<<< Date Index >>>     <<< Thread Index >>>

McAfee VirusScan Enterprise - disabling the client side "On-Access Scan"



Suggested Risk Level: Low


Type of Risk: Disabling security component.


Affected Software: VirusScan Enterprise 7.1.0 (client side, managed
centrally by ePolicy Orchestrator), Scan Engine: 4.4.00, the "VirusScan
On-Access Scan" component.
OS Environment: Windows 2000 workstation w/SP4 and all the up-to-date
windows update security and operational patches (May be valid on Windows XP
as well, but was not tested on XP).


Local / Remote activated: Local.


Summary:
A McAfee administrator can choose to prevent a local user of the VirusScan
client to disable the "On-Access Scan" (the real-time memory virus
monitoring and cleaning component) by making the "disable" button un-active
within the "VirusScan On-Access Scan Statistics" dialog box.

But, just after a user logs on locally to the desktop, and after any period
of time, until the first time the "VirusScan On-Access Scan Statistics"
dialog box is opened – the user can double click the "VirusScan On-Access
Scan" icon on the task bar and then the "disable" button will be active for
about 5 seconds, a sufficient time for the user to press the this button.

After pressing the "disable" button, the button will change its interface
text to "enable", the "On-Access Scan" icon will present a "no entrance"
sign, stating it is disabled, and the "Network Associates McShield" service
will be in a "paused" mode.

Once the 5 seconds period has passed – the button will become disabled
(grayed out) in whatever state it is at that time, stabilizing the
"On-Access Scan" component to its last state, which is one of two:
1. The button was not pressed -> Button shows "disable" ; the "On-Access
Scan" is active and the "Network Associates McShield" service will be in a
"started" mode.
2. The button was pressed -> Button shows "enable" ; the "On-Access Scan" is
disabled and the "Network Associates McShield" service will be in a "paused"
mode.

I rated this issue as "low" because it is mostly an interface related issue,
and the user must be a member of a local users group that can pause a
service, i.e. "power users" or "Administrators", which are the most
privileged users groups in the OS.

This issue is relevant only in a cases where the OS, particularly the
interface, was heavily hardened (especially preventing access to the
"services" console and preventing running any command line interface), but
the user has access to the "VirusScan On-Access Scan Statistics" dialog box
and is a member of the "power users" or "Administrators" groups.


Possible Abuses: Disabling the VirusScan real-time virus protection,
exposing the OS to virus infection.


Reproduction:
1. Make sure the VirusScan policy is prohibiting users from disabling the
"On-Access Scan" component.
2. Log on locally to the OS with a user that is a member of the "power
users" or "administrators" group.
3. Wait any period time you wish.
4. Double click the "VirusScan On-Access Scan Statistics" icon placed on the
task bar.
5. Click the "disable" button within 5 seconds.
6. Wait a few seconds for the button to gray out, stabilizing the "On-Access
Scan" component in a "disabled" mode.


Exploit Code: No need.


Direct resolution: None at the time of publishing this advisory.
 

Workarounds: Enable the "Do not show the system tray icon" policy option –
to prevent your users from opening the "VirusScan On-Access Scan Statistics"
dialog box, and thus prevent them from reaching the "disable" button.
(Using this workaround may alarm the users that the sudden absence of the
icon is a sign of a possible harm to the virus protection and thus
initiating multiple support calls).


Vendor Notification: McAfee was notified in May 2006 and has approved my
findings. McAfee choose to include a fix for this issue as part of a major
product update, which is scheduled to be released in the coming
month/months.


Credit:
Eitan Caspi
Israel
Email: eitancaspi@xxxxxxxxx


 
Past security advisories:

1.
http://online.securityfocus.com/bid/4053
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us

2.
http://online.securityfocus.com/bid/5972
http://support.microsoft.com/?kbid=329350

3.
http://online.securityfocus.com/bid/6280
http://www.securityfocus.com/archive/1/301624

4.
http://online.securityfocus.com/bid/6736
http://online.securityfocus.com/archive/1/309442

5.
http://www.securityfocus.com/bid/7046
http://www.securityfocus.com/archive/1/314361

6.
http://www.securityfocus.com/archive/1/393800

7.
http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded


Articles:
You can find some articles I have written at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)


Eitan Caspi
Israel

Current Blog (Hebrew): http://www.notes.co.il/eitan
Past Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)