RE: Thought on malware cleaning
Humm, I sense POSTAL Epic Fail… Don’t go off the deep end, Espi. You can’t stop everything, and you can’t stop the users from going to bad sites or getting owned in some cases. We all know that technical controls don’t solve personal behavior issues.

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: MMF [mailto:mmfree...@ameritech.net]
Sent: Tuesday, July 19, 2011 5:48 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

Don’t hold back :)

MMF

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Tuesday, July 19, 2011 3:15 PM
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Subject: Re: Thought on malware cleaning

On that note, I'm going to go on my lunch break now. Here's what I'll do: I'm going to close my eyes and walk in the direction of my car. Screw anything I walk into, because logically there should be doors that automatically open in the direction I need to go. Screw how things currently exist, because I think I know how they should exist for me. Because I know better. Better than anyone else. All must bend to my will. And whatever people do now, they will change on the drop of a dime at my request. Because user [re]education is akin to waving a magic wand. What I say goes. The world will fall in line. If I bang my face into a wall along the way - screw it. I'll just keep doing it until someone comes along and changes something to be how I want it. Sounds perfectly reasonable...

-- Espi

On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Well that's f'ing helpful. Good luck on educating the planet with a more logical course of action. Let us know how that works out for you!

-- Espi

On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: Thought on malware cleaning
Wait, I thought a clue-x-four with a nail on the user side daily would help mitigate those issues, if not put a stop to them?

Jon

On Wed, Jul 20, 2011 at 11:01 AM, Ziots, Edward ezi...@lifespan.org wrote:
Humm, I sense POSTAL Epic Fail… Don’t go off the deep end, Espi. You can’t stop everything, and you can’t stop the users from going to bad sites or getting owned in some cases. We all know that technical controls don’t solve personal behavior issues.

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: MMF [mailto:mmfree...@ameritech.net]
Sent: Tuesday, July 19, 2011 5:48 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

Don’t hold back :)

MMF

From: Micheal Espinola Jr michealespin...@gmail.com
Sent: Tuesday, July 19, 2011 3:15 PM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: Thought on malware cleaning

On that note, I'm going to go on my lunch break now. Here's what I'll do: I'm going to close my eyes and walk in the direction of my car. Screw anything I walk into, because logically there should be doors that automatically open in the direction I need to go. Screw how things currently exist, because I think I know how they should exist for me. Because I know better. Better than anyone else. All must bend to my will. And whatever people do now, they will change on the drop of a dime at my request. Because user [re]education is akin to waving a magic wand. What I say goes. The world will fall in line. If I bang my face into a wall along the way - screw it. I'll just keep doing it until someone comes along and changes something to be how I want it. Sounds perfectly reasonable...

-- Espi

On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Well that's f'ing helpful. Good luck on educating the planet with a more logical course of action. Let us know how that works out for you!

-- Espi

On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben
Re: Thought on malware cleaning
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs. I think we are all painfully aware that malware detection must go beyond the basic signature match. Malware and exploits follow a logic process/path. We should also be looking to follow that path in the detection process.

I think it's high time that we get away from this stagnant idea of how AV/AM software works. It didn't work for spam. It doesn't work for malware.

I personally don't see how the points I have individually raised here would have a negative or detrimental effect on the scanning process. The footprint is small, and the verification time should be quite limited.

-- Espi

On Mon, Jul 18, 2011 at 2:48 PM, Stu Sjouwerman s...@sunbelt-software.com wrote:
OK, I just could not stay out of this one. Something like 60-70% of these infections are caused by social engineering, so why not prevent this from happening in the first place? Train those users within an inch of their life so that they will have nightmares even contemplating clicking on something they should not.

Cybercrime is accelerating; check out the sophistication level of the current fifth generation.
http://www.knowbe4.com/resources/five-generations-of-cybercrime/

Warm regards,

Stu

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 1:12 PM
To: NT System Admin Issues
Subject: Thought on malware cleaning

Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft and any antivirus vendor directly address.

I'm gonna start this with one point, and then see how the conversation goes:

I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the run registry keys. As far as I know, this top level appdata folder should NOT contain files at all. I repeat: NO FILES AT F'ING ALL. Can someone confirm this?

Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is where 0-day malware lives very commonly. This is very easy to check!

Thank you for your time and any vendor reach-outs you can provide. I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team up, please do.

-- Espi
Re: Thought on malware cleaning
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben
Re: Thought on malware cleaning
Well that's f'ing helpful. Good luck on educating the planet with a more logical course of action. Let us know how that works out for you!

-- Espi

On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben
Re: Thought on malware cleaning
On that note, I'm going to go on my lunch break now. Here's what I'll do: I'm going to close my eyes and walk in the direction of my car. Screw anything I walk into, because logically there should be doors that automatically open in the direction I need to go. Screw how things currently exist, because I think I know how they should exist for me. Because I know better. Better than anyone else. All must bend to my will. And whatever people do now, they will change on the drop of a dime at my request. Because user [re]education is akin to waving a magic wand. What I say goes. The world will fall in line. If I bang my face into a wall along the way - screw it. I'll just keep doing it until someone comes along and changes something to be how I want it. Sounds perfectly reasonable...

-- Espi

On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Well that's f'ing helpful. Good luck on educating the planet with a more logical course of action. Let us know how that works out for you!

-- Espi

On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben
Re: Thought on malware cleaning
Just be glad that I am not the person to come and help you when you run into a wall. I'll just point you into another wall, or worse, a hallway plant of some sort, and watch you fall down, hoping that the floor will 'give way to your will', and watch you either fall flat on your face, or go through the floor, then through the building, and hopefully land on some solid ground, somewhere.

I would suggest that you at least open your eyes and walk confidently to the exit. You have a much better chance of getting to your car and leaving in a timely manner, rather than walking around the office like a blind lemming. :O

But, that's just me. :)

On Tue, Jul 19, 2011 at 4:15 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
On that note, I'm going to go on my lunch break now. Here's what I'll do: I'm going to close my eyes and walk in the direction of my car. Screw anything I walk into, because logically there should be doors that automatically open in the direction I need to go. Screw how things currently exist, because I think I know how they should exist for me. Because I know better. Better than anyone else. All must bend to my will. And whatever people do now, they will change on the drop of a dime at my request. Because user [re]education is akin to waving a magic wand. What I say goes. The world will fall in line. If I bang my face into a wall along the way - screw it. I'll just keep doing it until someone comes along and changes something to be how I want it. Sounds perfectly reasonable...

-- Espi

On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Well that's f'ing helpful. Good luck on educating the planet with a more logical course of action. Let us know how that works out for you!

-- Espi

On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben
Re: Thought on malware cleaning
On Tue, Jul 19, 2011 at 4:01 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.
Hammer myopia.
Well that's f'ing helpful.

You asked why. Not my fault you assumed there was a *good* reason. :)

In general, if something seems to be suboptimal, I find "the world is full of incompetent people" is a safe bet for the answer.

-- Ben
RE: Thought on malware cleaning
Good luck with that…. And really, good luck on your *stated* quest. Please keep me in the loop on your findings. Layered security usually proves better, and you seem to be hunting for that as-yet-ignored layer.

Erik Goldoff
IT Consultant
Systems, Networks, Security
'Security is an ongoing process, not a one time event!'

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Tuesday, July 19, 2011 4:16 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

On that note, I'm going to go on my lunch break now. Here's what I'll do: I'm going to close my eyes and walk in the direction of my car. Screw anything I walk into, because logically there should be doors that automatically open in the direction I need to go. Screw how things currently exist, because I think I know how they should exist for me. Because I know better. Better than anyone else. All must bend to my will. And whatever people do now, they will change on the drop of a dime at my request. Because user [re]education is akin to waving a magic wand. What I say goes. The world will fall in line. If I bang my face into a wall along the way - screw it. I'll just keep doing it until someone comes along and changes something to be how I want it. Sounds perfectly reasonable...

-- Espi

On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Well that's f'ing helpful. Good luck on educating the planet with a more logical course of action. Let us know how that works out for you!

-- Espi

On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben
Re: Thought on malware cleaning
Don’t hold back :)

MMF

From: Micheal Espinola Jr
Sent: Tuesday, July 19, 2011 3:15 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

On that note, I'm going to go on my lunch break now. Here's what I'll do: I'm going to close my eyes and walk in the direction of my car. Screw anything I walk into, because logically there should be doors that automatically open in the direction I need to go. Screw how things currently exist, because I think I know how they should exist for me. Because I know better. Better than anyone else. All must bend to my will. And whatever people do now, they will change on the drop of a dime at my request. Because user [re]education is akin to waving a magic wand. What I say goes. The world will fall in line. If I bang my face into a wall along the way - screw it. I'll just keep doing it until someone comes along and changes something to be how I want it. Sounds perfectly reasonable...

-- Espi

On Tue, Jul 19, 2011 at 1:01 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Well that's f'ing helpful. Good luck on educating the planet with a more logical course of action. Let us know how that works out for you!

-- Espi

On Tue, Jul 19, 2011 at 12:44 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Jul 19, 2011 at 3:02 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:
While I agree with your sentiment wholeheartedly, I still wonder why antimalware software isn't performing the most basic of checks for common infection breadcrumbs.

Hammer myopia. (When all you have is a hammer, everything starts to look like a nail.)

-- Ben
RE: Thought on malware cleaning
OK, I just could not stay out of this one. Something like 60-70% of these infections are caused by social engineering, so why not prevent this from happening in the first place? Train those users within an inch of their life so that they will have nightmares even contemplating clicking on something they should not.

Cybercrime is accelerating; check out the sophistication level of the current fifth generation.
http://www.knowbe4.com/resources/five-generations-of-cybercrime/

Warm regards,

Stu

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 1:12 PM
To: NT System Admin Issues
Subject: Thought on malware cleaning

Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft and any antivirus vendor directly address.

I'm gonna start this with one point, and then see how the conversation goes:

I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the run registry keys. As far as I know, this top level appdata folder should NOT contain files at all. I repeat: NO FILES AT F'ING ALL. Can someone confirm this?

Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is where 0-day malware lives very commonly. This is very easy to check!

Thank you for your time and any vendor reach-outs you can provide. I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team up, please do.

-- Espi
RE: Thought on malware cleaning
Surely all AV tools do on-access scanning. So it doesn't matter where the file is; when it's accessed, it will be scanned.

And whilst there might not be any files there today, unless Microsoft writes something on MSDN telling developers that no files should be there, then it's entirely legitimate for vendors to put files there down the track.

Cheers
Ken

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Thursday, 14 July 2011 5:04 AM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

I'm all for leaving it open. But it should be checked by AV software and related tools. It's just common sense. There is almost always infection there. There and some other common locations should be checked. Any apps present should be checked if they are signed. Or have any company detail (most/all are null). And depending, then that should be scanned against the registry.

It's not rocket science, and it's not that resource intensive. Especially if we are talking about using an AV/AM app performing a system sweep.

-- Espi

On Wed, Jul 13, 2011 at 1:55 PM, Crawford, Scott crawfo...@evangel.edu wrote:
I'm not referring to whitelisting, which has its own set of issues. I'm talking about your suggestion of disallowing any .exe files in the root of AppData.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 3:50 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

While I agree with whitelisting, and I believe it's a reasonable solution at this point, the original intent of this post and what I am proposing don't involve whitelisting.

-- Espi

On Wed, Jul 13, 2011 at 1:40 PM, Crawford, Scott crawfo...@evangel.edu wrote:
My point is that it's common simply because it's allowed. Disallowing .exes to be stored would make it rare, but the .exes would just have moved with no net gain.

Or maybe I'm misunderstanding what you're suggesting.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:52 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

That's not my solution. My solution is to check these types of folders and match against the registry. It's a very common occurrence in my experience, and would add lots of value when they are found.

-- Espi

On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott crawfo...@evangel.edu wrote:
If the OS blocked .exe from the root of AppData, malware would just put it in a subfolder. Your simple solution is only simple because that's how Windows is designed. The overhead to block .exe in AppData would take resources to code and test and would add virtually no value.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:25 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

Very true, but there are some very basic things that can be checked and have some very basic logic applied to take action on. Why this isn't addressed is beyond me. There are key folders that shouldn't have files in them, let alone executables.

I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldn't need to involve it.

-- Espi

On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward ezi...@lifespan.org wrote:
Honestly, the Malware game is like a big game of Whack-a-Mole, therefore there are always going to be writable areas in the OS even for the user, and the malware authors are using packing and anti-tampering methods that are evading most anti-virus vendors (the really targeted attacks), so it's a battle that is going to keep going on and on; just as soon as you block one method they come up with 3-5 more you haven't thought of.

The only suggestion would be a good Application White-listing technology to only allow known good software and disallow anything else to run. I am sure it has its caveats (Trust me, we are implementing application white-listing now, and compared to IPS it's still got its pain points.)

Although it's been fun reading the Malware Analyst Cookbook and DVD, nice insight into reverse-engineering malware and seeing what it does so you can better protect your systems.

Keep your friends close and your enemies closer

EZ

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505
Re: Thought on malware cleaning
Anything that is a network drive or UNC path is disallowed by default. As is anything not owned by the local Admins group. We do this with AppSense Application Management. We call it AppLocker on steroids. It supports a vast amount of trigger conditions and actions, and gives you a level of granularity and control that you can't get with standard policy objects or software restrictions.

Disclaimer: I am an AppSense bigot, now that I'm qualified in it :-)

On 14 July 2011 04:12, Harry Singh <hbo...@gmail.com> wrote:

It could just be late here on the east coast, but could you explain what you mean by non-local areas? Also, how are you preventing any .exe from running? GPO?

On Wednesday, July 13, 2011, kz2...@googlemail.com wrote:

We redirect AppData, and any exes in non-local areas aren't allowed to run. As is anything not owned by Administrators.

Sent from my POS BlackBerry wireless device, which may wipe itself at any moment

From: Micheal Espinola Jr <michealespin...@gmail.com>
Date: Wed, 13 Jul 2011 14:04:17 -0700
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: Thought on malware cleaning

--
On two occasions... I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
RE: Thought on malware cleaning
And it's not only .EXE files that contain executable code; a lot of the time it's PDFs and Word documents with embedded code, or links to download the malicious code. But in the end it's all about controlling executable code, whatever form it is in.

Z

Edward E. Ziots

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Wednesday, July 13, 2011 4:41 PM
To: NT System Admin Issues
Subject: RE: Thought on malware cleaning

My point is that it's common simply because it's allowed. Disallowing .exes to be stored would make it rare, but the .exes would just have moved with no net gain.

Or maybe I'm misunderstanding what you're suggesting.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:28 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

To be addressed at a later date, yes. ;-)

-- Espi

On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <egold...@gmail.com> wrote:

And as to "Maybe I'm nuts", isn't that a separate issue??? *grin*

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:

Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft or any antivirus vendor directly address.

I'm gonna start this with one point, and then see how the conversation goes: I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the Run registry keys. As far as I know, this top-level appdata folder should NOT contain files at all. I repeat: NO FILES AT F'ING ALL. Can someone confirm this? Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is where 0-day malware very commonly lives. This is very easy to check!

Thank you for your time and any vendor reach-outs you can provide. I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team up, please do.

-- Espi
Re: Thought on malware cleaning
AppSense blocks certain PDFs, DLLs and all sorts of other executable stuff in its default configuration as well. I can see this from the Denied alerts that we get whenever something is prevented from executing. It must have some form of detection for this, because most PDFs, for instance, are allowed to run. It certainly makes me feel quite a bit more at ease, as I can see it stopping all the stupid things users are trying to run.

As I said before though, I'm biased.

On 14 July 2011 12:48, Ziots, Edward <ezi...@lifespan.org> wrote:

And it's not only .EXE files that contain executable code; a lot of the time it's PDFs and Word documents with embedded code, or links to download the malicious code. But in the end it's all about controlling executable code, whatever form it is in.

Z

Edward E. Ziots
Re: Thought on malware cleaning
There's a desktop.ini file in mine but no other ones. You might be interested in taking a look at the VB script here, which I've found to be useful: http://www.silentrunners.org/ There is a list of launch points the script checks, notated with which OS they are applicable to, on the web site.

Jeff

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:
Re: Thought on malware cleaning
What I would like to see from the OS is something like a trimmed-down version of UAC *just for the malware load points*!!! A permission/integrity monitor that prompts and/or logs whenever a RUN key is altered, whenever a scheduled task is created, whenever a link is added to the STARTUP group, etc. ... and it would be great if all the antimalware vendors' software could read these load points, parse out the potentially infectious files (exe, dll, etc.) and quick-scan just those.

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:
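Erik's load-point idea and Espi's AppData-root check, combined into one PowerShell script added here as an example (not any poster's script and not the silentrunners.org script): it is a point-in-time sweep rather than a live monitor, walks the Run/RunOnce keys and Startup folders, resolves the file each entry launches, flags anything sitting directly in the ProgramData or AppData root, and records Authenticode status and company detail. The key list, folder list and the "Suspicious" rule are this example's assumptions.

```powershell
# Added example: audit autorun load points and the data-folder roots.
# Key list and folder list are assumptions for illustration, not a complete set.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders whose top level should hold no loose executables (subfolders are normal).
# CommonApplicationData is C:\ProgramData, the old "All Users\Application Data".
$suspectRoots = @(
    [Environment]::GetFolderPath('CommonApplicationData'),
    $env:APPDATA,
    $env:LOCALAPPDATA
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CommandPath {
    # Extract the program path from a Run-value command line (quoted or unquoted).
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted paths may contain spaces: grow the candidate token by token
    # until it names an existing file.
    $tokens = $cl -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Test-InSuspectRoot {
    # True only when the parent directory IS one of the roots, not a subfolder of it.
    param([string]$Path)
    $dir = Split-Path -Path $Path -Parent
    if (-not $dir) { return $false }
    foreach ($root in $suspectRoots) {
        if ($dir.TrimEnd('\') -ieq $root) { return $true }
    }
    return $false
}

function Get-AutorunFindings {
    # One record per load-point entry: source, target file, and the signature /
    # company evidence the thread asks AV to look at.
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $entries += [pscustomobject]@{ Source = "$key\$($p.Name)"; Path = Get-CommandPath ([string]$p.Value) }
        }
    }
    # Startup folders are a load point too: every file there is launched at logon.
    foreach ($sf in @('Startup', 'CommonStartup')) {
        $folder = [Environment]::GetFolderPath($sf)
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
            $entries += [pscustomobject]@{ Source = "StartupFolder:$sf"; Path = $f.FullName }
        }
    }
    foreach ($e in $entries) {
        $exists  = Test-Path -LiteralPath $e.Path -PathType Leaf
        $sig     = $null
        $company = $null
        if ($exists) {
            $sig     = (Get-AuthenticodeSignature -FilePath $e.Path).Status
            $company = (Get-Item -LiteralPath $e.Path).VersionInfo.CompanyName
        }
        $inRoot = Test-InSuspectRoot -Path $e.Path
        [pscustomobject]@{
            Source        = $e.Source
            Path          = $e.Path
            Exists        = $exists
            InSuspectRoot = $inRoot
            Signature     = $sig
            Company       = $company
            # Flag: launched from a data root, or present but unsigned with no company detail.
            Suspicious    = $inRoot -or ($exists -and $sig -ne 'Valid' -and [string]::IsNullOrWhiteSpace($company))
        }
    }
}

function Get-LooseRootFiles {
    # The other half of the check: loose files in the roots themselves.
    # desktop.ini is the one resident a clean machine is expected to have.
    foreach ($root in $suspectRoots) {
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ine 'desktop.ini' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-AutorunFindings | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Get-LooseRootFiles | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the common Startup folder are readable; a flagged entry is a lead to examine, not a verdict, since legitimate updaters also run unsigned helpers.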
Re: Thought on malware cleaning
And as to "Maybe I'm nuts", isn't that a separate issue??? *grin*

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:
Re: Thought on malware cleaning
That's certainly helpful, thank you. I had forgotten about that script. It may have reusable code.

-- Espi

On Wed, Jul 13, 2011 at 10:53 AM, Jeff Bunting <bunting.j...@gmail.com> wrote:
Re: Thought on malware cleaning
Exactly. And that's what I'm starting to pull together. I'm really fed up with this nonsense.

-- Espi

On Wed, Jul 13, 2011 at 11:08 AM, Erik Goldoff <egold...@gmail.com> wrote:
Re: Thought on malware cleaning
To be addressed at a later date, yes. ;-)

-- Espi

On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <egold...@gmail.com> wrote:
Re: Thought on malware cleaning
Oh, no - I think you should rewrite it in PowerShell... Heh.

Seriously though, this looks like a good project.

On Wed, Jul 13, 2011 at 11:18, Micheal Espinola Jr <michealespin...@gmail.com> wrote:
Re: Thought on malware cleaning
What have you been using to remove the malware? The support team here have been dealing with increased occurrences more frequently, even with the machines being patched and the logged-on users having the bare minimum of permissions. I don't have any whitelisting software or any GPOs that lock down specific folders yet. I wondered if this was even viable considering applications' reliance on APPDATA.

On Wed, Jul 13, 2011 at 2:28 PM, Micheal Espinola Jr michealespin...@gmail.com wrote: To be addressed at a later date, yes. ;-) -- Espi

On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff egold...@gmail.com wrote: and as to "Maybe I'm nuts.", isn't that a separate issue ??? grin

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr michealespin...@gmail.com wrote: [...]
Re: Thought on malware cleaning
It's been a while for me, but I'm re-investigating the ability to lock down these folders at certain generic levels without interfering with things too much. Better still, I think (because there will always be misconfigured systems), I'm working on something to check these things, match to the registry, and kill, delete, etc. Oh, and BTW, if it's never come across in my previous posts: I detest IE. Yes, newer versions are better. Don't care at this point. :-) -- Espi

On Wed, Jul 13, 2011 at 11:33 AM, Harry Singh hbo...@gmail.com wrote: [...]
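The check Espi describes above (files sitting directly in the all-users application-data root, cross-referenced against the Run keys) can be scripted in a few lines. The following is an added example, not Espi's script or anything posted to the list. It assumes Windows PowerShell 2.0 or later; the folder comes from the ProgramData environment variable on Vista/7 and falls back to "All Users\Application Data" on XP, where that variable is absent. The list of Run/RunOnce keys, the allow-list of expected root files (desktop.ini is a hidden system file Windows itself keeps there, as Jeff's reply notes), and the "strong/weak" verdict labels are my own choices. The script reports and does not delete anything; a name-only match is flagged separately because a Run value that references a file by bare name or via a different path is a weaker signal than a full-path match.

```powershell
# Added example (not from the thread): list files in the root of the all-users
# application-data folder and correlate them with Run/RunOnce registry values.
# Assumptions: the paths, key list and allow-list below are mine; adjust as needed.

# Root of the all-users application-data folder: ProgramData on Vista/7,
# "All Users\Application Data" on XP (where $env:ProgramData does not exist).
$allUsersAppData = if ($env:ProgramData) { $env:ProgramData }
                   else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }

# Files that legitimately live directly in this folder (lower-case names).
$expectedRootFiles = @('desktop.ini')

# Autostart keys to correlate against. Wow6432Node only exists on 64-bit;
# Test-Path skips keys that are absent on a given OS.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    # One object per value under each Run/RunOnce key, with %VARS% expanded
    # so a value written as %ProgramData%\x.exe still matches the real path.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            }
        }
    }
}

function Get-AppDataRootFiles {
    # Files (not folders) directly in the root, hidden ones included,
    # minus the allow-listed names.
    Get-ChildItem -Path $allUsersAppData -Force |
        Where-Object { -not $_.PSIsContainer -and
                       $expectedRootFiles -notcontains $_.Name.ToLower() }
}

$entries = @(Get-RunKeyEntries)

foreach ($file in Get-AppDataRootFiles) {
    # Full-path match: the Run value points straight at this file (strong signal).
    $byPath = @($entries | Where-Object { $_.Command -match [regex]::Escape($file.FullName) })
    # Name-only match: same file name somewhere in a Run value (weaker signal).
    $byName = @($entries | Where-Object { $_.Command -match [regex]::Escape($file.Name) })

    $verdict = if ($byPath.Count -gt 0)     { 'STRONG: referenced by full path in a Run key' }
               elseif ($byName.Count -gt 0) { 'WEAK: file name appears in a Run key' }
               else                         { 'no Run key reference (still unexpected here)' }

    New-Object PSObject -Property @{
        File          = $file.FullName
        SizeBytes     = $file.Length
        LastWriteUtc  = $file.LastWriteTimeUtc
        Verdict       = $verdict
        RunReferences = ($byPath + $byName | Select-Object -Unique |
                         ForEach-Object { "$($_.Key)\$($_.Name) = $($_.Command)" }) -join '; '
    } | Select-Object File, SizeBytes, LastWriteUtc, Verdict, RunReferences
}
```

Run it as an administrator so the HKLM keys and hidden files are readable, and pipe the output to Format-List or Export-Csv for a fleet-wide sweep. Any file the script lists deserves a look even without a Run reference, since the thread's point is that this folder should not hold loose files at all; the Run-key correlation just tells you which ones are already wired up to start.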
Re: Thought on malware cleaning
What OSes are you seeing this with, btw?

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market…

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr michealespin...@gmail.com wrote: [...]
RE: Thought on malware cleaning
Honestly, the malware game is like a big game of Whack-a-Mole; therefore there are always going to be "writeable" areas in the OS, even for the user, and the malware authors are using packing and anti-tampering methods that are evading most anti-virus vendors (the really targeted attacks), so it's a battle that is going to keep going on and on; just as soon as you block one method they come up with 3-5 more you haven't thought of.

The only suggestion would be a good application whitelisting technology to only allow known-good software and disallow anything else to run. I am sure it has its caveats (trust me, we are implementing application whitelisting now, and compared to IPS it's still got its pain points).

Although it's been fun reading the Malware Analyst's Cookbook and DVD, nice insight into reverse-engineering malware and seeing what it does so you can better protect your systems.

Keep your friends close and your enemies closer. EZ

Edward E. Ziots CISSP, Network +, Security + Security Engineer Lifespan Organization Email:ezi...@lifespan.org Cell:401-639-3505

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 13, 2011 2:28 PM To: NT System Admin Issues Subject: Re: Thought on malware cleaning To be addressed at a later date, yes. ;-) -- Espi

On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff egold...@gmail.com wrote: [...]
Re: Thought on malware cleaning
Very true, but there are some very basic things that can be checked and have some very basic logic applied to take action on. Why this isn't addressed is beyond me. There are key folders that shouldn't have files in them, let alone executables. I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldn't need to involve it. -- Espi

On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward ezi...@lifespan.org wrote: [...]
Re: Thought on malware cleaning
Mostly XP (with new extended life-cycle!), but Vista and 7 as well. -- Espi

On Wed, Jul 13, 2011 at 11:48 AM, Andrew S. Baker asbz...@gmail.com wrote: What OSes are you seeing this with, btw? [...]
RE: Thought on malware cleaning
If the OS blocked .exe from the root of AppData, malware would just put it in a subfolder. Your simple solution is only simple because that's how Windows is designed. The overhead to block .exe in AppData would take resources to code and test and would add virtually no value.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 13, 2011 2:25 PM To: NT System Admin Issues Subject: Re: Thought on malware cleaning Very true, but there are some very basic things that can be checked and have some very basic logic applied to take action on. Why this isn't addressed is beyond me. There are key folders that shouldn't have files in them, let alone executables. I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldn't need to involve it. -- Espi

On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward ezi...@lifespan.org wrote: [...]
Re: Thought on malware cleaning
That's not my solution. My solution is to check these types of folders and match against the registry. It's a very common occurrence in my experience, and would add lots of value when they are found. -- Espi

On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott crawfo...@evangel.edu wrote: If the OS blocked .exe from the root of AppData, malware would just put it in a subfolder. Your simple solution is only simple because that's how Windows is designed. The overhead to block .exe in AppData would take resources to code and test and would add virtually no value. [...]
Re: Thought on malware cleaning
On 13 Jul 2011 at 14:08, Erik Goldoff wrote: What I would like to see from the OS is something like a trimmed-down version of UAC *just for the malware load points*!!! A permission / integrity monitor that prompts and/or logs whenever a RUN key is altered, whenever a scheduled task is created, whenever a link is added to the STARTUP group, etc ...

WinPatrol does this pretty well. The basic one is free, even for commercial use, but it doesn't monitor the startup locations in real time. http://www.winpatrol.com/morewhyplus.html#plus3 "Advanced Examination of HIDDEN Registry Startup Keys (NOW FREE in Version 14): While programs like MSConfig will show you the standard Startup locations in Windows, we know there are other ways to launch programs without your knowledge. WinPatrol PLUS examines many alternate, more technically advanced locations. We've seen undesirable programs use these locations and even some of our friends in the security business now hide their programs there. WinPatrol PLUS will let you know about any changes to the following alternate startup keys." See: WinPatrol Free vs PLUS http://www.winpatrol.com/compare.html and WinPatrol Real-Time Infiltration Detection http://www.winpatrol.com/rid.html RID is NOT in the free version. The non-free Plus version is currently on sale at 50% off, but I bought my licenses last year during his 99-cent sale ;-). He offers discounts for quantity purchases. HTH Angus
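Erik's wish above (log whenever a Run key, the Startup group or the scheduled-task store changes) can be approximated without a third-party tool by snapshotting those locations and diffing against a saved baseline on a schedule. The following is an added example, not WinPatrol's logic or anything posted to the list. It assumes Windows PowerShell 2.0 or later; the baseline file location, the set of Run keys, and the decision to read Startup folder paths from the Explorer "Shell Folders" registry values (which exist on XP through 7) are my own choices. Scheduled tasks are read as files from %windir%\Tasks (XP .job files) and %windir%\System32\Tasks (Vista and later), so the script needs to run elevated to see the latter. It is a polling check, not real-time detection: anything that appears and disappears between two runs is missed.

```powershell
# Added example (not from the thread): snapshot common autostart locations and
# diff the snapshot against a saved baseline, reporting additions and removals.
# Assumptions: the baseline path, key list and location list below are mine.

$baselinePath = Join-Path $env:TEMP 'autostart-baseline.xml'   # assumed location

function Get-AutostartSnapshot {
    # Returns a sorted list of strings, one per autostart item, in a stable
    # text form so Compare-Object can diff two snapshots directly.
    $items = @()

    # 1. Run / RunOnce registry values for the machine and the current user.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        foreach ($v in $p.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }        # provider metadata, not a value
            $items += "REG|$k|$($v.Name)|$($v.Value)"
        }
    }

    # 2. Startup folders, resolved from Explorer's Shell Folders values so the
    #    same code works on XP and on Vista/7 profile layouts.
    $shell = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $startupDirs = @(
        (Get-ItemProperty -Path "HKLM:\$shell" -ErrorAction SilentlyContinue).'Common Startup',
        (Get-ItemProperty -Path "HKCU:\$shell" -ErrorAction SilentlyContinue).'Startup'
    )
    foreach ($d in $startupDirs) {
        if (-not $d -or -not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $items += "STARTUP|$($_.FullName)|$($_.Length)|$($_.LastWriteTimeUtc.ToString('o'))"
        }
    }

    # 3. Scheduled tasks as stored on disk: .job files on XP, XML on Vista+.
    $taskDirs = @((Join-Path $env:windir 'Tasks'), (Join-Path $env:windir 'System32\Tasks'))
    foreach ($d in $taskDirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d -Force -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                $items += "TASK|$($_.FullName)|$($_.Length)|$($_.LastWriteTimeUtc.ToString('o'))"
            }
    }

    $items | Sort-Object -Unique
}

$current = @(Get-AutostartSnapshot)

# First run: write the baseline and stop. Take it on a machine you trust.
if (-not (Test-Path $baselinePath)) {
    $current | Export-Clixml -Path $baselinePath
    "Baseline written to $baselinePath ($($current.Count) entries)."
    return
}

$baseline = @(Import-Clixml -Path $baselinePath)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
if (-not $diff) { "No autostart changes since baseline."; return }

foreach ($d in $diff) {
    # '=>' means the entry is only in the current snapshot (added);
    # '<=' means it was only in the baseline (removed).
    $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    "$tag $($d.InputObject)"
}
# To centralise the alert, write the lines above to the Application event log
# with Write-EventLog (register a source first with New-EventLog).
```

Schedule the script to run every few minutes, re-baseline after legitimate software installs, and treat an ADDED line that points into a user-writable location (ProgramData, a profile's AppData, Temp) as the same kind of indicator the thread is discussing. Because a size or timestamp change in an existing Startup item or task file also shows up as a REMOVED/ADDED pair, in-place tampering is caught too.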
Re: Thought on malware cleaning
That malware doesn't bother me; people bring me personal machines, which I get to fix and make money on the side to fund my hobbies. :-) James

On Wed, Jul 13, 2011 at 4:12 PM, Angus Scott-Fleming angu...@geoapps.com wrote: [...]
RE: Thought on malware cleaning
My point is that it's common simply because it's allowed. Disallowing .exes to be stored would make it rare, but the .exes would just have moved with no net gain. Or maybe I'm misunderstanding what you're suggesting.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:52 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

That's not my solution. My solution is to check these types of folders and match against the registry. It's a very common occurrence in my experience, and would add lots of value when they are found.

-- Espi

On Wed, Jul 13, 2011 at 12:34 PM, Crawford, Scott crawfo...@evangel.edu wrote:

If the OS blocked .exe from the root of AppData, malware would just put it in a subfolder. Your simple solution is only simple because that's how Windows is designed. The overhead to block .exe in AppData would take resources to code and test and would add virtually no value.

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:25 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

Very true, but there are some very basic things that can be checked and have some very basic logic applied to take action on. Why this isn't addressed is beyond me. There are key folders that shouldn't have files in them, let alone executables. I agree with the concepts of whitelists. But the issue I'm addressing specifically right now shouldn't need to involve it.

-- Espi

On Wed, Jul 13, 2011 at 11:51 AM, Ziots, Edward ezi...@lifespan.org wrote:

Honestly, the malware game is like a big game of Whack-a-Mole, therefore there are always going to be writeable areas in the OS even for the user, and the malware authors are using packing and anti-tampering methods that are evading most anti-virus vendors (the really targeted attacks), so it's a battle that is going to keep going on and on; just as soon as you block one method they come up with 3-5 more you haven't thought of. The only suggestion would be a good application whitelisting technology to only allow known good software and disallow anything else to run. I am sure it has its caveats (trust me, we are implementing application whitelisting now, and compared to IPS it's still got its pain points). Although it's been fun reading the Malware Analyst's Cookbook and DVD, nice insight into reverse-engineering malware and seeing what it does so you can better protect your systems.

Keep your friends close and your enemies closer

EZ
Edward E. Ziots CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
Sent: Wednesday, July 13, 2011 2:28 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

To be addressed at a later date, yes. ;-)

-- Espi

On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff egold...@gmail.com wrote:

And as to "Maybe I'm nuts.", isn't that a separate issue ??? <grin>

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr michealespin...@gmail.com wrote:

Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft and any antivirus vendor directly address.

I'm gonna start this with one point, and then see how the conversation goes: I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the Run registry keys. As far as I know, this top-level appdata folder should NOT contain files at all. I repeat: NO FILES AT F'ING ALL. Can someone confirm this? Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is where 0-day malware lives very commonly. This is very easy to check!

Thank you for your time and any vendor reach-outs you can provide. I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team-up, please do.

-- Espi
Re: Thought on malware cleaning
While I agree with whitelisting, and I believe it's a reasonable solution at this point, the original intent of this post and what I am proposing don't involve whitelisting.

-- Espi
RE: Thought on malware cleaning
I'm not referring to whitelisting, which has its own set of issues.

I'm talking about your suggestion of disallowing any .exe files in the root of AppData.
Re: Thought on malware cleaning
I'm all for leaving it open. But it should be checked by AV software and related tools. It's just common sense; there is almost always infection there. There and some other common locations should be checked. Any apps present should be checked to see if they are signed, or have any company detail (most/all are null). And depending, then that should be scanned against the registry. It's not rocket science, and it's not that resource intensive. Especially if we are talking about using an AV/AM app performing a system sweep.

-- Espi
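The check Espi describes, written out as an added example (this is not his script set, nor any vendor's code): walk the Run/RunOnce keys, resolve each target, flag anything sitting directly in the ProgramData, AppData, profile or temp roots, and report the Authenticode status and the CompanyName from version info. It assumes Windows PowerShell 3 or later; the list of suspect roots is my own choice.

```powershell
# Added example, not Espi's scripts: cross-check Run/RunOnce entries against
# folders whose root should not hold executables, then look at signature and
# version info. Assumes Windows PowerShell 3+. The suspect-root list is a judgement call.
$SuspectRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the program out of a Run value such as
#   "C:\ProgramData\x.exe" /silent    or    C:\ProgramData\x.exe -x    or    rundll32.exe foo.dll,Bar
function Get-RunTarget([string]$Command) {
    $Command = $Command.Trim()
    if ($Command.StartsWith('"')) {
        $end = $Command.IndexOf('"', 1)
        if ($end -gt 1) { return $Command.Substring(1, $end - 1) }
        return $Command.Trim('"')
    }
    $m = [regex]::Match($Command, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($Command -split '\s+')[0]
}

function Test-RunEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $target = [Environment]::ExpandEnvironmentVariables((Get-RunTarget $Command))
    if (-not [System.IO.Path]::IsPathRooted($target)) {
        # Bare names like rundll32.exe resolve through PATH, as the loader would
        $app = Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($app) { $target = $app.Path }
    }
    $reasons = @()
    $signature = 'n/a'; $company = 'n/a'
    if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
        $reasons += 'target not found'
    } else {
        $dir = (Split-Path -Path $target -Parent).TrimEnd('\')
        foreach ($root in $SuspectRoots) {
            if ($dir -eq $root) { $reasons += "lives directly in $root"; break }
        }
        $sig = Get-AuthenticodeSignature -FilePath $target
        $signature = $sig.Status.ToString()
        if ($sig.Status -ne 'Valid') { $reasons += "signature $signature" }
        $company = (Get-Item -LiteralPath $target).VersionInfo.CompanyName
        if ([string]::IsNullOrWhiteSpace($company)) { $reasons += 'no CompanyName in version info' }
    }
    [pscustomobject]@{
        Key = $Key; Name = $Name; Target = $target
        Signature = $signature; Company = $company
        Suspicious = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

$results = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        if ([string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }
        Test-RunEntry -Key $key -Name $p.Name -Command ([string]$p.Value)
    }
}

$results | Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Key, Name, Target, Signature, Company, Reasons -AutoSize -Wrap
```

A clean report is not a clean machine: as Scott points out, the same file one directory deeper passes the folder test, so the Signature and Company columns deserve as much attention as the location.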
Re: Thought on malware cleaning
We redirect AppData, and any exes in non-local areas aren't allowed to run. As is anything not owned by Administrators.

Sent from my POS BlackBerry wireless device, which may wipe itself at any moment
Re: Thought on malware cleaning
It could just be late here on the east coast, but could you explain what you mean by non-local areas? Also, how are you preventing any .exe from running? GPO?
Re: Thought on malware cleaning
We're using McAfee and ePO with over 5000 desktop systems, primarily Windows XP with a few hundred Windows 7 systems, with Trend Micro on our Exchange servers. We do not whitelist/blacklist apps; we have a mix of desktop and thin client apps. We have not seen a rise in malware infections. We have seen a rise in phishing emails. We have published compliance reports for both the server and the desktop environments. Anything out of compliance more than a few days gets a ticket opened for a visit.

Steven