SafeGuard Enterprise 6.10.0 Release Notes
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Management Center / Local Policy Editor 6.10.0
SafeGuard File Encryption 6.10.0
SafeGuard Enterprise Server 6.10.0
SafeGuard Data Exchange 6.10.0
SafeGuard Cloud Storage 6.10.0
SafeGuard BitLocker Client 6.10.0
SafeGuard Web Helpdesk 6.10.0
SafeGuard Device Encryption 6.10.0
|Platforms supported ||32 bit ||64 bit ||Recommended |
|SafeGuard Client |
|Windows 7 SP1 |
Enterprise, Ultimate Edition
|Yes ||Yes ||300MB* ||1GB** |
|Windows 8, 8.1 |
Pro, Enterprise Edition
|Yes ||Yes ||100MB ||2GB** |
|SafeGuard Management Center |
|Windows 7 SP1 |
Enterprise, Ultimate Edition
|Yes ||Yes ||1GB ||1GB** |
|Windows 8, 8.1 |
Pro, Enterprise Edition
|Yes ||Yes ||1GB ||1GB** |
|Windows Server 2008 SP1, SP2 ||Yes ||Yes ||1GB ||1GB** |
|Windows Server 2008 R2, SP1 ||No ||Yes ||1GB ||1GB** |
|Windows Server 2012 / Server 2012 R2 ||No ||Yes ||1GB ||2GB** |
|SafeGuard Enterprise Server |
|Windows Server 2008 SP1, SP2 ||Yes ||Yes ||1GB ||2GB** |
|Windows Server 2008 R2 SP1, SP2 ||No ||Yes ||1GB ||2GB** |
|Windows Server 2012 /Server 2012 R2 ||No ||Yes ||1GB ||2GB** |
Windows Small Business Server and Windows Server Essentials are not supported.
* The installation needs at least 300 MB of free hard disk space. For Device Encryption, at least 100 MB of this free space must be one contiguous area. Please defragment your system before installation if you have below 5 GB free hard disk space and your operating system is not freshly installed to increase the chance that this contiguous area is available. Otherwise, installation may fail due to "not enough free contiguous space” and cannot be supported.
** This memory space is recommended for the PC. Not all of this memory is used by SafeGuard Enterprise.
Software requirements Client:
- Internet Explorer Version 8.0 or higher
- .NET Framework 4.0 (BitLocker support only)
Information about the MAC OSx clients can be found here:
Sophos SafeGuard File Encryption for Mac 6.10: Release Notes
Sophos SafeGuard Disk Encryption for Mac 6.10: Release Notes
Additional BitLocker Challenge/Response Requirements
- PC is running 64-bit Windows
- Windows installed in GPT mode
- The hardware is not listed in the POACFG.xml file. Sophos delivers a default file embedded in the setup, but it is recommended to download the newest file from the Sophos FTP server and apply it with the installation of the Client.
- Microsoft UEFI certificate is available or Secure Boot is disabled
- NVRAM boot entries accessible from Windows
- UEFI has version 2.3.1 or newer
If the BitLocker Challenge/Response requirements are not fulfilled, SafeGuard BitLocker will run in a mode without Challenge/Response.
- .NET Framework 4.0
- Internet Explorer Version 8.0 or higher
SafeGuard Management Center
- The usability of the Management Center has been improved to support drag'n'drop when assigning objects. Users, computers or keys can now be assigned intuitively by simply dragging them from the from the selection tree and dropping them onto the target object.
The following features have been changed with regard to their default behavior:
- SafeGuard Configuration Protection Module not longer Part of the SafeGuard Enterprise Client
Interoperability of SafeGuard Client running on Windows XP with SGN 6.10 backend
SGN Clients version 6.01, 6.0 and 5.60, installed on Windows XP are supported with an SGN 6.10 backend in general.
Because of the now used SHA-256 algorithm for certificate signing, introduced to increase the level of security, you have to consider the interoperatibility with older SGN Clients:
1. When upgrading the SGN backend from SafeGuard Enterprise 6 or earlier, hash algorithm SHA-1 is still automatically used for self-signed certificates. SGN Clients 6.10. 6.01. 6.0 5.60.1 and 5.60.0 are working with this setting.
If only new SGN 6.10 clients will be used then you can change the setting to SHA-256 (Management Center/Options). You have to create SGN configuration packages new, if already done before that change.
2. With a new installation of SGN 6.10 backend and the need to use older SGN clients, because of e.g. running clients with Windows XP, you have to setup the MC installation by changing the default setting to SHA-1.
SafeGuard Management Center
- There are some GUI layout problems on machines configured for resolutions other than 96 DPI.
- Management Console log events may not be created when calling similar functionality concurrently via the SGN API.
- Clients which have been registered as members of a domain, will not be updated properly in the SafeGuard Management Center, if they are moved to a Windows Workgroup.
- If a computer or user is auto-registered while an Active Directory (AD) sync is performed, two objects may be generated in the SafeGuard directory. The situation can be solved by deleting the object that was added by the AD sync and leaving the one in the ".Auto registered" folder. The next AD sync will correctly move the object from the ".Auto registered" folder into the desired organizational unit.
- Starting a new remote desktop session to a computer where a Management Center or Server upgrade is in progress will cause the upgrade to fail. The new remote desktop session will execute RunOnce registry entries to delete the Local Cache and the SafeGuard registry entries.
- User auto-registration from 5.60 and 6.0 Clients
When the SGN Client has version 5.60 or 6.0 and users log on using the format name@domain or domain\name, then auto-registration of these users leads to a problem with the Active Directory synchronization later. Instead of moving the auto-registered user to the correct organizational unit, the Active Directory synchronization instead will generate a duplicate user object. This issue can be solved by importing new users into the Management Center before they do their first logon on the Client. Another workaround would be to correct the pre-Windows 2000 user name of the user in the auto-registered folder in the Management Center (via context menu > Properties). If a duplicate user object already exists, the one imported from Active Directory should be deleted.
SafeGuard Enterprise Server
- A reboot is required before reinstalling SGN Server
Although there is no explicit message to do so, a reboot is required after uninstalling SGN Server components and before reinstalling them. (DEF49516)
- The method 'CreateDirectoryConnection' does not run on a SGN Server alone. The machine must also have the SGN Management Console installed for this API.
SafeGuard Data Exchange Client
- Not all options are shown when operating a device as 'Portable Device'
When operating a removable media in 'Portable Device' mode, some of the options of SGN DX are not available in Windows Explorer. verlay icons indicating a file's encryption status are missing as well as the menu option introduced by SGN DX in a file's context menu. Nevertheless any applicable encryption policy is enforced for files that reside on the removable device, regardless whether it is referenced via the 'Portable Device' tree or the assigned drive letter.
- User elevation for encrypted executables
If an encrypted executable or installation package is started and requires a user elevation, it may happen that the elevation doesn't take place and the executable is not started.
- Access to key ring after closing a remote session
A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access to the key ring.
SafeGuard Configuration Protection Client
- As SafeGuard Configuration Protection is no longer part of the SafeGuard 6.10 Client, the module gets automatically removed during an upgrade from previous versions. However, removing Configuration Protection during an upgrade from 5.60 will not generate the uninstall password for the Configuration Protection Client.
Due to an unsolvable issue in the 5.60 installation, the uninstall password, needed to uninstall the Configuration Protection Client, will not be generated if Configuration Protection is removed during the upgrade to 6.10. It is recommended to first uninstall Configuration Protection in 5.60 and then upgrade to 6.10. Upgrades from 6.00 do not suffer from this limitation.
SafeGuard Device Encryption Client
- Wrong log time for POA Autologon entries in the Event Viewer of the Management Center
As long as there has been no initial logon to Windows, the POA tags its events with the timestamp that is available from the BIOS. This timestamp is local to the machine and does not contain any timezone information, which is why the log entries may not appear in the correct chronological order in the Management Center. Once the user has booted into Windows, the POA is updated with the correct timezone settings and subsequent log events appear with the correct Log Time. (DEF69645)
- Partition resizing not supported
Resizing any partition on a machine where SafeGuard Enterprise Volume Based Encryption is installed is not supported.
- The SGN installation process requires to be started in the context of a Windows administrator’s logon session. Starting the installation via 'Run as administrator' is not supported.
- Installation of the client configuration package
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.
- BitLocker To Go-encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached to a machine during the setup of SGN, the installation will fail because Windows reports the system as being BitLocker-enabled, which causes the DE client installation to fail. The solution is to remove any BitLocker to Go-encrypted devices before installing SGN Device Encryption.
- Boot time
Boot time increases by about one minute after installing the SGN Client software (incl. POA).
- It is recommended to reboot a SGN Client PC at least once after activating the SGN Power-on Authentication. SGN performs a backup of its kernel data on every Windows boot. This backup will never happen if the PC is only set to hibernation or stand-by mode.
- In rare situations it can happen that access to exFAT formatted USB flash drives is not consistently blocked when applying a volume-based encryption policy in combination with a "user defined key". In approx. 2 out of 10 USB save removal/reattach sessions, SGN does not enforce the "access denied" policy properly. (DEF54324)
- On some Toshiba OPAL disks, OPAL mode encryption may fail if the first partition is not located at the beginning of the disk
The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB size. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls in the range of sector numbers of the unaccessible area, SafeGuard Enterprise will not be able to activate the OPAL encryption for such a drive.
This issue has been reported to Toshiba and is expected to be fixed in an upcoming firmware version for these drives.
Workaround: Relocate the start partition to the beginning of the disk. (DEF69429)
- OPAL restrictions
As of version 5.60, the SafeGuard Enterprise support for OPAL self-encrypting drives has the following limitations:
- OPAL mode encryption can only be activated for one OPAL drive per machine.
- If more than one OPAL drive is present and an encryption policy is assigned to any of its volumes, these will be software encrypted just as on a non-self-encrypting drive. This implies that a RAID configuration with more than one OPAL drive will always be software-encrypted.
- If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously.
- The first sector of the start partition of the disk must be located within the first 128 MB. (DEF69695)
- Do not use Windows Hybrid Sleep setting on OPAL machines
On computers with an SGN-managed OPAL self-encrypting drive, activating the Allow hybrid sleep option in the Advanced Power Options settings may lead to errors during the wake-from-sleep (resume) procedure. This implies the loss of all data that has not been saved to disk before the computer was put to sleep. (DEF70019)
- OPAL Self Encrypting Drives become unusable in case of a lost encryption key
According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost.
This means the disk becomes completely unusable, a fact that stands in contrast to a disk that has been encrypted via software, where the data is lost, too, but the hardware can be reused after reformatting.
SafeGuard Enterprise will either automatically store encryption keys in its database as soon as an encryption policy has been applied (for managed clients) or prompt the user to back up the key file (for standalone clients), but in case this data is lost, the described scenario applies. (DEF6920)
- OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged
Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the uninstallation of SafeGuard Enterprise, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset a SGN-managed OPAL drive. For security reasons, this tool is only available from Sophos' customer service. (DEF6920)
- Resume from Sleep fails when Windows' MSAHCI driver is installed on a machine with an activated OPAL drive
When a machine is being suspended into Sleep mode, the resume will fail if Microsoft's MSAHCI harddisk driver is installed. MSAHCI has been introduced with Windows Vista and also apply to Windows 7.
- If applicable for the hardware configuration, use the appropriate IAStore driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully.
- Change the BIOS setting for the harddisk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...) (DEF66126)
- Security concerns when using Solid State Drives (SSD's)
On current SSD's, it is impossible for any software (including the operating system) to determine the exact physical location of where any data is being stored on the SSD. A controller, which is an essential component of any SSD, simulates the external behavior of a platter drive while doing something completely different internally.
This has several implications for the security of the stored data, the details of which are listed in a Knowledge Base Article (KBA113334). The most important one being as follows:
Only data that has been written to a SSD volume after an encryption policy has been activated is cryptographically secure. This means in turn that any data that is already on the SSD before the initial encryption process of SafeGuard Enterprise starts cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished.
Please note that this issue is not specific to SafeGuard Enterprise but applies to any software-based full disk encryption system. (DEF68440)
- Volume-based encryption for removable eSATA drives does not work as expected
Currently, most external eSATA drives fail to advertise themselves as a removable device. This leads to those drives being treated by SafeGuard Enterprise as an internal drive and all corresponding policies will apply. We do not recommend to use eSATA drives in a SafeGuard Enterprise full disk encryption environment unless the applied encryption policies explicitly take this situation into account.
(DEF65729, DEF66438, DEF5879)
- Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends to use file-based encryption (DX module) for removable media.
- Encryption of 'Virtual Drives'
Virtual drives that are mounted on the client workstation (e.g. VHD file into Windows using MS Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.
- During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) Suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before Suspend to disk works properly again.
- OPAL: Resume from S3 not working on Windows 7
When using self-encrypting drives according the OPAL standard under Windows 7, resume from S3 sleep mode will lead to a blue screen. Please disable the S3 mode when using OPAL drives on Windows 7.
- BitLocker C/R startup screen on Microsoft Surface Pro 1 + 2, Samsung ATIV Book 9, others using Firmware from AMI
When booting one of these tablets, the message "Press any key in 3 seconds to start C/R for BitLocker Recovery" will be displayed twice. To initiate challenge/response wait 3 seconds without pressing a key until the first message disappears (it will count down the seconds from 3 to 0). Then the message will appear again (starting counting down from 3 again) and challenge/response can be started by pressing a key.
This can be avoided on Samsung ATIV Book 9 by disabling the boot option "Fast Bios Mode" in the Firmware Setup.
- Shift+Tab in Challenge/Response screen on Microsoft Surface Pro 2, Samsung ATIV Book 9, others using Firmware from AMI
The Shift+Tab keyboard shortcut is not supported in the Challenge/Response screen on these models. This shortcut will behave like Tab and move focus to the next UI control instead of the previous.
- AutoPlay dialog may appear for internal BitLocker data drives
After initial encryption and a reboot an AutoPlay dialog may appear for each internal BitLocker data drive.
- Fast user switching is not supported and must be disabled.
- Direct modifications to the original Sophos product MSI Installer Packages are not supported. If you need to modify specific options please do so by applying a Microsoft Transform Files (MST). A list of supported changes can be found in the Sophos Knowledge Database. Deviating modifications are unsupported and might lead to unspecified behavior of the product.
- SGN 6.0 Clients or older cannot auto-register new users who log in with an alternate user principle name (UPN) suffix. It is recommended to use NetBIOS usernames on SGN 6.0 Clients or older.
- After update from Windows 8 to 8.1 an additional reboot is necessary
When the SafeGuard Client is updated from Windows 8 to 8.1 beside the reboot triggered by this update itself an additional reboot is necessary in some circumstances to get the SafeGuard Windows authentication and Single Sign On working again.
- Internet Explorer Warning when downloading SGPortable
SafeGuard Cloud Storage automatically uploads SGPortable.exe to the Cloud. However, if downloaded with Internet Explorer, its Smart Screen Filter may block the download. Please ignore the warning, that SGPortable.exe is not trusted and accept the download anyway. After download SGPortable.exe reports that MSVCP71.dll is missing. Downloading this DLL from the internet will finally resolve the problem.
- SafeGuard Enterprise is not fully compatible to using Windows accounts with an empty password. If a computer is member of a workgroup (i.e. not in a domain) and the last user tile on the logon screen represents a user with an empty password at all, any password entered in the Safeguard credential provider for this user will successfully log on this user. Moreover, if a wrong password is entered for a different user, this can result in the user with the empty password being logged on instead of the selected user.
- SafeGuard LAN Crypt compatibility with SGN 6.10 Device Encryption (DE), Data Exchange (DX) and Cloud Storage (CS)
SafeGuard LanCrypt 3.90 is compatible with SafeGuard Enterprise 6.10.
Older versions of SafeGuard LAN Crypt (up to version 3.71) are no longer compatible with SGN 6.10 (DE, DX and CS).
- SafeGuard RemovableMedia and SafeGuard Enterprise cannot be run on the same machine
The discontinued SafeGuard RemovableMedia product must be uninstalled before using any SafeGuard Enterprise components on the same machine. (DEF69092)
- SafeGuard Enterprise has not been tested in conjunction with an installed Novell Client for Windows. Restrictions may apply as there is no intercommunication between the logon components of both products.
- Empirum Security Suite Agent
If SGN 6.10 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:
BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS
This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
Please contact Matrix42 support for latest details/updates on this issue.
- Lenovo Rescue and Recovery
For information on compatibility of Rescue and Recovery versions with SafeGuard Enterprise versions see: http://www.sophos.com/en-us/support/knowledgebase/108383.aspx
- AbsoluteSoftware Computrace
SGN Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated 'track-0 based persistent agent' installed.
- Compatibility to imaging tools has not been tested and is therefore not supported by Sophos.
- Disconnecting an USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware.
In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected. (DEF66637)
- When using the Gemalto Classic middleware, the non-cryptographic logon mode does not work in the POA. (DEF67495)
- PIV Smartcard does not work with Omnikey or OZ711 smartcard readers. (DEF63198, DEF66543)
- The SGN Client does not support logon with Microsoft accounts (formally known as Windows Live ID).
- The SGN Client does not support the new Windows 8 logon method PIN and Picture.
- The SGN Client only supports one Kerberos certificate on one token.
- If BitLocker is managed by SGN it is not allowed to manage it in parallel via MBAM (Microsoft BitLocker Administration and Monitoring), the manage-bde command line tool, Group Policies (besides the settings listed in the ReleaseNotes) or the Windows Control Panel.
- Only the Bitlocker Logon modes listed in the authentication policy in the Management Center are supported. Therefore the new Windows 8 password protector is not supported.
- SafeGuard Enterprise currently does not support managing Bitlocker Clients with enabled GPO setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. A recovery of such clients, using the SafeGuard Management Center, is not possible.
- Communication between SGN Client and SGN Server is only possible with IPv4.
- SGN Client does not support dynamic disks. The installation will be aborted if such a disk is found. To avoid damage the user must take care that such a disk is not added to the system at a later point in time. A conversion of a of an encrypted basic disk to dynamic is not supported (SafeGuard volume based encryption and Bitlocker).
- SafeGuard volume-based encryption does not support GPT disks (in contrast to SafeGuard BitLocker). Installation will be aborted if such a disk is found. To avoid damage the customer must take care that such a disk is not added to the system at a later point in time.
- The BitLocker C/R dialog in UEFI cannot be used with touch screens as it has no on-screen keyboard. The dialog has to be used with a physical keyboard.
- When storing the BitLocker startup key on a SafeGuard Data Exchange (DX) encrypted USB stick, then it won't be possible to use it to unlock the boot volume. This is because the unlock is executed before Windows starts and at this phase no DX filter driver for decryption of the key exists.
- The fingerprint reader Validity VFS5011 is not support by the SafeGuard Client for logon. It is used in some newer Lenovo models.
- When the SafeGuard Client is installed, the operating system must not be upgraded (e.g. from Windows 7 to 8).
- When the SafeGuard Client with the BitLocker Challenge/Response feature is installed, Windows 8 must not be updated to 8.1.
- Defining FileShare encryption rules for a domain DFS is not possible.
- BitLocker configuration via GPOs
Only the following BitLocker group policies (GPOs) might be configured if BitLocker is managed by SGN (required settings are applied during the installation of the client):
- Require additional authentication at startup
- Allow BitLocker without a compatible TPM
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Configure minimum PIN length for startup
- Turn on TPM backup to Active Directory Domain Services
All other BitLocker group policies must be left to default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management.
Example: Activating the Group Policy setting "Do not enable Bitlocker until recovery information is stored to AD for operating system drives" leads to a not starting encryption when SafeGuard Bitlocker Challenge/Reponse is installed.
- When enabling the SafeGuard policy "Bitlocker Logon mode" with the setting "TPM + PIN" (default), consider that tablet PCs require an external keyboard to enter the TPM PIN during Pre-Boot phase. The on screen keyboard cannot be used to enter the PIN. This is a BitLocker limitation, we recommend using a TPM only policy for such devices.
- Only numeric PIN allowed in SafeGuard PIN Setter dialog
Due to possible incompatibilities with different keyboards during Pre Boot Phase and in the loaded OS, only numeric PIN is allowed when using Bitlocker logon method "TPM and PIN".
- Virtualization platform support
The SGN Client only supports VMware Workstation and Player as virtualization platform. All other platforms like VMware ESX/ESXi Server, Microsoft Virtual PC or Microsoft Hyper-V are not supported.
- Takeover of BitLocker data drives in standalone mode
When the SGN Client is run in standalone mode, then already encrypted BitLocker data drives are taken over in the moment when the client config package is applied. In order that this can succeed, all data drives must be unlocked before the client config package is applied. Locked data drives are ignored which means that their recovery password won't be written to the key backup file.
- Rotation of the recovery password
The recovery password is changed automatically for managed clients once a recovery is executed. For standalone clients the recovery password remains unchanged after a recovery, but it can be changed manually be uninstalling the client config package and installing it again.
- Hardware support for BitLocker C/R
As BitLocker C/R has special requirements on the UEFI BIOS certain hardware models are currently not supported, even though they have UEFI 2.3.1. On these models BitLocker will run without Challenge/Response.
Currently these models are known to not support BitLocker C/R (a fallback to BitLocker is done automatically):
Toshiba L50-A-100, HP EliteBook 850, LENOVO ThinCentre M92p, Acer Iconia W700 with inactive secure boot (workaround exists)
Since only a minority of the installed base does satisfy this requirement at the time of the release, C/R is not part of the default setup but has to be selected purposely for installation. In order to avoid problems caused by incompatibility or lack of support it is strongly advised to run a test-installation on desired hardware models before deploying this feature in a production system.
- Windows 8 "fast startup" option affects some behavior of SafeGuard Enterprise
If the new "fast startup" option in Windows 8 and higher is turned on as Microsoft recommends, some behavior in SafeGuard Enterprise is affected. For system services like the SafeGuard Authentication service the "fast startup" is technically seen identical with hibernation. So all SafeGuard Enterprise functionality triggered by the boot process is affected and needs a restart instead of shutdown/boot. One example is the registration of new users as SGN user during first Windows logon after machine boot process. In order to have the self-enrollment enabled upon next boot a warm-boot has to be initiated or a complete shutdown/cold-boot has to be forced.
- According to the recommendation of Intel also Sophos recommends, to disable Intel Rapid Start Technology when using software-based encryption.
For more information: www.intel.com/support/go/chipsets/rst.htm
Due to its character as a roaming program, SGPortable may be used in target OS environments whose security state is not known up-front. Consequently, a special flavour of ‘DLL preloading’ (http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx, a.k.a. ‘DLL Hijacking’) may apply: SGPortable (involuntarily) attempts to load certain OS DLLs from its application directory (i.e. the directory where it actually resides) before it attempts to load them from the OS directory where they actually reside (e.g. <Windows>\System32). If an attacker manages to place a malicious DLL in the application directory, its code may get executed when SGPortable starts. Unfortunately, a malicious DLL even gets found and loaded when it is set to hidden! Please note that MSVCP71.dll andMSVCR71.dll are legitimate runtime DLLs that SGPortable loads by default.
In the common case, the program's application directory is the hidden 'SGPortable' (same name!) directory that has been created on the target medium or location by the SGN client. It contains the SGPortable executable itself, the two runtime DLLs, and possibly an SGNKeyTable data file, but no further DLLs. Alternatively, SGPortable (possibly together with its runtime DLLs if they are not already present on the target system) may reside in any arbitrary directory, and get called from there. Especially in that case, DLLs of unknown or dubious origin may already exist in the application directory.
SGPortable provides all available mechanisms to mitigate this vulnerability. Nevertheless, several attack vectors remain open: The vulnerability is unconditionally present in Windows XP (and before). Beginning with Windows Vista and Windows Server 2008, the vulnerability is mitigated when Microsoft Security Patch KB2533623 has been installed on the system. In Windows 8 and Windows Server 2012, there is no such vulnerability.
As a general advice, always install all available Security Patches for the systems under your control. If SGPortable shall run on systems where the vulnerability exists, the user needs to be aware that any DLL (even a hidden one) of unknown or dubious origin in the application directory means a risk. Accordingly, make sure that SGPortable does not get started in such environments.
Antivirus products tested with the SafeGuard Enterprise
SGN has been successfully tested against concurrent installations of antivirus products by Sophos as well as the following:
|Microsoft ||Forefront Endpoint Protection || 2010 |
|Kaspersky ||AntiVirus |
|Symantec ||Norton Internet Security ||18.104.22.168 |
|McAfee ||VirusScan Enterprise |
Back to Sophos SafeGuard Release Notes landing Page