SafeGuard Enterprise 5.60.0 Release Notes

  • Article ID: 112783
  • Updated: 01 Dec 2014

Known to apply to the following Sophos product(s) and version(s)

SafeGuard Management Center / Local Policy Editor 5.60.0
SafeGuard Enterprise Server 5.60.0
SafeGuard Device Encryption 5.60.0
SafeGuard Data Exchange 5.60.0
SafeGuard Configuration Protection 5.60.0

Requirements

Platforms supported                                    | x86 32-bit | x86 64-bit | IA-64 (Itanium) 64-bit
-------------------------------------------------------|------------|------------|-----------------------
SafeGuard Enterprise - Client (minimum available disk space: 300 MB*; recommended RAM: 1 GB***)
Windows 7, SP1 Enterprise/Ultimate/Professional        | Yes        | Yes        |
Windows Vista SP1, SP2 Enterprise/Ultimate/Business    | Yes        | Yes**      |
Windows XP Professional SP2, SP3                       | Yes        |            |
-------------------------------------------------------|------------|------------|-----------------------
SafeGuard Enterprise - Management Console (minimum available disk space: 1 GB; recommended RAM: 1 GB***)
Windows 7, SP1 Enterprise/Ultimate/Professional        | Yes        | Yes        |
Windows Vista SP1, SP2 Enterprise/Ultimate/Business    | Yes        | Yes        |
Windows XP Professional SP2, SP3                       | Yes        |            |
Windows Server 2008 SP1, SP2                           | Yes        | Yes        |
Windows Server 2008 R2, SP1                            |            | Yes        |
Windows Server 2003 SP1, SP2                           | Yes        | Yes        |
Windows Server 2003 R2 SP1, SP2                        | Yes        | Yes        |
Windows Small Business Server 2003, 2008, 2011         |            |            |
-------------------------------------------------------|------------|------------|-----------------------
SafeGuard Enterprise - Server (minimum available disk space: 1 GB; recommended RAM: 1 GB***)
Windows Server 2008 SP1, SP2                           | Yes        | Yes        |
Windows Server 2008 R2, SP1                            |            | Yes        |
Windows Server 2003 SP1, SP2                           | Yes        | Yes        |
Windows Server 2003 R2 SP1, SP2                        | Yes        | Yes        |
Windows Small Business Server 2003, 2008, 2011         |            |            |

*  The installation needs at least 300 MB of free hard disk space. For Device Encryption, at least 100 MB of this free space must be one contiguous area. If you have less than 5 GB of free hard disk space and your operating system is not freshly installed, please defragment your system before installation to increase the chance that this contiguous area is available. Otherwise, installation may fail due to "not enough free contiguous space" and cannot be supported.

** No Windows Vista (64-bit) support for Configuration Protection module

*** This memory space is recommended for the PC. Not all of this memory is used by SafeGuard Enterprise. 

 

Required Software:

Client:
Internet Explorer Version 6.0 or higher
.NET Framework 2.0 (Configuration Protection only)

Server/Management Console:
.NET Framework 3.0 SP1
Internet Explorer Version 6.0 or higher (version 7 or higher recommended for SafeGuard Web HelpDesk)

 

Resolved Issues

- Fix for potential security vulnerability described in KBA112655

- Policy backups did not contain assigned white lists

- It was impossible to add arbitrary devices to white lists manually

- The SGNRUNTimeClient caused a BSOD on Vista 64-bit under certain circumstances

- The AD synchronization of very large structures sometimes failed and led to a Management Center freeze

- Some special characters in OU (organizational unit) names caused the AD synchronization to fail

- Other resolved issues


Known Issues

SafeGuard Management Center

• There are some GUI layout problems on machines configured for resolutions other than 96 DPI.

• Management Console log events may not be created when calling similar functionality concurrently via the SGN API.

• Clients that have been registered as members of a domain will not be updated properly in the SafeGuard Management Center if they are moved to a Windows Workgroup.

SafeGuard Enterprise Server

• A reboot is required before reinstalling SGN Server
Although there is no explicit message to do so, a reboot is required after uninstalling SGN Server components and before reinstalling them.
DEF49516

• The method “CreateDirectoryConnection” does not run on a SGN Server alone. The machine must also have the SGN Management Console installed for this API.

SafeGuard Enterprise Data Exchange Client

• User elevation for encrypted executables
If an encrypted executable or installation package is started and requires a user elevation in Windows Vista or Windows 7, it may happen that the elevation doesn't take place and the executable is not started.

• SafeGuard Portable Link on Read-Only Media
The link to the SafeGuard Portable application created in the root of a removable medium might not work under certain conditions (on Windows 7 only). When the medium is inserted into a device where its drive letter differs from the one it had when SafeGuard Portable was copied to it, the link does not work if a drive with the original letter is also present on that device. For example: the SafeGuard Portable link was created on a medium in drive D:. The medium is then used on a different machine in drive E:. The link is broken if this machine also has a drive D:; otherwise the link works as expected.

• Access to Key Ring after closing a Remote Session
A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access.

SafeGuard Enterprise Device Encryption Client

• Windows' Safe Mode boot option, graphics driver updates and accessibility from Windows PE may be impaired depending on the installed BIOS version
Current BIOS versions (see detailed information in the KBA mentioned below) have been shown to lead to a black screen when the graphics card is controlled by Windows' own generic graphics driver instead of the dedicated manufacturer's driver and SafeGuard Enterprise is installed. While this is not a common configuration during normal operation of the operating system, there are scenarios where this is the default:

    - When the user has chosen to start Windows in Safe Mode
    - When the machine has been booted into Windows PE from an external medium
    - When the manufacturer's graphics driver is being updated "on the fly" while Windows is running

When the SGN installer detects that the machine's BIOS matches one that is known to be affected,
    - and that the generic Windows graphics driver is in operation, it will automatically abort the installation to avoid an inaccessible machine.
    - and that the graphics card's default driver is in operation, it will issue a warning that the BIOS version should be changed and ask the user whether to proceed with the installation.

Workaround:
Install one of the recommended BIOS versions listed in http://www.sophos.com/support/knowledgebase/article/113426.html.
Sophos is in contact with the BIOS and hardware vendors to solve the BIOS issues. Also, a workaround is currently being researched to circumvent these issues in a future version of SafeGuard Enterprise.
DEF69880 

•  Resume from hibernation fails on some Lenovo machines running Win 7 SP1
Sophos recently identified an issue with Windows 7 Service Pack 1 (32bit & 64bit) on Lenovo machines with Core i3/i5/i7 processor and the corresponding chipset. On these machines resume from hibernation does not work when SafeGuard Enterprise Device Encryption is installed. Machines are not able to resume and stay in a black screen after POA. The issue has been reported with these Lenovo models so far: T510, X201, W701ds.

Machines without Service Pack 1 are not affected.

Machines from other vendors (e.g. Dell, HP) equipped with Intel Core iX processors have not been reported to have issues yet. The issue is not specific to 5.60; it was reported with 5.50.8 as well.
Further information can be found at http://www.sophos.com/support/knowledgebase/article/113546.html.
DEF69434

• Wrong Log Time for POA Autologon entries in the Event Viewer of the Management Center
As long as there has been no initial logon to Windows, the POA tags its events with the timestamp that is available from the BIOS. This timestamp is local to the machine and does not contain any timezone information, which is why the log entries may not appear in the correct chronological order in the Management Center. Once the user has booted into Windows, the POA is updated with the correct timezone settings and subsequent log events appear with the correct Log Time.
DEF69645

• Partition resizing not supported
Resizing any partition on a machine where SafeGuard Enterprise Volume Based Encryption is installed is not supported.

• Local Self Help is silently disabled when user changes password on a different machine
When a SGN user is registered on more than one machine with activated Local Self Help, changing her password on one machine will disable this feature on all machines other than the one where the change was performed. When she logs into one of the other machines, no notification will appear to inform of this change.
Workaround:
Reactivate Local Self Help on all machines. This requires answering the LSH Activation Wizard questions again.
DEF62926

• The SGN installation process must be started in the context of a Windows administrator's logon session. Starting the installation via "Run as administrator" is not supported.

• Installation of the client configuration package
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.

• BitLocker To Go-encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached to a machine during the setup of SGN, the installation will fail because Windows reports the system as being BitLocker-enabled, which is a valid failure condition for the DE client installation. The solution is to remove any BitLocker to Go-encrypted devices before installing SGN DE.

• Boot time
Boot time increases by about one minute after installing the SGN Client software.

• It is recommended to reboot a SGN Client PC at least once after activating the SGN Power-on Authentication. SGN performs a backup of its kernel data on every Windows boot. This backup would never happen if the PC is only hibernated or transferred into stand-by mode.

SafeGuard Configuration Protection Client

• Erroneous version number for Configuration Protection displayed
In SafeGuard Enterprise 5.60, the version number of the Configuration Protection module is erroneously reported as 5.50.8.
DEF65151

• Configuration Protection white lists fail to be exported from Management Center 5.50
When a user exports a policy containing Configuration Protection white lists, these will be missing in the export file.
Workaround: Do not import CP policies that were exported from the SGN 5.50 Management Center.
DEF58890

• Log-Event regarding open registry handle
The Configuration Protection Client (SimonPro.exe) keeps a handle to the registry open (for anti-tampering reasons), which causes a warning log event on Windows Vista.

• USB Keyboards classified as Hardware Key-Logging Device
Certain USB keyboards are considered to be hardware key-logging devices and are thus blocked, making them unavailable to the OS. This issue only arises when the keyboard is unplugged and attached to a different USB port while the system is running. At the time of writing, the following keyboards are known to cause this issue:

- Dell Keyboard RT7D60
- Dell Keyboard SK-3106

• Devices are not blocked after logon.
User policies are enforced by a process that is started in the user session after logon. If the start of this process is delayed by the operating system, the user may be able to access blocked or access-restricted devices during this delay. To avoid this behavior, always apply the restricting policy to both the machine and the user.

• BSOD after Installation of SafeGuard Enterprise Configuration Protection
Microsoft has issued a hotfix for a BSOD issue that may also occur after installing the Configuration Protection package. Please refer to http://support.microsoft.com, article id 906866 for further information.

Encryption

• On some Toshiba OPAL disks, OPAL mode encryption may fail if first partition is not located at the beginning of the disk
The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB in size. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls within the sector range of the inaccessible area, SafeGuard Enterprise will not be able to activate OPAL encryption for such a drive.
This issue has been reported to Toshiba and is expected to be fixed in an upcoming firmware version for these drives.
Workaround: Relocate the start partition to the beginning of the disk.
DEF69429

• OPAL restrictions
As of version 5.60, the SafeGuard Enterprise support for OPAL self-encrypting drives has the following limitations: 
   - OPAL mode encryption can only be activated for one OPAL drive per machine. 
   - If more than one OPAL drive is present, and an encryption policy is assigned to any of its volumes, these will be software encrypted just as on a non-self-encrypting drive. 
     This implies that a RAID configuration with more than one OPAL drive will always be software-encrypted. 
   - If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously. 
   - The first sector of the start partition of the disk must be located within the first 128 MB.
DEF69695
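The 128 MB requirement above can be verified before an encryption policy is assigned. The following is an added example, not code from the Sophos release notes or the SafeGuard product: it parses a classic MBR partition table and reports whether the start partition begins inside the first 128 MB. It assumes 512-byte logical sectors, treats the partition with the lowest start LBA as the start partition, and uses constructed MBR images rather than real disk dumps; all function names are the example's own.

```python
import struct

SECTOR_SIZE = 512                    # assumption: 512-byte logical sectors
SHADOW_MBR_SECTORS = (128 * 1024 * 1024) // SECTOR_SIZE   # 262144 sectors
PART_TABLE_OFFSET = 446              # classic MBR: 4 x 16-byte entries at 446
PART_ENTRY = "<B3xB3xII"             # status, CHS, type, CHS, start LBA, size
GPT_PROTECTIVE_TYPE = 0xEE           # protective MBR entry of a GPT disk


def parse_mbr_partitions(mbr):
    """Return the used primary partition entries of a classic MBR image."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFFSET + i * 16)
        if ptype == 0 or size == 0:
            continue                 # unused slot
        parts.append({"slot": i, "type": ptype, "start_lba": start,
                      "sectors": size, "bootable": status == 0x80})
    return parts


def opal_start_check(mbr):
    """Apply the 128 MB rule: the start partition (lowest start LBA, an
    assumption of this example) must begin inside the shadow MBR area.
    'ok' is None when the rule cannot be evaluated from the MBR alone."""
    parts = parse_mbr_partitions(mbr)
    if any(p["type"] == GPT_PROTECTIVE_TYPE for p in parts):
        return {"ok": None, "reason": "protective MBR: GPT disk, read the GPT"}
    if not parts:
        return {"ok": None, "reason": "no partitions defined"}
    first = min(parts, key=lambda p: p["start_lba"])
    start_mb = first["start_lba"] * SECTOR_SIZE / (1024 * 1024)
    ok = first["start_lba"] < SHADOW_MBR_SECTORS
    reason = "start partition begins at %.1f MB, %s the 128 MB limit" % (
        start_mb, "within" if ok else "outside")
    return {"ok": ok, "start_lba": first["start_lba"], "reason": reason}


def build_mbr(entries):
    """Construct a test MBR image from (type, start_lba, sectors) tuples;
    the first entry is flagged bootable."""
    mbr = bytearray(512)
    for i, (ptype, start, size) in enumerate(entries):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFFSET + i * 16,
                         0x80 if i == 0 else 0x00, ptype, start, size)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample layouts (not real disk dumps): a 1 MiB-aligned layout
# with a 100 MB system partition at LBA 2048, a layout whose first partition
# only starts 200 MB into the disk, and a GPT protective MBR.
GOOD_MBR = build_mbr([(0x07, 2048, 204800), (0x07, 206848, 41734144)])
LATE_MBR = build_mbr([(0x07, 409600, 41529344)])
GPT_MBR = build_mbr([(GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, img in (("aligned", GOOD_MBR), ("late", LATE_MBR),
                      ("gpt", GPT_MBR)):
        print(name, opal_start_check(img))
```

On a live system the 512 bytes would be read from the physical disk device; the check only covers the general 128 MB rule, not the firmware-specific inaccessible range of the Toshiba drives.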

• Do not use Windows' Hybrid Sleep setting on OPAL machines
On computers with an SGN-managed OPAL self-encrypting drive, activating the “Allow hybrid sleep” option in the Advanced Power Options settings may lead to errors during the wake-from-sleep (resume) procedure. This implies the loss of all data that has not been saved to disk before the computer was put to sleep.
DEF70019

• OPAL Self Encrypting Drives become unusable in case of a lost encryption key
According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost.
This means the disk becomes completely unusable, a fact that stands in contrast to a disk that has been encrypted via software, where the data is lost, too, but the hardware can be reused after reformatting.
SafeGuard Enterprise will either automatically store encryption keys in its database as soon as an encryption policy has been applied (for managed clients) or prompt the user to back up the key file (for standalone clients), but in case this data is lost, the described scenario applies.
DEF69207

• OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged
Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the deinstallation of SafeGuard Enterprise, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset a SGN-managed OPAL drive. For security reasons, this tool is not included in the tools folder but available from Sophos' customer service.
DEF69207

• Resume from Sleep fails when Windows' MSAHCI driver is installed on a machine with an activated OPAL drive
When a machine is suspended into Sleep mode, the resume will fail if Microsoft's MSAHCI hard disk driver is installed. MSAHCI was introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7, but not to Windows XP.

Workarounds: 
   - If applicable for the hardware configuration, use the appropriate IAStore driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully.
   - Change the BIOS setting for the hard disk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...).
DEF66126

• Security concerns when using Solid State Drives
On current SSDs, it is impossible for any software (including the operating system) to determine the exact physical location where any data is stored on the SSD. A controller, which is an essential component of any SSD, simulates the external behavior of a platter drive while doing something completely different internally.
This has several implications for the security of the stored data, the details of which are listed in a Knowledge Base Article (KBA113334). The most important one is as follows:
Only data that has been written to an SSD volume after an encryption policy has been activated is cryptographically secure. This means in turn that any data that is already on the SSD before the initial encryption process of SafeGuard Enterprise starts cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished.
Please note that this issue is not specific to SafeGuard Enterprise but applies to any software-based full disk encryption system.
DEF68440

• Volume based encryption for removable eSATA drives does not work as expected
Currently, most external eSATA drives fail to advertise themselves as removable devices. This leads to those drives being treated by SafeGuard Enterprise as internal drives, and all corresponding policies will apply. We do not recommend using eSATA drives in a SafeGuard Enterprise full disk encryption environment unless the applied encryption policies explicitly take this situation into account.
DEF65729, DEF66438, DEF58796

• Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends using file-based encryption (DX module) for removable media encryption.

• Encryption of ‘Virtual Drives’
Virtual drives that are mounted on the client workstation (e.g. a VHD file mounted into Windows using the MS Virtual Server mounter) are considered local hard drives, and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.

• During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before suspend to disk works properly again.

• Device Protection Policy together with Configuration Protection Policy for non-boot drives
If both volume based encryption and Configuration Protection are installed on Windows Vista systems, policies to encrypt non-boot volumes can cause the initial encryption process to freeze. This can be avoided by copying the bootmgr file to these non-boot volumes before installing SGN and defining the encryption policy for ‘Bootvolumes’.

General

• SafeGuard Enterprise disables Windows' AutoAdminLogon feature
For security reasons, the SafeGuard Enterprise client actively disables the AutoAdminLogon feature in Windows.

• Novell Client
To use the SGN Client in conjunction with a Novell Client, some project-specific adaptations are necessary. Please contact Sophos Support for further information.

• Fast user switching is not supported and must be disabled.

• Floppy drive
After installation of SafeGuard Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.

• The enforcement of the SafeGuard Enterprise password history policy can be bypassed by the user when the password change is enforced by the system administrator.

• Direct modifications to the original Sophos product MSI installer packages are not supported. If you need to modify specific options, please do so by applying a Microsoft Transform file (MST). A list of supported changes can be found in the Sophos Knowledge Database. Other modifications are unsupported and might lead to unspecified behavior of the product.

Windows XP

• Microsoft Windows XP up to Service Pack 2 shows a problem on some machines, where a resume after standby does not show the locked desktop but directly opens the user desktop. The problem also applies to machines with SafeGuard Enterprise. This should be fixed with Windows XP SP3.

• Microsoft Windows XP has a technical limitation of its kernel stack. If several file system filter drivers (e.g. antivirus software) are installed, the memory might not be sufficient. In this case you might get a BSOD. Sophos cannot be made liable for this Windows limitation and cannot solve this issue.

Vista

• User-policy is not loaded
If users do not have to press Ctrl+Alt+Del to log on to Vista (interactive logon setting), the user policy does not get loaded properly. In that scenario the machine policy is used instead.


Compatibility

• SafeGuard LanCrypt needs a repair when uninstalling the SafeGuard Enterprise Client on the same machine
An uninstallation of SafeGuard Enterprise 5.60 on a PC that has the SafeGuard LanCrypt Client (SGLC) installed leads to an internal driver error when the user tries to load his SGLC keyring.
Workaround:
Run a repair installation on the SafeGuard LanCrypt Client package.
DEF69644

• SafeGuard Removable Media and SafeGuard Enterprise cannot be run on the same machine
The discontinued SafeGuard Removable Media product must be uninstalled before using any SafeGuard Enterprise components on the same machine.
DEF69092

• Empirum Security Suite Agent
If SGN 5.50 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:

BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS

This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
Please contact Matrix42 support for latest details/updates on this issue.

• Lenovo Rescue and Recovery
For information on compatibility of Rescue and Recovery versions with SafeGuard Enterprise versions see: http://www.sophos.com/support/knowledgebase/article/108383.html

• AbsoluteSoftware Computrace
SGN Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with the ‘track-0 based persistent agent’ activated.

• Compatibility to imaging tools has not been tested and is therefore not supported.


Token/Smartcard

• Resuming from hibernation on a Windows XP client can occasionally lead to a BSOD if an Aladdin eToken 72k (Java) is used for authentication. Therefore, hibernation under Windows XP in combination with Aladdin eToken 72k (Java) is currently not supported as unsaved data could be lost when the BSOD occurs.
DEF66421

• Disconnecting a USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware
In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected.
DEF66637

• Kerberos Issue with RSA SID 800 tokens
RSA SID 800 tokens which have been issued on Windows 7 x64 for Kerberos logon for non-administrators will not work in the POA if the DC/Kerberos Server is a Windows Server 2003.
DEF67603

• When using the Gemalto Classic middleware, the non-cryptographic logon mode does not work in the POA
DEF67495

• TCOS tokens are not supported on Windows Vista
DEF67397, DEF67386

• PIV Smartcard does not work with Omnikey or OZ711 smartcard readers
DEF63198, DEF66543

• ActivIdentity Notifications cause Winlogon.exe to crash
On some Windows XP systems Winlogon.exe may crash if Notifications in ActivClient are enabled.
Workaround:
Disable ActivClient Notifications in the ActivIdentity’s “Advanced Configuration Manager” under “Notifications Management”
DEF60040

 

Antivirus products tested with SafeGuard Device Encryption
SGN volume-based encryption has been successfully tested against concurrent installations of antivirus products by Sophos as well as the following:

Manufacturer         | Product                                     | Version
---------------------|---------------------------------------------|------------------
AVG                  | Free Anti-Virus Small Business Edition 2011 | 10.0.1153
Computer Associates  | Security Center                             | Version 6.0.0.285
F-Secure             | Anti Virus 2011                             | 10.51
G Data               | AntiVirus 2011                              | Version 21.1.0.5
Kaspersky            | Internet Security 2011                      | Version 11.0.0.232
Symantec             | Endpoint Protection                         | 11.0.6
Trend Micro          | Titanium Internet Security 2011             |
McAfee               | Internet Security 2011                      |
Norman               | Virus Control                               | 2010.02.22
Microsoft            | Security Essentials                         |
 
