Date: Mon, 19 Mar 2007 10:05:11 +0100
From: "Rogheden Anders" <Anders.Rogheden@....com>
To: "3APA3A" <3APA3A@...URITY.NNOV.RU>, <thesinoda@...mail.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Bypassing Mcafee Entreprise Password Protection

Hi!

According to what I can find, McAfee has not changed the default
permissions. Users can still not write to
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection. 

Is there anyone trusting the GUI password to be the only thing to keep
the VirusScan settings in an enterprise environment?

All the enterprise VirusScan environments I have seen have been
controlled by ePolicy Orchestrator (ePO) where all the settings have
been defined in ePO policies for the ePO managed McAfee products. These
ePO policies are then enforced on all the systems via the ePO agent in
configurable intervals (by default every 5 minutes).

So even if someone would be able to write to
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection the settings would
be reset (including password) within the chosen interval.

Sure, you can do a lot of bad stuff in 5 minutes but if you had the
access to change the registry would you rather not stop/disable the
services?  

To avoid getting the policies refreshed you would need to stop the
McAfee Framework Service or remove the policy files in C:\Documents and
Settings\All Users\Application Data\McAfee\Common Framework and block
the ePO agent from reaching the ePO server to get the policies again.

In VirusScan 8.5i you can set policies to block the ability to
stop/disable the McAfee service. This also means that local
administrators are not allowed to stop the services and could lead to
support problems.

/Anders
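
An added example, not part of the original message or any McAfee tooling: a PowerShell check that lists which principals hold write-type rights on the key named above, so the default-permissions claim can be verified on a given host. The function name and the allow-list of expected writers are assumptions to adjust to local policy.

```powershell
# Added example: audit write access on the VirusScan settings key from the post.
$keyPath = 'HKLM:\SOFTWARE\McAfee\DesktopProtection'   # key path quoted in the message

# Rights that allow changing values, subkeys, ownership or the ACL itself,
# plus the raw GENERIC_WRITE / GENERIC_ALL bits that can appear in inherited ACEs.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

# Principals expected to hold write access (assumption, not taken from the post).
$expectedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER
)

function Get-UnexpectedRegistryWriter {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }
    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs so the comparison does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($expectedSids -contains $sid) { continue }

        # Resolve a readable name where possible; orphaned SIDs stay as SIDs.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Key       = $Path
            Principal = $name
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# No output means only the expected principals can modify the key.
Get-UnexpectedRegistryWriter -Path $keyPath | Format-Table -AutoSize
```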
 
