Kaseya Community

Problem with Fake windows antivirus 2008 / 2009

  • For those of us without KES 2.0 or KES in General how do we go about blocking these?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jm-ctaccess
  • [QUOTE=jm-ctaccess;34133]For those of us without KES 2.0 or KES in General how do we go about blocking these?[/QUOTE]

    I was trying to get a script put together to deploy the file black list out, but I never got it working. That would be one way to prevent it, but it's rather manual and requires knowledge of the file name, which I'm sure changes constantly. And I still need a way to easily update everyone with new entries.

    Otherwise not sure what to tell you. We are deploying Trend "worry-free business security suite" to a lot of folks, which has a built in web filter that works pretty well defending against this thing. Similar to KES 2.0 it would appear.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: fisofo
• I have not tested nor tried this, but if you gather a list of commonly used exe names, could you simply put those file names on the application blocker within Kaseya?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: GDRBrian
  • GDRBrian
    I have not tested nor tried this, but if you gather a list of commonly used exe names, could you simply put those file names on the application blocker within Kaseya?


    Absolutely, that's what I was referring to actually. The problem is that it's a bit clunky... you have to enter each executable individually, which isn't too bad since you can apply to a group all at once, but it takes a while if you have a longish list of exe's.

    The problem remains that it is really easy for these programs to just increment their file name and then they can start running. It would be nice to be able to block files using wildcards (I've requested this already). But anyway, application blocker is not really designed for this purpose (stopping viruses/trojans), so it's just duct tape for a leaky pipe in the end.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: fisofo
  • check out Malwarebytes it will clean up both Antivirus 2008 & 2009

    www.malwarebytes.org/mbam.php

    Good Luck
    John

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: Sansman
  • I have quite a few applications listed in my Application Blocker including all the ones I could find for XP Antivirus, but I'm not sure if it's preventing problems or causing problems. Below is the latest alarm.

    File access to C:\program files\xp antivirus\xpa.exe has been denied to Rtvscan

    When I connect to find that file, it's not there. This doesn't happen on all machines, only a few, but they occur about once a day. Has anyone else seen the Antivirus 2008/2009 disappear like this? I don't even know if it's installed now or not.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: runnetworks
  • I've seen the same thing with Malwarebytes anti-malware, it will say it found that file even though it does not exist... I have confirmed this is a false positive. Typically if an antivirus/anti-malware detects the xpa file, it will also detect the corresponding directories, files, and registry entries that it also infects, so that's one way to see it's a false positive.

    There's definitely room for improvement into the way this works, I'd love to see wildcard capabilities, and the ability to allow specific processes access to the blocked applications (AV systems).

    Has anyone gotten it to work with Vista? I get daily protection violations when I run it on Vista for every single app I have blocked... I've got a ticket open with Kaseya on it right now.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: fisofo
  • arobar
    This has been a killer for us too! eTrust does not stop it, nor does either Windows Defender or SUPERAntiSpyware. Windows Defender will detect some of the infection if you run a full scan. SAS will usually detect the entire thing and clean the infection. The only "sure" fix we've found is to run SUPERAntiSpyware, MalwareBytes and ComboFix. If someone has a way to block installation, I'm all ears.


    Malwarebytes is about the only product out there that can rid a system of the AV 07, 08, 09, and now the AV 360. I haven't ventured into trying to script this app yet, but I am sure it can be done. AVG does see them and puts them in either the Threat or Vault. Another thing I use to find the errant files is Process Explorer, and CCleaner.

    But you're gonna have to remote in to use those of course.

    I did see a script for pushing CCleaner on here somewhere but haven't tried it yet. If there is a better solution I'm welcome to hear about it.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: Techdawg
  • I'd question the comment on XPA being a false positive. We've seen AntiVirus xxx several times and never a false positive. We've seen it show XPA alone, files with a completely random name, sometimes related directories.

    We never had any false positives.

    Although I wouldn't be surprised with any program showing a false positive. I would be very surprised if it reported a file that wasn't there at all, with the following exceptions: (1) It was there and was removed. (2) The file or directory is hidden.

    Following is a script that one of my guys put together for Malwarebytes. He's out of the office right now so I can't confirm if he's run this on enough machines to verify how it works. But it should get you started.

    Script Name: MalwareBytes Quickscan
    Script Description:

    IF Test File
    Parameter 1 : C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    Exists :
    THEN
    Execute Shell Command
    Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runupdate
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /quickscanterminate
    Parameter 2 : 1
    OS Type : 0
    ELSE
    Execute Script
    Parameter 1 : push malware bytes (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 : 5
    Parameter 3 : 1
    OS Type : 0
    Execute Script
    Parameter 1 : MalwareBytes Quickscan (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 : 10
    Parameter 3 : 1
    OS Type : 0
    Script Name: push malware bytes
    Script Description:

    IF True
    THEN
    Write File
    Parameter 1 : c:\support\mbam-setup.exe
    Parameter 2 : VSASharedFiles\mbam-setup.exe
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\support\mbam-setup.exe /verysilent
    Parameter 2 : 1
    OS Type : 0
    ELSE

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: doug.jenkins@ispire.ca
  • a quick reply to the false positives thing: we have a ticket with kaseya for this actually... the issue is twofold:

    1. application blocker reports alerts on almost all of our Vista boxes for ANYTHING that is added to the list (even notepad), with alerts from svchost if I recall correctly. Kaseya verified it's a problem, and is working on it apparently. This is really a side issue, but one thing we are seeing.

    2. Additionally, with application blocker blocking (for example) xpa.exe, a known variant... kaseya will actually block a "phantom file" from being scanned by AV checkers. Here's what happens: Malwarebytes will specifically look for xpa.exe in specific locations, like system32, then application blocker responds with "you can't access that file" EVEN IF THE FILE DOESN'T EXIST (which is the point, really), then malwarebytes reports back that it "found" the file and that it has to be renamed on reboot.

    So that's where the false positives come from... you can reproduce that behavior on any freshly built machine.

    Thanks for the script, I may have to play around with that!

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: fisofo
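The phantom-detection mechanism described in the post above, as an added illustration that is not code from this thread, from Kaseya or from Malwarebytes: a scanner that treats "access denied" the same as "file found" will report an infection on a clean machine whenever a blocking driver sits in front of the path. The system32 file name, the verdict strings and the stand-in blocker are assumptions.

```python
import os
import tempfile
from enum import Enum

# Paths the thread says the fake AV (and the blocker list) use. The first is
# quoted from the alarm in the thread; the system32 one is an assumption.
WATCHED_PATHS = [
    r"C:\program files\xp antivirus\xpa.exe",
    r"C:\Windows\system32\xpa.exe",
]


class Probe(Enum):
    PRESENT = "present"   # stat succeeded: the file really is on disk
    ABSENT = "absent"     # not found: nothing at that path
    BLOCKED = "blocked"   # access denied by a driver/policy: existence unknown


def probe(path, stat=os.stat):
    """Classify one path; `stat` is injectable so a blocker can be simulated."""
    try:
        stat(path)
        return Probe.PRESENT
    except FileNotFoundError:
        return Probe.ABSENT
    except PermissionError:
        return Probe.BLOCKED


def naive_verdict(result):
    """Scanner logic the thread describes: anything but 'not found' is a hit."""
    return "infected" if result != Probe.ABSENT else "clean"


def careful_verdict(result):
    """Report a blocked probe as inconclusive rather than as a detection."""
    if result == Probe.PRESENT:
        return "infected"
    if result == Probe.BLOCKED:
        return "inconclusive: path blocked by policy, check other artifacts"
    return "clean"


def blocked_stat(path):
    """Constructed stand-in for Application Blocker: denies listed names even
    when the file does not exist, otherwise defers to the real os.stat."""
    if path.lower() in (p.lower() for p in WATCHED_PATHS):
        raise PermissionError(13, "Access is denied", path)
    return os.stat(path)


def scan(paths=WATCHED_PATHS, stat=blocked_stat):
    """Return {path: (naive verdict, careful verdict)} for a clean machine."""
    report = {}
    for p in paths:
        r = probe(p, stat)
        report[p] = (naive_verdict(r), careful_verdict(r))
    return report


def demo_present():
    """Real stat on a real temp file: the only case that should read 'infected'."""
    with tempfile.NamedTemporaryFile() as f:
        return probe(f.name)
```

Running `scan()` on a machine with no such files still yields "infected" from the naive verdict for every blocked name, which is the false positive the thread is debating.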
  • Doug - thanks for the script! I'm going to test today...is this something that would be smart to push out to clients so that we've already got it installed, then we can run the quick scan if there's a problem? It seems logical to me, but I might be missing something. thanks! Lynda

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: Lynda
  • We use KES which has led us to drop using Spybot and Adaware on a regular basis. But we are currently considering pushing MalwareBytes and scanning on a regular basis. We haven't seen any negatives with this yet.

    What we have seen is users not catching on that they have AntiVirus xxxx so we want to do the scan and ensure there are no unreported problems.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: doug.jenkins@ispire.ca
  • doug.jenkins@ispire.ca
    We use KES which has led us to drop using Spybot and Adaware on a regular basis. But we are currently considering pushing MalwareBytes and scanning on a regular basis. We haven't seen any negatives with this yet.

    What we have seen is users not catching on that they have AntiVirus xxxx so we want to do the scan and ensure there are no unreported problems.


    Thanks for the info and the script. I am pretty new to Kaseya, and far from a master at scripting. Does the scan write to a log? If you were to do a scan on a regular basis, how do you collect the results?
    Thanks in advance,
    Jason

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonmh
  • doug.jenkins@ispire.ca
    I'd question the comment on XPA being a false positive. We've seen AntiVirus xxx several times and never a false positive. We've seen it show XPA alone, files with a completely random name, sometimes related directories.

    We never had any false positives.

    Although I wouldn't be surprised with any program showing a false positive. I would be very surprised if it reported a file that wasn't there at all, with the following exceptions: (1) It was there and was removed. (2) The file or directory is hidden.

    Following is a script that one of my guys put together for Malwarebytes. He's out of the office right now so I can't confirm if he's run this on enough machines to verify how it works. But it should get you started.

    Script Name: MalwareBytes Quickscan
    Script Description:

    IF Test File
    Parameter 1 : C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    Exists :
    THEN
    Execute Shell Command
    Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runupdate
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /quickscanterminate
    Parameter 2 : 1
    OS Type : 0
    ELSE
    Execute Script
    Parameter 1 : push malware bytes (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 : 5
    Parameter 3 : 1
    OS Type : 0
    Execute Script
    Parameter 1 : MalwareBytes Quickscan (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 : 10
    Parameter 3 : 1
    OS Type : 0
    Script Name: push malware bytes
    Script Description:

    IF True
    THEN
    Write File
    Parameter 1 : c:\support\mbam-setup.exe
    Parameter 2 : VSASharedFiles\mbam-setup.exe
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\support\mbam-setup.exe /verysilent
    Parameter 2 : 1
    OS Type : 0
    ELSE


    Script is good, however there are some issues I am trying to get around.
    1) Does not play well with Vista; I'm sure it's because of UAC.
    2) If it is a first install, there is a user box telling you it installed - great, now close it.
    3) After it runs and gets the updates - again another user box telling you it has updated to the latest and greatest version - great, now close it.
    4) Once the script gets past all that it works fine - only it is not saving a log file in the Malwarebytes interface, malware found or not. If you manually run MWB it saves a log file.
    5) How do I define the %userprofile% so it can snag the log file and mail it to me? GetFile maybe...

    Any insight is appreciated.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: Techdawg
  • Thank you Doug for this script. I finally got to use it today and have never had an easier time cleaning up the fake AV garbage.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonmh