Release Notes & News

Safeguard Enterprise: File Encryption Engine updates for versions 8.10 / 8.20 / 8.30

2021-06-24T00:27:00Z

Hello Community, With the introduction of the mini file filter driver, which is part of SafeGuard Enterprise as of version 8.10, Sophos provides regular File Encryption Engine updates that just contain improved filter drivers. These updates are prov...(read more)

SafeGuard Enterprise- SafeGuard Client v8.3.1 (Mac only) / macOS 11 support released

2021-01-06T15:50:00Z

Hi Community, Sophos SafeGuard File Encryption for Mac v8.3.1 and Sophos SafeGuard Device Encryption for Mac v8.3.1 has been released which adds platform support for macOS 11(Big Sur)This release is supported on the following platform...(read more)

SafeGuard Enterprise – Added platform support for Windows 10 version 2009 / 20H2

2020-12-03T22:50:00Z

Hello Community, Overview The SafeGuard Clients 8.00.6.2, 8.10.2.55, 8.20.0.83 and 8.30.0.76 have been successfully tested on the latest Windows 10 feature release version 2009 a.k.a. 20H2 and are now officially supported. Applies to the following S...(read more)

SafeGuard File Encryption: Engine build 32 for SafeGuard 8.1.x / 8.2.x / 8.3.x

2020-06-25T14:28:00Z

Overview

With the introduction of the mini file filter driver, which is part of SafeGuard Enterprise as of version 8.10, Sophos provides regular File Encryption Engine updates that just contain improved filter drivers. These updates are provided as Windows Installer Patch files (*.msp) to allow an easy installation and deployment. As these updates are cumulative, Sophos recommends using the latest version.

In this KBA you can download build version 32 of the filter driver engine. An overview of all File Encryption Engine Updates is available here.

The following sections are covered:

Applies to the following Sophos products and versions
SafeGuard Synchronized Encryption 8.1
SafeGuard Synchronized Encryption 8.2
SafeGuard Synchronized Encryption 8.3
SafeGuard File Encryption 8.1
SafeGuard File Encryption 8.2
SafeGuard File Encryption 8.3
SafeGuard Data Exchange 8.1
SafeGuard Data Exchange 8.2
SafeGuard Data Exchange 8.3

Resolved issues (new in File Encryption Engine build 32)

Reference	Symptom / Summary
DPSGN-15562	Adobe InDesign fails to save / open documents on a network share covered by an encryption rule
DPSGN-15340	SafeGuard 8.10 clients sporadically lock GPO
DPSGN-15613	Performance improvements in combination with SolidWorks (requires additional configuration)
DPSGN-15659	Windows Defender update might fail as long as minifilter is active
DPSGN-15715	Using SGPortable on Clients with File Encryption Engine build 31 might cause issues

Resolved issues (already part of File Encryption Engine build 31)

Reference	Symptom or Summary
DPFEE-1173	Local cache corruptions during an update to Windows 10 October 2018 update (W10 version `1809`)
DPSGN-14307	Explorer performance issues in combination with cached files from Windows Quick Access
DPSGN-14462	Increased saving time for files located on network locations (specific applications).
DPSGN-14525	Access rights issues when running specific applications.
DPSGN-14639	`Bluescreen Bugcheck 0x3b (SYSTEM_SERVICE_EXCEPTION)` on Windows 10 version `1809` endpoints
DPSGN-14511	Performance improvements (boot and runtime)
DPSGN-14853	Cannot open encrypted Quickbooks project (other applications potentially affected as well), when SafeGuard File Encryption filter driver is active.
DPSGN-14771 DPSGN-14806 DPSGN-14842	Several boot performance improvements.
DPSGN-14995	High performance impact when accessing files on network shares which are not covered by an encryption rule (requires BypassFilesWithoutPolicyVolumes registry key - see KB133022 for details).
DPSGN-14945	User is unable to save file certain file types (e.g. docx, xlsx).
DPSGN-14987 DPSGN-15016	User gets file in use error when opening or saving xlsx files on network location.
DPSGN-14513	License check of 3rd party application (Dataflex) fails - (requires BypassFilesWithoutPolicyVolumes registry key)
DPSGN-14856 DPSGN-15051	File Encryption driver slows down Windows explorer and search operations on network shares.
DPSGN-15186 DPSGN-15188 DPSGN-15189 DPSGN-15190	Important security fixes and improvements.
DPSGN-15245	Files located on a WebDAV share, occasionally cannot be deleted when file encryption minifilter is active.
DPSGN-15014	Compatibility improvements (requires additional registry modification)
DPSGN-15265	System might become unresponsive after re-inserting an encrypted optical media
DPSGN-15261	SGPortable.exe (and msvcr71.dll and msvcp71.dll) get encrypted by initial encryption
DPSGN-15241	SafeGuard Services not running after update to Windows 10 version 1903 (19H1). This only affects installations of File Encryption Engine build 26.
DPSGN-15209	Compatibility improvement for Sophos Central Intercept X with EDR.
DPSGN-15267	Potential file corruptions when creating PDFs from Catia (Dassault Systèmes).
DPSGN-15306	File encryption filter removes SmartScreen block functionality from file properties.
DPSGN-15338	Sporadic file corruptions when storing XLS files using Microsoft Office 2003 or 2007
DPSGN-15014	Generic improvements to prevent file locks during shutdown/restart.
DPSGN-15436	Deleted encrypted files occasionally cannot be recovered and show huge size in recycle bin
DPSGN-15441	Bluescreen / BSOD (Bugcheck 0xd4) on endpoints with Xerox Docushare software installed
DPSGN-15431	Windows subsystem for linux no longer working (lxssmanager does not start) on Windows 10 version 1903 (19H1)
DPSGN-15454	Bluescreen / BSOD SYSTEM_SERVICE_EXCEPTION (`Bugcheck 0x3b`) when drag and drop is used for attachments (from MS Outlook to an encrypted folder)
DPSGN-15468, DPSGN-15472, DPSGN-15471, DPPSGN-15462	3rd party software compatibility fixes for issues introduced in File Encryption Engine build 29
DPSGN-15383	Opening encrypted docx / xlsx files may change timestamp (date changed)
DPSGN-15553	Printing on remote printer (from Homeoffice) not working when minifilter is active

Download and installation

The installers for version 8.10.x (separate msp files for 32 and 64bit) can be obtained from this download link.

The installer for version 8.20.x / 8.30.x (one msp file which can be applied to all versions) can be obtained from this download link.

Installation for 32-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 32.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 32.msp"
Reboot the endpoint for the changes to take effect

Installation for 64-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 32_x64.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient_x64.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 32_x64.msp"
Reboot the endpoint for the changes to take effect

How to verify if the patch is applied

After the installation, you can see the new File Encryption Engine in the Installed Updates section of Programs and Features.

As this package just contains new filter drivers and no other products components, this update does not change the version or build number of the installed SafeGuard Client. In the SafeGuard Management Center as of version 8.20, the file filter engine version of this update (3.0.0.45) is also listed in the installed features list of the Client.

Related information

SafeGuard File Encryption: Engine build 31 for SafeGuard 8.1.x / 8.2.x / 8.3.x

2020-03-06T09:49:00Z

Overview

With the introduction of the mini file filter driver, which is part of SafeGuard Enterprise as of version 8.10, Sophos provides regular File Encryption Engine updates that just contain improved filter drivers. These updates are provided as Windows Installer Patch files (*.msp) to allow easy installation and deployment. As these updates are cumulative, Sophos recommends using the latest version.

In this KBA you can download build version 31 of the filter driver engine. An overview of all File Encryption Engine Updates is available here.

Applies to the following Sophos products and versions
SafeGuard File Encryption 8.3
SafeGuard File Encryption 8.2
SafeGuard File Encryption 8.1
SafeGuard Synchronized Encryption 8.1
SafeGuard Synchronized Encryption 8.2
SafeGuard Synchronized Encryption 8.3
SafeGuard Data Exchange 8.1
SafeGuard Data Exchange 8.2
SafeGuard Data Exchange 8.3

Resolved issues (new in File Encryption Engine build 31)

Reference	Symptom / Summary
DPSGN-15383	Opening encrypted docx / xlsx files may change timestamp (date changed)
DPSGN-15553	Printing on remote printer (from Homeoffice) not working when minifilter is active

Improvements

This File Encryption Engine update adds File Header Caching, to improve performance (enabled by default).

Resolved issues (already part of File Encryption Engine build 30)

Reference	Symptom or Summary
DPFEE-1173	Local cache corruptions during an update to Windows 10 October 2018 update (W10 version `1809`)
DPSGN-14307	Explorer performance issues in combination with cached files from Windows Quick Access
DPSGN-14462	Increased saving time for files located on network locations (specific applications).
DPSGN-14525	Access rights issues when running specific applications.
DPSGN-14639	`Bluescreen Bugcheck 0x3b (SYSTEM_SERVICE_EXCEPTION)` on Windows 10 version `1809` endpoints
DPSGN-14511	Performance improvements (boot and runtime)
DPSGN-14853	Cannot open encrypted Quickbooks project (other applications potentially affected as well), when SafeGuard File Encryption filter driver is active.
DPSGN-14771 DPSGN-14806 DPSGN-14842	Several boot performance improvements.
DPSGN-14995	High performance impact when accessing files on network shares which are not covered by an encryption rule (requires BypassFilesWithoutPolicyVolumes registry key - see KB133022 for details).
DPSGN-14945	User is unable to save file certain file types (e.g. docx, xlsx).
DPSGN-14987 DPSGN-15016	User gets file in use error when opening or saving xlsx files on network location.
DPSGN-14513	License check of 3rd party application (Dataflex) fails - (requires BypassFilesWithoutPolicyVolumes registry key)
DPSGN-14856 DPSGN-15051	File Encryption driver slows down Windows explorer and search operations on network shares.
DPSGN-15186 DPSGN-15188 DPSGN-15189 DPSGN-15190	Important security fixes and improvements.
DPSGN-15245	Files located on a WebDAV share, occasionally cannot be deleted when file encryption minifilter is active.
DPSGN-15014	Compatibility improvements (requires additional registry modification)
DPSGN-15265	System might become unresponsive after re-inserting an encrypted optical media
DPSGN-15261	SGPortable.exe (and msvcr71.dll and msvcp71.dll) get encrypted by initial encryption
DPSGN-15241	SafeGuard Services not running after update to Windows 10 version 1903 (19H1). This only affects installations of File Encryption Engine build 26.
DPSGN-15209	Compatibility improvement for Sophos Central Intercept X with EDR.
DPSGN-15267	Potential file corruptions when creating PDFs from Catia (Dassault Systèmes).
DPSGN-15306	File encryption filter removes SmartScreen block functionality from file properties.
DPSGN-15338	Sporadic file corruptions when storing XLS files using Microsoft Office 2003 or 2007
DPSGN-15014	Generic improvements to prevent file locks during shutdown/restart.
DPSGN-15436	Deleted encrypted files occasionally cannot be recovered and show huge size in recycle bin
DPSGN-15441	Bluescreen / BSOD (Bugcheck 0xd4) on endpoints with Xerox Docushare software installed
DPSGN-15431	Windows subsystem for linux no longer working (lxssmanager does not start) on Windows 10 version 1903 (19H1)
DPSGN-15454	Bluescreen / BSOD SYSTEM_SERVICE_EXCEPTION (`Bugcheck 0x3b`) when drag and drop is used for attachments (from MS Outlook to an encrypted folder)
DPSGN-15468, DPSGN-15472, DPSGN-15471, DPPSGN-15462	3rd party software compatibility fixes for issues introduced in File Encryption Engine build 29

Download and installation

The installers for version 8.10.x (separate msp files for 32 and 64bit) can be obtained from this download link.

The installer for version 8.20.x / 8.30.x (one msp file which can be applied to all versions) be obtained from this download link.

Installation for 32-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 31.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 31.msp"
Reboot the endpoint for the changes to take effect

Installation for 64-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 31_x64.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient_x64.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 31_x64.msp"
Reboot the endpoint for the changes to take effect

How to verify if the patch is applied

After the installation, you can see the new File Encryption Engine in the Installed Updates section of Programs and Features.

As this package just contains new filter drivers and no other products components, this update does not change the version or build number of the installed SafeGuard Client. In the SafeGuard Management Center as of version 8.20, the file filter engine version of this update (3.0.0.38) is also listed in the installed features list of the Client.

Related information

Impact of LDAP Channel Binding and LDAP Signing Requirements on SafeGuard Enterprise

2020-01-20T19:03:00Z

Hi Community,

In March 2020 Microsoft plans to release a security update on Windows Update that by default enables LDAP channel binding and LDAP signing hardening changes for Active Directory.
Details and technical background of these changes are described in the Microsoft articles linked in the related information section of this KBA.

When the security settings are enabled and the pre-conditions are not met, especially if SafeGuard Server and computers running the SafeGuard Management Center are not updated with the required Microsoft Security Updates (see CVE-2017-8563), the SSL directory authentication does not work any longer.

For SafeGuard this means that,

the Active Directory synchronization may fail with the error "The user name or password is incorrect.".
Creating a new Directory connection, using SSL, may fail with the error message "The connection to the requested directory failed. Additional info: The user name or password is incorrect.".
Setting up the LDAP Authentication in the Management Center Wizard may fail with the error message "The connection to the requested directory failed. Additional info: The user name or password is incorrect.".

Example error messages:

What to do

Ensure that all involved computers are patched with the relevant Microsoft security update for CVE-2017-8563.

Alternatively you can:

Disable SSL for the AD connection in the SafeGuard Management Center (not recommended).
Disable this security setting to switch back to the previous behavior (not recommended).
To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero). Details are described in the Microsoft articles, linked in the related information section of this KBA.

Related information

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Note: Information above taken from KBA 135029

Safeguard Enterprise v8.30 Release Notes

2019-11-28T17:14:00Z

Hi Community,

Safeguard Enterprise v8.30 has been released.

Note: This version supports Mac OS 10.15 (Catalina).

Requirements

Platforms supported	Recommended available disk space	Recommended minimum RAM
SafeGuard Client (Windows)
Windows 8.1 Pro, Enterprise Edition	100MB	2GB*
Windows 10 RS3, Windows 10 RS4, Windows 10 RS5, Windows 10 19H1, Windows 10 19H2 Pro, Enterprise, Education Windows 10 Enterprise 2015 LTSB, Windows 10 Enterprise 2016 LTSB, Windows 10 Enterprise LTSC 2019	100MB	2GB*
SafeGuard Client (Mac OS X)
Mac OS High Sierra (OS X 10.13)	100MB	4GB*
Mac OS Mojave (OS X 10.14)	100MB	8GB*
Mac OS Catalina (OS X 10.15)	100MB	8GB*
SafeGuard Management Center
Windows 8.1 Pro, Enterprise Edition	1GB	1GB*
Windows 10 RS3, Windows 10 RS4, Windows 10 RS5, Windows 10 19H1, Windows 10 19H2 Pro, Enterprise, Education Windows 10 Enterprise 2015 LTSB, Windows 10 Enterprise 2016 LTSB, Windows 10 Enterprise LTSC 2019	1GB	1GB*
Windows Server 2012 / Server 2012 R2	1GB	2GB*
Windows Server 2016	1GB	2GB*
Windows Server 2019	2GB	4GB*
SafeGuard Enterprise Server
Windows Server 2012 / Server 2012 R2	1GB	2GB*
Windows Server 2016	1GB	2GB*
Windows Server 2019	2GB	4GB*

Windows Small Business Server and Windows Server Essentials are not supported.

* Not all of this memory is used by SafeGuard Enterprise.

Windows (Client and Backend)

Client

Internet Explorer Version 10 or higher
Supported Web browsers for password encrypted files are MS Internet Explorer 11, MS Edge (Windows), Chrome (Windows, Android, OS X), Firefox (Windows, Android, OS X) and Opera (Windows, Android, OS X)
.NET Framework 4.5

Server/Management Center

.NET Framework 4.5
Internet Explorer Version 10 or higher

SafeGuard Database

The supported SQL Server versions can be found here.

Noticeable Changes / New Features

Added support for macOS 10.15 (Catalina)
Added support for Windows 10 November 2019 Update (also known as Windows 10 19H2, Windows 10 version 1909)
Encryption keys of a machine with a Sophos endpoint that supports reporting a health state, can now also be automatically removed when using Location Based Encryption.
It is now possible for a security officer that has been promoted from Active Directory to authenticate and allow an action when additional officer authentication has been defined.
The “About” box now shows the installed modules and the versions of the driver and the modules.
BitLocker Password Protector can now also be configured as primary logon method.
Changes in the HTML5 Wrapper (“Password Protect a File”)
- Supports putting more than one file in one HTML5 encrypted file
- Password rules are now displayed
- Support for Safari
OpenSSL components are upgraded to version 1.1.1
Bitlocker Challenge/Response module has been removed
Improved Outlook Add-In (32bit MS Outlook only)

Known Issues

SafeGuard Management Center

There are some GUI layout problems on machines configured for resolutions other than 96 DPI.
Management Console log events may not be created when calling similar functionality concurrently via the SafeGuard API.
Clients which have been registered as members of a domain, will not be updated properly in the SafeGuard Management Center, if they are moved to a Windows Workgroup.
Starting a new remote desktop session to a computer where a Management Center or Server upgrade is in progress will cause the upgrade to fail. The new remote desktop session will execute RunOnce registry entries to delete the Local Cache and the SafeGuard registry entries.
User auto-registration of SafeGuard 6.0 Clients.
When the SafeGuard Client has version 6.0 and users log on using the format name@domain or domain\name, then auto-registration of these users leads to a problem with the Active Directory synchronization later. Instead of moving the auto-registered user to the correct organizational unit, the Active Directory synchronization instead will generate a duplicate user object. This issue can be solved by importing new users into the Management Center before they do their first logon on the Client. Another workaround would be to correct the pre-Windows 2000 user name of the user in the auto-registered folder in the Management Center (via Context Menu > Properties). If a duplicate user object already exists, the one imported from Active Directory should be deleted.
When the database schema is automatically upgraded during the first start of an upgraded Management Center, a backup is created. If there is an automatic backup scheduled, this needs to be adapted again afterwards. DPSGN-4728
File Encryption policies still offers <Program Files> as placeholder, this is in there for compatibility reasons with older clients, but will no longer have an effect for SafeGuard 8.1 or newer Clients. DPSGN-13725

SafeGuard Enterprise Server

A reboot is required before re-installing the SafeGuard Server
Although there is no explicit message to do so, a reboot is required after uninstalling SafeGuard Server components and before reinstalling them. (DEF49516)
The method CreateDirectoryConnection does not run on a SafeGuard Server alone. The machine must also have the SafeGuard Management Console installed for this API.
Slow upgrade process of SafeGuard Server and Management Center. DPSGN-3884
The upgrade of the SafeGuard Server and Management Center may take a long time. Do not cancel or interrupt the upgrade process.
When using Internet Explorer on a Server 2016 / 2019 to open the WebHelpDesk Website, it needs to be ensured that https://<servername>" and/or "https://<server IP>" are added to the "Trusted sites".

SafeGuard Data Exchange Client

Not all options are shown when operating a device as Portable Device.
When operating a removable media in Portable Device mode, some of the options of SafeGuard DX are not available in Windows Explorer. Overlay icons indicating a file's encryption status are missing as well as the menu option introduced by SafeGuard DX in a file's context menu. Nevertheless any applicable encryption policy is enforced for files that reside on the removable device, regardless whether it is referenced via the Portable Device tree or the assigned drive letter.
User elevation for encrypted executable.
If an encrypted executable or installation package is started and requires a user elevation, it may happen that the elevation doesn't take place and the executable is not started.
Access to key ring after closing a remote session (RDP).
A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access to the key ring.

SafeGuard Synchronized Encryption

SafeGuard Outlook Add-in: When sending more than one encrypted file (for example, textfile.txt and spreadsheet.xls) the file contents could get interchanged. The Texfile.txt includes the Excel content and spreadsheet.xls includes the textfile content. DPSGN-7503
This issue can be avoided by installing the recommended MS Office Updates.
Update for Microsoft Outlook 2010 (KB3114570) 32-Bit Edition --> Microsoft Outlook 2010 (14.0.7165.5000) SP2 MSO (14.0.7165.5000).
Update for Microsoft Outlook 2010 (KB3114756) --> Microsoft Outlook 2010 (14.0.7166.5000) SP2 MSO (14.0.7166.5000).
Under certain circumstances the Outlook Add-In might take to long to load and automatically gets disabled by Outlook.
Files do not get encrypted when uploaded using the Send to Dropbox option of the context menu. This happens, because the application that performs the upload (Dropbox.exe) is configured as ignored application and therefore the file encryption status does not change. DPSGN-6326
Defining web browsers as in application is not recommended. Because of the variety of existing browsers and their plugins this might cause compatibility issues. DPSGN-9673
Encryption of files fails in a OneDrive synchronization folder if a new file is created using the Windows Explorer Extension (for example, right mouse click|New|Microsoft Word Document|). DPSGN-6091
Using ZIP files in Office documents.
If a ZIP archive included in an encrypted Office Document, is moved out of the document it will contain plain files, regardless of encryption policy. Reason: When a ZIP file is drag and dropped into, for example MS Word, then the ZIP file will be read by Word and therefore it is unencrypted in Word. When the ZIP file later on is drag and dropped out from Word into a directory, Win Explorer (not authenticated application) takes over and the file will be created unencrypted. Workaround: Encrypt the file manually (context menu of the file). DPSGN-9179
Password encryption / decryption with MS Edge browser is not working on Windows computers with a single core processor.
In MS Office documents embedded objects (for example, MS Excel objects in MS Word) requires the definition of the corresponding application as in application as well. DPSGN-7085

SafeGuard File Encryption

EFS is not supported. The EFS attribute can neither be set nor removed from files or folders and access to EFS encrypted files is denied. DPFEE-1149
Encrypted MS Office files stored on SharePoint get decrypted when they are modified. DPSGN-13628
NTFS Compression is not supported, files will be automatically decompressed.
Sophos recommends the use of SSD drives for best possible performance.
SafeGuard file encryption modules are not compatible with MarkAny's file filter driver cbfltfs.sys. Using both products together can result in BSODs or a not starting operating system.
UAC virtualization is not supported, which can result in compatibility issues with 3rd party software (applies to all file encryption modules).

General

Fast user switching is not supported and must be disabled.
The Windows 10 feature Improved Boot Up Experience is not supported and can cause several issues on clients that are part of a workgroup, it therefore needs to be disabled see SafeGuard File Encryption, SafeGuard BitLocker Client: Login to SafeGuard Credential Provider fails to unlock the User's keyring on Windows 10 (version 1709) when the machine is part of a Workgroup for details.
Direct modifications to the original Sophos product MSI Installer Packages are not supported.
SafeGuard 6.0 Clients cannot auto-register new users who log in with an alternate user principle name (UPN) suffix. It is recommended to use NetBIOS usernames on SafeGuard 6.0 Clients or older.
Internet Explorer Warning when downloading SGPortable
SafeGuard Cloud Storage automatically uploads SGPortable.exe to the Cloud. However, if downloaded with Internet Explorer, its Smart Screen Filter may block the download. Please ignore the warning, that SGPortable.exe is not trusted and accept the download anyway. After download SGPortable.exe reports that MSVCP71.dll is missing. Downloading this DLL from the internet will finally resolve the problem.
SafeGuard Enterprise is not fully compatible to using Windows accounts with an empty password. If a computer is member of a workgroup (i.e. not in a domain) and the last user tile on the logon screen represents a user with an empty password at all, any password entered in the Safeguard credential provider for this user will successfully log on this user. Moreover, if a wrong password is entered for a different user, this can result in the user with the empty password being logged on instead of the selected user.
The SafeGuard Credential Provider used to logon to the OS offers Username and Password fields in the Set up a PIN dialog on Windows 10. Workaround: Use the SafeGuard Token tile for logon with Token. DPSGN-5823
File Tracking events are note reported when writing files on optical media fails, if the medium is burned in mastered mode. The File Tracking feature supports the Live File System format only and not the Mastered Disc Format. DPSGN-9709
BitLocker recovery keys are not rotated after use if the recovery is not done using the Management Center or WebHelpDesk (for example, using Sophos Secure Workspace). DPSGN-9902

Compatibility

Sophos SafeGuard LAN Crypt is not compatible with SafeGuard 8.3.
Synchronization of keyring is possible with Sophos Mobile Control 8.0 an newer versions (requires at least Sophos Secure Workspace 8.5 on the mobile device).
Synchronization of BitLocker recovery keys requires at least Sophos Mobile Control 8.0.
SafeGuard Enterprise has not been tested in conjunction with an installed Novell Client for Windows. Restrictions may apply as there is no intercommunication between the logon components of both products.
AbsoluteSoftware Computrace.
SafeGuard Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated track-0 based persistent agent installed.
Compatibility to imaging tools has not been tested and is therefore not supported by Sophos.
Windows Defender: The Controlled Folder Access feature is not supported and can interfere with SafeGuard.
BitLocker Management is not supported on Apple's Boot Camp

Token/Smart card

Disconnecting an USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware.
In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected. (DEF66637)
Smart Card/Token PIN with special characters does not work with some middlewares (DPSGN-3674).
Defining a PIN that contains special characters (for example, ä, ü, ö) might lead to issues with several middlewares.

Not supported

The SafeGuard Client does not support logon with Microsoft accounts (formally known as Windows Live ID).
The SafeGuard Client does not support the Windows 8.1 / Windows 10 logon methods like PIN and Picture, MS Hello, Virtual Smartcards, MS Passport, etc.
Microsoft Azure based SQL database and Azure based Active Directory
If BitLocker is managed by SafeGuard, it is not allowed to manage it in parallel via MBAM (Microsoft BitLocker Administration and Monitoring), the manage-bde command line tool, Group Policies (besides the settings listed in the ReleaseNotes) or the Windows Control Panel.
Only the Bitlocker Logon modes listed in the authentication policy in the Management Center are supported.
The BitLocker C/R dialog in UEFI cannot be used with touch screens as it has no on-screen keyboard. The dialog has to be used with a physical keyboard.
When storing the BitLocker startup key on a SafeGuard Data Exchange (DX) encrypted USB stick, then it won't be possible to use it to unlock the boot volume. This is because the unlock is executed before Windows starts and at this phase no DX filter driver for decryption of the key exists.
The fingerprint reader Validity VFS5011 is not supported by the SafeGuard Client for logon.
Defining File Encryption rules for a domain DFS is not possible.
The encryption of files in a Box cloud storage folder is no longer possible due to changes in the Box client. DPSGN-14331
Google Drive file stream is not supported. The local file cache location must be excluded from file encryption to avoid data corruption. DPSGN-15116
The auto-detection of OneDrive / OneDrive for Business as Cloud Storage provider does not work in the latest versions of Onedrive. A workaround is described in KB125710

Limitations

BitLocker configuration via GPOs.
Only BitLocker group policies settings (GPOs) mentioned below, should be configured if BitLocker is managed by SafeGuard. Required settings are automatically applied during the installation of the client.

Require additional authentication at startup
Allow BitLocker without a compatible TPM
Enable use of BitLocker authentication requiring pre-boot keyboard input on slates
Configure minimum PIN length for startup
Turn on TPM backup to Active Directory Domain Services

All other BitLocker group policies must be left to default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management.

When enabling the SafeGuard policy BitLocker Logon mode with the setting TPM + PIN (default), consider that tablet PCs require an external keyboard to enter the TPM PIN during Pre-Boot phase. The on screen keyboard cannot be used to enter the PIN. It is recommended to use a TPM only policy for such devices.
BitLocker encryption dialog keeps reappearing on Windows Slate computers (for example, MS Surface Pro 5) - DPSGN-3922
On Windows Slate computers, the BitLocker encryption dialog keeps reappearing and encryption does not start. This occurs when the group policy setting Enable use of BitLocker authentication requiring pre-boot keyboard input on slates is not set and TPM+PIN or password authentication is mandated by the authentication policy. Enabling the group policy setting or changing the authentication policy resolves this issue.
Virtualization platform support.
The SafeGuard Client only supports VMware Workstation and Player as virtualization platform. All other platforms like VMware ESX/ESXi Server, Microsoft Virtual PC, Microsoft Hyper-V are not supported. VirtualBox is incompatible with SafeGuard 8.3 and might cause BSODs (IRQL_NOT_LESS_OR_EQUAL).
Takeover of BitLocker data drives in standalone mode
When the SafeGuard Client is run in standalone mode, then already encrypted BitLocker data drives are taken over in the moment when the client config package is applied. In order that this can succeed, all data drives must be unlocked before the client config package is applied. Locked data drives are ignored which means that their recovery password won't be written to the key backup file.
Rotation of the recovery password.
The recovery password is changed automatically for managed clients once a recovery is executed. For standalone clients the recovery password remains unchanged after a recovery, but it can be changed manually be uninstalling the client config package and installing it again.
Windows 8.1 / Windows 10 fast startup option affects some behavior of SafeGuard Enterprise
If the new Fast startup option in Windows 8.1 and higher is turned on as Microsoft recommends, some behavior in SafeGuard Enterprise is affected. For system services like the SafeGuard Authentication service the fast startup is technically seen identical with hibernation. So all SafeGuard Enterprise functionality triggered by the boot process is affected and needs a restart instead of shutdown/boot. One example is the registration of new users as SafeGuard user during first Windows logon after machine boot process. In order to have the self-enrollment enabled upon next boot a warm-boot has to be initiated or a complete shutdown/cold-boot has to be forced.
According to the recommendation of Intel, also Sophos recommends, to disable Intel Rapid Start Technology when using software-based encryption.
Recovery of unmanaged BitLocker volumes not supported for standalone configurations - DPSGN-3901
Access to BitLocker-encrypted volumes which have not been taken over by SafeGuard (i.e., when no SafeGuard encryption policy for them exists) cannot be recovered via the SafeGuard Management Center. This issue is limited to standalone client configurations.
Trusted application configuration breaks when update changes application path. DPSGN-3720
Some application updates change the absolute path of their executables. In these cases, SGN's policy configuration for trusted applications needs to be updated as well. For example,
Symantec Anti-Virus installs to a directory path containing its version number. The configuration for SafeGuard trusted applications needs to be changed to point to the new path where the executable is found.
Microsoft Internet Explorer fails to download encrypted files from Dropbox - DPSGN-2088
Files encrypted with SafeGuard Cloud Storage cannot be downloaded using Microsoft Internet Explorer.
FIPS mode not supported on Windows 8 clients. DPSGN-1257
SafeGuard Enterprise does not support managing BitLocker encryption on Windows 8 clients with enabled GPO setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Recovery of such clients, using the SafeGuard Management Center, is not possible. Note that FIPS mode on Windows 8.1 and Windows 10 clients is supported.
User workflow is affected when uploading encrypted files using a browser
- Encrypted documents that are uploaded using a browser end-up encrypted on the server. This may break some functionality users are used to (for example, document preview, server-side document indexing, in-browser editing etc.).
- The plain content of encrypted documents can’t be accessed by server-side processes. This, for example prevents servers from indexing documents and thus breaks/limits search capabilities.
MS Office 365 offers direct storing of files in the cloud (OneDrive). If this functionality is used and the Office 365 apps, for example, MS Word, are defined as In application you have to configure the path <Local App Data>\Microsoft in the application based policy as an exclusion from encryption. This avoids an unencrypted upload of files to the cloud. DPSGN-9615
Windows Search cannot look into encrypted files and is therefore not able to index content of encrypted files.
SafeGuard file encryption modules are incompatible with OneDrive's Files On-Demand feature (introduced with Windows 10 Fall Creators Updated). Please refer to Incompatibility of SafeGuard File Encryption modules and OneDrive Files On-Demand feature for full details.
The SafeGuard file encryption related modules do not support roaming profiles or folder re-directions.
The SafeGuard Outlook Add-In is only available for 32 bit versions of Outlook.
When copying files from a local location to either a Network Share or a Removable Media, the Explorer's calculation of speed and time remaining might not be working correctly anymore. DPSGN-14821

Anti-Virus products tested with SafeGuard Enterprise

SafeGuard Enterprise has been successfully tested together with the Anti-Virus products by Sophos as well as the following:

Manufacturer	Product	Version
Symantec	Endpoint Protection	14.2.4815.1101.105
McAfee	Total Protection	16.0 R20
Microsoft	Defender	Antimalware Client Version: 4.18.1909.6 Engine Version: 1.1.16400.2 Antivirus Version: 1.303.1727.0 Antispyware Version: 1.303.1727.0
Trend-Micro	Anti-virus+ Security	16.0.1151
Kaspersky	Internet Security	20.0.14.1085

Mac OS X Device Encryption Client

Limitations

Directory users

FileVault 2 requires either a local account or a mobile account. Please create a mobile account for Active Directory users if they should be able to activate FileVault 2 or if they should be enabled for FileVault 2.

Inventory reporting

Drives are only reported if they reside on a GUID partition table. Volumes within an Apple Partition Map or Master Boot Record Partition scheme are not visible in the drive inventory.
The encryption status is sometimes not updated in the inventory view until the Mac is rebooted.

Limitations on macOS 10.13

The FileVault recovery key is not changed after usage if the system disk is formatted using APFS.

Apple Open Directory

Open Directory users/computers are not supported.
Pure Open Directory network users (without a mobile account) are asked for their password to enable FileVault 2 or to get enabled for FileVault 2, even though the operation will fail.

Encryption

Only the system disk (partition) will be encrypted.

Known Issues

It may happen that the recovery key is not available in SafeGuard during the very first restart after enabling the disk encryption, it will be available after a subsequent restart in this case.

When the SafeGuard system menu is activated, it may take some time until the SafeGuard icon is displayed in the system menu bar.

It may take up to 5 minutes until the correct encryption state is shown in the SafeGuard preference pane after FileVault 2 encryption has finished.

Adding the currently logged in user is only provided when the synchronization with the SafeGuard Server is working.

The Decrypt System Disk button in the preference pane may be enabled while the encryption is currently running and the preference pane is opened immediately after login and the security officer has assigned a No Encryption policy. Pressing the button will result in an error and the encryption continues. After some minutes, the button will be disabled.

The installation, upgrade and uninstallation of SafeGuard Disk Encryption for Mac can take longer (up to 5 - 20 minutes), if your Mac is located behind a firewall. In order to speed up the installation, either disconnect it from any network or allow direct Internet access. Please note that this is a general OS X issue and is caused by the verification of the digital signature via Apple servers, with which SafeGuard’s files are signed.

No users are added if FileVault2 was enabled with disk-password: If the system disk is encrypted using the command line tool 'diskutil cs convert / -passphrase ..', a FileVault2 POA gets activated which asks for the disk password.In general it is possible to add additional users when the disk password is known, but this is currently not implemented by SGDE. This would require a new dialog which asks for the users password and for the disk password. Once a user is available in FileVault2, adding additional users works.

User & Computers: On a Mac, the Owner flag has no effect! Only the first user FV2-user will be reported as Owner. It's not possible to switch the Owner!

VMware Fusion: If Sophos SafeGuard Native Device Encryption is installed in a virtual machine, please ensure that virtual hard disks are configured with the bus type SCSI. Otherwise the disks appear as external drive and they are not reported in the inventory of the management center. To change the bus type, shut down the virtual machine and the go to Virtual Machine > Settings > Hard Drive > Advanced options > Bus type: change to SCSI

SafeGuard Device Encryption for Mac does not support Apple bootcamp.

Mac OS X File Encryption Client

System requirements

Sophos SafeGuard Enterprise: SafeGuard File Encryption for Mac needs a SafeGuard Enterprise backend, from which it obtains its encryption policies and the encryption keys. During the installation process of the Mac client you will be required to provide and import a SafeGuard Enterprise Client Configuration ZIP file, in order to bind the Mac to its SafeGuard backend.

SSL trust to the SafeGuard Server must be configured on client. Please make certain that the correct SSL certificates of the SafeGuard Server(s) are imported into the Mac’s System keychain only, and not in the user’s Login keychain.
Communication between SafeGuard OS X Client and SafeGuard Server is only supported with IPv4.

Supported client languages: The supported client languages are English, German, and French.

Compatibility and upgrades

The compatibility of this release of SafeGuard File Encryption for Mac with previous releases and modules of Sophos is as follows:

Only SafeGuard File Encryption for Mac is used:

Install SafeGuard File Encryption for Mac and import the SafeGuard Enterprise Client Configuration ZIP file.

SafeGuard File Encryption for Mac and SafeGuard Disk Encryption for Mac version 8.3 are used together on the same Mac:

Both products take care of each other and can be installed, and uninstalled in any order.
If one product is upgraded from a previous version to 8.3 the second product needs to be upgraded as well.

Anti-Virus software

Usually anti-virus software works in two modes:

Manual or scheduled mode or
Real time scanning or On-access scan mode

The following applies for both modes:

Whichever scanning mode you are using, it is not recommended to scan the encrypted files in their original location. This is because you cannot find a virus within an encrypted file.
Instead, it is strictly recommended to scan all files in the corresponding SafeGuard Secured volumes. This returns the unencrypted file content and therefore viruses can be detected.
Please test, whether the on-access scanner of the installed anti-virus product finds a virus in files on SafeGuard Secured volumes. Please see instructions about the EICAR test file below.

Sophos Enterprise Anti-Virus for Mac / Sophos Central as well as the below mentioned anti-virus products have been tested with SafeGuard File Encryption for Mac and detect viruses on SafeGuard Secured volumes in both modes under the following circumstances:

Scan now or Scan local drives:

Make sure you always scan the SafeGuard Secured volumes or you risk missed detection. If you happen to scan it through the original path, you can do so, it won’t do any harm, but you won’t find any virus, as the file content you scan is encrypted.

On-access scanning:

If you have installed SafeGuard File Encryption for Mac, please make sure that the on-access scanner of Sophos Anti-Virus for Mac is turned on and its feature Scan Files on network volumes is switched on as well. This will allow the file content on a SafeGuard Secured volume to be scanned on-access.

If you are using other anti-virus software, make sure that your product is able to detect viruses, too. You can use the EICAR Anti-Malware test file for testing purposes.

Manufacturer	Product	Version
Symantec	Endpoint Protection Cloud	8.3 Build 45
Kaspersky	Endpoint Security	11.0.0.501c
Trend-Micro	Anti-Virus for Mac	10.0.1681

Virus Scanner limitations

Virus Scanners option move to Quarantine will not work for all Virus Scanners

Most of the virus scanners stop their manual scan if they would leave the current file system. Because the secured mount points act as a file system boundary, they will not be included in the manual scan and must be scanned separately.

Particularities and limitations

The menu icons in the Finder right-click menu do not change the color when "Dark Mode" is enabled (macOS10.14)
Files can be accessed via two different paths: the original path and the SafeGuard File Encryption Secured Volume (mount point). Transparent encryption works only on the SafeGuard Secured Volumes.
Blacklisted folders: SafeGuard File Encryption for Mac OS X makes certain that folders that are important for OS X to function properly are not and cannot be encrypted by a SafeGuard administrator. Even if a SafeGuard Security Officer specifies an encryption policy for a folder on the blacklist, the client software of SafeGuard File Encryption for Mac OS X will not encrypt file is this folder. This is the list of folders on the blacklist:
- Folders without sub-folders:
  - <Root>/
  - <Root>/Volumes/
  - <User Profile>/

Folders including their sub-folders:

<Root>/bin/
<Root>/sbin/
<Root>/usr/
<Root>/private/etc/
<Root>/dev/
<Root>/Applications/
<Root>/System/
<Root>/Library/
<User Profile>/Library/
<Removables>/Backups.backupdb/
<Removables>/SGPortable/
<Removables>/System Volume Information/

OSXFuse provides its Secured Volumes as devices.This has several consequences:
- Volumes will be shown on your OS X Desktop, if configured in the Finder Preferences. Or you can find them using the Finder option Go > Computer
- The OS X feature Browse All Versions is not supported in Secured Volumes.

It is not guaranteed that policies for SafeGuard File Encryption for Mac can be applied immediately (for example, a mounted Secured Folder cannot be unmounted, because files in it are open.) To be on the safe side, please log out and log in again.

General Settings policies for Mac must be assigned to the corresponding machines. Assigning the policies to a user has no effect (for example, to define the connection interval).
File Encryption policies must be assigned/activated for users or groups that contain the corresponding user objects.
Resetting user password without using Account Preferences (for example resetting password with Active Directory) leads to following problem described in OS X Support KB entry TS5362. As long as you do not apply the solution mentioned there, you will not be able to read encrypted files and will get errors like A keychain cannot be found to store KEK.

When you move files from one mount point to another, files will be copied and not moved

After fully restoring a Mac with an Apple Time Machine backup on which SafeGuard 8.3 was active (either Device Encryption or File Encryption) it might be that the synchronization with the SafeGuard Enterprise Server does not work anymore.

This is because the spool daemon user (_sgsd) is wrongly created with a different numerical UID compared to the original installation in some cases by the Time Machine recovery process.

To resolve this issue please perform the following steps as root user on the terminal (using sudo) until synchronization works again (not all steps may be required):
- Re-inforce the permissions of the spool directory: #chown -R root:_sgsd /var/spool/sg
- Delete the current spool directory such that permissions are re-created: #rm –rf /var/spool/sg
- Delete the stale PID-lock file of the SGSD daemon: # rm –f /tmp/sgsd.pid

Cloud Storage Provider

The synchronization folder of a cloud storage provider must not be located beneath another encryption rule, for example, it is not possible to set encryption rules on <Documents> and <Documents>/SyncFolder. To encrypt data stored in a cloud, the cloud synchronization folder must be stored somewhere else, for example, ~/SyncFolder.

Terminal points to the wrong cloud folder.

The overlay icons of the Cloud Storage Provider are no longer visible if an encryption rule for the Cloud folder exists.

Folders with encryption rule cannot be shared with SMB. (DPSGN-1114)

Folders that can be accessed by multiple users (aka shared folder, for example, /opt/secured): Only the first user gets a secured mount point. The second user gets an error message (Folder is already in use).
For the other user to get the mount point the user currently having it needs to log out first. Note: This does not affect folders that only belong to one user (like the majority of folders underneath the user home directory (/Users/username/).

If iTunes is running while a mount point is created on Documents, the iTunes database cannot be accessed afterwards, because iTunes follows the renamed folder and tries to open the encrypted database.

Reopening applications when logging out and back in is not supported (shut down/restart/logoff-logon) (Keep applications open feature)

Terminal: When a mount point for some path like for example, ~/Documents is created any terminal whose current working directory (cwd) points to this very path should be exited and re-opened.

Finder & Dock will be restarted if a new local file system mount point is created. (This means that the restart does not happen for cloud provider, network and removable mount points)

The SafeGuard encryption file system doesn't support permanent version storage (only HFS). Copying a file to a mount point will erase existing previous versions. (This is also the case when copying to a network share)

Time Machine: restore must be done using the .sophos_safeguard_xxx Folder

Encryption rules on NFS-Shares are not supported

Encrypted removable devices formatted with NTFS can only be mounted read only

You cannot set up an encryption rule on the root path of an internal disk

Writing encrypted files on CD/DVD is not supported

Over-mounted folders show the size (capacity and available space) of the disk on which the mount point is created instead of the actual folder size (DPSGN-1095). for example, if an encryption rule for ~/Documents exists, showing the file system info of the directory with Get Info in the Finder will show the capacity of the system disk instead of the actual size used by ~/Documents.
Workaround: Navigate into the secured mount point, select all files and then do right click Get Info in the Finder. This will show the correct size of the directory occupied on disk.

Moving an over-mounted directory in the icon view creates an alias (DPSGN-941)

~/Public/Drop Box encryption rules are not supported

Every user who can access our mount point is impersonated as the user who started the mount point – even the root user!

Only the user who started the mount point as well as the root user may access the mount point (FUSE allow_root option)
However every file system request from our mount point towards the original/underyling FS is issued as the user who started the mount point

Some examples:

A file in a directory /enc root:wheel rwx r-x r-x can not be written even if the user elevated privileges with sudo and issues the commando as root
Touching a file as root in this directory will end up with the privileges john:wheel rw r r instead of the expected root:wheel rw r r

The path of an encryption rule must not contain a comma (DPSGN-2757)

Finder: Tag search doesn't work

The name of a Secured Folder (this is usually the name of the last directory of an encryption rule) must not exceed 238 characters.

Network shares which have a policy applied and are automatically mounted at startup cannot be detected by Sophos File Encryption. It is not possible to overmount such mount points. The original mount point can't be removed (also see Finder: does not have an eject button). There is no difference if auto mount point is created in /mnt/ or /Volumes/.

Aliases/symlinks to a directory where the alias/symlink is assigned a different key than the target directory should be avoided as it represents a conflict in which key to use.
The Mac FE client will do an alphabetic sorting on the rules and the one that comes last alphabetically will be applied, for example:

Create a folder for example, /Users/john/enc
Create a symlink to that folder, for example, /Users/john/lnkenc
Create an encryption rule for <User Profile>\enc with Personal Key
Create an encryption rule for the link with a different key, for example, <User Profile>\lnkenc with Root Key
-> In this case the Root Key is used as encryption key as lnkenc comes alphabetically after enc

If Sophos SafeGuard File Encryption is installed in a VMware Fusion virtual machine, please ensure that virtual hard disks are configured with the bus type SCSI. Otherwise the disks appear as external drive and encryption rules won't be applied correctly. To change the bus type, shut down the virtual machine and the go to Virtual Machine > Settings > Hard Drive > Advanced options > Bus type: change to SCSI

In contrast to Windows, OS X does not support file filter drivers which can be used to provide transparent encryption on all locations. To get transparent encryption on OS X, SafeGuard creates mount points for a set of commonly used locations (Desktop, Documents, Pictures, Music, Movies, Downloads, cloud storage provider synchronization folders, removable devices and network shares) which replace the original folder. Now all file operations are redirected through this mount point and the content can be read as usually, because encryption and decryption will be done automatically. If these locations do not fit the requirements, some locations can be excluded from encryption or a policy with defined locations can be used instead (recommended). Use of that technology can lead to the scenario that encrypted files that are moved to folders where no encryption rule is defined, and therefor no mount point for transparent decryption exists, stays encrypted (persistent encryption) and cannot read instantly. They have to be decrypted manually first.

Interoperabilty with Cloud Storage Provider
- Most of the Cloud Storage Providers and SafeGuard are using so called Finder Sync Extensions to display a badge for the files in the Finder. OS X can only handle one single Finder Sync Extension per folder to show badges for the files. As encrypted files can be on every location, SafeGuard registers for the root directory which includes also the cloud storage provider sync folders and this prevents the cloud storage provider sync folders from displaying their status badges and an error notification from the cloud storage provider may be displayed. This can be ignored.

Permanent Version Storage Error.
Permanent Version Storage is only available on Apple’s own file system HFS+. As SafeGuard replaces the original folder with a mount point OS X displays a warning message that the version storage is not available for this file. But these files are still included in Time Machine backups. They can be accessed on a hidden folder. For each mount point SafeGuard creates, there exists also a hidden folder .sophos_safeguard_[Folder Name] on the same location. To restore a single file, the hidden folder has to be selected in Time Machine, for example, Instead of ~/Documents/MyDoc.docx ~/.sophos_safeguard_Documents/MyDoc.docx has to be restored.

It is not possible to execute script or applications from a mount point. To get separation of access between allowed applications and not allowed applications from reading encrypted content it was necessary to deactivate caches of the OS. Otherwise not allowed applications are able to read content in plain and IN apps may get encrypted content. Workaround: the executables have to moved from the mount point to a normal folder or the executables have to be started using the hidden folder, instead of ~/Downloads/test.sh ~/.sophos_safeguard_Downloads/test.sh has to be used.

When a removable device is plugged in or a network share gets mounted, there may be a password prompt for an administrative account from sgfsa. This password prompt can be ignored. If there is no mount point created for the device or network share, please re-insert the device or connect again to the the network share.

AirDrop creates empty files on Downloads mount point. DPSGN-15254

Known issues

Check the known issues for this SafeGuard Enterprise release, since improper configuration of certain options may cause unexpected behaviour.

Note the following additional known issues:

SafeGuard File Encryption for Mac 8.3 supports a maximum of 24 secured mount points. Note that this limit only applies to the top level mount points – Nested encryption rules are not affected and can be unlimited (e.g. the rules ~/Documents, ~/Documents/keyA, ~/Documents/keyB will result in only one secured mount point being created).

The installation, upgrade and uninstallation of SafeGuard File Encryption for Mac can take longer (up to 5 – 20 minutes), if your Mac is located behind a firewall, which prevents direct access to the Internet. In order to speed up the installation in such a case, either disconnect it from any network or allow direct Internet access. Please note that this is a general issue with OSX Gatekeeper and is caused by the verification of the digital signature via Apple servers, with which SafeGuard’s files are signed.

Creation of mobile user accounts at OS X login with confirmation by user: Do not require confirmation of the OS X user before creating a mobile account, as the user can select Don’t Create. Selecting this option will create an incomplete OS X user, for example a user that does not have a local home directory.

Show icon preview
For performance reasons it is recommended to turn off the Finder option Show icon preview.
This is particularly valid for slow devices or network shares, on which a big number of encrypted files are located.
Note that application-specific icons (for example Microsoft Office for Mac) are also influenced by the Finder option Show icon preview.

If a file was received with MS Outlook, sent by an GMail Web Client, the attached, encrypted file can not be transparently decrypted. Workaround: Decrypt the file manually, via context menu. DPSGN-7449.

Mounted DMG files, which are located in a Secured Folder (mount point), are invalidated during the upgrade of SafeGuard Device or File Encryption, because the mount point is re-created during the upgrade. When the client installers are upgraded, the DMG files of the product should either be stored outside of a mount point or only the DMG file for the product which is currently installed should be mounted. DPSGN-7675

It is not supported to run virtual machine images stored on secured mount points. Doing so may cause the virtualization application to fail or even freeze your Mac and require a hard reboot. Workaround: Move the virtual machine image to a location that is not covered by a SafeGuard encryption rule (secured mount point).

When SafeGuard Synchronized Encryption policy rules are applied it is not possible to execute applications that are located on secured mount points. This applies to executing applications both with the OS X Finder as well as from the Terminal. Workaround: Move the application to a location that is not covered by a SafeGuard Synchronized Encryption policy rule. This limitation does not apply to location based encryption policies.

Copy performance on network shares covered by a SafeGuard Encryption policy may under certain circumstances (very large and/or many files) be considerably lower than the usual native network performance. Workaround: When experiencing such a situation please use the new Direct Paste functionality offered in the right click context menu of the Finder or use the Terminal to copy the files.

Mac OS 10.13 and SafeGuard File Encryption 8.30
- Secured Folders (mount points) may appear in the Devices section of the Finder sidebar. Those entries can be removed manually (contextual menu, Remove from Sidebar), but reappear again with the next login.
- It may happen, that the encryption icons are not displayed in the Finder. This is especially the case when the machine was rebooted or when the Cover Flow view (⌘4) is enabled in Finder. To show the icons again you can either switch to another folder and then back to the original folder or disable and enable the Sophos SafeGuard Finder extension in the Extensions system preferences.
- Note: the encryption icons are only displayed for local folders in the home directory (/Users/username), for example Documents, and for encrypted files on data volumes, removable devices and network shares.
- The performance on network shares may be very poor. This is caused by the smb implementation in macOS 10.13. When copy&paste or duplicate several files in parallel, timeouts may happen which result in partly copied files. In general cifs seems to be more robust instead of smb, i.e. instead of connecting to smb://server/share use cifs://server/share.
- Several log entries from osascript may be written to the system.log file when encryption rules on a network share or removable device are configured (osascript[xxxx]: AppleEvents: received mach msg which wasn't complex type as expected in getMemoryReference).

SafeGuard File Encryption: Engine build 30 for SafeGuard 8.1.x / 8.2.x

2019-11-14T15:42:00Z

Overview

With the introduction of the mini file filter driver, which is part of SafeGuard Enterprise as of version 8.10, Sophos provides regular File Encryption Engine updates that just contain improved filter drivers. These updates are provided as Windows Installer Patch files (*.msp) to allow easy installation and deployment. As these updates are cumulative, Sophos recommends using the latest version.

In this blog post, you can download build version 30 of the filter driver engine. An overview of all File Encryption Engine Updates is available here.

Resolved issues (new in File Encryption Engine build 30)

Reference	Symptom / Summary
DPSGN-15338	Sporadic file corruptions when storing XLS files using Microsoft Office 2003 or 2007
DPSGN-15014	Generic improvements to prevent file locks during shutdown/restart.
DPSGN-15436	Deleted encrypted files occasionally cannot be recovered and show huge size in recycle bin
DPSGN-15441	Bluescreen / BSOD (`Bugcheck 0xd4`) on endpoints with Xerox Docushare software installed
DPSGN-15431	Windows subsystem for linux no longer working (lxssmanager does not start) on Windows 10 version 1903 (19H1)
DPSGN-15454	Bluescreen / BSOD `SYSTEM_SERVICE_EXCEPTION (Bugcheck 0x3b)` when drag and drop is used for attachments (from MS Outlook to an encrypted folder)
DPSGN-15468, DPSGN-15472, DPSGN-15471, DPPSGN-15462	3rd party software compatibility fixes for issues introduced in File Encryption Engine build 29

Resolved issues (already part of File Encryption Engine build 28)

Reference	Symptom or Summary
DPFEE-1173	Local cache corruptions during an update to Windows 10 October 2018 update (W10 version `1809`)
DPSGN-14307	Explorer performance issues in combination with cached files from Windows Quick Access
DPSGN-14462	Increased saving time for files located on network locations (specific applications).
DPSGN-14525	Access rights issues when running specific applications.
DPSGN-14639	`Bluescreen Bugcheck 0x3b (SYSTEM_SERVICE_EXCEPTION)` on Windows 10 version `1809` endpoints
DPSGN-14511	Performance improvements (boot and runtime)
DPSGN-14853	Cannot open encrypted Quickbooks project (other applications potentially affected as well), when SafeGuard File Encryption filter driver is active.
DPSGN-14771 DPSGN-14806 DPSGN-14842	Several boot performance improvements.
DPSGN-14995	High performance impact when accessing files on network shares which are not covered by an encryption rule (requires BypassFilesWithoutPolicyVolumes registry key - see KB133022 for details).
DPSGN-14945	User is unable to save file certain file types (e.g. docx, xlsx).
DPSGN-14987 DPSGN-15016	User gets file in use error when opening or saving xlsx files on network location.
DPSGN-14513	License check of 3rd party application (Dataflex) fails - (requires BypassFilesWithoutPolicyVolumes registry key)
DPSGN-14856 DPSGN-15051	File Encryption driver slows down Windows explorer and search operations on network shares.
DPSGN-15186 DPSGN-15188 DPSGN-15189 DPSGN-15190	Important security fixes and improvements.
DPSGN-15245	Files located on a WebDAV share, occasionally cannot be deleted when file encryption minifilter is active.
DPSGN-15014	Compatibility improvements (requires additional registry modification)
DPSGN-15265	System might become unresponsive after re-inserting an encrypted optical media
DPSGN-15261	SGPortable.exe (and msvcr71.dll and msvcp71.dll) get encrypted by initial encryption
DPSGN-15241	SafeGuard Services not running after update to Windows 10 version 1903 (19H1). This only affects installations of File Encryption Engine build 26.
DPSGN-15209	Compatibility improvement for Sophos Central Intercept X with EDR.
DPSGN-15267	Potential file corruptions when creating PDFs from Catia (Dassault Systèmes).
DPSGN-15306	File encryption filter removes SmartScreen block functionality from file properties.

Download and installation

The installers for version 8.10.x can be obtained from this download link.

The installers for version 8.20.x can be obtained from this download link.

Installation for 32-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 30.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 30.msp"
Reboot the endpoint for the changes to take effect

Installation for 64-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 30_x64.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient_x64.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 30_x64.msp"
Reboot the endpoint for the changes to take effect

How to verify if the patch is applied

After the installation, you can see the new File Encryption Engine in the Installed Updates section of Programs and Features.

As this package just contains new filter drivers and no other products components, this update does not change the version or build number of the installed SafeGuard Client. In the SafeGuard Management Center version 8.20, the file filter engine version of this update (3.0.0.34) is also listed in the installed features list of the Client.

Related information

SafeGuard Enterprise: macOS Catalina support

2019-10-22T17:40:00Z

Overview

Apple has released macOS version 10.15 (Catalina) on the 11th of October 2019. SafeGuard version 8.20.0 and previous versions of SafeGuard Disk Encryption and File Encryption for Mac, do not support this new Operating System and may not function correctly.

To be able to use macOS Catalina (10.15) together with SafeGuard Enterprise, you need to install version 8.30 which is currently planned to be available in November 2019.

Note: SafeGuard Enterprise 8.30 will support macOS 10.13, 10.14 and 10.15.

What to do

Sophos is planning to release a new version of SafeGuard, version 8.30, that supports this new operating system, in November 2019.

Until this version is available, we recommend to refrain from updating existing systems to macOS 10.15 or installing a not supported SafeGuard Client on the new Operating System.

SafeGuard File Encryption: Engine build 29 for SafeGuard 8.1.x / 8.2.x

2019-10-18T20:57:00Z

Please note: Advisory: SafeGuard File Encryption Engine - build 29 withdrawn

Overview

In this post you can download build version 29 of the filter driver engine. An overview of all File Encryption Engine Updates is available here.

Resolved issues (new in File Encryption Engine build 29)

Reference	Symptom / Summary
DPSGN-15338	Sporadic file corruptions when storing XLS files using Microsoft Office 2003 or 2007
DPSGN-15014	Generic improvements to prevent file locks during shutdown/restart.
DPSGN-15436	Deleted encrypted files occasionally cannot be recovered and show huge size in recycle bin
DPSGN-15441	Bluescreen / BSOD (Bugcheck 0xd4) on endpoints with Xerox Docushare software installed
DPSGN-15431	Windows subsystem for linux no longer working (lxssmanager does not start) on Windows 10 version 1903 (19H1)

Resolved issues (already part of File Encryption Engine build 28)

Reference	Symptom or Summary
DPFEE-1173	Local cache corruptions during an update to Windows 10 October 2018 update (W10 version `1809`)
DPSGN-14307	Explorer performance issues in combination with cached files from Windows Quick Access
DPSGN-14462	Increased saving time for files located on network locations (specific applications).
DPSGN-14525	Access rights issues when running specific applications.
DPSGN-14639	`Bluescreen Bugcheck 0x3b (SYSTEM_SERVICE_EXCEPTION)` on Windows 10 version `1809` endpoints
DPSGN-14511	Performance improvements (boot and runtime)
DPSGN-14853	Cannot open encrypted Quickbooks project (other applications potentially affected as well), when SafeGuard File Encryption filter driver is active.
DPSGN-14771 DPSGN-14806 DPSGN-14842	Several boot performance improvements.
DPSGN-14995	High performance impact when accessing files on network shares which are not covered by an encryption rule (requires BypassFilesWithoutPolicyVolumes registry key - see KB132922 for details).
DPSGN-14945	User is unable to save file certain file types (e.g. docx, xlsx).
DPSGN-14987 DPSGN-15016	User gets file in use error when opening or saving xlsx files on network location.
DPSGN-14513	License check of 3rd party application (Dataflex) fails - (requires BypassFilesWithoutPolicyVolumes registry key)
DPSGN-14856 DPSGN-15051	File Encryption driver slows down Windows explorer and search operations on network shares.
DPSGN-15186 DPSGN-15188 DPSGN-15189 DPSGN-15190	Important security fixes and improvements.
DPSGN-15245	Files located on a WebDAV share, occasionally cannot be deleted when file encryption minifilter is active.
DPSGN-15014	Compatibility improvements (requires additional registry modification)
DPSGN-15265	System might become unresponsive after re-inserting an encrypted optical media
DPSGN-15261	SGPortable.exe (and msvcr71.dll and msvcp71.dll) get encrypted by initial encryption
DPSGN-15241	SafeGuard Services not running after update to Windows 10 version 1903 (19H1). This only affects installations of File Encryption Engine build 26.
DPSGN-15209	Compatibility improvement for Sophos Central Intercept X with EDR.
DPSGN-15267	Potential file corruptions when creating PDFs from Catia (Dassault Systèmes).
DPSGN-15306	File encryption filter removes SmartScreen block functionality from file properties.

Download and installation

The File Encryption Engine Update build 29 can be applied to SafeGuard Client version 8.10.0.323, 8.10.2.55 and 8.20.0.83. It automatically updates previously installed File Encryption Engine Updates.

The installers for version 8.10.x can be obtained from this download link.

The installers for version 8.20.x can be obtained from this download link.

Installation for 32-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 29.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 29.msp"
Reboot the endpoint for the changes to take effect

Installation for 64-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 29_x64.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient_x64.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 29_x64.msp"
Reboot the endpoint for the changes to take effect

How to verify if the patch is applied

After the installation, you can see the new File Encryption Engine in the Installed Updates section of Programs and Features.

As this package just contains new filter drivers and no other products components, this update does not change the version or build number of the installed SafeGuard Client. In the SafeGuard Management Center version 8.20, the file filter engine version of this update (3.0.0.31) is also listed in the installed features list of the Client.

Related information

SafeGuard Enterprise Windows Client Patch 1908 version 8.00.6

2019-09-30T23:08:00Z

Overview

A security and compatibility patch for SafeGuard Enterprise Windows Client version 8.00.0.251 and SafeGuard Enterprise Windows Client 8.00.5 has been released to address numerous issues.

The 8.00.6 security and compatibility patch includes all fixes from the previous 8.00.5 Client Rollup patch.

It is highly recommended to upgrade all SafeGuard Client installations running version 8.00.0.251 or 8.00.5.x on Microsoft Windows.

Applies to the following Sophos products and versions
SafeGuard BitLocker Client 8.0
SafeGuard Cloud Storage 8.0
SafeGuard File Encryption 8.0
SafeGuard Synchronized Encryption 8.0
SafeGuard Data Exchange 8.0

Resolved issues (compared to SafeGuard version 8.00.0.251)

Reference	Symptom / Summary
DPSGN-10618	SGN Authentication Service crashes
DPSGN-12668	SafeGuard services fail to start, referencing the WS2_32.dll
DPSGN-11347	Saving encrypted files occasionally fails
DPSGN-12230	Task Manager hangs during shutdown
DPSGN-10120	Numerous Smartcard/Token logon related issues
DPSGN-11686	Significant delay when locking the desktop
DPSGN-11064	Outlook Add-In not working reliably
DPSGN-12036	Outlook Add-In strips file extensions
DPSGN-11848	SGN Master Service crashes
DPSGN-12233	Password change for other user than logged on not possible
DPSGN-12033	HTML Re-cryption not working in latest versions of Firefox and Google Chrome
DPSGN-11404	BEDevCtl.exe crashes, causing a missing SafeGuard Credential Provider
DPSGN-10874	Data partitions not encrypted on NVME drives (BitLocker)
DPSGN-11839	BitLocker rollout improvements
DPSGN-10599	BitLocker Challenge/Response: Encryption not starting if no recovery partition is available
DPSGN-10918	BSOD: PAGE_FAULT_IN_NONPAGED_AREA (referencing lcencvm.sys) BugCheck 50
DPSGN-12782	LocalCache corruptions on machines running File Based Encryption
DPSGN-13146 DPSGN-13154	Improved compatibility with Sophos Endpoint and Sophos Central
DPSGN-12619	BSOD: BEFlt.sys - 0x00000050 PAGE_FAULT_IN_NONPAGED_AREA
DPSGN-13775	Credential Provider issues with Windows 10 built-in VPN when using UID and Password authentication
DPSGN-13128	BSOD: BugCheck 50 in combination with SafeGuard File Encryption driver (referencing lcencvm.sys)
DPSGN-13714	BitLocker PIN reset not working after recovery
DPSGN-13748	Encrypt according to policy option and initial encryption wizard not working

Resolved issues (compared to SafeGuard version 8.00.5)

Reference	Symptom / Summary
DPSGN-14137	SGFileEncWizard.exe appears to hang when trying manually to encrypt the files
DPSGN-14365	sgn_masterservicen.exe crashed due to an unhandled exception (0xc0000005)
DPSGN-14822	Password change fails with the error message "The specified account does not exist" in specific scenarios.
DPSGN-13606	Credential Provider interface empty after SGNAuthService crash/restart
DPSGN-11436	User chooses 'Sign out' but does not get signed out (lParam = 0xC0000000)
DPSGN-14156	Blue screen UNEXPECTED_KERNEL_MODE_TRAP (7f) after upgrade or installation on Windows 10 version 1803 /1809 /1903
DPSGN-15312	File encryption related issues after cumulative updates (as of July 2019) on Windows 10 version 1809 / 1903

Download and installation

Download:

The package can be obtained from the SafeGuard Enterprise download section on sophos.com or directly using this link: Download

Installation:

The client security and compatibility patch can be applied to SafeGuard Client version 8.00.0.251 and 8.00.5.x running on Microsoft Windows only.

Important: For clients running Windows 7 SP1, it is critical to install all Windows security patches before applying the patch.

If the SafeGuard Client 8.00.0.251 is already installed

Copy the installer patch file to the corresponding computer(s).
Apply the SafeGuard Client Rollup patch.
Example: msiexec /update C:\Install\SGN8006Patch1908_x64.msp
Reboot the machine for the changes to take effect. After installing, the machine gets automated reboot if installation done via command line. If you want to control the reboot, use the /norestart switch.

If the SafeGuard Client 8.00.5.x is already installed

Copy the installer patch file and the SGN8006Patch1908.cmd to the corresponding computer(s).
Run the SGN8006Patch1908.cmd in an administrative CMD. This will ensure that the pre-requisites are met and the Patch gets installed.
Reboot the machine for the changes to take effect.

Installation of SafeGuard Client with the patch

Copy the SafeGuard Client and the installer patch files to the corresponding computer(s).
Install the SafeGuard Client with the Rollup patch.
For example: msiexec /i C:\Install\SGNClient_x64.msi PATCH=C:\Install\SGN8006Patch1908_x64.msp
Reboot the machine for the changes to take effect. After installing, the machine gets automatically rebooted if the installation is done via command line. If you want to control the reboot, use the /norestart switch.

How to verify if the patch is applied

The security and compatibility patch comes in the form of a Windows Installer Minor Upgrade Patch and updates the version number of the Sophos SafeGuard Client that is displayed in Apps & features / Programs and Features to 8.00.6.2

Additionally the version in the SafeGuard about box has been updated and the clients report the new version using the machine inventory, which can be displayed in the SafeGuard Management Center.

Limitations: This Hotfix Rollup is not compatible with SafeGuard LAN Crypt.

Related information

File Encryption Engine updates for SafeGuard 8.10 / 8.20

2019-09-25T20:17:00Z

Overview

With the introduction of the mini file filter driver, which is part of SafeGuard Enterprise as of version 8.10, Sophos provides regular File Encryption Engine updates that just contain improved filter drivers. These updates are provided as Windows Installer Patch files (*.msp) to allow an easy installation and deployment.

In this post, you can find links to all available updates of the filter driver engine. As these updates are cumulative, Sophos recommends using the latest version.

Resolved issues in latest build version (compared to SafeGuard version 8.10.0.323)

Reference	Symptom / Summary
DPFEE-1173	Local cache corruptions during an update to Windows 10 October 2018 update (W10 version 1809)
DPSGN-14307	Explorer performance issues in combination with cached files from Windows Quick Access
DPSGN-14462	Increased saving time for files located on network locations (specific applications).
DPSGN-14525	Access rights issues when running specific applications.
DPSGN-14639	Bluescreen Bugcheck 0x3b (SYSTEM_SERVICE_EXCEPTION) on Windows 10 version 1809 endpoints
DPSGN-14511	Performance improvements (boot and runtime)
DPSGN-14853	Cannot open encrypted Quickbooks project (other applications potentially affected as well), when SafeGuard File Encryption filter driver is active.
DPSGN-14771 DPSGN-14806 DPSGN-14842	Several boot performance improvements.
DPSGN-14995	High performance impact when accessing files not covered by an encryption rule (requires BypassFilesWithoutPolicyVolumes registry key)
DPSGN-14945	User is unable to save file certain file types (e.g. docx, xlsx).
DPSGN-14987 DPSGN-15016	User gets file in use error when opening or saving xlsx files on network location.
DPSGN-14513	License check of 3rd party application (Dataflex) fails - (requires BypassFilesWithoutPolicyVolumes registry key)
DPSGN-14856 DPSGN-15051	File Encryption driver slows down Windows explorer and search operations on network shares.
DPSGN-15186 DPSGN-15188 DPSGN-15189 DPSGN-15190	Important security fixes and improvements.
DPSGN - 15245	Files located on a WebDAV share, occasionally cannot be deleted when file encryption minifilter is active.
DPSGN -15014	Compatibility improvements
DPSGN - 15265	System might become unresponsive after re-inserting an encrypted optical media
DPSGN - 15261	SGPortable.exe (and msvcr71.dll and msvcp71.dll) get encrypted by initial encryption
DPSGN - 15241	SafeGuard Services not running after update to Windows 10 version 1903 (19H1). This only affects installations of File Encryption Engine build 26.
DPSGN-15209	Compatibility improvement for Sophos Central Intercept X with EDR.
DPSGN-15267	Potential file corruptions when creating PDFs from Catia.
DPSGN-15306	File encryption filter removes SmartScreen block functionality from file properties.

Available File Encryption Engine updates

File Encryption Engine build 28 for SafeGuard 8.1 / 8.2

File Encryption Engine build 27 for SafeGuard 8.1 / 8.2

File Encryption Engine build 25 for SafeGuard 8.1.0 - This File Encryption Engine update contains the same filter driver as SafeGuard version 8.20.0

File Encryption Engine build 24 for SafeGuard 8.1.0

File Encryption Engine build 23 for SafeGuard 8.1.0

File Encryption Engine build 22 for SafeGuard 8.1.0 - Important: This update has been integrated in the SafeGuard Client Hotfix Rollup 1901.

File Encryption Engine build 19 for SafeGuard 8.1.0

Related information

SafeGuard File Encryption: Engine build 28 for SafeGuard 8.1.x / 8.2.x

2019-09-25T20:14:00Z

Overview

In this post, you can download build version 28 of the filter driver engine. An overview of all File Encryption Engine Updates is available here.

Applies to the following Sophos products and versions
SafeGuard File Encryption 8.1
SafeGuard File Encryption 8.2
SafeGuard Synchronized Encryption 8.1
SafeGuard Synchronized Encryption 8.2
SafeGuard Data Exchange 8.1
SafeGuard Data Exchange 8.2
SafeGuard Cloud Storage 8.1
SafeGuard Cloud Storage 8.2

Resolved issues (new in File Encryption Engine build 28)

Reference	Symptom / Summary
DPSGN-15209	Compatibility improvement for Sophos Central Intercept X with EDR.
DPSGN-15267	Potential file corruptions when creating PDFs from Catia (Dassault Systèmes).
DPSGN-15306	File encryption filter removes SmartScreen block functionality from file properties.

Resolved issues (already part of File Encryption Engine build 27)

Reference	Symptom or Summary
DPFEE-1173	Local cache corruptions during an update to Windows 10 October 2018 update (W10 version `1809`)
DPSGN-14307	Explorer performance issues in combination with cached files from Windows Quick Access
DPSGN-14462	Increased saving time for files located on network locations (specific applications).
DPSGN-14525	Access rights issues when running specific applications.
DPSGN-14639	`Bluescreen Bugcheck 0x3b (SYSTEM_SERVICE_EXCEPTION)` on Windows 10 version `1809` endpoints
DPSGN-14511	Performance improvements (boot and runtime)
DPSGN-14853	Cannot open encrypted Quickbooks project (other applications potentially affected as well), when SafeGuard File Encryption filter driver is active.
DPSGN-14771 DPSGN-14806 DPSGN-14842	Several boot performance improvements.
DPSGN-14995	High performance impact when accessing files on network shares which are not covered by an encryption rule (requires BypassFilesWithoutPolicyVolumes registry key - see KB132922 for details).
DPSGN-14945	User is unable to save file certain file types (e.g. docx, xlsx).
DPSGN-14987 DPSGN-15016	User gets file in use error when opening or saving xlsx files on network location.
DPSGN-14513	License check of 3rd party application (Dataflex) fails - (requires BypassFilesWithoutPolicyVolumes registry key)
DPSGN-14856 DPSGN-15051	File Encryption driver slows down Windows explorer and search operations on network shares.
DPSGN-15186 DPSGN-15188 DPSGN-15189 DPSGN-15190	Important security fixes and improvements.
DPSGN - 15245	Files located on a WebDAV share, occasionally cannot be deleted when file encryption minifilter is active.
DPSGN -15014	Compatibility improvements
DPSGN - 15265	System might become unresponsive after re-inserting an encrypted optical media
DPSGN - 15261	SGPortable.exe (and msvcr71.dll and msvcp71.dll) get encrypted by initial encryption
DPSGN - 15241	SafeGuard Services not running after update to Windows 10 version 1903 (19H1). This only affects installations of File Encryption Engine build 26.

Download and installation

The File Encryption Engine Update build 28 can be applied to SafeGuard Client version 8.10.0.323, 8.10.2.55 and 8.20.0.83. It automatically updates previously installed File Encryption Engine Updates.

The installers for version 8.10.x can be obtained from this download link.

The installers for version 8.20.x can be obtained from this download link.

Installation for 32-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 28.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 28.msp"
Reboot the endpoint for the changes to take effect

Installation for 64-bit OS

If the SafeGuard Client is already installed

Copy the installer patch files to the corresponding endpoint(s)
Apply the SafeGuard File Encryption Engine update. Example (based on version 8.10): msiexec /update "C:\Install\File Encryption Engine for SGN 8.1 Build 28_x64.msp"
Reboot the endpoint for the changes to take effect

Installation together with SafeGuard Client

Copy the SafeGuard Client and the installer patch files to the corresponding endpoint(s)
Install the SafeGuard Client together with the File Encryption Engine update. Example (based on version 8.10): msiexec /i C:\Install\SGNClient_x64.msi PATCH="C:\Install\File Encryption Engine for SGN 8.1 Build 28_x64.msp"
Reboot the endpoint for the changes to take effect

How to verify if the patch is applied

After the installation, you can see the new File Encryption Engine in the Installed Updates section of Programs and Features.

As this package just contains new filter drivers and no other products components, this update does not change the version or build number of the installed SafeGuard Client. In the SafeGuard Management Center version 8.20, the file filter engine version of this update (3.0.0.28) is also listed in the installed features list of the Client.

Related information

What’s new in Central Device Encryption (CDE) 2.0?

2019-09-04T14:18:00Z

We’re delighted to announce the launch of Central Device Encryption 2.0 for Windows. Among the great new functionality is secure document sharing – enabling users to encrypt Outlook attachments and files before sharing them with internal or external colleagues. Admin enhancements include the ability to prompt for a BitLocker password reset, along with greater visibility into device encryption types. Read on for more details!

Please note, these features are Windows only.

Secure document sharing

With a few clicks, users can create a password-protected file. Encrypted files can only be opened by a recipient with the correct password, they simply need a web browser and valid password to access the documents. Furthermore, a new Outlook add-in enables users to encrypt email attachments before sharing them with internal or external colleagues, safe in the knowledge they remain secure.

Trigger BitLocker password reset

Prompt users to change BitLocker passwords on a regular basis. Admins select the desired reset frequency and receive alerts for users who choose to repeatedly postpone the password change. An immediate password reset prompt can also be sent to specific devices.

Enhanced reporting

Sophos Central now provides details of encryption type, either software-based or hardware-based, along with the algorithm used. For example, admins can see that a device’s hard drive has been encrypted using software-based AES 256-bit encryption.

Software-based encryption

Sophos Central Device Encryption will now apply software-based encryption by default, even if devices support hardware-based encryption. Note that existing devices, already encrypted with hardware based encryption, will not be affected.