Product: Trend OfficeScan
Product Description: Trend OfficeScan is a Corporate Antivirus product from Trend Microsystems
Vendor URL: http://www.antivirus.com
Versions affected: 3.0 - 6.0 (5.58 is latest version, not fixed until version 6.5)
Vendor notified: 12th October 2003
Vendor response: Patch supplied - see details

Details:

Because of weak permissions, the default installation of Trend OfficeScan allows a non-admin user to disable the service, stopping the antivirus software from working.

The default permissions on a Trend OfficeScan installation are:

  OfficeScan installation directory (c:\officescan client): "Everyone:Full Control"
  OfficeScan registry data (HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp): "Everyone:Full Control"

A user (or virus) simply needs to remove files or modify registry keys in the locations above to cause the antivirus software to stop working. Additionally, all OfficeScan options are configurable via the registry, e.g. scan exclusion directories and the file extensions to scan (or not scan) can be configured.

It is ironic that a product designed to increase the security of corporate desktop computers has such weak security itself.

A patch has been developed which tightens security on the registry keys; however, it stops certain client functions working (e.g. it removes the ability for the user to see which pattern file is installed, and removes the ability to run a manual scan on the PC). No patch has been supplied to tighten security on the Trend installation directory.

The registry patch is called "OSCE_Hotfix_RegistryTool.zip" and is available by contacting your Trend reseller.

Beginning with Trend OfficeScan 6.5 there will be an option to tighten security; however, the default configuration will be to give Everyone:Full Control on file system and registry keys.
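
A read-only audit of the two locations named above, added here as an example (it is not part of the original advisory or of any Trend tooling). It assumes a PowerShell host on the client; the Authenticated Users and BUILTIN\Users checks go beyond the advisory, which names only Everyone, and only the ACL of the top-level directory and key is inspected, not their children.

```powershell
# Added example: report ACEs that let non-admin principals tamper with the
# OfficeScan client. Read-only; it changes nothing on the system.
$Targets = @(
    'C:\officescan client',                       # install directory from the advisory
    'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp'   # registry data from the advisory
)

# Well-known SIDs, so matching does not depend on the Windows display language.
# Only Everyone is named in the advisory; the other two are assumptions added
# here because they also cover ordinary non-admin users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that permit tampering: write, delete, change ACL, take ownership.
$FsWrite  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$RegWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$GenericAllOrWrite = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE

function Get-WeakAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # not present on this host
    $acl = Get-Acl -LiteralPath $Path
    # Request SID identities (explicit and inherited rules).
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $rule.RegistryRights;   $mask = [int]$RegWrite
        } else {
            $rights = $rule.FileSystemRights; $mask = [int]$FsWrite
        }
        if (([int]$rights -band ($mask -bor $GenericAllOrWrite)) -ne 0) {
            [pscustomobject]@{
                Path = $Path; Principal = $BroadSids[$sid]
                Rights = $rights; Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = $Targets | ForEach-Object { Get-WeakAce -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No write-capable ACEs for broad principals found on the audited paths.' }
```

Any row reported for either path means a non-admin account can alter or remove the client's files or settings, which is the condition the advisory describes.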