When Exactly Is One Infected In A Drive-By? And What Do Y'all Tell Your Customers/Bosses?

OIStaff wrote:

Hey All.

Had two drive-bys of the Personal Antivirus occur this week. CE 10 (the most current version of this product and currently supported by Symantec) didn't even blink. And, from what I've been reading, the latest incarnation of EP doesn't blink either.

On the one system, the PAV was completely installed. It had a desktop icon, a system tray icon and looked really good as a GUI. Aero interface and all. The only way that one could tell this wasn't a legit app was all the broken English. This system was horked. The app installed, and on a reboot, disconnected from the network, it still loaded into the system tray and was launchable via a desktop icon.

On the second system, after speaking with the end user, they stated that they visited a Google search link, and immediately upon arrival were told they were infected with a trojan. They were told to "click here" to fix the problem. This user did not click and instead shut down their computer. On inspection of this box, there was nothing showing that would indicate an infection. A full scan of the box with Symantec 10 (as referenced above) showed nothing.

So food for thought here .....

- Roger Grimes has stated that if any malware shows on a PC, one should format and reinstall. That once malware is in place one can never be sure that it is cleaned 100%. In the first PC's case, malware for certain is in place. Should one wipe this system? Hey, if Symantec EP can't detect this stuff (as noted in an earlier post), why the heck even bother with trying to clean this PC?

- On the second system, there would appear to be no infection. But how can one be certain? In the case of this system, if this was one of your customers and that client was a financial advisor with lots of sensitive data passing in and out of that PC, how would you advise that client's ownership group?

- How, on a totally patched system, does a drive-by happen? Even if one took away local box admin rights, I understand that within the security context of the local Docs\Settings folder structure, malware can be written to exercise the user's rights in that folder to do its dirty work. So, in the end, what is one to do? Is this a hopeless cause?

So, I guess the main question is, on box #2 do you wipe or assume all is well?

I must admit that after years of working in this industry I am WEARY of the Internet.  It seems that allowing users to access the internet even on boxes that have restricted local admin rights is a VERY RISKY ADVENTURE these days.

User education?  Don't make me barf!

Vikram Kumar-SAV to SEP wrote:

Internet Not safe anymore

The Internet is not safe any more; Google is not safe at all.
3 out of 10 results will point to a malicious/compromised site.
Tons and tons of malicious files are loaded onto the Internet daily, which are unknowingly downloaded by people worldwide. When a malicious file is created, they make sure no one is detecting it (at least not the famous ones).
If any antivirus were 100% safe, these botnets wouldn't have been such a big hit in recent times.
Now coming to SEP: there have been lots of posts on PAV.
Do you really think SEP doesn't detect any PAV variants?
I can guarantee that daily many PAV samples are being submitted to Symantec Security Response, some by customers/tech support/Symantec sensors etc.
But every hour they come up with new variants. The PAV authors are working at more speed than the AV companies, just because they want to earn from this software.
However, I agree that if your system is once compromised it can never be trusted.
However, if you plan to re-image the PC, always make it a best practice to submit the threat to Symantec Security Response at https://submit.symantec.com/basic / essential, depending on your contract.
So that you cannot be infected with the same one in the future, i.e. you (or anybody on the unsafe Internet) won't have to re-image any other PC because of the same files.
Now coming to your second computer: you cannot go by the user's word.
Last night even I was hit by a similar threat on my production system in the office. I disconnected the LAN immediately. Still, I was able to find 2-3 EXEs in my content.IE and %temp% and 2-3 DLLs lying here and there. Well, I ran Rapid Release defs and did a scan; all were detected.
Then, when I analysed it further, it had created about 100 services, which I had to remove manually (it was only the services entry; no .sys file was found on the system).

So you never know what all has been downloaded onto your system. If you want, you can run some Rapid Release and freeware tools to find out if it really downloaded something, or if it's possible just go ahead and re-image it.


Abhishek Pradhan wrote:

Some cannon fodder :)

" Roger Grimes has stated that if any malware shows on a PC that one should format and reinstall.  That once malware is in place one can never be sure that it is cleaned 100%.  In the 1st PC case, malware for certain is in place.  Should one wipe this system?  Hey, if Symantec EP can't detect this stuff (as noted in an earlier post) why the heck even bother with trying to clean this PC?"

>> Rightly said, but he overlooks one fact. If you simply go ahead and re-image the system, chances are that the malware that infected your PC(s) might be detected too late to have an effective response to it. Best option: if you have a threat, submit it to Security Response and get it detected as well.

Even with a fully patched system, if the threat is infecting, chances are that it's a possible new variant/offshoot program of an existing threat out in the wild that IS BEING DETECTED.

With the limited user rights option enabled, we actually don't take away the rights of the users to be able to change wallpapers and/or install BHOs (Browser Helper Objects). In such a case, this particular threat loads itself as a wallpaper and a persistently loaded desktop icon by creating entries in HKLM\System\.....\CurrentVersion\Run and setting a seemingly legit DLL/OCX file to rename itself to EXE, execute, and create the icons/other stuff.

Furthermore, this is just the tip of the iceberg. The actual threat is not yet present on your system(s). When the user clicks on Scan Now or something similar, that's when the actual payload is downloaded, in the form of seemingly innocuous updates or additional files required for the program to work, and these execute immediately on coming onto the system and create several other load points/trigger points that again download the payload time and again in case we delete one part of it. This is done by creating several additional entries in the registry.

Unless the parent payload file is determined and dealt with, the system is actually never free from the threat.

HTH

Abhishek Pradhan, MCT, PMP
ISMS Internal Auditor (ISO 27001), SIG Lead - Microsoft Pune User Group
http://hackatac.blogspot.com | http://www.puneusergroup.org
"You can always spot a happy biker by the bugs in his teeth....."
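
The checks the two posts above describe by hand (Vikram's service entries with no file behind them and the stray EXEs/DLLs in content.IE and %temp%; Abhishek's Run-key load points and renamed DLL/OCX files) can be scripted so the same pass is run on every suspect box, including the "looks clean" one. The script below is an added example, not code from either poster or from Symantec. It assumes an elevated Windows PowerShell prompt, the standard Run/RunOnce and CurrentControlSet\Services registry locations, and the XP/Vista/7-era %TEMP% and Temporary Internet Files paths; the seven-day lookback and the list of "user-writable" folder names are arbitrary choices for illustration. It is read-only and only reports; deciding what is malicious, and whether to wipe, is still a human call.

```powershell
# Added example (not from the thread): read-only persistence triage for a Windows
# box after a suspected fake-AV drive-by. Reports Run/RunOnce entries, service or
# driver entries whose ImagePath has no file on disk, and recently written
# executables in temp / IE cache folders. Assumes an elevated Windows PowerShell
# prompt and standard registry/cache locations; nothing is deleted.

$lookbackDays = 7                                  # assumption: how far back to look
$cutoff = (Get-Date).AddDays(-$lookbackDays)

# Turn a raw command line or ImagePath value into the file it actually refers to.
function Get-ImageFile([string]$raw) {
    $p = $raw.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }                                    # "C:\x y\a.exe" /arg
    elseif ($p -match '^(.+?\.(exe|sys|dll|ocx|scr|bat|cmd))(\s|$)') { $p = $Matches[1] }  # C:\x\a.exe /arg
    else { $p = ($p -split '\s+')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''                                                    # \??\C:\a.sys -> C:\a.sys
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')                          # \SystemRoot\system32\...
    if (-not [IO.Path]::IsPathRooted($p)) {
        # Bare names (rundll32.exe) and driver paths (system32\drivers\x.sys) are
        # resolved the way the loader would, relative to system32 and then %SystemRoot%.
        foreach ($base in @("$env:SystemRoot\system32", $env:SystemRoot)) {
            $cand = Join-Path $base $p
            if (Test-Path -LiteralPath $cand) { return $cand }
        }
        return (Join-Path $env:SystemRoot $p)
    }
    return $p
}

# 1. Autostart entries. Flag anything launching from a user-writable folder
#    (where a limited user can still drop files) or pointing at a missing file.
Write-Host "== Run/RunOnce autostart entries =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd   = [string]$item.GetValue($name)
        $file  = Get-ImageFile $cmd
        $flags = @()
        if ($file -match '\\(Temp|Temporary Internet Files|INetCache|Application Data|AppData)\\') {
            $flags += 'user-writable location'
        }
        if (-not (Test-Path -LiteralPath $file)) { $flags += 'target missing' }
        "{0}\{1} = {2}  [{3}]" -f $key, $name, $cmd, ($flags -join ', ')
    }
}

# 2. Service and driver entries whose binary is not on disk (the "services entry,
#    no .sys file" leftover). Expect some noise from uninstalled software.
Write-Host "`n== Services/drivers whose ImagePath has no file on disk =="
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = $_.GetValue('ImagePath')
    if (-not $img) { return }                       # many subkeys carry no ImagePath at all
    $file = Get-ImageFile ([string]$img)
    if (-not (Test-Path -LiteralPath $file)) {
        "{0,-28} Start={1}  ImagePath={2}" -f $_.PSChildName, $_.GetValue('Start'), $img
    }
}

# 3. Executables dropped recently into temp and the IE cache.
Write-Host "`n== Executables written in the last $lookbackDays days in temp / browser cache =="
$tempDirs = @(
    $env:TEMP
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"   # Vista/7 IE cache (content.IE5)
    "$env:USERPROFILE\Local Settings\Temporary Internet Files"       # XP IE cache
)
foreach ($d in $tempDirs) {
    if (-not $d -or -not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -Recurse -Force -Include *.exe,*.dll,*.ocx,*.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object { "{0:yyyy-MM-dd HH:mm}  {1,10:N0} bytes  {2}" -f $_.LastWriteTime, $_.Length, $_.FullName }
}
```

Run it on the box that "seems OK" as well as the one that was obviously infected, and keep the output: an empty third section plus no unexplained Run or service entries is actual evidence for the "do not wipe" decision, whereas a clean AV scan alone is not, since, as the thread notes, the scanner may simply not have a signature yet. Anything it lists that cannot be accounted for is also exactly what to submit to Security Response before the re-image.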

Rick Bywalski wrote:

My thoughts

Personally I always tell people security is a layered approach and any AV product is the last line of defence. I would recommend a URL filter that provides frequent updates to some security categories. Websense does a pretty good job on this. Also, make sure machines and applications are fully patched and up to date. If the threat uses an exploit to get in and the exploit is not there, it can't get in. Having users unable to install applications helps prevent them from accidentally doing something bad; while it will not prevent everything, it does help. Also, user education plays a part, making them aware of the stupid things people do.

OIStaff wrote:

Rick.

Of these systems, one was fully patched for all software installed. On this system we have been given the go-ahead to manage all aspects. So, monthly we verify that all patches are in place with the Secunia software program. This was the system I refer to where the user stopped and restarted. That seems to be OK.

On the other system, we manage MS updates using WSUS, but the client has not taken us up on managing 3rd-party apps. So, I know that Flash, Reader and Java were flawed on this system when it was hacked. This was the system that for sure was hacked and that we wiped clean. Note, not a re-image, but a delpart // fdisk /mbr and then reinstall.

Still, it seems there are two things:

 1) How, on a system that is fully patched, does a drive-by occur? And is there really anything that can be done to stop this? It seems to me that, short of a whitelist, a user is no longer safe on the Internet.

 2) Does one wipe the system that seems to be OK, but was prompted with the initial PAV lead-in? That is, the user visited a link that then prompted them that they are infected and to click here to fix it.

Bijay.Swain wrote:

My suggestion to clients is to update Windows and also the other software which is installed.

Vikram Kumar-SAV to SEP wrote:

Nothing can make you 100% secure on the Internet. Threats use social engineering to drive by:
some link that the user will be forced/lured to click on.
Once he clicks on the link, it's no longer an exploit. Now it uses the logged-in user's privileges to come in.
There are threats which look for a vulnerability and exploit it, but if the user is clicking on some link and telling it to install (unintentionally), it won't need a vulnerability.

For every fake AV (PAV, AV360, etc. etc.), they all use the same technique to lure and scare users that they are already infected; then, once you click on YES, it will start installing the EXEs on your computer.

Sometimes the files will be downloaded to your computer but you will have to click on some pop-up to install them on your computer. Sometimes, once you click on a link, they start installing on your computer using some vulnerability, like IE or Flash etc.


Paul Mapacpac wrote:

Re

Most of the websites today scam people so that they can track the users' activity for their research. So one of the best things to do is to educate the users.
For administrators, teach them the flow of SEP from the start (e.g. installation of AV, virus infection, virus submission etc.).

Maximilian wrote:

You need additional security to protect yourself against malicious code on the Internet. Getting rid of viruses nowadays usually demands a lot of work. The real trick is to make sure you do not get any viruses in the first place.

Using a proxy solves this issue pretty well, especially if it is bought from an external provider that will scan all sites before allowing them to be accessed by a user. Any site that is not reliable (or not up to code by a predefined filter) will be blocked for the user. This proxy can be installed in a way that it cannot be removed by the user and will also be active if they change to an unprotected network, like a home office or an Internet cafe.

Int3rn3t wrote:

Security

You need a layered security approach:

Network firewall
Gateway proxy + antivirus + content scanning

Then host-based HIPS and antivirus.

You need to block unwanted websites and monitor user habits.

OIStaff wrote:

So, my understanding then on this is that we need to have all Internet content reviewed before we allow the user to get to the URL they have requested? Anyone have suggestions on a good proxy, content scanner and HIPS system?

A second thought on this is: are these systems automated, in the sense that the filters are automatically updated? And is the automator a 3rd-party vendor and not myself :-)

Is it legal to monitor user browsing?

Vikram Kumar-SAV to SEP wrote:

SEP is the best HIPS (host-based intrusion prevention system), in the Network Threat Protection feature.

Symantec has a gateway antivirus which also does content scanning. I am not sure about its proxy capabilities, though; the best way would be to get in contact with Symantec Customer Care.

These products get automatic updates for URL monitoring and blocking. Websense has a good name.


Maximilian wrote:

Yes, the proxy is automated

You do not need to administer it if you do not want to, but then you might get blocked from access to legitimate sites. This is the downside of automated services: they are not perfect. But nowadays they are pretty good, so it will not cause you too much unnecessary work.

Check out www.scansafe.com (example of external proxy solution). I am not sure if Symantec yet has a similar service. Anyone?