Rogue/Fake Antivirus Malware detection?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Rogue/Fake Antivirus Malware detection?

L0 Member

I was wondering if there is any way to detect the Rogue/Fake Antivirus Malware that is making its way around the internet?

A couple in paticular are Internet Security 2010, Antivirus Live and Advanced Virus Remover.

Thanks,

D

1 accepted solution

Accepted Solutions

The WildFire feature in 4.1 code should detect these types of malware.

Cheers,

Kelly

View solution in original post

7 REPLIES 7

L4 Transporter

Along with our standard AV and Spyware signatures and known-malware URL categories, we have introduced a new "drive-by download protection" feature in PAN-OS 4.0.  Basically this gives you the capability of setting a "continue" action on a file-blocking profile.  For instance, you can set all executable downloads as "continue".

This keeps malicious web pages from automatically downloading and installing fake antivirus and malware detection programs when users inadvertently hit the page.  Instead they will get a warning page pop up that you can customize.  If the file really is legitimate, the user can continue the download at their choice and the session will be logged.

Cheers,

Kelly

L4 Transporter

Specific threats aside the only way we will detect any malicious traffic is if it traverses the properly licensed Firewall. Of course the threats must also be identified and a signature be created that we can match. You can also detect via a TAP interface but this will not allow for anything beyond reporting.

~Phil

Having read this thread, I'm not sure the question asked was answered.  So let me re-ask the orginal question another way.  Do PA's malware or threat filters have signatures for the Rogue/Fake AV malware that continues to circle the Internet?  I'm guessing not because as recent as two weeks ago, one of our staff hit a site that infected her work machine with fake AV malware while she was in the office.  The firewall that handled that user's traffic at the time was running the 4.08 code at that time.

The WildFire feature in 4.1 code should detect these types of malware.

Cheers,

Kelly

Thanks!

However it will miss the first detection and if these fake AV sites regenerate their exe files (to avoid detection from signaturebased AV's) Wildfire wont help (since Wildfire will only get a hit if the particular executable was found out to be bad AND has been seen previously by Wildfire). Wildfire will also miss it if the fake exe used a stolen cert (which isnt found out to be stolen yet) to sign the executable since Wildfire currently just ignores testing such executables.

Doesnt most of these bad sites belong to the "Spyware and Adware" or "Malware Sites" url category which you could just block?

I tried some urls from http://www.spywarewarrior.com/rogue_anti-spyware.htm and most of them turned up belonging to the "Spyware and Adware" or "Malware Sites" url category according to www.brightcloud.com.

The Malware group was a gap for us that we are fixing this week.  We had all of the other types of nasty groups already filterd.

  • 1 accepted solution
  • 3590 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!