SafeGuard Enterprise 6.10.0 Release Notes
Known to apply to the following Sophos product(s) and version(s) SafeGuard Enterprise Server 6.10.0SafeGuard BitLocker Client 6.10.0SafeGuard Cloud Storage 6.10.0SafeGuard Device Encryption 6.10.0SafeGuard File Encryption 6.10.0SafeGuard Management Center / Local Policy Editor 6.10.0SafeGuard Web Helpdesk 6.10.0SafeGuard Data Exchange 6.10.0
Windows Small Business Server and Windows Server Essentials are not supported.
* The installation needs at least 300 MB of free hard disk space. For Device Encryption, at least 100 MB of this free space must be one contiguous area. Please defragment your system before installation if you have below 5 GB free hard disk space and your operating system is not freshly installed to increase the chance that this contiguous area is available. Otherwise, installation may fail due to "not enough free contiguous space” and cannot be supported.
** This memory space is recommended for the PC. Not all of this memory is used by SafeGuard Enterprise.
Information about the MAC OSx clients can be found here:
Sophos SafeGuard File Encryption for Mac 6.10: Release Notes
Sophos SafeGuard Disk Encryption for Mac 6.10: Release Notes
Additional BitLocker Challenge/Response Requirements
If the BitLocker Challenge/Response requirements are not fulfilled, SafeGuard BitLocker will run in a mode without Challenge/Response.
SafeGuard Management Center
The following features have been changed with regard to their default behavior:
Interoperability of SafeGuard Client running on Windows XP with SGN 6.10 backend SGN Clients version 6.01, 6.0 and 5.60, installed on Windows XP are supported with an SGN 6.10 backend in general. Because of the now used SHA-256 algorithm for certificate signing, introduced to increase the level of security, you have to consider the interoperatibility with older SGN Clients: 1. When upgrading the SGN backend from SafeGuard Enterprise 6 or earlier, hash algorithm SHA-1 is still automatically used for self-signed certificates. SGN Clients 6.10. 6.01. 6.0 5.60.1 and 5.60.0 are working with this setting. If only new SGN 6.10 clients will be used then you can change the setting to SHA-256 (Management Center/Options). You have to create SGN configuration packages new, if already done before that change. 2. With a new installation of SGN 6.10 backend and the need to use older SGN clients, because of e.g. running clients with Windows XP, you have to setup the MC installation by changing the default setting to SHA-1.
BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS
This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite. Please contact Matrix42 support for latest details/updates on this issue.
All other BitLocker group policies must be left to default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management. Example: Activating the Group Policy setting "Do not enable Bitlocker until recovery information is stored to AD for operating system drives" leads to a not starting encryption when SafeGuard Bitlocker Challenge/Reponse is installed.
Currently these models are known to not support BitLocker C/R (a fallback to BitLocker is done automatically):
Toshiba L50-A-100, HP EliteBook 850, LENOVO ThinCentre M92p, Acer Iconia W700 with inactive secure boot (workaround exists) Since only a minority of the installed base does satisfy this requirement at the time of the release, C/R is not part of the default setup but has to be selected purposely for installation. In order to avoid problems caused by incompatibility or lack of support it is strongly advised to run a test-installation on desired hardware models before deploying this feature in a production system.
Due to its character as a roaming program, SGPortable may be used in target OS environments whose security state is not known up-front. Consequently, a special flavour of ‘DLL preloading’ (http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx, a.k.a. ‘DLL Hijacking’) may apply: SGPortable (involuntarily) attempts to load certain OS DLLs from its application directory (i.e. the directory where it actually resides) before it attempts to load them from the OS directory where they actually reside (e.g. <Windows>\System32). If an attacker manages to place a malicious DLL in the application directory, its code may get executed when SGPortable starts. Unfortunately, a malicious DLL even gets found and loaded when it is set to hidden! Please note that MSVCP71.dll andMSVCR71.dll are legitimate runtime DLLs that SGPortable loads by default.
In the common case, the program's application directory is the hidden 'SGPortable' (same name!) directory that has been created on the target medium or location by the SGN client. It contains the SGPortable executable itself, the two runtime DLLs, and possibly an SGNKeyTable data file, but no further DLLs. Alternatively, SGPortable (possibly together with its runtime DLLs if they are not already present on the target system) may reside in any arbitrary directory, and get called from there. Especially in that case, DLLs of unknown or dubious origin may already exist in the application directory.
SGPortable provides all available mechanisms to mitigate this vulnerability. Nevertheless, several attack vectors remain open: The vulnerability is unconditionally present in Windows XP (and before). Beginning with Windows Vista and Windows Server 2008, the vulnerability is mitigated when Microsoft Security Patch KB2533623 has been installed on the system. In Windows 8 and Windows Server 2012, there is no such vulnerability.
As a general advice, always install all available Security Patches for the systems under your control. If SGPortable shall run on systems where the vulnerability exists, the user needs to be aware that any DLL (even a hidden one) of unknown or dubious origin in the application directory means a risk. Accordingly, make sure that SGPortable does not get started in such environments.
Back to Sophos SafeGuard Release Notes landing Page
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.