Undetected files associated with FakeAlert-FakeSpy!env.a detections

Hi,

We're getting a lot of undetected files in users' temp folders related to detections of FakeAlert-FakeSpy!env.a in other locations.  The files in the temp folder are apparently the install/dropper files for what is being detected.  We're submitting these to McAfee and getting Extra.dats for detections, but it's not really helping us address the root cause, which is how these install/dropper files are getting on the PC to install.  We do a good job of keeping the PCs updated for Microsoft security patches using SCCM, so I don't believe it's a Microsoft issue.  We also recently updated Flash and Shockwave to the most recent versions due to some news that there were possible issues with these being exploited through ads, but we're still having problems.  We are a few versions behind on Java, which is a possibility since the file java_install_reg.log is often modified at the same time.

Is anyone else having problems like this or had problems like this?

Scott

3 Replies

Re: Undetected files associated with FakeAlert-FakeSpy!env.a detections

Scott,

You have mentioned you do a good job with Microsoft patches and that you recently updated Flash and Shockwave, but have you checked what versions of Adobe Reader and Adobe Acrobat are in your environment?  We have seen a lot of malicious PDF files which are not getting detected by McAfee on a consistent basis, and the only way we were able to reduce the number of infections was by updating our 3rd-party software more frequently and removing administrator rights from users that do not need them.

Re: Undetected files associated with FakeAlert-FakeSpy!env.a detections

I wish we could remove Administrator rights but that is not possible at this time (we'll be looking at it again with Windows 7).   I know that they did send out an update for Acrobat but I'll have to confirm that it was the latest version and that older vulnerable versions were removed.

Thanks for taking the time to reply.

Scott

Re: Undetected files associated with FakeAlert-FakeSpy!env.a detections

Disappointed to hear that your users retain admin rights.  If you use XP pro, have you considered making your users Power Users instead of admins?  Still gives them the ability to install print drivers, but keeps them from having full blown admin rights (although we had to concede adding read/write permissions for Power Users on Program Files).

Regardless, the bad guys use a lot of methods to get into your machines.  In lieu of taking away internet access (wouldn't that make it a lot safer?), you could consider a gateway device on your internet access.  Also, Adobe Reader is often exploited by using obfuscated (hidden) Java or JavaScript code within the document... I think Reader has an option to disable JavaScript in PDF documents.

I see a lot of infections initially downloaded in the temp cache in the user's profile, often with a .tmp extension.  Hopefully you don't have .tmp as a file type extension exclusion.  Good Luck.
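Two observations in this thread lend themselves to a quick triage script: the original post notes that the dropper files turn up in the user's temp folder at about the same time java_install_reg.log is modified, and the reply above notes that the initial downloads often carry a .tmp extension. The following is an added example (not code from the thread or from McAfee) that walks a temp folder and flags files that are PE executables disguised with a .tmp extension, or whose modification time falls within a configurable window of a reference log's. The folder, file names and 120-second window are constructed assumptions; `build_sample_temp_dir` creates harmless sample files (a bare `MZ` header, not real malware) so the script runs offline.

```python
"""Triage a user's Temp folder for dropper-like files (added example, constructed data)."""
import os
import tempfile
import time
from pathlib import Path

PE_MAGIC = b"MZ"            # first two bytes of any Windows PE executable
CORRELATION_WINDOW_S = 120  # assumption: flag files modified within 2 minutes of the reference log


def triage_temp_folder(temp_dir, reference_log=None, window_s=CORRELATION_WINDOW_S):
    """Return [(file_name, [reasons])] for suspicious files under temp_dir.

    A file is flagged when:
      * it has a .tmp extension but starts with the PE 'MZ' header
        (an executable disguised as a temp file), or
      * its modification time lies within window_s of the reference log's
        (e.g. java_install_reg.log, as observed in the original post).
    """
    temp_dir = Path(temp_dir)
    ref_path = None
    ref_mtime = None
    if reference_log is not None:
        ref_path = Path(reference_log)
        if ref_path.exists():
            ref_mtime = ref_path.stat().st_mtime

    findings = []
    for path in sorted(temp_dir.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        with path.open("rb") as fh:
            head = fh.read(2)
        if path.suffix.lower() == ".tmp" and head == PE_MAGIC:
            reasons.append("pe_in_tmp")
        if (ref_mtime is not None and path != ref_path
                and abs(path.stat().st_mtime - ref_mtime) <= window_s):
            reasons.append("near_reference_log")
        if reasons:
            findings.append((path.name, reasons))
    return findings


def build_sample_temp_dir():
    """Create a throwaway folder with constructed sample files (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    now = time.time()
    old = now - 86400
    # Benign text file with a .tmp extension, a day old: should not be flagged.
    (root / "notes.tmp").write_bytes(b"just text")
    os.utime(root / "notes.tmp", (old, old))
    # A .tmp file that is really a PE image (fake header only): flagged as pe_in_tmp.
    (root / "ins123.tmp").write_bytes(PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    os.utime(root / "ins123.tmp", (old, old))
    # Reference log written "now", plus an executable written 30 s earlier.
    ref = root / "java_install_reg.log"
    ref.write_bytes(b"install log")
    os.utime(ref, (now, now))
    (root / "setup_xyz.exe").write_bytes(PE_MAGIC + b"\x00" * 60)
    os.utime(root / "setup_xyz.exe", (now - 30, now - 30))
    return root


if __name__ == "__main__":
    root = build_sample_temp_dir()
    for name, reasons in triage_temp_folder(root, root / "java_install_reg.log"):
        print(name, ",".join(reasons))
```

On a real machine you would point `triage_temp_folder` at `%USERPROFILE%\Local Settings\Temp` (XP) or `%LOCALAPPDATA%\Temp` and at the log you suspect; anything reported as `pe_in_tmp` is worth submitting, and a cluster of `near_reference_log` hits around an installer log points at the install path (here, the outdated Java) rather than at the AV signatures. The `.tmp` check is also the reason an extension exclusion on `.tmp` in the on-access scanner is a bad idea.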
