
Windows Security Essentials


Bamse:
It's from a site listing malware domains, so not HP. Should be a trojan, has an ID and all. The content is all malware. When run it appears to be a Russian notepad.exe; no scanner seems to catch anything. Strange, but I hope Kaspersky or other big names recognize it soon. Then back to the Xbox-playing dude at MS.

Not sure I'm allowed to give links to that site; there are several of them, very public, used by Malwarebytes and others, but not everyone likes them in forum posts. Like those who write forum rules. I can say this much: the site listed is Chinese and the other content is labeled PDF exploit, Liberty Exploit System kit, trojan. I put money on infection for now.

Bamse:
Here is MSE in action when I enter the domain holding that update.exe, so I'm a bit cheap on the links... Not all are so well protected  :D

Innuendo:
Out of curiosity, was he running with Administrative rights when this happened?
-Stoic Joker (October 13, 2009, 06:22 PM)
--- End quote ---

Here's that information I promised to get you, Joker. He was running as a user in the administrator group. The OS was Win7 and it was running at the stock UAC level (which I have since told him he needed to bump all the way up, which he did) and the browser he used was Firefox v3.5.3 with no extensions.

He used to run Eset software before, but when his subscription lapsed he thought he'd try to save some money and give MSE a try. After his big adventure he couldn't get his credit card information to Eset fast enough.

Bamse:
The big unknown adventure with no clicks involved, it just happened, oops... OK, I'll stop, but details, details, the more the better. Must know what went wrong; it can nearly always be found out. If he has given you detailed and convincing reports of the infection, he also knows where it came from. Check the Malwarebytes log if nothing else is available; PM me a link and such if you have it, please. Maybe he got hit, but I'm sure of one thing: he DID click, and that will be confirmed by a reconstruction. Most conveniently forget, but unless you run unpatched XP with IE6 (a few old browser plugins will help too), chances are that not-so-clever clicks are involved. Like every time. Nothing to do with MSE, which should stop whatever anyway, but MSE was not alone in failing or you can slap me silly. If an infection raced through your knowledgeable friend's supposedly fully functional setup, we have a major story to tell the world. The closest you will get to "I did not do anything!!" is infection from a USB drive with autorun enabled. That is entirely up to the scanner and Windows to stop. He can't do much about that. I think MS just released a tool to permanently disable autorun on all removable drives, not the worst idea if unknown drives are used.

Well, seems like MS was right about that Russian update.exe, which is in fact notepad.exe. I guess the malware collector must have bundled it with all the other nasty Flash exploits and exe files on that site. First time I've seen that. Comodo now also flags it, but I don't know. 3 out of 40+; neither I nor the scanners can see any sign of infection, so I give up, it is just sitting there. Went through the strings in Process Explorer, looks like a Russian notepad to me. Had hoped it would trigger suddenly, but nothing happens. Besides apparently being right, a response time of 16 min. is extremely fast. Makes people submit more; less than 6 hours or so is great.

It does not take more than a Google search to find those lists of malware, but if anyone wants the handful I have, they are available. Next after Vista/7, getting the computer infected is the most effective defense ever. Spend time removing it too. Also a good test of browser filters; I've been told by MS that IE8 has an 80+% detection rate on "socially engineered" malware downloads = links! Try 30 tops. Strange world this is. Goes a bit up and down because those sites of course do not list in real time, they bundle and present. How that matches MS's filter machinery is perhaps random; nowhere near an 80% hit rate, that is for sure. Not ahead of Google's filter either, but never mind that, another battle... If the infection is good, like you can't figure out how to remove it - done for!, it will stick in memory for a while. Must be done in VirtualBox/VMware or whatever else there is. No shared folders either. Get a 120-day free XP with IE6 from MS if none is available. MSE requires legit Windows; I assume it will work on those free versions. Guess it's easiest to set up in MS Virtual PC, don't remember if VirtualBox converts automatically.
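The post above mentions a Microsoft tool for permanently disabling autorun on removable drives. Whatever that tool does under the hood, the setting it controls lives in two well-known registry values, and the check a practitioner would want is whether they are actually in effect on the box. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; it assumes an elevated prompt (HKLM writes fail otherwise) and uses the documented values NoDriveTypeAutoRun (bit mask of drive types with AutoRun disabled; 0xFF covers all of them) and HonorAutorunSetting (must be 1 for Windows to respect the mask after KB967715).

```powershell
# Added example for this page (not from the original thread or from Microsoft).
# Audits, and with -Harden enforces, the policy values that disable AutoRun
# for every drive type. Run from an elevated PowerShell prompt.
param([switch]$Harden)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # bit mask: AutoRun disabled for all drive types

function Get-AutoRunState {
    # Returns a summary object; missing values show up as $null.
    $v = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $mask = $v.NoDriveTypeAutoRun
    [pscustomobject]@{
        Key                 = $PolicyKey
        NoDriveTypeAutoRun  = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { $null }
        HonorAutorunSetting = $v.HonorAutorunSetting
        # Only true when every drive-type bit is set AND the mask is honored.
        AllDrivesBlocked    = ($null -ne $mask) -and
                              (($mask -band $AllDrives) -eq $AllDrives) -and
                              ($v.HonorAutorunSetting -eq 1)
    }
}

function Set-AutoRunDisabled {
    # Creates the policy key if needed and writes both values as DWORDs.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun  -Value $AllDrives -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name HonorAutorunSetting -Value 1          -Type DWord
}

$before = Get-AutoRunState
Write-Output 'Before:'
$before | Format-List

if ($Harden -and -not $before.AllDrivesBlocked) {
    Set-AutoRunDisabled
    Write-Output 'After:'
    Get-AutoRunState | Format-List
} elseif (-not $before.AllDrivesBlocked) {
    Write-Warning 'AutoRun is not disabled for all drive types. Re-run with -Harden to fix.'
}
```

Run it once without switches to see the current state; `.\Check-AutoRun.ps1 -Harden` writes the values. Explorer re-reads the policy key, but a logoff is the safe way to be sure the new mask applies to the current session. Note that the check treats a set mask without HonorAutorunSetting=1 as not blocked, because on pre-update systems the mask alone could be bypassed.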

Stoic Joker:
Out of curiosity, was he running with Administrative rights when this happened?
-Stoic Joker (October 13, 2009, 06:22 PM)
--- End quote ---

Here's that information I promised to get you, Joker. He was running as a user in the administrator group. The OS was Win7 and it was running at the stock UAC level (which I have since told him he needed to bump all the way up, which he did) and the browser he used was Firefox v3.5.3 with no extensions.-Innuendo (October 16, 2009, 11:21 AM)
--- End quote ---
I just had a funny feeling that was going to be the case (which proves f0dder's UAC recommendations again). I truly believe that the permissions reduction strategy is the only really effective defense. HIPS/heuristics can do their part, but even they miss, FP, or just annoy you into screwing up. If a user is logged into a machine with an account that has permission to break said machine, then the whole thing really just turns into a contest to see who blinks first. *Shrug* ...The question becomes how much of the system's resources you are willing to sacrifice on something that is only 98% effective.

Every single Anti-EvilWare solution on the market today is at best (just like birth control) only 98% effective. Why? (lawyers, true) Because (sh)IT happens...and there just isn't (cycle) time to check for every little thing right down to the very last detail so everybody just picks their best rendition of hitting the high-spots and calls it good.

A bit nihilistic of me perhaps, true, but I don't care. I'm not about to pay (Peter) massive amounts of my system's resources to pay (Paul) for my right to do something stupid (Hey, we all have off days...). So far MSE has managed to remain light enough not to annoy me resource-wise (which is difficult, I'll admit), so I'm letting it run to see what it does. I also have UAC enabled.

...No real specific point here, I'm just kinda sharing/thinking out loud... :)

Interesting side note on security trends, apparently there has been enough losses on the (high-end) border router defenses front that they are coming up/out with some entirely new "border-less" network paradigm. ...Cripes, that should be a hoot...
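The two posts above establish the setup that failed: an account in the Administrators group, Windows 7, UAC at the stock level, and the advice to raise UAC "all the way up". The following PowerShell is an added example written for this page, not code from the thread's participants; it reports exactly those facts for the current session and, with -AlwaysNotify, writes the "Always notify" UAC level. It assumes an elevated prompt for the write, and relies on the documented UAC policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop. The group-membership check reads the token's group list rather than IsInRole, because a non-elevated admin's filtered token carries the Administrators SID as deny-only and IsInRole reports false for it.

```powershell
# Added example for this page (not from the original thread). Reports whether
# the session matches the "admin account at stock UAC" setup described in the
# thread, and with -AlwaysNotify raises UAC to the highest prompt level.
param([switch]$AlwaysNotify)

$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AdminSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

# ConsentPromptBehaviorAdmin values as documented by Microsoft.
$AdminPromptLevels = @{
    0 = 'Elevate without prompting (UAC effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

function Get-SessionSecurityState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $uac       = Get-ItemProperty -Path $UacKey
    $level     = [int]$uac.ConsentPromptBehaviorAdmin

    [pscustomobject]@{
        User                  = $id.Name
        # Present in the token even when deny-only (the filtered-token case).
        InAdministratorsGroup = $id.Groups.Contains($AdminSid)
        # True only when running with the full (elevated) admin token.
        TokenIsElevated       = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        UacEnabled            = ($uac.EnableLUA -eq 1)
        AdminPromptLevel      = $level
        AdminPromptMeaning    = $AdminPromptLevels[$level]
        SecureDesktop         = ($uac.PromptOnSecureDesktop -eq 1)
        # "Always notify" in the Win7 slider = consent on secure desktop.
        IsAlwaysNotify        = ($uac.EnableLUA -eq 1) -and ($level -eq 2) -and ($uac.PromptOnSecureDesktop -eq 1)
    }
}

function Set-UacAlwaysNotify {
    # Needs an elevated token; Set-ItemProperty throws otherwise.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$state = Get-SessionSecurityState
$state | Format-List

if ($state.InAdministratorsGroup -and -not $state.IsAlwaysNotify) {
    Write-Warning 'Admin-group account with UAC below "Always notify": the setup described in the thread.'
}
if ($AlwaysNotify -and -not $state.IsAlwaysNotify) {
    Set-UacAlwaysNotify
    Write-Output 'UAC set to "Always notify". A reboot is required for EnableLUA changes to take effect.'
    Get-SessionSecurityState | Format-List
}
```

Run it as the user in question without switches first: an account that shows InAdministratorsGroup true, TokenIsElevated false and AdminPromptLevel 5 is exactly the "stock UAC, admin group" configuration the posts describe. A change to EnableLUA only applies after a reboot; the prompt-level values are read at the next elevation request.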
