ESET Performance disappointing against Sirefef

Discussion in 'ESET Smart Security' started by Mayrussell, Aug 2, 2012.

Thread Status:
Not open for further replies.
  1. Mayrussell

    Mayrussell Registered Member

    Mar 15, 2010

    Over the last few months I've had a few problems combating the various forms of Sirefef. In particular, Win32/Sirefef.FC and the EV variants of the trojan.

    I administer around 25 workstations on our network. I'm no expert in the field of IT administration, but I am running everyone on the latest Windows 7, ESET 5, WSUS patches/updates and everything else with strict web control.

    Problem is, that I'm still getting quite a few computers that are being completely hijacked - to the point where services.exe is hijacked, sfc /scannow becomes corrupt and even the MSE offline installer fails to remove it. Windows services like Firewall are shut down etc... a complete system meltdown! :)

    I'm not sure when or how this nasty virus is getting in, but it only seems to become noticeable when one of those fake AV programs like "Live Security Platinum" pops up. What is quite disappointing is that even when these malicious programs are obviously running, ESET completely misses what's going on - it seems to be totally oblivious to the system being hijacked, and on this particular occasion it was too late once it discovered services.exe was hijacked. It took only a free program, Malwarebytes, to remove most of the malware. However, as mentioned, today was the final straw as services.exe was compromised - so I reformatted.

    Question is, are there any other steps I can take to further prevent these serious outbreaks? I think ditching IE9 for Chrome would be an excellent start, but are there any other important features or settings I can turn on in ESET Endpoint Security 5 that are not on by default? Increased HIPS rules? Or further adding in another program in the background that everyone recommends? :doubt:
  2. m0unds

    m0unds Guest

    if you're using win7 x64, force IE users to utilize the x64 version of IE. smartscreen's malware protection is significantly more robust than chrome. chrome has sandboxing of its processes, but that won't protect clueless users from downloading & executing malicious payloads, either intentionally or accidentally. unless java is required for the users' environments, prohibit its installation as it's becoming an increasingly common infection vector. deploy something like opendns or norton dns (assuming your use wouldn't violate their EULA) as a forward resolver, with categories selected to prevent users from reaching stuff they shouldn't be browsing.

    imo, one of the best actions you can take is to educate your users. infections don't just magically occur. yes, there are exploits and rogue AVs and other nasty things on the internet. in corporate environments, recurring infections and stuff wreck productivity and cost money and time to fix. if particular users are habitually ending up with infected machines, that tells me something else is wrong. at that point, i'd think it's a user issue more than a security product or configuration issue, and the root cause needs to be addressed.