MSE's heuristics & Scareware


  1. Posts : 10,485
    W7 Pro SP1 64bit
       #1

    MSE's heuristics & Scareware


    I've installed MSE on a number of systems over the years and I'm not looking for alternatives (yet). Every system also has Malwarebytes (free) installed.

    I do realize that malware changes often enough so that signature based AV tools have a hard time keeping up... but I wish that MSE's heuristic algorithms would catch more of these annoying scareware things.


    I got a text message this morning from a friend that I do computer support for. They could not "go online". Fortunately, their computer (W7-Pro-SP1-64bit) was online and TeamViewer let me connect/clean the computer.

    I snagged a copy of the exe that was infecting the computer and submitted it to virustotal.com. VT told me that the file had already been scanned yesterday (20 April 2012) - MSE was not one of the 7/42 tools that found the exe to be bad in yesterday's report. I then had VT rescan the exe and 17 of 42 tools find the file to be bad... again MSE is not one of them. I uploaded the exe to Microsoft's sample submission website, but this is getting old. I've done this quite a few times over the years.

    This particular scareware app was not that hard to clean; rkill as a screensaver was not blocked by it.

    I added mlin's StartupMonitor to this computer and explained to the user how to use it; only time will tell if that monitor helps them. (The user is admin and uses the computer that way.)

    Now for the reason for my post (other than general purpose venting):
    What other prevention methods do you use with somewhat clueless users?
    Do you try and teach them how to use the computer as a non-admin?


    BTW, here is what the fake-av tool looks like in a fully patched, frozen, W7-Pro-SP1-32bit virtual machine that has no shared network connection to the host, is on its own isolated subnet for WAN traffic and is behind a NAT from the host's NIC.

    Notice that it programmatically turns off the User Account Control - prompting the OS to ask for a restart... Also notice that MSE's service is disabled.


    And after the restart - MSE's service is still not running and MSE does not start:


    I would think that MSE's heuristics should kick in. It should baulk at a program turning off UAC or, at the very least, not let a program disable its service.

    The user in the video is an admin.
    Last edited by UsernameIssues; 21 Apr 2012 at 13:22. Reason: added SP1 to the computers' info
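    A defender-side check for the two symptoms the screenshots above show (UAC switched off, MSE's service stopped or disabled) plus the admin-session question raised in the post. This is an added PowerShell example, not code from the thread or any of its participants; it assumes MSE's service name is MsMpSvc and reads the standard EnableLUA policy value.

```powershell
# Added example (not from the thread): a quick post-incident / periodic health check
# for the symptoms described in post #1 - UAC turned off and the MSE service
# stopped or disabled - plus whether the current session holds admin rights.
# Assumed identifiers: MSE's service name "MsMpSvc" (Microsoft Antimalware Service)
# and the UAC policy value EnableLUA under the standard Policies\System key.
# Written for PowerShell 2.0 (Windows 7), so start mode is read via WMI.

$uacKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$mseService = 'MsMpSvc'

function Get-UacState {
    $v = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Unknown' }
    if ($v.EnableLUA -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-ServiceHealth([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return @{ Present = $false } }
    # Get-Service (PS 2.0) has no start type; Win32_Service exposes StartMode.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    @{ Present = $true; Status = $svc.Status; StartMode = $wmi.StartMode }
}

function Test-ElevatedSession {
    # True when this process token carries Administrators; with UAC on that means
    # an elevated prompt, with UAC off (as the scareware left it) it means every
    # process of an admin user runs with full rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$findings = @()
$uac = Get-UacState
if ($uac -ne 'Enabled') { $findings += "UAC is $uac (EnableLUA is not 1)" }

$mse = Get-ServiceHealth $mseService
if (-not $mse.Present) {
    $findings += "$mseService is not installed"
} elseif ($mse.StartMode -eq 'Disabled' -or $mse.Status -ne 'Running') {
    $findings += "$mseService is $($mse.Status), start mode $($mse.StartMode)"
}

if (Test-ElevatedSession) { $findings += 'Current session runs with administrator rights' }

if ($findings.Count -eq 0) { 'OK: UAC on, MSE service running, non-admin session' }
else { $findings | ForEach-Object { "WARN: $_" } }
```

    Reading HKLM and querying service state need no elevation, so the check can run from a standard-user account, which is also the account type the post wonders about giving to such users.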


  2. Posts : 78
    win 7 64
       #2

    Sandboxie is your friend


  3. Posts : 10,485
    W7 Pro SP1 64bit
    Thread Starter
       #3

    elstupido said:
    Sandboxie is your friend
    Thx for your reply.

    Are you suggesting that I learn how to use Sandboxie and then teach somewhat clueless users how to use it too? Have you succeeded in setting Sandboxie up for a pair of 80 year old users?

    This is from my first time of playing with an unregistered copy:

    MSE's heuristics & Scareware-app-crash-sandboxie.jpg
    I think that I know why it happened, but.....

