Re: Symantec Corporate Antivirus, Vista, and EFS

[Gary Flynn <flynngn () JMU EDU>]

Allison Henry wrote:
> I have confirmed this issue, and opened a case with Symantec Platinum
> Support. They are aware of the issue and will keep us updated on when a
> fix is available. I requested that they document the issue in their
> knowledge base, as obviously it is a serious problem.
>
> Excluding EFS encrypted folders from auto-protect will prevent the
> problem from occurring, but I don't see any way to recover the files
> since as far as EFS is concerned, they are decrypted.

A gentleman at Va. Tech discovered that uninstalling
Symantec would allow the files to be recovered. We
confirmed that here.

We also opened a case with Symantec.


> Allison Henry
> System and Network Security
> University of California, Berkeley
> http://security.berkeley.edu
>
> Gary Flynn wrote:
> > Bowden, Zeb wrote:
> > > I confirmed this on a Vista Ultimate machine. Most of my files aren't
> > > actually inaccessible (i.e. I do
> n't get access denied), they just look
> > > like gibberish.
> > That is what we see here too. I should have been more specific
> > about the definition of "inaccessible" given the behavior when
> > someone tries to access someone else's encrypted file.
> >
> > The problem we experience is that the data inside the file
> > is inaccessible because it appears as random data as though
> > it is not being decrypted.
> >
> > We were testing on Vista Enterprise.
> >
> > Thanks for the confirmation.
> >
> >  I was testing one of the new EFS group policy feature to
> > > force users' Documents folders to be encrypted so perhaps that makes a
> > > difference as to what gets displayed to the user. Either way, it's still
> > > not working and I haven't been successful in recovering any files
> > > either.
> > >
> > > Files encrypted prior to having auto-protect turned on appear to work as
> > > expected.
> > >
> > > On non-OS partitions I'm not seeing consistent behavior. It works
> > > properly some of the time (maybe 80%), but not always.
> > >
> > > I'm using Symantec Corporate Edition 10.2.0.276 as well.
> > >
> > > Zeb Bowden
> > > VT.SETI.MIG:Systems Architect
> > > http://vtmig.w2k.vt.edu
> > > zbowden () vt edu
> > > (540) 231-2503
> > >
> > > -----Original Message-----
> > > From: Gary Flynn [mailto:flynngn () JMU EDU] Sent: Wednesday, February
> > > 28, 2007 5:14 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: [SECURITY] Symantec Corporate Antivirus, Vista, and EFS
> > >
> > > This is a heads up notification and a check to see if
> > > someone can confirm something we've been able to
> > > reproduce on two Vista computers here:
> > >
> > > Files on a Vista computer that are encrypted using EFS
> > > while Symantec anti-virus auto-protect feature is enabled
> > > become inaccessible after the computer is rebooted. They
> > > are inaccessible to all added user accounts and the
> > > recovery account.
> > >
> > > If autoprotect is turned off, the files encrypted while
> > > it was turned on remain inaccessible. Newly encrypted
> > > files behave as expected.
> > >
> > > We have not found a way to recover the files encrypted
> > > while Symantec was running.
> > >
> > > Symantec Corporate Edition 10.2.0.276


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security