It's been a while for me, but I'm re-investigating the ability to lock down these folders at certain "generic" levels without interfering with things too much.

Better still I think (because there will always be misconfigured systems), I'm working on something to check these things, match to the registry, and kill, delete, etc.

Oh, and BTW, if it's never come across in my previous posts: I detest IE. Yes, newer versions are better. Don't care at this point. :-)

--
Espi

On Wed, Jul 13, 2011 at 11:33 AM, Harry Singh <[email protected]> wrote:

> What have you been using to remove the malware? The support team here have
> been dealing with increased occurrences more frequently, even with the
> machines being patched and the logged-on users having the bare minimum of
> permissions. I don't have any whitelisting software or any GPOs that lock
> down specific folders yet.... I wondered if this was even viable considering
> applications' reliance on APPDATA.
>
> On Wed, Jul 13, 2011 at 2:28 PM, Micheal Espinola Jr <[email protected]> wrote:
>
>> To be addressed at a later date, yes. ;-)
>>
>> --
>> Espi
>>
>> On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <[email protected]> wrote:
>>
>>> and as to "Maybe I'm nuts.", isn't that a separate issue??? <grin>
>>>
>>> On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <[email protected]> wrote:
>>>
>>>> Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have
>>>> some very simple questions about things I almost ALWAYS see on infected
>>>> systems. Perhaps someone here can clarify something for me that I have yet
>>>> to see Microsoft and any antivirus vendor directly address. I'm gonna start
>>>> this with one point, and then how the conversation goes:
>>>>
>>>> I almost always see malware injection points in the allusers\appdata
>>>> folder. In these instances I *always* see a reference in one of the "run"
>>>> registry keys.
>>>>
>>>> As far as I know, this top-level appdata folder should NOT contain files
>>>> at all. I repeat: NO FILES AT F'ING ALL.
>>>>
>>>> Can someone confirm this? Can someone with contacts at Microsoft or
>>>> other AV providers confirm why this is completely overlooked when scanning?
>>>> This is where 0-day malware very commonly lives. This is very easy to check!
>>>>
>>>> Thank you for your time and any vendor reach-outs you can provide.
>>>>
>>>> I'm currently working on a set of scripts to check what I consider very
>>>> foolish things like this. If anyone wants to team up, please do.
>>>>
>>>> --
>>>> Espi
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to [email protected]
>>>> with the body: unsubscribe ntsysadmin
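An added example of the check the thread describes, not a script from any of the participants: a read-only PowerShell script that lists files sitting directly in the top level of the all-users AppData folder (C:\ProgramData on Vista and later, All Users\Application Data on XP) and cross-references each one against the HKLM/HKCU Run and RunOnce keys. It goes a step beyond the thread by also inspecting the current user's roaming and local AppData roots; the `$knownGood` list is an assumed placeholder for locally verified exceptions and ships empty. It is written for PowerShell 2.0 and later, so it avoids the `-File` switch and `[PSCustomObject]`.

```powershell
# Added example, not a script from the thread: report files that sit directly
# in the top level of the all-users AppData folder (plus the current user's
# AppData roots) and cross-reference them with the Run/RunOnce autostart keys.
# Read-only: it reports, it never kills or deletes anything.
# Written for PowerShell 2.0 and later (no -File switch, no [PSCustomObject]).

# Folders whose top level should hold sub-folders, not loose files.
# CommonApplicationData resolves to C:\ProgramData on Vista and later and to
# "C:\Documents and Settings\All Users\Application Data" on XP.
$folders = @(
    [Environment]::GetFolderPath('CommonApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),      # current user, roaming
    [Environment]::GetFolderPath('LocalApplicationData')  # current user, local
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumed placeholder: file names an admin has verified as expected locally.
$knownGood = @()

# Autostart keys to cross-reference; Wow6432Node keys only exist on 64-bit hosts.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Flatten every Run value into (Key, Name, Command) with %VAR% references expanded,
# so a value like %ProgramData%\x.exe still matches the file it points at.
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        New-Object PSObject -Property @{
            Key     = $key
            Name    = $prop.Name
            Command = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        }
    }
}

$findings = foreach ($folder in $folders) {
    # -Force includes hidden and system files; the PSIsContainer test keeps files only.
    $files = Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($knownGood -notcontains $_.Name) }
    foreach ($file in $files) {
        # Case-insensitive substring match on the bare file name covers quoted,
        # env-var and argument-wrapped forms of the path in the Run value.
        $hits = $runEntries | Where-Object {
            $_.Command.IndexOf($file.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        New-Object PSObject -Property @{
            File       = $file.FullName
            SizeBytes  = $file.Length
            Modified   = $file.LastWriteTime
            Hidden     = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            RunKeyHits = ($hits | ForEach-Object { "$($_.Key)\$($_.Name) = $($_.Command)" }) -join '; '
        }
    }
}

if (-not $findings) {
    "No loose files found in: $($folders -join ', ')"
} else {
    # Files that also carry a Run-key reference are listed first.
    $findings | Sort-Object @{ Expression = { $_.RunKeyHits -eq '' } }, File |
        Format-Table -AutoSize File, SizeBytes, Modified, Hidden, RunKeyHits
}
```

Run it from an elevated prompt so the HKLM keys and hidden files are readable; a file that appears with a non-empty RunKeyHits column is exactly the pairing the thread describes (loose file in the AppData root plus a Run value pointing at it) and is the first thing to hand to whoever triages the machine. Keeping the script read-only and pushing any kill/delete step into a separate, reviewed action avoids trashing a legitimately misplaced file before anyone has looked at it.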
