5 Replies Latest reply on Feb 22, 2011 12:55 PM by MikeyLikesIt522

    VSE 8.5 and FakeAV - why doesn't VSE detect it?

    kjhurni

      We have this happening more often lately, unfortunately.

       

      User visits a website, and starts getting the FakeAV stuff come up

      McAfee VSE 8.5 with Anti-Spyware finds/detects/prevents NONE of this.

       

      We can run a full scan, and it still won't find/detect anything

       

      Run Malwarebytes and voila, problem solved.

       

      I see some people claim that Artemis (in 8.7 I believe) may address this (we're in the process of rolling out 8.7, but performance is terrible, so we put it on hold and are checking into 8.8 instead).

       

      Others say SiteAdvisor.

       

      I just want to know why VSE 8.5i with Anti-Spyware won't detect/find one of the more prevalent malware out there?

       

      I'd submit something to McAfee, but I can't get the "virus" per se (it's not like it announces that it's saving file ABC to your computer and that's the virus). I have the website one can go to and try to infect themselves, however.

       

      It just seems fairly sad (as others have noted) that VSE with anti-spyware just doesn't seem to do much good against a lot (not all) of malware, whereas other software (malwarebytes, for example) seems to do a stellar job.

        • 1. Re: VSE 8.5 and FakeAV - why doesn't VSE detect it?
          joeleisenlipz

          I have certainly seen my share of missed detections with McAfee, but McAfee has always proven to quickly and accurately review/include submitted samples, and generally respond the same day with an Extra.DAT. That type of turnaround with other vendors is, um, well -- let's be nice -- not always as prompt.

           

          A quick spin through http://vil.nai.com gives me more than 1000 results for FakeAV malware. I would suggest that you focus your efforts on collecting a sample and submitting it either to McAfee, or to a community site like VirusTotal.com that will submit it to many vendors in a single shot.

          • 2. Re: VSE 8.5 and FakeAV - why doesn't VSE detect it?
            kjhurni

            Thanks for the info, but did you see my statement about how one goes about submitting a sample to McAfee, when they REQUIRE the actual "file" to send to them?  In this case, it doesn't seem to be an easily identifiable file on the actual workstation (seems to be something that gets loaded into memory rather than written to the hard drive and THEN loaded into memory).

            • 3. Re: VSE 8.5 and FakeAV - why doesn't VSE detect it?
              Attila Polinger

              Let me share my thoughts on this. I personally caught FakeAV twice on my computer and twice needed to fully reinstall. On the second infection I realized that this is what Access Protection may be for in the first place, and while my computer was still infected I engaged some Access Protection rules and could see live what was being done by this malware by looking at the Access Protection log. I could identify the root .DLL and one other file that worked within Internet Explorer. Both were rewriting certain registry branches with their values every 3 seconds.

               

              I even could cripple the IE-related file with AP rules, but the root DLL was so deep in registered device drivers (CLSID) that it always loaded before the VirusScan device drivers, so even when an AP rule was active, the file just got loaded before the McAfee AP device driver would have loaded. Therefore I decided to reinstall on the second occasion, too. (I should mention that I tried disinfecting with NOD32, which identified the file and said that it'd be deleted on reboot, but that never happened on reboot.)

               

              So I strongly suggest you use Access Protection in the future and try to engage some of the rules to see which is doing what; maybe you could identify the root file. On uninfected systems this can prevent embedding of the malware entirely or to a great extent.

               

              I consider such a trojan an ever-changing blended one, so do not expect that you'd be protected just because you have all the latest signatures and even Artemis; please also use Access Protection and please harden it by ticking "Prevent McAfee Services from being stopped".

               

              When investigating any suspicious malware I recommend using (psst) ESET's SysInspector; I found this handier than other tools.

               

              Attila

               

              Message was edited by: apoling on 18/02/11 09:28:55 CET

               

              Message was edited by: apoling on 18/02/11 09:32:49 CET
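The tell-tale behaviour in the post above is a file rewriting the same registry branches every 3 seconds. The following added example (not code from the thread, from McAfee, or from ESET) shows how a defender can turn that observation into a detection rule: it assumes an Access Protection log or other endpoint telemetry has already been parsed into (timestamp, process, key) write events, and the events used here are constructed sample data, not a real log.

```python
"""Flag registry keys that one process rewrites at a steady cadence.

Added example for the thread above; the event tuples are constructed and the
event format (seconds, process image, registry key) is an assumption about
how a parsed Access Protection log might look.
"""
from collections import defaultdict
from statistics import mean, pstdev

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample events: (seconds since boot, process image, registry key).
# The steady ~3 s rhythm on one key is the signal; the other writers are
# ordinary software touching keys once or at irregular times.
SAMPLE_EVENTS = [
    (10.0, "rundll32.exe", RUN_KEY),
    (13.0, "rundll32.exe", RUN_KEY),
    (16.1, "rundll32.exe", RUN_KEY),
    (19.0, "rundll32.exe", RUN_KEY),
    (22.0, "rundll32.exe", RUN_KEY),
    (11.0, "explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"),
    (40.0, "explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"),
    (12.0, "setup.exe", r"HKLM\Software\ExampleVendor\App"),
    (12.5, "setup.exe", r"HKLM\Software\ExampleVendor\App"),
    (30.0, "setup.exe", r"HKLM\Software\ExampleVendor\App"),
]


def find_periodic_rewrites(events, min_writes=4, max_jitter=0.5):
    """Return {(process, key): mean_interval} for keys rewritten on a timer.

    A (process, key) pair is flagged when it has at least `min_writes` writes
    and the gaps between consecutive writes vary by no more than `max_jitter`
    seconds (population standard deviation). Thresholds are tunable; a lower
    `min_writes` catches the behaviour sooner at the cost of more noise.
    """
    by_pair = defaultdict(list)
    for ts, proc, key in events:
        by_pair[(proc, key)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_writes:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged[pair] = round(mean(gaps), 2)
    return flagged


if __name__ == "__main__":
    for (proc, key), interval in find_periodic_rewrites(SAMPLE_EVENTS).items():
        print(f"{proc} rewrites {key} every ~{interval}s")
```

The rule keys on cadence rather than on which key is written, so it survives the malware changing the branch it targets; pair it with the process image and load path when you escalate, since the post notes the root component loaded earlier than the AV driver and may not be blockable by an AP rule alone.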
              • 4. Re: VSE 8.5 and FakeAV - why doesn't VSE detect it?
                kjhurni

                Thanks for the info. We already use Access Protection and we do already prevent McAfee services from being stopped (if you look at another thread in this forum you will see that even that setting can be circumvented).

                • 5. VSE 8.5 and FakeAV - why doesn't VSE detect it?

                  It seems there are so many variations of Fake AV that the signature changes at a pace far too rapid to deploy successful signatures. The problem can be circumvented via other methods, such as blocking web traffic to certain domain extensions. Once you have an affected PC, take a look at their browsing history; somewhere in there you will see that they were inadvertently redirected via scripting to some foreign domain. Once we started implementing blocking of various domains, i.e. *.cc, we saw the number of incidents go down dramatically, from a minimum of 5 a week to maybe 1 every two weeks if at all. Don't just mitigate the problem, figure out where it is coming from. That is half the battle.... ALSO ensure your PCs are patched regularly; JS vulnerabilities are exploited regularly.
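The reply above recommends two things: block traffic to domain extensions such as *.cc, and read the affected PC's browsing history back to the page that started the redirect. The following added example (not from the thread or any vendor) does both over a proxy-style log. It assumes a simple one-request-per-line format, "time client status url referrer", with "-" for an empty referrer; both the log lines and the blocklist pattern list are constructed for the example.

```python
"""Find requests into blocked domain extensions and trace them back to the
page the user actually visited.

Added example; the log format and all hosts are assumed/constructed.
"""
import fnmatch
from urllib.parse import urlparse

# Domain patterns to block; "*.cc" is the one named in the thread.
BLOCKED_PATTERNS = ["*.cc"]

# Constructed sample log, not real traffic: a legitimate news page loads a
# script, the script bounces through a redirector, and the browser ends up
# on a host under a blocked extension.
SAMPLE_LOG = """\
09:01:02 10.0.0.7 200 http://news.example.com/story.html -
09:01:03 10.0.0.7 200 http://news.example.com/js/ad.js http://news.example.com/story.html
09:01:03 10.0.0.7 302 http://redir.example.net/go?id=42 http://news.example.com/js/ad.js
09:01:04 10.0.0.7 200 http://scan-alert.example.cc/index.php http://redir.example.net/go?id=42
09:01:09 10.0.0.7 200 http://scan-alert.example.cc/setup.exe http://scan-alert.example.cc/index.php
09:02:00 10.0.0.8 200 http://intranet.example.com/ -
"""


def parse_log(text):
    """Turn the assumed 'time client status url referrer' lines into dicts."""
    rows = []
    for line in text.splitlines():
        time, client, status, url, referrer = line.split()
        rows.append({"time": time, "client": client, "status": int(status),
                     "url": url, "referrer": None if referrer == "-" else referrer})
    return rows


def is_blocked(url, patterns=BLOCKED_PATTERNS):
    """True when the URL's host matches any blocklist pattern (fnmatch '*' spans dots)."""
    host = urlparse(url).hostname or ""
    return any(fnmatch.fnmatch(host, pattern) for pattern in patterns)


def redirect_chain(rows, url):
    """Walk referrers backwards from `url` to the first page with no referrer.

    Returns the chain in visit order, so chain[0] is the site the user opened
    and chain[-1] is `url`. A referrer loop stops the walk instead of spinning.
    """
    referrer_of = {row["url"]: row["referrer"] for row in rows}
    chain = [url]
    while referrer_of.get(chain[-1]) and referrer_of[chain[-1]] not in chain:
        chain.append(referrer_of[chain[-1]])
    chain.reverse()
    return chain


def blocked_requests(rows):
    return [row for row in rows if is_blocked(row["url"])]


def report(text):
    """For each blocked request, return the client, the URL and how it got there."""
    rows = parse_log(text)
    return [{"client": row["client"], "url": row["url"],
             "chain": redirect_chain(rows, row["url"])}
            for row in blocked_requests(rows)]


if __name__ == "__main__":
    for hit in report(SAMPLE_LOG):
        print(f"{hit['client']} blocked {hit['url']}")
        print("  path: " + " -> ".join(hit["chain"]))
```

The chain output is what the reply calls finding "where it is coming from": the entry page and the intermediate redirector are the hosts worth a second look, while the *.cc hit itself is only the last hop. A whole-extension block is a blunt instrument, so keep an allowlist for legitimate hosts under a blocked extension and review the hits rather than treating every match as an infection.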