Tuesday, October 27, 2009

Full Disk Encryption: Cannot install due to previous installation.

Well I finally got the licensing issues that I was having with Check Point worked out, and I finally got some of that "time" stuff that I hear other people have, so I got back to work on testing and configuring Check Point Full Disk Encryption R72. Sure enough, I didn't get too far into the process before I had some kind of problem, but I was able to figure out the solution and now I'm sharing it with you.

So first off, how did I create the problem? Well I installed the R72 software on my Windows 7 computer and everything loaded properly. After rebooting, I opened the Management Console created a set and installation profile so that I could get started on remote installation. Then I uninstalled the software from my computer and rebooted. The problem showed up when I tried to install the software a second time, this time using the installation profile. The Wizard came up and said that the installation was halted before the software could be installed. Then I looked around and found a log file named after the FQDN of my machine. The log file was located on the server where I was trying to install the software from. I looked in the log file and it told me that I cannot upgrade my machine from Pointsec version 4/5.

Well I know that I didn't have Pointsec for PC version 4 or 5 on my computer ever, so I thought this might be something buggy. The first thing I tried doing was modifying the precheck.txt file that is in the folder with the installation MSI. I changed line five so that it read IgnoreOldInstallation=Yes. I admit, this is not something I would feel comfortable with in production, but I thought I was just doing this to make my computer work. However, another crack at the installation got me the same error. I changed my precheck.txt back to the way it was and started looking for something else.

I thought there must be something in the registry that was not properly removed after I uninstalled Full Disk Encryption. So I searched the Registry for "Check Point" and "CheckPoint" but found nothing. Finally I looked in the tools folder that came with the FDE software and saw a program called CPClean.exe. In a nutshell, you use this program to forcibly remove all of the Pointsec/FDE components that are on your computer. This is suicidal if your disk is encrypted, but mine was not. I ran the program, rebooted and tried the installation again. It was successful this time.

So keep in mind that if you remove Full Disk Encryption from a machine where you might wish to reinstall later, you may have to use CPClean to completely remove components and have a successful 2nd installation.

1 comment:

carl said...

Not so much the components, cpclean actually removes all registry entries - its a script