In our office we use Symantec Endpoint Protection and it is updated but still does not protect any of our computers from Vista Anti Spyware 2010 or the other variants of this virus/trojan.
What protection is available that is stopping this from installing on systems?
Anti Spyware 2010 and similar attacks
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Layered approaches. The more, the better. Yes these rogues/fake alerts are getting crazy.
I've been switching more and more of my clients to have UTM appliances for their firewalls instead of just NAT firewalls.
UTM = Unified Threat Management
Basically, these are firewall/routers that do additional scanning of web/email traffic at the gateway, using virus scanners, and various other technologies.
I use a product called Untangle at many of my clients. There are many other brands of course. These will give you an added layer of protection, and clients where I have Untangle protection seem to have fewer issues, and I see its Spyware Blocker module being very busy in the logs. It also has an additional add-on component, Kaspersky antivirus scanning, which is an excellent product. This does NOT replace a good antivirus at the desktop.
Are you running the latest version of Symantec Endpoint? Their detection rates are actually pretty good. These rogues/fake alerts are released at the rate of 4-6 and more new ones PER DAY to stay ahead of all AV vendors.
For DNS, all of my clients have DNS forwarding to OpenDNS. For those with domain controllers, I set the DCs' DNS to forward to OpenDNS. OpenDNS blocks lots of known malware sites, so it's yet another added layer of security for your network.
Maintain your Microsoft Updates. Many of these rogues exploit vulnerabilities that were patched.
Maintain updates for Java, Flash, Shockwave... many of these rogues exploit vulnerabilities that were patched.
MORNING WOOD Lumber Company
Guinness for Strength!!!
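The DNS layer described above (pointing a domain controller's DNS server at OpenDNS) can be applied and checked from PowerShell. This is an added example, not something posted in the thread or provided by OpenDNS; it assumes the DnsServer module that ships with Windows Server 2012 and later, and it assumes 208.67.222.222 and 208.67.220.220 are OpenDNS's current resolver addresses, which should be confirmed against OpenDNS's own documentation before use.

```powershell
# Added example: set a Windows DNS Server (e.g. a domain controller) to forward to
# OpenDNS and verify the result. Assumes the DnsServer module (Server 2012+).
# The OpenDNS resolver addresses below are an assumption; confirm them with OpenDNS.
$OpenDns = @('208.67.222.222', '208.67.220.220')

# Record the current forwarders so the change can be reverted if needed.
$before = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
"Current forwarders: $($before -join ', ')"

# Replace the forwarder list. UseRootHint $false keeps the server from falling
# back to the root hints (and bypassing OpenDNS filtering) if the forwarders fail.
Set-DnsServerForwarder -IPAddress $OpenDns -UseRootHint $false

# Verify that every configured forwarder is one of the OpenDNS addresses.
$after = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
$unexpected = $after | Where-Object { $OpenDns -notcontains $_ }
if ($unexpected) {
    Write-Warning "Non-OpenDNS forwarders still present: $($unexpected -join ', ')"
} else {
    "Forwarders now: $($after -join ', ')"
}

# Confirm the server still resolves normally from a client's point of view.
Resolve-DnsName -Name example.com -Server $env:COMPUTERNAME -Type A
```

Run it in an elevated PowerShell session on the DC (or remotely with the DnsServer module's -ComputerName parameters). Clients keep pointing at the DC as usual; only the DC's upstream lookups change, so OpenDNS's block lists apply to the whole domain without touching each workstation.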
As always, excellent response. Our firewall/routers are maintained by an outside vendor. I will speak to them and see if we can do something to add another layer of security. I will look into OpenDNS to configure our DC to add an additional layer. When checking the end users' antivirus, the databases are updated, so I'm at a loss as to what to do on the client machines to protect them from these attacks. I will concentrate on making sure these applications are updated as well as Windows updates to see if this eliminates some of these issues.
Thanks again for a great response.
- mnosteele52
- Posts: 11913
- Joined: Tue Jul 24, 2001 12:00 pm
- Location: Chesapeake, VA
Something else to look into is a HIPS program that monitors your PC for changes. In a corporate environment I'm not sure how well it would work, because it needs some type of user intervention, but for a home user I install WinPatrol.
You might look into Microsoft's Forefront Security; it uses multiple scanning engines.
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
reaser wrote: Our firewall/routers are maintained by an outside vendor. I will speak to them and see if we can do something to add another layer of security.
Added note... you don't have to replace the routers; many of the UTM appliances support being run in a transparent proxy mode. They can sit behind the primary router, run via a single NIC. Untangle supports this: you can just install several components into the "rack" and have it only scan web/mail traffic. It "fools" network traffic into thinking it's the gateway via a special ARP poisoning method.
MORNING WOOD Lumber Company
Guinness for Strength!!!
The majority of these variants get installed via IE security holes. And there are no fixes to patch these vulnerabilities, and there likely never will be any.
Thus, besides the hardware-based layer, the best thing you can do is educate employees on:
1. how to use search engines
2. how not to use search engines
3. don't use apps/add-ons at social network sites
And by all means use a browser with better security.
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH