Security issue with Trend OfficeScan Corporate Edition
Product: Trend OfficeScan
Product Description: Trend OfficeScan is a Corporate Antivirus product from
Trend Microsystems
Vendor URL: http://www.antivirus.com
Versions affected: 3.0 - 6.0 (5.58 is latest version, not fixed until
version 6.5)
Vendor notified: 12th October 2003
Vendor response: Patch supplied - see details
Details:
The default installation of Trend OfficeScan allows a non admin user to
disable the service, stopping the Antivirus software from working due to
weak permissions. The default permissions on a Trend OfficeScan installation
are:
OfficeScan installation directory (c:\officescan client): "Everyone:Full
Control"
OfficeScan registry data
(HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp) "Everyone:Full
Control".
A user (or virus) simply needs to remove files or modify registry keys in
the locations above to cause the antivirus software to stop working.
Additionally, all OfficeScan options are configurable via the registry, e.g.
scan exclusion directories and file extensions to scan (or not scan) can be
configured. It is ironic that a product designed to increase the security of
corporate desktop computers has such weak security itself.
A patch has been developed which tightens security on the registry keys,
however stops certain client functions working (e.g. removes the ability for
the user to see which pattern file is installed, removes the ability to run
a manual scan on the PC). No patch has been supplied to tighten security on
the Trend installation directory. The registry patch is called
"OSCE_Hotfix_RegistryTool.zip" and is available by contacting your Trend
reseller.
Beinning with Trend OfficeScan 6.5 there will be an option to tighten
security, however the default configuration will be to give Everyone:Full
Control on file system and registry keys.