what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Oct 9, 2006
Authored by Eitan Caspi

A flaw affects VirusScan Enterprise 7.1.0 where a local user can change administrative settings thereby disabling the "VirusScan On-Access Scan"

tags | advisory, local
SHA-256 | 00e002ff0b6f8425cb87a5ca755c48a9f993416f962538b2fc8a4ee618ae8bf8


Change Mirror Download
Suggested Risk Level: Low

Type of Risk: Disabling security component.

Affected Software: VirusScan Enterprise 7.1.0 (client side, managed
centrally by ePolicy Orchestrator), Scan Engine: 4.4.00, the "VirusScan
On-Access Scan" component.
OS Environment: Windows 2000 workstation w/SP4 and all the up-to-date
windows update security and operational patches (May be valid on Windows XP
as well, but was not tested on XP).

Local / Remote activated: Local.

A McAfee administrator can choose to prevent a local user of the VirusScan
client to disable the "On-Access Scan" (the real-time memory virus
monitoring and cleaning component) by making the "disable" button un-active
within the "VirusScan On-Access Scan Statistics" dialog box.

But, just after a user logs on locally to the desktop, and after any period
of time, until the first time the "VirusScan On-Access Scan Statistics"
dialog box is opened – the user can double click the "VirusScan On-Access
Scan" icon on the task bar and then the "disable" button will be active for
about 5 seconds, a sufficient time for the user to press the this button.

After pressing the "disable" button, the button will change its interface
text to "enable", the "On-Access Scan" icon will present a "no entrance"
sign, stating it is disabled, and the "Network Associates McShield" service
will be in a "paused" mode.

Once the 5 seconds period has passed – the button will become disabled
(grayed out) in whatever state it is at that time, stabilizing the
"On-Access Scan" component to its last state, which is one of two:
1. The button was not pressed -> Button shows "disable" ; the "On-Access
Scan" is active and the "Network Associates McShield" service will be in a
"started" mode.
2. The button was pressed -> Button shows "enable" ; the "On-Access Scan" is
disabled and the "Network Associates McShield" service will be in a "paused"

I rated this issue as "low" because it is mostly an interface related issue,
and the user must be a member of a local users group that can pause a
service, i.e. "power users" or "Administrators", which are the most
privileged users groups in the OS.

This issue is relevant only in a cases where the OS, particularly the
interface, was heavily hardened (especially preventing access to the
"services" console and preventing running any command line interface), but
the user has access to the "VirusScan On-Access Scan Statistics" dialog box
and is a member of the "power users" or "Administrators" groups.

Possible Abuses: Disabling the VirusScan real-time virus protection,
exposing the OS to virus infection.

1. Make sure the VirusScan policy is prohibiting users from disabling the
"On-Access Scan" component.
2. Log on locally to the OS with a user that is a member of the "power
users" or "administrators" group.
3. Wait any period time you wish.
4. Double click the "VirusScan On-Access Scan Statistics" icon placed on the
task bar.
5. Click the "disable" button within 5 seconds.
6. Wait a few seconds for the button to gray out, stabilizing the "On-Access
Scan" component in a "disabled" mode.

Exploit Code: No need.

Direct resolution: None at the time of publishing this advisory.

Workarounds: Enable the "Do not show the system tray icon" policy option –
to prevent your users from opening the "VirusScan On-Access Scan Statistics"
dialog box, and thus prevent them from reaching the "disable" button.
(Using this workaround may alarm the users that the sudden absence of the
icon is a sign of a possible harm to the virus protection and thus
initiating multiple support calls).

Vendor Notification: McAfee was notified in May 2006 and has approved my
findings. McAfee choose to include a fix for this issue as part of a major
product update, which is scheduled to be released in the coming

Eitan Caspi
Email: eitancaspi@yahoo.com

Past security advisories:








You can find some articles I have written at
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)

Eitan Caspi

Current Blog (Hebrew): http://www.notes.co.il/eitan
Past Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By