
Forensic Software: Can Sophos Endpoint Security Software interfere with EnCase?

firewire wrote: Can Sophos Endpoint Security Software interfere with EnCase processing particularly if the drive in question contains viruses?

Can it ... yes. Does it ... no idea.

Most AV software checks files that are opened, and sometimes also files that are closed after updates. Often, this is tied to suitably chosen file extensions (.EXE and .DLL files will be checked, .ZIP files may be checked, .TXT files probably aren't). Sometimes, it also depends on file size -- if the file is larger than N gigabytes, it will not be checked. Image files clearly are candidates for such exceptions.

What Sophos does ... it will probably depend on the actual configuration. But it should be easy enough to check: the EICAR test 'virus' file (download it from the 'net) is identified by all AV solutions: place a copy in an otherwise safe and average sized image, and do your processing.
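The check suggested in the reply above, sketched as an added example that is not part of the original post: it writes a bare EICAR file as a control and a constructed raw blob with EICAR embedded, then reads both back and reports whether each was left alone, altered, or blocked. The file names, the `.dd` extension, the 1 MiB size, the offset and the status labels are assumptions; a zero-filled blob stands in for a real image, and the script only shows whether on-access scanning acts on the container when it is read, not what EnCase does with files inside it.

```python
import hashlib
import os
import tempfile

# Standard 68-byte EICAR test string, kept as two literals so the saved
# script does not contain the contiguous signature.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def write_sample(path, payload):
    """Write payload to path; return its SHA-256 as the known-good value."""
    with open(path, "wb") as f:
        f.write(payload)
    return hashlib.sha256(payload).hexdigest()

def make_image(size=1 << 20, offset=4096):
    """Constructed stand-in for an image: zero filler with EICAR embedded."""
    img = bytearray(size)
    img[offset:offset + len(EICAR)] = EICAR
    return bytes(img)

def read_status(path, expected, chunk=65536):
    """Read sequentially, as a processing tool would, and classify the result."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    except OSError:  # access denied, locked, or file removed (quarantined)
        return "blocked"
    return "unchanged" if h.hexdigest() == expected else "modified"

def run_check(workdir):
    """Compare a bare EICAR file (control) with EICAR inside an image."""
    results = {}
    for name, ext, payload in (("control", ".com", EICAR),
                               ("image", ".dd", make_image())):
        path = os.path.join(workdir, name + ext)
        try:
            results[name] = read_status(path, write_sample(path, payload))
        except OSError:  # the write itself was refused
            results[name] = "blocked"
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(run_check(d))
```

A result of `blocked` for the control and `unchanged` for the image indicates on-access scanning is active but did not act on the container; `unchanged` for both means the scanner was not watching that directory or file type at all.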
