Educause Security Discussion mailing list archives
Re: Symantec Corporate Antivirus, Vista, and EFS
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 2 Mar 2007 08:42:19 -0500
Allison Henry wrote:
I have confirmed this issue, and opened a case with Symantec Platinum Support. They are aware of the issue and will keep us updated on when a fix is available. I requested that they document the issue in their knowledge base, as obviously it is a serious problem. Excluding EFS encrypted folders from auto-protect will prevent the problem from occurring, but I don't see any way to recover the files since as far as EFS is concerned, they are decrypted.
A gentleman at Va. Tech discovered that uninstalling Symantec would allow the files to be recovered. We confirmed that here. We also opened a case with Symantec.
Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley.edu

Gary Flynn wrote:
Bowden, Zeb wrote:

I confirmed this on a Vista Ultimate machine. Most of my files aren't actually inaccessible (i.e. I don't get access denied), they just look like gibberish.

That is what we see here too. I should have been more specific about the definition of "inaccessible" given the behavior when someone tries to access someone else's encrypted file. The problem we experience is that the data inside the file is inaccessible because it appears as random data as though it is not being decrypted. We were testing on Vista Enterprise. Thanks for the confirmation.

I was testing one of the new EFS group policy features to force users' Documents folders to be encrypted so perhaps that makes a difference as to what gets displayed to the user. Either way, it's still not working and I haven't been successful in recovering any files either. Files encrypted prior to having auto-protect turned on appear to work as expected. On non-OS partitions I'm not seeing consistent behavior. It works properly some of the time (maybe 80%), but not always. I'm using Symantec Corporate Edition 10.2.0.276 as well.

Zeb Bowden
VT.SETI.MIG:Systems Architect
http://vtmig.w2k.vt.edu
zbowden () vt edu
(540) 231-2503

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, February 28, 2007 5:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Symantec Corporate Antivirus, Vista, and EFS

This is a heads up notification and a check to see if someone can confirm something we've been able to reproduce on two Vista computers here:

Files on a Vista computer that are encrypted using EFS while Symantec anti-virus auto-protect feature is enabled become inaccessible after the computer is rebooted. They are inaccessible to all added user accounts and the recovery account.

If autoprotect is turned off, the files encrypted while it was turned on remain inaccessible. Newly encrypted files behave as expected. We have not found a way to recover the files encrypted while Symantec was running.

Symantec Corporate Edition 10.2.0.276
-- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security