Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Desktop security.

Posted on 2014-10-22
5
Medium Priority
?
252 Views
Last Modified: 2014-11-04
Our company Windows 7 workstations is running latest Mcafee VSE 8.8 and patch.  A lot of them are being infected by malware.zeroday, cryptoware or something similar.

The workstation also receive Microsoft patches periodically.  

Can someone advise if there is additional thing(s) we could do to make the blocking stronger?

Thanks.
0
Comment
Question by:nav2567
5 Comments
 
LVL 11

Expert Comment

by:epichero22
ID: 40397724
Are they being infected with the McAfee software enabled?  At this point, I would either tighten your security GPOs or simply create a standard user account for users to log into.  You also may want to consider repairing the OS once the viruses are removed.
0
 
LVL 13

Assisted Solution

by:Rizzle
Rizzle earned 1336 total points
ID: 40397773
I would make sure of the below to help stop getting infected.

1. Your Anti-Virus is actively monitoring any activity on the machine
2. The Anti-Virus is up to date with the latest infections database
3. Ensure users don't have right to download/install .exes
4. Ensure the machines have the latest Windows updates installed
5. Give user awareness training on not to click pop up, unknown links in emails and also go to unknown websites.
0
 

Author Comment

by:nav2567
ID: 40398125
Thanks guys.

We have this "f33b2d1.exe" which got into the c:\users\user\appdata\roaming folder for some reason.

I scanned it from virustotal and only three vendors recognize it.  

Again, the PC has latest Mcafee VSE and being real time monitored.  The user does not have local admin right to the PC.
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 1336 total points
ID: 40398641
Would probably be worth notify mcafee then as that shouldn't be happening. Atleast if there is an issue with the definitions or active monitoring they can resolve this. To resolve this issue in the short term download and run Malwarebytes.

Maybe ask the users what sites they're visiting to see if one is where the infections are coming from.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 664 total points
ID: 40399091
"f33b2d1.exe...I scanned it from virustotal and only three vendors recognize it." - just imagine: virus authors know virustotal.com, too. They like it a lot. They use it to modify their viruses as long, as no virus scanner will recognize them. Yes, true.

Don't ever rely on Antivirus softwares. AV is just a small tiny piece of the security puzzle.
A virus wants to start on each reboot. In order to do that, it writes some exe to startable areas as %appdata%. Can we deny write access there? This will be difficult, as legitimate programs write there, too. But we can deny write access to startup entries, so the virus will not start on next reboot (or setting it up will fail altogether). This principle "no autostarts for users" is old but good. The german IT magazine CT had a tool that helped configuring it, it was called kafu.exe - google it, you'll still find it.

Apart from that, you could establish policies for applocker (or software restriction policies) that deny starting executables from certain paths or even resort to whitelisting only known executables. Unknown ones will not even run.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question