Even though EFS, or any other encryption system, can offer great security advantages, they are also negative implications for protection against viruses. When a file is encrypted, its content becomes unintelligible, not just to people but also to any processes that don't know either the file's password or the generic administrator password.
The process that is potentially most affected by this limitation is the one that searches for malicious code in the system: the antivirus, which scans all files that could contain viruses and stops them from running if they're infected. To this end, it handles "EXE", "COM" or "DLL", files as well as those data files that could contain executable code such as "DOC" or "XLS" files and their macros. And it is precisely these Word or Excel files that are most likely to need to be encrypted, as they are the typical vehicles for storing important data: budgets, forecasts, etc. If the antivirus system is incapable of scanning these encrypted files, they could remain infected with obvious dangers that this entails.
When installing an antivirus on a Windows Server 2003 system with EFS it should first be checked whether the antivirus is capable of scanning for viruses even in encrypted files. If not, encrypting a file would leave the antivirus disarmed in the face of malicious code.
In theory, in order to scan encrypted files, the antivirus must be able to access each and every file encryption key stored on the system. To do this, the antivirus would have to operate as a recovery agent, with access to all encryption keys. Because of the security implications, the indiscriminate creation of recovery agents is not good practice and therefore antiviruses ought to work in other ways. For example, by intercepting and scanning the file when it is opened by the authorized user, with the antivirus acting as the user. In this way, only files accessed with correct authentication (i.e. by a user with the correct encryption key) will be scanned thus minimizing system resource use without jeopardizing security.
The process of scanning and disinfecting is as follows:
1. The file is stored on the hard disk.
2. The user makes a request to the server to recover the file.
3. The server makes a request to the disk with the credentials of the user making the request.
4. The antivirus intercepting activity on the hard disk receives the request. As the file is encrypted, it makes a call to the system to decipher it. This call is made with the user credentials of the user making the request. Once the file is decrypted, it is scanned and, if necessary, disinfected.
5. The system returns the clean file to the system which in turn passes it on the user making the request..
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.