Posted by Roger Abell [MVP] on March 1, 2007, 11:32 pm
> Roger Abell [MVP] wrote:
>> For what it is worth there is a bit that when set indicates the file as
>> EFS encrypted. The open but scrambled state you described is what
>> happens when that bit is not, but should be, set.
>
> Thanks. There are certainly interesting issues surrounding
> AV and EFS, or any type of encryption for that matter.
>
> Subsequent experimentation discovered that if Symantec
> was completely uninstalled, the data became
> intelligible again.
>
now that is interesting . . . thanks
> Symantec has been made aware of the problem.
>
>>
>>> Disabling Symantec anti-virus autoprotect made the
>>> problem go away. This has been verified several
>>> times and also on a second Vista workstation.
>>>
>>> Symantec Corporate Edition 10.2.0.276
>>>
>>> Once auto-protect is turned off, newly encrypted files
>>> can be read after a reboot. Any files encrypted while
>>> auto-protect is enabled, cannot be decrypted.
>>>
>>> One of our Security Engineers noticed a Microsoft
>>> KB article related to anti-virus changing meta-data
>>> associated with another problem and figured what
>>> the heck, let's disable it and see what happens.
>>>
>>>
>>>
>>>> We've been wrestling with a problem computer for a few
>>>> days now and were hoping these symptoms ring a bell with
>>>> someone.
>>>>
>>>> After a reboot, when we attempt to read files in a directory
>>>> with the encryption property set, the data does not appear
>>>> to be decrypted. That is, we see junk where we should see
>>>> simple ASCII text.
>>>>
>>>> Everything works fine until the computer is rebooted. It
>>>> works fine after logouts and logins. After a reboot, none
>>>> of the accounts formerly able to access the file, including
>>>> manually added certs and the recovery agent, are able to read
>>>> anything but garbage from the file. We create a new account
>>>> and encrypt files and it works fine until the computer
>>>> is rebooted again.
>>>>
>>>> This is true of local or domain accounts. When the problem
>>>> first appeared, the computer was not joined to a domain.
>>>>
>>>> All EFS certs are of the automatically generated, self-signed
>>>> type.
>>>>
>>>> The computer is a new Vista computer.
>>>>
>>>> All the account certs and thumb prints appear unchanged before
>>>> and after the reboot.
>>>>
>>>> I suspect the problem would go away if we rebuilt the
>>>> computer but as we're familiarizing ourselves with EFS
>>>> before a wider roll-out, I'd really like to define
>>>> the problem and what caused it in case we run into it again.
>>>>
>>>
>>> --
>>> Gary Flynn
>>> Security Engineer
>>> James Madison University
>>> www.jmu.edu/computing/security
>>
>>
>
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security