COMMAND

    VirusScan

SYSTEMS AFFECTED

    McAfee VirusScan

PROBLEM

    Jesper M. Johansson found following.  The SHSTAT.EXE component  of
    Virus Scan that  launches when a  user logs on  attempts to access
    the  registry  with  too  high  a  permission.   It  accesses  the
    following key:

        HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\McShield\CURRENTVERSION

    with Set Value and Create  Sub-Key permissions.  By default  under
    Windows 2000 Professional,  members of the  Users group have  only
    read permissions  on this  key.   This causes  SHSTAT.EXE to  fail
    when the user logs on and  throw up a dialog that says  "Unable to
    access local server".  If you audit failed accesses to this key in
    the registry, you get the following Security Event Log entry:

        Event Type:     Failure Audit
        Event Source:   Security
        Event Category: Object Access
        Event ID:       560
        Date:           4/14/2000
        Time:           7:46:30 AM
        User:           <DOMAIN>\<USER>
        Computer:       <COMPUTER>
        Description:
        Object Open:
                Object Server:  Security
                Object Type:    Key
                Object Name:    \REGISTRY\MACHINE\SOFTWARE\McAfee\VirusScan\McShield\CURRENTVERSION
                New Handle ID:  -
                Operation ID:   {0,972168}
                Process ID:     1168
                Primary User Name:      <USER>
                Primary Domain: <DOMAIN>
                Primary Logon ID:       (0x0,0xC2A75)
                Client User Name:       -
                Client Domain:  -
                Client Logon ID:        -
                Accesses                READ_CONTROL
                                Query key value
                                Set key value
                                Create sub-key
                                Enumerate sub-keys
                                Notify about changes to keys

                Privileges              -

    It  is  unclear  why  SHSTAT.EXE  would  need set value and create
    sub-key  permission  on  this  key.  Furthermore,  it  is   highly
    undesirable from  a security  standpoint to  allow ordinary  users
    set value permission  on this sub-key  since the key  contains the
    list of  items to  exclude from  scanning, the  list of extensions
    considered to be programs, and other sensitive information.

    Tested version  for all  this was  on 4.03a,  which apparently is,
    and is not, the most recent release that runs on NT, depending  on
    who you are.

    The subject  registry key  is in  a different  place in  VirusScan
    4.5.0.  It's in

        HKLM\Software\Network Associates\TVD\Shared Components\On Access Scanner\McShield\Configuration

    The USER rights on this key are READ ONLY - Query Value, Enumerate
    Subkeys, Notify and Read Control.   The rights for POWER USER  are
    SPECIAL  -  Query  Value,  Set  Value,  Create  Subkey,  Enumerate
    Subkeys, Notify, Delete and Read Control.  CREATOR OWNER has  FULL
    CONTROL **of subkeys only**.   ADMINISTRATOR and SYSTEM have  FULL
    CONTROL.   That's because  those rights  _under Windows  2000_ are
    inherited from  above.   From HKLM\Software  in fact.   Under NT 4
    those  permissions  are  considerably  loser  and actually include
    Create  Subkey,  Set   Value,  and  Delete,   by  default  on   NT
    Workstation.

    In 4.5 the  problem is basically  still there.   The program STILL
    tries to  access this  key with  Set Value  permission; apparently
    not  with  Create  Subkey  permission,  however.  Furthermore, the
    program actually runs  now, rather than  giving the error  message
    that you  got in  4.03a.   However, apparently  NAI still believes
    that  unprivileged  users  should  be  able  to override the virus
    scanner.

SOLUTION

    Nothing yet.