Koozali.org: home of the SME Server

XP / Vista Antivirus 2008 attack behind SME

msk
XP / Vista Antivirus 2008 attack behind SME
« on: July 30, 2008, 09:36:19 AM »
Hello

I am using SME as my network gateway server; for the past few days my network PCs have been under attack by "XP Antivirus 2008".

Here are details about this auto-installing virus/malware:
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

Finally I found Malwarebytes' Anti-Malware tool to remove it from the PCs.

But I want to know if there is any setting or configuration in SME Server to protect against these attacks on LAN PCs behind the SME gateway.

Best regards
Mobassir Sattar Khan

CharlieBrady
Re: XP / Vista Antivirus 2008 attack behind SME
« Reply #1 on: July 30, 2008, 04:03:23 PM »
But I want to know if there is any setting or configuration in SME Server to protect against these attacks on LAN PCs behind the SME gateway.

No, there are not. SME Server does not block any content which is requested by a program (such as a browser) running on a system behind its firewall. It does block any external attacks by programs running on other systems out on the Internet.

There are some add-ons which might do the filtering you are looking for.

shawnbishop
Re: XP / Vista Antivirus 2008 attack behind SME
« Reply #2 on: July 30, 2008, 07:00:15 PM »
Hi

You could prevent this type of attack by preventing the users from downloading the exe for these programs; use something like DansGuardian and/or SquidGuard, and don't allow these users onto the network...

Or even better, you can put a firewall in front of your SME Server; use something like Untangle, which is Open Source, GPL licensed and very easy to configure.
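One way to do the "block the exe download" part of this on the gateway's own Squid proxy, as an added example that is not from this thread or from the SME project (it assumes SME Server's Squid is already proxying the LAN's HTTP traffic, and the ACL names are made up here):

```conf
# Added example (not from the thread): deny Windows executable downloads
# through the gateway's Squid proxy. Put these lines before the existing
# "http_access allow ..." rules for the LAN so the deny is evaluated first.

# 1. Request side: block by URL extension. Cheap, but trivially evaded by
#    a server that serves the .exe under a different name (e.g. as .jpg).
acl win_exe_url urlpath_regex -i \.(exe|scr|pif|com|bat|cmd|msi)$
http_access deny win_exe_url

# 2. Reply side: also block on the Content-Type the server actually sends,
#    which catches renamed executables that the extension check misses.
#    application/octet-stream is deliberately broad (it also covers zips and
#    installer bundles); expect to add an allow rule for trusted update hosts.
acl win_exe_mime rep_mime_type -i ^application/x-msdownload$
acl win_exe_mime rep_mime_type -i ^application/x-msdos-program$
acl win_exe_mime rep_mime_type -i ^application/octet-stream$
http_reply_access deny win_exe_mime
```

Denied requests show up in Squid's access.log as TCP_DENIED, which is the quickest way to see which LAN PC keeps asking for the installer. This only inspects plain HTTP; an HTTPS download passes through the proxy untouched, so it does not replace cleaning the PCs.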

imcintyre
Re: XP / Vista Antivirus 2008 attack behind SME
« Reply #3 on: July 31, 2008, 12:14:11 AM »
Don't forget to apply any solutions to laptops or other portables.

mike_mattos
Re: XP / Vista Antivirus 2008 attack behind SME
« Reply #4 on: August 06, 2008, 03:50:52 PM »
I recently cleaned that virus off a couple of computers; BOTH had been running the same file share / download program, and I suspect it was eMule. I don't think it is eMule itself, rather that they both downloaded infected files, and/or made their machines part of an infected network
...

MSmith
Re: XP / Vista Antivirus 2008 attack behind SME
« Reply #5 on: August 06, 2008, 03:52:21 PM »
Just for the record, I've had tremendous success on 2000/XP systems using a tool called ERUNT, which makes date-stamped copies of the registry on demand and at startup. This doesn't have all the overhead and other issues of System Restore, but makes it trivial to revert to an uninfected registry, then clean up the mess. I also use a BartPE CD to boot infected systems and look for files with appropriate modification/creation dates (and nonsense names, and Program Files directories, etc). This, of course, does not prevent problems with VERY sneaky malware that, for instance, patches "beep.sys" to load, but it will give you many more ways to attack these problems.

Of course, ERUNT must be installed and in use *before* the problem occurs!

And, thanks to UAC, ERUNT doesn't properly make backups at Vista startup, so it is much less useful than on XP/2000 systems.

One final note:  I install the Recovery Console on every XP/2000 system that I touch.  ERUNT creates its backups in C:\WINDOWS\ERDNT which is accessible under Recovery Console, so it's easy to put a clean registry in place.

...

imcintyre
Re: XP / Vista Antivirus 2008 attack behind SME
« Reply #6 on: August 14, 2008, 05:32:41 PM »
MSmith;

Thanks for the ERUNT tip.

IMc