Kaseya Community

Problem with fake Windows Antivirus 2008 / 2009

  • 1. So with whitelist tech, how do you overcome the hundreds of different users?

    2. How do you know what is OK to install on the systems when you are not using an AV? Like when a user needs new software installed on their system, how do you know it doesn't potentially have spyware or a virus in it?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • misolutions.com
    You're probably thinking of DeepFreeze. Different animal entirely.



    Anti-Executable allows you to specify those programs that need to update themselves and allow them to do so. As for patch management, you set a time window when the system is unlocked so Kaseya can perform its patch management tasks.

    By the way, they have a reseller program and if you want you can be the sole purchaser of the licenses you sell, getting yourself higher volume discounts. Then with the Enterprise version you can set the central console up on your own server and manage the clients from one location. Does require opening a port on the firewall but you can specify the port.

    1. So with whitelist tech, how do you overcome the hundreds of different users?

    2. How do you know what is OK to install on the systems when you are not using an AV? Like when a user needs new software installed on their system, how do you know it doesn't potentially have spyware or a virus in it?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • jasonvm
    1. So with whitelist tech, how do you overcome the hundreds of different users?

    2. How do you know what is OK to install on the systems when you are not using an AV? Like when a user needs new software installed on their system, how do you know it doesn't potentially have spyware or a virus in it?


    Whitelist tech is not user specific but workstation based.

    In a business environment, the only thing that should be on the station is software that runs the business. If a user thinks he/she needs something on the business's workstation then they need to justify it.

    As for installing it, the admin (since users shouldn't have free reign anyway) simply enters the secret code, or unlocks the station from the admin console and installs required software. Then you lock it back down. By installing it you automatically add it to the whitelist.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: misolutions.com
  • But what is there to stop you, the tech, from installing a bad piece of software by mistake, when there is no AV?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • jasonvm
    But what is there to stop you, the tech, from installing a bad piece of software by mistake, when there is no AV?


    What type of software would that be? If you're getting software from untrusted sources then you reap what you sow.

    And in a business environment, the only software that should be installed is that which the business needs to operate.

    Besides, while I can't guarantee the whitelist tech will stop 100% of infections, I also know that AV tech will not stop 100% either.

    But I can guarantee that AV tech is more than likely going to add a big memory footprint and slow the computer down. Whitelist tech doesn't do that.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: misolutions.com
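The two posts above describe the model in words: the allowlist belongs to the workstation, not the user; an admin "unlock" window lets required software be installed; whatever is installed during that window is trusted afterwards; and nothing in that model stops a tech from trusting a bad installer while the box is unlocked. The following is an added example written for this page, not code from the thread, from Faronics Anti-Executable, or from any other product named here. It models that behaviour with SHA-256 hashes of file contents (an assumption; the real products' matching rules are not described on the page), on a constructed temporary directory standing in for a workstation, and the file names are invented for illustration. Hashing contents rather than paths is what makes a replaced binary get denied even though its path was trusted.

```python
"""Hash-based, per-workstation application allowlisting (toy model).

Added example, not code from the thread or from any product named in it.
Models the behaviour described in the posts: the allowlist is per machine,
not per user; an admin 'unlock' window lets software be installed, and
anything run while unlocked is added to the allowlist automatically.
SHA-256 of file contents is used rather than the path name (an assumption),
so a known-good binary that gets replaced on disk is denied even though its
path was trusted. All file names below are constructed for illustration.
"""
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class WorkstationAllowlist:
    """One allowlist per workstation; the logged-on user plays no part."""

    def __init__(self) -> None:
        self.allowed: set[str] = set()
        self.unlocked = False
        self.log: list[tuple[str, str, str]] = []

    def baseline(self, root: str) -> int:
        """Snapshot every executable already on the machine as trusted."""
        count = 0
        for dirpath, _, names in os.walk(root):
            for n in names:
                if n.lower().endswith(EXECUTABLE_EXTS):
                    self.allowed.add(sha256_file(os.path.join(dirpath, n)))
                    count += 1
        return count

    def unlock(self) -> None:
        """Admin install window: whatever runs now becomes trusted."""
        self.unlocked = True

    def lock(self) -> None:
        self.unlocked = False

    def check(self, path: str) -> str:
        """Decide whether `path` may execute. Returns 'allow' or 'deny'."""
        digest = sha256_file(path)
        if self.unlocked:
            # Caveat from the thread: the product does not vet what the admin
            # installs. A bad pick made while unlocked is trusted from now on.
            self.allowed.add(digest)
            self.log.append(("allow-unlocked", path, digest[:12]))
            return "allow"
        verdict = "allow" if digest in self.allowed else "deny"
        self.log.append((verdict, path, digest[:12]))
        return verdict


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict[str, object]:
    """Walk the scenario from the thread on a constructed fake workstation."""
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as root:
        lob = os.path.join(root, "lob_app.exe")          # line-of-business app
        _write(lob, b"MZ line-of-business app v1")
        wl = WorkstationAllowlist()
        results["baselined"] = wl.baseline(root)         # 1 executable trusted
        results["lob_locked"] = wl.check(lob)            # allow

        rogue = os.path.join(root, "AntivirusXP08_setup.exe")  # constructed name
        _write(rogue, b"MZ rogue installer")
        results["rogue_locked"] = wl.check(rogue)        # deny: not on the list

        newapp = os.path.join(root, "approved_tool.exe")
        junk = os.path.join(root, "bundled_junk.exe")
        _write(newapp, b"MZ approved tool")
        _write(junk, b"MZ bundled junk the tech did not notice")
        wl.unlock()                                      # admin install window
        results["install_unlocked"] = wl.check(newapp)   # allow and add
        results["junk_unlocked"] = wl.check(junk)        # allow and add (the caveat)
        wl.lock()
        results["newapp_relocked"] = wl.check(newapp)    # allow: learned above
        results["junk_relocked"] = wl.check(junk)        # allow: learned, wrongly
        results["rogue_relocked"] = wl.check(rogue)      # deny: still unknown

        # Same trusted path, different bytes: path-based trust would pass this.
        _write(lob, b"MZ rogue replaced the lob app in place")
        results["lob_tampered"] = wl.check(lob)          # deny: hash changed
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `junk_*` entries are the point jasonvm raises: the unlock window trusts whatever the admin runs, so vetting the installer (source, published hash, a scan before unlocking) is still the tech's job, and the product only enforces the decision afterwards.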
  • Well, I have seen where a download of Adobe Reader was infected with a problem even though it came from Adobe; the virus scanner found it, but the other technology would not have, right?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • Hi all, I just had a client over the past weekend bring in a PC with winanti08 on it. I did some research on Google (God bless Google) and found a program called Malwarebytes, found here http://www.malwarebytes.org/mbam.php . I installed it after backing up the system and found that it got rid of it in one fell swoop. It even made a log of the files that were locked so that on start-up it can get rid of them while they are still "unlocked". I am going to work on a way and see if I can get this guy scripted or find some way to make it run silently. I did not even need to update it to get rid of the winanti08. Good luck all! If I come up with a way to make it work through scripting I'll make a repost.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: Scottb
  • Yes, we are using this and it works most of the time, depending on the payload. But no script yet. This only removes it; we are looking for a way to block it altogether. Any ideas?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • What about Bit9 http://www.bit9.com/ or CoreTrace Bouncer http://www.coretrace.com/ ? Anyone using these or tried them?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • Scottb
    Hi all, I just had a client over the past weekend bring in a PC with winanti08 on it. I did some research on Google (God bless Google) and found a program called Malwarebytes, found here http://www.malwarebytes.org/mbam.php . I installed it after backing up the system and found that it got rid of it in one fell swoop. It even made a log of the files that were locked so that on start-up it can get rid of them while they are still "unlocked". I am going to work on a way and see if I can get this guy scripted or find some way to make it run silently. I did not even need to update it to get rid of the winanti08. Good luck all! If I come up with a way to make it work through scripting I'll make a repost.


    Well the last version of the malware I came across this week would not clean. A reformat and re-install was needed. The problem is, these things keep morphing constantly.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: misolutions.com
  • jasonvm
    Well, I have seen where a download of Adobe Reader was infected with a problem even though it came from Adobe; the virus scanner found it, but the other technology would not have, right?


    Was that download direct from Adobe? If so I would suspect a false positive from the AV software and not a real infection.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: misolutions.com
  • Yes, it was from them, and yes, it was real.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm
  • Run the following tools in safe mode to remove this and most other infections:

    1. http://www.safer-networking.org/en/download/index.html
    2. http://siri.urz.free.fr/Fix/SmitfraudFix.exe
    3. http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    4. http://www.bleepingcomputer.com/files/sdfix.php

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: james@williswhite.co.nz
  • I did hear back from a higher level at AVG. Their response to this issue was to upgrade to AVG 8 (KES 1.5), as it has polymorphic threat detection, whereas AVG 7.5 really only handles the raw signature-based threats. We are working super hard at polishing off KES 1.5 so we can get it released to provide even better detection against these super nasty threats.

    Is there any way to move these clients directly to AVG 8 (using the existing license keys) such that the threat would be mitigated?

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: Jeff.Keyes
  • Well, how do we know which customers to move to it? This is a random problem, and it would take days of tech time to move all of the customers, not to mention that we would lose all control of the AV and its updates and reporting. That is why we went with Kaseya in the first place.

    Legacy Forum Name: Kaseya End Point Security,
    Legacy Posted By Username: jasonvm