conpal LAN Crypt 3.97.0 Client release notes
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well, but they have not run through a QA cycle and will not be analyzed if issues occur.
Platforms supported | 32-bit | 64-bit
Windows 7 (Ultimate / Enterprise / Professional) SP1 (support added Oct 2016) | No | Yes
Windows 10 1607 (RS1), 1703 (RS2), 1709 (RS3), 1803 (RS4), 1809* (RS5) Pro/Enterprise, 1903* (19H1) Pro/Enterprise, 1909* (19H2) Pro/Enterprise, 2004* (20H1) Pro/Enterprise | No | Yes
Windows Server 2012 R2 | No | Yes
Windows Server 2016 | No | Yes
Citrix XenApp 7.9 on Windows Server 2012 R2 | No | Yes
Citrix XenApp 7.18 on Windows Server 2016 | No | Yes

* The patch 20190815_KB4505658 is mandatory for these Windows 10 versions.
Compatibility with SafeGuard Enterprise
SafeGuard LAN Crypt 3.95.3.2 has been tested with SafeGuard Enterprise 7.02 and 8.0. As there are no relevant changes in technology, conpal LAN Crypt 3.97.0 is supported together with SafeGuard Enterprise 8.0.
Please note that conpal LAN Crypt 3.97.0 cannot be used together with SafeGuard Enterprise Synchronized Encryption or with the File Encryption module of SafeGuard Enterprise Location Based File Encryption. These features have to be removed before conpal LAN Crypt can be installed. LAN Crypt can be used together with the Data Exchange (DX) and Cloud Storage (CS) modules of SafeGuard Enterprise. Later versions of SafeGuard Enterprise have not been tested with conpal LAN Crypt.
Upgrade
The conpal LAN Crypt client has been tested as an upgrade from SafeGuard LAN Crypt 3.95.3.2. LAN Crypt client versions 3.71.64 or newer can be upgraded to conpal LAN Crypt 3.97.0 on the supported platforms, but these upgrades have not been tested on a broader base.
Windows 10 Support limitation
When an upgrade to Windows 10 is done or a feature update is applied to Windows 10 (e.g. an update from RS2 to RS4), all data stored in the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Utimaco will be removed.
After the current group policies have been applied to the client, these registry settings will be configured again. If custom settings were made in this registry hive, they have to be applied manually after the Windows 10 upgrade has finished.
New in conpal LAN Crypt Release 3.97.0
- Windows 10 RS5 support
- Basic support of OneDrive (Files On-Demand and SharePoint synchronization have to be switched off; the OneDrive sync app must be configured as an unhandled application). Files stored on the local file system are handled by the LAN Crypt driver. Browser and WebDAV transport are not handled. Storing encrypted files by downloading them via SharePoint or the browser might lead to double-encrypted files (which can be decrypted with the wizard).
- Integration of bugfixes (BSOD, wrong timestamps, especially in Windows 10 1809)
- Integration of security fixes (persistent encryption with Office)
- Integration of earlier patches for SafeGuard LAN Crypt
This client is the foundation for any further support of conpal for LAN Crypt.
We recommend that you install the latest Windows security patches on your clients before installing the conpal Upgrade Release. For clients running Windows 7, you must install all Windows security patches first.
For upgrades from former SafeGuard versions, this Upgrade Release requires the SafeGuard LAN Crypt Client 3.95.3.2 to be installed and SafeGuard LAN Crypt Administration 3.90 to be used.
New in SafeGuard LAN Crypt Release 3.95.3
- Windows 10 RS3/RS4 support
- Windows Server 2016 support
- Integration of bugfixes
For more information, refer to SafeGuard LAN Crypt Windows Client Patch 1806.
We recommend that you install the latest Windows security patches on your clients before installing the SafeGuard client security patch. For clients running Windows 7, you must install all Windows security patches first.
This patch requires the SafeGuard LAN Crypt Client 3.95.1 to be installed.
New in SafeGuard LAN Crypt Release 3.95.2
This Client Patch addresses some security issues with SafeGuard LAN Crypt 3.95.1, which theoretically could be used to obtain local privilege escalations. It also contains all previously released hotfixes for SafeGuard LAN Crypt 3.95.1, which solve several smaller issues.
For more information, refer to Windows Client Patch 1804 for SafeGuard products.
We recommend that you install the latest Windows security patches on your clients before installing the SafeGuard client security patch. For clients running Windows 7, you must install all Windows security patches first.
This patch requires the SafeGuard LAN Crypt client 3.95.1 to be installed.
New in SafeGuard LAN Crypt Release 3.95.1
- Windows 10 Creators Update support
- Integration of bugfixes
Known Issues
- Citrix Terminal Server
  - Client Drive Redirection
    Encryption of files on client drives mapped on a Citrix Terminal Server is not supported; these drives will be ignored by the SafeGuard LAN Crypt encryption filter driver.
  - Streamed applications not supported
    Citrix application streaming is not supported.
- Virus scanners
  - Virus scanner services
    Virus scanner services need to be explicitly allowed to access encrypted files so that they can find viruses inside them.
    - Tested virus scanners
      The following virus scanners have been tested with the SafeGuard LAN Crypt Client:

      Virus Scanner | Executable | Authenticode
      Sophos Endpoint Security and Control, Version 10.8.4 | SavService.exe | Yes
      McAfee Security Center v16.0, McAfee SC 17.8 | Mcshield.exe | Yes
      McAfee Security Center v16.0, McAfee SC 17.8 | mfeavfk.sys | Yes
      Symantec Endpoint Protection 14.2 | ccSvcHst.exe | Yes
      Symantec Endpoint Protection 14.2 | srtsp.sys | No
      Trend Micro Antivirus+ 15.0.1163 | coreServiceShell.exe | Yes
      Microsoft Security Essentials 4.8.1904.1 | msseces.exe | Yes
      Microsoft Security Essentials 4.8.1904.1 | MsMpEng.exe | Yes
      FSecure v17.6 | Fshoster32.exe | Yes
      FSecure v17.6 | Fshoster64.exe | Yes
      Kaspersky v19.0.0.1088(b) | avp.exe | Yes
      Kaspersky v19.0.0.1088(b) | avpui.exe | Yes

    - Configuration of other virus scanners (not tested with this release):

      Virus Scanner | Executable | Authenticode
      Sophos Endpoint Security and Control, Version 11.3.1 Cloud | SavService.exe | Yes
      Symantec Endpoint Protection 11.0.6 MP1 | rtvscan.exe | Yes
      McAfee Endpoint Security 10.2 | Mcshield.exe | Yes
      McAfee Endpoint Security 10.2 | mfeavfk.sys | Yes
      Microsoft Forefront client | msseces.exe | Yes
      Microsoft Forefront client | MsMpEng.exe | Yes
  - Known issues
    - Kaspersky was not able to detect an encrypted virus with its real-time protection on local storage.
    - There is an issue with Sophos Anti-Virus that may cause encrypted files to be locked (either only for write or for read and write access). This is caused by a timing issue in Sophos Anti-Virus if the on-access scanning level is set to 'intensive'.
    - There is an issue with Sophos Anti-Virus that may lead to damaged Microsoft Office documents when saving them in a folder that is made available offline (“OfflineFolder”). To avoid this issue, configure the Sophos Anti-Virus on-access scanner to exclude the folder “C:\Windows\CSC”.
    - On a LAN Crypt Client in combination with Symantec Endpoint Protection 11 and Office 2003, a BSOD may occur when a document is saved on a USB stick. With Symantec Endpoint Protection 11.0.5 (11.0.5002.333) the BSOD does not occur.
    - After receiving a new virus scanner executable via the policy file, the client has to be rebooted.
    - If McAfee Endpoint Security 10.2 and LAN Crypt 3.97.0 are installed on the same machine, Windows 7 clients stop booting with a pulsating Windows logo.
    - If Trend Micro Antivirus+ and LAN Crypt 3.97.0 are installed on Windows 7, it may happen that the LAN Crypt profile cannot be loaded. As a workaround, the folder for the policy file cache (default "%LOCALAPPDATA%\Utimaco\SafeGuard LAN Crypt\Local Policy Cache") must be excluded from the virus scan.
- DFS
  - Domain-based DFS
    In a domain-based DFS, you can access the DFS either via the server name or via the domain name. The encryption rules must always be created in the same form that is used to access the DFS: if the DFS is accessed via the server name, the encryption rule must be based on the server name; if it is accessed via the domain name, the rule must be based on the domain name. If you want to access the DFS both ways, you must define two encryption rules, one with the domain name and one with the server name.
    Example:
    Y: is mapped to \\DOMAIN\DFSROOT
    Encryption rule: Y:\*.* or \\DOMAIN\DFSROOT\*.*
    Z: is mapped to \\SERVER.DOMAIN\DFSROOT
    Encryption rule: Z:\*.* or \\SERVER\DFSROOT\*.*
  - Nested DFS links
    Nested DFS links (DFS links to other DFS links or DFS roots) can be used, but encryption rules must not include a physical path to the DFS link, and there are some known problems in combination with persistent encryption: when copying an encrypted file to a plain folder it may become decrypted, and when moving encrypted files to an ignored/excluded folder they may stay encrypted.
  - Rules using IP addresses not supported
    It is not possible to use rules for DFS that contain the IP address of the server hosting the DFS share.
  - DFS and persistent encryption
    When copying encrypted files to ignored or excluded folders on DFS drives, they may not be stored decrypted.
  - Viewing folders in Windows Explorer
    Viewing folders on a DFS share can cause problems: either the display takes very long, or the folder selection jumps to the root folder after a while. In this case the following registry value can be set:
    [HKEY_LOCAL_MACHINE\Software\Policies\Utimaco\SGLANCrypt\LCShellx]
    IgnoreBuildInOverlayIcons=dword:00000001
    A reboot is necessary to activate the change. Afterwards the Windows overlay icons for shared folders and links are not displayed if a LAN Crypt overlay icon is displayed.
- Network Attached Storage (NAS) devices
  In general, LAN Crypt will operate with network shares hosted on NAS devices. If it is planned to use a NAS device, conpal recommends intensive testing before using LAN Crypt in a production environment.
  However, due to the various Samba implementations and versions, not every NAS device will behave like a Windows Server. Protocol variations are possible, and therefore a few special cases might not work properly in combination with LAN Crypt; for example, a user’s “My Documents” folder might not be encrypted on a filer share. Therefore conpal does not guarantee that encrypted file shares on NAS devices will work under every condition and only provides limited support in cases where issues arise.
- Volume mount points
LAN Crypt does not support volume mount points.
(An encryption rule for a directory that is a volume mount point will not
work.)
The same is true for virtual drives generated
with the SUBST.exe command.
- EFS encryption and NTFS compression
LAN Crypt encrypted files cannot be
(additionally) EFS encrypted or NTFS compressed.
It is possible to EFS decrypt (provided that the
EFS key is available) and/or NTFS decompress files during initial
encryption.
- NTFS rights
  Windows can create new files in, or copy files to, a folder where the following NTFS rights are granted to a user:
  - Traverse Folder / Execute File
  - List Folder / Read Data
  - Read Attributes
  - Read Extended Attributes
  - Create Files / Write Data
  - Read Permissions
  If there is an encryption rule on the folder, the following additional rights have to be granted as well:
  - Create Folders / Append Data
  - Write Attributes
  - Write Extended Attributes
- Backup programs
  Backup programs should be configured as unhandled applications. If you do this, the files will retain their encryption state after a restore. The backup applications from Windows 7 and higher are automatically treated as unhandled applications.
  The backup target files themselves must not be encrypted, because the backup application does not decrypt the backup files and therefore cannot restore them. Because the files included in the backup are already encrypted, it is not necessary to encrypt the backup target files themselves.
- Configuration data
Because the client reads the configuration data
from the Registry during the boot and login process, you may need to
reboot the PC to include any changes to this data.
- SafeGuard Enterprise Data Exchange
  - Profile without key causes problems with SafeGuard Enterprise DX
    There is a known problem when LAN Crypt and SafeGuard Enterprise Data Exchange are installed together. If a LAN Crypt profile without a key is loaded, it is not possible to open or create new files that are SafeGuard Enterprise DX encrypted.
    Workaround: Instead of providing an empty dummy profile for users who shall not encrypt data using LAN Crypt, disable the error message that no profile was found (“SilentMode”) using a group policy.
  - Default Ignore Rules not active after user logon with SafeGuard Enterprise DX
    Please note that SafeGuard Enterprise Data Exchange suppresses the LAN Crypt Default Ignore Rules after user logon, even if no LAN Crypt user profile is loaded. The Default Ignore Rules are active during system boot, but as soon as the user logs on to the system and SafeGuard Enterprise DX is active, they become disabled. This is always the case, even if there are no DX policies.
  - SafeGuard Enterprise DX Encryption Wizard
    If the encryption priority is changed from SGLC to SGNDX, after the next reboot the SafeGuard Enterprise DX encryption wizard starts to re-encrypt files on removable media that were encrypted by LAN Crypt before. This operation fails, because the LAN Crypt keys are not loaded at this time. After the LAN Crypt profile has been loaded, the re-encryption is possible.
- SafeGuard PrivateDisk
LAN Crypt cannot be used to encrypt SafeGuard
PrivateDisk volume files (*.vol).
- CD burning
  - Burning encrypted CDs with the Windows Explorer built-in mechanism
    To create a CD with LAN Crypt encrypted files, use a separate burning application that you must add to the list of unhandled applications. All encrypted files remain encrypted if you then burn them onto a CD.
    As the Windows native burning tool is implemented as an Explorer extension, you cannot use this tool for creating encrypted CDs (you would have to specify Explorer as an unhandled application, which has a huge number of unwanted side effects).
  - Known problem with Nero InCD
    There is an issue with Nero InCD and Office 2003 together with LAN Crypt when encryption rules are set for the CD drive. If an Office 2003 file is stored on the CD, a BSOD may occur while the file is processed (e.g. open, save).
- Certificates
User and administrator certificates must be
located in the current user’s certificate store. Certificates located in
the local computer’s certificate store cannot be used for LAN Crypt.
- Windows 7 and higher
  - Folder overlay icons
    Overlay icons for folder icons in the left-hand tree view are sometimes missing.
  - No key column in Explorer
    It is no longer possible to add a column in Explorer that shows key names or GUIDs for encrypted files.
  - Offline files
    On some machines it may happen that some encrypted offline files are not accessible in offline mode. To avoid this problem, disable indexing of offline files.
  - UAC dialog on inaccessible encrypted files
    If an encrypted file is renamed or deleted and the corresponding key is not available in the LAN Crypt profile, a User Account Control dialog is shown because the file is not accessible. Providing administrator credentials does not allow the file operation in this case, because even as administrator the file cannot be modified when the proper key is not available.
  - Offline Folders
    If Windows Offline Folders are used, it may happen that not all files get synchronized if LAN Crypt is installed. Subsequent synchronization requests should complete the synchronization. If the default location of the offline folder cache (usually C:\Windows\CSC) is changed, an ignore rule should be set on the new folder (e.g. D:\CSC).
- Known problem with crypto.sys
The driver crypto.sys is shipped with different
products, like SafeNet Netscreen Remote, SafeNet VPN and others. There is
a known problem with this driver that can lead to a BSOD.
- Multiple smartcard PIN entries
When LAN Crypt is used together with certain
smartcard middlewares, e.g. Nexus Personal Edition 4.0.1, it may happen
that the user has to enter the smartcard PIN multiple times.
- Compatibility issues with Microsoft SharePoint
Downloading documents from a SharePoint server
may fail if there is an encryption rule set on the folder containing the
temporary internet files.
- Restricted support of short path names
  The following restrictions apply to short path names:
  - The path used in the encryption rule must exist at profile load time (except paths on shares).
  - The path used in the encryption rule must not be renamed after the profile was loaded; otherwise it may happen that the short path name no longer works for this path.
  - The short path name is only handled for absolute path rules (relative path rules are only considered in the form they were entered during profile creation).
- Encrypted applications on network shares
  If an executable file that is stored encrypted on a network share is started, it may happen that the file remains in use even after the application is no longer running. To replace such a file, first rename the existing executable file and then copy the new file.
- User elevation for encrypted executables
If an encrypted executable or installation package
is started and requires a user elevation in Windows 7 or higher, it may
happen that the elevation doesn’t take place and the executable is not
started.
- Profile expiration
If the folder where the LAN Crypt user profiles
are stored is made available for offline access, the profile expiration
will not work if there is no network connection available.
- Deletion of files using psexec.exe
LAN Crypt prevents the deletion of files which
are encrypted and the user is not in possession of the proper key. However
if psexec.exe is used to connect to a machine where SafeGuard LAN Crypt is
installed, it is possible to delete encrypted files without having the
proper key. Opening encrypted files is not possible in such a way.
- Encryption rules on %USERPROFILE%\AppData\Roaming
Setting encryption rules on
%USERPROFILE%\AppData\Roaming may result in several error situations, as
some of these files (e.g. desktop background image) are already accessed
by Windows at a very early logon stage where the LAN Crypt profile is not
yet loaded.
In general it is not recommended to encrypt
files in this folder. Encryption will only work for files which are
accessed after the LAN Crypt profile was loaded.
- Multiple rules for the same target
If more than one rule is defined for the same
target path (e.g. rule 1 for x:\*.*, rule 2 for y:\*.*, x: and y: are both
mapped to the same share), only the first matching rule according to the
current rule sort order is applied.
- Missing overlay icons
  The number of different overlay icons is limited by Windows, so if another application is installed that also uses overlay icons (e.g. the SharePoint extension in Microsoft Office), the LAN Crypt overlay icons may disappear. See the following knowledge base article on how to enable the overlay icons again: http://www.sophos.com/en-us/support/knowledgebase/108784.aspx
- When a shortcut to a web page is right-clicked, no LAN Crypt entry is visible in the Explorer context menu.
- Rules using IP addresses (v4/v6) will only match
if the network share was mapped using the IP address. There is no DNS
resolving done in the filter driver, so when the very same network share
is mapped using the server name, the rule will not match.
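The DFS rule example in the DFS section, the first-match behaviour of multiple rules for one target, and the note above on IP-address rules, modelled together in one added example (this is not code from the conpal release notes or the LAN Crypt product; the drive mappings, key names, the address 10.0.0.5 and the expansion of drive letters to UNC paths are constructed assumptions):

```python
r"""Added example, not from the conpal release notes or the LAN Crypt product: a
small model of LAN Crypt-style encryption rule matching, illustrating that a DFS
reached as \\DOMAIN\DFSROOT and as \\SERVER\DFSROOT needs two rules, that a rule
with an IP address matches only a share mapped by that IP (no DNS resolution in
the filter driver), and that with several rules for one target the first in sort
order wins. Assumptions, not documented product behaviour: a mapped drive letter is
expanded to its UNC target before comparison, host/domain names and IP addresses
are compared as literal text, and only the '<prefix>\*.*' rule form is modelled."""
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARD = r"\*.*"

@dataclass(frozen=True)
class Rule:
    pattern: str  # e.g. r"Y:\*.*" or r"\\DOMAIN\DFSROOT\*.*"
    key: str      # key the rule applies (constructed names below)

def expand_drive(path: str, drive_map: Dict[str, str]) -> str:
    """Replace a mapped drive letter such as 'Y:' with its UNC target; UNC paths pass through."""
    if len(path) >= 2 and path[1] == ":":
        target = drive_map.get(path[:2].upper())
        if target is None:
            raise ValueError(f"unmapped drive {path[:2]}")
        return target + path[2:]
    return path

def rule_matches(rule: Rule, file_path: str, drive_map: Dict[str, str]) -> bool:
    """True if file_path lies under the rule prefix after drive expansion (no name resolution)."""
    if not rule.pattern.endswith(WILDCARD):
        raise ValueError("only '<prefix>\\*.*' rules are modelled")
    prefix = expand_drive(rule.pattern[:-len(WILDCARD)], drive_map).lower()
    return expand_drive(file_path, drive_map).lower().startswith(prefix + "\\")

def effective_rule(rules: List[Rule], file_path: str, drive_map: Dict[str, str]) -> Optional[Rule]:
    """Rules are in the client's sort order; the first matching rule is the one applied."""
    for rule in rules:
        if rule_matches(rule, file_path, drive_map):
            return rule
    return None

# Constructed drive mappings: Y: and Z: reach the same DFS root by domain name and by
# server name; X: is a second mapping of the domain-based root (shows first-match);
# N: and M: are one constructed filer mapped once by IP address and once by name.
DRIVE_MAP = {
    "Y:": r"\\DOMAIN\DFSROOT",
    "Z:": r"\\SERVER\DFSROOT",
    "X:": r"\\DOMAIN\DFSROOT",
    "N:": r"\\10.0.0.5\SHARE",
    "M:": r"\\FILER\SHARE",
}

# Constructed rule set, already in sort order.
RULES = [
    Rule(r"X:\*.*", "KEY_X_FIRST"),
    Rule(r"Y:\*.*", "KEY_DFS_DOMAIN"),
    Rule(r"\\SERVER\DFSROOT\*.*", "KEY_DFS_SERVER"),
    Rule(r"\\10.0.0.5\SHARE\*.*", "KEY_BY_IP"),
]

def key_for(path: str) -> Optional[str]:
    """Key the model would apply to path under RULES, or None if no rule matches."""
    rule = effective_rule(RULES, path, DRIVE_MAP)
    return rule.key if rule else None
```

Under this model a file opened via Y: or via \\DOMAIN\DFSROOT gets KEY_X_FIRST (the earlier X: rule wins), a file opened via Z: gets KEY_DFS_SERVER, and the filer reached by name (M:) matches no rule although the IP-based rule covers the same share.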
- Verification of the encryption status using the Initial Encryption Wizard
  - Encrypted files for which the user has no key are counted as "failed to open" instead of "already encrypted".
  - Files that are encrypted with an algorithm other than the currently configured one (e.g. encrypted with XTS-AES while CBC is configured) are reported as "Encrypted with another key" instead of "Encrypted with another algorithm".
- Encryption of VHD (Virtual Hard Disk) and WIM
(Windows Imaging Format) files is not supported.
- Microsoft Virtual Desktop Infrastructure is not
supported.
- Client API
  - Installation of the Client API fails on Windows 7 64-bit if Sophos Endpoint 11.5 (managed by Central) is also installed on the same machine.
- Paths which are longer than 520 characters are
not supported.
- If features are added or removed from an existing
installation, a warning dialog is displayed that this operating system is
not supported. This dialog can be ignored.
- conpal LAN Crypt 3.97.0 does not attach the encryption filter to the system drive when only one partition is configured. This behaviour has been known since SafeGuard LAN Crypt 3.95.3.2.
- The rebranding from Sophos SafeGuard to conpal
has been started, but is intentionally incomplete. The rebranding will be
completed in a later version.
- 3rd party licence agreement not up-to-date in
Client 3.97.0. The relevant newer version of the 3rd party licence
agreement (with conpal 2019 branding) exists in the install folder of the
client CD but the old version (SG 2017 branding) will be installed in
C:\Program Files (x86)\Sophos\SafeGuard LAN Crypt.