Known issues in SecureCloud

    • Updated: 2 Mar 2015
    • Product/Version: SecureCloud as a Service 3.7; SecureCloud On-Premise 3.7
    • Platform: Linux - Red Hat RHEL 5.8 32-bit; Linux - Red Hat RHEL 5.8 64-bit; Linux - SuSE 11; Ubuntu 10.04 32-bit; Ubuntu 10.04 64-bit; Ubuntu 12.04 32-bit; Ubuntu 12.04 64-bit; Windows 2008 Server R2; Windows 2012 Enterprise; Windows 7 32-bit; Windows 7 64-bit
Summary

This article lists the known issues in SecureCloud.

Details

Issue:

SecureCloud Agent service does not start after upgrading to version 3.7.

Workaround:

If the old agent was registered to the SecureCloud server before the upgrade but had not encrypted any device, and the agent service was started, register the agent again after you upgrade to version 3.7.

Issue: Orphan Devices

Scenario 1: In SecureCloud 3.7, you encrypted a device but did not assign it to any image (AWS only).

Scenario 2: In SecureCloud 3.7, you encrypted a device but did not start the Agent service.

Workaround:

Scenario 1: In the Orphan Device page, select the orphan device and attach it to the 3.7 Agent image. Encrypt the device again.

Scenario 2: Upgrade your agent to version 3.7. The orphan device is then converted to a normal device.

Issue:

SecureCloud Agent service does not start after upgrading to version 3.7. The old agent's path is not the default.

Workaround:

When you upgrade the agent, the installer changes the path to the default. Change all the file path/directory links in config.xml to the path for version 3.7:
<files>
   <file path="-----"/>
   <file path="-----"/>
   <file path="-----"/>
</files>

Issue:

The legacy agent's device list for the image still shows deleted devices in the console.

Workaround:

If a volume is removed from the image or from device.conf (the device list file for the provisioning tool), the change is not reflected in the console. You need to request a new key to rebind the image-device relation and update the list.

Issue:

While using the Legacy Provision Tool, you receive the error message "Skipping device, state is not encrypted".

Workaround:

The error occurs because you entered an incorrect device ID. To resolve the issue, re-run the Provision Tool with the correct ID.

Issue:

Legacy agent provisioning tool does not run successfully.

Workaround:

If a parameter is missing while using the Provision Tool, you can no longer run the tool successfully. To resolve the issue, re-register the agent to the SecureCloud server using the config tool. Enter "Yes" to all yes or no questions, and then run the Provision Tool again.

Issue:

The Legacy Provision Tool shows the error "Invalid passphrase, please re-enter again".

Workaround:

Stop the Provision Tool and re-run it with the correct passphrase.

Issue:

When running the Provision Tool, you receive the error "ImportError: No module named expat; use SimpleXMLTreeBuilder instead".

Workaround:

Install the expat module.

Issue:

An AWS EC2 instance with boot volume encryption does not start and has a "409 conflict" error.

Workaround:

If an AWS EC2 instance with boot volume encryption is not stopped cleanly and is started within 17 minutes of the unscheduled stop, the mini-OS key request is blocked by the "409 conflict" error.

Wait until 17 minutes have passed after the instance initially stopped before starting the instance again.

Issue:

When you install the SecureCloud agent on Ubuntu 12.04 or a higher version, dmesg shows a kernel debug message.

Workaround:

This will not affect you. You can ignore the message.

Issue:

You cannot encrypt the boot volume on an AWS Linux instance.

Workaround:

If an AWS Linux instance is already running and does not have the IAM role attached, the instance does not allow you to enable boot volume encryption.

Create an image of the running instance and launch a new instance from that image. Before starting the new instance, attach the IAM role to it.

Issue:

Encryption progress always shows 0% in "dmesg".

Workaround:

Reboot the instance so that encryption continues.

Issue:

If the boot volume is encrypted, a GRUB upgrade or reinstallation may modify the encrypted boot volume's master boot record (MBR) and cause a system failure.

Workaround:

There is no workaround at this time.

Issue:

In certain circumstances, Windows computers with SecureCloud Agents are unable to start when joining the domain after boot volume encryption. This issue occurs when the SecureCloud Agent connects to the on-premises SecureCloud server, but the SecureCloud server has an AD self-signed Secure Socket Layer (SSL) certificate. In this case, AD is unable to validate that SSL certificate.

Workaround:

To resolve this issue:

  1. Go to the agent installation path and open config.xml.
  2. Change the value of ignore_ssl_error to:

    ignore_ssl_error=True

  3. Restart the OS.

Issue:

RAID devices are not being detected after being moved.

Workaround:

Encrypted RAID devices cannot be recognized. They are treated as individual, unencrypted devices. There is no workaround for this.

Issue:

A moved device is not recognized as encrypted.

Workaround:

An encrypted device is not recognized if the source VM device or device encryption keys are deleted.

Issue:

A moved device encrypted by a legacy agent is not recognized as encrypted.

Workaround:

Devices encrypted by an agent earlier than SC 3.7 are not recognized and are treated as "not encrypted" devices. You have to manually export and import the encryption keys for devices encrypted by an agent earlier than SC 3.7.

Issue:

After a device is moved or cloned, if the previously used mount point of the newly-added device is identical to the mount point of an existing volume on the new host, one of those devices has no mount point.

Workaround:

Manually assign a mount point to the device.

The SecureCloud agent leaves the first partition only, up to a maximum of 2TB.

Issue:

There is no DSM status when the DSA agent is installed on an encrypted disk.

Workaround:

Grant the device key, then trigger an on-demand ICM to validate whether the host complies with the policy.

Issue:

While querying the DSM server API, the scheduled scan of the Antimalware module is "on", so policy evaluation is successful even if the Antimalware state is set to real-time or manual scan.

Workaround:

There is no workaround at this time.

Issue:

You cannot unmount the Windows device after an agent shuts down.

Workaround:

This issue happens because of a Windows daemon (mount/un-mount process). To resolve the issue, you need to reboot Windows or re-open the wizard before provisioning the disk to get the newest status from Windows.

Issue:

The device status in the console is not synchronized.

Workaround:

If you use scprov/wizard and set up the mount point using auto-detect, the SecureCloud console may deliver a duplicate value. Use one tool to configure, and wait until the mount point/file system has been uploaded to the SecureCloud console before you trigger the other one.

Issue:

You cannot assign mount points E, F, G, H in order by hard disk number.

Workaround:

Mount points continue to be assigned to random hard disk numbers. Use the scprov config file to assign the mount point (MP) manually.

Issue:

The disk Mount Point/File System shown in the wizard is not the same value shown in Windows disk manager.

Workaround:

This issue happens because of a Windows daemon (mount/un-mount process). To resolve the issue, you need to reboot Windows.

Issue:

There is a long wait to upload the inventory automatically in the console.

Workaround:

The agent service reports disk status every 15 minutes. The agent uploads the disk status if there is a change (Mount Point/File System) at the OS level.

Issue:

Unable to upload the inventory because of the error "Not enough available drive letter for raw disk".

Workaround:

Windows only supports mount points A-Z. If there are more raw disks than available mount points, auto-assigned MP does not work in scprov. To resolve the issue, reduce the number of disks or use the configuration file to manually assign mount points.

Issue:

After the key is destroyed, an encrypted disk cannot be formatted and mounted by the OS.

Workaround:

The issue happens because the disk is already located by the DA driver. To resolve the issue, do any of the following:

  • Option 1: Use low-level format to zero out the disk after the agent stops.
  • Option 2: Re-provision the disk (format-erasing or in-place).

Issue:

When using format-erasing encryption, the disk has extra unallocated space.

Workaround:

There is no workaround at this time.

Issue:

During do-release-upgrade and dist-upgrade, the system may upgrade some packages, causing it to not work properly. If the boot volume is encrypted, it may fail to boot into the main OS.

Workaround:

Disable do-release-upgrade and prevent apt-get from installing the kernel packages.

Issue:

If the boot volume is encrypted, upgrading GRUB-related packages may cause the agent not to boot up.

Workaround:

The SC agent adjusts the boot volume MBR if the boot is encrypted. GRUB upgrade may modify the MBR so that the SC agent will be patched. Create a snapshot or backup before the kernel upgrade and exclude the GRUB packages during the upgrade.
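
One way to apply the two workarounds above (blocking do-release-upgrade, and keeping kernel and GRUB packages out of apt-get upgrades), as an added example that is not Trend Micro's own procedure. The package-name patterns, function names and sample package list are assumptions; /etc/update-manager/release-upgrades is the standard Ubuntu location of the Prompt setting.

```shell
#!/bin/sh
# Added example, not vendor code. The package-name patterns are assumptions.

# Read package names on stdin and print "<name> hold" lines, the input
# format of `dpkg --set-selections`, for kernel and GRUB packages only.
hold_selections() {
    grep -E '^(linux-(image|headers|generic|server|virtual)|grub)' |
        LC_ALL=C sort -u | sed 's/$/ hold/'
}

# Set Prompt=never in a release-upgrades file so that release upgrades
# are no longer offered. Adds the key (and section) if they are missing.
disable_release_upgrade() {
    conf=$1
    if grep -q '^Prompt=' "$conf" 2>/dev/null; then
        tmp=$(mktemp)
        sed 's/^Prompt=.*/Prompt=never/' "$conf" > "$tmp"
        cat "$tmp" > "$conf"   # rewrite in place: keeps owner and mode
        rm -f "$tmp"
    else
        grep -q '^\[DEFAULT\]' "$conf" 2>/dev/null || printf '[DEFAULT]\n' >> "$conf"
        printf 'Prompt=never\n' >> "$conf"
    fi
}

# Constructed sample of `dpkg-query -W -f='${Package}\n'` output.
sample_packages() {
    printf '%s\n' bash grub-common grub-pc linux-headers-3.2.0-23 \
        linux-image-3.2.0-23-generic linux-image-generic openssl
}

# On a real host, run as root with --apply; otherwise preview the sample.
if [ "${1:-}" = "--apply" ]; then
    dpkg-query -W -f='${Package}\n' | hold_selections | dpkg --set-selections
    disable_release_upgrade /etc/update-manager/release-upgrades
else
    sample_packages | hold_selections
fi
```

Held packages also stop receiving security updates, so release a hold (the same `dpkg --set-selections` input with `install` in place of `hold`) once a snapshot or backup exists and the upgrade is planned.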

Issue:

The image does not boot with the encrypted boot volume.

Workaround:

If the kernel and the SecureCloud agent are both upgraded before a reboot, both upgrades can be done successfully. During the reboot, only the agent upgrade process is executed. The agent does not re-build the MA module based on the new kernel. The boot volume still uses the old kernel even if the new MA module is created after a second reboot.

After you upgrade the kernel, make sure to reboot first before you upgrade the SecureCloud agent.

Issue:

After the kernel is upgraded from 3.2.0 or 3.5.0 to 3.8.0 in Ubuntu, the encryption module does not function.

Workaround:

In kernel 3.8.0, the SC agent uses the new Ubuntu 13 build. Upgrade the SecureCloud agent to the Ubuntu 13 build, then perform the kernel upgrade to 3.8.0.

Issue:

Unexpected shutdown before reboot

Workaround:

The SecureCloud encryption module re-build is triggered during the system reboot process. If the VM is shut down unexpectedly before the reboot, the re-build process is not triggered. The system boots with the old MA encryption module and may not work properly.

Boot into the old kernel and reboot the system. The SC agent builds for all existing kernel versions, whether or not they are currently in use. After the kernels are built successfully, you can boot into the new, upgraded kernel.

Workaround:

There is no workaround at this time.

Issue:

The SecureCloud Agent is unable to provision or mount an NFS device.

Workaround:

There is no workaround at this time.

Issue:

The SecureCloud Agent is unable to stop services if users implement a teardown user script without specifying a valid return code.

Workaround:

When using a teardown user script, verify that you specified a return code.

Issue:

Device synchronization performance may be affected if you detach an encrypted device and attach a new unencrypted device to the same location.

Workaround:

If the cache times out during this process, perform device synchronization again.

To resolve the issue, manually reconstruct device.xml:

  1. Stop the SecureCloud Agent service.
  2. Terminate the configuration tool or encryption wizard process.
  3. Go to the agent installation path and open config.xml
  4. Locate and remove the incorrect device element:
  5. Start the configuration tool or encryption wizard and try again.

Issue:

The selfprov.py tool only recognizes encrypted devices on legacy agents for Amazon EC2 cloud environments.

Workaround:

There is no workaround at this time.

Issue:

SecureCloud does not support multiple partitioned dynamic disks in Windows boot volumes.

Workaround:

Avoid using multiple partitioned dynamic disks with SecureCloud.

Issue:

When running the encryption wizard to configure the SecureCloud Agent on a Windows system, the protocol header is required for proxy settings.

Workaround:

If you are using proxy settings, go to the Global Settings tab and verify that you are using the protocol header, such as "http://".

Issue:

The SecureCloud Agent does not report devices that are marked “active” and does not report boot devices of another system. Because of this, the SecureCloud Agent is unable to encrypt boot devices of other systems and general devices that are marked “active”.

Workaround:

If you intend to encrypt a general device, verify that the device is not marked “active”. If you intend to encrypt a boot device, encrypt the device on its own system.

Issue:

When accessing the web console on Google Chrome, you see an incorrect set of rules on the Edit Policy page and cannot modify policies. This occurs on Google Chrome 31.0.1650.57.

Workaround:

Update Chrome to the latest version. You can also use Firefox or Internet Explorer to modify policies in the web console.

Issue:

Only supports 1 partition in a raw disk.

Workaround:

SecureCloud agent leaves the first partition only up to a maximum of 2TB.

Issue:

After you enable boot volume encryption, the device encryption progress stays at 0% due to a pre-boot network detection failure.

Workaround:

This occurs when the agent VM uses a static IP in the same subnet as the On-Premise KMS server.

To resolve this issue:

  • Separate the agent VM and the OP KMS server into different networks (for example, communication between the agent and OP KMS must go through a gateway).
  • When the agent and the OP KMS server are in the same network, do not use a static IP in the agent VM.
Category: Configure; Troubleshoot; Install; Upgrade
Solution Id: 1099887