
FakeAV - Microsoft Security Essentials

I'm just curious if anybody else is getting hit pretty hard by this one? For us it's showing up as mstsc.exe and hotfix.exe. Sophos takes care of it but the delay between detection and cleanup allows the Fake Microsoft Security Essentials window to pop up.

  • Hello chadwick,

    First of all, please always use the exact name for a detection.

    "the delay between detection and cleanup allows the Fake Microsoft Security Essentials window to pop up"

    If it's detected it shouldn't be allowed to run - is it again detected after cleanup? Are you using runtime HIPS (suspicious behaviour detection)? Did you use a full scan? I've had some encounters with FakeAVs recently. If they are not removed completely there's a chance that something not yet detected is involved.

    I'd try to find out which process pops up the window (I suggest using Process Explorer) and from where it is started. In some cases using a more aggressive scanning policy (scan on write/rename and runtime HIPS) led to the identification of suspicious files which I then sent to the Labs. Once they were analyzed and new/updated identities had been issued, a subsequent full scan and reboot removed the remaining items. If you do not know where the threat came from it might be wise to continue to use the aggressive policy for a few days, as sometimes the threats are updated.

    Please keep us informed.

    Christian

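A scripted version of the triage step suggested above (find the process that owns the fake alert window and where it was started from). This is an added example, not code from the thread or from Sophos; it assumes an elevated PowerShell 5.1+ session on the affected host, that the fake window's title contains "Microsoft Security Essentials", and uses the file names reported in the original post as the suspect list.

```powershell
# Added triage helper (not from the thread): list processes that either own a
# window titled like the fake "Microsoft Security Essentials" alert or carry one
# of the file names reported in the post, and show where each was started from.
# Assumes an elevated PowerShell 5.1+ session on the affected machine.

$titlePattern = 'Microsoft Security Essentials'   # assumed window title text
$suspectNames = @('mstsc', 'hotfix')              # process names without .exe
$trustedDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-ProcessOrigin {
    param([System.Diagnostics.Process]$Process)

    # CIM supplies the command line and parent PID that Get-Process lacks.
    $cim    = Get-CimInstance Win32_Process -Filter "ProcessId = $($Process.Id)"
    $parent = if ($cim.ParentProcessId) {
        Get-CimInstance Win32_Process -Filter "ProcessId = $($cim.ParentProcessId)"
    }

    # Path can be unavailable for protected processes; treat that as unknown.
    $path      = try { $Process.Path } catch { $null }
    $dir       = if ($path) { Split-Path $path -Parent }
    $inTrusted = [bool]($trustedDirs | Where-Object { $_ -ieq $dir })

    # The genuine Remote Desktop client (mstsc.exe) lives in System32 and is
    # Microsoft-signed; a same-named binary elsewhere or unsigned is the red flag.
    $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path }

    [pscustomobject]@{
        Name         = $Process.ProcessName
        PID          = $Process.Id
        WindowTitle  = $Process.MainWindowTitle
        Path         = $path
        InTrustedDir = $inTrusted
        SigStatus    = if ($sig) { $sig.Status } else { 'n/a' }
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        ParentName   = $parent.Name
        ParentPID    = $cim.ParentProcessId
        CommandLine  = $cim.CommandLine
    }
}

$hits = Get-Process | Where-Object {
    $_.MainWindowTitle -match $titlePattern -or $suspectNames -contains $_.ProcessName
}

$hits | ForEach-Object { Get-ProcessOrigin $_ } | Format-List
```

A hit whose Path is outside System32, whose SigStatus is not Valid, or whose parent is something other than explorer.exe or a known launcher is the file to submit for analysis rather than just cleaning the running copy.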