This knowledge base article explains how to handle database files on systems with a SafeGuard Enterprise file encryption module.
Applies to the following Sophos product(s) and version(s): SafeGuard File Encryption, SafeGuard Synchronized Encryption, SafeGuard Data Exchange, SafeGuard Cloud Storage
The encryption of database files (e.g. MS Access, SQL, Lotus Notes, Oracle) might result in technical issues, and we therefore strongly advise against it for the following reasons.
Sophos cannot guarantee that database applications use standard interfaces for file I/O. In our experience, database applications are usually optimized for performance in their read and write access to the database files. In such cases the filter driver might be bypassed, so the SafeGuard Enterprise filter driver fails to encrypt or decrypt all the data transferred. In the worst case this will lead to data loss or crashes. Even if it appears to work in general, the performance impact might be severe.
Furthermore, problems in multi-user operation are to be expected, since SafeGuard Enterprise locks certain data areas in 512-byte blocks (due to encryption). Some applications are not developed with sufficient fault tolerance to deal with such restrictions; hence, they cannot be used together with SafeGuard encryption.
Also, we have to assume that a database application must be running in user mode; otherwise the encryption key of SafeGuard Enterprise won't be used for encryption. This also applies to client or server applications that run in different address spaces.
Based on these facts, SafeGuard Enterprise does not support the encryption of Microsoft SQL Server, Oracle, MS Access, Lotus Notes and other database files.
To encrypt database content with full database functionality, integrated encryption methods of the database application should be used instead. Folders that contain database files should be ignored in the SafeGuard Encryption policy (version 8.0) or bypassed by the file encryption minifilter (as of version 8.10).
Example (based on version 8.10.x + File Encryption Engine update build 25 / 8.20.0):
Create a "Bypass Rule" for a share or folder(s) that should not be touched by the encryption filter driver.
Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SophosDt2\Parameters] and create a REG_MULTI_SZ value named 'BypassRules'. Add the full UNC path as its data, e.g. \\server\share\test\*
Depending on how the client connects to a share, it may be necessary to use the FQDN.
Download the attached file BypassRule.txt, rename it to .reg and apply it to the client. The file creates the required registry key and adds the path \\server\share\test\* to 'BypassRules'. Adapt this value to your requirements.
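As an alternative to editing the registry by hand, the following added example (not Sophos-provided code and not the content of BypassRule.txt) appends paths to 'BypassRules' without overwriting rules that are already present. The function name Add-SafeGuardBypassRule and the host name server.example.com are hypothetical, and the script assumes the Parameters key already exists on the client.

```powershell
# Added example. Function name and sample paths are illustrative, not Sophos-provided.
function Add-SafeGuardBypassRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Path)

    # Key and value name as given in the article.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\services\SophosDt2\Parameters'
    $name = 'BypassRules'

    # Assumption: the key exists once the file encryption module is installed.
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Registry key not found: $key"
    }

    # Load the current rules (if any) so existing entries are preserved.
    $rules = [System.Collections.Generic.List[string]]::new()
    $item  = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($r in @($item.$name)) { if ($r) { $rules.Add($r) } }
    }

    # Append only new, non-empty paths; -notcontains compares case-insensitively.
    $added = @()
    foreach ($p in $Path) {
        $p = $p.Trim()
        if ($p -and $rules -notcontains $p) { $rules.Add($p); $added += $p }
    }

    if ($added.Count -eq 0) {
        Write-Verbose 'BypassRules already contains every requested path.'
    }
    elseif ($PSCmdlet.ShouldProcess("$key\$name", "Add $($added -join ', ')")) {
        # -Force overwrites the value and keeps it typed as REG_MULTI_SZ.
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType MultiString `
            -Value $rules.ToArray() -Force | Out-Null
    }
    # Return the rule list (as it is, or would be with -WhatIf) for review.
    return $rules.ToArray()
}

# Constructed sample: the article's path plus an FQDN form of the same share.
# -WhatIf makes this a dry run; remove it (in an elevated session) to write the value.
Add-SafeGuardBypassRule -Path '\\server\share\test\*', '\\server.example.com\share\test\*' -WhatIf
```

Files under a bypassed path are not touched by the encryption filter driver, so keep each rule scoped to the folders that actually hold database files and review the returned list before removing -WhatIf.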