I suggest using Access Protection module rules in this respect. Select block and report for selected rules.
The rules I recommend are the following:
Prevent programs registering to autorun - this prevents loading in places like under lsass.exe, winlogon.exe, and the tray notification area and also various other places (including under explorer.exe, startup folders, etc.). This will stop Rogue AV from loading underneath these processes, popping up notifications, etc.
Prevent installation of Browser Helper Objects and Shell Extensions - prevents registering under Internet Explorer search and startup locations, also prevents changing default programs for opening files like .DOC, .TXT, etc., and all kinds of similar stuff. Rogue AV won't load when you start IE.
Prevent registry editor and Task Manager from being disabled - useful against programs that stop you from opening these tools to correct or view any changes or parts in them.
Prevent remote creation of autorun files - no more share hopping autorun worms.
Also turn on every rule that protects McAfee files and settings.
Do enable the "Prevent McAfee services from being stopped" checkbox, otherwise trojans will pause McShield, make changes and start McShield again, and you will wonder how it was possible.
Do not ever make the following files as exceptions to any rule:
(the list can be expanded, though)
Because in a rare case when something has managed to hide underneath them, that will effectively enable what the particular rule would block.
Attila had some great suggestions, but there's a bit more. Here's a link to a McAfee article that describes all Access Protection rules; that may help a lot.
Thanks everyone. Will try some of those settings. The Access Protection Rules document is very helpful, but a bit complex for my pay grade. Will have to study further. Wish there was a comparison graph/chart for all those categories in that document that helped narrow down what selections to make for a given type of threat.
This is an interesting thread, I've been having similar problems to you, and have been looking for suggestions. Here are my thoughts...
- In addition to keeping OS, browser and AV up to date, I'd strongly recommend keeping browser helpers up to date too. Many of the problems we're having with fake AV can be traced to vulnerabilities with Java, Flash or Adobe Reader. The Blackhole exploit kit is a good example. I'm dying to update these, but have to wait for Finance to sign off on it first, as so many of their corporate apps depend on Java. Very frustrating.
- Definition based detection is definitely not the answer. Submitting the files responsible to VirusTotal gets an average hit rate of less than 30%. McAfee are usually pretty good at getting an extra.dat out, but by the time I've deployed that everywhere, there's usually a new variant doing the rounds!
- Heuristic detection is problematic. Turning up the Artemis sensitivity level from 'Very Low' to 'Low' in a small trial area has resulted in quite a few false positives, but no additional genuine detections. Certainly won't be going any higher than 'Low'.
- I'm interested to hear that MalwareBytes isn't protecting you. I typically find that the free version is pretty good at detecting new variants. We have been considering buying a few licences as a trial, but may not bother if that's the case.
- Will definitely look into Access Protection rules. Thanks for the info ekrocket and Attila.
Malwarebytes does a great job of detecting after the fact, and a good job removing them after the fact. I want to test its ability to detect and prevent in real time before the Rogue AV appears and gets hold of a system. Scouring the internet now for some known test infections and such to test on this machine. Just have a complete XP system updated to the hilt with updates for OS, JAVA and Flash and a mirrored hard drive of it to restore it post infections. Will report back.
No problem, glad we can help. One thing that does affect a lot of people are fake alerts, very annoying. I've noticed that they like to hide in the local user profile Local Settings\App Data. It's as easy as deleting the file, but submitting a sample is the best way to go. What I like to do is zip up those exe and sys files, password protect it (infection, all lowercase) and send it to email@example.com like cisrhumb said; they're pretty fast at replying back.
That's where I tend to find them too (although occasionally they turn up in All Users\App Data). As far as I can tell, there's no legitimate reason for an executable to be created directly under Local Settings\Application Data (as opposed to in a sub-directory), so I was thinking of setting up an Access Protection rule to block creation or execution of *.exe in this location. Any thoughts on that?
That's excellent thinking! And you are right, there's no reason for legitimate programs to create exe's in that directory. I've set up various machines the same way as well. I create a user defined rule to block creation of these files. Most of the time they create a sys file also, so I've added an extra rule:
C:\Documents and Settings\*\Local Settings\Application Data\*.exe
C:\Documents and Settings\*\Local Settings\Application Data\*.sys
C:\Documents and Settings\*\Application Data\*.exe
C:\Documents and Settings\*\Application Data\*.sys
Looks like adding one for the all users app data one would be nice too.
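An added example (my own code, not from the thread or from McAfee) that applies the four path rules above to a constructed list of file-creation events, assuming that `*` matches a single path component so executables created in sub-directories are not caught:

```python
import re

# Assumption for this example: "*" matches any characters except a backslash,
# so a rule ending in ...\Application Data\*.exe covers files created directly
# in that folder but not in its sub-directories. Case is ignored (Windows paths).
RULES = [
    r"C:\Documents and Settings\*\Local Settings\Application Data\*.exe",
    r"C:\Documents and Settings\*\Local Settings\Application Data\*.sys",
    r"C:\Documents and Settings\*\Application Data\*.exe",
    r"C:\Documents and Settings\*\Application Data\*.sys",
]

def rule_to_regex(rule):
    """Translate one rule into a compiled regex, escaping everything but '*'."""
    parts = [re.escape(p) for p in rule.split("*")]
    return re.compile("^" + r"[^\\]*".join(parts) + "$", re.IGNORECASE)

COMPILED = [(rule, rule_to_regex(rule)) for rule in RULES]

def matching_rule(path):
    """Return the first rule that would block creation of this path, or None."""
    for rule, rx in COMPILED:
        if rx.match(path):
            return rule
    return None

def triage(events):
    """Split file-creation events into (blocked, allowed) lists of (path, rule)."""
    blocked, allowed = [], []
    for path in events:
        rule = matching_rule(path)
        (blocked if rule else allowed).append((path, rule))
    return blocked, allowed

# Constructed sample of file-creation events; names are made up for the example.
SAMPLE_EVENTS = [
    r"C:\Documents and Settings\bob\Local Settings\Application Data\kdfjh.exe",
    r"C:\Documents and Settings\bob\Local Settings\Application Data\sysdrv.sys",
    r"C:\Documents and Settings\All Users\Application Data\rogue.exe",
    r"C:\Documents and Settings\bob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe",
    r"C:\Documents and Settings\bob\Application Data\Mozilla\Firefox\profiles.ini",
    r"C:\Program Files\Malwarebytes\mbam.exe",
]

if __name__ == "__main__":
    blocked, allowed = triage(SAMPLE_EVENTS)
    for path, rule in blocked:
        print("BLOCK", path, "<-", rule)
    for path, _ in allowed:
        print("ALLOW", path)
```

Under this single-component reading of `*`, the third rule already matches the All Users profile, so a separate All Users rule would only be needed if the product treats the wildcard differently.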
I only see these files in the All Users profile if the user logged in at the time of infection is an admin (which most of our users aren't, thankfully). Makes sense I guess. In those cases, the infection tends to be a lot more serious. It will often hide the entire contents of the C drive, then pop up a warning saying that the hard disk is faulty, but if you want to get your data back you can enter your credit card details for some recovery software.
I've just set these rules up in a test area (the PCs used by our dodgiest staff members!) and will see how they get on. Cheers for the advice, I feel like I've made some headway today, which is unusual for a Friday!