Moved to VSE for better attention.
Ok, so thanks to being redirected to this VSE discussion, I can now mostly answer my own question. This White paper on Fake Alerts is extremely informative:
But still, I wonder what is making this particular computer so vulnerable? Or more generally, what factors make a computer vulnerable to Fake Alerts that install without user intervention?
I can't answer that I'm afraid as I only deal with the consumer products. Someone should be along shortly with VSE expertise.
I would add that from the consumer standpoint there is no way to block the Fake Alert entities as they do in fact rely on human intervention, even in the slightest way, to be activated and they really aren't trojans or viruses in the normal sense, simply an extreme nuisance.
McAfee SiteAdvisor and any one of its rivals such as MyWoT will usually give ample warning to anyone that the site is dangerous. I have both installed here.
McAfee has its own Fake Alert Stinger tool which is updated pretty regularly which you can try, but you must install a fresh copy each time it is used.
I also keep a copy of the free version of THIS tool installed and regularly updated, just in case, as it makes a very useful addition to any anti-virus protection.
However as I do not use VSE I have no idea what protection, if any, can be configured into it against this sort of thing.
Here are links to White Papers on combating FakeAlert malware:
How to combat FakeAlert malware
A better question is "why are my systems getting fake AV trojans?"
In many cases, they're not being installed with user interaction at all, but instead are leveraging known and patchable vulnerabilities in third party web plugins.
A client of mine who had a large issue with these (and happened to be a McAfee shop) only tamed the fake AV shrew once they got religion about patch management on the desktop that didn't just include running Windows Update.
AV coverage against these fake AV products is pretty miserable. Sadly, McAfee's not a tremendous exception on this front, though they are detecting it a lot better than they did, say, 18 months ago.
On the infected machine, point the web browser(s) you use at:
and update (or uninstall) any out of date plugins / software listed.
Common infection vectors are via Adobe Flash, Adobe Reader, and Oracle Java.
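An added example (not from the thread or from McAfee) of the out-of-date check the post above describes, done from the desktop side rather than a web page: it reads the installed versions of the three plugins named above from the Windows Uninstall registry keys and compares them with minimum versions the administrator fills in. The minimum version numbers in the script are placeholders, and the product name prefixes are assumptions about how these vendors label their installers.

```powershell
# Added example, not part of the original thread. Read-only: nothing is changed on the machine.
# Fill in the vendors' currently supported versions; the values below are PLACEHOLDERS.
$MinimumVersions = @{
    'Adobe Flash Player' = [version]'0.0.0.0'   # placeholder, set from the vendor's current advisory
    'Adobe Reader'       = [version]'0.0.0.0'   # placeholder
    'Java'               = [version]'0.0.0.0'   # placeholder (assumed DisplayName prefix for Oracle Java)
}

# Per-machine (64-bit and 32-bit views) and per-user uninstall entries.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-PluginPatchStatus {
    $installed = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($product in $MinimumVersions.Keys) {
        # Match on the DisplayName prefix; several versions of one product may be installed side by side.
        $found = @($installed | Where-Object { $_.DisplayName -like "$product*" })
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Product = $product; Installed = ''; Status = 'not installed' }
            continue
        }
        foreach ($entry in $found) {
            # '-as [version]' yields $null instead of throwing when the string is not a parseable version.
            $ver = $entry.DisplayVersion -as [version]
            if ($null -eq $ver) {
                [pscustomobject]@{ Product = $entry.DisplayName; Installed = $entry.DisplayVersion
                                   Status  = 'version string not parseable, check manually' }
                continue
            }
            $status = if ($ver -lt $MinimumVersions[$product]) { 'OUT OF DATE: update or uninstall' } else { 'current' }
            [pscustomobject]@{ Product = $entry.DisplayName; Installed = $ver.ToString(); Status = $status }
        }
    }
}

Get-PluginPatchStatus | Sort-Object Status | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the machine in question; entries reported as "OUT OF DATE" or "not parseable" are the ones to update or remove, and anything reported as "not installed" that the browser still loads indicates a plugin installed outside the normal uninstall registration and worth a manual look.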
In my opinion these types of (or perhaps any) trojans today are what are called blended threats, so many pieces work together for the final result (if I interpret the term correctly). Therefore I would understand if the file that starts the game isn't recognized immediately, since these files are often changed by their authors, etc., precisely for the cause of making detection difficult.
I suggest you review your AV configuration and see if you use the following:
- Access Protection (a must, so to speak)
I would say that with some Access Protection rules you could save the majority of headaches over reinfection concerns.
So make sure that you configure Access Protection (and scriptscan) rules to block and report:
- McAfee processes cannot be killed, services cannot be stopped (separate checkboxes)
- Prevent programs registering to autorun, prevent installation of Browser Helper Objects and Shell extensions (as a minimum)
- Rules that protect McAfee files and processes
- Also recommended to protect task manager and registry editor by respective rules, I've seen malware that disabled them.
I cannot recommend using the new AP rule introduced by VSE 8.8 P1 since I have no experience with using it, but this could be a last peg to secure everything (it is positively useful I assume).
Please understand that some legitimate programs may have to get included afterwards as exclusions within these rules, but it is okay, this is how it should go.
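The Access Protection rules listed above block new autorun and Browser Helper Object registrations, but they say nothing about what is already registered on a machine that has been infected. This added example (not from the thread or from McAfee) is a read-only audit of those same registration points: it lists every Run/RunOnce entry and every BHO, resolves the file each one points at, and reports whether the file carries a valid Authenticode signature. Unsigned or missing files are the ones to examine first, and the list also shows which legitimate programs will need exclusions once the rules are enabled. The registry paths are the standard Windows locations; the helper function names are this example's own.

```powershell
# Added example, not part of the original thread. Read-only: nothing is modified or removed.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Reduce a Run-key command line ("C:\path\app.exe" /arg, or C:\path\app.exe /arg) to the executable path.
function Get-ExecutablePath([string]$CommandLine) {
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split ' ')[0]
}

# Report the Authenticode status of a file; a missing file is itself suspicious for an autorun entry.
function Get-SignerStatus([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED ($($sig.Status))"
}

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }   # skip the PSPath/PSParentPath metadata properties
            $exe = Get-ExecutablePath $v.Value
            [pscustomobject]@{ Source = 'Run'; Key = $key; Name = $v.Name; Path = $exe; Signer = Get-SignerStatus $exe }
        }
    }
}

function Get-BhoEntries {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            # A BHO is registered by CLSID; the DLL lives under the class's InprocServer32 key
            # (32-bit BHOs on 64-bit Windows are under the Wow6432Node view of CLSID).
            $dll = $null
            foreach ($clsidRoot in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
                $server = Get-ItemProperty -Path "$clsidRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($server -and $server.'(default)') {
                    $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)')
                    break
                }
            }
            [pscustomobject]@{ Source = 'BHO'; Key = $key; Name = $clsid; Path = $dll; Signer = Get-SignerStatus $dll }
        }
    }
}

@(Get-AutorunEntries) + @(Get-BhoEntries) | Sort-Object Signer | Format-Table -AutoSize
```

Run it elevated so the HKLM keys are readable, and keep the output from a known-clean machine of the same build as a baseline; the difference between that baseline and an infected machine is usually a short list.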