Hex Darkstar
May 28, 2004

I think I need another liver transplant.
I'll definitely have to check that one out. I usually end up testing software before we hand it down to the service desk for malware removal. The only concern is the software license agreements. We got in some poo poo for using MalwareBytes on a per-machine basis because someone in legal decided to read their software license agreement; we're a rather large company and they require entities such as ours to obtain/purchase a license per machine (not that we need 10 licenses to be used and then removed from machines post cleanup). After we saw their license requirements we basically told them to get lost and went with Microsoft Safety Scanner as our go-to automated scanning tool, with a few other freeware applications thrown in for good measure. We have a contract with Microsoft so most of their software is at our fingertips.

Erwin
Feb 17, 2006

Is there any good corporate antivirus out there with a decent management interface? SEP has a usable management interface (though not great), but the general consensus is that it's not very effective in mitigating viruses. MS Forefront requires SCCM, which is annoying. Any other choices?

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Erwin posted:

Is there any good corporate antivirus out there with a decent management interface? SEP has a usable management interface (though not great), but the general consensus is that it's not very effective in mitigating viruses. MS Forefront requires SCCM, which is annoying. Any other choices?

It's kind of a religious question for some, but I was okay with the KAV install I was running for about 150 workstations. Seemed pretty straightforward; just make sure your network infrastructure is under control. I had a few workstations that would go 'OUT OF CONTROL!!' (in KAV's charming parlance) because of IP conflicts, VLAN fuckups, etc.

bbcisdabomb
Jan 15, 2008

SHEESH
At my shop we've been using Symantec Endpoint for our clients, who are generally small businesses who can't afford their own IT. Problem is, SEP is utter poo poo and has started conflicting with Backup Exec, of all things. Long story short, we need (I want) a new AV with a good management console and not too many costs.

How's Forefront? I can get a free license through my .edu email account for testing, but I wanted to know what other people thought of it.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
We're going to be evaluating Forefront in the upcoming weeks; if no one else has any additional information I'll try and provide you a write-up on my experience with it.

Right now we're using McAfee, I know it gets a bad rap but to be honest it hasn't been that bad to me. The management console is solid we manage about 8000+ machines off of it running various versions of Virus Scan Enterprise. You can modify policies on all machines or just a group of machines without impacting the rest of your organization. It does a pretty good job of keeping track of compliance and audit information (for those of you who have to deal with that poo poo.) It is kind of on the expensive side though from what I recall during our contract renewal but then again your experience may vary in terms of price and also based on support you want to receive from them.

Maniaman
Mar 3, 2006
I do IT work for a small organization with about 30 PCs. I set them up with ESET NOD32. The server console isn't the greatest, but it works and so far hasn't conflicted with anything. I've only had 2 computers that needed viruses cleaned from them that the real-time protection didn't catch. They don't have any other filtering methods, and people love to try downloading fun new toolbars.

Serfer
Mar 10, 2003

The piss tape is real



So it turns out the infection that I was talking about above was identified as Alureon.E, and had infected the MBR. FixTDSS fixed it in just a single reboot.

PS, we run Forefront here.

Erwin
Feb 17, 2006

Serfer posted:

PS, we run Forefront here.

Do you have to buy SCCM in addition to Forefront, or is it included? The demo video seems to imply that you add Forefront to your existing SCCM server, like people actually have SCCM servers or something.

Serfer posted:

You add it to your existing SCCM

Heh, sure, my existing SCCM :smuggo:

Erwin fucked around with this message at 03:08 on Nov 22, 2011

Serfer
Mar 10, 2003

The piss tape is real



Erwin posted:

Do you have to buy SCCM in addition to Forefront, or is it included? The demo video seems to imply that you add Forefront to your existing SCCM server, like people actually have SCCM servers or something.

You add it to your existing SCCM, it doesn't come as a part of it. Although you can mostly manage it without SCCM (with group policy), you just can't do some enforcement (force it on, get reports on it, etc).

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers

ZeroAccess using old tricks to infect machines. The method in the article is using a legit signed installer + a malicious DLL located in the directory where the executable is placed because LoadLibrary() looks in the current directory for DLL files it needs before looking elsewhere.

edit: Well, speak of the devil, just found a live sample of it on one of the machines in our environment. Virus Total as usual is down and being useless so I can't see what the detections look like on it, but that McAfee article is full of poo poo: the DLL file is not detected as malware by their software. It is also about 100KB larger than the original that exists in C:\Windows\System32.

edit2:
http://www.virustotal.com/file-scan/report.html?id=cfca3aefa86d3260e68b8f2307707bd26c61bac36a5f6b0a06f885edd625cf6d-1322003773
Virus total results: 0/43 0% detections. No one knows this DLL is malicious at the moment. Sending it off to McAfee and various other vendors so hopefully it'll be added to their definitions.

Hex Darkstar fucked around with this message at 00:49 on Nov 23, 2011
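The post above describes a signed installer loading a look-alike DLL from its own directory ahead of the real one in System32, with the planted copy noticeably larger than the original. A quick way to triage a suspicious installer folder for that pattern is to list every DLL in it that shares a name with a system DLL and compare size and hash. The script below is an added example (not from the McAfee article or the post); the directory tree it scans is constructed in a temp directory with placeholder DLL names so it runs anywhere, and on a real Windows host you would point `app_dir` at the installer's folder and `system_dir` at C:\Windows\System32.

```python
"""Find DLLs in an application directory that shadow a same-named DLL in a
reference system directory (the search-order situation the post describes).

Added example. The directory layout built by build_demo_tree() is constructed
with placeholder names; nothing here is copied from a real malware sample."""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class ShadowedDll:
    name: str
    app_size: int
    system_size: int
    same_content: bool


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowed_dlls(app_dir, system_dir):
    """Return every *.dll in app_dir whose name also exists in system_dir.
    LoadLibrary resolves the application-directory copy first, so any copy
    whose content differs from the system one is the case to investigate."""
    app_dir, system_dir = Path(app_dir), Path(system_dir)
    system_names = {p.name.lower(): p for p in system_dir.glob("*.dll")}
    findings = []
    for dll in sorted(app_dir.glob("*.dll")):
        ref = system_names.get(dll.name.lower())
        if ref is None:
            continue  # not a system DLL name; outside this check's scope
        findings.append(ShadowedDll(
            name=dll.name,
            app_size=dll.stat().st_size,
            system_size=ref.stat().st_size,
            same_content=_sha256(dll) == _sha256(ref),
        ))
    return findings


def suspicious(findings):
    """Only the shadowing copies whose bytes differ from the system copy;
    an identical redistributed DLL is noise, a different one is a finding."""
    return [f for f in findings if not f.same_content]


def build_demo_tree():
    """Constructed layout (placeholder names): a fake System32 with two DLLs
    and an installer folder carrying one identical redistributed copy and
    one look-alike that is 100 KB larger, mirroring the size gap in the post."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "System32"
    app = root / "installer"
    sys32.mkdir()
    app.mkdir()
    original = b"constructed contents of the real helper.dll"
    (sys32 / "helper.dll").write_bytes(original)
    (sys32 / "common.dll").write_bytes(b"constructed contents of common.dll")
    (app / "common.dll").write_bytes(b"constructed contents of common.dll")  # benign copy
    (app / "helper.dll").write_bytes(b"X" * (len(original) + 100 * 1024))   # planted look-alike
    (app / "setup.exe").write_bytes(b"MZ placeholder installer stub")
    return app, sys32


if __name__ == "__main__":
    app, sys32 = build_demo_tree()
    for f in suspicious(find_shadowed_dlls(app, sys32)):
        print(f"{f.name}: app copy {f.app_size} bytes, system copy {f.system_size} bytes, content differs")
```

The hash comparison is what matters; a size match alone is not a clean bill of health, and a signed installer next to an unsigned DLL with a system name is worth a second look even when the vendor's scanner is quiet, as it was in the post.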

bbcisdabomb
Jan 15, 2008

SHEESH
Thanks for the responses about antivirus solutions, all. We tried the ESET solution and the guy doing the demo hated how clunky it was to use. I guess I'll try a trial of McAfee and Forefront and we'll see how that goes.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Thought you guys might get a kick out of this, check out the sweet sweet command and control interface for the Black Hole/ZeroAccess kit:
http://isc.sans.edu/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079

It's kind of sad someone put that much work into something that is basically burgling people's computer resources.

RichieWolk
Jun 4, 2004

FUCK UNIONS

UNIONS R4 DRUNKS

FUCK YOU
Holy poo poo that control panel :swoon:

PUBLIC TOILET
Jun 13, 2009

Scaramouche posted:

Thought you guys might get a kick out of this, check out the sweet sweet command and control interface for the Black Hole/ZeroAccess kit:
http://isc.sans.edu/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079

It's kind of sad someone put that much work into something that is basically burgling people's computer resources.

I guess the Russians are handing briefcases full of money to programmers these days. I feel like a lot of development went into that interface.

gruvmeister
Dec 28, 2006

Spring has sprung,
The grass has riz,
I wonder where the flowers is

COCKMOUTH.GIF posted:

I guess the Russians are handing briefcases full of money to programmers these days. I feel like a lot of development went into that interface.

Talent goes where the money is. I've been tempted myself a few times, the pull of the dark side is strong when you're poor.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

There's also a relatively large contingent of in-house talent as well. A lot of them are self-educated, but there's actually a pretty good number of Russian programmers/hackers. In the last 5 years alone I've worked with at least 4 (for legitimate stuff), which is the second largest number after Persians. The IT department I used to manage had 8 people plus me; I was the only one born in North America.

TLG James
Jun 5, 2000

Questing ain't easy
I haven't had a virus in years and I ended up with that fake Win 7 2011 antivirus poo poo today. gently caress is that crap annoying to fix. The scariest reboot ever is the one after you think you fixed it.

xov
Nov 14, 2005

DNA Ts. Rednum or F. Raf

TLG James posted:

I haven't had a virus in years and I ended up with that fake Win 7 2011 antivirus poo poo today. gently caress is that crap annoying to fix. The scariest reboot ever is the one after you think you fixed it.

This is more for personal reference than anything, but were you running the latest versions of Flash, Adobe Reader, AND Java (r29 is current for 6.x) at the time of the breach? Also, which browser were you running, and were you running any adblocking extensions?

Were you able to isolate the action that originally infected you?

xov
Nov 14, 2005

DNA Ts. Rednum or F. Raf
Double-posting due to a complete subject 180.

I got to clean the lovely Morto worm off of one of our clients' terminal servers (2003) today. Guess how it got on there? Back in two thousand and loving NINE someone created a generic account on the server that had a password the same as the username and gave it domain admin level access. Being able to take care of poo poo like that without putting my fist through someone should earn me a raise.

My job involves me walking along behind my engineers with a dustpan (my official title is just 'help desk' but I probably spend 80% of my time performing Sr. Server Administrator duties) and getting poo poo usable again until we can get someone on site to fix the details. For that alone I think I should ask for more money. Tomorrow I'm drafting an email about the importance of auditing AD userlists and most loving importantly the Domain Admins group.

It's also time that external port 3389 is sealed loving shut on every god damned one of our firewalls. There's no excuse for any of this, but the only way it's going to happen is if I beat it into 40+ engineers one at a time.

Amusing that I'm still peppered up about this having last dealt with it more than five hours ago.
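The Morto case above is the textbook shape of an RDP compromise: port 3389 reachable from outside, a guessable password, and the account sitting in Domain Admins. The first two leave a trail in the Security log well before cleanup time, as a run of failed logons (event 4625, logon type 10) from one address followed by a success (4624). The following detection is an added example, not from the post; the log lines are constructed, in a simplified key=value rendering whose field names match the Windows event schema but whose line format does not, so point a real run at an exported event log through your own parser.

```python
"""Flag RDP password guessing from (constructed) Windows Security log lines:
a burst of failed RemoteInteractive logons from one source, and whether a
successful logon from that source followed the burst.

Added example; the SAMPLE_LOG lines are constructed and use documentation
IP ranges, not a real capture."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2011-12-04T22:10:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2011-12-04T22:10:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2011-12-04T22:10:03Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2011-12-04T22:10:04Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2011-12-04T22:10:05Z EventID=4625 LogonType=10 TargetUserName=support IpAddress=203.0.113.7
2011-12-04T22:10:06Z EventID=4624 LogonType=10 TargetUserName=support IpAddress=203.0.113.7
2011-12-04T22:11:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2011-12-04T22:40:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2011-12-04T22:41:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2011-12-04T22:12:00Z EventID=4625 LogonType=2 TargetUserName=console IpAddress=-
"""


def parse_line(line):
    """'<iso-timestamp> key=value key=value ...' -> dict with a parsed time."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: report} for sources with at least `threshold` failed
    RDP logons (LogonType 10, event 4625) inside `window`. The report records
    the usernames tried and the first account that logged on successfully
    after the burst, which is the case to treat as a live compromise."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r["time"],
    )
    failures = defaultdict(list)
    successes = defaultdict(list)
    for rec in events:
        if rec.get("LogonType") != "10":
            continue  # console/service logons are out of scope here
        if rec["EventID"] == "4625":
            failures[rec["IpAddress"]].append(rec)
        elif rec["EventID"] == "4624":
            successes[rec["IpAddress"]].append(rec)

    alerts = {}
    for ip, fails in failures.items():
        # fails is time-ordered, so each window is a contiguous slice
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["time"] - fails[i]["time"] <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1]["time"]
                followed = [s for s in successes[ip] if s["time"] >= burst_end]
                alerts[ip] = {
                    "failed_attempts": len(burst),
                    "usernames_tried": sorted({f["TargetUserName"] for f in burst}),
                    "success_after_burst": followed[0]["TargetUserName"] if followed else None,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, report in detect_rdp_guessing(SAMPLE_LOG).items():
        print(ip, report)
```

The second source in the sample (two failures half an hour apart, then a success) is what a user mistyping a password looks like and is correctly left alone; the threshold and window are the knobs to tune against your own baseline. The third thing the post calls out, auditing Domain Admins membership, is a separate periodic check rather than a log signature.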

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Most fake AV installs I see lately target out of date Java installs. We have to keep old versions available because the app developers for certain web apps don't feel like updating their application to work properly with newer versions of java :psyduck:

edit: to clarify, when I clean machines that get hit by a fake AV I often find Java cached files that are marked as trojan downloaders, etc.

xov
Nov 14, 2005

DNA Ts. Rednum or F. Raf

Hex Darkstar posted:

Most fake AV installs I see lately target out of date Java installs. We have to keep old versions available because the app developers for certain web apps don't feel like updating their application to work properly with newer versions of java :psyduck:


I got a ticket about that a week or two ago. The kicker: the offending app was from a BANK. Of all institutions to be behind the security curve. :psyduck: (I am well aware of how naive I am when it comes to how hilariously outdated some poo poo for huge companies is.)

Also, on a bunch of machines with nothing in common, the Java updater refuses to install from the systray icon, but if you go into Control Panel and to the update tab, it runs fine from there.

It also is not cool that most malware these days includes rootkits as default behavior.

IEatBabies
Sep 17, 2004
Secunia PSI is flagging Java included with the CrashPlan client and a couple of Steam games out of date. I don't otherwise have Java installed, so what's the best thing to do? It defeats the purpose to always have a non-green tray icon, but I'm not sure I should set an ignore rule.

FallenGod
May 23, 2002

Unite, Afro Warriors!

IEatBabies posted:

Secunia PSI is flagging Java included with the CrashPlan client and a couple of Steam games out of date. I don't otherwise have Java installed, so what's the best thing to do? It defeats the purpose to always have a non-green tray icon, but I'm not sure I should set an ignore rule.

Just run it once a week or so and ignore things like that if you know they aren't an issue. There isn't any reason to run it all the time, especially if you don't have stuff like java installed anyway.

Remulak
Jun 8, 2001
I can't count to four.
Yams Fan

xov posted:

This is more for personal reference than anything, but were you running the latest versions of Flash, Adobe Reader, AND Java (r29 is current for 6.x) at the time of the breach? Also, which browser were you running, and were you running any adblocking extensions?

Were you able to isolate the action that originally infected you?
Vista 2011 hosed up my wife's computer and my weekend. Looks like it started with Java, which was out of date. I *think* that updating Java was part of the final fix but I'm not sure.

I don't know how this poo poo isn't running rife on work's network, as our *incredibly* expensive [unmentioned large ERP installation] requires an obsolete version of Java.

TLG James
Jun 5, 2000

Questing ain't easy

xov posted:

This is more for personal reference than anything, but were you running the latest versions of Flash, Adobe Reader, AND Java (r29 is current for 6.x) at the time of the breach? Also, which browser were you running, and were you running any adblocking extensions?

Were you able to isolate the action that originally infected you?

Well apparently I'm still running r26 for java... I updated that uhhh right now.

I'm glad I went back to this thread. I did a full scan with malwarebytes and I had another fake antivirus going on, although this time I didn't accidentally click yes on my loving firewall program.

I always run the most updated firefox and I run adblock on pretty much everywhere that isn't here.

Still have no idea what infected me. I think I'm clean now though.

TLG James fucked around with this message at 04:56 on Dec 5, 2011

Armourking
Dec 16, 2004

Step off!
Step off!


TLG James posted:

Well apparently I'm still running r26 for java... I updated that uhhh right now.

I'm glad I went back to this thread. I did a full scan with malwarebytes and I had another fake antivirus going on, although this time I didn't accidentally click yes on my loving firewall program.

I always run the most updated firefox and I run adblock on pretty much everywhere that isn't here.

Still have no idea what infected me. I think I'm clean now though.
Honestly, the need to have Java is pretty loving minimal. Unless you have some specific need for it, get rid of it. Just flat out uninstall it.
Also, run NoScript for Firefox. It's annoying for a while to white list websites, but the thing doesn't let any scripts run. Which preemptively closes so many security holes.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Armourking posted:

Honestly, the need to have Java is pretty loving minimal. Unless you have some specific need for it, get rid of it. Just flat out uninstall it.
Also, run NoScript for Firefox. It's annoying for a while to white list websites, but the thing doesn't let any scripts run. Which preemptively closes so many security holes.

I love NoScript; it probably lowers your attack surface more than AdBlock (run both gently caress). I agree it takes several weeks to set up your whitelist but after that it mostly runs without you noticing (until you need it for a new site).

You aren't 100% safe, you really can't be if you want an internet connection because there is always some bug to be exploited. Careful web surfing, AdBlock and NoScript will make you immune to most poo poo out there though and you'll likely never need your virus scanner (but seriously you still need one don't be retarded). You have a ton of poo poo that automatically updates, who's to say windows update can't be hacked and install a key logger? (this is so unlikely, and the fall out from this would be insane.)

e: Why can't I have an option to automatically download Java updates and install them when I close firefox? Every other program on my computer updates without my intervention, thanks to steam my games update while I'm in class or asleep. Obviously this would have to be an option because you can't have company computers doing this poo poo on their own, but seriously make it easy for the end user. I think it would actually help a ton of people. I run into family running versions of Java that are over a year old because "There is always an update so I never bother to update".

pixaal fucked around with this message at 06:45 on Dec 5, 2011

Armourking
Dec 16, 2004

Step off!
Step off!


pixaal posted:

I run into family running versions of Java that are over a year old because "There is always an update so I never bother to update".
This is when you script a silent Ninite-with-Flash/Java executable to run on startup.

pigdog
Apr 23, 2004

by Smythe
Noscript is frankly dumb; the Internet of 2011 very much presumes the presence of Javascript / JQuery. Besides, Noscript is shittily coded trash that caused me problems rendering certain pages even with the addon completely disabled.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Little bit old, but starting last Thursday (Dec 1st) a large amount of SQL injection attacks are (were?) taking place against unpatched SQL servers. Looks like MSSQL, IIS and ASP.Net are being listed, with a mention of Coldfusion users.

Blocking hXXp://lilupophilupop.com might be a good idea if you have some form of content filtering in place.

http://isc.sans.edu/diary.html?storyid=12127
http://www.scmagazineus.com/new-mass-sql-injection-attack-could-be-forming/article/218069/
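Blocking the domain helps with the payload the campaign above delivers, but the hole it walks through is the application building SQL out of request strings. The snippet below is an added example (not from the post or the linked advisories) showing the two forms side by side on a product search: the concatenated query lets a crafted search term rewrite the WHERE clause, the parameterized one treats the same input as an ordinary string. SQLite's in-memory database stands in for the MSSQL back end the campaign targeted; the table and rows are constructed.

```python
"""Vulnerable string-built query beside its parameterized form.

Added example. sqlite3 is used as a stand-in for MSSQL so it runs offline;
the parameter-binding pattern is the same with any DB-API or ADO.NET driver."""
import sqlite3


def make_db():
    """Constructed catalogue: two public rows and one internal row that a
    correct search must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, internal) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("prototype-x", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    """The request string is pasted into the SQL text, so quote characters
    and comment markers in `term` become part of the query's grammar."""
    sql = (
        "SELECT name FROM products WHERE internal = 0 "
        "AND name LIKE '%" + term + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The SQL text is fixed; the driver binds `term` as a value, so whatever
    it contains can only ever be compared against the name column."""
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed test input: closes the string literal, appends a condition that
# is always true, and comments out the trailing quote. Against the concatenated
# query the AND/OR precedence makes the internal-only filter irrelevant.
INJECTED_INPUT = "x' OR 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", search_vulnerable(conn, INJECTED_INPUT))
    print("parameterized:", search_parameterized(conn, INJECTED_INPUT))
```

With the concatenated form the internal row leaks along with everything else; with the bound parameter the same input simply matches nothing. The fix is the same whether the front end is ASP.NET, ColdFusion or anything else: never let request data become SQL text.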

Hypnolobster
Apr 12, 2007

What this sausage party needs is a big dollop of ketchup! Too bad I didn't make any. :(

I had that Win 7 Security bullshit to remove off of a relative's computer.

I got into safe mode, turned off everything I could find and downloaded Combofix, ran it, it restarted and did a bunch of things and now the computer appears to be fixed.



I think I'm in love.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

pixaal posted:

e: Why can't I have an option to automatically download Java updates and install them when I close firefox? Every other program on my computer updates without my intervention, thanks to steam my games update while I'm in class or asleep. Obviously this would have to be an option because you can't have company computers doing this poo poo on their own, but seriously make it easy for the end user. I think it would actually help a ton of people. I run into family running versions of Java that are over a year old because "There is always an update so I never bother to update".

Because guys like me who used to maintain 1000+ user java applications would poo poo down the internet into Sun/Oracle's throat once a version specific intranet app got broken by auto-updating.

Daeno
May 29, 2007

Found you have to go alone

pigdog posted:

Noscript is frankly dumb, the Internet of 2011 very much presumes the presence of Javascript / JQuery. Besides, Noscript is a shittily coded trash that caused me problems rendering certain pages even with the addon completely disabled.

Yeah, but with a whitelist unless you are visiting 30+ new webpages every day it's not such a big deal.

If I run into a site that won't work no matter how much I fiddle with Noscript or Adblock or whatever, I just load it up in Chrome. Problem solved.


...wait, am I allowed to do that? Or must I pledge allegiance to only one browser at a time ;)

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?
My main beef with NoScript is that it's useless if one of the servers you've whitelisted is compromised.

Technogeek
Sep 9, 2002

by FactsAreUseless

Mr Chips posted:

My main beef with NoScript is that it's useless if one of the servers you've whitelisted is compromised.

Not necessarily -- most of the compromises I've seen involve malicious scripts/Java applets/whatever that are hosted on separate domains that appear to be created specifically for malware distribution, which NoScript and the like would still block. (Unless you've whitelisted apiehipoeiahbeah.cn or whatever, but why the gently caress would you?)

Oddhair
Mar 21, 2004

I can't suggest NoScript for other people, it's just too much hassle, but I run it alongside AdBlock both at home and at work, along with UAC cranked all the way up and SEHOP enabled. I am one of the few who hasn't ever gotten a drive-by install (we all run as local admin.) We have to use IE for our CRM, but nothing else really requires it. I personally can't stand it under most circumstances, I don't know how anyone can say with a straight face that they don't mind it, but I am terribly impatient with technology.

Agreed
Dec 30, 2003

The price of meat has just gone up, and your old lady has just gone down

My wife cottoned onto Noscript after a single conversation. UAC, too. She understands what they're doing and why the inconvenience is worth it for, generally speaking, not having to worry about security past "don't download strange files from untrusted sites" and "don't open that obviously spam email if for some reason your protection doesn't scrub the exe off it." It must be different in a corporate environment, but learning how to use noscript is pretty easy on an individual level.

Thinking about it, counter-example, there's my father in law, who keeps reinstalling Windows because every time I go over to his house and set his computer up safely, he starts turning stuff off because he's not learning new tricks and noscript is just more than he can handle. :bang: I guess a mixed population of computer literate and "why can't I play the video, this is stupid, turning this crap off --> viruses everywhere" would be pretty hard to manage.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Not that anyone should use CNet to download files to begin with, but it looks like they're packaging legit software with toolbars and changing the default search engine and home page to Bing/MSN.

http://seclists.org/nmap-hackers/2011/5

Someone unpacked the cnet installer and uploaded it to Virus Total; the heuristic scans all recognized that what it tries to do mimics what malware generally tends to try and do. Funny stuff.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

Hex Darkstar posted:

Not that anyone should use CNet to download files to begin with, but it looks like they're packaging legit software with toolbars and changing the default search engine and home page to Bing/MSN.

http://seclists.org/nmap-hackers/2011/5

Someone unpacked the cnet installer and uploaded it to Virus Total; the heuristic scans all recognized that what it tries to do mimics what malware generally tends to try and do. Funny stuff.

Webroot used to bundle Ask toolbar with Spy Sweeper. Yeah.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Looks like it'll be time to patch Adobe Reader in the near future if you're running 9.X; they're not patching Reader 10 until the quarterly patch because the built-in security in that version will supposedly prevent it from taking place:

https://www.adobe.com/support/security/advisories/apsa11-04.html
CVE-2011-2462
