Suggested Risk Level: Low
Type of Risk: Disabling security component.
Affected Software: VirusScan Enterprise 7.1.0 (client side, managed centrally by ePolicy Orchestrator), Scan Engine 4.4.00, the "VirusScan On-Access Scan" component.
OS Environment: Windows 2000 workstation with SP4 and all up-to-date Windows Update security and operational patches (may also be valid on Windows XP, but was not tested on XP).
Local / Remote activated: Local.

Summary: A McAfee administrator can choose to prevent a local user of the VirusScan client from disabling the "On-Access Scan" (the real-time memory virus monitoring and cleaning component) by making the "disable" button inactive within the "VirusScan On-Access Scan Statistics" dialog box. But just after a user logs on locally to the desktop, and after any period of time, until the first time the "VirusScan On-Access Scan Statistics" dialog box is opened, the user can double-click the "VirusScan On-Access Scan" icon on the task bar and the "disable" button will be active for about 5 seconds, sufficient time for the user to press this button. After pressing the "disable" button, the button's text changes to "enable", the "On-Access Scan" icon shows a "no entrance" sign, indicating it is disabled, and the "Network Associates McShield" service is in a "paused" mode. Once the 5-second period has passed, the button becomes disabled (grayed out) in whatever state it is in at that time, fixing the "On-Access Scan" component in its last state, which is one of two:
1. The button was not pressed -> Button shows "disable"; the "On-Access Scan" is active and the "Network Associates McShield" service is in a "started" mode.
2. The button was pressed -> Button shows "enable"; the "On-Access Scan" is disabled and the "Network Associates McShield" service is in a "paused" mode.
I rated this issue as "low" because it is mostly an interface-related issue, and the user must be a member of a local users group that can pause a service, i.e. "power users" or "Administrators", which are the most privileged user groups in the OS. This issue is relevant only in cases where the OS, particularly the interface, was heavily hardened (especially preventing access to the "services" console and preventing running any command line interface), but the user has access to the "VirusScan On-Access Scan Statistics" dialog box and is a member of the "power users" or "Administrators" groups.

Possible Abuses: Disabling the VirusScan real-time virus protection, exposing the OS to virus infection.

Reproduction:
1. Make sure the VirusScan policy prohibits users from disabling the "On-Access Scan" component.
2. Log on locally to the OS with a user that is a member of the "power users" or "administrators" group.
3. Wait any period of time you wish.
4. Double-click the "VirusScan On-Access Scan Statistics" icon on the task bar.
5. Click the "disable" button within 5 seconds.
6. Wait a few seconds for the button to gray out, fixing the "On-Access Scan" component in "disabled" mode.

Exploit Code: No need.

Direct resolution: None at the time of publishing this advisory.

Workarounds: Enable the "Do not show the system tray icon" policy option to prevent your users from opening the "VirusScan On-Access Scan Statistics" dialog box, and thus from reaching the "disable" button. (Using this workaround may alarm users, who may read the sudden absence of the icon as a sign of possible harm to the virus protection, and thus generate multiple support calls.)

Vendor Notification: McAfee was notified in May 2006 and has approved my findings. McAfee chose to include a fix for this issue as part of a major product update, which is scheduled to be released in the coming month/months.
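A defender-side check for the condition described above, added here and not part of the original advisory: it reads the state of the McShield service from `sc query` output and flags the "paused" mode that the disable button leaves behind, so a login script or monitoring job can catch a silently disabled On-Access Scan. It assumes the service's short name is "McShield" (the advisory gives only the display name "Network Associates McShield"); the sample output below is constructed.

```python
import re
import subprocess
import sys
# Assumption: short service name of "Network Associates McShield" (the advisory
# names only the display name).
SERVICE_NAME = "McShield"

# Current-state codes of a SERVICE_STATUS block as printed by `sc query`.
STATE_NAMES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING", 4: "RUNNING",
               5: "CONTINUE_PENDING", 6: "PAUSE_PENDING", 7: "PAUSED"}

# Constructed sample of `sc query McShield` output after the "disable" button
# was pressed: per the advisory the service goes to "paused", not "stopped".
SAMPLE_PAUSED = """SERVICE_NAME: McShield
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 7  PAUSED
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

def parse_state(sc_output):
    """Return the numeric STATE code from `sc query` output, or None when the
    block is missing (e.g. the service is not installed)."""
    m = re.search(r"^\s*STATE\s*:\s*(\d+)", sc_output, re.MULTILINE)
    return int(m.group(1)) if m else None

def assess(sc_output):
    """Map the service state to an operator verdict: only RUNNING (4) means
    On-Access Scan is protecting the host; PAUSED (7) is the state the
    advisory describes; anything else is also worth a look."""
    code = parse_state(sc_output)
    if code is None:
        return "UNKNOWN: service not found or output not understood"
    if code == 4:
        return "OK: On-Access Scan running"
    if code == 7:
        return "ALERT: On-Access Scan disabled (McShield PAUSED)"
    return "WARN: McShield in state " + STATE_NAMES.get(code, str(code))

def query_service(name=SERVICE_NAME):
    """Run `sc query <name>` on Windows and return its text output."""
    return subprocess.run(["sc", "query", name], capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Off Windows, exercise the parser on the constructed sample instead.
    output = query_service() if sys.platform == "win32" else SAMPLE_PAUSED
    print(assess(output))
```

Scheduling this at logon or at intervals turns the otherwise invisible paused state into a logged finding; resuming the service is an administrator action outside the scope of this check.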
Credit: Eitan Caspi, Israel
Email: eitancaspi@yahoo.com

Past security advisories:
1. http://online.securityfocus.com/bid/4053
   http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
   http://support.microsoft.com/kb/315085/en-us
2. http://online.securityfocus.com/bid/5972
   http://support.microsoft.com/?kbid=329350
3. http://online.securityfocus.com/bid/6280
   http://www.securityfocus.com/archive/1/301624
4. http://online.securityfocus.com/bid/6736
   http://online.securityfocus.com/archive/1/309442
5. http://www.securityfocus.com/bid/7046
   http://www.securityfocus.com/archive/1/314361
6. http://www.securityfocus.com/archive/1/393800
7. http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded

Articles: You can find some articles I have written at http://www.themarker.com/eng/archive/one.jhtml (filter: Author = Eitan Caspi (second name set), From year = 2000, Until year = 2002)

Eitan Caspi
Israel
Current Blog (Hebrew): http://www.notes.co.il/eitan
Past Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)