Kaseya Community

Virus/Spyware/Malware - Discussion

  • From a spinoff of this thread here: http://community.kaseya.com/xsp/f/114/t/5393.aspx



    I wanted to discuss what products every one is using with regard to web security and spyware. Specifically, malware like Antivirus 2009 and the variants.



    We are looking to move to a SAAS web security product (possibly moving from AVG) and wanted to get some real life feedback.



    With any virus software, it's hard to say whether KES is great or terrible, but we don't seem to get the results we are looking for with respect to reporting, alerts and management (and obviously, protection). KES seems to constantly want to reboot for unknown reasons, definitions stop updating and all we get from support is a 're-install', the list goes on.



    What software or techniques are you using to stop, or help with, what seems lately to be an increase in spyware and web filtering? Do you add web security products on top of KES if you use it? Do the Web Shield and LinkScanner provide any help (we currently don't run either)?

    Legacy Forum Name: Virus/Spyware/Malware - Discussion,
    Legacy Posted By Username: GDRBrian
  • Prevention:
    - Untangle
    - Custom black hole DNS server
    - App blocker template
    - Patches via Kaseya / manual after fail

    Cleanup:
    - Cleanup script consisting of:
    - RKill (to kill malware processes that kill executables)
    - MalwareBytes download / update / silent run
    - CCleaner silent run
    - Delete broken shortcuts
    - Flush system restore
    - Defrag
    - Manual full scan with ComboFix and MBAM
    - Manual checking of proxy settings and hosts file (will script)

    We run KES / AVG, but it doesn't seem to stop many of the newer rogues.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: k2tech_tony
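    An added example (not from any poster in this thread) of the "manual checking of proxy settings and hosts file" step as a script. It assumes Windows PowerShell and that it runs as SYSTEM, as Kaseya scripts do, so per-user proxy settings are read from every loaded hive under HKEY_USERS rather than from HKCU.

    ```powershell
    # Added example, not from the thread: report hosts-file entries and per-user
    # WinINET proxy settings, two things the rogue AV families above commonly tamper with.
    # Assumes Windows PowerShell and execution as SYSTEM (hence HKU:, not HKCU:).

    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $findings  = @()

    # 1. Hosts file: anything other than comments and the plain localhost lines is reported.
    foreach ($line in Get-Content $hostsPath) {
        $trim = $line.Trim()
        if ($trim -eq '' -or $trim.StartsWith('#')) { continue }
        $parts = $trim -split '\s+'
        if ($parts.Count -lt 2) { $findings += "hosts: malformed line '$trim'"; continue }
        $ip    = $parts[0]
        $names = @($parts[1..($parts.Count - 1)])
        $isLoopback  = ($ip -eq '127.0.0.1' -or $ip -eq '::1')
        $isLocalhost = ($names.Count -eq 1 -and $names[0] -eq 'localhost')
        if ($isLoopback -and $isLocalhost) { continue }
        $findings += "hosts: $ip -> $($names -join ',')"
    }

    # 2. Proxy settings for every loaded interactive user hive (S-1-5-21-*, not the _Classes hives).
    if (-not (Test-Path 'HKU:')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $userHives = Get-ChildItem 'HKU:' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $userHives) {
        $sid = $hive.PSChildName
        $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        if ($p.ProxyEnable -eq 1) { $findings += "${sid}: ProxyEnable=1 ProxyServer=$($p.ProxyServer)" }
        if ($p.AutoConfigURL)     { $findings += "${sid}: AutoConfigURL=$($p.AutoConfigURL)" }
    }

    # Non-zero exit lets the calling script (or a Kaseya alert) flag the machine for a manual look.
    if ($findings.Count -eq 0) { Write-Output 'OK: hosts file and proxy settings look clean'; exit 0 }
    $findings | ForEach-Object { Write-Output "FINDING $_" }
    exit 1
    ```

    A legitimate corporate proxy or PAC URL will also show up as a finding, so compare the output against what each site is known to use rather than treating every hit as an infection.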
  • [QUOTE=k2tech_tony;51976]Prevention:
    - Untangle
    - Custom black hole DNS server
    - App blocker template
    - Patches via Kaseya / manual after fail

    Cleanup:
    - Cleanup script consisting of:
    - RKill (to kill malware processes that kill executables)
    - MalwareBytes download / update / silent run
    - CCleaner silent run
    - Delete broken shortcuts
    - Flush system restore
    - Defrag
    - Manual full scan with ComboFix and MBAM
    - Manual checking of proxy settings and hosts file (will script)

    We run KES / AVG, but it doesn't seem to stop many of the newer rogues.[/QUOTE]

    Couple of questions if you don't mind...

    - What is a Custom Black Hole DNS Server? Are you talking about what some SPAM services use?
    - Would you be willing to share any of the scripts you mention? Help fight the good fight against malware?

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: jfoote
  • [QUOTE=k2tech_tony;51976]Prevention:
    - Untangle
    [/QUOTE]

    How do you sell Untangle to your customers? Sell it as an add-on, or is it standard with your services?

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: GDRBrian
  • Edge Protection: Sonicwall TZ or NSA Series w/ the security services
    DNS: OpenDNS
    Email / Spam: Exchange Servers are behind ExchangeDefender, others break down into either Google Apps (includes Postini) or using the spam blocker on a Sonicwall
    Client AV/AS: KES
    Misc: MS Patching every Fri & Sat. Weekly temp / log file removal with CCleaner. Most users do not have Admin privileges so they are unable to install crappy apps and toolbars. We put Firefox on all systems and recommend everyone uses it as much as possible.

    As for cleanup, it looks like the last infection a client had was about 6 months ago. We used a combo of Malwarebytes and Combofix to ensure that the computer was cleaned.

    We have a pretty simple setup that seems to be effective enough. Maybe we and our clients are just lucky though.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: CeruleanBlue
  • Edge Protection: Sonicwall or ASA
    Spam: Barracuda or AppRiver (SaaS filtering)
    Antivirus: Symantec or Trend
    Malware: Malwarebytes (MSP version licensed and providing proactive scanning)

    So far (knock on wood) after 7 weeks of having Malwarebytes out at our MSP clients we haven't had a single malware infection.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: CCDave
  • CCDave
    Edge Protection: Sonicwall or ASA

    Malware: Malwarebytes (MSP version licensed and providing proactive scanning)

    So far (knock on wood) after 7 weeks of having Malwarebytes out at our MSP clients we haven't had a single malware infection.


    Is there any way to monitor malwarebytes or does it just work and the clients call if they have a problem?

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: GDRBrian
  • GDRBrian
    Is there any way to monitor malwarebytes or does it just work and the clients call if they have a problem?


    Currently Malwarebytes only logs IP Protection and Quick/Full Scan results to text log files. I've been hounding their developers to add more Event Log type alerts and I believe I'm starting to get somewhere.

    The issue with getting the text log files is they are located in directories with apostrophes (') in the path. When putting these into Kaseya's Log Monitor section Kaseya wraps each apostrophe with additional apostrophes, thus making the path invalid.

    Currently I'm just going on the "clients aren't calling" type scenario.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: CCDave
    That's the only problem I have with Malwarebytes at this time: it would be difficult to manage.

    Has anyone looked at the AV/spyware products from McAfee, Trend or Panda Security? We are looking for an all-in-one antivirus and web security combo. Any suggestions?

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: GDRBrian
  • jfoote do you have a copy of that flush system restore script?

    GDRBrian: I would definitely install edge protection such as a SonicWALL or Fortinet. If you can stop the threat before it reaches the endpoint that is half the battle. For AV we use Trend Micro WFBS-Adv. It is a total protection suite providing url filtering, AV, AS, firewall with IDS, Anti-Spam, etc. Trend even has a 'Remote manager' to centrally manage all your installs. And it (the remote manager) can integrate via email to Kaseya for ticketing. For Spam we use Google Postini.

    The spyware tools we use are Spybot, Malwarebytes and Combofix. All of these can be automated through Kaseya scripts.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: jfox
    Since we are addressing all things spyware/malware related, may I suggest a great testing site. www.malwaredomainlist.com is a forum where users post links to fake antivirus, viruses, etc. that can be used for testing. I spent a full day several months ago trying to get spyware and having no luck. (I don't know how end-users do it so easily!) After 5 minutes on this site I was able to test my installs of Symantec Endpoint, Webroot Spy Sweeper, Malwarebytes, and Vipre. Great testing tool, but be very careful as you are getting into live infections.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: CCDave
  • I would like to see the Flush System Restore script as well... Thanks!

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: billmccl
  • billmccl
    I would like to see the Flush System Restore script as well... Thanks!


    Just thinking out loud...

    Why don't you delete the System Restore files in the System Volume Information directory? You can run a script as SYSTEM which has rights to the folder. You should even be able to determine the files/folders older than X days to keep at least some sort of System Restore operational.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: CCDave
  • Has anyone been able to suppress the log file opening from Rkill when it actually ends a process?

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: Coldfirex
  • GDRBrian
    How do you sell Untangle to your customers? Sell it as an add-on, or is it standard with your services?


    We sell it as a managed security product. We build the hardware, load the software and manage it all. We charge $75 per month for a 10 user appliance. That comes with the box, the professional software, the monitoring from Kaseya, unlimited support and also configuration changes for them.

    We are about to launch this and our other offerings as a reseller product for other MSPs soon.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: Mark Shehan