5 Replies Latest reply on Jul 19, 2016 6:37 PM by john.montez

    Malware

    john.montez

      Is anyone having Fake Malware issues? It seems that I'm getting all the new versions and having to re-image machines before the DAT is released. Any ideas on stopping the new variants? We are a college, so we cannot lock down workstations in the usual way.

        • 1. Re: Malware

          There are lots of tricks for securing "open" systems; some are McAfee related and some are just good best practices.

          What are you deploying in your software base (which McAfee point products)?

          Lots of college campuses use tools like Faronics Deep Freeze to keep systems locked down.  Do you have any unique challenges that prevent you from using a technology like this?

          To answer your question about Fake Malware (I'm assuming you're talking about bogus Anti-Virus programs or Ransomware)... Yes, there's lots of it out there and new blended threats/attack vectors are popping up every day in my environment.  Some of it can be cleaned easily once you know what you're working with - but other stuff requires too much work to fully remove (violates the 2hr recovery rule) so it's just easier to re-image.

          In the academic environment, you likely have the luxury of not needing to recover a ton of client data that's spread all over the HDD.  As long as you perfect your reimaging action plan (if that's the best you can do), then you're doing good things.  I have a friend who worked in a local community college IT dept. whose job was to create a back-up image for every system on a back-up HDD and store these drives on a cart.  The college bought about 150 HDDs to support the systems in their main IT Lab - all identical hardware but lots of different software.  Every PC had a warm-spare HDD to reduce rebuild time (draconian, to be sure, but effective in meeting SLAs).

          I helped him to design a project where he recommended a 2-drive hot-swap tray system, where a key controlled which drive was active by a cool little circuit that connected to a PCB with simple leads that connected to the HDD jumper pins in the backs of the drives.  When a drive got infected, all you needed to do was power off, put in a key, switch to the second drive, boot, pull out the infected drive, then reimage it and pop it back in.  The systems stayed up and in production all the time - pretty slick.  The college never implemented the idea from what he told me, but he got an "A" on his project recommendation - lol.

          Where there's a will, there's a way.

          List out which products you're working with and your challenges, and maybe someone here can help you find a solution.

          Message was edited by: lbolanis on 6/16/11 10:50:57 AM CDT
          • 2. Re: Malware

            If you don't have a baseline, you can't be sure it's reverted to clean short of reimaging.

            But, virtualization can make reimaging a hell of a lot faster. Even virtualizing just the e-mail client and the browser (and doing a revert to known good for the client after use) can go a long way.

            But yes. The detection is horrible. Not purely with McAfee, but from what we've seen with most vendors. VirusTotal is giving us an average of 5/42 for the variants we've pulled this month.

            This signature-based stuff is not going to save us from these.

            There was an article released about some stuff you could do with Access Protection that would mitigate infection. But, it depends on what else you have in your environment, and how much time you can tune. We found that some of the assertions that "this won't affect your environment" didn't hold true in all cases.

            • 3. Re: Malware
              john.montez

              Thanks lbolanis,

              We do use specific images and we do re-image a machine that has been infected. We do use Deep Freeze, but we are going to try to use Application Blocker more. I like the HD idea and it does sound really cool.  We just have over 10,000 machines. Thanks for your reply, it did help.

              • 4. Re: Malware

                Hi John:

                Here are a couple of links that are related to "Fake Alerts":

                PD23178 - Threat Advisory: Combating FakeAlerts

                https://kc.mcafee.com/corporate/index?page=content&id=PD23178

                PD23177 - Threat Advisory: FakeAlert System Defender

                https://kc.mcafee.com/corporate/index?page=content&id=PD23177

                • 5. Re: Malware
                  john.montez

                  That's awesome.