File Share Encryption


 Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

  • 1.   Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 22, 2012 08:18 PM

    Symantec PGP consistently destroys OSX bootloader.

    See Symantec PGP work its magic: http://www.youtube.com/watch?v=CXV6SZZX-sI

    Symantec PGP version 10.2.1

    Apple OSX version 10.7.4

    Symantec.  How do you suggest we recover from this?  When will you release a new version that has been tested to be compatible with OSX?



  • 2.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 22, 2012 09:06 PM

    I haven't tested this scenario yet (I will be later this week!).

    Was this a clean install of OSX?

    Were there any FileVault 2 disks connected, or was the main disk FileVault 2 encrypted?

    What happens when you boot to verbose mode (Command-V)? Does it say waiting for boot device/volume?

    Is this machine bound to Active Directory?

    What happens if you try to select a boot volume at boot (hold down Option, select boot disk)?

    Some of these are shots in the dark (AD issue, selecting boot volume), but this is what I would do to determine what's going on. There are some weird issues with WDE; they also do strange update tracks when they were doing SP releases. A 10.1 wouldn't have the same fixes as a 10.0 SP2 release would. I wonder if that is the case with 10.2.1 too.

    There is a weird FV2 thing they added that disables the WDE driver, usually only an issue if the boot volume is encrypted.

    Thanks!



  • 3.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 22, 2012 10:27 PM

    Yes.  It was a virgin install.  10.7 from an Apple-branded OSX Install stick, 10.7.4 via OSX built-in software update.

    I am primarily concerned with PGP 10.2.1, but I did also test 10.2.0 MP4 and MP5, and they produced the same result on two different laptops.

    There were no FileVault Disks present.

    Active Directory is not in use.

    I hadn't tried verbose mode, but after another clean reinstall of OSX, I'm trying now.  I've been toiling with two macbooks for the last week trying to find a sequence that worked.

    I installed pgp again, which promptly bricked the machine.  Booting in verbose mode, I notice that Symantec's Copyright banner prints twice, then
    Block Storage Driver on-line
    pgpwde:AES-NI CPU support not detected.

    Then it waits for root device indefinitely.  I've attached a screenshot in case someone else can make better sense of it.  The photo was taken before it started "waiting for boot device/volume".  That line repeats every minute or so.

    If I boot with the option key held down, there are two choices presented:
    OS Disk (My OS Disk, which fails with a prohibition sign)
    Recovery HD (Which boots into an OS X recovery environment)

    Other users facing this problem: please do a command+v and take a picture of how your boot fails.



  • 4.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 22, 2012 10:50 PM

    I wonder if it's a hardware-specific issue?

    What model of Mac are you using? E.g. MacBook Air 1,1 should be specific enough.



  • 5.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 23, 2012 01:15 PM

    MacBook 13-inch Aluminum Late-2008
    MacBook Pro 13-inch Mid-2009

    They reacted identically.



  • 6.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 23, 2012 03:25 PM

    We are unable to reproduce this issue with 10.2 MP4. We're using a Late 2011 MacBook Air and did a clean install of 10.7.1, then a software update to 10.7.4, then installed 10.2 MP4.

    We were able to encrypt the HD and boot w/o an issue.  We will be testing 10.2.1 tomorrow. I'll try installing 10.7.4 clean too.

    - Sarah



  • 7.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 30, 2012 03:35 PM

    Not very used to Mac, but is there any way to uninstall FileVault (even though that drive is not encrypted)?

    I think you should give this a try.



  • 8.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 30, 2012 03:56 PM

    FileVault comes with Mac OS X Lion and cannot be disabled or uninstalled. It's like MS BitLocker, it's just there.



  • 9.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 30, 2012 04:14 PM

     

    Does Symantec have any software engineers working on PGP who are used to the OS that it is sold under the premise of supporting?

    Symantec should have had them on a conference call during 10.7.4 release, to immediately test, and release an announcement, and software update within minutes if PGP stopped working.

    OSX doesn't have the notion of holding on to specific versions.  You can't simply "stay on 10.7.3".  You have the install media version (10.7), and the latest version (10.7.4 as of 2012-05-30).  Telling customers not to do updates... is deplorable coming from a security company, and ought to subject Symantec to direct civil liability for damages if those updates would have prevented security incidents.

    Imagine if Symantec had the gall to tell Windows users, "No Microsoft Updates for you, until we approve each one".  Get real.  That's not how it works.

    As far as I can tell at this point, PGP broke because it was using a deprecated storage driver, which was finally removed in the 32bit kernel for 10.7.4.  Is it Apple's fault for removing it, or Symantec's fault for not using the newer driver?  I don't care.  But Symantec's choice to keep its software as proprietary, non-libre, obligates Symantec to take the burden of maintaining it when the rest of the world moves on.  Symantec is the only one who CAN fix this.  So they must.  And they have thus far failed to do so.  Weeks, if not months into this disaster.

    As a customer, this is SEVERELY distressing.



  • 10.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 30, 2012 06:37 PM

    Not a solution, but you can try this to at least get your computer into a usable state.

    https://discussions.apple.com/thread/3374161?start=0&tstart=0

     



  • 11.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 31, 2012 03:13 PM

    We have done tons of testing in QA with the developer seeds for 10.7.4. This issue (and another issue that has hit us all of a sudden about Virtual Disk issues) was never discovered with current version testing. We tested 10.2 MP5 and 10.2.1 on the 10.7.4 developer seed releases. This issue never came up; this is news to me (today actually). I have seen prior discussions and forum threads saying that the 10.7.4 update works on Mac OS X.

    Are you certain that you are not using FileVault at all? Including FileVault encrypted external volumes? There is a problem with the current version where we are still not 100% compatible with FileVault and some use cases will disable WDE functionality if it detects FileVault encrypted disks at all.



  • 12.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 31, 2012 03:29 PM

    Ben, thank you for responding to inquiries here. Can you tell us the status of testing/repair of the Virtual Disk problem with 10.2.1 and 10.7.4? I've successfully used the decryption workaround (via DiskUtility), but now I'm looking at a bunch of unencrypted virtual disks, and that's not good. When can we expect more information, or better yet, a final fix?



  • 13.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted May 31, 2012 03:41 PM

    Yes.  I am certain: We are absolutely, unequivocally, not using FileVault or FileVault2 in any way, on any system that PGP WDE 10.2.1 has damaged.

    The only places in our organization where we have used FileVault2, are on the laptops of team-members who have completely given up on Symantec PGP WDE, and vehemently obstruct the installation of any Symantec-branded software on their computers.  These users have been spared destruction.

    Symantec PGP WDE 10.2.1 MP1 (Or 10.2.2) is overdue.



  • 14.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 01, 2012 12:32 PM

    BCrookAtRA

    We need to track down this issue and get to the bottom of this.

    Please open a new case to support:

    Submit and Manage your Cases online at MySupport:
    http://www.symantec.com/business/support/index?page=cdlogin

    Open to advanced team. They will gather evidence and work on a fix for this.

    This is the only way to permanently solve the problem.

    Thanks

     



  • 15.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 01, 2012 01:06 PM

    I attempted to "open a case" weeks ago, and was denied.  I attempted to report the bug to Symantec by phone, and was rejected.  Some way to treat customers!

    Perhaps you can tell me what I need to enter in one of these three fields, to get Symantec to listen.  This is where your link leads me after spending much time signing up for an account, filling out version numbers and problem details.

    I am not having trouble using the software, and I do not need technical support.  I am reporting a catastrophic bug that has caused hundreds if not thousands of Symantec PGP customers catastrophic data loss and business interruption.

    ...From the link you provided:

     

    Technical Contact Id :
    or
    Support Number :   -    -
    or
    Technical Case Id :



  • 16.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 04, 2012 11:14 AM

    @BCrookAtRA,

    Would you mind sending me a copy of your system profile exported? This will tell us what system specifics you are using. Since QA did not see this problem come up in testing and support has been unable to reproduce this problem yet, it is most likely due to third party software (possibly conflicting with PGP WDE). Do you have any third party software used for Microsoft Active Directory policy updates to your Mac? We have seen a conflict with Centrify software recently.



  • 17.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 04, 2012 06:45 PM

    https://riskanalytics.com/attachments/mbp

    I tried installing it again, and today, 2012-06-04, Symantec PGP WDE 10.2.1 no longer bricks OSX 10.7.4.  I believe this to be because the most recently issued OSX update to 10.7.4 re-enabled the deprecated IO handle that PGP uses.

    The root problem is not resolved until PGP uses CoreStorage like it is supposed to.

    CoreStorage was made available in 10.7.0, and replaced the previous mechanism that dated back to 1998.

    As of 10.7, CoreStorage was the proper layer to insert block cryptography.  FileVault2 used it from its inception.  PGP never has.  This is what caused OSX users to lose their data and brick their machines when applying regular OS updates.



  • 18.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 05, 2012 02:31 PM

    Thanks for this information. It's really helpful. I will create a KB article so every user can know this.

    I tried to open the link in Firefox (Windows) and Safari (Mac), but it seems something is missing. Is this QuickTime?



  • 19.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 05, 2012 05:17 PM

    Here is the article.

    This is being worked on by the engineering team.



  • 20.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 05, 2012 05:58 PM

    Hmm,  Weird thing on that link.  It worked for me (Google Chrome, on GNU+Linux)

    It looks like Windows/Mac need the file extension, so I made a copy of it with .txt on the end:

    https://riskanalytics.com/attachments/mbp.txt



  • 21.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 05, 2012 06:01 PM

    The article describes updating OSX 10.7.2 to 10.7.3.  

    The problem I reported was updating OSX 10.7 to 10.7.4



  • 22.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 07, 2012 10:13 AM

    And your disk wasn't encrypted either, so yeah, that article isn't correct at all.

    This isn't the typical "OSX update blows away the PGP EFI". This is: install PGP on a 10.7.4 system, reboot, and the system will not boot.



  • 23.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Jun 07, 2012 01:12 PM

    Thanks Sarah. Yes, the final action occurring in my case was the installation of PGP, not an update to OSX.

    I'm not primarily a software engineer, but I do have a strong technical background.  Until a better solution can be conceived, I would recommend, and accept at least this as a fix:

    1. Each installer for PGP embed a list of OSX versions that it is known to not destroy.
    2. When first launching the installer, it would check that the presently running OSX version is on that list.  If on the list, proceed with install.
    3. If not on the list, check for a newer list that Symantec could post online in csv format. If on that list, proceed with install.
    4. If not on that list, abort the install or severely warn user.

    There would be one csv on Symantec's website for each released version of PGP.  This list would start out as a copy of what is embedded in the installer.  Over time, if newer versions of OSX are released, and Symantec's testing shows that a given version of PGP works on that newer version of OSX, Symantec can add that OSX version to the PGP version's compatibility list, and installers will function thereon.

    Perhaps because of the severity of the failure mode of this problem, the installer should ALWAYS check online for compatibility information.  This way Symantec can "revoke" compatibility for a certain OSX version if they get reports of catastrophic failure.  Users would get a very nasty warning message alerting them that disaster lies ahead, but they could accept the warning and continue if they are installing without connectivity, or in a classified environment, and know it is supported.
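
The installer pre-flight check proposed in the post above, sketched in Python as an added example that is not part of the original thread or of Symantec's installer. The embedded version set, the `osx_version,status` CSV columns and the `revoked` status value are assumptions made for illustration, and the sample list is constructed.

```python
import csv
import io

# Step 1: list baked into one installer build (hypothetical values).
EMBEDDED_OK = frozenset({"10.7.0", "10.7.1", "10.7.2", "10.7.3", "10.7.4"})

# Constructed sample of the vendor-hosted list for the same PGP build.
# Assumed columns: osx_version,status with status "ok" or "revoked".
SAMPLE_ONLINE_CSV = (
    "# constructed sample, not real vendor data\n"
    "10.7.3,ok\n"
    "10.7.4,revoked\n"
    "10.7.5,ok\n"
)

def parse_online_list(csv_text):
    """Return {osx_version: status}; reject rows that are not well formed."""
    entries = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 2 or row[1].strip() not in ("ok", "revoked"):
            raise ValueError(f"malformed compatibility row: {row!r}")
        entries[row[0].strip()] = row[1].strip()
    return entries

def preflight(os_version, online_csv=None, embedded=EMBEDDED_OK):
    """Return (decision, reason); decision is "install" or "warn".

    online_csv is the fetched list text, or None when there is no connectivity.
    "warn" means stop and require an explicit operator override.
    """
    if online_csv is not None:
        try:
            online = parse_online_list(online_csv)
        except ValueError as exc:
            return "warn", f"online list unusable: {exc}"
        status = online.get(os_version)
        if status == "revoked":  # revocation beats the embedded list
            return "warn", f"{os_version} was revoked after failure reports"
        if status == "ok":
            return "install", f"{os_version} is on the online list"
    if os_version in embedded:
        return "install", f"{os_version} is on the embedded list"
    return "warn", f"{os_version} is not on any compatibility list"
```

Because the hosted list decides whether a boot-critical driver gets installed, a real installer would fetch it over an authenticated channel and treat any parse failure as "warn", as this sketch does.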



  • 24.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Sep 16, 2012 10:59 PM

    This just happened to me.  I'm running the Brand New MBP Retina on 10.7.4 Lion and PGP 10.2.1 [Build 4869].  At the login screen, I try to put in my password, and then the keys stop working.  After hitting F3 to show password, it confirms that at times the keys entered are not inputting.  After about 5 min of off and on "F3" I finally get my password to fully input and hit enter, then it goes in and gives me the same grey screen and nothing happens.  Even after 10 min.

    I'm screwed!!!!  Help!!!!

    FYI,

    • I have no FileVault containers.
    • 10.7.4 came factory installed from Apple on my Retina before Mountain Lion was released.

    HELP BEN & Julian!!!! I've tried multiple times to create a ticket and it times out or says system error!



  • 25.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Sep 17, 2012 01:07 PM

    PGP WDE works with 10.7.4 with PGP Desktop 10.2.1 MP3 in our test cases. It works on both of my MacBook Pros that I use here in support. One of them is a mid-2011 MacBook Pro and one of them is a 2008 MacBook Pro. There must be something specific to these machines that does not work.

    I have noticed several people on this forum thread are using Ivy Bridge chipsets in the new 2012 MacBook Pros with Retina and non-Retina displays. I apologize for the confusion, but this requires you to be on PGP Desktop 10.2.1 MP3 (the latest as of 9/12) or newer.  This is because we introduced some new enhancements to the code to work with these newer MacBook Pro models. If you are not on that version of PGP WDE you will certainly see problems with trying to boot your 2012 MacBook Pro. This has been confirmed. See this KB article here on that issue:

    http://www.symantec.com/docs/TECH191890



  • 26.  RE:  Symantec PGP 10.2.1 nukes OSX 10.7.4 bootloader, bricking laptop

    Posted Sep 17, 2012 06:07 PM

    See my later comments. PGP WDE 10.2 MP2 (Build 4869) doesn't support new MBP Retina display models. You need to be on PGP WDE 10.2 MP3 (Build 4940). You will need to decrypt the disk using a recovery CD or target disk mode from another Mac and then update PGP.

    Sorry for the confusion!