2 Replies Latest reply on May 4, 2011 4:49 PM by mkadel

    Plague with XP Security 2011 / Help with User Defined Rules

      Hello Everyone,


      I really need help with a problem I am having with this XP Security 2011 FakeAlert malware. Numerous workstations at our corporate location are being infected by this. By the use of Process Explorer, I have identified the file. The filename is random each time it infects a new workstation and is only 3 characters long. It also has the extension .exe.


      We have a pretty strong lockdown of our workstations, for instance, via the EPO server we have the setting enabled “Prevent all programs from running files from the Temp folder.”  Normally this blocks most FakeAlert malware, but this XP Security 2011 is circumventing this by executing the payload from C:\documents and settings\*\local settings\Application Data folder. 


      Now if this malware used the same filename, this would be an easy fix.  I would just create a User-defined Rule telling McAfee not to run the executable named xxx.exe.  Or even create the rule to not execute by doing C:\document and settings\**\local settings\Application data\filename.exe to ensure I don’t break anything else. 


      So what I can’t figure out is how to prevent an executable file that is changing filenames from running in the C:\document and settings\**\local settings\Application data directory. I have gone as far as creating a rule to prevent an executable from running with the following rule:


      C:\document and settings\**\local settings\Application data\*.exe


      Yes, this prevents the malware from executing from this directory, but unfortunately this also prevents normal day-to-day programs from running, like Microsoft Office applications, for example, though I don’t understand why this is, as the executable for Microsoft Word isn’t located in the C:\document and settings\**\local settings\Application data folder. So there seems to be some side effect of having this rule in place.

      My question is: is there a way to make this rule work just in the root of the Application data folder? Or is there another way to accomplish this? I am at a loss and I am open to suggestions. I have sent this file to McAfee via their website but have not had any response back from them. And when a workstation is infected by this FakeAlert malware, McAfee has no idea it is infected. After doing ODS scans, nothing is detected.


      Thank you for your help and suggestions in advance!
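      Added here as an illustration (not code from this thread or from McAfee): a small Python script that shows which paths a rule pattern like the one above would hit, and flags the three-character .exe sitting in the root of Local Settings\Application Data that the post describes, so an admin can check a rule against real paths before pushing it out. It assumes the common Access Protection wildcard convention that * stays within one folder while ** crosses folder boundaries (an assumption, not something this thread confirms), spells the profile folder as Windows does (Documents and Settings), and uses constructed sample paths.

```python
import re
from pathlib import PureWindowsPath

# Assumed wildcard semantics (not confirmed by the thread):
#   '*'  matches any characters within ONE path component (no backslash)
#   '**' matches any characters INCLUDING backslashes (crosses folders)
def rule_to_regex(rule: str) -> re.Pattern:
    parts = []
    for token in re.split(r'(\*\*|\*)', rule):
        if token == '**':
            parts.append(r'.*')
        elif token == '*':
            parts.append(r'[^\\]*')
        else:
            parts.append(re.escape(token))
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE)

def rule_matches(rule: str, path: str) -> bool:
    """True if the Access Protection style rule would cover this path."""
    return rule_to_regex(rule).match(path) is not None

# The rule from the post, with the folder name spelled out as Windows names it.
RULE = r'C:\Documents and Settings\**\Local Settings\Application Data\*.exe'

# Hunting check for the dropper described in the post: an .exe whose base name is
# exactly 3 characters, directly in the ROOT of Local Settings\Application Data.
ROOT_RE = re.compile(
    r'^C:\\documents and settings\\[^\\]+\\local settings\\application data$', re.I)

def looks_like_fakealert_dropper(path: str) -> bool:
    p = PureWindowsPath(path)
    return (p.suffix.lower() == '.exe'
            and len(p.stem) == 3
            and ROOT_RE.match(str(p.parent)) is not None)

# Constructed sample paths (not real infections).
SAMPLES = [
    r'C:\Documents and Settings\jsmith\Local Settings\Application Data\kdq.exe',
    r'C:\Documents and Settings\jsmith\Local Settings\Application Data\Google\Update\GoogleUpdate.exe',
    r'C:\Documents and Settings\All Users\Application Data\vendor\tool.exe',
    r'C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE',
]

def triage(paths):
    """Map each path to (blocked by RULE, matches dropper pattern)."""
    return {p: (rule_matches(RULE, p), looks_like_fakealert_dropper(p)) for p in paths}

if __name__ == '__main__':
    for path, (blocked, suspect) in triage(SAMPLES).items():
        print(f'blocked={blocked!s:5} suspect={suspect!s:5} {path}')
```

Under these semantics the rule only covers files directly in the Application Data root, which lines up with the observation later in this thread; the dropper check is a narrower hunting filter that leaves vendor subfolders alone.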
        • 1. Re: Plague with XP Security 2011 / Help with User Defined Rules

          I would just like to say that my organization has also had issues with McAfee not catching this type of malware. Unfortunately I do not have any suggestions on how to prevent this randomly named executable from running without impacting other applications in the same directory. I realize that there are new variants created every day and that McAfee is not going to catch everything immediately; it just seems that sometimes McAfee tends to lag behind in identifying some infections that others catch.

          • 2. Re: Plague with XP Security 2011 / Help with User Defined Rules

            I'm trying to do the same thing. I used the rule path as alexmartin0 stated (C:\document and settings\**\local settings\Application data\*.exe) and it seems to only apply to the root of the folder. But instead of denying the execution of exe files I'm denying creation of exe files. I'm testing now before I roll it out.