When installing an antivirus on a Windows Server 2003 system with EFS it should first be checked whether the antivirus is capable of scanning for viruses even in encrypted files. If not, encrypting a file would leave the antivirus disarmed in the face of malicious code.
In theory, in order to scan encrypted files, the antivirus must be able to access each and every file encryption key stored on the system. To do this, the antivirus would have to operate as a recovery agent, with access to all encryption keys. Because of the security implications, the indiscriminate creation of recovery agents is not good practice and therefore antiviruses ought to work in other ways. For example, by intercepting and scanning the file when it is opened by the authorized user, with the antivirus acting as the user. In this way, only files accessed with correct authentication (i.e. by a user with the correct encryption key) will be scanned thus minimizing system resource use without jeopardizing security.
The process of scanning and disinfecting is as follows:
1. The file is stored on the hard disk.
2. The user makes a request to the server to recover the file.
3. The server makes a request to the disk with the credentials of the user making the request.
4. The antivirus intercepting activity on the hard disk receives the request. As the file is encrypted, it makes a call to the system to decipher it. This call is made with the user credentials of the user making the request. Once the file is decrypted, it is scanned and, if necessary, disinfected.
5. The system returns the clean file to the system which in turn passes it on the user making the request..