Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.

  • I can only repeat what has been said several times before:
    As FakeAV is very profitable, quite some effort goes into it and it "mutates" at a high rate. Apart from taking advantage of (zero-day) exploits, it uses mechanisms common to software updates and installs. You can catch most of it using an aggressive policy - risking, of course, some more false positives.
    Once you know you are infected you care less about false positives and you can use more offensive rules. That's also true for "new kids on the block" - not too long ago Trend Micro's Housecall was *the* tool to use *after* you'd been hit. AV is neither magic nor Star Trek nor Culture.
    Sophos never failed to clean up FakeAV in the dozen or so cases I've sent in a sample - it just takes a little effort to collect the samples and some patience: four to five hours later the threat is history without any intervention on the client, except for perhaps an additional aggressive full scan you schedule from the console. In one case there was even a rather nasty rootkit component involved - this too didn't survive the updated IDEs.

    As to guinea pigs (mentioned in one of the posts) - this is, forgive me, ridiculous (and no, I am not speaking for Sophos): "Doc, you gave me a shot but even so I've got the flu. And no, I won't give you a blood sample, just do something so it won't happen again!" How do you think you can prevent infections (generally, biological ones too) without any samples?

    Those who think Malwarebytes (or whatever) is superior - why don't you just switch? Tell us about your experience in day-to-day business and if it proves to be better I'll happily follow you. Don't forget we (especially those with larger installations) are specialists who should have at least some understanding. Sorry, I'm getting old and more and more suffering from senile impatience, and I just can't stand a certain approach to conjectured problems ("Didn't try this 'cause I don't like it anyway") - ask my daughter :). Seriously - I'd vigorously support any constructive suggestion in this area.

    Christian