TrendMicro OfficeScan Default Permissions Let Local Users Modify the Configuration
SecurityTracker Alert ID: 1010093
SecurityTracker URL: http://securitytracker.com/id/1010093
Date: May 7 2004
Denial of service via local system, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): prior to 6.5
A configuration vulnerability was reported in Trend Micro's OfficeScan. A local user can modify or disable the anti-virus service.
Matt reported that the default installation of OfficeScan assigns 'Everyone:Full Control' privileges to the installation directory (e.g., c:\officescan) and the 'HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp' registry entry. As a result, a local user can delete files or modify registry keys to change the anti-virus service configuration or cause the service to fail.
The vendor was reportedly notified on October 12, 2003.
A local user can modify the configuration settings or product files.
According to the report, the vendor has developed a patch to provide access controls for the registry keys, available from the vendor and from resellers:
This patch reportedly restricts certain client functions, such as the ability to run a manual scan.
According to the report, there is no fix available for the installation directory permission flaw.
Vendor URL: www.trendmicro.com/
Access control error, Configuration error
Underlying OS: Windows (Any)
Source Message Contents
Subject: Security issue with Trend OfficeScan Corporate Edition
Product: Trend OfficeScan
Product Description: Trend OfficeScan is a Corporate Antivirus product from
Vendor URL: http://www.antivirus.com
Versions affected: 3.0 - 6.0 (5.58 is latest version, not fixed until
Vendor notified: 12th October 2003
Vendor response: Patch supplied - see details
The default installation of Trend OfficeScan allows a non admin user to
disable the service, stopping the Antivirus software from working due to
weak permissions. The default permissions on a Trend OfficeScan installation
OfficeScan installation directory (c:\officescan client): "Everyone:Full
OfficeScan registry data
A user (or virus) simply needs to remove files or modify registry keys in
the locations above to cause the antivirus software to stop working.
Additionally, all OfficeScan options are configurable via the registry, e.g.
scan exclusion directories and file extensions to scan (or not scan) can be
configured. It is ironic that a product designed to increase the security of
corporate desktop computers has such weak security itself.
A patch has been developed which tightens security on the registry keys,
however stops certain client functions working (e.g. removes the ability for
the user to see which pattern file is installed, removes the ability to run
a manual scan on the PC). No patch has been supplied to tighten security on
the Trend installation directory. The registry patch is called
"OSCE_Hotfix_RegistryTool.zip" and is available by contacting your Trend
Beginning with Trend OfficeScan 6.5 there will be an option to tighten
security, however the default configuration will be to give Everyone:Full
Control on file system and registry keys.
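
An audit example for the weak default permissions described in this advisory, added here and not part of the advisory, the original report or any vendor tooling: it lists allow-ACEs that give broad groups write, delete or ownership rights on the two locations the advisory names. The directory is the advisory's example path, and checking Authenticated Users and BUILTIN\Users in addition to Everyone is an assumption of this example.

```powershell
# Added audit example (not from the advisory or the vendor).
# Targets are the locations named in the advisory; the directory is its example path.
$targets = @(
    'C:\officescan',
    'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp'
)

# Broad principals matched by well-known SID, so localized group names do not matter.
# Checking groups other than Everyone is an assumption of this example.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Access-mask bits that allow changing or removing content, shared by file and
# registry ACEs: write/append/set value (0x2, 0x4), delete child (0x40),
# DELETE, WRITE_DAC, WRITE_OWNER (0xD0000), GENERIC_ALL and GENERIC_WRITE (0x50000000).
$writeMask = 0x500D0046

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $broadSids.ContainsKey($sid)) { continue }
        # File ACEs expose FileSystemRights; registry ACEs expose RegistryRights.
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights
        } else {
            $ace.FileSystemRights
        }
        if (([int]$rights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$targets | ForEach-Object { Get-WeakAce -Path $_ } | Format-Table -AutoSize
```

An empty result means none of the listed groups holds a modifying right on either location; any row returned is an ACE to tighten.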