When RTVScan tries to access a file, the operating system first determines whether the caller has the proper certificate to decrypt the file. If so, then the file is decrypted and access is granted. If not, the file is not decrypted, and an "Access denied" error is most likely returned to the program that tried to access the file. A manual or scheduled scan in RTVScan will log a Scan Omission error in the event log similar to "Scan could not open
Even if an error is returned, your computer is still protected from EFS-encrypted viruses. This is because an encrypted virus cannot run unless the proper user executes the file. Other users who attempt to run the virus are denied access to the file, and the file does not execute. For the proper user, RTVScan detects the virus before it is able to execute (assuming that you have the correct definitions to detect the virus).
A manual scan, or a scheduled scan that runs when the user that scheduled it is logged on, detects any viruses that were encrypted by that user. This is because RTVScan impersonates the user who is logged on when it runs the scan. Additionally, if the file is written to the drive before the file is encrypted, RTVScan detects the virus.