19 Replies. Latest reply on Aug 26, 2011 12:20 PM by greatscott

    Rogue AV and Link Poisoning - real options?

      We use VSE 8.7i, but we are still getting slammed by Rogue AV from web link poisoning and Internet search infections.

       

      Taking all the usual measures like keeping OS and AV up to date, educating users, blocking some net activity, etc.  But still battling this with about one system a week.  While I understand no one has actually found a way to prevent these constantly changing real time attacks yet, I would like to know I am doing everything I can with VSE 8.7i.

       

      Are there some other products or specific settings within VSE I should make sure are in place?  A VSE best practices document?  Malwarebytes claims real time protection of Rogue AV and such but hasn't worked either really.

       

      Remember when it was viruses we feared?  I haven't suffered a virus in years.  Link/web poisoning makes viruses look cute and cuddly.

        • 1. Re: Rogue AV and Link Poisoning - real options?
          Attila Polinger

          Hi,

           

          I suggest using Access Protection module rules in this respect.  Select block and report for selected rules.

           

          The rules I recommend are the following:

           

          Prevent programs registering to autorun - this prevents loading in places like under lsass.exe, winlogon.exe, and tray notification area and also various other places (including under explorer.exe, startup folders, etc.) This will stop Rogue AV from loading underneath these processes, pop up notifications, etc.

          Prevent installation of Browser Helper Objects and Shell Extensions - prevents registering under Internet Explorer search and startup locations, also prevents changing default programs for opening files like .DOC, .TXT etc all kinds of similar stuff. Rogue AV won't load when you start IE.

          Prevent registry editor and Task Manager from being disabled - useful against programs that stop you from opening these tools to correct or view any changes or parts in them.

          Prevent remote creation of autorun files - no more share hopping autorun worms.

           

          Also turn on every rule that protects McAfee files and settings.

          Do enable the "Prevent McAfee services from being stopped" checkbox, otherwise trojans will pause McShield, make changes, and start McShield again, and you will wonder how it was possible.

           

          Do not ever make the following files as exceptions to any rule:

           

          -svchost.exe

          -lsass.exe

          -winlogon.exe

          -explorer.exe

          (the list can be expanded, though)

           

          Because in the rare case that something manages to hide underneath them, the exception will effectively enable it to do what the particular rule would block.

           

          Attila

          • 2. Re: Rogue AV and Link Poisoning - real options?
            ekrocket

            Hi there,

             

            Attila had some great suggestions but there's a bit more. Here's a link to a McAfee article that describes all Access Protection rules. That may help a lot.

             

            https://kc.mcafee.com/corporate/index?page=content&id=PD22818&actp=search&viewlocale=en_US&searchid=1306865258139

            • 3. Re: Rogue AV and Link Poisoning - real options?

              Thanks everyone.  Will try some of those settings.  The Access Protection Rules document is very helpful, but a bit complex for my pay grade.  Will have to study further.  Wish there was a comparison graph/chart for all those categories in that document that helped narrow down what selections to make for a given type of threat.

              • 4. Re: Rogue AV and Link Poisoning - real options?
                cisrhumb

                Hey Gunslinger,

                 

                This is an interesting thread, I've been having similar problems to you, and have been looking for suggestions.  Here are my thoughts...

                • In addition to keeping OS, browser and AV up to date, I'd strongly recommend keeping browser helpers up to date too.  Many of the problems we're having with fake AV can be traced to vulnerabilities with Java, Flash or Adobe Reader.  The Blackhole exploit kit is a good example.  I'm dying to update these, but have to wait for Finance to sign off on it first, as so many of their corporate apps depend on Java.  Very frustrating.
                • Definition based detection is definitely not the answer.  Submitting the files responsible to VirusTotal gets an average hit rate of less than 30%.  McAfee are usually pretty good at getting an extra.dat out, but by the time I've deployed that everywhere, there's usually a new variant doing the rounds! 
                • Heuristic detection is problematic.  Turning up the Artemis sensitivity level from 'Very Low' to 'Low' in a small trial area has resulted in quite a few false positives, but no additional genuine detections.  Certainly won't be going any higher than 'Low'
                • I'm interested to hear that MalwareBytes isn't protecting you.  I typically find that the free version is pretty good at detecting new variants.  We have been considering buying a few licences as a trial, but may not bother if that's the case
                • Will definitely look into Access Protection rules.  Thanks for the info ekrocket and Attila
                • 5. Re: Rogue AV and Link Poisoning - real options?

                  cisrhumb, 

                   

                  Malwarebytes does a great job of detecting after the fact, and a good job removing them after the fact.  I want to test its ability to detect and prevent in real time before the Rogue AV appears and gets hold of a system.  Scouring the internet now for some known test infections and such to test on this machine.  Just have a complete XP system updated to the hilt with updates for OS, JAVA and Flash and a mirrored hard drive of it to restore it post infections.  Will report back.

                  • 6. Re: Rogue AV and Link Poisoning - real options?
                    ekrocket

                    No problem, glad we can help. One thing that does affect a lot of people is fake alerts, very annoying. I've noticed that they like to hide in the local user profile Local Settings\App Data. It's as easy as deleting the file, but submitting a sample is the best way to go. What I like to do is zip up those exe and sys files, password protect it (infection, all lowercase) and send it to virus_research@avertlabs.com. Like cisrhumb said, they're pretty fast at replying back.

                    • 7. Re: Rogue AV and Link Poisoning - real options?
                      cisrhumb

                      Hi ekrocket,

                       

                      That's where I tend to find them too (although occasionally they turn up in All Users\App Data).  As far as I can tell, there's no legitimate reason for an executable to be created directly under Local Settings\Application Data (as opposed to in a sub-directory), so I was thinking of setting up an Access Protection rule to block creation or execution of *.exe in this location.  Any thoughts on that?

                      • 8. Re: Rogue AV and Link Poisoning - real options?
                        ekrocket

                        cisrhumb,

                         

                        That's excellent thinking! And you are right, there's no reason for legitimate programs to create exe's in that directory. I've set up various machines the same way as well. I create a user defined rule to block creation of these files. Most of the time they create a sys file also, so I've added an extra rule:

                         

                        Win XP
                        C:\Documents and Settings\*\Local Settings\Application Data\*.exe
                        C:\Documents and Settings\*\Local Settings\Application Data\*.sys

                         

                        Win 7

                        C:\Documents and Settings\*\Application Data\*.exe
                        C:\Documents and Settings\*\Application Data\*.sys

                         

                        Looks like adding one for the all users app data one would be nice too.
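An added example (not from the thread or from McAfee): a small Python audit that takes the two Win XP patterns from the post above and shows which file-creation events they would catch, including the point raised earlier that files in a sub-directory are not covered. The wildcard semantics (`*` does not cross a backslash), the function names and the sample events are assumptions constructed for illustration; confirm the behaviour against the Access Protection documentation for your VSE version.

```python
import re
from pathlib import PureWindowsPath

# Patterns quoted in the post above (Win XP profile layout).
RULE_PATTERNS = [
    r"C:\Documents and Settings\*\Local Settings\Application Data\*.exe",
    r"C:\Documents and Settings\*\Local Settings\Application Data\*.sys",
]

def compile_rule(pattern):
    """Translate a wildcard pattern to a regex.

    Assumption: '*' matches any run of characters except a path separator
    and '?' matches one such character, so '*' never descends into
    sub-directories.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(r"[^\\/]*")
        elif ch == "?":
            out.append(r"[^\\/]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)

def audit(events, patterns=RULE_PATTERNS):
    """Return (process, path) pairs for creation events the rule would block."""
    rules = [compile_rule(p) for p in patterns]
    hits = []
    for process, path in events:
        normalized = str(PureWindowsPath(path))  # unify separators to '\'
        if any(r.match(normalized) for r in rules):
            hits.append((process, normalized))
    return hits

# Constructed sample events (process, file created); not real telemetry.
SAMPLE_EVENTS = [
    ("iexplore.exe", r"C:\Documents and Settings\jdoe\Local Settings\Application Data\abc123.exe"),
    ("iexplore.exe", r"C:\Documents and Settings\jdoe\Local Settings\Application Data\abc123.sys"),
    ("setup.exe", r"C:\Documents and Settings\jdoe\Local Settings\Application Data\Vendor\App\update.exe"),
    ("iexplore.exe", r"C:\Documents and Settings\jdoe\Local Settings\Application Data\notes.txt"),
    ("java.exe", "c:/documents and settings/asmith/local settings/application data/XYZ.EXE"),
]

if __name__ == "__main__":
    for process, path in audit(SAMPLE_EVENTS):
        print(f"would block: {process} -> {path}")
```

Running the same function over a log of legitimate installer activity before switching the rule from report to block shows whether any in-house software writes executables directly into that folder.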

                        • 9. Re: Rogue AV and Link Poisoning - real options?
                          cisrhumb

                          I only see these files in the All Users profile if the user logged in at the time of infection is an admin (which most of our users aren't thankfully).  Makes sense I guess.  In those cases, the infection tends to be a lot more serious.  It will often hide the entire contents of the C drive, then pop up a warning saying that the hard disk is faulty, but if you want to get your data back you can enter your credit card details for some recovery software

                           

                          I've just set these rules up in a test area (the PCs used by our dodgiest staff members!) and will see how they get on.  Cheers for the advice, I feel like I've made some headway today, which is unusual for a Friday!
