https://jetico.freshdesk.com/a/tickets/44523      RedMine7838


 

Summary:
Investigate Microsoft Defender Offline scan on an encrypted system.
Usually the process is unable to start and the system reboots, even after the correct password is entered at the boot prompt.
The user claims that it works on his Win 10 and doesn't work on Win 11.
But I wasn't able to make it work on either the 10 or the 11 system.

STR:
1. Encrypt the system disk
2. Run Offline scan
3. Reboot
4. Enter the password at the boot prompt
Result:
Windows loading, CMD window, blue recovery-like screen, then crash (reboot again).


In my experiment, Windows Defender's Offline Scan could not operate on an encrypted volume, as follows: when the computer is rebooted, Offline Scan starts (as it should), but quickly realizes that the sectors on the volume contain random data and reboots.


As it turned out, Windows Defender only recognizes BitLocker: it asks for the BitLocker key for the system disk in order to scan it.

Windows Defender is not aware of other programs capable of encrypting the system disk, such as BCVE or VeraCrypt, so a system disk encrypted by one of them is unreadable to the offline environment.
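A preflight check for this situation, written here as an added example (it is not code from the ticket, from Jetico or from Microsoft): before launching Defender Offline, confirm that the system volume is either unencrypted or BitLocker-protected, and refuse to launch when a third-party full-disk-encryption driver is running, since that is exactly the case in which the offline environment reboots without scanning. It assumes an elevated PowerShell session on Windows with the BitLocker and Defender modules present; the driver service names in $ThirdPartyFdeDrivers are assumptions (the BCVE entry is a placeholder to be replaced with the real driver name after checking it on a test machine).

```powershell
# Added example, not code from the ticket or from Jetico/Microsoft.
# Preflight check before launching Microsoft Defender Offline on a machine
# whose system disk may be encrypted. Defender Offline only knows how to unlock
# BitLocker; a volume encrypted by a third-party FDE driver (BCVE, VeraCrypt)
# looks like random sectors to the offline environment, which then reboots.
# Assumptions: run elevated on Windows with the BitLocker and Defender
# PowerShell modules; the driver names below are assumed/placeholder values.

function Test-DefenderOfflineReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Kernel driver service names of third-party FDE products (assumed names;
        # verify with: Get-CimInstance Win32_SystemDriver | Select-Object Name, PathName).
        [string[]]$ThirdPartyFdeDrivers = @('veracrypt', 'BCVE_DRIVER_NAME_PLACEHOLDER')
    )

    $result = [ordered]@{ MountPoint = $MountPoint; Ready = $false; Reason = '' }

    # 1. Defender itself must be active, otherwise there is nothing to launch.
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AMServiceEnabled) {
        $result.Reason = 'Defender antimalware service is disabled'
        return [pscustomobject]$result
    }

    # 2. A running third-party FDE driver is the failure mode from the ticket:
    #    Defender Offline cannot unlock such a volume and will just reboot.
    $loaded = Get-CimInstance Win32_SystemDriver |
        Where-Object { ($ThirdPartyFdeDrivers -contains $_.Name) -and ($_.State -eq 'Running') }
    if ($loaded) {
        $names = ($loaded | ForEach-Object { $_.Name }) -join ', '
        $result.Reason = "third-party full-disk encryption driver running ($names); Defender Offline would reboot without scanning"
        return [pscustomobject]$result
    }

    # 3. BitLocker is the one encrypted case Defender Offline handles
    #    (it prompts for the key at reboot).
    $bl = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if ($bl -and $bl.VolumeStatus -ne 'FullyDecrypted') {
        $result.Ready  = $true
        $result.Reason = "BitLocker volume ($($bl.VolumeStatus)); have the recovery key ready"
        return [pscustomobject]$result
    }

    # 4. No encryption that Windows reports: the offline scan can proceed.
    $result.Ready  = $true
    $result.Reason = 'system volume is not encrypted by a product Windows reports'
    return [pscustomobject]$result
}

# Set to $true to actually start the offline scan when the check passes.
# Start-MpWDOScan reboots the machine, so it is opt-in here.
$Launch = $false

$check = Test-DefenderOfflineReadiness
$check | Format-List
if ($check.Ready) {
    if ($Launch) {
        Write-Host 'Launching Defender Offline; the machine will reboot.'
        Start-MpWDOScan
    } else {
        Write-Host 'Ready for Defender Offline; set $Launch = $true to start it.'
    }
} else {
    Write-Warning "Not launching Defender Offline: $($check.Reason)"
    Write-Warning 'Scan the disk from a clean system instead (attach it as a secondary drive and mount it with the encryption software), or decrypt the system disk first.'
}
```

The check is deliberately conservative: from inside the running OS a BCVE or VeraCrypt volume looks like plain NTFS, so the only reliable in-OS signal is the presence of the vendor's driver, which is why the driver list has to be confirmed per product rather than guessed.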

The same issue has been discussed by VeraCrypt users: https://sourceforge.net/p/veracrypt/discussion/technical/thread/b1bc59294a/


In particular, the following was said there:

"decrypting my system drive (took many hours) has allowed Defender Offline Scan to proceed."

"Anyway, I wouldn't use the built-in antivirus software of the infected system in the first place, as you cannot guarantee that it's not been compromised. You should put the affected drive into another, clean computer as a secondary drive, mount it and perform an offline scan from this clean system."


Apparently, the problem cannot be solved without some effort from the authors of Windows Defender. That effort could take one of two forms:

1) Ask the manufacturers of third-party encryption software how to mount an encrypted system disk, as Defender already does for BitLocker.

or:

2) Use the UEFI subsystem's drivers during the scan. By the time Windows Defender Offline starts, not only BCVE but also other such programs have already requested the password and are decrypting, on the fly, the data read from the disk through their UEFI drivers. Thus, by reading the disk through those UEFI drivers, Windows Defender would not have any issues.