Antivirus and EFS in Windows Server 2003

The need to transmit secret or sensitive information has been around for a long time, and cryptography, in one shape or form, has been around for almost as long. The Spartans for example, around 400BC, used a system involving a long length of papyrus wrapped around a cylindrical rod. Words were then written on the paper lengthwise along the rod. When the strip was unrolled, one could only see an arrangement of apparently meaningless letters. To decrypt the message the papyrus had to placed around a rod of the same diameter in exactly the same way as when it was encrypted.

Since the advent of PCs, encryption technology has evolved at a spectacular rate. Whereas before, the real problem in deciphering an encrypted message lay in the need to make large-scale calculations, computers have made it possible to carry out such calculations at amazing speeds. These same machines have also enabled encryption systems to be made both more accurate and complex.

Nowadays, it is unthinkable that data of any consequence should be transmitted without having previously been encrypted to prevent exposure to the prying eye. Unfortunately though, the common perception of data transmission is limited to the Internet and therefore many other systems that can and should be protected with encryption are generally ignored.

Laptop computers have now become a standard accessory for today’s highly mobile business people, meaning also that all information stored on these computers is highly mobile and needs to be adequately protected. Although passwords can be used to impeded unauthorized access, they are little obstacle to the skilled and determined intruder.

With these kinds of problems in mind, Microsoft has incorporated an encryption system in its operating systems to prevent unauthorized access to information on disk. This system, the ‘Encryption File System’ (EFS), allows files and folders to be encrypted so that if a laptop or disk were to fall into the wrong hands, it would be impossible to decipher the information it contained.

To further heighten security, EFS includes various layers of encryption. Each file has its own unique encryption key, which is essential in order to be able to work with the file. This key, which is also encrypted, is only available to users authorized to access each file. EFS is actually integrated into the file system, thus reinforcing security against unauthorized access and at the same time making administration easier for users. The encryption and decryption of data is completely transparent and requires no user interaction other than selecting the file to encrypt.

One of the biggest potential problems presented by any file encryption system concerns access to these files after encryption, not just by the users who encrypted them, but also by others, such as network administrators or company bosses. If the password holder is unavailable at any time, even the IT staff will not be to access the encrypted files. To prevent such situations from occurring, the EFS in Windows XP and Windows Server 2003 allows the administrator to recuperate encrypted files using ‘recovery agents’ that can access all users’ passwords.

Even though EFS, or any other encryption system, can offer great security advantages, they are also negative implications for protection against viruses. When a file is encrypted, its content becomes unintelligible, not just to people but also to any processes that don’t know either the file’s password or the generic administrator password.

The process that is potentially most affected by this limitation is the one that searches for malicious code in the system: the antivirus, which scans all files that could contain viruses and stops them from running if they’re infected. To this end, it handles “EXE”, “COM” or “DLL”, files as well as those data files that could contain executable code such as “DOC” or “XLS” files and their macros. And it is precisely these Word or Excel files that are most likely to need to be encrypted, as they are the typical vehicles for storing important data: budgets, forecasts, etc. If the antivirus system is incapable of scanning these encrypted files, they could remain infected with obvious dangers that this entails.

When installing an antivirus on a Windows Server 2003 system with EFS it should first be checked whether the antivirus is capable of scanning for viruses even in encrypted files. If not, encrypting a file would leave the antivirus disarmed in the face of malicious code.

In theory, in order to scan encrypted files, the antivirus must be able to access each and every file encryption key stored on the system. To do this, the antivirus would have to operate as a recovery agent, with access to all encryption keys. Because of the security implications, the indiscriminate creation of recovery agents is not good practice and therefore antiviruses ought to work in other ways. For example, by intercepting and scanning the file when it is opened by the authorized user, with the antivirus acting as the user. In this way, only files accessed with correct authentication (i.e. by a user with the correct encryption key) will be scanned thus minimizing system resource use without jeopardizing security.

The process of scanning and disinfecting is as follows:

1. The file is stored on the hard disk.
2. The user makes a request to the server to recover the file.
3. The server makes a request to the disk with the credentials of the user making the request.
4. The antivirus intercepting activity on the hard disk receives the request. As the file is encrypted, it makes a call to the system to decipher it. This call is made with the user credentials of the user making the request. Once the file is decrypted, it is scanned and, if necessary, disinfected.
5. The system returns the clean file to the system which in turn passes it on the user making the request..

Don't miss