SafeGuard LAN Crypt 3.95.3 Client release notes

Requirements

The below listed platforms have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won´t be analyzed in case of occurring issues.

Compatibility with SafeGuard Enterprise

SafeGuard LAN Crypt 3.95.1 can be installed together with SafeGuard Enterprise 7.0.2 or 8.0.

Please note that SafeGuard LAN Crypt 3.95 cannot be used together with SafeGuard Enterprise Synchronized Encryption or the File Encryption module from SafeGuard Enterprise Location Based File Encryption. These features have to be removed before SafeGuard LAN Crypt can be installed. LAN Crypt can be used together with the Data Exchange (DX) and Cloud Storage (CS) modules from SafeGuard Enterprise.

Upgrade

LAN Crypt clients version 3.71.64 or newer can be upgraded to version 3.95.1 on the supported platforms.

Windows 10 Support

When an upgrade to Windows 10 is done or a feature update is applied to Windows 10 (e.g. update from RS2 to RS4), all data stored in the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Utimaco will be removed.

After applying the current group policies to the client, these registry settings will be configured again. If there were some custom settings made in this registry hive, these settings have to be manually applied after the Windows 10 upgrade has finished.

New in SafeGuard LAN Crypt Release 3.95.3

• Windows 10 RS3/RS4 Support
• Windows Server 2016 Support
• Integration of bugfixes

This patch requires the SafeGuard LAN Crypt Client 3.95.1 to be installed.

New in SafeGuard LAN Crypt Release 3.95.2

This Client Patch addresses some security issues with SafeGuard LAN Crypt 3.95.1, which theoretically could be used to obtain local privilege escalations. It also contains all previously released hotfixes for SafeGuard LAN Crypt 3.95.1, which solve several smaller issues.

For more information, refer to Windows Client Patch 1804 for SafeGuard products.

We recommend that you install the latest Windows security patches on your clients before installing the SafeGuard client security patch. For clients running Windows 7, you must install all Windows security patches first.

This patch requires the SafeGuard LAN Crypt client 3.95.1 to be installed.

New in SafeGuard LAN Crypt Release 3.95.1

• Windows 10 Creators Update Support
• Integration of bugfixes

Known Issues

• Citrix Terminal Server
• Client Drive Redirection
  Encryption of files on client drives mapped on a Citrix Terminal Server is not supported and these drives will be ignored by the SafeGuard LAN Crypt encryption filter driver.
• Streamed applications not supported
  Citrix application streaming is not supported.
• Virus scanners
• Virus scanner services
  Virus scanner services need to be explicitly allowed to have access to encrypted files in order to be able to find viruses inside.

o    Tested virus scanners
The following virus scanners have been tested with the SafeGuard LAN Crypt Client:

o    Configuration of other virus scanners (not tested with this release):

• Known issues
• There is an issue with Sophos Anti-Virus that may cause encrypted files to be locked (either only for write or for read and write access). This is caused by a timing issue of Sophos Anti-Virus if the on-access scanning level is set to 'intensive'.
• There is an issue with Sophos Anti-Virus that may lead to damaged Microsoft Office documents when saving them in a folder that is made available when offline (“OfflineFolder”). To avoid this issue please configure the Sophos Anti-Virus on-access scanner to exclude the folder “C:\Windows\CSC”.
• On a SafeGuard LAN Crypt Client in combination with Symantec Endpoint Protection 11 and Office 2003 a BSOD may occur when a document is saved on an USB stick. With Symantec Endpoint Protection 11.0.5 (11.0.5002.333) the BSOD does not occur.
• After receiving a new virus scanner executable via the policy file, the client has to be rebooted.
• If McAfee Endpoint Security 10.2 and SafeGuard LAN Crypt 3.95 are installed on the same machine, Windows 7 clients stop booting with a pulsating windows logo.
• If TrendMicro AntiVirus+ and SafeGuard LAN Crypt 3.95 are installed on Windows 7, it may happen that the LAN Crypt profile cannot be loaded. As a workaround, the folder for the policy file cache (default "%LOCALAPPDATA%\Utimaco\SafeGuard LAN Crypt\Local Policy Cache") must be excluded from the virus scan.
• DFS
• Domain-based DFS
  In a domain-based DFS, you can access the DFS either via the server name or via the domain name.
  The encryption rules must always be created in the same way as used to access DFS.
  If the DFS is accessed via the server name, the encryption rule must be based on a server name. If DFS is accessed via the domain name, the rule must be domain name based.
  If you want to access the DFS both ways, you must define two encryption rules, one with the domain name and one with the server name.
  e.g.:
  Y: is mapped to \\DOMAIN\DFSROOT
  Encryption rule:
  Y:*.*
  or
  \\DOMAIN\DFSROOT*.*
  Z: is mapped to \\SERVER.DOMAIN\DFSROOT
  Encryption rule:
  Z:*.*
  or
  \\SERVER\DFSROOT*.*
• Nested DFS links
  Nested DFS links (DFS links to other DFS links or DFS roots) can be used but encryption rules must not include a physical path to the DFS link and there are some known problems in combination with persistent encryption. When copying an encrypted file to a plain folder it may become decrypted. When moving encrypted files to an ignored/excluded folder it may stay encrypted.
• Rules using IP address not supported
  it is not possible to use rules for DFS that contain the IP address of the server hosting the DFS share.
• DFS and persistent encryption
  When copying encrypted files to ignored or excluded folders on DFS drives they may not be stored decrypted.
• Viewing folders in Windows Explorer
  Viewing folders on a DFS share cause problems that either the display takes very long or the folder selection jumps to the root folder after a while.
  In this case the following registry value can be set:
  [HKEY_LOCAL_MACHINE\Software\Policies\Utimaco\SGLANCrypt\LCShellx]
  IgnoreBuildInOverlayIcons=dword:00000001
  A reboot is necessary to activate the change. Afterwards the Windows overlay icons for shared folders and links are not displayed if a SafeGuard LAN Crypt overlay icon is displayed.
• Network Attached Storage (NAS) devices
  In general, SafeGuard LAN Crypt will operate with network shares hosted on NAS devices. If it is planned to use a NAS device, Sophos recommends the execution of intensive tests prior to using SafeGuard LAN Crypt in a productive environment.
  However, due to various SAMBA implementations and versions, not every NAS device will act like a Windows Server. Protocol variations are possible and therefore a few special cases might not work properly in combination with SafeGuard LAN Crypt; for example, a user’s “my documents” folder might not be encrypted on a filer share. Therefore Sophos does not guarantee that encrypted file shares on NAS devices will work in every condition and only provides limited support in cases where issues arise.
• Volume mount points
  SafeGuard LAN Crypt does not support volume mount points. (An encryption rule for a directory that is a volume mount point will not work.)
  The same is true for virtual drives generated with the SUBST.exe command.
• EFS encryption and NTFS compression
  SafeGuard LAN Crypt encrypted files cannot be (additionally) EFS encrypted or NTFS compressed.
  It is possible to EFS decrypt (provided that the EFS key is available) and/or NTFS decompress files during initial encryption.
• NTFS rights
  While Windows is able to create new files or copy files to a folder where the NTFS rights
  - Traverse Folder / Execute File
  - List Folder / Read Data
  - Read Attributes
  - Read Extended Attributes
  - Create Files / Write Data
  - Read Permissions
  are granted to a user, the following additional rights have to be granted if there is an encryption rule on a folder:
  - Create Folders / Append Data
  - Write Attributes
  - Write Extended Attributes
• Backup programs
  Backup programs should be configured as unhandled applications. If you do this, the files will retain their encryption state after a restore. The backup applications from Windows 7 and higher are automatically treated as unhandled application.
  The backup target files themselves must not be encrypted, because they cannot be restored by the backup application as it does not decrypt the backup files. Because the files included in the backup are already encrypted, it is not necessary to encrypt the backup target files itself.
• Configuration data
  Because the client reads the configuration data from the Registry during the boot and login process, you may need to reboot the PC to include any changes to this data.
• SafeGuard Enterprise Data Exchange
• Profile without key causes problem with SafeGuard Enterprise DX
  There is a known problem when SafeGuard LAN Crypt and SafeGuard Enterprise Data Exchange are installed. If a SafeGuard LAN Crypt profile without a key is loaded, it is not possible to open or create new files that are SafeGuard Enterprise DX encrypted.
  Workaround: Instead of providing an empty dummy profile for users who shall not encrypt data using SafeGuard LAN Crypt, please disable the error message that no profile was found (“SilentMode”) using a group policy.
• Default Ignore Rules not active after user logon with SafeGuard Enterprise DX
  Please note that SafeGuard Enterprise Data Exchange suppresses SafeGuard LAN Crypt Default Ignore Rules after user logon, even if no SafeGuard LAN Crypt user profile is loaded. The Default Ignore Rules are active during system boot but as soon as the user logs on to the system and SafeGuard Enterprise DX is active they become disabled. This is always the case, even if there are no DX policies.
• SafeGuard Enterprise DX Encryption Wizard
  If the encryption priority is changed from SGLC to SGNDX, after the next reboot the SafeGuard Enterprise DX encryption wizard starts to re-encrypt files on removable media which were encrypted by SafeGuard LAN Crypt before. This operation fails, because the SafeGuard LAN Crypt keys are not loaded at this time.
  After the SafeGuard LAN Crypt profile was loaded, the re-encryption is possible.
• SafeGuard PrivateDisk
  SafeGuard LAN Crypt cannot be used to encrypt SafeGuard PrivateDisk volume files (*.vol).
• CD burning
• Burning encrypted CDs with Windows Explorer built-in mechanism
  To create a CD with SafeGuard LAN Crypt encrypted files, use a separate burning application that you must add to the list of unhandled applications. All encrypted files remain encrypted if you now burn them onto a CD.
  As the Windows native burning tool is implemented as an Explorer Extension, you cannot use this tool for creating encrypted CDs (you would have to specify Explorer as an unhandled application, which has a huge number of unwanted side effects).
• Known problem with Nero InCD
  There is an issue with Nero InCD and Office 2003 together with SafeGuard LAN Crypt when encryption rules are set for the CD drive. If an Office 2003 file is stored on the CD a BSOD may occur during processing the file (e.g. open, save).
• Certificates
  User and administrator certificates must be located in the current user’s certificate store. Certificates located in the local computer’s certificate store cannot be used for SafeGuard LAN Crypt.
• Windows 7 and higher
• Folder overlay icons
  Overlay icons for folder icons in the left-hand tree-view are sometimes missing.
• No key column in Explorer
  It is no longer possible to have a column added in Explorer that shows key names or GUIDs for encrypted files.
• Offline files
  On some machines it may happen that some encrypted offline files are not accessible in offline mode.
  To avoid this problem please disable indexing of offline files.
• UAC dialog on not accessible encrypted files
  If an encrypted file is renamed or deleted and the corresponding key is not available in the SafeGuard LAN Crypt profile, a User Account Control dialog is shown because the file is not accessible.
  Providing credentials of an administrator does not allow the file operation in this case, because even as administrator the file cannot be modified as the proper key is not available.
• Offline Folders
  If Windows Offline Folders are used it may happen that not all files get synchronized if SafeGuard LAN Crypt is installed. Subsequent synchronization requests should complete the synchronization.
  If the default location of the offline folder cache (usually C:\Windows\CSC) is changed, an ignore rule should be set on this folder (e.g. D:\CSC).
• Known problem with crypto.sys
  The driver crypto.sys is shipped with different products, like SafeNet Netscreen Remote, SafeNet VPN and others. There is a known problem with this driver that can lead to a BSOD.
• Multiple smartcard PIN entries
  When SafeGuard LAN Crypt is used together with certain smartcard middlewares, e.g. Nexus Personal Edition 4.0.1, it may happen that the user has to enter the smartcard PIN multiple times.
• Compatibility issues with Microsoft SharePoint
  Downloading documents from a SharePoint server may fail if there is an encryption rule set on the folder containing the temporary internet files.
• Restricted support of short path names
  Following restrictions exist in relation to short path names:
  The path used in the encryption rule must exist at profile load time (except paths on shares)
  The path used in the encryption rule must not be renamed after the profile was loaded, otherwise it may happen that the short path name will not work anymore on this path
  Only for absolute path rules the short path name is also handled (relative path rules are only considered in the way they are entered during profile creation)
• Encrypted applications on network shares
  If an executable file is started which is stored encrypted on a network share, it may happen that the file remains to be used, even if the application is no longer running.
  To replace such files it is necessary to rename the existing executable file at first and then copy the new file.
• User elevation for encrypted executables
  If an encrypted executable or installation package is started and requires a user elevation in Windows 7 or higher, it may happen that the elevation doesn’t take place and the executable is not started.
• Profile expiration
  If the folder where the SafeGuard LAN Crypt user profiles are stored is made available for offline access, the profile expiration will not work if there is no network connection available.
• Deletion of files using psexec.exe
  SafeGuard LAN Crypt prevents the deletion of files which are encrypted and the user is not in possession of the proper key. However if psexec.exe is used to connect to a machine where SafeGuard LAN Crypt is installed, it is possible to delete encrypted files without having the proper key. Opening encrypted files is not possible in such a way.
• Encryption rules on %USERPROFILE%\AppData\Roaming
  Setting encryption rules on %USERPROFILE%\AppData\Roaming may result in several error situations, as some of these files (e.g. desktop background image) are already accessed by Windows at a very early logon stage where the SafeGuard LAN Crypt profile is not yet loaded.
  In general it is not recommended to encrypt files in this folder. Encryption will only work for files which are accessed after the SafeGuard LAN Crypt profile was loaded.
• Multiple rules for the same target
  If more than one rule is defined for the same target path (e.g. rule 1 for x:\*.*, rule 2 for y:\*.*, x: and y: are both mapped to the same share), only the first matching rule according to the current rule sort order is applied.
• Missing overlay icons
  The number of different overlay icons is limited by Windows, so if another application is installed which also uses overlay icons (e.g. SharePoint extension in Microsoft Office) the SafeGuard LAN Crypt overlay icons may disappear.
  Please see the following knowledgebase article how you can enable the overlay icons again: http://www.sophos.com/en-us/support/knowledgebase/108784.aspx
• When a shortcut to an web page is right clicked, no SafeGuard LAN Crypt entry is visible in the Explorer context menu.
• Rules using IP addresses (v4/v6) will only match if the network share was mapped using the IP address. There is no DNS resolving done in the filter driver, so when the very same network share is mapped using the server name, the rule will not match.
• Verification of the encryption status using the Initial Encryption Wizard
• Encrypted files for which the user has no key are counted as "failed to open" instead of "already encrypted".
• Encrypted files which are encrypted with an algorithm which is not the current configured one (e.g. encrypted with XTS-AES, but configured is CBC), are reported as "Encrypted with another key" instead of "Encrypted with another algorithm". 
• Encryption of VHD (Virtual Hard Disk) and WIM (Windows Imaging Format) files is not supported.
• Microsoft Virtual Desktop Infrastructure is not supported.
• Client API
• The location of the client API has changed from <Program Files (x86)>\Sophos\SafeGuard Shared to <Program Files (x86)>\Sophos.
• Installation of the Client API fails on Windows 7 64-bit if Sophos Endpoint 11.5 (managed by Central) is also installed on the same machine
• Paths which are longer than 520 characters are not supported.
• If features are added or removed from an existing installation, a warning dialog is displayed that this operating system is not supported. This dialog can be ignored.