Has anyone noticed a major uptick in viruses affecting XP Pro clients on
SBS2003 networks over the past few months? I'm talking the "you have been
infected with a virus and we are going to scan... click here to purchase our
product" type of viruses. I have been using MalwareBytes to clean them but
even MB is missing a few unless the database is REALLY up to date.

I have given a lot more latitude to clients in letting them have local admin
priv. and I am very good at keeping clients up to date in software patches
and AV (trend WFBS) but am rethinking the local admin rights. The only
thing that puts a hole in that theory is I have another associate who is
major league locked down with non-local admin rights, updates, AV etc. in
addition to a very good appliance firewall from Barracuda. His XP Pro
clients are still getting hit. Labor to fix these issues is starting to get
bad.



thoughts?

Richard K wrote:

> Has anyone noticed a major uptick in viruses affecting XP Pro clients on
> SBS2003 networks over the past few months? I'm talking the "you have
> been infected with a virus and we are going to scan... click here to
> purchase our product" type of viruses. I have been using MalwareBytes
> to clean them but even MB is missing a few unless the database is REALLY
> up to date.
>
> I have given a lot more latitude to clients in letting them have local
> admin priv. and I am very good at keeping clients up to date in software
> patches and AV (trend WFBS) but am rethinking the local admin rights.
> The only thing that puts a hole in that theory is I have another
> associate who is major league locked down with non-local admin rights,
> updates, AV etc. in addition to a very good appliance firewall from
> Barracuda. His XP Pro clients are still getting hit. Labor to fix
> these issues is starting to get bad.
>
> thoughts?
>
>

yup.
It's malicious banner ads in google hits.

Block the banner ads from the rotation.

Start killing off XP.

Behind a well-configured WatchGuard firewall, those pages are no threat. The
fake page comes up (or at least parts of it), but no executable files (DLL,
EXE, SYS, etc) can reach the computer, so they end up being just a scary
annoyance.

For clients without a WatchGuard in place, I have seen them get by AV
software. One day it will get by Norton/Symantec, another day it gets by
WFBS, yet another day, it gets by a different vendor. Completely innocent
searches can get one into trouble. My wife searched Google for "tuxedo
cheesecake recipe" and got one of those pages. She stopped and told me, then
I had my way with it through the WatchGuard, and it stopped everything that
tried to get through it.

I have my WG set very tight, only trusting Microsoft, Trend Micro, and a
couple others for access to executables. For others that are blocked but
needed, I have a temporary-use bypass username and password that allows the
download, but AV scans it as it comes in. For a user to get infected, they'd
have to ignore the screaming red warnings in my custom deny message from the
WG that the file might be infected, they'd have to know the bypass username
and password, the download would have to get by the WG's AV scan (using
AVG), and get by the different vendor's AV on the desktop. In my testing,
that is nearly impossible (never failed yet!). I test with an unpatched Win
2000 VPC with no antivirus, and with an unprotected XP VPC.

Gregg Hill

--
Gregg's pet peeves:

First of all, what does a peeve look like, and why would anyone want one as
a pet?

Peeve #1: Apostrophes: when in doubt, leave them out! You will be correct
more often than not.

Its = Belonging to it. For example, "Look at the sky. Its color is blue."
It's = It is. For example, "It's hot today."
It's = It has. For example, "It's been nice talking to you."
Its' = completely incorrect usage. Stop it!


Peeve #2: Your vs. You're
"Your" means belonging to you, as in, "It's your truck."
"You're" means "You are." Example, you're probably about ready to throttle
me for this peeve!

"Richard K" <rkokoski@newsgroup> wrote in message
news:OvjkyYBvKHA.3408@newsgroup

> Has anyone noticed a major uptick in viruses affecting XP Pro clients on
> SBS2003 networks over the past few months? I'm talking the "you have been
> infected with a virus and we are going to scan... click here to purchase
> our product" type of viruses. I have been using MalwareBytes to clean
> them but even MB is missing a few unless the database is REALLY up to
> date.
>
> I have given a lot more latitude to clients in letting them have local
> admin priv. and I am very good at keeping clients up to date in software
> patches and AV (trend WFBS) but am rethinking the local admin rights. The
> only thing that puts a hole in that theory is I have another associate who
> is major league locked down with non-local admin rights, updates, AV etc.
> in addition to a very good appliance firewall from Barracuda. His XP Pro
> clients are still getting hit. Labor to fix these issues is starting to
> get bad.
>
> thoughts?
>
>

In article <OvjkyYBvKHA.3408@newsgroup>,
rkokoski@newsgroup says...

> Has anyone noticed a major uptick in viruses affecting XP Pro clients on
> SBS2003 networks over the past few months? I'm talking the "you have been
> infected with a virus and we are going to scan... click here to purchase our
> product" type of viruses. I have been using MalwareBytes to clean them but
> even MB is missing a few unless the database is REALLY up to date.
>
>

On unmanaged networks where they don't restrict web access, where they
don't filter email contents, where they run as local admins, seen more
of it than 6 months ago. On managed networks, open web to ONLY business
approved sites, email filtered to remove any possibly malicious file,
not any sign of it.

Cost of removing malware exceeds the cost of preventing access to it in
every case, but the customers don't want to "limit" creativity or
freedom :-)

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free@newsgroup (remove 999 for proper email address)

How do you block the banner ads?

"Susan Bradley" <sbradcpa@newsgroup> wrote in message
news:uKuAFoBvKHA.800@newsgroup

> Richard K wrote:

>> Has anyone noticed a major uptick in viruses affecting XP Pro clients on
>> SBS2003 networks over the past few months? I'm talking the "you have
>> been infected with a virus and we are going to scan... click here to
>> purchase our product" type of viruses. I have been using MalwareBytes to
>> clean them but even MB is missing a few unless the database is REALLY up
>> to date.
>>
>> I have given a lot more latitude to clients in letting them have local
>> admin priv. and I am very good at keeping clients up to date in software
>> patches and AV (trend WFBS) but am rethinking the local admin rights.
>> The only thing that puts a hole in that theory is I have another
>> associate who is major league locked down with non-local admin rights,
>> updates, AV etc. in addition to a very good appliance firewall from
>> Barracuda. His XP Pro clients are still getting hit. Labor to fix these
>> issues is starting to get bad.
>>
>> thoughts?
>>
>>

> yup.
> It's malicious banner ads in google hits.
>
> Block the banner ads from the rotation.
>
> Start killing off XP.

SBS2003 with XP Pro clients running WFBS. I can take away the local admin
rights (but for some users that can be a real pain if they use apps looking
for more access like QB). I cannot control where users surf the net but I'm
pretty sure they are getting these via web surfing.

"Leythos" <spam999free@newsgroup> wrote in message
news:MPG.25faae1c76afed6298a177@newsgroup

> In article <OvjkyYBvKHA.3408@newsgroup>,
> rkokoski@newsgroup says...

>> Has anyone noticed a major uptick in viruses affecting XP Pro clients on
>> SBS2003 networks over the past few months? I'm talking the "you have
>> been
>> infected with a virus and we are going to scan... click here to purchase
>> our
>> product" type of viruses. I have been using MalwareBytes to clean them
>> but
>> even MB is missing a few unless the database is REALLY up to date.
>>
>>

>
> On unmanaged networks where they don't restrict web access, where they
> don't filter email contents, where they run as local admins, seen more
> of it than 6 months ago. On managed networks, open web to ONLY business
> approved sites, email filtered to remove any possibly malicious file,
> not any sign of it.
>
> Cost of removing malware exceeds the cost of preventing access to it in
> every case, but the customers don't want to "limit" creativity or
> freedom :-)
>
> --
> You can't trust your best friends, your five senses, only the little
> voice inside you that most civilians don't even hear -- Listen to that.
> Trust yourself.
> spam999free@newsgroup (remove 999 for proper email address)

Implementing OpenDNS would be a help in controlling the web surfing.

"Richard K" <rkokoski@newsgroup> wrote in message
news:%23efyeBGvKHA.2436@newsgroup

> SBS2003 with XP Pro clients running WFBS. I can take away the local admin
> rights (but for some users that can be a real pain if they use apps
> looking for more access like QB). I cannot control where users surf the
> net but I'm pretty sure they are getting these via web surfing.
>
> "Leythos" <spam999free@newsgroup> wrote in message
> news:MPG.25faae1c76afed6298a177@newsgroup

>> In article <OvjkyYBvKHA.3408@newsgroup>,
>> rkokoski@newsgroup says...

>>> Has anyone noticed a major uptick in viruses affecting XP Pro clients on
>>> SBS2003 networks over the past few months? I'm talking the "you have
>>> been
>>> infected with a virus and we are going to scan... click here to purchase
>>> our
>>> product" type of viruses. I have been using MalwareBytes to clean them
>>> but
>>> even MB is missing a few unless the database is REALLY up to date.
>>>
>>>

>>
>> On unmanaged networks where they don't restrict web access, where they
>> don't filter email contents, where they run as local admins, seen more
>> of it than 6 months ago. On managed networks, open web to ONLY business
>> approved sites, email filtered to remove any possibly malicious file,
>> not any sign of it.
>>
>> Cost of removing malware exceeds the cost of preventing access to it in
>> every case, but the customers don't want to "limit" creativity or
>> freedom :-)
>>
>> --
>> You can't trust your best friends, your five senses, only the little
>> voice inside you that most civilians don't even hear -- Listen to that.
>> Trust yourself.
>> spam999free@newsgroup (remove 999 for proper email address)

>

Block the ads with OpenDNS.

One additional comment: from personal experience, Power User in XP is as
bad as full admin rights when it comes to these risks. I had a local power
user get infected with something (not this Antivirus 2010 or whatever) just
by visiting a page from a google search. I agree with Susan - start getting
rid of XP - but until you can do that, run everyone as standard user, not
power user.

And yes, I'm seeing an increase in the frequency.

"Richard K" <rkokoski@newsgroup> wrote in message
news:uQ2qKAGvKHA.5008@newsgroup

> How do you block the banner ads?
>
> "Susan Bradley" <sbradcpa@newsgroup> wrote in message
> news:uKuAFoBvKHA.800@newsgroup

>> Richard K wrote:

>>> Has anyone noticed a major uptick in viruses affecting XP Pro clients on
>>> SBS2003 networks over the past few months? I'm talking the "you have
>>> been infected with a virus and we are going to scan... click here to
>>> purchase our product" type of viruses. I have been using MalwareBytes
>>> to clean them but even MB is missing a few unless the database is REALLY
>>> up to date.
>>>
>>> I have given a lot more latitude to clients in letting them have local
>>> admin priv. and I am very good at keeping clients up to date in software
>>> patches and AV (trend WFBS) but am rethinking the local admin rights.
>>> The only thing that puts a hole in that theory is I have another
>>> associate who is major league locked down with non-local admin rights,
>>> updates, AV etc. in addition to a very good appliance firewall from
>>> Barracuda. His XP Pro clients are still getting hit. Labor to fix
>>> these issues is starting to get bad.
>>>
>>> thoughts?
>>>
>>>

>> yup.
>> It's malicious banner ads in google hits.
>>
>> Block the banner ads from the rotation.
>>
>> Start killing off XP.

>

I wish I could reject all local admin rights but there are some pieces of
software that will not run without local admin and some (like QB) that
require extensive customization so they can work if the user does not
provide local admin. As far as getting rid of XP..... easier said then done
with budgets and time with a lot of these businesses.

"Dave Nickason [SBS MVP]" <gwdibble@newsgroup> wrote in message
news:ecl1deIvKHA.3860@newsgroup

> Block the ads with OpenDNS.
>
> One additional comment: from personal experience, Power User in XP is as
> bad as full admin rights when it comes to these risks. I had a local
> power user get infected with something (not this Antivirus 2010 or
> whatever) just by visiting a page from a google search. I agree with
> Susan - start getting rid of XP - but until you can do that, run everyone
> as standard user, not power user.
>
> And yes, I'm seeing an increase in the frequency.
>
> "Richard K" <rkokoski@newsgroup> wrote in message
> news:uQ2qKAGvKHA.5008@newsgroup

>> How do you block the banner ads?
>>
>> "Susan Bradley" <sbradcpa@newsgroup> wrote in message
>> news:uKuAFoBvKHA.800@newsgroup

>>> Richard K wrote:
>>>> Has anyone noticed a major uptick in viruses affecting XP Pro clients
>>>> on SBS2003 networks over the past few months? I'm talking the "you
>>>> have been infected with a virus and we are going to scan... click here
>>>> to purchase our product" type of viruses. I have been using
>>>> MalwareBytes to clean them but even MB is missing a few unless the
>>>> database is REALLY up to date.
>>>>
>>>> I have given a lot more latitude to clients in letting them have local
>>>> admin priv. and I am very good at keeping clients up to date in
>>>> software patches and AV (trend WFBS) but am rethinking the local admin
>>>> rights. The only thing that puts a hole in that theory is I have
>>>> another associate who is major league locked down with non-local admin
>>>> rights, updates, AV etc. in addition to a very good appliance firewall
>>>> from Barracuda. His XP Pro clients are still getting hit. Labor to
>>>> fix these issues is starting to get bad.
>>>>
>>>> thoughts?
>>>>
>>>>
>>> yup.
>>> It's malicious banner ads in google hits.
>>>
>>> Block the banner ads from the rotation.
>>>
>>> Start killing off XP.

>>

In article <uQ2qKAGvKHA.5008@newsgroup>,
rkokoski@newsgroup says...

> How do you block the banner ads?
>

Banner ads normally come from a site other than the one you're visiting,
so, if you have a firewall (or OpenDNS or a good host file), you won't
see them.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free@newsgroup (remove 999 for proper email address)