conpal LAN Crypt 4.00.0 Client release notes

Please also note the LAN Crypt 4.00.0 Administration release notes.
conpal LAN Crypt is the successor of SafeGuard LAN Crypt.

conpal LAN Crypt 3.97 Client was the initial conpal release of the client. It contained the fixes and hotfixes of the previous SafeGuard LAN Crypt 3.95 Client, fixed several known issues and added support for current operating systems.

conpal LAN Crypt 4.00 Client is a significant rework of the client technology. The cryptographic base has been reworked with potential certifications and approvals in mind. The underlying filter technology has been rebuilt on Microsoft's minifilter technology to be future-proof and to ensure long-term support of the technology by Microsoft. conpal will develop new client features on the basis of the minifilter technology.

Due to strong customer demand, which grew even stronger during the Corona period, we decided to ship both the legacy filter and the minifilter with the client, and to implement some features that were originally intended for the minifilter only for the legacy filter as well. This was done primarily to offer business continuity for clients based on the legacy filter.

We recommend that existing customers keep using the legacy filter unless minifilter functionality is essentially required.

We have invested great effort in compatibility with the older LAN Crypt encryption methods and were able to ensure extensive compatibility and thus also a simple migration. Nevertheless, we strongly recommend piloting the use of the new technologies.

Manuals, documentation and support

At https://support.conpal.de, registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.

The client manual in French will be available as a PDF for download a couple of days after release. Until then, an old manual with a test page will be available at the link for the French manual.

Download the client product documentation at https://docs.lancrypt.com/de/client/lc_400_hdeu.pdf (German), https://docs.lancrypt.com/en/client/lc_400_heng.pdf (English) and https://docs.lancrypt.com/fr/client/lc_400_hfra.pdf (French).

Last minute changes

Due to urgent customer requests received recently, we decided at the very last moment to treat the legacy driver as the primary filter driver; it is now also installed by default. Customers requested this mainly because new technologies are currently difficult or impossible to pilot.

In this context we therefore recommend examining carefully once again whether the use of the minifilter is really necessary.

Requirements

The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and will not be analysed if issues occur.

Platforms supported | 32-bit | 64-bit
Windows 10 1803 (RS4), 1809 (RS5), 1903 (19H1), 1909 (19H2), 2004 (20H1) Pro/Enterprise | No | Yes
Windows Server 2012 R2 | No | Yes
Windows Server 2016 | No | Yes
Windows Server 2019 | No | Yes
Citrix XenApp 7.9 on Windows Server 2012 R2 | No | Yes
Citrix XenApp 7.18 on Windows Server 2016 | No | Yes
Citrix XenApp 7.15 LTSR on Windows Server 2016 | No | Yes

Upgrade

conpal LAN Crypt 4.00 Client has primarily been tested as an upgrade from conpal LAN Crypt 3.97. SafeGuard LAN Crypt 3.95.3.2 or newer might be upgraded to conpal LAN Crypt 4.00 on the supported platforms, but these upgrades have not been tested on a broader basis and might require paid professional services.

We recommend installing the latest Windows security patches on your clients before installing the conpal LAN Crypt Client release.

New in conpal LAN Crypt Client release 4.00.0
- Windows 10 2004 (20H1) support
- Support of OneDrive Files On-Demand (the OneDrive sync app must be an unhandled application)
- New crypto libraries (for security reasons, to be future-proof and for potential certification and approval)
- Replacement and updates of 3rd party libraries
- Integration of earlier patches for LAN Crypt
- Support of Removables, Opticals, Local Volumes, Boot Volume and Network Shares as keywords in rules. This functionality was developed for the minifilter and, due to strong customer demand, has been adopted for the legacy filter as well. Some behaviour differs: Opticals are supported for the minifilter only, and ignored device types are supported with the minifilter only.
- With the minifilter, the Office 365 print-to-PDF functionality is supported
- One client installation package for standard and terminal server clients

Operation of LAN Crypt 4.00 environments

A mixed operation of LAN Crypt v4 Admin and LAN Crypt v3.x Admin is not supported.
It is possible to run a v3.97 Admin with v4 Clients and v3 Clients.
It is possible to run a v4.00 Admin with v4 Clients and v3 Clients.
XML is the only policy file format supported by v4.00 Admin and v4.00 Clients.
New profile files are created by v4.00 with separate sections for v3 and v4 Clients. The new encryption rules for Removables, Opticals etc. are transported in the new section.
Once new rules have been created with v4.00, it is no longer possible to create profiles with a v3 Admin. Doing so could have negative effects on the client.

Changes
- LAN Crypt 4.00 Client uses conpal registry keys
- LAN Crypt 4.00 Administration still uses the Utimaco/Sophos settings
- On the client side, a service copies the settings into the new, appropriate paths
- This way, no migration of registry keys is needed on the customer side
- Integration of new cryptographic libraries (for security reasons)
- Renewal of 3rd party libraries (for security reasons)
- Integration of a new random number generator (for security reasons)
- The usage of the Client API must be configured in the LAN Crypt Administration and, if the minifilter is used on the client side, the included script to enable permissions for specific applications has to be adapted and executed on the client side
- New client API function ClearProfile
- The EULA has been updated (German, English and French)
- The inventory of 3rd party components has been consolidated and updated
- The minifilter behaves differently in details compared to the legacy filter; most of the differences result in a more correct handling of encryption
- LAN Crypt tools have been moved to the folder LAN Crypt\tools (LC-694)
- EFS encryption is not supported with the minifilter (LC-1240)
- Some registry keys have been changed

Bugfixes
- BSOD "bad pool caller" when configuring python3-cryptography fixed (LC-263)
- The LAN Crypt filter is not "attached" in certain configurations (LC-101)
- Warning indicates loading of a cached profile although none is in the cache (LC-1117)
- Better error message when loading from a cached profile (LC-1026)
- Login to DB (Azure SQL) with Azure AD Interactive authentication leads to crash (LC-1015)
- Display error in encryption status (LC-428)
- Offline folder: Office files cannot be saved (LC-225)
- Several spelling errors and wordings in the product and error messages
- "sglcinit.exe -D": not all sub directory levels are processed (LC-486)
- Explorer Extension -> Encryption status: gaps / incorrect results with multi-select of directories (LC-1001)
- Office files cannot be written, temporary files remain (LC-696)
- New MSO cert is not loaded on client after recovery (LC-248)
- The drives, apps and devices displayed in the client status were limited to a string length of 260. As a result, not all apps were displayed when the character limit was reached. The character limit has now been removed. (LC-29)
- LAN Crypt registry settings for Explorer integration are lost during a Windows 10 in-place upgrade: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\LC Settings (LC-198)

Known issues
- AES-OFB (LC-715)
  - AES-OFB encrypted files can be read and can be re-encrypted to more modern AES modes such as CBC and XTS.
  - Existing OFB-encrypted files might be re-encrypted automatically to the configured CBC or XTS mode when opened.
  - We strongly recommend performing an initial encryption with the wizard to migrate files encrypted with weak algorithms to state-of-the-art algorithms.
- OneDrive:
  - SharePoint synchronization must be switched off
  - Files stored on the local file systems are handled by the LAN Crypt driver. Browser and WebDAV transport is not handled. Storing encrypted files by downloading them with SharePoint or the browser might lead to double-encrypted files (which can be decrypted with the wizard).
  - Microsoft's handling of overlay icons is buggy. The LAN Crypt icons can therefore not be shown correctly. (LC-121)
  - Files On-Demand is supported with the minifilter driver only (LC-1258).
  - Microsoft's Vault is handled by the minifilter only. The legacy filter displays the wrong encryption state (LC-1258).
- OneNote (LC-1256, LC-1243)
  - Encryption of OneNote is not supported. Especially multi-use might lead to corrupted data.
- Windows 10 upgrades:
  When an upgrade to Windows 10 is done or a feature update is applied to Windows 10, all data stored in the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Utimaco will be removed.
  - After the current group policies have been applied to the client, these registry settings will be configured again. If custom settings were made in this registry hive, they must be applied manually after the Windows 10 upgrade has finished.
  - Due to the client-side copy into the new paths, the functionality remains. For the time being the key should be restored by GPO. In a follow-on version the administration will be based on the conpal path in the registry (LC-63)
- Utimaco Disk Encryption (UDE)
  - Interaction with Utimaco Disk Encryption requires pre- and post-installation care during installation, uninstallation and upgrades. Please contact support to ensure clean operation. (LC-1229)
- Windows 2004 (20H1):
  - Windows 10 20H1 bug when renaming files on network shares (LC-1006)
    The problem occurs when an unencrypted file on a network drive is moved (= renamed) to an encrypted folder. In this case the driver should encrypt the file when moving / renaming. With 20H1, however, this does not happen because the driver cannot determine the name of the target file due to an error in Microsoft's filter manager.
    The error was fixed by Microsoft with KB4557957:
    https://support.microsoft.com/de-de/help/4557957/windows-10-update-kb4557957
    https://support.microsoft.com/en-us/help/4557957/windows-10-update-kb4557957
- Minifilter and legacy filter (LC-281, LC-1234):
  Some regular expressions in rules might be handled differently than in 3.97, and differently between legacy filter and minifilter:
  - Some (exotic) expressions are handled differently by the filters of v4 and v3
- Minifilter differences to the legacy filter (1106)
  - Move an encrypted file from an unregulated to a regulated network directory: the file is stored encrypted
  - Move an encrypted file from a regulated network directory to a different one: the file is stored encrypted
  - The minifilter now finally behaves as you would expect, but this does not match the legacy driver's behaviour.
- Minifilter (LC-1360)
  - Wrong handling of explicit rules for file extensions
  - The minifilter does not execute rules like *.ext correctly for encryption and ignore rules.
  - As a workaround, we recommend adding an additional rule like *\*.ext
  - Having both rules, *.ext and *\*.ext, active works as well for V3.9x and V4.0 clients
- Minifilter (LC-1262, LC-1323)
  - Indexing was and is switched off by default with the legacy filter (V3.97, V4.0)
  - The minifilter requires Searchprotocolhost.exe to be added as an unhandled application to prohibit indexing.
  - Future versions will implement the original behaviour of the legacy filter, where indexing has to be switched on explicitly (parameter AllowIndexing).
- Minifilter (LC-1169):
  Files are not handled properly according to the profile rules:
  - If <Boot Volume>, <Local Volume> and <Network Shares> are configured as ignored devices at the same time, files may no longer be handled correctly according to the encryption rules, or a wrong encryption status is determined.
- Minifilter (LC-1293)
  - EFS is not supported. The EFS attribute can neither be set nor removed from files or folders, and access to EFS-encrypted files is denied.
  - NTFS compression is not supported; files will be decompressed automatically.
- Minifilter (LC-1156):
  Shared folders in VMware virtual machines are not supported properly:
  - Prevent plain files is not executed properly.
  - Encryption rules are not applied correctly.
  - Ignore rules are not applied correctly.
- Minifilter (LC-1217)
  - There is an incompatibility of the minifilter with the VirtualBox Shared Folders Redirector VBoxSF.sys. The minifilter leads to a BSOD with Oracle VirtualBox (tested with 5.238, 6.1.14).
- Minifilter (LC-1106):
  Encryption behaviour has changed when moving files:
  - Move an encrypted file from an unregulated to a regulated network directory: the file is stored encrypted.
  - Move an encrypted file from a regular network directory to another regular network directory: the file is dropped in an encoded file.
  - The behaviour is correct, but may differ from the description in the manual and from the legacy filter.
- Minifilter (LC-1000)
  The registry key
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LCENCM\Parameters]
  "NovellSupport"=dword:00000001
  used for a different timestamp handling compared to Windows file servers (e.g. for Isilon support) has been removed for the minifilter. Please use instead:
  [HKLM\SYSTEM\CurrentControlSet\Services\cplcisolate]
  "AlwaysWriteThroughOnMUP"=dword:00000001
- Minifilter and legacy filter (LC-802):
  Key visualization and handling in the recycle bin might differ from LAN Crypt version 3.97 and in particular be wrong (red key symbol visible although the key is accessible).
  - Deleted files might end up in the recycle bin with a red key, unlike in version 3.97
  - Restoring and deleting from the recycle bin works anyway.
- Support of placeholders in the legacy filter (LC-857)
  - The <Network>, <Bootvolume>, <Removable>, <Optical> and <Local> placeholders are decoded in the legacy filter and translated into the corresponding directory names or drive letters
- Minifilter missing functionality compared to the legacy filter
  - DefaultIgnoreRules and ServicesDefaultIgnoreRules are not yet supported (LC-1238)
- Ignored drives (LC-1060):
  The encryption status of legacy filter and minifilter is determined and visualized differently.
  - The minifilter correctly determines the encryption status of encrypted files on ignored shares as ENCRYPTED_IGNORED and displays the red key.
  - The legacy filter determines the encryption status of encrypted files on ignored shares as PLAIN_IGNORED and does not display an overlay key. The behaviour of the legacy filter is basically wrong (at least since SafeGuard LAN Crypt 3.95) but will not be corrected.
- Ignored device types (LC-1242)
  Ignored device types are not supported with the legacy filter
- Legacy filter
  - AES with the legacy filter installed may lead to a wrong encryption method being displayed when files are moved into a folder with a different AES rule. (LC-1177)
    If the legacy filter is operated with CBC and a file encrypted with a corresponding rule is moved (cut and pasted) to a folder with a different AES rule (XTS), the displayed encryption method remains CBC. Moving XTS-encrypted files to CBC-ruled folders displays the wrong initial method as well.
- LAN Crypt loads a certificate based on the provided PIN, not necessarily the newest p12 file (LC-120)
  - LAN Crypt searches a sorted list of the user's p12 files until it finds the first p12 file that can be accessed with the entered PIN. If not every p12 file has a different PIN, an older certificate can be loaded.
- Citrix Terminal Server:
  - Client drive redirection: Encryption of files on client drives mapped on a Citrix Terminal Server is not supported; these drives will be ignored by the LAN Crypt encryption filter driver.
  - Streamed applications: Citrix application streaming is not supported.
- Virus scanners:
  - Virus scanner services: Virus scanner services need to be explicitly authorized to access encrypted files in order to be able to find viruses inside them.
  - There is a changed behaviour regarding permissions as a security improvement:
    Long path names can be used. For convenience, short names are completed internally by searching some protected paths when program names are configured without path information. The client will search in the following directories:
    CSIDL_SYSTEM (typically C:\Windows\System32, non-recursive)
    CSIDL_WINDOWS (typically C:\Windows, non-recursive)
    CSIDL_PROGRAM_FILES (typically C:\Program Files, recursive)
    If an EXE file with the specified name is found, the full path will be added internally. Other paths are now untrusted for short file names. (LC-1218)
    When mixed environments (LAN Crypt 3.9x and 4.0) are administrated by LAN Crypt Administration 4.00.0, it is best practice to add the executable names of virus scanners in short form (executable name only) when the virus scanner is located in one of the referenced paths (note that Program Files on a 64-bit system includes the 64-bit path only). When the scanner executables are in other paths, the long path name including the executable and a second entry with the short name should be used: the long name for the version 4 clients and the short name for the version 3 clients.
  - We recommend on-access and background scanning tests
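The short-name completion described above, as an added example that is not conpal's code: it reproduces the lookup order from the notes (CSIDL_SYSTEM and CSIDL_WINDOWS non-recursive, CSIDL_PROGRAM_FILES recursive) on a constructed directory tree, so an administrator can see where a bare executable name would be completed to and that a same-named file outside those directories is ignored. The tie-break when a name occurs more than once and the treatment of names that already contain a path are assumptions.

```python
"""Model of the short-name completion for virus-scanner executables.

Constructed example. It follows the search order the release notes describe
and is not conpal's implementation; the first-hit-in-sorted-order tie-break
and the handling of names that already carry a path are assumptions.
"""
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def trusted_dirs(system_dir: str, windows_dir: str, program_files_dir: str) -> List[Tuple[Path, bool]]:
    """Search locations in the order the notes list them; the bool means 'recursive'.
    Only one Program Files path is searched (on 64-bit systems the notes say this
    is the 64-bit path only)."""
    return [
        (Path(system_dir), False),         # CSIDL_SYSTEM, e.g. C:\Windows\System32
        (Path(windows_dir), False),        # CSIDL_WINDOWS, e.g. C:\Windows
        (Path(program_files_dir), True),   # CSIDL_PROGRAM_FILES, e.g. C:\Program Files
    ]


def resolve_short_name(name: str, system_dir: str, windows_dir: str, program_files_dir: str) -> Optional[str]:
    """Complete a bare executable name to a full path, or return None.

    A name that already carries path information is a 'long name' and is used
    as given (assumption: it is not searched for). A bare name is only
    completed if a file of that name exists in one of the trusted directories;
    any other location (user profile, downloads, temp) is untrusted.
    """
    if any(sep in name for sep in ("\\", "/", ":")):
        return name
    wanted = name.lower()                  # Windows file names are case-insensitive
    for directory, recursive in trusted_dirs(system_dir, windows_dir, program_files_dir):
        if not directory.is_dir():
            continue
        entries = directory.rglob("*") if recursive else directory.iterdir()
        hits = sorted(p for p in entries if p.is_file() and p.name.lower() == wanted)
        if hits:
            return str(hits[0])            # assumption: first hit in sorted order wins
    return None


def demo() -> dict:
    """Build a constructed directory layout and show how names are completed.
    Returns paths relative to the temporary root (POSIX style) or None."""
    root = Path(tempfile.mkdtemp(prefix="lc_shortname_"))
    system = root / "Windows" / "System32"
    windows = root / "Windows"
    progfiles = root / "Program Files"
    untrusted = root / "Users" / "Public" / "Downloads"
    for d in (system / "drivers", progfiles / "ExampleAV" / "bin", untrusted):
        d.mkdir(parents=True)
    (system / "MsMpEng.exe").touch()                           # name taken from the scanner table
    (system / "drivers" / "nested.exe").touch()                # below System32: not found (non-recursive)
    (progfiles / "ExampleAV" / "bin" / "avscan.exe").touch()   # constructed vendor path
    (untrusted / "avscan.exe").touch()                         # same name in an untrusted location
    (untrusted / "planted.exe").touch()                        # exists only outside the trusted paths

    def lookup(name: str) -> Optional[str]:
        hit = resolve_short_name(name, str(system), str(windows), str(progfiles))
        return None if hit is None else Path(hit).relative_to(root).as_posix()

    results = {
        "MsMpEng.exe": lookup("MsMpEng.exe"),              # Windows/System32/MsMpEng.exe
        "avscan.exe": lookup("avscan.exe"),                # Program Files/ExampleAV/bin/avscan.exe
        "nested.exe": lookup("nested.exe"),                # None: System32 is not searched recursively
        "planted.exe": lookup("planted.exe"),              # None: only present in an untrusted path
        "long name": lookup(str(untrusted / "planted.exe")),  # used as given, not completed
    }
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:12} -> {path}")
```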
  - LAN Crypt tools:
    The LAN Crypt executables DriveNotifier.exe, lchelper.exe, lcinit.exe, lcsdel.exe, lcstatus.exe, lcuser.exe, loadprof.exe, SGFEApi.exe and lcservn.exe should be trusted by the antivirus software.
  - Minifilter:
    A new random number generator was implemented (LC-881, LC-882). This may have some effect on runtimes when encrypting while the virus scanner is running.
  - Tested virus scanners (among others):
    The following virus scanners have been tested with the LAN Crypt Client:
    Virus Scanner | Executable | Authenticode
    Avast 20.6.2420 (Build 20.6.2420.5495.561) | AvastSVC.exe | Yes
    TotalAV (5.8.7) | SecurityService.exe | No
    Norton Security (22.17.3.50) | NortonSecurity.exe; nsWscSvc.exe | No
    BullGuard (20.0.0.381) | BullGuardCore.exe; BullGuardScanner.exe; BullGuardFileScanner.exe | No
    Microsoft Defender | msseces.exe; MsMpEng.exe, or without configuration |
    FSecure v17.8 | fsulprothoster.exe, fshoster64.exe, fshoster32.exe, fsorsp64.exe | No
    Kaspersky Antivirus 20.0.14.1085 | avp.exe; avpui.exe | Yes; Yes
    TrendMicro 16.0.1151 | |
    Eset NOD32 Antivirus | ekrn.exe, egui.exe, eguiProxy.exe | No
    McAfee Total Protection 16.0 R25 | Mcshield.exe; mfeavfk.sys | Yes; Yes
    Symantec Endpoint Protection 14.2 | ccSvcHst.exe |
  - Configuration of other virus scanners tested with earlier versions (not tested with this release):
    Virus Scanner | Executable | Authenticode
    Sophos Endpoint Security and Control, Version 10.8.4 | SavService.exe | Yes
    McAfee Security Center v16.0, McAfee SC 17.8 | Mcshield.exe; mfeavfk.sys | Yes; Yes
    Symantec Endpoint Protection 14.2 | ccSvcHst.exe; srtsp.sys | Yes; No
    Trend Micro Antivirus+ 15.0.1163 | coreServiceShell.exe | Yes
    Microsoft Security Essentials 4.8.1904.1 | msseces.exe; MsMpEng.exe | Yes; Yes
    FSecure v17.6 | Fshoster32.exe; Fshoster64.exe | Yes; Yes
    Kaspersky v19.0.0.1088(b) | avp.exe; avpui.exe | Yes; Yes
    Sophos Endpoint Security and Control, Version 11.3.1 Cloud | SavService.exe | Yes
    Symantec Endpoint Protection 11.0.6 MP1 | rtvscan.exe | Yes
    McAfee Endpoint Security 10.2 | Mcshield.exe; mfeavfk.sys | Yes; Yes
    Microsoft Forefront client | msseces.exe; MsMpEng.exe | Yes; Yes
  - Known issues:
    - There might be an issue with the LAN Crypt PreventPlainFiles functionality with some virus scanners when the legacy filter is used. This behaviour is the same in conpal LAN Crypt 3.97, SafeGuard LAN Crypt 3.95 and probably earlier versions (LC-1237).
    - FSecure SAFE 17.8: viruses are detected and deleted during scanning; zipped files are detected and deleted when opened
    - There is an issue with Sophos Anti-Virus that may cause encrypted files to be locked (either only for write or for read and write access). This is caused by a timing issue in Sophos Anti-Virus if the on-access scanning level is set to 'intensive'.
    - There is an issue with Sophos Anti-Virus that may lead to damaged Microsoft Office documents when saving them in a folder that is made available offline ("OfflineFolder"). To avoid this issue, configure the Sophos Anti-Virus on-access scanner to exclude the folder "C:\Windows\CSC".
    - After receiving a new virus scanner executable via the policy file, the client has to be rebooted.
    - If antivirus software and LAN Crypt are installed on Windows, it may happen that the LAN Crypt profile cannot be loaded. As a workaround, the folder for the policy file cache (default "%LOCALAPPDATA%\conpal\LAN Crypt\Local Policy Cache") must be excluded from the virus scan. Alternatively, registering the LAN Crypt processes as trustworthy with the antivirus software might solve the problem.
- DFS:
  - Domain-based DFS:
    In a domain-based DFS, you can access the DFS either via the server name or via the domain name. The encryption rules must always be created in the same way as the DFS is accessed: if the DFS is accessed via the server name, the encryption rule must be based on the server name; if it is accessed via the domain name, the rule must be based on the domain name. If you want to access the DFS both ways, you must define two encryption rules, one with the domain name and one with the server name.
    Example:
    Y: is mapped to \\DOMAIN\DFSROOT
    Encryption rule: Y:\*.* or \\DOMAIN\DFSROOT\*.*
    Z: is mapped to \\SERVER.DOMAIN\DFSROOT
    Encryption rule: Z:\*.* or \\SERVER\DFSROOT\*.*
  - Nested DFS links:
    Nested DFS links (DFS links to other DFS links or DFS roots) can be used, but encryption rules must not include a physical path to the DFS link, and there are some known problems in combination with persistent encryption. When copying an encrypted file to a plain folder it may become decrypted. When moving encrypted files to an ignored/excluded folder they may stay encrypted.
  - Rules using IP address:
    It is not possible to use rules for DFS that contain the IP address of the server hosting the DFS share.
  - DFS and persistent encryption:
    When copying encrypted files to ignored or excluded folders on DFS drives, they may not be stored decrypted.
  - Viewing folders in Windows Explorer:
    Viewing folders on a DFS share may cause problems: either the display takes very long or the folder selection jumps to the root folder after a while. In this case the following registry value can be set:
    [HKEY_LOCAL_MACHINE\Software\Policies\Utimaco\SGLANCrypt\LCShellx]
    IgnoreBuildInOverlayIcons=dword:00000001
    A reboot is necessary to activate the change. Afterwards the Windows overlay icons for shared folders and links are not displayed if a LAN Crypt overlay icon is displayed.
- Network Attached Storage (NAS) devices:
  In general, LAN Crypt will operate with network shares hosted on NAS devices. If the use of a NAS device is planned, conpal recommends intensive tests before using LAN Crypt in a productive environment. However, due to the various SAMBA implementations and versions, not every NAS device will behave like a Windows Server. Protocol variations are possible, and therefore a few special cases might not work properly in combination with LAN Crypt; for example, a user's "My Documents" folder might not be encrypted on a file share. Therefore, conpal does not guarantee that encrypted file shares on NAS devices will work under every condition and only provides limited support when issues arise.
- Volume mount points:
  LAN Crypt does not support volume mount points. (An encryption rule for a directory that is a volume mount point will not work.) The same is true for virtual drives created with the SUBST.exe command.
- EFS encryption and NTFS compression:
  LAN Crypt encrypted files cannot be (additionally) EFS encrypted or NTFS compressed. It is possible to EFS-decrypt (provided the EFS key is available) and/or NTFS-decompress files during initial encryption.
- NTFS rights:
  While Windows is able to create new files or copy files into a folder where the following NTFS rights are granted to a user:
  - Traverse Folder / Execute File
  - List Folder / Read Data
  - Read Attributes
  - Read Extended Attributes
  - Create Files / Write Data
  - Read Permissions
  the following additional rights have to be granted if there is an encryption rule on the folder:
  - Create Folders / Append Data
  - Write Attributes
  - Write Extended Attributes
- Backup programs:
  Backup programs should be configured as unhandled applications. If you do this, the files will retain their encryption state after a restore. The Windows backup applications should be treated as unhandled applications automatically. The backup target files themselves must not be encrypted, because the backup application does not decrypt the backup files and therefore could not restore them. Because the files included in the backup are already encrypted, it is not necessary to encrypt the backup target files themselves.
- Configuration data:
  Because the client reads the configuration data from the registry during the boot and login process, you may need to reboot the PC for changes to this data to take effect. In some cases two reboots are necessary.
- SafeGuard Enterprise:
  - There is no tested compatibility with SafeGuard products.
  - It is likely that newer SafeGuard products like Central are interoperable.
  - Piloting is essential; there are no guarantees for compatibility.
- SafeGuard PrivateDisk:
  LAN Crypt cannot be used to encrypt SafeGuard PrivateDisk volume files (*.vol).
- <Opticals>:
  - The Opticals rule works for the minifilter only.
  - The Opticals rule leads to errors with the legacy filter; e.g. when using UDF-formatted DVD+RW media with the LAN Crypt legacy filter installed, massive problems occur after a few accesses. (LC-1138)
- CD burning with the legacy filter or tools:
  - Burning encrypted CDs with the built-in Windows Explorer mechanism:
    To create a CD with LAN Crypt encrypted files, use a separate burning application that you must add to the list of unhandled applications. All encrypted files remain encrypted if you then burn them onto a CD. As the Windows native burning tool is implemented as an Explorer extension, you cannot use it for creating encrypted CDs (you would have to specify Explorer as an unhandled application, which has a huge number of unwanted side effects).
  - Known problem with Nero InCD:
    There is an issue with Nero InCD and Office 2003 together with LAN Crypt when encryption rules are set for the CD drive. If an Office 2003 file is stored on the CD, a BSOD may occur while processing the file (e.g. open, save).
- Certificates:
  User and administrator certificates must be located in the current user's certificate store. Certificates located in the local computer's certificate store cannot be used for LAN Crypt.
- Folder overlay icons:
  Overlay icons for folder icons in the left-hand tree view are sometimes missing.
- No key column in Explorer:
  It is not possible to add a column in Explorer that shows key names or GUIDs for encrypted files.
- Offline files:
  On some machines it may happen that some encrypted offline files are not accessible in offline mode. To avoid this problem, disable indexing of offline files.
- UAC dialog on inaccessible encrypted files:
  If an encrypted file is renamed or deleted and the corresponding key is not available in the LAN Crypt profile, a User Account Control dialog is shown because the file is not accessible. Providing administrator credentials does not allow the file operation in this case, because even as administrator the file cannot be modified, as the proper key is not available.
- Manual/Helpfile:
  - Client help is provided by default via https://docs.lancrypt.com/de/client/lc_400_hdeu.pdf, https://docs.lancrypt.com/en/client/lc_400_heng.pdf or https://docs.lancrypt.com/fr/client/lc_400_hfra.pdf, depending on the language. The first part of the URL (domain name) can be specified, in strictly internally operated environments, in the registry under "HKLM\SOFTWARE\Policies\conpal\LAN Crypt\HelpURL".
- Offline folders:
  If Windows Offline Folders are used, it may happen that not all files get synchronized if LAN Crypt is installed. Subsequent synchronization requests should complete the synchronization. If the default location of the offline folder cache (usually C:\Windows\CSC) is changed, an ignore rule should be set on this folder (e.g. D:\CSC).
- Known problem with crypto.sys:
  The driver crypto.sys is shipped with different products, like SafeNet Netscreen Remote, SafeNet VPN and others. There is a known problem with this driver that can lead to a BSOD.
- Multiple smartcard PIN entries:
  When LAN Crypt is used together with certain smartcard middlewares, e.g. Nexus Personal Edition 4.0.1, it may happen that the user has to enter the smartcard PIN multiple times.
- Compatibility issues with Microsoft SharePoint:
  Downloading documents from a SharePoint server may fail if there is an encryption rule set on the folder containing the temporary internet files.
- Restricted support of short path names:
  The following restrictions exist in relation to short path names:
  - The path used in the encryption rule must exist at profile load time (except paths on shares)
  - The path used in the encryption rule must not be renamed after the profile was loaded; otherwise the short path name may no longer work for this path
  - The short path name is only handled for absolute path rules (relative path rules are only considered in the form they were entered during profile creation)
- Encrypted applications on network shares:
  If an executable file that is stored encrypted on a network share is started, it may happen that the file remains in use even if the application is no longer running. To replace such files, first rename the existing executable file and then copy the new file.
- User elevation for encrypted executables:
  If an encrypted executable or installation package is started and requires user elevation, it may happen that the elevation does not take place and the executable is not started.
- Profile expiration:
  If the folder where the LAN Crypt user profiles are stored is made available for offline access, profile expiration will not work if no network connection is available.
- Deletion of files using psexec.exe:
  LAN Crypt prevents the deletion of encrypted files when the user is not in possession of the proper key. However, if psexec.exe is used to connect to a machine where LAN Crypt is installed, it is possible to delete encrypted files without having the proper key. Opening encrypted files is not possible in this way.
- Encryption rules on %USERPROFILE%\AppData\Roaming:
  Setting encryption rules on %USERPROFILE%\AppData\Roaming may result in several error situations, as some of these files (e.g. the desktop background image) are already accessed by Windows at a very early logon stage where the LAN Crypt profile is not yet loaded. In general, it is not recommended to encrypt files in this folder. Encryption will only work for files that are accessed after the LAN Crypt profile has been loaded.
- Multiple rules for the same target:
  If more than one rule is defined for the same target path (e.g. rule 1 for x:\*.*, rule 2 for y:\*.*, where x: and y: are both mapped to the same share), only the first matching rule according to the current rule sort order is applied.
- Missing overlay icons:
  The number of different overlay icons is limited by Windows, so if another application that also uses overlay icons is installed (e.g. the SharePoint extension in Microsoft Office and OneDrive), the LAN Crypt overlay icons may disappear. Please see the following knowledgebase article on how to enable the overlay icons again: http://www.sophos.com/en-us/support/knowledgebase/108784.aspx
- When a shortcut to a web page is right-clicked, no LAN Crypt entry is visible in the Explorer context menu.
- Rules using IP addresses (v4/v6) will only match if the network share was mapped using the IP address. No DNS resolution is done in the filter driver, so when the very same network share is mapped using the server name, the rule will not match.
- Verification of the encryption status using the Initial Encryption Wizard:
  - Encrypted files for which the user has no key are counted as "failed to open" instead of "already encrypted".
  - Files encrypted with an algorithm that is not the currently configured one (e.g. encrypted with XTS-AES while CBC is configured) are reported as "Encrypted with another key" instead of "Encrypted with another algorithm".
- Encryption of VHD (Virtual Hard Disk) and WIM (Windows Imaging Format) files is not supported.
- Paths longer than 259 characters are not supported.
- Legacy filter and minifilter might behave differently in the visualization of the encryption status, in behaviour and in features.
- API
  - If a key KEY_NAME_WITH_SPECIAL_CHAR = "key!§$%&()=}][{@üäö" in a group GROUP_NAME_WITH_SPECIAL_CHAR = "group!§$%&()=}][{@üäö" is assigned by calling the API, group and key are created without errors, but the assignment does not take place.
  - lcapi.WriteKey(GROUP_NAME_WITH_SPECIAL_CHARS, KEY_NAME_WITH_SPECIAL_CHAR, 3, 1, isSpecific, "", COMMENT, strKeyShortName) (LC-541)
- The rebranding of Sophos SafeGuard to conpal is comprehensive but may inadvertently be incomplete.