Pointsec PC 6.3.1 HFA7 Release Notes - Check Point

Pointsec PC 6.3.1 HFA7 Release Notes

Revised: July 1, 2009

The Pointsec PC 6.3.1 HFA7 Release Notes document provides:
• A list of changes included in release 6.3.1 HFA7
• A detailed specification of System Requirements and System Limitations
• A list of problems/issues that have been fixed in this release
• A list of known issues in this release.

Review this information before installing Pointsec PC 6.3.1 HFA7.

Note - Before you begin installation, read the latest available version of the release notes. There may be an updated version of this document and of the other documents you received with your copy of Pointsec PC. You can access the latest version at: http://www.checkpoint.com/support/

In This Document
• About This Document
• About Pointsec PC
• New in Release 6.3.1 HFA7
• Fixed in This Release (6.3.1 HFA7)
• System Requirements
• Tablet PCs That Support Touch-Pen Logon in Preboot
• IMPORTANT - Windows Integrated Logon (WIL)
• Upgrading
• Possible Security Risk When Using SSO with a Remote Desktop Application
• Fragmented Disks
• Modifying the Pointsec for PC.msi Package Not Supported
• About File Systems/Volumes/OS Upgrades
• Software Incompatibilities
• Known Limitations
• Known Issues in this Release
• FYI
• Documentation Feedback

About This Document

This document applies to both the EW version and the MI version of the product.

In this document, the abbreviation N/A means Not Applicable. HFA stands for Hotfix Accumulator.

Copyright © 2009 Check Point Software Technologies Ltd. All rights reserved
Pointsec PC 6.3.1 HFA7 Release Notes. Last Update — July 1, 2009

About Pointsec PC

Pointsec PC is a policy-based, enterprise security software solution. Pointsec PC combines boot protection, preboot authentication and strong encryption to ensure only authorized users are granted access to information stored in desktop and laptop PCs.

New in Release 6.3.1 HFA7

Pointsec PC 6.3.1 HFA7 contains fixes for the issues listed under “Fixed in This Release (6.3.1 HFA7)”, below. Known issues in Pointsec PC 6.3.1 HFA7 are listed under “Known Issues in this Release”.

Manual Upgrade Required for 6.3.1 HFA7

Upgrading to Pointsec for PC 6.3.1 HFA7 must be done manually by deploying and running the msiexec.exe as described under “Performing the Upgrade by Running the Msiexec.exe” on page 163 of the 6.3.1 HFA7 Administrator’s Guide. Upgrade to HFA7 cannot be done from the work folder or from an Upgrade Path.

Fixed in This Release (6.3.1 HFA7)

The following issues have been fixed and verified:

Table 1 Fixed in This Release

ID 455983
Short description: Erratic USB-keyboard response in preboot on Dell Optiplex GX620
Description/Info: On Dell Optiplex GX620 with Bios-version A11, responses to keystrokes were sometimes delayed, or not registered, or the keystroke was repeated many times.

ID 455972
Short description: Token issues on Lenovo X200.
Description/Info: Unable to use USB tokens on Lenovo X200 if USB in BIOS was disabled but Pointsec PC USB support was enabled. The token worked but Windows was not loaded.

ID 455544
Short description: When installing on a Vista machine, a bluescreen (0xED stop error) occurred at the first reboot.
Description/Info: At the first reboot during installation, the machine would bluescreen with a 0xED stop error. The next time the machine booted, the blue screen would not occur.

ID 455235
Short description: The Registry value of CompatibleGinas is case sensitive, which caused SSO to fail.
Description/Info: Because the Registry value, CompatibleGinas, and the GinaPath must match exactly (even in regards to upper and lowercase), SSO would fail if the user cut and pasted from Explorer to the registry and there was a mismatch.

ID 455096
Short description: Handling of Windows Restore Points when Pointsec PC was upgraded.
Description/Info: Windows (Vista / XP / 2000) were left as is after an upgrade. Now, when an upgrade is completed successfully, all restore points are deleted.

ID 455074
Short description: Restore points created prior to Pointsec PC installation could be used.
Description/Info: Using Windows Vista Business (with and without SP1) and Pointsec PC 6.3.1 HFA5, restore points created prior to the Pointsec PC installation could be used.


ID 454816
Short description: Authentication required when Windows password changed.
Description/Info: If a group policy forced a user to change password and password synchronization was enabled, the user would be required to enter the "old" Pointsec PC password.

ID 454723
Short description: One-time logon Remote Help error.
Description/Info: When a user account was locked because of too many failed logons and a one-time logon was performed, a ‘User account locked’ window appeared. But the user account would be logged onto Windows after clicking OK on the ‘User account locked’ window and then canceling the Remote Help window.

ID 454423
Short description: Multiple certificates on token.
Description/Info: If tokens were initialized and more than one certificate per token was added with "Aladdin eToken PKI Client 4.55.22", logon to Pointsec preboot malfunctions. This problem did not exist in the earlier Aladdin middleware, the "Aladdin eToken Run Time Environment 3.65.26".

ID 454282
Short description: When working on remote profiles, a user account that had been removed was still visible in the management console.
Description/Info: After editing a remote profile and removing a user account from a Group -> User Accounts, the user account was still visible in the folder which contained all users in the group.

ID 454177
Short description: Logon screen in preboot unreadable.
Description/Info: When using Pointsec 6.2.0/6.3.1 HFA3 on an HP Compaq dc7700 Small Form Factor with a Matrox P65-MDDAP64F (dual head graphic card), the preboot logon screen was unreadable. It could be read after turning off ‘high graphic’, but its performance was slow. When using the internal card (Intel), the preboot logon display and performance was normal.

ID 453993
Short description: An unhandled exception occurred in the PCMC.
Description/Info: An unhandled exception occurred when changing the values for "Set Max Failed Logons" in the PCMC.

ID 452162
Short description: Messages in "New settings added and certain settings reset" will be garbled and symbolized.
Description/Info: After upgrading Pointsec PC (e.g. 6.1.3 to 6.3.1) and opening the management console, a "New settings added and certain settings reset" message appears. But the messages in the screen were symbolized and garbled if the operating system was Japanese.

ID 428343
Short description: Limit of the amount of data that can be stored in pcmc.cfg.
Description/Info: When the amount of data that the PCMC was able to read from/write to pcmc.cfg was exceeded, one could not create any new sets without removing old ones. This issue has been resolved.

ID 421616
Short description: Settings in PCMC were not grayed out although they were not editable.
Description/Info: Settings in PCMC were not grayed out although they are not editable. The main folders are grayed out, but if you opened one there are three folders that are not grayed out: authentication settings, logon, and Password Sync. The rest are grayed out.

ID 420302
Short description: Update Profile based on the local could not be imported (Japanese OS).
Description/Info: On a Japanese operating system, an update profile based on the local settings could not be imported when placed in the work folder on the administrator's machine.

ID 399430
Short description: Memory dumps - Not possible to create minidumps successfully.
Description/Info: Windows minidumps would be corrupted when Pointsec PC was installed.


System Requirements

The following sections describe operating system, memory, and disk space requirements and limitations. They also describe other system software that is required.

Operating Systems

Pointsec PC is supported when installed on an x86-compatible computer with:
• Microsoft Windows Vista (32-bit only): Ultimate, Business, or Enterprise.
• Microsoft Windows Vista (32-bit only) SP1: Ultimate, Business, or Enterprise.
• Microsoft Windows XP Tablet PC Edition.
• Microsoft Windows Server 2003 (all variants and SPs) on workstations/PCs only; that is, not on servers.
• Microsoft Windows 2000 Professional SP4 UR1.
• Microsoft Windows XP Professional (SP1, SP2, and SP3. SP3 is recommended).

Pointsec PC is NOT supported when installed on a computer with:
• Microsoft Windows XP Home (all variants and SPs).
• Microsoft Windows Media Center Edition (all variants and SPs).

Pointsec PC is NOT supported on Apple Macintosh computers.

Other Systems Required

Microsoft .NET Framework 2.0 or later is required to be able to use the Pointsec PC Management Console (PCMC). If, however, the PCMC will not be used on a machine, it is not required to install .NET on that machine.

Operating System Requirements/Limitations

Stripe/Volume Sets

On Windows 2000/Windows XP, Pointsec PC should not be installed on partitions that are part of stripe or volume sets.

Compressed Root Directory

Pointsec PC cannot be installed if the root directory (or root directories) is/are compressed. The root directory must be decompressed before Pointsec PC is installed. However, subdirectories of the root directory may be compressed.

Windows User Account Requirements for Installation and Uninstallation

In order to install or uninstall Pointsec PC, the user account executing the action (either directly, through "Run As…", or as a service) must be authorized to perform installations; this usually means having Administrator permissions.


Windows User Account Registry Permission Requirements

In order to install, upgrade, change language and import profiles on a Windows 2000 PC, a user account needs the following registry permissions: Query value, Set value, Create subkey, Enumerate subkey, Notify, Create link, and Read control.

In order to remove on a Windows 2000 PC, a user account needs the above registry permissions plus Delete.

Requirements for Dynamic Tokens

Pointsec PC supports any dynamic token that supports the ANSI X.9.9 security standard if the DES algorithm is used together with these tokens.

Memory and Disk Space Requirements

The current memory and disk space requirements are:

Table 2 Component, Memory, and Disk Space

Component | Memory | Disk Space
Windows Vista | 512 MB RAM | 100 MB, of which 2 MB must be contiguous, free space.
Windows XP | 128 MB RAM | 100 MB, of which 2 MB must be contiguous, free space.
Windows 2000 | 64 MB RAM | 100 MB, of which 2 MB must be contiguous, free space.
Windows 2003 Server (Note: Not server hardware) | 128 MB RAM | 100 MB, of which 2 MB must be contiguous, free space.
Windows XP Tablet Edition | 128 MB RAM | 100 MB, of which 2 MB must be contiguous, free space.

Note: The disk encryption process does not require extra space on the hard disk.

Tablet PCs That Support Touch-Pen Logon in Preboot

Pointsec PC 6.2 and all later versions support preboot authentication with touch pens on the following tablet PCs:
• HP TC1100
• HP TC4200
• IBM X41
• Toshiba Portégé M200
• Toshiba Portégé M400
• Motion Computing LS800
• Motion Computing LS1600
• Motion Computing LS1700
• Motion Computing C5
• AMTek Smart Caddie SCA002

IMPORTANT - Windows Integrated Logon (WIL)

When implementing Windows Integrated Logon (WIL), weigh the total cost of ownership (TCO) impact of implementing Pre-Boot Authentication against the need for strong security when accessing the encrypted data at rest. WIL simplifies the user's experience when logging on to encrypted machines at the cost of limiting the strength of the PC's security configuration. Consider using Single Sign-On (SSO) in conjunction with proper Pre-Boot Authentication as an alternative to WIL. Carefully weigh the usage of WIL versus using user-authentication-based Pre-Boot Authentication according to the requirements of implemented enterprise security standards and goals.

Upgrading

You can upgrade to Pointsec PC 6.3.1 from the following Pointsec for PC 4.x and 5.x versions:
• Pointsec for PC 4.1 sr 2.14 or later
• Pointsec for PC 4.2 sr 1.4 or later
• Pointsec for PC 4.3
• Pointsec for PC 5.x.x

For more information about upgrading from these versions, see the Administrator's Guide.

For information about upgrading from Pointsec for PC 6.x.x to 6.3.1, see the chapter in the Administrator's Guide devoted to this topic.

Possible Security Risk When Using SSO with a Remote Desktop Application

Consider the possible security risk when using SSO with a remote desktop application. Normally this is not a problem because only Administrators have permission to connect to a remote computer via the remote desktop application.

Fragmented Disks

2 MB of contiguous disk space is required for Pointsec PC installation. If this amount of contiguous space is not available, the installation will fail. In general, it is considered good practice to avoid fragmented disks to enhance overall performance. It is also considered good practice to defragment disks prior to installing Pointsec PC.

Modifying the Pointsec for PC.msi Package Not Supported

Do not modify the Pointsec for PC.msi package in any way. For instance, do not attempt to modify the Pointsec for PC.msi package by using transforms. Modification of the Pointsec for PC.msi package invalidates the supportability of the product.

About File Systems/Volumes/OS Upgrades

Resizing Partitions and Using Disk Management Features/Utilities

Never use software that alters the workstation's disk partitions when Pointsec PC is installed on the workstation.

If you need to resize a partition, remove Pointsec PC completely first and then resize the partition.


Overlapping Partitions

When moving disks between computers where the computers have different head counts (e.g. H=64 --> H=16), FDISK may produce overlapping partitions. The operating system does not notice this. Pointsec PC will not start encryption if overlapping partitions are found. This problem can sometimes occur on machines with multiple volumes.

System on Volume without Drive Letter

If the system partition is not accessible using a drive letter when Pointsec PC is installed, necessary changes cannot be made, and the installation cannot be completed.

Disk Utilities

Do not use disk utilities to change file systems or resize any volumes on the hard disk if Pointsec PC is installed on the computer; in most scenarios, doing so leads to an unusable system and loss of system data.

OS Upgrades

Do not upgrade from one operating system version to another while Pointsec PC is installed, for example upgrading from Windows 2000 to Windows XP. This may lead to an unusable system. However, you can install hotfix upgrades.

Software Incompatibilities

Remote Help Malfunctions on Slaved Hard Disk Drives

Remote Help's remote password change and one-time logon do not function on slaved hard disk drives.

Anti-virus Software

Pointsec PC is not fully compatible with some anti-virus software. The encryption process performed by Pointsec PC is performed in the background and does not affect computer performance noticeably. However, if anti-virus software runs a disk scan while Pointsec PC is encrypting the disk, performance will be impaired.

BIOS anti-virus feature functionality should be disabled. If active, it will cause the system to hang when reloading from suspend mode.

Pointsec PC and VMware

Pointsec PC does not support VMware in a production environment. VMware is supported only for testing and demonstrations. In addition, note that the use of smart cards and smart card readers together with Pointsec PC is severely restricted in VMware sessions.

Pointsec PC and Windows Vista BitLocker Drive Encryption

Windows Vista BitLocker Drive Encryption cannot be used together with Pointsec PC.


Known Limitations

This section documents known limitations to Pointsec PC.

‘Max Failed Windows Logon Attempts’ Not Supported in Windows Vista

The Max Failed Windows Logon Attempts feature is not supported in Windows Vista.

Unformatted Partitions Will Trigger the Cancellation of the Installation

If the computer on which Pointsec PC is being installed has an unformatted partition, the installation will be cancelled.

Multiple Drivers Can Hinder Upgrade

Having multiple drivers allocated can cause upgrade to fail. Workaround: Reduce the number of drivers to one set of a card and a reader driver before upgrading. More drivers can be allocated after the upgrade is complete.

Smart Card Feature in the Pointsec Preboot Environment

Systems that do not allow the disabling of USB Legacy support in the BIOS may be incompatible with the smart card feature in the Pointsec PC preboot environment.

Windows Vista's ReadyBoost and ReadyDrive Are Not Supported

Pointsec PC does not support the use of Windows Vista's ReadyBoost and ReadyDrive technologies. Support for these technologies will be added to a future Pointsec PC release.

FIPS Compliant Dynamic Tokens Are Not Supported

Pointsec PC does not support dynamic tokens that are formatted to be FIPS compliant.

Token Insertion/Removal Handling Feature

The Pointsec PC Token Insertion/Removal Handling feature is unreliable except when using Aladdin eTokens.

Deployment Software

When Pointsec PC is installed on a client using deployment software such as SMS or Tivoli, the software must be run as LOCAL_SYSTEM and have "Interact with desktop" activated.

If the software is run as a normal user account, the installation will fail.


Alternative Boot Menu

The options displayed in the alternative boot menu depend on what the BIOS of the machine supports and the hardware that is currently installed. Therefore, the fact that an option is listed in the menu does not mean it is supported by Pointsec PC.

SATA USB/CD/DVD Devices Not Supported in Alternative Boot Menu

SATA USB/CD/DVD devices are not supported in the Alternative Boot Menu.

Dual Booting

Pointsec PC does not support dual boot environments.

Japanese Language Pack Does Not Contain All Japanese Characters

The Pointsec PC Japanese language pack does not contain all Japanese characters. This means, for example, that if the computer name contains Japanese characters that are not contained in the Japanese language pack, these characters will be displayed as black boxes.

Multiple Hard Disks

Pointsec PC 6.3.1 supports up to six hard disks, which together can have a maximum total of 12 volumes protected by Pointsec PC.

Recovery and Hibernation

Do not attempt to perform recovery on a hibernated machine.

Hidden Volumes

Pointsec PC cannot be installed on hidden volumes.

Mounted Volumes/Dynamic Disks

Mounted volumes/dynamic disks are not supported.

USB and CD-ROM Limitations

Devices with boot media should be removed while Pointsec Preboot Environment is loading. USB devices, bootable CD-ROMs, and bootable DVD-ROMs are not supported in the system during the Pointsec Preboot Environment and during preboot authentication.

Documentation

Cosmetic errors exist in the documentation: some screen images can be "back-level" and/or do not match the text. Note that the text is correct; it is the screen captures that are back level.


Known Issues in this Release

The following sections document known issues in 6.3.1 HFA7:

Table 3 Known Issue Sections
• Known General Issues in This Release
• Known Hardware-related Issues in This Release

For further information regarding Known Issues from previous Check Point releases, see the 6.3.1 HFA7 Known Limitations Supplement, located at http://www.checkpoint.com/support/technical/documents/index.html

Known General Issues in This Release

The following items are known general issues in this release:

Table 4 Known General Issues in This Release

ID 455575
About: SSO can require input of the password a second time when Password Synchronization is enabled in both directions (preboot -> Windows and Windows -> preboot).
Details: To encounter this problem, follow this scenario:
1. Enable SSO and Password Synchronization both ways (preboot -> Windows and Windows -> preboot).
2. Set a new password in PPBE. (Afterwards you will be automatically logged onto Windows.)
3. Windows will now have the new password you just set.
4. Reboot and log onto PPBE with the new password.
5. It seems like SSO tries to sign into Windows with the old password, which doesn't work and you have to sign in manually.
You will only need to sign in a second time manually and then the chain is corrected and SSO will work normally. This issue occurs only if you configure Password Synchronization in both directions (preboot -> Windows and Windows -> preboot).

ID 454901
About: Not possible to use Japanese characters during a master installation.
Details: If double-byte characters are used in the path specification during a master installation, the characters will not be displayed correctly.


ID 454539
About: Too little free space left on recovery media created on a USB.
Details: The size of the Pointsec PC recovery media is limited to 1.4 MB to be able to fit onto a floppy media. This causes problems when there is a large number of users in the Pointsec PC Database. When creating the recovery media, the following message can be issued:
"Unable to write recovery information to recovery medium"
This message is most likely issued because the Pointsec PC user database does not fit on the 1.4 MB recovery image.
Solution/workaround: To resolve this problem, a Pointsec PC recovery-image language file, Recovery.img, has been compressed to contain only the US English language, thus reducing the amount of space taken by languages and thereby freeing space. The Recovery.img file is located in the folder "US only recovery image" in the Tools folder on the installation media. This file can be used if this issue occurs on a system.
To resolve the problem:
1. Place the Recovery.img file located in the "US only recovery image" folder in the Tools folder, together with the UseRec.exe file located in the Pointsec for PC installation folder.
Note! Make sure that you do not overwrite the original Recovery.img file because you will need this file to create recovery media with full language support.
2. Double click the UseRec.exe application and browse to the recovery file for the machine you need to decrypt.
3. Create your recovery media.

ID 454222
About: Incorrect description of Fixed Password (Kotei Password) in the Japanese version of the Administrator's Guide.
Details: The description of Fixed Password (Kotei Password) in the Japanese version of the Administrator's Guide incorrectly states that a Fixed Password can be of length 6-31 characters. The correct length is: '4-31' characters.

ID 453737
About: MI recovery file is not written when resetting values.
Details: When changing "Uninstall" or "Create recovery media" permissions at the user level, the recovery file is updated by the client. But when resetting the value (by right-clicking and choosing "Reset value") in the MIMC, the update is deployed to the client, the client writes a log entry, and the changes in permissions are implemented on the client, but the recovery file is not updated.

ID 452500
About: Removing a user account via MIMC does not trigger the creation of a new recovery file.
Details: Deleting a user account via MIMC fails to trigger the writing of a new recovery file. The following scenario will produce the problem:
1. Pointsec PC is installed, running, and configured.
2. Add a user account which has uninstall and recovery permissions via MIMC.
3. A new recovery file that includes the new user account is written.
4. Remove the user account via MIMC.
5. A new recovery file is not written.
Workaround: To trigger the creation of a new recovery file, change the password of an existing user account that has uninstall and recovery permissions.


ID 451763
About: Token removal malfunctions when using a SafeNet iKey 2032 USB token.
Details: Token removal function "Lock workstation" fails when using a SafeNet iKey 2032 USB token. Lock workstation works when the token is removed, but when it is reinserted nothing happens and the smart card error dialog displays: "An internal error occurred".
Environment:
Middleware: SafeNet AS470MU20
PC: Lenovo T61p
Partition set: 9 volumes
Algorithm: Blowfish

ID 451753
About: Possible problems if HID drivers are deployed to non-tablet PC EW/MI clients.
Details: If you deploy Pointsec PC to non-tablet EW/MI clients, and the deployment contains HID drivers, the clients might not be able to boot into PPBE.
Workaround: Disable the HID drivers in the double-shift menu on the non-tablet PC EW/MI clients that have experienced the problem.

ID 451750
About: Password synchronization fails when a UNC username is used in Windows Vista.
Details: If you log on to Windows Vista using a UNC username, for example "maer@pmt-test.pointsec.com", password synchronization will not function.
Workaround: Log in as, for example, "maer\pmt-test.pointsec.com" and password synchronization will function correctly.

ID 451653
About: 2048 bit certificates fail in PPBE when using an ActivKey Display token.
Details: A 2048 bit certificate will fail on the ActivIdentity Activkey Display token. The token supports 2048 bit certificates, and you can install the certificate on the token; but when authenticating in preboot the message "Invalid logon - The token or reader driver entered an unexpected error condition" is displayed. With a 1024 bit certificate, the ActivIdentity Activkey Display token works without problems.

ID 451535
About: Event ID 1002 was not logged in the central log.
Details: When an update profile is successfully deployed to a PC, event ID 1002 'Configuration update by profile' is logged in the local event database. However, it was not logged on the central log.

ID 451435
About: Pointsec PC-to-Windows password synchronization and Novell single sign-on (SSO) do not work together.
Details: The scenario that produces the problem is:
1. Install Novell Client 4.91 SP3.
2. Install Pointsec PC.
3. Enable "Synchronize Preboot Password to Windows" and "Enable SSO" on a user account.
4. Make sure to initially have the same password in Windows, Novell and Pointsec PC.
5. Establish the SSO chain between Pointsec PC and Novell.
6. Change the Pointsec PC password in preboot. During logon to Novell/Windows you get the message that the Windows password has been synchronized with Pointsec PC.
7. Reboot and log on with the new password in preboot. During logon to Novell/Windows a message that SSO is enabled pops up (this is ok) but authentication halts on the Windows credentials (since it has been synchronized). Enter the new Windows password and you will log on but SSO will not re-establish. Reboot and re-enter the new Windows password several times but the SSO chain will still be down.
Note: The other password synchronization feature "Synchronize Windows to Preboot Password" works with SSO.


ID: 433899
About: Important to understand how Group Authority Level (GAL) settings function before deploying it and before changing existing settings in a live environment.
Details: After deployment of GAL, the authority levels have been set for users and groups on the system and any changes to this structure must be well planned before being executed.
It is important to understand the consequences of lowering the group authority levels for certain groups such as administrators and system administrators. If this feature is not fully understood, there is a risk that an administrator with full authority creates a new group of administrators with a lower level than he/she has and then gives the new group a higher authority level than he/she has and/or lowers his/her own GAL at the same time. We want to stress the importance of understanding the correct usage of the GAL feature and its benefits/risks before it is deployed and updated in a live environment.

ID: 433879
About: Creation of recovery media via a set fails in the management console.
Details: Using Windows 2000 SP3 and after opening the PCMC, choose Remote --> Set --> Recovery and double click on one of the recovery files. Then authenticate with a user account that has the permissions required to create a recovery media. After authentication you will be notified that you have successfully unlocked the first step. But when you click OK to authenticate in the second step, the utility aborts and the recovery media cannot be created.
Workaround: Creating the recovery through the Start menu works; do that until this issue has been resolved.

ID: 429292
About: Hibernating a computer during encryption causes a bluescreen.
Details: A bluescreen (stop error) occurs when a computer is hibernated during the encryption after installing Pointsec PC on Vista SP1.
Workaround: do not initiate hibernation until the encryption is complete.

ID: 417558
About: Exceeding Max failed logon in Windows Integrated Logon triggered Error 0x5000000.
Details: Exceeding Max failed logon in Windows Integrated Logon triggered Pointsec PC error 0x5000000 followed by a bluescreen.

ID: 416560
About: Possible to record credentials for an SSO user in Windows logon screen via Radmin.
Details: It is possible to record the credentials for an SSO user in Windows logon screen via Radmin. The credentials are recorded in the SSO chain after logging on with an SSO, connecting via Radmin, and rebooting.

ID: 400016
About: A memory error delays booting of Pointsec PC immediately after installation on a Dell D830 laptop with Flash Cache active.
Details: If Pointsec EW/MI is installed on a Dell D830 that uses a Flash Cache module, a memory error occurs on the first reboot after installing. If the PC is turned off after the error message is displayed and then is started again, the PPBE code is written, and Pointsec PC is installed successfully.
This occurs on Dell D830s with the flash cache module enabled in BIOS.

ID: 399936
About: Recovery file not written after resetting the value of the 'Logon authorized' setting.
Details: After setting 'Logon Authorized' to 'No' for a user account, a new recovery file is written. But if you then change this setting by right clicking and selecting 'Reset value' so that you once again inherit the value (in this case YES) from the group, a new recovery file is not written. If, however, you set the value to YES you will get a new recovery file. Resetting the value does not seem to trigger the writing of a new recovery file even though the value has changed from 'No' to 'Yes'.


ID: 399894
About: Sanity check warning is issued when it should not be issued.
Details: The sanity check which appears when closing PCMC warns that fewer than two user accounts have permission to perform uninstall in the following scenario:
1. For the System group, specify the settings "Uninstall" and "Create recovery media" to: No.
2. On two user accounts in the System group, set "Uninstall" and "Create recovery media" to: Yes.
3. According to the new inheritance rules, the user account settings should override the group settings.
4. Close PCMC, and a Sanity check will be displayed warning that fewer than two user accounts have permission to perform uninstall.

ID: 399878
About: Cannot install Pointsec PC on some Windows 2000 clients if Pointsec PC has previously been installed.
Details: Sometimes it is not possible to install Pointsec PC 6.3.1 on a Windows 2000 client which previously had Pointsec PC 6.3.1 installed and subsequently successfully decrypted and removed. This problem only occurs if the client had been upgraded first from version 5.2.3 to 6.3.0 and then to 6.3.1.

ID: 399872
About: Recovery file not written to recovery paths added after the installation.
Details: If you add new additional recovery paths after installation, new recovery files should be written to the directories addressed by the new paths. Three new paths were added after installation but recovery files were not written to the paths. Neither logging on to Windows several times nor running crerec.exe manually resolved the problem. The recovery file was written only after changing a value that triggers a recovery file update.

ID: 399820
About: Exception occurs when upgrading from the Pointsec PC 6x series if a USB memory stick is inserted on Dell Inspiron 9400.
Details: The scenario that produces the error is:
1. Upgrade from Pointsec PC 6.2HF2 to 6.3.1 on a Dell Inspiron 9400 with Vista installed.
2. Insert a USB memory stick (in this case, a SanDisk Cruzer).
3. Reboot.
4. An exception occurs (green screen) prior to display of the PPBE.
5. Press a key and the PPBE is displayed and normal operation proceeds. Thus the green screen occurs only once.
The problem also occurs when trying to upgrade from 6.1.1 to 6.3.1 on the same type of PC but with Windows 2K as the OS.
The green screen occurs only once. When the USB memory stick is removed and you boot the machine, a black screen is displayed. This can be fixed by rebooting and disabling USB legacy in the BIOS.

ID: 399732
About: Error message in Remote Help session in PCMC.
Details: When providing Remote Help from PCMC and navigating with the keyboard and Tab key (the mouse is not used), you get an error message with code 1280.
The scenario that produces the error is:
1. Open the PCMC.
2. Go to Remote Help.
3. Enter the End user account name and Helper account name.
4. Select Dynamic token in the Type of helper authentication field.
5. Use the keyboard and tab to generate the response.
6. Press Enter.
7. Error with code 1280 is displayed.


ID: 399654
About: The Windows Integrated Logon (WIL) setting on the client is overridden by any manual update from the MI Framework.
Details: If Windows Integrated Logon (WIL) is enabled on an MI client, and then WIL is temporarily disabled using the tray, WIL is re-enabled by any manual update sent from the MI Framework to the client.
Note: If you want to use WIL, ensure that the WIL setting in the MIMC is enabled. It is not enough to enable WIL for an end user using only the WIL switch in the PPBE.

ID: 399600
About: The keyboard and mouse do not both work in PPBE if "Mouse support" is enabled in PABM on HP DX2000MT.
Details: If "Mouse support" is enabled in the PABM on an HP DX2000MT, either the USB/PS2 keyboard or the USB mouse works, but not both, in PPBE. If you disable "Mouse support", the keyboard works. If "Mouse support" is enabled and BIOS "USB legacy support" is disabled, both the mouse and the keyboard work in PPBE.

ID: 399560
About: The Wake-on-LAN (WOL) setting "Set Max Number of Logons Allowed" is not updated in the MI Framework.
Details: After a Wake-on-LAN (WOL) logon, the number of remaining allowed WOL logons is not reported to the MI Framework. The next time an update is sent to the MI client, the number of logons allowed on the client will be erroneously reset to the original number of allowed WOL logons.

ID: 399120
About: Hibernation start fails when using 3DES.
Details: The scenario that produces the error is:
1. Install Pointsec and encrypt the system volume using the 3DES algorithm.
2. Once encryption has finished, hibernate the PC.
3. Start the PC, and log on to PPBE.
Note that it says "Starting Windows" instead of "Resuming Windows" as it should. Apparently the PC can be hibernated, but it cannot be restored afterwards. Unsaved documents etc. at the time of hibernation are lost.
Hibernation using the CAST algorithm on XP SP2 and using the AES algorithm on 2000 UR1 works fine.
Environment:
OS: 2000 UR1
FS: FAT32/NTFS
HDD/Vol: 1/3 (First hidden)
Algo: 3DES
PC: Dell D830 and Dell D600.

ID: 399058
About: After upgrading, the CreRec.exe fails upon start of the tray application.
Details: The scenario that produces the problem is:
1. Install Pointsec for PC 6.0.0.
2. Upgrade to Pointsec PC 6.2 HFA1.
A few seconds after the first start of the Pointsec tray application after the upgrade, CreRec.exe fails with the following message: "CreRec.exe has generated errors and will be closed by Windows...". After a minute or two, the error message disappears. The error can be reproduced by logging off and on again.
If CreRec is run manually, the error message isn't displayed any more.


ID: 397785
About: Token removal handling does not function with all tested smart cards and smart card readers.
Details: Tested different settings of the token removal feature on three different PCs using two different sets of smart cards/readers. Only the token removal setting "Do nothing" worked. It seemed to work only the first time because only the first attempt was added to the logs.
This feature has been tested earlier on Windows 2003 Server and Windows Vista with Aladdin eToken middleware, and it was reported that it worked.
Environment info:
PC1: Dell D370
PC2: IBM T60
PC3: Dell D620
OS: Windows XP SP2 on all PCs
Middleware 1: RSA authenticator 1.0B25
Middleware 2: AuthentIC 3.6.2
Smart card 1: RSA 5200
Smart card 2: Oberthur Cosmo 64 RSA v5.3

ID: 397774 (9958)
About: Clearing System Settings when creating a profile based on another profile or on local settings creates an installation that fails.
Details: Create a profile (e.g. upgrade) and base it on an Upgrade profile and clear the System Settings check box when creating it. All System settings are blank in the new profile.
When using this profile, Pointsec upgrades; but the installation crashes when a user tries to use any of the System Settings.
Workaround: When making an upgrade profile, make sure to include all settings if it's based on another profile or on the local installation's settings. Do not clear any of the 'Base on' check boxes.

ID: 397727
About: Impossible to create recovery media on an MI server.
Details: Description:
Administrators cannot use the UseRec.exe application directly on the MI server to create recovery floppy disks, etc.
Two problems:
1. In the directory: 1_Pointsec for PC\Tools\Reco_img\6.3.0, ccore32.bin is missing. This makes it impossible to run the UseRec tool directly from, for instance, a Pointsec installation CD.
2. The Visual Studio 2005 runtime files are not installed with the Pointsec PC 6 module. They need to be added as merge modules in the installer in order to run UseRec.exe.
This means that the admin has to use a deployed client to create recovery media for other clients.


ID: 395374
About: Novell SSO needs 3 reboots to re-establish the SSO chain.
Details: If the SSO chain between Pointsec and the Novell Client is established and password synchronization is performed, it will take 3 reboots to re-establish SSO.
The scenario that produces the problem is:
1. Establish the SSO chain between P4PC and Novell Client.
2. Activate password sync. with Windows.
3. Change password in Novell/Windows.
4. Reboot and SSO chain will be broken. It will take two additional reboots before SSO is established again.
Note that performing the same scenario with Windows GINA instead of Novell GINA requires only 2 reboots.
Environment info:
P4PC version: 6.1.3 build 1108
PC: HP T3350
USB controller: OHCI
OS: XP SP2
FS: NTFS
MSI: Windows Installer 3.1
.NET: 1.1 & 2.0
Novell Client:

ID: 372217
About: Pointsec PC and Imprivata compatibility issue.
Details: A blue screen is displayed when Windows boots after installing Pointsec PC, Imprivata, and the registry has been modified.

ID: 9975
About: Cannot use "&" in the profile name when creating a profile.
Details: An ampersand (&) cannot be used in a profile name when creating a profile.
Workaround: use only English upper- and lowercase characters and the digits 0-9.

ID: 9958 (397774)
About: Clearing System Settings when creating a profile based on another profile or on local settings creates an installation that fails.
Details: Create a profile (e.g. upgrade) and base it on an Upgrade profile and clear the System Settings check box when creating it. All System settings are blank in the new profile.
When using this profile, Pointsec upgrades; but the installation crashes when a user tries to use any of the System Settings.
Workaround: When making an upgrade profile, make sure to include all settings if it's based on another profile or on the local installation's settings. Do not clear any of the 'Base on' check boxes.

ID: 9935
About: DoD CAC Smart Card user with Token Removal Handling enabled is locked out of Windows after approximately 5 min.
Details: When a smart card user is configured with "Use Pointsec Token Insertion / Removal Handling" enabled, and uses a DoD CAC with ActivCard Gold for DoD CAC middleware, once the system takes the setting, the removal of the smart card takes a short while to lock the system (a few minutes), but then locks the system. If the card is inserted, the system will automatically "lock" (i.e. go to screen saver mode) after a few minutes (about 3-5 minutes), regardless of user activity, so it is not behaving like the screen saver. The screen saver setting is configured for 10 minutes, but changing that value has no effect.


ID: 9872
About: Unable to change installed win language pack
Details: Under Windows XP and Vista, if, for example, you install the Europe1 language pack and then realize that you wanted Europe2, you will not be able to install the Windows part of the Europe2 pack. When running the command shell as an administrator, you run the pscontrol command "install-win-language" and it fails with the error message "Cannot create the file when that file already exist".
Workaround: Remove the existing plang32. file from C:/Program files/Pointsec/Pointsec for PC/ and from C:/Windows/System32/, and run the command again.

ID: 9864
About: Ctrl+Alt+Delete required when logging on in Vista with SSO.
Details: In some circumstances, even though SSO is enabled in Pointsec PC, Vista forces the logged in user to press "Ctrl + Alt + Delete". After pressing "Ctrl + Alt + Delete", the user is automatically logged in.
To eliminate the "Ctrl + Alt + Delete" step, go to the Control Panel -> User Accounts. Click "Manage User Accounts" and click the "Advanced" tab. To eliminate the need to press "Ctrl + Alt + Delete", clear the "Require users to press Ctrl + Alt + Delete" check box.

ID: 9752
About: Issue with RSA smart cards and Pointsec Token Insertion/Removal handling.
Details: The Pointsec Token Insertion/Removal handling does not work with RSA smartcards. The problem is due to incompatibilities with the RSA middleware used to access the RSA smart cards.
Workaround: Utilize similar Token Insertion/Removal handling in RSA middleware.

ID: 9607
About: Upgrade only silent in Vista.
Details: Pointsec PC 6.2 contains an Automatic upgrade function. This function is used to perform an upgrade by distributing an Upgrade package to the "Upgrade path" or the "Work folder". In Windows 2000 and Windows XP, the end user is notified of the progress of the Automatic upgrade and is notified when the upgrade has been finalized. In Vista the upgrade does not display this information.

ID: 9411
About: PME setting "Use SSO with P4PC" issue.
Details: The PME setting "Use SSO with P4PC" works only when Pointsec PC is installed before PME.

ID: 9403
About: PPBE hangs when a docking station is attached to the PC Acer TM 4400.
Details: The PPBE hangs if a docking station is attached to the PC Acer TM 4400 and USB is enabled. If USB is disabled, the PPBE does not hang. However, in this latter case, the keyboard and mouse attached to the docking station do not work.
Workaround: Disable USB support in PPBE via the PCMC setting "Enable USB".

ID: 9137
About: Cannot perform SSO with Entrust smart card user.
Details: Cannot perform SSO with Entrust smart card user.
The reason for this is that an error occurs when an attempt is made to store an Entrust profile required for SSO, on the smart card.

ID: 8980
About: The windows driver (prot_2k.sys) crashes if the system contains only 4.x/5.x volumes.
Details: The Windows driver (prot_2k.sys) crashes if the system contains only 4.x/5.x volumes. This situation may occur if an upgrade is aborted in the PPBE and recovery is not performed on all volumes.
The situation can be fixed by performing recovery on all volumes.

ID: 8965
About: Possible failure of Remote Help with legacy users
Details: A user account with password authentication and the setting Case sensitivity = No or Convert to uppercase in 4.x/5.x = Yes may experience trouble providing Remote Help if he/she has not entered the password in uppercase letters.
Workaround: Request that the person providing Remote Help use capital letters when entering the password in his/her system.


ID: 8811
About: Incorrect message displayed when disabling WIL
Details: When disabling WIL via the tray menu, the message "Access to your user account failed" is displayed. This message is incorrect; the message should request the user to log off.

ID: 8183
About: Proventia Desktop stops the Pointsec PC installation.
Details: The installation of Pointsec PC is stopped if the Proventia Desktop version 8 or 9 is installed.
Workaround:
There are two possible workarounds for this issue:
1. Disable the Proventia Desktop during installation of Pointsec PC.
2. Add prot_ins.sys to Proventia Desktop exclusion list during installation.

ID: 8012
About: No PPBE logon displayed on Dell Inspiron when using an eToken NG Flash
Details: No PPBE logon screen is displayed if an eToken NG Flash USB smart card is used on a Dell Inspiron 9400. After PC boot, the screen goes black and the PPBE screen is displayed.
Workaround: Set the BIOS setting "USB Emulation" under POST behavior to "OFF" to avoid the problem.

ID: 7813
About: A Pointsec for PC upgrade fails if the machine is hibernated.
Details: Hibernation should not be allowed to start during an upgrade, but Pointsec for PC does not inhibit it.
Workaround: Disable hibernation during upgrade.

ID: 7773
About: Unable to read logs after upgrading from Pointsec for PC 6.0.0 to 6.1.3.
Details: If you upgrade directly from Pointsec for PC 6.0.0 to 6.1.3, the system, local, and remote logs will be unreadable.
Workaround: Upgrade from 6.0.0 to 6.0.1 first, then upgrade from 6.0.1 to 6.1.3, and the logs will be readable.

ID: 7510
About: Re-establishing single sign-on after password synchronization requires three reboots when SSO chain is between Pointsec for PC and a Novell Client.
Details: If the single sign-on (SSO) chain between Pointsec for PC and a Novell Client is established and the following password synchronization scenario occurs, it will take three reboots to re-establish SSO.
Here is the scenario:
1. Establish the SSO chain between Pointsec for PC and a Novell Client.
2. Activate password synchronization with Windows.
3. Change the password in Novell/Windows.
4. Reboot and the SSO chain will be broken. It will take two additional reboots before SSO is established again.
The same scenario with Windows GINA instead of Novell GINA requires only two reboots.

ID: 7367
About: Deselected volume disappears from list.
Details: While deselecting volumes one of the volumes suddenly disappeared from the list. The "lost volume" reappears after any key is pressed.

ID: 7261
About: PPBE - Machine stops during the Pointsec for PC load screen -- compatibility issue with Computrace software.
Details: Due to architectural differences between Pointsec for PC and Computrace software, there is a compatibility issue between Pointsec for PC and Computrace software when Computrace is run in software persistence mode.
Workaround: Rewriting the master boot record makes the machine boot normally, for example, fdisk /mbr.

ID: 6934
About: Access to Local and Access to Remote settings
Details: Note that when upgrading from 6.0.0 or 6.0.1 to 6.1, the values of Access to Local setting and Access to Remote setting are, by default, set to "Yes". These settings can of course be set to "No" after installation.
Workaround:
Deploy a profile where you set this permission to NO for your end-users as soon as you have successfully upgraded your clients.


ID: 6905
About: Interoperability problem with PME and recovery media creation
Details: When creating recovery media to a USB memory stick while having PME installed, there may be a problem after the first part of the creation is done.
After unplugging and re-inserting the USB memory as instructed by the program, a blank (all white) PME window will sometimes pop up after you have pressed OK. Both windows (PME and Pointsec recovery media) will stop responding, and you will have to close the applications via the Task Manager.

ID: 6844
About: RRU boots before PPBE when ordering restore from Windows.
Details: When ordering a restore from within the Windows part of RRU, the computer restarts and then boots into RRU before allowing you to authenticate in PPBE. If you reboot from within RRU, you will get to PPBE; and then you will boot into RRU and it will perform the requested restoration.

ID: 5437
About: Difficulties when creating an installation profile based on local settings for smart card users.
Details: You can experience difficulties when creating an installation profile that is based on local settings when you are required to provide new authentication for the profile and you want to use a smart card you have used previously. In this case, Pointsec requires that you re-associate the smart card (plus certificate) and the user; and it may not always be possible to acquire all the certificates needed for all the users.
Workaround:
Rather than trying to re-assign the smart card to the user, assign the user a fixed password and switch to smart card and certificate later. Alternatively, define a temporary smart card user so the user can reassign the certificate him/herself on the next boot of the PC.

ID: 5239
About: Do not remove PCMCIA reader or smart card until authentication is completed in PPBE.
Details: Do not remove the PCMCIA reader or smart card while authenticating. They can be removed when authentication has been completed in PPBE.

ID: 5233
About: Changing the password in Windows temporarily disables single sign-on.
Details: When single sign-on is enabled, if you change your password in Windows, single sign-on will be temporarily disabled. The next time you log on, a message will be displayed saying that Pointsec cannot log on to Windows - please enter your Windows password. After you correctly enter your Windows password, single sign-on will again function.

ID: 5135
About: Problems when opening a recovery file.
Details: Users can encounter problems when attempting to open a file by double clicking it.
Workaround:
Start the recovery program, and open the recovery file there.


ID: 5019
About: Password rules conflict with Unicode support
Details:
* "Allow Special Characters". The current description in the PCMC of this setting is: "Besides a-z, A-Z and 0-9, allow the use of the semicolon and the following other special characters: ! " # $ % & ' ( ) * + , - . / : < = > ? @ { }". As described, the setting would not allow the full range of Unicode characters to be used whether set to "On" or "Off". With regards to actual Pointsec functionality, the following is a more accurate description: "Allow use of the following special characters: ; ! " # $ % & ' ( ) * + , - . / : < = > ? @ { }." If this setting is set to "No", these special characters are not allowed in passwords. However, all other Unicode characters are allowed regardless of the setting.
* "Require upper and lower case". This only makes sense in alphabets that have case forms.
* "Allow password of adjoining characters." This is meant to prevent entering series of characters from adjoining keys on the keyboard. However, only the US keyboard layout is used to detect adjoining characters.

ID: 4679
About: RRUinstall.msi installer installs driver on wrong volume.
Details: The RRUinstall.msi installer installs the driver required by Pointsec for PC to support RRU, on the wrong volume.
Workaround: specify the target drive with the MSI Property TARGETDIR=C:\
For example: msiexec /i InstallRRU.msi TARGETDIR=C:

ID: 4298
About: Difficulties recovering selected volumes when running the Recovery program
Details: If you lose mouse functionality when running the recovery program individual volumes cannot be selected.
Workaround:
Recover all volumes rather than selected volumes.


Known Hardware-Related Issues in This Release

The following are known hardware-related issues in this release:

Table 5: Known Hardware-Related Issues in This Release

ID: 398232
About: No support for hybrid disk
Details: Description:
If 'NV cache' is enabled, the installation will fail.
The Pointsec SA seems to be written on a cache part. So the SA seems to be flushed and the installation fails.
Disabling NV cache, installing Pointsec, and then enabling NV cache randomly produces a corrupt database in preboot.
Environment info:
Znote 6224w
Vista Ultimate
HDD: Samsung HM16HJI ATA Hybrid Hard Disk

ID: 398074 (10259)
About: The combination of an Axalto Cyberflex Access 64K Pegasus v2c smart card and a Schlumberger USB Reflex Version 1. smart card reader fails in preboot.
Details: Preboot authentication using the combination of an Axalto Cyberflex Access 64K Pegasus v2c smart card and a Schlumberger USB Reflex Ver 1. smart card reader fails.

ID: 7909
About: Dell D410 does not always boot into PPBE when connected to a Dell external USB bay.
Details: Connecting a Dell D410 to a Dell external USB bay can prevent the machine from booting into PPBE. If the bay is connected in PPBE, the machine can terminate with a black screen immediately after PPBE logon. Both behaviors are intermittent, and both occurred when a CD-ROM (with no CD) was connected to the bay.

ID: 7891
About: Blinking cursor on the MPC ClientPro 365.
Details: Using a smart card on an MPC ClientPro 365 machine with the following BIOS settings will cause the cursor to blink:
plug and play os = no
legacy usb = disabled
Workaround: Use the factory BIOS settings, which are:
plug and play os = yes
legacy usb = enabled.

ID: 7633
About: PPBE authentication window freezes when both a smart card reader and Iomega USB BXXU0130 floppy disk drive are present.
Details: The PPBE authentication window freezes when both a smart card reader and an Iomega USB BXXU0130 floppy disk drive are attached to the machine. Removing the Iomega USB floppy disk drive will activate the PPBE authentication window again, and you can proceed.
This problem has occurred on the following PCs: Dell Inspiron 9400, Dell Latitude D600, Sony Vaio Z1.

ID: 7532
About: PCMC crashes after logon in the Windows environment with a Setec EID IP2 smart card.
Details: Logon in Windows environment with the Setec EID IP2 smart card will crash the PCMC/tray because of problems with the CSP.

ID: 7464
About: Mouse does not work when creating a recovery file on a USB memory stick on an Acer TM4401.
Details: When creating a recovery file with a USB memory stick on Acer TM4401 the mouse does not work. When the recovery menu is displayed, neither the keyboard nor the mouse works for the first 2-3 minutes. After this delay, it is possible to use keys and to tab but it is not possible to select volumes to recover -- you have to select all volumes.

ID: 7396
About: USB optical mouse malfunction in the PPBE.
Details: The USB mouse does not work in PPBE on the Acer Ferrari 3200. The optical USB mouse has its light on in the BIOS, the operating system, and in the Pointsec alternative boot menu; but not in the PPBE.


ID: 7388
About: Unregistered characters when entering keystrokes with a USB enabled keyboard with built in smart card reader.
Details: If the setting for USB is enabled in PCMC (under Hardware) and a keyboard with a built-in smart card reader is used, the following behavior occurs in the PPBE: when entering the user account name, the first character is not registered or visible. For example, if the user account name is ADMIN you must enter AADMIN for it to be interpreted as ADMIN. Tested on Hewlett Packard T3350 and T3350-2.

ID: 7215
About: Hot plugging of USB devices does not work on the IBM-Lenovo ThinkPad T60.
Details: Hot plugging of USB devices does not work on the IBM-Lenovo ThinkPad T60. You can log on with a USB token if it is plugged in from start.

ID: 7164
About: PCMC logon fails when using a Setec EID IP2 smart card together with a CardMan 4040 reader.
Details: The PCMC crashes when trying to read the certificates stored on smart card "Setec EID IP2". The PPBE does not recognize any certificates stored on smart card "Setec EID IP2" when using smart card reader CardMan 4040 (PCMCIA) together with the following drivers: cm4040.bin and opensc.bin.
Workaround: Copy the certificate to the Windows personal store using smart card middleware.

ID: 6883
About: USB keyboard intermittently malfunctions in PPBE on a Hewlett Packard T3350
Details: The USB keyboard intermittently stops functioning in PPBE on a Hewlett Packard T3350. This happens in the following environment:
- USB mouse was connected and worked flawlessly in PPBE
- USB was enabled in PCMC
- USB legacy support was enabled in BIOS
- Plug n Play OS was disabled in BIOS
Workaround: Unplug the keyboard in PPBE and then plug it in again.

ID: 6854
About: Not possible to log on in PPBE with RSA SID 800 and Ferrari 3200
Details: The following scenario produces the problem:
1. Install Pointsec for PC using an interactive profile with one smart card account. The files msc_p11.bin and prd_ccid were added to precheck.txt.
2. Middleware was installed after installation of Pointsec for PC.
3. After reboot, with the smart card inserted, no pin code dialog box is displayed in the PPBE.
4. Nor is the pin code dialog box displayed when the smart card is inserted after reboot but before logging in to PPBE.
This problem concerns RSA SID 800 and Ferrari 3200.

ID: 6779
About: USB hub Targus PAUH210 does not work with the HP T3350.
Details: The USB hub Targus PAUH210 does not work with the HP T3350 in the PPBE (the Pointsec for PC preboot environment).

ID: 6701
About: HP T3350 hangs before PPBE with USB smart card support enabled
Details: When USB smart card support is enabled, and no PPBE smart card drivers are installed, the HP T3350 desktop PC may hang before the PPBE authentication is displayed.
Workaround: Specify the following BIOS settings:
- "PNP operating system" should be set to YES
- USB legacy support should be set to ON
Note that the above settings are the factory settings.


ID: 6693
About: Recovery fails when using certain USB devices on some machines
Details: The recovery program can fail when creating a recovery medium on certain USB devices. For example, the recovery program failed when using a USB memory stick on an IBM x60s machine, but it ran successfully on the same machine using a USB floppy disk.
Workaround: BIOS upgrade to 2.10 resolves this issue.

ID: 6690
About: Not possible to use USB mouse/keyboard in PPBE when they are connected via USB hub Targus PAUH210 to a Fujitsu Siemens 7020.
Details: On a Fujitsu Siemens 7020, a USB mouse/keyboard will not work in PPBE if they are connected via a Targus PAUH210 hub. USB mice and keyboards did work when connected via other hubs.

ID: 6679
About: Error with recovery using USB media on IBM A51.
Details: When USB media is used to perform recovery on the IBM A51, an error occurs when you boot into the recovery program. The error message is as follows:
Divide error
***Program terminated, rc=03***
This seems to have to do with the startup device menu, where the USB media must come before the HDDs instead of after them.
Workaround: It is possible to perform recovery with USB media if you ensure that the USB device comes before the HDDs in the startup device menu.

ID: 6570
About: Keyboard function lost
Details: Unable to use the keyboard in the preboot customization menu after USB smart card support has been enabled on an ACER TM 4401 notebook. The keyboard does not function in the PPBE either, so you cannot log on. The problem does not occur on each reboot. It appears more frequently when other USB devices are connected or used or both during preboot.

ID: 6553
About: Wrong smart card driver for smart cards with identical ATR string in PPBE.
Details: In the PPBE, smart cards are handled via loadable drivers. The driver that is used for a specific smart card is set up via registry (.inf) files. The registry files may contain one or more smart card entries. Each entry consists of the smart card ATR string and the name of the PPBE driver that will be used for the smart card. Unfortunately, several smart cards may use the same ATR string, and therefore the same ATR string may be present in several entries, which each identify a different driver. When a smart card is detected in the PPBE, the ATR string is extracted. The first driver, according to the registry file, that is available in the PPBE is thereafter loaded and used to handle the smart card.
This means that if several smart card drivers which support the same ATR string are available in the PPBE, the wrong driver may be used. To minimize the probability of this happening, the number of smart card drivers in the PPBE should be minimized.

ID: 6266
About: Error if a SanDisk CompactFlash® PC Card Adapter is present at preboot authentication.
Details: If a SanDisk CompactFlash® PC Card Adapter is present at preboot authentication, a fatal error occurs with error code 0x50010DA during Windows boot. This occurs even if PCMCIA support is disabled in preboot.

ID: 6255
About: RSA SecurID dynamic token not detected on Acer Ferrari 3200, Dell Inspiron 6400, and Dell P670 when inserted in PPBE.
Details: An RSA SecurID dynamic token is not detected on an Acer Ferrari 3200, a Dell Inspiron 6400, and a Dell P670 when inserted in PPBE.
Workaround: Insert the RSA SecurID dynamic token before you turn on the PC.


ID: 6199
About: Pointsec for PC preboot environment does not detect a smart card token, for example, an RSA SecurID 800 authenticator.
Details: On certain machines, Pointsec for PC does not detect the presence of a smart card token and does not display the PIN dialog in the preboot environment. This can happen in the following two scenarios:
Scenario one:
1. The machine is on and the preboot logon dialog is displayed.
2. Insert the smart card token, but no PIN dialog is displayed.
Workaround: With the smart card token still inserted, turn the power off and wait a few seconds. Then turn the power on while the smart card token is still inserted, and the PIN dialog will be displayed.
Scenario two:
Insert the smart card token and turn the machine on. The preboot logon dialog is displayed, but the PIN dialog is not displayed.
Workaround: Remove the smart card token, turn the power off, and wait a few seconds. Turn the machine on again. The Pointsec PC preboot logon dialog is displayed. Insert the token and the PIN dialog will be displayed.

ID: 6035
About: Booting from a USB memory stick fails immediately after authentication on an HP dx5150.
Details: Booting from a USB memory stick recovery medium created by the create recovery program fails on the HP dx5150. The machine hangs after you have entered your user account name and password.
Workaround: Use a floppy disk in a floppy disk drive connected via the USB port.

ID: 5513
About: eTokens do not function on Acer Ferrari 3200 PCs.
Details: eTokens do not function on Acer Ferrari 3200 PCs.

FYI

This section contains information that may be valuable in certain situations.

Table 6: FYI

ID: 397163
Short Description: Errors when copying files to a local copy during the installation of the Pointsec PC 6 module into the MI framework
Description/Info: Errors may occur during installation of the Pointsec PC 6 module into the MI framework when copying files to a local copy. If the error message says "The file name is too long" and "Fails to copy files to specified directory", the problem is due to long paths to the installation package.
If the error occurs, the installation cannot be stopped. You will have to copy the Pointsec PC 6 files manually from the installation package afterwards. The folder containing the Pointsec PC files is called "PPC6 MI Client".
Workaround: Initiate the installation from C:\ or from a CD.


ID: 2291
Short Description: Issue with Windows XP restore points.
Description/Info: Pointsec PC handles Windows XP restore points in the following way:
• Restore points that exist prior to the installation of Pointsec are removed.
• Restore points created after Pointsec has been installed can be used to restore Windows. If Pointsec is uninstalled, these restore points are removed.

Documentation Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:
techpub_swe@checkpoint.com
