How Symantec Endpoint Protection handles EFS
Article: TECH92800 | Created: 2009-01-10 | Updated: 2013-01-15 | Article URL: http://www.symantec.com/docs/TECH92800
You need to know whether Symantec Endpoint Protection can detect viruses in files that are encrypted with the Encrypting File System (EFS).
Symantec Endpoint Protection cannot access encrypted files unless the file access is by the user who encrypted the files.
When Rtvscan tries to access a file, the operating system first determines whether the caller has the proper certificate to decrypt the file. If so, the file is decrypted and access is granted so that the file can be scanned. If not, the file is not decrypted, but it is still reported as scanned. When you run a manual or scheduled scan with vpdebug logging enabled, you will see an error similar to "Scan Error - scan engine (520)".
Even when this error is returned, the computer is still protected from EFS-encrypted viruses, because an encrypted virus cannot run unless the proper user executes the file. Other users who attempt to run the virus are denied access to the file, and the file does not execute. For the proper user, Rtvscan detects the virus before it is able to execute (assuming that you have the correct definitions to detect the virus).
A user-defined manual or scheduled scan that runs while the user is logged on detects viruses that were encrypted by that user, because Rtvscan impersonates the logged-on user when it runs the scan. Additionally, if the file is written to the drive before it is encrypted, Rtvscan detects the virus. To summarize: have each logged-on user who encrypted files create a user-defined scheduled scan, which will decrypt and scan those files successfully.
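The behaviour described above means that a scan running under a different account (for example, LocalSystem) can report EFS-encrypted files as scanned without ever decrypting them. The following PowerShell script, added here as an example and not part of the Symantec article or product, walks a directory tree, finds files with the Encrypted attribute, and tests whether the security context the script runs in can actually open each one for reading. Run it under the account a scan would use to see which files that context cannot decrypt; run it as the logged-on user to confirm a user-defined scan would cover them. The `$Path` and `$Report` parameters are assumptions chosen for the example, and the Owner column is a hint only (the NTFS owner is not necessarily the user who holds the EFS certificate).

```powershell
# Added example (not from the Symantec article): report which EFS-encrypted files
# the CURRENT security context can decrypt. Files that fail to open here are the
# ones a scan under this same context would report as scanned without decrypting.
param(
    [string]$Path   = "C:\Users",                          # assumption: tree to inspect
    [string]$Report = "$env:TEMP\efs-scan-coverage.csv"    # assumption: output location
)

$context = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Select only files carrying the NTFS Encrypted attribute (EFS).
$encrypted = Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

$results = foreach ($f in $encrypted) {
    $readable = $false
    $reason   = ''
    try {
        # Opening for read forces the OS to attempt EFS decryption for this caller.
        $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        $readable = $true
    } catch {
        # Typically UnauthorizedAccessException when this context lacks the EFS key.
        $reason = $_.Exception.GetType().Name
    }

    $owner = ''
    try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { $owner = '(unavailable)' }

    [PSCustomObject]@{
        File         = $f.FullName
        Owner        = $owner          # hint only; not necessarily the EFS certificate holder
        ReadableAsMe = $readable
        Error        = $reason
        Context      = $context
    }
}

$results | Export-Csv -NoTypeInformation -Path $Report

# Show the files a scan in this context would silently skip.
$unreadable = @($results | Where-Object { -not $_.ReadableAsMe })
$unreadable | Format-Table File, Owner, Error -AutoSize

"Context: {0}; encrypted files: {1}; not decryptable in this context: {2}; report: {3}" -f `
    $context, @($results).Count, $unreadable.Count, $Report
```

Run it twice, once in the account the scheduled scan runs as and once as each user who encrypts files, and compare the two CSVs: any file that appears as not decryptable in the scan account's run but decryptable in the user's run is one that only a user-defined scan, run while that user is logged on, will actually inspect.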