How Symantec AntiVirus handles encrypted file systems

Article:TECH100573  |  Created: 2004-01-09  |  Updated: 2005-01-14  |  Article URL http://www.symantec.com/docs/TECH100573
Article Type
Technical Solution


Environment

Issue



You need to know whether Norton AntiVirus Corporate Edition or Symantec AntiVirus Corporate Edition can detect viruses that are encrypted by an encrypted file system (EFS).


Solution



Norton AntiVirus Corporate Edition and Symantec AntiVirus Corporate Edition cannot access encrypted files unless the file access is by the user who encrypted the files.

When RTVScan tries to access a file, the operating system first determines whether the caller holds a certificate and private key that can decrypt the file. If so, the file is decrypted transparently and access is granted. If not, the file is not decrypted, and an "Access denied" error is most likely returned to the program that tried to access the file. A manual or scheduled scan in RTVScan will log a Scan Omission error in the event log similar to "Scan could not open [00000003]".

Even if an error is returned, your computer is still protected from EFS-encrypted viruses. This is because an encrypted virus cannot run unless the proper user executes the file. Other users who attempt to run the virus are denied access to the file, and the file does not execute. For the proper user, RTVScan detects the virus before it is able to execute (assuming that you have the correct definitions to detect the virus).

A manual scan, or a scheduled scan that runs when the user that scheduled it is logged on, detects any viruses that were encrypted by that user. This is because RTVScan impersonates the user who is logged on when it runs the scan. Additionally, if the file is written to the drive before the file is encrypted, RTVScan detects the virus.
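The behaviour described above can be checked on a given machine: any EFS-encrypted file that the scanning account cannot open is a file the scanner will report as a Scan Omission rather than inspect. The following PowerShell script is an added example, not Symantec's code or part of RTVScan; it enumerates files carrying the Encrypted attribute under a path and attempts a read-only open as the current account, which is the same access an antivirus process running under that account would get. The starting path and the assumption that a failed open corresponds to a scan omission are the author's, not the article's.

```powershell
# Added example (not Symantec's code): list EFS-encrypted files under a path and
# report which ones the current account can actually read. A scanner running as
# any account that lacks the decryption key receives the same "Access denied".
param(
    [string]$Path = "C:\Users"   # assumed starting point; adjust as needed
)

function Get-EfsScanVisibility {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $file     = $_
            $readable = $true
            $reason   = ''
            try {
                # Open read-only, the way a scanner would. EFS decrypts
                # transparently only if this account holds a matching private key.
                $stream = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'ReadWrite')
                $stream.Close()
            } catch {
                $readable = $false
                $reason   = $_.Exception.GetType().Name   # typically UnauthorizedAccessException
            }
            [PSCustomObject]@{
                File     = $file.FullName
                Owner    = (Get-Acl -Path $file.FullName).Owner
                Readable = $readable
                Error    = $reason
            }
        }
}

$results = @(Get-EfsScanVisibility -Root $Path)
$results | Format-Table -AutoSize

# Files this account cannot open are exactly the ones a scan running under this
# account would log as "Scan could not open" omissions; flag them for review.
$hidden = @($results | Where-Object { -not $_.Readable })
$who    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host ("{0} encrypted file(s) found, {1} unreadable by {2}" -f $results.Count, $hidden.Count, $who)
```

Run the script once as the account a scheduled scan uses and once as the user who encrypted the files; the difference between the two "unreadable" counts is the set of files that only a scan running in that user's session will inspect. For an individual file, `cipher /c <file>` lists the users whose certificates can decrypt it, which tells you which logged-on session a manual scan needs to run in.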






Legacy ID



2004030906404948

