#1
Master Untangler
Join Date: Aug 2008
Posts: 178
Hi Gang,
I have now had two customer sites with a computer infected by XP Antispyware 2011. Both with Kaspersky Virus Blocker and Spyware Blocker installed. Can anyone fill me in on why Untangle is not blocking this?
#3
Master Untangler
Join Date: Jan 2009
Posts: 721
Because Untangle and the definition-based scanners it uses are incapable of detecting modern-day malware. Therefore you're left with desktop anti-whatever-it's-called-today.
There are threads on here discussing this very shortcoming. Really, at the gateway, one of the more effective methods is to use the Web Filter and block uncategorized web sites. You could also block file extensions, but that's easy to sneak through Untangle as well.
#4
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,464
XP Antispyware 2011 is just a rogue AV applet. It is easily removed. Untangle + good desktop AV won't stop it in all cases, but it will contain it. Which makes removal trivial because the extras don't come along for the ride.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#5
Join Date: Aug 2007
Posts: 1,394
That's actually a horrible answer.
Viruses, adware, spyware, rogues, fake alerts, scareware, they've all evolved into the general term "malware". Now if you take the time to even read Untangle's own wording of what the Spyware Blocker does...and I quote...."Stop spyware, adware and malware before it makes it to your network". First, if you've been in IT for any period of time, you'll realize that no antispyware program is 100% effective. Most of my clients have Eset NOD32 at the desktop and on servers...generally considered one of the better antivirus programs, along with Kaspersky. Some of the rogue threats make it past Eset. At clients where I have Untangle...I have a huge drop in rogue/fake alert problems...but sometimes one still slips through. Yes...a huge drop! So Untangle does help substantially. And this claim is easily made because all other variables are usually quite equal among my clients.

We're getting a TON of repair jobs regarding these recent variants of XP Antispyware and XP Security...it's the popular rogue of the month. This one is relatively easy to clean up, and I've only seen a few machines where it got in deep enough to whack out the Windows shell and executable handling...still easily fixed.

Layered approach is the best approach:
- UTM at the edge
- Different brand AV at the desktop
- I do OpenDNS for forwarding, even if there's a DC, I set its DNS forwarding to OpenDNS. OpenDNS blocks known malware distribution sites with a continuously updated list.
- Maintain Microsoft Updates...on biz networks get WSUS, keep it easy on yourself
- Since Microsoft has actually been good with security, these malware writers have turned to other ways to infect you...what I call the web players. Java, Adobe PDF, Adobe Flash, Adobe Shockwave, iTunes, etc. You need to keep those updated also.

Last edited by YeOldeStonecat; 04-18-2011 at 12:24 PM.
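Two of the layered-approach items in the post above, the DNS forwarding on a domain controller and keeping the "web players" patched, can be checked from an admin console. The script below is an added example for this thread, not code from the poster or from Untangle. It assumes Windows PowerShell run as an administrator; the Get-/Set-DnsServerForwarder cmdlets come from the DnsServer module, which only exists on a host with the DNS Server role (Windows Server 2012 or later), so the script skips that part elsewhere. The OpenDNS resolver addresses 208.67.222.222 and 208.67.220.220 are OpenDNS's published public resolvers; the product-name fragments are this example's own choice and the version baseline you compare against is left to you.

```powershell
# Added example, not code from the thread or from Untangle.
#  1. Show (or set) the DNS Server forwarders on a domain controller, which the
#     post points at OpenDNS.
#  2. Inventory the client-side "web player" software the post names by reading
#     the Uninstall registry keys, so out-of-date versions stand out.
# Assumes an elevated Windows PowerShell session.

$OpenDnsResolvers = '208.67.222.222', '208.67.220.220'   # OpenDNS public resolvers

function Get-ForwarderSummary {
    # Returns the forwarders the local DNS Server role currently uses,
    # or a note when the DnsServer module is not present on this host.
    if (-not (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue)) {
        return 'DnsServer module not available on this host (not a DNS server)'
    }
    (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
}

function Set-OpenDnsForwarders {
    # Replaces the forwarder list with the OpenDNS resolvers.
    # Dry run unless -Apply is given, so nothing changes by accident.
    param([switch]$Apply)
    if (-not (Get-Command Set-DnsServerForwarder -ErrorAction SilentlyContinue)) {
        Write-Warning 'DnsServer module not available; nothing changed.'
        return
    }
    if ($Apply) {
        Set-DnsServerForwarder -IPAddress $OpenDnsResolvers
    } else {
        Write-Host "Would set forwarders to: $($OpenDnsResolvers -join ', ') (re-run with -Apply)"
    }
}

# Uninstall keys for both the native view and the 32-bit-on-64-bit view.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name fragments for the products the post singles out (example's own list).
$WebPlayers = 'Java', 'Adobe Reader', 'Adobe Acrobat', 'Adobe Flash', 'Shockwave', 'iTunes'
$WebPlayerRegex = ($WebPlayers | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-WebPlayerInventory {
    # Lists installed products whose display name matches one of the fragments.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $WebPlayerRegex } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName, DisplayVersion -Unique
}

Write-Host 'DNS forwarders:'
Get-ForwarderSummary
Write-Host ''
Write-Host 'Installed web-player software (compare DisplayVersion with the vendor''s current release):'
Get-WebPlayerInventory | Format-Table -AutoSize
```

Run it on the DC to confirm the forwarders, and on a sample of workstations (or through a remoting session) to see which Java, Adobe and iTunes versions are actually installed; the registry view is what the Uninstall applet shows, so a product installed per-user rather than per-machine will not appear.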
#6
Master Untangler
Join Date: Aug 2008
URLs submitted: 10
Posts: 316
There is a very high chance that this is your problem. A skilled malware writer. http://en.wikipedia.org/wiki/Polymorphic_code . I read an article about a week ago and can't seem to find it now. It was talking about how bad the IPS/IDS and AV signature writers/reverse engineer coders are having their grass handed to them. The article talked about how there is a very competitive and fast moving market in the blackhat community on writing better and more advanced polymorphic malware. The good guys just can't keep up. This includes SSL payloads that walk right through any gateway AV unless you run certs and decrypt, and then you still have to worry about zero-day hourly/daily changing code.

Last edited by blueshoes; 04-18-2011 at 05:00 PM.
#7
Master Untangler
Join Date: Aug 2008
Posts: 178
I've been at it now for a few hours. I'm ready to restore the OS.
#8
Untangler
Join Date: Mar 2009
Posts: 45
Uh, actually this kind of malware is really not easy to fix.
And also I agree that no firewall is perfect. You can try to use these 3 best malware cleaners: www.malwarebytes.org www.safer-networking.org http://www.bleepingcomputer.com/comb...o-use-combofix
#9
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,464
Every rogue AV product I've ever come across is trivial to remove. If you're having a hard time removing it, it's because your removal procedure is hopelessly flawed.
The most common flaw? You cannot disinfect a box from the infected OS. Yank the drive and scan from another machine, or use a livecd of some kind.
#10
Join Date: Jun 2008
Location: Argentina
URLs submitted: 57
Posts: 3,634
Malwarebytes and Spybot rock!! And add HijackThis and Process Explorer to the toolkit to deal with live infected machines.
__________________
The world is divided into 10 kinds of people, those who know binary and those who don't