Endpoint Encryption

I have deployed PGP Desktop Email 10.2 on 8 identical PCs in a Microsoft SBS 2008 network. All are running Windows 7 32bit and Outlook 2007. On 5 of them it works fine.

On the remaining 3, it won't encrypt or decrypt anything. If I write "[PGP]" in the subject line or check the "encrypt" option, the mail arrives at the destination unencrypted. If an encrypted mail arrives, it shows up in Outlook as empty, with an attachment named "encrypted.asc" which Outlook cannot display.

I have double and triple checked the configurations between working and non-working PCs and they are, to my eye, identical. The PGP Desktop log shows "processing" lines for all outgoing and incoming mails, even displaying the subject line containing "[PGP]", but doesn't actually process them. The only suspicious message is

16:06:58 E-Mail-Adresse     Fehler    Aufgrund von unzureichenden Berechtigungen ist die Proxyfunktion für den Vorgang 2372 nicht möglich.  Beim Vorgang handelt es sich möglicherweise um einen Dienst.

(E-Mail Address Error Because of insufficient permissions the proxy function for process 2372 is not possible. The process may be a service.)

which appears once after PGP Desktop is started, and sporadically during the day, but not in direct connection with sent or received mails, whether encrypted or not.

The Windows event log is clean.

What can I do to find and ideally correct the cause of that malfunction?

aTdHvAaNnKcSe,

Tilman

Have you tried enabling debug logging, and reattemping a send & receive of encrypted email?  This may shed more light on the issues:

http://www.symantec.com/business/support/index?page=content&id=TECH149847

I did enable debug logging, but that changed nothing except the line

15:28:22 PGP     Info    Einstellung der Protokollierungsstufe auf: 0xF3F

(Info Setting the log level to: 0xF3F)

in the PGP Desktop log which previously said "Normal" instead of "0xF3F".

I'm attaching the complete log of today (all in German, sorry - let me know if you need a translation) with only the details of some third-party E-mails sanitized (replaced by "[...]"). The last three lines are from my tests:

• I sent one (!) mail with "[PGP]" in the subject from the affected user's account to my own address, which arrived unencrypted in my mailbox.
• I then sent a PGP encrypted reply to that mail from my mailbox to the user, which was not decrypted.

Attachment(s)

pgp-debuglog-sanitized.txt   8 KB 1 version

Any ideas, anyone?

Should I open a support case?

Tilman,

   From the infomation you have given it looks like you are only dealing with PGP Desktop ad are not using Universal server as your email gateway. The problem is from the behaivor and from the error messages is that Proxy is not able to run on these systems that you are having problems with. If all 8 of these clients are identical with the same software I would first try to uninstall and reinstall on one of your systems that is having a problem if that does not improve your situation please open a case with support and we will help you out.

Good Luck,

Geoff

Geoff,

thanks for your reply.

Your understanding is correct. There is no Unversal Server involved, just PGP Desktop, Outlook, and Exchange.

I have uninstalled PGP Desktop on one of the affected PCs via Control Panel - Install/Remove Software, rebooted as requested by the uninstaller, installed PGPDesktopWin32-10.2.1MP2.exe, and rebooted again as requested by the installer. The newly installed PGP Desktop did not ask for configuration but came up with everything configured as before. Alas, the function was also as before, ie. it would list all incoming and outgoing mails in the PGP Desktop log but never encrypt or decrypt anything.

The error message: "Because of insufficient permissions the proxy function for process 3920 is not possible." is also still present. This time I have looked up process 3920 in Task Manager, and it turned out to be the PID of the TeamViewer process through which I was accessing the PC. So I assume that message is not related to the problem. I haven't had a chance to check whether the same message appears when TeamViewer is started on a PC where PGP Desktop works correctly.

I'll follow your recommendation and open a support case.

Thanks,

Tilman

This Knowledge Base Article may be helpful. Or http://www.symantec.com/docs/TECH149945

Tom,

thanks for the links. I wonder why they didn't show up in my KB search. Perhaps it doesn't know about localized messages?

Anyway, the case is in the hands of Symantec support now. Let's hope the technician knows about these articles, too.

Regards,

Tilman

Update:

Today the Symantec support engineer

1. deleted and recreated the "Messaging" entry in PGP Desktop, making all settings identical to those of one of the other PCs where encryption works correctly
2. reimported and signed the test recipient's public PGP key
3. deleted and recreated PGP Desktop's application profile (stopped PGP service, renamed folder "%AppData%\Roaming\PGP Corporation", started PGP Desktop which asked everything including the license key again)
4. recreated the messaging entry again, seeing that PGP Desktop hadn't detected and installed the Outlook account by itself
5. uninstalled PGP Desktop, deactivated UAC, and reinstalled PGP Desktop
6. retested with UAC still off

None of these helped.

He also tested encryption via the clipboard. That works fine. So the problem is clearly with the Outlook integration.

I'm waiting for him to try and reproduce the problem in his lab now.

Update2:

Today, 48 hours after his online troubleshooting session, the Symantec support engineer asked me by E-mail to activate debug logging according to http://www.symantec.com/docs/HOWTO64205, which differs slightly from TECH149847:

• LogingLevel is set to 3FFFF instead of F3F
• an additional DWORD value DebugLogging is created and set to 1

(Un?)fortunately, with that change, encryption of outgoing mail works.

I hesitate to call that a solution, though, and support agrees with me, so I sent him the logs and he'll try to figure out what's going on there.

Update3:

According to Symantec support, this problem may be caused by virus scanners which hook into the network stack as LSPs, because the PGP Desktop E-mail proxy uses the same mechanism. The effect may even depend on the startup timing which of course makes it rather elusive.

The PC which started working once I activated debug logging had an unwanted installation of McAfee Security Scan Plus (ISTR that Flash Player updates once tried to sneak that in) in addition to the normal Microsoft Security Essentials which the whole site is using. The support engineer was convinced that this was the source of the problem, and indeed after uninstalling the McAfee product and lowering the logging level the problem didn't reappear on that machine.

The other two affected machines do not have the McAfee scanner installed though. On one of them, activating debug logging caused the problem to disappear, anyway. On the other, it didn't, so we now have debug logs of the problem. Let's hope this brings us nearer to a solution.

Very interesting reading, please update when you get a resolution, it would be very good to know if that blasted McAfee Security Scan causes such issues

The mystery is solved. The trouble was cause by smartcard readers connected to the PCs and used for purposes unrelated to PGP (authentication to a web service). If a smartcard was present in the reader during the installation of PGP Desktop, the PGP Desktop configuration wizard would try to find usable PGP keys on it and crash in the attempt, leaving a half-working configuration.

Solution:

1. Stop the PGP Services.
2. Delete the folder "%AppData%\PGP Corporation" containing the bad configuration.
3. Make sure that there is no smartcard in the reader.
4. Start PGP Desktop and complete the configuration wizard.
5. In Options, deactivate the "synchronize keyring with tokens and smartcards" option.

After that, it works even if a smartcard is later inserted.

It is still advisable to deactivate UAC during the installation of PGP Desktop, and to make sure you uncheck the "install McAfee Security Scan Plus" option when updating Flash Player.

HTH
Tilman

Ahh, yes that makes a lot more sense that one.

Glad you got it sorted!

On a side note, I got the same problem with PGP 10.3. This time a Sophos service seems to be a problem.

I read within a post (I don't remember which one), to first

uninstall Sophos

Uninstall PGP

Install PGP

Install Sophos.

This solved the problem of Office/Thunderbird, not encrypting PGP messages.

And decreases the number of the error message of the failing proxy function.