Symantec recently shared details regarding an attack that takes advantage of the Encrypting File System (EFS) to prevent forensic analysis. Can you provide details on the Windows EFS? How exactly can enterprises go about identifying such attacks?
Answered by SearchSecurity expert Nick Lewis.
EFS is Microsoft's Encrypting File System. It lets Windows encrypt individual files and folders using keys tied to X.509 certificates. If an EFS-encrypted file is copied off a system or accessed by any account other than the one used to encrypt it, the data is inaccessible. The Backdoor.Tranwos Trojan uses EFS to make it difficult for malware analysts to obtain a copy of the malicious files by any means other than running the infected system itself.
Enterprises can identify similar attacks, or other malware that leverages EFS, by scanning systems for encrypted files and for non-standard EFS usage. Several techniques accomplish this, but they all come down to checking whether each file and folder on the file system carries the encrypted attribute. If an encrypted file or folder is found, the encryption key must be recovered or the files decrypted. The command-line utility cipher can be used for both approaches, but it only works if you are logged in as the user who was logged in at the time of infection, since that makes it far more likely the decryption key (the user's private key) is available to export or to decrypt the files.
Alternatively, rogue use of EFS can be detected with the cipher command. Start by looking for users with EFS set up and an EFS-specific encryption key (the private key set up for EFS use). If one was not intentionally set up for that user, further investigation is critical.
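As an added example that is not part of the original answer, the PowerShell script below automates the two checks just described: it walks the file system for items carrying the Encrypted attribute and lists certificates in the current user's store that carry the EFS enhanced key usage. The scan paths and report location are assumptions; run it as the user under investigation, with administrative rights for a wider scan.

```powershell
# Added example (not from the original answer): triage unexpected EFS use on a
# host. Run as the user whose EFS key is in question, because the EFS private
# key lives in that user's profile.

param(
    # Assumed starting points; widen to "$env:SystemDrive\" for a full scan.
    [string[]]$Paths  = @("$env:SystemDrive\Users", "$env:ProgramData"),
    [string]  $Report = "$env:TEMP\efs-triage.csv"   # assumed output location
)

# Enhanced key usage OID for "Encrypting File System".
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

function Find-EfsEncryptedItems {
    param([string[]]$Root)
    # The Encrypted attribute is set on both files and folders; -Force includes
    # hidden and system items, where malware tends to hide.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object FullName, PSIsContainer, Length, LastWriteTime,
            @{ Name = 'Owner'
               Expression = { (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner } }
}

function Get-EfsCertificates {
    # Certificates in the current user's personal store that are usable for EFS.
    # A user with no business need for EFS should normally have none.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
}

$encrypted = @(Find-EfsEncryptedItems -Root $Paths)
$certs     = @(Get-EfsCertificates)

"Encrypted items found: $($encrypted.Count) (details written to $Report)"
$encrypted | Export-Csv -Path $Report -NoTypeInformation
"EFS-capable certificates for $env:USERNAME: $($certs.Count)"
$certs | Format-Table -AutoSize

# Encrypted items outside the user's own profile, or an EFS certificate the
# user never requested, are the findings that warrant further investigation.
# 'cipher /u /n' lists every encrypted file on local drives as a cross-check.
```

The CSV gives the analyst the list of encrypted paths to recover with cipher while the relevant user is still logged in.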