SafeGuard Enterprise Device Encryption without central Management Server – the so-called “standalone mode” now becomes “SafeGuard Easy 5.50” and is meant to be the successor of the SafeGuard Easy 4.x series for those customers who prefer the standalone mode in contrast to the server managed variant. Technically SafeGuard Easy 5.50 is simply the new product name for SafeGuard Enterprise 5.50 standalone mode. It provides Windows Vista, Windows 7 and 64-bit support along with all other SafeGuard Enterprise benefits. Smartcard / crypto token logon however requires the managed variant of SafeGuard Enterprise Device Encryption. Migration from SafeGuard Easy 4.x is supported under the same conditions as with previous SafeGuard Enterprise releases except for the dropped Windows 2000 support.

1.1 What’s included in the SGE 5.50.8 Release

1.1.1 Fast Initial Encryption

A new, optimized handling of initial encryption using full-disk encryption is now available which typically leads to a significantly reduced duration of the initial encryption process. By limiting the initial encryption to hard disk space that is actually 'used' and not all the available physical disk space, the performance gain can be dramatic, of course depending on the percentage of used disk space. This new operation mode can be controlled along with the other encryption policy settings and is deactivated by default.

1.1.2 Improved Encryption Performance

A new, improved and optimized implementation of the AES256 encryption algorithm provides better run-time performance when accessing encrypted data. Since the very same encryption module is used for full-disk as well as file-based encryption both modules (DE and DX) benefit from the improvements and yield better performance figures.

1.2 What’s included in the SGE 5.50.1 Release

1.2.1 64-Bit Platform Support for SafeGuard Data Exchange

SafeGuard Easy 5.50.1 Data Exchange fully supports the 32-bit and 64-bit versions of Microsoft Windows Vista and Microsoft Windows 7 as well as 32-bit Windows XP.

1.3 What’s included in the SGE 5.50 Release

1.3.1 Extended Windows Platform Support: 64 bit and Windows 7

SafeGuard Easy 5.50 Device Encryption fully supports the 32-bit and 64-bit versions of Microsoft Windows Vista and Microsoft Windows 7 as well as 32-bit Windows XP. The SafeGuard Policy Editor also supports the 32-bit and 64-bit versions of Windows Server 2003 and Windows Server 2008/R2.

1.3.2 Service Accounts

SafeGuard Easy 5.50 introduces the capability to assign users to Service Account Lists. When applied to a newly set up client machine where the POA is not yet activated, users on this list will not be added to the POA’s user list and hence not take ownership of the machine or turn on the POA after having logged on to Windows. This enables them to service and configure the machine but leaving the SafeGuard Easy configuration apparently untouched before handing it over to its intended owner, something that is often required in roll-out scenarios.

1.3.3 “POA only” User Accounts

Special accounts (easily recognizable by belonging to a special virtual “<POA>” domain) have been introduced with SGE 5.50 to provide, e.g., administrators with the ability to boot a POA-protected machine without having to know any of the machine’s regular users’ credentials or having to be registered as a regular user themselves on each machine. They are always entitled to boot the machine from external media and when logging onto Windows, this will not trigger any of the default logon actions of the SafeGuard Easy client. For example, the user will not be registered with SGE irrespective of the credentials that were used for the Windows logon.

1.3.4 Improved Hardware/Operating System Compatibility

Compatibility of SafeGuard Easy has been further improved in many ways, e.g.,

Fault tolerance for USB devices that fall short in adhering to USB specifications
Improved performance of the initial encryption process when running on Windows Vista or Windows 7
Extended hardware compatibility list in installer. See knowledge base article here for latest updates http://www.sophos.com/support/knowledgebase/article/65700.html

1.3.5 Windows PE recovery CD (Virtual Client)

The advanced recovery functions for SafeGuard Enterprise encrypted hard drives, e.g., booting a Windows PE recovery environment in case of a broken, mis-configured operating system are now also available for SafeGuard Easy 5.50 clients.

1.3.6 Simplified Installation and Key Backup

A new installation wizard simplifies the first time setup of the management components including default policies. To invoke this wizard for new SGE installations, start “SGNInstallAdvisor.bat” from the root directory of the product DVD. SafeGuard Easy recovery files can now be easily and automatically collected on a central network share if so desired by the administrator. Also options to easily backup and restore the company certificate of new installations have been added.

1.3.7 Various Improvements

Various other improvements in usability, storage use, performance, key management and handling have been made in SafeGuard Easy. These include:

· Initial encryption speed in Windows 7 has been significantly improved over SGN 5.40 for Windows 7 and is now comparable or better than under Windows XP.

Improved UI design and user experience, e.g., a more accurate and comprehensive display of the user state in the client’s tray icon.
Better support for recovering from accidental/unwanted administrative actions by preventing internal SGE keys from being permanently deleted.
SGNState now also reports the version of the SafeGuard client.
A new tool can now roll back the exceptional case of a failed installation that leads to a hang in the POA.
A compatibility fix for the file filter driver layering in SafeGuard Data Exchange (DX) has been added. This allows the concurrent use of file- type based export rules and encrypted files.
The validity period for a challenge/response session has been extended to 30 minutes. The password retry delay now grows by the power of 2 (it was 3). These measures ease the impact of a forgotten password on the user while still maintaining a high security level.
Company certificates of previous installations can now be imported during setup for recovery purposes.
Various performance, security and compatibility improvements throughout the product including all hotfixes issued since SGN 5.40.
Complete Sophos rebranding.

2 Installation

Administrator rights are necessary to install the software. To find out the correct procedure for installing the software, please consult the relevant chapter in the startup guide.

If an existing installation of SGE is modified or selected modules are installed at a later time, the installation program might complain that the certain components (e.g. Safe Guard Removable Media Manager) are currently in use. This message is caused by the fact that these modules share common components that are currently in use and therefore can’t be updated immediately. This message can be ignored since the affected components will be updated upon reboot anyway.

Note: This is also the default behavior when using the unattended installation mode.

Although it is possible to install only a subset of product features initially and add other features later on, it is advised to have the Device Encryption feature installed from the start.

If you are upgrading from SafeGuard Easy 4.x please be sure to read the corresponding section of the administrator help and Knowledge base articles.

3 General Information

3.1 SafeGuard Policy Editor

Hardware:

Intel or AMD X86 CPU

512 MB RAM

1 GB free hard disk space (recommended)

Software:

Microsoft Windows Operating Systems in English, French, German or Japanese

· XP SP2 SP3 32 bit

· Vista SP1 SP2 32 bit 64 bit

· 7 32 bit 64 bit

· 2003 Server SP1 SP2 32 bit 64 bit

· 2003 Server R2 SP1 SP2 32 bit 64 bit

· 2008 Server SP1 SP2 32 bit 64 bit

· 2008 Server R2 64 bit

Microsoft ASP.net

· .NET Framework 3.0 SP1

The Windows user must have R/W access to the database using one of the following authentication methods:

· Windows NT authentication

· SQL database authentication

Tested X.509 certificates

Microsoft PKI (length 384 to 4096 bit – but at least 2048 bit is recommended for security reasons)
MS Base Cryptographic Provider 1.0
MS Strong Cryptographic Provider
OpenSSL

3.2 SafeGuard Easy Device Encryption / Data Exchange Client

Hardware:

Intel or AMD X86 CPU
512 MB RAM (minimum), 1 GB recommended for Windows Vista / 7
The installation needs at least 300 MB free of hard disk space. For Device Encryption, at least 100MB of this free space must be one contiguous area. Please defragment your system before installation if you have below 5 GB free hard disk space and your operating system is not freshly installed to increase the chance that this contiguous area is available. Otherwise, installation may fail due to "not enough free contiguous space” and cannot be supported.

Microsoft Windows Operating Systems:

XP SP2 SP3 32 bit

Vista SP1 SP2 32 bit 64 bit Enterprise/Ultimate/Business/Home Premium
7 32 bit 64 bit Enterprise/Ultimate/Professional/Home Premium

Software:

Internet Explorer Version 6.0 or higher

3.3 SGN Update Matrix

The following table shows which previous versions of SGN can be updated with SGN 5.50.8

SGN Update Matrix

Update from

Update To

SGN 5.20

SGN

5.20.1

SGN 5.20.2

SGN 5.20.3

SGN 5.20.4

SGN 5.20.5

SGN 5.21

SGN 5.21.1

SGN 5.30 RC1

SGN 5.30

SGN 5.30.1

SGN 5.30.2

SGN 5.30.3

SGN

5.35

SGN

5.35.x

SGN 5.40.x

SGN 5.50

SGN 5.50.8

SGN 5.50.1

SGN 5.50 GA

SGN 5.40.x

SGN 5.35.x

SGN 5.35 GA

SGN 5.30.3

¢¹

SGN 5.30.2

SGN 5.30.1

SGN 5.30 GA

SGN 5.30 RC 1

SGN 5.21.1 (Patch)

SGN 5.21

SGN 5.20.5 (Patch)

SGN 5.20.4 (Patch)

SGN 5.20.3 (Patch)

SGN 5.20.2 (Patch)

SGN 5.20.1 (Lenovo)

SGN 5.20

Legend:

l Update supported

¢¹Update supported only for SGN Server and SGN Management Console

3.4 SGE Migration Matrix

The following table shows which versions of SafeGuard Easy can be migrated to SGE 5.50.8

SGE Migration Matrix
	IDEA	DES	3DES	AES 128	AES 256	Blowfish	Stealth	XOR
SGE 4.50	l		l	l	l
SGE 4.40	l		l	l	l
SGE 4.30	l		l	l	l
SGE 4.20
SGE 4.1x
SGE 3.x

3.5 SGE Windows Operating System Support

The following table lists all supported operating system platforms along with the SGE modules available on that platform.

	SGE – Microsoft Windows Platform Support
						SGE 5.50.x
						DE	DE BitLocker	DX	PE
XP Professional Edition				SP2 SP3	32 Bit	l		l	.NET 3.0¹
Vista Home Premium Business Enterprise Ultimate				SP1 SP2	32 Bit	l	- - l l	l	.NET 3.0¹
Vista Home Premium Business Enterprise Ultimate				SP1 SP2	64 Bit	l	- - l l	l	.NET 3.0¹
7 Home Premium Professional Enterprise Ultimate					32 Bit	l	- - l l	l	NET 3.0¹
7 Home Premium Professional Enterprise Ultimate					64 Bit	l	- - l l	l	NET 3.0¹
Server 2003 / R2		.NET 3.0	IIS 6	SP1 SP2	32 Bit 64 Bit				l l
Server 2008 Server 2008 R2		.NET 3.0	IIS 7.0 IIS 7.5	SP1	64 Bit 64 Bit				l l

¹ .Net 3.0 SP1 required

Note 1: SafeGuard Easy can be installed and does support systems that are equipped with Solid State Disks (SSDs).

Note 2: SafeGuard Easy can be installed and operated in virtualization environments as well. Please be aware that there’s might be interoperability issues regarding encryption on devices that are attached via the USB bus. Depending on the virtualization environment and the attached device this issue might cause a system fault.

4 Resolved Issues (SGE Release 5.50.x compared to SGN Release 5.40)

4.1 SafeGuard Policy Editor

When appending information text files, no new line was inserted, thus leading to unwanted concatenations.

4.2 SafeGuard Easy Client

Device Encryption

- In some scenarios, the autologon of the POA was broken

- The installer lacked a POACFG property

- There were incorrect log entries indicating that a drive is decrypting when in fact it was encrypting

- Installing (or re-imaging) a machine with a previously used hostname may leave this machine inaccessible and unrecoverable if the “old” machine object has not been deleted in the SGN Management Center beforehand.

SafeGuard Portable

- No plain text folder was created when burning CDs using Windows’ integrated wizard

- The SGPortable shortcut was displayed but did not work

Data Exchange

- Menu items disappeared in Corel Draw X4 after the installation of the Data Exchange client. Similar issues with Adobe fireworks and Candela have also been solved.

- It was not always possible to change the Media Passphrase because the option was not available in the System Tray.

- In Mindjet MindManager, opening the Save As... dialog caused the application to hang.

- Password changes at Windows XP logon were lost when the Evidian SSO watch application was installed on an SGE client. A generic fix has been applied that also solves the issue of invalid password changes after a failed logon attempt.

5 Known Issues

5.1 SGE 5.50 Release

On the Windows Vista and Windows 7 platforms, when updating the client from SGN 5.35 or higher to SGE 5.50, the installer asks the user to stop some running processes. The user should and can safely ignore this. Especially, not doing so on Windows 7 will cause the Windows Explorer to crash after the next reboot.
The SGE installation process requires to be started in the context of a Windows administrator’s logon session. Starting the installation via “Run as administrator” is not supported.
Usage of Caps-Lock in POA: please note that the Caps-Lock key in the POA only alters the case of letters and does not affect the number row on the keyboard. The recommended best practice is to use the Shift key for entering passwords and not rely on the functionality of the Caps-Lock key as this may vary per application.
During an uninstallation of the client, which includes the decryption of encrypted volumes, the machine should not be shut down or rebooted. Doing so will generate an error message from the uninstaller.

For all supported OS versions, if an internal SD card reader is attached to the Secure Digital-Host controller driven by the Standard Microsoft sdbus.sys driver, the inserted card will not be subject to SGE Device Encryption, meaning it can be neither encrypted nor blocked. It will not be visible in the BE Encryption Viewer. However, it will be available and accessible as plaintext device in Windows Explorer. For SD card encryption customers should use file based encryption (SG DX)
The Initial Configuration Wizard for the SafeGuard Policy Editor will fail when started as a local user on a Windows Vista machine.
When importing external keys, these may not contain any special XML characters, such as ‘<’, ’>’, ’&’, ‘\’, ‘”’.
The exFAT file system, introduced by Microsoft with Windows CE 6.0 and Windows Vista Service Pack 1, is not supported by SafeGuard Easy Device Encryption.

On Windows Vista 64-bit, burning encrypted files on optical media (CD/DVD) using the Windows built-in burning Wizard is not supported.

In certain configurations access to remote shares will fail if the SafeGuard DataExchange Module is installed on the remote system. This issue is usually caused by the system’s resource constrains and can be resolved by increasing the IRP stack size using the following registry setting:

                    Hive:      HKEY_LOCAL_MACHINE
                    Key:      SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
       Value Name:      IRPStackSize (DWORD)
                 Value:      21 (or at least 3 higher than the current value)

Please check http://support.microsoft.com/kb/177078/ EN-US/ for further details.

5.2 SafeGuard Policy Editor

· Uninstallation of SGE client on a PE machine renders the PE unusable.
When the SafeGuard Policy Editor is being run on a machine with a SGE client installation, uninstalling the client will leave the PE in an unusable state. This issue does not depend on the order of installation of the two modules. If you want to continue running the PE on such a machine, you must reinstall the PE.

· Policy Editor configuration may fail due to restrictive default SQL Server permissions
When installing the Policy Editor on a Windows Vista or Windows 7 machine, make sure that you have all required administrative privileges for the corresponding SQL Server or SQL Express database engine.

·         Database Naming Scheme
SGE Databases names should comply with the following naming scheme in order to prevent localization issues.

SGE Database names should only contain:
            - Characters (A-Z, a-z)
            - Numbers (0-9)
            - Underscores (_)

· If a Policy Editor is installed on a SGE client machine, both components (client + PE) have to be updated to SGE 5.50, where the client has to be updated first. Updating only the Policy Editor can lead to failed logons at Windows level.

· Please check the SGE software CD (tools folder) on additional information regarding SafeGuard Policy Editor update (please also search the Sophos knowledge base for “SGN & update” to gather detailed instructions).

· Possible configuration of SQL Database access methods:
The Windows NT Authentication option requires further mandatory configuration steps proposed by Microsoft (please search the Sophos knowledge base for “SGN & service account”). The SQL Authentication is the less complex way and does not require additional configuration.

· Certificates provided by the customer and imported into PE are currently not verified according to RFC3280. For example, we do not prevent using signature certificates for encryption purposes.

· Overlapping policies assigned to a group might result in incorrect calculation of the priorities. Please use disjunctive policy settings.

· If you want to allow minimum password durations of less than 2 days please do not change the setting “Password change allowed after min. (days)”. Once changed the minimum is 2 days.

· There are some GUI layout problems on machines configured for resolutions other than 96 DPI.

· Two security officers must not use the same Windows account on the same PC. Otherwise it is not possible to separate their access rights properly.

· After updating the SGE database to version 5.50 old Policy Editors show an error message. They must be updated as well.

· When performing uninstall, some files and registry entries may remain. Please consult the Sophos knowledge database (keywords “SGN & uninstall”) on how to clean the installation manually. Such a cleanup is necessary in order to reinstall SGE on the same computer.

· In rare situations it might be possible to experience timing and/or configuration problems with local SQL Server Express editions, the configuration of the SafeGuard Database in conjunction with SQL Server Authentication might not work. If that is the case, we recommend using Windows authentication with SQL Server Express instead.

5.3 SafeGuard Easy Data Exchange Client

· The installation of DX on a system with SafeGuard Removable Media is not prevented. Both SGRM and SGE DX are file encryption products that are not designed to coexist. However, the DX installer does not check for this condition. SGRM must be uninstalled before the installation of SGE DX.

· Recovery for forgotten passwords
SafeGuard Data Exchange without Device Encryption does not provide Challenge/Response recovery, when the user has forgotten his password. In this case you must change the password in the Active Directory, logon without a Sophos Credential Provider and restore the user configuration on the client. Consult the Sophos knowledge base for further details.

· Compatibility with SG RemovableMedia 1.20
Local keys created with SafeGuard Removable Media older than version 1.20 before switching to SGE Data Exchange can be used in the SGE Client. But they are not transferred to the SGE Database automatically

· Compatibility with SG Easy 4.x
When using SafeGuard Data Exchange together with SafeGuard Easy 4.x note that the SGE GINA mechanisms (especially secure auto logon - SAL) will no longer work, SGE must be installed first and both products should only be uninstalled together (without reboot) to avoid GINA conflicts.

· Compatibility with Microsoft Office 2007
Microsoft Office 2007 applications (e.g. Word, Excel) will abort stating an error when saving modifications to a plain file that actually needs to be encrypted according to the current encryption policy.

Solution:
- Adjust the files encryption status to comply with the policy, or
- add the Office Programs to the Special Rename Processes registry key.

Here is a sample registry setting which adds WinWord.exe and Excel.exe to this key.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"SpecialRenamePrograms"="winword.exe;excel.exe;"

Please refer to the Sophos knowledge base SGI 109474 for further information.

· User elevation for encrypted executables
If an encrypted executable or installation package is started and requires a user elevation in Windows Vista or Windows 7, it may happen that the elevation does not take place and the executable is not started.

· SafeGuard Portable Link on Read-Only Media
The link to the SafeGuard Portable application created in the root of a removable media might not work under certain conditions (on Windows 7 only). When the media is inserted into a device which device letter differs from the one when SafeGuard Portable was copied to, the link does not work if the drive with this letter is available on the device too. For example: The SafeGuard Portable link was created on a media in drive D:. The media is the used on a different machine in drive E:. The link is broken if this machine also has a drive D:, otherwise the link works as expected.

5.4 SafeGuard Easy Device Encryption Client

· BitLocker To Go - encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached to a machine during the setup of SGE, the installation will fail because Windows reports the system as being BitLocker-enabled, which is a valid failure condition for the DE client installation. The solution is to remove any BitLocker to Go-encrypted devices before installing SGE DE.

· Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends to use file-based encryption (DX module) for removable media encryption.

· The client requires an extra reboot after the first logon to ensure the registration of the logged on user.

· Update
When updating an older version of the SGE Client it is recommended to choose the ‘Custom’ installation mode and manually select all the desired features whether they were already installed by the previous version or not. Optionally, you can use the ‘Complete’ mode instead. If typical mode is chosen, some of the features might not be updated properly.
In case of an unattended installation you have to use the ADDLOCAL= property to select all desired features (existing and new). If this option is not specified, only features installed by the previous version will be updated.

· Installation of the client configuration package
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be complete until rebooting again.

· Local Self Help
For the Local Self Help option the Recovery option in the POA will never be shown if the user who is logged on to the POA has the option to log on with a token or via fingerprint. LSH only works if the user logs on to the POA with user ID and password.

·         Delay Write Errors during Initial Encryption
During the installation of SafeGuard Easy Device Encryption, delayed write failures may be reported by the operating system. This happens right after installing the kernel onto the file system. This may be forced by executing many parallel file I/O operations during the next boot right after manipulating the file system.

Solution:
An alternate way to install the SafeGuard Easy Device Encryption Kernel can be forced by adding the registry value:

            Hive:    HKEY_LOCAL_MACHINE
            Key:     System\CurrentControlSet\Control\Session Manager
Value Name:    AllocMode (DWORD)
            Value:   1

This registry value should be added before executing the SafeGuard Easy Device
Encryption setup

· Device Protection Policy for removable Drives
A policy to encrypt removable Drives volume based that allows the user to choose a key from a list (for example “all keys in key ring”) can be circumvented by the user by not choosing a key. To make sure removable drives are always encrypted the security officer should either use a file based encryption policy, or explicitly set a key in the volume based encryption policy.

· Data Exchange Policy and SafeGuard Easy
Data Exchange policies cannot use the defined machine key on SafeGuard Easy 5.50. Please use a different key if the policy will be applied to SafeGuard Easy clients.

· Novell Client
To use the SGE Client in conjunction with a Novell Client there are some project specific adaptations necessary. Please contact Sophos Support for further information.

· Fast User Switching
Fast user switching is not supported and must be disabled.

· Built-in floppy drive
After installation of SGE Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.

· Boot time
Boot time increases by about one minute after installing the SGE Client software.

· Encryption of ‘Virtual Drives’
Virtual drives that are mounted on the client workstation (e.g. VHD file into Windows using MS Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.

· It is not possible to use Volume-based device encryption together with BitLocker. The SGE Client setup does not allow installing both features simultaneously.

· During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before suspend to disk works properly again.

· You should decrypt all encrypted removable media before uninstalling the last accessible SGE client. Otherwise you may not be able to access your data any more. As long as you keep your SGE database the data on the removable media can be recovered.

· It is recommended to reboot a SGE Client PC at least once after activating the SGE Power-on Authentication. SGE performs a backup of its kernel data on every Windows boot. This backup would never happen if the PC is only hibernated or transferred into stand-by mode.

· The maximum number of registered SGE users on a client is 200.
Please do also consider the following maximum file sizes for files imported to a client by policy:

o Text files should not be larger than 50 kB.

o Banner Bitmaps should not be larger than 100 kB.

o Background bitmaps should not be larger than 500 kB.

Note: Microsoft Windows XP has a technical limitation of its kernel stack. If several file system filter drivers (e.g. antivirus software) are installed, the memory might not be sufficient. In this case you might get a BSOD. Sophos cannot be made liable for this Windows limitation and cannot solve this issue.

· In the case of volume-based encryption, volumes that are located on "dynamic disks" or “GPT disks” are not supported.

· When performing uninstall, some files and registry entries may remain. Please consult the Sophos knowledge database (keywords “SGE & uninstall”) on how to clean the installation manually. Such a cleanup is necessary in order to reinstall SGE on the same computer

· If an uninstall of the SGE client is triggered via Active Directory it has to be ensured that all volume-based encrypted volumes have been decrypted properly beforehand.

· Compatibility to imaging tools has not been tested and is therefore not supported.

Special characters (e.g. ä,ö,ü,…) have to be entered “case sensitive” at POA level.
Some computers cannot boot from a floppy disk once they have booted the POA from the hard disk. This is a limitation of their BIOS implementation and cannot be solved by Sophos.
Special characters should be used with caution in the legal notice text for the POA. Some of these characters may not be displayed properly.
Before encrypting a partition with volume-based encryption, it is recommended to run chkdsk c: /f /v /l /x in order to touch every sector of the partition. The firmware of the hard disk will then replace every defect sector before SGE tries to encrypt it.
When using SafeGuard Portable in combination with SGE Client, AES-256 algorithm has to be used for encryption of removable media.
Clients using BitLocker encryption will detect USB hard disks as “Other volumes” and not as “Removables”. Do not use encryption policies for “Other volumes” if you want to use USB hard disks on BitLocker clients.
If you have installed SGE Device Encryption and SGE Data Exchange on one client, you cannot uninstall Device Encryption alone. You must uninstall the complete package.
File-based and volume-based encryption have been successfully tested against concurrent installations of antivirus products by Sophos as well as the following:

AVG
AVG Anti-Virus Netzwerk Edition 8.5.386
Computer Associates
CA Anti-Virus 2009
Please use the following registry key

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\INO_FLTR\Setting]
"Controls"=dword:00000003
F-Secure
F-Secure AntiVirus 2009 (Version 9.00 Build 149)
G-Data
G Data Antivirus 2010 (Version 20.0.1.1)
Kaspersky
Kaspersky Internet Security 2010 (Version 9.0.0.459)
Network Associates
McAfee VirusScan Enterprise Version 8.7.0 i
Scanmodul-Version (32-bit): 5300.2777, DAT-Version: 5381.0000
Norman
Norman Virus Control (Version 5.99)
Symantec
Symantec Endpoint Protection 11.0 (Version 11.0.4000)

If problems during startup are encountered, please try the following:

In HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\ Filesystem\RealTimeScan

Set the DWORD value KStackMinFree to 0x2200.

To find a detailed explanation of the key, click this link:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f5ee041a924af12d8825709d00509eb2?OpenDocument

Trend Micro
Trend Micro Internet Security 2009

When you uninstall a SGE Client you must uninstall the client configuration package first.
The BE_RESTORE tool always tries to access disk0. This may not be the hard disk, e.g., if a USB stick is connected or a ram disk is being used.
The BE_RESTORE tool has some limitations on Windows Vista / Windows PE 2.0 if the hard disk is not encrypted yet.
Using the BE_RESTORE tool with Windows PE 2.0 needs at least 512 MB of memory.
A floppy media change is not always detected properly. Try to access the floppy drive, while no media is in the drive (e.g. with the Explorer) to ensure that the media change is detected.
The Windows XP operating system up to Service Pack 2 shows a problem on some machines, where a resume after standby does not show the locked desktop but directly opens the user desktop. The problem also applies to machines with SafeGuard Easy. This should be fixed with Windows XP SP3.
Very rarely the SGE Device Encryption Client setup will end with error 5001. Meaning that your hard disk is too fragmented to install this software. The SGE kernel needs 96MB contiguous, free disk space on the first hard disk.
The enforcement of the SafeGuard Easy password history policy can be avoided by the user during execution of the password change due to enforcement of the system administrator.
Users with “umlaut” characters in the user ID other than the keys on the chosen keyboard layout are not able to logon in POA, e.g. in combination with German keyboard layout.
The following keyboard layouts are supported in the pre-boot authentication module. "x" indicates that the language is fully supported. All other languages will default as specified. Please beware of special characters in passwords if users have an unsupported keyboard which defaults to US keyboard.

Language ID Keyboard Language / Comments

====================================================================

0x0000 US Language Neutral

0x0400 US Process or User Default Language

0x0800 US System Default Language

0x0401 US Arabic (Saudi Arabia)

0x0801 US Arabic (Iraq)

0x0c01 US Arabic (Egypt)

0x1001 US Arabic (Libya)

0x1401 US Arabic (Algeria)

0x1801 US Arabic (Morocco)

0x1c01 US Arabic (Tunisia)

0x2001 US Arabic (Oman)

0x2401 US Arabic (Yemen)

0x2801 US Arabic (Syria)

0x2c01 US Arabic (Jordan)

0x3001 US Arabic (Lebanon)

0x3401 US Arabic (Kuwait)

0x3801 US Arabic (U.A.E.)

0x3c01 US Arabic (Bahrain)

0x4001 US Arabic (Qatar)

US Arabic (102) AZERTY

X 0x0402 BG Bulgarian No font available

0x0403 ES Catalan

0x0404 US Chinese (Taiwan) No font available

0x0804 US Chinese (PRC) No font available

0x0c04 US Chinese (Hong Kong SAR, PRC) “

0x1004 US Chinese (Singapore) No font available

0x1404 US Chinese (Macao SAR) (98/ME,2K/XP)

X 0x0405 cz Czech

X 0x1402 cz_qwerty Czech (QWERTY)

US Czech (Programmers)

X 0x0406 dk Danish

X 0x0407 de German (Standard)

X 0x0807 de_CH German (Switzerland)

0x0c07 de German (Austria)

0x1007 de German (Luxembourg)

0x1407 de German (Liechtenstein)

X 0x0408 el Greek No font available

X 0x0409 us English (United States)

X 0x0809 gb English (United Kingdom)

0x0c09 us English (Australian)

0x1009 us English (Canadian)

0x1409 us English (New Zealand)

X 0x1809 ie English (Ireland)

0x1c09 US English (South Africa)

0x2009 US English (Jamaica)

0x2409 US English (Caribbean)

0x2809 US English (Belize)

0x2c09 US English (Trinidad)

0x3009 US English (Zimbabwe) (98/ME,2K/XP)

0x3409 US English (Philippines) (98/ME,2K/XP)

X 0x040a ES Spanish (Spain, Traditional Sort)

0x080a ES Spanish (Mexican)

0x0c0a ES Spanish (Spain, Modern Sort)

0x100a ES Spanish (Guatemala)

0x140a ES Spanish (Costa Rica)

0x180a ES Spanish (Panama)

0x1c0a ES Spanish (Dominican Republic)

0x200a ES Spanish (Venezuela)

0x240a ES Spanish (Colombia)

0x280a ES Spanish (Peru)

0x2c0a ES Spanish (Argentina)

0x300a ES Spanish (Ecuador)

0x340a ES Spanish (Chile)

0x380a ES Spanish (Uruguay)

0x3c0a ES Spanish (Paraguay)

0x400a ES Spanish (Bolivia)

0x440a ES Spanish (El Salvador)

0x480a ES Spanish (Honduras)

0x4c0a ES Spanish (Nicaragua)

0x500a ES Spanish (Puerto Rico)

X 0x040b fi Finnish

US Finnish (with Sami)

X 0x040c fr French (Standard)

X 0x080c be French (Belgian)

0x1080c be Belgian(Comma)

X 0x0c0c ca_enhanced French (Canadian)

US French (Canadian, Legacy)

US Canadian (Multilingual)

X 0x100c fr_CH French (Switzerland)

0x140c fr_CH French (Luxembourg)

0x180c fr French (Monaco) (98/ME,2K/XP)

0x040d US Hebrew

X 0x040e hu Hungarian

X 0x040f is Icelandic

X 0x0410 it Italian (Standard)

0x0810 it Italian (Switzerland)

X 0x0411 jp Japanese

X 0x0412 ko Korean No font available

0x0812 US Korean (Johab) (95,NT)

X 0x0413 nl Dutch (Netherlands)

X 0x0813 be Dutch (Belgium)

X 0x0414 no Norwegian (Bokmal)

0x0814 no Norwegian (Nynorsk)

X 0x0415 pl Polish No font available

X 0x0416 br Portuguese (Brazil)

X 0x0816 pt Portuguese (Portugal)

X 0x0418 ro Romanian

0x0419 US Russian

0x041a US Croatian

0x081a US Serbian (Latin)

0x0c1a US Serbian (Cyrillic)

0x101a US Croatian (Bosnia and Herzegovina)

0x141a US Bosnian (Bosnia and Herzegovina)

0x181a US Serbian (Latin, Bosnia, and Herzegovina)

0x1c1a US Serbian (Cyrillic, Bosnia, and Herzegovina)

0x041b sk Slovak

0x041c US Albanian

X 0x041d se Swedish

0x081d se Swedish (Finland)

0x041e US Thai

X 0x041f tr Turkish No font available

0x0420 US Urdu (Pakistan) (98/ME,2K/XP)

0x0820 US Urdu (India)

0x0421 US Indonesian

0x0422 uk Ukrainian

0x0423 US Belarusian

0x0424 sl Slovenian

0x0425 US Estonian

0x0426 lv Latvian

0x0427 lt Lithuanian

0x0827 US Lithuanian (Classic) (98)

0x0429 US Farsi

0x042a US Vietnamese (98/ME,NT,2K/XP)

0x042b US Armenian. This is Unicode only. (2K/XP)

US Armenian Eastern

US Armenian Western

0x042c US Azeri (Latin)

0x082c US Azeri (Cyrillic)

0x042d US Basque

0x042f US Macedonian (FYROM)

0x0430 US Sutu

0x0432 US Setswana/Tswana (South Africa)

0x0434 US isiXhosa/Xhosa (South Africa)

0x0435 US isiZulu/Zulu (South Africa)

0x0436 US Afrikaans

0x0437 US Georgian. This is Unicode only. (2K/XP)

0x0438 US Faeroese

0x0439 US Hindi. This is Unicode only. (2K/XP)

0x043a US Maltese (Malta)

0x043b US Sami, Northern (Norway)

0x083b US Sami, Northern (Sweden)

0x0c3b US Sami, Northern (Finland)

0x103b US Sami, Lule (Norway)

0x143b US Sami, Lule (Sweden)

0x183b US Sami, Southern (Norway)

0x1c3b US Sami, Southern (Sweden)

0x203b US Sami, Skolt (Finland)

0x243b US Sami, Inari (Finland)

0x043e US Malay (Malaysian)

0x083e US Malay (Brunei Darussalam)

0x0440 US Kyrgyz. (XP)

0x0441 US Swahili (Kenya)

0x0443 uz Uzbek (Latin)

0x0843 US Uzbek (Cyrillic)

0x0444 US Tatar (Tatarstan)

0x0445 US Bengali (India)

US Bengali (Inscript)

0x0446 US Punjabi. This is Unicode only. (XP)

0x0447 US Gujarati. This is Unicode only. (XP)

0x0449 US Tamil. This is Unicode only. (2K/XP)

0x044a US Telugu. This is Unicode only. (XP)

0x044b US Kannada. This is Unicode only. (XP)

0x044c US Malayalam (India)

0x044e US Marathi. This is Unicode only. (2K/XP)

0x044f US Sanskrit. This is Unicode only. (2K/XP)

0x0450 US Mongolian (XP)

0x0452 US Welsh (United Kingdom)

0x0455 US Burmese

0x0456 US Galician (XP)

0x0457 US Konkani. This is Unicode only. (2K/XP)

0x045a US Syriac. This is Unicode only. (XP)

0x0465 US Divehi. This is Unicode only. (XP)

US Divehi (Phonetic)

US Divehi (Typewriter)

0x046b US Quechua (Bolivia)

0x086b US Quechua (Ecuador)

0x0c6b US Quechua (Peru)

0x046c US Sesotho sa Leboa/Northern Sotho (South Africa)

0x007f US LOCALE_INVARIANT. See MAKELCID.

0x0481 US Maori (New Zealand)

5.5 SafeGuard Easy 4.x

Migration of SafeGuard Easy 4.30 or higher to SGE 5.50
For migration from SafeGuard Easy 4.x to SafeGuard Easy 5.50 the user needs a valid Windows account. In the case that the user does not know his Windows password, because he is using SAL for Windows log on, the user’s Windows password has to be reset and the new value has to be forwarded to the user. Please be sure to read the corresponding administrator help section before proceeding with the upgrade.

5.6 SafeGuard LAN Crypt

· SafeGuard LAN Crypt 3.70 is the first version that is fully compatible with SafeGuard Enterprise Standalone (SafeGuard Easy 5.50). If an older version of SafeGuard LAN Crypt is installed, we do strongly suggest upgrading to the latest version of SafeGuard LAN Crypt first.

· If SafeGuard Easy 5.50 is installed on-top of SafeGuard LAN Crypt the installation program will complain that the component SGLC Profile Loader being upgraded is currently in use. This message is caused by the fact that SafeGuard LAN Crypt and SafeGuard Easy share common components and therefore can be ignored. The affected components will be updated upon reboot.

5.7 Fingerprint Reader

Lenovo ThinkVantage Fingerprint Software
Due to a limitation of UPEK ThinkVantage Fingerprint Software, fingerprint logon is not supported for users having a whitespace in their user names.

5.8 Interoperability Issues

Empirum Security Suite Agent
If SGE 5.50 Client Software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:

BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS

This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite v5.
Please contact Matrix42 support for latest details/updates on this issue.
Lenovo Rescue and Recovery
For information on compatibility of Rescue and Recovery versions with SafeGuard Easy versions see: http://www.sophos.com/support/knowledgebase/article/108383.html.
AbsoluteSoftware Computrace
SGE Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated ‘track-0 based persistent agent’ installed.

5.9 SCSI Hard Drives

SafeGuard Easy Device Encryption Client
The SafeGuard Easy Device Encryption Client does not support systems that are equipped with hard disks that are attached via the SCSI bus.

6 Technical Support

You can find technical support for Sophos products in any of these ways:

Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem.
Visit the Sophos support knowledgebase at http://www.sophos.de/support/
Download the product documentation at http://www.sophos.de/support/docs/
Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.

Oberursel, November 4th, 2010

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Plc and the Sophos Group. SafeGuard is a registered trademark of Utimaco Safeware AG - a member of the Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

All SafeGuard products are copyright of Utimaco Safeware AG - a member of the Sophos Group, or, as applicable, its licensors. All other Sophos products are copyright of Sophos plc., or, as applicable, its licensors.

You will find copyright information on third party suppliers in the file entitled Disclaimer and Copyright for 3rd Party Software.rtf in your product directory.