topic Rogue/Fake Antivirus Malware detection? in General Topics

Rogue/Fake Antivirus Malware detection?

migration — Thu, 21 Apr 2011 18:35:05 GMT

I was wondering if there is any way to detect the Rogue/Fake Antivirus Malware that is making its way around the internet?

A couple in paticular are Internet Security 2010, Antivirus Live and Advanced Virus Remover.

Thanks,

Re: Rogue/Fake Antivirus Malware detection?

kbrazil — Fri, 22 Apr 2011 15:27:19 GMT

Along with our standard AV and Spyware signatures and known-malware URL categories, we have introduced a new "drive-by download protection" feature in PAN-OS 4.0. Basically this gives you the capability of setting a "continue" action on a file-blocking profile. For instance, you can set all executable downloads as "continue".

This keeps malicious web pages from automatically downloading and installing fake antivirus and malware detection programs when users inadvertently hit the page. Instead they will get a warning page pop up that you can customize. If the file really is legitimate, the user can continue the download at their choice and the session will be logged.

Cheers,

Kelly

Re: Rogue/Fake Antivirus Malware detection?

pkruse — Fri, 22 Apr 2011 18:09:23 GMT

Specific threats aside the only way we will detect any malicious traffic is if it traverses the properly licensed Firewall. Of course the threats must also be identified and a signature be created that we can match. You can also detect via a TAP interface but this will not allow for anything beyond reporting.

~Phil

Re: Rogue/Fake Antivirus Malware detection?

carlboyer — Mon, 12 Mar 2012 15:16:06 GMT

Having read this thread, I'm not sure the question asked was answered. So let me re-ask the orginal question another way. Do PA's malware or threat filters have signatures for the Rogue/Fake AV malware that continues to circle the Internet? I'm guessing not because as recent as two weeks ago, one of our staff hit a site that infected her work machine with fake AV malware while she was in the office. The firewall that handled that user's traffic at the time was running the 4.08 code at that time.

Re: Rogue/Fake Antivirus Malware detection?

kbrazil — Mon, 12 Mar 2012 15:22:25 GMT

The WildFire feature in 4.1 code should detect these types of malware.

Cheers,

Kelly

Re: Rogue/Fake Antivirus Malware detection?

carlboyer — Mon, 12 Mar 2012 19:45:44 GMT

Thanks!

Re: Rogue/Fake Antivirus Malware detection?

mikand — Mon, 12 Mar 2012 21:48:47 GMT

However it will miss the first detection and if these fake AV sites regenerate their exe files (to avoid detection from signaturebased AV's) Wildfire wont help (since Wildfire will only get a hit if the particular executable was found out to be bad AND has been seen previously by Wildfire). Wildfire will also miss it if the fake exe used a stolen cert (which isnt found out to be stolen yet) to sign the executable since Wildfire currently just ignores testing such executables.

Doesnt most of these bad sites belong to the "Spyware and Adware" or "Malware Sites" url category which you could just block?

I tried some urls from http://www.spywarewarrior.com/rogue_anti-spyware.htm and most of them turned up belonging to the "Spyware and Adware" or "Malware Sites" url category according to www.brightcloud.com.

Re: Rogue/Fake Antivirus Malware detection?

carlboyer — Mon, 12 Mar 2012 21:53:31 GMT

The Malware group was a gap for us that we are fixing this week. We had all of the other types of nasty groups already filterd.