Release Date: January 13, 2019
Platform: Microsoft Windows
Trend Micro has been made aware of recent research showing that an attacker could potentially abuse a weakness in Windows’ Encrypting File System (EFS) to encrypt supposedly protected files while bypassing many vendors’ endpoint security products.
Based on Trend Micro’s analysis of the research, it does appear that a specific attack technique may be able to take advantage of the weakness in Windows EFS to circumvent some of the anti-ransomware capabilities of endpoint protection software.
Trend Micro is currently researching and working on implementing some enhancements to our endpoint protection products with anti-ransomware capabilities to try and prevent these types of attacks (ETA still in development).
Exploiting these types of vulnerabilities requires that an attacker already has access (physical or remote) to a vulnerable machine; however, administrators and individual users may also want to carefully consider whether the benefits of continuing to use Windows’ EFS outweigh the potential risks.
One potential mitigation strategy is to disable Windows’ EFS, or to use a third-party file encryption system instead, until enhancements are made either at the Windows OS or security vendor level. Disabling EFS can be done via registry key, command line, Group Policy or Windows Services (depending on whichever method is most suitable for an environment).
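As an added illustration of the mitigation above (this is not Trend Micro’s code), the following PowerShell audits the EFS state on a single host and applies two of the disabling methods named in the advisory. It assumes the standard Windows registry value NtfsDisableEncryption and the service name EFS, and that it is run from an elevated session.

```powershell
# Added example (not from the advisory): audit and disable EFS on one host.
# Assumptions: registry value HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableEncryption
# and the Windows service named "EFS". A reboot is required for the NTFS setting to apply.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$regName = 'NtfsDisableEncryption'

function Get-EfsStatus {
    # Report whether new EFS encryption is blocked and how the EFS service is configured.
    $value = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    $svc   = Get-Service -Name 'EFS' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NtfsDisableEncryption = if ($null -eq $value) { 0 } else { [int]$value }
        EncryptionDisabled    = ($value -eq 1)
        EfsServiceStatus      = if ($svc) { $svc.Status.ToString() }    else { 'NotFound' }
        EfsServiceStartType   = if ($svc) { $svc.StartType.ToString() } else { 'NotFound' }
    }
}

function Disable-Efs {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Method 1: registry. Equivalent to the command line "fsutil behavior set disableencryption 1"
    # and to the Group Policy setting "Do not allow encryption on all NTFS volumes".
    if ($PSCmdlet.ShouldProcess("$regPath\$regName", 'Set DWORD to 1')) {
        Set-ItemProperty -Path $regPath -Name $regName -Value 1 -Type DWord
    }
    # Method 2: Windows Services. Prevent the EFS service from starting at boot.
    # (Stopping may be refused on some builds because the service is hosted in lsass; the
    # startup-type change still takes effect after reboot.)
    if ($PSCmdlet.ShouldProcess('Service EFS', 'Stop and set StartupType=Disabled')) {
        Stop-Service -Name 'EFS' -Force -ErrorAction SilentlyContinue
        Set-Service  -Name 'EFS' -StartupType Disabled
    }
    Write-Warning 'Reboot required for NtfsDisableEncryption to take effect.'
}

# Audit first, then preview the change; drop -WhatIf to apply it.
Get-EfsStatus
Disable-Efs -WhatIf
```

Confirm on a test host that users can still open any files already encrypted with EFS before rolling the change out through Group Policy or configuration management.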
Trend Micro would like to thank the following individuals and/or organizations for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- Amit Klein of SafeBreach Labs
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.