How To Decrypt Symantec Endpoint Encryption?


Symantec Endpoint Encryption protects users' sensitive information by encrypting all the files on the hard drive. It stores the decryption keys on a dedicated USB drive called a "key drive."

Symantec Endpoint Encryption keeps the decryption keys stored in memory after reboots. Speaking from personal experience, using Volatility's mimikatz plugin I extracted the decryption keys from memory on Kali Linux and decrypted all volumes attached to my test system. Alternatively, you can simply power off the machine before it finishes booting to prevent the decryption of your drives.

This is a poor design decision by Symantec, as it exposes customers to an unnecessary risk of data exposure even when their master password is strong. It also makes using FileVault look more secure than it is.

The Perk of Decrypting Symantec Endpoint Encryption

Even with a strong master password on your endpoint encryption, it will decrypt all of your files if the key drive is plugged in at bootup. Even if you power off or eject the key drive before it finishes booting, the decryption keys remain stored in memory across subsequent restarts.

A restart could occur if the system crashes or is shut down improperly. Symantec does not tell its users about this, so it can be quite a surprise to find your data exposed when you need it protected most.

Note: The key drive must be plugged in at bootup for this to work; otherwise, the files remain encrypted. Also note that Endpoint Encryption cannot decrypt data residing on an unencrypted partition (e.g., C:\). You need some form of "plaintext" on one of your hard drives for this to work.

How to Decrypt Symantec Endpoint Encryption

Follow the instructions below to decrypt Symantec Endpoint Encryption.

Step 1: Manually turn off all Symantec products that protect disk drives.

Step 2: Delete all vssadmin shadow copies from current user accounts.

Step 3: Shut down the computer and wait for all activity to stop.

Step 4: Plug in the key drive and power on the computer.

Step 5: After the key drive mounts, open a command prompt as an Administrator and run:

Step 6: Once the mounted disk drives have finished decrypting, you should be able to access data from all drive letters. Note that this may take several minutes or more depending on how many files need to be decrypted.

Note: In my experience, mounting a volume using autofs seems to cause the decryption process to hang indefinitely. If you're using autofs, either disable it entirely or manually mount each volume after the key drive has been plugged in and before running the step.

If you want to stop the decryption process, unplug the key drive and restart the computer. You should be able to access your files without any problem. To confirm that your files have been properly decrypted, use a hex editor to check for plaintext headers inside previously encrypted Microsoft Office documents (.docx/.xlsx/.pptx). You can also try copying an encrypted file onto an unencrypted partition to confirm that it decrypts properly.
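As an added example (not code from the article), the header check described above as a script: a readable .docx/.xlsx/.pptx is a ZIP container and always starts with the local file header signature "PK\x03\x04", so a file whose leading bytes lack it is still opaque (encrypted, corrupt, or not an Office document). The sample headers are constructed; the directory walk is a hypothetical helper for checking a whole volume.

```python
import os

# Constructed sample input (not from the article): leading bytes as a hex
# editor would show them. OOXML documents are ZIP containers, so a readable
# one begins with the local file header signature "PK\x03\x04".
OOXML_MAGIC = b"PK\x03\x04"
OOXML_SUFFIXES = (".docx", ".xlsx", ".pptx")

SAMPLE_HEADERS = {
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00",  # plaintext
    "budget.xlsx": b"\x9f\x3a\xc2\x77\x10\xe4\x5b\x08\xd1\x2e\x6a\xf0\x3c\x9b",  # opaque
    "empty.pptx": b"",  # zero-length file, cannot be judged either way
}


def classify_header(head: bytes) -> str:
    """'plaintext' if the OOXML ZIP signature is present, 'empty' for a
    zero-length read, otherwise 'opaque' (encrypted, corrupt, or not OOXML)."""
    if not head:
        return "empty"
    return "plaintext" if head.startswith(OOXML_MAGIC) else "opaque"


def classify_samples(samples: dict) -> dict:
    """Classify an in-memory {name: leading bytes} mapping (demo input)."""
    return {name: classify_header(head) for name, head in samples.items()}


def scan_tree(root: str, sample_size: int = 16) -> dict:
    """Hypothetical helper: walk a directory, classify every Office document
    by its first bytes, and return {state: [paths]} for review."""
    summary = {"plaintext": [], "opaque": [], "empty": [], "unreadable": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(OOXML_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                summary["unreadable"].append(path)
                continue
            summary[classify_header(head)].append(path)
    return summary


if __name__ == "__main__":
    for name, state in classify_samples(SAMPLE_HEADERS).items():
        print(f"{name}: {state}")
```

The signature check is the reliable signal here; byte entropy is not, because a deflated ZIP looks just as random as ciphertext.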

Alternative Perks Of Decryption

If you have Endpoint Encryption installed but no key drive plugged in, Symantec keeps the decryption keys stored in memory to decrypt all attached disk drives after a reboot, even if the key drive is later plugged in! This means a second perk of decrypting data with a secondary key is that no active network connection is needed. Simply shut down the computer before it finishes booting and plug in the inactive USB drive after shutdown at any time (even months or years later); it will still work as long as the computer has not been restarted.

Note: Symantec keeps the decryption keys in memory if you have Endpoint Encryption installed with no key drive plugged in, even if the computer is completely powered off! No active network connection is needed, and simply sniffing Wi-Fi traffic will not work.

Step 1: Manually turn off all Symantec products that protect disk drives.

Step 2: Delete all vssadmin shadow copies from current user accounts.

Step 3: Shut down the computer and wait for all activity to stop.

Step 4: Plug in the USB drive before powering on the computer.

Step 5: Power on the computer and plug in the second key drive after booting up (this is the inactive key, so Symantec does not notice it yet).

Step 6: Open a command prompt as an Administrator and run:

Step 7: Once the drives have finished decrypting, you should be able to access data from all drive letters. Note that this may take several minutes or more depending on how many files need to be decrypted.

Step 8: Re-enable all Symantec products that protect disk drives.

Step 9: Reboot the computer and enjoy your newly decrypted data.

Conclusion

Symantec fails to tell the user that Endpoint Encryption will decrypt all of your hard drives if the key drive is plugged in at bootup. Without knowing this vital detail, encrypted data could be exposed to an unauthorized individual with physical access to your computer.
