Avast Doesn't Block XP Defender malware (ave.exe)


"David Kaye" wrote:

> What I'm getting at is that I use the best of off-the-shelf freebie programs
> my customers would tend to download. As for updates, typically when I first
> see them they have default Windows services turned on, so that they are up to
> date on Windows updates,

What about non-MS updates?

> I'm using IE8 Version 8.0.6001.18702.

That should be reasonably safe, hence the importance of checking 3rd
party (non-MS) plugins and helper apps.

> I know you mean well, but believe me, I already know about this stuff.

I appreciate you have some clue and that's why I'm interested in how
you got infected. If all your software was fully updated this drive-by
infection should not have happened. If it was a new vulnerability, AKA
a zero-day exploit, then I'm particularly interested in knowing what
it was.

When executable code runs via an exploit like a buffer overflow and
code injection there's no guarantee that an otherwise securely
configured OS can spot it. DEP (data execution prevention) can help
prevent this kind of attack if available for the machine.

> I noted the file date/time and have looked back on this.

As I said, you need to examine the cached files to have any hope of
finding the exploit. Of course, you will need to have an understanding
of file formats and know what to look for.

> The exploit appears
> to have come from foxnews, officedepot, or officemax -- the time stamps are
> within a few seconds of each other and show up right before the time stamp
> that was written to the temp directory in my documents and settings tree.

You see, my probing has caused you to give more information which then
prompted someone else to reply with a link to a forum about the Faux
News site infection. Although that discussion is a year old, the
problem of legitimate sites serving up malware through adverts or
hacked servers is still a real one. It appears those exploits were via
buggy ActiveX controls which have all now been patched.

>> More important is to find the vulnerable software component that
>> allowed it to run.
>
> Yes. Also, since I was able to get this infection I suspect that I'll be
> getting frantic calls this coming week from others. I'm getting tempted to
> set people up as limited users, even though that creates headaches in itself
> (such as the inability to run QuickBooks properly, which I mentioned before).

You should at least disallow the automatic running of PDFs, look at
tightening browser security settings, and perhaps change the browser
to Firefox or Opera if they are not using IE 8. XP's default settings
are no longer sufficient.
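The reply above says the way to find the exploit is to examine the cached files around the recorded timestamps and to know the file formats well enough to recognise what was served. As an added example (editor's code, not part of the original thread or either poster's words), here is a small Python triage script that does the mechanical part of that: it lists the files under a cache directory modified in a window ending at a given timestamp, newest first, identifies each by its leading bytes rather than its extension, and flags the classic tell of a PE, PDF, Flash or JAR hiding behind an innocuous extension. The cache path, the infection timestamp and the sample cache entries are constructed for the demo; on a real XP machine you would point it at the Temporary Internet Files folder and use the mtime of the dropped temp file as the end of the window.

```python
import os
import shutil
import tempfile
from datetime import datetime, timedelta

# Constructed magic-byte table for the carrier formats drive-by kits of the
# period used: PDF, Flash, Java archives, legacy Office OLE2 files and PE.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"FWS", "swf"),                                   # uncompressed Flash
    (b"CWS", "swf"),                                   # zlib-compressed Flash
    (b"PK\x03\x04", "zip"),                            # .zip and .jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),     # legacy .doc/.xls
    (b"MZ", "pe"),                                     # Windows executable / DLL / ActiveX
]

# Extensions that legitimately carry each sniffed type; anything else is a mismatch.
EXPECTED_EXT = {
    "pdf": {".pdf"},
    "swf": {".swf"},
    "zip": {".zip", ".jar"},
    "ole2": {".doc", ".xls", ".ppt"},
    "pe": {".exe", ".dll", ".scr", ".ocx"},
}


def sniff(path):
    """Classify a file by its leading bytes, ignoring whatever extension it carries."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "other"


def triage(cache_dir, infection_time, window_seconds=120):
    """Return files under cache_dir modified in the window ending at infection_time,
    newest first, each with its sniffed type and an extension/content mismatch flag."""
    earliest = infection_time - timedelta(seconds=window_seconds)
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if not earliest <= mtime <= infection_time:
                continue
            kind = sniff(path)
            ext = os.path.splitext(name)[1].lower()
            hits.append({
                "name": name,
                "mtime": mtime,
                "kind": kind,
                # A PE behind .gif, or a PDF served as .htm, is the classic tell.
                "mismatch": kind != "other" and ext not in EXPECTED_EXT[kind],
            })
    hits.sort(key=lambda h: h["mtime"], reverse=True)
    return hits


def build_sample_cache(cache_dir, infection_time):
    """Write constructed sample cache entries with back-dated mtimes (demo data, not real artefacts)."""
    samples = [
        # name, seconds before infection_time, content
        ("logo[1].png", 3600, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),          # old, outside the window
        ("page[1].htm", 6, b"<html><body>news</body></html>"),
        ("style[1].css", 5, b"body { margin: 0 }"),
        ("ad[1].swf", 4, b"CWS\x09" + b"\x00" * 12),                          # Flash advert
        ("update[1].gif", 3, b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8),    # PE disguised as an image
    ]
    os.makedirs(cache_dir, exist_ok=True)
    for name, age, content in samples:
        path = os.path.join(cache_dir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        ts = (infection_time - timedelta(seconds=age)).timestamp()
        os.utime(path, (ts, ts))


def demo():
    """Build the sample cache in a temp dir, triage it, clean up, and return the hits."""
    infection_time = datetime(2009, 9, 26, 14, 3, 5)  # assumed mtime of the dropped temp file
    cache_dir = tempfile.mkdtemp(prefix="ie_cache_")
    try:
        build_sample_cache(cache_dir, infection_time)
        return triage(cache_dir, infection_time)
    finally:
        shutil.rmtree(cache_dir, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        flag = "  <-- extension/content mismatch" if hit["mismatch"] else ""
        print(f"{hit['mtime']:%H:%M:%S} {hit['kind']:5} {hit['name']}{flag}")
```

The mismatch flag is only a starting point: the file that matters most is often the one whose type is legitimate for its extension (a real .swf or .pdf) but whose content carries the exploit, so the next step is opening the flagged and carrier-type files in a format-aware viewer rather than trusting the triage list alone.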
