RE: Trend Micro Officescan for Win2k strange behaviour

From: Seth Hall (seth_at_iotaengineering.com)
Date: 07/16/04

    To: <bugtraq@securityfocus.com>
    Date: Thu, 15 Jul 2004 17:09:49 -0700
    
    

    Marco,

    You don't have to be an administrator of the local machine to start and
    stop services.

    By default, members of the Power Users group have the ability to stop
    and start services on their local computer, which is probably what you
    are logged on as. Members of the Users group cannot, by default, stop
    and start services. I was able to stop my officescan service from a
    Power User account, but not from a User account (just checked to make
    sure Trend hadn't put in any proprietary settings).

    Your net admin should either not be giving out power user status or
    should be locking down services so that members of the Power Users group
    can't control their stop/start (which may or may not be possible).

    Trend is powerless against incorrect configuration, I'd imagine.

    /Seth Hall

    -----Original Message-----
    From: Marco Monicelli [mailto:marco.monicelli@marcegaglia.com]
    Sent: Wednesday, July 14, 2004 2:28 AM
    To: bugtraq@securityfocus.com
    Subject: Trend Micro Officescan for Win2k strange behaviour
    Importance: High

    Hello List!

    I've noticed the following "weird" behaviour of the Trend Micro Officescan
    client vers. 5.58 update to pattern 1.936.00 Engine 7.100 for WinXP/2k/NT:

    The AV client is protected for unloading the Realtime Scan agent prompting
    for a password (which I don't know of course). Moreover I have NOT admin
    rights which allows me to perform a full system scan but not to unload the
    client and/or the realtime protection.
    Playing with the "net" command on a DOS prompt, I found out that the AV
    launches itself and the realtime prot as services automatically. Then I
    tried to stop the services with the simple command

    net stop "OfficeScanNT Listener"
    net stop "OfficeScanNT RealTime Scan"

    Guess what? The two services have been successfully stopped from my system.

    What do you guys think of this? Should I advise the AV Company of this or
    is this normal behaviour?

    Tnx for feedback.

    Ciao

    Marco Monicelli
    MARCEGAGLIA SPA
    Automotive Sales Department
    Stainless Steel Division
    Tel. +39 0376 685369
    Fax. +39 0376 685625
    email: marco.monicelli@marcegaglia.com
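
An added example, not part of either message in this thread: one way to check whether a service's DACL lets non-administrators such as Power Users stop or reconfigure it, by parsing the SDDL string in the form that `sc sdshow` prints. The two descriptors are constructed samples, not values read from an OfficeScan installation, and the function names are hypothetical.

```python
import re

# Service meaning of the SDDL rights codes printed by `sc sdshow <service>`.
CONTROL_RIGHTS = {"RP": "start", "WP": "stop", "DT": "pause/continue",
                  "DC": "change config", "WD": "write DACL", "WO": "take ownership"}
MASK_BITS = {0x10: "RP", 0x20: "WP", 0x40: "DT", 0x2: "DC",
             0x40000: "WD", 0x80000: "WO"}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "PU": "Power Users",
            "BU": "Users", "AU": "Authenticated Users", "WD": "Everyone"}
PRIVILEGED = {"SY", "BA"}

# Constructed sample descriptors (assumption: not taken from a real install).
LOOSE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
TIGHT = LOOSE.replace("(A;;CCLCSWRPWPDTLOCRRC;;;PU)", "(A;;CCLCSWLOCRRC;;;PU)")

def rights_codes(field):
    """Turn an ACE rights field (letter codes or a hex mask) into a set of codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in MASK_BITS.items() if mask & bit}
    codes = set(re.findall("..", field))
    # GA (generic all) implies every control right; other generic codes are not expanded.
    return set(CONTROL_RIGHTS) if "GA" in codes else codes

def granted_rights(sddl):
    """Map trustee -> rights allowed; per trustee, the first ACE naming a right wins."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    granted, decided = {}, {}
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "D"):
            continue  # skip object ACEs and malformed entries
        codes = rights_codes(fields[2]) - decided.setdefault(fields[5], set())
        decided[fields[5]] |= codes
        if fields[0] == "A":
            granted.setdefault(fields[5], set()).update(codes)
    return granted

def risky_trustees(sddl):
    """Non-admin trustees that can control, reconfigure or re-ACL the service."""
    report = {}
    for trustee, rights in granted_rights(sddl).items():
        hits = sorted(CONTROL_RIGHTS[r] for r in rights if r in CONTROL_RIGHTS)
        if hits and trustee not in PRIVILEGED:
            report[TRUSTEES.get(trustee, trustee)] = hits
    return report

if __name__ == "__main__":
    print("loose:", risky_trustees(LOOSE))
    print("tight:", risky_trustees(TIGHT))
```

The check treats each trustee in isolation, so rights a user inherits through membership in several groups still have to be combined by the reviewer.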

