SafeGuard Enterprise 6.00.1: Release Notes

  • Article ID: 117643
  • Updated: 17 Dec 2014

SafeGuard Enterprise 6.00.1 Release Notes

Known to apply to the following Sophos product(s) and version(s)

SafeGuard Management Center / Local Policy Editor 6.00.1
SafeGuard File Encryption 6.00.1
SafeGuard Enterprise Server 6.00.1
SafeGuard Data Exchange 6.00.1
SafeGuard Cloud Storage 6.00.1
SafeGuard Web Helpdesk 6.00.1
SafeGuard Device Encryption 6.00.1
SafeGuard Configuration Protection 6.00.1

Requirements

Platform                                                        32-bit  64-bit  IA-64 (Itanium)  Recommended available disk space  Minimum RAM

SafeGuard Enterprise - Client
  Windows 7, SP1 Enterprise/Ultimate/Professional/Home Premium  Yes     Yes     not supported    300 MB*                           1 GB***
  Windows Vista SP1, SP2 Enterprise/Ultimate/Business           Yes     Yes**   not supported    300 MB*                           1 GB***
  Windows XP Professional SP2, SP3                              Yes     no      not supported    300 MB*                           1 GB***

SafeGuard Enterprise - Management Console
  Windows 7, SP1 Enterprise/Ultimate/Professional               Yes     Yes     not supported    1 GB                              1 GB***
  Windows Vista SP1, SP2 Enterprise/Ultimate/Business           Yes     Yes     not supported    1 GB                              1 GB***
  Windows XP Professional SP2, SP3                              Yes     no      not supported    1 GB                              1 GB***
  Windows Server 2008 SP1, SP2                                  Yes     Yes     not supported    1 GB                              1 GB***
  Windows Server 2008 R2, SP1                                   no      Yes     not supported    1 GB                              1 GB***
  Windows Server 2003 SP1, SP2                                  Yes     Yes     not supported    1 GB                              1 GB***
  Windows Server 2003 R2 SP1, SP2                               Yes     Yes     not supported    1 GB                              1 GB***
  Windows Small Business Server 2003, 2008, 2011                not supported

SafeGuard Enterprise - Server
  Windows Server 2008 SP1, SP2                                  Yes     Yes     not supported    1 GB                              1 GB***
  Windows Server 2008 R2, SP1                                   no      Yes     not supported    1 GB                              1 GB***
  Windows Server 2003 SP1, SP2                                  Yes     Yes     not supported    1 GB                              1 GB***
  Windows Server 2003 R2 SP1, SP2                               Yes     Yes     not supported    1 GB                              1 GB***
  Windows Small Business Server 2003, 2008, 2011                not supported

*  The installation needs at least 300 MB of free hard disk space. For Device Encryption, at least 100 MB of this free space must be one contiguous area. If the machine has less than 5 GB of free hard disk space and the operating system is not a fresh installation, defragment the system before installing to increase the chance that this contiguous area is available. Otherwise the installation may fail with "not enough free contiguous space", and such a failure cannot be supported.

** No Windows Vista (64-bit) support for the Configuration Protection module.

*** This memory space is recommended for the PC. Not all of this memory is used by SafeGuard Enterprise.

Software requirements

Client:
  • Internet Explorer Version 6.0 or higher
  • Firefox Version 3 or higher
  • .NET Framework 2.0 (Configuration Protection only)
  • .NET Framework 4.0 (BitLocker support only)

Server/Management Console:

  • .NET Framework 4.0
  • Internet Explorer Version 6.0 or higher (version 7 or higher recommended for SafeGuard Web HelpDesk)

Noticeable Changes

The following features have been changed with regard to their default behavior:

Persistent Encryption

The policy setting "Enable Persistent Encryption" was introduced with SafeGuard Enterprise 6 and is enabled by default. Details about this feature and the behavior of the file filter driver are described in KBA 117783.

Installation / Upgrade - special scenarios

Certain scenarios, such as installations that include the Configuration Protection module or installations in FIPS-compliant mode, require additional steps as described in KBA 118085.

Failed Logon Counter

The distinct user and machine failed logon counters have been combined into a single counter. This means that the "Maximum no. of failed logons" policy setting is now evaluated only for the machine and no longer for individual users. Consequently, when the configured number of successive failed logon attempts is exceeded, access to the whole machine is blocked, not just access for the individual user. Previously defined policy settings for a 'per user' counter are no longer evaluated.

Unhandled Applications

The policy setting in the 'Device Protection' policy that excluded specific applications from file-based encryption (i.e. DX) has been removed from this policy type. Because this setting also applies to the newly introduced file-based encryption modules File Share and Cloud Storage, it has been moved into the 'General Settings' policy. The old policy setting is no longer evaluated by newer clients (SGN 6.0 or later), so applications now have to be specified in a 'General Settings' policy using the 'Ignored Applications' policy setting.

Client Configuration Packages

In SafeGuard Enterprise versions prior to 6.0 it was possible to install a client configuration package that was created with an earlier version on a newer client (e.g. installing a package created in 5.50.8 on a 5.60.1 client). As of 6.0 this is no longer possible: the version of the client configuration package must match the client version. Upgraded clients, however, do not need a new client configuration package.

Resolved Issues (from 6.0)

  • Internal FP Reader does not work with SGN on a T430 DEF81758
  • SGN MC: MC usage slow after upgrade to SGN6 DEF82796
  • POA trap after SGN Upgrade from 5.60.0 to 6.00 and fresh installation of SGN 6.0 DEF82912
  • Error 1935 during upgrade from 5.60.1 to 6.0 DEF82808
  • SGN MC: MC crashes in suspension wizard DEF82809
  • Endless reboot loop after SGN Client installation on several hardware models (e.g. Lenovo ThinkPad T430, ...) DEF82799
  • SGN 6 on Lenovo X220 machines Windows XP (halts after POA -safeguard is loading windows) DEF82801
  • DX: Set default key via "Create New Key..." explorer context menu does not work DEF82619
  • SGN MC: Crash in SGN MC security officers tab DEF83229
  • Unable to select some local users when using WHD C/R wizard DEF82177
  • adding/removing imported machine/user to/from a group not possible DEF81164
  • SGN FS: Explorer issues during "Show encryption state" for a network drive DEF83396
  • SGN CP: Unable to block Wifi connection DEF70425
  • Unable to launch AccessSecureData on a system with SGN Configuration Protection installed DEF83152
  • Encryption does not start if CP client / policy is active DEF83153
  • SGN CP: CP client not working unless a new policy is assigned to the client DEF83154
  • SG FS: BSOD - 0x00000050  DEF82703
  • local user cannot logon w/o network (with assigned SA list) DEF83092
  • "No Encryption" Policy cannot be applied to whitelists DEF82802
  • Available Keys filter only usable as MSO - all other SO roles will not find any key DEF82804
  • Directory Tab within Options producing Unknown DSN / Object Reference messages DEF82807
  • MC crashes when you filter the log time in the report section DEF82810
  • SGN MC: Event filter doesn't work in the report section DEF82811
  • MC crashes when "Show auto filter row" is chosen DEF82812
  • BSOD (or hang) when an encrypted file is duplicated many times using Ctrl+V DEF82815
  • "User is allowed to decide about encryption" not correctly applied in upgraded env. DEF82816
  • Japanese text of installer wizard is incorrect DEF80308
  • SGN Event ID 2648 ("Policy changed") is not triggered if a policy value was changed DEF82819
  • Lenovo: POA not accepting key entries any more after leaving it alone over night DEF82821
  • other resolved issues


Known Issues

SafeGuard Management Center

  • There are some GUI layout problems on machines configured for resolutions other than 96 DPI.
  • Management Console log events may not be created when calling similar functionality concurrently via the SGN API.
  • Clients which have been registered as members of a domain, will not be updated properly in the SafeGuard Management Center, if they are moved to a Windows Workgroup.
  • SafeGuard Enterprise groups will be deleted automatically upon AD synchronization if any of the Organizational Units (OUs) of the hierarchy they belong to is deleted in the AD. (DEF79147)

SafeGuard Enterprise Server

  • Installation on Windows Server 2008 and Windows Server 2008 R2 using the SGNServer.msi has to be started with already elevated privileges, otherwise the installation may fail and browsing the SGNSRV website might display an HTTP-Error 500.19 - Internal Server Error. Alternatively the SGNServer.exe can be used for the installation to avoid this issue. (DEF66120)
  • A reboot is required before reinstalling SGN Server
    Although there is no explicit message to do so, a reboot is required after uninstalling SGN Server components and before reinstalling them. (DEF49516)
  • The method 'CreateDirectoryConnection' does not run on an SGN Server alone. The machine must also have the SGN Management Console installed for this API.

SafeGuard Data Exchange Client

  • Not all options are shown when operating a device as 'Portable Device'
    When a removable medium is operated in 'Portable Device' mode, some of the options of SGN DX are not available in Windows Explorer. Overlay icons indicating a file's encryption status are missing, as is the menu option that SGN DX adds to a file's context menu. Nevertheless, any applicable encryption policy is enforced for files that reside on the removable device, regardless of whether it is referenced via the 'Portable Device' tree or the assigned drive letter.
  • User elevation for encrypted executables
    If an encrypted executable or installation package is started and requires a user elevation in Windows Vista or Windows 7, it may happen that the elevation doesn't take place and the executable is not started.
  • Access to key ring after closing a remote session
    A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access to the key ring.

SafeGuard Device Encryption Client

  • Wrong log time for POA Autologon entries in the Event Viewer of the Management Center
    As long as there has been no initial logon to Windows, the POA tags its events with the timestamp that is available from the BIOS. This timestamp is local to the machine and does not contain any timezone information, which is why the log entries may not appear in the correct chronological order in the Management Center. Once the user has booted into Windows, the POA is updated with the correct timezone settings and subsequent log events appear with the correct Log Time. (DEF69645)
  • Partition resizing not supported
    Resizing any partition on a machine where SafeGuard Enterprise Volume Based Encryption is installed is not supported.
  • Local Self Help is silently disabled when user changes password on a different machine
    When an SGN user is registered on more than one machine with activated Local Self Help, changing their password on one machine will disable this feature on all machines other than the one where the change was performed. When they log on to one of the other machines, no notification will appear to inform them of this change. Workaround:
    Reactivate Local Self Help on all machines. This requires starting the LSH Activation Wizard and answering all the questions again. (DEF62926)
  • The SGN installation process must be started in the context of a Windows administrator's logon session. Starting the installation via 'Run as administrator' is not supported.
  • Installation of the client configuration package
    After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.
  • BitLocker To Go-encrypted devices may prevent Device Encryption installation
    If a BitLocker To Go-encrypted USB stick is attached to a machine during the setup of SGN, the installation will fail because Windows reports the system as being BitLocker-enabled, which causes the DE client installation to fail. The solution is to remove any BitLocker To Go-encrypted devices before installing SGN Device Encryption.
  • Boot time
    Boot time increases by about one minute after installing the SGN Client software.
  • It is recommended to reboot a SGN Client PC at least once after activating the SGN Power-on Authentication. SGN performs a backup of its kernel data on every Windows boot. This backup will never happen if the PC is only set to hibernation or stand-by mode.
  • In rare situations, access to exFAT-formatted USB flash drives is not consistently blocked when a volume-based encryption policy is applied in combination with a "user defined key". In approximately 2 out of 10 USB safe-removal/reattach cycles, SGN does not enforce the "access denied" policy properly. (DEF54324)

SafeGuard Configuration Protection Client

  • Configuration Protection white lists cannot be exported from Management Center 5.50
    When a user exports a policy containing Configuration Protection (CP) white lists, these will be missing from the export file.
    Workaround: Do not import CP policies that were exported from the SGN 5.50 Management Center. Policies which were exported from version 5.60 can be used. (DEF58890V)
  • Log event regarding open registry handle
    The Configuration Protection Client (SimonPro.exe) keeps a handle to the registry open (for anti-tampering reasons), which causes a warning log event on Windows Vista.
  • USB keyboards classified as Hardware Key-Logging Device
    Certain USB keyboards are considered to be hardware key-logging devices and are thus blocked, making them unavailable to the OS. This issue only arises when the keyboard is unplugged and attached to a different USB port while the system is running. The following keyboards are known to us at this time:
    • Dell Keyboard RT7D60
    • Dell Keyboard SK-3106
  • Devices are not blocked after logon.
    User policies are enforced by a process which is started in the user session after logon. If the start of this process is delayed by the operating system, the user may gain the ability to access blocked or access-restricted devices during this delay. To avoid this behavior always apply the restricting policy to both: machine and user.
  • BSOD after installation of SafeGuard Configuration Protection
    Microsoft has issued a hotfix for a BSOD issue that may also occur after installing the Configuration Protection package. Please refer to http://support.microsoft.com, article ID 906866 for further information.
  • Windows might offer to format a removable storage device that is actually blocked by a Configuration Protection policy. The formatting is then blocked as well: no data is destroyed and the device remains blocked. (DEF78809)
  • The Configuration Protection Module in the SafeGuard Client Setup must not be removed in the course of an upgrade from SafeGuard 5.x to SafeGuard 6.0. In case that this module is no longer required, it has to be removed either before upgrading to SafeGuard 6.0 or after the upgrade. The upgrade will fail in case the Configuration Protection Module is removed in the process of the upgrade itself. (DEF78177)

Encryption

  • On some Toshiba OPAL disks, OPAL mode encryption may fail if the first partition is not located at the beginning of the disk
    The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls within the sector range of the inaccessible area, SafeGuard Enterprise will not be able to activate OPAL encryption for that drive.
    This issue has been reported to Toshiba and is expected to be fixed in an upcoming firmware version for these drives.
    Workaround: Relocate the start partition to the beginning of the disk. (DEF69429)
  • OPAL restrictions
    As of version 5.60, the SafeGuard Enterprise support for OPAL self-encrypting drives has the following limitations:
    • OPAL mode encryption can only be activated for one OPAL drive per machine.
    • If more than one OPAL drive is present and an encryption policy is assigned to any of their volumes, these volumes will be software-encrypted just as on a non-self-encrypting drive. This implies that a RAID configuration with more than one OPAL drive will always be software-encrypted.
    • If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously.
    • The first sector of the start partition of the disk must be located within the first 128 MB. (DEF69695)
  • Do not use Windows Hybrid Sleep setting on OPAL machines
    On computers with an SGN-managed OPAL self-encrypting drive, activating the Allow hybrid sleep option in the Advanced Power Options settings may lead to errors during the wake-from-sleep (resume) procedure. This implies the loss of all data that has not been saved to disk before the computer was put to sleep. (DEF70019)
  • OPAL Self Encrypting Drives become unusable in case of a lost encryption key
    According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost.
    This means the disk becomes completely unusable, a fact that stands in contrast to a disk that has been encrypted via software, where the data is lost, too, but the hardware can be reused after reformatting.
    SafeGuard Enterprise will either automatically store encryption keys in its database as soon as an encryption policy has been applied (for managed clients) or prompt the user to back up the key file (for standalone clients), but in case this data is lost, the described scenario applies. (DEF6920)
  • OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged
    Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the uninstallation of SafeGuard Enterprise, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset a SGN-managed OPAL drive. For security reasons, this tool is only available from Sophos' customer service. (DEF6920)
  • Resume from Sleep fails when Windows' MSAHCI driver is installed on a machine with an activated OPAL drive
    When a machine is being suspended into Sleep mode, the resume will fail if Microsoft's MSAHCI harddisk driver is installed. MSAHCI has been introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7, but not Windows XP.

    Workarounds:

    • If applicable for the hardware configuration, use the appropriate IAStore driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully.
    • Change the BIOS setting for the harddisk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...) (DEF66126)
  • Security concerns when using Solid State Drives (SSDs)
    On current SSDs, it is impossible for any software (including the operating system) to determine the exact physical location where any data is stored on the SSD. A controller, which is an essential component of any SSD, simulates the external behavior of a platter drive while doing something completely different internally.
    This has several implications for the security of the stored data, the details of which are listed in a Knowledge Base Article (KBA113334). The most important one being as follows:
    Only data that has been written to a SSD volume after an encryption policy has been activated is cryptographically secure. This means in turn that any data that is already on the SSD before the initial encryption process of SafeGuard Enterprise starts cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished.
    Please note that this issue is not specific to SafeGuard Enterprise but applies to any software-based full disk encryption system. (DEF68440)
  • Volume-based encryption for removable eSATA drives does not work as expected
    Currently, most external eSATA drives fail to advertise themselves as removable devices. This leads to those drives being treated by SafeGuard Enterprise as internal drives, and all corresponding policies will apply. We do not recommend using eSATA drives in a SafeGuard Enterprise full disk encryption environment unless the applied encryption policies explicitly take this situation into account.
    (DEF65729, DEF66438, DEF5879)
  • Device Encryption may fail on some USB sticks
    Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends to use file-based encryption (DX module) for removable media.
  • Encryption of 'Virtual Drives'
    Virtual drives that are mounted on the client workstation (e.g. VHD file into Windows using MS Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.
  • During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) Suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before Suspend to disk works properly again.
  • Device Protection policy together with Configuration Protection policy for non-boot drives
    If both Device Protection and Configuration Protection are installed on Windows Vista or Windows 7 systems, policies to encrypt non-boot volumes can cause the initial encryption process to freeze. This can be avoided by copying the bootmgr file to these non-boot volumes before the installation of SGN and defining the encryption policy for 'Boot volumes' instead.
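The OPAL items above give two things an administrator can verify before assigning an OPAL encryption policy: that the start partition begins inside the first 128 MB of the disk (DEF69695, and the Toshiba MGT00A firmware case in DEF69429), and which model and firmware each disk reports. The following script is an added example written for this page; it is not part of SafeGuard Enterprise. It uses only the standard Win32_DiskDrive and Win32_DiskPartition WMI classes, and the 128 MB limit is taken from the text above.

```powershell
# Added example for this release-notes page, not a Sophos tool.
# For every fixed disk: report model and firmware revision, find the partition
# with the lowest starting offset, and check that it starts inside the first
# 128 MB (the OPAL Shadow MBR region SafeGuard Enterprise requires, DEF69695).

$shadowMbrLimit = 128MB   # limit quoted in the OPAL restrictions above

$drives     = Get-WmiObject -Class Win32_DiskDrive
$partitions = Get-WmiObject -Class Win32_DiskPartition

foreach ($drive in ($drives | Sort-Object Index)) {
    # Lowest-offset partition on this disk is the one OPAL activation cares about.
    $first = $partitions |
        Where-Object { $_.DiskIndex -eq $drive.Index } |
        Sort-Object { [uint64]$_.StartingOffset } |
        Select-Object -First 1

    $label = 'Disk {0} ({1}, firmware {2})' -f $drive.Index, $drive.Model, $drive.FirmwareRevision

    if ($null -eq $first) {
        Write-Warning ('{0}: no partitions found.' -f $label)
        continue
    }

    $startOffset = [uint64]$first.StartingOffset
    $startMB     = [math]::Round($startOffset / 1MB, 2)

    if ($startOffset -lt $shadowMbrLimit) {
        '{0}: first partition starts at {1} MB, inside the 128 MB limit.' -f $label, $startMB
    } else {
        # Matches the documented workaround: move the start partition to the
        # beginning of the disk, otherwise OPAL mode cannot be activated.
        Write-Warning ('{0}: first partition starts at {1} MB; relocate it to the beginning of the disk before activating OPAL mode (DEF69429, DEF69695).' -f $label, $startMB)
    }
}
```

The firmware revision is printed so that the Toshiba MGT00A case can be recognised by eye; the script does not decide on firmware, because the page only names that one revision as affected.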

General

  • Fast user switching is not supported and must be disabled.
  • Direct modifications to the original Sophos product MSI installer packages are not supported. If you need to change specific options, do so by applying a Microsoft Transform file (MST). A list of supported changes can be found in the Sophos Knowledge Database. Any other modifications are unsupported and might lead to unspecified behavior of the product.
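Several of the installation rules on this page can be enforced from one pre-flight script: the free-space and contiguous-space rule in the Requirements footnote, the requirement that SGNServer.msi be started from an already elevated session (DEF66120), and the rule that customisation goes through an MST rather than edits to the MSI. The script below is an added example written for this page, not a Sophos tool. The package path, transform path, log path and the silent install switches are assumptions; the transform must contain only changes listed as supported in the Sophos Knowledge Database. It targets the server package only: for the client, the Device Encryption section above requires a logged-on administrator session and states that 'Run as administrator' is not supported.

```powershell
# Added example for this page, not a Sophos tool. Pre-flight checks and a
# transform-based silent install of SGNServer.msi. All paths are assumptions.
param(
    [string]$Msi       = 'C:\Install\SGNServer.msi',          # assumption: local copy of the package
    [string]$Transform = 'C:\Install\SGNServer-custom.mst',   # assumption: MST built from supported options only
    [string]$Drive     = 'C',
    [string]$LogFile   = (Join-Path $env:TEMP 'SGNServer-install.log')
)
$ErrorActionPreference = 'Stop'

# 1. The server MSI must run from an already elevated session (DEF66120);
#    a non-elevated run can leave the SGNSRV site answering HTTP 500.19.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session; installing SGNServer.msi without elevation is not supported.'
}

# 2. Disk-space rule from the Requirements footnote: at least 300 MB free.
#    Below 5 GB free the page asks for a defragmentation on a non-fresh OS so
#    that the 100 MB contiguous area needed by Device Encryption is likely to
#    exist; this script defragments whenever it is below 5 GB (conservative).
$disk   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='${Drive}:'"
$freeMB = [math]::Floor([uint64]$disk.FreeSpace / 1MB)
if ($freeMB -lt 300) {
    throw "Only $freeMB MB free on ${Drive}:, but the installation needs at least 300 MB."
}
if ($freeMB -lt 5120) {
    Write-Warning "Less than 5 GB free on ${Drive}:; defragmenting so that a 100 MB contiguous area is available."
    & defrag.exe "${Drive}:" | Out-Null
}

# 3. Leave the vendor MSI untouched; customisation is passed as a transform.
$msiArgs = @('/i', ('"{0}"' -f $Msi), '/qn', '/L*v', ('"{0}"' -f $LogFile))
if (Test-Path -Path $Transform) {
    $msiArgs += ('TRANSFORMS="{0}"' -f $Transform)
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'SGN Server installed.' }
    3010    { 'SGN Server installed; reboot before using or reinstalling the server components (DEF49516).' }
    default { throw ('msiexec exited with {0}; see {1}' -f $proc.ExitCode, $LogFile) }
}
```

The verbose log (/L*v) is what support will ask for if the install fails, and exit code 3010 is surfaced explicitly because the Server section above notes that a reboot is required between uninstalling and reinstalling the server components.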

Windows XP

  • Microsoft Windows XP up to Service Pack 2 shows a problem on some machines, where a resume after standby does not show the locked desktop but directly opens the user desktop. The problem also applies to machines with SafeGuard Enterprise. This should be fixed with Windows XP SP3.
  • Microsoft Windows XP has a technical limitation in its kernel stack. If several file system filter drivers (e.g. antivirus software) are installed, the memory might not be sufficient. In this case you might get a BSOD. Sophos cannot be made liable for this Windows limitation and cannot solve this issue.

Windows Vista

  • User-policy is not loaded
    If users do not have to press Ctrl+Alt+Del to log on to Windows Vista (interactive logon setting), the user policy does not get loaded properly. In this scenario the machine policy is used instead.
  • Floppy drive
    After installing SafeGuard Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.

Compatibility

  • SafeGuard LAN Crypt compatibility with SGN 6.0 Data Exchange (DX), File Share (FS) and Cloud Storage (CS)
    For SafeGuard LAN Crypt 3.70/3.71 a separate patch is available, that re-enables compatibility of the DX and CS modules. In case SafeGuard LAN Crypt needs to be installed in combination with SGN 6.0 DX and/or SGN CS please install the separate Compatibility Package after SG LAN Crypt has been installed. The patch is available in the SafeGuard Enterprise 6.0 download section on mysophos.com.

    Note: A new version of the compatibility patch is available for SafeGuard Enterprise 6.00.1. This is required for new installations, and before upgrading to version 6.00.1.
    After the installation of the client you must run a repair installation on the compatibility patch. Detailed information about the installation order is available in the readme file which is part of the download.

    Older versions of SafeGuard LAN Crypt (up to version 3.60) are no longer compatible with the relevant file-encryption modules of SGN 6.0 (DX, FS and CS). These versions are only compatible with the SafeGuard Device Encryption and Configuration Protection module.
  • SafeGuard RemovableMedia and SafeGuard Enterprise cannot be run on the same machine
    The discontinued SafeGuard RemovableMedia product must be uninstalled before using any SafeGuard Enterprise components on the same machine. (DEF69092)
  • SafeGuard Enterprise has not been tested in conjunction with an installed Novell Client for Windows. Restrictions may apply as there is no intercommunication between the logon components of both products.
  • Empirum Security Suite Agent
    If SGN 6.0 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:

    BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS

    This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
    Please contact Matrix42 support for latest details/updates on this issue.

  • Lenovo Rescue and Recovery
    For information on compatibility of Rescue and Recovery versions with SafeGuard Enterprise versions see: http://www.sophos.com/en-us/support/knowledgebase/108383.aspx
  • AbsoluteSoftware Computrace
    SGN Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated 'track-0 based persistent agent' installed.
  • Compatibility to imaging tools has not been tested and is therefore not supported by Sophos.

Token/Smartcard

  • Resuming from hibernation on a Windows XP client can occasionally lead to a BSOD if an Aladdin eToken 72k (Java) is used for authentication. Therefore, hibernation under Windows XP in combination with Aladdin eToken 72k (Java) is currently not supported as unsaved data could be lost when the BSOD occurs. (DEF66421)
  • Disconnecting a USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware.
    In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected. (DEF66637)
  • When using the Gemalto Classic middleware, the non-cryptographic logon mode does not work in the POA. (DEF67495)
  • TCOS tokens are not supported on Windows Vista. (DEF67397, DEF67386)
  • PIV Smartcard does not work with Omnikey or OZ711 smartcard readers. (DEF63198, DEF66543)
  • ActivIdentity Notifications cause Winlogon.exe to crash. On some Windows XP systems Winlogon.exe may crash if Notifications in ActivClient are enabled.
    Workaround: Disable ActivClient Notifications in the ActivIdentity's 'Advanced Configuration Manager' under 'Notifications Management'. (DEF60040)

Antivirus products tested with SafeGuard Device Encryption

SGN volume-based encryption has been successfully tested against concurrent installations of antivirus products by Sophos as well as the following:


Manufacturer   Product                                               Version
F-Secure       Client Security                                       9.10 B249
Kaspersky      Business Space Security - AntiVirus                   6.0.4.1424
Symantec       Endpoint Protection                                   12.1
Trend Micro    Enterprise Security for Endpoints - Office Scan       10.5
McAfee         McAfee VirusScan Enterprise + AntiSpyware Enterprise  8.8

If you need more information or guidance, then please contact technical support.