Encrypted files corrupted by Kaspersky Endpoint Security V10 SP2 and earlier

Description

Endpoint Cloud uses EFS (the Encrypting File System built into Microsoft Windows) to encrypt files on the user's computer.

Customers running Kaspersky Endpoint Security 10 SP2 or an earlier version may find their EFS-encrypted files corrupted after Kaspersky scans them.

The following video demonstrates this:

Cause

The corruption is caused by a known issue in Kaspersky Endpoint Security version 10 SP2 and earlier, documented in the Kaspersky Knowledge Base as:

PF1369, PF1536 Files encrypted by EFS are corrupted after scanning


The following entry in the Kaspersky log file shows the installed version (the install path names the "10 for Windows SP2" release):

Exec launched pid: 8568, "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe" -e -nsp

How to identify your version/installation history of Kaspersky: https://support.kaspersky.com/9342

Impact

When running Kaspersky Version 10 SP2 or earlier, a user's encrypted files may be corrupted.

This affects:

  • Users who enable the encryption option on their own files from Windows Explorer.

  • Endpoint Cloud customers with the DLP encryption option enabled where Endpoint Cloud is managing the encryption of user devices.

  • Any other product or service that leverages EFS to encrypt the user’s files.

Solution

  • Kaspersky has no documented repair for files that have already been corrupted. Affected customers must restore a working copy of the files from backup.

  • Before enabling encryption, confirm that a version later than Kaspersky Endpoint Security 10 SP2 is installed (see the version check above).

  • Endpoint Cloud customers should also let a backup complete for each user before enabling encryption, so that a known-good copy exists if files are later corrupted.
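The following PowerShell script is an added example, not part of the original article and not a Kaspersky or Endpoint Cloud tool. It ties together the two checks above: it reports the installed Kaspersky Endpoint Security version (from avp.exe, whose default path is taken from the log line in the Cause section, and from the Uninstall registry keys), and it inventories EFS-encrypted files with a SHA-256 hash so a second run after a scan can show which files became unreadable or changed. The install paths, the CSV locations and the choice of the user profile as the search root are assumptions.

```powershell
# Added example: check the Kaspersky Endpoint Security version and inventory
# EFS-encrypted files before and after a scan. Paths below are assumptions.

function Get-KesVersion {
    # Read the version from avp.exe (the binary named in the article's log line),
    # then cross-check the Uninstall keys, which also carry the install date.
    $candidates = @(
        'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe',
        'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe'
    )
    foreach ($exe in $candidates) {
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            [pscustomobject]@{ Source = $exe; Name = $vi.ProductName; Version = $vi.ProductVersion; InstallDate = $null }
        }
    }
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Kaspersky Endpoint Security*' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'registry'; Name = $_.DisplayName; Version = $_.DisplayVersion; InstallDate = $_.InstallDate }
        }
}

function Get-EfsInventory {
    param([string]$Root = $env:USERPROFILE)   # assumed search root
    # EFS sets the Encrypted attribute on files it protects. EFS decrypts
    # transparently for the owner, so the hash is over the plaintext; a file
    # that can no longer be opened is recorded with its error instead.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object {
            $hash = $null; $err = $null
            try   { $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
            catch { $err = $_.Exception.Message }
            [pscustomobject]@{
                Path      = $_.FullName
                Length    = $_.Length
                LastWrite = $_.LastWriteTimeUtc.ToString('o')
                SHA256    = $hash
                Error     = $err
            }
        }
}

function Compare-EfsInventory {
    param([string]$Before, [string]$After)
    # Flag files that were readable before but not after, or whose content hash
    # changed while the last-write time did not (i.e. nobody edited them).
    $old = @{}
    Import-Csv -LiteralPath $Before | ForEach-Object { $old[$_.Path] = $_ }
    Import-Csv -LiteralPath $After | Where-Object {
        $b = $old[$_.Path]
        if (-not $b) { return $false }
        $nowUnreadable = -not [string]::IsNullOrEmpty($_.Error) -and [string]::IsNullOrEmpty($b.Error)
        $silentChange  = ($_.SHA256 -ne $b.SHA256) -and ($_.LastWrite -eq $b.LastWrite)
        $nowUnreadable -or $silentChange
    }
}

# --- usage (assumed file locations) ---
Get-KesVersion | Format-Table -AutoSize

# Run 1, before the scan or before enabling encryption: inventory, then back up.
Get-EfsInventory | Export-Csv -LiteralPath "$env:TEMP\efs-before.csv" -NoTypeInformation

# Run 2, after the scan:
Get-EfsInventory | Export-Csv -LiteralPath "$env:TEMP\efs-after.csv" -NoTypeInformation
Compare-EfsInventory -Before "$env:TEMP\efs-before.csv" -After "$env:TEMP\efs-after.csv" |
    Select-Object Path, Error | Format-Table -AutoSize
```

Run the inventory in the context of the user who owns the files, since only their EFS key can decrypt them for hashing; an "Access is denied" error under the owner's account is itself a signal worth investigating. The search is limited to the profile by default; the built-in `cipher /u /n` lists every EFS-encrypted file on local drives if a wider sweep is needed. Files the comparison flags are candidates for restore from the backup taken after run 1.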