EFS Assistan encypting question

Nov 19, 2008 at 8:33 AM
Edited Nov 19, 2008 at 1:24 PM

I have some questions:
1. When I download a Microsft hotfix from microsoft.com to a folder without encyption, the file will be encrypted. Why? Strange? Is it normal?
2. When I download a file from any other website to the same folder the file (which is not encrypted) the file stay without encrytion. It OK, it's normal.
3. When I download an attachment from e-mail, what is opened in Outlook Web Access, the file will be encypted. (the same unencrypted folder) Why?

Akos Molnar

Nov 23, 2008 at 1:09 AM
Hi Akos,  I'll try my best to address the presumed discrepancy.

In my experience with EFS, this kind of behaviour is usually because the applications that actually write the file to the "folder without encryption" are actually doing different things under different circumstances.  For example, it's typical that in cases (1) and (3), the application performing the download (I'm guessing Internet Explorer for (1), and Outlook Express/IE for (3)) is actually creating a temporary copy of the file as it's being downloaded, and then moves the file to its ultimate destination.  [When a file is EFS-encrypted and then "moved", it will retain its encryption IF the file is moved within the same drive - even if the target folder is not encrypted.]

On the other hand, (2) would normally indicate that the downloaded file was either (a) being downloaded directly to the target folder (with no temporary spooling going on while the download occurs), or (b) being downloaded to a temporary location and then copied to its ultimate destination.  [When a file is EFS-encrypted and then "copied", the original will remain encrypted, but the copy will not be encrypted if the target folder is not encrypted.]

While I agree that (1) and (2) would make more sense if they had the same effect on the downloaded files, I'd bet that under the hood, you'll find there's some slight difference in the behaviour between them.  If you're really looking for a clear answer on why these two are different, I would recommend re-running your download tests while a copy of Process Monitor (from www.sysinternals.com) was running in the background.  It'll give you way more information than you need, but if you get logs for both (1) and (2), filter out all the non-download activity, and look for any differences in behaviour (the columns "Operation" and "Path" will be where you should find the delta), I would bet you'll find evidence of the behaviour difference.

if you have the time to do this investigation, and are able to pinpoint a difference (or no difference), please post your findings here if you can.  I know I'd be curious to find out what the findings are, and I'll bet there are plenty of other EFS admins who'd like to understand weird situations like this as well.