Question

"Fake security software takes aim at Mac users"

  • May 9, 2011
  • 16 replies
  • 41 views


My boss brought this to my attention to see if we could "do something" about it. (http://www.computerworld.com/s/article/9216335/Fake_security_software_takes_aim_at_Mac_users?source=CTWNLE_nlt_wktop10_2011-05-06)

We've got McAfee but he would like a bit more action to be taken. After looking here (http://www.securemac.com/MAC-Defender-Rouge-Anti-Virus-Analysis-Removal.php#update1) the application title and process title are given. I'm anticipating a software restriction policy for that.

Anyone else ever done anything to address this?

Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com

16 replies

RobertHammen
  • Esteemed Contributor
  • May 9, 2011

Created software restrictions in Casper on the "MacDefender" and "MacSecurity" process names.

We'll see if we run into it... Cabel Sasser of Panic had a screen capture with a visible link to the thing on his twitter feed (http://twitter.com/cabel - think the link was http://twitpic.com/4u7tqn), in case anyone wants to play...

--Robert


  • Honored Contributor
  • May 9, 2011

This is a prime example of why users should not have admin rights. With admin rights faulty software can be installed in places it should not be, and given access to things it should not. If a non-admin user tries to install this, nothing would happen, and worst case scenario they hose their home directory.


  • Valued Contributor
  • May 9, 2011

…And Symantec Endpoint Protection for Mac v11.0.6100 (0179) with definitions from 5/6/11 does not recognize it as malware.

Someone please remind me why we spend thousands of dollars a year on this “security” software?

I am about to try out Sophos and Intego to see whether they are any smarter.

--Andy


  • Valued Contributor
  • May 9, 2011

Intego should. They had a nice postmortem on it and indicated after some such date of their definitions that it'll be picked up.

j
-- Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


  • Contributor
  • May 9, 2011

Sophos works with it. I had a user download it and Sophos took care of it. I have the virus and was testing it, and it prevented it from installing every time.

D. Trey Howell ACMT, ACHDS, CCA
trey.howell at austinisd.org
Desktop Engineering
twitter @aisdmacgeek


  • May 9, 2011

I've now seen a 3rd variation of this malware called "MacProtector". I've added it to my JSS watched process list along with "MacDefender.app" and "MacSecurity.app". I'm sure there will be more variations.

Sophos is detecting these files as of last week's definitions.

I'm also about to push out a change to all my managed laptops to uncheck the "Open "safe" files after downloading" checkbox in each user profile. I know I saw the terminal command for this somewhere. I'll just drop it in a script and have it run.

I wish I could have an environment where my users weren't admins, but politics doesn't allow it. I've been keeping track of the amount of time I've been spending on this issue and others, so I have ammunition in the future when the discussion about students having admin access occurs.

In the meantime, it's whack-a-mole time! Whee!
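The Safari change described in the post above, as an added shell example that is not from the thread or from any vendor: it sets the com.apple.Safari key AutoOpenSafeDownloads to false for every local user so a downloaded installer is not launched automatically. It assumes the macOS `defaults` tool and the 2011-era preference file ~/Library/Preferences/com.apple.Safari.plist; the function names are mine.

```shell
#!/bin/sh
# Added example: turn off Safari's "Open 'safe' files after downloading"
# for every local user. Assumes the macOS `defaults` tool and the
# 2011-era preference file ~/Library/Preferences/com.apple.Safari.plist
# (key: com.apple.Safari AutoOpenSafeDownloads). Intended to run as root
# from the management tool.

SAFARI_KEY="AutoOpenSafeDownloads"

# Set the key to false for one home directory. Prints the plist written;
# returns 1 if the home has no Preferences folder or the write failed.
disable_auto_open() {
    home="$1"
    plist="$home/Library/Preferences/com.apple.Safari"
    [ -d "$home/Library/Preferences" ] || return 1
    # owner of the home directory (portable across BSD and GNU userland)
    owner=$(ls -ld "$home" | awk '{print $3}')
    defaults write "$plist" "$SAFARI_KEY" -bool false || return 1
    # when run as root, defaults may create the file root-owned; hand it back
    [ -f "$plist.plist" ] && chown "$owner" "$plist.plist"
    printf '%s\n' "$plist.plist"
}

# Read the key back; succeeds only if it is 0 (false).
check_auto_open_disabled() {
    val=$(defaults read "$1/Library/Preferences/com.apple.Safari" "$SAFARI_KEY" 2>/dev/null)
    [ "$val" = "0" ]
}

# Apply to every home under /Users except Shared; prints how many were changed.
disable_for_all_users() {
    count=0
    for home in /Users/*; do
        [ -d "$home" ] || continue
        case "$home" in */Shared) continue ;; esac
        disable_auto_open "$home" >/dev/null && count=$((count + 1))
    done
    echo "$count"
}

# The guard keeps the script a no-op anywhere but macOS.
case "$(uname)" in
    Darwin) disable_for_all_users ;;
    *) echo "skipping: macOS only" >&2 ;;
esac
```

New logins still pick up the change only if the key is also written into the user template, so pair this with a check on first login.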


bentoms
  • Hall of Fame
  • May 10, 2011

Btw. I used Sophos for 3 years at a previous employer & I was always impressed by it.

Low on resources & just seemed to do the job.

Regards,

Ben.


  • Valued Contributor
  • May 10, 2011

Sophos is great. Never ever use Symantec anything, especially SEP11/12. Symantec, I am convinced, is clueless about anything Mac.

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST


  • Author
  • Contributor
  • May 10, 2011

For those of you using McAfee, this was defined with DAT versions 6340 and above. The only issue is that if a machine is out of date, I have to either remote in or instruct the user to update themselves. Since there are no command line actions I could run with any of the McAfee software, I can't schedule it to update; last I checked there weren't AppleScript actions either. Big flaw by McAfee, and all of our requests for this feature have hit a wall because either they don’t want to do it or the support tech we talk to has no clue what we're talking about.

That being said, does SAV or Sophos or any of the other products allow you to send a command to force an update?

Thanks,
Noah


  • Honored Contributor
  • May 10, 2011

SEP 11 and SAV 10 offer a "symsched" command that can set a scheduled update, but I'm not convinced it works consistently.

The Resource Kit from JAMF offers a script to run Symantec LiveUpdate. The script includes one routine if no one is logged in and another routine if someone is logged in. I haven't been able to track down why it fails on some and not on others. I really think Symantec is at fault, not the person that wrote the script. It shouldn't be this difficult.

Jason


talkingmoose
  • Community Manager
  • May 10, 2011

For SAV (and I believe SEP too) you can use:

/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES

This is all one line.

You'll find additional details here:
http://service1.symantec.com/support/num.nsf/docid/2004052015282311

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492


  • May 10, 2011

Be warned that this will only work when someone is logged in. Better to use the script in the Resource Kit, as that can update without anyone logged in.


  • May 10, 2011

Add CheckPoint to that category.


donmontalvo
  • Hall of Fame
  • May 11, 2011

My understanding was SEP 11 RU6 was still buggy, at least on the Mac side. Is SEP 12 out already? If so, we're hot to start testing...

Some of us in enterprise environments don't have a choice but to leverage the deployed Wintel solution for the Mac environment. We have full control of all malware console settings for the Mac environment (Wintel folks don't want to be put on the frying pan if/when production folks miss deadlines because of antivirus stuff <g>). So we disable the things that are most likely to affect production environments, such as:

  • disable active scanning (the #1 reason antivirus gets a bad rep)
  • scan internet downloads folder
  • scan expanding files
  • nightly definitions update
  • weekly scan (full on weekend of course; incremental during the week)

...of course when users have admin rights, all the above can be disabled. We are working with the companies to ensure JSS shows computers calling/reporting in regularly. This way we can confirm the above are set properly (else departments deal with their users as they see fit to ensure compliance).

In our world, it's all about accountability/liability, so antivirus is a must. How we implement is what matters...and as long as we have full control on that end, everyone is happy. If/when we lose control, we're happy to lead those who micromanage into the frying pan so they can bite the big one when the $h!t hits the fan because of wonky antivirus processes...

Don