Kaseya Community

Problem with Fake windows antivirus 2008 / 2009

  • Problem with Fake windows antivirus 2008 / 2009

    We have been getting lots of customers with this problem and AVG 7.5 / KES will not block it. Does anyone have a fix that they are using with their customers to prevent this problem?

    We also have a ticket open with K support but no solutions as of yet.

    Confused

    Legacy Forum Name: Problem with Fake windows antivirus 2008 / 2009,
    Legacy Posted By Username: jasonvm
  • Boy, have we ever had an issue with this lately. I have quite a few notes on this including some of the filenames that are installed in certain directories. I would be interested to work on this together with others to find a way to scan and delete the files installed by this pesky program.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: trnetwork
  • This has been a killer for us too! eTrust does not stop it, nor does either Windows Defender or SUPERAntiSpyware. Windows Defender will detect some of the infection if you run a full scan. SAS will usually detect the entire thing and clean the infection. The only "sure" fix we've found is to run SUPERAntiSpyware, MalwareBytes and ComboFix. If someone has a way to block installation, I'm all ears.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: arobar
  • Me too! We've had it infect PCs with Trend, McAfee (both home and hosted versions) and CA.

    The cleanup tool that I've found works best is ComboFix, but I haven't found a way to script this yet.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: djmundy
  • I'd love to get a ticket logged for this. We have a really good relationship with AVG and would love to get this black-listed.

    Alternatively, you can submit problem programs like this to virus@avg.com.

    Jeff

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: Jeff.Keyes
  • Well, it is my understanding that AVG 8 does block this problem but we don't have it in KES yet. Is this right? Does anyone know if it does or does not protect against this?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • So far nothing (primarily Trend and AVG) I've got on any of my clients blocks this.

    Until today I've been able to boot with BARTPE and delete the offending files but the latest version of this crap I found today is going to require a wipe and re-install.

    Face it, everyone - traditional AV products no longer work; the malware authors have won.

    Consider - most of the malware being released now has been tested against all of the current AV products on the market. And once it infects computers it continues to morph, in some cases hourly, so that there is no way traditional definition-based AV products can keep up.

    We're no longer installing AV on our clients' systems. When their license comes up for renewal we're moving them to Anti-Executable from Faronics:

    http://www.faronics.com/html/AntiExec.asp

    This changes the game: instead of allowing everything and blocking some, we block all and allow only what's approved.

    It also has the great advantage of not slowing computers down since it doesn't have to scan every file that passes through the system.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: misolutions.com
  • misolutions.com
    We're no longer installing AV on our clients' systems. When their license comes up for renewal we're moving them to Anti-Executable from Faronics:

    Doesn't the Kaseya network driver perform the same thing (allows you to whitelist EXEs for execution or network access)? What are some of the advantages of Faronics?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: arobar
  • FYI Jeff, we do have a ticket open with you: ticket 115105.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • As for Faronics, we tested it about a year ago and had a lot of problems with it. It didn't work well with Kaseya; we had a hard time getting it to update Windows patches. It was also very time consuming: every time a user needed to install an update to a program like UPS, FedEx daily, QuickBooks tax tables, Java, Adobe, POS, or any legitimate program that they used, we had to unlock the system. Not only did this take lots of time out of our day, but the customers were getting tired of calling us to unlock it. How have you been doing with it, how long have you been using it and how many PCs are on it? Have you been able to work out the problems we had above? We would like to look at it again, but it needs to work more smoothly.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • We have had a total of three infections.

    Two were the same machine. Seriously.
    One was a home user.

    The machine that was infected twice was because the user didn't listen to us about what emails NOT to open and that they shouldn't be visiting personal sites (like myspace, live.com, etc.) while on their company's time. The second infection we charged $240 for the cleanup. Guess who isn't visiting personal sites on company time anymore.

    This malware comes down to education. Smart browsing + intelligence = clean machine. If these are business clients, I would talk to the owner or other contact at your clients and relay some minor education to them like not opening eCard emails, not visiting websites like myspace on company time, etc. We haven't had any infections on clients' networks where we have spoken to each end-user on the do's and don'ts of the internet.

    If you are an MSP, there are a few blogs out there that relay early infections, so you should have plenty of time to send out a quick notice (email, Kaseya popup, etc.) on websites not to visit and emails not to open. Keeping them up to date is just as proactive and important to keeping systems up and running as anything Kaseya can do.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: CeruleanBlue
  • Please do reveal these web site blogs so if we don't have these in our favorites, we can add them and check them regularly.

    Just curious, do you have local admin rights taken away from the users? We are seriously considering this to reduce the amount of infections propagating through the Internet. We are also considering blocking these sites even on remote field machines so we can reduce the amount of infections we have to clean. We can all agree spending time cleaning malware and spyware is an extreme waste of our time. If we can lock it down into a box of its own, then we can scan for the files and clean right away if they are found.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: trnetwork
  • jasonvm
    As for Faronics, we tested it about a year ago and had a lot of problems with it. It didn't work well with Kaseya; we had a hard time getting it to update Windows patches. It was also very time consuming: every time a user needed to install an update to a program like UPS, FedEx daily, QuickBooks tax tables, Java, Adobe, POS, or any legitimate program that they used, we had to unlock the system. Not only did this take lots of time out of our day, but the customers were getting tired of calling us to unlock it. How have you been doing with it, how long have you been using it and how many PCs are on it? Have you been able to work out the problems we had above? We would like to look at it again, but it needs to work more smoothly.


    You're probably thinking of Deep Freeze. Different animal entirely.

    Anti-Executable allows you to specify those programs that need to update themselves and allow them to do so. As for patch management, you set a time window when the system is unlocked so Kaseya can perform its patch management tasks.

    By the way, they have a reseller program and if you want you can be the sole purchaser of the licenses you sell, getting yourself higher volume discounts. Then with the Enterprise version you can set the central console up on your own server and manage the clients from one location. It does require opening a port on the firewall, but you can specify the port.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: misolutions.com
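    The two posts above contrast a traditional block-list ("allow everything, block what's known bad") with Anti-Executable's default-deny allow-list, plus an unlock window for patching. The script below is an added illustration of that difference, not Faronics' or Kaseya's code: it hashes a few constructed sample files, evaluates each under both policy modes, and shows how a repacked variant slips past a block-list while still being denied by the allow-list outside the maintenance window. File names, contents and the window times are all made up for the demo.

    ```python
    """Default-deny allow-list vs. default-allow block-list (added example, constructed data)."""
    import hashlib
    import os
    import shutil
    import tempfile
    from dataclasses import dataclass, field
    from datetime import datetime, time
    from typing import Dict, Optional, Set, Tuple


    def sha256_of(path: str) -> str:
        """Hash a file in chunks so large binaries do not have to fit in memory."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()


    @dataclass
    class Policy:
        """mode is 'block_list' (AV-style) or 'allow_list' (Anti-Executable-style)."""
        mode: str
        known_bad: Set[str] = field(default_factory=set)   # signatures of seen malware
        approved: Set[str] = field(default_factory=set)    # hashes the admin approved
        # Optional (start, end) clock times during which the allow-list is relaxed,
        # standing in for the "unlocked" patch window described in the thread.
        window: Optional[Tuple[time, time]] = None

        def decide(self, path: str, now: datetime) -> str:
            digest = sha256_of(path)
            if self.mode == "block_list":
                # Default allow: anything not in the signature set runs.
                return "deny" if digest in self.known_bad else "allow"
            # Default deny: only approved hashes run, except during the unlock window.
            if digest in self.approved:
                return "allow"
            if self.window and self.window[0] <= now.time() < self.window[1]:
                return "allow (maintenance window)"
            return "deny"


    # Constructed sample "binaries"; the variant models the hourly morphing the thread describes.
    SAMPLE_FILES = {
        "approved_app.exe": b"MZ constructed sample of an approved line-of-business app",
        "rogue_av2009.exe": b"MZ constructed sample of a rogue AV binary already in the signature DB",
        "rogue_av2009_variant.exe": b"MZ constructed sample of a repacked variant not yet in any signature DB",
    }


    def build_sample_dir() -> str:
        d = tempfile.mkdtemp(prefix="allowlist_demo_")
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return d


    def run_demo() -> Dict[str, Dict[str, str]]:
        """Return each sample's verdict under both policies, in and out of the unlock window."""
        d = build_sample_dir()
        try:
            p = lambda n: os.path.join(d, n)
            # The block-list only knows the first rogue sample, like a definition DB that is a step behind.
            block = Policy("block_list", known_bad={sha256_of(p("rogue_av2009.exe"))})
            # The allow-list knows only the app the admin approved; unlock window 02:00-03:00 (constructed).
            allow = Policy("allow_list",
                           approved={sha256_of(p("approved_app.exe"))},
                           window=(time(2, 0), time(3, 0)))
            business_hours = datetime(2009, 1, 15, 10, 30)
            in_window = datetime(2009, 1, 15, 2, 15)
            results = {}
            for name in SAMPLE_FILES:
                results[name] = {
                    "block_list": block.decide(p(name), business_hours),
                    "allow_list": allow.decide(p(name), business_hours),
                    "allow_list_in_window": allow.decide(p(name), in_window),
                }
            return results
        finally:
            shutil.rmtree(d, ignore_errors=True)


    if __name__ == "__main__":
        for name, verdicts in run_demo().items():
            print(name, verdicts)
    ```

    The interesting rows are the variant (block-list says allow because the hash changed; allow-list says deny because it was never approved) and the unlock window, where anything unapproved runs. That last result is the cost of the patch window the post describes: keep it short and watch what executes during it.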
  • CeruleanBlue
    We have had a total of three infections.

    Two were the same machine. Seriously.
    One was a home user.

    The machine that was infected twice was because the user didn't listen to us about what emails NOT to open and that they shouldn't be visiting personal sites (like myspace, live.com, etc.) while on their company's time. The second infection we charged $240 for the cleanup. Guess who isn't visiting personal sites on company time anymore.

    This malware comes down to education. Smart browsing + intelligence = clean machine. If these are business clients, I would talk to the owner or other contact at your clients and relay some minor education to them like not opening eCard emails, not visiting websites like myspace on company time, etc. We haven't had any infections on clients' networks where we have spoken to each end-user on the do's and don'ts of the internet.

    If you are an MSP, there are a few blogs out there that relay early infections, so you should have plenty of time to send out a quick notice (email, Kaseya popup, etc.) on websites not to visit and emails not to open. Keeping them up to date is just as proactive and important to keeping systems up and running as anything Kaseya can do.

    In reality, there are multiple thousands of infected web sites due to JavaScript and SQL injections. Many of them are legitimate business-related web sites. So there is no guarantee that "safe surfing" will keep you from getting infected.

    And you also prove my point about how worthless AV products are today. Even with AV, which I'm sure you had on the workstation, it still got infected.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: misolutions.com
  • Use SmitFraud Fix - search for it on Google and you'll find it all over the place; it cleans this infection very nicely. It doesn't work with scripting, but maybe some of the smart guys on this forum can tear it apart and make one that does the same thing but is scriptable!

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: TBK Consulting