Virus from internet not detected

  • Question

  • Lately we get complaints from users that their systems are infected with a virus and Forefront did not detect it. Today we had a user who, each time he opened a browser, got a fake antivirus program that found a virus in outlook.exe and wanted to remove Outlook. The process was hotfix.exe; after killing it manually, FCS detected 5 trojans.

    We have all patches up to 80% of the system patches within one month after release at MS. We have the latest definitions on 80% of the systems. We have IE configured default on the internet zone. Still these viruses can get through... another one was

    http://www.youtube.com/watch?v=1AYR-7O4m8Y

     

    Does FCS not protect users in their browser session?

    What can we do to increase protection?

    Tuesday, September 28, 2010 9:15 AM

Answers

  • Hi,

    Thanks for the post.

    Unfortunately, AFAIK, FCS has not provided the Real-time protection for Web pages so far.

    Currently, FCS provides "Real-time protection with the Windows Filter Manager".  By using “mini-filter” technology with the Windows Filter Manager, Forefront Client Security is able to scan virus and spyware files before they run, providing better security against spyware and blended threats (for example, spyware that infects a PC through backdoor Trojans or other means). The other benefit to using the Windows Filter Manager is that end-user disruption (system slowdowns) is minimized during real-time scans for both viruses and spyware.

    For more information about FCS features, please check the following link:

    http://www.microsoft.com/forefront/clientsecurity/en/us/features.aspx

    Thanks,

    Miles


    • Proposed as answer by Bechir Gharbi Wednesday, September 29, 2010 4:59 PM
    • Marked as answer by Miles Zhang Monday, October 4, 2010 1:29 AM
    • Unmarked as answer by LA1976 Monday, December 6, 2010 11:45 AM
    • Marked as answer by LA1976 Tuesday, December 7, 2010 10:10 AM
    Wednesday, September 29, 2010 3:12 AM
  • I found that FEP 2010 has improved realtime protection working together with IE to protect against web threats.

    http://technet.microsoft.com/en-us/library/ff823769.aspx

    • Marked as answer by LA1976 Tuesday, December 7, 2010 10:10 AM
    Monday, December 6, 2010 1:21 PM

All replies

  • I don't understand your answer..

    You say that FCS uses no realtime protection but you mention it is using a mini-filter...

    Well, that means that the mini-filter is not working against viruses as mentioned above..

    Is there any change in this in Forefront Endpoint Protection 2010 ...

     

    Thursday, September 30, 2010 12:31 PM
  • I don't understand the response either...

    I'm getting the same thing. Of 20 engineers in my office, 5 have gotten the Hotfix.exe ad-ware. Is there at least a way to keep the file from installing itself in the c:\documentsandsettings\user\applicationdata folder? In McAfee, I can keep that file from being written into that folder but I don't see a way to stop it using FCS.

     

    Thanks,

    Robert

    Wednesday, December 1, 2010 1:37 AM
  • FCS does not stop these viruses.. I hope that FEP 2010 will have some level of protection for these kinds of attacks.. Just found that FEP 2010 does have protection for websites.. http://technet.microsoft.com/en-us/library/ff823886.aspx
    • Edited by LA1976 Monday, December 6, 2010 1:06 PM
    Monday, December 6, 2010 11:45 AM
  • FCS does not stop these viruses.. I hope that FEP 2010 will have some level of protection for these kinds of attacks..


    If FCS cannot remove some malware, you can submit the files to Microsoft; they will do their best to solve this problem: https://www.microsoft.com/security/portal/Submission/Submit.aspx


    Bechir Gharbi | http://myitforum.com/cs2/blogs/bgharbi/
    Monday, December 6, 2010 12:20 PM
  • I search for a protection method to prevent users from being infected. Somehow Forefront allows running of an executable, creating a registry key and this starts somewhere on the web..

    I try to find some detailed information on how FEP 2010 protects against threats from the web.. I see there is better realtime protection.. Is there a whitepaper available on the protection of FEP 2010?

    Monday, December 6, 2010 12:32 PM