Some third-party file-based encryption software is incompatible with VirusScan Enterprise
Technical Articles ID:
KB73825
Last Modified: 6/7/2022
Environment
VirusScan Enterprise (VSE) 8.8 Patch 1 and later

For details of VSE 8.x supported environments, see KB51111 - Supported platforms for VirusScan Enterprise.

Summary

VSE and File Encryption Products Interoperability
With the release of VSE 8.8 Patch 1, the VSE kernel-level drivers have adopted the Microsoft Filter Manager minifilter driver model to improve supportability and compatibility with Windows and Windows applications. The Microsoft Logo Kit revision 1.6 and later also mandates this change for all antivirus solutions that want to obtain the Windows Logo. Adopting the minifilter driver model has exposed latent issues in some other third-party applications whose drivers can't handle some of the nuances of Windows' internal file system behavior. This situation has been observed most commonly with file-based encryption products.

VSE is compatible with most file encryption products on the market, but a small minority of file encryption products have issues when VSE is installed. Some of these incompatibility issues from several vendors have been analyzed, and some general themes (flaws) in the file encryption products' implementations have been identified. This article describes the underlying technical issues involved in implementing a file encryption product on the Windows operating system, and how these issues can interact with VSE or any competing enterprise on-access antivirus product.

Problem

Data corruption occurs when files are written to disk. When the corruption occurs, data files contain random characters instead of the expected text.

A typical symptom is corruption of file data at the moment the application reads it. Applications can halt unexpectedly because they're reading file contents they don't expect.

System Change

Applied VSE 8.8 Patch 1.

Cause

You might notice that these events coincide with an update of the VSE software, and so arrive at the incorrect conclusion that VSE causes the data corruption.
The actual cause is that encrypted data is written to the operating system's file cache and then returned to the user without undergoing the expected decryption step. This scenario can occur if the file encryption product fails to implement the layered file system model. The layered file system model maintains two cached representations of the file, one in encrypted form and the other in decrypted form. A flawed encryption product fails to sufficiently segregate the two forms, so processes that should see only the decrypted form can be handed the encrypted one, and vice versa. This problem is widely known within the Windows file system development community hosted by Open System Resources (OSR), and is discussed in some technical detail in the FAQ posted at this OSR Online article.

Solution

The product development team recommends that you uninstall any third-party file-based encryption applications that aren't compatible with the layered file system model. Leaving an incompatible application installed can lead to data corruption: a user application might operate on the decrypted form of the data and then flush the modified data from memory back to disk.
Why is this behavior associated with updates to VSE?

VSE uses a driver technology called a 'file system filter driver.' It intercepts the opening and closing of all files on the system to perform on-access antivirus scans. The Windows operating system creates a 'stack' of filter drivers. Flawed file encryption drivers are sensitive to their location in this stack: the data corruption problem is exposed when they sit above the VSE filter driver.

The Microsoft Filter Manager provides the VSE filter with a consistent and predictable location in the filter stack. Microsoft assigns the VSE location within this stack through a "filter altitude" value that's specific to VSE. This value can't be changed. Sometimes, the location of the VSE filter is below the filters for the encryption software. In the past, VSE used a more traditional file system filter technology that tended to be at the top of the file system filter stack. For security purposes, the product development team doesn't use encryption software that places filters above VSE. When VSE is below the encryption software in the filter stack, it only sees the encrypted data and doesn't function properly, putting the system at risk of infection and data corruption.

IMPORTANT: Other products unrelated to antivirus, such as backup applications, also use filter drivers. They can expose the same problem in a file encryption product that doesn't implement the layered file system model.

VSE is unable to work around encryption products that don't implement the layered file system model, because the compatibility issue exists between the encryption product and the Windows family of operating systems. So, we recommend that you don't use file encryption products that don't implement the layered file system model alongside VSE. They aren't compatible with the technical requirements of the Windows operating systems.
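The stack ordering described above can be inspected on an affected host. The following PowerShell script is an added example, not part of this article or of the VSE product: it parses the table printed by `fltmc filters`, classifies each minifilter by the Microsoft-allocated altitude range it falls in (the Anti-Virus and Encryption ranges used here are an assumption taken from Microsoft's published altitude allocation, not from this article), and reports any named encryption filter that sits above the antivirus filter. The filter names and altitudes in the embedded sample are constructed; the real VSE filter name and altitude are not stated in this article and must be taken from the product documentation or from a live `fltmc filters` listing.

```powershell
# Added example (not from KB73825): parse "fltmc filters" output and check
# whether a file-encryption minifilter sits above the antivirus minifilter.
# Requires an elevated prompt on a live system; the sample below runs offline.

# Assumption: Microsoft-allocated load-order altitude ranges (from the
# "Allocated filter altitudes" documentation, not from this article).
$Ranges = @(
    @{ Group = 'FSFilter Anti-Virus'; Low = 320000; High = 329999 },
    @{ Group = 'FSFilter Encryption'; Low = 140000; High = 149999 }
)

function Get-AltitudeGroup {
    param([double]$Altitude)
    foreach ($r in $Ranges) {
        if ($Altitude -ge $r.Low -and $Altitude -le $r.High) { return $r.Group }
    }
    return 'Other'
}

function ConvertFrom-FltmcFilters {
    # Parses rows of the form: <Filter Name> <Num Instances> <Altitude> <Frame>
    # Only Filter Manager minifilters appear in fltmc output; a legacy
    # (non-minifilter) filter driver is invisible here and must be checked
    # by other means, so an empty result is not proof of a clean stack.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = [int]$Matches[4]
                Group     = Get-AltitudeGroup -Altitude ([double]$Matches[3])
            }
        }
    }
}

function Test-EncryptionAboveAntiVirus {
    # Returns the named encryption filters whose altitude is higher (closer to
    # the I/O manager, so earlier in the stack) than the antivirus filter.
    # That is the ordering the article says exposes the corruption problem.
    param(
        [object[]]$Filters,
        [string]$AntiVirusFilter,          # hypothetical name, supplied by caller
        [string[]]$EncryptionFilters       # hypothetical names, supplied by caller
    )
    $av = $Filters | Where-Object { $_.Name -eq $AntiVirusFilter }
    if (-not $av) { throw "Antivirus filter '$AntiVirusFilter' not loaded" }
    return @($Filters | Where-Object {
        $EncryptionFilters -contains $_.Name -and $_.Altitude -gt $av.Altitude
    })
}

# Constructed sample in the layout fltmc prints. ExampleCryptFlt is registered
# in the Encryption range (correct, below AV); ExampleBadCryptFlt is a
# hypothetical encryption filter registered above the AV range.
$Sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleBadCryptFlt                      3         395000         0
ExampleAvFlt                            3         321000         0
ExampleCryptFlt                         3         145000         0
'@ -split "`r?`n"

# On a live host replace the sample with the real listing:  $Sample = fltmc filters
$filters = ConvertFrom-FltmcFilters -Lines $Sample
$filters | Sort-Object Altitude -Descending | Format-Table Name, Altitude, Group -AutoSize

$above = Test-EncryptionAboveAntiVirus -Filters $filters `
            -AntiVirusFilter 'ExampleAvFlt' `
            -EncryptionFilters @('ExampleCryptFlt', 'ExampleBadCryptFlt')
if ($above) {
    Write-Warning "Encryption filter(s) above the antivirus filter: $($above.Name -join ', ')"
}
```

The table is sorted from the highest altitude downward, which matches the order in which a file request passes through the stack, so the filter that sees plaintext first is at the top. Because the check is by filter name rather than by altitude range, it still catches an encryption driver that was registered outside the Encryption range.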
We conform with the best practices outlined in the Windows Logo Kit, and are committed to the mini-filter model design change. Endpoint Encryption is an example of a file encryption product that implements the layered file system model.

Related Information

For Developers:
OSR Online is a reputable source for tips, advice, and best practices for kernel driver development. The IFS FAQ lists a common error in file-based encryption filters. If you're a vendor of such an application and experience issues, we recommend that you review this article. We always have representation at Microsoft-hosted We also monitor the relevant OSR forums for queries seeking technical assistance with proprietary driver software. We try to respond to relevant queries on that forum or directly via Technical Support.