How Symantec Endpoint Protection handles EFS

Article:TECH92800  |  Created: 2009-01-10  |  Updated: 2013-01-15  |  Article URL http://www.symantec.com/docs/TECH92800
Article Type
Technical Solution


Issue



You need to know whether Symantec Endpoint Protection can detect viruses in files that have been encrypted with the Encrypting File System (EFS).


 


Solution



Symantec Endpoint Protection cannot read an EFS-encrypted file unless the file is accessed in the security context of a user who can decrypt it, normally the user who encrypted it.

When Rtvscan opens a file, the operating system first checks whether the calling security context holds a certificate (and private key) that can decrypt the file. If it does, the file is decrypted transparently and its contents are scanned. If it does not, the file is not decrypted and its contents are never seen by the scan engine, but the file is still reported as scanned. When a manual or scheduled scan runs with vpdebug logging enabled, the log shows an error similar to "Scan Error - scan engine (520)" for each such file.

Even when this error is returned, the computer is still protected from EFS-encrypted viruses. An encrypted file cannot run unless it is executed by a user who can decrypt it: other users who try to run the file are denied access, and the file never executes. For the user who can decrypt it, Rtvscan sees the decrypted contents at execution time and detects the virus before it is able to run (assuming your definitions contain a detection for that virus).

A user-defined manual or scheduled scan that runs while the user is logged on detects viruses in files that user encrypted, because Rtvscan impersonates the logged-on user when it runs such a scan. A virus is also detected if the file is written to disk before it is encrypted, because the cleartext is scanned at write time. A scan that runs in a different security context (for example, the system account) cannot decrypt those files. To summarize: have each logged-on user who encrypted files create a user-defined scheduled scan; it runs under that user's context, so the files are decrypted and scanned successfully.
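The behaviour described above can be checked before relying on it. The following PowerShell script is an added example, not part of the Symantec article: it lists EFS-encrypted files under a path, tests whether the current security context can open each one (the same open that fails for Rtvscan when it lacks the EFS key), and shows which accounts cipher.exe reports as able to decrypt the file. It assumes a Windows host with cipher.exe, a hypothetical example path in $Root, and the English-locale "Users who can decrypt:" section of cipher /c output.

```powershell
# Added example, not part of the Symantec article.
# Assumptions: Windows with cipher.exe; $Root is a hypothetical example path;
# cipher /c output is in the English locale ("Users who can decrypt:" section).
param(
    [string]$Root = 'C:\Users\alice\Documents'   # hypothetical path
)

function Test-CanReadFile {
    param([string]$Path)
    # Opening the file is the operation that fails for a caller without an EFS key:
    # Windows returns ERROR_ACCESS_DENIED, surfaced as UnauthorizedAccessException.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $fs.Dispose()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    } catch {
        return $false   # other I/O errors (sharing violation, etc.) also block a scan
    }
}

function Get-EfsDecryptors {
    param([string]$Path)
    # 'cipher /c' prints a "Users who can decrypt:" section with one DOMAIN\user per line,
    # followed by certificate thumbprint lines; the section ends at a blank line.
    $out = & cipher.exe /c $Path 2>&1 | ForEach-Object { "$_" }
    $inSection = $false
    $users = @()
    foreach ($line in $out) {
        if ($line -match 'Users who can decrypt:') { $inSection = $true; continue }
        if ($inSection) {
            if ($line.Trim() -eq '') { break }
            if ($line -match '^\s*(\S+\\\S+)') { $users += $Matches[1] }
        }
    }
    return $users
}

# FileAttributes.Encrypted is the EFS flag; cleartext files never carry it.
Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    ForEach-Object {
        [pscustomobject]@{
            Path         = $_.FullName
            ReadableAsMe = Test-CanReadFile $_.FullName
            CanDecrypt   = (Get-EfsDecryptors $_.FullName) -join ', '
        }
    } | Format-Table -AutoSize
```

Run the script once as the user who encrypted the files and once under the account a scheduled scan would use (for example, as LocalSystem via `psexec -s`); files that show ReadableAsMe as False in the second run are exactly the ones a scan in that context reports as scanned without ever reading their contents.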

 

Check the date and version number of the following files in the folder C:\Program Files\Common Files\Symantec Shared\VirusDefs\20xxxxxx.xxx, where 20xxxxxx.xxx is the date-based name of a definition set. Note: check the folder with the latest date.

For Eraser engine:
CCERASER.DLL
ERASER.SYS
EECTRL.SYS

For AV engine:
NAVEX15.SYS
NAVENG32.DLL
NAVENG.SYS
NAVEX32A.DLL

The DLL and SYS files of an engine do not necessarily share the same version number.
The version number can be checked by right-clicking the file > Properties > Version tab (Details tab on Windows Vista and later) > Product Version, or by adding a Product Version column in Windows Explorer.
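Checking these files by hand on every host does not scale, so here is an added PowerShell example (not part of the Symantec article) that locates the newest definition set folder and reports the Product Version and modification date of each engine file listed above. It assumes the default 32-bit VirusDefs path quoted in the article; on a 64-bit host the path under Program Files (x86) may apply instead.

```powershell
# Added example, not part of the Symantec article.
# Assumption: the default VirusDefs path named in the article.
function Get-SepEngineVersion {
    param(
        [string]$DefsRoot = 'C:\Program Files\Common Files\Symantec Shared\VirusDefs'
    )

    # Definition set folders are named YYYYMMDD.NNN; the lexically largest is the newest.
    $latest = Get-ChildItem -Path $DefsRoot -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\d{8}\.\d{3}$' } |
        Sort-Object Name -Descending |
        Select-Object -First 1

    if (-not $latest) { throw "No definition set folders found under $DefsRoot" }

    # Engine files from the article; DLL and SYS versions of one engine may differ.
    $engineFiles = [ordered]@{
        'Eraser engine' = 'CCERASER.DLL', 'ERASER.SYS', 'EECTRL.SYS'
        'AV engine'     = 'NAVEX15.SYS', 'NAVENG32.DLL', 'NAVENG.SYS', 'NAVEX32A.DLL'
    }

    foreach ($engine in $engineFiles.Keys) {
        foreach ($name in $engineFiles[$engine]) {
            $path = Join-Path $latest.FullName $name
            if (Test-Path -LiteralPath $path) {
                $item = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    DefinitionSet  = $latest.Name
                    Engine         = $engine
                    File           = $name
                    ProductVersion = $item.VersionInfo.ProductVersion
                    Modified       = $item.LastWriteTime
                }
            } else {
                # A missing engine file in the newest set usually means an incomplete update.
                [pscustomobject]@{
                    DefinitionSet  = $latest.Name
                    Engine         = $engine
                    File           = $name
                    ProductVersion = '(missing)'
                    Modified       = $null
                }
            }
        }
    }
}

Get-SepEngineVersion | Format-Table -AutoSize
```

The ProductVersion property read here is the same value shown on the file's Properties > Version tab, so the output can be compared directly against the engine versions listed in a definition update's release notes.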

Technical Information

Symantec AntiVirus and Symantec Endpoint Protection contain an AV scan engine and an Eraser engine that together provide detection and side-effect repair for threats found in the environment. Updates to both engines are delivered in definition update packages (typically via LiveUpdate), so no separate manual installation is necessary. AV engine and Eraser engine releases are scheduled quarterly, with maintenance updates released as needed. A reboot is not usually required for an AV engine or Eraser engine update to take effect.




 



Legacy ID



2009031015234048




Terms of use for this information are found in Legal Notices