When both SafeGuard Enterprise Data Exchange (SGN DX) and SafeGuard Enterprise Configuration Protection (SGN CP) are active on a machine then all files that are encrypted with SGN DX are recognized as "Other file type" by SGN CP. When a file based encryption policy is defined for a set of files, the type of these files can no longer be determined by the 'file type control' feature of SGN CP.
This means, if a file-type policy is set, the type of the files is no longer determined correctly by 'file type control' and therefore applicable policies cannot be applied or enforced.
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Enterprise Configuration Protection <= 126.96.36.199
SafeGuard Enterprise Data Exchange <= 188.8.131.52
All supported versions.
Both components - encryption as well as file type control - rely on file system filter drivers to hook into the system and be able to intercept all file traffic.
The cause of this problem lies in the order in which the particular drivers are loaded by the system. The encryption driver and the file type control driver register themselves into different driver groups. The file type control driver is by definition 'lower level' than the encryption driver group and is therefore closer to the file system. This leads to the situation that whenever encrypted files are accessed, they are passed through the 'file type control filter' in encrypted format which renders the file-type detection mechanism useless.
- If a file is written, it will be encrypted by the encryption driver before it is passed on to the file-type filter
- If an encrypted file is read, it passes the file-type control filter encrypted and is decrypted afterwards by the encryption filter.
What To Do
As of SafeGuard Enterprise 184.108.40.206, the interoperability of the Data Exchange and the Configuration Protection modules file filterdriver subsystem has been enhanced and therefore the above mentioned issue does not exist anymore.
If you have not already done so, upgrade to SafeGuard Enterprise version 5.50.x.
If you're unable to upgrade to SafeGuard Enterprise 5.50.x and need to stay on version 220.127.116.11 please get in contact with Sophos support.