SafeGuard Easy (SGE) 6.0 Release Notes
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Easy 6.0
SafeGuard Easy - Device Encryption / Data Exchange / Cloud Storage
|Platforms supported |32-bit |64-bit |IA-64 (Itanium) |available disk space |memory |
|Windows 7, SP1 Enterprise/Ultimate/Professional/Home Premium |Yes |Yes |not supported |300 MB* |1 GB** |
|Windows Vista SP1, SP2 Enterprise/Ultimate/Business |Yes |Yes |not supported |300 MB* |1 GB** |
|Windows XP Professional SP2, SP3 |Yes | |not supported |300 MB* |1 GB** |

SafeGuard Easy - Policy Editor
|Platforms supported |32-bit |64-bit |IA-64 (Itanium) |available disk space |memory |
|Windows 7, SP1 Enterprise/Ultimate/Professional | |Yes | |1 GB |1 GB** |
|Windows Vista SP1, SP2 Enterprise/Ultimate/Business |Yes | |not supported |1 GB |1 GB** |
|Windows XP Professional SP2, SP3 |Yes | |not supported |1 GB |1 GB** |
|Windows Server 2008 SP1, SP2 |Yes |Yes |not supported |1 GB |1 GB** |
|Windows Server 2008 R2, SP1 |no |Yes |not supported |1 GB |1 GB** |
|Windows Server 2003 SP1, SP2 |Yes |Yes |not supported |1 GB |1 GB** |
|Windows Server 2003 R2 SP1, SP2 |Yes |Yes |not supported |1 GB |1 GB** |
|Windows Small Business Server 2003, 2008, 2011 |not supported |not supported |not supported | | |
* The installation needs at least 300 MB of free hard disk space. For Device Encryption, at least 100 MB of this free space must be one contiguous area. If the machine has less than 5 GB of free hard disk space and the operating system is not a fresh installation, defragment the system before installing to increase the chance that this contiguous area is available. Otherwise the installation may fail with "not enough free contiguous space", which is not a supported condition.
** This amount of memory is recommended for the PC. Not all of it is used by SafeGuard Easy.
Additional software requirements:
- SafeGuard Device Encryption / Data Exchange / Cloud Storage: Internet Explorer 6.0 or higher
- SafeGuard Policy Editor: .NET Framework 4.0
The following features have been changed with regard to their default behavior:
Failed Logon Counter
The separate user and machine failed logon counters have been combined into a single counter. The "max failed logons" policy setting is therefore evaluated only for the machine and no longer for individual users: once the configured number of successive failed logon attempts is exceeded, access to the whole machine is blocked, not only access for the individual user. Previously defined 'per user' counter settings are no longer evaluated.
Ignored Applications
The setting in the 'Device Protection' policy that excludes certain applications from file-based encryption (i.e. DX) has been removed from this policy type. Because this setting also applies to the newly introduced file-based encryption module Cloud Storage, it has been moved into the 'General Settings' policy. The old setting is no longer evaluated by newer clients (SGE 6.0 or later); these applications now have to be specified in a 'General Settings' policy using the 'Ignored Applications' policy setting.
Client Configuration Packages
In SafeGuard Easy versions prior to 6.0 it was possible to install a client configuration package created with an earlier version on a newer client (e.g. installing a package created in 5.50.8 on a 5.60.1 client). As of 6.0 this is no longer possible: the version of the client configuration package must match the client version. Upgraded clients, however, do not need a new client configuration package.
SafeGuard Data Exchange
- Not all options are shown when operating a device as 'Portable Device'
When operating a removable device in 'Portable Device' mode, some of the SafeGuard Data Exchange specific options are not available in Windows Explorer. Overlay icons indicating a file's encryption status and the SG DX menu option on a file's context menu are not displayed. Nevertheless any applicable encryption policy is enforced for files that reside on the removable device, regardless whether it is referenced via the 'Portable Device' tree or the assigned drive letter.
- User elevation for encrypted executables
If an encrypted executable or installation package is started and requires user elevation on Windows Vista or Windows 7, the elevation may not take place and the executable is not started.
- Access to key ring after closing a Remote Session
A user's key ring is no longer accessible after an established remote session has been closed. The client machine must be rebooted to restore full access to the user's key ring; logging off and on again is not sufficient.
SafeGuard Device Encryption
- (DEF69645) Wrong log time for POA Autologon entries in the Event Viewer of the Management Center
As long as there has been no initial logon to Windows, the Power-on Authentication (POA) tags its events with the timestamp available from the BIOS clock. This timestamp is local to the machine and carries no time zone information, which is why these log entries may not appear in the correct chronological order in the Management Center. Once the user has booted into Windows, the POA is updated with the correct time zone settings and subsequent log events appear with the correct Log Time.
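How the missing time zone information distorts the order of log entries, and how the order can be restored when the machine's time zone is known, as an added example that is not part of the release notes or of the Management Center: bare POA timestamps are treated as machine-local time, tagged with an assumed UTC-05:00 offset and converted to UTC before sorting. The log entries are constructed sample data; the event names and the offset are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed time zone of the client machine; its BIOS clock runs in local time.
MACHINE_TZ = timezone(timedelta(hours=-5))

# Constructed sample events (not real Management Center data). Entries logged by the
# POA before the first Windows logon carry a bare BIOS timestamp with no UTC offset;
# entries written after the time zone has been fixed up are time-zone aware.
SAMPLE_EVENTS = [
    ("2012-03-05 08:02:11",       "POA autologon"),              # BIOS clock, local, no offset
    ("2012-03-05 08:02:30",       "POA user logon"),             # BIOS clock, local, no offset
    ("2012-03-05 12:50:00+00:00", "policy assigned on server"),  # server side, UTC
    ("2012-03-05 13:05:40+00:00", "Windows logon"),              # after Windows boot, aware
]


def to_utc(ts: str, machine_tz: timezone) -> datetime:
    """Parse a log timestamp; a bare timestamp is taken as machine-local time.
    Returns an aware datetime in UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=machine_tz)
    return dt.astimezone(timezone.utc)


def order_events(events, machine_tz: timezone):
    """Return (utc_time, event) pairs in true chronological order."""
    return sorted(((to_utc(ts, machine_tz), ev) for ts, ev in events),
                  key=lambda p: p[0])


def naive_order(events):
    """Order by the wall-clock value as written, ignoring any offset: this is what
    happens when raw Log Time values are sorted without time zone normalization."""
    return sorted(((datetime.fromisoformat(ts).replace(tzinfo=None), ev)
                   for ts, ev in events), key=lambda p: p[0])


if __name__ == "__main__":
    print("sorted on raw Log Time (wrong: POA entries jump ahead of the server event):")
    for t, ev in naive_order(SAMPLE_EVENTS):
        print(f"  {t}  {ev}")
    print("normalized to UTC:")
    for t, ev in order_events(SAMPLE_EVENTS, MACHINE_TZ):
        print(f"  {t:%Y-%m-%d %H:%M:%S}Z  {ev}")
```

When building a timeline from such logs, record which entries were re-tagged this way; the assumed offset is only as good as the knowledge of where the machine was when its BIOS clock was set.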
- Partition resizing not supported
Resizing any partition on a machine where SafeGuard Easy Volume Based Encryption is installed is not supported.
- (DEF62926) Local Self Help is silently disabled when a user changes their password on a different machine
When a SafeGuard Easy user is registered on more than one machine with Local Self Help activated, changing their password on one machine disables this feature on all machines other than the one where the change was made. When they log on to one of the other machines, no notification informs them of this change.
Workaround: Reactivate Local Self Help on all affected machines. This requires starting the LSH Activation Wizard and answering all the questions again.
- The SafeGuard Easy installation must be started from within a Windows administrator's logon session. Starting the installation via 'Run as administrator' is not supported.
- Installation of the client configuration package
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.
- BitLocker To Go-encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached to the machine during SafeGuard Easy setup, Windows reports the system as BitLocker-enabled and the Device Encryption client installation fails. Remove any BitLocker To Go-encrypted devices before installing SafeGuard Device Encryption.
- Boot time
Boot time increases by about one minute after installing the SafeGuard Easy Client software.
- It is recommended to reboot a SafeGuard Easy Client PC at least once after activating the Power-on Authentication. SafeGuard Easy performs a backup of its kernel data on every Windows boot. This backup will never happen if the PC is only set to hibernation or stand-by mode.
- (DEF54324) In rare situations, access to exFAT-formatted USB flash drives is not consistently blocked when a volume encryption policy is applied in combination with a "user defined key". In approximately 2 out of 10 safe-removal/reattach cycles of the USB drive, SafeGuard Easy does not enforce the "access denied" policy properly.
- (DEF69429) On some Toshiba OPAL disks, OPAL mode encryption may fail if the first partition is not located at the beginning of the disk
The TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal) requires a so-called Shadow MBR area of at least 128 MB. If this area is not completely accessible for reading and writing, which is the case for Toshiba OPAL disks with firmware version MGT00A, and the start sector of the disk's start partition falls within the sector range of the inaccessible area, SafeGuard Easy cannot activate OPAL encryption for that drive.
This issue has been reported to Toshiba and is expected to be fixed in an upcoming firmware version for these drives.
Workaround: Relocate the start partition to the beginning of the disk.
- (DEF69695) OPAL restrictions
As of version 5.60, the SafeGuard Easy support for OPAL self-encrypting drives has the following limitations:
- OPAL mode encryption can only be activated for one OPAL drive per machine.
- If more than one OPAL drive is present, and an encryption policy is assigned to any of its volumes, these will be software encrypted just as on a non-self-encrypting drive.
This implies that a RAID configuration with more than one OPAL drive will always be software-encrypted.
- If an OPAL drive contains more than one volume, the OPAL encryption activation state applies to all volumes simultaneously.
- The first sector of the start partition of the disk must be located within the first 128 MB.
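The 128 MB requirement above (and the Toshiba firmware issue DEF69645 that depends on it) can be checked before OPAL activation is attempted. The following is an added example and not Sophos code: it parses a classic MBR partition table (GPT disks are not handled), takes the partition with the lowest start LBA as the start partition, and tests whether its first sector lies inside the first 128 MiB, i.e. below LBA 262144 at 512-byte logical sectors or below LBA 32768 at 4096-byte sectors. The two sample MBRs are constructed inline; the default of 512-byte sectors and the use of exactly 128 MiB as the limit are assumptions of the example, not statements of the specification.

```python
import struct

SHADOW_MBR_BYTES = 128 * 1024 * 1024   # Shadow MBR window assumed to be exactly 128 MiB
SECTOR_SIZE = 512                       # assumed logical sector size (override per disk)


def max_start_lba(sector_size: int = SECTOR_SIZE) -> int:
    """First LBA that lies outside the 128 MiB window (exclusive upper bound)."""
    return SHADOW_MBR_BYTES // sector_size      # 262144 for 512-byte sectors


def parse_mbr_partitions(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used primary entry of an MBR."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) start LBA(4) count(4)
        _status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0 and count != 0:
            parts.append((ptype, start_lba, count))
    return parts


def check_opal_start_partition(mbr: bytes, sector_size: int = SECTOR_SIZE):
    """Return (ok, start_lba, start_byte_offset) for the lowest-starting partition,
    where ok is True when its first sector lies within the first 128 MiB."""
    parts = parse_mbr_partitions(mbr)
    if not parts:
        raise ValueError("MBR contains no partitions")
    _ptype, start_lba, _count = min(parts, key=lambda p: p[1])
    start_byte = start_lba * sector_size
    return start_byte < SHADOW_MBR_BYTES, start_lba, start_byte


def build_mbr(entries) -> bytes:
    """Construct a minimal MBR (zeroed boot code) from (type, start_lba, count) tuples.
    Used only to create sample data for this example."""
    table = b""
    for n, (ptype, start, count) in enumerate(entries):
        table += struct.pack("<B3xB3xII", 0x80 if n == 0 else 0x00, ptype, start, count)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xAA"


# Constructed sample layouts (not images of real disks).
# Windows default: NTFS start partition at LBA 2048 (1 MiB), inside the window.
GOOD_MBR = build_mbr([(0x07, 2048, 204800)])
# Start partition beginning at LBA 2097152 (1 GiB): outside the window, OPAL
# activation would fail on the affected Toshiba firmware.
BAD_MBR = build_mbr([(0x07, 2097152, 204800)])

if __name__ == "__main__":
    for name, mbr in (("GOOD_MBR", GOOD_MBR), ("BAD_MBR", BAD_MBR)):
        ok, lba, byte = check_opal_start_partition(mbr)
        verdict = "OK" if ok else f"outside first 128 MiB (limit LBA {max_start_lba()})"
        print(f"{name}: start LBA {lba} ({byte / 2**20:.0f} MiB) -> {verdict}")
```

On a real machine the 512 bytes would come from reading sector 0 of the physical disk, and the logical sector size should be taken from the disk rather than assumed; a disk with a 4096-byte logical sector reaches the 128 MiB boundary eight times sooner in LBA terms.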
- (DEF70019) Do not use Windows Hybrid Sleep setting on OPAL machines
On computers with an SGE-managed OPAL self-encrypting drive, activating the 'Allow hybrid sleep' option in the Advanced Power Options settings may cause errors during the wake-from-sleep (resume) procedure, resulting in the loss of all data that was not saved to disk before the computer was put to sleep.
- (DEF69207) OPAL Self Encrypting Drives become unusable in case of a lost encryption key
According to the TCG Storage OPAL specification for Self Encrypting Drives (http://www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal), there is no way to access an activated drive in case the credentials for unlocking the drive are lost.
This means the disk becomes completely unusable, in contrast to a software-encrypted disk, where the data is lost too but the hardware can be reused after reformatting.
SafeGuard Easy will either automatically store encryption keys in its database as soon as an encryption policy has been applied (for managed clients) or prompt the user to back up the key file (for standalone clients), but in case this data is lost, the described scenario applies.
- (DEF69207) OPAL Self Encrypting Drives need to be permanently unlocked before being reformatted/reimaged
Self Encrypting Drives must be reset to their factory state before they can be reformatted or reimaged. For those scenarios where this cannot be achieved by a "regular" decryption or the uninstallation of SafeGuard Easy, a tool (OPALEmergencyDecrypt.exe) is available to permanently reset a SafeGuard Easy-managed OPAL drive. For security reasons, this tool is only available from Sophos' customer service.
- (DEF66126) Resume from Sleep fails when Windows' MSAHCI driver is installed on a machine with an activated OPAL drive
When a machine is suspended into Sleep mode, the resume fails if Microsoft's MSAHCI hard disk driver is installed. MSAHCI was introduced with Windows Vista, so this issue applies to Windows Vista and Windows 7, but not to Windows XP.
Workarounds:
- If applicable for the hardware configuration, use the appropriate IAStor driver instead. The "Intel RST driver package v10.1.0.1008" has been tested successfully.
- Change the BIOS setting for the hard disk controller (e.g. SATA Mode, ATA Controller Mode, IDE Controller Mode, ...) to Compatibility Mode. On most BIOSes this means selecting a value other than AHCI (e.g. IDE, Compatibility, ...).
- (DEF68440) Security concerns when using Solid State Drives (SSDs)
On current SSDs, it is impossible for any software (including the operating system) to determine the exact physical location where data is stored on the SSD. The controller, an essential component of any SSD, presents the external behavior of a platter drive while doing something completely different internally.
This has several implications for the security of the stored data, the details of which are listed in a Knowledge Base Article (KBA113334). The most important one being as follows:
Only data that has been written to a SSD volume after an encryption policy has been activated is cryptographically secure. This means in turn that any data that is already on the SSD before the initial encryption process of SafeGuard Easy starts cannot be guaranteed to have been completely physically erased from the SSD once the initial encryption has finished.
Please note that this issue is not specific to SafeGuard Easy but applies to any software-based full disk encryption system.
- (DEF65729, DEF66438, DEF58796) Volume-based encryption for removable eSATA drives does not work as expected
Currently, most external eSATA drives do not advertise themselves as removable devices. SafeGuard Easy therefore treats them as internal drives and applies all corresponding policies. We do not recommend using eSATA drives in a SafeGuard Easy full disk encryption environment unless the applied encryption policies explicitly take this situation into account.
- Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, volume-based initial encryption fails and the data on the stick is lost. Sophos generally recommends using file-based encryption (DX module) for removable media.
- Encryption of ‘Virtual Drives'
Virtual drives mounted on the client workstation (e.g. a VHD file mounted into Windows using the MS Virtual Server mounter) are treated as local hard drives, so their contents are encrypted too if an encryption policy for 'other volumes' is defined.
- During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before suspend to disk works properly again.
- (DEF68409) After updating a SafeGuard Easy client, a reboot is required before a new configuration package can be applied
Updating the client to a new version and applying a configuration package in one go is not supported. After an update, a reboot is mandatory before applying a new configuration package. Otherwise, the intended configuration changes will be ignored.
- Fast user switching is not supported and must be disabled.
- Modifications to the original Sophos product MSI installer Packages are not supported.
- Floppy drive
After installation of SafeGuard Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.
- Microsoft Windows XP up to Service Pack 2 shows a problem on some machines, where a resume after standby does not show the locked desktop but directly opens the user desktop. The problem also applies to machines with SafeGuard Easy. This should be fixed with Windows XP SP3.
- Microsoft Windows XP has a technical limitation of its kernel stack. If several file system filter drivers (e.g. antivirus software) are installed, the available stack memory may be insufficient and a BSOD may occur. Sophos cannot be held liable for this Windows limitation and cannot resolve this issue.
- SafeGuard LAN Crypt compatibility with SafeGuard Easy 6.0 Data Exchange (DX) and Cloud Storage (CS):
For SafeGuard LAN Crypt 3.70/3.71 a separate patch is available that re-enables compatibility with the DX and CS modules. If SafeGuard LAN Crypt needs to be installed in combination with SafeGuard Easy 6.0 DX and/or CS, install the separate Compatibility Package after SG LAN Crypt has been installed. The patch is available in the SafeGuard Easy 6.0 download section on mysophos.com.
Older versions of SafeGuard LAN Crypt (up to version 3.60) are no longer compatible with the relevant file-encryption modules of SafeGuard Easy 6.0 (DX and CS). These versions are only compatible with the SafeGuard Device Encryption.
- SafeGuard LAN Crypt needs a repair when uninstalling the Sophos SafeGuard Client on the same machine
Uninstalling SafeGuard Easy 6.0 on a PC that has the SafeGuard LAN Crypt Client (SGLC) installed leads to an internal driver error when the user tries to load their SGLC key ring.
Workaround: Run a repair installation of the SafeGuard LAN Crypt Client package. (DEF69644)
- SafeGuard RemovableMedia and SafeGuard Easy cannot be run on the same machine
The discontinued SafeGuard RemovableMedia product must be uninstalled before using any SafeGuard Easy components on the same machine. (DEF69092)
- SafeGuard Easy has not been tested in conjunction with an installed Novell Client for Windows. Restrictions may apply as there is no intercommunication between the logon components of both products.
Empirum Security Suite Agent
- If SafeGuard Easy 6 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:
BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS
This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
Please contact Matrix42 support for latest details/updates on this issue.
- Lenovo Rescue and Recovery
For information on compatibility of Rescue and Recovery versions with SafeGuard Easy versions see: http://www.sophos.com/support/knowledgebase/article/108383.html
- Compatibility with imaging tools has not been tested and is therefore not supported by Sophos.
- (DEF66421) Resuming from hibernation on a Windows XP client can occasionally lead to a BSOD if an Aladdin eToken 72k (Java) is used for authentication. Therefore, hibernation under Windows XP in combination with Aladdin eToken 72k (Java) is currently not supported as unsaved data could be lost when the BSOD occurs.
- (DEF66637) Disconnecting a USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware
In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected.
- (DEF67495) When using the Gemalto Classic middleware, the non-cryptographic logon mode does not work in the POA
- (DEF67397, DEF67386) TCOS tokens are not supported on Windows Vista
- ActivIdentity Notifications cause Winlogon.exe to crash
On some Windows XP systems Winlogon.exe may crash if Notifications are enabled in ActivClient.
Workaround: Disable ActivClient Notifications in ActivIdentity's 'Advanced Configuration Manager' under 'Notifications Management'.
Antivirus products tested with SafeGuard Device Encryption
SGE volume-based encryption has been successfully tested against concurrent installations of Sophos Anti-Virus products and the following third-party products:
|Vendor |Product |Version |
|F-Secure |Client Security |9.10 B249 |
|Kaspersky |Business Space Security - AntiVirus | |
|Symantec |Endpoint Protection |12.1 |
|Trend Micro |Enterprise Security for Endpoints - Office Scan | |
|McAfee |VirusScan Enterprise + AntiSpyware Enterprise |8.8 |