So I manage a computer network with about 120 or so PCs. It's always been an issue, but lately it seems that we're seeing a lot of the fake antivirus type infections. They're usually not too bad to clean up (they're usually isolated to a single user profile), but if there is something I could put in place to stop them before it happens that would be awesome.
Some relevant info:
* Machines are XP Pro
* Users are defined as Power Users and I can't really change that
* We have Symantec Endpoint Small Business Edition, which seems to do fine with traditional viruses
* Users aren't very sophisticated. I've trained them what the real AV looks like and how to avoid these infections, but they will get confused and click everything. Also, we have part-time employees who don't give a shit and will install Gamevance or whatever they can find.
* Budget is very tight, so free is best
* Machines have to run IE8
Halp?
I've tried ad-aware for this and it has never been able to rid me of fake anti-virus software
You might try Microsoft Security Essentials (it is an independent pack of security programs created by Microsoft engineers; type the name into Google and it should link you directly to the download, and it is free to boot).
Good luck man
One thing you COULD try is SpywareBlaster. I've used it on all of my personal PCs for years, and it seems to be pretty preventative. It's silent and requires manual updating unless you pay for it (which can be worked around via a batch script if you push a logon script daily).
For removal, which sounds like you already have covered, I always defer to Malwarebytes, as it is the best anti-spyware program ever created - free or not.
One thing I have done as an alternative to prevention, is to warn and re-warn my users of this sort of thing and ask them to contact me ASAP if they see something of this nature. The less they click and the less time it has to spread and invite other spyware to the party, the better.
Good luck man.
EDIT: And to make your life easier, I would HIGHLY consider removing local admin rights from your PCs. It will save you immense headaches.
EDIT EDIT: Nevermind, I just re-read and saw the power user thing.
I use Microsoft Security Essentials at home and it's great. They had a bad experience with it before I got here (which makes it more than 3 years ago; people remember a bad experience), which makes them kind of hostile to it.
I think I'm going to give SpywareBlaster a shot. I'll put it on some of the more "high-risk" PCs I have and see how it goes. I do some stuff with scripts, but I'm self-taught so I need to do some more research. Specifically, how to make a task not run if it already has run. For example, if there were daily updates but people were logging in and out of the PC multiple times per day.
Yup, I use Malwarebytes for removal, and it crushes these things 90% of the time. CCleaner is decent for finding all the registry entries at once as well. Sometimes MBAM will clean the infection, but users will still see error messages when startup tries to run some of the now deleted files. CC fixes that pretty easily.
I'm reading through the tech forum now, some good stuff there.
If they were logging in and out multiple times a day, just use a switch at the end of the command to overwrite with essentially a "yes to the re-copy" command. I forget it off the top of my head. If you do a Google search for "Logon script switches", you'll find a lot (a LOT) of methods you can apply to make things easier for yourself on a daily basis in various programs and functions on the network.
For SpywareBlaster, it might be tedious to update with the daily definitions...and this is why there is really no perfect solution to the problem. You're damned if you do and you're damned if you don't with this type of stuff. What I would do is see if you can install it to a server or shared network location. Once you have that set, find the folder that SWB updates to, and have that copy down to all other PCs using the login script. You'd want to do an xcopy command, and just move everything in the network folder to the local installation folder for each PC. If you choose this route, don't forget to set office-wide permissions on the network folder so the script can see and pull from it.
Hope this helps. God speed.
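An added example, not code from the thread, of the logon script the last two posts sketch: it pulls SpywareBlaster's definition files down from a share with xcopy, and it keeps a per-machine date stamp so the copy happens once a day no matter how many times people log on and off. The share name \\FILESRV\swbdefs, the local folder %ProgramFiles%\SpywareBlaster, the US-style %DATE% format, and the assumption that SpywareBlaster keeps its definitions as files under its install folder are all mine; check them against your own network before rolling it out.

```batch
@echo off
rem Added example logon script (not from the thread). Copies SpywareBlaster
rem definition files from a share to the local install once per day.
rem Assumptions (not in the thread): share \\FILESRV\swbdefs, local install
rem in "%ProgramFiles%\SpywareBlaster" (Power Users can write there on XP),
rem and definitions stored as files under that folder. Verify all three.
setlocal

set SRC=\\FILESRV\swbdefs
set DST=%ProgramFiles%\SpywareBlaster
rem Per-machine, not per-user, so a second user logging on the same day
rem does not trigger another copy.
set STAMP=%ALLUSERSPROFILE%\swbdefs.stamp

rem --- once-per-day guard ---------------------------------------------------
rem On a US-locale XP box %DATE% looks like "Mon 01/16/2012"; the last ten
rem characters are the date. (Assumption: adjust the substring for your locale.)
set TODAY=%DATE:~-10%
if exist "%STAMP%" (
    rem /x = whole-line match; if today's date is already stamped, a prior
    rem logon today did the work, so exit quietly.
    findstr /x /c:"%TODAY%" "%STAMP%" >nul 2>&1 && goto :done
)

rem --- copy the definitions -------------------------------------------------
if not exist "%SRC%\*" (
    >> "%STAMP%.log" echo %TODAY% share %SRC% unreachable, skipped
    goto :done
)
rem /D  copy only files newer than the local copy
rem /Y  overwrite without prompting (the "yes to the re-copy" switch)
rem /R  overwrite read-only files   /H  include hidden/system files
rem /I  treat the destination as a directory
xcopy "%SRC%\*" "%DST%\" /D /Y /R /H /I >nul
if errorlevel 4 (
    rem xcopy: 4 = disk/path/syntax problem, 5 = write error. Do not stamp,
    rem so the next logon today retries.
    >> "%STAMP%.log" echo %TODAY% xcopy failed, errorlevel %ERRORLEVEL%
    goto :done
)

rem Record today's date so later logons today skip the copy. The redirect
rem goes first because "echo ...2012> file" would be parsed as a handle
rem redirection of stream 2.
> "%STAMP%" echo %TODAY%

:done
endlocal
```

Give Domain Users (or whatever group your users are in) Read on the share and the script runs fine under a Power User token. Update the copy on the share from one machine that has SpywareBlaster installed and updated; every other PC picks it up at its next first logon of the day, and the .log file next to the stamp tells you which machines could not reach the share.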
Some things I'd recommend would include the following (keeping in mind I'm no expert):
There's some more passive protection-type info, and more detail on the options I just described, in this post of the security thread, if you want to take a look.
Just to share the pain: over the last few months rogue antivirus programs have become particularly aggressive. They're popping up more than I've seen before, and many are nastier to clear out once they're in. Nearly all my service calls this week were for them, and I've started encountering ones that are difficult to immediately distinguish from real programs, primarily AVG, but I also ran into an Avira clone just today.
My biggest fear is that one of our home users who uses AVG gets the AVG clone. I couldn't immediately tell it wasn't actually AVG; only the fact that the user told me he never installed AVG clued me in. I was actually trying to use it to track down the rogue at first.
Oh holy cripes on toast, this. I completely forgot this, but blocking ads, blocking JavaScript, and blocking Flash should be a high priority for the browsers. If you can whitelist JavaScript and plugins for only the sites required, you can cut most of these things off at the legs before they launch.
The primary attack method is to hide a redirect script somewhere in a compromised webpage or advertisement. That then boots the user to a malicious page that usually relies on JavaScript to scan for day-0 exploits, and/or uses a fake window to coax the user into downloading and running the payload. If JavaScript and Flash are disabled, or are only allowed on trusted domains, the redirect in this case will just give the user a blank page.
Also, one thing that can make life a lot easier: disable JavaScript in Adobe Reader/Acrobat.
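As an added example (not from the thread) of putting that advice into practice on IE8 without buying anything: the script below turns off scripting and ActiveX (which is how Flash runs inside IE) in the Internet zone, leaves the Trusted sites zone at its script-enabled defaults so it becomes the whitelist, adds the whitelisted sites there through the ZoneMap, and switches off JavaScript in Adobe Reader. It writes HKCU, so it can run from the same logon script as everything else. The whitelisted hosts (www.example.com and intranet.example.com) and the Adobe Reader version key (9.0) are assumptions; substitute your own.

```batch
@echo off
rem Added example (not from the thread): IE8 Internet-zone lockdown with a
rem Trusted-sites whitelist, plus Adobe Reader JavaScript off. User context.
rem Assumptions: only www.example.com and intranet.example.com need script;
rem Adobe Reader 9.x (key "9.0"). Restart IE after running.
setlocal

set ZONES=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
set DOMAINS=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

rem --- Internet zone (3). Action values: 0 = enable, 1 = prompt, 3 = disable.
rem IE's defaults here allow script and plug-ins, which is the weak setting.
rem 1400 Active scripting (JavaScript)
reg add "%ZONES%\3" /v 1400 /t REG_DWORD /d 3 /f >nul
rem 1200 Run ActiveX controls and plug-ins (Flash, PDF plug-in, ...)
reg add "%ZONES%\3" /v 1200 /t REG_DWORD /d 3 /f >nul
rem 1001 Download signed ActiveX controls
reg add "%ZONES%\3" /v 1001 /t REG_DWORD /d 3 /f >nul
rem 1004 Download unsigned ActiveX controls
reg add "%ZONES%\3" /v 1004 /t REG_DWORD /d 3 /f >nul
rem 1201 Initialize and script ActiveX controls not marked as safe
reg add "%ZONES%\3" /v 1201 /t REG_DWORD /d 3 /f >nul
rem 1405 Script ActiveX controls marked safe for scripting
reg add "%ZONES%\3" /v 1405 /t REG_DWORD /d 3 /f >nul

rem --- Trusted sites zone (2) keeps its defaults, so it is the whitelist.
rem Default Flags 0x47 includes 0x4 "require server verification (https)";
rem clear it so plain-http intranet sites can be listed. (Assumption: verify
rem the existing value with "reg query" on your build before changing it.)
reg add "%ZONES%\2" /v Flags /t REG_DWORD /d 0x43 /f >nul

rem --- Whitelist entries. A key named after the domain alone covers every
rem host under it; a host subkey (as here) limits it to that one host.
call :trust example.com www
call :trust example.com intranet

rem --- Adobe Reader: JavaScript inside PDFs off.
reg add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f >nul

rem --- Verify the one setting that matters most.
reg query "%ZONES%\3" /v 1400 | findstr /i "0x3" >nul || echo WARNING: Active scripting is still enabled in the Internet zone
endlocal
goto :eof

:trust
rem %1 = domain, %2 = host label. Value name = scheme, data = zone number (2).
reg add "%DOMAINS%\%1\%2" /v http  /t REG_DWORD /d 2 /f >nul
reg add "%DOMAINS%\%1\%2" /v https /t REG_DWORD /d 2 /f >nul
goto :eof
```

Two caveats. First, anything that is a Power User can open Internet Options and put it all back, so if you need it enforced rather than merely applied, the same value names belong under the policy hive (HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones), which is what a Group Policy object writes and which greys the UI out. Second, expect a few days of "site X stopped working" calls; each one is a `call :trust` line, and that is the whole cost of the whitelist.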
I really like the idea of dropping the rights that the browser runs under. That's pretty slick.
Deepfreeze and the like are rad, but it won't work in my situation. It's really great for public access type PCs though.
Can users accounts be demoted to standard users, and elevated to Power Users as needed? I do this for problem users when I have to clean their PC more than once. Basically, I have a Local Admin group which is assigned to the Administrators group on the local machine. By default, every user is a member of this group, but when they prove they can't be trusted, they are removed. If there are software updates that are due to be installed, they are added back into the Local Admin group temporarily.
My previous company had this. Their workaround was archaic but it did...work..around the...situation as it were
Instead of launching the original application (requiring the user to be Power User or above), they created a new .exe that automatically ran the application under the local admin account. Like an automatic "run as" without any input needed.
It worked but we could not change the admin password as it was tied to so many different processes. I guess if you keep a good handle on what processes are done you could change the password and pass an updated .exe to the affected machines...
Edit: something along the lines of this
all that, plus your insistence that a program like Deep Freeze can't be used leads me to believe that the problem is not the virus, but the company's strange hangups about implementing proper desktop security
i know your budget is essentially $0, but you should really consider starting to educate the higher ups about the benefits of having a more controlled computing environment... either through strict user controls, or proper software that takes care of problems when they pop up.
you can for example have the machines do a recovery point every night - and then if something goes wrong during the day you simply recover to the known good state (poor man's version of deep freeze basically)... and i'd definitely demote the users to something with less ability to fuck with the OS
if you can do the above on a demo machine, and then show your bosses that a bad infection can be taken care of quickly or avoided entirely, maybe they'll relent and let you roll out to your entire user base? effort spent here will save you 100x the effort of rescuing pwned machines every few days
just my $.02
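An added example (not from the thread) of the nightly "poor man's Deep Freeze" described above, using nothing but XP Pro's built-in System Restore, wmic and schtasks. Run it once as an administrator on the demo machine: it takes a restore point immediately and schedules the same script to take one every night. The task name, the 02:00 schedule, running the task as SYSTEM, the HH:MM:SS start-time syntax, and keeping the script on a path without spaces are assumptions I've made for XP; verify them on your build.

```batch
@echo off
rem Added example (not from the thread): nightly System Restore checkpoint
rem on XP Pro. Run once as an administrator to create a point now and
rem schedule a daily one. Keep this file on a path without spaces (e.g.
rem C:\Scripts\restorepoint.cmd); XP's schtasks handles nested quotes badly.
rem Caveat: System Restore rolls back system files, program files and the
rem registry, NOT the user's documents, so a rogue AV living only in a user
rem profile can survive a rollback; pair it with wiping the profile.
rem Requires System Restore to be enabled on the machine (not off by policy).
setlocal
set TASKNAME=NightlyRestorePoint

if /i "%~1"=="run" goto :checkpoint

rem ---- install: reschedule this script with the "run" argument -------------
rem Assumptions: /ru SYSTEM is accepted, and /st wants HH:MM:SS on XP.
schtasks /delete /tn "%TASKNAME%" /f >nul 2>&1
schtasks /create /tn "%TASKNAME%" /tr "%~f0 run" /sc daily /st 02:00:00 /ru SYSTEM
if errorlevel 1 (
    echo Could not create the scheduled task. Are you running as an administrator?
    goto :eof
)
echo Scheduled "%TASKNAME%" daily at 02:00. Taking the first point now.

:checkpoint
rem SystemRestore.CreateRestorePoint(Description, RestorePointType, EventType)
rem   RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE
rem "ReturnValue = 0;" in the output means the point was created.
wmic /namespace:\\root\default path SystemRestore call CreateRestorePoint "Nightly known-good baseline", 0, 100

rem List the points that exist so the newest can be confirmed, and later
rem picked in %SystemRoot%\system32\restore\rstrui.exe when rolling back.
wmic /namespace:\\root\default path SystemRestore get SequenceNumber,CreationTime,Description
endlocal
```

For the demo the boss wants to see: take the point, install something nasty on purpose, then run rstrui.exe, pick "Nightly known-good baseline" and reboot. The whole recovery is a few minutes, which is the comparison you want against an afternoon with Malwarebytes.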
I just delete the user profiles. I consider it a form of negative reinforcement.