
Malware execution from Remote desktop

Hi all,

Detections from Windows 7 to server were identified as "exploit-cve 2010-2568". Scanned the source machine and did not find any detections with VSE and Stinger scan.

Created an AP rule to block creation of new .lnk files and identified that this is executed by mstsc.exe; the user of the Windows 7 machine has taken RDP to one of the infected machines.

7/24/2014    11:19:45 AM    Blocked by Access Protection rule       C:\Windows\system32\mstsc.exe    E:\Old_Data_E\code\Misc_code\code_CI\B_C_I_1_2_0_new\libs\FlashUpgrade\NetFx_30_SP1_ENU_License.rtf.lnk    User-defined Rules:Ink being created    Action blocked : Create


Please suggest whether this is copying .lnk files from the remote desktop, or whether it is executing from the same machine only.
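To triage AP log lines like the one above, here is an added Python example (not from the post, nor McAfee's own code) that parses the tab-separated VSE Access Protection layout shown in the post and separates .lnk creates performed by mstsc.exe, which is how writes from the remote session land on a redirected local drive, from creates by other processes. The sample lines are constructed, and the seven-field layout is assumed from the one line in the post.

```python
import os

# Constructed sample of VSE Access Protection log lines in the tab-separated
# layout shown in the post (date, time, event, process, target, rule, action).
SAMPLE_AP_LOG = "\n".join([
    "7/24/2014\t11:19:45 AM\tBlocked by Access Protection rule\tC:\\Windows\\system32\\mstsc.exe"
    "\tE:\\Old_Data_E\\code\\NetFx_30_SP1_ENU_License.rtf.lnk"
    "\tUser-defined Rules:lnk being created\tAction blocked : Create",
    "7/24/2014\t11:20:02 AM\tBlocked by Access Protection rule\tC:\\Windows\\system32\\mstsc.exe"
    "\tE:\\Old_Data_E\\code\\readme.txt.lnk"
    "\tUser-defined Rules:lnk being created\tAction blocked : Create",
    "7/24/2014\t11:21:10 AM\tBlocked by Access Protection rule\tC:\\Windows\\explorer.exe"
    "\tC:\\Users\\bob\\Desktop\\Report.lnk"
    "\tUser-defined Rules:lnk being created\tAction blocked : Create",
])

def parse_ap_line(line):
    """Split one AP log line into its seven tab-separated fields, or None."""
    fields = [f.strip() for f in line.rstrip("\r\n").split("\t")]
    if len(fields) != 7:
        return None
    return dict(zip(("date", "time", "event", "process", "target", "rule", "action"), fields))

def _basename(path):
    return os.path.basename(path.replace("\\", "/"))  # Windows path on any OS

def is_rdp_redirected_lnk_create(ev):
    """mstsc.exe creating a .lnk on a local drive means the remote session wrote
    to the redirected tsclient share: the RDP client performs the write locally."""
    return (_basename(ev["process"]).lower() == "mstsc.exe"
            and ev["target"].lower().endswith(".lnk")
            and "create" in ev["action"].lower())

def mimics_existing_file(target):
    """Shortcut worms often name the .lnk after a real document (x.rtf.lnk)."""
    stem, _ = os.path.splitext(_basename(target))
    return os.path.splitext(stem)[1] != ""

def triage(log_text):
    """Count .lnk creates that came through mstsc.exe and which drives they hit."""
    events = [ev for ev in map(parse_ap_line, log_text.splitlines()) if ev]
    hits = [ev for ev in events if is_rdp_redirected_lnk_create(ev)]
    return {
        "rdp_lnk_creates": len(hits),
        "local_drives_written": sorted({ev["target"][:2].upper() for ev in hits}),
        "named_after_documents": sum(mimics_existing_file(ev["target"]) for ev in hits),
        "other_lnk_creates": len(events) - len(hits),
    }
```

If every hit comes from mstsc.exe onto a drive you mapped into the session, the files are being written from the remote host through drive redirection rather than by malware running locally.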

5 Replies

Re: Malware execution from Remote desktop

Morning,

If the current DAT does not detect the infection, I would suggest collecting 5 or 10 .lnk files and submitting them to McAfee Labs to be analyzed. They will send an extraDAT if the files are new detections.

https://kc.mcafee.com/corporate/index?page=content&id=KB68030

Best regards,

José María

Re: Malware execution from Remote desktop

Hi Jose,

The current DAT is detecting the infections. I wanted to know whether there is any possibility that RDP can copy infections from one machine to another.

As observed in the AP logs, it is executed by mstsc.exe.

Regards

Pradeep

Re: Malware execution from Remote desktop

It will be done only when you are doing any write operation with the infected RDP machine; doing normal RDP will not impact your existing machine.

Re: Malware execution from Remote desktop

If I understood correctly from the AP logs, mstsc.exe is trying to create some junk files and the rule is blocking the same.

If we isolate this machine and scan with any tool, no detections appear.

In that case mstsc.exe is only executed for Remote Desktop to the infected machine, and that is what is creating the problem.

Re: Malware execution from Remote desktop

Hi there,

You need to create an AP user-defined rule like this:

Sense títol.jpg

Please check the screenshot.

Best regards,

Jose Maria