Best Ways To Prevent Rogue Antivirus Infections, Outbreaks ...

What are the best ways to prevent the various rogue antivirus infections? Does removing local admin rights for users completely solve the problem? Assuming the users have training but are still non-technical users, is it more difficult to get these infections when using Vista or Windows 7 compared to WinXP, where all installations run as the local user account? What are the other suggested best practices to avoid these types of infections?

TIA ...


The place to start is with user education. I am surprised, as ubiquitous as computers and the Internet are, that so many people are totally clueless about how to protect themselves. Guess it's a "never gonna happen to me" mentality.

Second, get a good anti-malware product.  There are about as many opinions as to what that ought to be as there are people answering questions. Assuming you're in a work environment, develop a multi-tiered approach to protection.  In our environment we have a hardware-based firewall, an IDS/IDP device, we filter our email and our web access, and run a corporate level anti-malware product.  And even with that, we still occasionally get hit. But as good as I think the protection is, I really believe that things have improved mostly because of user education.
LGroup1 (Author) Commented:
This particular site has everything that you mentioned (e.g. IDS/IPS, AV, anti-spyware, firewall, etc.), and also does user training, but the rogue antivirus is apparently installed when users click on infected links during web browsing (i.e. SEO infections), and the IDS/IPS and other defenses do not effectively protect against that. The malware products are also in place, but have varying degrees of success against this constantly evolving (and difficult to thoroughly clean) piece of malware. So at this site they too only occasionally get hit (considering there are 100s of users), but when they do get hit it is often a difficult process to fix. I wanted to find out what measures others are (effectively) using to protect against these specific types of infections ...

I've yet to find anything that keeps the rogue AV products from coming in... I'm not even sure where the users get them from. Our current anti-malware product, Vipre, does a pretty good job of detecting them and, unless they are super new, will clean them for us. But along with that we have used Malwarebytes, which is excellent. I've also found, on some of the newer ones, that I can log in as another user (sometimes I have to log in in safe mode, but usually it works OK in normal mode) after MWB has done its thing, and usually I don't experience the infection. From there I run MWB again and that has usually taken care of the problem. I did once have to completely wipe a user's profile because, although the infection appeared to be gone, it had so screwed up her profile that she was unable to work. I saved off her data, logged in as me and then made sure all was clean, deleted her profile and then had her log back in to create a new one.

Thomas Zucker-Scharff (Solution Guide) Commented:
We use many different solutions, but the only one in which we have not encountered ANY infections is an installation of 140+ computers with a perimeter firewall, NOD32 on each machine, Microsoft Update disabled (the sysadmin pushes out the appropriate updates instead), and a very savvy admin.  In other areas we have had infections by rogue antivirus and have cleaned using Combofix, MalwareBytes AntiMalware, and Spybot.  I personally use ESET Security Suite on my computers and have yet to have a problem (I also don't click willy nilly on search results/links).

You are welcome to use any part of the policy I use to keep malware off our computers:

User education is VERY important in getting this to work.
Make sure you keep Adobe Flash, Acrobat Reader and Java (and any other multimedia content add-ons) up to date with the latest versions installed on all machines. Most of these fake antivirus programs come in through security holes in those 3 programs, especially infected Flash ad banners; you don't even have to click on some of them to get infected, you just need to look at them. Keeping current on those programs can help prevent infections, in addition to the other measures you already have in place.
We use a combination of blacklisting known "bad sites" (we get an updated list from Emerging Threats), Sophos Endpoint Security, and MS ISA Proxy, which gives you the option of using the MS Reputation service via Threat Management Gateway. We also find that JavaScript is a big issue when dealing with rogue AV. If you deploy Java in your network, please consider keeping it only on the user machines that absolutely need it. We also deploy UAC on Vista and that does help, but we had an issue with a rogue AV trying to install via JavaScript; luckily it failed to get a full config installed. Secunia is used as well to keep our third-party apps up to date and the rest is managed through WSUS. Hope that helps. Good luck!
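The controls the thread keeps coming back to (local admin rights, UAC, and the patch level of Flash, Reader and Java) can be checked per machine. The script below is an added example, not code from any of the posters; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember), an elevated session on the machine being audited, and that the product name patterns it matches in Add/Remove Programs are correct for your installs.

```powershell
# Added audit example (not from the thread). Reports the three hardening points
# discussed above so a helpdesk can see at a glance why a box keeps getting hit.
# Assumptions: PowerShell 5.1+, run elevated; product-name patterns below are guesses.

function Test-LocalAdminRights {
    param([string]$UserName = "$env:USERDOMAIN\$env:USERNAME")
    # Direct members of the built-in Administrators group can install software
    # silently, which is exactly what a rogue AV dropper relies on.
    # Caveat: nested domain groups are listed by group name, not expanded here.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -eq $UserName })
}

function Test-UacEnabled {
    # EnableLUA = 1 means UAC is on, so a drive-by installer cannot elevate silently.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($v -eq 1)
}

function Get-PluginVersions {
    # Reads the Add/Remove Programs registry views (64-bit and 32-bit) for the
    # three products the thread names. Compare DisplayVersion against the vendor's
    # current release; an old version here is the usual entry point.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $patterns = 'Adobe Flash Player', 'Adobe Reader', 'Adobe Acrobat Reader', 'Java '  # assumed names
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.DisplayName; $n -and ($patterns | Where-Object { $n -like "$_*" }) } |
        Select-Object DisplayName, DisplayVersion, InstallDate |
        Sort-Object DisplayName
}

# Summary report for this machine
$report = [ordered]@{
    'Current user is local admin' = Test-LocalAdminRights
    'UAC enabled (EnableLUA=1)'   = Test-UacEnabled
}
$report.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
''
'Installed plug-ins the thread calls out (check each against the vendor''s current version):'
Get-PluginVersions | Format-Table -AutoSize
```

Run it from the user's normal session context (with elevation) so the admin-rights check reflects the account that actually browses; a "True" on the first line plus an outdated Flash or Java row is the combination the posters above describe.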

LGroup1 (Author) Commented:
Good info! Thank you everybody!