
FakeAV - Microsoft Security Essentials

I'm just curious if anybody else is getting hit pretty hard by this one? For us it's showing up as mstsc.exe and hotfix.exe. Sophos takes care of it but the delay between detection and cleanup allows the Fake Microsoft Security Essentials window to pop up.



Hello ian,

the More Information tab in the analysis for the detected item might contain information on registry keys and files/shortcuts created or modified. Sometimes the modifications can prevent a user from completely logging on.

> Since Sophos did not catch this upfront, are there additional manual steps that need to be taken?

Even with HIPS turned on, unknown threats can sneak in. Once an IDE is issued (and the threat detected), usually no additional steps (other than the full scan and, if needed, in safe mode) are required to remove all known components. As I said, additional items could be present, and as deeper analysis is performed and/or customers are sending in more samples, identities might be updated and additional items detected following the identification of a new threat. So running a scheduled scan once or twice a day for the next few days is a good idea.

If you observe any anomalies or are unsure about removal, do not hesitate to contact Support. Also, if you notice any suspect files (if a threat has been detected, look in the user's %TEMP% and CONTENT.IE5 directories for files with a similar creation date), use the Sample submission form to send them to Sophos.

Christian
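The manual step Christian describes (after a detection, look in the user's %TEMP% and CONTENT.IE5 folders for files created at about the same time as the detected item) as an added triage helper; this is example code, not from the thread or from Sophos. The directory layout, the ten-minute window and the sample file list are assumptions, and the sample data is constructed.

```python
"""Triage helper: list files created close in time to a detected item."""
import os
from datetime import datetime, timedelta

DEFAULT_WINDOW = timedelta(minutes=10)  # assumed: "similar creation date"


def created_near(candidates, reference, window=DEFAULT_WINDOW):
    """Return (path, created) pairs whose creation time lies within
    `window` of `reference`, closest first.
    `candidates` is an iterable of (path, datetime) pairs."""
    hits = [(p, t) for p, t in candidates if abs(t - reference) <= window]
    return sorted(hits, key=lambda pt: abs(pt[1] - reference))


def creation_time(path):
    st = os.stat(path)
    # st_birthtime exists on BSD/macOS; on Windows st_ctime is creation time.
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))


def scan_dirs(dirs, reference, window=DEFAULT_WINDOW):
    """Walk each directory (skipping unreadable entries) and apply created_near."""
    candidates = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    candidates.append((p, creation_time(p)))
                except OSError:
                    continue  # file vanished or is locked; keep going
    return created_near(candidates, reference, window)


def default_dirs():
    """%TEMP% and the IE cache folder named in the thread (assumed layout)."""
    temp = os.environ.get("TEMP", "")
    local = os.environ.get("LOCALAPPDATA", "")
    ie5 = os.path.join(local, "Microsoft", "Windows",
                       "Temporary Internet Files", "Content.IE5")
    return [d for d in (temp, ie5) if d and os.path.isdir(d)]


# Constructed sample: a detection at 14:02 and the files seen in %TEMP%.
SAMPLE_DETECTION = datetime(2010, 10, 5, 14, 2)
SAMPLE_FILES = [
    (r"C:\Users\ian\AppData\Local\Temp\hotfix.exe", datetime(2010, 10, 5, 14, 1)),
    (r"C:\Users\ian\AppData\Local\Temp\mstsc.exe", datetime(2010, 10, 5, 14, 3)),
    (r"C:\Users\ian\AppData\Local\Temp\~DF3A1.tmp", datetime(2010, 10, 5, 14, 4)),
    (r"C:\Users\ian\AppData\Local\Temp\setup.log", datetime(2010, 10, 3, 9, 0)),
]

if __name__ == "__main__":
    for path, created in created_near(SAMPLE_FILES, SAMPLE_DETECTION):
        print(created.isoformat(" "), path)
```

On a live machine, replace the sample with `scan_dirs(default_dirs(), <detection time>)`, and send anything you cannot account for through the Sample submission form rather than deleting it.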