NOD32 Antivirus vs Fake Anti-Viruses

Discussion in 'ESET NOD32 Antivirus' started by Mikoyan2009, Dec 10, 2009.

Thread Status:
Not open for further replies.
  1. Mikoyan2009

    Mikoyan2009 Registered Member

    Joined:
    Dec 10, 2009
    Posts:
    1
    Hello everyone,

    I am just wondering whether NOD32 version 3.0/4.0 should be stopping installation of these fake anti-virus trojans? We moved our clients from McAfee to these AVs for this reason, and had a call from a client saying she has a new AV which turned out to be SWP 2009 Demo.

    It was a pain to remove, and it took NOD32 off from startup or running in the background.

    Either I have my configuration incorrect:

    From Mod:

    Originally Posted by agoretsky
    Hello,

    The "Potentially Dangerous Applications" item has been renamed to "Potentially Unsafe Applications" (which I am going to call PUsA, for short).

    PUsA is the classification used for commercial (legitimate) software, such as keyloggers, remote access tools, password-cracking tools and the like which are known to be used by malware authors and often bundled into their creations.

    A new category has been added as well: "Potentially Unwanted Applications" (PUwA)

    PUwA is the classification used for adware which is not necessarily intended to be malicious (provides a EULA, requires consent for installation, uninstalls cleanly, etc.) but that people may not want on their systems for various reasons.

    It is up to users to determine if they wish to enable them. The default setting for PUsA is "off."

    Regards,

    Aryeh Goretsky


    The above describes these two as blocking fairly legitimate software, but these fake AVs are far from illegitimate, so I am confused.

    I have Potentially Unsafe Applications = No

    Potentially Unwanted Applications = No

    I have since put these to Yes. Will this stop these fake AVs, or do I need to change anything else?

    Any advice regarding these fake AVs, where the user gets a download prompt to run a scan, downloading and installing a trojan, which imo should be blocked by the AV?

    Hope someone can advise :)
     
    Last edited: Dec 10, 2009
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Well, since the rogue AVs are changing extremely frequently, it's important not to rely solely on antivirus programs. It's crucial to take other precautions as well, such as not browsing the web in an administrator account, not visiting dodgy sites, keeping the OS up to date, using the browser in a sandbox whenever possible, etc. Try using this stand-alone ESET Rogue AV removal tool.
     
  3. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    667
    Excellent advice Marcos.

    I come across too many infected PCs where the user says "But I have antivirus software installed, how can I get infected?". People sometimes think that installing AV is a substitute for common sense.


    Jim
     
  4. Fixer

    Fixer Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    141
    Location:
    Bulgaria, EU
    I have the honor to test the latest rogue applications under Sandboxie. First I want to emphasize that it is very difficult to detect all rogue applications, because they have new variants each day. It is therefore necessary to rely on technologies such as proactive detection and heuristics. After a month of testing new variants, I found that thanks to the proactive detection and heuristics, ESET NOD32 Antivirus detects about 90% of new rogue applications (those I tested), something which other antivirus software cannot boast. In some cases it may not detect many, but at least it's better than nothing. For example, in my case the addresses the rogue connects to were blocked, which did not allow it to develop and take over the system.

    If you find parts of the rogue, please send them to ESET lab.
     
  5. firehands13

    firehands13 Registered Member

    Joined:
    Nov 12, 2009
    Posts:
    26
    I disagree with this. After testing NOD32 version 4 for about a month, it did not catch any of these fake AVs. I threw 20-25 at it and all slipped past it. Now, with that said, most other AVs I have tested had the same results, give or take a few. Fake AVs are very hard to detect.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Please submit them to samples[at]eset.com with this thread's URL in the subject. I, too, doubt that all those 20-25 samples were fully functional rogue applications.
     
  7. bradtech

    bradtech Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    84
    There are a couple of things you can do to help mitigate the damage caused by these fake antivirus programs. I'd like to let you know that I have had a couple get past ESET myself, but no AV is a magic bullet, and if you dumped ESET to go with someone else you would eventually run into a fake AV that got past the new product.

    Your best bet is to keep ESET because they detect a lot of stuff. I've had 15,000 alerts generated over a 5 month time in a large scale environment. Here are some other steps you can take to help mitigate these attacks.

    1. Have your end users run as Local User in Windows. Even though some of these fake AVs will successfully install in the user's Local Profile, they may not successfully hop into the All Users folder and infect files/folders and registry settings.

    2. Create a sound and reasonable Software Restriction Policy. Turn on logging in the environment for about a week or two to find what services/files are being used by the end users. Then create a whitelist of applications that can run on that computer through an AD Group Policy SRP. Nothing else can be installed/uninstalled. You can allow certain applications to run as Administrator or just local user. You can create Hash Rules, Path Rules, and get very granular. I have successfully implemented this in several divisions and on select groups.

    3. Implement some sort of web filtering application such as Websense, IronPort, or a free Squid proxy using DansGuardian, or even Untangle. This alone will cut down on some redirects.

    4. Create a group in ESET Remote Administrator called Block Thumb Drives, and put offenders in this group when they try to introduce an autorun.inf virus from their thumb drives. Some people take their work thumb drives, plug them in at work, or take them to colleges which are infested. Add them to the group if they bring in an infection, or just disable thumb drives altogether.

    Good luck
     
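As an added example (not code from the thread or from ESET), here is a small triage script for step 2 above: it reads Software Restriction Policy advanced-logging lines collected during the observation week, counts which executables actually ran, and separates paths under the usual trusted roots (candidates for path rules) from paths in user-writable locations that an administrator should review by hand before whitelisting anything. The log lines, user name, GUID and program paths are constructed to resemble SRP log output and are not real data; the trusted-root list is an assumption you would tune to your environment.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample lines in the shape of SRP advanced-logging output (not real logs;
# user name, GUID and paths are made up for this example).
SAMPLE_LOG = """\
explorer.exe (PID = 1840) identified C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 1840) identified C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 1840) identified C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
svchost.exe (PID = 912) identified C:\\WINDOWS\\system32\\notepad.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
iexplore.exe (PID = 2216) identified C:\\Documents and Settings\\jsmith\\Local Settings\\Temp\\setup_build12.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 1840) identified C:\\Documents and Settings\\jsmith\\Application Data\\xkqlvsysguard.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
"""

# One SRP log line: "<parent> (PID = n) identified <path> as <level> using <rule>, Guid = {...}"
LINE_RE = re.compile(
    r"^(?P<parent>\S+) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) "
    r"as (?P<level>\w+) using (?P<rule>.+?), Guid = \{(?P<guid>[0-9a-fA-F-]+)\}$"
)

# Assumed trusted roots: directories normally covered by a path rule and not writable
# by a standard user. Anything outside them is a candidate for manual review.
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files")


def parse_srp_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Count executions per image path and split into 'covered' (under a trusted root)
    and 'review' (user-writable or unknown location) buckets."""
    counts = Counter(r["path"] for r in records)
    covered, review = {}, {}
    for path, n in counts.items():
        if path.lower().startswith(TRUSTED_ROOTS):
            covered[path] = n
        else:
            review[path] = n
    return covered, review


def whitelist_candidates(records):
    """Sorted unique directories under the trusted roots, i.e. suggested path rules."""
    dirs = {
        str(PureWindowsPath(r["path"]).parent)
        for r in records
        if r["path"].lower().startswith(TRUSTED_ROOTS)
    }
    return sorted(dirs)


if __name__ == "__main__":
    recs = parse_srp_log(SAMPLE_LOG)
    covered, review = summarize(recs)
    print("Suggested path rules:")
    for d in whitelist_candidates(recs):
        print("  ", d)
    print("Executables outside trusted roots (review before whitelisting):")
    for path, n in review.items():
        print("  ", n, "x", path)
```

The split matters because a whitelist built blindly from "everything that ran during the week" would also whitelist whatever a user happened to download into their profile during that week; only the trusted-root bucket should turn into path rules without a second look.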
  8. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  9. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    Keeping Adobe Reader/Acrobat, Flash Player and Java up to date will go a long way in preventing fake AV infections. Many of these variants exploit outdated Flash and Adobe Reader programs.
     
  10. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Adobe Flash privacy issues have been the subject of much debate of late. Use what suits you best.
     
  11. vasamreddy

    vasamreddy Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    7
    I missed this thread. So, I ran into a new one called "Antivirus Live" yesterday and got it cleaned with MBAM. (Thanks to Google for pointing me to bleepingcomputer.com.)

    The first post in this thread is interesting. I am at work now and can't verify the exact version of NOD32 I am running at home. I know it's version 4, but don't remember the exact release.

    Are these PUsA and PUwA available in the older versions of the client or do I have to update my client to the latest release or beta?

    I wish I had samples to help you guys. But it is some <random letters>sysguard.exe. I can try googling for these files once I get home and send them to you.
     
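An added example, not from the thread or from any vendor tool, showing how the naming pattern described above (a run of random letters followed by sysguard.exe) can be turned into a simple startup-entry check. It reads a constructed inventory of Run-key values and startup-folder entries, strips command-line arguments to get the image path, and flags names matching the pattern, with higher confidence when the image lives under a user profile (the location the earlier post says these fake AVs usually install to). The inventory lines, user name and the ESET/Java paths are constructed for the example and are not real data.

```python
import re

# Constructed startup inventory, one "<location>|<command>" per line (not real data).
SAMPLE_INVENTORY = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|C:\\Documents and Settings\\jsmith\\Local Settings\\Application Data\\xkqlvsysguard.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe /hide /waitservice
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|"C:\\Documents and Settings\\jsmith\\Application Data\\qwmzsysguard.exe" /s
"""

# "<random letters>sysguard.exe": the prefix length bounds (4-16) are an assumption.
SYSGUARD_RE = re.compile(r"^[a-z]{4,16}sysguard\.exe$", re.IGNORECASE)

# Per-user profile roots on XP-era and newer Windows (assumed layout).
USER_PROFILE_RE = re.compile(r"^c:\\(documents and settings|users)\\", re.IGNORECASE)


def image_path(command):
    """Strip arguments from a Run-key command; handles quoted and unquoted paths."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def classify(location, command):
    """Return 'ok', 'medium' (name matches) or 'high' (name matches and runs from a user profile)."""
    path = image_path(command)
    name = path.rsplit("\\", 1)[-1]
    if not SYSGUARD_RE.match(name):
        return "ok"
    if USER_PROFILE_RE.match(path):
        return "high"
    return "medium"


def scan(text):
    """Return (verdict, location, image path) for every flagged inventory line."""
    findings = []
    for line in text.splitlines():
        if "|" not in line:
            continue  # skip blank or malformed lines
        location, command = line.split("|", 1)
        verdict = classify(location, command)
        if verdict != "ok":
            findings.append((verdict, location, image_path(command)))
    return findings


if __name__ == "__main__":
    for verdict, location, path in scan(SAMPLE_INVENTORY):
        print(f"[{verdict}] {location} -> {path}")
```

A name pattern like this is brittle by nature, since the next variant can pick a different suffix; the point of the location check is that a startup entry pointing into a user profile is worth a look regardless of what the file is called.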
  12. vasamreddy

    vasamreddy Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    7
    Very well put, Marcos. Most well-informed people are usually very careful about what sites to browse. Firefox with NoScript helps too. But there will be many instances when a spouse, relatives or kids hop on the family PC and want to browse spurious websites, like Asian language websites with Asian news or streaming movies, that are infested with trojans.

    I understand your statement that we cannot rely solely on antivirus programs. But, in the same way, we cannot rely solely on someone like you or me to continuously police a PC shared by the family.

    There is no single magic S/W to alleviate all our problems, but we should work towards having one that is close enough.
     
  13. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello all,

    Well, I've been submitting fake AV and trojan downloader samples to ESET on a daily basis. I try to submit as many as I can (about half a dozen or more a day) so that ESET can have those offenders added to their signatures.

    I've been doing this using IE 8 running in a sandbox, and I use WinRAR to create an archive locked with the password "infected".

    ESET has been very proactive in this regard, adding the signatures for the samples I submit to them in the next signature release or in a couple of them.

    Thanks so much ESET.


    Carlos
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I collect rogue AVs proactively, so they are usually detected at least by our internal version when somebody submits them by email (I've just seen 24 new variants detected only by eTrust besides ESET).

    Anyway, we appreciate the samples you submit, as we may miss some when harvesting them.
     