Re: Spyware on an SBS client and what to do?



Leythos wrote:
In article <#cHYt4L7IHA.4864@xxxxxxxxxxxxxxxxxxxx>, stephen@xxxxxxxxxxxxxxx says...
I'm just back from removing this from a client's computer. The malware came in an email pretending to be from UPS in the form of a zipped exe. Neither clamav nor Trend WFBSA prevented the infection although the Trend logs showed some stuff had been found and cleaned.

A properly setup firewall would never have permitted an exe to pass through to the user's email box. A properly setup Exchange Aware anti-malware product would never have let an exe pass to the user through email either.

What forms of protection are you using on this server?


This server is running Trend Micro Worry Free Business Security Advanced (the successor to CSMSS). This was a zipped exe, not a raw exe. The mail is also pre-scanned with MailScanner (incorporates ClamAV anti-virus and SpamAssassin anti-spyware) before it hits Exchange. ClamAV didn't pick it up, nor did the Exchange scanner in Trend, so the infected message ended up in the user's Junk Mail Folder. They then opened the zip attachment and double clicked on the exe inside (file extensions were hidden so it was not obvious to the user that this was an executable).

I would have thought that the Trend real-time scanner should have blocked this, but it didn't, although later inspection of the Trend logs shows that it did detect malware associated with this exe. I'm not sure if a later update to Trend was able to detect the malware but the pattern was not available when the user ran the program. In any case, I am disappointed in the performance of Trend in this instance, because despite the protection, a deep infection occurred, which required a site visit to fix.

--
stephen
.
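The gap stephen describes is an executable hidden inside a zip attachment, with a double extension that Windows' hidden-extensions setting disguised. A mail-gateway check does not have to rely on a signature to catch that: it can open the archive and flag any member whose name ends in an executable extension or whose first bytes carry the DOS/PE "MZ" magic. The following is an added example (not code from the original thread, MailScanner, ClamAV or Trend) of such a check; the zip it inspects is constructed in-memory with fake "MZ" headers, not real binaries.

```python
import io
import zipfile

# Extensions Windows will run on double-click. A hidden-extension name such as
# "UPS_invoice.pdf.exe" still ends with one of these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def looks_executable(name: str, head: bytes) -> bool:
    """Flag a zip member by its extension or by the 'MZ' magic in its first two bytes."""
    lowered = name.lower()
    by_ext = any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)
    by_magic = head[:2] == b"MZ"  # DOS/PE header, catches renamed executables
    return by_ext or by_magic


def find_executables_in_zip(zip_bytes: bytes) -> list:
    """Return the names of members in an in-memory zip that look executable.

    Only the first two bytes of each member are read, so a large archive is not
    fully extracted just to make this decision.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if looks_executable(info.filename, head):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one harmless text file, one double-extension
    'invoice' with a fake MZ header, and one MZ file with a disguised extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing to see here")
        zf.writestr("UPS_invoice.pdf.exe", b"MZ" + b"\x00" * 16)  # fake header only
        zf.writestr("renamed.dat", b"MZ" + b"\x00" * 16)          # magic bytes, no exe extension
    return buf.getvalue()


if __name__ == "__main__":
    # A gateway would quarantine or strip the message when this list is non-empty.
    print(find_executables_in_zip(build_sample_zip()))
```

The point of checking both the name and the magic bytes is that each test covers what the other misses: the extension test catches a real executable whose header is unusual, and the magic test catches one renamed to a harmless-looking extension. Either hit is enough for a gateway to quarantine the message instead of passing it on to the user's Junk Mail folder, where it is only one double-click away from running.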


