Wherein PGP 10 has a bug, and a workaround exists
by John on Feb.22, 2010, under Personal
As I write this, I realize that its usefulness to most of you who read my blog regularly is limited, at best. For that, I apologize. If you’re not someone interested in information security (and specifically, the technologies involved therein) you can safely skip this without missing anything you care about reading.
Back in January, PGP Corporation released a much-anticipated update to their PGP Desktop lineup: PGP Desktop 10.0. This update was much anticipated because it finally added support for Mac OS X 10.6 Snow Leopard. The great benefit here is that those who would be so inclined to utilize whole disk encryption on Mac, and choose PGP as their platform of choice, could now upgrade to Snow Leopard and have their drive encrypted.
In testing this new software I discovered a bug, however. When utilizing PGP Desktop 10 for Mac in an environment managed by PGP Universal Server (2.12), I was frequently asked to re-enroll my Mac with the universal server. Until I was able to re-enroll, PGP Desktop was unavailable. Whole Disk Encryption was thankfully NOT affected.
After working fairly closely with PGP support on this issue it was determined to be a bug, and after providing them a wealth of information from our environment they were able to reproduce the issue on their end and provide a list of steps that would reproduce it 100% of the time.
Thankfully, we’ve also been able to determine a successful workaround for this issue.
The underlying cause for this behavior appears to be on-access scanning by antivirus products on the Mac interfering with the PGP plist files in ~/Library/Preferences/.
The workaround that has worked in my testing so far has been to create exclusions in the scanning policy for:
~/Library/Preferences/com.pgp.pgp.plist
~/Library/Preferences/com.pgp.desktop.plist
~/Library/Preferences/com.pgp.admin.plist
~/Library/Preferences/com.pgp.engine.plist
With those four files excluded from on-access antivirus scanning, I have been unable to get PGP Desktop to prompt me for re-enrollment, indicating that this does, in fact, provide a workaround for the issue.
A huge thanks goes to the PGP Support team who worked this issue hard and were a pleasure to work with in finding a resolution to this issue.
(note: I am in no way affiliated with PGP Corporation.)

February 23rd, 2010 on 1:38 pm
Brilliant! Thanks for not only troubleshooting this issue but for posting the results. The re-enrollment has been driving me nuts for more than a week now since I installed PGP. With the four files now excluded from Virex I’ve been able to boot and connect to my corporate network several times without the dreaded popup box.
February 23rd, 2010 on 3:44 pm
Rob,
Glad this fix worked for you as well. I’ve been running into it for several weeks and know how completely and utterly annoying it can be. Thankfully I was able to work with PGP support and QA to find a workaround for it that appears to be working.
Glad I could help!