SafeGuard Lan Crypt
Client 3.90.3 release notes
Requirements
The below listed platforms have been tested and are officially supported.
Other Service Pack levels might work as well but have not run through a QA
cycle and won´t be analyzed in case of occurring issues.
Platforms supported
|
32-bit
|
64-bit
|
Windows
XP SP3
|
Yes
|
No
|
Windows 7
(Ultimate / Enterprise / Professional) SP1
|
Yes
|
Yes
|
Windows 8
|
Yes
|
Yes
|
Windows 8.1
|
Yes
|
Yes
|
Windows
Server 2008 R2 SP1
|
No
|
Yes
|
Windows
Server 2012
|
No
|
Yes
|
Citrix
XenApp 6.5 on Windows Server 2008 R2 SP1
|
No
|
Yes
|
Citrix
Project Avalon Excalibur Technology Preview on Windows Server 2012
No released version was available at the time of this client release. 07.01.2013
|
No
|
Yes
|
New in SafeGuard LAN Crypt Client 3.90.3
This Client Patch addresses some security issues with SafeGuard LAN Crypt 3.90.2, which theoretically could be used to obtain local privilege escalations. It also contains all previously released hotfixes for SafeGuard LAN Crypt 3.90.2, which solve several smaller issues.
For more information, refer to Windows Client Patch 1804 for SafeGuard products.
We recommend that you install the latest Windows security patches on your clients before installing the SafeGuard client security patch. For clients running Windows 7, you must install all Windows security patches first.
This patch requires the SafeGuard LAN Crypt client 3.90.2 to be installed.
If SGLC 3.90 is used on a Terminal Server, this patch cannot be applied. For Terminal Server SafeGuard LAN Crypt 3.90.1.13 (TS) must be used.
New in SafeGuard LAN Crypt Client 3.90.2
Refer to SafeGuard LAN Crypt Client 3.90.2 Release Notes.
New in SafeGuard LAN Crypt Client 3.90.1
- The
client supports Windows 8 and Windows Server 2012 and several new Windows
features (e.g. ReFS, file history and pause/restart function during copy
operation).
- Office
2013 is now also supported.
- Files can
now be encrypted using XTS-AES instead of AES.
- New icons
and bitmaps in the graphical user interface.
- Persistent
encryption now works also without the use of Windows Explorer (e.g.
xcopy.exe).
Note: A warning message is no longer displayed if an encrypted file is
copied to an ignored destination and the target file becomes plain.
- Configuration
of Microsoft Office as special rename application is no longer necessary.
- Performance
improvement by using AES-NI on supported processors.
- New file
format for user policies (xml), which provide a faster and more robust
policy loading.
Note: Please configure the SafeGuard LAN Crypt Administration to
generate xml.bz2 policy files, because this client version can no longer
load legacy policy files (pol or pol.bz2).
- The initial
encryption wizard has a new filter to display only files which are not
encrypted.
- The Group
Policy option Silent
mode if user profile is missing hides now also the balloon
tips. If the user initiates the loading of a policy file from the tray
icon menu, always a message box and a balloon tip is displayed in case of
an error.
- User key
files (.p12) can be downloaded from a web server using http or https.
- Downloading
policy files and security officer certificates supports now also https.
- If no
default ignore rule is configured, "*" is now used in this case.
- The
client API was extended and may be used by other products, e.g. DLP
solutions.
- Overlay
icons can now already be disabled during installation.
- Encryption
on Novell shares is no longer supported.
Resolved Issues (from 3.71.64)
- Application
failure in loadprof.exe if a policy with more than 200 rules and/or keys
was loaded.
- Encryption
rules did not work on some DFS shares.
- Fixed
some sharing violations when Office documents are saved.
- SGLCInit
did not handle some special characters in the reported files.
- Saving an
encrypted file on a network share with Microsoft OneNote 2010 resulted in
an error.
- Minimized
the number of file reads while displaying overlay icons.
- A BSOD
occurred if the short name (8.3 notation) of an encryption rule was longer
than the original name.
- A BSOD
occurred when a file was copied to a local redirected client drive within
a Citrix terminal server session.
- PIN
dialog was not displayed for some middlewares.
Known Issues
- Citrix
Terminal Server
- Client
Drive Redirection
Encryption of files on client drives mapped on a Citrix Terminal Server
is not supported and these drives will be ignored by the SafeGuard LAN
Crypt encryption filter driver.
- Streamed
applications not supported
Citrix application streaming is not supported.
- Virus
scanners
- Virus
scanner services
Virus scanner services need to be explicitly allowed to have access to
encrypted files in order to be able to find viruses inside.
- Tested
virus scanners
The following virus scanners have been tested with the SafeGuard LAN
Crypt Client:
Virus Scanner
|
Executable
|
Authenticode
|
Sophos
Endpoint Security and Data Protection 10.2
|
SavService.exe
|
Yes
|
McAfee
VirusScan Enterprise 8.8
|
Mcshield.exe
|
Yes
|
Symantec
Endpoint Protection 12.1.1101.401, 32bit
|
ccSrvHst.exe
srtsp.sys
|
Yes
No
|
Symantec
Endpoint Protection 12.1.2015.2015
|
ccSvcHst.exe
srtsp.sys
|
Yes
No
|
Microsoft
Security Essentials 4.0.1526.0
|
msseces.exe
MsMpEng.exe
|
Yes
Yes
|
- Configuration
of other virus scanners (not tested with this release):
Virus Scanner
|
Executable
|
Authenticode
|
Symantec
Endpoint Protection 11.0.6 MP1
|
rtvscan.exe
|
Yes
|
Trend
Micro Office Scan 10.5 1083 GM repack 1
|
NTRtScan.exe
tmfilter.sys
|
Yes
No
|
- Known
issues
- There
is an issue with Sophos Anti-Virus that may cause encrypted files to be
locked (either only for write or for read and write access). This is
caused by a timing issue of Sophos Anti-Virus if the on-access scanning
level is set to 'intensive'.
- There
is an issue with Sophos Anti-Virus that may lead to damaged Microsoft
Office documents when saving them in a folder that is made available
when offline (“OfflineFolder”). To avoid this issue please configure the
Sophos Anti-Virus on-access scanner to exclude the folder
“C:\Windows\CSC”.
- On a
SafeGuard LAN Crypt Client in combination with Symantec Endpoint
Protection 11 and Office 2003 a BSOD may occur when a document is saved
on an USB stick. With Symantec Endpoint Protection 11.0.5
(11.0.5002.333) the BSOD does not occur.
- McAfee
VirusScan Enterprise 8.7i does not find viruses in encrypted files on
DFS shares during on demand scan.
- McAfee
VirusScan Enterprise 8.7i Patch 3 finds viruses in encrypted files on
network shares, but it may happen that no notification to the user is
shown that a virus was found.
The content of the infected file is deleted, but the deletion of the
file itself may fail. In this case an empty encrypted file remains on
the network share after a virus was found. The original file is
available in the quarantine and can be restored, if this action is
configured in the virus scanner.
- After
receiving a new virus scanner executable via the policy file, the client
has to be rebooted.
- DFS
- Domain-based
DFS
In a domain-based DFS, you can access the DFS either via the server name
or via the domain name.
The encryption rules must always be created in the same way as used to
access DFS.
If the DFS is accessed via the server name, the encryption rule must be
based on a server name. If DFS is accessed via the domain name, the rule
must be domain name based.
If you want to access the DFS both ways, you must define two encryption
rules, one with the domain name and one with the server name.
e.g.:
Y: is mapped to \\DOMAIN\DFSROOT
Encryption rule:
Y:*.*
or
\\DOMAIN\DFSROOT*.*
Z: is mapped to \\SERVER.DOMAIN\DFSROOT
Encryption rule:
Z:*.*
or
\\SERVER\DFSROOT*.*
- Nested
DFS links
Nested DFS links (DFS links to other DFS links or DFS roots) can be used
but encryption rules must not include a physical path to the DFS link and
there are some known problems in combination with persistent encryption.
When copying an encrypted file to a plain folder it may become decrypted.
When moving encrypted files to an ignored/excluded folder it may stay
encrypted.
- Rules
using IP address not supported
it is not possible to use rules for DFS that contain the IP address of
the server hosting the DFS share.
- DFS and
persistent encryption
When copying encrypted files to ignored or excluded folders on DFS drives
they may not be stored decrypted.
- Viewing
folders in Windows Explorer
Viewing folders on a DFS share cause problems that either the display
takes very long or the folder selection jumps to the root folder after a
while.
In this case the following registry value can be set:
[HKEY_LOCAL_MACHINE\Software\Policies\Utimaco\SGLANCrypt\LCShellx]
IgnoreBuildInOverlayIcons=dword:00000001
A reboot is necessary to activate the change. Afterwards the Windows
overlay icons for shared folders and links are not displayed if a
SafeGuard LAN Crypt overlay icon is displayed.
- Network
Attached Storage (NAS) devices
In general, SafeGuard LAN Crypt will operate with network shares hosted on
NAS devices. If it is planned to use a NAS device, Sophos recommends the
execution of intensive tests prior to using SafeGuard LAN Crypt in a
productive environment.
However, due to various SAMBA implementations and versions, not every NAS
device will act like a Windows Server. Protocol variations are possible
and therefore a few special cases might not work properly in combination
with SafeGuard LAN Crypt; for example, a user’s “my documents” folder
might not be encrypted on a filer share. Therefore Sophos does not
guarantee that encrypted file shares on NAS devices will work in every
condition and only provides limited support in cases where issues arise.
- Volume
mount points
SafeGuard LAN Crypt does not support volume mount points. (An encryption
rule for a directory that is a volume mount point will not work.)
The same is true for virtual drives generated with the SUBST.exe command.
- EFS
encryption and NTFS compression
SafeGuard LAN Crypt encrypted files cannot be (additionally) EFS encrypted
or NTFS compressed.
It is possible to EFS decrypt (provided that the EFS key is available)
and/or NTFS decompress files during initial encryption.
- NTFS
rights
While Windows is able to create new files or copy files to a folder where
the NTFS rights
- Traverse Folder / Execute File
- List Folder / Read Data
- Read Attributes
- Read Extended Attributes
- Create Files / Write Data
- Read Permissions
are granted to a user, the following additional rights have to be granted
if there is an encryption rule on a folder:
- Create Folders / Append Data
- Write Attributes
- Write Extended Attributes
- Backup
programs
Backup programs should be configured as unhandled applications. If you do
this, the files will retain their encryption state after a restore. The
backup applications from Windows 7 and higher are automatically treated as
unhandled application.
The backup target files themselves must not be encrypted, because they
cannot be restored by the backup application as it does not decrypt the
backup files. Because the files included in the backup are already
encrypted, it is not necessary to encrypt the backup target files itself.
- Configuration
data
Because the client reads the configuration data from the Registry during
the boot and login process, you may need to reboot the PC to include any
changes to this data.
- SafeGuard
Enterprise Data Exchange
- Profile
without key causes problem with SafeGuard Enterprise DX
There is a known problem when SafeGuard LAN Crypt and SafeGuard Enterprise
Data Exchange are installed. If a SafeGuard LAN Crypt profile without a
key is loaded, it is not possible to open or create new files that are
SafeGuard Enterprise DX encrypted.
Workaround: Instead of providing an empty dummy profile for users who
shall not encrypt data using SafeGuard LAN Crypt, please disable the
error message that no profile was found (“SilentMode”) using a group
policy.
- Default
Ignore Rules not active after user logon with SafeGuard Enterprise DX
Please note that SafeGuard Enterprise Data Exchange suppresses SafeGuard
LAN Crypt Default Ignore Rules after user logon, even if no SafeGuard LAN
Crypt user profile is loaded. The Default Ignore Rules are active during
system boot but as soon as the user logs on to the system and SafeGuard Enterprise
DX is active they become disabled. This is always the case, even if there
are no DX policies.
- SafeGuard
Enterprise DX Encryption Wizard
If the encryption priority is changed from SGLC to SGNDX, after the next
reboot the SafeGuard Enterprise DX encryption wizard starts to re-encrypt
files on removable media which were encrypted by SafeGuard LAN Crypt
before. This operation fails, because the SafeGuard LAN Crypt keys are
not loaded at this time.
After the SafeGuard LAN Crypt profile was loaded, the re-encryption is
possible.
- SafeGuard
Port Protector
There are following issues if SafeGuard LAN Crypt and SafeGuard Port
Protector are installed in parallel:
- Shadowing
of SafeGuard LAN Crypt encrypted files does not work sometimes.
- It is
possible to open files which should be blocked by a SafeGuard Port
Protector policy if they are encrypted
- SafeGuard
PrivateDisk
SafeGuard LAN Crypt cannot be used to encrypt SafeGuard PrivateDisk volume
files (*.vol).
- CD
burning
- Burning
encrypted CDs with Windows Explorer built-in mechanism
To create a CD with SafeGuard LAN Crypt encrypted files, use a separate
burning application that you must add to the list of unhandled
applications. All encrypted files remain encrypted if you now burn them
onto a CD.
As the Windows native burning tool is implemented as an Explorer
Extension, you cannot use this tool for creating encrypted CDs (you would
have to specify Explorer as an unhandled application, which has a huge
number of unwanted side effects).
- Known
problem with Nero InCD
There is an issue with Nero InCD and Office 2003 together with SafeGuard
LAN Crypt when encryption rules are set for the CD drive. If an Office
2003 file is stored on the CD a BSOD may occur during processing the file
(e.g. open, save).
- Certificates
User and administrator certificates must be located in the current user’s
certificate store. Certificates located in the local computer’s
certificate store cannot be used for SafeGuard LAN Crypt.
- Windows 7
and higher
- Folder
overlay icons
Overlay icons for folder icons in the left-hand tree-view are sometimes
missing.
- No key
column in Explorer
It is no longer possible to have a column added in Explorer that shows
key names or GUIDs for encrypted files.
- Offline
files
On some machines it may happen that some encrypted offline files are not
accessible in offline mode.
To avoid this problem please disable indexing of offline files.
- UAC
dialog on not accessible encrypted files
If an encrypted file is renamed or deleted and the corresponding key is
not available in the SafeGuard LAN Crypt profile, a User Account Control
dialog is shown because the file is not accessible.
Providing credentials of an administrator does not allow the file
operation in this case, because even as administrator the file cannot be
modified as the proper key is not available.
- Offline
Folders
If Windows Offline Folders are used it may happen that not all files get
synchronized if SafeGuard LAN Crypt is installed. Subsequent
synchronization requests should complete the synchronization.
If the default location of the offline folder cache (usually
C:\Windows\CSC) is changed, an ignore rule should be set on this folder
(e.g. D:\CSC).
- Known
problem with crypto.sys
The driver crypto.sys is shipped with different products, like SafeNet
Netscreen Remote, SafeNet VPN and others. There is a known problem with
this driver that can lead to a BSOD.
- Multiple
smartcard PIN entries
When SafeGuard LAN Crypt is used together with certain smartcard
middlewares, e.g. Nexus Personal Edition 4.0.1, it may happen that the
user has to enter the smartcard PIN multiple times.
- Compatibility
issues with Microsoft SharePoint
Downloading documents from a SharePoint server may fail if there is an
encryption rule set on the folder containing the temporary internet files.
- Restricted
support of short path names
Following restrictions exist in relation to short path names:
The path used in the encryption rule must exist at profile load time
(except paths on shares)
The path used in the encryption rule must not be renamed after the profile
was loaded, otherwise it may happen that the short path name will not work
anymore on this path
Only for absolute path rules the short path name is also handled (relative
path rules are only considered in the way they are entered during profile
creation)
- Encrypted
applications on network shares
If an executable file is started which is stored encrypted on a network
share, it may happen that the file remains to be used, even if the
application is no longer running.
To replace such files it is necessary to rename the existing executable
file at first and then copy the new file.
- User
elevation for encrypted executables
If an encrypted executable or installation package is started and requires
a user elevation in Windows 7 or higher, it may happen that the elevation
doesn’t take place and the executable is not started.
- Profile
expiration
If the folder where the SafeGuard LAN Crypt user profiles are stored is
made available for offline access, the profile expiration will not work if
there is no network connection available.
- Deletion
of files using psexec.exe
SafeGuard LAN Crypt prevents the deletion of files which are encrypted and
the user is not in possession of the proper key. However if psexec.exe is
used to connect to a machine where SafeGuard LAN Crypt is installed, it is
possible to delete encrypted files without having the proper key. Opening
encrypted files is not possible in such a way.
- Encryption
rules on %USERPROFILE%\AppData\Roaming
Setting encryption rules on %USERPROFILE%\AppData\Roaming may result in
several error situations, as some of these files (e.g. desktop background
image) are already accessed by Windows at a very early logon stage where
the SafeGuard LAN Crypt profile is not yet loaded.
In general it is not recommended to encrypt files in this folder.
Encryption will only work for files which are accessed after the SafeGuard
LAN Crypt profile was loaded.
- Multiple
rules for the same target
If more than one rule is defined for the same target path (e.g. rule 1 for
x:\*.*, rule 2 for y:\*.*, x: and y: are both mapped to the same share),
only the first matching rule according to the current rule sort order is
applied.
- Missing
overlay icons
The number of different overlay icons is limited by Windows, so if another
application is installed which also uses overlay icons (e.g. SharePoint
extension in Microsoft Office) the SafeGuard LAN Crypt overlay icons may
disappear.
Please see the following knowledgebase article how you can enable the
overlay icons again: http://www.sophos.com/en-us/support/knowledgebase/108784.aspx
- Encryption
of VHD (Virtual Hard Disk) and WIM (Windows Imaging Format) files is not
supported.
- Microsoft
Virtual Desktop Infrastructure is not supported.