Educause Security Discussion mailing list archives

Re: Symantec Corporate Antivirus, Vista, and EFS


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 1 Mar 2007 09:35:53 -0500

Bowden, Zeb wrote:
I confirmed this on a Vista Ultimate machine. Most of my files aren't
actually inaccessible (i.e. I don't get access denied), they just look
like gibberish.

That is what we see here too. I should have been more specific
about the definition of "inaccessible" given the behavior when
someone tries to access someone else's encrypted file.

The problem we experience is that the data inside the file
is inaccessible because it appears as random data as though
it is not being decrypted.

We were testing on Vista Enterprise.

Thanks for the confirmation.

I was testing one of the new EFS group policy features to
force users' Documents folders to be encrypted so perhaps that makes a
difference as to what gets displayed to the user. Either way, it's still
not working and I haven't been successful in recovering any files
either.

Files encrypted prior to having auto-protect turned on appear to work as
expected.

On non-OS partitions I'm not seeing consistent behavior. It works
properly some of the time (maybe 80%), but not always.

I'm using Symantec Corporate Edition 10.2.0.276 as well.

Zeb Bowden
VT.SETI.MIG:Systems Architect
http://vtmig.w2k.vt.edu
zbowden () vt edu
(540) 231-2503


-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, February 28, 2007 5:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Symantec Corporate Antivirus, Vista, and EFS

This is a heads up notification and a check to see if
someone can confirm something we've been able to
reproduce on two Vista computers here:

Files on a Vista computer that are encrypted using EFS
while the Symantec anti-virus auto-protect feature is enabled
become inaccessible after the computer is rebooted. They
are inaccessible to all added user accounts and the
recovery account.

If autoprotect is turned off, the files encrypted while
it was turned on remain inaccessible. Newly encrypted
files behave as expected.

We have not found a way to recover the files encrypted
while Symantec was running.

Symantec Corporate Edition 10.2.0.276





--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
