Joined
Oct 31, 2018
Messages
101
Operating System
Windows 10
Antivirus
Sophos
#1
Hi,

I was wondering, is there a bootable AV that works with BitLocker?

AV companies tend to give these as free products, but would they work with a hard drive that’s encrypted with BitLocker?
 

Eddie Morra

Level 10
Content Creator
Joined
Aug 28, 2018
Messages
455
#2
If a bootable AV can access the decrypted contents of the encrypted hard drive (e.g. by knowing the password for decryption) then it would be a security flaw. If an AV can do it, so can anyone else.

Bootable AV (e.g. via recovery disk) will not be able to access the decrypted contents of the hard disk which is protected - there won't be any decrypted contents for it to try and access because you'd need to firstly know it was encrypted before you attempt to decrypt and would need to calculate a key to use for the decryption using a password.

However, if you're referring to simply a normal AV solution starting up at boot, then it will work fine because that is after the initial decryption procedure at boot (since only after the decryption procedure will Windows truly start up properly -> eventually you reach the AV kernel-mode software starting up early -> user-mode services for Session 0 -> login and the auto-spawned GUI in the background if it does that).

So unless you meant like those bootable scanners, then everything should work fine in theory.
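
Added example, not part of the original posts: a minimal Python sketch of how an offline rescue scanner can recognize a BitLocker-protected volume from the OEM ID in its boot sector (`-FVE-FS-` instead of `NTFS`) and report it as not scanned rather than clean. The volume names and sample sectors are constructed, and the code assumes the first 512 bytes of each volume have already been read.

```python
# Added example (not from the thread): how an offline scanner can tell that a
# volume is BitLocker-protected before it tries to scan it.
SECTOR_SIZE = 512
OEM_ID = slice(3, 11)              # 8-byte OEM ID field of a volume boot sector
BITLOCKER_OEM_ID = b"-FVE-FS-"     # written by BitLocker (Windows Vista and later)
NTFS_OEM_ID = b"NTFS    "          # plain, unencrypted NTFS


def classify_boot_sector(sector: bytes) -> str:
    """Return 'bitlocker', 'ntfs' or 'unknown' for the first sector of a volume."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte boot sector")
    oem_id = sector[OEM_ID]
    if oem_id == BITLOCKER_OEM_ID:
        return "bitlocker"
    if oem_id == NTFS_OEM_ID:
        return "ntfs"
    return "unknown"


def scan_plan(volumes: dict) -> dict:
    """Map each volume name to what the rescue scanner should report for it."""
    actions = {
        "ntfs": "scan",
        "bitlocker": "not scanned: encrypted, unlock with password or recovery key first",
        "unknown": "not scanned: unrecognized file system",
    }
    return {name: actions[classify_boot_sector(s)] for name, s in volumes.items()}


def make_sector(oem_id: bytes) -> bytes:
    """Build a constructed 512-byte boot sector carrying the given OEM ID."""
    jump = b"\xeb\x58\x90"         # placeholder jump instruction
    body = bytes(SECTOR_SIZE - len(jump) - len(oem_id) - 2)
    return jump + oem_id + body + b"\x55\xaa"


# Constructed sample input: hypothetical volume names, synthetic sectors.
SAMPLE_VOLUMES = {
    "usb_stick": make_sector(NTFS_OEM_ID),
    "system_disk": make_sector(BITLOCKER_OEM_ID),
}

if __name__ == "__main__":
    for name, action in scan_plan(SAMPLE_VOLUMES).items():
        print(f"{name}: {action}")
```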
 
Joined
Oct 31, 2018
Messages
101
Operating System
Windows 10
Antivirus
Sophos
#3
> If a bootable AV can access the decrypted contents of the encrypted hard drive (e.g. by knowing the password for decryption) then it would be a huge security flaw.
>
> Bootable AV (e.g. via recovery disk) will not be able to access the decrypted contents of the hard disk which is protected - there won't be any decrypted contents for it to try and access because you'd need to firstly know it was encrypted before you attempt to decrypt and would need to calculate a key to use for the decryption using a password.
>
> However, if you're referring to simply a normal AV solution starting up at boot, then it will work fine because that is after the initial decryption procedure at boot (since only after the decryption procedure will Windows truly start up properly -> eventually you reach the AV kernel-mode software starting up early -> user-mode services for Session 0 -> login and the auto-spawned GUI in the background if it does that).
>
> So unless you meant like those bootable scanners, then everything should work fine in theory.

Thanks - I am referring to whether there is an AV which can operate from a USB stick after the disk has been decrypted (and thus the boot choice has already been made) but before the Windows kernel begins loading, or at least when just a minimal part has been loaded. This should be feasible if the AV has also been installed instead of using it for the first time via a USB stick.

As the boot is not from a USB, it could equally well be a hidden disk partition that has the AV, but a fresh USB is less likely to be compromised (leaving open to vulnerability only the AV’s kernel modules) - so not referring to booting via USB.
 

Eddie Morra

Level 10
Content Creator
Joined
Aug 28, 2018
Messages
455
#4
As long as the decryption procedures have been completed then anything after that should in theory work fine to my knowledge... however anything before the decryption procedures, instant no to it working properly in terms of being able to access the contents of the protected hard disk in a non-encrypted state as far as I am aware.
 
Joined
Oct 31, 2018
Messages
101
Operating System
Windows 10
Antivirus
Sophos
#5
> As long as the decryption procedures have been completed then anything after that should in theory work fine to my knowledge... however anything before the decryption procedures, instant no to it working properly in terms of being able to access the contents of the protected hard disk in a non-encrypted state as far as I am aware.

Indeed, before encryption it’s impossible, which is what complicates things - in principle what we say is doable; is there any AV vendor consumer product currently in the market that does it though?