Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 256
  • Last Modified:

Desktop security.

Our company Windows 7 workstations is running latest Mcafee VSE 8.8 and patch.  A lot of them are being infected by malware.zeroday, cryptoware or something similar.

The workstation also receive Microsoft patches periodically.  

Can someone advise if there is additional thing(s) we could do to make the blocking stronger?

Thanks.
0
nav2567
Asked:
nav2567
3 Solutions
 
epichero22Commented:
Are they being infected with the McAfee software enabled?  At this point, I would either tighten your security GPOs or simply create a standard user account for users to log into.  You also may want to consider repairing the OS once the viruses are removed.
0
 
RizzleCommented:
I would make sure of the below to help stop getting infected.

1. Your Anti-Virus is actively monitoring any activity on the machine
2. The Anti-Virus is up to date with the latest infections database
3. Ensure users don't have right to download/install .exes
4. Ensure the machines have the latest Windows updates installed
5. Give user awareness training on not to click pop up, unknown links in emails and also go to unknown websites.
0
 
nav2567Author Commented:
Thanks guys.

We have this "f33b2d1.exe" which got into the c:\users\user\appdata\roaming folder for some reason.

I scanned it from virustotal and only three vendors recognize it.  

Again, the PC has latest Mcafee VSE and being real time monitored.  The user does not have local admin right to the PC.
0
 
RizzleCommented:
Would probably be worth notify mcafee then as that shouldn't be happening. Atleast if there is an issue with the definitions or active monitoring they can resolve this. To resolve this issue in the short term download and run Malwarebytes.

Maybe ask the users what sites they're visiting to see if one is where the infections are coming from.
0
 
McKnifeCommented:
"f33b2d1.exe...I scanned it from virustotal and only three vendors recognize it." - just imagine: virus authors know virustotal.com, too. They like it a lot. They use it to modify their viruses as long, as no virus scanner will recognize them. Yes, true.

Don't ever rely on Antivirus softwares. AV is just a small tiny piece of the security puzzle.
A virus wants to start on each reboot. In order to do that, it writes some exe to startable areas as %appdata%. Can we deny write access there? This will be difficult, as legitimate programs write there, too. But we can deny write access to startup entries, so the virus will not start on next reboot (or setting it up will fail altogether). This principle "no autostarts for users" is old but good. The german IT magazine CT had a tool that helped configuring it, it was called kafu.exe - google it, you'll still find it.

Apart from that, you could establish policies for applocker (or software restriction policies) that deny starting executables from certain paths or even resort to whitelisting only known executables. Unknown ones will not even run.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now