hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
May 8 2004, 12:59 AM
QUOTE


Product:                   Trend OfficeScan
Product Description:  Trend OfficeScan is a Corporate Antivirus product from
Trend Microsystems
Vendor URL:              http://www.antivirus.com
Versions affected:      3.0 - 6.0 (5.58 is latest version, not fixed until version 6.5)

Details:

The default installation of Trend OfficeScan allows a non admin user to
disable the service, stopping the Antivirus software from working due to
weak permissions. The default permissions on a Trend OfficeScan installation
are:

OfficeScan installation directory (c:\officescan client): "Everyone:Full
Control"
OfficeScan registry data
(HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp) "Everyone:Full
Control".

A user (or virus) simply needs to remove files or modify registry keys in
the locations above to cause the antivirus software to stop working.
Additionally, all OfficeScan options are configurable via the registry, e.g.
scan exclusion directories and file extensions to scan (or not scan) can be
configured. It is ironic that a product designed to increase the security of
corporate desktop computers has such weak security itself.

A patch has been developed which tightens security on the registry keys,
however stops certain client functions working (e.g. removes the ability for
the user to see which pattern file is installed, removes the ability to run
a manual scan on the PC). No patch has been supplied to tighten security on
the Trend installation directory. The registry patch is called
"OSCE_Hotfix_RegistryTool.zip" and is available by contacting your Trend
reseller.

Beinning with Trend OfficeScan 6.5 there will be an option to tighten
security, however the default configuration will be to give Everyone:Full
Control on file system and registry keys.

tweakz20
May 8 2004, 01:13 AM
That's on a default installation though... I agree it should be set somehow different, but they take for granted that you would be smart enough to configure it before depending on it to secure your system
qcred11
May 8 2004, 02:18 AM
but.. you know sometimes admins just don't really care about or don't have enough knowledge to do that biggrin.gif .
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.