SECURITY NOTE: Potential Security Bypass Issues with Windows EFS

Updated: 22 Jan 2020
Summary

Release Date: January 13, 2020
Platform: Microsoft Windows

Trend Micro has been made aware of recently published research showing that an attacker could abuse a weakness in the Windows Encrypting File System (EFS) to encrypt files that endpoint security products are supposed to protect, bypassing the anti-ransomware protection of many vendors' products.

Details

Trend Micro's analysis of the research confirms that a specific attack technique can take advantage of this weakness in Windows EFS to circumvent some of the anti-ransomware capabilities of endpoint protection software. Because the encryption itself is carried out by Windows' built-in EFS components rather than by code the attacker controls, the file activity that anti-ransomware features watch for does not originate from the attacker's own process in the usual way.

Trend Micro is developing enhancements to its endpoint protection products with anti-ransomware capabilities to prevent these types of attacks (no ETA yet).

 
Mitigation Techniques

Exploiting this weakness requires that an attacker already has access (physical or remote) to the target machine and can run code on it. Even so, administrators and individual users should carefully consider whether the benefits of continuing to use Windows EFS outweigh the risk.

One mitigation is to disable Windows EFS, or to use a third-party file encryption product instead, until fixes are available at the Windows OS or security vendor level. EFS can be disabled via the registry (the NtfsDisableEncryption value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem), the command line (fsutil behavior set disableencryption 1), Group Policy, or by disabling the EFS service in Windows Services, whichever method suits the environment. Before disabling it, inventory files that are already EFS-encrypted (cipher /u /n lists them) so that nothing in the environment still depends on EFS.
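The following PowerShell script is an added example of the single-host mitigation described above; it is not part of the Trend Micro note. It assumes an elevated prompt on a Windows 10 / Server host, that no workload on the host relies on EFS-encrypted files (it only lists them, it does not decrypt them), and that the host can be rebooted for the registry change to take effect.

```powershell
# Added example (not from the Trend Micro note): disable Windows EFS on one host
# using the registry value and fsutil setting the note mentions, then verify.
# Run from an elevated PowerShell prompt. A reboot is required for the
# NtfsDisableEncryption change to take effect.

$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

# 1. Inventory files that are already EFS-encrypted before changing anything.
#    'cipher /u /n' only lists them; it does not decrypt or re-key anything.
Write-Host '--- Existing EFS-encrypted files (review before proceeding) ---'
cipher /u /n

# 2. Record the current state so the change can be reverted later.
Write-Host '--- Current setting ---'
fsutil behavior query disableencryption

# 3. Disable EFS. NtfsDisableEncryption = 1 makes NTFS refuse new encryption
#    requests; this is the same value that 'fsutil behavior set disableencryption 1'
#    writes, so either method may be used.
Set-ItemProperty -Path $fsKey -Name 'NtfsDisableEncryption' -Value 1 -Type DWord

# 4. Also stop and disable the EFS service ('EFS' is the service name) so that it
#    cannot be trigger-started on demand.
#    Assumption: nothing on this host needs the EFS service.
Stop-Service -Name 'EFS' -Force -ErrorAction SilentlyContinue
Set-Service  -Name 'EFS' -StartupType Disabled

# 5. Verify the registry value and service state; fail loudly if either is wrong.
$value = (Get-ItemProperty -Path $fsKey -Name 'NtfsDisableEncryption').NtfsDisableEncryption
if ($value -ne 1) {
    throw "NtfsDisableEncryption is '$value', expected 1"
}
$svc = Get-Service -Name 'EFS'
if ($svc.StartType -ne 'Disabled') {
    throw "EFS service start type is '$($svc.StartType)', expected Disabled"
}
Write-Host "NtfsDisableEncryption = $value; EFS service is $($svc.StartType). Reboot to apply."
```

To revert, set NtfsDisableEncryption back to 0 (or run fsutil behavior set disableencryption 0), set the EFS service start type back to Manual, and reboot. For fleet-wide enforcement the equivalent Group Policy setting lives under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System, where file encryption using EFS can be set to "Don't allow"; the script above is for a single machine or for verifying that the policy has applied.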

 
Acknowledgement

Trend Micro would like to thank the following individuals and/or organizations for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

  • Amit Klein of SafeBreach Labs

 

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

Category: Remove a Malware / Virus
Solution Id: 000238693