Safeguard Enterprise v8.30 Release Notes

Hi Community,

Safeguard Enterprise v8.30 has been released.

Note: This version supports Mac OS 10.15 (Catalina).

Requirements

Platforms supported 32 bit 64 bit Recommended
available
disk space
Recommended
minimum
RAM
SafeGuard Client (Windows)
Windows 8.1
Pro, Enterprise Edition
  100MB 2GB*
Windows 10 RS3Windows 10 RS4Windows 10 RS5Windows 10 19H1Windows 10 19H2
Pro, Enterprise, Education

Windows 10 Enterprise 2015 LTSB, Windows 10 Enterprise 2016 LTSB, Windows 10 Enterprise LTSC 2019
  100MB 2GB*
SafeGuard Client (Mac OS X)
Mac OS High Sierra (OS X 10.13)    100MB  4GB*
Mac OS Mojave (OS X 10.14)    100MB  8GB*
Mac OS Catalina (OS X 10.15)    100MB  8GB*
SafeGuard Management Center
Windows 8.1
Pro, Enterprise Edition
  1GB 1GB*
Windows 10 RS3Windows 10 RS4Windows 10 RS5Windows 10 19H1Windows 10 19H2
Pro, Enterprise, Education

Windows 10 Enterprise 2015 LTSB, Windows 10 Enterprise 2016 LTSB, Windows 10 Enterprise LTSC 2019
  1GB 1GB*
Windows Server 2012 / Server 2012 R2    1GB 2GB*
Windows Server 2016     1GB 2GB*
Windows Server 2019    2GB 4GB*
SafeGuard Enterprise Server
Windows Server 2012 / Server 2012 R2    1GB 2GB*
Windows Server 2016    1GB 2GB*
Windows Server 2019    2GB 4GB*

Windows Small Business Server and Windows Server Essentials are not supported. 

* Not all of this memory is used by SafeGuard Enterprise.

Windows (Client and Backend)

Client

  • Internet Explorer Version 10 or higher
  • Supported Web browsers for password encrypted files are MS Internet Explorer 11, MS Edge (Windows), Chrome (Windows, Android, OS X), Firefox (Windows, Android, OS X) and Opera (Windows, Android, OS X)
  • .NET Framework 4.5

Server/Management Center

  • .NET Framework 4.5
  • Internet Explorer Version 10 or higher

SafeGuard Database

The supported SQL Server versions can be found here.

Noticeable Changes / New Features

  • Added support for macOS 10.15 (Catalina)
  • Added support for Windows 10 November 2019 Update (also known as Windows 10 19H2, Windows 10 version 1909)
  • Encryption keys of a machine with a Sophos endpoint that supports reporting a health state, can now also be automatically removed when using Location Based Encryption.
  • It is now possible for a security officer that has been promoted from Active Directory to authenticate and allow an action when additional officer authentication has been defined.
  • The “About” box now shows the installed modules and the versions of the driver and the modules.
  • BitLocker Password Protector can now also be configured as primary logon method.
  • Changes in the HTML5 Wrapper (“Password Protect a File”)
    • Supports putting more than one file in one HTML5 encrypted file
    • Password rules are now displayed
    • Support for Safari
  • OpenSSL components are upgraded to version 1.1.1
  • Bitlocker Challenge/Response module has been removed 
  • Improved Outlook Add-In (32bit MS Outlook only)

Known Issues

SafeGuard Management Center

  • There are some GUI layout problems on machines configured for resolutions other than 96 DPI.
  • Management Console log events may not be created when calling similar functionality concurrently via the SafeGuard API.
  • Clients which have been registered as members of a domain, will not be updated properly in the SafeGuard Management Center, if they are moved to a Windows Workgroup.
  • Starting a new remote desktop session to a computer where a Management Center or Server upgrade is in progress will cause the upgrade to fail. The new remote desktop session will execute RunOnce registry entries to delete the Local Cache and the SafeGuard registry entries.
  • User auto-registration of SafeGuard 6.0 Clients.
    When the SafeGuard Client has version 6.0 and users log on using the format name@domain or domain\name, then auto-registration of these users leads to a problem with the Active Directory synchronization later. Instead of moving the auto-registered user to the correct organizational unit, the Active Directory synchronization instead will generate a duplicate user object. This issue can be solved by importing new users into the Management Center before they do their first logon on the Client. Another workaround would be to correct the pre-Windows 2000 user name of the user in the auto-registered folder in the Management Center (via Context Menu > Properties). If a duplicate user object already exists, the one imported from Active Directory should be deleted.
  • When the database schema is automatically upgraded during the first start of an upgraded Management Center, a backup is created. If there is an automatic backup scheduled, this needs to be adapted again afterwards. DPSGN-4728
  • File Encryption policies still offers <Program Files> as placeholder, this is in there for compatibility reasons with older clients, but will no longer have an effect for SafeGuard 8.1 or newer Clients. DPSGN-13725

SafeGuard Enterprise Server

  • A reboot is required before re-installing the SafeGuard Server
    Although there is no explicit message to do so, a reboot is required after uninstalling SafeGuard Server components and before reinstalling them. (DEF49516)
  • The method CreateDirectoryConnection does not run on a SafeGuard Server alone. The machine must also have the SafeGuard Management Console installed for this API.
  • Slow upgrade process of SafeGuard Server and Management Center. DPSGN-3884
    The upgrade of the SafeGuard Server and Management Center may take a long time. Do not cancel or interrupt the upgrade process.
  • When using Internet Explorer on a Server 2016 / 2019 to open the WebHelpDesk Website, it needs to be ensured that https://<servername>" and/or "https://<server IP>" are added to the "Trusted sites".

SafeGuard Data Exchange Client

  • Not all options are shown when operating a device as Portable Device.
    When operating a removable media in Portable Device mode, some of the options of SafeGuard DX are not available in Windows Explorer. Overlay icons indicating a file's encryption status are missing as well as the menu option introduced by SafeGuard DX in a file's context menu. Nevertheless any applicable encryption policy is enforced for files that reside on the removable device, regardless whether it is referenced via the Portable Device tree or the assigned drive letter.
  • User elevation for encrypted executable.
    If an encrypted executable or installation package is started and requires a user elevation, it may happen that the elevation doesn't take place and the executable is not started.
  • Access to key ring after closing a remote session (RDP).
    A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access to the key ring.

SafeGuard Synchronized Encryption

  • SafeGuard Outlook Add-in: When sending more than one encrypted file (for example, textfile.txt and spreadsheet.xls) the file contents could get interchanged. The Texfile.txt includes the Excel content and spreadsheet.xls includes the textfile content. DPSGN-7503
    This issue can be avoided by installing the recommended MS Office Updates.
    Update for Microsoft Outlook 2010 (KB3114570) 32-Bit Edition --> Microsoft Outlook 2010 (14.0.7165.5000) SP2 MSO (14.0.7165.5000).
    Update for Microsoft Outlook 2010 (KB3114756) --> Microsoft Outlook 2010 (14.0.7166.5000) SP2 MSO (14.0.7166.5000).
  • Under certain circumstances the Outlook Add-In might take to long to load and automatically gets disabled by Outlook.
  • Files do not get encrypted when uploaded using the Send to Dropbox option of the context menu. This happens, because the application that performs the upload (Dropbox.exe) is configured as ignored application and therefore the file encryption status does not change. DPSGN-6326
  • Defining web browsers as in application is not recommended. Because of the variety of existing browsers and their plugins this might cause compatibility issues. DPSGN-9673
  • Encryption of files fails in a OneDrive synchronization folder if a new file is created using the Windows Explorer Extension (for example, right mouse click|New|Microsoft Word Document|). DPSGN-6091
  • Using ZIP files in Office documents.
    If a ZIP archive included in an encrypted Office Document, is moved out of the document it will contain plain files, regardless of encryption policy. Reason: When a ZIP file is drag and dropped into, for example MS Word, then the ZIP file will be read by Word and therefore it is unencrypted in Word. When the ZIP file later on is drag and dropped out from Word into a directory, Win Explorer (not authenticated application) takes over and the file will be created unencrypted. Workaround: Encrypt the file manually (context menu of the file). DPSGN-9179
  • Password encryption / decryption with MS Edge browser is not working on Windows computers with a single core processor.
  • In MS Office documents embedded objects (for example, MS Excel objects in MS Word) requires the definition of the corresponding application as in application as well. DPSGN-7085

SafeGuard File Encryption

  • EFS is not supported. The EFS attribute can neither be set nor removed from files or folders and access to EFS encrypted files is denied. DPFEE-1149
  • Encrypted MS Office files stored on SharePoint get decrypted when they are modified. DPSGN-13628
  • NTFS Compression is not supported, files will be automatically decompressed.
  • Sophos recommends the use of SSD drives for best possible performance.
  • SafeGuard file encryption modules are not compatible with MarkAny's file filter driver cbfltfs.sys. Using both products together can result in BSODs or a not starting operating system. 
  • UAC virtualization is not supported, which can result in compatibility issues with 3rd party software (applies to all file encryption modules).

General

  • Fast user switching is not supported and must be disabled.
  • The Windows 10 feature Improved Boot Up Experience is not supported and can cause several issues on clients that are part of a workgroup, it therefore needs to be disabled see SafeGuard File Encryption, SafeGuard BitLocker Client: Login to SafeGuard Credential Provider fails to unlock the User's keyring on Windows 10 (version 1709) when the machine is part of a Workgroup for details.
  • Direct modifications to the original Sophos product MSI Installer Packages are not supported.  
  • SafeGuard 6.0 Clients cannot auto-register new users who log in with an alternate user principle name (UPN) suffix. It is recommended to use NetBIOS usernames on SafeGuard 6.0 Clients or older.
  • Internet Explorer Warning when downloading SGPortable
    SafeGuard Cloud Storage automatically uploads SGPortable.exe to the Cloud. However, if downloaded with Internet Explorer, its Smart Screen Filter may block the download. Please ignore the warning, that SGPortable.exe is not trusted and accept the download anyway. After download SGPortable.exe reports that MSVCP71.dll is missing. Downloading this DLL from the internet will finally resolve the problem.
  • SafeGuard Enterprise is not fully compatible to using Windows accounts with an empty password. If a computer is member of a workgroup (i.e. not in a domain) and the last user tile on the logon screen represents a user with an empty password at all, any password entered in the Safeguard credential provider for this user will successfully log on this user. Moreover, if a wrong password is entered for a different user, this can result in the user with the empty password being logged on instead of the selected user.
  • The SafeGuard Credential Provider used to logon to the OS offers  Username and Password fields in the Set up a PIN dialog on Windows 10. Workaround: Use the SafeGuard Token tile for logon with Token. DPSGN-5823
  • File Tracking events are note reported when writing files on optical media fails, if the medium is burned in mastered mode. The File Tracking feature supports the Live File System format only and not the Mastered Disc Format.  DPSGN-9709
  • BitLocker recovery keys are not rotated after use if the recovery is not done using the Management Center or WebHelpDesk (for example, using Sophos Secure Workspace). DPSGN-9902

Compatibility

  • Sophos SafeGuard LAN Crypt is not compatible with SafeGuard 8.3.
  • Synchronization of keyring is possible with Sophos Mobile Control 8.0 an newer versions (requires at least Sophos Secure Workspace 8.5 on the mobile device).
  • Synchronization of BitLocker recovery keys requires at least Sophos Mobile Control 8.0.
  • SafeGuard Enterprise has not been tested in conjunction with an installed Novell Client for Windows. Restrictions may apply as there is no intercommunication between the logon components of both products.
  • AbsoluteSoftware Computrace.
    SafeGuard Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated track-0 based persistent agent installed.
  • Compatibility to imaging tools has not been tested and is therefore not supported by Sophos.
  • Windows Defender: The Controlled Folder Access feature is not supported and can interfere with SafeGuard. 
  • BitLocker Management is not supported on Apple's Boot Camp 

Token/Smart card

  • Disconnecting an USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware.
    In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected. (DEF66637)
  • Smart Card/Token PIN with special characters does not work with some middlewares (DPSGN-3674).
    Defining a PIN that contains special characters (for example, ä, ü, ö) might lead to issues with several middlewares.

Not supported

  • The SafeGuard Client does not support logon with Microsoft accounts (formally known as Windows Live ID).
  • The SafeGuard Client does not support the Windows 8.1 / Windows 10 logon methods like PIN and Picture, MS Hello, Virtual Smartcards, MS Passport, etc.
  • Microsoft Azure based SQL database and Azure based Active Directory
  • If BitLocker is managed by SafeGuard, it is not allowed to manage it in parallel via MBAM (Microsoft BitLocker Administration and Monitoring), the manage-bde command line tool, Group Policies (besides the settings listed in the ReleaseNotes) or the Windows Control Panel.
  • Only the Bitlocker Logon modes listed in the authentication policy in the Management Center are supported. 
  • The BitLocker C/R dialog in UEFI cannot be used with touch screens as it has no on-screen keyboard. The dialog has to be used with a physical keyboard.
  • When storing the BitLocker startup key on a SafeGuard Data Exchange (DX) encrypted USB stick, then it won't be possible to use it to unlock the boot volume. This is because the unlock is executed before Windows starts and at this phase no DX filter driver for decryption of the key exists.
  • The fingerprint reader Validity VFS5011 is not supported by the SafeGuard Client for logon.
  • Defining File Encryption rules for a domain DFS is not possible.
  • The encryption of files in a Box cloud storage folder is no longer possible due to changes in the Box client. DPSGN-14331
  • Google Drive file stream is not supported. The local file cache location must be excluded from file encryption to avoid data corruption. DPSGN-15116
  • The auto-detection of OneDrive / OneDrive for Business as Cloud Storage provider does not work in the latest versions of Onedrive. A workaround is described in KB125710

Limitations 

  • BitLocker configuration via GPOs.
    Only BitLocker group policies settings (GPOs) mentioned below, should be configured if BitLocker is managed by SafeGuard. Required settings are automatically applied during the installation of the client.
  • Require additional authentication at startup
  • Allow BitLocker without a compatible TPM
  • Enable use of BitLocker authentication requiring pre-boot keyboard input on slates
  • Configure minimum PIN length for startup
  • Turn on TPM backup to Active Directory Domain Services

All other BitLocker group policies must be left to default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management. 

  • When enabling the SafeGuard policy BitLocker Logon mode with the setting TPM + PIN (default), consider that tablet PCs require an external keyboard to enter the TPM PIN during Pre-Boot phase. The on screen keyboard cannot be used to enter the PIN. It is recommended to use a TPM only policy for such devices.
  • BitLocker encryption dialog keeps reappearing on Windows Slate computers (for example, MS Surface Pro 5) - DPSGN-3922
    On Windows Slate computers, the BitLocker encryption dialog keeps reappearing and encryption does not start. This occurs when the group policy setting Enable use of BitLocker authentication requiring pre-boot keyboard input on slates is not set and TPM+PIN or password authentication is mandated by the authentication policy. Enabling the group policy setting or changing the authentication policy resolves this issue. 
  • Virtualization platform support.
    The SafeGuard Client only supports VMware Workstation and Player as virtualization platform. All other platforms like VMware ESX/ESXi Server, Microsoft Virtual PC, Microsoft Hyper-V are not supported. VirtualBox is incompatible with SafeGuard 8.3 and might cause BSODs (IRQL_NOT_LESS_OR_EQUAL).
  • Takeover of BitLocker data drives in standalone mode
    When the SafeGuard Client is run in standalone mode, then already encrypted BitLocker data drives are taken over in the moment when the client config package is applied. In order that this can succeed, all data drives must be unlocked before the client config package is applied. Locked data drives are ignored which means that their recovery password won't be written to the key backup file.
  • Rotation of the recovery password.
    The recovery password is changed automatically for managed clients once a recovery is executed. For standalone clients the recovery password remains unchanged after a recovery, but it can be changed manually be uninstalling the client config package and installing it again.
  • Windows 8.1 / Windows 10 fast startup option affects some behavior of SafeGuard Enterprise
    If the new Fast startup option in Windows 8.1 and higher is turned on as Microsoft recommends, some behavior in SafeGuard Enterprise is affected. For system services like the SafeGuard Authentication service the fast startup is technically seen identical with hibernation. So all SafeGuard Enterprise functionality triggered by the boot process is affected and needs a restart instead of shutdown/boot. One example is the registration of new users as SafeGuard user during first Windows logon after machine boot process. In order to have the self-enrollment enabled upon next boot a warm-boot has to be initiated or a complete shutdown/cold-boot has to be forced.
  • According to the recommendation of Intel, also Sophos recommends, to disable Intel Rapid Start Technology when using software-based encryption.  
  • Recovery of unmanaged BitLocker volumes not supported for standalone configurations - DPSGN-3901
    Access to BitLocker-encrypted volumes which have not been taken over by SafeGuard (i.e., when no SafeGuard encryption policy for them exists) cannot be recovered via the SafeGuard Management Center. This issue is limited to standalone client configurations.
  • Trusted application configuration breaks when update changes application path. DPSGN-3720
    Some application updates change the absolute path of their executables. In these cases, SGN's policy configuration for trusted applications needs to be updated as well. For example,
    Symantec Anti-Virus installs to a directory path containing its version number. The configuration for SafeGuard trusted applications needs to be changed to point to the new path where the executable is found.
  • Microsoft Internet Explorer fails to download encrypted files from Dropbox - DPSGN-2088
    Files encrypted with SafeGuard Cloud Storage cannot be downloaded using Microsoft Internet Explorer.
  • FIPS mode not supported on Windows 8 clients. DPSGN-1257
    SafeGuard Enterprise does not support managing BitLocker encryption on Windows 8 clients with enabled GPO setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Recovery of such clients, using the SafeGuard Management Center, is not possible. Note that FIPS mode on Windows 8.1 and Windows 10 clients is supported.
  • User workflow is affected when uploading encrypted files using a browser
    • Encrypted documents that are uploaded using a browser end-up encrypted on the server. This may break some functionality users are used to (for example, document preview, server-side document indexing, in-browser editing etc.).
    • The plain content of encrypted documents can’t be accessed by server-side processes. This, for example prevents servers from indexing documents and thus breaks/limits search capabilities.
  • MS Office 365 offers direct storing of files in the cloud (OneDrive). If this functionality is used and the Office 365 apps, for example, MS Word, are defined as In application you have to configure the path <Local App Data>\Microsoft in the application based policy as an exclusion from encryption. This avoids an unencrypted upload of files to the cloud. DPSGN-9615
  • Windows Search cannot look into encrypted files and is therefore not able to index content of encrypted files.
  • SafeGuard file encryption modules are incompatible with OneDrive's Files On-Demand feature (introduced with Windows 10 Fall Creators Updated). Please refer to Incompatibility of SafeGuard File Encryption modules and OneDrive Files On-Demand feature for full details.
  • The SafeGuard file encryption related modules do not support roaming profiles or folder re-directions.
  • The SafeGuard Outlook Add-In is only available for 32 bit versions of Outlook.
  • When copying files from a local location to either a Network Share or a Removable Media, the Explorer's calculation of speed and time remaining might not be working correctly anymore. DPSGN-14821

Anti-Virus products tested with SafeGuard Enterprise

SafeGuard Enterprise has been successfully tested together with the Anti-Virus products by Sophos as well as the following:

Manufacturer

Product

Version

Symantec Endpoint Protection 14.2.4815.1101.105
McAfee Total Protection 16.0 R20
Microsoft Defender  Antimalware Client Version: 4.18.1909.6
Engine Version: 1.1.16400.2
Antivirus Version: 1.303.1727.0
Antispyware Version: 1.303.1727.0
Trend-Micro Anti-virus+ Security 16.0.1151
Kaspersky Internet Security  20.0.14.1085
  

 

Mac OS X Device Encryption Client

Limitations

Directory users

  • FileVault 2 requires either a local account or a mobile account. Please create a mobile account for Active Directory users if they should be able to activate FileVault 2 or if they should be enabled for FileVault 2.

Inventory reporting

  • Drives are only reported if they reside on a GUID partition table. Volumes within an Apple Partition Map or Master Boot Record Partition scheme are not visible in the drive inventory.
  • The encryption status is sometimes not updated in the inventory view until the Mac is rebooted.

Limitations on macOS 10.13

  • The FileVault recovery key is not changed after usage if the system disk is formatted using APFS. 

Apple Open Directory

  • Open Directory users/computers are not supported.
    Pure Open Directory network users (without a mobile account) are asked for their password to enable FileVault 2 or to get enabled for FileVault 2, even though the operation will fail.

Encryption

  • Only the system disk (partition) will be encrypted.

Known Issues

  • It may happen that the recovery key is not available in SafeGuard during the very first restart after enabling the disk encryption, it will be available after a subsequent restart in this case.
  • When the SafeGuard system menu is activated, it may take some time until the SafeGuard icon is displayed in the system menu bar.
  • It may take up to 5 minutes until the correct encryption state is shown in the SafeGuard preference pane after FileVault 2 encryption has finished.
  • Adding the currently logged in user is only provided when the synchronization with the SafeGuard Server is working.
  • The Decrypt System Disk button in the preference pane may be enabled while the encryption is currently running and the preference pane is opened immediately after login and the security officer has assigned a No Encryption policy. Pressing the button will result in an error and the encryption continues. After some minutes, the button will be disabled.
  • The installation, upgrade and uninstallation of SafeGuard Disk Encryption for Mac can take longer (up to 5 - 20 minutes), if your Mac is located behind a firewall. In order to speed up the installation, either disconnect it from any network or allow direct Internet access. Please note that this is a general OS X issue and is caused by the verification of the digital signature via Apple servers, with which SafeGuard’s files are signed.
  • No users are added if FileVault2 was enabled with disk-password: If the system disk is encrypted using the command line tool 'diskutil cs convert / -passphrase ..', a FileVault2 POA gets activated which asks for the disk password.In general it is possible to add additional users when the disk password is known, but this is currently not implemented by SGDE. This would require a new dialog which asks for the users password and for the disk password. Once a user is available in FileVault2, adding additional users works.
  • User & Computers: On a Mac, the Owner flag has no effect! Only the first user FV2-user will be reported as Owner. It's not possible to switch the Owner!
  • VMware Fusion: If Sophos SafeGuard Native Device Encryption is installed in a virtual machine, please ensure that virtual hard disks are configured with the bus type SCSI. Otherwise the disks appear as external drive and they are not reported in the inventory of the management center. To change the bus type, shut down the virtual machine and the go to Virtual Machine > Settings > Hard Drive > Advanced options > Bus type: change to SCSI
  • SafeGuard Device Encryption for Mac does not support Apple bootcamp.

Mac OS X File Encryption Client

System requirements

  • Sophos SafeGuard Enterprise: SafeGuard File Encryption for Mac needs a SafeGuard Enterprise backend, from which it obtains its encryption policies and the encryption keys. During the installation process of the Mac client you will be required to provide and import a SafeGuard Enterprise Client Configuration ZIP file, in order to bind the Mac to its SafeGuard backend.
  • SSL trust to the SafeGuard Server must be configured on client. Please make certain that the correct SSL certificates of the SafeGuard Server(s) are imported into the Mac’s System keychain only, and not in the user’s Login keychain.

  • Communication between SafeGuard OS X Client and SafeGuard Server is only supported with IPv4.
  • Supported client languages: The supported client languages are English, German, and French.

 

Compatibility and upgrades

The compatibility of this release of SafeGuard File Encryption for Mac with previous releases and modules of Sophos is as follows:

  • Only SafeGuard File Encryption for Mac is used:
  • Install SafeGuard File Encryption for Mac and import the SafeGuard Enterprise Client Configuration ZIP file.
  • SafeGuard File Encryption for Mac and SafeGuard Disk Encryption for Mac version 8.3 are used together on the same Mac:
  • Both products take care of each other and can be installed, and uninstalled in any order.
  • If one product is upgraded from a previous version to 8.3 the second product needs to be upgraded as well.

Anti-Virus software

Usually anti-virus software works in two modes:

  • Manual or scheduled mode or
  • Real time scanning or On-access scan mode

The following applies for both modes:

  • Whichever scanning mode you are using, it is not recommended to scan the encrypted files in their original location. This is because you cannot find a virus within an encrypted file.
  • Instead, it is strictly recommended to scan all files in the corresponding SafeGuard Secured volumes. This returns the unencrypted file content and therefore viruses can be detected.
  • Please test, whether the on-access scanner of the installed anti-virus product finds a virus in files on SafeGuard Secured volumes. Please see instructions about the EICAR test file below. 

Sophos Enterprise Anti-Virus for Mac / Sophos Central as well as the below mentioned anti-virus products have been tested with SafeGuard File Encryption for Mac and detect viruses on SafeGuard Secured volumes in both modes under the following circumstances:

  • Scan now or Scan local drives:

Make sure you always scan the SafeGuard Secured volumes or you risk missed detection. If you happen to scan it through the original path, you can do so, it won’t do any harm, but you won’t find any virus, as the file content you scan is encrypted.

  • On-access scanning:

If you have installed SafeGuard File Encryption for Mac, please make sure that the on-access scanner of Sophos Anti-Virus for Mac is turned on and its feature Scan Files on network volumes is switched on as well. This will allow the file content on a SafeGuard Secured volume to be scanned on-access.

If you are using other anti-virus software, make sure that your product is able to detect viruses, too. You can use the EICAR Anti-Malware test file for testing purposes.

Manufacturer

Product

Version

Symantec Endpoint Protection Cloud 8.3 Build 45
Kaspersky Endpoint Security 11.0.0.501c
Trend-Micro Anti-Virus for Mac 10.0.1681

Virus Scanner limitations

  • Virus Scanners option move to Quarantine will not work for all Virus Scanners
  • Most of the virus scanners stop their manual scan if they would leave the current file system. Because the secured mount points act as a file system boundary, they will not be included in the manual scan and must be scanned separately. 

Particularities and limitations

  • The menu icons in the Finder right-click menu do not change the color when "Dark Mode" is enabled (macOS10.14)
  • Files can be accessed via two different paths: the original path and the SafeGuard File Encryption Secured Volume (mount point). Transparent encryption works only on the SafeGuard Secured Volumes.
  • Blacklisted folders: SafeGuard File Encryption for Mac OS X makes certain that folders that are important for OS X to function properly are not and cannot be encrypted by a SafeGuard administrator. Even if a SafeGuard Security Officer specifies an encryption policy for a folder on the blacklist, the client software of SafeGuard File Encryption for Mac OS X will not encrypt file is this folder. This is the list of folders on the blacklist:
    • Folders without sub-folders:
      • <Root>/
      • <Root>/Volumes/
      • <User Profile>/ 
  • Folders including their sub-folders:
  • <Root>/bin/
  • <Root>/sbin/
  • <Root>/usr/
  • <Root>/private/etc/
  • <Root>/dev/
  • <Root>/Applications/
  • <Root>/System/
  • <Root>/Library/
  • <User Profile>/Library/
  • <Removables>/Backups.backupdb/
  • <Removables>/SGPortable/
  • <Removables>/System Volume Information/

  • OSXFuse provides its Secured Volumes as devices.This has several consequences:
    • Volumes will be shown on your OS X Desktop, if configured in the Finder Preferences. Or you can find them using the Finder option Go > Computer
    • The OS X feature Browse All Versions is not supported in Secured Volumes.
  • It is not guaranteed that policies for SafeGuard File Encryption for Mac can be applied immediately (for example, a mounted Secured Folder cannot be unmounted, because files in it are open.) To be on the safe side, please log out and log in again.
  • General Settings policies for Mac must be assigned to the corresponding machines. Assigning the policies to a user has no effect (for example, to define the connection interval).

  • File Encryption policies must be assigned/activated for users or groups that contain the corresponding user objects. 

  • Resetting user password without using Account Preferences (for example resetting password with Active Directory) leads to following problem described in OS X Support KB entry TS5362. As long as you do not apply the solution mentioned there, you will not be able to read encrypted files and will get errors like A keychain cannot be found to store KEK.
  • When you move files from one mount point to another, files will be copied and not moved
  • After fully restoring a Mac with an Apple Time Machine backup on which SafeGuard 8.3 was active (either Device Encryption or File Encryption) it might be that the synchronization with the SafeGuard Enterprise Server does not work anymore.

    This is because the spool daemon user (_sgsd) is wrongly created with a different numerical UID compared to the original installation in some cases by the Time Machine recovery process.

    To resolve this issue please perform the following steps as root user on the terminal (using sudo) until synchronization works again (not all steps may be required):
    • Re-inforce the permissions of the spool directory: #chown -R root:_sgsd /var/spool/sg
    • Delete the current spool directory such that permissions are re-created: #rm –rf /var/spool/sg
    • Delete the stale PID-lock file of the SGSD daemon: # rm –f /tmp/sgsd.pid
  • Cloud Storage Provider
  • The synchronization folder of a cloud storage provider must not be located beneath another encryption rule, for example, it is not possible to set encryption rules on <Documents> and <Documents>/SyncFolder. To encrypt data stored in a cloud, the cloud synchronization folder must be stored somewhere else, for example, ~/SyncFolder.
  • Terminal points to the wrong cloud folder.
  • The overlay icons of the Cloud Storage Provider are no longer visible if an encryption rule for the Cloud folder exists.
  • Folders with encryption rule cannot be shared with SMB. (DPSGN-1114)
  • Folders that can be accessed by multiple users (aka shared folder, for example, /opt/secured): Only the first user gets a secured mount point. The second user gets an error message (Folder is already in use).
    For the other user to get the mount point the user currently having it needs to log out first. Note: This does not affect folders that only belong to one user (like the majority of folders underneath the user home directory (/Users/username/).
  • If iTunes is running while a mount point is created on Documents, the iTunes database cannot be accessed afterwards, because iTunes follows the renamed folder and tries to open the encrypted database.
  • Reopening applications when logging out and back in is not supported (shut down/restart/logoff-logon) (Keep applications open feature)
  • Terminal: When a mount point for some path like for example, ~/Documents is created any terminal whose current working directory (cwd) points to this very path should be exited and re-opened.
  • Finder & Dock will be restarted if a new local file system mount point is created. (This means that the restart does not happen for cloud provider, network and removable mount points)
  • The SafeGuard encryption file system doesn't support permanent version storage (only HFS). Copying a file to a mount point will erase existing previous versions. (This is also the case when copying to a network share)
  • Time Machine: restore must be done using the .sophos_safeguard_xxx Folder
  • Encryption rules on NFS-Shares are not supported
  • Encrypted removable devices formatted with NTFS can only be mounted read only
  • You cannot set up an encryption rule on the root path of an internal disk
  • Writing encrypted files on CD/DVD is not supported
  • Over-mounted folders show the size (capacity and available space) of the disk on which the mount point is created instead of the actual folder size (DPSGN-1095). for example, if an encryption rule for ~/Documents exists, showing the file system info of the directory with Get Info in the Finder will show the capacity of the system disk instead of the actual size used by ~/Documents.
    Workaround: Navigate into the secured mount point, select all files and then do right click Get Info in the Finder. This will show the correct size of the directory occupied on disk.
  • Moving an over-mounted directory in the icon view creates an alias (DPSGN-941)
  • ~/Public/Drop Box encryption rules are not supported
  • Every user who can access our mount point is impersonated as the user who started the mount point – even the root user!
  • Only the user who started the mount point as well as the root user may access the mount point (FUSE allow_root option)
  • However every file system request from our mount point towards the original/underyling FS is issued as the user who started the mount point

Some examples:

  • A file in a directory /enc root:wheel rwx r-x r-x can not be written even if the user elevated privileges with sudo and issues the commando as root
  • Touching a file as root in this directory will end up with the privileges john:wheel rw r r instead of the expected root:wheel rw r r
  • The path of an encryption rule must not contain a comma (DPSGN-2757)
  • Finder: Tag search doesn't work
  • The name of a Secured Folder (this is usually the name of the last directory of an encryption rule) must not exceed 238 characters.
  • Network shares which have a policy applied and are automatically mounted at startup cannot be detected by Sophos File Encryption. It is not possible to overmount such mount points. The original mount point can't be removed (also see Finder: does not have an eject button). There is no difference if auto mount point is created in /mnt/ or /Volumes/.
  • Aliases/symlinks to a directory where the alias/symlink is assigned a different key than the target directory should be avoided as it represents a conflict in which key to use.
    The Mac FE client will do an alphabetic sorting on the rules and the one that comes last alphabetically will be applied, for example:
  • Create a folder for example, /Users/john/enc
  • Create a symlink to that folder, for example, /Users/john/lnkenc
  • Create an encryption rule for <User Profile>\enc with Personal Key
  • Create an encryption rule for the link with a different key, for example, <User Profile>\lnkenc with Root Key
  • -> In this case the Root Key is used as encryption key as lnkenc comes alphabetically after enc
  • If Sophos SafeGuard File Encryption is installed in a VMware Fusion virtual machine, please ensure that virtual hard disks are configured with the bus type SCSI. Otherwise the disks appear as external drive and encryption rules won't be applied correctly. To change the bus type, shut down the virtual machine and the go to Virtual Machine > Settings > Hard Drive > Advanced options > Bus type: change to SCSI
  • In contrast to Windows, OS X does not support file filter drivers which can be used to provide transparent encryption on all locations. To get transparent encryption on OS X, SafeGuard creates mount points for a set of commonly used locations (Desktop, Documents, Pictures, Music, Movies, Downloads, cloud storage provider synchronization folders, removable devices and network shares) which replace the original folder. Now all file operations are redirected through this mount point and the content can be read as usually, because encryption and decryption will be done automatically. If these locations do not fit the requirements, some locations can be excluded from encryption or a policy with defined locations can be used instead (recommended). Use of that technology can lead to the scenario that encrypted files that are moved to folders where no encryption rule is defined, and therefor no mount point for transparent decryption exists, stays encrypted (persistent encryption) and cannot read instantly. They have to be decrypted manually first.
  • Interoperabilty with Cloud Storage Provider
    • Most of the Cloud Storage Providers and SafeGuard are using so called Finder Sync Extensions to display a badge for the files in the Finder. OS X can only handle one single Finder Sync Extension per folder to show badges for the files. As encrypted files can be on every location, SafeGuard registers for the root directory which includes also the cloud storage provider sync folders and this prevents the cloud storage provider sync folders from displaying their status badges and an error notification from the cloud storage provider may be displayed. This can be ignored.
  • Permanent Version Storage Error.
    Permanent Version Storage is only available on Apple’s own file system HFS+. As SafeGuard replaces the original folder with a mount point OS X displays a warning message that the version storage is not available for this file. But these files are still included in Time Machine backups. They can be accessed on a hidden folder. For each mount point SafeGuard creates, there exists also a hidden folder .sophos_safeguard_[Folder Name] on the same location. To restore a single file, the hidden folder has to be selected in Time Machine, for example, Instead of ~/Documents/MyDoc.docx ~/.sophos_safeguard_Documents/MyDoc.docx has to be restored.
  • It is not possible to execute script or applications from a mount point. To get separation of access between allowed applications and not allowed applications from reading encrypted content it was necessary to deactivate caches of the OS. Otherwise not allowed applications are able to read content in plain and IN apps may get encrypted content. Workaround: the executables have to moved from the mount point to a normal folder or the executables have to be started using the hidden folder,  instead of ~/Downloads/test.sh ~/.sophos_safeguard_Downloads/test.sh has to be used.
  • When a removable device is plugged in or a network share gets mounted, there may be a password prompt for an administrative account from sgfsa. This password prompt can be ignored. If there is no mount point created for the device or network share, please re-insert the device or connect again to the the network share.
  • AirDrop creates empty files on Downloads mount point. DPSGN-15254

 

Known issues

Check the known issues for this SafeGuard Enterprise release, since improper configuration of certain options may cause unexpected behaviour.

Note the following additional known issues:

  • SafeGuard File Encryption for Mac 8.3 supports a maximum of 24 secured mount points. Note that this limit only applies to the top level mount points – Nested encryption rules are not affected and can be unlimited (e.g. the rules ~/Documents, ~/Documents/keyA, ~/Documents/keyB will result in only one secured mount point being created).
  • The installation, upgrade and uninstallation of SafeGuard File Encryption for Mac can take longer (up to 5 – 20 minutes), if your Mac is located behind a firewall, which prevents direct access to the Internet. In order to speed up the installation in such a case, either disconnect it from any network or allow direct Internet access. Please note that this is a general issue with OSX Gatekeeper and is caused by the verification of the digital signature via Apple servers, with which SafeGuard’s files are signed.
  • Creation of mobile user accounts at OS X login with confirmation by user: Do not require confirmation of the OS X user before creating a mobile account, as the user can select Don’t Create. Selecting this option will create an incomplete OS X user, for example a user that does not have a local home directory.
  • Show icon preview
    For performance reasons it is recommended to turn off the Finder option Show icon preview.
    This is particularly valid for slow devices or network shares, on which a big number of encrypted files are located.
    Note that application-specific icons (for example Microsoft Office for Mac) are also influenced by the Finder option Show icon preview.
  • If a file was received with MS Outlook, sent by an GMail Web Client, the attached, encrypted file can not be transparently decrypted. Workaround: Decrypt the file manually, via context menu. DPSGN-7449.
  • Mounted DMG files, which are located in a Secured Folder (mount point), are invalidated during the upgrade of SafeGuard Device or File Encryption, because the mount point is re-created during the upgrade. When the client installers are upgraded, the DMG files of the product should either be stored outside of a mount point or only the DMG file for the product which is currently installed should be mounted. DPSGN-7675
  • It is not supported to run virtual machine images stored on secured mount points. Doing so may cause the virtualization application to fail or even freeze your Mac and require a hard reboot. Workaround: Move the virtual machine image to a location that is not covered by a SafeGuard encryption rule (secured mount point).
  • When SafeGuard Synchronized Encryption policy rules are applied it is not possible to execute applications that are located on secured mount points. This applies to executing applications both with the OS X Finder as well as from the Terminal. Workaround: Move the application to a location that is not covered by a SafeGuard Synchronized Encryption policy rule. This limitation does not apply to location based encryption policies. 
  • Copy performance on network shares covered by a SafeGuard Encryption policy may under certain circumstances (very large and/or many files) be considerably lower than the usual native network performance. Workaround: When experiencing such a situation please use the new Direct Paste functionality offered in the right click context menu of the Finder or use the Terminal to copy the files.
  • Mac OS 10.13 and SafeGuard File Encryption 8.30
    • Secured Folders (mount points) may appear in the Devices section of the Finder sidebar. Those entries can be removed manually (contextual menu, Remove from Sidebar), but reappear again with the next login.
    • It may happen, that the encryption icons are not displayed in the Finder. This is especially the case when the machine was rebooted or when the Cover Flow view (⌘4) is enabled in Finder. To show the icons again you can either switch to another folder and then back to the original folder or disable and enable the Sophos SafeGuard Finder extension in the Extensions system preferences.
    • Note: the encryption icons are only displayed for local folders in the home directory (/Users/username), for example Documents, and for encrypted files on data volumes, removable devices and network shares.
    • The performance on network shares may be very poor. This is caused by the smb implementation in macOS 10.13. When copy&paste or duplicate several files in parallel, timeouts may happen which result in partly copied files. In general cifs seems to be more robust instead of smb, i.e. instead of connecting to smb://server/share use cifs://server/share.
    • Several log entries from osascript may be written to the system.log file when encryption rules on a network share or removable device are configured (osascript[xxxx]: AppleEvents: received mach msg which wasn't complex type as expected in getMemoryReference).