Does HIPS 8 stop Conficker virus infection?
It is well known that this virus spreads via file shares, but we have some users who have to have full-access shares on their machines. Sometimes they have Conficker infections reported by VSE 8.8 because of the full-control file share. If we install HIPS 8, is it going to help stop the virus?
Thanks for the help.
You could possibly use the HIPS Firewall to block the network traffic ports used to propagate, but that would entail blocking all NetBIOS traffic, which would affect other application needs/uses.
From my theoretical reading that McAfee HIPS will block malicious exploits and threats, I wonder whether it is able to block the worm even if port 445 is not blocked?
The short answer is "Not really". If you have Conficker in your environment you need to be 100% sure the following settings are done:
1. Self-protection must be on.
2. On-Access Scanning must be enabled for Reads and Writes.
3. You MUST perform a full On-Demand Scan.
4. Buffer Overflow should be turned on
5. Artemis should be enabled at Medium
6. You should perform daily scans of memory (Memory for Rootkits & Running Processes)
7. You should have a DAT within the last 5-7 days (For Conficker something in the last year or two is probably fine)
8. You should be running at least VSE 8.7 or 8.8 (though if you haven't deployed 8.8 you probably need your head examined)
9. You should be current on the engine
10. You must scan "All Files" not just "Default plus additional". The latter option is only for debugging and makes VSE stupid.
Windows patches are worthless against Conficker. Once it gets into the environment it no longer uses the MS08-067 flaw to spread. Patching is a waste of time if you are already infected. Just do all 10 items above without any exceptions (which everyone should be doing anyways).