Honestly, the malware game is like a big game of Whack-a-Mole, therefore there are always going to be "writeable" areas in the OS even for the user, and the malware authors are using packing and anti-tampering methods that are evading most anti-virus vendors (the really targeted attacks), so it's a battle that is going to keep going on and on; just as soon as you block one method they come up with 3-5 more you haven't thought of.
The only suggestion would be a good application white-listing technology to only allow known good software and disallow anything else to run. I am sure it has its caveats (trust me, we are implementing application white-listing now, and compared to IPS it's still got its pain points). Although it's been fun reading the Malware Analyst's Cookbook and DVD, nice insight into reverse-engineering malware and seeing what it does so you can better protect your systems.

Keep your friends close and your enemies closer

EZ
Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Wednesday, July 13, 2011 2:28 PM
To: NT System Admin Issues
Subject: Re: Thought on malware cleaning

To be addressed at a later date, yes. ;-)

--
Espi

On Wed, Jul 13, 2011 at 11:09 AM, Erik Goldoff <[email protected]> wrote:

and as to "Maybe I'm nuts.", isn't that a separate issue ??? <grin>

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <[email protected]> wrote:

Maybe I'm nuts. Maybe I'm sick of dealing with malware. But I have some very simple questions about things I almost ALWAYS see on infected systems. Perhaps someone here can clarify something for me that I have yet to see Microsoft and any antivirus vendor directly address.

I'm gonna start this with one point, and then see how the conversation goes:

I almost always see malware injection points in the allusers\appdata folder. In these instances I *always* see a reference in one of the "run" registry keys. As far as I know, this top-level appdata folder should NOT contain files at all. I repeat: NO FILES AT F'ING ALL. Can someone confirm this? Can someone with contacts at Microsoft or other AV providers confirm why this is completely overlooked when scanning? This is where 0-day malware very commonly lives. This is very easy to check!

Thank you for your time and any vendor reach-outs you can provide.

I'm currently working on a set of scripts to check what I consider very foolish things like this. If anyone wants to team-up, please do.

--
Espi

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
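The check Espi describes above (loose files sitting directly in the top-level all-users application-data folder, and Run/RunOnce entries pointing at that folder or a per-user AppData folder), written out as an added PowerShell example; this is not a script from the thread or from any participant. It assumes Windows PowerShell 2.0 or later, resolves the all-users folder through the .NET CommonApplicationData special folder so it works on both XP-style and Vista-style layouts, and only reads the file system and registry.

```powershell
# Added example, not from the thread: report loose files in the all-users app-data
# folder and autorun entries that reference app-data locations. Read-only.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')  # e.g. C:\ProgramData

# 1. Files (not sub-folders) at the TOP level of the all-users app-data folder.
#    Legitimate software creates its own sub-folders here; loose files are unusual.
Write-Host "Loose files directly in $commonAppData :"
Get-ChildItem -Path $commonAppData -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 2. Run/RunOnce values whose command string references an app-data location.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Match the resolved all-users folder, or any \AppData\ / \Application Data\ path component.
$pattern = [regex]::Escape($commonAppData) + '|\\AppData\\|\\Application Data\\'

$hits = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # key absent on this build/bitness
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath/PSParentPath/etc. added by the provider
        if ("$($p.Value)" -match $pattern) {
            $hits += New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Write-Host "Autorun entries referencing app-data locations:"
if ($hits.Count -eq 0) { Write-Host "  (none)" } else { $hits | Format-Table -AutoSize -Wrap }
```

Run it in an elevated session so HKLM and the all-users folder are fully readable; every line it prints deserves a look, but a hit is a lead to investigate (publisher, signature, creation time), not proof of infection on its own.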
