Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Symantec Corporate Antivirus, Vista, and EFS
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 2 Mar 2007 08:42:19 -0500

Allison Henry wrote:
I have confirmed this issue, and opened a case with Symantec Platinum
Support. They are aware of the issue and will keep us updated on when a
fix is available. I requested that they document the issue in their
knowledge base, as obviously it is a serious problem.

Excluding EFS encrypted folders from auto-protect will prevent the
problem from occurring, but I don't see any way to recover the files
since as far as EFS is concerned, they are decrypted.

A gentleman at Va. Tech discovered that uninstalling
Symantec would allow the files to be recovered. We
confirmed that here.

We also opened a case with Symantec.

Allison Henry
System and Network Security
University of California, Berkeley

Gary Flynn wrote:
Bowden, Zeb wrote:
I confirmed this on a Vista Ultimate machine. Most of my files aren't
actually inaccessible (i.e. I do
n't get access denied), they just look
like gibberish.
That is what we see here too. I should have been more specific
about the definition of "inaccessible" given the behavior when
someone tries to access someone else's encrypted file.

The problem we experience is that the data inside the file
is inaccessible because it appears as random data as though
it is not being decrypted.

We were testing on Vista Enterprise.

Thanks for the confirmation.

 I was testing one of the new EFS group policy feature to
force users' Documents folders to be encrypted so perhaps that makes a
difference as to what gets displayed to the user. Either way, it's still
not working and I haven't been successful in recovering any files

Files encrypted prior to having auto-protect turned on appear to work as

On non-OS partitions I'm not seeing consistent behavior. It works
properly some of the time (maybe 80%), but not always.

I'm using Symantec Corporate Edition as well.

Zeb Bowden
VT.SETI.MIG:Systems Architect
zbowden () vt edu
(540) 231-2503

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] Sent: Wednesday, February
28, 2007 5:14 PM
Subject: [SECURITY] Symantec Corporate Antivirus, Vista, and EFS

This is a heads up notification and a check to see if
someone can confirm something we've been able to
reproduce on two Vista computers here:

Files on a Vista computer that are encrypted using EFS
while Symantec anti-virus auto-protect feature is enabled
become inaccessible after the computer is rebooted. They
are inaccessible to all added user accounts and the
recovery account.

If autoprotect is turned off, the files encrypted while
it was turned on remain inaccessible. Newly encrypted
files behave as expected.

We have not found a way to recover the files encrypted
while Symantec was running.

Symantec Corporate Edition

Gary Flynn
Security Engineer
James Madison University

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]