Well, my desktop is encrypted, and often I download files onto my desktop, thereby encrypting them. Today I downloaded a zip file that had a virus executable in it. When I moved the executable into Program Files (which is unencrypted), it remained encrypted (Windows does not decrypt a file that was encrypted if you move it to an unencrypted folder. The file will still be encrypted. See Microsoft's excellent document on EFS for more info). I think you're right about avast stopping the decryption routine, but it is causing problems.
I can see two solutions, although neither is ideal. There are most likely more ways round.
1. Add SYSTEM as a user that can access EFS data transparently held on the computer by editing the Security Policy. The disadvantage here is a naughty admin can code a special service that runs under SYSTEM and steals the user's data. Also, I have seen ways people can hack into a Windows machine and run under SYSTEM. In theory, this would allow them access EFS data.
2. Make another avast process that runs under the user, which communicates with the avast service, bridging the access problem. The disadvantage here is a necessity for another process (taking up more resources), and probably lots of coding and testing.
Hi Technical. No process crashed, nor did the system. It just hung, and gradually made the computer unusable. As a result, there was no Minidump created. When the system hung, I tried pressing the "X" on the properties window, and told the system to End Task for explorer.exe, but it couldn't end the task. The system just gradually got worse - I tried shutting down, but then lost access to the start menu, couldn't do Winkey+R etc.
I don't think the avast log viewer has anything special. When clicking "Ok" when avast reports the virus, the system does not crash. So I tried that now and these are in the log:
Error:
14/04/2005 16:57:40 SYSTEM 1696 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Mun\Desktop\start.exe failed, 00000005.
14/04/2005 16:57:35 SYSTEM 1696 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Mun\Desktop\start.exe failed, 00000005.
14/04/2005 16:57:35 SYSTEM 1696 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Mun\Desktop\start.exe failed, 00000005.
Warning:
14/04/2005 16:58:22 SYSTEM 1696 Sign of "Win32:IstBar-AC [Trj]" has been found in "C:\Documents and Settings\Mun\Desktop\start.exe" file.
14/04/2005 16:57:51 SYSTEM 1696 Sign of "Win32:IstBar-AC [Trj]" has been found in "C:\Documents and Settings\Mun\Desktop\start.exe" file.
14/04/2005 16:57:40 SYSTEM 1696 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Mun\Desktop\start.exe (C:\Documents and Settings\Mun\Desktop\start.exe) returning error, 00000005.
14/04/2005 16:57:35 SYSTEM 1696 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Mun\Desktop\start.exe (C:\Documents and Settings\Mun\Desktop\start.exe) returning error, 00000005.
14/04/2005 16:57:35 SYSTEM 1696 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Mun\Desktop\start.exe (C:\Documents and Settings\Mun\Desktop\start.exe) returning error, 00000005.
I also think it's impossible to encrypt a virus with EFS from an unencrypted state on the hard drive. One keeps getting thrown back and forth between Windows being unable to access the file, and avast reporting a virus. Not that anyone would want to encrypt a virus, but it might help diagnosis.
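An added example, not part of the thread or of avast's own code: a triage pass over log lines in the layout quoted above that separates files the SYSTEM-run scanner was refused from files that eventually got a verdict. It assumes the logged code 00000005 is the Win32 ERROR_ACCESS_DENIED value; the sample log, its paths and the second error code are constructed.

```python
import re
from collections import defaultdict

ACCESS_DENIED = 5  # assumption: the logged hex code is Win32 ERROR_ACCESS_DENIED

# Layout taken from the quoted log: date, time, account, PID, message.
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (\d+) (.+)$")
FAILED = re.compile(r"avfilesScanReal of (.+) failed, ([0-9A-Fa-f]{8})\.$")
FOUND = re.compile(r'Sign of "(.+?)" has been found in "(.+)" file\.$')

# Constructed sample; paths and the 00000020 code are illustrative only.
SAMPLE_LOG = r"""
Error:
14/04/2005 16:57:35 SYSTEM 1696 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\demo\Desktop\a.exe failed, 00000005.
14/04/2005 16:57:40 SYSTEM 1696 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\demo\Desktop\a.exe failed, 00000005.
14/04/2005 17:02:10 SYSTEM 1696 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\demo\Desktop\b.zip failed, 00000005.
14/04/2005 17:03:00 SYSTEM 1696 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\demo\Desktop\c.dll failed, 00000020.
Warning:
14/04/2005 16:58:22 SYSTEM 1696 Sign of "Win32:IstBar-AC [Trj]" has been found in "C:\Documents and Settings\demo\Desktop\a.exe" file.
"""

def triage(log_text):
    """Group scan failures and detections by (case-insensitive) file path."""
    files = defaultdict(lambda: {"denied": 0, "other": 0,
                                 "accounts": set(), "detections": set()})
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # blank lines and the "Error:" / "Warning:" headings
        _, account, _, message = entry.groups()
        failed = FAILED.search(message)
        found = FOUND.search(message)
        if failed:
            rec = files[failed.group(1).lower()]
            rec["accounts"].add(account)
            code = int(failed.group(2), 16)
            rec["denied" if code == ACCESS_DENIED else "other"] += 1
        elif found:
            files[found.group(2).lower()]["detections"].add(found.group(1))
    return files

def never_scanned(files):
    """Paths the scanner account was refused and that have no verdict logged."""
    return sorted(p for p, r in files.items()
                  if r["denied"] and not r["detections"])

if __name__ == "__main__":
    print(never_scanned(triage(SAMPLE_LOG)))
```

Paths returned by `never_scanned` are the ones worth rescanning from the owning user's session, since the resident scanner never read their contents.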