Re: Thought on malware cleaning

2011-07-20 Thread Jon Harris
Wait I thought a clue-x-four with a nail on the user side daily would help
mitigate those issues if not put a stop to them?

Jon

On Wed, Jul 20, 2011 at 11:01 AM, Ziots, Edward  wrote:

>  Humm I sense POSTAL Epic Fail… 
>
> Don’t go off the deep end Epsi, you can’t stop everything, and you can’t
> stop the users from going to bad sites or getting owned in some cases. We
> all know that technical controls don’t solve personal behavior issues.
>
> Z
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Security Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org
>
> Cell:401-639-3505
>
> *From:* MMF [mailto:mmfree...@ameritech.net]
> *Sent:* Tuesday, July 19, 2011 5:48 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
> Don’t hold back :)
>
>  
>
> MMF
>
>  
>
> *From:* Micheal Espinola Jr  
>
> *Sent:* Tuesday, July 19, 2011 3:15 PM
>
> *To:* NT System Admin Issues  
>
> *Subject:* Re: Thought on malware cleaning
>
>  
>
> On that note, I'm going to go on my lunch break now.  Here's what I'll do:
>
> I'm going to close my eyes and walk in the direction of my car.  Screw
> anything I walk into, because logically there should be doors that
> automatically open in the direction I need to go.  Screw how things
> currently exist, because I think I know how they should exist for me.
> Because I know better.  Better than anyone else.  All must bend to my will.
> And whatever people do now, they will change on the drop of a dime at my
> request.  Because user [re]education is akin to waving a magic wand.  What I
> say goes.  The world will fall in-line.
>
> If I bang my face into a wall along the way - screw it.  I'll just keep
> doing it until someone comes along and changes something to be how I want
> it.  Sounds perfectly reasonable...
>
> --
> Espi
>
>  
>
>  
>
>
>
> 
>
> On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr <
> michealespin...@gmail.com> wrote:
>
> Well that's f'ing helpful.  Good luck on educating the planet with a more
> logical course of action.  Let us know how that works-out for you!
>
> --
> Espi
>
>  
>
>  
>
>
>
> 
>
> On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott wrote:
>
>  On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
>  wrote:
> > While I agree with your sentiment whole-heartedly, I still wonder why
> > antimalware software isn't performing the most basic of checks for common
> > infection breadcrumbs.
>
> Hammer myopia.
>
> ("When all you have is a hammer, everything starts to look like a nail.")
>
> -- Ben
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

RE: Thought on malware cleaning

2011-07-20 Thread Ziots, Edward
Humm I sense POSTAL Epic Fail… 

 

Don’t go off the deep end Epsi, you can’t stop everything, and you can’t stop 
the users from going to bad sites or getting owned in some cases. We all know 
that technical controls don’t solve personal behavior issues. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: MMF [mailto:mmfree...@ameritech.net] 
Sent: Tuesday, July 19, 2011 5:48 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

 

Don’t hold back :)

 

MMF

 

From: Micheal Espinola Jr <mailto:michealespin...@gmail.com>  

Sent: Tuesday, July 19, 2011 3:15 PM

To: NT System Admin Issues <mailto:ntsysadmin@lyris.sunbelt-software.com>  

Subject: Re: Thought on malware cleaning

 

On that note, I'm going to go on my lunch break now.  Here's what I'll do:

I'm going to close my eyes and walk in the direction of my car.  Screw anything 
I walk into, because logically there should be doors that automatically open in 
the direction I need to go.  Screw how things currently exist, because I think 
I know how they should exist for me.  Because I know better.  Better than 
anyone else.  All must bend to my will.  And whatever people do now, they will 
change on the drop of a dime at my request.  Because user [re]education is akin 
to waving a magic wand.  What I say goes.  The world will fall in-line.

If I bang my face into a wall along the way - screw it.  I'll just keep doing 
it until someone comes along and changes something to be how I want it.  Sounds 
perfectly reasonable...

--
Espi

 

 





On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr 
 wrote:

Well that's f'ing helpful.  Good luck on educating the planet with a more 
logical course of action.  Let us know how that works-out for you!

--
Espi

 

 





On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott  wrote:

On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
 wrote:
> While I agree with your sentiment whole-heartedly, I still wonder why
> antimalware software isn't performing the most basic of checks for common
> infection breadcrumbs.

Hammer myopia.

("When all you have is a hammer, everything starts to look like a nail.")

-- Ben



Re: Thought on malware cleaning

2011-07-19 Thread MMF
Don’t hold back :)

MMF

From: Micheal Espinola Jr 
Sent: Tuesday, July 19, 2011 3:15 PM
To: NT System Admin Issues 
Subject: Re: Thought on malware cleaning

On that note, I'm going to go on my lunch break now.  Here's what I'll do:

I'm going to close my eyes and walk in the direction of my car.  Screw anything 
I walk into, because logically there should be doors that automatically open in 
the direction I need to go.  Screw how things currently exist, because I think 
I know how they should exist for me.  Because I know better.  Better than 
anyone else.  All must bend to my will.  And whatever people do now, they will 
change on the drop of a dime at my request.  Because user [re]education is akin 
to waving a magic wand.  What I say goes.  The world will fall in-line.

If I bang my face into a wall along the way - screw it.  I'll just keep doing 
it until someone comes along and changes something to be how I want it.  Sounds 
perfectly reasonable...

--
Espi







On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr 
 wrote:

  Well that's f'ing helpful.  Good luck on educating the planet with a more 
logical course of action.  Let us know how that works-out for you!

  --
  Espi







  On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott  wrote:

On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
 wrote:
> While I agree with your sentiment whole-heartedly, I still wonder why
> antimalware software isn't performing the most basic of checks for common
> infection breadcrumbs.


Hammer myopia.

("When all you have is a hammer, everything starts to look like a nail.")

-- Ben



RE: Thought on malware cleaning

2011-07-19 Thread Erik Goldoff
Good luck with that …. And really, good luck on your *stated* quest.  Please
keep me in the loop on your findings.  Layered security usually proves
better, and you seem to be hunting for that as of yet ignored layer.

 

Erik Goldoff

IT Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Tuesday, July 19, 2011 4:16 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

 

On that note, I'm going to go on my lunch break now.  Here's what I'll do:

I'm going to close my eyes and walk in the direction of my car.  Screw
anything I walk into, because logically there should be doors that
automatically open in the direction I need to go.  Screw how things
currently exist, because I think I know how they should exist for me.
Because I know better.  Better than anyone else.  All must bend to my will.
And whatever people do now, they will change on the drop of a dime at my
request.  Because user [re]education is akin to waving a magic wand.  What I
say goes.  The world will fall in-line.

If I bang my face into a wall along the way - screw it.  I'll just keep
doing it until someone comes along and changes something to be how I want
it.  Sounds perfectly reasonable...

--
Espi

 

 





On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr
 wrote:

Well that's f'ing helpful.  Good luck on educating the planet with a more
logical course of action.  Let us know how that works-out for you!

--
Espi

 

 





On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott  wrote:

On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
 wrote:
> While I agree with your sentiment whole-heartedly, I still wonder why
> antimalware software isn't performing the most basic of checks for common
> infection breadcrumbs.

 Hammer myopia.

 ("When all you have is a hammer, everything starts to look like a nail.")

-- Ben



Re: Thought on malware cleaning

2011-07-19 Thread Ben Scott
On Tue, Jul 19, 2011 at 4:01 PM, Micheal Espinola Jr
 wrote:
>>> While I agree with your sentiment whole-heartedly, I still wonder why
>>> antimalware software isn't performing the most basic of checks for common
>>> infection breadcrumbs.
>>
>>  Hammer myopia.
>
> Well that's f'ing helpful.

  You asked why.  Not my fault you assumed there was a *good* reason.  :)

  In general, if something seems to be suboptimal, I find "the world
is full of incompetent people" is a safe bet for the answer.

-- Ben



Re: Thought on malware cleaning

2011-07-19 Thread Daniel Rodriguez
Just be glad that I am not the person to come and help you when you run into
a wall.

I'll just point you into another wall, or worse, a hallway plant of some
sort, and watch you fall down, hoping that the floor will 'give way to your
will' and watch you either fall flat on your face, or go through the floor,
then through the building, and hopefully land on some solid ground,
somewhere.

I would suggest that you at least open your eyes, walk confidently to the
exit. You have a much better chance of getting to your car and leaving in a
timely manner, rather than walk around the office like a blind lemming. :O

But, that's just me. :)



On Tue, Jul 19, 2011 at 4:15 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> On that note, I'm going to go on my lunch break now.  Here's what I'll do:
>
> I'm going to close my eyes and walk in the direction of my car.  Screw
> anything I walk into, because logically there should be doors that
> automatically open in the direction I need to go.  Screw how things
> currently exist, because I think I know how they should exist for me.
> Because I know better.  Better than anyone else.  All must bend to my will.
> And whatever people do now, they will change on the drop of a dime at my
> request.  Because user [re]education is akin to waving a magic wand.  What I
> say goes.  The world will fall in-line.
>
> If I bang my face into a wall along the way - screw it.  I'll just keep
> doing it until someone comes along and changes something to be how I want
> it.  Sounds perfectly reasonable...
>
> --
> Espi
>
>
>
>
>
>
> On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr <
> michealespin...@gmail.com> wrote:
>
>> Well that's f'ing helpful.  Good luck on educating the planet with a more
>> logical course of action.  Let us know how that works-out for you!
>>
>> --
>> Espi
>>
>>
>>
>>
>>
>> On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott  wrote:
>>
>>> On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
>>>  wrote:
>>> > While I agree with your sentiment whole-heartedly, I still wonder why
>>> > antimalware software isn't performing the most basic of checks for common
>>> > infection breadcrumbs.
>>>
>>>   Hammer myopia.
>>>
>>>  ("When all you have is a hammer, everything starts to look like a nail.")
>>>
>>> -- Ben
>>>

Re: Thought on malware cleaning

2011-07-19 Thread Micheal Espinola Jr
On that note, I'm going to go on my lunch break now.  Here's what I'll do:

I'm going to close my eyes and walk in the direction of my car.  Screw
anything I walk into, because logically there should be doors that
automatically open in the direction I need to go.  Screw how things
currently exist, because I think I know how they should exist for me.
Because I know better.  Better than anyone else.  All must bend to my will.
And whatever people do now, they will change on the drop of a dime at my
request.  Because user [re]education is akin to waving a magic wand.  What I
say goes.  The world will fall in-line.

If I bang my face into a wall along the way - screw it.  I'll just keep
doing it until someone comes along and changes something to be how I want
it.  Sounds perfectly reasonable...

--
Espi





On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> Well that's f'ing helpful.  Good luck on educating the planet with a more
> logical course of action.  Let us know how that works-out for you!
>
> --
> Espi
>
>
>
>
>
> On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott  wrote:
>
>> On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
>>  wrote:
>> > While I agree with your sentiment whole-heartedly, I still wonder why
>> > antimalware software isn't performing the most basic of checks for common
>> > infection breadcrumbs.
>>
>>   Hammer myopia.
>>
>>  ("When all you have is a hammer, everything starts to look like a nail.")
>>
>> -- Ben
>>

Re: Thought on malware cleaning

2011-07-19 Thread Micheal Espinola Jr
Well that's f'ing helpful.  Good luck on educating the planet with a more
logical course of action.  Let us know how that works-out for you!

--
Espi





On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott  wrote:

> On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
>  wrote:
> > While I agree with your sentiment whole-heartedly, I still wonder why
> > antimalware software isn't performing the most basic of checks for common
> > infection breadcrumbs.
>
>   Hammer myopia.
>
>  ("When all you have is a hammer, everything starts to look like a nail.")
>
> -- Ben
>

Re: Thought on malware cleaning

2011-07-19 Thread Ben Scott
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr
 wrote:
> While I agree with your sentiment whole-heartedly, I still wonder why
> antimalware software isn't performing the most basic of checks for common
> infection breadcrumbs.

  Hammer myopia.

  ("When all you have is a hammer, everything starts to look like a nail.")

-- Ben



Re: Thought on malware cleaning

2011-07-19 Thread Micheal Espinola Jr
While I agree with your sentiment whole-heartedly, I still wonder why
antimalware software isn't performing the most basic of checks for common
infection breadcrumbs.

I think we are all painfully aware that malware detection must go beyond the
basic signature match. Malware and exploits follow a logic process/path.  We
should also be looking to follow that path in the detection process.  I
think it's high time that we get away from this stagnant idea of how AV/AM
software works.  It didn't work for spam.  It doesn't work for malware.

I personally don't see how the points I have individually raised here would
have a negative or detrimental effect on the scanning process.  The
foot-print is small, and the verification time should be quite limited.

--
Espi





On Mon, Jul 18, 2011 at 2:48 PM, Stu Sjouwerman
wrote:

> **
> OK, I just could not stay out of this one. Something like 60-70% of these
> infections are
> caused by social engineering, so why not prevent this from happening in the
> first place?
>
> Train those users within an inch of their life so that they will have
> nightmares even
> contemplating clicking on something they should not. Cybercrime is
> accelerating,
> check out the sophistication level of the current fifth generation.
>
> http://www.knowbe4.com/resources/five-generations-of-cybercrime/
>
> Warm regards,
>
> Stu
>
>
>  --
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 1:12 PM
>
> *To:* NT System Admin Issues
> *Subject:* Thought on malware cleaning
>
> Maybe I'm nuts.  Maybe I'm sick of dealing with malware.  But I have some
> very simple questions about things I almost ALWAYS see on infected systems.
> Perhaps someone here can clarify something for me that I have yet to see
> Microsoft and any antivirus vendor directly address.  I'm gonna start this
> with one point, and then how the conversation goes:
>
> I almost always see malware injection points in the allusers\appdata
> folder.  In these instances I *always* see a reference in one of the "run"
> registry keys.
>
> As far as I know, this top level appdata folder should NOT contain files at
> all.  I repeat: NO FILES AT F'ING ALL.
>
> Can someone confirm this?  Can someone with contacts at Microsoft or other
> AV providers confirm why this is completely overlooked when scanning?  This
> is where 0-day malware lives very commonly.  This is very easy to check!
>
> Thank you for your time and any vendor reach-outs you can provide.
>
> I'm currently working on a set of scripts to check what I consider very
> foolish things like this.  If anyone wants to team-up, please do.
>
> --
> Espi
>
>
>

RE: Thought on malware cleaning

2011-07-18 Thread Stu Sjouwerman
OK, I just could not stay out of this one. Something like 60-70% of these
infections are caused by social engineering, so why not prevent this from
happening in the first place?

Train those users within an inch of their life so that they will have
nightmares even contemplating clicking on something they should not. Cybercrime
is accelerating, check out the sophistication level of the current fifth
generation.

http://www.knowbe4.com/resources/five-generations-of-cybercrime/

Warm regards,

Stu



From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 1:12 PM
To: NT System Admin Issues
Subject: Thought on malware cleaning

Maybe I'm nuts.  Maybe I'm sick of dealing with malware.  But I have some very
simple questions about things I almost ALWAYS see on infected systems.  Perhaps
someone here can clarify something for me that I have yet to see Microsoft and
any antivirus vendor directly address.  I'm gonna start this with one point,
and then how the conversation goes:

I almost always see malware injection points in the allusers\appdata folder.
In these instances I *always* see a reference in one of the "run" registry keys.

As far as I know, this top level appdata folder should NOT contain files at all.
I repeat: NO FILES AT F'ING ALL.

Can someone confirm this?  Can someone with contacts at Microsoft or other AV
providers confirm why this is completely overlooked when scanning?  This is
where 0-day malware lives very commonly.  This is very easy to check!

Thank you for your time and any vendor reach-outs you can provide.

I'm currently working on a set of scripts to check what I consider very foolish
things like this.  If anyone wants to team-up, please do.

--
Espi




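Espi's proposal quoted above (loose files in the root of the all-users AppData folder, cross-checked against the "Run" registry keys; he restates it later in the thread as "check these types of folders and match against the registry") as an added PowerShell audit example; this is not Espi's own script or anything posted to the list. It assumes Windows Vista or later, where that folder is %ProgramData% (the old "All Users\Application Data" path is a junction to it), and PowerShell 3.0 or later; it reports and deletes nothing.

```powershell
# Added example (not from the thread): report loose files in the all-users
# AppData root and any Run/RunOnce value that launches something from under it.
# Assumptions: Windows Vista+ (root is %ProgramData%), PowerShell 3.0+, and the
# HKCU keys below are those of the account running the script.

$AppDataRoot = [Environment]::GetFolderPath('CommonApplicationData')   # e.g. C:\ProgramData

# The "run keys" the thread refers to (64-bit hosts also have a Wow6432Node copy)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Files sitting directly in the AppData root. Per the thread this folder
#    should hold subfolders only; desktop.ini is the one legitimate exception.
$LooseFiles = Get-ChildItem -LiteralPath $AppDataRoot -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'desktop.ini' }

# 2. Autorun values. Each value is a command line; take the first token
#    (quoted or bare) as the executable and expand %VARS% ourselves so a
#    REG_EXPAND_SZ value compares the same way as a plain REG_SZ one.
function Get-AutorunEntry {
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Item = Get-Item -LiteralPath $Key
        foreach ($Name in $Item.GetValueNames()) {
            $Cmd = [string]$Item.GetValue($Name, '', 'DoNotExpandEnvironmentNames')
            $Cmd = [Environment]::ExpandEnvironmentVariables($Cmd).Trim()
            if ($Cmd -match '^"([^"]+)"') { $Exe = $Matches[1] }
            else                         { $Exe = ($Cmd -split '\s+')[0] }
            [PSCustomObject]@{ Key = $Key; Name = $Name; Command = $Cmd; Executable = $Exe }
        }
    }
}

$Autoruns = @(Get-AutorunEntry)

# 3. Cross-reference. Checking "anywhere under the root" rather than only the
#    root itself covers the objection raised in the thread that malware would
#    simply move one subfolder down: the autorun entry still has to point at it.
$RootPrefix = $AppDataRoot.TrimEnd('\') + '\'
$SuspectAutoruns = $Autoruns | Where-Object {
    $_.Executable.StartsWith($RootPrefix, [StringComparison]::OrdinalIgnoreCase)
}

$Report = foreach ($File in $LooseFiles) {
    $Hits = $Autoruns | Where-Object {
        $_.Executable -ieq $File.FullName -or $_.Command -match [regex]::Escape($File.Name)
    }
    [PSCustomObject]@{
        File        = $File.FullName
        SizeBytes   = $File.Length
        Created     = $File.CreationTime
        Executable  = $File.Extension -in '.exe','.dll','.scr','.com','.bat','.cmd','.vbs','.js'
        Signed      = (Get-AuthenticodeSignature -FilePath $File.FullName).Status -eq 'Valid'
        AutorunRefs = ($Hits | ForEach-Object { "$($_.Key)\$($_.Name)" }) -join '; '
    }
}

"== Loose files in $AppDataRoot =="
$Report | Format-Table -AutoSize
"== Run/RunOnce entries launching from under $AppDataRoot =="
$SuspectAutoruns | Format-Table Key, Name, Command -AutoSize
```

A loose executable with an AutorunRefs entry, or any row in the second table, is the "breadcrumb" combination the thread describes; an unsigned one deserves a look before anything is removed.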

Re: Thought on malware cleaning

2011-07-14 Thread James Rankin
AppSense blocks certain pdfs, dlls and all sorts of other executable stuff
in its default configuration as well. I can see this from the "Denied"
alerts that we get whenever something is prevented from executing. It must
have some form of detection for this because most pdfs, for instance, are
allowed to run. It certainly makes me feel quite a bit more at ease, as I
can see it stopping all the stupid things users are trying to run.

As I said before though, I'm biased.

On 14 July 2011 12:48, Ziots, Edward  wrote:

> And it's not only .EXE that contain executable code, a lot of the time it's
> PDFs and Word documents with embedded code, or links to download the
> malicious code.  But in the end it's all about controlling executable code in
> whatever form it is in.
>
> Z
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Security Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org
>
> Cell:401-639-3505
>
> *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
> *Sent:* Wednesday, July 13, 2011 4:41 PM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Thought on malware cleaning
>
> My point is that it’s common simply because it's allowed. Disallowing .exes
> to be stored would make it rare, but the .exes would just have moved with no
> net gain. Or maybe I’m misunderstanding what you’re suggesting.
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:52 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
> That's not my solution.  My solution is to check these types of folders and
> match against the registry.
>
> It's a very common occurrence in my experience, and would add lots of value
> when they are found.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott 
> wrote:
>
> If the OS blocked .exe from the root of AppData, malware would just put it
> in a subfolder. Your simple solution is only simple because that’s how
> windows is designed. The overhead to block .exe in AppData would take
> resources to code and test and would add virtually no value.
>
>  
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:25 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>  
>
> Very true, but there are some very basic things that can be checked and have
> some very basic logic applied to take action on.  Why this isn't addressed is
> beyond me.  There are key folders that shouldn't have files in them, let
> alone executables.
>
>
>
> I agree with the concepts of whitelists.  But the issue I'm addressing
> specifically right now shouldnt need to involve it.
>
> --
>
> Espi
>
>
> On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward 
> wrote:
>
> Honestly, the malware game is like a big game of Whack-a-Mole; therefore
> there are always going to be "writeable" areas in the OS, even for the user,
> and the malware authors are using packing and anti-tampering methods that
> are evading most anti-virus vendors (the really targeted attacks), so it's
> a battle that is going to keep going on and on: just as soon as you block
> one method they come up with 3-5 more you haven't thought of.
>
>  
>
> The only suggestion would be a good application whitelisting technology to
> only allow known good software and disallow anything else to run. I am sure
> it has its caveats (trust me, we are implementing application
> whitelisting now, and compared to IPS it's still got its pain points).
>
>  
>
> Although it's been fun reading the Malware Analyst's Cookbook and DVD; nice
> insight into reverse-engineering malware and seeing what it does so you can
> better protect your systems.
>
>  
>
> Keep your friends close and your enemies closer
>
> EZ 
>
>  
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Security Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org
>
> Cell:401-639-3505
>
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:28 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
> To be addresse

RE: Thought on malware cleaning

2011-07-14 Thread Ziots, Edward
And it's not only .EXE files that contain executable code; a lot of the time it's
PDFs and Word documents with embedded code, or links to download the
malicious code.  But in the end it's all about controlling executable
code in whatever form it is in.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

 

From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Wednesday, July 13, 2011 4:41 PM
To: NT System Admin Issues
Subject: RE: Thought on malware cleaning

 

My point is that it's common simply because it's allowed. Disallowing
.exes to be stored would make it rare, but the .exes would just have
moved with no net gain. Or maybe I'm misunderstanding what you're
suggesting.

 

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Wednesday, July 13, 2011 2:52 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

 

That's not my solution.  My solution is to check these types of folders
and match against the registry.

It's a very common occurrence in my experience, and would add lots of
value when they are found.

--
Espi

 

 

 

On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott <
crawfo...@evangel.edu> wrote:

If the OS blocked .exe from the root of AppData, malware would just put
it in a subfolder. Your simple solution is only simple because that's
how Windows is designed. The overhead to block .exe in AppData would
take resources to code and test and would add virtually no value.

 

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Wednesday, July 13, 2011 2:25 PM


To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

 

Very true, but there are some very basic things that can be checked and have
some very basic logic applied to take action on.  Why this isn't
addressed is beyond me.  There are key folders that shouldn't have files
in them, let alone executables.

I agree with the concepts of whitelists.  But the issue I'm addressing
specifically right now shouldn't need to involve it.

--

Espi

 

 

 

On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward 
wrote:

Honestly, the malware game is like a big game of Whack-a-Mole; therefore
there are always going to be "writeable" areas in the OS, even for the
user, and the malware authors are using packing and anti-tampering
methods that are evading most anti-virus vendors (the really targeted
attacks), so it's a battle that is going to keep going on and on: just
as soon as you block one method they come up with 3-5 more you haven't
thought of.

 

The only suggestion would be a good application whitelisting technology
to only allow known good software and disallow anything else to run. I
am sure it has its caveats (trust me, we are implementing application
whitelisting now, and compared to IPS it's still got its pain points).

 

Although it's been fun reading the Malware Analyst's Cookbook and DVD; nice
insight into reverse-engineering malware and seeing what it does so you
can better protect your systems.

 

Keep your friends close and your enemies closer

EZ 

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

 

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Wednesday, July 13, 2011 2:28 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

 

To be addressed at a later date, yes.  ;-)

--

Espi

 

 

 

On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff 
wrote:

And as to "Maybe I'm nuts.", isn't that a separate issue???

 

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

Maybe I'm nuts.  Maybe I'm sick of dealing with malware.  But I have
some very simple questions about things I almost ALWAYS see on infected
systems.  Perhaps someone here can clarify something for me that I have
yet to see Microsoft and any antivirus vendor directly address.  I'm
gonna start this with one point, and then see how the conversation goes:

I almost always see malware injection points in the allusers\appdata
folder.  In these instances I *always* see a reference in one of the
"run" registry keys.

As far as I know, this top level appdata folder should NOT contain files
at all.  I repeat: NO FILES AT F'ING ALL.

Can someone confirm this?  Can someone with contacts at Microsoft or
other AV providers confirm why this is completely overlooked when
scanning?  This is where 0-day malware very commonly lives.  This is very
easy to check!

Thank you for your time and any vendor reach-outs you can provide.

I'm currently working on a set of scripts to check what I consider very
foolish things like this.  If anyone wants to team up, please do.

--
Espi

 

 

 

~ Finally, powerful endpoint security 

Re: Thought on malware cleaning

2011-07-14 Thread James Rankin
Anything that is a network drive or UNC path is disallowed by default. As is
anything not owned by the local Admins group. We do this with AppSense
Application Management. We call it "AppLocker on steroids". It supports a
vast number of trigger conditions and actions, and gives you a level of
granularity and control that you can't get with standard policy objects or
software restrictions.

Disclaimer: I am an AppSense bigot, now that I'm qualified in it :-)

On 14 July 2011 04:12, Harry Singh  wrote:

> It could just be late here on the east coast, but could you explain
> what you mean by "non-local areas"?
>
> Also, how are you preventing any .exe from running? GPO?
>
>
>
> On Wednesday, July 13, 2011,   wrote:
> > We redirect AppData, and any exes in non-local areas aren't allowed to
> > run. As is anything not owned by Administrators.
> > Sent from my POS BlackBerry wireless device, which may wipe itself at
> > any moment
> > From: Micheal Espinola Jr
> > Date: Wed, 13 Jul 2011 14:04:17 -0700
> > To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> > ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
> > Subject: Re: Thought on malware cleaning
> > I'm all for leaving it open.  But it should be checked by AV software and
> > related tools.  It's just common sense.  There is almost always infection
> > there.  There and some other common locations should be checked.  Any apps
> > present should be checked if they are signed, or have any company detail
> > (most/all are null).  And depending, then that should be scanned against the
> > registry.
> >
> > It's not rocket science, and it's not that resource intensive.  Especially
> > if we are talking about using an AV/AM app performing a system sweep.
> > --
> > Espi
> >
> > On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott
> > wrote:
> >
> > I’m not referring to whitelisting, which has its own set of issues.
> >
> > I’m talking about your suggestion of disallowing any .exe files in the
> root of AppData.
> >
> > From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> >
> > Sent: Wednesday, July 13, 2011 3:50 PM
> > To: NT System Admin Issues
> > Subject: Re: Thought on malware cleaning
> >
> > While I agree with whitelisting, and I believe it's a reasonable solution
> > at this point, the original intent of this post and what I am proposing
> > don't involve whitelisting.
> >
> > --
> > Espi
> >
> > On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott 
> wrote:
> >
> >
> > My point is that it's common simply because it's allowed. Disallowing
> > .exes to be stored would make it rare, but the .exes would just
> > have moved with no net gain. Or maybe I'm misunderstanding what you're
> > suggesting.
> >
> > From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> >
> > Sent: Wednesday, July 13, 2011 2:52 PM
> >
> >
> > To: NT System Admin Issues
> > Subject: Re: Thought on malware cleaning
> >
> >
> > That's not my solution.  My solution is to check these types of folders
> > and match against the registry.
> >
> > It's a very common occurrence in my experience, and would add lots of value
> > when they are found.
> >
> > --
> > Espi
> >
> > On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott 
> wrote:
> >
> > If the OS blocked .exe from the root of AppData, malware would just put
> > it in a subfolder. Your simple solution is only simple because
> > that's how Windows is designed. The overhead to block .exe in AppData
> > would take resources to code and test and would add virtually no value.
> >
> > From: Micheal Espinola Jr [mailto:
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas 

RE: Thought on malware cleaning

2011-07-13 Thread Ken Schaefer
Surely all AV tools do "on access" scanning. So it doesn't matter where the 
file is, when it's accessed, it will be scanned.

And whilst there might not be any files there today, unless Microsoft writes 
something on MSDN telling developers that no files should be there, then it's 
entirely legitimate for vendors to put files there down the track.

Cheers
Ken

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Thursday, 14 July 2011 5:04 AM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

I'm all for leaving it open.  But it should be checked by AV software and
related tools.  It's just common sense.  There is almost always infection there.
There and some other common locations should be checked.  Any apps present
should be checked if they are signed, or have any company detail (most/all are
null).  And depending, then that should be scanned against the registry.

It's not rocket science, and it's not that resource intensive.  Especially if we
are talking about using an AV/AM app performing a system sweep.

--
Espi




On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
I'm not referring to whitelisting, which has its own set of issues.

I'm talking about your suggestion of disallowing any .exe files in the root of 
AppData.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 3:50 PM

To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

While I agree with whitelisting, and I believe it's a reasonable solution at
this point, the original intent of this post and what I am proposing don't
involve whitelisting.

--
Espi



On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
My point is that it's common simply because it's allowed. Disallowing .exes to
be stored would make it rare, but the .exes would just have moved with no net
gain. Or maybe I'm misunderstanding what you're suggesting.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:52 PM

To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

That's not my solution.  My solution is to check these types of folders and
match against the registry.

It's a very common occurrence in my experience, and would add lots of value when
they are found.

--
Espi



On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
If the OS blocked .exe from the root of AppData, malware would just put it in a
subfolder. Your simple solution is only simple because that's how Windows is
designed. The overhead to block .exe in AppData would take resources to code
and test and would add virtually no value.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:25 PM

To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

Very true, but there are some very basic things that can be checked and have some
very basic logic applied to take action on.  Why this isn't addressed is beyond
me.  There are key folders that shouldn't have files in them, let alone
executables.

I agree with the concepts of whitelists.  But the issue I'm addressing
specifically right now shouldn't need to involve it.

--
Espi



On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward <ezi...@lifespan.org> wrote:
Honestly, the malware game is like a big game of Whack-a-Mole; therefore there
are always going to be "writeable" areas in the OS, even for the user, and the
malware authors are using packing and anti-tampering methods that are evading
most anti-virus vendors (the really targeted attacks), so it's a battle that
is going to keep going on and on: just as soon as you block one method they
come up with 3-5 more you haven't thought of.

The only suggestion would be a good application whitelisting technology to
only allow known good software and disallow anything else to run. I am sure it
has its caveats (trust me, we are implementing application whitelisting
now, and compared to IPS it's still got its pain points).

Although it's been fun reading the Malware Analyst's Cookbook and DVD; nice
insight into reverse-engineering malware and seeing what it does so you can
better protect your systems.

Keep your friends close and your enemies closer
EZ

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505




Re: Thought on malware cleaning

2011-07-13 Thread Steven Peck
We're using McAfee and ePO with over 5000 desktop systems, primarily
Windows XP with a few hundred Windows 7 systems, with Trend Micro on our
Exchange servers.  We do not whitelist/blacklist apps; we have a mix of
desktop and thin client apps.

We have not seen a rise in malware infections.  We have seen a rise in
phishing emails.  We have published compliance reports for both the server
and the desktop environments.  Anything out of compliance more than a few
days gets a ticket opened for a visit.

Steven

On Wed, Jul 13, 2011 at 8:12 PM, Harry Singh  wrote:

> It could just be late here on the east coast, but could you explain
> what you mean by "non-local areas"?
>
> Also, how are you preventing any .exe from running? GPO?
>
>
>
> On Wednesday, July 13, 2011,   wrote:
> > We redirect AppData, and any exes in non-local areas aren't allowed to
> > run. As is anything not owned by Administrators.
> > Sent from my POS BlackBerry wireless device, which may wipe itself at
> > any moment
> > From: Micheal Espinola Jr
> > Date: Wed, 13 Jul 2011 14:04:17 -0700
> > To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> > ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
> > Subject: Re: Thought on malware cleaning
> > I'm all for leaving it open.  But it should be checked by AV software and
> > related tools.  It's just common sense.  There is almost always infection
> > there.  There and some other common locations should be checked.  Any apps
> > present should be checked if they are signed, or have any company detail
> > (most/all are null).  And depending, then that should be scanned against the
> > registry.
> >
> > It's not rocket science, and it's not that resource intensive.  Especially
> > if we are talking about using an AV/AM app performing a system sweep.
> > --
> > Espi
> >
> > On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott
> > wrote:
> >
> > I’m not referring to whitelisting, which has its own set of issues.
> >
> > I’m talking about your suggestion of disallowing any .exe files in the
> root of AppData.
> >
> > From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> >
> > Sent: Wednesday, July 13, 2011 3:50 PM
> > To: NT System Admin Issues
> > Subject: Re: Thought on malware cleaning
> >
> > While I agree with whitelisting, and I believe it's a reasonable solution
> > at this point, the original intent of this post and what I am proposing
> > don't involve whitelisting.
> >
> > --
> > Espi
> >
> > On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott 
> wrote:
> >
> >
> > My point is that it's common simply because it's allowed. Disallowing
> > .exes to be stored would make it rare, but the .exes would just
> > have moved with no net gain. Or maybe I'm misunderstanding what you're
> > suggesting.
> >
> > From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> >
> > Sent: Wednesday, July 13, 2011 2:52 PM
> >
> >
> > To: NT System Admin Issues
> > Subject: Re: Thought on malware cleaning
> >
> >
> > That's not my solution.  My solution is to check these types of folders
> > and match against the registry.
> >
> > It's a very common occurrence in my experience, and would add lots of value
> > when they are found.
> >
> > --
> > Espi
> >
> > On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott 
> wrote:
> >
> > If the OS blocked .exe from the root of AppData, malware would just put
> > it in a subfolder. Your simple solution is only simple because
> > that's how Windows is designed. The overhead to block .exe in AppData
> > would take resources to code and test and would add virtually no value.
> >
> > From: Micheal Espinola Jr [mailto:
>

Re: Thought on malware cleaning

2011-07-13 Thread Harry Singh
It could just be late here on the east coast, but could you explain
what you mean by "non-local areas"?

Also, how are you preventing any .exe from running? GPO?



On Wednesday, July 13, 2011,   wrote:
> We redirect AppData, and any exes in non-local areas aren't allowed to
> run. As is anything not owned by Administrators.
> Sent from my POS BlackBerry wireless device, which may wipe itself at any
> moment
> From: Micheal Espinola Jr
> Date: Wed, 13 Jul 2011 14:04:17 -0700
> To: NT System Admin Issues
> ReplyTo: "NT System Admin Issues"
> Subject: Re: Thought on malware cleaning
> I'm all for leaving it open.  But it should be checked by AV software and
> related tools.  It's just common sense.  There is almost always infection
> there.  There and some other common locations should be checked.  Any apps
> present should be checked if they are signed, or have any company detail
> (most/all are null).  And depending, then that should be scanned against the
> registry.
>
> It's not rocket science, and it's not that resource intensive.  Especially if
> we are talking about using an AV/AM app performing a system sweep.
> --
> Espi
>
> On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott
> wrote:
>
> I’m not referring to whitelisting, which has its own set of issues.
>
> I’m talking about your suggestion of disallowing any .exe files in the root 
> of AppData.
>
> From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
>
> Sent: Wednesday, July 13, 2011 3:50 PM
> To: NT System Admin Issues
> Subject: Re: Thought on malware cleaning
>
> While I agree with whitelisting, and I believe it's a reasonable solution at
> this point, the original intent of this post and what I am proposing don't
> involve whitelisting.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott  
> wrote:
>
>
> My point is that it's common simply because it's allowed. Disallowing .exes to
> be stored would make it rare, but the .exes would just
> have moved with no net gain. Or maybe I'm misunderstanding what you're
> suggesting.
>
> From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
>
> Sent: Wednesday, July 13, 2011 2:52 PM
>
>
> To: NT System Admin Issues
> Subject: Re: Thought on malware cleaning
>
>
> That's not my solution.  My solution is to check these types of folders and
> match against the registry.
>
> It's a very common occurrence in my experience, and would add lots of value
> when they are found.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott  
> wrote:
>
> If the OS blocked .exe from the root of AppData, malware would just put it in
> a subfolder. Your simple solution is only simple because
> that's how Windows is designed. The overhead to block .exe in AppData would
> take resources to code and test and would add virtually no value.
>
> From: Micheal Espinola Jr [mailto:


Re: Thought on malware cleaning

2011-07-13 Thread kz20fl
We redirect AppData, and any exes in non-local areas aren't allowed to run. As 
is anything not owned by Administrators.

Sent from my POS BlackBerry  wireless device, which may wipe itself at any 
moment

-Original Message-
From: Micheal Espinola Jr 
Date: Wed, 13 Jul 2011 14:04:17 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: Re: Thought on malware cleaning

I'm all for leaving it open.  But it should be checked by AV software and
related tools.  It's just common sense.  There is almost always infection
there.  There and some other common locations should be checked.  Any apps
present should be checked if they are signed, or have any company detail
(most/all are null).  And depending, then that should be scanned against the
registry.

It's not rocket science, and it's not that resource intensive.  Especially if
we are talking about using an AV/AM app performing a system sweep.

--
Espi





On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott wrote:

> I'm not referring to whitelisting, which has its own set of issues.
>
> I'm talking about your suggestion of disallowing any .exe files in the root
> of AppData.
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 3:50 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
> While I agree with whitelisting, and I believe it's a reasonable solution at
> this point, the original intent of this post and what I am proposing don't
> involve whitelisting.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott 
> wrote:
>
> My point is that it's common simply because it's allowed. Disallowing .exes
> to be stored would make it rare, but the .exes would just have moved with no
> net gain. Or maybe I'm misunderstanding what you're suggesting.
>
>  
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:52 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>  
>
> That's not my solution.  My solution is to check these types of folders and
> match against the registry.
>
> It's a very common occurrence in my experience, and would add lots of value
> when they are found.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott 
> wrote:
>
> If the OS blocked .exe from the root of AppData, malware would just put it
> in a subfolder. Your simple solution is only simple because that's how
> Windows is designed. The overhead to block .exe in AppData would take
> resources to code and test and would add virtually no value.
>
>  
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:25 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>  
>
> Very true, but there are some very basic things that can be checked and have
> some very basic logic applied to take action on.  Why this isn't addressed is
> beyond me.  There are key folders that shouldn't have files in them, let
> alone executables.
>
> I agree with the concepts of whitelists.  But the issue I'm addressing
> specifically right now shouldn't need to involve it.
>
> --
>
> Espi
>
> On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward 
> wrote:
>
> Honestly, the malware game is like a big game of Whack-a-Mole; therefore
> there are always going to be "writeable" areas in the OS, even for the user,
> and the malware authors are using packing and anti-tampering methods that
> are evading most anti-virus vendors (the really targeted attacks), so it's
> a battle that is going to keep going on and on: just as soon as you block
> one method they come up with 3-5 more you haven't thought of.
>
>  
>
> The only suggestion would be a good application whitelisting technology to
> only allow known good software and disallow anything else to run. I am sure
> it has its caveats (trust me, we are implementing application
> whitelisting now, and compared to IPS it's still got its pain points).
>
>  
>
> Although it's been fun reading the Malware Analyst's Cookbook and DVD; nice
> insight into reverse-engineering malware and seeing what it does so you can
> better protect your systems.
>
>  
>
> Keep your friends close and your enemies closer
>
> EZ 
>
>  
>
> Ed

Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
I'm all for leaving it open.  But it should be checked by AV software and
related tools.  It's just common sense.  There is almost always infection
there.  There and some other common locations should be checked.  Any apps
present should be checked if they are signed, or have any company detail
(most/all are null).  And depending, then that should be scanned against the
registry.

It's not rocket science, and it's not that resource intensive.  Especially if
we are talking about using an AV/AM app performing a system sweep.

--
Espi





On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott wrote:

> I'm not referring to whitelisting, which has its own set of issues.
>
> I'm talking about your suggestion of disallowing any .exe files in the root
> of AppData.
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 3:50 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
> While I agree with whitelisting, and I believe it's a reasonable solution at
> this point, the original intent of this post and what I am proposing don't
> involve whitelisting.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott 
> wrote:
>
> My point is that it's common simply because it's allowed. Disallowing .exes
> to be stored would make it rare, but the .exes would just have moved with no
> net gain. Or maybe I'm misunderstanding what you're suggesting.
>
>  
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:52 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>  
>
> That's not my solution.  My solution is to check these types of folders and
> match against the registry.
>
> It's a very common occurrence in my experience, and would add lots of value
> when they are found.
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott 
> wrote:
>
> If the OS blocked .exe from the root of AppData, malware would just put it
> in a subfolder. Your simple solution is only simple because that's how
> Windows is designed. The overhead to block .exe in AppData would take
> resources to code and test and would add virtually no value.
>
>  
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:25 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
>  
>
> Very true, but there are some very basic things that can be checked and have
> some very basic logic applied to take action on.  Why this isn't addressed is
> beyond me.  There are key folders that shouldn't have files in them, let
> alone executables.
>
> I agree with the concepts of whitelists.  But the issue I'm addressing
> specifically right now shouldn't need to involve it.
>
> --
>
> Espi
>
> On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward 
> wrote:
>
> Honestly, the malware game is like a big game of Whack-a-Mole; therefore
> there are always going to be "writeable" areas in the OS, even for the user,
> and the malware authors are using packing and anti-tampering methods that
> are evading most anti-virus vendors (the really targeted attacks), so it's
> a battle that is going to keep going on and on: just as soon as you block
> one method they come up with 3-5 more you haven't thought of.
>
>  
>
> The only suggestion would be a good application whitelisting technology to
> only allow known good software and disallow anything else to run. I am sure
> it has its caveats (trust me, we are implementing application
> whitelisting now, and compared to IPS it's still got its pain points).
>
>  
>
> Although its been fun reading the Malware Analyst Cookbook and DVD, nice
> insight into reverse-engineering malware and seeing what it does so you can
> better protect your systems. 
>
>  
>
> Keep your friends close and your enemies closer****
>
> EZ 
>
>  
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Security Engineer
>
> Lifespan Organization
>
> Email:ezi...@lifespan.org
>
> Cell:401-639-3505
>
> [image: CISSP_logo]
>
>  
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:28 PM
> *To:* NT System Admin Issues
> *Sub

RE: Thought on malware cleaning

2011-07-13 Thread Crawford, Scott
I'm not referring to whitelisting, which has its own set of issues.

I'm talking about your suggestion of disallowing any .exe files in the root of 
AppData.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 3:50 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

While I agree with whitelisting, and I believe it's a reasonable solution at 
this point, the original intent of this post and what I am proposing don't 
involve whitelisting.

--
Espi





Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
While I agree with whitelisting, and I believe it's a reasonable solution at
this point, the original intent of this post and what I am proposing don't
involve whitelisting.

--
Espi





On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott wrote:

> My point is that it's common simply because it's allowed. Disallowing
> .exes to be stored would make it rare, but the .exes would just have moved
> with no net gain. Or maybe I'm misunderstanding what you're suggesting.

RE: Thought on malware cleaning

2011-07-13 Thread Crawford, Scott
My point is that it's common simply because it's allowed. Disallowing .exes to 
be stored would make it rare, but the .exes would just have moved with no net 
gain. Or maybe I'm misunderstanding what you're suggesting.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:52 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

That's not my solution.  My solution is to check these types of folders and 
match against the registry.

It's a very common occurrence in my experience, and would add lots of value when 
they are found.

--
Espi




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



Re: Thought on malware cleaning

2011-07-13 Thread James Kerr
That malware doesn't bother me; people bring me personal machines, which I
get to fix and make money on the side to fund my hobbies. :-)

James





Re: Thought on malware cleaning

2011-07-13 Thread Angus Scott-Fleming
On 13 Jul 2011 at 14:08, Erik Goldoff wrote:

> What I would like to see from the OS is something like a trimmed down
> version of UAC *just for the malware load points* !!! A permission /
> integrity monitor that prompts and/or logs whenever a RUN key is
> altered, whenever a scheduled task is created, whenever a link is
> added to the STARTUP group, etc ...

WinPatrol does this pretty well.  The basic one is free, even for commercial 
use, but it doesn't monitor the startup locations in real time.

http://www.winpatrol.com/morewhyplus.html#plus3
Advanced Examination of HIDDEN Registry Startup Keys (NOW 
FREE in Version 14)  

While programs like MSConfig will show you the standard 
Startup locations in Windows, we know there are other ways to 
launch programs without your knowledge. WinPatrol PLUS 
examines many alternate, more technically advanced locations. 
We've seen undesirable programs use these locations and even 
some of our friends in the security business now hide their 
programs there. WinPatrol PLUS will let you know about any 
changes to the following alternate startup keys.  

See:
WinPatrol Free vs PLUS
http://www.winpatrol.com/compare.html
and
WinPatrol Real-Time Infiltration Detection
http://www.winpatrol.com/rid.html

RID is NOT in the free version.

The non-free Plus version is currently on sale at 50% off, but I bought my 
licenses last year during his 99-cent sale ;-).  He offers discounts for 
quantity purchases.

HTH

Angus
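
The monitor Erik describes, quoted above, written out as a polling script. This is an added example for this page: it is not WinPatrol's code and was not posted in the thread. It assumes PowerShell 2.0 or later and English-language schtasks.exe output (the "TaskName" and "Task To Run" column names), and the snapshot file name (loadpoints.clixml under %ALLUSERSPROFILE%), the event source name (LoadPointWatch) and the function names are this example's own choices. The first run baselines the Run/RunOnce keys, both Startup folders and the scheduled-task list; every later run reports what was added, removed or changed since the previous snapshot.

```powershell
# Added example for this page: a polling load-point monitor, not WinPatrol and
# not posted in the thread.  Assumes PowerShell 2.0+ and English schtasks.exe
# output; the snapshot file and event-source names are our own choices.
param([string]$SnapshotPath = (Join-Path $env:ALLUSERSPROFILE 'loadpoints.clixml'))

function Get-LoadPointSnapshot {
    # Hashtable of "location|name" -> value, so two snapshots compare key by key.
    $snap = @{}

    # 1. Run/RunOnce keys: machine, current user, and the 32-bit view on x64.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }    # provider metadata, not values
            $snap["$key|$($p.Name)"] = [string]$p.Value
        }
    }

    # 2. Startup folders (per-user and common), found via the Shell Folders keys
    #    so the same code works on XP and 7.  Size and timestamp are recorded so
    #    a shortcut replaced in place still shows as a change.
    $shell = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $dirs = @(
        (Get-ItemProperty "HKCU:\$shell" -ErrorAction SilentlyContinue).Startup,
        (Get-ItemProperty "HKLM:\$shell" -ErrorAction SilentlyContinue).'Common Startup'
    )
    foreach ($dir in $dirs) {
        if (-not ($dir -and (Test-Path -LiteralPath $dir))) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            $snap["$dir|$($f.Name)"] = "$($f.Length) bytes, modified $($f.LastWriteTimeUtc.ToString('u'))"
        }
    }

    # 3. Scheduled tasks via schtasks.exe (XP Pro and later).  Windows 7 repeats
    #    the CSV header once per task folder; those rows are dropped.
    foreach ($t in (schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv)) {
        if ($t.TaskName -and $t.TaskName -ne 'TaskName') {
            $snap["schtasks|$($t.TaskName)"] = [string]$t.'Task To Run'
        }
    }
    $snap
}

function Compare-LoadPoints([hashtable]$Old, [hashtable]$New) {
    # One record per difference between two snapshots.
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) {
            New-Object PSObject -Property @{ Change = 'Added'; Entry = $k; Was = ''; Now = $New[$k] }
        } elseif ($Old[$k] -ne $New[$k]) {
            New-Object PSObject -Property @{ Change = 'Changed'; Entry = $k; Was = $Old[$k]; Now = $New[$k] }
        }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k)) {
            New-Object PSObject -Property @{ Change = 'Removed'; Entry = $k; Was = $Old[$k]; Now = '' }
        }
    }
}

$current = Get-LoadPointSnapshot
if (Test-Path -LiteralPath $SnapshotPath) {
    $previous = Import-Clixml -Path $SnapshotPath
    $diff = @(Compare-LoadPoints -Old $previous -New $current)
    if ($diff.Count -eq 0) {
        'No load-point changes since the last snapshot.'
    } else {
        $diff | Sort-Object Change, Entry | Format-Table Change, Entry, Was, Now -AutoSize -Wrap
        # Also land it in the Application log if the source was registered once
        # from an elevated prompt: New-EventLog -LogName Application -Source LoadPointWatch
        $canLog = $false
        try { $canLog = [Diagnostics.EventLog]::SourceExists('LoadPointWatch') } catch { }
        if ($canLog) {
            Write-EventLog -LogName Application -Source LoadPointWatch -EntryType Warning -EventId 1 `
                -Message (($diff | ForEach-Object { "$($_.Change): $($_.Entry) => $($_.Now)" }) -join "`n")
        }
    }
} else {
    "No previous snapshot; baselining to $SnapshotPath"
}
$current | Export-Clixml -Path $SnapshotPath
```

Run it from a scheduled task or logon script at whatever interval you can stand. Like the free WinPatrol it only sees changes between runs, so a task that installs, fires and removes itself inside one interval is missed; real-time prompting needs a WMI RegistryValueChangeEvent subscription or a filter driver, which this script does not attempt. The task that launches the script will itself appear in the snapshot, so baseline before scheduling it or expect that one "Added" line on the second run.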




Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
That's not my solution.  My solution is to check these types of folders and
match against the registry.

It's a very common occurrence in my experience, and would add lots of value
when they are found.

--
Espi





On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott wrote:

> If the OS blocked .exe from the root of AppData, malware would just put
> it in a subfolder. Your simple solution is only simple because that's how
> windows is designed. The overhead to block .exe in AppData would take
> resources to code and test and would add virtually no value.

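The check Espi describes (loose files in the application-data roots, matched against the Run keys), as an added example for this page; it is not his script and not any vendor's code. Folder and key names are the standard Windows ones; the output layout, the root/subfolder labels and the function names are this example's own, and it assumes PowerShell 2.0 or later. It also reports Run entries that point into a subfolder of those roots, since, as Crawford notes, a check that looks only at the root is trivially sidestepped.

```powershell
# Added example for this page: sweep the application-data roots for loose files
# and cross-reference the Run/RunOnce keys.  Not the original poster's script
# and not vendor code.  Assumes PowerShell 2.0+; output layout is our own.

function Get-AppDataRoots {
    # Folders that should hold only subfolders.  $env:ProgramData is Vista/7;
    # the Join-Path form is XP's "All Users\Application Data" (the post's
    # allusers\appdata).  Missing paths and the Vista/7 compatibility junctions
    # (reparse points with a deny-list ACL) are skipped.
    $candidates = @(
        $env:ProgramData,
        (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
        $env:APPDATA,
        $env:LOCALAPPDATA
    )
    $candidates | Where-Object {
        $_ -and (Test-Path -LiteralPath $_) -and
        -not ((Get-Item -LiteralPath $_ -Force -ErrorAction SilentlyContinue).Attributes -band
              [IO.FileAttributes]::ReparsePoint)
    } | Select-Object -Unique
}

function Get-LooseFiles {
    # Files (not subfolders) directly in each root, hidden ones included.
    foreach ($root in Get-AppDataRoots) {
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Root       = $root
                    Path       = $_.FullName
                    Bytes      = $_.Length
                    Executable = [bool]($_.Extension -match '^\.(exe|dll|scr|com|pif|bat|cmd|vbs|js)$')
                }
            }
    }
}

function Get-CommandTarget([string]$Command) {
    # Program path out of a Run value: the quoted first token, else everything
    # up to the first ".exe", else the first whitespace-delimited token.
    # Loaders (rundll32, regsvr32, wscript) come back as themselves; their
    # payload is in the arguments and is not resolved here.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { $path = $c.Substring(1, $end - 1) } else { $path = $c.Trim('"') }
    } elseif ($c -match '^(.+?\.exe)(\s|$)') {
        $path = $matches[1]
    } else {
        $path = ($c -split '\s+')[0]
    }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Get-RunEntries {
    # Run/RunOnce values for the machine and current user, plus the 32-bit view
    # on 64-bit Windows.  Provider metadata properties are skipped.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Target  = Get-CommandTarget ([string]$p.Value)
            }
        }
    }
}

function Find-SuspectRunEntries {
    # Run entries whose program lives under an application-data root, labelled
    # "root" (the post's case) or "subfolder" (the evasion Crawford expects),
    # plus whether the file is present right now; a dangling entry is still evidence.
    $roots = @(Get-AppDataRoots | ForEach-Object { $_.TrimEnd('\') })
    foreach ($e in Get-RunEntries) {
        foreach ($r in $roots) {
            if ($e.Target -and $e.Target.StartsWith($r + '\', [StringComparison]::OrdinalIgnoreCase)) {
                $rel   = $e.Target.Substring($r.Length + 1)
                $where = if ($rel -notmatch '\\') { 'root' } else { 'subfolder' }
                $e | Add-Member NoteProperty Location "$where of $r" -PassThru |
                     Add-Member NoteProperty Exists (Test-Path -LiteralPath $e.Target) -PassThru
                break
            }
        }
    }
}

'== Loose files in application-data roots =='
Get-LooseFiles | Format-Table Root, Path, Executable, Bytes -AutoSize
'== Run/RunOnce entries pointing into those roots =='
Find-SuspectRunEntries | Format-Table Key, Name, Location, Exists, Target -AutoSize -Wrap
```

Two caveats. On Vista and 7 the root of %LOCALAPPDATA% legitimately holds a hidden IconCache.db, so a non-executable hit there is baseline noise rather than an alert; the Executable column is there to separate the two. And the per-user roots and the HKCU keys resolve for the account running the script, so to triage another profile on the same box walk C:\Users\<name>\AppData (Documents and Settings on XP) directly and load that user's NTUSER.DAT under HKU before reading its Run key.
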
RE: Thought on malware cleaning

2011-07-13 Thread Crawford, Scott
If the OS blocked .exe from the root of AppData, malware would just put it in a 
subfolder. Your simple solution is only simple because that's how windows is 
designed. The overhead to block .exe in AppData would take resources to code 
and test and would add virtually no value.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:25 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

Very true, but there are some very basic things that can be checked and have some 
very basic logic applied to take action on.  Why this isn't addressed is beyond 
me.  There are key folders that shouldn't have files in them, let alone 
executables.

I agree with the concepts of whitelists.  But the issue I'm addressing 
specifically right now shouldn't need to involve it.

--
Espi





Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
Mostly XP (with new extended life-cycle!), but Vista and 7 as well.

--
Espi





On Wed, Jul 13, 2011 at 11:48 AM, Andrew S. Baker wrote:

> What OSes are you seeing this with, btw?
>
> ASB
> http://about.me/Andrew.S.Baker
> Harnessing the Advantages of Technology for the SMB market…


Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
Very true, but there are some very basic things that can be checked and have
some very basic logic applied to take action on.  Why this isn't addressed is
beyond me.  There are key folders that shouldn't have files in them, let
alone executables.

I agree with the concepts of whitelists.  But the issue I'm addressing
specifically right now shouldn't need to involve it.

--
Espi





On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward  wrote:

>  Honestly, the Malware game is like a big game of Whack-a-Mole, therefore
> there is always going to be “writeable” areas in the OS even for the user,
> and the malware authors are using packing and anti-tampering methods that
> are evading most anti-virus vendors (the really targeted attacks), so it’s
> a battle that is going to keep going on and on, just as soon as you block
> one method they come up with 3-5 more you haven’t thought of.
>
> The only suggestion would be a good Application White-listing technology to
> only allow known good software and disallow anything else to run. I am sure
> it has its caveats (trust me, we are implementing an application
> white-listing now, and compared to IPS it's still got its pain points.)
>
> Although it's been fun reading the Malware Analyst Cookbook and DVD, nice
> insight into reverse-engineering malware and seeing what it does so you can
> better protect your systems.
>
> Keep your friends close and your enemies closer
>
> EZ
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Security Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Cell: 401-639-3505
>
> *From:* Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> *Sent:* Wednesday, July 13, 2011 2:28 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Thought on malware cleaning
>
> To be addressed at a later date, yes.  ;-)
>
> --
> Espi
>
> On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff  wrote:
>
> and as to "Maybe I'm nuts." , isn't that a separate issue ???
>
> On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <
> michealespin...@gmail.com> wrote:
>
> Maybe I'm nuts.  Maybe I'm sick of dealing with malware.  But I have some
> very simple questions about things I almost ALWAYS see on infected systems.
> Perhaps someone here can clarify something for me that I have yet to see
> Microsoft and any antivirus vendor directly address.  I'm gonna start this
> with one point, and then how the conversation goes:
>
> I almost always see malware injection points in the allusers\appdata
> folder.  In these instances I *always* see a reference in one of the "run"
> registry keys.
>
> As far as I know, this top level appdata folder should NOT contain files at
> all.  I repeat: NO FILES AT F'ING ALL.
>
> Can someone confirm this?  Can someone with contacts at Microsoft or other
> AV providers confirm why this is completely overlooked when scanning?  This
> is where 0-day malware lives very commonly.  This is very easy to check!
>
> Thank you for your time and any vendor reach-outs you can provide.
>
> I'm currently working on a set of scripts to check what I consider very
> foolish things like this.  If anyone wants to team-up, please do.
>
> --
> Espi

RE: Thought on malware cleaning

2011-07-13 Thread Ziots, Edward
Honestly, the Malware game is like a big game of Whack-a-Mole, therefore
there is always going to be "writeable" areas in the OS even for the
user, and the malware authors are using packing and anti-tampering
methods that are evading most anti-virus vendors (the really targeted
attacks), so it's a battle that is going to keep going on and on, just
as soon as you block one method they come up with 3-5 more you haven't
thought of.

The only suggestion would be a good Application White-listing technology
to only allow known good software and disallow anything else to run. I
am sure it has its caveats (trust me, we are implementing an application
white-listing now, and compared to IPS it's still got its pain points.)

Although it's been fun reading the Malware Analyst Cookbook and DVD, nice
insight into reverse-engineering malware and seeing what it does so you
can better protect your systems.

Keep your friends close and your enemies closer

EZ

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505


Re: Thought on malware cleaning

2011-07-13 Thread Andrew S. Baker
What OSes are you seeing this with, btw?

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market…




Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
It's been a while for me, but I'm re-investigating the ability to lock down
these folders at certain "generic" levels without interfering with things
too much.

Better still I think (because there will always be misconfigured systems),
I'm working on something to check these things, match to the registry, and
kill, delete, etc.

Oh, and BTW, if it's never come across in my previous posts: I detest IE.
Yes, newer versions are better.  Don't care at this point.  :-)

--
Espi






Re: Thought on malware cleaning

2011-07-13 Thread Harry Singh
What have you been using to remove the malware? The support team here have
been dealing with increased occurrences more frequently, even with the
machines being patched and the logged on users having the bare minimum of
permissions. I don't have any whitelisting software or any GPOs that lock
down specific folders yet. I wondered if this was even viable considering
applications' reliance on APPDATA.





Re: Thought on malware cleaning

2011-07-13 Thread Kurt Buff
Oh, no - I think you should rewrite it in powershell...

Heh.

Seriously though, this looks like a good project.




Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
To be addressed at a later date, yes.  ;-)

--
Espi






Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
Exactly.  And that's what I'm starting to pull together.  I'm really fed up
with this nonsense.

--
Espi






Re: Thought on malware cleaning

2011-07-13 Thread Micheal Espinola Jr
That's certainly helpful, thank you.  I had forgotten about that script.  It
may have reusable code.

--
Espi






Re: Thought on malware cleaning

2011-07-13 Thread Erik Goldoff
and as to "Maybe I'm nuts." , isn't that a separate issue ??? 


Re: Thought on malware cleaning

2011-07-13 Thread Erik Goldoff
What I would like to see from the OS is something like a trimmed down
version of UAC *just for the malware load points* !!!
A permission / integrity monitor that prompts and/or logs whenever a RUN key
is altered, whenever a scheduled task is created, whenever a link is added
to the STARTUP group, etc ...

and it would be great if all the antimalware vendors' software could read
these load points, parse out the potentially infectious files (exe, dll,
etc) and quick scan just those.


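The check Espi says he is scripting (files sitting directly in the all-users AppData folder, cross-checked against the Run keys) together with the load-point reporting Erik asks for, as an added PowerShell example that is not code from anyone on this thread. It reports and never deletes; it assumes PowerShell 2.0 or later, the Run/RunOnce key paths listed in it, and that desktop.ini is the only file expected in that folder (as Jeff reports), and it leaves other users' hives, scheduled tasks and the Startup folder out.

```powershell
# Added example, not code from the thread: report-only check for files sitting
# directly in the all-users AppData root and for Run/RunOnce values that launch
# from there or point at a file that no longer exists. Nothing is killed or
# deleted. Assumes PowerShell 2.0 or later; run elevated so HKLM and the folder
# are fully readable.

# "allusers\appdata": C:\ProgramData on Vista and later,
# C:\Documents and Settings\All Users\Application Data on XP.
$root = [Environment]::GetFolderPath('CommonApplicationData').TrimEnd('\')

# Load points covered. Other users' HKCU hives (under HKU:\), scheduled tasks
# and the Startup folder are not checked here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Matches a program file that sits directly in $root (no subfolder) anywhere in
# a command line, e.g. rundll32.exe "C:\ProgramData\x.dll",Entry
$rootFilePattern = [regex]::Escape($root) + '\\[^\\"]+\.(exe|dll|scr|com|bat|cmd|vbs|js)\b'

function Get-RunTarget {
    # Pull the program path out of a Run value, which may be quoted, may carry
    # arguments and may use environment variables.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path with spaces and no arguments, else the first token is the program.
    if (Test-Path -LiteralPath $cmd) { return $cmd }
    return ($cmd -split ' ', 2)[0]
}

function New-Finding {
    param([string]$Kind, [string]$Where, [string]$Detail)
    New-Object PSObject -Property @{ Finding = $Kind; Location = $Where; Detail = $Detail }
}

# Check 1: files directly in the all-users AppData root. desktop.ini is the one
# file reported on the thread as legitimately present there.
Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
    Where-Object { (-not $_.PSIsContainer) -and ($_.Name -ne 'desktop.ini') } |
    ForEach-Object {
        New-Finding 'FileInCommonAppDataRoot' $_.FullName "size=$($_.Length) modified=$($_.LastWriteTime)"
    }

# Check 2: Run/RunOnce values that launch something from that root, or whose
# program file is gone (a typical leftover after a partial clean-up).
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ...
        $value = [string]$prop.Value
        if ($value.Trim().Length -eq 0) { continue }
        $where  = "$key\$($prop.Name)"
        $target = Get-RunTarget -Command $value

        if ($value -match $rootFilePattern) {
            New-Finding 'RunValueLaunchesFromCommonAppDataRoot' $where $value
        }
        # Judge "missing" only when a directory was given; a bare name such as
        # rundll32.exe is resolved through PATH by the loader, not by this script.
        if (($target -match '\\') -and -not (Test-Path -LiteralPath $target)) {
            New-Finding 'RunValueTargetMissing' $where $value
        }
    }
}
```

Pipe the output to Export-Csv or a log file from a scheduled task to get the "logs whenever a RUN key is altered" behaviour Erik describes, by diffing successive runs.
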
Re: Thought on malware cleaning

2011-07-13 Thread Jeff Bunting
There's a desktop.ini file in mine but no other ones.

You might be interested in taking a look at the VB script here, which I've
found to be useful:
http://www.silentrunners.org/


There is a list of launch points the script checks, notated with which OS
they are applicable to on the web site.

Jeff
