Antivirus XP 2010 not blocked?

Discussion in 'ESET NOD32 Antivirus' started by jimwillsher, Mar 16, 2010.

Thread Status:
Not open for further replies.
  1. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Hi,

    One of our users managed to get duped into installing XP Antivirus 2010 yesterday. It's an XP Pro machine and they're running EAVBE 4.0.474.

    I find it very worrying that a user can click a link and install XP AntiVirus 2010, and ESET didn't block anything?

    Needless to say, the only safe solution was to wipe and reinstall their PC, which I did last night. But surely such well-known malware as this should have been blocked?

    Jim
     
  2. timid

    timid Registered Member

    Joined:
    Mar 3, 2010
    Posts:
    22
    If the user allows an installation to run, and the program itself causes no harm - it only displays false positives to force the user into buying the full version or whatever - there is no real threat.
    If you want to detect it by heuristics you will have millions of false positives, and if you add it to the virus definitions, there are a lot of different versions each day. So it would be impossible to keep track of all of them, and real threats would have more free space if developers focused on users' "click everything that says OK" attitude.

    So the only reasonable solution is for the user to read properly what he or she is agreeing to.

    This is clearly the user's responsibility.

    btw here is a how-to for removing XP Antivirus 2010 ;)
     
  3. Rolando57

    Rolando57 Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    24
    Same happened here a few weeks ago with Antivirus Plus.

    Scanned the machine with Avira from a bootable CD and it quarantined the program files.
     
  4. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    timid, sorry but I disagree. Many users are quite naive and when they see the web page with a fake virus scanner running, they click the button to install. Education, I know, but I'm still very surprised that ESET didn't even flinch.

    XP Antivirus 2010 takes over a system. It links into Windows Security Centre, the av.exe process restarts after it's killed, etc. You can't seriously say that it's not a nasty program?

    Jim
     
  5. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    it's not a dangerous program, but it blackmails/scams the user - if that's not the very definition of potentially unwanted, I don't know what is.
     
  6. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Exactly. And we have the "potentially unwanted" option selected.

    Jim
     
  7. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    Yes, we had this happen last week also but it was labeled Antivirus SE. Unfortunately MalwareBytes completely deleted the files so I wasn't able to submit them to be analyzed.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    There is a long related thread here
    The Rogue remover may work. As previously posted in this thread, there are instructions on how to remove this rogue. Note that no AV can detect everything.

    Regards,
     
  9. Arkh

    Arkh Registered Member

    Joined:
    Jun 2, 2009
    Posts:
    10
    Why does the user have Administrator rights in the first place? If they're incapable of telling the difference between a fake antivirus popup and a real one, I can't imagine why it would be a good idea to allow them admin rights on the local machine.

    Secondly, I understand the frustration, but no AV provides immunity. I had this same infection on a user's laptop that was running AVG Pro, it didn't catch it either.
     
    Last edited: Mar 16, 2010
  10. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Legacy software. Datafile and Sage (their version) won't run without admin rights.


    Jim
     
  11. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    The user in my organization that received AntiVirus SE does not have administrative rights to the computer however AntiVirus SE still made it through. The machine is running Windows XP SP3 fully patched. My guess is the exploit came through Adobe Flash, since Flash was a couple versions behind.

    If only we could get rid of Adobe Flash once and for all........
     
  12. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    It really upsets me when I read people with apparently some computer knowledge affirming that people that get infected by these kind of threats are “happy clickers” [ people that click on everything they see on their computer screen].

    Even though I have never been infected by this kind of Internet garbage, I have been on the verge of getting infected. For example, the other day I was searching Google for some information about computer power supplies and I came across a link that seemed benign and clicked on it, only to realize that it landed me straight on a Fake Scanner page. I was prompted by the Fake Scanner page dialog box to choose one of two things: [1] Click OK or [2] Click Cancel; either decision would have had exactly the same effect, to download and install a Rogue AV on my computer without my knowledge.

    Because I was smarter than that I just right clicked on the Windows taskbar and Started the Task Manager effectively killing the iexplore.exe process and avoiding myself a headache.
    How many people would know exactly what the right thing to do is upon being prompted by a Fake Scanner page? At least my 86-year-old grandma wouldn't.

    I think that sandboxing the browser would be a good start, but I would also recommend my folks at ESET come up with some kind of refined heuristics so they can detect EVERY variant of the same Rogue AV. What is the point of issuing a new signature for every single variant of the SAME Fake AV? If you keep doing it like this you will need to have 10,000,000 signatures to be able to catch just ONE of the hundreds of Fake AVs out there. [e.g.: the Rogue AV named "Security Tool" has more than 100 variants and at least 5 - 10 appear daily]

    I have observed MBAM [Malwarebytes Anti-Malware, which happens not to be a full-fledged AV] wipe out every single Rogue AV you throw at it, and it doesn't need to issue a new signature when the Rogue AV writers change the MD5 of their nasty creation.

    How can ESET make NOD32 better than it currently is? Please give it a thought.

    Regards,

    Carlos

    P.S.: Please stop claiming the Rogue AVs are harmless applications, because they are installed on your PC through Trojan Downloaders and they in turn also come bundled with the Vundo virus, Koobface worm, TDSS rootkit and much more garbage.
     
  13. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    That's 100% right. You do not need to be running as Administrator on the local computer for those Rogues to install. At the department of the company I work for, last week 14 people got hit by the "Cleanup Antivirus" Rogue and none of them were running as Administrators on their PCs.


    Regards,

    Carlos
     
  14. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Exactly......what it tells me, is that they are "wanna be" IT people, that they don't actually have a good grasp on the subject.

    So many people think it's the end users fault that they got infected. "Ahh..shouldn't have gone to that midget porn website" or "shouldn't have installed that waterfall screensaver" or..."Shouldn't have downloaded that 'free' movie and codecs.." While many of those are true....the way rogue/fake alerts are working these days is targeted at the average "safe" web surfer. The people spreading these rogues are hacking websites out there...legit ones, websites people go to all the time. Or working through ad banners. One day you could go about on your normal daily morning surfing through your usual 10x websites that you go to every morning..the same ones you've been going to every day for years...and one of those websites could have been hacked last night..and BAM...you're infected.

    I myself, last winter, while surfing the united auto workers website during the "big 3 gov't buyout" debate...I was using Firefox...BAM, personalantivirus (PAV..one of the common rogues last year) jumped up on my screen. My eset didn't even notice it. Luckily, due to my job...I had huge experience with rogues, I recognized what it was, within milliseconds I was shutting it down via task manager, and going to check the usual spots on my computer where PAV infected you...because I had it memorized after many months of cleaning infected rigs, even though Eset hadn't yet recognized it..lol.

    The other thing I notice...so many people are quick to claim "what are they doing with local admin rights?". I see home users who think they know a little bit of computers always say this, and I see IT guys from big enterprise often say this. If we're talking about an SMB setup here (small to medium network)...it's accepted common practice for domain users to have local admin rights. Lots and lots of LOB (Line Of Business) software requires this. Sorry, but it's true. SMB is too small to have full time IT staff to perform upgrades and maint on this software. It's accepted and common practice that they take care of themselves, calling in a consultant only for big jobs...as their budget allows.
     
  15. Arkh

    Arkh Registered Member

    Joined:
    Jun 2, 2009
    Posts:
    10
    I apologize for the miscommunication. I wasn't trying to imply that removing admin rights makes a user immune to virus/malware infection. I was merely commenting on the fact that the OP commented on the fact that his users were naive and didn't know better than to click 'OK' on a fake scanner dialog box. I can only assume that these users probably also have every single IE toolbar known to man and every other piece of junk that gets bundled with certain applications. (This is just commentary, I'm not pointing fingers at anyone, just commenting on what was said previously)

    To the person that commented on Malwarebytes picking up every variant, that is not true. I've had several removal troubleshoots where I had to use something other than Malwarebytes to detect and remove the infection. (Albeit 98% of the time Malwarebytes gets the job done)

    I do find it extremely hard to believe that people are getting infected without any user interaction. I run my home PC without any AV, or personal firewall and have done this for over 10 years now. I've never been infected in my entire life without willingly clicking on something or downloading something that I was about 90% sure was bad idea to do. I've never seen an infection just magically spread to users because they browsed to a legitimate website and didn't click on something. Can someone link me to evidence otherwise?
     
  16. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    As mentioned above, a simple Google search can land you on a compromised/fake website. They usually use Javascript or vulnerabilities in acrobat/flash plugins to initiate a drive-by download.
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    >> It's an XP Pro machine and they're running EAVBE 4.0.474.

    Running a server version on a client machine? :blink:

    Then - have you considered giving the user a LUA (limited user account)?
    And letting him elevate some programs to admin level with "run as..."?
    GPO is a powerful option for that.
    On the other hand - using a secure browser?
    The trouble here seems to be that the user clicked OK without any thought.
    Either the user missed it by accident - or he should be limited because the user is no pro or power user who can help himself get rid of it.
     
  18. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Indeed. It looks like it was a toolbar called "Alot", which I've never encountered, that let it in.

    Errm.......eh? ESET AntiVirus Business Edition. Has exactly what to do with being a "server version" please?

    Jim
     
  19. Arkh

    Arkh Registered Member

    Joined:
    Jun 2, 2009
    Posts:
    10
    I'm not sure if linking to off-site pages is permitted on these forums, but a quick google search for IE toolbar vulnerabilities will point you to quite a few known issues with IE toolbars that allow for malicious attacks.

    As stated before, no AV provides 100% immunity. So coming to the forums and complaining because something slipped through (that has also been shown to be slipping through other AVs) is pointless. I don't understand how you expect ESET to somehow prevent a user from willingly clicking and installing malicious software 100% of the time. AV software is security IN ADDITION to having a fully patched machine. The system still needs to be fully patched and kept up to date with software updates.

    On a side-note, I tried running a Malwarebytes scan on this exact variant that you are discussing, and it did not detect it. AVG Pro also did not detect or remove it. So I don't see how you can argue that "other AV" solutions are doing a better job, when in fact they are not.
     
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    "Business" runs also on Windows Server, not only on client Windows.
    It was ostensibly built for server use - in combination with a license file to download updates and share them on the intranet with clients.
    BE also contains remote access to clients - not sure if that feature is activated with a license file - my home version does not have it.

    ofc - there is no limit to using BE on a client - with a license file, Home and BE will act the same and can mirror updates.
     
  21. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    There is such a lot of nonsense being written in this thread. There are people with "a little IT knowledge" criticising others who they claim only have, err, "a little IT knowledge".

    The rogue infections are getting more sophisticated all the time. They are dangerous - they succeed in conning lots of users into releasing their credit card details. They also do not just infect users running with admin rights - more and more infect users running in restricted accounts just as easily. These polymorphic infections change routinely in ways sufficient to bypass almost all signature-based AVs - by the time signatures have been added and pushed out to users, the rogues have morphed sufficiently to make those signatures all but useless. One AV vendor has reported approx. 60,000 new variants of these nasties every day. I'm afraid the answer is not (yet) sandboxing - today's sandboxing product offerings are beyond the understanding/capabilities of the average computer user. Any product which requires the user to have IT knowledge beyond that required for the user to use their IT is a non-starter in my book. You don't have to be a mechanic to drive a car, so why do vendors believe you have to be an IT whizzkid to use computers?

    I clean these rogues off of (my clients') computers every day - I never rely on automated tools to do the job for me, because I know there is none that will reliably succeed. MBAM is good at what it does, but it is far from 100% effective. No, I boot the client's machine into a custom-built WinPE-based rescue CD or USB stick, unhook the rogue from the client's registry and delete the rogue's primary files and folders. Then I boot back into the client's Windows and remove the important remnants (like proxy server settings, local policy settings, etc.) and use tools like MBAM to finish off the now-orphaned bits and pieces. Knowing how these rogues hook themselves in is key to this approach, and I have been (so far) 100% successful in removals.

    In the (current) absence of any effective tool to deal with rogue infections, the best way I have found to tackle this issue is by targeted user education: i.e., to undo the social engineering these rogues use to further themselves. The idea is simple: make sure the user is familiar with what their own security software looks like - this is actually quite an easy task. Then, any security alert that is not from their own (known) software is - by definition - fake. Drill into them the need to react properly the first time: as Zyrtec recognised, it is crucial the user does not interact with the initial fake alert in any way. Train the user to go straight to their start button/orb and restart their computer. More often than not, this will stop the rogue taking hold.

    Training users on an individual or group basis is easier than you think - it only takes a few minutes. Of course, training the masses is another matter altogether...
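    Editor's added example, not code from the thread, from ESET or from any poster: a read-only audit of the generic Windows locations that the two posts above touch on - the autostart hooks that let a process like the av.exe jimwillsher describes come back after being killed, the Winlogon shell/userinit values, the proxy and local-policy settings spm clears after booting back into Windows, and the Security Center registration the rogue uses to pose as the installed antivirus. It assumes Windows XP-era PowerShell 2.0 run inside the affected installation (for example from Safe Mode); from WinPE you would first `reg load` the offline hives and point the HKLM:/HKCU: paths at them. The "launched from a profile or Temp directory" heuristic for Run entries is the editor's assumption and will also flag some legitimate software, so treat the output as a worklist, not a verdict.

```powershell
# Added example (not from the thread): read-only audit of common rogue-AV
# footholds. It changes nothing; it only reports. Value names below are
# standard Windows registry/WMI locations; the heuristics are assumptions.

function Get-RogueFootprint {
    $findings = New-Object System.Collections.ArrayList

    function Add-Finding($location, $name, $value) {
        [void]$findings.Add((New-Object PSObject -Property @{
            Location = $location; Name = $name; Value = "$value" }))
    }

    # 1. Autostart entries: anything that relaunches the rogue after a kill
    #    or a reboot. Heuristic (assumption): flag launch paths inside the
    #    user profile or a Temp folder, where droppers usually land.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }          # provider metadata
            if ("$($p.Value)" -match 'Local Settings|Application Data|AppData|\\Temp\\') {
                Add-Finding $key $p.Name $p.Value
            }
        }
    }

    # 2. Winlogon: Shell must be explorer.exe and Userinit must be the
    #    system32 userinit.exe only; rogues append themselves here.
    $wlPath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlPath
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        Add-Finding $wlPath 'Shell' $wl.Shell
    }
    if ($wl.Userinit -and $wl.Userinit -notmatch '^[A-Za-z]:\\WINDOWS\\system32\\userinit\.exe,?$') {
        Add-Finding $wlPath 'Userinit' $wl.Userinit
    }

    # 3. Per-user proxy: rogues point the browser at a local or remote proxy
    #    so every page is intercepted or redirected to the "buy now" site.
    $inetPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetPath
    if ($inet.ProxyEnable -eq 1) {
        Add-Finding $inetPath 'ProxyServer' $inet.ProxyServer
    }

    # 4. Local policy values used to lock the user out of Task Manager and
    #    the registry editor so the rogue cannot be killed or unhooked.
    $polPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (Test-Path $polPath) {
        $pol = Get-ItemProperty -Path $polPath
        foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($pol.$n -eq 1) { Add-Finding $polPath $n $pol.$n }
        }
    }

    # 5. Security Center: on XP SP2/SP3 the registered antivirus products live
    #    in WMI under root\SecurityCenter. Anything listed that is not your own
    #    product is the rogue announcing itself as "the" antivirus.
    try {
        Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction Stop |
            ForEach-Object { Add-Finding 'root\SecurityCenter' 'AntiVirusProduct' $_.displayName }
    } catch {
        Add-Finding 'root\SecurityCenter' 'AntiVirusProduct' 'query failed (namespace absent or access denied)'
    }

    return $findings.ToArray()
}

# Usage: print the worklist. Every entry still needs a human to decide
# whether it belongs to the rogue or to a legitimate program.
Get-RogueFootprint | Format-Table Location, Name, Value -AutoSize
```

    Run it before and after a cleanup: a second pass that returns nothing under sections 1 to 4 and only your own product under section 5 is the "no symptoms of continued infection" check spm describes, made repeatable. Deleting anything it lists is a separate, deliberate step, best done from the offline boot spm uses so the rogue is not running while its hooks are removed.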
     
  22. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    erm - how do you get that? I never had any in years... :blink:
    further:
    how can you be sure that those "infections" do not leave any crap behind after "cleaning"?
    is "cleaning" really possible?
    disagree - sorry - that's the same as when a child hides its eyes with its hands and thinks it's invisible.
    no restart or hard reset will prevent that crap from installing or working.
    the security vulnerability is still present and it needs to be focused on.
     
  23. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668

    Sorry, but you are talking rubbish.

    EAVBE is for a business environment, requires a minimum of five licenses (we have 122), can be administered by ERAC/ERAS etc. It works on servers, yes - but you cannot "Running a server version on a client machine". That's pretty much like saying that notepad.exe and appwiz.cpl are server versions.

    Thank you for your input, but as others have said in this thread - a little knowledge is a dangerous thing. Please don't post if you're posting incorrect information, it's of no help to anyone.

    Jim
     
  24. jeremyf

    jeremyf Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    61

    Who is this knucklehead? I smell troll. Begone!
     
  25. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    I am talking about new clients, who come to me after they get infected. I am not talking about existing clients who get infected.

    Because I understand Windows, and the different ways that software can integrate itself. As I said, to date I have had a 100% success rate. On no occasion has a cleaned machine ever shown any symptoms of continued infection.

    Mmm, you don't really understand the process of infection, obviously. You present yourself as a 'support specialist', but - as evidenced by your expressed opinions and complete lack of understanding of what EAVBE is - I am having a hard time accepting your 'status'.
     