SAFEGUARD® PORTPROTECTOR 3.30 SP7

 

1.   System Requirements

                               

The following environment components are required for the correct installation and operation of SafeGuard PortProtector:

 

 

Operating System

SG PortProtector Client:

·   Windows XP 32-bit Professional (SP 1-3)

·   Windows 2003 Server (SP 1-2)

·   Windows 2000 SP4 Rollup 1

·   Windows Vista 32-bit Business / Enterprise / Ultimate (SP 1-2)

·   Windows 7 32-bit Business / Enterprise / Ultimate

SG PortProtector Management Console:

·   Windows XP Professional (SP2)

·   Windows 2003 Server (SP 1-2)

SafeGuard PortProtector Management Server:

·   Windows XP Professional (SP2 – not supported for production environments)

·   Windows 2003 Server (SP 1-2)

SafeGuard PortProtector Access Secure Data Utility:

·   Windows XP Professional (SP 1-3)

·   Windows 2000 SP4 Rollup 1

·   Windows Vista Business / Enterprise / Ultimate

·   Windows 7 Home / Business / Enterprise / Ultimate

Hardware

SG PortProtector Client:

·   Pentium 800 MHz

·   256 MB of RAM

·   50 MB HDD space

SG PortProtector Management Console:

·   Pentium 800 MHz

·   256 MB of RAM

·   50 MB HDD space

SafeGuard PortProtector Management Server:

The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos partner or Sophos support.

SafeGuard PortProtector Access Secure Data Utility:

·   Pentium 800 MHz

·   256 MB of RAM

·   50 MB HDD space

Software

SG PortProtector Management Console:

·   Microsoft .NET Framework 2.0 (Make sure that the server and console are installed with the same .NET 2.0 SP)

SafeGuard PortProtector Management Server:

·   Microsoft .NET Framework 2.0 (Make sure that the server and console are installed with the same .NET 2.0 SP)

·   Microsoft IIS

DB (when using an external DB)

SafeGuard PortProtector Management Server:

·   SQL Server 2000 SP4 and up

·   SQL Server 2005 SP2

 

 

 

2.   Significant Fixes

General

·         Encryption Permissions – Security administrators can define which end users in the organization are allowed to encrypt removable storage devices.

·         Issue #14576 - When the client is set to work in “Stealth Mode”, opening the client UI from the Control Panel fails.

·         Issue #14595 - When using an Athena Smart Card for user authentication, user policies are not enforced.

·         Issue #14701 - When using SafeGuard PortProtector Cleanup Utility on a Windows 7 machine, the Cleanup Token changes after the machine is restarted.

·         Issue #14940 - On rare occasions, following Server upgrade, distributing policies to agents which have not yet been upgraded will result in BSOD.

·         Issue #15050 - On rare occasions following Client installation, the user is unable to login to the machine.

·         In some cases, after Client installation, the boot time on Windows 7 OS is prolonged.

·         When transferring large files to a removable storage device it sometimes results in BSOD.

 

SafeGuard PortProtector Client

·         Issue #14319 and #14228 - In some cases, a message asking the end user to encrypt CD/DVD devices will pop up when it should not.

·         Issue #14703 - When the policy is set to block users from reading “Other File Types” on removable storage devices, device encryption fails.

·         Issue #14738 - After executing the SafeGuard Device Access Utility (used for accessing encrypted removable storage devices on unprotected machines) and terminating the application process via Task Manager, the utility cannot be used again on the same machine.

·         Issue #14785 - When white listing devices using “Free Text Identification”, the system now applies a "starts with" logic instead of "equals".

·         Issue #14939 - When encrypting removable storage devices larger than 500 GB, the encrypted volume will be much smaller than the device.

·         Issue #15077 - On rare occasions, burning an encrypted CD/DVD media fails.
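
Issue #14785 changes free-text whitelist matching from "equals" to "starts with", so an existing entry can match more devices after the upgrade than it did before. The following audit sketch is an added example, not Sophos code: it compares both matching modes over a constructed device inventory, and the function names, the sample strings and the case-sensitive comparison are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: free-text identification strings, not real product output.
DEVICES = [
    "Kingston DataTraveler 2.0",
    "Kingston DataTraveler G3",
    "SanDisk Cruzer",
    "SanDisk Cruzer Blade",
]
ENTRIES = ["Kingston DataTraveler 2.0", "SanDisk Cruzer", "Kingston"]


@dataclass(frozen=True)
class Finding:
    entry: str            # whitelist entry being audited
    exact: tuple          # devices allowed under the old "equals" logic
    newly_allowed: tuple  # devices allowed only under "starts with"


def _norm(text, case_sensitive):
    text = text.strip()
    return text if case_sensitive else text.casefold()


def audit_whitelist(entries, devices, case_sensitive=True):
    """List entries that allow more devices under "starts with" than under "equals".

    Assumption: strings are compared as stored; pass case_sensitive=False if the
    deployment matches case-insensitively.
    """
    findings = []
    for entry in entries:
        key = _norm(entry, case_sensitive)
        exact, extra = [], []
        for dev in devices:
            ident = _norm(dev, case_sensitive)
            if ident == key:
                exact.append(dev)
            elif ident.startswith(key):  # an empty entry is a prefix of everything
                extra.append(dev)
        if extra:
            findings.append(Finding(entry, tuple(exact), tuple(extra)))
    return findings


def shadowed_entries(entries, case_sensitive=True):
    """Map each entry to the shorter entries that already cover it as a prefix."""
    keys = [(_norm(e, case_sensitive), e) for e in entries]
    shadowed = {}
    for key, entry in keys:
        covers = [other for k, other in keys if k != key and key.startswith(k)]
        if covers:
            shadowed[entry] = covers
    return shadowed


if __name__ == "__main__":
    for f in audit_whitelist(ENTRIES, DEVICES):
        print(f"{f.entry!r}: was {list(f.exact)}, now also {list(f.newly_allowed)}")
    for entry, covers in shadowed_entries(ENTRIES).items():
        print(f"{entry!r} is already covered by {covers}")
```

Entries reported by `audit_whitelist` are candidates for lengthening to the full identification string; entries reported by `shadowed_entries` no longer narrow anything while the shorter entry remains.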

 

3.   Known restrictions

SafeGuard PortProtector Client

·         Installing SafeGuard PortProtector client with elevated privileges (via GPO or application distribution systems) on Windows 2003 OS is not supported.

·         On some occasions, when running the SafeGuard PortProtector client upgrade process manually (and not via GPO), the reboot request message may not appear at the end of the upgrade process. It is important to reboot the machine once the upgrade process is completed, even in cases where the reboot request message does not appear.

·         When uninstalling the SafeGuard PortProtector client with MSI parameters, in order to suppress restart, the correct capitalization of the parameters must be maintained as follows: "/norestart REBOOT=ReallySuppress". Incorrect capitalization may result in an improper uninstall, which will not fully remove the client and will prevent future installations.

·         Certain security and anti-virus applications may block communication between the SafeGuard PortProtector client and the Management Server. In order to solve this issue, the 'SimonPro.exe' process must be allowed by these programs.

·         Installation of HP DeskJet 450 printers on machines protected by SafeGuard PortProtector client is not supported.

·         Upgrading any of the SafeGuard PortProtector components from localized versions to the English version (and vice versa) is not supported.

·         Upgrading from SP3 to SP7 is not supported. However, upgrades from SP6 to SP7 are supported.

·         When the SafeGuard PortProtector client installation is completed, assuming a restart was not required, user information will not appear within the client log files until a Windows 'log on process' is performed.

Removable Storage Encryption

·         Removable Storage Encryption is not supported for Kingston DataTraveler BlackBox on Windows Vista.

·         Since removable media encryption requires end user interaction, enforcing removable media encryption is not supported when the SafeGuard PortProtector Client is set to work in 'Stealth Mode'.

·         When encrypting an external hard disk with multiple partitions, only one partition is encrypted. If the policy is set to ‘encrypt’, the unencrypted partition will either be blocked or have a ‘read only’ access, according to the fallback action defined for unencrypted devices.

·         Formatting encrypted external hard disks through Windows Disk Management will generate two virtual volumes. To avoid this, use the 'Remove Encryption' option through the shell extension, and then format the external hard disk.

·         On rare occasions, after encrypting an external hard disk, a 'low disk space' warning will be shown. Note that this warning has no impact on product functionality.

·         Selecting the 'Backup and Restore Files' option in the Media Encryption Wizard will not back up empty folders and 0kb-size files.

·         On certain types of SD memory cards, encryption using the ‘Volume Encryption’ method cannot be removed once it is applied. To work around this issue, back up the data on the encrypted device and then format the device using an unprotected machine.

·         Encryption of SD memory cards is only supported when connecting the SD card using an external SD card reader (not a built-in card reader).

·         On rare occasions when accessing an encrypted SD memory card on an internal (built-in) card reader, the physical device will not be hidden and the SafeGuard shell extension for this device will not function properly. The Encrypted mounted volume will be displayed and function normally.

·         The 'Remove Encryption' capability is not supported for encrypted devices (USB flash drives) formatted with an exFAT/NTFS file system. In order to remove encryption on these devices, the device must be completely formatted.

·         On removable storage devices encrypted with 'Volume Encryption', deleting a file inside the encrypted virtual volume will not completely remove the file, but will move it to a hidden Recycle Bin on the device, which is also encrypted. The Recycle Bin folder can be seen by enabling "show hidden files and folders" in Windows Explorer.

·         Reading files from encrypted removable storage devices encrypted with 'Volume Encryption' is blocked, when the security policy for storage devices is set to 'Read Only', and the encryption settings in the security policy are set to 'Require Password Inside Organization'.

·         Reading files from storage devices encrypted with 'Volume Encryption' on machines with McAfee VirusScan 8.5 installed on them, may take a long time.

·         When the security policy is set to use the 'Volume Encryption' method, the use of U3 features and applications on encrypted devices is not supported.

·         In some cases, merging policies using different methods of removable storage encryption ('Volume' and 'Partition' methods) will prevent all devices from being encrypted. To avoid this issue, it is recommended that all policies in the organization use the same encryption method, defined in the ‘Global Policy Settings’.

·         When encrypting removable storage formatted with NTFS using 'Volume Encryption', the size of the encrypted volume will be 32 MB smaller than the size of the encrypted device. The remaining space is inaccessible to users, and data cannot be written to it.

·         In some cases, when switching the encryption method between 'Volume' and 'Partition', devices that were connected to the client during the policy update but were yet to be encrypted, can be used unencrypted until they are disconnected or the machine is restarted.

·         When changing the encryption method from 'Partition Encryption' to 'Volume Encryption', removable storage devices that were encrypted under 'Partition Encryption' can be used normally under 'Volume Encryption' as well, and there is no need to re-encrypt the devices. If, however, the user chooses to change the encryption method of the device itself, it is recommended to first back up the data on the device, then remove the encryption from the device, and finally re-encrypt the device in the new ‘Volume Encryption’ mode. Note that this procedure is not mandatory, and is required only in order to change the encryption mode of the device itself.

·         After changing the policy from the ‘Volume Encryption’ method to ‘Partition Encryption’, removable storage devices that were encrypted by ‘Volume Encryption’ will no longer be recognized as encrypted. In order to use these devices, the devices must be re-encrypted using 'Partition Encryption'.

·         When the encryption method is changed from 'Volume Encryption' to 'Partition Encryption', attempting to re-encrypt any storage devices that were connected to the computer during the policy update will fail, until the device is disconnected and reconnected.

·         The 'Backup & Restore Files' option in the Encryption Wizard does not back up or restore files which are blocked by the ‘File Type Control’ policy. When restoring the files on the device, none of the file types that were blocked according to the security policy will be restored. These files will remain in the Temp folder on the local client machine.

·         On Windows Vista machines, after updating a policy to require encryption, the encryption process of any devices connected to the computer during the policy update will fail until the device is reconnected. To work around this, simply disconnect and reconnect the device after updating the policy.

·         Removing encryption from devices that were encrypted using encryption keys from another organization, on machines with SafeGuard PortProtector Client is not supported, if the endpoint has more than two internal CD drives.

·         In order to encrypt ‘Hardware Encrypted’ storage devices using the SafeGuard PortProtector Client (two layers of encryption), it is required to first login to the device to open the Hardware Encryption before attempting to encrypt the device using SafeGuard PortProtector.

·         Disconnecting a device during the encryption process is not supported. To stop the encryption process, click “cancel” in the Media Encryption Wizard.

·         During the device encryption process, connecting another, already encrypted device to the machine is not supported.

·         When enforcing removable media encryption on Windows Vista the WPD service will be disabled. The service will be re-enabled when removing the encryption policy. The WPD service is related to Windows Portable Devices.

 

SafeGuard PortProtector Access Secure Data Utility

·         On rare occasions, trying to run the SafeGuard PortProtector Access Secure Data Utility on an external HD will trigger the following error message: "Please reconnect the device, automatic restart of device failed". To work around this issue, simply disconnect and reconnect the device.

·         In some cases, opening an encrypted volume from a U3 removable storage device on an unprotected computer, and with a user without administrative privileges, will fail on the first attempt. If this happens, simply try opening the volume again.

·         When using the SafeGuard PortProtector Access Secure Data Utility with the 'Volume Encryption' method and with a user that does not have local administrative rights, modifying files on the device is not supported.  In order to modify the files, one must first copy the files to the local computer and then make the changes locally and copy the file back to the device. 

·         When using the SafeGuard PortProtector Access Secure Data Utility with the 'Volume Encryption' method and with a user that does not have local administrative rights, attempting to paste a file to the same location where the file was copied from will result in deletion of that file, instead of duplicating it.

·         Running the Data Access Utility as an administrator on Windows Vista Home Edition (using the 'Run as Administrator' option in the right-click shell extension) is not supported.

·         Under the default configuration, Sophos AV 9.0 blocks the execution of the SafeGuard Data Access Utility when it is used by a user with administrative privileges. To work around this issue, change the Sophos AV configuration in the following way:

 

Under ‘Configure antivirus and HIPS -> on access scanning -> options -> advanced -> new advanced settings’, set ‘behavior malware’ to ‘0’.

 

·         Encrypted external hard drives with an NTFS file system cannot be accessed on unprotected Win2000 machines.

Novell Environments

·         On rare occasions, when logging off and then logging-on to the client machine in a Novell environment, the User Policy will not update until the next reboot is performed, or manually clicking the 'Update Policy' button.

·         In some cases when using SafeGuard PortProtector Client in a Novell environment, the 'Clients World' in the SafeGuard Management Console may display multiple instances of the client, with different host name suffixes. However, this behaviour does not affect agent functionality or security policies.

 

File Shadowing and File Type Control

·         Shadowing files with very long file names will fail, and will jam log traffic. This is due to a known Windows problem, where a user can rename a file with a very long file name and path (255 chars), but afterwards the file cannot be copied/moved. As a result, such files will generate duplicate logs (empty with initial filename, and another two for temp files), but will not be shadowed.

·         When ‘file shadowing’ is enabled on a CD/DVD, attempting to open media files directly from a CD/DVD using old versions of Windows Media Player, will cause the application to hang. Note that this issue is resolved for Windows Media Player version 10 and above.

·         When ‘File Logging’ is enabled in the security policy, opening of specific MS office files directly from CD/DVD media may be slightly slower than on other machines.

·         When enabling 'File Type Control' or 'File Shadowing’ functionality, modifying an MS Office file on a removable storage device will cause logs for that file to be sent under a temporary file name, rather than the actual file name. To open this file from the SafeGuard Management Console, it is required to change the extension of this file from .tmp to the relevant Microsoft Office extension. Copying, modifying and creating files with other applications will not cause this behaviour.

·         Some dictation device models may not work while 'File Type Control' is enabled. To enable such devices, add them to the device white list (according to their PID, VID, or serial number) and remove 'File Type Control' from the white list.

·         When overwriting a file on a removable storage device, while 'File Type Control' is defined to block the writing of that file type, the copy process will fail and the file on the removable device will be deleted.

·         On Windows Vista, when blocking ‘Write’ action of ‘Compressed Files’ or ‘Text Files' using the 'File Type Control' feature, duplicate logs will be received on the Management Console side. The first log indicates a blocked file (as expected) while the second log gives a false indication of an allowed file.

Other Components

·          White-listing of WiFi networks is not supported on Windows Vista/7. Applying a policy that restricts WiFi on a Vista/7 client will cause the WiFi adapters to be blocked.

·          Burning CDs with Nero 7 may cause multiple and redundant client logs. However, this does not affect the behaviour of the security policy or actions.

·          When restricting the WiFi port, all non-WZC WiFi connections will be blocked. A specific known issue with Cisco and TrendNet wireless network adapters (when using their client utility), enables accessing pre-configured WiFi networks even when the SafeGuard PortProtector policy restricts it. In these cases, we recommend changing the policy to 'Block' the WiFi port.

·          When blocking Key Loggers in the security policy, the keyboard functions of some specific models of PS/2 KVMs, and other PS/2 human-interface devices may not work properly. In addition, when switching between machines using the KVM, the first keystroke may be ignored. To avoid this, set the policy to ‘Allow’ on machines where these KVMs are used.

·          When Removable Storage Devices are restricted on Windows Vista, connecting a removable storage device to the machine will create a pop up message prompting the end-user to format the device.

·          On some occasions, when a forced shutdown of a machine occurs, one of the SafeGuard PortProtector Client log files may become corrupted. This will lead to a Missing Logs tampering event in the SafeGuard Management Console.

·          In some cases, when enforcing a ‘Restrict’ policy on CD/DVD media, users will still be able to read data from CD/DVD devices until the next machine reboot.

 

SafeGuard PortProtector Management Server

·          Installing the SafeGuard PortProtector Management Server on a Domain Controller is not supported. We recommend installing the SafeGuard PortProtector Management Server on a dedicated physical or virtual machine.

·          When installing the SafeGuard PortProtector Management Server or the SafeGuard PortProtector Management Console to a non-default installation path, attempting to use a path with more than 256 characters will result in an installation failure.

·          In cases where the SafeGuard PortProtector Management Server is installed with the internal MySQL database, during the DB backup process, a temporary DB dump file is created in the temp folder of the machine. In order to back up the DB using the SafeGuard PortProtector Management Console (either manual backup or scheduled backup), make sure that the temp folder on the SafeGuard PortProtector Management Server machine has a sufficient amount of free disk space. The required free space is twice the actual size of the DB.

·          If, during the installation process, a domain user that does not have a user profile on the local server machine (i.e. the user did not log in to the machine) is used for the server domain credentials, the domain service will fail to start following the SafeGuard PortProtector Management Server installation. Prior to the installation of the SafeGuard PortProtector Management Server, it is required to verify that the domain user that will be used for the SafeGuard PortProtector Management Server installation has a user profile on the server machine.

·          Some UI elements in the SafeGuard PortProtector Management Console are only partially visible when working with an 800x600-screen resolution or when using non standard DPI settings.  The recommended screen-resolution is 1024x768 and 96 DPI.

·          Network disconnections while using the SafeGuard PortProtector Management Console may cause an error message that will require restarting the SafeGuard PortProtector Management Console.

·         When changing the policy publishing method from 'Publish Policies Directly from Server to Clients' to ‘AD GPO’ without applying a machine policy, attempting to apply a user policy will bring the machine to an inconsistent state (in this case the client protection status shows "Error" and a log event of "Invalid Policy" will be received by the SafeGuard PortProtector Management Console). To avoid this, make sure to publish a policy via GPO to the SafeGuard PortProtector client prior to disabling direct policy publishing from the SafeGuard PortProtector Server.

·         Upgrading the SafeGuard PortProtector Management Console and Server from SP3 to SP7 is not supported. However, upgrades from SP6 to SP7 are supported.

 

4.   Download Links To Related Third Party Software

Before you can get full benefit from this SafeGuard product you may need some additional software, which is available for free download from third party vendors.

 

Adobe Reader 6.0 or higher

Necessary for reading files in PDF format, e.g. the user manual for this product.

Download: http://get.adobe.com/reader/