Windows 7 Forums
Windows 7: MSE's heuristics & Scareware

21 Apr 2012   #1

W7 Pro SP1 64bit

I've installed MSE on a number of systems over the years and I'm not looking for alternatives (yet). Every system also has Malwarebytes (free) installed.

I do realize that malware changes often enough so that signature based AV tools have a hard time keeping up... but I wish that MSE's heuristic algorithms would catch more of these annoying scareware things.

I got a text message this morning from a friend that I do computer support for. They could not "go online". Fortunately, their computer (W7-Pro-SP1-64bit) was online and TeamViewer let me connect/clean the computer.

I snagged a copy of the exe that was infecting the computer and submitted it to VT. VT told me that the file had already been scanned yesterday (20 April 2012) - MSE was not one of the 7/42 tools that found the exe to be bad in yesterday's report. I then had VT rescan the exe and 17 of 42 tools found the file to be bad... again MSE is not one of them. I uploaded the exe to Microsoft's sample submission website, but this is getting old. I've done this quite a few times over the years.

This particular scareware app was not that hard to clean, rkill as a screensaver was not blocked by it.

I added mlin's StartupMonitor to this computer and explained to the user how to use it; only time will tell if that monitor helps them. (The user is admin and uses the computer that way.)

Now for the reason for my post (other than general purpose venting):
What other prevention methods do you use with somewhat clueless users?
Do you try and teach them how to use the computer as a non-admin?

BTW, here is what the fake-av tool looks like in a fully patched, frozen, W7-Pro-SP1-32bit virtual machine that has no shared network connection to the host, is on its own isolated subnet for WAN traffic and is behind a NAT from the host's NIC.

Notice that it programmatically turns off the User Account Control - prompting the OS to ask for a restart... Also notice that MSE's service is disabled.

And after the restart - MSE's service is still not running and MSE does not start:

I would think that MSE's heuristics should kick in. It should at least baulk at a program turning off UAC or, at the very least, not let a program disable its service.

The user in the video is an admin.
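The post observes three things on the infected box: UAC switched off via the registry, the MSE service stopped and not coming back after a reboot, and an admin user. The following PowerShell script is an added example, not code from the poster or from Microsoft, that checks those same indicators so whoever is on the TeamViewer end can verify them instead of trusting the tray icon. It assumes the MSE antimalware service is registered under the name MsMpSvc, that it runs in an elevated PowerShell 2.0 or later session on Windows 7, and that the path pattern used to flag suspicious Run entries is a heuristic of my own choosing, not anything the post describes.

```powershell
# Added example, not code from the original post. Snapshots the settings the
# fake-AV in the thread tampered with (UAC, the MSE service, autostart keys)
# so a remote helper can verify them instead of trusting the tray icon.
# Assumptions: MSE's antimalware service is registered as 'MsMpSvc'; the
# script runs in an elevated PowerShell 2.0+ session on Windows 7.

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # EnableLUA = 0 switches UAC off entirely; the change only takes effect
    # after a reboot, which is why Windows asked for a restart in the post.
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-AntimalwareServiceState {
    param([string]$Name = 'MsMpSvc')   # assumption: MSE's service name
    # Win32_Service exposes StartMode; Get-Service alone would not show that
    # the scareware set the service to 'Disabled' so it stays dead after reboot.
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $s) { return $null }
    New-Object PSObject -Property @{
        Name = $s.Name; State = $s.State; StartMode = $s.StartMode; Path = $s.PathName
    }
}

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($pr in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... note properties that
            # Get-ItemProperty adds to every result.
            if ($pr.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Key = $k; Name = $pr.Name; Command = $pr.Value }
        }
    }
}

function Test-ScarewareIndicators {
    $findings = @()

    $uac = Get-UacState
    if ($uac.EnableLUA -eq 0) { $findings += 'UAC disabled (EnableLUA=0)' }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'UAC elevates silently for admins (ConsentPromptBehaviorAdmin=0)'
    }

    $svc = Get-AntimalwareServiceState
    if (-not $svc) { $findings += 'MsMpSvc service is not registered' }
    elseif ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
        $findings += "MsMpSvc is $($svc.State), start mode $($svc.StartMode)"
    }

    # Heuristic (my assumption, not from the post): an autostart entry that
    # launches from a user-writable Temp/AppData path is the usual footprint
    # of a fake-AV dropper and deserves a look.
    foreach ($e in Get-RunKeyEntries) {
        if ($e.Command -match '(?i)\\(temp|appdata|application data)\\') {
            $findings += "Autostart from user-writable path: $($e.Name) = $($e.Command)"
        }
    }

    # Daily use as a standard user limits what a dropper can change
    # without triggering a UAC prompt; report if the current user is admin.
    $members = net localgroup Administrators 2>$null
    $me = [regex]::Escape($env:USERNAME)
    if ($members -match "^\s*$me\s*$") {
        $findings += "Current user $env:USERNAME is a local administrator"
    }

    $findings
}

Test-ScarewareIndicators
```

Run it from an elevated prompt before cleaning so the output documents what the scareware changed, and run it again after the reboot to confirm EnableLUA is back to 1 and MsMpSvc is Running with start mode Auto; a dropper that survives the reboot will show up again in the Run-key section.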

22 Apr 2012   #2

win 7 64

Sandboxie is your friend
22 Apr 2012   #3

W7 Pro SP1 64bit

Quote: Originally Posted by elstupido
> Sandboxie is your friend
Thx for your reply.

Are you suggesting that I learn how to use Sandboxie and then teach somewhat clueless users how to use it too? Have you succeeded in setting Sandboxie up for a pair of 80-year-old users?

This is from my first time of playing with an unregistered copy:

[Attached screenshot: app-crash-sandboxie.jpg]
I think that I know why it happened, but.....
