Second line of defense pgm to Stop Rogues - Like Antivirus Soft ?

Discussion in 'other anti-malware software' started by JosephB, Feb 7, 2010.

Thread Status:
Not open for further replies.
  1. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    My family pc was infected Mon. with Antivirus Soft. It was time consuming to research how to remove it. (finally removed).
    .... My Family PC was fully updated with latest AV definitions, but pc was infected anyway with the rogue "Antivirus Soft (part of the family of Antivirus Live rogue).

    Question:
    1. Which 2nd layer security pgm would have stopped Antivirus Soft from infecting my pc on monday (not sure how this rogue has been around) and also other stop unknown rogue pgms, before the defintions of my AV pgm is updated with definitions to prevent and detect it ? ... and at the same time be easy for other family members to use:

    ...A) Would one of these sandbox pgms have stopped it as early as Monday, if my browser was sandboxed - Sandboxie, DefenseWall, Geswall ?

    ...b) Would one of these Real-Time Scanner Pgms have stopped it as early as this past monday - SuperAntiSpware - Real Time component, MBAM - real-time component ?
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    mbam pro kills almost all of the rouges software and fake antivirus in real time;)
     
  3. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    yup....it would have been rendered useless by the said programmes

    well mbam pro's ip protection in the first place would not let you even get to the site hosting/spreading these and both sas and mbam are pretty efficient in what they do
     
  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    The easiest program to install for your family would be MBAM's full version with IP protection, blocking harmful sites. And it has scheduled daily scanning.

    The others mentioned would stop the program, such as sandboxie, but there are always situations where a family member can 'recover' a file and install it thinking it is safe.

    Easiest option, I'd go for MBAM real-time. Family members won't know what happened (unless they see MBAM's alert), the malicious page just won't load.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    good recomendations friends;) :thumb:
     
  6. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    returnil2008 the one i use
    returnil2010classic

    both will stop it
    i also run browser sandboxed and returnil2008 on
     
  7. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    A friends similar experience convinced me to run MBAM. I am not doing so, and also SAS Pro.

    Regards,
    Jerry
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    With Antivirus Soft you can navigate to MBAM's program's folder and rename mbam.exe to firefox.exe or opera.exe and it should run.

    If on XP then Icesword can run after a coupla tries and the AV Soft process can be terminated through Icesword's GUI.

    Or download and run this version of RKill. You may have to execute it a coupla times but it will eventually kill the rogue's process allowing a scan with MBAM.
    http://download.bleepingcomputer.com/grinler/iExplore.exe

    If after getting rid of any rogue and you still have some strife with the internet go to Internet Options - Connections tab - LAN Settings then untick Use a proxy server....

    If you are succesful with renaming mbam.exe don't forget to rename back to the original after you're clean.
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Checked again just now and mbam.exe will run as opera.exe with Antivirus Soft active but this could change with any future morphed versions of the rogue as they change installers and tactics quite often :

    Sample.JPG
     
  10. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I would personally suggest using one of those 3 you mentioned above and throw in a fourth; AppGuard. All 4 will protect you against rogues (IMO better than a blacklist scanner). DW and AG are very easy to use without requiring the user to answer technical questions. SB, DW, and AG all have excellent support from the developers as well as help from other users here. I think that each of these programs are worth the money they cost for the paid versions. The best way to proceed would be to study each of them, pick one, try it out on the system you will be using it on and see how the family responds (or even notices) to the new program.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    if you decide to use appguard dont forget to include spoolsv.exe to the guarded applications list to block or prevent the TDL3 rootkit infection ;)
     
  12. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    will that cause any issues with printing? Good call mate. :thumb:
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i dont use any printer but if you guys do test it;) and see :) i guarded it to avoid this malware for just in case and for those who dont use appguard and dont use a printer just disable the print spooler service within msconfig to avoid getting infected:D
     
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    It's all well and good recommending which anti-malware programs could stop this particular piece of rogue software, but my first reaction on reading the OP's comments that the family PC "was fully updated with latest AV definitions", unless I'm missing something, was to ask why did they have Antivirus Soft on their PC at all?

    Had they searched for alternative AVs? Clicked on a link in an email or on another site taking you to the Antivirus Soft site to download it? If it's either of those, I don't understand why you would do it when you already have an AV installed.

    This is a widespread problem; users who are not clued up on these things are searching and downloading stuff like this that isn't necessary when they've already got adequate protection in place.
     
    Last edited: Feb 8, 2010
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Joseph, why try a new fake Anti Virus when you have one up and running? :D

    Seriously,

    There a two approaches
    Denyning installs
    simply forbidding installs by other family members, run as limited user or buy an anti executable sort of program.

    Allowing only known good installs
    Defensewall is also great for limiting the damage. Version 3 has a white list and a firewall. The whitelist lets them install safe problems automatically. Unknow programs can only install in a sort of limited user environment. When they ask for admin rights, DW will deny it and the install wil fail. Best is to add a password on DW, so your family members can't install

    Online Armour paid wil provide simular objective (also a HIPS plus FireWall) and the upcoming version of CIS4 (free) will also provide this (simply do not allow rights elevation = uncheck in the sandbox)

    Sandboxie would not fit your need, becasue you have to allow your family members to save files in the real system (unless you keep everything in the sandbox and check afterwards with buster sandbox analyser for instance). When they save something out of the sandbox, your are unprotected by Sandboxie

    Partition virtualisation
    With Shadow Defender, Returnil (free) it is possible to throw away all changes of the programs partition. You have to move your data to another partition to get it working allright


    Undoing possible installs afterwards
    You could use Commodo's Time machine (free) Rollback, Aez-fix, First Defense to roll back to a known good snapshot instantly
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Absolutely.
    I was surfing the web looking for something the other day and got hit with one of these rogues (Security something or other) and as it claimed that I had 700 or so infections I knew what had to be done. So I rebooted. ShadowDefender saved the day here.
    So my advice would be to add something in the lines of Sandboxing, Virtualization or HIPS.

    I would add those for on demand scanning,, nothing wrong with a second opinion.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Totally agree :thumb:
     
  18. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Tony, Kees1958,

    FYI,

    No, Family member, was *not* trying to install any program. They said the infection came soon after either one or two last activities - either accessing a page from a google search or accessing a pdf from a google search.
     
  19. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    There have exploits periodically with Adobe Reader so it could have been a pdf that caused this (I am by far no exploit expert). You also don't have to be installing anything for this to occur. For example a few months ago I was looking for a song for my wife and when I went to a certain page a rogue was downloaded and attempted to install without any interaction from me. Fortunately, I had GW Pro which contained it and auto-terminated the rogue's install process. I simply closed my browser and cleared my cache and it was like it never happened.
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Thanks for the information. It clearly shows one has to be on their guard at all times, along with using secondary protection measures such as the ones being suggested.

    The installation of such rogue programs does happen far too often though, which is what made me think that might have happened in your case.
     
  21. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    kees1958, and all,

    So that I can contrast the pluses and minuses of various approaches:

    1. What are the differences (if any) in the security model approaches used by "Defensewall" and "Online Armor" ?

    2. Do they both fall into the sandbox pgm style category ?

    3. How are malware coming in via the browser handled by these 2 pgms (Defensewall and Online Armor) to protect you ?

    4. What is difference in how user would interact to handle things ? Advantages/disadvantages ?
     
    Last edited: Feb 8, 2010
  22. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's a fair point you make but you're looking at it through the eyes of an advanced user rather than an average one.

    When they see something pop-up that looks very similar to a standard Windows security centre/dialogue box,the tendency is for them to believe what the warning says.When they read a dire warning that their system has been infected they're likely to click the button to remove said infection.They won't pay heed to such matters as the type of security software already installed just that their AV has failed (correctly as it happens).

    Socially engineered malware is hugely prevalent for a good reason,like a confidence trickster it plays on peoples natural inclinations.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Defense Wall originated from a policy HIPS (a 'sandbox') while OA originated from an Anti Executable. Main difference is that DW only defends threat gate programs, but also protects you from all data downloaded by these selected programs. OA protecs system wide, with some emphasis on browser protection. The paid version of OA has a superb option to make it very quiet running normal programs:
    a) the white list
    b) You can set OA to allow unknown programs to run, but run them as a limited user. Together with the OA protection on intrusions, this makes it nearly as easy to use with simular protection as DW. I think it is one of the best OA options, which is not much used, but really superb in effectiveness.

    I think it are both two great programs (best in their class), so you should really have to try them both to see what suites you best. Out of the box, DW is the easiest to use, but when you tell OA to run unknow programs as RUN SAFER, it is as easy to use as DW.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    trojam nice avatar:thumb:
     
  25. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Fake alert installed by the rogue "Antivirus" which I think would fool most non-Wilders folks.

    wscsvc32.exe - Result: 17/40

    Sec Center.JPG
     
Loading...
Thread Status:
Not open for further replies.