What setting are you using to combat the fake AV malware

I'm running 8.7i with ePO server 4.5.

Now we are getting pounded by these fake AV programs like XP Security Tool and XP AV 2011. These programs show a fake AV screen saying you're infected, and they usually hide your programs and user data.

What settings are all of you using in your policies that you see helping to combat this infection?

Thanks for any help.

5 Replies
Stanw
Level 7
Message 2 of 6

Re: What setting are you using to combat the fake AV malware

McAfee released a 20-page PDF on this topic last week. It contains some info on ePO policy settings in Access Protection to fight the fake alerts.

https://kc.mcafee.com/corporate/index?page=content&id=PD23178

Regis
Level 12
Message 3 of 6

Re: What setting are you using to combat the fake AV malware

rdefino, what is your desktop patching strategy? Are you promptly patching all common web plugins (Adobe Reader, Adobe Flash, QuickTime, Java), or are you making the mistake of many environments and only patching Microsoft stuff?

FakeAV leverages exploit packs that use JavaScript to fingerprint the browser stack, identify vulnerable plugins or browsers, and dynamically redirect to a relevant exploit for that plugin. Malware authors test their dropper code against all the major AVs and don't release them until they pass through. They are very good at evading signature detection. The exploit pack vendors also have better technical support and release frequency than a lot of the AV vendors do! So it's a cat and mouse game the AV vendors are losing badly.

An environment I did some work for was getting their butts handed to them on fake AV (they were McAfee customers too), and after a large effort of implementing vulnerability scanning and getting religion about patching third-party web plugins, it's not a big problem any more. That's probably where the biggest bang for the buck is on time spent for the fake AV issue.
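The reply above recommends inventorying and patching third-party browser plugins rather than relying on AV signatures. As an added example, not part of the original thread or any McAfee tool, the following PowerShell script pulls the installed plugin versions from the standard Windows Uninstall registry keys so they can be compared against the vendors' current releases. The display-name patterns are assumptions about how each vendor registers its installer; adjust them to what appears in your own estate.

```powershell
# Added example (not from the thread): inventory the third-party browser
# plugins the reply calls out, by reading the Windows Uninstall registry keys
# that every MSI/EXE installer populates. Works on 32- and 64-bit systems.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName substrings to look for. These are assumed vendor naming
# conventions, not a definitive list; extend as needed.
$patterns = 'Adobe Reader', 'Adobe Flash Player', 'QuickTime', 'Java'

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Where-Object {
        $name = $_.DisplayName
        # Keep the entry if any pattern appears in its display name.
        ($patterns | Where-Object { $name -like "*$_*" }).Count -gt 0
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

# Show what is present on this host, with the version string each installer wrote.
$installed | Format-Table -AutoSize

# Write a per-host CSV so the results can be collected centrally and compared
# against the current vendor release, or fed to a vulnerability scanner.
$installed | Export-Csv -Path "$env:COMPUTERNAME-plugins.csv" -NoTypeInformation
```

Run it under an account that can read HKLM (any interactive user can) and collect the CSVs; any host whose DisplayVersion lags the vendor's current release is a candidate target for the exploit packs described in the reply.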

exbrit
Message 4 of 6

Re: What setting are you using to combat the fake AV malware

I know I am only a Moderator on the consumer side, but I read that PDF out of interest and am surprised that it only mentions the regular Stinger tool and not the Fake_Alert one. When it was written I believe they were possibly one and the same, but now they are two distinct entities:

Stinger

Fake-Alert Stinger
I'll alert the powers that be to have it revised.



Message was edited by: Ex_Brit on 16/07/11 9:00:52 EDT AM

Re: What setting are you using to combat the fake AV malware

Hi,

Thanks for picking up on this, Peter. The doc was produced prior to the most recent changes made to the Fake Alert Stinger; smart scan and fix-to-scan are the really important ones for Fake AV. I've asked the KB folks to amend the doc.

We're really keen to get feedback on the new Fake Alert Stinger. If you do have the opportunity to use it, please come and post about your experience in the new Top Threats space. I'm going to move this thread over there now.

Thanks,

Sam

exbrit
Message 6 of 6

Re: What setting are you using to combat the fake AV malware

Thanks, Sam. I guess you got my email on it.