Malware Question
  • Malware Question

    Good morning everyone!

    -mods, feel free to move if this isn't in the right place-

    I use Malwarebytes and Microsoft Safety Scanner, and MS Security Essentials for client PC protection, but it's never enough.

    Most of my clients don't have a PC that they can load
    Norton or McAfee on without it crawling, and we're talking quite a few hundred PCs.

    The most common malware is the fake virii, which is easy for me to fix, but lately it's been a lot of the IE-redirect, which I cannot seem to fix.

    Anyone run into this issue, or found a fix for it? Google is pretty hit or miss on this one.

    thanks in advance everyone =)

  • #2
    Re: Malware Question

    My suggestion is to use bootable CDs that will scrape the offending PC as clean as is practically possible. I prefer Kaspersky's boot CD. Make sure to mind the licensing stipulations, as many CDs are free for personal use but not for business use.

    Having said that, realize that any PC that is compromised can never be fully trusted again. The goal for A/V products is to prevent the infection in the first place. If you're finding that infections are unavoidable and also frequent, the ultimate problem is one of user education. However, if users cannot be educated to avoid infections, then the next step is to remove administrator rights. Without admin rights, infections are stopped in their tracks.

    It's possible to automate the offline, image-based scan of PCs if you use a tool like FOG for your Windows PCs. You can schedule a reboot into a PXE server which will, based on the PC's MAC address, feed an A/V scan image into memory and perform a scan.

    To address your specific concern about IE redirects, I'd suggest the following:
    1. Boot into a [A/V vendor of choice] CD and perform an offline scan
    2. Reset IE back to defaults. If the version of IE is pre-version-8, then update them to 8 or 9 depending on their OS.
    3. Check the local hosts file and remove all sketchy entries
    4. If all else fails, burninate and rebuild.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/
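    Step 3 above is easy to get wrong by eye on a few hundred machines, so here is an added example (not from the original thread or any product mentioned in it) of a small checker for the Windows hosts file. It reads a constructed sample file, ignores the default localhost lines and plain 0.0.0.0 ad-blocking, and flags the two patterns redirect malware typically leaves behind: search or update sites pointed at an external address, and security-vendor sites sinkholed to loopback. The list of watched domains is an assumption for illustration, not an authoritative one.

```python
import ipaddress

# Constructed sample hosts file (fabricated for this example, not a capture).
# On a real client the file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
127.0.0.1       www.malwarebytes.org   # security site silently blocked
203.0.113.45    www.google.com         # search engine hijacked
203.0.113.45    www.bing.com
not-an-ip       www.example.org
"""

# Sites a client hosts file should never touch; an illustrative list, not authoritative.
WATCHED_SUFFIXES = ("google.com", "bing.com", "microsoft.com", "windowsupdate.com",
                    "malwarebytes.org", "kaspersky.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_sketchy_entries(text):
    """Return (line_no, address, hostname, reason) for every suspicious mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "unparseable address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
        for name in (n.lower() for n in fields[1:]):
            if sinkhole and name in LOCAL_NAMES:
                continue                                       # the normal default lines
            if sinkhole and _watched(name):
                findings.append((line_no, str(addr), name, "blocks security/update site"))
            elif not sinkhole:
                why = "hijacks watched site" if _watched(name) else "redirects to external host"
                findings.append((line_no, str(addr), name, why))
    return findings


if __name__ == "__main__":
    for line_no, addr, name, reason in find_sketchy_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr:<16} {name:<24} {reason}")
```

Feeding it the real file instead of the sample lets you batch the hosts check across clients before deciding which PCs need the full offline scan.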

    • #3
      Re: Malware Question

      The problem is that with so many computers, performing an offline scan isn't feasible.

      Third-party-wise, what's making the most waves out there these days?

      • #4
        Re: Malware Question

        The problem you have, though, is that when you clean a PC it gets reinfected and the cycle just goes around.

        Best bet would be to spend the time and disconnect them all from the network and run the scans then. Yes, it takes time, but it is worth it.

        BTW, use multiple copies of the CDs and you can run batches of, say, 20 at a time.

        • #5
          Re: Malware Question

          Originally posted by nharvey
          The problem is that with so many computers, performing an offline scan isn't feasible.
          Perhaps you might want to create a portable PXE "Server" in the form of a laptop that you can bring to clients and then boot up multiple PCs simultaneously into an offline scan. I don't think it's an option. You must do it or you must reimage.

          Originally posted by nharvey
          Third-party-wise, what's making the most waves out there these days?
          I am of the opinion that Kaspersky is one of the best products out there. I use it most of the time when I need an offline scan.
          • #6
            Re: Malware Question

            Originally posted by Nonapeptide
            You must do it or you must reimage.
            Going back to Wesley's previous point, keep in mind that an offline scan to remove an infection is a temporary measure. At some point you will want to reinstall the PC anyway, since you need to be able to trust that workstations are in a clean state.
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

            • #7
              Re: Malware Question

              Originally posted by Nonapeptide
              Perhaps you might want to create a portable PXE "Server" in the form of a laptop that you can bring to clients and then boot up multiple PCs simultaneously into an offline scan. I don't think it's an option. You must do it or you must reimage.

              I am of the opinion that Kaspersky is one of the best products out there. I use it most of the time when I need an offline scan.

              ...that sounds like an AMAZING option.
              Not sure what a PXE server is exactly, but I'm very interested to throw this in the test lab we have at our office.
              Can you link me to something?

              • #8
                Re: Malware Question

                Google "open source PXE server"; you'll get a decent-sized list...
                • #9
                  Re: Malware Question

                  Thank you so much.

                  Searched a couple of things, and watched a couple of YouTube videos about it,
                  but maybe I'm a bit confused on something.

                  How can I perform an offline virus scan on an infected PC, using a PXE server?

                  *note: it doesn't have to be open source, I just want the best option out there

                  • #10
                    Re: Malware Question

                    Configure the PXE server to serve the offline scan bootable CD image as the OS for its clients.
                    • #11
                      Re: Malware Question

                      Originally posted by nharvey
                      Thank you so much.

                      Searched a couple of things, and watched a couple of YouTube videos about it,
                      but maybe I'm a bit confused on something.

                      How can I perform an offline virus scan on an infected PC, using a PXE server?

                      *note: it doesn't have to be open source, I just want the best option out there
                      The PXE server would deliver an ISO that has an antivirus scanner in it. For example, get the Kaspersky boot CD ISO and configure the PXE server to deliver it to clients that boot from their PXE NICs. Of course, this is all predicated on clients actually having PXE NICs, which is fairly common these days.

                      Instead of rolling your own, look into FOG. It's friendly to use and abstracts away the scary Debian underguts of the whole operation. =)
                      • #12
                        Re: Malware Question

                        Prevention is better than cure. Ensure that no one has administrative access.
                        Improvements in UAC are fantastic over the way things were in XP and 2000.

                        The PXE server is also a brilliant idea!
                        Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

                        • #13
                          Re: Malware Question

                          Malwarebytes is a good removal tool, but it is not always effective; sometimes you need another, better tool.

                          • #14
                            Re: Malware Question

                            What other tools do you favour?
                            The only other thing I use apart from MBAM is HijackThis (and my bloodhound nose, but still).

                            • #15
                              Re: Malware Question

                              MBAM, HJT, ComboFix.

                              Check out http://www.bleepingcomputer.com
                              ** Remember to give credit where credit is due and leave reputation points where appropriate **
