SafeGuard Enterprise: How to improve the performance on a client when using Data Exchange / File Encryption

  • Article ID: 108998
  • Updated: 20 Jan 2016

How to improve the performance of a computer running SafeGuard Data Exchange/File Encryption.

Known to apply to the following Sophos product(s) and version(s)
SafeGuard File Encryption
SafeGuard Data Exchange
SafeGuard Cloud Storage

Operating systems
All supported operating systems

What To Do

The following should help improve performance:

1. The default 'Ignore Rules' should include all drives which you do not intend to be "file-based" encrypted. By default, the system and the bootvolume are automatically excluded. Additional drives can be added by modifying the following registry key:


2. Define applications which interfere with the SafeGuard File Encryption as "unhandled applications".

Applications that are registered as "unhandled" are ignored by the SafeGuard Enterprise file-filter driver and file access, and are thereby excluded from transparent encryption/decryption.

The 2 main sets of circumstances in which you would do this are where you have:

  • Applications that cannot read unencrypted data (e.g. a backup program that is installed on the client would in this case back up the files encrypted).
  • Applications which might trigger malfunctions when used alongside SafeGuard File Encryption, but do not require encryption, can generally be exempted from encryption (e.g. AV scanners).

The full name of the executable file (optionally including path information) must be used to specify an exempted application.

As of version 6.00, this is defined in the 'General Settings' policy

3. Define System Ignore Rules for folders which are used for example to compile data (e.g. MS Visual Studio) or that contain databases.

System Ignore Rules apply to "transparent encryption" and also "initial encryption". That means that no file in a System Ignore Rule can be "initial encrypted" even if an "encryption rule" exists for this file. If there exists an encrypted file in a "System Ignore Rules" directory (maybe the System Ignore Rule was added later) the user just gets the encrypted data of the file.

If an administrator wants to add files or directories to the System Ignore Rules he has to add the following registry key:






Wildcards for filenames can be used, multiple values must be separated by a semicolon if REG_SZ is used:



Value Name Type Value IgnorePaths REG_MULTI_SZ c:\Program Files*.*



This example adds the two directories c:\Program Files and c:\Users\Public\Desktop as well as the file c:\Users\administrator\desktop.ini to the System Ignore Rules.

Note: The System Ignore Rules which are added by the Registry are always valid also for subdirectories!

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent