Antivirus and EFS in Windows Server 2003
by Fernando de la Cuadra - International Technical Editor, Panda Software - 2 June 2003.
The process that is potentially most affected by this limitation is the one that searches for malicious code in the system: the antivirus, which scans all files that could contain viruses and stops them from running if they're infected. To this end, it handles "EXE", "COM" or "DLL", files as well as those data files that could contain executable code such as "DOC" or "XLS" files and their macros. And it is precisely these Word or Excel files that are most likely to need to be encrypted, as they are the typical vehicles for storing important data: budgets, forecasts, etc. If the antivirus system is incapable of scanning these encrypted files, they could remain infected with obvious dangers that this entails.

When installing an antivirus on a Windows Server 2003 system with EFS it should first be checked whether the antivirus is capable of scanning for viruses even in encrypted files. If not, encrypting a file would leave the antivirus disarmed in the face of malicious code.

In theory, in order to scan encrypted files, the antivirus must be able to access each and every file encryption key stored on the system. To do this, the antivirus would have to operate as a recovery agent, with access to all encryption keys. Because of the security implications, the indiscriminate creation of recovery agents is not good practice and therefore antiviruses ought to work in other ways. For example, by intercepting and scanning the file when it is opened by the authorized user, with the antivirus acting as the user. In this way, only files accessed with correct authentication (i.e. by a user with the correct encryption key) will be scanned thus minimizing system resource use without jeopardizing security.

The process of scanning and disinfecting is as follows:

1. The file is stored on the hard disk.

2. The user makes a request to the server to recover the file.

3. The server makes a request to the disk with the credentials of the user making the request.

4. The antivirus intercepting activity on the hard disk receives the request. As the file is encrypted, it makes a call to the system to decipher it. This call is made with the user credentials of the user making the request. Once the file is decrypted, it is scanned and, if necessary, disinfected.

5. The system returns the clean file to the system which in turn passes it on the user making the request..


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th