Open Source and information security mailing list archives
 
Message-ID: <9FBE22385DA7F84B98F392C319DB3601735B@iota.iota.com>
Date: Thu, 15 Jul 2004 17:09:49 -0700
From: "Seth Hall" <seth@...aengineering.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Trend Micro Officescan for Win2k strange behaviour



Marco,

You don't have to be an administrator of the local machine to start and
stop services.

By default, members of the Power Users group have the ability to stop
and start services on their local computer, which is probably what you
are logged on as. Members of the Users group cannot, by default, stop
and start services. I was able to stop my officescan service from a
Power User account, but not from a User account (just checked to make
sure Trend hadn't put in any proprietary settings).

Your net admin should either not be giving out power user status or
should be locking down services so that members of the Power Users group
can't control their stop/start (which may or may not be possible).

Trend is powerless against incorrect configuration, I'd imagine.

/Seth Hall


-----Original Message-----
From: Marco Monicelli [mailto:marco.monicelli@...cegaglia.com] 
Sent: Wednesday, July 14, 2004 2:28 AM
To: bugtraq@...urityfocus.com
Subject: Trend Micro Officescan for Win2k strange behaviour
Importance: High





Hello List!

I've noticed the following "weird" behaviour of the Trend Micro
Officescan client vers. 5.58 update to pattern 1.936.00 Engine 7.100
for WinXP/2k/NT:

The AV client is protected for unloading the Realtime Scan agent
prompting for a password (which I don't know of course). Moreover I
have NOT admin rights which allows me to perform a full system scan but
not to unload the client and/or the realtime protection.
Playing with the "net" command on a DOS prompt, I found out that the AV
launches itself and the realtime prot as services automatically. Then I
tried to stop the services with the simple command

net stop "OfficeScanNT Listener"
net stop "OfficeScanNT RealTime Scan"

Guess what? The two services have been successfully stopped from my
system.

What do you guys think of this? Should I advise the AV Company of this
or this is normal behaviour?

Tnx for feedback.

Ciao

Marco Monicelli
MARCEGAGLIA SPA
Automotive Sales Department
Stainless Steel Division
Tel. +39 0376 685369
Fax. +39 0376 685625
email: marco.monicelli@...cegaglia.com
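
An added example, not part of either message: one way for an administrator to audit which groups a service's access control list lets start or stop it, by parsing the SDDL security descriptor that `sc sdshow <service>` prints on Windows versions that provide it. The two descriptors below are constructed samples, the function names are hypothetical, and only ACEs naming the trustee directly are considered (no group-membership resolution).

```python
import re

# Service meaning of the SDDL right codes that let a trustee control or
# re-permission a service, with the access-mask bit for each.
CONTROL = {"RP": "start", "WP": "stop", "DT": "pause/continue",
           "DC": "change config", "WD": "rewrite DACL", "WO": "take ownership"}
BITS = {"RP": 0x10, "WP": 0x20, "DT": 0x40, "DC": 0x2, "WD": 0x40000, "WO": 0x80000}

def parse_dacl(sddl):
    """Return [(ace_type, {right codes}, trustee)] for the D: part, in ACE order."""
    m = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) != 6:
            continue                        # malformed ACE
        r = fields[2]
        codes = ({c for c, b in BITS.items() if int(r, 16) & b}
                 if r.startswith("0x") else set(re.findall("..", r)))
        aces.append((fields[0], codes, fields[5]))
    return aces

def control_rights(sddl, trustee):
    """Control rights the DACL gives one trustee (alias such as PU, or a SID string)."""
    granted, denied = set(), set()
    for ace_type, rights, who in parse_dacl(sddl):
        if who != trustee:
            continue
        if "GA" in rights:                  # generic all covers every service right
            rights = rights | set(CONTROL)
        hits = rights & set(CONTROL)
        if ace_type == "D":                 # ACEs are evaluated in order:
            denied |= hits - granted        # a deny only blocks rights not yet allowed
        elif ace_type == "A":
            granted |= hits - denied        # an allow only adds rights not yet denied
    return sorted(CONTROL[r] for r in granted)

# Constructed sample descriptors (not taken from the post or from a real host).
PERMISSIVE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
LOCKED = PERMISSIVE.replace("(A;;CCLCSWRPWPDTLOCRRC;;;PU)", "(A;;CCLCSWLOCRRC;;;PU)")

if __name__ == "__main__":
    for name, sddl in (("permissive", PERMISSIVE), ("locked", LOCKED)):
        print(name, "Power Users:", control_rights(sddl, "PU") or "query only")
```

In the first sample the Power Users (PU) entry carries RP, WP and DT, so that group can start, stop and pause the service; in the second the same entry keeps only query rights.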





