FAQ - DLP End-point Encryption for USB PSD
How can I verify if the upgrade to Trellix Agent (TA) version is successful?
1) Tap on the Trellix icon on the Windows toolbar.
2) Right-click the mouse, select "About..."
3) For an upgraded DLP computer client, the version number of the Trellix Agent (TA) is
How long does it take to upgrade to Trellix Agent (TA) version to
It takes about 5 minutes to process the upgrade after the new software is downloaded to the DLP computer client.
Why should I upgrade Trellix Agent (TA) to version
The new version has fixed a number of issues and it officially supports Windows 11.
How can I check the "Agent Version" from the DLP Management Server?
1) Please go to the DLP Server console.
2) Click "Action" > "Choose Columns"
3) From "Available Columns", click "Product Version (Agent)".
How can I verify if the upgrade to Trellix File and Removable Media Protection (FRP) version is successful?
1) Tap on the Trellix icon on the Windows toolbar.
2) Right-click the mouse, select "About..."
3) For an upgraded DLP computer client, the version number of the Trellix FRP version is
How long does it take to upgrade to Trellix FRP version
It takes about 5 minutes to process the upgrade after the new software is downloaded to the DLP computer client.
What should I do to upgrade Trellix FRP to version
All DLP staff PCs connected to the HKU campus network (not including Wi-Fi.HK and eduroam) will have the DLP client software automatically upgraded by the DLP Server. A manual restart of the DLP PC is required to complete the installation. (The DLP PC will display a message informing you to restart it.) Please remember to save all your work before you restart the PC.
Why do I need to upgrade the Trellix FRP version
The new version has fixed a number of issues.
Is there any impact on a USB PSD initialized by old DLP software?
There is no impact. A USB PSD initialized by old DLP software can be accessed normally on a DLP computer client with the new DLP software installed.
Is there any change to the procedure for initializing a USB PSD with the new DLP software?
There is no change to the procedure for initializing a USB PSD with the new DLP software.
How can files of size > 4 GB be stored in the encrypted container?
The encrypted container in the DLP USB PSD can now support files of size > 4 GB (maximum file size is up to 256 GB).
I cannot apply the Windows 10 version 1709 (a.k.a. Windows Fall Creators Update) update to my PC with DLP software installed, why?
The DLP software (version 5.0.3 or earlier) is not compatible with Windows 10 version 1709 and will stop any update to the latest Windows version. Please upgrade the DLP software to fix the upgrade issue.
When I save changes to files edited in Microsoft Word/Excel/PowerPoint/WordPad/Paint and stored on an exempted USB PSD, I receive an error message and cannot save the file. What should I do?
This issue has been fixed in version 5.0.4. (You can use the “Save as” function in the editor to save the working file to a new file; or you can copy the file to the local hard disk of your PC, save the updated file and copy it to your exempted USB PSD.)
When I inserted a DLP initialized USB PSD into a PC, it did not prompt me to enter the password of that USB PSD and I could not run the DLP software executable (MfeEERM.exe) on that USB PSD. What should I do?
For DLP staff PCs, select the “Trellix” icon and “Quick settings”, then click the “FRP Sync” button.
For Mac OS, please follow the procedure below to access your encrypted data on the USB drive:
1. Go to System Preferences > Security & Privacy, under Privacy tab > select Full Disk Access
2. Click "+" button, locate the USB drive and find the Trellix Removable Media Protection.app and press Open.
3. After completing the above configuration, open the Trellix Removable Media Protection.app from the USB drive.
4. It will prompt you to enter the password.
What are the supported platforms for installation of the new DLP software?
The supported platforms include:
1. Windows 11 (32-bit/64-bit)
2. Windows 10 (32-bit/64-bit) (Professional, Enterprise)
Is Mac OS X supported by the new DLP software?
The new DLP software cannot be installed on Mac OS X platforms, but any USB PSD initialized by the new DLP software is accessible (read and write) after authentication on Mac OS 11.0.X and above.
I found that I did not need to input a password to access a DLP initialized USB PSD, why?
This is a new feature of the new DLP software. For any USB PSD initialized on a DLP PC, the user will only be prompted for setup of a password during the initialization process of the USB PSD. Any subsequent accesses will not require password authentication on the PC that initialized the USB PSD.
When I initialize a USB PSD, it shows “Key not available” and the “Initialize” button is dimmed. What should I do?
1) Close the Initialize Removable Media window, then click the buttons "Check New Policies" and "Enforce Policies" in Trellix Agent Status Monitor.
2) Select the “Trellix” icon and “Managed Features”, then click the “Initialize media” button under the “File and Removable Media Protection” option.
If it still shows “Key not available” when you initialize the USB PSD, please check the encryption key stored on the DLP PC:
Click the “Trellix” icon > “Managed Features” > “File and Removable Media Protection”, click “Available keys” and check that a personal key is stored on your PC.
If a personal key can be found, it seems that the personal key is not working.
You can get a new workable encryption key by the following steps:
1. Open “Computer Management” (in MS Windows) > “Local Users and Groups” > “Users” and rename the user account.
2. Log in using the new user account name.
3. Click the DLP software icon to select “Trellix Agent Status Monitor”, then click “Check New Policies” and “Enforce Policies” buttons.
4. If you want to get back the original encryption key to recover the password on your DLP USB PSD, you can rename the user account back to the original name and log in again.
When I select Forgotten Password on the DLP initialized USB PSD, the DLP software pops up a message asking me to contact the administrator and provide the challenge code given. What should I do?
Resetting a forgotten password by using challenge and response codes in the DLP software is not supported in the University.
Can I reset the encryption password on DLP initialized USB PSD if I forgot the password?
You can access the USB PSD without a password on the DLP PC client on which you initialized it, and you can reset the password by the following steps:
1. Plug in the DLP initialized USB PSD whose protection password you want to change.
2. Select Trellix icon on Windows toolbar.
3. Right-click the mouse and select Manage Features > File and Removable Media Protection.
4. Select Change credential.
5. Input a new protection password and re-confirm to set up.
I have been using the DLP software on my staff PC for a while without problems. One day, after rebooting the staff PC, I found that the personal key had disappeared and I could not encrypt a USB PSD. What should I do?
Please click the buttons "Check New Policies" and "Enforce Policies" in Trellix Agent Status Monitor to test.
My backup software failed to detect the encrypted area of the DLP encrypted USB portable storage device, what should I do?
Please use the Windows Backup and Restoration tool, which is available on the Windows 10/11 platforms, to back up and restore the data files.
Is there any test made on initializing a USB Portable Storage Device (“PSD”) over 3 TB with encrypted area smaller than 3TB?
We have tested encrypting a 2TB partition on a 4TB USB PSD and writing data into the encrypted partition; files in the encrypted partition could be read and written without problem. However, please do not create 65,534 or more files or folders in any single level, as there is a limitation that no more than 65,534 files or folders can be created.
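A pre-flight check for the two container limits stated in this FAQ (256 GB maximum file size, and the 65,534 files-or-folders limit per level), run over a folder before it is copied to the encrypted area. This is an added example, not part of the original FAQ or of the Trellix software; the function names, the reading of 256 GB as binary gigabytes, and flagging a level once it holds 65,534 entries are assumptions.

```python
import os
import tempfile

# Limits as stated in this FAQ for the encrypted container.
MAX_FILE_BYTES = 256 * 1024**3    # "up to 256 GB" (assumed to mean binary GB)
MAX_ENTRIES_PER_LEVEL = 65_534    # "do not create 65,534 or over" per level


def preflight(root, max_file_bytes=MAX_FILE_BYTES, max_entries=MAX_ENTRIES_PER_LEVEL):
    """Walk `root` (data about to be copied to the PSD) and return sorted
    (kind, path, value) findings. Hypothetical helper, not DLP software."""
    findings = []
    stack = [root]
    while stack:
        current = stack.pop()
        count = 0
        try:
            with os.scandir(current) as entries:
                for entry in entries:
                    count += 1  # files and folders both count toward the level limit
                    if entry.is_dir(follow_symlinks=False):
                        stack.append(entry.path)
                    elif entry.is_file(follow_symlinks=False):
                        size = entry.stat(follow_symlinks=False).st_size
                        if size > max_file_bytes:
                            findings.append(("file_too_large", entry.path, size))
        except OSError as exc:
            # A folder that cannot be listed cannot be verified; report it.
            findings.append(("unreadable", current, str(exc)))
            continue
        if count >= max_entries:
            findings.append(("too_many_entries", current, count))
    return sorted(findings)


def demo():
    """Constructed sample tree, checked against scaled-down limits."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "reports"))
        for i in range(5):
            open(os.path.join(root, "reports", f"r{i}.txt"), "w").close()
        with open(os.path.join(root, "big.bin"), "wb") as fh:
            fh.write(b"\0" * 2048)
        found = preflight(root, max_file_bytes=1024, max_entries=5)
        return [(kind, os.path.relpath(path, root), value) for kind, path, value in found]


if __name__ == "__main__":
    # Check the current folder against the real limits.
    for finding in preflight(os.getcwd()):
        print(finding)
```

An empty result means the folder tree fits within both stated limits; any finding names the file or folder to split up before copying.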
After completion of the first part of the DLP software installation, there is no pop-up message asking for reboot and there is no personal key available on the DLP software, what should I do?
Please check whether a Windows update process is running on the PC for patch updates, and reboot the PC manually after the installation of the patches is completed.
How to verify if DLP software is installed on my PC?
Please check the Windows taskbar. The DLP software is installed if the “File and Removable Media Protection” option is available after selecting the “Trellix” icon and “Managed Features”.
What is the tool we are using in HKU for data leakage prevention?
HKU has adopted the data protection solution from Trellix, which mandates the encryption of a USB flash drive before any write access to the device. After initialization by the software, access to the USB flash drive will be protected by password and data stored in the device will be encrypted. The software is available for download by all staff after logging on to the HKU portal, under the DLP Project web site. Please click here to download.
What type of USB flash drive should I use on HKU staff PCs?
Only DLP initialized USB flash drives should be used on the HKU staff PCs. Access to non-DLP ordinary USB flash drives will be limited to read-only access.
Files could not be opened in the encrypted USB PSD on the PC with DLP software installed and the error message is “The files were corrupted”. However the files can be opened in the encrypted USB PSD when connected to the PC without DLP software installed. What should I do?
It could be caused by a file table index problem in the encrypted area of the USB flash drive. Please change the authentication password of the encrypted USB flash drive on a PC without DLP software and test to access the files again in the PC with DLP software installed. The change of password will re-write the file table index in the encrypted area of the USB flash drive. If the problem persists please copy all data from the concerned DLP encrypted USB PSD to another DLP encrypted PSD through a PC without DLP software. After proper data transfer and access using the new USB PSD are confirmed, the problematic USB PSD can be disposed of or recycled as appropriate.
The IP address and MAC ("Media Access Control") address information is not properly displayed on DLP server after installation of the DLP software on my PC, why?
Please temporarily disable the anti-virus software of the PC and click the buttons "Collect and Send Props", "Send Events", "Check New Policies" and "Enforce Policies" in Trellix Agent Monitor, then re-enable the anti-virus software to test.
After installation of the DLP software on the PC, the personal key is not available and the button "Initialize media" is dimmed in the "File and Removable Media Protection" module under the "Managed Features" of the DLP software icon. How can I solve this problem?
Please change the user name of your Windows user account to test. A user name containing an apostrophe (') is not supported by the DLP software for assigning the personal key.
Does DLP End-point Encryption for USB PSD change how I use my PC or applications?
No. You should not notice any difference in the performance of your PC, but your data will be protected as it is saved to USB PSD.
Is it mandatory to install the DLP software to all my PCs?
Yes, it is mandatory for all PCs that are within scope of the DLP Project. Please refer to “Project Scope and Phases of Development” section of the DLP web page. For PCs that are either for student use or not owned by HKU, no installation is required.
For a PC that will be used by several staff members, is it necessary for every staff member to perform the DLP software installation using their own login account?
After the first successful installation of the DLP software to the PC, it will become effective for any other staff members using the same PC without the need for installation by each of them. The recovery key will be unique to each login account.
Will I see encryption happening?
No. Encryption is transparent and automatic after the USB PSD is initialized.
Will encryption change how I use applications?
No. Applications won’t even notice the encryption process because it’s done automatically in memory.
I use an external USB portable hard-disk. Will it also need encrypting?
Yes, if data will be transferred from a University PC to the external USB device. Exemption of any external PSD has to be approved by the department head and recorded.
How do I encrypt my USB flash device?
To find out the step-by-step guide, see "DLP End-point Encryption for USB PSD procedure".
If a USB PSD that contains data files is initialized by the DLP software, will the files be erased?
It is recommended to initialize USB PSD without any data so as to avoid any possible damages to the files it contains. However, under normal circumstances, the existing files would be kept in an unencrypted file folder of the PSD if it is initialized by the DLP software.
What is the proper procedure to take out a DLP encrypted USB PSD after its use?
A DLP encrypted USB PSD works in the same way as any other USB PSD. The “Eject” function must be invoked, and you must wait until the message advising safe removal of the device appears before removing it physically from the computer. Otherwise, data corruption is possible.
What is a USB PSD encryption password?
This is a password you define for each USB PSD you encrypt. It is used to ensure the encrypted data can’t be accessed by anyone who does not know the password.
Is the USB PSD encryption password the same as my PC logon password?
No. The password for your encrypted USB PSD is not the same as the password used to log into your Windows computer. A different password should be created for USB encryption.
What is the password policy for DLP End-point Encryption for USB PSD?
The password should have a minimum of 10 characters, including at least one alphabetical character and one numerical character.
What should I do if I forget my password?
If you forget your password please follow the steps below for recovery:
1. Plug the encrypted media into the PC that you used to create the encrypted USB PSD.
2. When you get the password prompt, simply click the "Recover" button.
3. You will be prompted again and simply click ‘Next’.
4. Once you are authenticated with your computer, you will be prompted again for password reset.
Can I change the password of the encrypted USB flash drive from another PC (with or without DLP software)?
Yes, it is possible if you have the correct password. Please see "DLP Data Encryption for USB PSD procedure".
If the staff PC has crashed and the user has also forgotten the password for the encrypted USB flash drive, what can we do?
Users can contact ITS through their departmental DLP project coordinator to see if encryption keys can be recovered from the central DLP server.
How are iPhone, smart phones, e.g., Android, Windows Mobile and digital cameras handled by DLP End-point Encryption for USB PSD?
iPhones and smart phones do not connect as USB mass storage; they use other connection protocols, such as Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP), to connect to a Windows operating system. Therefore, DLP End-point Encryption for USB PSD will not attempt to encrypt the storage inside the device. If a pop-up asks for encryption, do not click the "Next" button; cancel the operation according to the instruction.
We are currently using USB flash drives with a hardware built-in encryption feature. Do we need to install the DLP software? If it is required, will it work with such drives?
Yes, installation of the software is required to ensure that data is encrypted when any other USB flash drives without a built-in encryption feature are used. A USB flash drive with a hardware built-in encryption feature is not compatible with the DLP solution and can only be used in PCs without the DLP solution installed. Password recovery for such USB flash drives may not be possible, so the Department should start to use the DLP solution for data encryption, where password recovery is possible.
How can we create USB boot up flash drive for the Ghost software?
Creation will be possible by (1) using PC without the DLP software and (2) USB flash drive without being initialized. The USB flash drive can then be used for the boot up purposes.
Can I use the USB ReadyBoost feature as supported by Windows platforms?
No. The Windows ReadyBoost feature is not supported by the DLP software, regardless of whether the USB flash drive is initialized or not.
I frequently do presentations around the world. Will my encrypted device still work?
Any modern PC running Windows will be able to read the content on your USB device. You will be prompted to type your password. After authentication, you will be able to present your work as normal from a container.
I have Windows 11/Windows 10/Mac OS at home. How does encryption affect me?
If you encrypt your USB device then you will be able to read and write to the device as normal on Windows platforms and Mac system with OS 11.0.x and above after entering the correct password.
I am bringing my USB drive to the classroom to present materials to my class. How do I access these files in the classroom?
You will need to type the password to retrieve your files from the USB device.
Is it possible to grant exemption from encrypting a device at individual device level instead of the whole device type?
No. It is not possible to grant exemption at individual device level due to the DLP solution design.
Why does a department need to set up a DLP Departmental Management PC?
Departmental DLP project coordinators will be given an account for accessing the central DLP server so that they can grant exemption to a USB PSD when needed. They can use the DLP Departmental Management PC to change the password of the account on a regular basis. Coordinators can also initialize USB flash drives on the DLP Departmental Management PC for staff members who do not have their own PC or whose systems are incompatible with DLP software installation.
Can we uninstall the DLP software by ourselves?
No. Uninstallation of the DLP software from staff PC is not allowed. If there are special or technical reasons that are justified and approved by the corresponding Department Head and Director of ITS, uninstallation is allowed and has to be performed by central ITS administrator.