TrendMicro InterScan VirusWall shared folder problem

Type securityvulns
Reporter Securityvulns
Modified 2000-12-05T00:00:00


I could not find any reference to this particular issue on bugtraq, and as it seems rather serious I decided to submit it.

This message concerns what seems to be a security 'feature' in all versions of InterScan SMTP VirusWall for Windows NT at least through version 3.4. The problem is not with the functionality of the product but with the behavior of its installer. This issue probably also affects installations of the FTP and HTTP VirusWall options as well, but our site only uses the SMTP 'module' of this product.

The issue is that the ISVW installer appears to use the 'cacls' command to adjust the permissions of the InterScan program directory after it completes the installation. The alarming thing is that the adjustment which is made is the addition of 'Everyone - Full Control' to the ACL. This action is taken by the installer without any notification or question to the user and regardless of what filesystem permissions were set on the filesystem or parent directory before the install. This action also appears to be taken during the course of an upgrade as well as a clean install.

As if this were not bad enough, the installer also creates a new file share which exports the same InterScan program directory; again with 'Everyone - Full Control' in the ACL and again without any notification to the user during the installation.

The result of these two actions is that immediately after the installation is completed there will be a gaping hole in the machine on which ISVW resides which allows access to the ISVW executables for anyone. This share includes the executables for the ISVW service which normally would be started each time the machine is booted. The possibilities are easily imagined...

In the real world, this feature affected one of our machines when our Exchange administrator performed an install. Because of the 'Everyone - Full Control' share, all of the ISVW executables were infected by a wandering copy of Win32 FunLove within minutes of installation, and the entire server was subsequently infected when the ISVW service was started.

Compounding this problem is the fact that in normal operation a machine running ISVW cannot have any sort of anti-virus 'auto-protect' system turned on since ISVW and the auto-protect would fight over any temporary files used by ISVW to scan infected messages. In this case we only detected the infection while running a manual virus scan a day or so after the installation.

Our exchange administrator has had an ongoing dialogue with the support department at TrendMicro over the last several weeks, but they have yet to produce either a fix or an explanation for this behavior. The last communication we received from them stated that this problem would be fixed in version 3.4, but our testing indicates that this is not the case.

The only workaround we have found so far is:

  1. If at all possible, disconnect your machine from any network connections before the install.
  2. Run the install.
  3. Manually remove the share and adjust the filesystem ACL on the InterScan program directory to more sane values.
  4. Run a manual virus scan of the entire machine.
  5. Reconnect to the network and reboot or start the service.

As long as the share is removed and the filesystem permissions are adjusted manually, there should be no ongoing threat from this issue (at least until the next upgrade or install...).

If any of this appears to be innaccurate based on other experiences with this product, please do not hesitate to let me know.

-- Michael W. Shaffer email: Research Computing Services phone: +1 650.485.2955 Agilent Laboratories, Palo Alto fax: +1 650.485.5568