SafeGuard PrivateDisk 3.0 release notes
1. System Requirements
|
Platforms supported
|
32-bit
|
64-bit
|
|
Windows 8
Pro/Enterprise
|
Yes
|
Yes
|
|
Windows 7
Enterprise/Ultimate/Professional/Home Premium
|
Yes
|
Yes
|
|
Windows
XP Professional
|
Yes
|
No
|
Please consider:
The latest service pack must be installed on the supported platforms
Windows Server operating systems are not supported
Apple computers are not supported
3. Version Information
SafeGuard PrivateDisk 3.00 contains the following improvements over
version 2.50:
- Sophos
DNA re-branding
- Support
for Windows 8
- Single
installer for x86/x64 and all supported languages
- Bugfixes
SafeGuard PrivateDisk 2.50 contains the following improvements over
version 2.30:
- Reduced
file operations in the background
- "pdcmd.exe
new": Area background initialization corrected
- "pdcmd.exe
new": No more adding an administrator certificate to the volume
- Volume
Files on removable medias are marked as "hotplug" to disable the
write cache of the operating system
- PDPortable
performance for NTFS Volumes optimized
- PDPortable
problem on large NTFS Volumes on removable media solved
- PDPortable
support for keyring implemented
- Shell
extension for 64 Bit operating systems corrected
- New GPO
attribute: maximum container size
- New GPO
attribute: container only allowed on specified directories
- New
branding for Sophos
- New setup
for Japanese
4. Installation and Upgrade
- Administrative
privileges required
Administrative privileges are required to install the software. Simply
execute the SafeGuard PrivateDisk MSI package to install the software.
- Installation
via Active Directory
When installing the software with Active Directory (GPO), the following
issues should be considered:
- SafeGuard
PrivateDisk can only be installed per computer (Computer Configuration),
not for single users (User Configuration).
- If a
program package has a different language than the operating system of the
client machine, then the setting “Ignore language when deploying this
package” must be enabled for the package, otherwise the software will not
be installed automatically.
- Installation
from network location not recommended
It is possible to install the software from a network location, but it is
not recommended. The installation might fail if the network connection is
interrupted or files might be left over in the installation directory
after uninstallation.
- Upgrade
from previous versions
Upgrades are only supported from PrivateDisk 2.30, 2.40 and 2.50 Enterprise
Edition. Upgrades from Demo or Personal Editions are not supported.
5. Limitations
- Single
login password
The single login password is not shared between the multiple modules of
SafeGuard PrivateDisk. If you mount some disks from within the main application
and some others using the tray icon or the shell extension and you are
using the single login feature, then you will have to enter the single
login password more than once.
- Recovery
certificate
The administrative template (ADM) can be used to define a recovery
certificate, which is added automatically to new PrivateDisk volumes. This
feature can be used by security administrators to gain access to encrypted
data of users, e.g. after a user left the company or when a user forgets
his password. Note that the recovery certificate is only identified by its
serial number, which is not always unique (there might be multiple
certificates with identical serial numbers from different issuers). In
case multiple certificates match the serial number, PrivateDisk chooses
any of these, which might be the wrong one.
- Secure
LDAP access
LDAP over SSL (port 636) and global catalog search over SSL (port 3269)
are not standardized in LDAPv2 and therefore not supported by PrivateDisk.
Instead use LDAP with StartTLS which works by default with port 389 or
3268 (global catalog).
6. Known Issues
- Sharing
of removable volumes
In Windows 7 and Windows 8 users can share removable media. This feature
is not yet supported by PrivateDisk. Currently only drives with the
attribute "fixed disk" can be shared by the administrator.
- Sophos
SafeGuard LAN Crypt and Sophos SafeGuard Enterprises DX/CS/FS
PrivateDisk volume files (*.vol) should not be encrypted additionally with
any Sophos file-encryption product. In certain circumstances encrypted
volume files can get corrupted being used concurrently by PrivateDisk. In
order to ensure that volume files don't get encrypted accidentally via an
encryption policy, *.vol files have to be excluded from encryption.
Although not really necessary, files that reside within a PrivateDisk
volume can be encrypted with Sophos file-based encryption products like SG
LAN Crypt or SGN File Share.
- Drive
label for PrivateDisk drive replaced by removable storage device label
In some situations, the drive label assigned to a PrivateDisk might get
re-assigned to another removable storage device. When this occurs, the
drive letter for the PrivateDisk will display the drive label for a newly
attached device, even though the PrivateDisk can be accessed using the
drive and not the newly attached device. If this occurs, un-mount the
affected PrivateDisk and re-mount it to ensure access to both devices.
- PrivateDisk
volume files on removable media with changed drive letter
PrivateDisk keeps a list of previously used volume files using their fully
qualified path name. In case that the volume file resides on a removable
media which drive letter has changed, e.g. a USB memory stick or a network
share, the volume file can no longer be located using its original file
name, thus marking its entry in PrivateDisk accordingly. In order to mount
this particular volume file again it has to be imported from the new drive
with the changed drive letter using the ‘File Import…’ function.
- Possible
loss of data caused by delayed write operations
When storing data onto a PrivateDisk drive where the volume file is
located on a removable USB drive or a network share connected via WiFi, it
may happen that data is lost if no preparations are taken. It it caused by
pending delayed write operations in the file system cache in conjunction
with a abrupt interruption of the connection to the volume file. This can
happen if a removable media is removed suddenly after the write operation
has finished, or the connection via WiFi is broken. Therefore it is
strongly recommended not to remove any removable storage device that has a
PrivateDisk drive mounted without un-mounting it before. Besides that it
is not recommended to access PrivateDisk volume files via WiFi that can
not ensure trouble-free operation.
- Unnecessary
event in Windows system event log
When using an automatically mounted NTFS formatted PrivateDisk volume, an
error with ID 137 is written into the Windows system event log with every
logon to this volume. The event has the text "The default transaction
resource manager on volume XYZ encountered a non-retryable error and could
not start". This event can be safely ignored. It is a false alarm
from the NTFS driver.
- Windows
8 start screen
A tile in the Windows 8 start screen is only created for the user in which
context the installation of PrivateDisk was executed. All other users can
still launch PrivateDisk through the icon in the Windows notification
area. Alternatively a tile can also be created manually.
- No
administrative installation on 64-bit Windows
The administrative installation (MSIEXEC /A SGPD300_e.msi) on 64-bit
Windows is not supported and leads to the situation that the wrong drivers
get installed. Therefore on 64-bit Windows only use the normal MSI
installation mode (without /A).
- PDPortable
may fail to open keystore
If a private disk was created on a computer with SafeGuard Enterprise
installed and secured with a local key, then PDPortable might have a
problem to open that disk. The issue only occurs randomly.
- Ceation
of a volume with a property "Fixed Disk" may fail on a network
share
Creation of PrivateDisk volume with the option "Fixed Disk"
enabled will fail on a network share that is mounted to a drive letter. In
this case do not enable the "Fixed Disk" option (the default).
- Files
exported with PDPortable may have the wrong modified time
When files are exported with PDPortable, the modified time of the
resulting files may be wrong. It depends on the time zone where PDPortable
is executed and may lead to a difference of up to a few hours.
7. Security Note
Due to its character as a roaming program, PDPortable may be used in target
OS environments whose security state is not known up-front. Consequently, a
special flavour of ‘DLL preloading’ (http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx,
a.k.a. ‘DLL Hijacking’) may apply: PDPortable (involuntarily) attempts to load
certain OS DLLs from its application directory (i.e. the directory where it
actually resides) before it attempts to load them from the OS directory where
they actually reside (e.g. <Windows>\System32). If an attacker manages to
place a malicious DLL in the application directory, its code may get executed
when PDPortable starts. Please note that a malicious DLL even gets found and
loaded when it is set to hidden!
PDPortable provides all available mechanisms to mitigate this vulnerability.
Nevertheless, several attack vectors remain open: The vulnerability is
unconditionally present in Windows XP (and before). Beginning with Windows
Vista and Windows Server 2008, the vulnerability is mitigated when Microsoft
Security Patch KB2533623 has been installed on the system. In Windows 8 and
Windows Server 2012, there is no such vulnerability.
As a general advice, always install all available Security Patches for the
systems under your control. If PDPortable shall run on systems where the
vulnerability exists, the user needs to be aware that any DLL (even a hidden
one) of unknown or dubious origin in the application directory means a risk.
Accordingly, make sure that PDPortable does not get started in such
environments.