Security issue with Trend OfficeScan Corporate Edition
From: Matt Will Fix It (matt_will_fix_it_at_HOTMAIL.COM)
Date: Thu, 6 May 2004 20:43:51 +0100 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Product: Trend OfficeScan
Product Description: Trend OfficeScan is a Corporate Antivirus product from Trend Microsystems
Vendor URL: http://www.antivirus.com
Versions affected: 3.0 - 6.0 (5.58 is latest version, not fixed until version 6.5)
Vendor notified: 12th October 2003
Vendor response: Patch supplied - see details
The default installation of Trend OfficeScan allows a non admin user to disable the service, stopping the Antivirus software from working due to weak permissions. The default permissions on a Trend OfficeScan installation are:
OfficeScan installation directory (c:\officescan client): "Everyone:Full Control"
OfficeScan registry data (HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp) "Everyone:Full Control".
A user (or virus) simply needs to remove files or modify registry keys in the locations above to cause the antivirus software to stop working. Additionally, all OfficeScan options are configurable via the registry, e.g. scan exclusion directories and file extensions to scan (or not scan) can be configured. It is ironic that a product designed to increase the security of corporate desktop computers has such weak security itself.
A patch has been developed which tightens security on the registry keys, however stops certain client functions working (e.g. removes the ability for the user to see which pattern file is installed, removes the ability to run a manual scan on the PC). No patch has been supplied to tighten security on the Trend installation directory. The registry patch is called "OSCE_Hotfix_RegistryTool.zip" and is available by contacting your Trend reseller.
Beinning with Trend OfficeScan 6.5 there will be an option to tighten security, however the default configuration will be to give Everyone:Full Control on file system and registry keys.
Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <https://ticsa.trusecure.com> for certification details and <http://www.infosecuritycanada.com> for conference information. Become TICSA certified and see what happens!