VideoHelp Forum
  1. Ai Haibara (VH Wanderer, joined Jan 2006, Somewhere on VideoHelp...)
    (sighs) Just had to eradicate Yet Another Piece Of Malware that had set itself up in the Application Data folders. Why is it that malware can apparently install itself in the Application Data root, temp or cache folders, run, and evidently NOT be detected, for the most part? I keep all the antivirus/antimalware programs up-to-date, but the malware ALWAYS seems to conveniently whitelist itself in everything.

    Is there actually any reason why any executables should be allowed to run from any of the Application Data folders? And, if not, is there any way I can prevent anything from executing from those folders?
    (Well, probably short of ramping up all the security settings in Vista and IE to their highest settings, making using that computer a pain for everyone else in the family to use. I don't have this problem on my personal systems, but the system in question is for use by the whole family, and I can't convince most of them to use anything OTHER than IE/Windows Mail, for starters...)
    If cameras add ten pounds, why would people want to eat them?

  2. guns1inger (Always Watching, joined Apr 2004, Miskatonic U)
    Don't use an administrator level account for day to day use, only for installing and maintaining software.

    Don't turn off UAC.

    Don't use Internet Explorer.

    Do use realtime scanners for virus and malware scanning. A weekly (or even daily) scan won't stop infections, only clean them up.

    Be careful what sites you visit (that said, Google is a huge source of infections at the moment due to hijacked pages claiming that systems are infected and offering "solutions" that are highly dangerous).

    Note: You can stop them from using IE and Outlook Express if you really want to. They can be hidden and disabled, and if the user does not have admin rights, they cannot be returned to a usable state.

    I have 2 desktops and 3 laptops in the house, and none of them have been infected by anything in years.
    Read my blog here.

  3. johns0 (Super Moderator, joined Jun 2002, Canada)
    Some malware is designed to resemble legit apps, which AV can't detect until it is updated to recognize them.
    I think, therefore I am a hamster.

  4. Ai Haibara (VH Wanderer, joined Jan 2006, Somewhere on VideoHelp...)
    Originally Posted by guns1inger
    Don't use an administrator level account for day to day use, only for installing and maintaining software.

    Don't turn off UAC.

    Don't use Internet Explorer.

    Do use realtime scanners for virus and malware scanning. A weekly (or even daily) scan won't stop infections, only clean them up.

    Be careful what sites you visit (that said, Google is a huge source of infections at the moment due to hijacked pages claiming that systems are infected and offering "solutions" that are highly dangerous).

    Note: You can stop them from using IE and Outlook Express if you really want to. They can be hidden and disabled, and if the user does not have admin rights, they cannot be returned to a usable state.

    I have 2 desktops and 3 laptops in the house, and none of them have been infected by anything in years.
    Yeah, I've got them running in a non-admin account and with UAC fully running (and they hate me for it, as I'm the only one who knows the password.) But it actually isn't my computer (I didn't buy that one), and they refuse to let me take away IE/Outlook Express/Windows Mail. They only really tolerate me being the system admin because I'm the one who maintains all of our systems, but that still won't prevent them from going to questionable sites (or infected regular sites) and getting malware sent in email.

    johns0: Shouldn't the AV/AS/security programs be able to detect most, if not all of them, by signature, though? The two programs I'm using DID detect parts of it, but not all. And it still managed to whitelist one of the EXEs in the main scanner.

    I just don't see why anything is allowed to run from the Application Data folders, anyway. There's probably a perfectly reasonable explanation for that, but it seems like the only thing making use of it is malware.
    If cameras add ten pounds, why would people want to eat them?
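Added example, editor's code and not from any poster in this thread: on XP and Vista the mechanism that does what Ai Haibara is asking for is Software Restriction Policies (secpol.msc writes the same registry keys this script writes directly). The reason executables are allowed under the profile at all is that per-user installers, which run without admin rights, put their programs there; blocking only the roaming Application Data folder and the per-user temp folder keeps most of those working. The registry layout under Safer\CodeIdentifiers and the Designated File Types list are Microsoft's; the folder choices, the log path and the probe function are this example's. Assumes an elevated Windows PowerShell 2.0 or later on the family PC.

```powershell
# Added example (editor's code, not from the thread): Software Restriction Policy
# path rules that stop STANDARD users launching executables from the roaming
# Application Data folder and from %TEMP%. Run in an elevated Windows PowerShell.

$srp        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $srp '0\Paths'   # level 0 = Disallowed (262144 = Unrestricted)
New-Item -Path $disallowed -Force | Out-Null

# Default level stays Unrestricted: only the listed folders are blocked.
New-ItemProperty -Path $srp -Name DefaultLevel       -PropertyType DWord  -Value 262144 -Force | Out-Null
# 1 = enforce for programs and scripts but not DLLs (2 would check DLLs too: far noisier).
New-ItemProperty -Path $srp -Name TransparentEnabled -PropertyType DWord  -Value 1      -Force | Out-Null
# 1 = skip members of local Administrators, so installs from the admin account still work.
New-ItemProperty -Path $srp -Name PolicyScope        -PropertyType DWord  -Value 1      -Force | Out-Null
# Log every blocked launch; read this file when someone says "X stopped working".
New-ItemProperty -Path $srp -Name LogFileName        -PropertyType String -Value "$env:SystemRoot\srp.log" -Force | Out-Null
# Designated File Types. secpol.msc seeds this list itself; writing the keys by hand does not.
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
         'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
New-ItemProperty -Path $srp -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null

# A folder rule covers the folder and everything below it. %APPDATA% and %TEMP% are
# expanded per user. %LOCALAPPDATA% as a whole is deliberately NOT blocked, because
# per-user installers legitimately put programs there (example's choice).
$rules = @(
    @{ Path = '%APPDATA%'; Note = 'Roaming Application Data' },
    @{ Path = '%TEMP%';    Note = 'Per-user temp: where droppers and archive extractions land' }
)
foreach ($r in $rules) {
    $key = Join-Path $disallowed ([guid]::NewGuid().ToString('B'))   # one GUID-named key per rule
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $r.Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0       -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $r.Note -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::Now.ToFileTime()) -Force | Out-Null
}

# Check. Run this from one of the STANDARD user accounts after they log off and on
# (the admin account is exempt via PolicyScope, so it proves nothing there):
# copy a known-good program into the blocked folder and try to start it.
function Test-SrpBlock {
    $probe = Join-Path $env:APPDATA 'srp-probe.exe'
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
    try {
        $p = Start-Process $probe -PassThru -ErrorAction Stop
        $p | Stop-Process
        'NOT blocked: the rule is not being applied to this account'
    } catch {
        "blocked: $($_.Exception.Message)"   # expect 'This program is blocked by group policy...'
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}
```

This is a speed bump, not a security boundary: the rules are evaluated with the user's own %APPDATA% and %TEMP%, and anything saved to Downloads or the Desktop still runs. It is also exactly what breaks when a game patcher or a per-user updater launches from %TEMP%, so read srp.log before assuming the machine is broken, and add an Unrestricted path rule (level key 262144) for that one program rather than loosening the folder rule. Home editions have no secpol.msc, and whether they enforce these keys is something to confirm with Test-SrpBlock rather than assume.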

  5. guns1inger (Always Watching, joined Apr 2004, Miskatonic U)
    If you want to be a complete bastard, create an opendns account, change the DNS settings in the router to run through OpenDNS servers, and use the filtering at OpenDNS to restrict them from going to the worst of the net.

    What AV/AS software are you running?

    Your other options include shifting them to Linux, taking an image of the system when it is clean, and telling the users that any time they screw it up, you will revert back to this point (and they will lose any data they have put on since that time), or simply telling them that you won't fix it if they screw it up through their own behavior.
    Read my blog here.

  6. lacywest (Member, joined Aug 2001, California)
    Interesting topic

  7. Ai Haibara (VH Wanderer, joined Jan 2006, Somewhere on VideoHelp...)
    What about having IE block any sites but Microsoft domains?

    I doubt I have it in me to be a complete bastard, really. I'm usually too nice for my own good. Explains why I usually end up on call to fix several generations worth of family members' computers.

    That particular system is a new OEM system (bought last month), so it's still running the Norton suite that was included with it (and they don't want me to touch THAT, either.) Plus, MalwareBytes. I've seen the problem happen before even on previous Vista and XP systems that had far better AV/anti-spyware programs installed, though.

    I couldn't get them to use Linux or OS X - they've watched me use them, and worse - they know full well their games probably wouldn't work with either of them.
    If cameras add ten pounds, why would people want to eat them?

  8. johns0 (Super Moderator, joined Jun 2002, Canada)
    Originally Posted by Ai Haibara
    johns0: Shouldn't the AV/AS/security programs be able to detect most, if not all of them, by signature, though? The two programs I'm using DID detect parts of it, but not all. And it still managed to whitelist one of the EXEs in the main scanner.
    It can't detect the malware by signature if it's a new type, only if it's a recognized signature.
    I think, therefore I am a hamster.

  9. Ai Haibara (VH Wanderer, joined Jan 2006, Somewhere on VideoHelp...)
    Both Norton and MalwareBytes detected parts of it, and cleaned those, so they had signature support for something. I had to go into the appdata folders and manually delete the rest.
    If cameras add ten pounds, why would people want to eat them?

  10. hech54 (Member, joined Jul 2001, Yank in Europe)
    Always try running malware apps in SAFE Mode too.

  11. lordsmurf (Video Restorer, joined Jun 2003, dFAQ.us/lordsmurf)
    Thumb drives are more of a problem than internet downloads/browsing, lately.
    Turn off AUTOPLAY!
    Want my help? Ask here! (not via PM!)
    FAQs: Best Blank Discs, Best TBCs, Best VCRs for capture, Restore VHS
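Added example, editor's code and not lordsmurf's: the registry side of "turn off AutoPlay" on XP/Vista, done machine-wide so it covers every family account instead of one user's Control Panel checkbox. The value names and the @SYS:DoesNotExist mapping are Microsoft's documented ones and the well-known hardening trick respectively; the check for KB967715 assumes the machine is patched up to that update, and the Get-AutorunState helper is this example's. Run from an elevated Windows PowerShell.

```powershell
# Added example (editor's code, not from the thread): disable AutoRun for every
# drive type machine-wide on XP/Vista, then report the effective settings.

$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPol -Force | Out-Null

# NoDriveTypeAutoRun is a bitmask of drive types to ignore. 0xFF sets every bit
# (unknown, removable, fixed, network, CD-ROM, RAM disk), so autorun.inf is never
# acted on, whichever kind of drive it arrives on.
New-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null

# Before update KB967715, XP and Vista did not honour NoDriveTypeAutoRun in every
# case. Installing that update creates HonorAutorunSetting; if it is absent the
# value above is not reliably enforced and Windows Update needs a visit. Do not
# create it by hand: that hides the missing fix instead of installing it.
$hasFix = $null -ne (Get-ItemProperty -Path $explorerPol -Name HonorAutorunSetting -ErrorAction SilentlyContinue)
if (-not $hasFix) { Write-Warning 'HonorAutorunSetting missing: install KB967715 (or a later rollup) first.' }

# Second layer: map autorun.inf to an INI section that does not exist, so the shell
# never parses the file at all. This also removes the "Run program" entry that the
# AutoPlay dialog builds from autorun.inf.
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
New-Item -Path $iniMap -Force | Out-Null
Set-ItemProperty -Path $iniMap -Name '(default)' -Value '@SYS:DoesNotExist'

function Get-AutorunState {
    # Returns the three settings as one object so they can be eyeballed now and
    # re-checked after patches or a vendor "driver CD" has been through the machine.
    $pol = Get-ItemProperty -Path $explorerPol
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun  = '0x{0:X2}' -f $pol.NoDriveTypeAutoRun
        HonorAutorunSetting = $pol.HonorAutorunSetting
        AutorunInfMapped    = (Get-ItemProperty -Path $iniMap).'(default)'
    }
}
Get-AutorunState
```

Explorer reads the policy at logon, so log off and on (or reboot) before plugging in a test stick. Expect the side effect: with 0xFF, inserting a DVD no longer pops up the AutoPlay menu either; the disc is still there under Computer.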
  12. Get out the system restore disks and show them how to use them. Demo and explain how to run ALL the virus scans and updates. Get a third AV scanner, Spybot Search and Destroy would complement what you already have.

    Explain that they absolutely must NOT click on any of the "Fix your problem now" ads that pop up.

    Mandate that at least one and preferably all three complete scans, AFTER updating, are run after EVERY SINGLE online usage.

    Demo taking a clean PC to Myspace, log on, then immediately log off, run all scans. You'll likely find two or three malwares. This was an eye-opener for my teenager.

    Very simply, they just will NOT stop wandering through the back alleys of the Internet as long as somebody else is cleaning the dog poo off their shoes. Forcing them to be responsible for their own errors is the ONLY way to make them pay attention to where they put their virtual feet.

    You must also be firm that when they have rendered their own PC non-operational, they will NOT use any of the others. Had a customer where one of their kid's friends trashed their PC downloading some crapware. When asked why he did not do this at home, he replied that he already had and their home PC didn't work anymore.

  13. Ai Haibara (VH Wanderer, joined Jan 2006, Somewhere on VideoHelp...)
    (Gah. Go away for a week, and look what happens.)

    Yeah, I was thinking of installing Spybot, anyway. I normally use it on my Windows systems, but the only problem is I can't have it do an unattended update, that I'm aware of, which means that if I install it on the relatives' systems, I have to go visit all of them and update it because they can't be bothered to do it themselves.

    That's actually the same problem I have here - the people in the house going on the questionable sites and getting malware in their email are older users who don't want to change their computer-using habits, darn it! ...so the nice-person doormat gets to come running every time they complain it doesn't work. I was in the process of trying to get them a Mac or Linux setup, so at least I wouldn't have to run maintenance on it all the time, but they went ahead and bought themselves a new Windows system.
    If cameras add ten pounds, why would people want to eat them?

  14. disturbed1 (Get Slack, joined Apr 2001, init 4)
    You fixed the PC, offered advice on how to stop it from happening. If they can't follow advice, screw 'em! Start charging for your work, or make them fix it themselves. My girlfriend used to have a nasty habit of doing this back when Windows 98 was first released. Almost weekly she'd mutter "Honey, fix it please." That all stopped once I tossed the reinstall disc at her and said "here you go, have fun."

    "Doctor it hurts when I do this" - "Then don't do that".

    If you're too nice to be a hard ass, save some time and create a restore image. That way, all you have to do is insert the disc and press Enter.
    Linux _is_ user-friendly. It is not ignorant-friendly and idiot-friendly.

  15. freebird73717 (Man of Steel, joined Dec 2003, Smallville, USA)
    Originally Posted by Ai Haibara
    Yeah, I was thinking of installing Spybot, anyway. I normally use it on my Windows systems, but the only problem is I can't have it do an unattended update, that I'm aware of, which means that if I install it on the relatives' systems, I have to go visit all of them and update it because they can't be bothered to do it themselves.
    Use the Task Scheduler and run Spybot from the command line:
    SpybotSD.exe /autoupdate
    SpybotSD.exe /autoimmunize
    SpybotSD.exe /autocheck /autofix /autoclose

    http://www.safer-networking.org/en/faq/30.html
    Donadagohvi (Cherokee for "Until we meet again")
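Added example, editor's code and not freebird73717's: the scheduled task that runs those three commands nightly, so definitions get updated and the scan runs with nobody at the keyboard. The Spybot switches are the ones quoted in the post above; the install path, the wrapper script, the task name, the 9 PM time and the log location are this example's assumptions. It uses the Vista schtasks.exe syntax and Windows PowerShell 2.0 to 5.1, run elevated.

```powershell
# Added example (editor's code, not from the thread): nightly unattended Spybot
# S&D update + immunize + scan via the Windows Task Scheduler.

$spybot = 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe'   # assumed default 1.x install path
if (-not (Test-Path $spybot)) { throw "SpybotSD.exe not found at $spybot; fix the path first" }

# The wrapper script lives next to SpybotSD.exe in Program Files, which only
# administrators can write to. Never put a SYSTEM-run script anywhere a standard
# user can edit it: that would hand them SYSTEM at 9 PM every night.
$script = Join-Path (Split-Path $spybot) 'spybot-nightly.cmd'
$log    = '%SystemRoot%\Temp\spybot-nightly.log'   # writable by SYSTEM, readable by the admin
@"
@echo off
echo %date% %time% start >> "$log"
"$spybot" /autoupdate
"$spybot" /autoimmunize
"$spybot" /autocheck /autofix /autoclose
echo %date% %time% done, last exit code %errorlevel% >> "$log"
"@ | Set-Content -Path $script -Encoding Ascii

# Windows PowerShell hands the argument to schtasks unchanged, so the escaped
# quotes arrive as a quoted path with spaces, which is what /TR needs.
$tr = '\"' + $script + '\"'
schtasks.exe /Create /F /TN 'Spybot nightly' /TR $tr /SC DAILY /ST 21:00 /RU SYSTEM
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Check what was actually registered (the "Task To Run" line is where quoting
# mistakes show up), then run it once now instead of waiting for 21:00.
schtasks.exe /Query /TN 'Spybot nightly' /V /FO LIST |
    Select-String 'Task To Run|Run As User|Schedule Type|Next Run Time'
schtasks.exe /Run /TN 'Spybot nightly'
```

Running as SYSTEM means the job runs whether or not anyone is logged on, but on Vista it also lands in session 0 with no visible window: if Spybot ever stops on a dialog, the task will sit there silently, and the log will show a "start" with no "done". If that happens, schedule it as the admin account instead (/RU that account /RP its password, accepting that the credential is stored by the Task Scheduler).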

  16. Ai Haibara (VH Wanderer, joined Jan 2006, Somewhere on VideoHelp...)
    I knew it had to be something simple. Thanks!

    disturbed1: I'd love to create a restore image (for more than one of the systems, actually), but I keep forgetting to pick up an external drive large enough to hold backups of the HDs, or anything else.
    If cameras add ten pounds, why would people want to eat them?

  17. Member (joined Jul 2001, United States)
    Originally Posted by freebird73717
    Originally Posted by Ai Haibara
    Yeah, I was thinking of installing Spybot, anyway. I normally use it on my Windows systems, but the only problem is I can't have it do an unattended update, that I'm aware of, which means that if I install it on the relatives' systems, I have to go visit all of them and update it because they can't be bothered to do it themselves.
    Use the Task Scheduler and run Spybot from the command line:
    SpybotSD.exe /autoupdate
    SpybotSD.exe /autoimmunize
    SpybotSD.exe /autocheck /autofix /autoclose

    http://www.safer-networking.org/en/faq/30.html
    Something to add to my 9PM outlook.pst backup! After all these years, never even thought to look for a command line option for Spybot. Thanks!
    Have a good one,

    neomaine

    NEW! VideoHelp.com F@H team 166011!
    http://fah-web.stanford.edu/cgi-bin/main.py?qtype=teampage&teamnum=166011

    Folding@Home FAQ and download: http://folding.stanford.edu/