COMMAND

    InterScan VirusWall

SYSTEMS AFFECTED

    TrendMicro InterScan VirusWall

PROBLEM

    Michael W. Shaffer found the following.  This advisory concerns what
    seems to  be a  security 'feature'  in all  versions of  InterScan
    SMTP VirusWall for Windows NT  at least through version 3.4.   The
    problem is not with the functionality of the product but with  the
    behavior  of  its  installer.   This  issue  probably also affects
    installations of the FTP and  HTTP VirusWall options as well,  but
    our site only uses the SMTP 'module' of this product.

    The issue is  that the ISVW  installer appears to  use the 'cacls'
    command  to  adjust  the  permissions  of  the  InterScan  program
    directory after it completes the installation.  The alarming thing
    is  that  the  adjustment  which  is  made  is  the  addition   of
    'Everyone - Full  Control' to the  ACL.  This  action is taken  by
    the installer without any notification or question to the user and
    regardless  of  what  filesystem  permissions  were  set  on   the
    filesystem or parent  directory before the  install.  This  action
    also appears to be taken during  the course of an upgrade as  well
    as a clean install.

    As if this were not bad  enough, the installer also creates a  new
    file share  which exports  the same  InterScan program  directory;
    again with 'Everyone - Full Control' in the ACL and again  without
    any notification to the user during the installation.

    The result  of these  two actions  is that  immediately after  the
    installation  is  completed  there  will  be  a gaping hole in the
    machine on  which ISVW  resides which  allows access  to the  ISVW
    executables for anyone.   This share includes the  executables for
    the ISVW  service which  normally would  be started  each time the
    machine is booted.  The possibilities are easily imagined...

    In the real world, this feature affected one of our machines  when
    our Exchange administrator performed  an install.  Because  of the
    'Everyone - Full Control' share, all of the ISVW executables  were
    infected by a  wandering copy of  Win32 FunLove within  minutes of
    installation, and the entire server was subsequently infected when
    the ISVW service was started.

    Compounding this problem  is the fact  that in normal  operation a
    machine  running  ISVW   cannot  have  any   sort  of   anti-virus
    'auto-protect' system  turned on  since ISVW  and the auto-protect
    would fight over any temporary files used by ISVW to scan infected
    messages.  In  this case you  can only detect  the infection while
    running a manual virus scan a day or so after the installation.

SOLUTION

    Trend Micro has acknowledged that during installation, by default,
    InterScan VirusWall for Windows NT creates an "Intscan" share  for
    the "\InterScan" directory, and assigns the 'Everyone' group 'Full
    Control' permission on the  "Intscan" share.  The purpose  was  to
    enable and facilitate the InterScan plug-in, eManager, to access and
    process files in the InterScan  directory.  This had already  been
    documented in the InterScan VirusWall Read Me:

        Product Notes
        ==============================================================
        1. During installation,  InterScan creates and  shares certain
           directories  for  access  by  the optional eManager (e-mail
           content  filter)  plug-in.   By  default,  these shares are
           accessible  to  all  domain  members.   However,  you   can
           restrict access to only  specific accounts, or remove  them
           altogether if eManager will not be installed.

    To  tighten  security  of  the  InterScan  directory following its
    installation, please follow the instructions below.  If you're not
    using Trend eManager with  InterScan NT, you  may remove the "Intscan"
    share completely.

    If you're using Trend eManager with InterScan NT, you  may  remove
    the "Everyone" group from the  "Intscan" share, but make sure  you
    do assign  a restricted  account with  Full Control  permission to
    the "Intscan" share,  and provide this  account's credentials to  the
    eManager service.  This will allow the eManager service to log  on
    using this restricted account and have access to the "Intscan" share.
    An example  is to  set up  the "Intscan"  share to  allow  Domain
    Administrator Full  Control, and  then set  up the eManager service
    to start up using the Domain Administrator credential.
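    The following script is an added example, not part of the advisory
    and not Trend Micro's code.  It checks, from an administrator's side,
    for the two conditions the advisory describes ('Everyone - Full
    Control' in the NTFS ACL of the InterScan program directory, and the
    same entry on the "Intscan" share) and, when asked, applies the
    vendor's fix above: remove "Everyone", grant a restricted account, or
    delete the share if eManager is not used.  It assumes the install
    path C:\InterScan (the page only gives "\InterScan"), the share name
    Intscan, and a hypothetical service account DOMAIN\svc-emanager; it
    uses the SmbShare cmdlets (Windows Server 2012 / Windows 8 or later)
    in place of the cacls and net share commands of the NT era, and must
    run from an elevated prompt.

```powershell
<#
  Added example, not the advisory's or Trend Micro's code. Audits the NTFS ACL
  of the InterScan directory and the ACL of the "Intscan" share for an
  'Everyone' Full Control entry; with -Remediate it applies the vendor's fix.
  Assumptions: install path C:\InterScan, share name Intscan, and
  DOMAIN\svc-emanager as a hypothetical account for the eManager service.
  Needs the SmbShare module (Server 2012 / Windows 8 or later) and elevation.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $InterScanDir   = 'C:\InterScan',         # assumed install path
    [string] $ShareName      = 'Intscan',              # share name from the advisory
    [string] $ServiceAccount = 'DOMAIN\svc-emanager',  # hypothetical eManager service account
    [switch] $Remediate,                               # default is report-only
    [switch] $RemoveShare                              # use when eManager is not installed
)

$full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$sharePath = "\\$env:COMPUTERNAME\$ShareName"

# --- 1. NTFS permissions on the program directory (what the installer's cacls changed)
$acl = Get-Acl -Path $InterScanDir
$ntfsOpen = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    (($_.FileSystemRights -band $full) -eq $full)
})

if ($ntfsOpen.Count -eq 0) {
    Write-Output "NTFS: no 'Everyone' Full Control entry on $InterScanDir"
}
elseif ($Remediate -and $PSCmdlet.ShouldProcess($InterScanDir, "remove 'Everyone' ACEs")) {
    if ($ntfsOpen | Where-Object IsInherited) {
        # An inherited ACE cannot be removed directly: protect the DACL (keeping
        # copies of the inherited ACEs as explicit ones), write it back, re-read it.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $InterScanDir -AclObject $acl
        $acl = Get-Acl -Path $InterScanDir
    }
    # RemoveAccessRuleAll drops every Allow ACE for the identity, whatever its rights.
    $everyone = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', $full, 'Allow')
    [void] $acl.RemoveAccessRuleAll($everyone)
    if (-not $RemoveShare) {
        # The restricted account that will use the share still needs the files themselves.
        $svc = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $ServiceAccount, $full, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($svc)
    }
    Set-Acl -Path $InterScanDir -AclObject $acl
    Write-Output "NTFS: 'Everyone' removed from $InterScanDir"
}
else {
    Write-Warning "NTFS: 'Everyone' has Full Control on $InterScanDir (run with -Remediate to fix)"
}

# --- 2. The share the installer created over the same directory ----------------
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) {
    Write-Output "Share: '$ShareName' does not exist"
}
elseif ($RemoveShare) {
    if ($Remediate -and $PSCmdlet.ShouldProcess($sharePath, 'remove share')) {
        Remove-SmbShare -Name $ShareName -Force     # vendor's option when eManager is unused
        Write-Output "Share: '$ShareName' removed"
    }
    else {
        Write-Warning "Share: '$ShareName' exists; -Remediate -RemoveShare will delete it"
    }
}
else {
    $shareOpen = @(Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
    })
    if ($shareOpen.Count -eq 0) {
        Write-Output "Share: no 'Everyone' entry on $sharePath"
    }
    elseif ($Remediate -and $PSCmdlet.ShouldProcess($sharePath, "replace 'Everyone' with $ServiceAccount")) {
        # Grant the restricted account first so the share never sits with an empty
        # ACL, then revoke Everyone: the two steps from the vendor's solution.
        Grant-SmbShareAccess  -Name $ShareName -AccountName $ServiceAccount -AccessRight Full -Force | Out-Null
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
        Write-Output "Share: 'Everyone' replaced by $ServiceAccount on $sharePath"
    }
    else {
        $rights = ($shareOpen | ForEach-Object { $_.AccessRight }) -join ','
        Write-Warning "Share: 'Everyone' has $rights access on $sharePath (run with -Remediate to fix)"
    }
}
```

    Run it with no switches to report only; add -Remediate to replace
    "Everyone" with the service account on both the directory and the
    share, -Remediate -RemoveShare to delete the share when eManager is
    not installed, and -WhatIf to preview either change without applying
    it.  Re-running the audit after an upgrade is worthwhile, since the
    advisory notes the installer repeats the cacls step on upgrades.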

    Trend Online Knowledge Base  also contains information related  to
    this topic:

        http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=7123
        http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=4193

    Trend  Micro  is  currently  incorporating  changes  to  its  next
    version of  InterScan VirusWall  for NT,  which will  address this
    shared directory issue.  Users will be prompted with an option  to
    share the InterScan directory if they plan to install the eManager
    module.