Solved

TrendMicro OfficeScan registry edit

Posted on 2015-01-06
5
Medium Priority
596 Views
Last Modified: 2015-01-07
Due to this security vulnerability, "Microsoft Windows Unquoted Service Path Enumeration":
Can a script be run to unload OfficeScan (which requires a password), make a registry edit, then restart OfficeScan?
0
Comment
Question by:GoHuskers
5 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40535387
Not that I know of any ready script for OfficeScan, but there are other scripts, as shared in:
a) MS forum - via SCCM DCM using VBScript
https://social.technet.microsoft.com/Forums/en-US/a34855ae-47e5-4567-bb1e-17bf6a97ab75/microsoft-windows-unquoted-service-path-enumeration

or b) PowerShell script for detection and remediation
http://www.ryanandjeffshow.com/blog/2013/04/11/powershell-fixing-unquoted-service-paths-complete/
0
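An added example (not the post's code, nor code from the two linked scripts) of the detection-and-remediation step the answer points to: it lists services whose unquoted ImagePath contains a space, and a separate function rewrites the path with quotes. It assumes an elevated PowerShell session and that the executable part of each path ends at ".exe".

```powershell
# Added example, not from the post or the linked scripts. Finds services whose
# ImagePath is unquoted and contains a space (the condition behind "Unquoted
# Service Path Enumeration") and can rewrite the path quoted. Assumes elevation.
function Get-UnquotedServicePath {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        # Read the raw value so %SystemRoot%-style paths are not expanded on read
        $raw = $key.GetValue('ImagePath', $null,
                 [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if (-not $raw) { continue }
        $image = [string]$raw
        if ($image.StartsWith('"')) { continue }           # already quoted
        # Executable part ends at the first ".exe"; anything after it is arguments
        $m = [regex]::Match($image, '^(?<exe>.*?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
        if (-not $m.Success) { continue }                  # drivers (.sys) etc.
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch '\s') { continue }              # no space: nothing to enumerate
        [pscustomobject]@{
            Name      = $key.PSChildName
            ImagePath = $image
            FixedPath = '"' + $exe + '"' + $m.Groups['args'].Value
            Kind      = $key.GetValueKind('ImagePath')     # REG_SZ or REG_EXPAND_SZ
            Key       = $key.PSPath
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true, Mandatory = $true)] $Finding)
    process {
        if ($PSCmdlet.ShouldProcess($Finding.Name, "ImagePath -> $($Finding.FixedPath)")) {
            # Preserve the original value type so expandable paths stay expandable
            Set-ItemProperty -Path $Finding.Key -Name ImagePath `
                -Value $Finding.FixedPath -Type $Finding.Kind
        }
    }
}

# Report first; -WhatIf previews the registry writes without making them.
Get-UnquotedServicePath | Format-Table Name, ImagePath, FixedPath -AutoSize
# Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

Services protected by a self-defense feature (as the thread describes for OfficeScan) may reject or revert the write, so check the report again after running the repair.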
 

Author Comment

by:GoHuskers
ID: 40535507
Thanks for the info on the scripts. I am using a version of it already to confirm the missing quotes.
You can't make the Trend fix unless you unload Trend first.
Trend's solution is to uninstall/re-install, which is way too resource intensive when all we have to do is unload Trend and add "'s in two places, etc.
So running a script to unload and running a script to make the registry changes makes more sense and is my goal.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40535648
In the past, for the key OfficeScan client services below (from the admin guide), others shared using net stop (and some resorted to looping taskkill /F /IM until it succeeded) on the services to eventually disable the client.
• OfficeScan NT Listener (TmListen.exe)
• OfficeScan NT RealTime Scan (NTRtScan.exe)
• OfficeScan NT Proxy Service (TmProxy.exe)
• OfficeScan NT Firewall (TmPfw.exe); if the firewall was enabled during installation
• Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe); only for computers running an x86 type processor

But later versions may already have client protection against such attempts, and even after changes, the protection will revert them to the original upon detection. In other words, changes to the registry will not be possible either, not to mention disabling these client services.

I was separately thinking of renaming such TM exe files and looping until it succeeds. In that window of opportunity, change the registry, but it may revert the content, so there is no guarantee.

Another option is to boot to safe mode and try, but if the protection is robust enough, this should not make any difference. There may not necessarily be a workable yet resource-saving means, since this seems to amount to bypassing the AV (as malicious code would attempt to do).

Maybe it is better for TM support to clarify the right approach, since this is a gap (there is a CVE for this vulnerability) in their solution.
0
 

Author Comment

by:GoHuskers
ID: 40535797
TM support wants uninstall/re-install and that's all they offer.

And you are right, it will not allow me to tskill any of them. The client protection must be in place, which is why we have it, I guess.

So unfortunately I do not think I can automate this at all.

Thanks for the input.
0
 
LVL 64

Expert Comment

by:btan
ID: 40535812
Thanks for sharing.
0
