Solved

Desktop security.

Posted on 2014-10-22
5
230 Views
Last Modified: 2014-11-04
Our company Windows 7 workstations is running latest Mcafee VSE 8.8 and patch.  A lot of them are being infected by malware.zeroday, cryptoware or something similar.

The workstation also receive Microsoft patches periodically.  

Can someone advise if there is additional thing(s) we could do to make the blocking stronger?

Thanks.
0
Comment
Question by:nav2567
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 11

Expert Comment

by:epichero22
ID: 40397724
Are they being infected with the McAfee software enabled?  At this point, I would either tighten your security GPOs or simply create a standard user account for users to log into.  You also may want to consider repairing the OS once the viruses are removed.
0
 
LVL 13

Assisted Solution

by:Rizzle
Rizzle earned 334 total points
ID: 40397773
I would make sure of the below to help stop getting infected.

1. Your Anti-Virus is actively monitoring any activity on the machine
2. The Anti-Virus is up to date with the latest infections database
3. Ensure users don't have right to download/install .exes
4. Ensure the machines have the latest Windows updates installed
5. Give user awareness training on not to click pop up, unknown links in emails and also go to unknown websites.
0
 

Author Comment

by:nav2567
ID: 40398125
Thanks guys.

We have this "f33b2d1.exe" which got into the c:\users\user\appdata\roaming folder for some reason.

I scanned it from virustotal and only three vendors recognize it.  

Again, the PC has latest Mcafee VSE and being real time monitored.  The user does not have local admin right to the PC.
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 334 total points
ID: 40398641
Would probably be worth notify mcafee then as that shouldn't be happening. Atleast if there is an issue with the definitions or active monitoring they can resolve this. To resolve this issue in the short term download and run Malwarebytes.

Maybe ask the users what sites they're visiting to see if one is where the infections are coming from.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 40399091
"f33b2d1.exe...I scanned it from virustotal and only three vendors recognize it." - just imagine: virus authors know virustotal.com, too. They like it a lot. They use it to modify their viruses as long, as no virus scanner will recognize them. Yes, true.

Don't ever rely on Antivirus softwares. AV is just a small tiny piece of the security puzzle.
A virus wants to start on each reboot. In order to do that, it writes some exe to startable areas as %appdata%. Can we deny write access there? This will be difficult, as legitimate programs write there, too. But we can deny write access to startup entries, so the virus will not start on next reboot (or setting it up will fail altogether). This principle "no autostarts for users" is old but good. The german IT magazine CT had a tool that helped configuring it, it was called kafu.exe - google it, you'll still find it.

Apart from that, you could establish policies for applocker (or software restriction policies) that deny starting executables from certain paths or even resort to whitelisting only known executables. Unknown ones will not even run.
0

Featured Post

10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question