Antivirus XP 2010 not blocked?

Discussion in 'ESET NOD32 Antivirus' started by jimwillsher, Mar 16, 2010.

Thread Status:
Not open for further replies.
  1. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    WOW !!!

    What a nice theory coming from some “Security EXPERTS”/ “Computer EXPERTS” [all in quotation marks].

    So, based on your assertions ALL the users that get their computers infected by Rogue AVs is because they want to install those things so badly that they would be willing to give up their lives to install the Fake AVs...WOW !!! I am astonished !

    Long story short. At work, I share a cubicle with a female colleague that very often makes POs [Purchase Orders] for our Department. Recently, our supervisor requested her to get a quotation from a vendor to purchase stationery for our offices. She browsed to Google and found a link to a reputable big company that sells all these kinds of materials. She just clicked on the link and entered the web site and started browsing for materials to purchase. All of a sudden a pop-up window telling her that her computer was “infected” appeared on her computer screen.
    She was given two choices: Click OK or Click Cancel. She clicked on the latter to make it go away and...Bang !!! You guessed it right, her PC got infected with a Rogue named “Antivirus Soft”.

    Was she looking forward to getting infected? Did she want to install a Rogue AV so badly on her PC?

    Our PCs at work run Windows XP Pro SP-3 and IE7. All of us are running as Restricted Users [an IT requirement here] on our work PCs. They have installed McAfee VSE 8.7 patch 1 on our PCs and they manage that software through ePO.

    To finish the story, her PC was trashed so badly that IT had to re-load an image of the OS. Yes, that's right. Her PC got Vundo and Koobface alongside the Rogue AV, and it even placed some files in the System32 folder under the Windows root. Besides, the Rogue AV and its acquaintances or guests destroyed the WinSock and TCP stack....and...she WASN'T running as Administrator !!!

    How do you guys “know it all” explain that?

    Thanks,

    Carlos
     
  2. jeremyf

    jeremyf Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    61

    All I want to know is who you are talking to (at)?
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I personally don't give a crap what AV you use, it will let a rogue by sooner or later. DO NOT punish one when all are in the same boat. Trying to equate rogue sites to the ability of an AV product is like wiping without toilet paper. Ya just can't do it.

    I have preached earlier, to deaf ears, that this is the biggest threat on the internet. Play it down or play it up, but a sandbox is the only way right now to solve it. Don't blame the AV vendors.:mad:
     
  4. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Read between the lines, gentlemen. If you feel yourself affected by my posts then you may have something to hide.

    Anyways, I think we are diverting from the original thread and all this is becoming apparently a troll and you know what happens here at Wilders when threads go off topic...don't you?

    The OP wanted to know why NOD32 let a Fake AV slip through infecting his PC and I think the answer should be given by an ESET Moderator or an ESET employee.

    Good night.

    Carlos
     
  5. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    I believe the necessary information for eradicating this Rogue has been addressed here and here
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well, I apologize as I am on my way out to buy a roll of Charmin. Please don't troll-inize those of us that, I can assure you, have 4 times the amount of ESET licences, which makes us something more I hope.
     
  7. jeremyf

    jeremyf Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    61
    Thanks for clarifying...
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    @spm - I'm a "support specialist" - not "security expert".
    At first - I have some doubt that in general it's possible to clean it up 100%,
    but I don't deny that you in particular can do it.

    >> I am talking about new clients

    "Clients" in your job or at work? (some kind of software office or administrating?)

    Ofc the client has no imagination of what malicious software can do, so most
    of the time he only wants to clean it up with no data loss.
    For me that is only cosmetics - it does not remove the vulnerability.
    Ofc the client's will is my order at least, but as a supporter I will suggest him
    another solution too - it's his money and time.
    As an admin I would trust you to make the right choice, nothing else to say.

    Words of Zyrtec
    Not really a choice if such a website pops up. I experienced that last week
    in a sandbox and Java did the trick - without Java nothing.
    (There was some script which started via Java the malicious website trying to install some antimalware)
    Idd - can't answer that too.
    For me the point is - how did that rogue hit the computer?
    OK, it's off the wanted answer but it can help to prevent it next time.

    I know the business versions - I know ERAS and the rest too.
    As I already mentioned it runs on all Win OSes including server and client OS.
    Without a license file it behaves like the Home (except the server installation)
    so it's possible to run ERAS on a client OS - I did with the public beta4.
    And yes - the BE comes with another license model.

    The point for me is that I would install a client version (ESET Home) on a client OS
    and a BE on a server OS or the remote accessing computer for administrating
    the clients - that can also be done with ERAS - I would prefer ERAS.
    Sorry for the inconvenience - it's your business - sometimes I'm thinking out loud.
     
  9. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    You might be able to close the browser, avoiding clicking on any part of the popup, but I don't know for sure that would work.
     
  10. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    EAVB is a bundle for business networks; the same installer goes on servers as well as client desktop OSes. It's the same package, just licensed to be able to be installed on servers too, and be managed and updated by the RAS/RAC.
     
  11. mrogowski

    mrogowski Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    1
    This is an interesting topic, one that I think will continue to plague us as time goes on. It seems that these malware writers are and will be one step ahead of the game regardless of what happens on the AV front.

    In our situation, we have Trend on the desktop and a Fortigate on our edge and this garbage still makes its way through. We will be migrating our 1500+ systems to Eset shortly but from the looks of it, we will still be facing the fake AV problem.

    We've tried to minimize our exposure by telling our users not to use Internet Explorer whenever possible. It seems however, that these fake AV writers are catching on and modifying their scripts in a way that actually launches IE in a minimized state in order to install their software. This of course is done with no user prompt whatsoever.

    So long as Internet Explorer maintains more rights to the OS than any user, we will be plagued by this problem. You can of course disable Javascript in your browser, but the usability goes down the drain as a result.

    Windows 7 does offer some hope as I recall reading where Microsoft has placed a "risk assessment module" between the OS and IE. This effectively decouples the browser from the OS without removing it completely, something MS obviously did not want to do.
    m
     
  12. Arkh

    Arkh Registered Member

    Joined:
    Jun 2, 2009
    Posts:
    10
    90% of Windows 7 Security Flaws eliminated by removing Admin rights - 100% of IE8 vulnerabilities are also resolved, according to the article listed below. The whitepaper is also listed below.

    Trolling seems to be abundant in this thread. :cautious:

    Article) http://arstechnica.com/microsoft/ne...-flaws-mitigated-by-removing-admin-rights.ars

    Whitepaper) http://www.beyondtrust.com/download...ust_2009_Microsoft_Vulnerability_Analysis.pdf

    To OP, if you haven't already submitted a log to the Sysinspector, please do so.
     
  13. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    As I stated in my earlier reply...you can get whacked if you're using Firefox. ;)
    IE8 is actually more immune to these. They're exploiting flash and java, and pdfs.

    On my SMB clients that I have more control and regular maintenance over....I've cut down substantially on these rogues by implementing a few other things.
    *I use OpenDNS for their DNS forwarders. Be it on the router with peer to peer networks...or if I'm using Active Directory...I set the DNS forwarders to OpenDNS. OpenDNS can help cut down on malware by blocking known malware distribution sites....frequently updated.
    *Untangle UTM appliance at the edge of the network....additional antivirus/malware/spyware scanning done at the gateway. The days of plain old NAT routers for SMB networks are dead IMO, UTM appliances at the edge are needed these days.
    *Keep Flash, Java, and Adobe Reader updated.
    *Maintain Microsoft Updates (WSUS FTW)
     
  14. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Some interesting discussion. I know users who have Firefox, and by default they think that's enough.

    How many actually change the default option from saving files to 'asking where to save files?' It's a simple option that will provide an additional prompt where the user can select 'cancel', 'I didn't ask or mean to save that!!'.

    Send an email out to staff: those using Firefox, please change the default setting. Install the WOT addon, that will help. I can't tell you how many rogue links I've tried that are blocked by WOT ( www.mywot.com ) or McAfee's SiteAdvisor ( http://www.siteadvisor.com/download/windows.html ) which will redirect a threat to McAfee's page.

    Encourage users, eg person working next to you, to install the free version of WinPatrol. http://www.winpatrol.com/

    If they don't know how to click alt+ctrl+del and shut down an active task, they can click on the dog, and 'active tasks'. They're able to shut down any program causing them grief, including a locked up IE or Firefox.

    I've tried a lot of rogues; I was even testing a malicious site sandboxed, and it not only locked up the browser and provided so many prompts, but in full screen you couldn't access the task manager anyway. But that wasn't in a popular google search, I went looking specifically for it.

    If that occurred again, best method would be for a user to either logoff, which will force a shutdown of all active programs, or complete shutdown. In the event of a full screen million pop-up rogue asking you to install, that allows you to not even access the task manager, hold the power button and shut the system down (you kidding me buddy?!). Might only need to do it once a year, but some temporary loss of data is better than a possible reformat. Support staff can then either perform system restore or additional scans (Clearing of temp data etc).

    User education is key.
     
    Last edited: Apr 3, 2010
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    Firefox in its original state is more secure than IE ever was.
    are the most common plugins which make it leaky.
    Flash exploit - PDF exploit - Java exploit - Java in conjunction with JavaScript.
    By default Firefox uses the website blocker from Google.
    Ofc the settings should be revised before first use - e.g. JavaScript settings

    >> IE8 is actually more immune to these.

    The major point here is the internal sandbox of IE and the possibility for a breakout.
    Mozilla has nothing to answer that feature (yet).

    >> User education is key.

    Idd - anything is useless when the click on OK is too fast.
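    Saraceno's advice above to switch Firefox to 'ask where to save files', and Brummelchen's point that the Google-fed website blocker and the other settings should be checked before first use, can both be verified from the profile's prefs.js rather than by clicking through the options dialog. The script below is an added example, not code from this forum or from Mozilla: it parses `user_pref(...)` lines and reports every setting that differs from the hardened value. The two sample profiles are constructed, and the Firefox 3.x built-in defaults listed in CHECKS are assumptions to confirm against the version actually deployed.

```python
import re

# Matches one prefs.js / user.js line such as:  user_pref("browser.download.useDownloadDir", false);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text; booleans, ints and strings are typed."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.groups()
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything else as the raw token
    return prefs

# (pref name, assumed Firefox 3.x built-in default, value we want, reason)
CHECKS = [
    ("browser.download.useDownloadDir", True, False,
     "prompt for a save location instead of saving silently to the download folder"),
    ("browser.safebrowsing.enabled", True, True,
     "keep the Google phishing block list enabled"),
    ("browser.safebrowsing.malware.enabled", True, True,
     "keep the Google malware block list enabled"),
]

def audit(prefs):
    """Return a list of (pref, actual, wanted, reason) for every check that fails.
    A pref missing from prefs.js is at its built-in default."""
    findings = []
    for name, default, wanted, reason in CHECKS:
        actual = prefs.get(name, default)
        if actual != wanted:
            findings.append((name, actual, wanted, reason))
    return findings

# Constructed sample: a fresh profile where the user switched the malware list off
# and never changed the download behaviour (so it sits at the built-in default).
WEAK_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("network.cookie.cookieBehavior", 0);
'''

# Constructed sample: the same profile after the advice in this thread was applied.
HARDENED_PREFS = WEAK_PREFS.replace(
    'user_pref("browser.safebrowsing.malware.enabled", false);',
    'user_pref("browser.safebrowsing.malware.enabled", true);\n'
    'user_pref("browser.download.useDownloadDir", false);')

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PREFS), ("hardened", HARDENED_PREFS)):
        print(f"{label}: {audit(parse_prefs(text)) or 'no findings'}")
```

    To enforce rather than merely audit, the wanted `user_pref` lines can be placed in a user.js file in the same profile directory; Firefox copies user.js values into prefs.js at every start, so a user who flips the option back in the dialog is reset the next time the browser opens.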
     
  16. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Version 4.0 is where Firefox should be more closely aligned to Chrome. 3.7 says it will move flash to the computing process, avoid crashes (not sure how this will improve security?)

    It's tough though, run an IP blocker like malwarebytes paid, people will complain. Give them sandboxie, they'll complain it's too difficult to work out.

    ThreatFire, could be an option, although people say here it slows their system down, its alerts are clear and should prevent more serious attacks.

    At the end of the day, it's learning to hover the mouse cursor over a link or 'advertisement' and seeing where it points to (since I showed friends, they must look at where a link is taking them, and long random links are no go zones, no problems). People are clicking, and then asking, 'now where am I, what is this?'. Like opening random doors on the street, and asking whose house is this? Dude with a shotgun blows their head off. :D

    I know browser re-directs happen, and some advertisements look legitimate, but people are clearly not spending that extra 10 seconds to look at what and where they're clicking on. And when it comes to attachments, 'check this out, this is funny', they open it. Buddy, do you need a quick laugh at the risk of losing several months of important work? There'll be a way to take that smile from your face.

    Security programs have to strike a fine balance between rock solid security, and a ton of prompts, and user convenience. Here's another analogy for the day, cause I love em. I get the car sideways as I leave my house coming into the first corner, I stomp on the (good old standard) brakes but crash into someone's front fence. Do I blame the car brakes as being poor?
     
    Last edited: Apr 3, 2010
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    Firefox v4.0 is going 3.6.5 - the actual codename is "Lorentz" - btw I use it at this moment.
    But afaik the Lorentz feature supports only separate instances for plugins - so
    if the plugin crashes (commonly Flash) it does not crash the browser too.

    >> Give them sandboxie, they'll complain it's too difficult to work out.
    :D

    ThreatFire idd slows me down also - I would say any behaviour blocker would do that.
    Even Malware Defender does - I experienced some minor lags while online gaming
    and MailWasher is active - without MD I have very little to nothing.

    In the German Firefox forum we had an issue in the last days with Unicode JavaScript
    decrypting to HTML with Flash and some other bad crap in it.
    That is one example which needs to be filtered - eliminated before the browser renders it.
    Otherwise you have to be fast with keyboard and mouse clicks to close the tab :D

    anyway you got the points :thumb:
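    The Unicode-escaped JavaScript that Brummelchen describes, script text that only turns into HTML with Flash content once the browser decodes it, is exactly what a gateway or proxy filter should look at before the page reaches the renderer. The script below is an added example, not code from this forum or from any product named in the thread: it pulls every script block from a page, decodes `\uXXXX` escapes the way a JavaScript engine would, and flags blocks whose plugin markup only appears after decoding. The sample page and the 30% escape threshold are constructed assumptions; `placeholder.swf` is a placeholder name.

```python
import re

SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
UNICODE_ESC = re.compile(r'\\u([0-9a-fA-F]{4})')
MARKUP_RE = re.compile(r'<\s*(object|embed|iframe|applet)\b', re.I)
PLUGIN_RE = re.compile(r'\.(swf|jar|pdf)\b', re.I)
ESCAPE_THRESHOLD = 0.3  # assumed: flag when escapes make up over 30% of the script text

def unescape_js(script):
    """Decode \\uXXXX escapes the way a JavaScript engine would inside a string literal."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), script)

def analyse_page(html):
    """Inspect every <script> block; return one dict per block with the decoded text and flags."""
    results = []
    for block in SCRIPT_RE.findall(html):
        decoded = unescape_js(block)
        n_esc = len(UNICODE_ESC.findall(block))
        escaped_fraction = (n_esc * 6) / len(block) if block else 0.0  # each escape is 6 chars
        flags = []
        if escaped_fraction > ESCAPE_THRESHOLD:
            flags.append("heavy-unicode-escaping")
        # Plugin markup that is invisible in the raw text but present after decoding
        # is the pattern described in the thread: the page hides what it will render.
        if MARKUP_RE.search(decoded) and not MARKUP_RE.search(block):
            flags.append("markup-hidden-by-escaping")
        if PLUGIN_RE.search(decoded):
            flags.append("plugin-content")
        results.append({"decoded": decoded,
                        "escaped_fraction": round(escaped_fraction, 2),
                        "flags": flags})
    return results

def should_block(html):
    """A gateway filter would drop the page when any script block raised a flag."""
    return any(r["flags"] for r in analyse_page(html))

# Constructed sample page: the first script hides an <object> pointing at a Flash file
# behind \u escapes, the second script is ordinary code and must not be flagged.
SAMPLE_HTML = r'''<html><body><p>Office supplies</p>
<script>document.write("\u003c\u006f\u0062\u006a\u0065\u0063\u0074 data=\u0022placeholder.swf\u0022\u003e\u003c/object\u003e")</script>
<script>var total = 1 + 2;</script>
</body></html>'''

if __name__ == "__main__":
    for i, r in enumerate(analyse_page(SAMPLE_HTML)):
        print(i, r["escaped_fraction"], r["flags"], r["decoded"])
    print("block page:", should_block(SAMPLE_HTML))
```

    The check deliberately compares the decoded block against the raw block: a page that writes an `<object>` tag in plain text is ordinary web content, while one that only produces that tag after decoding is hiding it from simple string filters, which is the behaviour worth flagging.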
     
  18. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    or not allow javascript and other scripting except for Trusted site(s). Not that it helps if the Trusted sites are infected ;)
     