Marco, You don't have to be an administrator of the local machine to start and stop services. By default, members of the Power Users group have the ability to stop and start services on their local computer, which is probably what you are logged on as. Members of the Users group cannot, by default, stop and start services. I was able to stop my officescan service from a Power User account, but not from a User account (just checked to make sure Trend hadn't put in any proprietary settings). Your net admin should either not be giving out power user status or should be locking down services so that members of the Power Users group cant control their stop/start (which may or may not be possible). Trend is powerless against incorrect configuration, I'd imagine. /Seth Hall -----Original Message----- From: Marco Monicelli [mailto:marco.monicelli@xxxxxxxxxxxxxxx] Sent: Wednesday, July 14, 2004 2:28 AM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: Trend Micro Officescan for Win2k strange behaviour Importance: High Hello List! I've noticed the following "weird" behaviour of the Trend Micro Officescan client vers. 5.58 update to pattern 1.936.00 Engine 7.100 for WinXP/2k/NT: The AV client is protected for unloading the Realtime Scan agent prompting for a password (which I don't know of course). Moreover I have NOT admin rights which allows me to perform a full system scan but not to unload the client and/or the realtime protection. Playing with the "net" command on a DOS prompt, I found out that the AV launches itself and the realtime prot as services automatically. Then I tried to stop the services with the simple command net stop "OfficeScanNT Listener" net stop "OfficeScanNT RealTime Scan" Guess what? The two services have been successfully stopped from my system. What do you guys think of this? Should I advise the AV Company of this or this is normal behaviour? Tnx for feedback. Ciao Marco Monicelli MARCEGAGLIA SPA Automotive Sales Department Stainless Steel Division Tel. +39 0376 685369 Fax. +39 0376 685625 email: marco.monicelli@xxxxxxxxxxxxxxx
