Untangle & spyware blocking

Any Untangle users here using it to block spyware? I've had two machines in the last two weeks hit with "Antivirus Live", and I'm wondering if it will completely stop that. One of them was the CEO's, and I had to reinstall after Antivirus 2009 got its hooks in last year. There's a special place in hell reserved for malware creators & propagators.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

RobertKaucher

I had considered deploying Untangle a while ago but I have not had the time. AV 2010 is really making some rounds. If you get the one that changes the EXE association I have a reg fix that thanges it back.
My general process is look in yask manager and find where AV.exe lives. Killit. Run the reg fix. Clean the system. Reboot.

I'm not sure who to credit the reg fix with as it was from a friend of a friend.

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

arwes

Thanks for that, I'm sure I'll be needing that fairly soon. Apparently some of our vendor sites that our users go to have 3rd party advertising loading and they aren't catching the malware installing stuff.

One thing I've noticed is that several of them try to serve up the stuff through a (ancient) javascript exploit in Adobe Reader. I think if you turn it off javascript, it only affects fillable forms. I'm going to test that out with a few of the repeat offenders and see if this takes care of it.

OoteR

RobertKaucher wrote: »

I had considered deploying Untangle a while ago but I have not had the time. AV 2010 is really making some rounds. If you get the one that changes the EXE association I have a reg fix that thanges it back.
My general process is look in yask manager and find where AV.exe lives. Killit. Run the reg fix. Clean the system. Reboot.

I'm not sure who to credit the reg fix with as it was from a friend of a friend.
....

.. I could have used that a couple days ago.. Had to do that badboy by hand.

Blech.

RobertKaucher

OoteR wrote: »

.. I could have used that a couple days ago.. Had to do that badboy by hand.

Blech.

Nice avatar, btw.

Nuwin

arwes wrote: »

Any Untangle users here using it to block spyware? I've had two machines in the last two weeks hit with "Antivirus Live", and I'm wondering if it will completely stop that. One of them was the CEO's, and I had to reinstall after Antivirus 2009 got its hooks in last year. There's a special place in hell reserved for malware creators & propagators.

I don't know if I've seen it actively block things like Antivirus Live. I've only ever noticed the spyware blocker show up on questionable link redirects.

If you know an infected site, I can test it for you.

OoteR

RobertKaucher wrote: »

Nice avatar, btw.

I'm so thankful for Cradle of Filth, they got me through some rough times.

Obdurate

arwes wrote: »

Any Untangle users here using it to block spyware? I've had two machines in the last two weeks hit with "Antivirus Live", and I'm wondering if it will completely stop that. One of them was the CEO's, and I had to reinstall after Antivirus 2009 got its hooks in last year. There's a special place in hell reserved for malware creators & propagators.

I had that virus on two work computers and a neighbors; I had to nuke-and-pave the two work computers (got to love Ghost). My neighbor's computer I got lucky, each family member had their own account and only one account got infected; all I did was delete the infected user account completely.

Of course I ran malwarebytes and an anti-virus sweep after I was done, which found nothing.

On a side note -- the bad guys appear to be using myspace and facebook as a launching pad

~Obdurate~