Bugtraq mailing list archives
Re: Responding to BugTraq ID 2014 - "Trend Micro InterScan VirusWall Shared Directory Vulnerability"
From: "Michael W. Shaffer" <shaffer () LABS AGILENT COM>
Date: Mon, 4 Dec 2000 11:43:23 -0800
On Fri, 1 Dec 2000, Richard Sheng (PM-US) wrote:
> Overview: Trend Micro has acknowledged that during installation, by default, InterScan VirusWall for Windows NT creates "Intscan" share to the "\InterScan" directory, and assigns the 'Everyone' group with 'Full Control' permission to the "Intscan" share. The purpose was to enable and facilitate InterScan plug-in, eManager, to access and process files in the InterScan directory. This had already been documented in the InterScan VirusWall Read Me:
I agree that the purpose of this action is both obvious and documented, and I am willing to admit a certain amount of responsibility on the part of the administrator for not reading the README thoroughly at each install and for not catching this *sooner*. However, the issue I have with this installer's behavior is that it seems to me to be nothing more than a lazy way for the vendor to reduce the number of calls to their support center related to the eManager plug-in.

I understand how your product does what it does, and I don't have a problem with a *reasonable* level of access being added to the filesystem and the share. IMO, the proper thing to do here would have been to add to the README for the eManager plugin a note that the administrator must *add* a group to the ACL for the share which corresponds to the users who will run eManager. That way, the system is safe *by default* and not wide open by default.

As an administrator, I would much rather have a product installed in a safe and even inactive mode and then go back to the docs to find out how to activate features and loosen up security as needed rather than have everything installed wide open so that it 'just works' and have to chase around making sure all the holes are closed.

Finally, I found it especially ironic and irritating that I would have to babysit a product in this manner which is supposed to be expressly designed to *increase* the security of my environment. Does it not seem particularly silly for an *AntiVirus* product to take an action by default which almost guarantees that it will itself be infected by a network aware virus sooner or later?

FWIW, I don't personally think that the product should ever, under *any* circumstances, add 'Everyone' to anything. If you are going to prompt for creation of the share, make the user select a group or user ID to add to the share for access control. This would make it clear to the user what they are doing and would place the decision in the administrator's hands as to what level of privilege they wish to assign for this function. Something like the eManager system is *not* point and click simple; the administrator *should* have to consciously think about what they are doing.
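
An added example, not part of the original message or any Trend Micro tooling: a PowerShell audit that finds shares granting 'Everyone' write-capable access, such as the "Intscan" share described above, and optionally swaps that grant for a named group. It assumes a current Windows host with the SmbShare cmdlets (Windows 8 / Server 2012 or later, not the NT systems of the thread); the parameter names and the group name in the comments are hypothetical, and it covers the share ACL only, not the NTFS ACL on the directory.

```powershell
# Audit SMB shares for an Allow entry that gives 'Everyone' Full or Change access.
# With -Fix, grant a named group first, then revoke the 'Everyone' entry.
param(
    [string]$ShareName,         # e.g. 'Intscan'; omit to audit all non-special shares
    [string]$ReplacementGroup,  # hypothetical, e.g. 'EXAMPLE\eManager-Admins'
    [switch]$Fix
)

# Resolve the well-known SID S-1-1-0 so the match also works on localized systems.
$sid      = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

$shares = if ($ShareName) { Get-SmbShare -Name $ShareName }
          else            { Get-SmbShare -Special $false }

$findings = foreach ($share in $shares) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccountName -eq $everyone -and
            [string]$_.AccessControlType -eq 'Allow' -and
            # 'Change' is included because it also allows writing to the share.
            [string]$_.AccessRight -in 'Full', 'Change'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                AccountName = $_.AccountName
                AccessRight = [string]$_.AccessRight
            }
        }
}

if (-not $findings) { Write-Output "No share grants $everyone Full or Change access."; return }
$findings | Format-Table -AutoSize

if ($Fix) {
    if (-not $ReplacementGroup) { throw 'Specify -ReplacementGroup before using -Fix.' }
    foreach ($f in $findings) {
        # Grant before revoking so the plug-in's users are never locked out mid-change.
        Grant-SmbShareAccess  -Name $f.Share -AccountName $ReplacementGroup `
                              -AccessRight Change -Force | Out-Null
        Revoke-SmbShareAccess -Name $f.Share -AccountName $everyone -Force | Out-Null
        Write-Output "$($f.Share): replaced $everyone with $ReplacementGroup (Change)."
    }
}
```

Run it without `-Fix` first to review the findings; the replacement right is Change rather than Full so the named group cannot alter the share's permissions.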
