Scareware/Rogueware detection and prevention

mlchris2 (Technical User, Mar 18, 2005, US)
These new strains of infections are becoming quite troublesome.

I run a mix of Symantec, MS Security Essentials, AVG and Nitro IPS and average at least one infection a week for the past several months.

Anyone out there using an A/V solution that detects and prevents infections?

Mark C.
 
Unfortunately, at the rate these things are written and re-written, it's hard to find anything that will catch everything even with up-to-date codecs and heuristic AV programs. Coders are constantly rewriting malware to try and stay ahead of the AV programs.


James P. Cottingham
I'm number 1,229!
 
Your best bet is a layered approach with the following components (my recommendation)

1. Be careful what you do and where you go on the internet
2. Run an anti-virus product (free or paid)
3. Run the paid version of Malwarebytes Anti-Malware, or at least scan monthly with the free version if you're cheap.
4. Run your browser with less rights using DropMyRights
5. Good luck avoiding everything bad
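A way to check whether the current session has admin rights and, if so, start the browser under a restricted "Basic User" token, as an added example that is not from this thread or from DropMyRights itself. It uses the built-in Windows `runas /trustlevel` switch (the same restricted-token idea DropMyRights implements) and assumes the Firefox path shown.

```powershell
# Added example (not from the thread): check the current token, then start
# the browser as a "Basic User" with runas /trustlevel, the built-in
# equivalent of what DropMyRights does with the SAFER API.
# Assumption: the browser path below; adjust it for your machine.

function Test-AdminToken {
    # True when the Administrators group is enabled in the current token.
    # Under UAC a non-elevated admin shell already returns False here,
    # because the group is only present as deny-only in the filtered token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-BrowserRestricted {
    param(
        [string]$BrowserPath = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    )
    if (-not (Test-Path -LiteralPath $BrowserPath)) {
        throw "Browser not found: $BrowserPath"
    }
    # 0x20000 is the "Basic User" level; list the available levels with:
    #   runas /showtrustlevels
    $argList = "/trustlevel:0x20000 `"$BrowserPath`""
    Start-Process -FilePath 'runas.exe' -ArgumentList $argList
}

function Show-RestrictedGroups {
    # Open a second PowerShell under the restricted token so you can see
    # for yourself that BUILTIN\Administrators is no longer enabled there.
    $cmd = "whoami /groups; Read-Host 'press Enter to close'"
    $argList = "/trustlevel:0x20000 `"powershell.exe -NoProfile -Command $cmd`""
    Start-Process -FilePath 'runas.exe' -ArgumentList $argList
}

if (Test-AdminToken) {
    Write-Host 'Session has admin rights enabled; starting the browser as Basic User.'
    Start-BrowserRestricted
} else {
    Write-Host 'Session is already a limited user; a plain Start-Process is enough.'
}
```

Run `Show-RestrictedGroups` once to confirm the group list really shrinks; a restricted token only helps if the browser was actually started through it.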
 
I read on this forum that "only an idiot would web browse using a user profile with full permissions", and I said to myself, hey, wait, I am an idiot, so I checked and I was. I created a limited user and it saved the bacon, at least by not letting one of those ransomware programs get deep-seated. Forgot who it was, but he deserves a star for it.

My question is then, for information only: if you are having trouble, do you browse with a limited user (permissions)?
 
Can you, after not proofreading a post, edit it after it is posted? I cannot see how to do it.
 
@James - I figured as much, but had to ask.

@goombawaho - I love your recommendations, but we all know how difficult it is to get a "typical-end-user" to be "cautious" when browsing the web. On paper it looks good, but in the real-world... just doesn't happen.

@hawkdaddy - great point. I, however, am not an idiot. (sorry, been doing this way too long). I use GPO to control permissions on domain machines. I'm not seeing any real pattern with infections either in regards to level of user permissions. Oh, and no, you can't edit after you've submitted a post.

With all the different levels of "infecting" these new strains do, it takes a lot longer to remove them than just running a Malwarebytes scan and rebooting. Over the last month, I can't believe what it takes to remove these rogueware programs. What was once a 20 minute scan is now a 2 hour ordeal.

I'm out searching to see if there are better methods than what I am using to combat these new strains. IMHO, a few infections a week isn't bad considering I'm blocking 99.999% of infections before they even reach my network.

Mark C.
 
I caught and cleaned a few of these in the past year or so. I installed Adblock Plus and NoScript for Firefox and I haven't seen one for a long time now. It could just be that I've been lucky, but I wouldn't go without those add-ons if I had the choice. Goombawaho's suggestion for DropMyRights sounds good too, I'll have to check that one out.
 
Yeah - people will be people, doing all kind of crazy stuff online. But if you want to avoid the bad stuff, staying away from porn sites, free ring tones, peer to peer file sharing, etc., etc. would help out quite a bit.

I just say that because it IS TRUE whether anybody wants to be careful or not is another issue. Would that GUARANTEE they never get any malware - NO! But if you only visited your webmail page and your bank's web site, you'd probably never get any malware.

Just like you'd never get your heart broken if you never dated.

I wouldn't say that people are idiots to browse with ADMIN rights. I've always done it. I just use DropMyRights now with Firefox so that the browser has less ability to allow something to run.
 
One infection a week!!!
I would suggest that your machine has a deep infection that is directing other nasties to you.
So suggesting a defence combination is 'locking the door after the horse etc.'

I would suggest running Malwarebytes and SuperAntiSpyware. Run a rootkit scanner and Combofix (you will need to uninstall everything else before this will run). Also, if I am right, you might find it difficult to download these programs.
Look through the posts here to get more info on where to get and run these tools.


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
I'm not kidding about the once a week infection. However it's not on the same machine every week. I have a dozen off site pc's that I'm dealing with.

I have the skills and the tools to remove them. My goal was to find another product (low cost or free) that is better at protecting from these new strains.

I will try DropMyRights and see how that goes.


Mark C.
 
"I'm not kidding about the once a week infection. However it's not on the same machine every week."
Why is that unusual? If it's not the same PC every week, then it's not an every week problem. Different computers, different users, different environments, since off-site.

Are these your PCs, non-related individuals, individuals as part of a large organization, what?

If they are totally unrelated, then it's going to be a per user issue, and yes, it's VERY likely for some to get reinfected. Some of the risks cannot be fixed with any hardware/software configuration - particularly if it's a personal or small business computer.
 
@mlchris,
How can you run so many security programs and not have trouble with them? I thought using more than 1 security software would cause trouble with Windows.
 
An anti-virus program runs all the time, but...

Malwarebytes and SuperAntiSpyware, a rootkit scanner and Combofix all run on demand and thus don't interfere. Even the paid version of Malwarebytes doesn't cause a problem even though it's always running.

You wouldn't want two dedicated anti-virus programs running like Trend Micro and Microsoft Security Essentials.
 
mach04,

It's definitely possible to run more than one "security" app at once. As goombawaho points out, there is more than one type. There are:
Antivirus
Antimalware/Antispyware/AntiAdware
Script Blocking Applications (or add-ins such as NoScript in Firefox and Google Chrome)
Software Firewalls
"Sandbox" software - though I'm not always so sure about them, as in being worth the headache.

And within those categories, you can sometimes run more than one product. For instance, I've successfully run Avira AntiVir and Microsoft Security Essentials (per someone else mentioning the same thing) on a couple of machines with no issues. I have seen an issue once on a machine running both, but based on the symptoms, I think it was just an issue with MS Security Essentials. For some reason, at rare times, it'll just eat up resources seemingly for no good reason. But 99% of the time, it runs just fine, quietly doing its job.
 
To make it simple, for non-technical users, I recommend to not run more than one TRADITIONAL A/V product.

Other specialized tools can often be run with the A/V running or in safe mode. Combofix will often warn you about running it with an A/V running. If you want to roll the dice and ignore that warning, you can. I usually don't and remove the A/V temporarily.
 
kjv1611

mlchris2 is running 4 AV products; it is very interesting that he is not having any trouble with them. I had read of people using 2 AV products like Avast+MSE, but not 4.
I am currently running Avast+Superantispyware+Malwarebytes antimalware.
 
Wow, yeah, I must have overlooked that - running multiple AV products (not general security - there are diff categories, as mentioned already) is probably not a good idea.

For instance, it could be that AV1 finds and quarantines an infection. Then AV2 could find the same quarantined infection... and try itself... same thing with AV3 and AV4. Of course, with many/most of them, you can specify folders to not scan. So you could make sure they don't scan each others' quarantine folders.
 