Persistent encryption feature in SafeGuard Data Exchange, File Share and Cloud Storage modules as of version 6.0
Known to apply to the following Sophos product(s) and version(s)
SafeGuard File Share 6.0
SafeGuard Cloud Storage 6.0
SafeGuard Data Exchange 6.0
What To Do
SafeGuard Enterprise 6.0 introduces a feature called Persistent Encryption to file based encryption used by the Data Exchange, File Share and Cloud Storage modules. When copying encrypted files to locations not covered by a file based encryption rule, the copied files will be automatically stored encrypted like the copied source file.
Applications create files internally themselves which could cause unexpected behaviour in some situations, resulting in encrypted files where they should be plain. In such cases, the registry key below can be used to exclude applications from Persistent Encryption as a whole:
Set NoPersistentApplication to a semicolon separated list of fully qualified paths for applications to be excluded from persistent encryption and reboot the operating system to activate the new setting.
Placeholders %SYSTEM% at the beginning of a name are replaced by the paths to the 32-bit and 64-bit system folders (system32 and syswow64).
The default setting after installation is %SYSTEM%\MSPAINT.EXE. MSPAINT is excluded from persistent encryption since it creates temporary files in the user profile directory when saving files to a different position. When encrypting the user profile as a whole, this leads a situation where all files saved by MSPAINT would be encrypted.