Re: Spyware on an SBS client and what to do?



Perhaps your defs were out of date, or some other setting?

WFBS has been removing these for me.

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"stephen" <stephen@xxxxxxxxxxxxxxx> wrote in message news:eDI3EZN7IHA.5440@xxxxxxxxxxxxxxxxxxxxxxx
Leythos wrote:
In article <#cHYt4L7IHA.4864@xxxxxxxxxxxxxxxxxxxx>, stephen@xxxxxxxxxxxxxxx says...
I'm just back from removing this from a client's computer. The malware came in an email pretending to be from UPS in the form of a zipped exe. Neither clamav nor Trend WFBSA prevented the infection, although the Trend logs showed some stuff had been found and cleaned.

A properly set up firewall would never have permitted an exe to pass through to the user's email box. A properly set up Exchange Aware anti-malware product would never have let an exe pass to the user through email either.

What forms of protection are you using on this server?

This server is running Trend Micro Worry Free Business Security Advanced (the successor to CSMSS). This was a zipped exe, not a raw exe. The mail is also pre-scanned with MailScanner (incorporates ClamAV anti-virus and SpamAssassin anti-spyware) before it hits Exchange. ClamAV didn't pick it up, nor did the Exchange scanner in Trend, so the infected message ended up in the user's Junk Mail Folder. They then opened the zip attachment and double-clicked on the exe inside (file extensions were hidden so it was not obvious to the user that this was an executable).

I would have thought that the Trend real-time scanner should have blocked this, but it didn't, although later inspection of the Trend logs shows that it did detect malware associated with this exe. I'm not sure if a later update to Trend was able to detect the malware but the pattern was not available when the user ran the program. In any case, I am disappointed in the performance of Trend in this instance, because despite the protection, a deep infection occurred, which required a site visit to fix.

--
stephen
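
The thread turns on a zipped exe getting past filters that would have stopped a raw exe. As an added example (not part of the thread and not any product's own code), this is a policy check that opens zip attachments and flags executable members regardless of signature coverage; the extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
# Extensions treated as executable content (an assumed, non-exhaustive list).
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def is_blocked(name):
    return any(name.lower().rstrip(". ").endswith(ext) for ext in BLOCKED_EXT)

def scan_zip(data, label, depth=0):
    """Return findings for blocked members of a zip, recursing into nested zips."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{label}!{info.filename}"
                if is_blocked(info.filename):
                    findings.append((path, "executable in archive"))
                elif info.flag_bits & 0x1:        # encrypted: content cannot be inspected
                    findings.append((path, "encrypted member"))
                elif info.filename.lower().endswith(".zip") and depth < 3 and info.file_size < 10_000_000:
                    findings += scan_zip(zf.read(info), path, depth + 1)
    except zipfile.BadZipFile:
        findings.append((label, "unreadable archive"))
    return findings

def scan_message(raw):
    """Return (path, reason) findings for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_blocked(name):
            findings.append((name, "executable attachment"))
        elif data[:4] == b"PK\x03\x04":           # zip by magic bytes, not by file name
            findings += scan_zip(data, name)
    return findings

def build_sample():
    """Constructed sample: a mail carrying a zip with one .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice.exe", b"MZ constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg.set_content("See attached (constructed sample).")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

A gateway using a check like this would quarantine any message for which `scan_message` returns findings, so the decision does not depend on a pattern file being current.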
