This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Post Incident Forensics for Fake-AV - Remote Employee

Hi Folks! We have a remote user (works in her home office) who came into contact with a variant of the Fake-AV malware/scareware and it ended up causing a nasty infection. We're trying to improve our knowledge of forensics and also want to understand exactly what happened so that we can protect better and educate the user.

Does anyone have any proven steps for identifying how a computer was infected in a remote worker scenario? We may not have the ability to have her ship her laptop to our HQ for analysis and since she works at her home office, we don't have all of the network capture capabilities we have at our office locations.

Thanks,

CTD

This thread was automatically locked due to age.

0 QC over 12 years ago

Hello CTD,
exactly what happened so that we can protect better and educate the user
it is likely very hard to assess the exact sequence of events post-incident (and don't expect to be able to re-play the events). Likely she contracted it when visiting a website, but even if she can remember which one this won't help much in avoiding similar incidents in the future. You (she) can minimize the risk by visiting only (a few) "trusted" sites, paranoid security settings and the use of add-ons - but this might cause too much interference and thus be unfeasible. If you're already utilise HIPS and Web Protection there's not much else you can do.
You might be interested in Fake anti-virus: The journey from Trojan to a persistent threat and other articles on Naked Security. Please see also KT's post Re: NEW free tools to teach your end users about IT security.
Christian
:41557
Cancel
Vote Up 0 Vote Down

Cancel