We are also fighting an outbreak, as of 02/13/2012. I have opened an SR with Platinum support. The first thing I was asked was if "scan files when reading from disk" was enabled. No, it was not. Support stated it needed to be turned on. The reason it was off was due to the application installed on the server. Yes, now it is turned on. Support stated "I would need to create a new User-Defined rule". Below is the new rule. After applying the rule, we have not seen any information for anything in the Access Protection log, but that doesn't mean it's still not out there. One of our other hospitals is still showing infections.
Name Conficker Block
Process to include, All.
Process to exclude, McShield.exe, scan.exe, Scan32.exe.
File or folder name to block, C:\WINDOWS\Tasks\At*.job
Check, File Actions to prevent
Check, Read access to files
Check, Write access to files
Check, Files being executed
Check, New files being created
Do not check, Files being deleted
What we have seen are scheduled tasks being run from the scheduler. On one of the servers on the ODS, it found the task below and deleted it. With the other servers there were several tasks that tried to run and were caught and deleted.
2/13/2012 8:57:53 AM Deleted Administrator ODS(Full Scan) c:\WINDOWS\Tasks\At1.job W32/Conficker.worm!job (Virus)
Will keep plugging away. Thanks for the information.
May I ask if you use Access Protection rules within VirusScan, and which version of VirusScan do you use?
In my opinion quite a few trojans can be effectively prevented from getting planted/activated by a few Access Protection rules, even in the absence of new DAT files and frequent scanning.
The rule given to us (unsuccessfully) was:
For the Scheduled tasks / rundll32.exe running issue we would recommend the following Access Protection rule to be created:
Open Access Protection
Create a User-Defined Rule
Select File/Folder Rule
Provide Rule Name: Block Tasks Creation
Processes to include: *
Processes to exclude:
File or folder: C:\WINDOWS\Tasks
File Actions to prevent: New File from being created
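A constructed model of how the two rule definitions in this thread (the "Conficker Block" rule from the first post and the "Block Tasks Creation" rule from support) evaluate file events, added here as an example; it is not McAfee's code, and the matching semantics (wildcard on the file name, folder rules covering everything beneath them, process exclusion by image name) are assumptions.

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessProtectionRule:
    # Constructed model of a VirusScan Access Protection file/folder rule (assumption, not McAfee code)
    name: str
    path_pattern: str            # "File or folder name to block", * wildcards allowed
    blocked_actions: frozenset   # subset of {"read", "write", "execute", "create", "delete"}
    include: str = "*"           # "Processes to include"
    exclude: frozenset = frozenset()  # "Processes to exclude", matched case-insensitively

    def blocks(self, process: str, path: str, action: str) -> bool:
        proc = process.lower()
        if not fnmatch.fnmatchcase(proc, self.include.lower()):
            return False
        if any(fnmatch.fnmatchcase(proc, ex.lower()) for ex in self.exclude):
            return False            # excluded processes (the scanner) keep full access
        if action not in self.blocked_actions:
            return False            # e.g. "delete" is left unchecked in the Conficker rule
        return _path_matches(self.path_pattern, path)

def _path_matches(pattern: str, path: str) -> bool:
    p, x = pattern.lower().rstrip("\\"), path.lower()
    if "*" not in p:                # a folder rule covers the folder and everything under it
        return x == p or x.startswith(p + "\\")
    return fnmatch.fnmatchcase(x, p)

# The first poster's rule: only At*.job files, scanner processes excluded, delete allowed.
CONFICKER_BLOCK = AccessProtectionRule(
    name="Conficker Block",
    path_pattern=r"C:\WINDOWS\Tasks\At*.job",
    blocked_actions=frozenset({"read", "write", "execute", "create"}),
    exclude=frozenset({"McShield.exe", "scan.exe", "Scan32.exe"}),
)
# The rule from support: any new file in the Tasks folder, no exclusions.
BLOCK_TASKS_CREATION = AccessProtectionRule(
    name="Block Tasks Creation",
    path_pattern=r"C:\WINDOWS\Tasks",
    blocked_actions=frozenset({"create"}),
)

def evaluate(rules, process: str, path: str, action: str) -> list:
    """Names of the rules that would block this event; an empty list means it is allowed."""
    return [r.name for r in rules if r.blocks(process, path, action)]

if __name__ == "__main__":
    both = [CONFICKER_BLOCK, BLOCK_TASKS_CREATION]
    print(evaluate(both, "svchost.exe", r"C:\WINDOWS\Tasks\At1.job", "create"))   # both rules fire
    print(evaluate(both, "McShield.exe", r"C:\WINDOWS\Tasks\At1.job", "read"))    # scanner excluded
    print(evaluate(both, "mmc.exe", r"C:\WINDOWS\Tasks\Backup.job", "create"))    # support rule also hits legitimate tasks
```

The last case shows why the support rule was unwelcome: it blocks every new task file, not just the At*.job names the worm uses, while the first poster's rule leaves deletion open so the scanner can still remove the job.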
After two weeks a new DAT file has been created and, I believe, distributed to the McAfee community.
Support was extremely poor - McAfee logged into PCs - left the viruses there - didn't respond to support calls.
It took 5 days for this to pass the 1st line helpdesk people.
If you get a live issue you really are up the creek without a paddle with McAfee.
We had a major Conficker storm with the second variant in 2010 (I think).
Cleaning up was a tedious task.
What I had in mind by asking is whether you have the following access protection settings and rules in place (i.e. block AND report) for workstations (and servers):
- prevent McAfee services from being stopped (checkbox ticked) (a must)
- prevent programs registering to autorun
- prevent creation of remote autorun files
- prevent registry editor and task manager from being disabled
- prevent modifications of mcafee /common management agent / scan engine files and settings / prevent
- prevent termination of mcafee processes
- prevent installation of browser helper objects and shell extensions
I would recommend the "prevent installation of new CLSID, TYPELIBS and APPIDS" rule, but with caution: this controls installation of device drivers among other things, which trojans also invariably like to use to get planted (or if not that, the places that rule #1 here covers). There are many legitimate exceptions to this rule, but if you choose to use it, legitimate installations might be affected (until you put the installer on the rule's exclusion list).
Also, with Patch 1 of VirusScan 8.8 - should you use that version - there is a new AR rule: "Prevent hooking of McAfee processes", which is on by default and is meant to stop the last gap in compromising McAfee files/processes.
W32/Conficker.worm!job is getting detected by the latest DAT.
Kindly use the Conficker tool from McAfee to find out how many PCs got infected by Conficker.
Also, you can request an Extra DAT for this Conficker variant (W32/Conficker.worm!job) and deploy the ED through ePO to all the clients.
Thanks everyone for the information. I know I didn't create the original post. We have it under control. Special thanks largecorporate for creating the post. Interesting that DAT 6620 was updated on the 14th for W32/Conficker.worm!job. Have a great day.
Can I ask if your machines were up to date with MS patches? Question goes to the original poster too.
As said by jmcleish, it's a must that we update to the latest MS patches so we don't leave our PCs with too many loopholes..... :-)