
Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.

  • Hello cruzdre,

    Suggestions/Solutions?

    Your description is rather general and without details one can give only general replies - which probably won't help you much. With OpenDNS and multiple layers of security in place it's strange that you get an apparently significant amount of malware (and obviously not only the "latest"). Sounds more like there are other avenues for it to get in.

    Sophos detects it far too late and there's nothing Sophos can do to remove it

    While a certain piece of malware might call itself Windows Security Suite it likely comes in different versions (even though from a user's POV they might look and act identical), keeps changing and also gets in by different methods - to repeat some points from my posts in this thread:

    Most malware (including rootkit components) can be successfully removed by Sophos once it has been identified. Sometimes it is necessary that a specific IDE is issued by the labs, therefore it is important to send in samples. Usually it takes a very few hours until an update is available, so trying to get rid of it in the meantime (unless you are familiar with the process) is not worth the effort (moreover, trying to analyze it on your own instead of submitting a sample will be counterproductive).

    In most cases there's at least a general detection of at least one component (Download scanning, HIPS/SUS and Live Protection increase the likelihood of at least partial detection - but of course Alert only won't help).

    Limited rights are not a cure-all, but allowing only Users most of the time restricts an infection to the user's account only and does not affect the computer.

    Last but not least, try to determine the source - it's not that "all the Internet" is full of threats. As in real life there are places you (or your users) better not visit if you want to stay clear of threats. Also it helps to be wary of top search results as well as "install this" or "update that" instructions on webpages and pop-ups.

    If you could post a detailed course of events (together with the policy settings used) for a specific case there'd be a better chance to get a precise answer.

    Christian
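The "limited rights" point in the reply above can be checked per machine rather than assumed. The following PowerShell script is an added example, not code from this thread or from Sophos: it lists every member of the local Administrators group that is not on an expected list, so that such accounts can be moved back to the Users group. The entries in $Expected are placeholders that must be replaced with the accounts and domain groups that are actually meant to hold admin rights in your environment; the script assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module.

```powershell
# Added example (not from the thread): audit who holds local administrator rights on a workstation.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember from the built-in LocalAccounts module).
# $Expected holds placeholder principals; replace them with the accounts/groups you actually allow.

$Expected = @(
    "$env:COMPUTERNAME\Administrator",   # the built-in local admin account on this machine
    'CONTOSO\Domain Admins'              # placeholder domain group; use your own domain and group name
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $Expected)

    # Members are returned as DOMAIN\name or COMPUTER\name; anything not on the allow list is reported.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Warning "Accounts with local admin rights that should probably be standard users:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Only the expected accounts hold local administrator rights on $env:COMPUTERNAME."
}
```

Run it on a handful of the machines that keep getting reinfected: if ordinary user accounts show up in the output, the infection is not being confined to the user's profile the way the reply describes, and demoting those accounts to Users is the first fix to apply.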