[26257] in resnet
Re: Microsoft Forefront Endpoint Protection 2010 Not Catching Malware
daemon@ATHENA.MIT.EDU (Doughty, Marc)
Mon Apr 18 18:00:32 2011
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=bcaec51a867661454704a1388253
Message-ID: <BANLkTimcQzjoMYUv=5OpkYYPRbMX_jYD=A@mail.gmail.com>
Date: Mon, 18 Apr 2011 17:59:44 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@brown.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <BANLkTikMUmMDyPbn16CHGsQov63FqVnoew@mail.gmail.com>
--bcaec51a867661454704a1388253
Content-Type: text/plain; charset=ISO-8859-1
Greetings,
It's my understanding that most of those 'fake antivirus' kits are
actually exploited via browser and plugin vulnerabilities, then they
bootstrap a local OS exploit and install a rootkit (if they can). There's
not much that antivirus software can do about that; the AV software is a
sump pump; if your plugins, OS, and browser aren't updated you still have
cracks in the foundation.
Also, verify that Network Scanning is enabled (
http://blogs.catapultsystems.com/arafels/archive/2011/01/20/microsoft-forefront-endpoint-protection-fep-network-inspection-system-nis.aspx),
that should help protect against this sort of exploit.
My short list of plugins to monitor for security updates:
- Adobe Flash Player (ActiveX and Plugin)
- Adobe Reader
- Oracle Java
- Apple Quicktime
- Silverlight (handled by Windows Update)
All of them have silent installers, so you can push them over your network.
- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way
vessel."
On Mon, Apr 18, 2011 at 4:05 PM, Robert Wilson <rwilson@mccallie.org> wrote:
> We have had several users install fake antivirus software when it pops up
> warning them they are infected. Most of these users are not admins or power
> users and Microsoft Forefront Protection 2010 doesn't catch it or remove it.
> Does anyone know how we can report this to Microsoft?
> Thanks,
> --
> Robert Wilson, McCallie School, Chattanooga, TN
> ___________________________________________________ You are subscribed to
> the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html___________________________________________________
>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--bcaec51a867661454704a1388253
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Greetings,<br>=A0=A0=A0=A0 It's my understanding that most of those =
9;fake antivirus' kits are actually exploited via browser and plugin vu=
lnerabilities, then they bootstrap a local OS exploit and install a rootkit=
(if they can). There's not much that antivirus software can do about t=
hat; the AV software is a sump pump; if your plugins, OS, and browser aren&=
#39;t updated you still have cracks in the foundation.<br>
=A0=A0=A0=A0 Also, verify that Network Scanning is enabled ( <a href=3D"htt=
p://blogs.catapultsystems.com/arafels/archive/2011/01/20/microsoft-forefron=
t-endpoint-protection-fep-network-inspection-system-nis.aspx">http://blogs.=
catapultsystems.com/arafels/archive/2011/01/20/microsoft-forefront-endpoint=
-protection-fep-network-inspection-system-nis.aspx</a> ), that should help =
protect against this sort of exploit.<br>
<br>My short list of plugins to monitor for security updates:<br><ul><li>Ad=
obe Flash Player (ActiveX and Plugin)</li><li>Adobe Reader</li><li>Oracle J=
ava</li><li>Apple Quicktime</li><li>Silverlight (handled by Windows Update)=
</li>
</ul>All of them have silent installers, so you can push them over your net=
work.<br><br>- Marc Doughty<br><br>"If you aren't sure who is the =
give-way vessel, you are the give-way vessel."<br>
<br><br><div class=3D"gmail_quote">On Mon, Apr 18, 2011 at 4:05 PM, Robert =
Wilson <span dir=3D"ltr"><<a href=3D"mailto:rwilson@mccallie.org">rwilso=
n@mccallie.org</a>></span> wrote:<br><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
We have had several users install fake antivirus software when it pops up w=
arning them they are infected. Most of these users are not admins or power =
users and Microsoft Forefront Protection 2010 doesn't catch it or remov=
e it. Does anyone know how we can report this to Microsoft?<div>
Thanks,<br>-- <br>Robert Wilson, McCallie School, Chattanooga, TN<br>
</div>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
<p>
To subscribe, unsubscribe or search the archives,
go to <a href=3D"http://LISTSERV.ND.EDU/archives/resnet-l.html" target=3D"_=
blank">http://LISTSERV.ND.EDU/archives/resnet-l.html</a>
___________________________________________________
</p></blockquote></div><br>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
<p>
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--bcaec51a867661454704a1388253--