Administrator Guide
the device where they were created. The User Roaming key makes files accessible only to the user who created them, on any Shielded Windows (or Mac) device.
Encryption Sweep - An encryption sweep is the process of scanning the folders to be encrypted on a managed endpoint to ensure the contained files are in the proper encryption state. Ordinary file creation and rename operations do not trigger an encryption sweep. It is important to understand when an encryption sweep may happen and what may affect the resulting sweep times, as follows:
• An encryption sweep will occur upon initial receipt of a policy that has encryption enabled. This can occur immediately after activation if your policy has encryption enabled.
• If the Scan Workstation on Logon policy is enabled, folders specified for encryption will be swept on each user logon.
• A sweep can be re-triggered under certain subsequent policy changes. Any policy change related to the definition of the encryption folders, encryption algorithms, or encryption key usage (common versus user) will trigger a sweep. In addition, toggling between encryption enabled and disabled will trigger an encryption sweep.
Malware Protection (Full Scan) - Malware Protection Full Scan scans the following locations for threats:
• The computer memory for installed rootkits.
• Hidden processes, and other behavior that suggests malware is attempting to hide itself.
• The memory of all running processes, all drives and their subfolders on the computer.
Malware Protection (Quick Scan) - Malware Protection Quick Scan scans the following locations for threats:
• The memory of all running processes.
• The files that the Windows Registry references.
• The contents of the Windows folder.
• The contents of the Temp folder.
On-Access Malware Protection - When a user accesses files, folders, and programs, the on-access scanner intercepts the operation and
scans the item.
Preboot Authentication (PBA) - Preboot Authentication serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk, such as the operating system, until the user has confirmed they have the correct credentials.
SED Management - SED Management provides a platform for securely managing self-encrypting drives. Although SEDs provide their own
encryption, they lack a platform to manage their encryption and available policies. SED Management is a central, scalable management
component, which allows you to more effectively protect and manage your data. SED Management ensures that you will be able to
administer your enterprise more quickly and easily.
System Data Encryption (SDE) - SDE is designed to encrypt the operating system and program files. To accomplish this purpose, SDE must be able to open its key while the operating system is booting. Its intent is to prevent alteration or offline attacks on the operating system by an attacker. SDE is not intended for user data. Common and User key encryption are intended for sensitive user data because they require a user password in order to unlock encryption keys. SDE policies do not encrypt the files needed by the operating system to start the boot process. SDE policies do not require preboot authentication or interfere with the Master Boot Record in any way. When the computer boots up, the encrypted files are available before any user logs in (to enable patch management, SMS, backup and recovery tools). Disabling SDE encryption triggers automatic decryption of all SDE encrypted files and directories for the relevant users, regardless of other SDE policies, such as SDE Encryption Rules.
Threat Protection - The Threat Protection product is based on centrally managed policies that protect enterprise computers against security threats. Threat Protection consists of:
• Malware Protection - Checks for viruses, spyware, unwanted programs, and other threats by automatically scanning items when accessed or based on schedules defined in policy.
• Client Firewall - Monitors communication between the computer and resources on the network and the Internet and intercepts potentially malicious communications.
• Web Protection - Blocks unsafe websites and downloads from those websites during online browsing and searching, based on safety ratings and reports for websites.
Trusted Platform Module (TPM) - TPM is a security chip with three major functions: secure storage, measurement, and attestation. The
Encryption client uses TPM for its secure storage function. The TPM can also provide encrypted containers for the software vault.
Dell Data Security Endpoint Security Suite Pro
Glossary
125