
Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.

  • Had another undetected FakeAV just these days.

    Although they employ similar mechanisms and can easily be spotted by a human, I assume their behaviour is not easily distinguishable from that of legitimate software, and therefore even HIPS doesn't always catch them. As these threats are convincing but otherwise not too sophisticated, how "deep" they can dig in depends on the user's rights.

    Usually users can't (or don't want to) tell you which site they visited and what they did before they noticed they couldn't get rid of it. So I can't say whether infection can be completely avoided once you've opened a "contaminated" webpage. Even if it doesn't catch all threats, HIPS can significantly reduce the risk, as can Web Protection.

    I can only repeat that it is important to send in a sample when "something" has slipped in, as obviously rather specific entities are necessary to reliably detect these threats. Unless the FakeAV did replace some system file or registry key (the dozen or so I inspected more closely did not and "only" added files, registry keys/values and shortcuts), it can be completely cleaned up by the usual methods.

    Christian

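As an added example (not from the thread, and not a Sophos tool), a PowerShell triage script that lists the per-user autostart entries such a FakeAV typically leaves behind, assuming the malware ran with ordinary user rights and persisted via HKCU Run keys or Startup-folder shortcuts, so the added files and registry values can be located before the usual cleanup:

```powershell
# Added example, not from the thread: list per-user autostart entries
# (HKCU Run/RunOnce values and Startup-folder shortcuts) and flag those
# whose target lives under the user profile, i.e. a location a process
# with plain user rights could write to. It only reports; nothing is removed.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$profileDir = $env:USERPROFILE
$startupDir = [Environment]::GetFolderPath('Startup')

function Resolve-Target([string]$cmd) {
    # Reduce a command line to its executable path (quoted path or first token)
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function New-Finding([string]$Source, [string]$Name, [string]$Target) {
    $exe = Resolve-Target $Target
    $ageDays = if ($exe -and (Test-Path -LiteralPath $exe)) {
        [int]((Get-Date) - (Get-Item -LiteralPath $exe).CreationTime).TotalDays
    } else { $null }   # target missing: dangling entry, also worth a look
    [pscustomobject]@{
        Source      = $Source
        Name        = $Name
        Target      = $exe
        InProfile   = ($exe -like "$profileDir*")  # user-writable location
        FileAgeDays = $ageDays                     # very new binaries stand out
    }
}

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip provider metadata
        New-Finding -Source $key -Name $p.Name -Target $p.Value
    }
})
$shell = New-Object -ComObject WScript.Shell
$findings += foreach ($lnk in Get-ChildItem -Path $startupDir -Filter *.lnk -ErrorAction SilentlyContinue) {
    New-Finding -Source 'Startup folder' -Name $lnk.Name -Target $shell.CreateShortcut($lnk.FullName).TargetPath
}

# Entries pointing into the profile first; compare against known software before acting
$findings | Sort-Object InProfile -Descending | Format-Table -AutoSize
```

Run it in the affected user's session, since the keys and Startup folder are per-user; anything flagged is a candidate to submit as a sample, not proof of infection on its own.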