
Trojans keep infecting my computers.

Status
Not open for further replies.

mofusjtf (IS-IT--Management), Apr 20, 2004
Hello all.

I currently use the Trend Micro CSM solution for my clients. Lately a lot of my clients have been getting virus and/or trojan infections on their workstations. The virus patterns on the workstations are current, yet they still get infected. The virus does not spread throughout the network, but the trojan and/or virus should not even infect the machine. I verified and reverified my configurations on manual scanning and real-time scanning and cannot find any issues. Any ideas on how these viruses and/or trojans are getting by the AV protection? I have seen this with NAV, Trend and Innoculant. The software is current, yet systems are still getting infected. Any info would be great.
 
Can you share the names of the viruses/trojans that you're referring to? It might help someone answer the question. Or are you referring to some spyware? There are also some Windows vulnerabilities that, if not patched, could lead to infection.
 
The most recent infections were the following:

Troj_Agent.AB
ADW_SCANPortal.a
BKDR_RULEDOR.e

There are others that I can't quite remember. Troj_SCTHOUGHT is another, I believe.
 
You probably need to evaluate where your users are surfing and what tools they are using, to see trojan infections in a completely new light.

What is the delivery agent and (partial?) payload(s) for trojan processes? How do they seemingly avoid detection at their initial entry points? Is the real-time scanning engine component weak, or are certain ports being compromised or exempted in some way? Perhaps the trojan is an assembly of external and pre-existing internal (ActiveX?) components. Why is trojan detection seemingly only effective (after the fact) on a thorough scan?

Do Google searches on the following keyword sets:

trojan ActiveX "drive-by"
trojan "instant messaging"
trojan "critical updates"

A large list of ActiveX components can be controlled by the IMMUNIZE feature in Spybot (including SpywareBlaster). TeaTimer is its resident (real-time) process blacklister. Even (up-to-date) critical updates may also help to neutralize some ActiveX vulnerabilities.

In IE: Tools>Internet Options>Security>Custom Level you may want to consider changing most of the ActiveX items to 'prompt' or 'disable'. Or, consider changing to a less ActiveX friendly browser.

Instant Messaging is increasingly becoming a key suspect, as well.

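As an added example (not code from any poster in this thread), the following PowerShell script audits the Internet zone ActiveX settings that the advice above tells you to change under Tools > Internet Options > Security > Custom Level, using the IE zone registry value codes that Microsoft documents. It assumes the per-user zone configuration under HKCU (the default unless the Security_HKLM_only policy is set, in which case the same values live under HKLM).

```powershell
# Added example: audit (and optionally harden) the Internet zone (zone 3)
# ActiveX settings for the current user. Value codes are the documented IE
# security-zone registry entries; data 0 = Enable, 1 = Prompt, 3 = Disable.
# Run with -Harden to set every ActiveX entry currently on 'Enable' to 'Disable'.
param([switch]$Harden)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# ActiveX-related entries of a security zone and their Custom Level labels.
$activeXSettings = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($code in ($activeXSettings.Keys | Sort-Object)) {
        $raw = $zone.$code   # $null when the value is absent (zone default applies)
        $state = if ($null -eq $raw) { 'Not set (zone default)' }
                 elseif ($labels.ContainsKey([int]$raw)) { $labels[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Code    = $code
            Setting = $activeXSettings[$code]
            State   = $state
        }
    }
}

$audit = Get-ActiveXZoneAudit
$audit | Format-Table -AutoSize

# Anything still on 'Enable' is what the thread recommends moving to Prompt/Disable.
$weak = @($audit | Where-Object { $_.State -eq 'Enable' })
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) Internet-zone ActiveX setting(s) are set to Enable."
    if ($Harden) {
        foreach ($item in $weak) {
            Set-ItemProperty -Path $zonePath -Name $item.Code -Value 3 -Type DWord
            Write-Output "Set $($item.Code) ($($item.Setting)) to Disable"
        }
    }
} else {
    Write-Output 'No Internet-zone ActiveX settings are set to Enable.'
}
```

Run it without -Harden first to see the current state; changes are confined to the current user's hive, so restoring a value to 0 or 1 reverts them.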
 
SpywareBlaster (mentioned above) does indeed have a custom ActiveX blocking capability.

A custom blocking example (and resource links) is shown for ADW_SCANPortal.a (and other items) at

has some interesting discussion, in part, on BKDR_RULEDOR.e.
In particular, it suggested the following:

"It sounds more like a browser hijack, which most AV programs seem to have trouble catching, but HijackThis might help." An MSN Messenger (or similar) connection was also mentioned as a possibility.
 
Thanks for the info. I have previously been using just Ad-Aware 6.0. I like it and think it works great, but it works even better with SpyBot. Run the TeaTimer and periodically scan with both. I am going to lock down some of my firewalls too. Right now I let out only the necessary traffic, but I might only allow certain approved websites. Thanks again.
 