Getting XPProEmu to let us use Safend Protector encrypted USB media?


  • Our organization has implemented use of Safend Protector to limit access to USB media.

    One of my colleagues needs to move files between the protected workstation and an XPProEmu-based system.  When we install the USB media into the XPe system, it recognizes the media.  We are presented with a Safend dialog that asks for a password that is set when the media was manipulated by the protected system.  Until the password is put in, we can see a .exe and a .ses file on the media, but as soon as the media password is entered, the USB media disappears.  I tried loading the .exe in Dependency Walker on the target system, but it says the executable cannot be loaded.

    I've got an e-mail into Safend support and am awaiting a reply, but in the meantime it seemed reasonable to open a thread here for discussion and maybe for eventual posting of a solution.  Has anyone encountered Safend Protector while using an XP Embedded image?

    Wednesday, May 25, 2011 8:39 PM

All replies

  • I used a similar product some time ago. It required the boot media to be formatted with NTFS. Is your system formatted with NTFS?

    -Sean, Book Author - ProGuide to WES 7, XP Embedded Advanced, WEPOS / POS for .NET Step-by-Step
    Thursday, May 26, 2011 2:20 AM
  • The product prepared the USB media as FAT32.  I'm not sure there was an option to reformat the media, but possibly that could be worked on.

    I got a kiss-of-death reply from support this morning.  XP Embedded is not on their list of supported operating environments. I did reply with an explanation that it is XP Pro in this case, and it does not seem reasonable to bail out with that rationale, so hopefully they will reconsider.  It is not nice to tell everyone that if their company utilizes products like this they can't update the product via protected USB media especially when the embedded unit does not write to the media.  We've already had people download updates from home and bring them to work.  Surely that is not what companies like Safend are out to do... force people to go off the company network to get their jobs done.

    IT can put in an exception on the serial number of the USB media.  It could come down to convincing IT there is a business need for allowing an exception since I can do the same operations without the protection by simply burning CDs and using a USB-attached CD drive on the embedded system.  Unfortunately, without a solution, this is going to be more than an annoyance for anyone who buys the product that works for a company that employs protective measures of this sort, and besides, on the real product, I really don't want USB CD drivers, etc. on the box for more than one reason.

    Will post back as more develops.  Thanks for your idea.  I can try formatting a stick as NTFS and try it again.

    Thursday, May 26, 2011 2:52 PM
  • Oh.  I think you may have meant to say the "embedded boot media" was formatted with NTFS.  Yes.  Our product does boot from an NTFS file system.
    Thursday, May 26, 2011 3:04 PM
  • Yes, that was what I meant.

    It is typical for server software companies not to know what embedded is. The volume and sales on the desktop is the attractive piece. With thin clients growing really big, I am not sure I understand why the limit to desktop systems. I think Symantec Endpoint has something similar, and they might support XPe\WES2009.

    -Sean, Book Author - ProGuide to WES 7, XP Embedded Advanced, WEPOS / POS for .NET Step-by-Step
    Thursday, May 26, 2011 4:21 PM
  • A manager from Safend contacted me this morning.  They will not support XP Embedded at this time, however he also said that XP Embedded support is on their 2012 roadmap.

    It's up to us to try to figure out what the dependencies are until that time.

    Tuesday, May 31, 2011 1:32 PM
  • You said you're using NTFS and FAT32 for the USB drive. Did you include FAT32? Did you try the stick without the software? Please check first the normal communication between the OS and the USB drive itself before trying to get everything to work with the first attempt.

    Many companies say they don't support embedded; this is because of the unknown dependencies. They don't have a basement. Symantec, e.g., provides an SLD, as I saw, for their Embedded AV. And there is (nearly) always a way to get Windows Embedded to work with any software.
    "Mark/Propose As Answer" if you got one.
    Tuesday, May 31, 2011 4:56 PM
  • Indeed, as the product can see the Safend files on the USB media, that shows FAT32 is added, but yes, unencrypted media of the same type and file system can be read by the product.

    Certainly I agree that there would be a way to do it.  The complication is that the AccessSecureData.exe on the encrypted media cannot be opened using tools normally used to trace dependencies.  This is true whether the .exe is analyzed on a target or on the system that secured the media, and I am not admin on the system that secured the media.

    Tuesday, May 31, 2011 5:04 PM
  • Did you try to trace it with procmon? 
    "Mark/Propose As Answer" if you got one.
    Tuesday, May 31, 2011 5:12 PM