'Trojan.Agent.TKH' got through RSS feed

  • Question

  • Hi,

    I currently run Microsoft Forefront and have recently got Trojan.Agent.TKH or 'C:\Documents and Settings\<user>\Application Data\Lesewy\dikut.exe'. Does anyone know why this was not stopped by Forefront or if I should be doing anything else to prevent this occurring in future?

    Thanks,

    Monday, February 18, 2013 4:25 AM

Answers

  • You should also look at Microsoft's Software Restriction Policies.

    You can create Group Policies that prohibit programs from getting executed from user profile locations for non-administrator users.

    The only tricky part is if you have users that frequently use WebEx and other web-based tools that launch from temporary web folders used in the profile.

    http://technet.microsoft.com/en-us/library/cc779607(v=ws.10).aspx

    It may take a while, or maybe even a couple of different versions of the GPO, to get all your users and OUs configured for those special programs that don't use the standard "Program Files" or "Program Files (x86)" locations.

    If you work it in great detail all the way through, you will be amazed at how little malware can now be installed or run on your non-administrator user systems.


    Randall

    Tuesday, February 19, 2013 4:40 PM
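    As an added example (not code from Randall's reply, the thread, or Microsoft), the script below writes the same kind of Software Restriction Policy that the reply describes into the local policy store: a Disallowed path rule for the whole user profile, a single Unrestricted exception for a profile-based web tool, and PolicyScope set so local administrators are exempt. The registry layout is the one secpol.msc uses; the WebEx exception path and the rule set itself are assumptions for illustration, not values from the thread.

```powershell
# Added example, not code from the thread or from Microsoft: local SRP path
# rules that stop non-administrators from running programs out of their
# profile, with one labelled exception. All paths are assumptions; adjust them.
#Requires -RunAsAdministrator

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # SRP security level "Unrestricted" (0x40000)
$LevelNames   = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

# Rule set for this example. Among overlapping path rules SRP applies the most
# specific (longest) match, so the narrow Unrestricted rule wins inside the
# broad Disallowed profile rule. The WebEx path is a hypothetical example.
$Rules = @(
    @{ Level = $Disallowed;   Path = '%USERPROFILE%';   Description = 'Deny execution from the user profile' },
    @{ Level = $Unrestricted; Path = '%APPDATA%\WebEx'; Description = 'Hypothetical exception for a profile-based web tool' }
)

function Set-SrpGlobalSettings {
    # Creates the CodeIdentifiers key and the policy-wide values secpol.msc
    # writes: default level Unrestricted (only explicit rules block), skip
    # DLLs (TransparentEnabled = 1), exempt local administrators (PolicyScope = 1).
    New-Item -Path $SaferRoot -Force | Out-Null
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel        -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled  -Value 1             -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope         -Value 1             -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name AuthenticodeEnabled -Value 0             -Type DWord
    # Default designated file types; LNK is included, so shortcuts inside the
    # profile are also blocked by the rule above (see the note after the script).
    Set-ItemProperty -Path $SaferRoot -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
        'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
        'SCR','SHS','URL','VB','WSC')
}

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)][int]    $Level,
        [Parameter(Mandatory)][string] $Path,
        [string] $Description = ''
    )
    # Each path rule lives under <level>\Paths\{GUID}; ItemData is REG_EXPAND_SZ
    # so environment variables are expanded per user at evaluation time.
    $ruleId  = [guid]::NewGuid().ToString('B').ToUpper()
    $ruleKey = Join-Path $SaferRoot "$Level\Paths\$ruleId"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $ruleKey
}

function Get-SrpPathRule {
    # Lists every path rule in the local policy, to audit what will be enforced.
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue) {
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p    = Get-ItemProperty -Path $rule.PSPath
            $name = $levelKey.PSChildName
            [pscustomobject]@{
                Level       = if ($LevelNames.ContainsKey($name)) { $LevelNames[$name] } else { $name }
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

Set-SrpGlobalSettings
foreach ($r in $Rules) { New-SrpPathRule @r | Out-Null }
Get-SrpPathRule | Format-Table -AutoSize
# Rules apply to newly started processes once the policy is reloaded
# (gpupdate /force or a reboot).
```

    Two design points worth knowing before rolling this out through a domain GPO instead of the local store: because LNK is among the designated file types, a Disallowed rule on the profile also blocks shortcuts on the user's Desktop and Start Menu, which is why many administrators remove LNK from ExecutableTypes or add an Unrestricted rule for those folders; and every legitimate tool that runs from the profile (the WebEx case in the reply above) needs its own longer, more specific Unrestricted path rule, which is the iterative tuning Randall describes.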
  • Hi,

    Thank you for the post.

    If FCS does not detect this kind of virus, you may submit a sample to MMPC for further analysis: https://www.microsoft.com/security/portal/Submission/Submit.aspx

    Regards,


    Nick Gu - MSFT

    • Marked as answer by Nick Gu - MSFT Monday, February 25, 2013 1:42 AM
    Friday, February 22, 2013 3:24 AM

All replies

  • anyone??
    Monday, February 18, 2013 10:36 PM