Subject: Responding to BugTraq ID 2014 - "Trend Micro InterScan VirusWall Shared Directory Vulnerability"
From: Richard Sheng (PM-US) (Richard_ShengTRENDMICRO.COM)
Date: Fri Dec 01 2000 - 17:58:02 CST


Hello,

This is to respond to BugTraq ID: 2014, "Trend Micro InterScan VirusWall
Shared Directory Vulnerability", posted on SecurityFocus.com on November 28,
2000.

Overview:
Trend Micro has acknowledged that during installation, by default, InterScan
VirusWall for Windows NT creates "Intscan" share to the "\InterScan"
directory, and assigns the 'Everyone' group with 'Full Control' permission
to the "Intscan" share. The purpose was to enable and facilitate InterScan
plug-in, eManager, to access and process files in the InterScan directory.

This had already been documented in the InterScan VirusWall Read Me:

        Product Notes
        ====================================================================
        1. During installation, InterScan creates and shares certain directories
           for access by the optional eManager (e-mail content filter) plug-in.
           By default, these shares are accessible to all domain members.
           However, you can restrict access to only specific accounts, or remove
           them altogether if eManager will not be installed.

Workaround:
To tighten security of the InterScan directory following its installation,
please follow the instructions below.

If you're not using Trend eManager with InterScan NT, you may remove the
"Intscan" share completely.

If you're using Trend eManager with InterScan NT, you may remove the
"Everyone" group from the "Intscan" share, but make sure you do assign a
restricted account with Full Control permission to the "Intscan" share, and
provide this account credential to the eManager service. This will allow
eManager service to log on using this restricted account, and have access to
the "Intscan" share. An example is to set up "Intscan" share to allow Domain
Administrator with Full Control, and then setting up eManager service to
start up using the Domain Administrator credential.

Trend Online Knowledge Base also contains information related to this topic.

        
        http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=7123

        http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=4193

Solution:
Trend Micro is currently incorporating changes to its next version of
InterScan VirusWall for NT, which will address this shared directory issue.
Users will be prompted with an option to share the InterScan directory if
they plan to install the eManager module.

Best Regards,

Richard Sheng
Product Manager
Trend Micro, Inc.
tel: 408-863-6353
fax: 408-257-1500
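
Added example (not part of the original message and not Trend Micro code): a PowerShell sketch of the workaround above that reports the share ACL on "Intscan", flags 'Everyone' with Full Control, and with -Apply performs one of the two options. It assumes a Windows version that ships the SmbShare cmdlets; the account name EXAMPLE\svc-emanager is a hypothetical placeholder for the restricted account.

```powershell
# Added example: audit and tighten the "Intscan" share described in the message.
# Assumption: the SmbShare module (Get-SmbShare, Get-SmbShareAccess, ...) is available.
param(
    [string]$ShareName      = 'Intscan',
    [string]$ServiceAccount = 'EXAMPLE\svc-emanager',  # hypothetical restricted account
    [switch]$UsesEManager,   # set when the eManager plug-in is installed
    [switch]$Apply           # without -Apply the script only reports
)

$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) {
    Write-Output "Share '$ShareName' is not present; nothing to do."
    return
}

# Report every entry on the share ACL and flag the default the message describes.
$acl = Get-SmbShareAccess -Name $ShareName
$acl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
$open = $acl | Where-Object {
    $_.AccountName -eq 'Everyone' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -eq 'Full'
}
if ($open) {
    Write-Warning "'Everyone' has Full Control on '$ShareName' ($($share.Path))."
}

if (-not $Apply) { return }

if (-not $UsesEManager) {
    # Option 1: eManager is not used, so remove the share completely.
    Remove-SmbShare -Name $ShareName -Force
}
else {
    # Option 2: grant the restricted account first, then remove 'Everyone',
    # so the eManager service never loses access in between.
    Grant-SmbShareAccess -Name $ShareName -AccountName $ServiceAccount `
        -AccessRight Full -Force | Out-Null
    if ($acl.AccountName -contains 'Everyone') {
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    }
    Get-SmbShareAccess -Name $ShareName |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
}
```

This changes share-level permissions only; the NTFS ACL on the "\InterScan" directory is separate and is not touched by the script.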