8 Replies Latest reply on Feb 16, 2012 9:09 PM by Lakshmanan Sathyamoorthy

    Poor Support to Corporate with New CONFICKER Virus Variant

      Hi McAfee,

       

      Our organisation identified a virus outbreak 11 days ago. This transpired to be a new variant of the Conficker virus and was confirmed by McAfee.

       

      http://en.wikipedia.org/wiki/Conficker

       

      11 days later we are still waiting for a fix for this virus. Numerous deadlines have come and gone and we are still waiting for a fix.

       

      The Call Ref for this is:

       

      3-1986383493 Conficker Virus infection

       

      We pay ££££ to McAfee for our endpoint protection, but clearly when you are hit with the worst, the support is very poor.

       

      Welcome any responses and updates from either McAfee or the wider McAfee community.

       


        • 1. Re: Poor Support to Corporate with New CONFICKER Virus Variant
          mrandolp

          We are also fighting an outbreak, as of 02/13/2012.  I have opened an SR with Platinum support.  The first thing I was asked was whether "scan files when reading from disk" was enabled.  No, it was not.  Support stated it needed to be turned on.  The reason it was off was the application installed on the server.  Yes, now it is turned on.  Support stated "I would need to create a new User-Defined rule".  Below is the new rule.  After applying the rule, we have not seen anything in the Access Protection log, but that doesn't mean it's still not out there.  One of our other hospitals is still showing infections.

           

          Name: Conficker Block

          Processes to include: All

          Processes to exclude: McShield.exe, scan.exe, Scan32.exe

          File or folder name to block: C:\WINDOWS\Tasks\At*.job

          File actions to prevent (checked):

          - Read access to files

          - Write access to files

          - Files being executed

          - New files being created

          Not checked: Files being deleted

           

          What we have seen are scheduled tasks being run from the scheduler.  On one of the servers, the ODS found the item below and deleted it.  On the other servers there were several tasks that tried to run and were caught and deleted.

           

          2/13/2012 8:57:53 AM Deleted  Administrator ODS(Full Scan) c:\WINDOWS\Tasks\At1.job W32/Conficker.worm!job (Virus)

           

          Will keep plugging away.  Thanks for the information.

          • 2. Re: Poor Support to Corporate with New CONFICKER Virus Variant
            Attila Polinger

            Hello,

             

             May I ask if you use Access Protection rules within VirusScan, and which version of VirusScan you use?

             

             In my opinion, quite a few trojans can be effectively prevented from getting planted/activated by a few Access Protection rules, even in the absence of new DAT files and frequent scanning.

             

            Attila

            • 3. Re: Poor Support to Corporate with New CONFICKER Virus Variant

               The rule given to us (unsuccessfully) was:

               

               For the scheduled tasks / rundll32.exe running issue we would recommend the following Access Protection rule to be created:

               

              Open Access Protection

               Create a User-Defined Rule

              Select File/Folder Rule

               

              Provide Rule Name: Block Tasks Creation

              Processes to include: *

               Processes to exclude: (none)

              File or folder: C:\WINDOWS\Tasks

               File actions to prevent: New files being created

               

               After two weeks a new DAT file was created and, I believe, distributed to the McAfee community.

               

               Support was extremely poor: McAfee logged into PCs, left the viruses there, and didn't respond to support calls.

               

               It took 5 days for this to get past the 1st-line helpdesk people.

               

               If you get a live issue, you really are up the creek without a paddle with McAfee.
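The two Access Protection rules posted in this thread (the "Conficker Block" At*.job rule in reply 1 and the "Block Tasks Creation" folder rule in reply 3) differ in what they let through, which is easiest to see by evaluating both against the same accesses. The script below is an added example, not McAfee code: it models each rule as process mask, exclusions, path mask and prevented actions, parses the On-Access Scan log line quoted in reply 1, and sweeps a Tasks folder for At*.job files. How VirusScan treats a bare folder name like C:\WINDOWS\Tasks is an assumption here (taken as "every file directly inside that folder"), the log field layout is inferred from the single quoted line, and the Tasks folder it scans is a constructed temporary directory rather than a real %SystemRoot%\Tasks.

```python
"""Added example (not McAfee code): a model of the two Access Protection
rules posted in replies 1 and 3, a parser for the On-Access Scan log line
quoted in reply 1, and a hunt for the At*.job files the thread keys on.
Rule semantics are approximated; see the comments marked 'assumption'."""
import fnmatch
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class APRule:
    name: str
    processes_to_include: str       # process mask; "*" = every process
    processes_to_exclude: tuple     # process names this rule never blocks
    file_or_folder: str             # file mask, or a bare folder path
    actions_to_prevent: frozenset   # subset of read/write/execute/create/delete

    def _path_matches(self, path: str) -> bool:
        mask, target = self.file_or_folder.lower(), path.lower()  # Windows paths: case-insensitive
        if any(c in mask for c in "*?"):
            return fnmatch.fnmatchcase(target, mask)   # e.g. c:\windows\tasks\at*.job
        # Assumption: a bare folder name covers every file directly inside it.
        return target.startswith(mask.rstrip("\\") + "\\")

    def blocks(self, process: str, path: str, action: str) -> bool:
        proc = os.path.basename(process).lower()
        if not fnmatch.fnmatchcase(proc, self.processes_to_include.lower()):
            return False
        if proc in (p.lower() for p in self.processes_to_exclude):
            return False   # excluded process, e.g. the scanner itself
        return action in self.actions_to_prevent and self._path_matches(path)


# Reply 1 (mrandolp). "Files being deleted" is left unchecked on purpose so the
# scanner and an admin can still remove the At*.job files they find.
CONFICKER_BLOCK = APRule(
    name="Conficker Block",
    processes_to_include="*",
    processes_to_exclude=("McShield.exe", "scan.exe", "Scan32.exe"),
    file_or_folder=r"C:\WINDOWS\Tasks\At*.job",
    actions_to_prevent=frozenset({"read", "write", "execute", "create"}),
)

# Reply 3 (the rule support suggested). No exclusions and a bare folder, so it
# also stops legitimate jobs from being created; that is the caveat to weigh.
BLOCK_TASKS_CREATION = APRule(
    name="Block Tasks Creation",
    processes_to_include="*",
    processes_to_exclude=(),
    file_or_folder=r"C:\WINDOWS\Tasks",
    actions_to_prevent=frozenset({"create"}),
)


def first_blocking_rule(rules, process: str, path: str, action: str) -> Optional[str]:
    """Name of the first rule that would block this access, or None if allowed."""
    for rule in rules:
        if rule.blocks(process, path, action):
            return rule.name
    return None


# The OAS log line quoted in reply 1, reused here as constructed sample input.
SAMPLE_OAS_LINE = (r"2/13/2012 8:57:53 AM Deleted  Administrator ODS(Full Scan) "
                   r"c:\WINDOWS\Tasks\At1.job W32/Conficker.worm!job (Virus)")
OAS_LINE = re.compile(
    r"^(?P<time>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?P<action>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<source>.+?)\s+(?P<path>[A-Za-z]:\\\S+)\s+(?P<detection>\S+)\s+\((?P<kind>[^)]+)\)\s*$"
)


def parse_oas_line(line: str) -> Optional[dict]:
    """Split one VirusScan log line into fields (layout inferred from the sample line)."""
    m = OAS_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_at_jobs(tasks_dir: str) -> list:
    """Return the At*.job file names in a Tasks folder, the artefact this thread keys on."""
    return sorted(n for n in os.listdir(tasks_dir) if fnmatch.fnmatchcase(n.lower(), "at*.job"))


def demo_hunt() -> list:
    """Constructed Tasks folder: two suspect At*.job files plus two harmless files."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("At1.job", "At23.job", "LegitBackup.job", "desktop.ini"):
            open(os.path.join(d, name), "w").close()
        return find_at_jobs(d)


if __name__ == "__main__":
    rules = (CONFICKER_BLOCK, BLOCK_TASKS_CREATION)
    for proc, path, act in (("rundll32.exe", r"C:\WINDOWS\Tasks\At1.job", "create"),
                            ("McShield.exe", r"C:\WINDOWS\Tasks\At1.job", "read"),
                            ("explorer.exe", r"C:\WINDOWS\Tasks\At1.job", "delete"),
                            ("mmc.exe", r"C:\WINDOWS\Tasks\LegitBackup.job", "create")):
        print(f"{proc:13} {act:7} {path}: {first_blocking_rule(rules, proc, path, act)}")
    print(parse_oas_line(SAMPLE_OAS_LINE))
    print(demo_hunt())
```

Running it shows the trade-off the two replies describe: the At*.job rule lets McShield.exe read the file and lets anything delete it, so cleanup still works, but it only catches the At*.job naming pattern; the folder rule catches any new file in Tasks, including a legitimate job, and has no exclusions, so the scanner's own writes would also be refused. On a real host, point find_at_jobs at %SystemRoot%\Tasks and run it with an account that can list that folder.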

              • 4. Re: Poor Support to Corporate with New CONFICKER Virus Variant
                Attila Polinger

                We had a major Conficker storm with the second variant in 2010 (I think).

                 

                Cleaning up was a tedious task.

                 

                 What I had in mind by asking is whether you have the following Access Protection settings and rules in place (i.e. block AND report) for workstations (and servers):

                 

                 Prevent McAfee services from being stopped (checkbox ticked) (a must)

                 

                 - prevent programs registering to autorun

                 - prevent creation of remote autorun files

                 - prevent registry editor and task manager from being disabled

                 - prevent modifications of McAfee / Common Management Agent / scan engine files and settings

                 - prevent termination of McAfee processes

                 - prevent installation of browser helper objects and shell extensions

                 

                 I would recommend the "Prevent installation of new CLSIDs, TYPELIBs and APPIDs" rule, but with caution: this controls the installation of device drivers among other things, which trojans also invariably like to use to get planted (or, if not that, the places that rule #1 here covers). There are many legitimate exceptions to this rule, but if you choose to use it, legitimate installations might be affected (until you put the installer on the rule's exclusion list).

                 

                 Also, with Patch 1 of VirusScan 8.8 (should you use that version) there is a new AP rule, "Prevent hooking of McAfee processes", which is on by default and is meant to close the last gap in compromising McAfee files/processes.

                 

                Attila

                 

                Message was edited by: apoling on 15/02/12 10:35:58 CET
                • 5. Re: Poor Support to Corporate with New CONFICKER Virus Variant

                   Hi Largecorporate,

                   

                   W32/Conficker.worm!job is getting detected by the latest DAT:

                  http://vil.nai.com/vil/content/v_153725.htm

                   

                   Kindly use the Conficker tool from McAfee to find out how many PCs got infected by Conficker:

                  http://www.mcafee.com/us/downloads/free-tools/conficker-detection.aspx

                   

                   Also, you can request an Extra DAT for this Conficker detection (W32/Conficker.worm!job) and deploy the ED through ePO to all the clients.

                  • 6. Re: Poor Support to Corporate with New CONFICKER Virus Variant
                    mrandolp

                     Thanks everyone for the information.  I know I didn't create the original post.  We have it under control.  Special thanks to largecorporate for creating the post.  Interesting that DAT 6620 was updated on the 14th for W32/Conficker.worm!job.  Have a great day.

                     

                    Mike

                    • 7. Re: Poor Support to Corporate with New CONFICKER Virus Variant
                      jmcleish

                       Can I ask if your machines were up to date with MS patches? Question goes to the original poster too.

                       

                      Message was edited by: jmcleish on 16/02/12 08:03:25 CST
                      • 8. Re: Poor Support to Corporate with New CONFICKER Virus Variant

                         Hi Largecorporate,

                         

                         As said by jmcleish, it's a must that we update to the latest MS patches; we don't want to leave our PCs with too many loopholes..... :-)