5 Replies Latest reply on Jul 18, 2011 6:45 AM by exbrit

    What setting are you using to combat the fake AV malware

    rdefino

      I'm running 8.7i with ePO server 4.5.

      Now we are getting pounded by these fake AV programs like XP Security Tool and XP AV 2011. These programs show the fake AV screen claiming that you're infected, and they usually hide your programs and user data.

      What settings are all of you setting for your policies that you see helping to combat this infection?

      Thanks for any help.

        • 1. Re: What setting are you using to combat the fake AV malware
          Stanw

          McAfee released a 20-page PDF on this topic last week. It contains some info for ePO policy settings in Access Protection to fight the fake alerts.

          https://kc.mcafee.com/corporate/index?page=content&id=PD23178

          • 2. Re: What setting are you using to combat the fake AV malware
            Regis

            rdefino, what is your desktop patching strategy, and are you promptly patching all common web plugins (Adobe Reader / Adobe Flash / QuickTime / Java), or are you making the mistake of many environments and only patching Microsoft stuff?

            FakeAV leverages exploit packs that use JavaScript to fingerprint the browser stack, identify vulnerable plugins or browsers, and dynamically redirect to a relevant exploit for that plugin. Malware authors test their dropper code against all the major AVs and don't release 'em till they pass through. They are very good at evading signature detection. The exploit pack vendors also have better technical support and release frequency than a lot of the AV vendors do! So it's a cat and mouse game the AV vendors are losing badly.

            An environment I did some work for was getting their butts handed to them on fake AV (they were McAfee customers too), and after a large effort of implementing vulnerability scanning and getting religion about patching third-party web plugins, it's not a big problem any more. That's probably where the biggest bang for the buck is on time spent for the fake AV issue.

            • 3. Re: What setting are you using to combat the fake AV malware
              exbrit

              I know I am only a Moderator on the consumer side, but I read that PDF out of interest and am surprised that it only mentions the regular Stinger tool and not the Fake_Alert one. When it was written I believe they were possibly one and the same, but now they are two distinct entities:

              Stinger

              Fake-Alert Stinger

              I'll alert the powers that be to have it revised.
              Message was edited by: Ex_Brit on 16/07/11 9:00:52 EDT AM
              • 4. Re: What setting are you using to combat the fake AV malware
                SamSwift

                Hi,

                Thanks for picking up on this, Peter. The doc was produced prior to the most recent changes made to the Fake Alert Stinger; smart scan and fix-to-scan are the really important ones for Fake AV. I've asked the KB folks to amend the doc.

                We're really keen to get feedback on the new Fake Alert Stinger. If you do have the opportunity to use it, please come and post about your experience in the new Top Threats space. I'm going to move this thread over there now.

                Thanks,

                Sam

                • 5. Re: What setting are you using to combat the fake AV malware
                  exbrit

                  Thanks Sam, I guess you got my email on it.