u.trust LAN Crypt 13.0.2 Client release notes
u.trust LAN Crypt 13.0.2 is a maintenance/service release; no new features are included.
This version can upgrade from V13.0.0, V13.0.1, V11.0.0, V11.0.1, V11.0.2 or the respective patched versions.
NOTE: When upgrading from versions prior to V13.0.1/V11.0.2, be aware that releases V13.0.1 and V11.0.2 implement compatibility with Microsoft’s security update CVE-2024-30098, with which Microsoft blocks CSP-based key operation for Smart Card MFA. Some features are not compatible with native CSP-based key operation (see V13.0.1/V11.0.2 release notes for details).
See manual for further description of the upgrade process.
It is strongly recommended that V13.0.1 clients are upgraded to V13.0.2.
We've released V13.0.2 with important improvements to enhance your data protection and system stability. Key benefits of updating:
· Several improvements in stability, resilience and performance
· LAN Crypt2Go and LAN Crypt2Go Reader for Windows are included in the LAN Crypt license (https://help.lancrypt.com/docs/2Go/menu/)
· For the LAN Crypt non-VS-NfD release, LAN Crypt2Go for Mac and LAN Crypt2Go for Linux can additionally be obtained via support
A dedicated version for government customers to operate VS-NfD data is available.
Quick Update Recommendation
We suggest updating to
· Safeguard your data
· Experience the latest system enhancements
· Maintain optimal software reliability
Simple Next Steps
· Download V13.0.2
· Install the update
· Potentially update your Smart Card middleware
· Enjoy improved system security
Older release notes for LAN Crypt remain valid unless stated otherwise.
The EULA is available in English and German only. The English version is valid for all non-German speaking countries.
The current versions can be obtained from:
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Supported Windows 64-bit operating system platforms |
| Pro/Enterprise versions of Windows 10 Enterprise LTSC 2021 |
| Pro/Enterprise versions of Windows 11 23H2, 24H2, 24H2 LTSC, 25H2 |
| Windows Server 2022, 2025 |
| Supported Citrix Environments |
| Citrix Virtual Apps and Desktops 2402 LTSR on WS 2022 21H2 |
If a LAN Crypt Client (LCC) is to be used in combination with LAN Crypt Admin (LCA) on the same machine, a LAN Crypt Client of the same version is required. (LC-1546)
Mixed operation of old and new versions of LCA on the same database is not supported. (LC-3152)
Bugfixes in LAN Crypt Client release 13.0.2
- Bugfix PreventPlainFiles: no subdirectory access and no overlay icons (LC-5532)
- Removed executable non-paged pool allocations (LC-5534)
- Fixed the possibility to encrypt files without write permissions (LC-5512)
- Fix including code cleanup for LCUser window positions (LC-5504)
- The missing "SGEApie.exe=1" entry in some "API_ACLS" registry settings has been added in order to fix the ClearProfile() behavior. (LC-5510)
- Bugfix PreventPlainFiles: rules violation by users without profile (LC-5493)
- Fixed thin race condition in minifilter (LC-5488)
- Implemented workaround for Windows AppModel Runtime renames (LC-5490)
- Fixed mutex's constructor to be constexpr. #3824 #4000 #4339 (LC-5440)
- Fixed the networkfilter state machine to correctly handle detach operations (LC-5481)
- Fixed issue with inconsistent product codes in multi-language setup (LC-5385)
- Fixed inconsistency in DirSizeCorrection on DFS shares without DNSRulesCreation mode for DFS (LC-5333)
- Installation on unsupported Windows versions is blocked. The Windows version needs to support the external function used for the v13.x RNG (LC-5357)
- Fixed BSOD when renaming files on a network share with OptimizeNetworkCachingMode = 0 (LC-5322)
- For file copy operations, MSFT internally sends the IOCTL_LMR_DISABLE_LOCAL_BUFFERING. LAN Crypt now reacts to this IOCTL by flushing the internal file system cache so that the respective write operations go directly to the network (LC-5351)
- MUP_FILE_SYSTEM BSOD Fix (LC-5341)
- Fixed: running "Encrypt according to profile" on folders with already encrypted files that need to be recrypted could lead to doubly encrypted files, especially on the network. (LC-5254)
New and known issues in LAN Crypt Client release 13.0.2
- The event log shows a misleading, harmless error message after LAN Crypt installation. This error message should be ignored by the user. (LC-4106)
- Rare BSOD when trying to copy a file from an encrypted directory to a local directory (LC-5548)
Manuals, documentation and support
Tickets opened in the old support portal at https://support.conpal.de will be redirected to the new Utimaco support portal (https://support.hsm.utimaco.com/support). Registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
Read or download the client product documentation at
https://help.lancrypt.com/docs/windows/13_0_2/de/ in German language, at
https://help.lancrypt.com/docs/windows/13_0_2/en/ in English language and at
https://help.lancrypt.com/docs/windows/13_0_2/fr/ in French language.
API documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
https://help.lancrypt.com/docs/api/admin/net/index.html
u.trust LAN Crypt 13.0.1 Client release notes
u.trust LAN Crypt 13.0.1 is a feature release with a strong focus on maintaining compatibility with Microsoft’s security update CVE-2024-30098, with which Microsoft blocks CSP-based key operation for Smart Card MFA. It is strongly recommended that V13.0.0, V11.0.0 and V11.0.1 clients are upgraded to V13.0.1 when using Smart Cards as MFA. With previous versions of LAN Crypt, Smart Card authentication is no longer possible after the MSFT security update CVE-2024-30098 (caution: this is an external link; Utimaco is not responsible for its content) is rolled out. An update of your Smart Card middleware may be needed in order to support KSP-based key operations. Please contact your Smart Card middleware provider. LAN Crypt 13.0.1 has been successfully tested with the following Smart Card middleware:
· CardOS API 5.5.10
· CryptoVision 8.3.4
· Charismathics 6.1.9
· Nexus Personal 5.17.2
UPDATE 2026-02-10: The DisableCapiOverrideForRSA registry key removal date has been updated by MSFT from April 2026 to February 9th, 2027.
This version can upgrade from V13.0.0, V11.0.0 or V11.0.1 or the respective patched versions. See manual for further description of the upgrade process.
Some features of this version are not compatible with native CSP-based key operation.
We've released V13.0.1 with important improvements to enhance your data protection and system stability. Key benefits of updating:
· Support for KSP (Key Storage Provider) key operations
· Several improvements in stability, resilience and performance
· LAN Crypt2Go and LAN Crypt2Go Reader for Windows are included in the LAN Crypt license (https://help.lancrypt.com/docs/2Go/menu/)
· For the LAN Crypt non-VS-NfD release, LAN Crypt2Go for Mac and LAN Crypt2Go for Linux can additionally be obtained via support.
A dedicated version for government customers to operate VS-NfD data is available.
Quick Update Recommendation
We suggest updating to
· Safeguard your data
· Experience the latest system enhancements
· Maintain optimal software reliability
Simple Next Steps
· Download V13.0.1
· Install the update
· Potentially update your Smart Card middleware
· Enjoy improved system security
Older release notes for LAN Crypt remain valid unless stated otherwise.
The EULA is available in English and German only. The English version is valid for all non-German speaking countries.
The current versions can be obtained from:
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Supported Windows 64-bit operating system platforms |
| Pro/Enterprise versions of Windows 10 Enterprise LTSC 2021 |
| Pro/Enterprise versions of Windows 11 23H2, 24H2, 24H2 LTSC, 25H2 |
| Windows Server 2022, 2025 |
| Supported Citrix Environments |
| Citrix Virtual Apps and Desktops 2402 LTSR on WS 2022 21H2 |
| Supported Database Servers |
| MS SQL 2022, 2025 |
| Oracle 19 |
If a LAN Crypt Client (LCC) is to be used in combination with LAN Crypt Admin (LCA) on the same machine, a LAN Crypt Client of the same version is required. (LC-1546)
Mixed operation of old and new versions of LCA on the same database is not supported. (LC-3152)
New functionalities and changes in LAN Crypt Client release 13.0.1
- Replaced deprecated CryptoAPI with CNG for asymmetric cryptography (LC-4974)
- LCC: InfoCache: architectural improvements (LC-5007)
- Registry key cleanup (LC-4971)
- Extended CryptoVerification to CNG (LC-5044)
- LCC no longer imports Smart Card certificates on terminal server (LC-5063)
- Fixed INF file issue to comply with current MSFT driver signing conventions (LC-5011)
Bugfixes in LAN Crypt Client release 13.0.1
- A bug that caused memory corruption when opening network files with ADS has been fixed. When opening network files with ADS (Alternate Data Streams, such as "Zone.Identifier"), one of our text formatting functions wrote two zero bytes to a random memory address, which caused later crashes in third-party drivers (such as SophosED.sys) (LC-5110)
- Fixed performance bug when handling encrypted SMB (LC-4969)
- Shell extension message box text "Unknown Error Nr. 1B(hex)" replaced by a meaningful error message (LC-5055)
- LoadProf profile cache "Cache Expiration" and LoadProf "Update Interval" were not working in v13.0.0 and have been restored to a functional state (LC-5061)
- Bugfix for BSOD when activating tracing (LC-4983)
- In the minifilter, a Windows Update file operation was wrongly denied due to an overzealous access protection mechanism for encrypted files. Specifically, rename operations onto existing target files incorrectly triggered the access protection on the existing target file due to faulty error handling (LC-4968, LC-4923)
- Bugfix for rare BSOD caused by a null pointer in the minifilter (LC-4869)
New and known issues in LAN Crypt Client release 13.0.1
- Performance issues when moving many files and folders with LAN Crypt – the PC freezes. The applied fix might be perceived as incomplete, however, as the operations work asynchronously and no resource management has yet been made available. This has been requested as a feature for a future version. (LC-3678)
- Files encrypted with the new CBC-uIV format cannot be decrypted by v11 clients (and older). This incompatibility cannot be fixed.
- CheckDatabase cannot check some tables when the name of the database contains a period. This will be fixed in the next version. (LC-4851)
- Running "Encrypt according to profile" on folders with already encrypted files that need to be recrypted can lead to doubly encrypted files, especially on the network (LC-4980)
- Windows Server 2019: Installation of LAN Crypt Client v13.0.x will lead to Windows-Recovery (LC-5171)
- For some smart card related trace messages the severity is set too high; Charismathics Middleware: SmartcardPin cache deletion not working, smart card pin dialog does not pop up (LC-5102)
- Right click | encrypt according to profile is slow for a large number of files that have not been correctly encrypted before (LC-5132)
- Slow execution of lcinit (LC-5030)
Manuals, documentation and support
Tickets opened in the old support portal at https://support.conpal.de will be redirected to the new Utimaco support portal (https://support.hsm.utimaco.com/support). Registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
Japanese versions must be obtained from our partner Next Security https://next-security.jp
Read or download the client product documentation at
https://help.lancrypt.com/docs/windows/13_0_1/de/ in German language, at
https://help.lancrypt.com/docs/windows/13_0_1/en/ in English language and at
https://help.lancrypt.com/docs/windows/13_0_1/fr/ in French language.
API documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
https://help.lancrypt.com/docs/api/admin/net/index.html
u.trust LAN Crypt 13.0.0 Client release notes
u.trust LAN Crypt 13.0.0 is a feature release with a strong focus on improving security. Some features break compatibility with prior versions.
This version can upgrade from V11.0.0 or V11.0.1 or the respective patched versions.
Some features of this version are not compatible with previous LAN Crypt product versions or their database schema.
We've released V13.0.0 with important improvements to enhance your data protection and system stability. Key benefits of updating:
· Default “SuperRandom” Random Number Generator
· New symmetric encryption algorithm, default for new users (not compatible with LAN Crypt V11 and previous versions)
· Cryptographic self-tests
· Modernized cryptographic database protection
· Transparent and fast upgrade procedures
· Several improvements in stability and resilience
· LAN Crypt2Go and LAN Crypt2Go Reader for Windows are included in the LAN Crypt license (https://help.lancrypt.com/docs/2Go/menu/).
· The non-VS-NfD release of LAN Crypt now also contains LAN Crypt2Go for Mac and Linux.
A dedicated version for government customers to operate VS-NfD data is available.
Quick Update Recommendation
We suggest updating to
· Safeguard your data
· Experience the latest system enhancements
· Maintain optimal software reliability
Simple Next Steps
· Download V13.0.0
· Install the update
· Migrate your database to the new structure
· Enjoy improved system security
Older release notes for LAN Crypt remain valid unless stated otherwise.
The EULA is available in English and German only. The English version is valid for all non-German speaking countries.
The current versions can be obtained from:
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Supported Windows 64-bit operating system platforms |
| Pro/Enterprise versions of Windows 10 22H2 (VS-NfD version only), Enterprise LTSC 2021 |
| Pro/Enterprise versions of Windows 11 22H2 (VS-NfD version only), 23H2, 24H2, 24H2 LTSC |
| Windows Server 2022, 2025 |
| Supported Citrix Environments |
| Citrix Virtual Apps and Desktops 2402 LTSR on WS 2022 21H2 |
New functionalities and changes in LAN Crypt Client release 13.0.0
- Support has been added for the new CBC-uIV encryption mode, which is incompatible with v4 and v11 clients. This algorithm is the default setting for new installations. (LC-3827, LC-4446, LC-4456)
- C++ runtime has been updated. (LC-4503)
- 3rd party components updated. (LC-4749, LC-4472)
- Improved detection of LAN Crypt encrypted files for future versions (LC-4648)
- You can now use the new error codes in LoadProf error messages to extend them with your own custom messages. These messages are maintained and distributed via the registry. See manual for further description. (LC-4525)
- “SuperRandom” added as default RNG. (LC-4397)
- Self-check of RNG added. (LC-4400)
- Added supervisor functions for the RNG. (LC-4340)
- Implemented health checks for RNG functionality. (LC-4407)
- Added verification of the crypto algorithms at program start-up. (LC-4614)
- Added BoxDrive executable to “IgnoredCloudSyncApps”. (LC-4368)
- DNS rules generator moved to a separate thread for better profile loading performance. (LC-3894)
- Some additional AV configuration checks have been implemented. (LC-4513)
- Debugger protection functionality has been reactivated. (LC-4020)
- Protected processes can now be configured via the registry. (LC-4319)
- LoadProf.exe now has its own exit codes, which are error codes returned when the program is called from the command line. A knowledge base article will be available with further information. (LC-4123)
- Support for keys that can be created by and stored in a self-hosted key store like Utimaco’s ESKM. This only affects the Cloud Client. (LC-4336)
- For standardisation purposes, the default policy file cache path for the cloud variant has been changed from 'LAN Crypt' to 'u.trust LAN Crypt'. This only affects the Cloud Client. (LC-4373)
- For diagnostic purposes, we provide (via Support) a set of scripts orchestrated by a central script named the 'Log Collector Utility'. This should be made available to clients where diagnostic data needs to be collected. (LC-3165)
Bugfixes in LAN Crypt Client release 13.0.0
- The wrong file state was displayed for Unhandled Drives and Devices. This bug has been fixed. (LC-4538)
- Fixed memory leak in minifilter. (LC-4184)
- Microsoft MsSense performed an OpLock operation on a disk volume. In certain situations, LAN Crypt did not react properly to such a request, which eventually resulted in a BSOD. Microsoft has fixed this malfunction; we have added additional checks to detect and prevent such behavior for better resilience of the file system interface. (LC-4605)
- Performance issues when moving many files and folders with LAN Crypt – the PC freezes. The applied fix might be perceived as incomplete, however, as the operations work asynchronously and no resource management has yet been made available. This has been requested as a feature for a future version. (LC-3678)
- The performance issue in the network driver that affected the initial encryption, among other things, has been resolved. (LC-4254)
- A bug has been fixed in the SGFEApi tool when trying to explicitly encrypt a file covered by an encryption rule with a key whose name is longer than 16 characters. (LC-4253)
- If file names are identical, encrypted files with the red key icon could be overwritten by plain text files. This bug has been fixed. (LC-4172)
- Fixed a data corruption issue that occurred when recrypting files smaller than 4 KB on a DFS share using the same algorithm and cipher mode. (LC-4596)
- Bug when saving certain CAD files fixed. (LC-4586)
- Fixed: Outlook freezing with Citrix VDI. (LC-4295)
- Fixed the BSOD occurring with ignored FAT drives. (LC-4248)
- Fixed a bug that caused sporadic BSODs when accessing files on network shares concurrently. (LC-4481)
- The sporadic BSOD when deleting or renaming files on a Windows share has been fixed. (LC-4591)
- Fixed BSOD when Verifier was used with Ignored Devices. (LC-4585)
- A bug that could lead to BSODs in very rare cases when renaming an encrypted file has been fixed. (LC-4805)
- The crash of LoadProf after checking a revoked certificate has been fixed. (LC-4518)
- If the 'Policy file cache directory’ for the client was configured with an invalid path via a GPO, an error occurred when the client loaded the profile. This behavior has been made more resilient. (LC-4812, LC-4817)
- The issue of the 'Insufficient system resources' message appearing sporadically when opening files while the profile is not loaded has been fixed. (LC-4522)
- During the initial encryption process, clicking in the list box will no longer activate the 'Retry' button, as this previously caused an error. (LC-4265)
- When you exit the LCUser application, any open dialogue boxes are closed properly to prevent the program from crashing unexpectedly. (LC-4136)
- The result message for an unavailable key in LCInit has been improved from “key n.a.” to “encrypted with an unavailable key". (LC-3968)
- Cache issues that occurred when renaming files in combination with antivirus apps have been fixed. These errors may have occurred when saving Office files. (LC-4815)
New and known issues in LAN Crypt Client release 13.0.0
- A rare BSOD caused by a null pointer in the minifilter has been fixed in v11.0.x Patch1, but the fix is unfortunately not part of this v13.0.0 release. The fix will be added (again) in the next version. (LC-4560, LC-4869)
- Performance issues when moving many files and folders with LAN Crypt – the PC freezes. The applied fix might be perceived as incomplete, however, as the operations work asynchronously and no resource management has yet been made available. This has been requested as a feature for a future version. (LC-3678)
- The 3rd party inventory “3rd_party_software.pdf” is present and up to date in the LCA and LCC deployment folders. The “3rd_party_software.pdf” installed with the LC product is unfortunately an older version. (LC-4828)
- Files encrypted with the new CBC-uIV format cannot be decrypted by v11 clients (and older). This incompatibility cannot be fixed.
Manuals, documentation and support
Tickets opened in the old support portal at https://support.conpal.de will be redirected to the new Utimaco support portal (https://support.hsm.utimaco.com/support). Registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
Japanese versions must be obtained from our partner Next Security https://next-security.jp
Read or download the client product documentation at
https://help.lancrypt.com/docs/windows/13_0_0/de/ in German language, at
https://help.lancrypt.com/docs/windows/13_0_0/en/ in English language and at
https://help.lancrypt.com/docs/windows/13_0_0/fr/ in French language.
API documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
https://help.lancrypt.com/docs/api/admin/net/index.html
u.trust LAN Crypt 11.0.1 Client release notes
u.trust LAN Crypt 11.0.1 is a maintenance/service release; no new features are included.
This version can upgrade from V11.0.0 or V4.2.1.
It is strongly recommended that V11.0.0 clients are upgraded to V11.0.1.
We've released V11.0.1 with important improvements to enhance your data protection and system stability. Key benefits of updating:
· Prevents potential data risks
· Ensures smoother system performance
· Protects your valuable information
Quick Update Recommendation
We suggest updating to V11.0.1 to:
· Safeguard your data
· Experience the latest system enhancements
· Maintain optimal software reliability
Simple Next Steps
· Install the update
· Enjoy improved system security
Please also refer to the u.trust LAN Crypt 11.0.0 part of the release notes.
Older release notes for LAN Crypt remain valid unless stated otherwise.
u.trust LAN Crypt 11.0.1 comes with several bugfixes.
The EULA is available in English and German only. The English version is valid for all non-German speaking countries.
The current versions can be obtained from:
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Supported Windows 64-bit operating system platforms |
| Pro/Enterprise versions of Windows 10 21H2 (LTSC), 22H2 |
| Pro/Enterprise versions of Windows 11 22H2, 23H2, 24H2, 24H2 LTSC |
| Windows Server 2022, 2025 |
| Supported Citrix Environments |
| Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019 |
Changes in LAN Crypt Client release 11.0.1
- C++ runtime has been updated (LC-4505).
- 3rd party components updated
- Initial profile loading via the ClientAPI RefreshPolicy function has been enabled and the RefreshPolicy function has been improved. This allows service users to load the profile without a user process loading the profile first (LC-4120, LC-4263)
Bugfixes in LAN Crypt Client release 11.0.1
- Textual changes (LC-3916, LC-4196)
- Security Officer certificates are imported again, including Base64 encoded certificates or certificates with a non-LAN Crypt-standard file name (LC-4249, LC-4268)
- User certificate import is case-insensitive again (LC-4279)
- Fixed encryption state for BoxDrive (LC-4234, LC-4299)
- The GPO “Strong private key protection“ (“CertUserProtected”) works correctly again when using the import function for user certificates of the LC client. (LC-4213)
- Fixed BSOD for ignored FAT drives (LC-4248)
- Fixed a sync bug in LCServ that sometimes caused:
  - profile loading to fail when AntiVirus was configured with a wildcard (LC-4320)
  - a red LC tray icon after installing V11.0.0 and loading the profile; and only a second restart of the Windows 11 client resulted in the green LC tray icon (LC-4311, LC-4288)
- A performance issue in the network driver that impacted (among others) the initial encryption has been resolved (LC-4254)
- Fixed BSOD when Cortex XDR (Palo Alto Networks) is used (LC-4233, LC-4277, LC-4477)
- Fixed a problem when Microsoft Office, specifically Word, is used with Google NetApp storage in combination with the NTFS file system. In this combination, Office applications sometimes store additional information in the alternate data stream. LAN Crypt did not correctly account for this additional data, which could result in incorrect file size calculations and inconsistent data (LC-4246)
- Fix for a potential data corruption error when recrypting with the same key type. This error occurred when recrypting multiple files on network shares using the Encryption Wizard or right-clicking in Explorer. This only affected the onPremise (Classic) client. (LC-4406)
- GetEncryptionState bug fixed. Manual encryption (according to profile) via multi-select did not encrypt all files (affected Windows 10 only). (LC-4383)
- Fixed wrong file state displayed on USB Sticks with unhandled devices set to "15" (LC-4548)
New and known issues in LAN Crypt Client release 11.0.1
- LAN Crypt is not yet operable with Windows Sandbox; a BSOD might occur (LC-4497)
- MultiPolicy profiles should not be distributed to clients before V11.0.0 (LC-3717)
- Wrong file state and context menu displayed on USB Sticks when Unhandled Devices are set to "Local Volumes"/"8". "Local Volumes" have accidentally been described as "All Local Volumes" in the admin manual. The group policy "Unhandled Devices" with setting "Local Volumes"/"8" and the "<Local Volumes>" option for encryption rules are currently applied to local drives and optical drives but not (correctly) applied to removable drives. This will be fixed in the next major version. (LC-4538)
Manuals, documentation and support
The support portal at https://support.conpal.de will redirect you to the new Utimaco support portal. Registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The Japanese version can be obtained from our partner Next Security https://next-security.jp
Read or download the client product documentation at
https://help.lancrypt.com/docs/windows/11_0_1/de/ in German language, at
https://help.lancrypt.com/docs/windows/11_0_1/en/ in English language and at
https://help.lancrypt.com/docs/windows/11_0_1/fr/ in French language.
API documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
https://help.lancrypt.com/docs/api/admin/net/index.html
u.trust LAN Crypt 11.0.0 Client release notes
After the acquisition of conpal GmbH by Utimaco in 4/2023, the product conpal LAN Crypt has been rebranded and will be continued under the new brand name u.trust LAN Crypt.
Version 11.0.0 is the first rebranded version, a feature release, and replaces the conpal LAN Crypt product.
The product is able to upgrade from the previous conpal LAN Crypt 4.2.1.
The Legacyfilter has been abandoned and is no longer supported.
Administration versions earlier than conpal LAN Crypt 4.1.1 are EOL.
Clients earlier than conpal LAN Crypt 4.1.3 are EOL.
It is mandatory to upgrade the clients to 4.2.1 and the administration to 4.2.0 before upgrading to u.trust LAN Crypt 11.0.0.
u.trust LAN Crypt 11.0.0 also comes with improved security functionality and several bugfixes.
New features:
§ Support for new versions of operating systems
§ 64 Bit .NET API
§ Several enhancements and extensions for .NET API
§ LCSendP12Password helper tool, automatically send P12 passwords by email
§ New database tool CheckDatabase.exe
§ Improved CreateTables
§ Log Collector Utility
§ Client Performance Improvements, options to cache files for encrypted SMB shares, DsStateCache for caching unencrypted files
§ Rebranding
§ Detail work on dialogs and error messages
§ Option to renew assigned certificates
§ Most important cloud apps pre-registered and maintainable via registry
§ Support for multiple policies
§ Show "Bypass" flag for rules in "Show Profile"
Changes/Improvements in V11:
§ u.trust LAN Crypt2Go replaces conpal LAN Crypt Portable
§ Improvement of accessibility
§ Accelerated create-profile functionality
§ Improved certificate handling
§ Accelerated certificate creation
§ Support for certificates in computer-store, e.g. for services
§ Optimizations, additional verifications and acceleration of CreateTables for MS SQL and Oracle
§ ClearCache Option for DsStateCache
§ Removed support for
  § deprecated Oracle versions
  § profiles in legacy format
§ Improved messages
§ .Net API update to support version 8
§ Throttling when creating certificates to preserve resources for OS accessibility
§ Performance tracing
§ When importing certificates (p12) from a file server, certificates are now checked in true descending order (by number suffix).
§ Default ignored apps can be maintained via registry
The EULA has been updated and is now only available in English and German.
The English version is valid for all non-German speaking countries.
The current versions can be obtained from:
Older release notes for LAN Crypt remain valid unless stated otherwise.
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Supported Windows 64-bit operating system platforms |
| Pro/Enterprise versions of Windows 10 21H2 (LTSC), 22H2 |
| Pro/Enterprise versions of Windows 11 21H2, 22H2, 23H2 |
| Windows Server 2022 |
| Supported Citrix Environments |
| Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019 |
New in LAN Crypt Client release 11.0.0
- Protection of LCUser and LoadProf from being terminated by TaskManager (LC-3107)
- DsStateCache is cleared when profile is unloaded (LC-3191)
- Show bypass rules in Show profile dialogue (LC-3122)
- Support functions for Box Drive (LC-3282)
- Rebranding GUI, icons, GPOs, EULA, file header and messages to u.trust LAN Crypt (LC-3156, LC-3299, LC-3595)
- MultiPolicy support - load and merge secondary profiles (LC-2094, LC-3455, LC-3515, LC-3744, LC-3719, LC-3614, LC-3830, LC-3829, LC-3790, LC-3579)
- LCStatus can show meta information of a primary/classic policy in Status tab (LC-3446)
- Company name of a primary policy is configurable via registry (LC-3722)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\conpal\LAN Crypt
  Value: CompanyName
  Type: REG_SZ
- Setting cloud sync apps as ignored apps is configurable via registry, default apps: see manual (LC-3638)
- Overlay icons now scale when the desktop scaling is changed (LC-2998)
- The “OptimizeNetworkDelayedClose” optimization can provide significant performance benefits for applications that repeatedly open network files at short intervals. It is only active when “OptimizeNetworkCachingMode” is not set to FESF_DEFAULT.
  All network files (encrypted or not) appear closed to the upper layers on the client, but in reality they remain open for a short time so that they can be read from the cache when they are accessed again quickly. The maximum time to final closure is about 30 seconds. If someone on the network accesses the file during this time, the network driver will immediately report the access to the minifilter, and the minifilter will attempt to close the file as quickly as possible. Unfortunately, this is not always successful, and in this case the accessing application on the other client may receive a SHARING_VIOLATION message on the first access. The next attempt would be successful, but may be too late for some applications. For this case, the “DelayedCloseExcludedPaths” registry parameter is provided, where you can configure the paths that are excluded from this optimization. Please contact support for details. (LC-4074)
- New support tool Log Collector Utility (LC-3165)
- Support for caching on encrypted SMB Shares can be enabled via registry. Please contact support for details. (LC-3226, LC-3772)
Changes in LAN Crypt Client release 11.0.0
- For SO and user certificates without the
x509v3 key usage option (keyUsage=keyEncipherment, dataEncipherment):
If the 'Check certificate extension' group policy is not configured, this policy
is treated as 'Enabled'.
Certificates without an appropriate key usage will be rejected.
This applies to:
  - Importing a user certificate into the LC Client
  - Importing a SO certificate into the LC Client
  - Assigning a user certificate in the LC Administration Console
  - Assigning a SO certificate in the LC Administration Console
  - Logging in to the LC Administration Console
Starting with LC v4.2.0, the policy was inadvertently
treated as "disabled" if the "Check certificate extension"
group policy was not configured.
With LC v11.0.0 this has been fixed so that LC behaves as it did before LC v4.2.0.
(LC-3938)
Therefore, before upgrading LCA and LCC to v11.0.0, make sure that the group policy is set
to "disabled" when using certificates without the x509v3 key usage
option.
- C++ runtime has been updated (LC-3295).
- 3rd party components updated, old
components removed (LC-3747, LC-2680, LC-3144, LC-3315, LC-3221, LC-3222,
LC-3223, LC-3366, LC-3748, LC-3749, LC-3484, LC-4109, LC-4179)
- Rename from inWebo to Trustbuilder
for 3rd party MFA (LC-3196)
- When "Load encryption
rules" is selected from the tray icon, the PIN entry window for the user .p12 import now has keyboard focus (LC-11)
- Improved
rigidity of the initial encryption wizard (LC-3150)
- Buffer overflow prevention measures (LC-3314, LC-3450)
- Improved and accelerated signature handling in LoadProf
(LC-3439, LC-3584)
- Instead of a warning, only a note (icon) is displayed if the path
to the profile file is (temporarily) unavailable (LC-3527)
- Improved error message when MFA authentication fails due to timeout
(LC-3382)
- Default WPP tracing session disabled to save kernel memory
(LC-3653)
- Improved serial number handling when importing certificates,
especially for incorrect numbers according to RFC 5280 (LC-3632, LC-4139)
- Improved error message when loading policy from webserver failed
(LC-3427)
- Removed check for old policy file if policy could
not be loaded from webserver (LC-3404)
- Improved signature check for future backwards compatibility when
loading a policy (LC-3716)
- New headers are no longer created with 512 bytes of padding; instead the
padding length is set to 0 (which is basically the same, but macOS and Android LC
can handle it better) (LC-3849)
- Default Ignored Apps (except
SearchProtocolHost.exe) will be set in the registry by the setup at:
HKLM\SYSTEM\CurrentControlSet\Services\cplcdt2\Parameters\DefaultIgnoredApplications and can be modified by the
customer in case of need (LC-3935)
- The search order of the
p12-file on a file share has been changed so that "newer" p12 are
imported first (according to the number suffix (higher number first))
(LC-120)
- Restricted access to named pipe
of LAN Crypt service (LC-3997)
- Improved performance,
especially when reading large network files (LC-4040)
- New CopyFile
feature implemented to overcome unusually long initial encryption time for
OneDrive files when used with Sophos Endpoint Protection (LC-4043)
- Extended trace for time
validity errors in certificate chain (LC-4147)
- Antivirus: In general, anti-malware software has
to be configured according to what you want it to do. The part
that needs to scan files needs to be added to the Virus Scanner settings
of LAN Crypt, preferably along with the Authenticode
of its manufacturer.

| Virus Scanner | Executable | Authenticode |
|---|---|---|
| Sophos Endpoint Security and Control | Old: SavService.exe, now: SophosFileScanner.exe (example paths listed after the table) | Yes |
| Microsoft Defender | MsMpEng.exe | |
| CrowdStrike | CsScan.exe | |

Example paths for Sophos Endpoint Security and Control:
C:\Program Files\Sophos\Endpoint Defense\SEDService.exe
C:\Program Files\Sophos\Sophos File Scanner\SophosFS.exe
C:\Program Files\Sophos\Sophos File Scanner\SophosfileScanner.exe
C:\Program Files\Sophos\Endpoint Defense\SSPService.exe
C:\Program Files\Sophos\Clean\SophosCleanM64.exe
C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe

In case EDR, XDR, or MDR is used, it makes sense to
exclude them or some of their processes from decrypting files and at the same
time allow these processes to access them. This is done by adding the
executable names to the unhandled applications settings in the LC Group Policy.

| EDR/XDR/MDR | Executable | GPO unhandled applications recommended |
|---|---|---|
| Sophos XDR | OsQuery.exe | Yes |
| Palo Alto Cortex | cyserver.exe* | Yes |

* Guess, not verified at release time
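
For the 'Check certificate extension' change in the list above (LC-3938), certificates can be audited before the upgrade. The following is an added example, not conpal code: `Get-LcKeyUsageReport` is a hypothetical helper that reports whether each certificate carries the x509v3 key usage extension and the two bits named in the note. Treating "appropriate key usage" as "both listed bits present" is an assumption, and the folder path is a placeholder.

```powershell
# Added example (not conpal code). Reports, per certificate, whether the x509v3
# key usage extension exists and whether it contains keyEncipherment and
# dataEncipherment, the two bits named in the release note.

function Get-LcKeyUsageReport {
    [CmdletBinding()]
    param(
        # Certificates from the pipeline, e.g. from the Cert: drive or loaded from files.
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    begin {
        $flagType    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $keyUsageOid = '2.5.29.15'   # id-ce-keyUsage (RFC 5280)
    }
    process {
        $raw = $Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq $keyUsageOid } |
            Select-Object -First 1

        $usageText = ''
        $hasKeyEnc = $false
        $hasDatEnc = $false

        if ($null -eq $raw) {
            # No key usage extension at all: the case the note warns about.
            $verdict = 'NoKeyUsageExtension'
        }
        else {
            # Decode explicitly so the result does not depend on how the runtime
            # typed the entry inside the Extensions collection.
            $ext = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($raw, $raw.Critical)
            $usageText = $ext.KeyUsages.ToString()
            $hasKeyEnc = $ext.KeyUsages.HasFlag($flagType::KeyEncipherment)
            $hasDatEnc = $ext.KeyUsages.HasFlag($flagType::DataEncipherment)

            # Assumption: "appropriate" means both bits listed in the note are set.
            if ($hasKeyEnc -and $hasDatEnc) { $verdict = 'BothListedBitsPresent' }
            else                            { $verdict = 'ListedBitMissing' }
        }

        [pscustomobject]@{
            Subject          = $Certificate.Subject
            Thumbprint       = $Certificate.Thumbprint
            NotAfter         = $Certificate.NotAfter
            KeyUsage         = $usageText
            KeyEncipherment  = $hasKeyEnc
            DataEncipherment = $hasDatEnc
            Verdict          = $verdict
        }
    }
}

# Certificates in the current user's personal store that need a closer look.
Get-ChildItem Cert:\CurrentUser\My |
    Get-LcKeyUsageReport |
    Where-Object Verdict -ne 'BothListedBitsPresent' |
    Format-Table Subject, NotAfter, KeyUsage, Verdict -AutoSize

# Exported public certificates (.cer) in a folder. The path is a placeholder.
$certFolder = 'C:\Temp\lc-certificates'
if (Test-Path -LiteralPath $certFolder) {
    Get-ChildItem -LiteralPath $certFolder -Filter *.cer -File |
        ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
        } |
        Get-LcKeyUsageReport |
        Format-Table Subject, KeyUsage, Verdict -AutoSize
}
```

Certificates reported as `NoKeyUsageExtension` are the ones affected by the changed default described in the note.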
Bugfixes in LAN Crypt Client release 11.0.0
- Made the path to the default policy file
cache visible in Client Status (LC-3262)
- Fixed BSOD when drive has less space available than required
(LC-3184)
- Policy file
cache folder is now correctly ignored (LC-3379)
- Fixed registry write error for DATAID_LCINIT_FILETYPES_USER
(LC-3431)
- Improved spelling in lcinit help
(LC-3494)
- Fixed memory leak (LC-3533)
- Fixed BSOD of cplcisolate.sys in Horizon VDI (LC-3597)
- Create file in plain when created on a volume with ignored drive
letter that was mapped after boot (LC-3657)
- Wordpad
'File In Use' issue fix for files on network
shares (LC-3937)
- BSOD with Clear Case fixed: GetEncState
stack reduced by 1K+ (LC-3982)
- Fixed potential hang when moving a large number
of plain files by cutting and pasting to the same SMB share
(LC-3678)
- Encryption status of a file can now be queried with SGFEApi for imported LC2GO keys (LC-4042)
- Nx-Pool
leak fixed to allow activation of HVCI - hypervisor-protected code
integrity (LC-3679)
- Bug fixes for compatibility with Microsoft’s Driver Verifier
(LC-4127)
- Fixed BSOD when copying files using the CopyDeploymentManager
tool (LC-4055)
- Fixed memory leak in mini filter. (LC-3625)
- Driver Verifier Exception during OneNote Sync fixed (LC-4163)
- Fixed inability to save Office documents to a network drive,
corrupted Office files, especially Excel files - more common in
environments with Sophos AV (LC-3793)
- Fixed BSOD when moving files to an encrypted DFS share where files
already exist (LC-4192)
- Exception handled in LCUser when
iterating over directory for async encryption (LC-4188, LC-4037)
New and known issues in LAN Crypt Client release 11.0.0
- Some debugger protection functionality
has been deactivated due to interoperability issues (LC-4063, LC-4020).
- In very specific situations,
the new DelayedClose functionality will cause an
access error when quickly closing, opening, and modifying files on the
network, which will not occur if you try to save a file a second time or
if you wait a little while between actions. (LC-3937)
"The purpose of the DelayedClose
optimization is to keep the files in our driver open for a short time so that
they can be opened more quickly if they are accessed again during that
time.
However, if another application or
somebody in the network accesses the file earlier and wants to open it
exclusively, this can in rare cases lead to an error.
Important note: In any case, all
data is "flushed" (written to disk) but not "purged"
(deleted from cache), so no data is lost in the event of a system crash."
- When copying LC-encrypted text
files (via multiselect or via parent directory) from a VM environment with
no LC client installed to an outbound share or to a different VM with LC
client installed, some AES-XTS encrypted files can end up
double-encrypted. Double encryption can be removed using the wizard.
(LC-4157)
- API: When using “SetTemporaryRule” via the API, the rule is not removed
after access or within 15 seconds, as described in the manual. The rule
may be persistent for the session. (LC-4122)
- The PreventPlainFiles functionality has
been officially supported and released for LAN Crypt version 4.2. Administration
is done solely via ADMX templates.
Since previous versions were only made available on a project basis to
very few customers, no migration of existing settings was implemented.
The settings in older versions were stored under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Utimaco\SGLCENC
"PreventPlainFiles"=....
Now, the settings are stored under
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cplcdt2\Parameters]
"PreventPlainFiles"="...", they can be managed via ADMX.
Note that the newer settings use a REG_MULTI_SZ.
(LC-3792)
- Explorer crashes when a local
drive is moved using LC “Secure move”, affects LAN Crypt 4.2 as well
(LC-3225)
- Profiles cannot be created for
users in subgroups with depth greater than or equal to 80. Affects Lan
Crypt 4.1.1, 4.2 and 11.0 (LC-3193)
- Non-standard screen scaling may
result in incorrect display of menus and setup (LC-4190)
- For the administration, the rules and the managed paths, there is a restriction of <260 characters (Microsoft MAX_PATH). The client also checks for this length
restriction. (LC-2500, LC-3844)
- The GPO “Strong private key protection“
(“CertUserProtected”)
is currently not applied, when using the import function for user certificates
of the LC client. (LC-4213)
- We have identified two problems
that appear to be related to the “OptimizeNetworkDelayedClose”
optimization (This optimization keeps a file in the cache for a short time
after closing which speeds up some use cases significantly.):
- Building a C++
project on a network share with Visual Studio may fail with the message
'File already in use'.
- If CSC
(client-side caching - offline files) is enabled, moving network
directories (cut-paste) may fail with the message 'File already in use by
another process'.
With the setting OptimizeNetworkDelayedClose=0, this behaviour
does not occur in either case. (LC-4201)
- Unfortunately, LCC can only
evaluate the IP addresses in the rules correctly if the RemoveDomainFromRules flag is not set, otherwise only \172*
of the rule \172.20.2.23* remains. With normal rules, this functionality
can be controlled via the registry, but this is not possible with PreventPlainFiles rules in the current version
(LC-3626).
Manuals, documentation and support
At https://support.conpal.de
registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
Read or download the client
product documentation at
https://help.lancrypt.com/docs/windows/11_0_0/de/ in German language, at
https://help.lancrypt.com/docs/windows/11_0_0/en/ in English language and at
https://help.lancrypt.com/docs/windows/11_0_0/fr/ in French language.
API documentation can be
obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
conpal LAN Crypt 4.2.1 Client
release notes
conpal LAN Crypt 4.2.1 is a maintenance release,
there are no new features included.
Please refer to the conpal
LAN Crypt 4.2.0 part of the release notes.
Older release
notes for LAN Crypt remain valid, if not stated otherwise.
LAN Crypt
4.2.1 was built solely to provide workarounds for behavioral changes of
Microsoft technologies.
We recommend updating all LAN Crypt clients that are operated with MiniFilter when they are affected by the
described issue.
IMPORTANT LAN Crypt Notice:
Windows Update results in changed behavior with LAN Crypt
Issue
In rare cases, copying files to
network shares results in a change in the size of the destination file: the size
is rounded up to the next 512-byte boundary. The behavior is independent of the
encryption status. It does not occur without LAN Crypt installed, nor does it
affect file operations on local media. Removable media or cloud storage
likewise are not affected according to our tests.
Affected systems
Windows 10 and 11 with KB5025221 or KB5023774 or KB5025239 in combination with
LAN Crypt Client (4.x with MiniFilter).
Other systems/combinations are not affected to our current
knowledge.
Countermeasures/fixes:
LAN Crypt 4.2.1 contains a workaround for that behavior.
We are categorizing this issue as a potential data corruption
and classify it as critical. We advise installing the LAN
Crypt client version 4.2.1 on affected systems.
There are currently no other known workarounds, apart from delaying the referenced
Microsoft patches.
Background:
Microsoft
continues to make significant changes to Windows to increase the performance of
file copy operations*. While this is mostly transparent to file system filter
drivers, in our testing we have discovered an incompatibility between our
drivers and a recent change to this code path in the OS.
Example:
A non-cached copy operation of a 7-byte source file to a network share will
result in a 512-byte destination file.
xcopy /v /j localsource networkdestination
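
A size comparison for the symptom in the example above, as an added example that is not part of the vendor's notice: `Find-PaddedCopy` (a hypothetical name) walks a source folder and its copy and reports destination files whose length equals the source length rounded up to the next 512-byte boundary. The paths in the usage comment are placeholders.

```powershell
# Added example, not vendor tooling. Lists copied files whose destination size
# differs from the source, and marks those that match the pattern from the
# notice: destination size = source size rounded up to the next 512 bytes.

function Find-PaddedCopy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourceRoot,       # local folder that was copied
        [Parameter(Mandatory)][string]$DestinationRoot,  # copy target on the network share
        [ValidateRange(1, 65536)][int]$Boundary = 512    # boundary named in the notice
    )

    $src = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath.TrimEnd('\')
    $dst = (Resolve-Path -LiteralPath $DestinationRoot).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $src -File -Recurse | ForEach-Object {
        # Map the source file to the same relative location below the destination.
        $relative = $_.FullName.Substring($src.Length).TrimStart('\')
        $target   = Join-Path -Path $dst -ChildPath $relative
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { return }

        $srcLen = [long]$_.Length
        $dstLen = [long](Get-Item -LiteralPath $target).Length
        if ($srcLen -eq $dstLen) { return }   # sizes match, nothing to report

        # Integer round-up of the source length to the boundary.
        $remainder = $srcLen % $Boundary
        if ($remainder -eq 0) { $rounded = $srcLen }
        else                  { $rounded = $srcLen + ($Boundary - $remainder) }

        if ($dstLen -eq $rounded) { $finding = "Padded to ${Boundary}-byte boundary" }
        else                      { $finding = 'Size differs (other cause)' }

        [pscustomobject]@{
            RelativePath     = $relative
            SourceBytes      = $srcLen
            DestinationBytes = $dstLen
            Finding          = $finding
        }
    }
}

# Usage (placeholder paths):
# Find-PaddedCopy -SourceRoot 'C:\Data\Project' -DestinationRoot '\\fileserver\share\Project' |
#     Format-Table -AutoSize
```

A 7-byte source with a 512-byte copy, as in the example above, is reported as padded; a source whose size is already a multiple of 512 cannot show this symptom.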
Occurrence:
The issue affects Windows machines with all LAN Crypt versions using MiniFilter (4.0 - 4.2). We have
determined the change in OS behavior was introduced to Windows 10 via
KB5025221. Further testing shows that this issue is also present in recent
releases of Windows 11 21H2 and can be traced back to KB5023774. For Windows 11 22H2, the issue seems to be present since
at least KB5025239.
Severity:
The
issue arises sporadically, in most cases the change in file size is
inconsequential or easily remedied by the associated app.
Related Links:
- 2023-04 Cumulative Update for Windows 10 *** Systems (KB5025221)
  https://support.microsoft.com/help/5025221
  KB5025221 - Microsoft Update Catalog
- 2023-03 Cumulative Update Preview for Windows 11 21H2 *** Systems (KB5023774)
  https://support.microsoft.com/help/5023774
  KB5023774 - Microsoft Update Catalog
- 2023-04 Cumulative Update for Windows 11 Version 22H2 *** Systems (KB5025239)
  https://support.microsoft.com/help/5025239
  KB5025239 - Microsoft Update Catalog
*Further
details about these changes by Microsoft in general can be found here:
Changes in conpal LAN Crypt Client release 4.2.1
- Based on the recent OS changes it is no longer valid to clear the
FO_NO_INTERMEDIATE_BUFFERING bit in non-cached opens to network files. LAN
Crypt previously cleared this bit to have better control over caching on
network files, however the I/O subsystem now uses the presence of this bit to
determine if files should or should not be truncated to a non-aligned size
during non-cached copies. While we do not believe that the I/O subsystem should
be using this bit for the determination, the OS
releases are now in the wild and we must change our handling within LAN Crypt.
Different mechanisms are now used for the operations (LC-3337)
- Due to a bug in the current Sysinternals Sysmon version (14.6), LC performance problems
may occur. A workaround has been implemented (LC-3173). The workaround might be
beneficial in other situations where users face
performance problems when opening and saving files.
In general, Sophos virus scanners have to be configured
differently:

| Virus Scanner | Executable | Authenticode |
|---|---|---|
| Sophos Endpoint Security and Control | Old: SavService.exe, now: SophosFileScanner.exe | Yes |

conpal LAN Crypt 4.2.0 Client release notes
conpal LAN Crypt 4.2.0 is a
feature release that also comes with improved security functionality and
several bugfixes. New features:
- Malware Protection
- OneDrive Settings package
- LAN Crypt 2Go Key Import
- Adding Multiple Encryption Groups to a User
- Bypass Rules Deployment
- Multiple Virus Scanner Configurations
- PreventPlainFilesPath Option
- New Operating Systems Support
- Additional Database Support
- API extensions
- Localization Support for MFA
- Client Performance Improvements
- HTML-Based Client Help
- On-Premise
OneNote Support
- Search field for groups
- Network filter installation without network interruption
- Detail work on icons, dialogs and error messages
- LCA 64-bit .NET API
- Several enhancements for .NET API
- Support of Server-Side Copy
- DsStateCache
for caching unencrypted files
- Renewal of assigned certificates
Please note the LAN
Crypt 4.2.0 Administration release notes.
Older release notes for
LAN Crypt remain valid, if not stated otherwise.
Important information, if you
had early access to LAN Crypt Client 4.2.0
During the release of LAN Crypt v4.2.0.5550, we
detected a data corruption,
if encrypted files were copied from an unregulated server share
to an unregulated folder on the same server share, when server side copy was
utilized by the LCC.
Shipment of the version has been stopped, but it is possible that this version
still arrived at individual customers or partners.
We strongly advise against productive use of LAN Crypt for Windows Client
v4.2.0.5550.
The version can be identified by the build number of the binaries,
the information in the info/about-box of the client or you can already
distinguish the MSI:
The client of the defective version 4.2.0.5550 has the revision number
{2F4D80EF-733F-48B1-AA67-8EABD636C7C6}.
The root cause for the possible corruption has been found
and the problem is fixed with LAN Crypt v4.2.0.5559,
which is currently available as a released version.
The MSI of the released LAN Crypt client version 4.2.0.5559 has the revision
number {BAFCA5AD-9B37-4BBE-A8B9-973ED914A50F}.
The defective version cannot be updated to the released version, so it would
have to be uninstalled and reinstalled.
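
The revision-number check described above, as an added example that is not conpal tooling: it reads the Revision Number from each MSI's summary information through the Windows Installer COM object and compares it with the two values quoted in this note. The function names and the folder in the usage comment are placeholders.

```powershell
# Added example, not conpal tooling. Identifies LAN Crypt client MSI packages by
# the revision numbers quoted in the release note.

$KnownRevisions = @{
    '{2F4D80EF-733F-48B1-AA67-8EABD636C7C6}' = 'Defective client 4.2.0.5550, do not deploy'
    '{BAFCA5AD-9B37-4BBE-A8B9-973ED914A50F}' = 'Released client 4.2.0.5559'
}

function Get-MsiRevisionNumber {
    param([Parameter(Mandatory)][string]$Path)

    $fullPath  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $getProp   = [System.Reflection.BindingFlags]::GetProperty
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $summary   = $null
    try {
        # Installer.SummaryInformation(path, 0): zero update slots means read-only.
        $summary = $installer.GetType().InvokeMember(
            'SummaryInformation', $getProp, $null, $installer, @($fullPath, 0))

        # Summary property 9 is the Revision Number field of the package.
        $revision = $summary.GetType().InvokeMember(
            'Property', $getProp, $null, $summary, @(9))

        return ([string]$revision).Trim().ToUpperInvariant()
    }
    finally {
        # Release the COM objects so the MSI file is not kept open.
        if ($null -ne $summary) {
            [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($summary)
        }
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

function Test-LcClientMsi {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -Filter *.msi -File -Recurse | ForEach-Object {
        $revision   = Get-MsiRevisionNumber -Path $_.FullName
        $assessment = $KnownRevisions[$revision]
        if (-not $assessment) {
            $assessment = 'Revision number not listed in the release note'
        }

        [pscustomobject]@{
            File           = $_.FullName
            RevisionNumber = $revision
            Assessment     = $assessment
        }
    }
}

# Usage (placeholder path): scan a software distribution folder.
# Test-LcClientMsi -Folder '\\fileserver\deploy\LANCrypt' | Format-List
```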
Requirements
The below
listed platforms have been tested and are officially supported. Other Service
Pack levels might work as well but have not run through a QA cycle and won't be
analysed in case of occurring issues.

| Supported Windows 64-bit operating system platforms |
|---|
| Pro/Enterprise versions of Windows 10 1809 (LTSC), 20H2, 21H2, 21H2 (LTSC), 22H2 |
| Pro/Enterprise versions of Windows 11 21H2, 22H2 |
| Windows Server 2019 |
| Windows Server 2022 |
| Supported Citrix Environments |
| Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019 |

- Rule for Import/Malware Protection (No Plain File
Access on Removable) (LC-2861)
- OneDrive Settings can be applied as an optional
package with the setup (OneDrive HKCU configuration for the user running
the setup) (LC-2904)
- LAN Crypt 2Go Key Import: Key value, GUID, name and encryption
algorithm can be imported from a file encrypted with LC2Go. This enables
the LAN Crypt client to read and decrypt files encrypted by LC2Go with a
password and vice versa (LC-2859).
- Bypass rules can be provided within the profile
(LC-2864)
- Configuration of multiple Virus Scanners without delays when
profile is loaded (LC-2925)
- InWebo/TrustBuilder: Localization support for error messages
(2FA) (LC-2800, LC-2793, LC-2792).
- Windows 10 and Windows 11 – 22H2 support
- Support for On-Premise MS OneNote (NB: The
OneNote Cache must be deleted, before using the functionality with encrypted
OneNote files with 4.2).
- In addition, there are further speed improvements, special
adjustments for NetApp file shares, Citrix and
terminal server environments and several bug fixes.
- Documentation and help are provided HTML
based online, including API documentation. (LC-3013, LC-3060).
- LoadProf
assistant prevents black screens on terminal servers (LC-2433, LC-469,
LC-2686).
Changes in conpal LAN Crypt Client release 4.2.0
- DsStateCache now enabled
by default for local and network drives (LC-93, LC-2771, LC-3185)
DsStateCache is a mechanism to save constant
header reading for non-encrypted files. When DsStateCache
is active, the header of each unencrypted file is read only once in 10
minutes (local [45s on network drives]) and all subsequent calls are
served by the cache. That is, once a local file is detected as
unencrypted, it is considered unencrypted for the next 10 minutes until
either event occurs:
- The file is explicitly encrypted by our EncryptFile
function.
- The file is overwritten, renamed or otherwise replaced by an encrypted
file with the same name.
There is a registry setting available to switch the Caching off in case of
problems. Contact the support in such cases.
- Significantly improved
activation of virus scanners. Multiple anti-virus scanners configuration
activated without delay when loading a profile (LC-2925)
- There are some specific system
paths that are excluded from encryption. If you need more information
about which paths these are, please get in touch
with conpal support. However, starting from LC
version 4.2.0, it is now possible to enable encryption for the root
folder, Windows folder, and Program Files folders. To do this, you need to
set the following registry keys to "1" underneath
"HKLM/System/CCS/Services/cplcdt2/Parameters/": “AllowEncryptionOfRootFolder”, “AllowEncryptionOfWindowsFolder”,
and “AllowEncryptionOfProgramFilesFolders”
(LC-3011).
- Specific locking behavior (NetworkLockRounding) can now be configured
based on the application (LC-2645).
- LAN Crypt Message changed, when
"Deactivate encryption” is selected in the taskbar options (LC-58).
Also, the title bar of those messages now shows the product name again
(LC-2889).
- Updated
Windows start menu folder names. Changed to “conpal LAN Crypt Administration” and “conpal
LAN Crypt Client” (LC-1261).
- Change of the build numbering (LC-2927).
- Product icons modified
(LC-2860, LC-2978).
- Embedded libraries updated
(LC-2922, LC-3000).
- Import function of intermediate
and root certificates stores these certificates in the correct certificate
stores now (LC-2611).
- Minifilter now evaluates sorting methods
correctly, as it used to in 3.x versions (Rules with
no/fewer wildcards (*) are listed first) (LC-2449).
- SGFEApi.exe: Encryption of data
files on UNC paths is now possible (LC-2843).
- Profile remains active after
crash/termination of LoadProf/LCUser, when user is not allowed to “Clear encryption rules”
(set via GPO “Enable Menu Entries”) (LC-3106).
- Support Server-Side Copy: works
for all non-controlled network directories, i.e. for all directories where
no encryption state change can take place during copying (LC-2657).
- Minifilter performance improvements
(LC-2844)
Bugfixes in conpal LAN Crypt Client release 4.2.0
- Profiles that cannot be loaded with SO
certificate with expiration date >3100 now receive a corresponding
error message (LC-2458).
- Issues fixed when LAN Crypt installation path changed for an
upgrade. Minifilter ACL is now updated correctly
(LC-3024).
- If files are written to an Azure and LAN Crypt controlled share,
they are now handled correctly (LC-2879).
- Data corruptions and sync errors, that
occurred when multiple users work on the same OneNote (on-premises)
document in parallel, have been fixed (LC-1256, LC-3062).
- BSOD fixed on Citrix machines, as soon as files with red key are
listed in Explorer (LC-2888).
- Network filter installation works without network interruption during
install and filter components are now correctly removed from the "DriverStore" during LC uninstallation (LC-2476,
LC-2659, LC-2660, LC-2397, LC-2326, LC-2448, LC-2934).
- Installation of NDIS driver
failed when LC Client was installed outside the default installation
directory. This has been fixed (LC-2448).
- Explorer extension 32-bit
registry entries now get repaired when deleted accidentally
(HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced)
(LC-3061).
- Setup:
32-bit components now installed in correct "LAN Crypt" subfolder
(LC-2779).
- InWebo/TrustBuilder:
Fixed an error message that sometimes appeared when MFA login
had already been performed (LC-2768).
- When trying to encrypt a
read-only file, the error message “You don't have any permission to access
this file” is now displayed instead of “Unknown Error” (LC-2485).
- Sometimes
the client froze when many plaintext files were encrypted/decrypted in a
LAN Crypt controlled environment (LC-3042).
- When saving a PowerPoint file
to a NetApp file share while CSC (Offline Client-Side Cache) is enabled
for that directory, PowerPoint got stuck while saving. The process could
still be cancelled via UI, but the thread hung, and the file could not be
deleted. This deadlock got fixed (LC-2722, LC-2781).
- Explorer
extension: registry entries were installed despite the feature being deselected
(LC-2427).
- When
using Intel CPU integrated graphics Intel(R) Iris(R)
Xe or Intel(R) HD 530 the encryption information box did not show the full
text (LC-2442).
- Citrix encryption status errors
occurred repeatedly on DFS shares and slowed down file processes such as
opening documents or data encryption (LC-3019).
- When the
Visual Studio runtime was
not available, uninstalling the LAN Crypt Client was sometimes not possible.
This issue has been fixed (LC-2447).
- Unzipping files to a LC controlled network share sometimes caused a freeze (LC-3108).
- BSoD with network filter driver when
saving with Autodesk VRED and Adobe After Effects fixed (LC-2846).
- Trying to create files in an
encrypted Azure share was not possible with error “file too large for
target system”. This has been fixed (LC-2837).
- Avoiding a BSOD in Citrix on
locally mapped drives (LC-2785).
- Client hang was fixed, that
could occur when a rule using a drive letter exists, CSC (local offline
cache for network files) is enabled, and the network upon reboot is
unavailable (LC-2698).
- LoadProfService handle
issue fixed, which prohibited deletion of a
second service (LC-2465).
- Secure File moving was not
possible on Isilon and NetApp shares - fixed (LC-2758).
- The 3rd party inventory “3rd_party_software.pdf” is
present and up to date in the LCA and LCC deployment folders. The “3rd_party_software.pdf” installed with the LC product
is missing an entry:
“libkmip/BSD license” (LC-2696).
- The
joint installation of LAN Crypt Administration V3.97 (or earlier) and LAN
Crypt Client V4.x is not supported. The connection to LCSERVN.exe might
get lost (LC-1929).
- The
initial encryption wizard does not encrypt files, when a network problem
accessing these files occurs. In this case the file is reported correctly
as unencrypted. The wizard should be used again, until the desired
encryption state is achieved (LC-3150).
- Moving
a folder to the Recycle Bin, whose files were encrypted without a rule,
results in decryption of the files during recovery, when Windows 10 1809
is used (LC-2471).
- The
LCC MSI cannot be executed correctly in repair mode from an encrypted
drive or when a rule exists for this location (LC-3157).
- When
a file is encrypted with a key that cannot be accessed, the
hex error 1B might erroneously be reported (LC-1884).
- When
a predefined PIN for .P12 files is used, on client
side not necessarily the newest user certificate gets imported and the
error "User certificate not found" is presented (LC-120,
LC-1995)
- LAN Crypt Client does not
support changing the display scaling without a user logging off and on. If
a user does not log off and log on, the icon in the taskbar cannot work
properly and the message boxes cannot display the full text (LC-3020).
- An uninstall after an upgrade
of the product might leave some orphaned directories of the previous
version (LC-2264).
- BSOD might occur when not
enough disk space is available while extracting files with WinRAR
(LC-3184).
- When using DFS services in
certain configurations, the LAN Crypt network filter might only work
without caching leading to a reduced performance (LC-3167).
- When using “No plain file
access on removables” while having an ignore
rule for a path on that removable, the ignore rule has higher priority and
plain files can still be created there (LC-3201).
Manuals, documentation and support
At https://support.conpal.de
registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
Read or download the client
product documentation at
https://help.lancrypt.com/docs/windows/4_2_0/de/ in German language, at
https://help.lancrypt.com/docs/windows/4_2_0/en/ in English language and at
https://help.lancrypt.com/docs/windows/4_2_0/fr/ in French language.
API documentation can be
obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
conpal LAN Crypt 4.1.2 Client release notes
conpal LAN Crypt 4.1.2 is a Japanese
language version and functionally identical to LAN Crypt 4.1.1.
Please refer to the conpal LAN Crypt 4.1.1 part of
the release notes.
Please note the LAN
Crypt 4.1.2 Administration release notes.
Older release notes for
LAN Crypt remain valid, if not stated otherwise.
Manuals, documentation and support
At https://support.conpal.de registered
customers with active maintenance contracts get access to downloads,
documentation and knowledge items.
Download the client product documentation at
https://docs.lancrypt.com/ja/client/lc_412_hjpn.pdf in Japanese language,
at
https://docs.lancrypt.com/de/client/lc_411_hdeu.pdf in German language, at
https://docs.lancrypt.com/en/client/lc_411_heng.pdf in English language and
at
https://docs.lancrypt.com/fr/client/lc_411_hfra.pdf in French language.
Please note that the French manual will be published with a delay; for the time being,
use the English manual.
conpal LAN Crypt 4.1.1 Client release notes
conpal LAN Crypt 4.1.1 is a
maintenance release, there are no new features
included.
Please refer to the conpal LAN Crypt 4.1.0 part of the
release notes.
Please note the LAN
Crypt 4.1.1 Administration release notes.
Requirements
The below
listed platforms have been tested and are officially supported. Other Service
Pack levels might work as well but have not run through a QA cycle and won't be
analysed in case of occurring issues.

| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Pro/Enterprise versions of Windows 10 1809 (LTSC), 20H2, 21H1, 21H2, Windows 11 | No | Yes |
| Windows Server 2019 | No | Yes |
| Windows Server 2022 | No | Yes |
| Citrix XenApp, Citrix XenApp LTSR * | No | Yes |

*Citrix Environments are supported, but
have not been extensively retested
Bugfixes in conpal LAN Crypt Client, Release 4.1.1
- File system issues fixed on NetApp,
Isilon and other non-Windows filers (LC-2688, LC-2133, LC-2681, LC-2398,
LC-2574, LC-2234, LC-2687)
- Links in File Properties are now active (LC-2676)
- Versioninfo
and missing productnames fixed (LC-2623)
- File info in explorer shows now correct copyright information
(LC-2621)
- The wizard (lcinit) report now includes
files, where the keys are not available and sums up correctly (LC-2523)
- SysInternals PsExec after version
v2.34 can now be supported by a specific registry key (to be provided by
support) (LC-2505).
- A very few,
very specific files encrypted with old LAN Crypt versions can now be opened
and will not be corrupted (LC-2492)
- Deleting files on network without key access (red key) while the
profile is loaded, is now correctly not permitted. (LC-2464).
- Client status: DefaultIgnoreRule
default value (*) is now correctly displayed again (LC-2459)
- Potential handle leak in network filter fixed (LC-2450)
- Virtual Smart Card: Cancel the dialog for PIN entry now does not
attempt smart card logon anymore (LC-2408)
- Files
encrypted with LC Client Version 2.00, are encrypted with the encryption mode
OFB. The operation with these legacy files is now possible, when DoNotHashkeys is enabled. This affects i.e. DES and
IDEA encrypted files, and some legacy encryption keys (more than 10 years
old) can now be used with LC again.
(LC-2365, LC-1872, LC-2052)
- Fix of another OFB specific decryption misbehaviour,
related to old file formats (LC-2761)
- Slowed down
performance, browser hangs and black screens fixed, especially for terminal servers (LC-2133)
- Caching
for non-encrypted files on local drives can be tested with registry key,
to be provided on request by support (LC-93)
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
Download the client product documentation at
https://docs.lancrypt.com/de/client/lc_411_hdeu.pdf in German language, at
https://docs.lancrypt.com/en/client/lc_411_heng.pdf in English language and at
https://docs.lancrypt.com/fr/client/lc_411_hfra.pdf in French language.
Please note that the French manual will be published with a delay; for the time being, use the English manual.
conpal LAN Crypt 4.1.0 Client release notes
conpal LAN Crypt 4.1.0 comes with support for new operating systems, new functionality, improved security functionality and new features, e.g.
· Support for SGN/SafeGuard Fileshare customers
· Portable file encryption
· Minifilter with caching capabilities for SMB network shares
· New .NET Administration API
· Client API login with user context
· LAN Crypt-Service functionality
· Manipulation protection for processes
· Multi-factor authentication based on 3rd party technology
· Oracle 19 support
The Legacyfilter has been abandoned, but is still supported with the 4.00.x version of the product.
Older release notes for LAN Crypt 4.00.x remain valid, if not stated otherwise.
Please note the LAN Crypt 4.1.0 Administration release notes.
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.

| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Pro/Enterprise versions of Windows 10 1809 (LTSC), 1909 (19H2), 20H2, 21H1, 21H2, Windows 11 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
| Windows Server 2022 | No | Yes |
| Citrix XenApp 7.18 on Windows Server 2016* | No | Yes |
| Citrix XenApp 7.15 LTSR on Windows Server 2016* | No | Yes |

*Citrix Environments are supported, but have not been extensively retested
New in conpal LAN Crypt Client release 4.1.0
- Support for SGN/SafeGuard FileShare keys. In combination with a key export and a key import tool, FileShare-encrypted files can be handled by conpal LAN Crypt Client 4.00.3 or newer with Minifilter.
- The legacy filter is deprecated by Microsoft. Starting with LAN Crypt 4.1, the Legacy driver is no longer part of the LAN Crypt Client. LAN Crypt 4.1 comes with a Minifilter. The Legacyfilter is no longer referenced in the code or called by any component, and it is removed from the installation package(s). Information about the Legacy driver is removed from customer-facing documentation. New installations are configured to use the Minifilter driver. Upgrades of existing installations use the Minifilter driver. Non-default Legacy-filter registry settings are migrated to the respective Minifilter settings (where necessary) (LC-1681)
- LAN Crypt V4.1 comes with new functionality that, in some cases, can significantly improve the performance of accessing files on network shares: LAN Crypt version 4.1 supports cached access to SMB V2/SMB V3 network shares (this functionality requires that the SMB intrinsic encryption functionality is not used). In LC version 4.1, Caching Mode WINDOWS_NATIVE default is supported (LC-1506, LC-1559, LC-1560).
- Code security, replacement of functions (LC-1299, LC-1295, LC-1286).
- Client API login with user context is now possible. For example, a RunAs in user context will have a LAN Crypt profile (LC-1501).
Changes in 4.1.0
- The Legacy driver is no longer part of LAN Crypt 4.1.0. If older products are updated, settings will be migrated automatically for the Minifilter functionality. In some rare cases there might be compatibility issues, which will be fixed over time. For the time being, in such cases it is recommended to stay with the LAN Crypt 4.00.x Legacyfilter (LC-1681)
- As in earlier LAN Crypt versions, NTFS Compression is not supported. Unlike in earlier versions, files on network shares will no longer be automatically decompressed (LC-2384, LC-1437).
- Improvements for IBM Doors have been implemented (LC-1403)
- The 'old' OptimizeNetwork switches should be removed and only be reactivated when essential for the specific use case. Corresponding switches should be removed from the registry as well (LC-1928). Please contact support in case of doubt.
- RemoveDomainFromRules now works as initially designed. When switched off, full domain names are used in rules and are not cut off (LC-1417).
- Further significant performance improvements for the Amesim application due to cached access of SMB file shares in the network (LC-1364)
- Boost library removed for better maintenance of security-relevant functions (LC-474).
- Removal of the "Created with operating system" field in the client status (LC-1344)
- DNSRuleCreationMode did not create corresponding rules for all IP addresses of all found DFS targets (LC-1476)
- ServicesDefaultIgnoreRules with value "*" were not applied correctly. Accessing encrypted files with a service in folders (and subfolders) having a DefaultIgnoreRule would lead to an "access denied" (not correct); in other folders the cipher text could be read (correct). The wrong behaviour has been corrected (LC-2256).
- Display and export of DefaultIgnoredRules did not work properly in the client (LC-1311)
- Client status: "Cached Policyfile Lifetime"/"Profile Update Interval" showed the period in rounded weeks instead of days (LC-1112)
- Secure Move - Confirm File/Folder Replace contained the complete target path instead of the file/folder name (LC-902).
- The Minifilter driver had a conflict with the VirtualBox Shared Folders Redirector VBoxSF.sys (LC-1217)
- The client setup was not able to install or modify single packages when Minifilter was used in VirtualBox. The client with Minifilter had to be installed with all components, otherwise it led to a BSOD (LC-2291).
- Upgrade installation LCA and LCC v3 -> v4: MSI ProductCode did not match the Registry ProductCode (LC-1324).
- When opening files from an application other than Windows Explorer, no key symbols were displayed in the Explorer window (LC-1245).
- lcsdel.exe feedback regarding deleting files from C:\Windows\ was incorrect (LC-1277).
- Explorer Extension: `Initialverschlüsselung` vs. `Encrypt according to profile`. The message has been aligned between the English and German versions of the LCC (LC-1005).
- Plaintext files existing in the PreventPlainFiles path are now displayed without the key icon (local and network). In the Explorer context menu, the LAN Crypt option "Encrypt according to profile" is no longer offered (local and network) (LC-1513).
- ClientAPI function "SetTemporaryRule": key passing did not work (LC-1514).
- If the PolicyCache data is not available, a load of a profile from the shared folder is requested (LC-117).
- Links to web addresses could not be created on network drives (LC-66)
New known issues
- The joint installation of LAN Crypt Administration V3.97 (or earlier) and LAN Crypt Client V4.x is not supported. The connection to LCSERVN.exe might get lost (LC-1929).
- When a file is encrypted with a key that cannot be accessed, the hex error 1B is erroneously reported (LC-1884)
- There is a difference between Legacy and Minifilter. With Legacy, deleting files on the network without key access (red key) while the profile is loaded is not permitted. With Minifilter the behaviour is different: these files can be deleted. Opening, renaming and copying are still not possible. This affects LAN Crypt 4.0.x and 4.1 (LC-2464).
- The Visual Studio runtime might not be available on some machines. In this case, e.g. deinstallation of the product might not be possible.
  https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
  https://aka.ms/vs/17/release/vc_redist.x86.exe
  https://aka.ms/vs/17/release/vc_redist.x64.exe
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The client manuals in French language will be available for download as a PDF manual a couple of days after release. For the time being, an old manual with a test page will be available at the link for the French manual.
Download the client product documentation at
https://docs.lancrypt.com/de/client/lc_410_hdeu.pdf in German language, at
https://docs.lancrypt.com/en/client/lc_410_heng.pdf in English language and at
https://docs.lancrypt.com/fr/client/lc_410_hfra.pdf in French language.
Please note that the French manual will be published with a delay; for the time being, use the English manual.
conpal LAN Crypt 4.00.3 Client release notes
conpal LAN Crypt 4.00.3 comes with support for additional operating systems, support for SGN/SafeGuard FileShare and bugfixes. Older release notes for LAN Crypt 4.00.x remain valid, if not stated otherwise.
Please note the LAN Crypt 4.00.3 Administration release notes.
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.

| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Windows 10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise, 21H2 Pro/Enterprise, Windows 11 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
| Citrix XenApp 7.9 on Windows Server 2012 R2 | No | Yes |
| Citrix XenApp 7.18 on Windows Server 2016 | No | Yes |
| Citrix XenApp 7.15 LTSR on Windows Server 2016 | No | Yes |

New in conpal LAN Crypt Client release 4.00.3
- Windows 11 support
- Windows 10 21H2 support
- Support for SGN/SafeGuard FileShare keys. In combination with a key export and a key import tool, FileShare-encrypted files can be handled by conpal LAN Crypt 4.00.3 with Minifilter.
Changes in 4.00.3
- Minifilter: When verifying permission for the AntiVirus programs, configured short names led to a complete search for the configured files in the protected directories (windows, program files, program files (x86)). The verification process has been changed to improve the loading time of the profile (LC-1846 Determine AV full path in Verify procedure)
Bugfixes in 4.00.3
- Minifilter: When USB keys are inserted for the first time and forced to a specific drive letter that has LAN Crypt encryption rules, encryption is not executed. After inserting the USB key the second time, the encryption rule is enforced (LC-1965)
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The client manuals in French language will be available for download as a PDF manual a couple of days after release. For the time being, an old manual with a test page will be available at the link for the French manual.
Download the client product documentation at
https://docs.lancrypt.com/de/client/lc_400_hdeu.pdf in German language, at
https://docs.lancrypt.com/en/client/lc_400_heng.pdf in English language and at
https://docs.lancrypt.com/fr/client/lc_400_hfra.pdf in French language.
conpal LAN Crypt 4.00.2 Client release notes
conpal LAN Crypt 4.00.2 is a maintenance release. Older release notes for LAN Crypt 4.00.x remain valid, if not stated otherwise.
Please note the LAN Crypt 4.00.2 Administration release notes.
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.

| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Windows 10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
| Citrix XenApp 7.9 on Windows Server 2012 R2 | No | Yes |
| Citrix XenApp 7.18 on Windows Server 2016 | No | Yes |
| Citrix XenApp 7.15 LTSR on Windows Server 2016 | No | Yes |

Bugfixes in 4.00.2
- Minifilter: Office files are not decrypted when the preview window in File Explorer is active and the registry key IgnoredApplicationsChildProcs = 2 (LC-1603)
- Minifilter: FSLogix profiles are not created / mounted (LC-1717)
- Minifilter: Loadprof crashes sporadically without loading rules (LC-1730)
- Minifilter and Legacyfilter: encrypted p12pwlog.csv sometimes gets filled with garbage (LC-1793, LC-1825)
- Client cannot find the user certificate if the profile was created with LAN Crypt Administration 4.00.x; the client cannot load the profile and shows the error message "User certificate not found" (LC-1597, LC-1686)
- V4.00.1 Minifilter: Explorer crashes sporadically when accessing an encrypted directory (LC-1688)
- Minifilter: Isilon 8.x shows wrong behaviour handling timestamps. Isilon 9.x fixes this issue. As a workaround, the registry keys NovellSupport / Alwayswritethroughonmup correct the wrong Isilon timestamp handling in older versions (LC-1758)
- Client cannot find the SO certificate if the profile was created with LCA 4.00.x (LC-1860)
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The client manuals in French language will be available for download as a PDF manual a couple of days after release. For the time being, an old manual with a test page will be available at the link for the French manual.
Download the client product documentation at
https://docs.lancrypt.com/de/client/lc_400_hdeu.pdf in German language, at
https://docs.lancrypt.com/en/client/lc_400_heng.pdf in English language and at
https://docs.lancrypt.com/fr/client/lc_400_hfra.pdf in French language.
conpal LAN Crypt 4.00.1 Client release notes
conpal LAN Crypt 4.00.1 is primarily a maintenance release and brings support for W10 20H2. If not referenced in the sections "New in conpal LAN Crypt Client release 4.00.1", "Changes in 4.00.1" or "Bugfixes in 4.00.1", the release notes for LAN Crypt 4.00 remain valid.
Please note the LAN Crypt 4.00.1 Administration release notes.
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.

| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Windows 10 1803 (RS4), 1809 (RS5), 1903 (19H1), 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
| Citrix XenApp 7.9 on Windows Server 2012 R2 | No | Yes |
| Citrix XenApp 7.18 on Windows Server 2016 | No | Yes |
| Citrix XenApp 7.15 LTSR on Windows Server 2016 | No | Yes |

New in conpal LAN Crypt Client release 4.00.1
- Windows 10 20H2 support
- Significant performance improvements, especially in large network environments
- DefaultIgnoreRules and ServicesDefaultIgnoreRules for Minifilter (LC-1238)
- Enable PreventPlainFiles rules for local drives (LC-1156)
- Separate Legacy components from Utimaco DiskEncrypt (LC-1275)
- Add IBM ClearCase redirector to the list of ignored NetworkNames (LC-1413)
- Add translations for error message on unsupported OS (LC-1251)
- (Re-)Enable Windows File Indexing support on clients (LC-1323)
- Limited support for VMWare Shared Folders (LC-1338)
- Allow FECGetTrustedVendors as Minifilter internal ClientAPI ACL (LC-1529)
- Configure which network names should be resolved and create additional rules for certain/all possible access ways automatically. The registry entry DNSRuleCreationMode has been created to offer fine-grained administration (LC-1476)
- Remove Client API docs from setup (LC-1436)
- Configuration options for unsupported EFS collaboration (LC-1429)
- Default DFS handling changed to "Do not normalize network names" (LC-1395)
- Do not load PreventPlainFiles for internal System SIDs (LC-1156)
- Adjust encryption state messages and overlay icons for PreventPlainFiles (Minifilter only) (LC-1513)
- FECGetTrustedVendors for SGFEApi set by Setup (LC-1503)
Bugfixes in 4.00.1
- BSOD "bad pool caller" when switching from Minifilter to legacy driver (LC-1358)
- Incompatibility of the Minifilter with the VirtualBox Shared Folders Redirector VBoxSF.sys (LC-1217)
- When opening a file, no key icons are displayed in the Explorer window (LC-1245)
- Ignore child processes in Minifilter driver (LC-1270)
- Empty REG_MULTI_SZ settings are handled properly (LC-1238)
- Problem with DirSizeCorrection = PROFILE (LC-1346)
- Rules that start with an asterisk and do not have a path are not correctly executed (LC-1396)
- Fix Minifilter network performance issues (LC-1346, LC-1364)
- CertificateVerification switches did not execute correctly in V4.00.0 (LC-1318)
- Broken German in context menu (LC-1005)
- Performance problems when enumerating directories in shares with a large number of files (LC-1346)
- Incorrect handling of rules starting with angle brackets (LC-1407)
- lcsdel gives the impression that files can be deleted from C:\Windows / corrected error message (LC-1277)
- Key wrapping could not be disabled (LC-1231)
- Setup issues (LC-1424, LC-1312, LC-1391, LC-1392)
- Fix for PreventPlainFiles parsing error (LC-1156)
- Install edc files without ReadOnly flag (LC-1452)
- Minifilter driver sometimes stores wrong padding information for large files (>16777216 bytes) (LC-1500)
- Client-API-Dll can handle long pathnames now (LC-1454)
- Branding topics (LC-1518) (LC-1537)
- Fixed issue with the LAN Crypt PreventPlainFiles (LC-1237).
New known issues
- Overlay icons might not be displayed correctly, depending on the total number of registered icons and their position in the Microsoft registry entries (LC-1370)
- The known issues remain valid, if not listed in the above chapters
- Under VMWare Shared Folders, both the Minifilter and Legacy drivers have issues with Notepad. Both filters seem to affect memory-mapped functionality, not only with Notepad, but overall (LC-1442)
- DNSRuleCreationMode does not yet create corresponding rules for all IP addresses of all found DFS targets (LC-1476)
- Unhandled applications can be registered. How they are handled can be configured with IgnoredApplicationsChildProcs: 0 means switched off, 1 means apps are handled untrusted and 2 means child processes are handled untrusted as well. LAN Crypt comes with default registered applications (e.g. svchost, onedrive, WindowsSearchHost). The switch IgnoredApplicationsChildProcs is used for the internal default processes as well. That leads to problems, especially with Office applications, when preview and accessing lead to concurrent access. The recommended workaround is to avoid the setting 2 (inheritance to child processes) and to use 1 instead (LC-1603).
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The client manuals in French language will be available for download as a PDF manual a couple of days after release. For the time being, an old manual with a test page will be available at the link for the French manual.
Download the client product documentation at
https://docs.lancrypt.com/de/client/lc_400_hdeu.pdf in German language, at
https://docs.lancrypt.com/en/client/lc_400_heng.pdf in English language and at
https://docs.lancrypt.com/fr/client/lc_400_hfra.pdf in French language.
conpal LAN Crypt 4.00.0 Client release notes
Please note the LAN Crypt 4.00.0 Administration release notes.
conpal LAN Crypt is the successor of SafeGuard LAN Crypt.
conpal LAN Crypt 3.97 Client was the initial release of conpal for the client. It contained fixes and hotfixes of the previous SafeGuard LAN Crypt 3.95 Client version, fixed several known issues and came with support for current operating systems.
conpal LAN Crypt 4.00 Client is a significant rework of the client technology. The cryptographic base has been reworked for potential certifications and approvals. The underlying filter technology has been built on Minifilter technology to be future-proof and to assure long-term support for the technology by Microsoft. conpal will develop new client features based on the Minifilter technology.
Due to strong customer demand, even stronger during Corona times, we have decided to deliver both legacy and Minifilter technology with the client and also to implement some features, which were originally intended only for the Minifilter, for the legacy filter as well. This was done primarily in order to offer business continuity for the client based on the legacy filter.
We recommend the use of the legacy filter for existing customers if Minifilter functionality is not essentially required.
We have invested great effort in compatibility with old encryption methods from LAN Crypt and were able to ensure extensive compatibility and thus also simple migration.
Nevertheless, we strongly recommend piloting the use of the new technologies.
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The client manuals in French language will be available for download as a PDF manual a couple of days after release. For the time being, an old manual with a test page will be available at the link for the French manual.
Download the client product documentation at
https://docs.lancrypt.com/de/client/lc_400_hdeu.pdf in German language, at
https://docs.lancrypt.com/en/client/lc_400_heng.pdf in English language and at
https://docs.lancrypt.com/fr/client/lc_400_hfra.pdf in French language.
Last minute changes
Due to recent urgent customer requests, we decided at the very last moment to consider the legacy driver as the primary filter driver, which is now also installed by default. This was requested by the clients mainly because new technologies are currently difficult or impossible to pilot.
In this context, we therefore recommend that the necessity for the use of the Minifilter be carefully examined once again.
Requirements
The platforms listed below have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.

| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Windows 10 1803 (RS4), 1809 (RS5), 1903 (19H1), 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
| Citrix XenApp 7.9 on Windows Server 2012 R2 | No | Yes |
| Citrix XenApp 7.18 on Windows Server 2016 | No | Yes |
| Citrix XenApp 7.15 LTSR on Windows Server 2016 | No | Yes |

Upgrade
conpal LAN Crypt 4.00 Client has essentially been tested for upgrading conpal LAN Crypt 3.97. SafeGuard LAN Crypt 3.95.3.2 or newer might be upgraded to conpal LAN Crypt 4.00 on the supported platforms, but these upgrades have not been tested on a broader base and might require paid professional service.
We recommend that you install the latest Windows security patches on your clients before installing the conpal LAN Crypt Client release.
New in conpal LAN Crypt Client release 4.00.0
- Windows 10 2004 (20H1) support
- Support of OneDrive Files on demand (the OneDrive sync app must be an unhandled application)
- New crypto libraries (for security reasons, to be future-proof and for potential certification and approval)
- Replacement and updates of 3rd party libraries
- Integration of earlier patches for LAN Crypt
- Support of Removables, Opticals, Local Volumes, Boot Volume and Network Shares as keywords in rules. This functionality was developed for the Minifilter and has been adopted in the legacy filter due to strong customer demand. Some behaviour is different. Opticals are supported for the Minifilter only. Ignored Device types are supported with the Minifilter only.
- With the Minifilter, Office365 print-to-pdf functionality is supported
- One client installation package for standard and terminal server clients
Operation of LAN Crypt 4.00 environments
A mixed operation of LAN Crypt v4 Admin and LAN Crypt v3.x Admin is not supported.
It is possible to run a v3.97 Admin with v4 Clients and v3 Clients.
It is possible to run a v4.00 Admin with v4 Clients and v3 Clients.
XML is the only supported policy file format of v4.00 Admin and v4.00 Clients.
New profile files are created by v4.00, with sections for v3 and v4 Clients.
The new encryption rules for Removables, Opticals etc. are transported in the new section.
Once new rules have been created with v4.00, it is no longer possible to create profiles with a v3 Admin. Doing so would potentially have negative effects on the client.
Changes
- LAN Crypt 4.00 Client makes use of conpal registry keys
  - The LAN Crypt 4.00 Administration still uses Utimaco/Sophos settings
  - On the client side, a service copies the settings into the new, appropriate paths
  - This way, no migration of registry keys is needed on the customer side
- Integration of new cryptographic libraries (for security reasons)
- Renewal of 3rd party libraries (for security reasons)
- Integration of a new random number generator (for security reasons)
- The usage of the Client API must be configured in the LAN Crypt Administration and, in case the Minifilter is used on the client side, the included script to enable permissions for specific applications has to be adopted and executed on the client side.
- New client API function ClearProfile
- The EULA has been updated (German, English and French)
- The 3rd parties' inventory has been consolidated and updated
- The Minifilter behaves differently in details compared to the Legacyfilter; most of the differences relate to a more correct handling of encryption
- LAN Crypt tools have been moved to the folder LAN Crypt\tools (LC-694)
- EFS Encryption is not supported with the Minifilter (LC-1240)
- Some registry keys have been changed
Bugfixes
- BSOD "bad pool caller" when configuring python3-cryptography fixed (LC-263)
- The LAN Crypt Filter is not "attached" in certain configurations (LC-101)
- Warning indicates loading of a cached profile although none is in the cache (LC-1117)
- Better error message when loading from cached profile (LC-1026)
- Login to DB (Azure SQL) with Azure AD Interactive authentication leads to crash (LC-1015)
- Display error in encryption status (LC-428)
- Offline folder: Office files cannot be saved (LC-225)
- Several spelling errors and wordings in the product and error messages
- "sglcinit.exe -D": not all subdirectory levels are processed (LC-486)
- Explorer Extension -> Encryption status: Gaps / incorrect results with multi-select of directories (LC-1001)
- Office files cannot be written, temporary files remain (LC-696)
- New MSO cert is not loaded on client after recovery (LC-248)
- The displayed drives, apps and devices in the client status were limited to a string length of 260. This led to the problem that e.g. not all apps were displayed when the character limit was reached. The character limit has now been removed (LC-29)
- LAN Crypt Registry settings for explorer integration are lost during Windows 10 in-place upgrade: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\LC Settings (LC-198)
Known issues
- Opticals: DVD+RW media is set to a read-only state after a few accesses when the legacy filter is used. The Opticals rule is not supported with the legacy filter (LC-1158).
- AES-OFB (LC-715)
  - AES-OFB encrypted files can be read and can be re-encrypted to more modern AES modes, like CBC and XTS.
  - Existing OFB encrypted files might get re-encrypted automatically to the configured CBC or XTS mode when opened.
  - We strongly recommend doing an initial encryption with the wizard to migrate files encrypted with weak algorithms to state-of-the-art algorithms.
- OneDrive:
  - SharePoint synchronization must be switched off
  - Files stored on the local file systems are handled by the LAN Crypt driver. Browser and WebDAV transport is not handled. Storing encrypted files by downloading them with SharePoint or the browser might lead to double-encrypted files (which can be decrypted with the wizard).
  - Microsoft's handling of overlay icons is buggy. The LAN Crypt icons can therefore not be shown correctly (LC-121)
  - FilesOnDemand is supported with the Minifilter driver only (LC-1258).
  - Microsoft's Vault is handled by the Minifilter only. The Legacyfilter displays the wrong encryption state (LC-1258).
- OneNote (LC-1256, LC-1243)
  - Encryption of OneNote is not supported. Especially multiuse might lead to corrupted data.
- Windows 10 upgrades: When an upgrade to Windows 10 is done or a feature update is applied to Windows 10, all data stored in the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Utimaco will be removed.
  - After applying the current group policies to the client, these registry settings will be configured again. If there were some custom settings made in this registry hive, these settings must be manually applied after the Windows 10 upgrade has finished.
  - Due to the client-side copy into the new paths, the functionality remains. For the time being the key should be restored by GPO. In a follow-on version the administration will be based on the conpal path in the registry (LC-63)
- Utimaco Disk Encryption (UDE)
  - Interaction with Utimaco Disk Encryption requires pre- and post-installation care during installation, uninstallation, and upgrades. Please contact support to ensure clean operation (LC-1229)
- Overlay Icons might not be displayed (LC-1370)
- Windows 2004 (20H1):
  - Windows W10 20H1 bug when renaming files on network shares (LC-1006)
    The problem occurs when an unencrypted file on a network drive is moved (=renamed) to an encrypted folder. In this case the driver should encrypt the file when moving / renaming. With 20H1, however, this does not happen because the driver cannot determine the name of the target file due to an error in Microsoft's filter manager.
    The error was fixed by Microsoft with KB4557957
    https://support.microsoft.com/de-de/help/4557957/windows-10-update-kb4557957
    https://support.microsoft.com/en-us/help/4557957/windows-10-update-kb4557957
- Minifilter and Legacyfilter (LC-281, LC-1234): Some regular expressions in rules might be handled differently than in 3.97, and differently between the legacy filter and the Minifilter:
  - Some (exotic) expressions are handled differently in the filters of v4 and v3
- Minifilter differences to Legacyfilter (1106)
  - Move an encrypted file from an unregulated to a regulated network directory: File is stored encrypted
  - Move an encrypted file from a regular network directory to a different one: File is stored encrypted
  - Now it finally behaves as you would expect it to, but it doesn't match the legacy driver's behaviour.
- Minifilter (LC-1360)
  - Wrong handling of explicit rules for file extensions
  - The Minifilter does not execute rules like *.ext correctly for encryption and ignore rules.
  - As a workaround, we recommend adding an additional rule like *\*.ext
  - Having both rules, *.ext and *\*.ext, active works as well for V3.9x and V4.0 clients
- Minifilter (LC-1262, LC-1323)
  - Indexing was and is switched off by default with the legacy filter (V3.97, V4.0)
  - The Minifilter requires adding Searchprotocolhost.exe as an unhandled application to prohibit indexing.
  - Further versions will implement the original behaviour of the Legacyfilter, where indexing has to be switched on explicitly (parameter AllowIndexing).
- Minifilter (LC-1169): Files are not handled properly according to the profile rules:
  - If <Boot Volume> and <Local Volume> and <Network Shares> are configured as ignored devices at the same time, files may no longer be handled correctly according to the encryption rules, or a wrong encryption status is determined.
- Minifilter (LC-1293)
  - EFS is not supported. The EFS attribute can neither be set nor removed from files or folders, and access to EFS encrypted files is denied.
  - NTFS Compression is not supported, files will be automatically decompressed.
- Minifilter
(LC-1156):
Shared folders in VMware virtual machines are not supported properly:
- Prevent
plain files not executed properly.
- Encryption
rules are not applied correctly.
- Ignore
rules are not applied correctly.
- Minifilter (LC-1217)
- There is an
incompatibility of the Minifilter with the VirtualBox
Shared Folders Redirector VBoxSF.sys.
Minifilter leads to a BSOD with Oracle Box
(tested with 5.238, 6.1.14).
- Minifilter (LC-1106):
Encryption behaviour has changed when moving files:
- Move encrypted file from an unregulated to a regulated network directory:
File is stored encrypted.
- Move encrypted file from a regular network directory to another regular
network directory: File is dropped in an encoded file.
- The behaviour is correct, but may differ from the description in the
manual and from the legacy filter.
- Minifilter (LC-1000)
The registry key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LCENCM\Parameters]
"NovellSupport"=dword:00000001
used for a different timestamp handling compared to Windows file servers,
e.g. for Isilon support, has been removed for the Minifilter.
Please use instead
[HKLM\SYSTEM\CurrentControlSet\Services\cplcisolate]
"AlwaysWriteThroughOnMUP"=dword:00000001
- Minifilter and Legacy Filter (LC-802):
Key visualization and handling in the recycle bin might differ from LAN
Crypt version 3.97 and in particular be wrong (red key symbol visible when
the key is accessible).
- Deleted files might end up in the recycle bin with a red key, unlike in
version 3.97
- Restoring and deleting from the recycle bin works anyway.
- Support of placeholders in the legacy filter (LC-857)
- The <Network>, <Bootvolume>, <Removable>, <Optical>, <Local>
placeholders are decoded in the legacy filter and translated into the
corresponding directory names or drive letters
- Minifilter missing functionality compared to Legacyfilter
- DefaultIgnoreRules and ServicesDefaultIgnoreRules are not yet supported
(LC-1238)
- Ignored Drives (LC-1060):
The encryption status is determined and visualized differently by the
legacy filter and the Minifilter.
- The Minifilter correctly determines the encryption status of encrypted
files on ignored shares as ENCRYPTED_IGNORED and displays the red key.
- The legacy filter determines the encryption status of encrypted files on
ignored shares as PLAIN_IGNORED and does not display an overlay key. The
behaviour of the legacy filter is basically wrong (at least since
SafeGuard LAN Crypt 3.95) but will not be corrected.
- Ignored Device Types (LC-1242)
Ignored device types are not supported with the legacy filter
- Legacyfilter
- AES with the Legacyfilter installed may lead to a wrong encryption method
being displayed when files are moved into a folder with a different AES
rule. (LC-1177)
If the legacy filter is operated with CBC and a file encrypted with a
respective rule is moved (cut and pasted) to a folder with a different AES
rule (XTS), the display of the encryption method remains on CBC.
Moving XTS encrypted files to folders with a CBC rule likewise displays the
wrong initial method.
- LAN Crypt loads a certificate based on the provided PIN, not necessarily
the newest p12 file (LC-120)
- LAN Crypt searches a sorted list of the user's p12 files until it finds
the first p12 file that can be accessed with the entered PIN. If not every
p12 file has a different PIN, an older certificate can be loaded.
- Citrix Terminal Server:
- Client Drive Redirection:
Encryption of files on client drives mapped on a Citrix Terminal Server
is not supported and these drives will be ignored by the LAN Crypt
encryption filter driver.
- Streamed applications:
Citrix application streaming is not supported.
- Virus scanners:
- Virus scanner services:
Virus scanner services need to be explicitly authorized to have access to
encrypted files in order to be able to find
viruses inside.
- There is a changed behaviour regarding permissions for security
improvement:
Long path names can be used for. For convenience reasons, short names are
internally completed by searching some protected paths when program names
are configured without path information. The client will search in the
following directories:
CSIDL_SYSTEM (typically C:\Windows\System32, non-recursive)
CSIDL_WINDOWS (typically C:\Windows, non-recursive)
CSIDL_PROGRAM_FILES (typically C:\Program Files, recursive)
If an EXE file with the specified name is found, the full path will be
internally added.
Other paths are now untrusted for short file names. (LC-1218).
When mixed environments (LAN Crypt 3.9x and 4.0) are administrated by LAN
Crypt Administration 4.00.0, it is best practice to add the executable names
for virus scanners in short form (executable name only) when the virus
scanner is located in one of the referenced paths (note that Program Files
on 64-bit systems includes the 64-bit path only). When the scanner
executables are in other paths, the long path name including the executable
and a second entry with a short name should be used: the long name for the
version 4 clients and the short name for the version 3 clients.
- We recommend on-access and background scanning tests
- LAN Crypt Tools:
- The LAN Crypt executables DriveNotifier.exe,
lchelper.exe, lcinit.exe, lcsdel.exe, lcstatus.exe, lcuser.exe,
loadprof.exe, SGFEApi.exe, lcservn.exe should be trusted by the antivirus
software.
- Minifilter:
A new random number generator was implemented (LC-881, LC-882).
This may have some effects on runtimes when encrypting while the virus
scanner is running.
- Tested virus scanners (among others):
The following virus scanners have been tested with the LAN Crypt Client:
| Virus Scanner | Executable | Authenticode |
| Avast 20.6.2420 (Build 20.6.2420.5495.561) | AvastSVC.exe | Yes |
| TotalAV(5.8.7) | SecurityService.exe | No |
| Norton Security (22.17.3.50) | NortonSecurity.exe; nsWscSvc.exe | No |
| BullGuard (20.0.0.381) | BullGuardCore.exe; BullGuardScanner.exe; BullGuardFileScanner.exe | No |
| Microsoft Defender | msseces.exe, MsMpEng.exe or without configuration | |
| FSecure v17.8 | fsulprothoster.exe, fshoster64.exe, fshoster32.exe, fsorsp64.exe | No |
| Kaspersky Antivirus 20.0.14.1085 | avp.exe, avpui.exe | Yes, Yes |
| TrendMicro 16.0.1151 | | |
| Eset NOD32 Antivirus | ekrn.exe, egui.exe, eguiProxy.exe | No |
| McAfee Total Protection 16.0 R25 | Mcshield.exe, mfeavfk.sys | Yes, Yes |
| Symantec Endpoint Protection 14.2 | ccSvcHst.exe | |
- Configuration of other virus scanners tested with earlier versions (not
tested with this release):
| Virus Scanner | Executable | Authenticode |
| Sophos Endpoint Security and Control, Version 10.8.4 | SavService.exe | Yes |
| McAfee Security Center v16.0, McAfee SC 17.8 | Mcshield.exe, mfeavfk.sys | Yes, Yes |
| Symantec Endpoint Protection 14.2 | ccSvcHst.exe, srtsp.sys | Yes, No |
| Trend Micro Antivirus+ 15.0.1163 | coreServiceShell.exe | Yes |
| Microsoft Security Essentials 4.8.1904.1 | msseces.exe, MsMpEng.exe | Yes, Yes |
| FSecure v17.6 | Fshoster32.exe, Fshoster64.exe | Yes, Yes |
| Kaspersky v19.0.0.1088(b) | avp.exe, avpui.exe | Yes, Yes |
| Sophos Endpoint Security and Control, Version 11.3.1 Cloud | SavService.exe | Yes |
| Symantec Endpoint Protection 11.0.6 MP1 | rtvscan.exe | Yes |
| McAfee Endpoint Security 10.2 | Mcshield.exe, mfeavfk.sys | Yes, Yes |
| Microsoft Forefront client | msseces.exe, MsMpEng.exe | Yes, Yes |
- Known issues:
- There might be an issue with the LAN Crypt PreventPlainFiles
functionality with some virus scanners when the legacy filter is used. This
behaviour is the same in conpal LAN Crypt 3.97, SafeGuard LAN Crypt 3.95
and probably earlier versions (LC-1237).
- FSecure SAFE 17.8: viruses are detected and deleted during scanning,
zipped files are detected and deleted when opened
- There is an issue with Sophos Anti-Virus that may cause encrypted files
to be locked (either only for write or for read and write access). This is
caused by a timing issue of Sophos Anti-Virus if the on-access scanning
level is set to 'intensive'.
- There is an issue with Sophos Anti-Virus that may lead to damaged
Microsoft Office documents when saving them in a folder that is made
available when offline (“OfflineFolder”).
To avoid this issue please configure the Sophos Anti-Virus on-access
scanner to exclude the folder “C:\Windows\CSC”.
- After receiving a new virus scanner executable via the policy file, the
client has to be rebooted.
- If Antivirus and LAN Crypt are installed on Windows, it may happen that
the LAN Crypt profile cannot be loaded. As a workaround, the folder for the
policy file cache (default "%LOCALAPPDATA%\conpal\LAN Crypt\Local
Policy Cache") must be excluded from the virus scan. Alternatively,
registering the LAN Crypt processes with Antivirus as trustworthy might
solve the problem.
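The short-name lookup described in the virus scanner section above (LC-1218) can be checked on a client before a scanner is entered by executable name only. The following PowerShell is an added example, not LAN Crypt code: the function name and the sample executable are assumptions, and how the client itself orders the directories or treats several matches is not stated in these notes.

```powershell
# Added example (not LAN Crypt code): approximates the short-name lookup from
# the release notes and reports the Authenticode status of every candidate.
function Resolve-ScannerShortName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ShortName   # e.g. 'MsMpEng.exe'
    )

    # A short name carries no path information.
    if ($ShortName -ne [System.IO.Path]::GetFileName($ShortName)) {
        throw "'$ShortName' contains path information; configure it as a long path name."
    }

    # Directories named in the release notes. In a 32-bit PowerShell host on
    # 64-bit Windows, 'ProgramFiles' resolves to the x86 folder, so run this in
    # a 64-bit host to match the "64-bit path only" remark.
    $searchRoots = @(
        @{ Csidl = 'CSIDL_SYSTEM';        Path = [Environment]::GetFolderPath('System');       Recurse = $false }
        @{ Csidl = 'CSIDL_WINDOWS';       Path = [Environment]::GetFolderPath('Windows');      Recurse = $false }
        @{ Csidl = 'CSIDL_PROGRAM_FILES'; Path = [Environment]::GetFolderPath('ProgramFiles'); Recurse = $true }
    )

    foreach ($root in $searchRoots) {
        $query = @{
            LiteralPath = $root.Path
            Filter      = $ShortName
            File        = $true
            Recurse     = $root.Recurse
            ErrorAction = 'SilentlyContinue'   # skip folders that cannot be read
        }
        foreach ($file in Get-ChildItem @query) {
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            [pscustomobject]@{
                FoundVia  = $root.Csidl
                FullPath  = $file.FullName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Constructed usage: the executable name is only a sample value.
$hits = @(Resolve-ScannerShortName -ShortName 'MsMpEng.exe')
$hits | Format-Table -AutoSize
if ($hits.Count -ne 1 -or $hits[0].SigStatus -ne 'Valid') {
    Write-Warning 'Short name does not resolve to exactly one validly signed file; review the entry or use a long path name.'
}
```

No hit means the executable lies outside the three trusted directories, which is the case where the notes call for a long path name entry.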
- DFS:
- Domain-based DFS:
In a domain-based DFS, you can access the DFS either via the server name or via the domain name.
The encryption rules must always be created in the same way as used to
access DFS.
If the DFS is accessed via the server name, the
encryption rule must be based on a server name. If DFS is accessed via
the domain name, the rule must be domain name based.
If you want to access the DFS both ways, you must define two encryption
rules, one with the domain name and one with the server
name.
e.g.:
Y: is mapped to \\DOMAIN\DFSROOT
Encryption rule:
Y:\*.*
or
\\DOMAIN\DFSROOT\*.*
Z: is mapped to \\SERVER.DOMAIN\DFSROOT
Encryption rule:
Z:\*.*
or
\\SERVER\DFSROOT\*.*
- Nested DFS links:
Nested DFS links (DFS links to other DFS links or DFS roots) can be used
but encryption rules must not include a physical path to the DFS link and
there are some known problems in combination with persistent encryption.
When copying an encrypted file to a plain folder it may become decrypted.
When moving encrypted files to an ignored/excluded folder it may stay
encrypted.
- Rules using IP address:
It is not possible to use rules for DFS that contain the IP address of
the server hosting the DFS share.
- DFS and persistent encryption:
When copying encrypted files to ignored or excluded folders on DFS drives
they may not be stored decrypted.
- Viewing folders in Windows Explorer:
Viewing folders on a DFS share can cause problems: either the display
takes very long or the folder selection jumps to the root folder after a
while.
In this case the following registry value can be set:
[HKEY_LOCAL_MACHINE\Software\Policies\Utimaco\SGLANCrypt\LCShellx]
IgnoreBuildInOverlayIcons=dword:00000001
A reboot is necessary to activate the change. Afterwards the Windows
overlay icons for shared folders and links are not displayed if a LAN
Crypt overlay icon is displayed.
- Network Attached Storage (NAS) devices:
In general, LAN Crypt will operate with network shares hosted on NAS
devices. If it is planned to use a NAS device, conpal
recommends the execution of intensive tests prior to using LAN Crypt in a
productive environment.
However, due to various SAMBA implementations and versions, not every NAS
device will act like a Windows Server. Protocol variations are possible
and therefore a few special cases might not work properly in combination
with LAN Crypt; for example, a user’s “my documents” folder might not be
encrypted on a file share. Therefore, conpal
does not guarantee that encrypted file shares on NAS devices will work in
every condition and only provides limited support in cases where issues
arise.
- Volume mount points:
LAN Crypt does not support volume mount points. (An encryption rule for a
directory that is a volume mount point will not work.)
The same is true for virtual drives generated with the SUBST.exe command.
- EFS encryption and NTFS compression:
LAN Crypt encrypted files cannot be (additionally) EFS encrypted or NTFS
compressed.
It is possible to EFS decrypt (provided that the EFS key is available)
and/or NTFS decompress files during initial encryption.
- NTFS rights:
While Windows is able to create new files or copy files to a folder where
the NTFS rights
- Traverse Folder / Execute File
- List Folder / Read Data
- Read Attributes
- Read Extended Attributes
- Create Files / Write Data
- Read Permissions
are granted to a user, the following additional rights have to be granted
if there is an encryption rule on a folder:
- Create Folders / Append Data
- Write Attributes
- Write Extended Attributes
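The rights listed above can be checked against a folder's ACL before an encryption rule is placed on it. The following PowerShell is an added example, not LAN Crypt code: the function name is an assumption, and it is a simplified check that only looks at the identities passed in (no nested group expansion) and lets any matching deny entry override allow entries.

```powershell
# Added example (not LAN Crypt code). Rights taken from the NTFS rights list.
$baselineRights = [System.Security.AccessControl.FileSystemRights]`
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, ReadPermissions'
$encryptionRuleRights = [System.Security.AccessControl.FileSystemRights]`
    'CreateDirectories, WriteAttributes, WriteExtendedAttributes'

function Test-EncryptionRuleFolderRights {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Folder,
        # Account name plus the groups it belongs to, written as Get-Acl shows
        # them (DOMAIN\name). Group membership is not resolved here.
        [Parameter(Mandatory)][string[]]$Identity
    )

    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        if ($Identity -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to the folder itself.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        # Entries that carry only generic rights (shown by Get-Acl as raw
        # numbers) are not mapped to specific rights by this simplified check.
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }

    $effective = $allow -band (-bnot $deny)
    $required  = [int]$baselineRights -bor [int]$encryptionRuleRights
    $missing   = $required -band (-bnot $effective)

    [pscustomobject]@{
        Folder  = $Folder
        Ok      = ($missing -eq 0)
        Missing = if ($missing) { [System.Security.AccessControl.FileSystemRights]$missing } else { $null }
    }
}

# Constructed usage: current user and two well-known groups on the temp folder.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Test-EncryptionRuleFolderRights -Folder $env:TEMP `
    -Identity $me, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
```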
- Backup programs:
Backup programs should be configured as unhandled applications. If you do
this, the files will retain their encryption state after a restore. The
backup applications from Windows should be automatically treated as
unhandled applications.
The backup target files themselves must not be encrypted, because they
cannot be restored by the backup application as it does not decrypt the
backup files. Because the files included in the backup are already
encrypted, it is not necessary to encrypt the backup target files themselves.
- Configuration data:
Because the client reads the configuration data from the Registry during
the boot and login process, you may need to reboot the PC to include any
changes to this data.
In some cases two reboots are necessary.
- SafeGuard Enterprise:
- There is no tested compatibility with SafeGuard products.
- It is likely that newer SafeGuard products like Central are
interoperable.
- Piloting is essential, there are no guarantees for compatibility.
- SafeGuard PrivateDisk:
LAN Crypt cannot be used to encrypt SafeGuard PrivateDisk volume files (*.vol).
- <Opticals>:
- The Opticals rule works for Minifilter only.
- The Opticals rule leads to errors with the legacy filter, e.g. when using
UDF formatted DVD+RW media, with installed LAN Crypt Legacyfilter massive
problems occur after a few accesses. (LC-1138)
- CD burning with legacy filter or tools:
- Burning encrypted CDs with Windows Explorer
built-in mechanism
To create a CD with LAN Crypt encrypted files, use a separate burning
application that you must add to the list of unhandled applications. All
encrypted files remain encrypted if you now burn them onto a CD.
As the Windows native burning tool is implemented as an Explorer
Extension, you cannot use this tool for creating encrypted CDs (you would
have to specify Explorer as an unhandled application, which has a huge
number of unwanted side effects).
- Known problem with Nero InCD
There is an issue with Nero InCD and Office
2003 together with LAN Crypt when encryption rules are set for the CD
drive. If an Office 2003 file is stored on the CD a BSOD may occur during
processing the file (e.g. open, save).
- Certificates:
User and administrator certificates must be located in
the current user’s certificate store. Certificates located in the local computer’s certificate store cannot be used for LAN
Crypt.
- Folder overlay icons:
Overlay icons for folder icons in the left-hand tree-view are sometimes
missing.
- No key column in Explorer:
It is not possible to have a column added in Explorer that shows key names
or GUIDs for encrypted files.
- Offline files:
On some machines it may happen that some encrypted offline files are not
accessible in offline mode.
To avoid this problem please disable indexing of offline files.
- UAC dialog on not accessible encrypted files:
If an encrypted file is renamed or deleted and the corresponding key is
not available in the LAN Crypt profile, a User Account Control dialog is
shown because the file is not accessible.
Providing credentials of an administrator does not allow the file
operation in this case, because even as administrator the file cannot be
modified as the proper key is not available.
- Manual/Helpfile
- Client help is provided by default via
https://docs.lancrypt.com/de/client/lc_400_hdeu.pdf,
https://docs.lancrypt.com/en/client/lc_400_heng.pdf
or
https://docs.lancrypt.com/fr/client/lc_400_hfra.pdf,
depending on the language.
The first part of the URL (domain name) can be specified in strictly
internally operated environments in the registry under
"HKLM\SOFTWARE\Policies\conpal\LAN Crypt\HelpURL"
- Offline Folders:
If Windows Offline Folders are used it may happen that not all files get
synchronized if LAN Crypt is installed. Subsequent synchronization
requests should complete the synchronization.
If the default location of the offline folder cache (usually
C:\Windows\CSC) is changed, an ignore rule should be set on this folder
(e.g. D:\CSC).
- Known problem with crypto.sys:
The driver crypto.sys is shipped with different products, like SafeNet Netscreen Remote, SafeNet VPN and others. There is a
known problem with this driver that can lead to a BSOD.
- Multiple smartcard PIN entries:
When LAN Crypt is used together with certain smartcard middlewares,
e.g. Nexus Personal Edition 4.0.1, it may happen that the user has to enter the smartcard PIN multiple times.
- Compatibility issues with Microsoft SharePoint:
Downloading documents from a SharePoint server may fail if there is an encryption
rule set on the folder containing the temporary internet files.
- Restricted support of short path names:
Following restrictions exist in relation to short path names:
- The path used in the encryption rule must exist
at profile load time (except paths on shares)
- The path used in the encryption rule must not be
renamed after the profile was loaded, otherwise it may happen that the
short path name will not work anymore on this path
- Only for absolute path rules the short path name
is also handled (relative path rules are only considered in the way they
are entered during profile creation)
- Encrypted applications on network shares:
If an executable file is started which is stored encrypted on a network
share, it may happen that the file remains in use, even if the
application is no longer running.
To replace such files it is necessary to rename the existing executable
file first and then copy the new file.
- User elevation for encrypted executables:
If an encrypted executable or installation package is started and requires
a user elevation, it may happen that the elevation doesn’t take place and
the executable is not started.
- Profile expiration:
If the folder where the LAN Crypt user profiles are stored is made
available for offline access, the profile expiration will not work if
there is no network connection available.
- Deletion of files using psexec.exe:
LAN Crypt prevents the deletion of files which are encrypted and the user is
not in possession of the proper key. However, if psexec.exe is used to
connect to a machine where LAN Crypt is installed, it is possible to
delete encrypted files without having the proper key. Opening encrypted
files is not possible in such a way.
- Encryption rules on %USERPROFILE%\AppData\Roaming:
Setting encryption rules on %USERPROFILE%\AppData\Roaming
may result in several error situations, as some of these files (e.g.
desktop background image) are already accessed by Windows at a very early logon
stage where the LAN Crypt profile is not yet loaded.
In general it is not recommended to encrypt files in this folder.
Encryption will only work for files which are accessed after the LAN Crypt
profile was loaded.
- Multiple rules for the same target:
If more than one rule is defined for the same target path (e.g. rule 1 for
x:\*.*, rule 2 for y:\*.*, x: and y: are both mapped to the same share),
only the first matching rule according to the current rule sort order is
applied.
- Missing overlay icons:
The number of different overlay icons is limited by Windows, so if another
application is installed which also uses overlay icons (e.g. SharePoint
extension in Microsoft Office and OneDrive) the LAN Crypt overlay icons
may disappear.
Please see the following knowledgebase article how you can enable the
overlay icons again: https://www.sophos.com/en-us/support/knowledgebase/108784.aspx
- When a shortcut to a web page is right clicked, no LAN Crypt entry
is visible in the Explorer context menu.
- Rules using IP addresses (v4/v6) will only match if the network
share was mapped using the IP address. There is no DNS resolving done in
the filter driver, so when the very same network share is mapped using the
server name, the rule will not match.
- Verification of the encryption status using the Initial Encryption
Wizard:
- Encrypted files for which the user has no key
are counted as "failed to open" instead of "already
encrypted".
- Encrypted files which are encrypted with an
algorithm which is not the current configured one (e.g. encrypted with
XTS-AES, but configured is CBC), are reported as "Encrypted with
another key" instead of "Encrypted with another algorithm".
- Encryption of VHD (Virtual Hard Disk) and WIM (Windows Imaging
Format) files is not supported.
- Paths which are longer than 259 characters are not supported.
- Legacy filter and Minifilter might behave differently in visualization
of the encryption status, and in behaviour and features.
- API
- If a key KEY_NAME_WITH_SPECIAL_CHAR = "key!§$%&()=}][{@üäö" in a
group GROUP_NAME_WITH_SPECIAL_CHAR ="group!§$%&()=}][{@üäö" is
assigned by calling the API, group and key are created without errors, but
the assignment does not take place.
- lcapi.WriteKey(GROUP_NAME_WITH_SPECIAL_CHARS, KEY_NAME_WITH_SPECIAL_CHAR, 3, 1, isSpecific, "", COMMENT, strKeyShortName)
(LC-541)
- The rebranding of Sophos SafeGuard to conpal is comprehensive but may inadvertently be
incomplete.