Specific Protection against the "Cold Boot" or Princeton class of attack has been added to Symantec Endpoint Encryption since SEE FD 7.0. This protection is optional, but is enabled by default. This protection ensures that cryptographic key information can not be retrieved from RAM after shutdown or hibernation.

Users of the Symantec Endpoint Encryption 6.x product are advised that AES symmetric keys are not loaded into memory until the user authentication step has been completed. This step is required when the machine is either coming out of hibernation or being booted from a shut down or cold state. Also, even if the Symantec Endpoint keys are accessed in memory, a unique AES initialization vector still needs to be created to encrypt or decrypt each sector of the disk. Because of this, the attacker would need to figure out the seeding algorithm and key expansion methodology to recover data from the disk – making compromise of the Symantec Endpoint 6.x product highly unlikely.

As an additional precaution, enterprise security administrators in environments where SEE 6.x is being used are advised to take the following steps:

• Disable the “standby” function on PCs so that all machines are powered down when they are turned “off” (either via “shut down” or “hibernate” in Windows parlance)
• Restrict the ability to boot from removable media by taking steps such as requiring an administrative password to change the boot sequence in BIOS to allow boot from sources other than primary drive
• Use machines with BIOS that tests and initializes the memory through “power on self test”
• Physically secure DRAM to the machine to make it difficult to remove quickly and without damage