Antivirus and EFS in Windows Server 2003
by Fernando de la Cuadra - International Technical Editor, Panda Software - 2 June 2003.
The process that is potentially most affected by this limitation is the one that searches for malicious code in the system: the antivirus, which scans all files that could contain viruses and stops them from running if they're infected. To this end, it handles "EXE", "COM" or "DLL", files as well as those data files that could contain executable code such as "DOC" or "XLS" files and their macros. And it is precisely these Word or Excel files that are most likely to need to be encrypted, as they are the typical vehicles for storing important data: budgets, forecasts, etc. If the antivirus system is incapable of scanning these encrypted files, they could remain infected with obvious dangers that this entails.

When installing an antivirus on a Windows Server 2003 system with EFS it should first be checked whether the antivirus is capable of scanning for viruses even in encrypted files. If not, encrypting a file would leave the antivirus disarmed in the face of malicious code.

In theory, in order to scan encrypted files, the antivirus must be able to access each and every file encryption key stored on the system. To do this, the antivirus would have to operate as a recovery agent, with access to all encryption keys. Because of the security implications, the indiscriminate creation of recovery agents is not good practice and therefore antiviruses ought to work in other ways. For example, by intercepting and scanning the file when it is opened by the authorized user, with the antivirus acting as the user. In this way, only files accessed with correct authentication (i.e. by a user with the correct encryption key) will be scanned thus minimizing system resource use without jeopardizing security.

The process of scanning and disinfecting is as follows:

1. The file is stored on the hard disk.

2. The user makes a request to the server to recover the file.

3. The server makes a request to the disk with the credentials of the user making the request.

4. The antivirus intercepting activity on the hard disk receives the request. As the file is encrypted, it makes a call to the system to decipher it. This call is made with the user credentials of the user making the request. Once the file is decrypted, it is scanned and, if necessary, disinfected.

5. The system returns the clean file to the system which in turn passes it on the user making the request..


10 practical security tips for DevOps

By working with the DevOps team, you can ensure that the production environment is more predictable, auditable and more secure than before. The key is to integrate your security requirements into the DevOps pipeline.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Mar 31st