3 Replies Latest reply on Aug 3, 2010 8:03 PM by tmckinney

    Undetected files associated with FakeAlert-FakeSpy!env.a detections



      We're getting a lot of undetected files in users' temp folders related to detections of FakeAlert-FakeSpy!env.a in other locations.  The files in the temp folder are apparently the install/dropper files for what is being detected.  We're submitting these to McAfee and getting Extra.DATs for detections, but it's not really helping us address the root cause, which is how these install/dropper files are getting on the PC to install.  We do a good job of keeping the PCs updated for Microsoft security patches using SCCM, so I don't believe it's a Microsoft issue.  We also recently updated Flash and Shockwave to the most recent versions due to some news that there were possible issues with these being exploited through ads, but we're still having problems.  We are a few versions behind on Java, which is a possibility since the file java_install_reg.log is often modified at the same time.


      Is anyone else having problems like this or had problems like this?



        • 1. Re: Undetected files associated with FakeAlert-FakeSpy!env.a detections



          You have mentioned you do a good job with Microsoft patches and that you recently updated Flash and Shockwave, but have you checked what versions of Adobe Reader and Adobe Acrobat are in your environment?  We have seen a lot of malicious PDF files which are not getting detected by McAfee on a consistent basis, and the only way we were able to reduce the number of infections was by updating our 3rd-party software more frequently and removing administrator rights from users that do not need them.

          • 2. Re: Undetected files associated with FakeAlert-FakeSpy!env.a detections

            I wish we could remove Administrator rights but that is not possible at this time (we'll be looking at it again with Windows 7).   I know that they did send out an update for Acrobat but I'll have to confirm that it was the latest version and that older vulnerable versions were removed.


            Thanks for taking the time to reply.



            • 3. Re: Undetected files associated with FakeAlert-FakeSpy!env.a detections

              Disappointed to hear that your users retain admin rights.  If you use XP Pro, have you considered making your users Power Users instead of admins?  Still gives them the ability to install print drivers, but keeps them from having full-blown admin rights (although we had to concede adding read/write permissions for Power Users on Program Files).


              Regardless, the bad guys use a lot of methods to get into your machines.  In lieu of taking away internet access (wouldn't that make it a lot safer?), you could consider a gateway device on your internet access.  Also, Adobe Reader is often exploited by using obfuscated (hidden) Java or JavaScript code within the document... I think Reader has an option to disable Java in PDF documents.


              I see a lot of infections initially downloaded in the temp cache in the user's profile, often with a .tmp extension.  Hopefully you don't have .tmp as a file type extension exclusion.  Good Luck.
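
A triage sketch for the pattern this thread describes (an added example, not part of any post above): it finds Windows executables in a temp folder by file header rather than extension, so droppers named .tmp are not missed, and marks those modified close to java_install_reg.log. The five-minute window, the log sitting in the same temp folder, and all function names are assumptions; the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

MARKER_LOG = "java_install_reg.log"  # file named in the thread; location assumed
WINDOW_SECONDS = 300  # assumption: "same time" means within five minutes

def is_pe(path):
    """True if the file has the DOS 'MZ' magic and a valid PE signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            fh.seek(int.from_bytes(head[60:64], "little"))  # e_lfanew
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False

def triage_temp(temp_dir, window=WINDOW_SECONDS):
    """List executables under temp_dir, whatever their extension."""
    marker = Path(temp_dir) / MARKER_LOG
    marker_mtime = marker.stat().st_mtime if marker.is_file() else None
    findings = []
    for path in sorted(Path(temp_dir).rglob("*")):
        if not path.is_file() or not is_pe(path):
            continue
        mtime = path.stat().st_mtime
        findings.append({
            "path": str(path),
            "disguised": path.suffix.lower() not in (".exe", ".dll"),
            "near_java_log": marker_mtime is not None
                             and abs(mtime - marker_mtime) <= window,
        })
    return findings

def demo():
    """Run the triage over constructed sample files (no real malware)."""
    pe = b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little") + b"PE\0\0"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a1b2.tmp").write_bytes(pe)            # executable named .tmp
        (root / "notes.tmp").write_bytes(b"plain text")  # harmless .tmp
        (root / MARKER_LOG).write_text("constructed\n")
        (root / "setup.exe").write_bytes(pe)           # old, unrelated installer
        day_ago = (root / MARKER_LOG).stat().st_mtime - 86400
        os.utime(root / "setup.exe", (day_ago, day_ago))
        return triage_temp(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Files flagged as both `disguised` and `near_java_log` are the ones worth submitting first and correlating with browser history for the same minutes.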