Thanks for the document. I have been looking into it.
Indeed, I wouldn't depend on AV alone either, but with the MS security updates and with a 3rd party piece of software\plugin with a name that implies protection from certain kinds of threats, it's a little disappointing when the software is still oblivious to this threat for this amount of time.
I'm starting to wonder if the AntiSpyware module for 8.5i is really worth the money or not at this point if it can't protect against AntiVirus 2009. I just don't see why they can't throw it into their dat database like they do with other threats.
I looked at the document you referenced for lockdown and I have to say it is quite involved and possibly quite overkill for most IT teams that may not have the time to set all those policies. And not to mention home users, who surely will not go through that entire document.
I know that if a new regular virus\worm\trojan was released today, I could rely on McAfee to release an extra.dat file by tomorrow or Friday, or incorporate the threat into one of their next dat releases.
With AntiVirus 2009, it has been months and months and still no detection for it. Doesn't make any sense to me, which is why I still refuse to believe there is no setting to allow the VirusScan 8.5i AntiSpyware module to catch it. There has to be some extra settings that will catch it \ protect against it.
Quote: "There is no magic bullet which finds everything, all the time" -Grif
Very true. Remember WinFixer?
I added 50 user defined detections to the ASE module via ePO, with executable names I gathered from various places. This Rogueware still gets in.
Educating users was also a bit helpful. I found that if they are told they can press Alt-F4 to close fake warning pop-ups, they just might do it. Last week I encountered a user who received an XP AntiVirus warning while browsing MySpace. AntiVirus/AntiSpyware XP 2008, 2009 and Vista flavors are very prevalent right now.
I've used a combo of VSE 8.5i with the McAfee AntiSpyware Module and Windows Defender on machines with some success. Decent hardware is required though.
I'm testing Access Protection rules on the Run Once registry key and All Users Start Up folders (ProgramData~Startup for Vista) right now, but these rules require a lot of patience.
Has anyone tried the paid version RogueRemoverPro from Malwarebytes? From what I've read it features some level of real-time protection, scanning for Rogue Software only.
I guess the main thing I don't understand is why they don't add the required signatures to the dat files so that the AntiSpyware module can detect these threats. I mean having to lock down desktops so tightly and notify users seems kinda like the last hope, the very last line of defense. It can be time consuming enough just having all the MS updates \ vscan dats updated, let alone adding another piece of software to the mix.
I think these pop-ups should be stopped the second they make it to a user's desktop, regardless of what the user does at that point. They shouldn't have to be told to hit the F4 key to abort. The antispyware module should kick in at that moment and do what it is designed to do, stop threats from reaching the desktop. It should stop the infection from occurring at that moment.
I think the product in question, specifically, AntiVirus 8.5i loaded with the antispyware module should be able to detect\remove these threats. What is making AntiVirus 2009 so special that it can not be stopped, even after all these months?
So the signature morphs and changes; McAfee has dealt with viruses and worms that do the exact same thing, and effective dats usually catch them a few days after the threats are released. This AntiVirus 2009 should be able to be stopped by McAfee and it is very disappointing it isn't.
Has anyone had this type of luck with Trend products as well? Anyone here who has used both products? Are you having the same issues with AntiVirus 2009 as well where your primary antivirus\spyware software fails to detect\clean this threat and you have to use MBAM instead?
I mean, let's take it one step farther. Let's say MBAM could catch AntiVirus 2009 (which it does just perfectly). Now let's say another piece of spyware comes along that it can't catch, but some other software product comes out similar to MBAM that can catch that threat, and so on, and so on. Pretty soon we will have to load our machines up with a ridiculous number of third party apps to catch all this spyware.
Isn't this the whole reason the McAfee Anti-Spyware module was designed?
I shouldn't have to load up MBAM and others on every desktop when I have a premium product like Vscan 8.5i and the AntiSpyware module installed. Am I the only person who thinks this way?
Depending on your internal software etc., here are some options to try that have limited our cases of AV 2009 being installed on the machines to 1 case in the last 10 months since we did this.
In McAfee 8.5i under Access Protection / Common Standard Protection, enable blocking for the following:
- Prevent common files from running from the temp folder
- Protect Internet Explorer settings
- Prevent installation of Browser helper objects
Under Max Protection section:
- Prevent new EXE files under the Windows folder
- Prevent autorun programs
Make sure your users have "Power User" rights only on the PC, not local Administrators.
This will help harden the OS / IE area so it cannot install on the machine
I agree more frequent DAT updates should be coming out, as this is a very annoying malware package, but we also need to harden our desktops and servers to reduce the variants.
Granted, by doing this it can cause issues with your desktop technicians installing new programs, but just provide them the ability to disable the AV to do updates / installs; then they can re-enable the software and the problem is solved.
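A way to check that the hardening described in the post above has actually landed on a workstation, as an added audit script (not from this thread or from McAfee): it lists the local Administrators group, the RunOnce keys and All Users Startup folder mentioned earlier in the thread, and the Browser Helper Objects Internet Explorer will load. It assumes Windows PowerShell run from an elevated prompt, and the function names are my own.

```powershell
function Get-LocalAdminMembers {
    # WinNT ADSI provider works on XP/Vista-era PowerShell (no Get-LocalGroupMember needed).
    $group = [ADSI]"WinNT://./Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-RunOnceEntries {
    # Autostart values a rogue installer drops; the Access Protection rules discussed
    # above are meant to stop writes here, so anything listed deserves a look.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { "$hive RunOnce: $($_.Name) = $($_.Value)" }
        }
    }
}

function Get-CommonStartupEntries {
    # 'Common Startup' resolves to the All Users Startup folder on both XP and Vista.
    $shell = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $path = (Get-ItemProperty -Path $shell).'Common Startup'
    if ($path -and (Test-Path $path)) {
        Get-ChildItem -Path $path | Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { "Startup: $($_.FullName)" }
    }
}

function Get-BrowserHelperObjects {
    # Each subkey is a CLSID; resolve it to the DLL Internet Explorer will load.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        Get-ChildItem -Path $bho | ForEach-Object {
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<unresolved>' }
            "BHO: $($_.PSChildName) -> $dll"
        }
    }
}

# Report: on a hardened box the last three functions should print nothing unexpected.
"Local Administrators: " + ((Get-LocalAdminMembers) -join ', ')
Get-RunOnceEntries
Get-CommonStartupEntries
Get-BrowserHelperObjects
```

Run it once after applying the Access Protection rules and again after a suspected infection attempt; a new RunOnce value, Startup item or BHO between the two runs is what the rules were supposed to block.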
My issue there is many of these tools were not designed for enterprise management - SpyBot, Lavasoft, Windows Defender... out of the box they may/will block parts of McAfee and systems management tools such as SMS/SCCM.
In our environment, where field users and developers are local admins, many people are installing the above tools as they discover McAfee is providing rudimentary at best, and in reality next to no, current Spy/Malware protection and does not keep pace with current issues. This leads to an Abbott & Costello routine where the machines may be more secure than if we managed them, but we can no longer fully manage them...
Agree McAfee has a long way to go in the Spyware biz, but Spybot does have an enterprise management tool (see below).
So you can always drop the support for McAfee spyware protection and change to another product. Granted, it is another tool to use and manage, but until the big 3, as I call them, come up to the plate, what choices do we really have?
I have tested Norton, Trend, Kaspersky, and McAfee with AV2009 and none of them catch it consistently... :eek:
The Spybot S&D Corporate Edition consists of two programs:
- The Spybot S&D Update and Configuration Server
- The Spybot S&D Corporate Edition client
Spybot S&D Update and Configuration Server is a web server offering Spybot-S&D updates for a local network, so that not every client needs to download the updates from the Internet. It either requests them from our servers at a user-defined interval or synchronizes only on user (the admin in this case) request, in case the admin wants to test the updates before releasing them to his network.
It can either use the web server integrated into the tool, or an external web server or a file share the tool has write access to.
Exactly. Another tool that we shouldn't have to manage from another company, and I doubt McAfee is going to give a refund on the Anti-Spyware component that seems useless.
We trust McAfee with our antivirus needs, yet if they can't manage malware, it makes one wonder if they are losing their touch at protecting our machines from anything. I know that sounds bitter, but I also know I am not the only one that feels a little ripped off by McAfee on this one. I mean c'mon, Antivirus2009 has been out forever now.
Anyone know if the 8.7i Vscan Antispyware component catches\stops AntiVirus 2009 yet? I haven't upgraded yet.