs.

SUMMARY:

This article describes three methods by which an administrator can enable a non-administrator user to install
managed Windows Installer applications.
An application is called a "managed application" if elevated (system) privileges are used to install the application. A
situation in which you might need to install a managed application is if you are installing an application on
Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following
methods, an administrator can enable a non-administrator user to install managed applications.

A) On a computer running Windows NT 4.0, Windows 2000, or Windows XP an administrator can set the
AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to
make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the
AlwaysInstallElevated value to "1" under the following registry keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

WARNING: This particular method can open the computer to a security risk because once an administrator with
elevated privileges has set these registry keys, non-administrator users can run installations with elevated
privileges and access secure locations on the computer, such as the System folder or HKLM registry key.

B) On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for
a per-machine installation (per-machine means that it will be available for all users of that computer). The
Windows Installer always has elevated privileges while performing per-machine installations. The administrator
uses elevated privileges to advertise the package. If a non-administrator user then installs the application, the
installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that
require elevated system privileges. The following is an example of a command line used by an administrator doing
a per-machine installation:
msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1
Here is an example of how the administrator would advertise the package on the computer per-machine:
msiexec -jm c:\pathtofile\mypackage.msi
For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK:
http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp

C) On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing
the Windows Installer package using application deployment and Group Policy. The administrator uses elevated
privileges to advertise the package per machine. If a non-administrator user then installs the application, the
installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that
require elevated system privileges.

For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper:
http://www.microsoft.com/windows2000/docs/GPIntro.doc

These settings can also be set via GPO and not by directly opening the registry - the settings must be applied both
for Machines and Users:

- Computer Configuration>Administrative Templates>Windows Components> Windows Installer:


Always install with elevated privileges (enabled/disabled; this policy
must be set for the machine and the user to be enforced).

- User Configuration>Administrative Templates>Windows Components> Windows Installer:


Always install with elevated privileges (enabled/disabled; this policy
must be set for the machine and the user to be enforced)

Link to Microsoft documentation:


http://support.microsoft.com/default.aspx?scid=kb;en-us;q259459

Link to additional documentations for GPO configuration:


http://lspservices.iupui.edu/docs/win2k/gpo_configurations.asp
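
An audit for the AlwaysInstallElevated setting described above, useful for confirming that the policy is switched off again once the deployment is finished. This is an added example, not code from Safend or from the Microsoft article; the function names are hypothetical, and the registry paths are the two keys quoted in this section.

```powershell
# Added example: report where AlwaysInstallElevated is set on the local machine.
# Function names are hypothetical; the registry keys are the ones quoted above.

$InstallerPolicySubKey = 'Software\Policies\Microsoft\Windows\Installer'

function Get-InstallerElevationValue {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Returns the AlwaysInstallElevated data as an integer,
    # or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AlwaysInstallElevated
}

function Resolve-SidToAccount {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # unresolvable SID: report it as-is
    }
}

function Get-AlwaysInstallElevatedReport {
    $machineValue = Get-InstallerElevationValue -KeyPath "HKLM:\$InstallerPolicySubKey"

    # HKEY_CURRENT_USER only shows the account running the audit. Walk every
    # user hive loaded under HKEY_USERS so that all logged-on users are covered.
    $userSids = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { $_.PSChildName }

    foreach ($sid in $userSids) {
        $userValue = Get-InstallerElevationValue -KeyPath "Registry::HKEY_USERS\$sid\$InstallerPolicySubKey"
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Account      = Resolve-SidToAccount -Sid $sid
            MachineValue = $machineValue
            UserValue    = $userValue
            # The policy is enforced only when it is set for the machine AND the user.
            Elevated     = ($machineValue -eq 1) -and ($userValue -eq 1)
        }
    }
}

$report = @(Get-AlwaysInstallElevatedReport)
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Elevated }) {
    Write-Warning 'AlwaysInstallElevated is enforced: non-administrator users can run installations with elevated privileges.'
}
```

Rows where only one of MachineValue and UserValue is 1 show a half-applied policy, which is worth clearing as well so that a later change to the other key does not silently enable it.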

3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed) – Version 3.2, 3.3

NEED:

In some cases, an ETL needs to be activated for the offline access utility (Access secure data).

PROBLEM:

An ETL cannot be activated the ordinary way when a client is not installed, since the ETL requires the existence of a
registry string that indicates the Client's installation path.

SOLUTION:

In order to activate the ETL when no Client is installed:

1. Connect the encrypted device to the home machine.


2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector
3. Create a new String Value called InstallDir, and assign it the value
"c:\Program Files\Safend\Safend Protector Client". This creates the registry string that indicates where the Client
is installed (of course, the Client is not really installed; the above-mentioned path is a path created when running
the Offline Access Utility).
4. Now the ETL can be activated, as usual.

3.4.8. Sonic DLA burning not supported by Safend Protector

QUESTION:

Is the burning format used with the Sonic DLA software supported by the Safend Protector Client?

ANSWER:

The Sonic DLA software uses the UDF file system (which is supported by us) and the Packet writing burning format,
which is not supported. Therefore, the Sonic DLA burning format is not supported by the Safend Protector Client,
which means it will be blocked if the policy applied has the check box for "Block unsupported burning formats"
checked.

From Roxio
09/20/07 3:10 PM

Thank you for contacting Roxio Technical Support

Our apologies for the earlier agent's response. Please disregard it.

Drag to Disk and DirectCD have been discontinued in version 10 of our software due to
compatibility concerns. You should, however, be able to manage anything that they were able
to do using version 10.

Please tell us what you are trying to accomplish with them so that we may suggest other
means of doing so.

If the information provided does not resolve your issue simply update your web ticket with a
detailed explanation with the steps you have tried and any error messages you receive.

Regards,

Roxio Technical Support


http://support.roxio.com

Thank you for your comments and we appreciate the feedback

More information can be found at:

http://forums.support.roxio.com/lofiversion/index.php/t28374.html

3.4.9. Cleanup utility for the Safend Protector Client

NEED:

In some very rare cases, the Safend Protector Client installation may fail, rendering the Safend Protector Client
unable to function. In such cases, an alternate way of removing the Safend Protector Client is needed.

RESOLUTION:

The Safend Protector Emergency Cleanup utility - SPEC, is used to uninstall the Safend Protector Client in Cleanup
Mode. Once unzipped, it is ready for use, and requires only a link to the ClientConfig.scc file and the global uninstall
password.
If any of these details are not available, we will be able to generate a machine-specific Cleanup key according to
the Cleanup Token, provided by the utility. Please contact support@safend.com and request the SPEC utility and
the cleanup key for your machine's token.

Remember! This is more of a last resort for cleaning up the protector when nothing else can be done. Usually, we
would want to get to the bottom of why the crash happened so we will be able to improve the Safend protector to
be able to cope with such situations in the future.

In version 3.2 and above, the Spec.exe utility is located in the windows\system32 directory.

3.4.10. Using the Registry To Check If A Policy Was Updated

QUESTION:

I would like to integrate a third party tool in order to distribute policy registry files to the end point. I would like to
have an indication that the policy was indeed updated.

ANSWER:

The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\LastPolicyUpdate is a 4-byte key that
contains the time at which the policy was last updated. You can use this key to check for policy updates.

The key "LastPolicyUpdate" is set to indicate that a policy was pulled from the GPO, without consideration of
whether the content of the policy was updated. As the computer pulls policies on startup, it will show an update
when the computer is restarted, even though the content of the policy is not changed.

3.4.11. Client stops sending logs to the server when disabling the Sprotector service

PROBLEM:

When local admin credentials are used to disable the Sprotector service and then close it, the Safend Client stops
sending logs to the server.

SOLUTION:

This behavior of the Client is by design. The only effect of the procedure on the Safend Client is that it will not
send logs until the next time it is loaded. All other parameters of the Client remain exactly as they were before the
procedure: all ports, devices, storage devices, files, etc. will act exactly as they did before. Note that a user in an
organization will usually not receive local admin rights on machines, so this shouldn't be a major issue.

3.4.12. Bubble notifications are not displayed for Safend Protector Events

SYMPTOM:

After installing the Safend Protector Client, Event Messages (Pop Up Messages) for device/port actions, do not
appear.

CAUSE:

Windows registry settings have disabled Balloon Tips for the machine.

SOLUTION:

Make sure that in the registry, under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, there is no DWORD key
named EnableBalloonTips. If it exists, simply delete it.

Another simple way to control the balloons is to use a Microsoft power tool called TweakUI (the tool can be
downloaded from http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx). The option
to allow balloon tips in TweakUI can be found under the Taskbar and Start Menu option and is called Enable balloon
tips.


3.4.13. Client installation fails instantly with an error message requesting to reboot

SYMPTOM:

When trying to install the Protector Client, installation fails instantly and the following error message is received:

Safend Protector Client


Please reboot before starting the Install process

If a reboot is indeed performed, the same error message is received again.


Additionally, the sinta.log file (located at windows\temp folder) will contain only the following entries:

[installation Date and time] = Localize installation


[installation Date and time] = **********************************
[installation Date and time] = Started Install Process. [version and build number]

CAUSE:

A Client was installed on the machine in the past, or the Offline Access Utility was used on the machine in the past.
For some reason, remnants of this were left in the system, and so the current installation process behaves as if a
Client is currently installed.

SOLUTION:

Running the SPEC utility will clear any remnants of a previous Client installation or Offline Access Utility use.
Note that a SPEC utility of the same version or of a version above the version of the previous Client or Offline
Access Utility is to be used.

3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands

NEED:

In cases where the WMI commands from the management console are not working, it is possible to trigger management
commands (update policy, send logs, etc.) to the Protector Client from the command line.

SOLUTION:

The SC command (supplied with Windows XP or higher) can be used to specifically trigger our process for the
following actions.

Send logs now! (without waiting for the interval):


sc control SafendPS 222

Update policy from the GPO (similar to gpupdate /force, but specific to our product and faster):
sc control SafendPS 223

Update policy from REG file:


sc control SafendPS 225

Force InitOTP (In case Client will not accept any passwords, or server will not generate them):
sc control SafendPS 228

For Windows 2000 machines this command can be run remotely (i.e.: sc \\ComputerName control SafendPS 223).
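
The trigger commands above can be combined with the LastPolicyUpdate registry key from section 3.4.10 to confirm that a refresh actually reached the Client. The following is an added example, not a Safend tool; the function names are hypothetical, and it assumes LastPolicyUpdate is stored as a value (DWORD or 4-byte binary) under HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector and does not try to decode the time it holds.

```powershell
# Added example: trigger a policy refresh and confirm it through LastPolicyUpdate.
# Assumption: LastPolicyUpdate is a value under the Protector key; its time
# encoding is not documented here, so the data is only compared, not decoded.

function Get-SafendLastPolicyUpdate {
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Safend\Protector' `
        -Name 'LastPolicyUpdate' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $raw = $item.LastPolicyUpdate
    # Normalise to a string so DWORD and REG_BINARY data compare the same way.
    if ($raw -is [byte[]]) { return [BitConverter]::ToString($raw) }
    return [string]$raw
}

function Invoke-SafendPolicyRefresh {
    param(
        # 223 = update policy from the GPO, 225 = update policy from REG file
        [ValidateSet(223, 225)][int]$ControlCode = 223,
        [int]$TimeoutSeconds = 60,
        [int]$PollSeconds = 2
    )
    $before = Get-SafendLastPolicyUpdate

    # Call sc.exe by full path: in Windows PowerShell, "sc" alone is an alias
    # for Set-Content and would not reach the Service Control Manager.
    $scOutput = & "$env:SystemRoot\System32\sc.exe" control SafendPS $ControlCode 2>&1
    $triggered = ($LASTEXITCODE -eq 0)

    $after = $before
    $changed = $false
    if ($triggered) {
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while (-not $changed -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds $PollSeconds
            $after = Get-SafendLastPolicyUpdate
            $changed = ($null -ne $after) -and ($after -ne $before)
        }
    }

    # A changed value means a policy was pulled, not that its content differs:
    # the key is also rewritten on every restart.
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        ControlCode = $ControlCode
        Triggered   = $triggered
        Before      = $before
        After       = $after
        Pulled      = $changed
        ScOutput    = ($scOutput | Out-String).Trim()
    }
}

Invoke-SafendPolicyRefresh -ControlCode 223 | Format-List
```

A result with Triggered true and Pulled false after the timeout is the case to investigate, for example a Client whose service accepted the control code but never re-read its policy.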

3.4.15. Changing the Safend Protector Client installation method

NEED:

During the installation of the Safend Protector Client, the installer will go through a process of restarting all the
devices in order to make sure its drivers are effective immediately after the installation without the need for a
reboot.
The default installation method might take a few minutes to complete, depending on the number of connected
devices. Additionally, the administrator should consider a momentary network disconnection during this phase. In
case the administrator would like to avoid this, a simple parameter may be added to the Safend Protector Client
Configuration file (ClientConfig.scc).

RESOLUTION:

In order to configure the installation method, open the ClientConfig.scc file which is created using the Safend
Protector Management Console and add the following lines:

[InstallParams]
InstallMethod=x

where x is the option parameter as listed below:

InstallMethod=0

This is the default method (as if no parameter is added at all).


During the installation process all the ports and devices are restarted. If one of the devices has failed to restart, the
user is prompted to reboot.

InstallMethod=1

During the installation process, all the ports and devices are restarted. The user is not prompted to reboot, even if
one of the devices has failed to restart. It is important to note that the endpoint will not be fully protected by the
Safend Protector Client until the system restarts. It is the responsibility of the system administrator to schedule this
system restart.

InstallMethod=2

During the installation process, none of the ports or devices are restarted. At the end of the installation, the user is
always prompted to reboot.

InstallMethod=3

During the installation process none of the ports or devices are restarted. The user is not prompted to reboot. It is
important to note that the endpoint will not be fully protected by the Safend Protector until the user restarts the
computer. It is the responsibility of the system administrator to schedule this system restart.

3.4.16. User or Computer Policy Uninstall Password

QUESTION:

If I set a different Uninstall Password for the Computer policies and the User policies, which password should I use
to uninstall the Safend Protector Client?

ANSWER:

There are three scenarios that can be recognized in this situation:

1. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was either applied or not.
The current policy is applied for the logged on USER. The Safend Protector is uninstalled manually. ==> The
uninstall password is the one set in the USER policy

2. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was never applied. There is
currently no logged on user, so the default policy, as set in the Client Configuration file is applied. (This is the
situation if the uninstall process is taking place through Active Directory). ==> The uninstall password is the Global
uninstall password as it is set for the COMPUTER.

3. The machine was installed with the Safend Protector. A COMPUTER policy was applied. There is currently no
logged on user, so the COMPUTER policy is applied. ==> The uninstall password is the one set in the COMPUTER
policy.

3.4.17. Changing the Safend Protector Balloon Message Display Time

QUESTION:

Can the "User Message Balloon" display time be controlled?

ANSWER:

The parameter for the Balloon Tips display time in Windows XP can be found in the registry, in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify.
The DWORD entry called BalloonTip is set by default to the value of 3 (seconds). Change its value to control the
display time of the Balloon Tips.

Some information pertaining to the Balloon Tips of the Safend Protector can be controlled through the Default
Agent Policy (the Default Agent Policy is a file that contains some parameters that are not hard-coded into the
Protector, but are also not exposed to the user. It is possible to update the Default Agent Policy if necessary). These
parameters are the number of seconds that the Protector processes wait between balloons and the number of
seconds between the last notification and the icon returning to its idle mode. In order to change the Default Agent
Policy, please contact support@safend.com.

3.4.18. Installing Safend Protector Client to a Non-Default Folder

NEED:

Is it possible to install the Safend Protector Client silently as a GPO to a folder or drive which is not the default
installation path?

SOLUTION:

Yes, it is possible to install the client to a specified directory, but the installation needs to be done using a start-up
script, instead of a package installation. The process is as follows:
1. For the OU on which you would like to install, go to the OU Properties, Group Policy tab.
2. Create a new Group Policy, and give it a name, then click Edit to open the Group Policy Editor
3. Go to Computer Configuration > Windows Settings and select Start-up > Script
4. Click the Show Files button and create a new text document containing the following command:
msiexec.exe /i "\\<Full path to the installation shared folder>\SafendProtectorClient.msi" /qn installdir="Full path to target folder"
(The "Full path to target folder" is the path to the folder in which you chose to install the client. It can be, for
example, "D:\Program Files\Safend")
5. Save the file with a *.bat extension
6. Close the folder, click the Add button and then the Browse button
7. Select the newly created batch file and click the OK button
8. Restart the target machines in the OU. The Safend Protector will be installed silently when the computer is
started.


4. Safend Protector Management Server

4.1. Safend Protector Management Server architecture

- The Safend server contains three services:
  - Safend protector DB
  - Safend protector domain service
  - Safend protector local service

- These services should start when starting the server (by default, the services are running upon server
installation).

- Safend server is using the IIS Application for communication between its components:
  - Server - Clients (Safend Protector Web Site WS)
  - Server - Management Consoles (Safend Protector Web Site)

- The IIS web site processes are visible in the Windows task manager (W3WP).

4.2. Support logs

- Safend Protector Server Logging

When investigating Safend Server issues, the Server trace logs will provide valuable information.
Each of the different Safend Protector Server components writes a separate log file.
The relevant Server logs reside under the following folders:
\Program Files\Safend\Safend Protector\Management Server\logs
C:\Temp\bin\log

4.3. Troubleshooting Guidelines

- Safend Protector Server Fails to Install/Upgrade/Uninstall

- When the installation/uninstall process fails, the following needs to be verified:
  - Were all Safend Server prerequisites met (please find the prerequisites at the end of the presentation)?
  - Are there any security hardenings that can block the installation?
  - Did the user used during installation have the appropriate credentials:
    - Local administrator
    - Domain account from your Active Directory that can control clients via WMI. We recommend using an
      account with domain administrator privileges.
    - When you use an external DB (MS-SQL), DB creator credentials are required.
  - Are there any remnants of a previously installed Server?
  - Verify that Safend services do not exist
  - Verify that Safend Web sites do not exist
  - Verify that Safend Protector folder does not exist under Program Files=>Safend
  - Under <systemroot>\program files\common files\safend unregister and delete the dll files in case they
    exist.

- Safend Protector Server Fails to Initialize

- When the Safend Protector Server fails to initialize, the following must be verified:
  - Were there any hardware changes to the Server computer? HW changes will change the machine
    fingerprint and you will need to use the HW fingerprint tool.
  - Verify that no security policy was applied to the machine.
  - Were the Server User credentials (the user supplied during installation) changed (password\permissions
    etc.)?
  - Was the Server DB user changed in any way?
  - Are there any errors in the event viewer logs?

- When investigating an issue regarding the Safend Protector Server, most issues fall under the following
categories:

- Safend Protector Server fails to install/upgrade/uninstall


- Safend Protector Server fails to initialize.


4.4. Safend Protector Management Server Support Solutions

4.4.1. How to configure the Websense integration

NEED

Installation of Safend Protector integrated with Websense.

SOLUTION

In all Safend versions
-----------------------------
To install Safend Protector with Websense integration, steps should be performed on both servers.

Websense server:

1.1 Click on configuration -> system modules
1.2 Click the add button
1.3 Choose agent type: “endpoint server”
1.4 Enter Safend Server FQDN
1.5 Enter a password (this password will be used when installing Websense files on Safend’s server)
1.6 The “endpoint server” entry should be displayed in the system modules screen.
1.7 A new file called CPS.MSI should be created

Safend server:

2.1 Copy CPS.exe to Safend server


2.2 Run CPS.MSI
2.3 Choose an installation directory
2.4 Select “agents only” installation
2.5 Click on the “endpoint support” icon, then press next
2.6 Provide the IP address for the CPS server and enter the one time password defined on the CPS server (step 5
above)
2.7 Press install

Websense server:

3.1 Press “deploy settings”

Safend server:

4.1 Press okay


4.2 Conf.xml file will be created in the directory defined during the installation

Safend console:

5.1 Open the console


5.2 Enter a license key (that includes Websense integration)
5.3 Go to tools -> administration
5.4 choose the content inspection panel
5.5 check the “integrate with a 3rd Party Content Inspection Solution” checkbox
5.6 browse to the Conf.xml file

5.7 Click “show details”


5.8 Click “OK” to apply the content inspection flag to all policies

To verify that the policy was indeed applied check content inspection status in the client GUI

Addition to Safend Protector version 3.3 and above
--------------------------------------------------------------------
Since in version 3.3 and above, the Safend client automatically encrypts the files sent to the server (for inspection
or shadowing, inspection in this case), the files are sent encrypted to the Websense server as well. The Websense
server cannot decrypt these files, and therefore they become inaccessible.

Replacing a DLL on the Safend server will cause the files not to be encrypted on the client side, and therefore will
prevent the problem on Websense’s side. In order to replace the relevant DLL:

1. Stop Safend Local service


2. Kill the W3WP process. If multiple instances of the process exist, all of them should be killed
3. Go to \program files\safend\safend protector\Management server\bin, replace the Backend.Server.dll file with
the modified one. The modified DLL for server version 3.3 build 30270 is attached to this solution. For any other
server version, a DLL should be created by Safend team.
4. Restart Safend Local service.

Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be
advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement is
manifested in the same server, since one replacement will cancel the other.

4.4.2. How to change the synchronization interval between AD and the Management Server

Note: Please be advised that changing the synchronization interval is not recommended. It can overload
the Management Server's machine and Active Directory, and it creates a load on the network. (This solution is only
relevant for versions until version 3.2 GA3.)

NEED:

Sometimes customers want to change the synchronization interval between AD and the Management Server.
By default the interval is set to 8 hours which may not be enough.

SOLUTION:

The following steps should be performed on the server machine:


1. Stop Safend services - Domain, Local, Broadcast if version 3.2 is used.
2. Kill the w3wp process (check for multiple instances, kill all of them).
3. Open with notepad the following file for edit :
C:\Program Files\Safend\Safend Protector\Management server\servercconfig.xml
4. Search for the following line :
<task name="Domain Synchronizer" type="Safend.Protector.Admin.Backend.Domain.DomainSynchronizer"
assembly="Admin.Backend.DomainSynchronizer">
5. A few lines beneath it you will find the line: <periodic hours="8" /> . Change the number to your desired interval
in hours, please use whole numbers.
6. Save the changes and close the file.
7. Start the Safend services - Broadcast if version 3.2 is used, Local; wait for the Domain service to be restarted.

4.4.3. How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3

Note: This KB article is valid only for versions 3.2 GA2 and 3.2 GA3. for version 3.2.19275

NEED:

Sometimes a need to restore a Safend Log Back (SLB) arises.

PROBLEM:

There is no “import” option in the server for the backed up logs.
A tool external to the server exists to perform this action.

SOLUTION:

Running the following command will restore all the information from a backup file to the DB.
*Please note that this action will delete all the current logs from the server

1. Rename the ".slb" file to ".slb.Zip"


2. Double click and open the ".slb.zip" file
3. Change the value inside the version.txt file from 3200 to 3210 for GA2 or 3220 for GA3 and save.
4. Rename the ".slb.zip" back to ".slb"
5. Stop safend services, leave the db service running.
6. Run RestoreTool.exe restore -backupFile "[backup file]"

where -backupFile is case sensitive and [backup file] points to the actual file location.

Note: The log restore tool cannot be used for restoration of logs from 3.2 version to 3.3 version due to a change in
the log structure in 3.3.X.

4.4.4. How to use the log restore tool in version 3.2 GA1

Note: This KB article is valid only for version 3.2.19275

NEED:

Sometimes a need to restore a Safend Log Back (SLB) arises.

PROBLEM:

There is no “import” option in the server for the backed up logs.


An external tool exists to perform this action.

SOLUTION:

Running the following command will restore all the information from a backup file to the DB.
*Please note that this action will delete all the current logs from the server
1. Stop Safend services, leave the DB service running
2. In cmd, run the following: RestoreTool.exe restore -backupFile "[backup file]"

Where [backup file] points to the actual file location

4.4.5. How to obtain and change the base policy in 3.3

Note: This solution should be done only with collaboration with Safend support.

NEED:

For various reasons, one may need to obtain the base policy and change it.

In 3.2, the base policy is one or two XML file/s located under the server “Bin” directory - “defaultAgentPolicy.xml”
and/or “defaultAgentPolicy.en-us.xml”.
In version 3.3, the base policy cannot be found in the one or two XML file/s, since they do not exist; The base policy
in 3.3 is a table in the database, which cannot be reached directly.

SOLUTION:

1. How to Obtain the base policy:


To obtain the base policy in 3.3, one should run the SPAdmin tool in
the following way:
a. Open Run / CMD
b. Type in the following (this is case sensitive):
"C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -getfile defaultagentpolicy.en-US [EnterAnyPath]:\[EnterAnyFilename].txt
c. Run the string.

This will result in a .txt file in the name and path entered. This .txt is a reflection of the base policy.

2. How to change the base policy:

After modifying and saving the .txt as required and with caution (again,
please review KB00000177 as mentioned above), in order to apply
the changes to the base policy (since this .txt is only a reflection),
one should perform the following:
a. Stop the Local service, kill the w3wp process.
b. Open Run / CMD
c. Type in the following (this is case sensitive):
"C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -setfile defaultagentpolicy.en-US [PathOfTheTxtFile]:\[TxtFilename].txt
d. Run the string.
e. Restart the above mentioned services

4.4.6. How to manually remove the Management Server and Console

NEED:

Sometimes, the Safend Protector Management Server and Console need to be uninstalled. The following solution is
required for scenarios in which you cannot uninstall successfully the Server and/or the Console using the
Add/Remove Programs menu.

SOLUTION:

There are 3 methods of removing the Safend Protector Server and Console.
One should use the methods in the order of appearance in this solution, so the cleanest possible removal will be
achieved.

Method #1 – Using the msiexec /x command
------------------------------------------------------------
1. Download the Msiinv tool from Microsoft MSDN. Extract it to c:\ or any other path.
2. In cmd, run the following command:
c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt
You may change the path to the msiinv.exe according to the previous section, and the path of the .txt to any other
path desired.
This will create a .txt file which contains a list of the programs installed on the machine according to the Windows
Installer.
3. Open the c:\msiinv_output.txt , and locate the Safend Server and/or Console entries. Copy the GUID of the
Product Code from the server and/or console entries. The GUID appears in the following format:
77BFE295-D7B7-4AF0-AF15-D14AF646AAE7.
Make sure to copy the product code and not the package code.
4. In run/cmd prompt, run the following command:
msiexec /x {Product Code}
Where the Product Code is the GUID you previously copied. Make sure to use the curly braces.
5. If you removed the Server/Console and need also to remove the Console/server, perform the previous section
again with the proper GUID (again, make sure to use the curly braces).
6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does
when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the
DBA, an action that is not supported by Safend.

Method #2 – Using the MSIzap tool
-----------------------------------------------
1. Download the Msiinv tool from Microsoft MSDN. Extract it to c:\ or any other path.
2. In cmd prompt, run the following command:
c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt
You may change the path to the msiinv.exe according to the previous section, and the path of the .txt to any other
path desired.
This will create a .txt file which contains a list of the programs installed on the machine according to the Windows
Installer.
3. Open the c:\msiinv_output.txt , and locate the Safend Server and/or Console entries. Copy the GUID of the
product code from the server and/or console entries. The GUID appears in the following format:
77BFE295-D7B7-4AF0-AF15-D14AF646AAE7.
Make sure to copy the Product Code and not the Package Code.
4. Download the SmartMSIZap tool
5. Extract the tool to c:\ or any other path.
31 | P a g e

6. From cmd prompt, run the following (path may differ according to the where you extracted the tool to):
c:\smartmsizap.exe /p {product_code} When the Product Code is the GUID you previously copied from the Msiinv
tool. Make sure to use the curly braces.
7. If you removed the Server/Console and need also to remove the Console/server, perform the previous section
again with the proper GUID (again, make sure to use the curly braces).
8. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does
when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the
DBA, an action that is not supported by Safend.

Method #3 – Server removal only* – "Aggressive" deletion of Safend Server components
------------------------------------------------------------------------------------------------------------------------
1. Stop the Safend Services: Domain, Local, Broadcast (in 3.2 and below), DB (if internal DB is used).
2. Kill the w3wp.exe process (if more than one exists, kill all of the duplicates).
3. Delete the Safend websites: In the Internet Information Services (IIS) snap-in in the Computer Management,
delete the "Safend Protector Web Site" and the "Safend Protector Web Site WS".
4. Delete the Safend services in the following order. Note that for version 3.3, the Broadcast service doesn't need
to be deleted since it doesn't exist. Also note that if an external DB was used, the Safend Protector DB service
doesn't need to be deleted since it doesn't exist.
a. In cmd type:
sc delete "safend.protector.admin.app.managementserver.broadcastservice"
Press enter, and if the service was deleted successfully, the following line will appear:
SC [DeleteService] SUCCESS.
b. In cmd type:
sc delete "safend protector db"
Press enter, and if the service was deleted successfully, the following line will appear:
SC [DeleteService] SUCCESS.
c. In cmd type:
sc delete "safend.protector.admin.app.managementserver.domainservice"
Press enter, and if the service was deleted successfully, the following line will appear:
SC [DeleteService] SUCCESS.
d. In cmd type:
sc delete "safend.protector.admin.app.managementserver.localservice"
Press enter, and if the service was deleted successfully, the following line will appear:
SC [DeleteService] SUCCESS.
5. Go to the server's installation path, and change the name of the folder "management server" to "management
server old" or any other name.
6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does
when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the
DBA, an action that is not supported by Safend.

* Method #3 does not relate to the removal of the console. The console can always be removed using method #1
or #2.

4.4.7. How to view the lower levels of the organizational tree in 3.3 console when the directory tree has
many levels

SYMPTOM:

In environments where the directory tree has many levels in its hierarchy, around 7 levels and above, only the few
highest levels can be seen in the console when browsing in the organizational tree in the Clients world or in other
places where the organizational tree is displayed.

CAUSE:

The component in the console that displays the organizational tree is a 3rd party component integrated into the
console. This component has a performance issue that causes long delays when trying to display a directory tree
that has many OUs under the root level. In version 3.3, in order to improve performance, the console was configured
to automatically create "virtual containers", each of which contains a certain number of OUs. These
containers are relevant for the display only and are not created in the domain controller. In this way, the
loading time of the organizational tree decreases significantly.
However, because of the way they work, the virtual containers prevent the display of the lower levels of the
directory tree in trees with many levels.

SOLUTION:

It is possible to increase the number of OUs each virtual container contains, thus effectively disabling the
virtual containers. This is done by modifying the consoleconfig.xml file.
Note that if multiple consoles are used (remote consoles), the modification should be performed on each and
every console.

1. Close the console and kill the W3WP process. In case multiple instances of the process exist, kill all of them.
2. Go to C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole, open the
consoleconfig.xml file for editing.
3. Search for the following item: <item name="treeNodeChildMaxCount" type="System.Int32">200</item>
4. Change the value of "200" to a very large number, such as "100000".
5. Save the consoleconfig.xml and exit.
6. Open the console and check if the lower levels of the organizational tree are displayed now.
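
The edit in steps 2 to 5, as an added Python example (not Safend's own tooling): it keeps a backup, refuses to touch the file unless exactly one matching item exists, and rejects values that do not fit the declared System.Int32 type. The sample file content, including the root element and the second item, is constructed for the demonstration.

```python
import re
import shutil
from pathlib import Path

INT32_MAX = 2**31 - 1  # upper bound of System.Int32, the type declared on the item

# Constructed sample; only the treeNodeChildMaxCount line is taken from the article.
SAMPLE_CONFIG = (
    b'<?xml version="1.0" encoding="utf-8"?>\r\n'
    b'<config>\r\n'
    b'  <item name="otherSetting" type="System.Int32">5</item>\r\n'
    b'  <item name="treeNodeChildMaxCount" type="System.Int32">200</item>\r\n'
    b'</config>\r\n'
)


class ConfigEditError(Exception):
    """Raised when the file cannot be edited safely."""


def set_int32_item(xml_bytes, name, new_value):
    """Return (updated_bytes, old_value) with the named Int32 item set to new_value.

    The edit is done on raw bytes so that encoding, line endings and all other
    content of the file are preserved exactly.
    """
    if not 0 < new_value <= INT32_MAX:
        raise ConfigEditError(f"{new_value} does not fit a positive System.Int32")
    pattern = re.compile(
        rb'(<item\s+name="%s"\s+type="System\.Int32"\s*>)\s*(-?\d+)\s*(</item>)'
        % re.escape(name.encode("ascii"))
    )
    matches = pattern.findall(xml_bytes)
    if len(matches) != 1:
        raise ConfigEditError(f"expected exactly one {name} item, found {len(matches)}")
    old_value = int(matches[0][1])
    updated = pattern.sub(
        lambda m: m.group(1) + str(new_value).encode("ascii") + m.group(3), xml_bytes
    )
    return updated, old_value


def raise_tree_limit(config_path, new_value=100000):
    """Apply the change to consoleconfig.xml; return (old_value, backup_path).

    Run this only after the console is closed and W3WP is stopped (step 1).
    """
    path = Path(config_path)
    updated, old_value = set_int32_item(path.read_bytes(), "treeNodeChildMaxCount", new_value)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # untouched copy for rollback
    path.write_bytes(updated)
    return old_value, backup


if __name__ == "__main__":
    new_bytes, old = set_int32_item(SAMPLE_CONFIG, "treeNodeChildMaxCount", 100000)
    print(f"treeNodeChildMaxCount: {old} -> 100000")
    print(new_bytes.decode("utf-8"))
```

The largest value the item can hold is 2147483647, so a "very large number" must stay at or below that.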


4.4.8. Suspension password identified as wrong when entered to the client

SYMPTOM:

The one-time suspension password (OTP) generated from the console in order to suspend the client's action is
identified as a wrong password when entered in the Client's GUI.

SOLUTION:

The steps below should be followed in order to identify and solve the source of this issue:

1. If the password was typed and not copied:
Make sure it was entered in uppercase and not in lowercase, since the suspension passwords are always in
uppercase.

2. If this password was entered in lowercase twice or more in the specific client:
Neither the password in question nor any newly generated password will be accepted, since the suspension
mechanism has been locked. In order to release the suspension mechanism, the OTP pool should be regenerated
(InitOTP). This is done by running the following command on the client machine:
sc control SafendPS 228
As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI
command from the Clients world, by right-clicking the client/s and choosing "InitOTP".
Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP
pool initialization process.

3. If this password was always entered in uppercase in the specific client:

a. It is possible the OTP pool was exhausted. In order to regenerate it, use the following command:
sc control SafendPS 228
As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI
command from the clients world, by right-clicking the client/s and choosing "InitOTP".
Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP
pool initialization process.

b. If regenerating the OTP pool didn't help, make sure the client can browse to the OTPWebService page in the
SafendProtectorWS website. The address of the OTPWebService page is:
https://[ServerName]/SafendProtectorWS/OTPWebService.cs.asmx
Successful browsing will result in an approval page (since the connection is made through SSL).

c. If the client can browse successfully to the OTPWebService page, examine and escalate the OTPWebService
server log, and activate an .etl while performing the command:
sc control SafendPS 228

4.4.9. Using the HW fingerprint tool when changing server's hardware

NEED:

Sometimes a change to the server hardware needs to be performed. This solution also applies when changing a VM
workstation.

PROBLEM:

Every machine's hardware has a unique fingerprint that Safend uses for certification. When you change the server
machine’s hardware, the HW fingerprint changes automatically. The mismatch between the HW fingerprint that is
stored in the Safend server configuration and the machine’s new fingerprint causes a conflict that prevents the
server from running.

SOLUTION:

After changing the hardware, perform the following steps:
• If running, stop the server’s services in the following order: Broadcast, Local and Domain.
• Run the attached Hardware Fingerprint Tool (after renaming the file’s extension back to zip) in order to reset
the license.
• When running the HW Tool, if a message window pops up regarding an invalid key, click “No” to return to
defaults, and send the new fingerprint to Safend support.
• Restart the services: Broadcast, Local and Domain.
• If running, kill the IIS processes: w3wp.
• Reopen Safend Protector Console.

4.4.10. Time format conflict in the DB

*Note - this KB article describes changes to DLL files which are part of the Safend system. Applying this
article incorrectly may cause the server to become dysfunctional. If you are unsure of how to do it, please contact
Safend support.

SYMPTOM

In version 3.2 with an MS SQL environment, when trying to change a global policy setting, an error message appears
regarding the regional time/date format. The problem also appears when trying to save a policy. When trying to enter
the logging tab in the policy world, the console crashes, followed by an "internal error message".

CAUSE

One of the regional settings definitions is different on the console machine, the server machine or the MS-SQL
machine. The server doesn't know how to handle different date/time formats (the problem is fixed in 3.3).

SOLUTION

This issue is resolved in version 3.3 and above. Also, if 3.2 GA3 is used, a resolution is possible by replacing one
of the dll files. Follow these instructions:

1. When installing a new server, use the GA3 installation. Following the install, you will need to replace the
Admin.Utils.GeneralUtils.dll with the new one we gave you.
2. The dll should be replaced as follows:
a. Stop the Safend services (stopping the Safend broadcast service will stop the domain and the local services as well).
b. Copy the “Admin.Utils.GeneralUtils.dll” to < Safend\Safend Protector\Management Server\bin >. This will
overwrite the existing dll file.
c. Then copy this dll file to the management console installation folders on every running console on the system
(in the web session we only replaced the dll on the local console on the server machine). The dll should be
replaced in the console installation folder as follows:
- Copy the dll to < \Safend\Safend Protector\Management Console >. This will overwrite the existing dll.
- Copy the dll to < \Safend\Safend Protector\Management Console\ManagementConsole >. This will overwrite the
existing dll.
d. Open the command line window and go to the server bin path.
e. Run the following command: " SPAdmin /updateconfig /getfile globalPolicyBody <pathToFile>" (the getfile
command retrieves the value of the globalPolicyBody item in the serverconfig DB table). Note: The item name is
case sensitive, so please pay attention when running the command.
f. A file is created with the name "temp.xml". Open it and look for the problematic string (look for the word “false”
and then change the problematic separators to " : " separators). Save the file.
g. Run the following command: " SPAdmin /updateconfig /setfile globalPolicyBody <pathToFile>" (the setfile
command stores the file contents in the globalPolicyBody item in the serverconfig DB table).
h. Stop the Safend services and kill the W3WP processes.
i. Replace the dll files in the management console and console updater.
j. Turn on the Safend services.

Once the change has been made for the existing components, it must also be made in the installation package so
that new consoles will also include this change.

In order to replace the Admin.Utils.GeneralUtils.dll in the management console install package, please perform the
following:
1. Under < \Safend\Safend Protector\Management Server\consoleUpdater > you will find the console.zip file, which
includes the actual console install files that are used upon the console installation.
2. Extract the console.zip folder to any destination.
3. After extracting console.zip, please copy Admin.Utils.GeneralUtils.dll to the extracted folder. This will overwrite
the existing Admin.Utils.GeneralUtils.dll.
4. Compress the extracted console folder, which includes the new dll, and name it console.zip.
5. Copy console.zip to < \Safend\Safend Protector\Management Server\consoleUpdater > and overwrite the
existing console.zip from before the change of the .dll.

e. After performing all the replacements of the dll, please start the Safend server services again (start the
broadcast, then the local and finally the domain service), then kill the w3wp process and then start the console.

3. Please note that this issue will only happen when there is a difference between the regional settings of at least
one of the console machines or the server, and not on every environment. This fix is included in version 3.3.

4. In addition, to fix the problem after it happens using the SPAdmin tool:
a. Open the command line window and go to the server bin path.
b. Run the following command: " SPAdmin /updateconfig /getfile globalPolicyBody <pathToFile>" (the getfile
command retrieves the value of the globalPolicyBody item in the serverconfig DB table). Note: The item name is
case sensitive, so please pay attention when running the command.
c. A file is created with the name "temp.xml". Open it and look for the problematic string (look for false and then
change the problematic separators to " : " separators). Save the file.
d. Run the following command: " SPAdmin /updateconfig /setfile globalPolicyBody <pathToFile>" (the setfile
command stores the file contents in the globalPolicyBody item in the serverconfig DB table).
e. Stop the Safend services and kill the W3WP processes.
f. Replace the dll files in the management console and console updater.
h. Turn on the Safend services.

4.4.11. Upgrade Path from Safend Protector 2.0 to 3.3

NEED:

At some customer sites, version 2.0 of the Safend Protector is installed, and an upgrade path to version 3.3 is
needed.

RESOLUTION:

No direct upgrade path is available from 2.0 to 3.2.

The current options for moving from version 2.0 to 3.3 are:

a) Uninstalling version 2.0 (Management Tools and Clients) and installing version 3.3
b) Upgrading version 2.0 to version 3.1 (Server and Clients), and then upgrading version 3.1 to 3.3

To upgrade your Safend Protector from V2.0 to V3.1

1. Export your current V2.0 policies manually using the Policy Builder.

2. Place the Safend Protector V2.0 datasource.smc file in the same folder in which the ManagementServer.msi file
is (This is the temporary folder into which the Self Extractor opens the installation files - C:\Temp). The .smc file is
placed in the System Configuration folder that you created while installing your first Management Tools in V2.0.

3. Install the Safend Protector Management Server.

4. Edit the exported .spl file, and go to:
ProtectorPolicy -> Body -> uiPolicy -> Security -> restrictedPorts -> deviceApproval -> detailedPolicy -> deviceTypes

Add the following value at the bottom of the list:

<deviceType name="KeyLoggers" security="Allow" activityLogging="Log" />

5. Import the policies that you exported manually into Safend Protector Management Console.

6. Upgrade the Safend Clients to version 3.1.



4.4.12. Reducing the Logs Trace Level for the Safend Server

NEED:

By default the Safend Protector Server logs are set to DEBUG level, for writing every Server action, in order to have
the most detailed logging for any investigation needed. In most environments, this level of logging is not necessary,
and should be changed in order to reduce the server resources needed for Log writing.

SOLUTION:

To Reduce the Logs detail level, open serverconfig.xml for editing (the file is located at \Program
Files\Safend\Safend Protector\Management Server\).
For each of the Server services (domainservice, broadcastservice, localService, managementServer,
eventSinkWebService, otpWebService, consoleUpdaterSite, consoleUpdaterManifestsGenerator) edit the
"TraceLevel" item.

By default it is set to "Debug". The values for this item are:

1) Debug - full logging for each event.
2) Warning - logging for Warnings and above.
3) Error - logging for Errors only.

By setting the TraceLevel to Error, the least logging will take place, and reduce load on the Server resources.

4.4.13. Alerts on client installation are not received in version 3.3 SP1

Note: This solution should be applied only in collaboration with Safend support.

SYMPTOM:

Alerts on client installation are not received in version 3.3 SP1. The logs for the client installation are received
though.
This happens even after performing the proper procedure of generating this type of alerts - defining that this type
of event should generate an alert under Tools --> Global Policy Settings --> Alerts, then recreating the .scc file and
using it to install / upgrade clients.

CAUSE:

Generally, the .scc file contains the global policy settings that exist when the file is being generated; consequently,
these settings will be included in the initial policy a client receives. In 3.3 SP1, the definition of alert on client
installation events doesn't get into the .scc file, and so the initial policy doesn't contain this definition and the alerts
are not generated.

SOLUTION:

In 3.3 SP1, a number of files are to be replaced on the server and on the console(s) in order to make the .scc file
receive the client installation definition from the global policy settings:

Extract the attached RAR to a temporary folder. The RAR file contains two folders – Management Console (contains
one DLL file) and Management Server (contains a few DLL files).

Replacing the DLLs for the server, local console and future remote consoles:
--------------------------------------------------------------------------------------------------------
1. In the server machine, close the console and stop the 2 Safend services – Domain service, Local service.
2. Copy the DLLs from the Management Server folder in the temporary folder, to the folder
C:\Program Files\Safend\Safend Protector\Management Server\bin. Replace all existing files.
3. Copy the DLL from the Management Console folder in the temporary folder, to the folder C:\Program
Files\Safend\Safend Protector\Management Console\ManagementConsole. Replace the existing file.
4. Copy the DLL from the Management Console folder in the temporary folder to the following zip:
C:\Program Files\Safend\Safend Protector\Management Server\consoleUpdater\console.zip, replacing the existing
file inside the zip. This will enable future remote consoles to be installed with the modified DLL, without the need
to apply it to them.
5. Restart the Safend services – Local service, Domain service.
6. Kill the W3WP process. In case multiple instances of it exist, kill all of them.

Replacing the DLLs for existing remote consoles, in case you use such:
-------------------------------------------------------------------------------------------------
1. In the console machine, close the console.
2. Copy the DLL from the Management Console folder in the temporary folder, to the folder
C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole. Replace the existing file.

4.4.14. Restoring a server with Content Inspection fails

PROBLEM:

Restoring a server with Content Inspection fails

NEED:

User wants to restore his server from a backed up configuration (SCB file).

The installation throws an exception saying: "fail to validate config backup file: system.xml.xmlexception – the xml
declaration is unexpected. Line 86, position 7"

This is caused by a wrong line in the XML file.

SOLUTION:

Rename the .SCB file to a .ZIP file
Extract it
Open the serverconfig.xml file for editing
Go to the lines that say:
<?xml version="1.0" encoding="utf-8" ?>

<contentInspection xmlns:xsd=http://www.w3.org/2001/xmlschema xmlns:xsi=http://www.w3.org/2001/xmlschema-instance>

Replace these two lines with <ContentInspection>
Compress the files back to a zip (don't compress the folder - only the files)
Rename the zip file back to .scb
Restore the server
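
The same repair as an added Python example (not a Safend tool): it rewrites the archive in memory, so the original backup is left untouched and the files stay at the archive root, and it checks that serverconfig.xml parses after the replacement. The sample archive is constructed; its root element, the extra entry and the casing of the closing tag are assumptions.

```python
import os
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

# A second XML declaration in the middle of the file, directly followed by the
# <contentInspection ...> opening tag that carries the namespace attributes.
BAD_FRAGMENT = re.compile(rb"<\?xml\b[^>]*\?>\s*<contentInspection\b[^>]*>", re.IGNORECASE)
REPLACEMENT = b"<ContentInspection>"

# Constructed sample: the declaration and contentInspection lines follow the
# article; everything else (root element, child, closing-tag casing) is assumed.
SAMPLE_SERVERCONFIG = (
    b'<?xml version="1.0" encoding="utf-8"?>\r\n'
    b'<serverConfig>\r\n'
    b'  <?xml version="1.0" encoding="utf-8" ?>\r\n'
    b'  <contentInspection xmlns:xsd="http://www.w3.org/2001/xmlschema"'
    b' xmlns:xsi="http://www.w3.org/2001/xmlschema-instance">\r\n'
    b'    <rule>constructed</rule>\r\n'
    b'  </ContentInspection>\r\n'
    b'</serverConfig>\r\n'
)


class ScbRepairError(Exception):
    """Raised when the backup cannot be repaired safely."""


def is_well_formed(xml_bytes):
    """True if the bytes parse as one well-formed XML document."""
    try:
        ET.fromstring(xml_bytes)
        return True
    except ET.ParseError:
        return False


def fix_serverconfig(xml_bytes):
    """Apply the replacement from the article; return (fixed_bytes, replacements)."""
    fixed, count = BAD_FRAGMENT.subn(REPLACEMENT, xml_bytes)
    if count == 0:
        raise ScbRepairError("no embedded XML declaration before <contentInspection> found")
    if not is_well_formed(fixed):
        raise ScbRepairError("serverconfig.xml is still not well-formed after the replacement")
    return fixed, count


def repair_scb(src, dst):
    """Write a repaired copy of the .scb at dst; the source file is never modified."""
    if os.path.abspath(src) == os.path.abspath(dst):
        raise ScbRepairError("refusing to overwrite the original backup")
    entries, replaced = [], 0
    with zipfile.ZipFile(src) as zin:
        for info in zin.infolist():
            data = zin.read(info)
            if posixpath.basename(info.filename).lower() == "serverconfig.xml":
                data, count = fix_serverconfig(data)
                replaced += count
            entries.append((info.filename, data))
    if replaced == 0:
        raise ScbRepairError("archive contains no serverconfig.xml")
    # Entry names are written back unchanged, so no extra folder level is added.
    with zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for name, data in entries:
            zout.writestr(name, data)
    return replaced


def build_sample_scb(path):
    """Create a constructed .scb (a zip) containing the broken serverconfig.xml."""
    with zipfile.ZipFile(path, "w") as archive:
        archive.writestr("serverconfig.xml", SAMPLE_SERVERCONFIG)
        archive.writestr("other.dat", b"constructed payload")


if __name__ == "__main__":
    import tempfile
    folder = tempfile.mkdtemp()
    source = os.path.join(folder, "backup.scb")
    build_sample_scb(source)
    print("replacements:", repair_scb(source, os.path.join(folder, "backup_fixed.scb")))
```

If the section still uses an xsd: or xsi: prefix after the namespace attributes are removed, the well-formedness check fails and no output file is written.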

4.4.15. Disabling IIS Logs (to prevent accumulation of large log files)

NEED:

On the Safend Protector Server machine, the IIS component records every action/connection in log files. These log
files may accumulate and become very large. After the initial installation and configuration of the Safend
Protector, it is recommended to disable the IIS Logs, in order to avoid unnecessary strain on the server machine.

SOLUTION:

In order to stop the Safend Protector Web Site in IIS from recording IIS logs, please do the following:

1) Go to the IIS snap-in.
2) Go into Web Sites, and right-click the Safend Protector Web Site.
3) Choose Properties, and go to the Web Site tab.
4) Uncheck "Enable Logging".

4.4.16. Role Based access does not function

SYMPTOM:

After linking different roles with an AD User Group, it is not possible to log in to the Safend Management Console
using a user from the said User Group.

CAUSE:

The User Group linked with a defined Safend Management Console Role does not have Local Logon access to the
Server machine.

RESOLUTION:

Add the appropriate User Group to the Logon Locally list on the Safend Management Server machine, either in a
domain policy or in the Local policy:

Local Policy -
1) Run gpedit.msc
2) Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights
Assignment
3) Under Log On Locally, add the appropriate user group to the list.

Domain Policy -
1) Open a domain Group Policy for editing
2) Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights
Assignment
3) Under Log On Locally, add the appropriate user group to the list.

4.4.17. When changing the server certificate to an organizational certificate, logs are not sent

SYMPTOM:

When changing the server certificate from Safend's default certificate (created during the installation of the server)
to an organization's specific certificate, policies can be updated for the clients but logs aren't sent from them. This
is seen in 3.2 and 3.3 clients.

CAUSE:

When publishing a policy, a derivative of the certificate called the certificate self-signer is sent to the client.
A response based on the self-signer is sent back to the server when sending logs. When replacing the default
Safend certificate with an organization's specific certificate, the self-signer of the Safend certificate is still
sent to the client when publishing a policy, which causes a faulty reply when the client attempts to send logs and
thus prevents the logs from being sent: the client's reply is based on the Safend certificate, while this certificate
is no longer in effect due to its replacement.
Note that policies are updated successfully for the clients since the self-signer is not used in this process (it is
only "attached" to the policy).

SOLUTION:

This issue can be solved in version 3.3 only. This is done by replacing a DLL file on the server side, which will
cause the new, relevant self-signer to be sent to the clients.
In case there is a server cluster (possible in version 3.3 and above), the replacement should take place on every
server of the cluster.
1. Stop the Safend services – Domain, Local, and Broadcast if 3.2 is used. Leave the DB service running.
2. Go to C:\Program Files\Safend\Safend Protector\Management Server\bin
3. Replace the existing backend.server.dll with a modified copy of it.
Attached to the solution is the modified backend.Server.dll for version 3.3 build 30270; for any other 3.3 build, the
.dll file will have to be modified by the R&D team.

Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be
advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement are
manifested in the same server, since one replacement will cancel the other.

4.4.18. Changing source name when sending Safend alerts to the Event Viewer

Note: This article contains information on how to change Safend configuration files and is intended for advanced
users. If you feel uncomfortable with changing these advanced settings, please consult with Safend support or your
local Safend distributor.

NEED:

When configuring Safend Protector Alerts to be sent to an "Event Viewer" alert destination, all alerts are stored
under the application source. This can be hard to manage since other applications may also write events under the
application source, making it hard to isolate the Safend Protector events. You may change the default "Application"
source name to a unique name such as Safend by following the steps below.

RESOLUTION:

If you desire to change the source name to a unique name (easier when wanting to sort or filter out Safend logs
only), you may change 2 small parameters in the Safend Server configuration file - "\Program Files\Safend\Safend
Protector\Management Server\serverconfig.xml".

Look for the following text: eventLogSource="Application".
It should appear twice - once for the "Server Alert Action Dispatcher" and once for the "Client Alert Action
Dispatcher". Both need to be changed to your desired source name so that all types of logs will be stored using the
same source.

Example: eventLogSource="SafendAlerts"

All alerts which are forwarded to a machine's event viewer by the Safend Protector Server, will be stored under the
manually configured source name.

4.4.19. IIS diagnostics tool

NEED:

In some cases, the IIS service on the Server machine may experience problems that cause the Safend Protector
Management Server to become dysfunctional. In these cases, the problems must be identified and resolved
appropriately.

SOLUTION:

IIS problems may be diagnosed with the IIS Diagnostics Toolkit, available for download at:
http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa-73c9156706e7&displaylang=en

One of the tests that can be performed with it is the Server Permissions test in the Auth Diagnostics 1.0
component. This test displays the permissions required for the server, and whether the server has them.

Additional IIS diagnostic tools can be found at:
http://www.iis-resources.com/modules/mydownloads/viewcat.php?cid=15
http://www.iistoolshed.com/tools.aspx

4.4.20. User Permissions for the Safend Server

QUESTION:

What are the permissions needed for the user account that is used by the Safend Protector Management Server?

ANSWER:

The user account used by the Safend Server should either be a domain administrator or have the following
permissions:

a) Member of the "Group Policy Creator Owner" group in the AD

b) Have DCOM Remote Launch, Remote Activation and Remote Access permissions on all machines.

This can be set through a GPO. Under Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options:
add the user to lists on both:

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
and
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.

and apply the policy on all machines with the Safend Client.

4.4.21. Unable to publish a policy and a specific error appears in the Domain Service log

SYMPTOM:

Receiving an error when trying to publish a policy (in all methods).

In the DomainService log the following error will appear:
[2008-02-19 08:00:50.047800] [Warning] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - Mandatory publish sink
TranslationSink failed:
Safend.Protector.Admin.Utils.Exceptions.OperationAbortedException - The parameter is incorrect.
at Safend.Protector.Policy.Interop.ServerPolicyFormatterClass.AddSecurityCategory(Int32 securityConfigIndex,
Int32 portIndex, String categoryName, Int32 categoryType, Int32& categoryIndex)
[2008-02-19 08:00:50.047800] [Error] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - 1 errors occurred while
publishing policy 5 revision 44 (Safend - Allow All + Default Logging (90 minutes))

In addition, this issue occurs only with version 3.1 and 3.2.
The fix was added to 3.3.

CAUSE:

Sometimes a name that is given to a group in the White-list tab shows up in the Base Policy and therefore an error
occurs.

SOLUTION:

In order to resolve this issue please change the name of the problematic group in the White-List.

5. Safend DB

5.1. Safend Protector Client Support Solutions

5.1.1. Policy not applied due to the small size of the DB column "Groups"

SYMPTOM:

In version 3.2, machine or user policy does not apply or applies only after restart.

In the Policywebservice log, the following error message appears:


"String or binary data would be truncated"

CAUSE:

The size of the DB column called "Group", existing in the 2 DB tables called "User" and "Computers", is set to only
255 characters in version 3.2. If a user or machine is a member of AD groups whose combined names exceed 255
characters, the policy would be truncated and therefore not applied.

SOLUTION:

Increasing the "Groups" column size in both of the tables in the DB is required.

If using an external MsSQL DB (should be performed by the DBA):
----------------------------------------------------------------------------------------
1. Close the console, stop the Safend services - Domain, Local and Broadcast.
2. Open the SQL Enterprise Manager / Query Studio on the SQL Server machine.
3. Go to Databases and to the SafendProtector database.
4. Open Tables, and view the list of the different tables in the SafendProtector DB.
5. Right click the "Computers" table, choose Design Table.
6. Go to the "Groups" Column, check the length value and set it to MAX.
7. Save the changes.
8. Repeat the above steps with the "Users" table in the DB.
9. Restart the Safend Services - Broadcast, Local, Domain. Following this, run the command IISRESET from start/run
or from cmd.
11. Open the console, go to the Clients world. In the tools icon next to the Organizational Tree view, click "Sync
Tree with Directory".
12. Try publishing and updating the policy with a user or a machine to verify the policy is updated.

Chapter: Safend DB

5.1.2. Restoring missing MySQL index files

Note:
*This solution includes modification of the MySQL database, which might render the server useless. Please use this
solution with care.

NEED:

MyISAM is the default storage engine for the MySQL relational database management system, the DB used by
Safend as an internal DB.
Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and
have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table,
but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData)
extension. The index file has a .MYI (MYIndex) extension.
An example for a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the
file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computer.frm).
The MYI (and MYD & frm) files are stored in the following folder:
C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector

SYMPTOM AND CAUSE:

On some occasions, one or more MYI files may go missing due to unintentional deletion by the user. This can happen
only when the DB service is stopped, since the DB service locks the MYI files.
Although tampering with the Safend installation folder, and especially with the DB folder, might damage a Safend
server beyond repair and is not officially supported, in many cases a missing MYI can be restored.
1. A missing MYI file can prevent the console from being launched or disrupt the Logs world so that queries cannot
be used.

2. In the Managementserver log, the following error appears:

[Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information:
Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2)

In this error message, the missing MYI file's name is displayed. In the above example, the missing MYI file is the
computers.MYI.

3. In the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector,
the MYI file that appeared in the error above will not be present. In case the MYI file is present, it is probably
corrupted; in this case, please refer to KB00000230 - Repairing corrupted MySQL index files.

SOLUTION:

The safest way to restore a missing MYI file would be to revert to a recent image or snapshot of the machine. If this
is not possible, described below is a procedure that recreates the index into an MYI file copied from a different
Safend server of the same version and build number.
This procedure is composed of a part performed in the customer's environment and a part performed in Safend.
1. Preparations at the customer's server:
a. Stop the Safend services in the following order – Domain, Local, Broadcast if version 3.2 is used, DB.
b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them.
c. It is recommended to save an image or a snapshot of the server machine. If this is not possible, back up the entire
folder of C:\Program Files\Safend\Safend Protector\Management Server\database\data by copying it to a different
location.
d. Send to support@safend.com the MYD and frm files that correlate with the missing MYI file; for example, if
the computers.MYI file is missing, the computers.MYD and computers.frm files should be sent.
2. Recreating the index at Safend:
a. Set-up a Safend server of the same version and build number, stop its services including the DB service.
b. Create a temporary folder in the server machine and copy the MYI file in question to the temporary folder from
the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector in the
server you've just set-up.
c. Copy the MYD and frm files sent from the customer to the temporary folder.
d. Enter the following in cmd:

"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"

Where "tablename" should be replaced with the name of the missing MYI file.
Note that only the "-r -q" combination should be used. The -r switch must not be used alone, and no other repair
switches (such as --safe-recover) should be used either. This is because only "-r -q" doesn't touch the MYD file,
which is essential in this case.
If the repair succeeded, all 3 files (MYI, MYD and frm) should be sent back to the customer.
If the repair failed, consult with the R&D team. Be advised that it is likely that the MYI cannot be recreated and the
entire Safend server should be re-installed.
3. Returning to working state at the customer's server:
a. Replace the MYI, MYD and frm files in question with the ones sent by Safend.
b. Restart the Safend services in the following order – DB, Broadcast if version 3.2 is used, Local, Domain.
c. Open the console and check that the policies have the right associations and the logs can be seen.

5.1.3. Repairing corrupted MySQL index files

Note:
*This solution includes modification of the MySQL database, which might render the server useless. Please use this
solution with care.

NEED:

MyISAM is the default storage engine for the MySQL relational database management system, the DB used by
Safend as an internal DB.
Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and
have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table,
but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData)
extension. The index file has a .MYI (MYIndex) extension.
An example for a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the
file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computer.frm).
The MYI (and MYD & frm) files are stored in the following folder:
C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector

SYMPTOM AND CAUSE:


On some occasions, one or more MYI files may become corrupted during the regular operation of the MySQL DB. This
usually prevents the console from being launched.
There are various manifestations of this issue; some appear in the server logs and some in the Windows Event
Viewer:

1. Example #1 – The following error appears in the Managementserver log:

[Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager2] [NT AUTHORITY\NETWORK SERVICE] - Failed to obtain license information:
Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Got error 127 from storage engine

2. Example #2 – The following error event appears in the Windows Event Viewer. Usually, this event error appears
alongside the error in the Managementserver log seen in example #1.

Event Type: Error
Event Source: MySQL
Event Category: None
Event ID: 100
Date: 8/19/2008
Time: 7:51:33 AM
User: N/A
Computer: OCINSAPP01
Description:
d:\program files\safend\safend protector\Management Server\database\bin\mysqld-nt.exe: Can't open file: 'clientevents.MYI' (errno: 145)

3. Example #3 – The following error appears in the Managementserver log:

[Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information:
Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2)

Note that from example #1 alone you cannot tell which MYI file is problematic and preventing the console
from opening, but in examples #2 and #3 the problematic MYI is known (in the above examples #2 and #3, the
problematic MYIs are clientevents.MYI and computers.MYI, respectively).
Also, note that the error message in example #3 may appear as well when an MYI file is missing. Restoring
missing MYI files is described in KB00000231 - Restoring missing MySQL index files.
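
The following Python script is an added example, not Safend's own tooling: it applies the triage described in 5.1.2 and 5.1.3 to Managementserver log or Event Viewer text plus the safendprotector data folder, and decides per table whether the index file is missing or (probably) corrupted. The function names and the sample log are constructed for illustration; the error patterns are the ones shown in examples #1 to #3.

```python
import re
from pathlib import Path, PureWindowsPath

# Error shapes taken from examples #1-#3 above. \s* tolerates the line wrap
# that copied Event Viewer text can contain between "file:" and the file name.
NAMED_ERR = re.compile(
    r"Can't (?:find|open) file:\s*'([^']+\.MYI)'\s*\(errno:\s*(\d+)\)",
    re.IGNORECASE)
UNNAMED_ERR = re.compile(r"Got error (\d+) from storage engine")

# Constructed sample input: the three messages from this page, shortened.
SAMPLE_LOG = "\n".join([
    r"[Time and date] [Fatal] [...SettingsManager2] [NT AUTHORITY\NETWORK SERVICE] - "
    r"Failed to obtain license information: ...DBException - "
    r"#HY000Got error 127 from storage engine",
    r"mysqld-nt.exe: Can't open file: 'clientevents.MYI' (errno: 145)",
    r"[Time and date] [Fatal] [...SettingsManager1] [PC120001XP\ASPNET] - "
    r"Failed to obtain license information: ...DBException - "
    r"#HY000Can't find file: 'computers.MYI' (errno: 2)",
])


def table_files(data_dir):
    """Map table name (lower case) -> set of MyISAM extensions found on disk."""
    tables = {}
    for entry in Path(data_dir).iterdir():
        ext = entry.suffix.lower()
        if entry.is_file() and ext in (".myd", ".myi", ".frm"):
            tables.setdefault(entry.stem.lower(), set()).add(ext)
    return tables


def triage(log_text, data_dir):
    """Classify each affected table's index as 'missing' or 'corrupted'.

    A named .MYI that is absent from data_dir is 'missing' (restore
    procedure, 5.1.2); one that is present is probably 'corrupted'
    (repair procedure, 5.1.3).
    """
    on_disk = table_files(data_dir)
    tables = {}
    for file_name, errno in NAMED_ERR.findall(log_text):
        stem = PureWindowsPath(file_name).stem.lower()
        present = ".myi" in on_disk.get(stem, set())
        tables[stem] = {"errno": int(errno),
                        "state": "corrupted" if present else "missing"}
    # A data file without an index file is a missing index even when no
    # log line names it.
    for stem, exts in on_disk.items():
        if ".myd" in exts and ".myi" not in exts and stem not in tables:
            tables[stem] = {"errno": None, "state": "missing"}
    unnamed = [int(code) for code in UNNAMED_ERR.findall(log_text)]
    # Example #1 case: an engine error with no table identified anywhere
    # means every index file has to be checked.
    return {"tables": tables, "unnamed_errors": unnamed,
            "check_all": bool(unnamed) and not tables}


def check_commands(data_dir, myisamchk="myisamchk.exe"):
    """Build the check-only command (no repair switch) for every .MYI file."""
    return [f'"{myisamchk}" "{path}"'
            for path in sorted(Path(data_dir).iterdir())
            if path.suffix.lower() == ".myi"]


if __name__ == "__main__":
    import sys
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    result = triage(SAMPLE_LOG, folder)
    for name, info in sorted(result["tables"].items()):
        print(f"{name}: {info['state']} (errno {info['errno']})")
    if result["check_all"]:
        print("\n".join(check_commands(folder)))
```

Run it against a copy of the data folder, and pass the full myisamchk.exe path from this article as the `myisamchk` argument when generating the check commands.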

SOLUTION:

The guideline for repairing corrupted MYI files is that the data (MYD) should not be touched if possible.
1. Preparations:
a. Stop the Safend services in the following order – Domain, Local, Broadcast if version 3.2 is used. Leave the DB
service running.
b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them.
c. Back up the entire folder of C:\Program Files\Safend\Safend Protector\Management Server\database\data by
copying it to a different location. Also, you may want to save an image or a snapshot of the server machine.
2. Identifying the corrupted MYI:
The first goal is to determine which MYI file is corrupted. Usually, only one MYI file gets corrupted at a time, but
theoretically, multiple MYI files can be corrupted at the same time.
The simplest way to determine which MYI is corrupted is by checking the Event Viewer or the Managementserver
log, as seen in examples #2 and #3. In case no indication appears, as seen in example #1, use the myisamchk utility
to check the integrity of all of the MYI files.
In cmd, enter the following:

"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"

Where "tablename" should be replaced with the name of a MYI file. Repeat this action for all of the MYI files.
Attached to the solution is an example of the myisamchk's output when the MYI file is valid, and when the MYI is
corrupted.
3. Repairing the corrupted MYI:
The procedure described below can be performed on the server machine, or at Safend once a customer sends the
MYI, MYD and frm files in question. If handled at Safend, the 3 files should be put in a temporary folder on a server
machine with the same server version and build number as the customer's.
After identifying the corrupted MYI, use the myisamchk utility in cmd to repair it.
a. First, try the -r -q switches.
This attempts to repair the index file without touching the data file. If the MYD file contains everything that it
should and the delete links point at the correct locations within the MYD file, this should work, and the MYI is fixed.
The complete command should be:

"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"

Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repair the other corrupted MYI files, if there are any.
If the repair failed (clearly seen in the cmd window), continue to the next section.
b. Try to use the -r switch alone.
This removes incorrect rows and deleted rows from the data file and reconstructs the index file.
The complete command should be:

"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"

Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repair the other corrupted MYI files, if there are any.
If the repair failed (clearly seen in the cmd window), continue to the next section.
c. Try to use the --safe-recover switch.
Safe recovery mode uses an old recovery method that handles a few cases that regular recovery mode does not,
but is slower.
The complete command should be:

"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" --safe-recover "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"

Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repair the other corrupted MYI files, if there are any.
If the repair failed (clearly seen in the cmd window), continue to the next section.
d. Try to use the -f switch.
The -f switch forces the indexing by overwriting old temporary files and includes touching the data.
The complete command should be:

"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" --safe-recover "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"

Where "tablename" should be replaced with the name of the corrupted MYI file.
If the repair succeeded, continue to repair the other corrupted MYI files, if there are any.
If the repair failed (clearly seen in the cmd window), please refer to Stages 3 and 4 in the following MySQL article,
and also consult with the R&D team:
http://dev.mysql.com/doc/refman/5.0/en/repair.html
4. Returning to working state:
Start the Safend processes in the following order – Broadcast if version 3.2 is used, Local, Domain.

5.1.4. Changing external DB user, password and authentication method (domain) while connected to
Protector

QUESTION:

Is it possible to change the external DB user and password or to change the authentication method (SQL/Windows)
while it is connected to the Protector?

ANSWER:

There is no problem with changing credentials (user/domain/password), but it should be done the right way and
while the Safend services are suspended.
The SPAdmin utility cannot change more than one parameter at a time, which means that it should be executed
a few times - once for each parameter.
For example, changing the username and password to Administrator and Apple1 respectively should be done like this:

1. SPAdmin.exe -dbinfoview dbinfo.xml username=Administrator
2. SPAdmin.exe -dbinfoview dbinfo.xml password=Apple1

If required, the domain may also be changed the same way. There is no problem substituting a domain user with an
SQL user (or vice-versa).
In order to do so, just specify an empty domain name:

SPAdmin.exe /dbinfoview dbinfo.xml domain=

NOTE:
The password must always be the last parameter to change, since when specifying the new password SPAdmin tries to
connect to the DB using the existing user name and domain (specified in DBinfo.xml) and the new password.

5.1.5. Replacing the DB which is used by Safend Protector Management Server

SYMPTOM:

In some cases, replacing the DB which is used by Safend Protector Management Server is needed.

SOLUTION:

In order to replace the existing DB used by Safend Protector Management Server with another, please perform the
following steps:
1. Back up the encryption key files and configuration files through the Maintenance Tab in the Administration
Window.
2. Uninstall the Safend Protector Management Server.
3. Reinstall the Safend Protector Management Server by performing the following:
o Make sure to choose the Restore mode, which restores Server installations while maintaining the previous
configuration (as seen in the attachment).
o When installing the server using this mode, choose to use the Safend Protector backup files (as seen in
the attachment).
o Afterwards, choose which database you would like to use – an embedded database on the same
machine or an external existing MSSQL database (as seen in the attachment). Following this window, continue with
the installation.

5.1.6. When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved.

PROBLEM:

User cannot save policies, run queries, change settings or logs are not saved.

CAUSE:

The minimum required level of permissions to run and maintain the Safend Protector server is 'DB owner'.

SOLUTION:

The security level can be checked under Security --> Logins.

5.1.7. When using MsSQL DB User cannot connect to the server

PROBLEM:

User cannot connect to the server

SOLUTION:

This can be caused by a lack of connectivity or a lack of proper permissions.

1. Check that the user has the proper permissions to perform the actions he is trying to do (the minimum required
permissions are DB owner).
2. Check connectivity to the server by using the PING utility.
3. Telnet to the SQL port (TCP 1433) to see if the server is listening, using both the IP and the computer name.
4. Install 'SQL client tools' on the Safend Server.
4.a. Create a text file and rename its extension to .UDL
4.b. Open it with 'Microsoft OLE DB Provider for SQL Server'
4.c. Enter the correct user name and password
4.d. Connect to the Safend Protector DB
4.e. Server errors can be found at Management --> SQL Server Logs --> Current

5.1.8. When using MsSQL DB the installation cannot create the DB

PROBLEM:

During installation the installer cannot create the DB, and an error message appears relating to insufficient
permissions of the user used to connect to the DB.

CAUSE:

The minimum required level of permissions to install Safend Protector is 'DB creator'.

SOLUTION:

The security level can be checked under Security --> Logins.

5.1.9. When using MsSQL DB performing DB related actions causes console freeze.

PROBLEM:

When performing DB related actions the console freezes.

CAUSE:

This can be related to certain objects "locking" other objects.

SOLUTION:

In Query Analyzer / Query Studio (installed with the SQL server), run the command 'sp_who2'. Objects marked
with a red mark are "locked"; if these objects remain locked, they need to be "killed".

To kill a process, run 'Kill [object name]'

You may also run a more detailed query:

SELECT * FROM master..sysprocesses WHERE blocked <> 0 OR spid IN (SELECT blocked FROM master..sysprocesses)

Note: this solution should be performed by the customer's DBA.

6. Safend Protector Management Console

6.1. Support logs

- Safend Protector Management Console Logging

- When investigating issues with the Safend Protector Management Console, the logs provide valuable
information.

- There are 2 trace logs for the Management Console:

  o Console Updater log – \Program Files\Safend\Safend Protector\Management Console\log
  o Management Console log – \Program Files\Safend\Safend Protector\Management Console\Management Console\log

6.2. Troubleshooting Guidelines

- When investigating an issue concerning the Safend Protector Management Console, most issues fall under the
following categories:

  o Safend Protector Management Console fails to open.
  o Safend Protector Management Console fails to perform remote client commands.
  o Safend Protector Management Console general errors and exceptions.

- Safend Protector Management Console Fails to Open

- When the Management Console fails to open, the following must be verified:
  o Are the Safend Server services running?
  o Is the Management Console on the same machine as the server? If not, does the local Management
    Console, on the Safend Server machine, start successfully?
  o Is the Management Console trying to communicate using the correct SSL port? (The correct port can be
    found in IIS --> Web Sites --> Safend Protector Web Site --> Properties --> SSL port.)
  o Can the Safend Server machine be contacted from the console machine (Ping, Telnet)?
  o Can the Management Console machine browse to the Safend Server machine using the https protocol?
    - Management Console Install site: https://[servername]:4443/SafendProtector/consoleinstall.aspx
    - Change the [servername] to the real server name.
    - 4443 is the default port.

- Safend Protector Management Console Fails to Perform Remote Client Commands

- When the Management Console fails to perform remote commands, the following WMI configurations should
be examined:
  o Is the WMI service enabled and started on both the Safend Server and Client machine?
  o Can the Safend Server contact the Safend Client machine by its FQDN?
  o Does the Server User have sufficient privileges on the Target machine? i.e., permission to perform WMI
    commands.
  o Verify that the RDP ports are open.
  o Use wmimgmt.msc to verify WMI valid communication.

- Safend Protector Management Console General Errors and Exceptions

- If the Management Console experiences any error or exception during work, the following should be
examined:

  o Does the issue reproduce after a reboot?
  o Were there any configuration changes applied to the Server/Console machine?
  o Are there any errors in the event viewer logs?
  o What are the exact steps that caused the issue to occur?
  o What is the exact error message?

6.3. Safend Protector Management Console Solutions

6.3.1. When trying to log-in to the console, the error message "user is not in the authorized user group"
appears

SYMPTOM:

When launching the console, entering the credentials and trying to log-in, the log-in fails with the error message
"user is not in the authorized user group".

CAUSE:

There are 2 possible causes for this issue:


1. The user that one is trying to log-in to the console with is not in the AD User Group / local machine user group
that is authorized to use the console. By default, this group is the BUILTIN\Administrators group. Note that this
group may differ according to the settings in the Users Management menu under Tools -> Administration ->
General.
2. The IIS service was uninstalled and re-installed, after the Safend server had been installed. This causes the
deletion of the Safend websites from the original server install.

SOLUTION:

There are 2 solutions for this, respective to the cause:


1. In AD / the local machine, add the user to the User Group that is authorized to use the console.
2. Re-install the Safend server. You may want to use the Restore installation option, using the backed-up keys and
settings, in order to have the new server communicating with the existing clients and to preserve the policies and
other settings. Please review the Installation Guide before uninstalling and re-installing the server.

6.3.2. How to login to the console without entering the password each time


NEED:

Sometimes, one needs to be able to log in to the console without entering the password each time it is launched.
This is usually needed when log-on to Windows is performed using a smart card (usually it is set in AD - the
"Smartcard Required" option is active) and not using a password; in this scenario, the users usually don't know the
log-on password since they are using the smart card, and thus don't know the console's password either.

SOLUTION:

One should try to launch the console as usual for the first time, and the login window can be closed (there's no
need to enter the password).
After this, the Single Sign On (SSO) capability can be used; this is set in the "Safend Protector Web Site" properties.
See the exact steps to doing so in the attached document.
In order to have SSO enabled please do the following:


Go to IIS management, right click on the SafendProtector website and go to directory security.

Click on Edit under Authentication and access control:

Uncheck the “Enable anonymous access” and check the “Integrated Windows authentication” radio buttons.
Restart the Safend Protector website (or just restart all IIS).
Close the IIS management console.
At this stage you can delete the shortcut to the Safend management console on the desktop and create a new one
using these settings:
Right click on the desktop and choose New --> Shortcut.

Click Browse and go to program files\safend\Safend Protector\management console\management console\management console.exe

Click OK and add the -no_login switch at the end of the path created so it will look like this:
"D:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole\ManagementConsole.exe" -no_login
Make sure to replace the drive letter with the right one for the Safend installation.

6.3.3. Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication

SYMPTOM:

When trying to perform a WMI command from a 3.3 console such as retrieve logs or update policy, and if the DB is
an MS SQL installed with windows authentication, the command will not be performed and the following error
message will appear:

Notification failed – try later. Object reference not set to an instance of an object

CAUSE:

When trying to connect to the MS SQL DB using windows authentication, the impersonation process performed by
the local service happens twice instead of once as it should. Connection with double impersonation is forbidden.

SOLUTION:

The file Admin.App.WebServer.dll should be replaced in the Safend server with a modified one. This will cause the
impersonation process to happen only once, as it should.
1. Stop the Safend Local service. This will stop the Domain service as well.
2. Go to \Program Files\Safend\Safend Protector\Management Server\bin and back up the file
Admin.App.WebServer.dll to another folder.
3. Replace this DLL with the modified version. Attached to this solution is the DLL that should be used with the
3.3.30270 server version only. For any other server version and build, the DLL must be modified by the R&D team.
4. From cmd, run the IISRESET command.
5. Start the Local service and then start the Domain service.


6.3.4. Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied
to reports folder

SYMPTOM:

After upgrading to 3.3 or after a 3.3 fresh installation, opening the console fails after entering the credentials, with
the following error message:

Application Execution Error
Management Console failed to start (<unknown>(Access to the path '[Server installation path\reports\f39121dd-f95a-48c2-beed-9cefc9cc64d1' is denied)).

Note that another PID may appear instead of f39121dd-f95a-48c2-beed-9cefc9cc64d1.

This issue can occur right after the installation, but is usually seen later (after a few hours or days).

CAUSE:

In the installation/upgrade process, a folder called "reports" is created in the management server folder. This
folder stores a few files related to the Reporter.
By default, the installation/upgrade grants a full control permission to "Everyone" for this folder.
In certain environments, GPOs or other means can change the permissions on this folder (as on any other folder on
the machine) to something else, or simply deny "Everyone" full control over it. This might cause the
user who is running the Safend application pool (by default it is the "network service" user) to lose access to this
folder, and so the console cannot be opened.
Since general GPO updates usually occur once in a while, this issue is usually not experienced right after the
installation but after a certain delay, hours or days later.

SOLUTION:

Grant full control over the reports folder to the user who is running the Safend application pool (by default it is
the network service).
To check which user is running the Safend application pool, go to My Computer > Manage > Internet Information
Service > Application Pools > SafendProtectorAppPool > Properties > Identity.

6.3.5. When using role based permissions user can't publish policies

PROBLEM:

When using "Role Based Management", users from specific 'User Roles' receive an error message when trying
to publish policies via the Safend Protector Policy Server.

SOLUTION:

This issue could be related to missing permissions for this specific Role. In order to publish policies, the "User Role"
must have 'Read' permissions on the "Global Policy" tab.

NEED:

When using role based permissions, the user needs to enable "policies" but disable other options.

6.3.6. When using role based permissions user can't associate polices

PROBLEM:

When using "Role Based Management", users from specific 'User Roles' receive an error message when trying
to associate policies with organization objects via the Safend Protector Policy Server.

SOLUTION:

This issue could be related to missing permissions for this specific Role. In order to associate policies with
organization objects, the "User Role" must have 'Read' permissions on the "Clients" tab.

6.3.7. Console cannot be opened due to Local and Domain Services fail with
"System.Security.Cryptography.CryptographicException - Access is denied" in the logs

SYMPTOM:

In rare cases, on hardened machines, the local and domain services will fail to configure. This will cause the console
not to open.

1. The following error message is received:

Application Execution Error
Management Console failed to start (Access is denied)

2. A DCOM error in the Event viewer related to the user NT Authority\ Network Service will appear.

3. In the server logs, an error appears including the text:

System.Security.Cryptography.CryptographicException - Access is denied

CAUSE:

The Network Service user cannot access the cryptographic keys library in Windows.

SOLUTION:

Grant Full Control privileges to the user Network Service for the following folder:

%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys


6.3.8. Enabling WMI commands via Safend Protector

Safend Protector utilizes the Windows Management Instrumentation (WMI) protocol for providing management
capabilities over all Safend clients via the Safend server. This document covers the minimum requirements for
enabling WMI communication between the Safend server and Safend clients.

What is WMI and how does Safend Protector use it?

Windows Management Instrumentation is a set of Windows APIs in the Windows operating system that enables
devices and systems in a network, typically enterprise networks, to be managed and controlled. The Safend Agent
retrieves policies and sends logs to the server periodically over an SSL channel. However, the Safend administrator
can force the client to send logs or update policies immediately, via the management console tab. These
commands are sent to the client via the WMI channel. Please note that disabling these commands does
not affect the Safend agent functionality.
To learn more about the Windows Management Instrumentation (WMI) protocol, please visit the following link:

http://msdn.microsoft.com/en-us/library/ms811553.aspx

What are the minimum requirements for using WMI with the Safend protector?


1. The Safend domain Service account must have sufficient privileges over the WMI objects on the target machines.

By default the built-in Domain Admin group is part of the local admin group of any target machine in the network,
thus the Domain Admin group will most likely have sufficient privileges over WMI objects on the target machines. If
the Safend domain account is part of the Domain Admin group, all you will need to verify is that your domain
admin group is indeed part of the local admin group on the target machine. In cases where the Safend domain service
account cannot be part of the domain admin group, you will need to add this user manually to the local Admin
group on all the machines in the network that you want to manage via the Safend Management console. There are
several recommended methods for adding a domain user into a local group:

1. Using unrestricted groups for adding domain groups\users into local users, as described in the following
Microsoft article :

http://support.microsoft.com/kb/810076
2. Writing a simple VB script that will add the desired user automatically into the Local admin group on the target
machine using a startup script feature via GPO.

In order to see an example of such a script, please refer to Appendix D below.

3. Using an existing group that was already added to the local admin group, such as an SMS management group.

Note:
To determine which account is being used by the Safend Domain service, please refer to Appendix A below.
For further information on necessary WMI privileges required, please contact Safend support at
support@safend.com

2. The Server must be able to resolve the target machine FQDN name or its short host name.

In cases where you cannot resolve the FQDN of the target machines (i.e. machine.domain.com) from the Safend
server, but you can resolve the short host name (i.e. machine), you can configure the Safend server to work with
a short host name. To do so, please refer to Appendix B below.

3. Network firewalls or personal firewalls, such as the Windows XP personal firewall or any other personal firewall,
must enable WMI traffic from the Safend management server to the Safend management console.

When sending WMI commands via Safend Management console, WMI must establish a DCOM connection from
the Safend Server to the target machines. In order to enable DCOM traffic, the following ports need to be opened
in addition to the SSL port (default 443) that must be enabled.

Port 135

Dynamically assigned ports, in the range of 1024 to 6535 (typically in the range of 1024 to 1034).


In cases where a WinXP personal firewall is installed on the Safend agent machine, you can use the procedure
described in Appendix B to allow WMI traffic easily via GPO settings.
In cases where there is a network firewall between the management server and the Safend clients, you may want
to use a fixed range of ports. For further information please visit the following link:
http://msdn.microsoft.com/en-us/library/ms809327.aspx

4. DCOM must be enabled on the server and clients.

DCOM is enabled by default on any Microsoft Operating system. However, there are some security policies that
may disable DCOM on Windows 2003 servers, thus it is wise to verify that DCOM is enabled on the server by
performing the following:

Run the following command: Start>run>dcomcnfg

Right click on My Computer and press Default Properties

Make sure that the first check box is checked.

5. The Safend WMI classes must be registered properly on the target machine.

By default the Safend agent registers all its WMI components. This setting is not changed unless during the
installation you use MSI MST files to change the Product name from its original name “Safend Protector”.

Note: Changing the Product Name is not supported, so WMI commands will not work.

Appendix A: How to determine which user is running the WMI commands via the Management Console


In order to get the user account that the Safend Server is using, perform the following:

1. Log in to the Management Console.

2. On the menu choose Tools>Administration.

3. In the General section the Server Credentials will indicate which User is being used for the Safend domain
service.

4. This account can be changed by pressing the Change button.



Appendix B: Working with a short host name when a FQDN cannot be resolved from the Safend Server

In order to configure the Safend server to work with a short host name, please perform the following:

For version 3.3 and above:

1. Stop the following Safend Services

Safend Local Service

Safend DB



Note: Safend DB service will not be present when working with an external DB. The Safend domain service is set to
start manually, so it may not be running.

2. Edit the following info

Edit the following xml file with Notepad:
C:\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml
Search for the entry below and verify that the value is True. In case the value is False, change it from False to
True (note the capital ‘T’):

<item name="useShortHostNames" type="System.Boolean" assembly="mscorlib">True</item>

3. Reset the IIS by running the command iisreset via the command line.

For version 3.2 and below:

1. Stop all Safend Services

Safend Protector broadcast Service

Safend Protector Local Service

Safend Protector Domain Service

Safend Protector DB

Note: Safend DB service will not be present when working with an external DB.

2. Edit the following info:

Edit the following xml file with Notepad:
C:\Program Files\Safend\Safend Protector\Management Server\bin\serverconfig.xml
Search for the entry below and verify that the value is True. In case the value is False, change it from False to
True (note the capital ‘T’):

<item name="useShortHostNames" type="System.Boolean" assembly="mscorlib">True</item>

3. Reset the IIS by running the command iisreset via the command line.
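The Appendix B procedure for either version, as an added PowerShell sketch (not Safend's own tooling). The parameter names, the .bak backup and the restart of the stopped services at the end are assumptions; the file paths, service display names and the useShortHostNames item come from the steps above.

```powershell
# Added example, not Safend tooling. Run elevated on the Safend Management Server.
param(
    # Path the page gives for version 3.3 and above. For 3.2 and below pass the
    # ...\Management Server\bin\serverconfig.xml path instead.
    [string]$ConfigPath = 'C:\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml',
    # Display names the page lists for 3.3 and above; pass the 3.2 list for older
    # servers. Names that are not installed (e.g. Safend DB with an external DB) are skipped.
    [string[]]$ServiceDisplayNames = @('Safend Local Service', 'Safend DB')
)

$ErrorActionPreference = 'Stop'

function Set-UseShortHostNames {
    param([Parameter(Mandatory = $true)][string]$Path)

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the existing layout of the file
    $xml.Load($Path)                     # throws if the file is not well-formed XML

    # local-name() keeps the lookup working whether or not the file declares a namespace.
    $nodes = $xml.SelectNodes("//*[local-name()='item'][@name='useShortHostNames']")
    if ($nodes.Count -ne 1) {
        throw "Expected exactly one useShortHostNames item in '$Path', found $($nodes.Count)."
    }

    $node = $nodes.Item(0)
    if ($node.InnerText -ceq 'True') {   # case-sensitive: the page insists on a capital T
        return $false
    }

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $node.InnerText = 'True'
    $xml.Save($Path)

    # Re-read the saved file so a malformed write is caught before IIS is reset.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($Path)
    return $true
}

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Config file not found: $ConfigPath"
}

# Step 1: stop the listed Safend services that are installed and running.
$stopped = @()
foreach ($displayName in $ServiceDisplayNames) {
    foreach ($svc in @(Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue)) {
        if ($svc.Status -eq 'Running') {
            Stop-Service -InputObject $svc -Force
            $stopped += $svc
        }
    }
}

try {
    # Step 2: set the flag (no change and no backup if it is already True).
    if (Set-UseShortHostNames -Path $ConfigPath) {
        Write-Output "useShortHostNames set to True; previous file saved as $ConfigPath.bak"
    } else {
        Write-Output 'useShortHostNames is already True; file left unchanged.'
    }

    # Step 3: reset IIS.
    & iisreset.exe
    if ($LASTEXITCODE -ne 0) { throw "iisreset exited with code $LASTEXITCODE" }
}
finally {
    # Assumption: the page does not say when to start the services again; this
    # sketch restarts only the services it stopped itself.
    foreach ($svc in $stopped) { Start-Service -InputObject $svc }
}
```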

Appendix C: Allow WMI communication via GPO for Windows Personal firewall

Step 1: Updating Your Group Policy Objects with the Windows Firewall Settings

To update your Group Policy objects with the Windows Firewall settings, using the Group Policy snap-in or using
the Group Policy Management Console (GPMC):

1. Open the GPO snap in or the Group Policy Management console.

2. Click the Group Policy object that you want to update with the new Windows Firewall settings. An example is
shown in the following figure

3. In the console tree, open Computer Configuration>Administrative Templates>Network>Network
Connections>Windows Firewall. An example is shown in the following figure.

4. Choose Domain Profile and right click on the following setting: Windows Firewall: Allow Remote Administration
Exception

5. Choose Enabled and save settings.


6. Each computer in the network that will get this GPO will allow WMI traffic.

7. Safend Auditor

7.1. Troubleshooting Guidelines

When investigating an issue regarding the Safend Auditor, most issues fall under the following categories:

• Safend Auditor fails to audit a remote machine.
• Safend Auditor fails to open a report as an Excel/HTML file.

Safend Auditor fails to audit a remote machine

When the Safend Auditor fails to audit a remote machine, the following must be verified:

• Is the remote machine running and connected to the network?
• Are the appropriate ports opened between the scanning and scanned machines?

SetupAPI-based Audit:
In order for Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445
(SetupAPI; through file and printer sharing and remote registry service) to be open. In addition, you will need to
make sure that the "Remote Registry" service is running in the target machine.

WMI-based Audit:
Safend Auditor also allows auditing remote machines using the WMI method. This method requires port 135, in
addition to another dynamic port (allocated automatically by Windows when the WMI is used). Allowing the
"Remote Administration" exception in your firewall will allow Safend Auditor to scan the machine using WMI.

• Does the User used when performing the Auditor scan have the appropriate privileges on the remote machines?

Safend Auditor fails to open a report as an Excel/HTML file

When the Safend Auditor fails to open a report as an Excel/HTML file, the following must be verified:

• Can the Auditor report be opened in a different machine running the Safend Auditor?
• Can a different Auditor report be opened on this machine?

Chapter: Safend Auditor



7.2. Safend Auditor Support Solutions

7.2.1. Safend Auditor Command Line Parameters

NEED:

In some cases, there is a need to run the Auditor through a Command Line interface.

SOLUTION:

To do that, you have the option to run the Auditor with command line parameters.

Usage:

auditor [/ip | /ou | /comp] [options]

*For a full list of all options and flags, please see attached document.

7.2.2. Enabling Safend Auditor Debugging logs


Note: The logs are cryptic, and no one except a developer with the code in front of them can understand them.

NEED:

Safend Auditor Debugging Logs may be enabled in order to troubleshoot unusual behavior witnessed during the
runtime of the Safend Auditor.

RESOLUTION:

Starting Safend Auditor Debugging Logs:

To enable Auditor logs, open the Registry Editor (regedit), and access the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor. Create a new String value with the name "LogLocation". Give
it the Value of the log location and name, for example: "c:\temp\log.txt".
Please make sure to use pre-existing directories in the log location value as the Auditor will not create new
directories for the log path.

RESULT:

This method will create a logging file in the defined location.
When sending this file to the Safend Support team, please provide the Auditor version number, which can be found
under Help-->About from the Auditor Menu.

7.2.3. Safend Auditor installation fails with DVOM registration errors

SYMPTOMS:

The Safend Auditor installation may fail with the following error message or a similar one: "Error 1402. Could not
open key: UNKOWN\CDVOM.DeviceProperty2.1\CLSID. Verify that you have sufficient access to that key, or
contact your support personnel."

CAUSE:

This issue occurs when a previous version of Auditor 2.0 was not cleaned up properly during uninstallation. It
occurs with specific builds of Auditor 2.0.

RESOLUTION:

The following registry keys need to be deleted, before the installation can be executed again and completed
successfully:
HKEY_CLASSES_ROOT\CDVOM.DeviceProperty2
HKEY_CLASSES_ROOT\CDVOM.DeviceProperty2.1
HKEY_CLASSES_ROOT\CDVOM.DVOMComputer2
HKEY_CLASSES_ROOT\CDVOM.DVOMComputer2.1
HKEY_CLASSES_ROOT\CDVOM.DVOMDevice2
HKEY_CLASSES_ROOT\CDVOM.DVOMDevice2.1
HKEY_CLASSES_ROOT\SafendDVOM.DVOMWifiInfo
HKEY_CLASSES_ROOT\SafendDVOM.DVOMWifiInfo.1
HKEY_CLASSES_ROOT\SafendXML2DVOM2.Translator2
HKEY_CLASSES_ROOT\SafendXML2DVOM2.Translator2.1
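
The cleanup above as an added PowerShell sketch (not a Safend tool): it reports which of the ten listed keys are still present and, only when run with -Apply, exports each one to a .reg backup before deleting it. The -Apply switch, the backup folder name and the use of reg.exe export are assumptions of this example.

```powershell
# Added example, not Safend tooling. Run from an elevated PowerShell prompt.
param(
    [switch]$Apply,                      # without -Apply the script only reports
    [string]$BackupRoot = $env:TEMP      # where the .reg backups are written
)

$ErrorActionPreference = 'Stop'

# The keys listed in the RESOLUTION above, relative to HKEY_CLASSES_ROOT.
$keys = @(
    'CDVOM.DeviceProperty2',
    'CDVOM.DeviceProperty2.1',
    'CDVOM.DVOMComputer2',
    'CDVOM.DVOMComputer2.1',
    'CDVOM.DVOMDevice2',
    'CDVOM.DVOMDevice2.1',
    'SafendDVOM.DVOMWifiInfo',
    'SafendDVOM.DVOMWifiInfo.1',
    'SafendXML2DVOM2.Translator2',
    'SafendXML2DVOM2.Translator2.1'
)

$present = @($keys | Where-Object { Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$_" })

if ($present.Count -eq 0) {
    Write-Output 'None of the listed keys are present; nothing to clean up.'
    return
}

if (-not $Apply) {
    Write-Output 'Leftover keys found (re-run with -Apply to back up and delete them):'
    $present | ForEach-Object { Write-Output "  HKEY_CLASSES_ROOT\$_" }
    return
}

# A fresh, timestamped folder means reg.exe never has to overwrite an existing file.
$backupDir = Join-Path $BackupRoot ('SafendAuditor-HKCR-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

foreach ($key in $present) {
    $backupFile = Join-Path $backupDir "$key.reg"

    # Export first; refuse to delete anything that could not be backed up.
    & reg.exe export "HKEY_CLASSES_ROOT\$key" $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
        throw "Backup of HKEY_CLASSES_ROOT\$key failed; key left in place."
    }

    Remove-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$key" -Recurse -Force
    Write-Output "Deleted HKEY_CLASSES_ROOT\$key (backup: $backupFile)"
}

# Confirm the result before re-running the Auditor installer.
$left = @($keys | Where-Object { Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$_" })
if ($left.Count -gt 0) {
    throw "Keys still present: $($left -join ', ')"
}
Write-Output "All listed keys removed. Backups are in $backupDir"
```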

7.2.4. Opening ports on Windows Firewall for the Safend Auditor

SYMPTOMS:

In some cases the Safend Auditor will fail in auditing a target machine, although that machine may be up and
running.

CAUSE:

Depending on the scan method for which the Safend Auditor is configured, different prerequisites must be met for
the Audit to succeed.
If the required ports are not allowed in your organization's firewall, and required services are not running, the
Audit will fail.

RESOLUTION:

SetupAPI based Audit:

In order for the Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port
445 (SetupAPI - through file and printer sharing and remote registry service) open. Additionally, you will need to
make sure that the "Remote Registry" service is running in the target machine.

WMI based Audit:

The Safend Auditor also allows auditing remote machines by using the WMI method which requires port 135 in
addition to another dynamic port allocated automatically by Windows when WMI is used. Allowing the "Remote
Administration" exception in your firewall will allow the Safend Auditor to scan the machine using WMI.

Managing Windows XP Service Pack 2 Windows Firewall Using Group Policy:

Published by Microsoft: August 1, 2004


Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond
to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall
monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are
allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses
and TCP and UDP port numbers.

This behavior of Windows Firewall provides a level of protection from malicious users and programs that use
unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol
(ICMP) messages, Windows Firewall does not drop outgoing traffic.

Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and
Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a
computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dial-
up, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by
default.

Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and
services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the
Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer
Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall.

Identical sets of policy settings, as shown in Table 2, are available for two profiles:

• Domain profile. Used when computers are connected to a network that contains your organization’s Active
Directory domain.

• Standard profile. Used when computers are not connected to a network that contains your organization’s Active
Directory domain, such as a home network or the Internet.

Policy Setting / Description

Windows Firewall: Protect all network connections
Turns on Windows Firewall. The default is Not Configured.

Windows Firewall: Do not allow exceptions
Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions. This
policy setting overrides all configured exceptions. The default is Not Configured.

Windows Firewall: Define program exceptions
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two
program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall
component in Control Panel. The default is Not Configured.

Windows Firewall: Allow local program exceptions
Allows local administrators to use the Windows Firewall component in Control Panel to define a local program
exceptions list. The default is Not Configured.

Windows Firewall: Allow remote administration exception
Allows remote administration of this computer using administrative tools such as the Microsoft Management
Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports
135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not
Configured.

Windows Firewall: Allow file and printer sharing exception
Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and
445. The default is Not Configured.

7.2.5. Auditing a Remote Domain with the Safend Auditor

QUESTION:

Can I use the Safend Auditor to audit a domain which my computer is not a member of, using the Change User
option?

ANSWER:

The Change User option in the Auditor can enable log-on to a domain which is not the computer's domain, as long
as there is a trust relationship between the two domains. Please ensure a trust relationship is set between the
computer's domain, and the domain you would like to audit. In addition, make sure that the user account you are
using to perform the audit has administrative permissions on the target computers.

7.2.6. There is no response when clicking "View Excel"

PROBLEM:

There is no response when clicking "View Excel"

SOLUTION:

The .dll file that is responsible for the operation of Excel (NSExcelProject.dll) may not be updated. The file should
be updated using the following steps:
1. Delete the old file
2. Un-register the .dll using the command line: regsvr32 "<file name including full path>" /u
3. Copy the new file into the same location
4. Register the .dll using the command line: regsvr32 "<file name including full path>"

7.2.7. Error received when attempting to view the Excel report of the Auditor scan

QUESTION:

Why do I get an error message when I click "Create Excel" in the Auditor?

ANSWER:

The version of Excel you have installed is incompatible with the Auditor requirements. Please ensure you have
installed Excel 2003 Professional.

7.2.8. Auditor report with connection time and data transfer

NEED:

Is there an option to get a detailed report on when the device was connected and the files that were transferred to
and from the device?

RESOLUTION:

The Safend Auditor does not have device connection timing information, since this information is not provided by
Windows. However, both the exact times of device connection and the file transfers are available through the
Event Logs recorded by the Safend Protector Client.

7.2.9. Local machine cannot be found in Auditor report

SYMPTOM:

When running the Auditor on an OU that includes the machine from which the Auditor is executed, the local
machine cannot be found in the results.

CAUSE:

Due to some personal firewall settings, the firewall sometimes does not allow a ping to the local machine. As a
result, the local machine cannot be reached by the Auditor and will not be displayed.

RESOLUTION:

In order to run the Auditor for the current computer, use the option for running it on a single computer, with the
computer name being the word "local". This will bypass the firewall limitation.

7.2.10. Safend Auditor fails to audit certain remote machines

SYMPTOMS:

In some cases the Safend Auditor may fail to audit a target machine.

CAUSE:

There may be a number of reasons for this:

1. The auditing user does not have administrative permissions to the audited computer (this is either the user
logged on to the computer on which the Auditor is installed, or the user to which the credentials were changed, in
the Change User option).

2. The machine did not respond within an acceptable time. This can happen if for any reason there was too much
load on the network at the time of the audit, or even if the machine was turned off at the time.

3. The machine is listed in Active Directory but does not exist. This can happen if its name was changed, or if it was
disconnected from the network at the time of the audit.

4. A Firewall may be active on these machines, blocking the access of the Safend Auditor.

SOLUTION:

1. Make sure the account that is used for auditing has sufficient permissions.

2. Make sure the machine is not turned off.

3. Make sure the machine is listed properly in the AD, and that it is connected to the network.

4. When the reason for failure is a Firewall on the target machine:


Depending on the method of scan in which the Safend Auditor is configured, different prerequisites must be met
for the Audit to succeed.

When conducting a SetupAPI based Audit:

In order for the Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port
445 (SetupAPI - through file and printer sharing and remote registry service) open. Additionally, you will need to
make sure that the "Remote Registry" service is running in the target machine.

The other ports that the "file and printer sharing" is listening on (137,138 UDP and 139 TCP) are not needed for the
auditor, and therefore can remain closed at the firewall.

In order to enable file and printer sharing:

Open Control Panel --> Network Connections

Double click on your connection and then click the properties button.
* For a LAN connection, click the general tab and make sure the File and Printer Sharing for Microsoft Networks is
not selected.
* For a dial up connection, click the Networking tab and then make sure File and Printer Sharing for Microsoft
Networks is not selected.

In addition, the XP SP2 firewall has a built-in exception rule for "File and Printer Sharing", which is an exception for
ports 137-139 and 445. The rule is editable and can be modified to apply only to port 445.

To do this:
Open Control Panel -->Firewall
Go to the exceptions tab, choose file and printer sharing, click edit and select the checkbox next to 445.

When conducting a WMI based Audit:

The Safend Auditor also allows auditing remote machines by using the WMI method which requires port 135 in
addition to another dynamic port allocated automatically by Windows when WMI is used. Allowing the "Remote
Administration" exception in your firewall will allow the Safend Auditor to scan the machine using WMI.
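
The prerequisites listed for a failed audit here and in 7.2.4 (ping, TCP 445 plus the "Remote Registry" service for SetupAPI, TCP 135 for WMI), as an added PowerShell pre-check run from the Auditor machine; it is not part of the Safend Auditor. The parameter and function names are assumptions, and the dynamic WMI port is not probed.

```powershell
# Added example, not Safend tooling. Run as the account that will perform the audit.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [ValidateSet('SetupAPI', 'WMI')][string]$Method = 'SetupAPI',
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        # A dropped (firewalled) SYN never completes, so bound the wait.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)     # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-RemoteRegistryRunning {
    param([string]$HostName)
    # sc.exe queries the remote Service Control Manager, which itself needs the
    # same file-sharing path (TCP 445) and admin rights that the audit needs.
    $output = & sc.exe "\\$HostName" query RemoteRegistry
    $running = ($LASTEXITCODE -eq 0) -and (($output -join "`n") -match 'RUNNING')
    return $running
}

function New-Check {
    param([string]$Name, [bool]$Passed, [string]$IfFailed)
    $hint = ''
    if (-not $Passed) { $hint = $IfFailed }
    [pscustomobject]@{ Check = $Name; Passed = $Passed; IfFailed = $hint }
}

$results = @()

$pingOk = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
$results += New-Check -Name 'ICMP echo (ping)' -Passed $pingOk `
    -IfFailed 'Machine off, renamed or disconnected, or a firewall/VPN does not permit ICMP.'

if ($Method -eq 'SetupAPI') {
    $smbOk = Test-TcpPort -HostName $ComputerName -Port 445 -TimeoutMs $TimeoutMs
    $results += New-Check -Name 'TCP 445 reachable' -Passed $smbOk `
        -IfFailed 'Allow TCP 445; the File and Printer Sharing exception can be limited to port 445.'

    # Only ask the remote SCM when 445 answers; otherwise sc.exe just waits and fails.
    $regOk = $false
    if ($smbOk) { $regOk = Test-RemoteRegistryRunning -HostName $ComputerName }
    $results += New-Check -Name '"Remote Registry" service running' -Passed $regOk `
        -IfFailed 'Start the Remote Registry service on the target and check admin rights of the auditing user.'
}
else {
    $rpcOk = Test-TcpPort -HostName $ComputerName -Port 135 -TimeoutMs $TimeoutMs
    $results += New-Check -Name 'TCP 135 reachable' -Passed $rpcOk `
        -IfFailed 'Enable the "Remote Administration" firewall exception on the target.'
    # The dynamic port is allocated only when WMI is actually used. No WMI query is
    # issued here: per 7.2.15 a WMI audit creates an administrator profile on the target.
}

$results

if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }
```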

Managing Windows XP Service Pack 2 Windows Firewall Using Group Policy:

Published by Microsoft: August 1, 2004


Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond
to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall
monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are
allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses
and TCP and UDP port numbers.

This behavior of Windows Firewall provides a level of protection from malicious users and programs that use
unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol
(ICMP) messages, Windows Firewall does not drop outgoing traffic.

Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and
Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a
computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dial-
up, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by
default.

Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and
services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the
Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer
Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall.

Identical sets of policy settings, as shown in Table 2, are available for two profiles:

• Domain profile. Used when computers are connected to a network that contains your organization’s Active
Directory domain.

• Standard profile. Used when computers are not connected to a network that contains your organization’s Active
Directory domain, such as a home network or the Internet.

Policy Setting / Description

Windows Firewall: Protect all network connections
Turns on Windows Firewall. The default is Not Configured.

Windows Firewall: Do not allow exceptions
Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions. This
policy setting overrides all configured exceptions. The default is Not Configured.

Windows Firewall: Define program exceptions
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two
program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall
component in Control Panel. The default is Not Configured.

Windows Firewall: Allow local program exceptions
Allows local administrators to use the Windows Firewall component in Control Panel to define a local program
exceptions list. The default is Not Configured.

Windows Firewall: Allow remote administration exception
Allows remote administration of this computer using administrative tools such as the Microsoft Management
Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports
135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not
Configured.

Windows Firewall: Allow file and printer sharing exception
Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and
445. The default is Not Configured.

7.2.11. Error message received when attempting to view HTML report of Auditor scan

QUESTION:

Why do I get an error message when I click "View Report" in Auditor?

ANSWER:

The version of Internet Explorer you have installed is incompatible with the Auditor requirements. Please ensure
you have Internet Explorer 6 or above installed. If you have defined a different browser as your default browser,
try redefining Internet Explorer as the default browser.

7.2.12. Safend Auditor Graphic Report Procedure for MS Excel



NEED:

Presenting the Safend Auditor reports in Excel worksheets with queries and graphic representations - charts etc.

SOLUTION:

The Safend Auditor can export reports to MS Excel files that are pre-configured with the most commonly used
queries. It is also possible to add graphic reports of the audit results using the following procedure:

Note: MS Excel 2003 or above must be installed

1. Execute the Safend Auditor
2. Select the OU or IP range you wish to audit
3. Click Run to perform the Audit
4. Wait for Audit to complete
5. Click Create Excel
6. MS Excel will then open automatically with the Auditor results
7. In Excel select and highlight the entire devices or computers data table (DO NOT select the Audit status table)
including the Column Titles.
8. Go to the Data menu and select Pivot Table and Pivot Chart report.
9. The Pivot Table wizard will then start. Leave the settings as they appear by default and click next.
10. The Pivot Table and Pivot Chart window (Step 2 of 3) will then appear. Click next.
11. In the following window (Step 3 of 3) click Finish.
12. A window with the fields you have chosen will be displayed.
13. From the Pivot Table Field List window select “PORT” and drag it into the “Drop Row Fields Here” area.
14. Repeat step 13 for the “Types” and “Device Info” fields, placing them beside the Port field in succession.
Note the order of the fields: Port, Type, and then Device Info.
15. Next, drag the “Description” field into the “Drop Data Items Here” area.
16. In the “Device info Column” click the drop down arrow, and deselect (uncheck) any unwanted devices, such as
PCI devices. Make sure to uncheck the “Blank” items at the bottom of the list.
17. You can now use the Chart wizard button to generate Bar or Pie charts as needed.

See the attached document for these instructions, accompanied by screenshots of the entire process.

7.2.13. The Safend Auditor Scanning Method and Network bandwidth information

QUESTION:

How does the Safend Auditor scan target computers and what is the scan's impact on the network?

ANSWER:

The Safend Auditor software is configured to scan multiple computers on a single network simultaneously, through
WMI or SetupAPI protocols, as defined by the user via Settings--> Scan Protocol.
This is done by allocating a different thread for each machine to be scanned. By default the Auditor opens 10
threads in order to perform the scan, thus scanning 10 machines at the same time.
This value can be changed by editing the registry value NumThreads, located under:
HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor.

Audit Bandwidth:

In general, when scanning a single machine, the amount of data transferred from the machine is approximately
300KB, depending on the number of devices that were connected to that machine up until the scan.

The network bandwidth taken up by a scan is in direct proportion to the number of machines that are being
scanned simultaneously.
It is important to note that while the accumulated bandwidth from scanning multiple machines simultaneously
may appear to be large, the actual effect on the network is relatively small.
This is because audit information is sent to the Auditor in bursts, each taking up a short amount of time.

7.2.14. Where is the Auditor key located in the registry?

SYMPTOM:

When right-clicking a machine in the Clients World and choosing to Audit Devices, the Auditor is unreachable.

CAUSE:

The first time you choose to audit a machine from the Clients World, a window pops up asking you to browse to
the Auditor. If a wrong path was entered, every attempt to audit a machine via the Clients World will fail.

SOLUTION:

The registry key holding the location of the Auditor (used by the management server) is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor]

The value under this key that holds the location of the Auditor exe file is “ExePath”. Here is an example value:
"ExePath"="C:\\Program Files\\Safend\\Safend Auditor\\\\Auditor.exe"

Please delete this value.

7.2.15. The Safend Auditor creates new user profiles on the audited machines

PROBLEM:

New administrator profiles were created on organization machines that were scanned by the Safend Auditor.

SOLUTION:

The Safend Auditor has two scanning protocols that can be used while performing a scan: WMI and Setup API.
When the auditing process is done using the WMI protocol, the local OS on the end user's scanned machine will
automatically create a new administrator profile that will be named after the user that performed the auditing. In
order to avoid this result, the scan should be done using the Setup API protocol.

The only exception is that when auditing a machine that runs Windows Vista the scanning protocol must be WMI.

7.2.16. The Auditor seems not to detect remote devices when working via VPN

In order to run audits successfully, port 445 (‘Microsoft-DS’, which is used for resource sharing) and ICMP (Internet
Control Message Protocol) must be permitted in the network and, in this specific case, through the VPN.

7.2.17. The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to
Audit Devices.

SYMPTOM:

When right-clicking a machine in the Clients World and choosing to Audit Devices, the Auditor is unreachable.

CAUSE:

The first time you choose to audit a machine from the Clients World, a window pops up asking you to browse to
the Auditor. If a wrong path was entered, every attempt to audit a machine via the Clients World will fail.

SOLUTION:

The registry key holding the location of the Auditor (used by the management server) is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor]

The value under this key that holds the location of the Auditor exe file is “ExePath”. Here is an example value:
"ExePath"="C:\\Program Files\\Safend\\Safend Auditor\\\\Auditor.exe"

Please delete this value.

8. Safend Reporter
8.1. Safend Reporter Support Solutions

8.1.1. Internet Explorer Error message when running any report on Safend server 3.3 SP2

SYMPTOM:

After upgrading from Safend Server 3.3 SP1 to Safend Server 3.3 SP2 with Reporter, when trying to run any report
in the reports tab, an Internet Explorer security error message appears with the path:
file://E:\Development\Code\trunk\Safend.Protector.Admin.UI\Admin.UI.World

After hitting “close”, the error message disappears and the report will run properly.

A screenshot of the Spanish version of the error is attached.

CAUSE:

The error pops up whenever the security level of the Internet zone is set to "high" (or Active Scripting is
disabled). You can check this at Tools -> Internet Options -> Security -> Internet (or in Custom Level).

SOLUTION:

Replace the two .mht files under \Program Files\Safend\Safend Protector\Management Console\ManagementConsole:

- PleaseWait.en-US.mht
- PleaseWait.mht

Save the file that is attached to the solution under the two names, once as PleaseWait.en-US.mht and once as
PleaseWait.mht.

Note: The files need to be replaced at each existing console.

For any remote console installed from this server in the future to include the fix, the .mht file should also be
replaced in the console zip under the server's directory: C:\Program Files\Safend\Safend
Protector\Management Server\consoleUpdater\console.zip

Chapter: Safend Reporter



8.1.2. Required IE settings for Safend reporter

Internet explorer settings for Safend Reporter best view

1. Open internet explorer.

2. From the top menus select tools -> internet options

3. Go to advanced tab


4. Under Multimedia, select "Play animations in web pages" and "Show pictures".

5. Under Printing, select "Print background colors and images".


6. Under Security, select "Use TLS 1.0".


9. Safend Encryptor
9.1. Safend Encryptor Support Solutions

9.1.1. Internal hard disk encryption doesn't get applied to the client due to publishing backward compatible policies

SYMPTOM:

With Encryptor 2.0 (Protector 3.3 SP2), when policies are published using GPO or REG files and "Publish backward compatible policies" is checked in the console (under Tools --> Administration --> Policies):
1. Policies that contain HD encryption do not cause the hard disk to be encrypted, although they are applied properly to the client (they appear correctly in the client's GUI, and other functionality of the policy, such as port protection, works properly).
2. In the client's GUI, the encryption status bar doesn't exist at all, as if it is not an Encryptor client.
3. In the registry under HKEY_LOCAL_MACHINE\software\policies\safend, a key called "V_3_3H" does not exist although it should.
Note: Generally, the key HKEY_LOCAL_MACHINE\software\policies\safend exists only if policies are published using GPO or REG files.

CAUSE:

When a policy is applied using the GPO or REG file methods, keys named after the existing and previous Safend versions appear under HKEY_LOCAL_MACHINE\software\policies\safend. These keys are the "containers" of the policies themselves.
An example of such a key is HKEY_LOCAL_MACHINE\software\policies\safend\V3_3, which contains the policy in 3.3 format once a policy is published to the client.
A 3.3 SP1 client reads the policy from this "container".
With Encryptor, when the backward compatible policies option is applied in the console, the key HKEY_LOCAL_MACHINE\software\policies\safend\V_3_3H, which is used to store the policies created for the Encryptor client, doesn't get created, since the policy, being backward compatible, gets written to a previous "container", usually "V_3_3".
When the policy is written to the "V_3_3" container, the Encryptor client can read it, but it cannot read the part of the policy regarding HD encryption. The end result is that the policy is applied properly but HD encryption functionality does not work.

SOLUTION:

Each policy containing HD encryption should be published twice, so that both Encryptor clients and previous client versions are able to read it and HD encryption works properly.
This issue is fixed in versions above Encryptor 2.0.
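
A check for the condition described in this article, as an added example (not Safend code): the Python script below scans the text of a published policy REG file and reports whether the "V_3_3H" container is present before the file is distributed. The sample REG contents, value names and result labels are constructed, and it assumes the published REG file creates the container keys directly under HKEY_LOCAL_MACHINE\software\policies\safend.

```python
import re

# Key path and container names ("V_3_3", "V_3_3H") are taken from the article.
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\software\policies\safend"
ENCRYPTOR_CONTAINER = "V_3_3H"
SECTION = re.compile(r"^\[(-?)(.+)\]$")

# Constructed sample REG files; the value name and data are placeholders.
SAMPLE_BACKWARD_COMPATIBLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Safend]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Safend\V_3_3]
"ExamplePolicyData"=hex:01,02,03
"""
SAMPLE_ENCRYPTOR = SAMPLE_BACKWARD_COMPATIBLE + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Safend\V_3_3H]
"ExamplePolicyData"=hex:0a,0b,0c
"""


def policy_containers(reg_text):
    """Return the names of the keys directly under POLICY_ROOT that the REG text creates."""
    root = POLICY_ROOT.lower()  # registry key names are case-insensitive
    containers = set()
    for line in reg_text.splitlines():
        match = SECTION.match(line.strip())
        if not match:
            continue  # value lines, blank lines, file header
        deleting, key = match.group(1) == "-", match.group(2)
        lowered = key.lower()
        if lowered == root:
            if deleting:
                containers.clear()  # "[-root]" removes every container below it
            continue
        if not lowered.startswith(root + "\\"):
            continue
        relative = key[len(root) + 1:]
        name = relative.split("\\")[0]
        if not deleting:
            containers.add(name)
        elif relative == name:
            # "[-root\name]" removes that container, whatever its letter case
            containers = {c for c in containers if c.lower() != name.lower()}
    return containers


def check_published_policy(reg_text, has_hd_encryption):
    """Classify a published REG file: 'no-policy', 'hd-encryption-unreadable' or 'ok'."""
    names = {name.upper() for name in policy_containers(reg_text)}
    if not names:
        return "no-policy"
    if has_hd_encryption and ENCRYPTOR_CONTAINER.upper() not in names:
        return "hd-encryption-unreadable"
    return "ok"


if __name__ == "__main__":
    for label, text in [("backward compatible", SAMPLE_BACKWARD_COMPATIBLE),
                        ("Encryptor format", SAMPLE_ENCRYPTOR)]:
        print(label, sorted(policy_containers(text)), check_published_policy(text, True))
```
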


9.1.2. After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine

SYMPTOM:

With Windows XP, after encrypting the HD of a machine:

1. Shared folders which are located on this machine cannot be accessed from another machine even though all permissions and sharing settings are correct. This is more common when using one or more anti-virus or similar software on the encrypted machine.
2. A BSOD occurs when trying to rename a network folder.

CAUSE:

Generally, several Windows drivers related to network shares assume a fixed number of file system drivers on the machine. Installing Safend and encrypting the HD adds at least one file system driver, and each anti-virus or similar software usually adds one as well, so the default number of file system drivers may be too low. This issue is described in detail in the following Microsoft article: http://support.microsoft.com/kb/177078/en-us

SOLUTION:

There are 2 possible solutions for this issue:

1. Upgrade the XP service pack of the encrypted machine to SP3.
2. If the above is not possible, increase the number of file system drivers allowed on the encrypted machine:
a. Increase the IrpStackSize in the registry as described in http://support.microsoft.com/kb/177078/. The IrpStackSize should have the value of 18 or more (in decimal). If increasing it to a certain number doesn't resolve the issue, try to increase it further after completing the steps below.
b. Replace the mup.sys driver located at system32\drivers with the mup.sys driver attached to this solution. This file is included in one of the XP SP2 hot fixes, described in the following Microsoft article: http://support.microsoft.com/kb/906866
Note that the mup.sys driver should only be replaced on client machines experiencing the issue, not on every client machine.
c. Increase the DfsIrpStackSize in the registry as described in the following Microsoft article: http://support.microsoft.com/kb/906866. The DfsIrpStackSize should have the value of 10 only.
d. Restart the machine.

9.1.3. In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen,

NEED:

1. One method of resetting the access password to the encrypted HD is to enter a reset password in Sami (in native mode, before startup) on the client machine. This is done by pressing the F6 key and then the F9 key in the Encryptor login screen. These 2 keystrokes generate a long hexadecimal string that should be copied to the console, and the (relatively short) reset password generated in the console should be entered back into the Encryptor login screen.
Since the process described above happens in the Encryptor login screen before startup, there is no obvious way to copy the long hexadecimal string so that it can be pasted later into the console.
2. One method of obtaining a one time access password to the encrypted HD is from the Encryptor login screen on the client machine (in native mode, before startup). This is done by pressing the F7 key and then the F9 key in the Encryptor login screen. These 2 keystrokes generate a long hexadecimal string that should be copied to the console, and then a (relatively short) one time access password is generated in the console. This password can be entered back into the Encryptor login screen for one time access.
Since the process described above happens in the Encryptor login screen before startup, there is no obvious way to copy the long hexadecimal string so that it can be pasted later into the console.

SOLUTION:

Corresponding to the two items above:

1. In the Encryptor login screen, pressing Ctrl + Alt + Shift + F1 instantly creates a registry key on the client machine containing the reset code.
After pressing the keys above, load Windows normally (this can be done using Technician mode), open regedit and go to:
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SafendPS\ResetPasswordCode
The value of this key is the reset code that should be pasted into the console.
2. In the Encryptor login screen, pressing Ctrl + Alt + Shift + F2 instantly creates a registry key on the client machine containing the one time access password.
After pressing the keys above, load Windows normally (this can be done using Technician mode), open regedit and go to:
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SafendPS\OtpCode
The value of this key is the one time access code that should be pasted into the console.

Note that in both cases, when loading Windows right after pressing the above-mentioned key combinations, many files will be encrypted since no password was entered in the Encryptor login screen. This does not matter here: the registry can still be viewed, even when logging in as a non-admin user.


10. Implementation

10.1. Implementation Support Solutions

10.1.1. Implementation in non directory environments

NEED:

When installing Safend Protector in a non-Active Directory environment, the procedure for installing and working with the Protector is different. The changes to this procedure are listed below.

RESOLUTION:

The Safend Protector can easily be installed in non-AD environments.

The differences when working with Safend Protector in non-AD environments are:

• The product can be deployed using any deployment software that supports .msi files (such as Microsoft SMS, etc.).
• The clients list will not be retrieved from the Active Directory; however, any machine with Safend Protector Client installed will appear under the 'Clients' tab in the Safend Management Console and as "not in domain" in the organizational tree, and all the management activities will be available for these machines.
• Policy distribution must be done either through the direct Server-Client policy publish or by publishing the policies as registry files.

All other functionality is exactly the same in non-AD environments.

When installing Safend Protector in non-AD environments you should ensure the following:
• During the Safend Server installation, when you reach the Domain Credentials Menu, enter the user name and
password of the local administrator, and enter the computer name of the server machine as the domain name.
Make sure the local administrator for the server also has local admin privileges on any of the client machines.
• SSL communication ports used for the Server-Client are open on all machines and firewalls.

Policy distribution can also be done using reg files (which can be distributed using any distribution software such as SMS, Novell Zenworks, etc.) rather than direct Server-Client policy publishing. These files are then run on the endpoint machines in order to merge them into each respective machine's registry, causing the policy to take effect.
(Please see the note at the bottom of this page for an example of such a method.)

To enable Registry Policy Publishing, after the installation make sure to change the policy distribution method in the Management Console Administration to use registry files. This is done by opening the TOOLS menu in the Management Console, selecting Policies, checking the "Publish policies to a shared folder" box, and specifying a location to store the reg files. Make sure that "Use Active Directory" is not checked.

There is also an option of automatically running an executable file after saving a policy, which enables automating
the entire policy distribution process (e.g. every time that a policy is saved, a script will be activated to distribute
this policy using the company's deployment software).

• To enable this option, be sure to check the "Run executable after publish" box, and provide a link to the custom-made executable.

10.1.2. Environment Requirements Estimates for the Safend Protector

QUESTION:

What are the system requirements and network requirements of the Safend Protector?

ANSWER:

Numerous real-life tests of the Safend software in live installations have shown that the effect on network and
endpoint performance of the software is insignificant, in that it is virtually unnoticeable and remains under the
average 'noise level' in a standard network environment. Following is some data about the performance of the
Safend system in a network environment.

Statistics regarding network bandwidth:

1. Safend Management Server → Endpoints:
1a. Update policy command over WMI – 1KB per machine (e.g., sending an Update Policy trigger to an OU with 1,000 machines would require ~1MB).
1b. Retrieve logs command over WMI – 1KB per machine (e.g., sending a Retrieve Logs trigger to an OU with 1,000 machines would require ~1MB).
2. Endpoints → Safend Management Server:
2a. Send endpoint logs to database – Assuming average device activity, this will require around 40KB per machine per day. The machines will send their logs every predefined interval, which can be fine-tuned according to the organization's size, needs and network configuration.
3. Safend Management Server → Safend Management Console:
3a. Because the Safend Management Console will be installed only on a limited number of machines, the network bandwidth required in this case is insignificant.

Statistics regarding workstation performance:

The installation of the Safend Protector Client on an endpoint has minimal effect on the system's performance.
Following are details of CPU & RAM utilization of the Safend Protector Client in both idle and active states:
1. Safend Protector Client Worker Process when idle: CPU utilization = 0%; RAM usage = 12MB.
2. Safend Protector Client Worker Process when active (i.e., when the Safend Protector Client policy is being updated): CPU utilization = 12% for less than a second, then back to 0%; RAM usage = 12.5MB.
3. Safend Protector Client Worker Process when active upon the connection of a restricted device: CPU utilization =
2% for less than a second, then back to 0%; RAM usage = 12.76MB.

Note: The above results were recorded in our test lab, on a Pentium IV machine running WinXP SP2 with no special additional applications running. The results may differ for machines with different specs than those in our lab.

Environment requirements for the installation of the Safend Management Server v3.0:

The following estimations assume that the customer has a dedicated Safend server.
1. Organizations with up to 1,000 endpoints -- We recommend using a server PC with 1 ~3GHz processor, 1GB RAM, a standard 7,200rpm HD, and Windows 2003 Server. We estimate that the Safend database will require about 25-30GB a year, depending on device activity at the endpoints.
2. Organizations of up to 10,000 endpoints -- A dedicated server with 2-4 ~3.4GHz Dual Xeon processors, with at least 2GB RAM and a large 10,000rpm HD. It is recommended that the customer install Windows 2003 Enterprise Server. The Safend DB will reach about 250-300GB a year.
3. Organizations of up to 50,000 endpoints -- A dedicated server with 4 ~3.4GHz Dual Xeon processors, with at least 2-4GB RAM and a large 10,000rpm HD. It is recommended that the customer install Windows 2003 Enterprise Server. The Safend DB will reach about 1-2TB a year.
4. Organizations serving 50,000+ endpoints – Please contact Safend Support for a more precise hardware requirements estimation according to the specific domain and clustering configurations.

Log files size:

Usually, the log files do not tend to exceed 1-2KB each when the machine is idle (and users are simply logging off
and back on), and you shouldn’t expect more than 10 log files a day. However, if there is much activity at the
endpoint (device connection/disconnection, such as you would expect for example on the sysadmin's endpoint),
the log files can reach 10-20KB each, plus another couple of KBs if file logging is enabled.

10.1.3. Resolving and Identifying GPO Errors

1. To verify that the computer can receive Group Policy updates, the computer must be connected properly to the domain. All errors from SecCli, Userenv or Netlogon in the Event Viewer must be checked thoroughly. These errors can prevent the computer from receiving Group Policy updates or even prevent proper domain logon.

2. The command line utility gpresult.exe can be used to verify that the Group Policy was received and applied properly by the client computer (this utility should be run locally on the client computer). It is imperative to make sure that the GPO is applied to the appropriate OU and Domain.
Gpresult is built into Windows XP, and you can download it for Windows 2000 from:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

When run in a command window with the /v option, this utility outputs all the Group Policy objects that were applied to the local system. The output is divided into user settings and computer settings. Verify that all the Group Policy objects configured in the Active Directory are properly applied to the local system.

If some or all group policies are missing from gpresult's output, the Event Viewer needs to be checked for errors.

3. The command line utility gpotool.exe can be used to verify that all the Group Policy objects stored in the Active Directory are valid and contain all the information needed to apply the group policy locally.
(This utility should be run locally on the client computer.)
This tool can be downloaded from:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp

If you cannot find a certain group policy in gpresult's output but you can find it in gpotool's, this might be due to a late replication schedule.

Two more utilities that can be used to diagnose a misconfiguration in the network or the domain are netdiag.exe and dcdiag.exe:

4. The command line utility netdiag.exe is used to test the network status and indicate problems with the connectivity of your client. This utility is included in the support tools package, which is located on the install CD under support\tools. It can also be downloaded from:
http://www.microsoft.com/downloads/details.aspx?familyid=1EA70814-7E6C-46E5-8C8C-3C439A732E9F&displaylang=en
Use this utility by typing netdiag at the command prompt and inspecting the results to make sure there are no connectivity issues.

5. The command line utility dcdiag.exe is used to verify that the domain controller is configured properly and fully functional. This tool runs numerous tests on the domain controller, and any errors received need to be fixed and verified. A poorly configured domain or a malfunctioning domain controller can prevent the computers from receiving a valid Group Policy. (This utility can be run locally on the client computer or on the domain controller.)
This utility is included in the support tools package, which is located on the install CD under support\tools. It can also be downloaded from:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dcdiag-o.asp

10.1.4. Building Protector Policy per Security Group (GPO policy distribution)

*This KB article describes the method of applying policies in version 3.1. In version 3.2 this problem can be easily resolved using the 'Policy Server' mechanism.

NEED:

In some cases several Group Policy Objects need to be applied to different user/machine objects located in the
same OU.
The "Normal" way to apply the Protector Policies on objects that reside in an OU, is to link the GPO to the OU, thus
applying the Policy to all of the objects contained in the OU. In some cases, mainly large scale organizations, this
may be cumbersome, and very difficult to manage.

SOLUTION:

There is a way to apply several Protector/Group Policies to users that reside in security groups in the same OU, in a process called security filtering.

A good example of an organization which could use this method is an organization which contains all users in one OU, and all computers in another OU (in the domain). In this case it will be easier to use existing security groups and apply the Protector policy to them rather than rearrange all the computers/users into a new OU structure.

Security filtering is essentially a procedure where we apply several Protector/Group Policy objects to the same OU (which contains users/computers) and then change the ACEs (Access Control Entries) on those Protector/Group Policy objects to only allow users in a certain security group to read and apply that specific Protector/Group Policy.

Detailed instructions with screenshots can be found in the attached pdf document:


10.1.5. Enabling Verbose logging for GPO installations

NEED:

In some cases, the GPO installation of the Safend Protector Client may fail due to misconfiguration of the Active
Directory, or other components of the OS.
In such cases, detailed logs called Verbose Logs will need to be created in order to help identify and solve the
problem.

SOLUTION:

Following are Microsoft's instructions on how to enable Verbose logging for GPO installations:

Warning!!! - Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by any
other method. These problems might require that you reinstall your operating system. Microsoft cannot
guarantee that these problems can be solved. Modify the registry at your own risk.

Use Registry Editor to add the following registry value (or modify it, if the value already exists):
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD
Value Data: 10002 (Hexadecimal)
UserEnvDebugLevel can have the following values:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000
The default value is NORMAL|LOGFILE (0x00010001).

Note: To disable logging, select NONE (where the value is 0x00000000).

You can also combine the values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. So if UserEnvDebugLevel is set with a value of 0x00010002, this turns on both LOGFILE and VERBOSE. Combining these values is the same as using an OR statement:
0x00010000 OR 0x00000002 = 0x00010002
Note: If you set UserEnvDebugLevel = 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log exists and is
greater than 300 KB, the existing file will be renamed to Userenv.bak, and a new log file created.

These instructions can also be found at: http://support.microsoft.com/kb/221833/
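
The flag arithmetic above, as an added Python example (not part of Microsoft's instructions or of Safend's tooling): it decodes a UserEnvDebugLevel value into the flags from the table and catches the case where "10002" was entered with the decimal base selected instead of hexadecimal. The function names and finding texts are this example's own.

```python
# Flag table copied from the article (NONE is simply the value 0).
FLAGS = {
    "NORMAL": 0x00000001,
    "VERBOSE": 0x00000002,
    "LOGFILE": 0x00010000,
    "DEBUGGER": 0x00020000,
}
KNOWN_BITS = 0
for _bit in FLAGS.values():
    KNOWN_BITS |= _bit


def compose(*names):
    """OR the named flags together, e.g. compose("VERBOSE", "LOGFILE")."""
    value = 0
    for name in names:
        value |= FLAGS[name]
    return value


def decode(value):
    """Return (flag names set in value, bits that are not in the table)."""
    names = [name for name, bit in FLAGS.items() if value & bit]
    return names, value & ~KNOWN_BITS


def audit(value):
    """Return a list of findings for a UserEnvDebugLevel value read from the registry."""
    names, unknown = decode(value)
    findings = []
    if value == 0:
        findings.append("NONE: logging is disabled")
    if unknown:
        findings.append("bits 0x%08X are not in the flag table; "
                        "check the base used when the data was typed" % unknown)
    if value and "LOGFILE" not in names:
        findings.append("LOGFILE flag is not set")
    if value and "VERBOSE" not in names:
        findings.append("VERBOSE flag is not set")
    return findings


def reg_line(value):
    """Format the value as a REG-file line; dword data there is always hexadecimal."""
    return '"UserEnvDebugLevel"=dword:%08x' % value


if __name__ == "__main__":
    # The same digits typed with the hexadecimal and the decimal base selected.
    for base in (16, 10):
        value = int("10002", base)
        print("base %2d -> 0x%08X" % (base, value), decode(value), audit(value))
    print(reg_line(compose("VERBOSE", "LOGFILE")))
```
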

