Second line of defense pgm to Stop Rogues - Like Antivirus Soft ?


JosephB
February 7th, 2010, 10:46 PM
My family PC was infected Mon. with Antivirus Soft. It was time consuming to research how to remove it (finally removed).
.... My family PC was fully updated with the latest AV definitions, but the PC was infected anyway with the rogue "Antivirus Soft" (part of the family of the Antivirus Live rogue).

Question:
1. Which 2nd layer security pgm would have stopped Antivirus Soft from infecting my PC on Monday (not sure how long this rogue has been around) and also stop other unknown rogue pgms before my AV pgm is updated with definitions to prevent and detect it? ... and at the same time be easy for other family members to use:

...A) Would one of these sandbox pgms have stopped it as early as Monday, if my browser was sandboxed - Sandboxie, DefenseWall, Geswall ?

...b) Would one of these Real-Time Scanner Pgms have stopped it as early as this past Monday - SuperAntiSpyware - Real-Time component, MBAM - real-time component ?

jmonge
February 7th, 2010, 10:48 PM
mbam pro kills almost all of the rogue software and fake antivirus in real time ;)

kasperking
February 7th, 2010, 11:16 PM
-{ Quote: "

...A) Would one of these sandbox pgms have stopped it as early as Monday, if my browser was sandboxed - Sandboxie, DefenseWall, Geswall ?" }-

yup....it would have been rendered useless by the said programmes

-{ Quote: "...b) Would one of these Real-Time Scanner Pgms have stopped it as early as this past Monday - SuperAntiSpyware - Real-Time component, MBAM - real-time component ?" }-
well mbam pro's ip protection in the first place would not let you even get to the site hosting/spreading these and both sas and mbam are pretty efficient in what they do

Saraceno
February 7th, 2010, 11:22 PM
The easiest program to install for your family would be MBAM's full version with IP protection, blocking harmful sites. And it has scheduled daily scanning.

The others mentioned would stop the program, such as sandboxie, but there are always situations where a family member can 'recover' a file and install it thinking it is safe.

Easiest option, I'd go for MBAM real-time. Family members won't know what happened (unless they see MBAM's alert), the malicious page just won't load.

jmonge
February 7th, 2010, 11:25 PM
good recommendations friends ;) :thumb:

culla
February 7th, 2010, 11:48 PM
returnil2008 the one i use
returnil2010classic

both will stop it
i also run browser sandboxed and returnil2008 on

JerryM
February 8th, 2010, 12:47 AM
A friend's similar experience convinced me to run MBAM. I am now doing so, and also SAS Pro.

Regards,
Jerry

Franklin
February 8th, 2010, 01:32 AM
With Antivirus Soft you can navigate to MBAM's program folder and rename mbam.exe to firefox.exe or opera.exe and it should run.

If on XP then Icesword can run after a coupla tries and the AV Soft process can be terminated through Icesword's GUI.

Or download and run this version of RKill. You may have to execute it a coupla times but it will eventually kill the rogue's process allowing a scan with MBAM.
http://download.bleepingcomputer.com/grinler/iExplore.exe

If, after getting rid of the rogue, you still have some strife with the internet, go to Internet Options - Connections tab - LAN Settings, then untick "Use a proxy server"....

If you are successful with renaming mbam.exe, don't forget to rename it back to the original after you're clean.
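A defender's check for the proxy step in the post above, as an added example that is not from the thread or from any of the products discussed: it audits the per-user WinINET proxy values that this kind of rogue leaves behind and offers the equivalent of unticking "Use a proxy server". The key path is the standard one; the function names and the allow list are my own assumptions.

```powershell
# Added example, not from the thread: audit (and optionally clear) the per-user
# WinINET proxy that a rogue can set to reroute browsing. Runs for the current
# user only; Get-RogueProxyReport, Clear-RogueProxy and $KnownGoodProxies are
# names made up for this example.

$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Constructed allow list: proxies you configured yourself (empty on most home PCs).
$KnownGoodProxies = @()

function Get-RogueProxyReport {
    param(
        [string]$Path = $InternetSettings,
        [string[]]$AllowList = $KnownGoodProxies
    )
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # Missing values cast to 0 / '' so the checks below work on a clean machine.
    $enabled = [int]$p.ProxyEnable
    $server  = [string]$p.ProxyServer
    $pacUrl  = [string]$p.AutoConfigURL

    # Suspicious when a proxy is enabled that is not on the allow list, or when a
    # PAC script URL is present that you never set. Either silently reroutes browsing.
    $unexpectedProxy = ($enabled -eq 1) -and ($server -ne '') -and ($AllowList -notcontains $server)
    $unexpectedPac   = ($pacUrl -ne '')

    [pscustomobject]@{
        ProxyEnable   = $enabled
        ProxyServer   = $server
        AutoConfigURL = $pacUrl
        Suspicious    = ($unexpectedProxy -or $unexpectedPac)
    }
}

function Clear-RogueProxy {
    param([string]$Path = $InternetSettings)
    # Same effect as unticking "Use a proxy server" and removing any PAC URL.
    Set-ItemProperty -Path $Path -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $Path -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $Path -Name AutoConfigURL -ErrorAction SilentlyContinue
}

$report = Get-RogueProxyReport
$report | Format-List
if ($report.Suspicious) {
    Write-Warning 'Unexpected proxy configuration found; run Clear-RogueProxy once you have confirmed you did not set it yourself.'
}
```

Re-run the report after cleaning: a proxy that reappears points at something still running on the machine, which is a better signal than the proxy itself.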

Franklin
February 8th, 2010, 06:08 AM
Checked again just now and mbam.exe will run as opera.exe with Antivirus Soft active, but this could change with any future morphed versions of the rogue, as they change installers and tactics quite often:

[screenshot attachment]

1000db
February 8th, 2010, 08:08 AM
-{ Quote: "if my browser was sandboxed - Sandboxie, DefenseWall, Geswall " }-

I would personally suggest using one of those 3 you mentioned above and throw in a fourth: AppGuard. All 4 will protect you against rogues (IMO better than a blacklist scanner). DW and AG are very easy to use without requiring the user to answer technical questions. SB, DW, and AG all have excellent support from the developers as well as help from other users here. I think that each of these programs is worth the money it costs for the paid version. The best way to proceed would be to study each of them, pick one, try it out on the system you will be using it on and see how the family responds to (or even notices) the new program.

jmonge
February 8th, 2010, 08:12 AM
if you decide to use AppGuard don't forget to include spoolsv.exe in the guarded applications list to block or prevent the TDL3 rootkit infection ;)

1000db
February 8th, 2010, 08:33 AM
-{ Quote: "if you decide to use AppGuard don't forget to include spoolsv.exe in the guarded applications list to block or prevent the TDL3 rootkit infection ;)" }-

will that cause any issues with printing? Good call mate. :thumb:

jmonge
February 8th, 2010, 08:41 AM
I don't use any printer, but if you guys do, test it ;) and see :). I guarded it to avoid this malware just in case, and for those who don't use AppGuard and don't use a printer, just disable the Print Spooler service within msconfig to avoid getting infected ;D

TonyW
February 8th, 2010, 09:03 AM
It's all well and good recommending which anti-malware programs could stop this particular piece of rogue software, but my first reaction on reading the OP's comments that the family PC "was fully updated with latest AV definitions", unless I'm missing something, was to ask why did they have Antivirus Soft on their PC at all?

Had they searched for alternative AVs? Clicked on a link in an email or on another site taking you to the Antivirus Soft site to download it? If it's either of those, I don't understand why you would do it when you already have an AV installed.

This is a widespread problem; users who are not clued up on these things are searching and downloading stuff like this that isn't necessary when they've already got adequate protection in place.

Kees1958
February 8th, 2010, 09:37 AM
-{ Quote: "My family PC was infected Mon. with Antivirus Soft. It was time consuming to research how to remove it (finally removed).
.... My family PC was fully updated with the latest AV definitions, but the PC was infected anyway with the rogue "Antivirus Soft" (part of the family of the Antivirus Live rogue).
" }-

Joseph, why try a new fake Anti Virus when you have one up and running? ;D

Seriously,

There are two approaches

Denying installs
Simply forbidding installs by other family members: run as a limited user or buy an anti-executable sort of program.

Allowing only known good installs
DefenseWall is also great for limiting the damage. Version 3 has a white list and a firewall. The whitelist lets them install safe programs automatically. Unknown programs can only install in a sort of limited user environment. When they ask for admin rights, DW will deny it and the install will fail. Best is to add a password on DW, so your family members can't install.

Online Armor paid will provide a similar objective (also a HIPS plus firewall) and the upcoming version of CIS4 (free) will also provide this (simply do not allow rights elevation = uncheck in the sandbox).

Sandboxie would not fit your need, because you have to allow your family members to save files in the real system (unless you keep everything in the sandbox and check afterwards with Buster Sandbox Analyser, for instance). When they save something out of the sandbox, you are unprotected by Sandboxie.

Partition virtualisation
With Shadow Defender or Returnil (free) it is possible to throw away all changes on the program partition. You have to move your data to another partition to get it working all right.

Undoing possible installs afterwards
You could use Comodo's Time Machine (free), Rollback, Aez-fix or First Defense to roll back to a known good snapshot instantly.

LoneWolf
February 8th, 2010, 09:39 AM
-{ Quote: "

...A) Would one of these sandbox pgms have stopped it as early as Monday, if my browser was sandboxed - Sandboxie, DefenseWall, Geswall ?" }-

Absolutely.
I was surfing the web looking for something the other day and got hit with one of these rogues (Security something or other) and as it claimed that I had 700 or so infections I knew what had to be done. So I rebooted. ShadowDefender saved the day here.
So my advice would be to add something in the lines of Sandboxing, Virtualization or HIPS.

-{ Quote: "...b) Would one of these Real-Time Scanner Pgms have stopped it as early as this past Monday - SuperAntiSpyware - Real-Time component, MBAM - real-time component ?" }-

I would add those for on-demand scanning, nothing wrong with a second opinion.

trjam
February 8th, 2010, 09:42 AM
-{ Quote: "The easiest program to install for your family would be MBAM's full version with IP protection, blocking harmful sites. And it has scheduled daily scanning.

The others mentioned would stop the program, such as sandboxie, but there are always situations where a family member can 'recover' a file and install it thinking it is safe.

Easiest option, I'd go for MBAM real-time. Family members won't know what happened (unless they see MBAM's alert), the malicious page just won't load." }-
Totally agree :thumb:

JosephB
February 8th, 2010, 10:44 AM
Tony, Kees1958,

FYI,

No, the family member was *not* trying to install any program. They said the infection came soon after one of their two last activities - either accessing a page from a Google search or accessing a PDF from a Google search.

1000db
February 8th, 2010, 10:52 AM
-{ Quote: "Tony, Kees1958,

FYI,

No, the family member was *not* trying to install any program. They said the infection came soon after one of their two last activities - either accessing a page from a Google search or accessing a PDF from a Google search." }-

There have been exploits periodically with Adobe Reader, so it could have been a PDF that caused this (I am by far no exploit expert). You also don't have to be installing anything for this to occur. For example, a few months ago I was looking for a song for my wife and when I went to a certain page a rogue was downloaded and attempted to install without any interaction from me. Fortunately, I had GW Pro, which contained it and auto-terminated the rogue's install process. I simply closed my browser and cleared my cache and it was like it never happened.

TonyW
February 8th, 2010, 10:59 AM
-{ Quote: "They said the infection came soon after either one or two last activities - either accessing a page from a google search or accessing a pdf from a google search." }-
Thanks for the information. It clearly shows one has to be on their guard at all times, along with using secondary protection measures such as the ones being suggested.

The installation of such rogue programs does happen far too often though, which is what made me think that might have happened in your case.

JosephB
February 8th, 2010, 11:08 AM
kees1958, and all,

So that I can contrast the pluses and minuses of various approaches:

1. What are the differences (if any) in the security model approaches used by "DefenseWall" and "Online Armor"?

2. Do they both fall into the sandbox pgm style category?

3. How is malware coming in via the browser handled by these 2 pgms (DefenseWall and Online Armor) to protect you?

4. What is the difference in how the user would interact to handle things? Advantages/disadvantages?

andyman35
February 8th, 2010, 11:23 AM
-{ Quote: "It's all well and good recommending which anti-malware programs could stop this particular piece of rogue software, but my first reaction on reading the OP's comments that the family PC "was fully updated with latest AV definitions", unless I'm missing something, was to ask why did they have Antivirus Soft on their PC at all?

Had they searched for alternative AVs? Clicked on a link in an email or on another site taking you to the Antivirus Soft site to download it? If it's either of those, I don't understand why you would do it when you already have an AV installed.

This is a widespread problem; users who are not clued up on these things are searching and downloading stuff like this that isn't necessary when they've already got adequate protection in place." }-
That's a fair point you make, but you're looking at it through the eyes of an advanced user rather than an average one.

When they see something pop up that looks very similar to a standard Windows security centre/dialogue box, the tendency is for them to believe what the warning says. When they read a dire warning that their system has been infected they're likely to click the button to remove said infection. They won't pay heed to such matters as the type of security software already installed, just that their AV has failed (correctly, as it happens).

Socially engineered malware is hugely prevalent for a good reason: like a confidence trickster, it plays on people's natural inclinations.

Kees1958
February 8th, 2010, 02:09 PM
-{ Quote: "kees1958, and all,

So that I can contrast the pluses and minuses of various approaches:

1. What are the differences (if any) in the security model approaches used by "Defensewall" and "Online Armor" ?

2. Do they both fall into the sandbox pgm style category ?

3. How are malware coming in via the browser handled by these 2 pgms (Defensewall and Online Armor) to protect you ?

4. What is difference in how user would interact to handle things ? Advantages/disadvantages ?" }-


DefenseWall originated from a policy HIPS (a 'sandbox') while OA originated from an anti-executable. The main difference is that DW only defends threat gate programs, but also protects you from all data downloaded by these selected programs. OA protects system wide, with some emphasis on browser protection. The paid version of OA has a superb option to make it very quiet running normal programs:
a) the white list
b) You can set OA to allow unknown programs to run, but run them as a limited user. Together with the OA protection on intrusions, this makes it nearly as easy to use, with similar protection, as DW. I think it is one of the best OA options, which is not much used, but really superb in effectiveness.

I think they are both great programs (best in their class), so you should really try them both to see what suits you best. Out of the box, DW is the easiest to use, but when you tell OA to run unknown programs as RUN SAFER, it is as easy to use as DW.

jmonge
February 8th, 2010, 08:26 PM
trjam nice avatar :thumb:

Franklin
February 8th, 2010, 09:34 PM
Fake alert installed by the rogue "Antivirus", which I think would fool most non-Wilders folks.

wscsvc32.exe - Result: 17/40

[screenshot attachment]

jmonge
February 8th, 2010, 09:38 PM
hey ;D that looks real :) maybe I'd even get fooled by that ;D ;)

Franklin
February 8th, 2010, 09:45 PM
-{ Quote: "hey ;D that looks real:) maybe i even get fool that;D ;)" }-
LOL. :)

Yep, I probably would too if I didn't have the security center disabled along with the firewall and auto updates.

jmonge
February 8th, 2010, 09:50 PM
agree man,thanks for the screenshot sample:thumb:

andyman35
February 8th, 2010, 10:46 PM
-{ Quote: "Fake alert installed by the rogue "Antivirus", which I think would fool most non-Wilders folks.

wscsvc32.exe - Result: 17/40

[screenshot attachment]" }-
Most definitely the bulk of casual users would presume this to be a standard security center and many would act upon the recommendation. You'd need to have a suspicious nature not to take it at face value.

Kees1958
February 9th, 2010, 02:59 AM
-{ Quote: "LOL. :)

Yep, I probably would too if I didn't have the security center disabled along with the firewall and auto updates." }-

Haha, nearly the same here, no auto update and no security center, so cutting down on the automatic startup of useless services can be a security measure also ;D

Kees1958
February 9th, 2010, 03:04 AM
-{ Quote: "will that cause any issues with printing? Good call mate. :thumb:" }-

You just have to try; the spooler service often gets injected into by regular programs. Could well be that printing from regular documents like Word will work, but trying to print from a preview (or PDF) will fail.

Regards Kees

bellgamin
February 9th, 2010, 03:27 AM
-{ Quote: "Out of the box, DW is the easiest to use, but when you tell OA to run unknown programs as RUN SAFER, it is as easy to use as DW." }-Kees, can you comment as to:

1- Which of these (DW or OA) uses less CPU than the other?

2- Which of these (DW or OA) seems to cause less DRAG when surfing the internet?

Kees1958
February 9th, 2010, 04:41 AM
-{ Quote: "Kees, can you comment as to:

1- Which of these (DW or OA) uses less CPU than the other?

2- Which of these (DW or OA) seems to cause less DRAG when surfing the internet?" }-

It is comparing Apples with Pears (at least when the saying is the same in English).

AD 1
OA protects programs system wide, while DW protects selected programs and selected files, so in theory OA should generate a little more overhead.

AD 2
OA has more real firewall features, while DW will score very, very well in the Matousec 'Firewall HIPS' tests (apologies Nick, Stem, Seer and other FW experts). They both have little drag in my experience. In theory DW should generate a little more overhead when starting a browser than OA.

As outlined, the differences are close in theory, so one should test it on one's own PC to get a real feel for the differences.



Regards Kees

jmonge
February 9th, 2010, 08:29 AM
if you are concerned about your brother installing malware ;D get Kees's registry tweak for the browser to block installation of software. It works, I tested it ;)

acuariano
February 9th, 2010, 09:00 AM
-{ Quote: "Haha, nearly the same here, no auto update and no security center, so cutting down on the automatic startup of useless services can be a security measure also ;D" }-

Is it OK to disable Security Center? ... Does it save resources?

captainron
February 9th, 2010, 03:16 PM
-{ Quote: "
When they see something pop-up that looks very similar to a standard Windows security centre/dialogue box,the tendency is for them to believe what the warning says.When they read a dire warning that their system has been infected they're likely to click the button to remove said infection.They won't pay heed to such matters as the type of security software already installed just that their AV has failed (correctly as it happens).
" }-

Good post. Also, lots of programs miss rogues. MBAM is regarded as excellent against rogues, but I wouldn't put 100% trust in that either. As the pic of Windows Security Center shows, or as we all have been to sites where in the middle of the screen is an alert that 'your pc has been infected, click OK to scan now'. The best anti-rogue is user education IMO. Put Web of Trust on their browser and instruct them to only visit pages marked green. WOT isn't 100% either, so if something seems off, like a weird popup they can't get out of, tell them to reboot or use Task Manager to kill their browser. If this seems too complicated then the other methods recommended in this post will be more applicable. I always try to follow the 'give a man a fish, he eats for a day; teach a man how to fish, he eats for a lifetime' philosophy and teach others who use your PC.

JosephB
February 10th, 2010, 04:19 PM
Kees1958,

DefenseWall - basic questions:

1. So, when using DefenseWall with the IE browser and the Outlook Express email client, you would then have both the IE browser and the Outlook Express email client set to "Un-Trusted" ???

2. What happens when the IE browser, set to run as "Un-Trusted", uses the Flash plugin, the Shockwave plugin, or opens an MS Office document on a particular site ??? Are you protected from Flash, Shockwave, Adobe exploits and MS Office document exploits ?
...... Does DefenseWall run these plug-ins as Un-Trusted because you marked the IE browser to run Un-Trusted --or-- do you need to somehow mark these IE plugins (Flash, Shockwave, Adobe) as "Un-Trusted" somewhere within the DefenseWall program ?

3. To protect against PDF files downloaded and then viewed in Adobe, is it best to also set Adobe Reader as Un-Trusted ? ... any disadvantages/Adobe usage limitations to doing this ?


4. What about MS Office (Word, Excel, PowerPoint) ? To protect against Word, Excel and PowerPoint files containing malware (making use of an Office file exploit) which are downloaded and then viewed in their respective Office application, is it best to set the three Office pgms as "Un-Trusted" ?
... Any disadvantages/MS Office usage limitations to doing this ?

Zyrtec
February 10th, 2010, 08:10 PM
-{ Quote: " The best anti-rogue is user education IMO. Put Web of Trust on their browser and instruct them to only visit pages marked green." }-


Hello,

I have to sort of disagree with part of your assertions. It's not about user education, it's not about not surfing shady web sites [porn, warez, etc.]. It's a new tactic those scammers are using to trick the average Joe/Jane Internet users into thinking whatever they want those users to think.

I'm almost certain that we, Wilders Forums members, have a little bit more common sense than, let's say, my grandmother [an 86-year-old lady]. How would my grandmother know, while surfing the Internet and seeing a pop-up window telling her that her PC is "infected", not to click on it? She doesn't even know what the Windows Task Manager is or what it does and probably wouldn't want to learn what it is. She just wants to surf the Net. Thus, it's very difficult for the average person not to get infected by those Fake AVs.

That is what the Fake AV creators are using to their advantage: the little computer knowledge the average PC user has. Check out the facts: the majority of the infected web pages are not the ones with porn or warez but Facebook, Twitter, MySpace, etc.

Even some people with the right skills to determine what is harmful and what is harmless on the Internet fall for these scams.

Check out this article and you'll see what I mean:

http://blog.avast.com/2010/02/10/is-george-clooney-getting-oscar-this-year/


Kind regards,


Carlos

captainron
February 10th, 2010, 08:31 PM
Good points about the 86 year old & I see how that would be difficult. At the end of the day, to be strong and in good shape you have to go to the gym, on the same note to keep scareware and rogues off your machine you should have some general knowledge. I don't think the problem can be permanently fixed without user education.

andyman35
February 10th, 2010, 09:33 PM
-{ Quote: " Also, lots of programs miss rogues. MBAM is regarded as excellent against rogues but I wouldn't put 100% trust in that either. As the pic of windows security center shows, or as we all have been to sites where in the middle of the screen is an alert that 'your pc has been infected, click OK to scan now'. The best anti-rogue is user education IMO. Put Web of Trust on their browser and instruct them to only visit pages marked green. WOT isn't 100% either, so if something seems off like a weird popup they can't get out of tell the to reboot or use task manager to kill their browser. If this seems too complicated then the other methods recommended in this post will be more applicable. I always try to follow the 'give man fish he eats for a day, teach man how to fish he eats for a lifetime' philosophy and teach others who use your pc." }-
Alas most folks don't pay any attention to security matters until after they've paid a large bill to clean up their system.

Franklin
February 10th, 2010, 09:38 PM
An unknowing user is looking for an AV and comes across the below.

At least an Aussie didn't write a glowing review. ;D

[screenshot attachments]

JosephB
March 5th, 2010, 09:15 PM
Kees1958,

Have you tested the new "Kaspersky Internet Security 2010" ?

According to its description it has all of the following features:

1. New Sandbox ("Safe Run").
2. HIPS - Folder/File Access (user can specify additional Folders/files).
3. HIPS - Registry Keys Access (user can specify additional keys).
4. HIPS - Application Access Control.

5. Firewall and Anti-Virus (of course).


.... Has anyone tested the new KIS 2010 with the new "Safe Run" sandbox and HIPS features to determine how it stacks up in terms of effectiveness against the current "tough" rogues and malware as a 2nd line of defense - in terms of its "Sandbox" and HIPS components ?
... I noticed that it is listed in the top 4 of the most recent test at Matousec.com.

kjdemuth
March 5th, 2010, 09:55 PM
It's an excellent suite. It also has low CPU usage. I think that it is currently one of the best suites out there.

mvario
March 6th, 2010, 12:40 AM
-{ Quote: "Tony, Kees1958,

FYI,

No, the family member was *not* trying to install any program. They said the infection came soon after one of their two last activities - either accessing a page from a Google search or accessing a PDF from a Google search." }-

You might want to peruse the charts on this page:
http://www.blade-defender.org/eval-lab/

Adobe Reader is one of the primary attack vectors for drive-by exploits in recent times. Personally I have removed it and use Foxit Reader instead (with java disabled, which should be done on Adobe Reader also if you insist on using it).

A sandbox program will make your system very secure as far as drive-by exploits go, but it won't protect you against things saved outside the sandbox. A sandbox is a great idea, but should be used in combination with either a good suite, or a traditional AV paired with either a behavior-based anti-malware product or a HIPS (Host Intrusion Prevention System).