
Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.



  • As the person who did the initial testing and trial of our Sophos, then implementation and subsequent care and feeding over the last three years - I feel a sense of ownership to the Sophos product here at work. It protects our 1800 workstations and does a fairly good job of it - except for FakeAV.

    I've found my infection rate drop considerably after enforcing the use of Sophos Web Security appliances - they catch a lot of crap before it hits the workstation. However, with that said - FakeAV still pops up occasionally and Sophos EPP cannot remove it.

    That frustrates the heck out of me. Technically I know why and I'm comfortable saying so to my peers, managers, and the users who ask. But there is a good reason right there to begin trialing other products to see how, if, and can they clean up after FakeAV better than our current product before we renew our three year terms.

    I would like to see more effort on the part of Sophos to battle this profitable malware. If that means injecting a boot partition into each workstation that I can initiate a clean up job from without having to visit the workstation and boot from CD, or leverage more updates more often, or allowing me to allow only specific applications to run using the Application control.

    I'd also like to mention that our helpdesk has given up on doing onsite cleanups with the Sophos CLI on a CD and went for a Malwarebytes disinfection app on a thumbdrive. They found it to be faster and more efficient with this specific infection. If the first run doesn't clean it up - we reimage the machine.
