System instability with Virus and EFS

[Mun]

Hi there.

I think I found a problem with Avast detecting a virus, and Microsoft's EFS (Encrypted File System) built into Windows. The problem results in severe system instability that (for me) requires physically pressing the reset button to get the system back. The steps to duplicate the problem are as follows:

1. Make an encrypted folder.
2. Put a file infected with a virus into that folder (eg, download a virus from the internet and save it to that folder. I think because the avast service is running under SYSTEM, it cannot check the file, it is encrypted. Only the user can transparently access it).
3. Right click the virus file and click properties.
4. In "Attributes", click Advanced.
5. In "Compress or Encrypt Attributes" untick "Encrypt contents to secure data" and click OK.
6. Click Apply on the properties window.

At this point the EFS system is called to decrypt the file. Avast immediately detects the virus and asks what you want to do. I tried deleting the file and on another occasion moving it to chest, but both ways result in the properties window to hang. At this point the system becomes unstable.

I'm not sure whats going on inside, but I this is what I think. Avast has blocked EFS, and some code in EFS has trouble when it finds the file is abruptly removed. This causes EFS to hang, and has a knock on effect on explorer.exe. A lot of my files are encrypted with EFS, so this may be why my crashes are so severe. Possibly if it was just the 1 file, the crash would just take down explorer.exe, which can be restarted. Thats all my guess, I don't know whats actually happening.

I'm running:
AMD Athlon 2500+ XP
512MB DDR SDRAM
Windows XP SP2
Avast build 4.6.623

I searched the forum but found no mention of EFS. Has Avast been tested with EFS? If you need more info please ask.

Thank you.

[DavidR]

I can't see the point in putting a virus in an encrypted folder, avast can't scan encrypted data, it doesn't know the encryption algorithm.

If you unencrypt the file inside the encrypted folder avast will be able to scan the unencrypted file, if it detects the virus, it will stop everything in its tracks and the unencryption routine may not have completed its work so it hangs.

What happens if you move the file to a normal folder wouldn't that also unencrypt the file allowing avast to scan it.

Perhaps the moral would be never to download files into an encrypted folder so they can be scanned first, then moved to an encrypted folder if required.

I have a folder that all my downloads go to first, not just to scan them but so they are easier to find, then they are moved to an appropriate folder, utilities, actioned, pdfs, drivers, etc.

[Lisandro]

Can you please, go to folder \windows\minidump and see it you have any .mdmp files?
Is so, can you send them to vlk@avast.com or rypacek@asw.cz for further analysis?
Alternatively, you can upload the file(s) to Alwil anonymous ftp servers:
ftp://ftp.asw.cz/incoming
ftp://www2.asw.cz/incoming

Is there anything of interest into avast! Log Viewer?

[Mun]

Well my desktop is encrypted, and often I download files onto my desktop thereby encrypting them. Today I downloaded a zip file that had a virus executable in it. When I moved the executable into Program Files (that is unencrypted), it remained encrypted (Windows does not decrypt a file that was encrypted if you move it to an unencrypted folder. The file will still be encrypted. See Microsoft's excellent document on EFS for more info). I think you're right about avast stopping the decryption routine, but it is causing problems.

I can see two solutions, although both are not ideal. There are most likely more ways round.

1. Add SYSTEM as a user that can access EFS data transparently held on the computer by editing the Security Policy. The disadvantage here is a naughty admin can code a special service that runs under SYSTEM and steals the user's data. Also, I have seen ways people can hack into a Windows machine and run under SYSTEM. In theory, this would allow them access EFS data.
2. Make another avast process that runs under the user, which communicates with the avast service, bridging the access problem. The disadvantage here is a necessity for another process (taking up more resources), and probably lots of coding and testing.

Hi Technical. No process crashed, nor did the system. It just hung, and gradually made the computer unusable. As a result, there was no Minidump created. When the system hung, I tried pressing the "X" on the properties window, and told the system to End Task for explorer.exe, but it couldn't end the task. The system just gradually got worse - I tried shutting down, but then lost access to the start menu,  couldn't do Winkey+R etc.

I don't think the avast log viewer has anything special. When clicking "Ok" when avast reports the virus, the system does not crash. So I tried that now and these are in the log:

Error:
14/04/2005 16:57:40   SYSTEM   1696   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Mun\Desktop\start.exe failed, 00000005. 
14/04/2005 16:57:35   SYSTEM   1696   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Mun\Desktop\start.exe failed, 00000005. 
14/04/2005 16:57:35   SYSTEM   1696   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Mun\Desktop\start.exe failed, 00000005.

Warning:
14/04/2005 16:58:22   SYSTEM   1696   Sign of "Win32:IstBar-AC [Trj]" has been found in "C:\Documents and Settings\Mun\Desktop\start.exe" file. 
14/04/2005 16:57:51   SYSTEM   1696   Sign of "Win32:IstBar-AC [Trj]" has been found in "C:\Documents and Settings\Mun\Desktop\start.exe" file. 
14/04/2005 16:57:40   SYSTEM   1696   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Mun\Desktop\start.exe (C:\Documents and Settings\Mun\Desktop\start.exe) returning error, 00000005. 
14/04/2005 16:57:35   SYSTEM   1696   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Mun\Desktop\start.exe (C:\Documents and Settings\Mun\Desktop\start.exe) returning error, 00000005. 
14/04/2005 16:57:35   SYSTEM   1696   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Mun\Desktop\start.exe (C:\Documents and Settings\Mun\Desktop\start.exe) returning error, 00000005.   

I also think its impossible to encrypt a virus with EFS from an unencrypted state on the hard drive. One keeps getting thrown back and forth between Windows unable to access the file, and avast reporting a virus. Not that anyone would want to encrypt a virus but it might help diagnoses.

[Lisandro]

Hi Technical. No process crashed, nor did the system. It just hung, and gradually made the computer unusable. As a result, there was no Minidump created. When the system hung, I tried pressing the "X" on the properties window, and told the system to End Task for explorer.exe, but it couldn't end the task. The system just gradually got worse - I tried shutting down, but then lost access to the start menu,  couldn't do Winkey+R etc.

I see... It's on the limit of my knowleadge... I'll need help from Alwil team. Sorry.
Anyway, can you send the file start.exe for Alwil analysis? (you can use the email and/or uploading sites I've posted before).

[Mun]

Ok, I sent an email with it to Vlk. I tried uploading to the FTP servers but couldn't do it. It might be there, i'm not sure.