[26257] in resnet

home help back first fref pref prev next nref lref last post

Re: Microsoft Forefront Endpoint Protection 2010 Not Catching Malware

daemon@ATHENA.MIT.EDU (Doughty, Marc)
Mon Apr 18 18:00:32 2011

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=bcaec51a867661454704a1388253
Message-ID:  <BANLkTimcQzjoMYUv=5OpkYYPRbMX_jYD=A@mail.gmail.com>
Date:         Mon, 18 Apr 2011 17:59:44 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@brown.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <BANLkTikMUmMDyPbn16CHGsQov63FqVnoew@mail.gmail.com>

--bcaec51a867661454704a1388253
Content-Type: text/plain; charset=ISO-8859-1

Greetings,
     It's my understanding that most of those 'fake antivirus' kits are
actually exploited via browser and plugin vulnerabilities, then they
bootstrap a local OS exploit and install a rootkit (if they can). There's
not much that antivirus software can do about that; the AV software is a
sump pump; if your plugins, OS, and browser aren't updated you still have
cracks in the foundation.
     Also, verify that Network Scanning is enabled (
http://blogs.catapultsystems.com/arafels/archive/2011/01/20/microsoft-forefront-endpoint-protection-fep-network-inspection-system-nis.aspx),
that should help protect against this sort of exploit.

My short list of plugins to monitor for security updates:

   - Adobe Flash Player (ActiveX and Plugin)
   - Adobe Reader
   - Oracle Java
   - Apple Quicktime
   - Silverlight (handled by Windows Update)

All of them have silent installers, so you can push them over your network.

- Marc Doughty

"If you aren't sure who is the give-way vessel, you are the give-way
vessel."


On Mon, Apr 18, 2011 at 4:05 PM, Robert Wilson <rwilson@mccallie.org> wrote:

> We have had several users install fake antivirus software when it pops up
> warning them they are infected. Most of these users are not admins or power
> users and Microsoft Forefront Protection 2010 doesn't catch it or remove it.
> Does anyone know how we can report this to Microsoft?
> Thanks,
> --
> Robert Wilson, McCallie School, Chattanooga, TN
>  ___________________________________________________ You are subscribed to
> the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html___________________________________________________
>

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________

--bcaec51a867661454704a1388253
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Greetings,<br>=A0=A0=A0=A0 It&#39;s my understanding that most of those &#3=
9;fake antivirus&#39; kits are actually exploited via browser and plugin vu=
lnerabilities, then they bootstrap a local OS exploit and install a rootkit=
 (if they can). There&#39;s not much that antivirus software can do about t=
hat; the AV software is a sump pump; if your plugins, OS, and browser aren&=
#39;t updated you still have cracks in the foundation.<br>
=A0=A0=A0=A0 Also, verify that Network Scanning is enabled ( <a href=3D"htt=
p://blogs.catapultsystems.com/arafels/archive/2011/01/20/microsoft-forefron=
t-endpoint-protection-fep-network-inspection-system-nis.aspx">http://blogs.=
catapultsystems.com/arafels/archive/2011/01/20/microsoft-forefront-endpoint=
-protection-fep-network-inspection-system-nis.aspx</a> ), that should help =
protect against this sort of exploit.<br>
<br>My short list of plugins to monitor for security updates:<br><ul><li>Ad=
obe Flash Player (ActiveX and Plugin)</li><li>Adobe Reader</li><li>Oracle J=
ava</li><li>Apple Quicktime</li><li>Silverlight (handled by Windows Update)=
</li>
</ul>All of them have silent installers, so you can push them over your net=
work.<br><br>- Marc Doughty<br><br>&quot;If you aren&#39;t sure who is the =
give-way vessel, you are the give-way vessel.&quot;<br>
<br><br><div class=3D"gmail_quote">On Mon, Apr 18, 2011 at 4:05 PM, Robert =
Wilson <span dir=3D"ltr">&lt;<a href=3D"mailto:rwilson@mccallie.org">rwilso=
n@mccallie.org</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
We have had several users install fake antivirus software when it pops up w=
arning them they are infected. Most of these users are not admins or power =
users and Microsoft Forefront Protection 2010 doesn&#39;t catch it or remov=
e it. Does anyone know how we can report this to Microsoft?<div>



Thanks,<br>-- <br>Robert Wilson, McCallie School, Chattanooga, TN<br>
</div>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
<p>
To subscribe, unsubscribe or search the archives,
go to <a href=3D"http://LISTSERV.ND.EDU/archives/resnet-l.html" target=3D"_=
blank">http://LISTSERV.ND.EDU/archives/resnet-l.html</a>
___________________________________________________
</p></blockquote></div><br>
___________________________________________________
You are subscribed to the ResNet-L mailing list.
<p>
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________

--bcaec51a867661454704a1388253--

home help back first fref pref prev next nref lref last post