SafeGuard Data Exchange Client
- Not all options are shown when operating a device as 'Portable Device'
When operating a removable media in 'Portable Device' mode, some of the options of SafeGuard Data Exchange are not available in Windows Explorer. Overlay icons indicating a file's encryption status are missing as well as the menu option introduced by SafeGuard Data Exchange in a file's context menu. Nevertheless any applicable encryption policy is enforced for files that reside on the removable device, regardless whether it is referenced via the 'Portable Device' tree or the assigned drive letter.
- User elevation for encrypted executables
If an encrypted executable or installation package is started and requires a user elevation, it may happen that the elevation doesn't take place and the executable is not started.
- Access to key ring after closing a remote session
A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access to the key ring.
SafeGuard Device Encryption Client
- Partition resizing not supported
Resizing any partition on a machine where SafeGuard Easy Volume Based Encryption is installed is not supported.
- The SGE installation process requires to be started in the context of a Windows administrator’s logon session. Starting the installation via 'Run as administrator' is not supported.
- Installation of the client configuration package
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.
- BitLocker To Go-encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached to a machine during the setup of SGE, the installation will fail because Windows reports the system as being BitLocker-enabled, which causes the DE client installation to fail. The solution is to remove any BitLocker to Go-encrypted devices before installing SGE Device Encryption.
- Boot time
Boot time increases by about one minute after installing the SGE Client software (incl. POA).
- It is recommended to reboot a SGE Client PC at least once after activating the SGE Power-on Authentication. SGE performs a backup of its kernel data on every Windows boot. This backup will never happen if the PC is only set to hibernation or stand-by mode.
- In rare situations it can happen that access to exFAT formatted USB flash drives is not consistently blocked when applying a volume-based encryption policy in combination with a "user defined key". In approx. 2 out of 10 USB save removal/reattach sessions, SGE does not enforce the "access denied" policy properly. (DEF54324)
- On some Toshiba OPAL disks, OPAL mode encryption may fail if the first partition is not located at the beginning of the disk
The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB size. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls in the range of sector numbers of the unaccessible area, SafeGuard Easy will not be able to activate the OPAL encryption for such a drive.
This issue has been reported to Toshiba and is expected to be fixed in an upcoming firmware version for these drives.
Workaround: Relocate the start partition to the beginning of the disk. (DEF69429)
- OPAL restrictions
As of version 5.60, the SafeGuard Easy support for OPAL self-encrypting drives has the following limitations:
- OPAL mode encryption can only be activated for one OPAL drive per machine.
- If more than one OPAL drive is present and an encryption policy is assigned to any of its volumes, these will be software encrypted just as on a non-self-encrypting drive. This implies that a RAID configuration with more than one OPAL drive will always be software-encrypted.
- If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously.
- The first sector of the start partition of the disk must be located within the first 128 MB. (DEF69695)
- Do not use Windows Hybrid Sleep setting on OPAL machines
On computers with an SGE-managed OPAL self-encrypting drive, activating the Allow hybrid sleep option in the Advanced Power Options settings may lead to errors during the wake-from-sleep (resume) procedure. This implies the loss of all data that has not been saved to disk before the computer was put to sleep. (DEF70019)
- OPAL Self Encrypting Drives become unusable in case of a lost encryption key
According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost.
This means the disk becomes completely unusable, a fact that stands in contrast to a disk that has been encrypted via software, where the data is lost, too, but the hardware can be reused after reformatting.
SafeGuard Easy will prompt the user to back up the key file, but in case this data is lost, the described scenario applies. (DEF6920)
- OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged
Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the uninstallation of SafeGuard Easy, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset a SGE-managed OPAL drive. For security reasons, this tool is only available from Sophos' customer service. (DEF6920)
- Resume from Sleep fails when Windows' MSAHCI driver is installed on a machine with an activated OPAL drive
When a machine is being suspended into Sleep mode, the resume will fail if Microsoft's MSAHCI harddisk driver is installed. MSAHCI has been introduced with Windows Vista and also apply to Windows 7.
- If applicable for the hardware configuration, use the appropriate IAStore driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully.
- Change the BIOS setting for the harddisk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...) (DEF66126)
- Security concerns when using Solid State Drives (SSD's)
On current SSD's, it is impossible for any software (including the operating system) to determine the exact physical location of where any data is being stored on the SSD. A controller, which is an essential component of any SSD, simulates the external behavior of a platter drive while doing something completely different internally.
This has several implications for the security of the stored data, the details of which are listed in a Knowledge Base Article (KBA113334). The most important one being as follows:
Only data that has been written to a SSD volume after an encryption policy has been activated is cryptographically secure. This means in turn that any data that is already on the SSD before the initial encryption process of SafeGuard Easy starts cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished.
Please note that this issue is not specific to SafeGuard Easy but applies to any software-based full disk encryption system. (DEF68440)
- Volume-based encryption for removable eSATA drives does not work as expected
Currently, most external eSATA drives fail to advertise themselves as a removable device. This leads to those drives being treated by SafeGuard Easy as an internal drive and all corresponding policies will apply. We do not recommend to use eSATA drives in a SafeGuard Easy full disk encryption environment unless the applied encryption policies explicitly take this situation into account.
(DEF65729, DEF66438, DEF5879)
- Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends to use file-based encryption (DX module) for removable media.
- Encryption of 'Virtual Drives'
Virtual drives that are mounted on the client workstation (e.g. VHD file into Windows using MS Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.
- During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) Suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before Suspend to disk works properly again.
- OPAL: Resume from S3 not working on Windows 7
When using self-encrypting drives according the OPAL standard under Windows 7, resume from S3 sleep mode will lead to a blue screen. Please disable the S3 mode when using OPAL drives on Windows 7.
- BitLocker C/R startup screen on Microsoft Surface Pro 1 + 2, Samsung ATIV Book 9, others using Firmware from AMI
When booting one of these tablets, the message "Press any key in 3 seconds to start C/R for BitLocker Recovery" will be displayed twice. To initiate challenge/response wait 3 seconds without pressing a key until the first message disappears (it will count down the seconds from 3 to 0). Then the message will appear again (starting counting down from 3 again) and challenge/response can be started by pressing a key.
This can be avoided on Samsung ATIV Book 9 by disabling the boot option "Fast Bios Mode" in the Firmware Setup.
- Shift+Tab in Challenge/Response screen on Microsoft Surface Pro 2, Samsung ATIV Book 9, others using Firmware from AMI
The Shift+Tab keyboard shortcut is not supported in the Challenge/Response screen on these models. This shortcut will behave like Tab and move focus to the next UI control instead of the previous.
- AutoPlay dialog may appear for internal BitLocker data drives
After initial encryption and a reboot an AutoPlay dialog may appear for each internal BitLocker data drive.
- Fast user switching is not supported and must be disabled.
- Direct modifications to the original Sophos product MSI Installer Packages are not supported. If you need to modify specific options please do so by applying a Microsoft Transform Files (MST). A list of supported changes can be found in the Sophos Knowledge Database. Deviating modifications are unsupported and might lead to unspecified behavior of the product.
- After update from Windows 8 to 8.1 an additional reboot is necessary
When the SafeGuard Client is updated from Windows 8 to 8.1 beside the reboot triggered by this update itself an additional reboot is necessary in some circumstances to get the SafeGuard Windows authentication and Single Sign On working again.
- Internet Explorer Warning when downloading SGPortable
SafeGuard Cloud Storage automatically uploads SGPortable.exe to the Cloud. However, if downloaded with Internet Explorer, its Smart Screen Filter may block the download. Please ignore the warning, that SGPortable.exe is not trusted and accept the download anyway. After download SGPortable.exe reports that MSVCP71.dll is missing. Downloading this DLL from the internet will finally resolve the problem.
- SafeGuard LAN Crypt compatibility with SGE 6.10 Device Encryption (DE), Data Exchange (DX) and Cloud Storage (CS)
SafeGuard LanCrypt 3.90 is compatible with SafeGuard Easy 6.10.
Older versions of SafeGuard LAN Crypt (up to version 3.71) are no longer compatible with SGE 6.10 (DE, DX and CS).
- SafeGuard RemovableMedia and SafeGuard Easy cannot be run on the same machine
The discontinued SafeGuard RemovableMedia product must be uninstalled before using any SafeGuard Easy components on the same machine. (DEF69092)
- SafeGuard Easy has not been tested in conjunction with an installed Novell Client for Windows. Restrictions may apply as there is no intercommunication between the logon components of both products.
- Empirum Security Suite Agent
If SGE 6.1 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:
BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS
This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
Please contact Matrix42 support for latest details/updates on this issue.
- Lenovo Rescue and Recovery
For information on compatibility of Rescue and Recovery versions with SafeGuard Easy versions see: http://www.sophos.com/en-us/support/knowledgebase/108383.aspx
- AbsoluteSoftware Computrace
SGE Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated 'track-0 based persistent agent' installed.
- Compatibility to imaging tools has not been tested and is therefore not supported by Sophos.
- Disconnecting an USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware.
In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected. (DEF66637)
- When using the Gemalto Classic middleware, the non-cryptographic logon mode does not work in the POA. (DEF67495)
- PIV Smartcard does not work with Omnikey or OZ711 smartcard readers. (DEF63198, DEF66543)
- The SGE Client does not support logon with Microsoft accounts (formally known as Windows Live ID).
- The SGE Client does not support the new Windows 8 logon method PIN and Picture.
- The SGE Client only supports one Kerberos certificate on one token.
- If BitLocker is managed by SGE it is not allowed to manage it in parallel via MBAM (Microsoft BitLocker Administration and Monitoring), the manage-bde command line tool,Group Policies (besides the settings listed in the ReleaseNotes) or the Windows Control Panel.
- Only the Bitlocker Logon modes listed in the authentication policy in the Policy Editor are supported. Therefore the new Windows 8 password protector is not supported.
- SafeGuard Easy currently does not support managing Bitlocker Clients with enabled GPO setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. A recovery of such clients, using the SafeGuard Policy Editor, is not possible.
- Communication between SGE Client and SGE Server is only possible with IPv4.
- The SGE Client does not support dynamic disks. Installation will be aborted if such a disk is found. To avoid damage the user must take care that such a disk is not added to the system at a later point in time.
- SafeGuard volume-based encryption does not support GPT disks (in contrast to SafeGuard BitLocker). Installation will be aborted if such a disk is found. To avoid damage the customer must take care that such a disk is not added to the system at a later point in time. A conversion of a of an encrypted basic disk to dynamic is not supported (SafeGuard volume based encryption and Bitlocker).
- The BitLocker C/R dialog in UEFI cannot be used with touch screens as it has no on-screen keyboard. The dialog has to be used with a physical keyboard.
- When storing the BitLocker startup key on a SafeGuard Data Exchange (DX) encrypted USB stick, then it won't be possible to use it to unlock the boot volume. This is because the unlock is executed before Windows starts and at this phase no DX filter driver for decryption of the key exists.
- The fingerprint reader Validity VFS5011 is not support by the SafeGuard Client for logon. It is used in some newer Lenovo models.
- When the SafeGuard Client is installed, the operating system must not be upgraded (e.g. from Windows 7 to 8).
- When the SafeGuard Client with the BitLocker Challenge/Response feature is installed, Windows 8 must not be updated to 8.1.
- BitLocker configuration via GPOs
Only the following BitLocker group policies (GPOs) might be configured if BitLocker is managed by SGE (required settings are applied during the installation of the client):
- Require additional authentication at startup
- Allow BitLocker without a compatible TPM
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Configure minimum PIN length for startup
- Turn on TPM backup to Active Directory Domain Services
All other BitLocker group policies must be left to default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management.
Example: Activating the Group Policy setting "Do not enable Bitlocker until recovery information is stored to AD for operating system drives" leads to a not starting encryption when SafeGuard Bitlocker Challenge/Reponse is installed.
- When enabling the SafeGuard policy "Bitlocker Logon mode" with the setting "TPM + PIN" (default), consider that tablet PCs require an external keyboard to enter the TPM PIN during Pre-Boot phase. The on screen keyboard cannot be used to enter the PIN. This is a BitLocker limitation, we recommend using a TPM only policy for such devices.
- Only numeric PIN allowed in SafeGuard PIN Setter dialog
Due to possible incompatibilities with different keyboards during Pre Boot Phase and in the loaded OS, only numeric PIN is allowed when using Bitlocker logon method "TPM and PIN".
- Virtualization platform support
The SGE Client only supports VMware Workstation and Player as virtualization platform. All other platforms like VMware ESX/ESXi Server, Microsoft Virtual PC or Microsoft Hyper-V are not supported.
- Takeover of BitLocker data drives
Already encrypted BitLocker data drives are taken over in the moment when the client config package is applied. In order that this can succeed, all data drives must be unlocked before the client config package is applied. Locked data drives are ignored which means that their recovery password won't be written to the key backup file.
- Rotation of the recovery password
For SGE clients the recovery password remains unchanged after a recovery, but it can be changed manually be uninstalling the client config package and installing it again.
- Hardware support for BitLocker C/R
As BitLocker C/R has special requirements on the UEFI BIOS certain hardware models are currently not supported, even though they have UEFI 2.3.1. On these models BitLocker will run without Challenge/Response.
Currently these models are known to not support BitLocker C/R:
Toshiba L50-A-100, HP EliteBook 850, LENOVO ThinCentre M92p, Acer Iconia W700 with inactive secure boot (workaround exists)
Since only a minority of the installed base does satisfy this requirement at the time of the release, C/R is not part of the default setup but has to be selected purposely for installation. In order to avoid problems caused by incompatibility or lack of support it is strongly advised to run a test-installation on desired hardware models before deploying this feature in a production system.
- Windows 8 "fast startup" option affects some behavior of SafeGuard Easy
If the new "fast startup" option in Windows 8 and higher is turned on as Microsoft recommends, some behavior in SafeGuard Easy is affected. For system services like the SafeGuard Authentication service the "fast startup" is technically seen identical with hibernation. So all SafeGuard Easy functionality triggered by the boot process is affected and needs a restart instead of shutdown/boot. One example is the registration of new users as SGE user during first Windows logon after machine boot process.
- Machine Ownership and Windows 8
The SGE client supports self-enrollment of new users. This process is usually initiated by an existing user that already has ownership for that machine and involves a boot or re-boot. Windows 8 introduced the hybrid shutdown/fast boot feature to improve boot-time. Instead of going through a complete boot-up sequence the system only has to boot a small portion following and then wake-up the previously hibernated kernel. The SGN client does not consider this boot-up scenario to qualify for initiating the user self-enrollment process. In order to have the self-enrollment enabled upon next boot a warm-boot has to be initiated or a complete shutdown/cold-boot has to be forced.
- According to the recommendation of Intel also Sophos recommends, to disable Intel Rapid Start Technology when using software-based encryption.
For more information: www.intel.com/support/go/chipsets/rst.htm
Due to its character as a roaming program, SGPortable may be used in target OS environments whose security state is not known up-front. Consequently, a special flavour of ‘DLL preloading’ (http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx, a.k.a. ‘DLL Hijacking’) may apply: SGPortable (involuntarily) attempts to load certain OS DLLs from its application directory (i.e. the directory where it actually resides) before it attempts to load them from the OS directory where they actually reside (e.g. <Windows>\System32). If an attacker manages to place a malicious DLL in the application directory, its code may get executed when SGPortable starts. Unfortunately, a malicious DLL even gets found and loaded when it is set to hidden! Please note that MSVCP71.dll andMSVCR71.dll are legitimate runtime DLLs that SGPortable loads by default.
In the common case, the program's application directory is the hidden 'SGPortable' (same name!) directory that has been created on the target medium or location by the SGE client. It contains the SGPortable executable itself, the two runtime DLLs, and possibly an SGNKeyTable data file, but no further DLLs. Alternatively, SGPortable (possibly together with its runtime DLLs if they are not already present on the target system) may reside in any arbitrary directory, and get called from there. Especially in that case, DLLs of unknown or dubious origin may already exist in the application directory.
SGPortable provides all available mechanisms to mitigate this vulnerability. Nevertheless, several attack vectors remain open: The vulnerability is unconditionally present in Windows XP (and before). Beginning with Windows Vista and Windows Server 2008, the vulnerability is mitigated when Microsoft Security Patch KB2533623 has been installed on the system. In Windows 8 and Windows Server 2012, there is no such vulnerability.
As a general advice, always install all available Security Patches for the systems under your control. If SGPortable shall run on systems where the vulnerability exists, the user needs to be aware that any DLL (even a hidden one) of unknown or dubious origin in the application directory means a risk. Accordingly, make sure that SGPortable does not get started in such environments.
Antivirus products tested with SafeGuard Easy
SGE has been successfully tested against concurrent installations of antivirus products by Sophos as well as the following:
|Microsoft ||Forefront Endpoint Protection || 2010 |
|Kaspersky ||AntiVirus |
|Symantec ||Norton Internet Security ||126.96.36.199 |
|McAfee ||VirusScan Enterprise |
Back to Sophos SafeGuard Release Notes landing Page