
Fake AV running rampant need help on how to remove from network

We are a post-secondary institution and have a number of student and staff complaints about FakeAV and ransomware infections. Right now our only hope is to wipe and rebuild from scratch. I've looked at the Sophos Anti-rootkit software, but the documentation on network cleansing is not very intuitive. Does anyone have some suggestions on a better way to clean up this mess? Thanks, Rob


  • Hello RobM,

    first of all - you should determine (if you can't tell yet) if it really spreads "from the inside" or if it comes from visiting a popular site. I don't assume the former although I won't rule it out.

    Second: Is the malware already detected by the scanner (which? do you run Sophos?) and if so, what is it? If it's as yet unknown and only identified by the users you should send in samples.

    Third: Ransomware - is it the kind which encrypts or otherwise modifies a user's files? Do you have clean backups of these? If not you should call support immediately.

    Fourth: Do you have evidence that a rootkit component is involved? This too is a reason for calling support.

    FakeAV (assuming there is no "worming" or viral component involved) can usually be cleaned up by using "aggressive" on-access and scheduled scan settings, rebooting and running a scheduled scan with no user logged on. If the users' profiles are server based or roaming you have to clean these as well. The important part is that as much as possible is detected - that's why you should send in samples in case you don't have a specific detection. Fortunately most of the FakeAV can be cleaned without booting into Safe Mode.

    Be careful with the ransomware though.

    Christian
