Wilders Security Forums  

#1
January 23rd, 2010, 01:09 PM
flateric1975
Infrequent Poster
Join Date: Dec 2009
Posts: 34
Is the virus risk gone up?

I am worried. Can someone assure me that ESS 4.2 100% locks your PC?

I had 2 boxes come up in Firefox today.

It says my AV is disabled and I have 4 viruses on C and 4 viruses on D (DVD-ROM drive).

An exe file wanted to install; I had to cancel it myself...

The box would not go away; I had to restart the PC.

ESS 4.2 did not flag up any risks or threats. I did a full scan with it... found nothing.

Why did it not detect it or flag it?

If I set OK to install, I think this exe file would have installed?

Does it block virus installs / trying to?

KIS used to
#2
January 23rd, 2010, 10:35 PM
nikanthpromod
Very Frequent Poster
Join Date: Oct 2009
Location: India
Posts: 1,368
Re: Is the virus risk gone up?

That's a rogue antivirus. Just close it. Don't install.
Rogues give you fake alerts.
No Av can effectively block Rogues.

If you think you are infected, try the ESET rogue remover
http://kb.eset.com/esetkb/index?page...&id=SOLN2372#1

Also try "Malwarebytes Antimalware".
That will remove those rogues.

Marcos (ESET mod) wrote in another thread:
Quote:
Well, since the rogue AVs are changing extremely frequently, it's important not to rely solely on antivirus programs.

Practice safe browsing.
http://www.wilderssecurity.com/showp...94&postcount=4
__________________
Windows 7 Home premium x64
WEBROOT Secure Anywhere Complete

#3
January 24th, 2010, 07:29 AM
flateric1975
Infrequent Poster
Join Date: Dec 2009
Posts: 34
Re: Is the virus risk gone up?

Thanks for the reply.

I just did a clean install of Win 7 (64-bit) and it just shocked me. The reason I was worried is because the system was not fully set up, i.e. updates, though ESS 4.2 is running.

I did close it, and I have read and seen on TV about fake programs. In a way it made me laugh because it said my DVD drive was infected yet no disk in it... plus I was using Firefox 3.5 yet have 3.6 installed.

I feel sorry for the ones who fall for it...

If someone had clicked install in error, for example, would ESS 4 block the install / exe?
#4
January 24th, 2010, 10:10 AM
nikanthpromod
Very Frequent Poster
Join Date: Oct 2009
Location: India
Posts: 1,368
Re: Is the virus risk gone up?

Quote:
Originally Posted by flateric1975
If someone had clicked install in error, for example, would ESS 4 block the install / exe?

I think No.
I already wrote
Quote:
No Av can effectively block Rogues.

You can use Malwarebytes' real-time protection for blocking all types of rogues.
In my opinion MBAM is the only Antimalware that detects all types of rogues.
__________________
Windows 7 Home premium x64
WEBROOT Secure Anywhere Complete

#5
January 24th, 2010, 02:39 PM
PaulB2005
Frequent Poster
Join Date: Apr 2005
Posts: 525
Re: Is the virus risk gone up?

Quote:
No Av can effectively block Rogues.

That should read

No Av can effectively block ALL Rogues.
__________________
ESET NOD32 Anti Virus 4.2.64.12
AMD 64 X2 4400+
Asus A8N-SLi Deluxe (Bios 1016)
3 Gb RAM
Sony DVD-RAM AW-G170A
Seagate ST3200820AS (200 Gb Main Drive)
#6
January 25th, 2010, 02:46 PM
dwmtractor
Infrequent Poster
Join Date: Dec 2009
Location: San Jose, CA
Posts: 46
Re: Is the virus risk gone up?

Actually, this notion that "no AV can effectively block (all, some, most, any) rogues" sounds like a cop-out to me. Certainly, no SIGNATURE-BASED algorithm will be able to do so, but what about the much-vaunted heuristics of this and all the other AV programs?

My opinion is neither humble nor unbiased, but it seems to me that ThreatSense ought to be able to tell when a browser-launched app tries to install itself, replicate itself, put ANYTHING in the auto-run portions of the registry, and similar behaviors. I am really not pleased that ESET does not do this.
#7
January 25th, 2010, 05:08 PM
guest
Posts: n/a
Re: Is the virus risk gone up?

From what it seems, it was only a simple web pop-up on a website... And probably a javascript code that wanted to download a file. If you are not downloading the file, there is no virus on the computer to remove since the messages are only web pages...

Alex

edit: don't know if you will answer to that... but what website were you visiting?
#8
January 25th, 2010, 06:22 PM
dwmtractor
Infrequent Poster
Join Date: Dec 2009
Location: San Jose, CA
Posts: 46
Re: Is the virus risk gone up?

Quote:
Originally Posted by guest
From what it seems, it was only a simple web pop-up on a website... And probably a javascript code that wanted to download a file. If you are not downloading the file, there is no virus on the computer to remove since the messages are only web pages...

Alex

edit: don't know if you will answer to that... but what website were you visiting?

Not entirely true. In my experience at least some of the pop-ups are structured so that the entire pop-up window is a clickable graphic linking to the install of the rogue program... this includes clicking on that red X that looks like an XP "close" button. So the unwary user (which is a lot of my users) manages to install the rogue program even while they're trying to close the box. This is true of a number of Antivirus 2010 infections, for sure.

We need an heuristic filter that offers the user the opportunity to accept or reject ANY attempt to install code from a web page. This is a real and currently-evolving problem on the internet, and signatures aren't enough as the zero-day versions keep coming.
#9
January 26th, 2010, 12:07 AM
guest
Posts: n/a
Re: Is the virus risk gone up?

Well, a pop-up without real controls is only possible to do with javascript right?... I do hate scripting on the internet...

Then... If you click the popup... How can it install the software? I mean... If you click, it should give you another popup from the browser saying that you are downloading something... and ask you where you want to save it.... Then you have to click on execute OR save it and execute it in order to be infected...

Am I missing something?..

Alex
#10
January 26th, 2010, 12:28 AM
guest
Posts: n/a
Re: Is the virus risk gone up?

What I mean is that, even if there is a flaw in the browser that can do a drive-by download (almost always caused by JavaScript), how will the code be executed without the user??..

I must be missing something...
#11
January 26th, 2010, 11:05 AM
dwmtractor
Infrequent Poster
Join Date: Dec 2009
Location: San Jose, CA
Posts: 46
Re: Is the virus risk gone up?

Quote:
Originally Posted by guest
What I mean is that, even if there is a flaw in the browser that can do a drive-by download (almost always caused by JavaScript), how will the code be executed without the user??..

I must be missing something...

Actually, sometimes it's simpler, and therefore more insidious than that. I have seen popups that are nothing but a jpg or animated gif which is also an image map... with the entire map being one single user-intervention link. No matter where you click: the "OK" button, the "Cancel" button, or the red XP-style "X", the result is the same... a file is downloaded and installed.

I don't know how it happens, but I have also seen Browser Helper Objects installed, and/or files dropped in C:\%windir%\System32 or other directory, with the code to call those files inserted into one of the on-start registry keys, in situations where my users CLAIM to have done nothing but close their browser when the bad screen popped up. I've not been able to replicate it as nobody seems able to tell me which website(s) they were on when it happened; but I can say that not everyone who's told me this story is a complete idiot. I wish I could say more, but without a testbed that I can risk infecting, I have not been able to duplicate it.

I'm gonna have to create a couple of clean VMs just so I can mess with these baddies when they show up; just haven't had time yet. . .

Nevertheless, my point remains, that some of these popups are engineered to make the user think s/he is saying "no" when they are actually performing the necessary "user intervention" to install the malware.
#12
January 26th, 2010, 11:52 AM
guest
Posts: n/a
Re: Is the virus risk gone up?

Yeah right... So you need a bit of javascript code that will download a file and also a flaw in the browser that will allow that code to be executed!...

AND you need to have UAC disabled in order for it to be completely invisible...
#13
January 26th, 2010, 12:11 PM
BedreAntivirus
Regular Poster
Join Date: Mar 2008
Posts: 91
Re: Is the virus risk gone up?

Quote:
Originally Posted by flateric1975
Thanks for the reply.

I just did a clean install of Win 7 (64-bit) and it just shocked me. The reason I was worried is because the system was not fully set up, i.e. updates, though ESS 4.2 is running.

I did close it, and I have read and seen on TV about fake programs. In a way it made me laugh because it said my DVD drive was infected yet no disk in it... plus I was using Firefox 3.5 yet have 3.6 installed.

I feel sorry for the ones who fall for it...

If someone had clicked install in error, for example, would ESS 4 block the install / exe?

It's also fun to get an XP-style window on Vista/7 Aero :p
If you didn't open it, it didn't happen is what I usually go by
#14
January 26th, 2010, 12:52 PM
dwmtractor
Infrequent Poster
Join Date: Dec 2009
Location: San Jose, CA
Posts: 46
Re: Is the virus risk gone up?

Quote:
Originally Posted by guest
AND you need to have UAC disabled in order for it to be completely invisible...

Can you say "Windows XP?"

My point is, sure there are other lines of defense--some of them user-compliance more than system--if there weren't, I'd have gotten the infections on my own PC which I have not. That does not, IMO, excuse the companies who purport to defend against malware from designing a heuristic that says "browser- or email-launched routines that write to the registry, add a BHO, write to hosts file, or create a local proxy, are usually bad, and should at least be interrupted with a query, if not blocked outright." That simple behavioral screen would interrupt next to no legitimate activity, but it'd stop a lot of malware in its tracks.
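The behavioural screen proposed in post #14, sketched as an added example; it is not part of the thread and is not ESET's or any vendor's code. The event format, the process names and the sample data are constructed, and "create a local proxy" is modelled here, as an assumption, by a write to the Internet Settings ProxyServer value.

```python
import re

# Assumed list of browser and mail client image names for this sketch.
WEB_FACING = {"firefox.exe", "iexplore.exe", "outlook.exe", "thunderbird.exe"}

# The four behaviours named in the post: (label, action type, target pattern).
RULES = [
    ("autorun registry write", "reg_write",
     re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?(\\|$)")),
    ("BHO registration", "reg_write",
     re.compile(r"\\explorer\\browser helper objects\\")),
    ("proxy setting change", "reg_write",
     re.compile(r"\\internet settings\\proxyserver$")),
    ("hosts file write", "file_write",
     re.compile(r"\\system32\\drivers\\etc\\hosts$")),
]

def web_origin(pid, procs):
    """Walk the parent chain; return the first browser/mail ancestor, or None."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, parent = procs[pid]
        if name.lower() in WEB_FACING:
            return name
        pid = parent
    return None

def evaluate(event, procs):
    """Return ('prompt', reason) or ('allow', None) for one monitored event."""
    origin = web_origin(event["pid"], procs)
    if origin is None:
        return ("allow", None)
    target = event["target"].lower()
    for label, action, pattern in RULES:
        if event["action"] == action and pattern.search(target):
            return ("prompt", f"{label} by {origin} or its descendant")
    return ("allow", None)

# Constructed sample data: pid -> (image name, parent pid), then events.
PROCS = {4: ("explorer.exe", 0), 100: ("firefox.exe", 4),
         200: ("setup_fake_av.exe", 100), 300: ("regedit.exe", 4)}
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"pid": 200, "action": "reg_write", "target": RUN + r"\fakeav"},
    {"pid": 200, "action": "file_write", "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"pid": 300, "action": "reg_write", "target": RUN + r"\tool"},
    {"pid": 100, "action": "file_write", "target": r"C:\Users\u\Downloads\report.pdf"},
]
VERDICTS = [evaluate(e, PROCS) for e in EVENTS]
```

The rule keys on process ancestry rather than on a file signature, so the same autorun write made from regedit started by the user is allowed while the one made by a browser-launched installer produces a prompt.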
#15
January 26th, 2010, 12:55 PM
dwmtractor
Infrequent Poster
Join Date: Dec 2009
Location: San Jose, CA
Posts: 46
Re: Is the virus risk gone up?

Wikipedia's article on UAC says it better than I could:
Quote:
Microsoft home operating systems (such as MS-DOS, Windows 95, Windows 98 and Windows Me) did not have a concept of different user accounts on the same machine, and all actions were performed as super user. Windows NT introduced multiple user accounts, but in practice most users continued to operate as super user administrator for their normal operations. Further, many applications tend to assume that the user is super user, and will simply not work if he or she is not.

This is true right up to XP. Further, in a business environment, far too much business-critical software is still mis-programmed to require admin-level rights for the day-to-day user. It's bad, but it's true. Result: we need malware defenses that stand in the gap created by computing environments we may not have the opportunity to change, at least for now.
 

All times are GMT -4.