21 Apr 2012, post #1
MSE's heuristics & Scareware
I've installed MSE on a number of systems over the years and I'm not looking for alternatives (yet). Every system also has Malwarebytes (free) installed.
I do realize that malware changes often enough so that signature based AV tools have a hard time keeping up... but I wish that MSE's heuristic algorithms would catch more of these annoying scareware things.
I got a text message this morning from a friend that I do computer support for. They could not "go online". Fortunately, their computer (Windows 7-Pro-SP1-64bit) was online and TeamViewer let me connect/clean the computer.
I snagged a copy of the exe that was infecting the computer and submitted it to virustotal.com. VT told me that the file had already been scanned yesterday (20 April 2012) - MSE was not one of the 7/42 tools that found the exe to be bad in yesterday's report. I then had VT rescan the exe and 17 of 42 tools found the file to be bad... again MSE is not one of them. I uploaded the exe to Microsoft's sample submission website, but this is getting old. I've done this quite a few times over the years.
This particular scareware app was not that hard to clean, rkill as a screensaver was not blocked by it.
I added mlin's StartupMonitor to this computer and explained to the user how to use it; only time will tell if that monitor helps them. (The user is admin and uses the computer that way.)
Now for the reason for my post (other than general purpose venting):
What other prevention methods do you use with somewhat clueless users?
Do you try and teach them how to use the computer as a non-admin?
BTW, here is what the fake-av tool looks like in a fully patched, frozen, Windows 7-Pro-SP1-32bit virtual machine that has no shared network connection to the host, is on its own isolated subnet for WAN traffic and is behind a NAT from the host's NIC.
Notice that it programmatically turns off the User Account Control - prompting the OS to ask for a restart... Also notice that MSE's service is disabled.
And after the restart - MSE's service is still not running and MSE does not start:
I would think that MSE's heuristics should kick in. It should at least baulk at a program turning off UAC or, at the very least, not let a program disable its service.
The user in the video is an admin.
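The two symptoms described in the post above (UAC switched off from a program, MSE's service stopped and left disabled) can be checked for on a schedule rather than waiting for the user to notice. The script below is an added example, not code from the original thread, from Microsoft or from the StartupMonitor author. It assumes that UAC is controlled by the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, that MSE's engine runs as the Windows service named MsMpSvc, and it keeps a baseline of the Run-key autostart entries at a path of my own choosing so that new or changed entries are reported the way a startup monitor would.

```powershell
# Tamper check for the symptoms described in the post: UAC turned off by policy,
# MSE's service stopped/disabled, and new autostart entries under the Run keys.
# Added example, not from the original thread. Assumptions (labelled):
#   - UAC state is the EnableLUA DWORD under Policies\System (1 = on, 0 = off)
#   - MSE runs as the service 'MsMpSvc'
#   - $BaselinePath is an arbitrary location chosen for this example
param(
    [string]$BaselinePath = "$env:ProgramData\tamper-baseline.xml",
    [switch]$UpdateBaseline
)

$UacKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$MseServiceName = 'MsMpSvc'   # assumption: MSE antimalware service name
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-UacEnabled {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    # A missing value means the OS default, which is UAC on.
    if ($p -eq $null -or $p.EnableLUA -eq $null) { return $true }
    return ([int]$p.EnableLUA -ne 0)
}

function Get-ServiceState([string]$Name) {
    # Win32_Service exposes StartMode on PowerShell 2.0 (Windows 7); Get-Service does not.
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($s -eq $null) { return $null }
    New-Object PSObject -Property @{ Name = $s.Name; State = $s.State; StartMode = $s.StartMode }
}

function Get-RunEntries {
    # Returns a hashtable of "<key>\<value name>" -> command line for every Run entry.
    $entries = @{}
    foreach ($key in $RunKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -eq $null) { continue }
        foreach ($prop in $p.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $entries["$key\$($prop.Name)"] = [string]$prop.Value
        }
    }
    return $entries
}

$findings = @()

if (-not (Test-UacEnabled)) {
    $findings += "UAC is off: EnableLUA = 0 under $UacKey"
}

$mse = Get-ServiceState $MseServiceName
if ($mse -eq $null) {
    $findings += "Service $MseServiceName is not present"
} elseif ($mse.StartMode -eq 'Disabled' -or $mse.State -ne 'Running') {
    $findings += "Service $MseServiceName is $($mse.State), start mode $($mse.StartMode)"
}

$current = Get-RunEntries
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) autostart entries)"
} else {
    $baseline = Import-Clixml -Path $BaselinePath
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) {
            $findings += "New autostart entry: $k = $($current[$k])"
        } elseif ($baseline[$k] -ne $current[$k]) {
            $findings += "Changed autostart entry: $k = $($current[$k])"
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No tampering indicators found'; exit 0 }
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it once on a clean machine to write the baseline, then schedule it (a Scheduled Task running at logon is enough) so that a non-zero exit code or the warnings it prints can be picked up by whoever supports the user; the point is that a disabled EnableLUA or a stopped MsMpSvc is visible to the support person without the user having to recognise the fake AV screen.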
22 Apr 2012, post #3
Are you suggesting that I learn how to use Sandboxie and then teach somewhat clueless users how to use it too? Have you succeeded in setting Sandboxie up for a pair of 80 year old users?
This is from my first time of playing with an unregistered copy:
I think that I know why it happened, but.....