
McAfee Malware Support - Best Practices Series

Avoid being affected by Rogue Security Software & Scareware


What is Rogue Security Software?
Rogue Security Software uses social engineering techniques to fraudulently imitate legitimate security
applications. It can look very convincing, often using well-designed user interfaces and logos that look
immediately familiar to anyone who has used desktop security solutions in the past. The premise of
these applications is simple: they purport to scan your computer for known threats and, upon finding any,
prompt the user to pay a fee for their successful removal. The scanning and discovery process will often
look extremely convincing, even using threat names known to be in the wild at that moment. However, the
threats listed are not really on the system; the fake malware detection alerts/pop-ups are simply a
hoax to scare users into paying the requested sum.
Rogue Security Software (detected as FakeAlert by McAfee products) is essentially a type of Trojan horse
malware, and does not self-replicate, although it can download other malware onto the affected computer.

Variations of Rogue Security Software


Rogue Security Software falls into the commonly used category of Scareware, in which social engineering
techniques are used to instil fear and anxiety in the user so that they can be easily manipulated.
Although the most commonly seen Rogue Security Software imitates desktop Anti-Virus applications,
variations on this technique could effectively imitate any useful software utility, such as registry cleaners,
password recovery tools, disk defragmenters, personal firewall software, etc.

Ransomware
Ransomware is a particularly prevalent type of Scareware that denies access either to the computer itself or
to specific files until the user makes the requested monetary payment. There are commonly two types of
ransomware:
Screen Lockers
Screen-lock Ransomware denies access to the computer system as a whole. A common tactic is to
display the insignia of a well-known global or regional law enforcement agency, along with a message that
the user has been identified as performing illegal activity on their computer. This is another social
engineering attack and has the effect of frightening the user into meeting the demands for financial
payment in return for regaining access to the computer.
File Encryptors
This type of Ransomware works by systematically encrypting files found on local drives. As with screen-locking
Ransomware, the objective is to hold these files to ransom until the financial demands are met.
The level of encryption used by these threats can vary from the simple to the extremely complex. It's not
uncommon for the more sophisticated Ransomware to use RSA encryption, with a decryption key that is
downloaded directly from the attacker-controlled server. In these cases the only practical remediation
available is to restore the encrypted files from backup storage.
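When restoring from backup is the only remediation, the first practical question a responder faces is which files were actually encrypted. The following triage helper is an added example, not McAfee's code or anything from the original document: it walks a directory and flags files whose content has a high Shannon entropy, which is what ciphertext looks like (near 8 bits per byte), while normal documents and sparse files score far lower. The entropy threshold, the minimum file size and the sample directory it builds are all assumptions made for this illustration.

```python
"""
Triage helper for file-encrypting ransomware: list which files look
encrypted so they can be scheduled for restore from backup.
Added example; thresholds and sample data are assumptions, not McAfee's.
"""
import math
import os
import tempfile
from collections import Counter

# Assumption: encrypted or compressed data sits close to 8.0 bits/byte,
# while text, office documents and sparse binaries sit well below 7.5.
ENTROPY_THRESHOLD = 7.5
# Assumption: below this size the entropy estimate is too noisy to trust.
MIN_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic verdict: large enough to judge, and entropy above threshold."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= threshold


def triage_directory(root: str):
    """Walk root and return two sorted lists of relative paths:
    (suspect: probably encrypted, normal: probably intact)."""
    suspect, normal = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB is enough for a verdict
            rel = os.path.relpath(path, root)
            (suspect if looks_encrypted(data) else normal).append(rel)
    return sorted(suspect), sorted(normal)


def build_sample_tree() -> str:
    """Construct a throwaway directory with three constructed files:
    a plaintext report, an all-zero file, and random bytes standing in
    for a file the ransomware has already encrypted."""
    root = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Quarterly figures: revenue up, costs flat.\n" * 40)
    with open(os.path.join(root, "zeros.bin"), "wb") as fh:
        fh.write(b"\x00" * 4096)
    with open(os.path.join(root, "report.txt.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # constructed stand-in for ciphertext
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    suspects, intact = triage_directory(sample_root)
    print("restore from backup:", suspects)
    print("looks intact       :", intact)
```

Treat the output as a triage list, not proof: legitimately compressed formats (archives, JPEGs, PDF streams) also score near 8 bits per byte, so a responder should confirm suspects by checking that the file no longer opens in its native application or that its header bytes no longer match its extension before overwriting it with a backup copy.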

Payloads
The payload of Rogue Security Software can vary depending on the specific threat. Generally the intention
is to fraudulently extort money from the user and there is no other payload as such. However, there is
every possibility that further malicious functionality may be included in a particular threat instance, and for
this reason a sample of the threat will need to be submitted to McAfee Labs for analysis.

Infection Vectors
The methods by which Rogue Security Software and Scareware can find their way onto a user's system are
numerous. Commonly they are downloaded by other malware, but they can also arrive via drive-by
downloads from compromised web pages, Peer-to-Peer file sharing applications and Spam campaigns.
Home users are particularly vulnerable to this type of threat, and attackers are known to use Search Engine
Optimisation (SEO) techniques to ensure that searches for terms such as "free anti-virus" result in pages
hosting Rogue Security Software being offered among the top search results. In this way, ironically,
users who actively intend to make their computing experience more secure can, unknowingly, directly
download malware to their computers.
Rogue Security Software is often written with complex, custom packing/encryption to attempt to evade
legitimate security software.

Summary of Infection Vectors:


Downloaded by unknown malware.
Drive-by web downloads.
Insecure file sharing networks (Peer-to-Peer).
Email Spam campaigns (both as attachments and as links to malicious web pages).
Fraudulent marketing tricks.

Hardening Actions
Configure McAfee Products to be effective against these threats:

Best Practices at the EndPoint


McAfee VirusScan Enterprise (VSE)
o Ensure it is kept fully up to date with the latest patch, DAT version and scanning engine.
o Ensure all machines in your environment are protected and updated.
o Real time scanning (On Access) is set to scan all files, On Read and On Write. Never turn scanning
On Read off - other than when configuring Low-Risk processes.
o Scan exclusion rules should be kept to a minimum and only used when absolutely necessary. In
the event of malware being suspected, ensure that any scan exclusions are temporarily disabled if
safe to do so. Find how to setup exclusions in the Knowledge Base: KB50998.
o In heavily utilized environments or those where hardware specifications are on the verge of those
recommended as a minimum, leverage the use of High-Risk/Default/Low-Risk Process
configurations to limit the risk exposure against the performance requirements. Understand this
feature KB55139 and learn how to configure it KB58692.
o Configure product to use the Global Threat Intelligence File Reputation. This technology helps
bridge the gap between Zero Day Threats and Signature Based Detections. Learn about
recommended GTI File Reputation settings here KB74983. More information here KB53735.
o Utilize Access Protection Rules to prevent unknown threats from being installed and to stop the
potential payload from taking place.

McAfee Host Intrusion Prevention (HIP)


o Provides comprehensive protection through the use of behavioural analysis, signatures and a
dynamic stateful firewall. Together with GTI cloud technology, which blocks and logs
communications to networks classified by McAfee Labs as having a negative reputation, this
will be a major factor in reducing or eliminating vectors of infection such as the use of exploits,
including zero-day attacks.
o HIP will also be able to prevent the payloads and/or connections to botnets that may carry out
additional attacks or download secondary or tertiary drops.
o Block only high-severity signatures initially; this should provide a high level of protection with few
false events. Medium-severity signatures operate on behaviors and generally require some tuning
to ensure the configuration is suitable for all the different setups and customized environments across
your organization.
o Segregate desktops to reflect applications and privileges.
o Pick a few important user groups, pilot with representative users committed to providing
feedback, test that applications still work correctly, and then roll out broadly when policies are
proven to not disrupt productivity.
o Regular monitoring and regular maintenance are required to maintain the accuracy and
effectiveness of protection. Budget time to review logs and update rules at least weekly once you
complete deployment (KB73399).
o Start with IPS, then add firewall, then add application blocking as needed (KB71794).
o Use adaptive mode for brief periods only when able to monitor rules created.
o Take the time to verify that the traffic you are seeing is indeed malicious. Use packet captures,
network IPS, or similar tools at your disposal.
o Read more: Adopting Host Intrusion Prevention - Best practices for quick success.

SiteAdvisor Enterprise (SAE)


o Based on McAfee Global Threat Intelligence (GTI) web reputation and web categorization services
to identify sites that are hosting malware, infected by malware, and hosting inappropriate
content.
o Identifies sites considered safe and not safe with a color scheme:
Green = Safe (Very low or no risk issues)
Yellow = Caution (Minor risk issues)
Red = Warning (Serious risk issues)
Grey = Unknown (Not rated yet, use caution)
McAfee Secure = Tested Daily for hacker vulnerabilities
o Very easily deployed and configured through ePolicy Orchestrator.
o FAQs for SiteAdvisor Enterprise (KB73457).
o Provides authorization/blocking of websites.
o Custom messaging.
o Reactions based on safety ratings.
o Reports on web usage.
o It provides another layer of protection on the endpoint. It can be used with IE, Firefox and
Chrome.
o As well as providing protection against malicious or compromised websites it can help to educate
users into safer browsing habits.
Use effective anti-spam protection to prevent malicious emails from entering your network.

Best Practices at the Gateway


McAfee Email Gateway
o Detailed appliance configuration best practices can be found in PD24115.
o Using a mail gateway (EWG) gives not only the ability to stop malicious e-mail and e-mail containing
malicious code, but also the ability to block e-mail based on other features, e.g. detection of a particular
text string (see here).
o Powerful antispam scanning technologies identify and block incoming spam with over 99%
accuracy. Spam Filtering Best Practices here.
o Working in conjunction with GTI cloud reputation services, Email Gateway uses the message,
network, and web reputation service to identify email messages carrying malicious payloads.

McAfee Advanced Threat Defence


o McAfee Advanced Threat Defense detects today's stealthy, zero-day malware with an innovative,
layered approach. It combines low-touch antivirus signatures, reputation, and real-time
emulation defenses with in-depth static code analysis and dynamic malware analysis (sandboxing) to
analyze the actual behavior of malware.
o FAQs for Advanced Threat Defense

McAfee Network Security Platform


o Discovers and blocks sophisticated threats in the network. Using advanced threat detection
techniques, it defends against stealthy attacks with extreme accuracy at speeds of up to 80 Gbps.
o FAQs for Network Security Platform

McAfee Web Gateway


o Ultimate antimalware protection against web threats.
o Layered approach at the gateway combining local and cloud-based protection.
o MWG Best Practices and Common Scenarios here.

More E-Mail and Web Security product details are available here. Read more about our Solution Services US
UK - DE India Australia - Japan.
Educate personnel to prevent security breaches:
o Ensure users are aware of, and can recognise the social engineering techniques used by Rogue
Security Software (McAfee Foundstone Security Education - Ultimate Hacking: Human - US - UK -
DE FR - India Australia). Ensure that all end users are educated in safe computing practices and
that there is a clear escalation process available to them if they become suspicious.
o Only purchase security software from trusted vendors and retailers. Do not attempt to download
free utilities from untrusted sources (e.g. Peer-to-Peer file sharing applications).
o The presence of Rogue Security Software can be an indicator of an otherwise undetected attack.
Always enable Access Protection Rules and Potentially Unwanted Application detection to
maximise security against Rogue Security Software.
Employ browser security settings to prevent malicious content from running on compromised web pages.
McAfee Foundstone Security Education: Ultimate Hacking: Windows Security US - UK - DE FR India -
Australia.
Ultimately, if you need specialized help call our Incident Response & Forensics Team: US - UK - DE - FR
India - Australia
Emergency? Hacked999@Foundstone.com

2014 McAfee, Inc. All rights reserved.
