
New IPS Definitions 20090904.002

I just got new IPS Definitions 20090904.002. What do these do exactly? Do they block the scareware?

Replies


Re: New IPS Definitions 20090904.002

Hi car825,

If you read this excellent article by Ameya, it will tell you all you need to know about IPS (Intrusion Prevention System) and how it works - it is very detailed:

http://community.norton.com/t5/Norton-Protection-Blog/Intrusion-Prevention-System-IPS-Your-first-line-of-defense/ba-p/124400#A339

Message Edited by Yaso_Kuuhl on 09-05-2009 09:28 PM
Your Norton Ladybug.

Re: New IPS Definitions 20090904.002


car825 wrote:
I just got new IPS Definitions 20090904.002. What do these do exactly? Do they block the scareware?

Hi car825,

IPS definitions prevent malware from gaining entry onto your system through known vulnerabilities in your operating system and applications.  IPS spots attempts to exploit these holes and blocks them.  The list of Attack Signatures that Norton watches for is published here:

http://www.symantec.com/business/security_response/attacksignatures/index.jsp

Scareware uses social engineering to frighten people into manually installing the malware themselves.  Norton has other protections such as Auto-Protect to deal with that type of threat.  IPS is primarily designed to thwart drive-by downloads that install malicious payloads with no action on the user's part.

Message Edited by SendOfJive on 09-05-2009 12:17 PM
Message Edited by SendOfJive on 09-05-2009 12:19 PM
Message Edited by SendOfJive on 09-05-2009 12:24 PM

Re: New IPS Definitions 20090904.002


SendOfJive wrote:

car825 wrote:
I just got new IPS Definitions 20090904.002. What do these do exactly? Do they block the scareware?

Hi car825,

IPS definitions prevent malware from gaining entry onto your system through known vulnerabilities in your operating system and applications.  IPS spots attempts to exploit these holes and blocks them.  The list of Attack Signatures that Norton watches for is published here:

http://www.symantec.com/business/security_response/attacksignatures/index.jsp

Scareware uses social engineering to frighten people into manually installing the malware themselves.  Norton has other protections such as Auto-Protect to deal with this type of threat.  IPS is primarily designed to thwart drive-by downloads that install malicious payloads with no action on the user's part.

Message Edited by SendOfJive on 09-05-2009 12:17 PM
Message Edited by SendOfJive on 09-05-2009 12:19 PM

Recently there have been more people here looking for assistance with scareware that somehow got through their defenses.  I was hoping that these new IPS definitions (it's been a while since they were updated) would address that.  From what you wrote I assume it won't help.  That's too bad.  I still don't understand why Norton doesn't stop scareware before it gets to the point where you need to close the popup windows with Task Manager.

Message Edited by car825 on 09-05-2009 03:31 PM

Re: New IPS Definitions 20090904.002

Recently there have been more people here looking for assistance with scareware that somehow got through their defenses.  I was hoping that these new IPS definitions (it's been a while since they were updated) would address that.  From what you wrote I assume it won't help.  That's too bad.  I still don't understand why Norton doesn't stop scareware before it gets to the point where you need to close windows with Task Manager.


Norton and the team behind Norton do their best to keep the baddies at bay. However, the internet surfer also has to be careful about where they surf and what they download. Security software doesn't make you invulnerable. Also, bear in mind that the latest threats always come out first and the security companies follow with writing up the definitions and enhancing protective and counteractive software as fast as they can. In other words: security is dependent, to a certain extent, on the surfer's actions and on when the threats come out, among other things.

Message Edited by Yaso_Kuuhl on 09-05-2009 09:35 PM
Your Norton Ladybug.

Re: New IPS Definitions 20090904.002

How long does it take to provide protection against a specific threat?  Looking at various posts it appears that the Total Security scareware has been around for a while.  Does Norton stop it yet?

Re: New IPS Definitions 20090904.002

Your Norton Ladybug.

Re: New IPS Definitions 20090904.002

A lot of the times it is NOT  "Total Security" as an individual infection that is involved.

The individual TS installer is detected at the moment as "Packed.Generic.243"

Quads 


Re: New IPS Definitions 20090904.002


Yaso_Kuuhl wrote:

Yes; here you go:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-083102-0516-99&tabid=2


This is good.  My confidence level just went up. So what happens now if one encounters this particular scareware?  Will there be any popups or will Norton completely block it?

Re: New IPS Definitions 20090904.002


Quads wrote:

A lot of the times it is NOT  "Total Security" as an individual infection that is involved.

The individual TS installer is detected at the moment as "Packed.Generic.243"

Quads 


Scareware is truly scary...:-) It's horribly sneaky nowadays...

Your Norton Ladybug.

Re: New IPS Definitions 20090904.002


car825 wrote:

Yaso_Kuuhl wrote:

Yes; here you go:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-083102-0516-99&tabid=2


This is good.  My confidence level just went up. So what happens now if one encounters this particular scareware?  Will there be any popups or will Norton completely block it?

If you want to know how to react promptly and correctly to a pop-up, please check out this great thread over here:

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=70586

It's pretty much a tutorial ;-D

Message Edited by Yaso_Kuuhl on 09-05-2009 09:58 PM
Your Norton Ladybug.

Re: New IPS Definitions 20090904.002


Yaso_Kuuhl wrote:

Quads wrote:

A lot of the times it is NOT  "Total Security" as an individual infection that is involved.

The individual TS installer is detected at the moment as "Packed.Generic.243"

Quads 


Scareware is truly scary...:-) It's horribly sneaky nowadays...


Not really, just a matter of figuring it out, what other Malware is on the system in the background
 Mind you some people are scared of cats, I am not
Some are scared of poisonous snakes (ME), some handle them with ease
 
Quads 
Message Edited by Quads on 09-06-2009 08:02 AM

Re: New IPS Definitions 20090904.002

Scareware is truly scary...:-) It's horribly sneaky nowadays...


Not really, just a matter of figuring it out, what other Malware is on the system in the background
 Mind you some people are scared of cats, I am not
Some are scared of poisonous snakes (ME), some handle them with ease
 
Quads 

Ah, but you have a sixth sense where rootkits and the nastiest baddies are concerned, Quads ;-)))) I like cats, too. And spiders :-)
Your Norton Ladybug.

Re: New IPS Definitions 20090904.002


car825 wrote:
I still don't understand why Norton doesn't stop scareware before it gets to the point where you need to close the popup windows with Task Manager.

 Hi car825,

The difficulty in stopping scareware is that it doesn't actually do anything that an antivirus program would recognize as malicious, such as changing system files or stealing passwords.  Scareware simply inserts popups into the website you are visiting and displays images that purport to show what is on your computer.  Since the scareware is not actually looking at your computer and there is no attempt to install anything until you click something, all legitimate antivirus programs have a tough time with this type of threat.  When you actually try to install the rogue program it should be detected, but again these programs morph all the time so antivirus companies are always playing catch up to keep their detections current.  This is why it is always best to close the browser using Task Manager and avoid the threat altogether.

There is a very short, but informative, article about scareware detection on this PC Mag Security Watch blog from a few days ago:

 http://blogs.pcmag.com/securitywatch/2009/09/standard_user_malware.php


Re: New IPS Definitions 20090904.002


SendOfJive wrote:

car825 wrote:
I still don't understand why Norton doesn't stop scareware before it gets to the point where you need to close the popup windows with Task Manager.

 Hi car825,

The difficulty in stopping scareware is that it doesn't actually do anything that an antivirus program would recognize as malicious, such as changing system files or stealing passwords.  Scareware simply inserts popups into the website you are visiting and displays images that purport to show what is on your computer.  Since the scareware is not actually looking at your computer and there is no attempt to install anything until you click something, all legitimate antivirus programs have a tough time with this type of threat.  When you actually try to install the rogue program it should be detected, but again these programs morph all the time so antivirus companies are always playing catch up to keep their detections current.  This is why it is always best to close the browser using Task Manager and avoid the threat altogether.

There is a very short, but informative, article about scareware detection on this PC Mag Security Watch blog from a few days ago:

 http://blogs.pcmag.com/securitywatch/2009/09/standard_user_malware.php


This is where it gets confusing.  I'm pretty sure I read in one of the other threads that you should disconnect from the internet and close the popup windows as soon as possible because they will do bad things while you are figuring out your next step.  I would call that malicious.

Re: New IPS Definitions 20090904.002

This is where it gets confusing.  I'm pretty sure I read in one of the other threads that you should disconnect from the internet and close the popup windows as soon as possible because they will do bad things while you are figuring out your next step.  I would call that malicious.

You're right about what you read. Such pop-ups will hijack your browser and/or attempt to install malware on your machine as soon as you click on them. So it depends on how you close those pop-ups. You cannot click on the pop-up while it is sticking around on your screen. If you click, you'll fall into the trap. So how do you get rid of the pop-up without clicking on it? And that's why it is strongly recommended to close your browser (and thus the pop-up) in order to avoid any kind of interaction with said pop-up - and to get rid of it. Often, people will try to close the pop-up by clicking on the red "x". Which is a big mistake to do. This is why your security software is dependent on your actions. You, as a user, have to make certain decisions, and your security software can't always make up your mind for you :-) 

When I encountered the errorsafe pop-up, I used two methods: one was to disconnect from the internet, and then close the pop-up/browser window(s); the second one was to terminate my browser via the task manager. I prefer combining the two, however. Disconnect from the internet and terminate the browser via task manager. I haven't had to do that kind of thing for a very long time, though :-) In a nutshell: what is crucial is that you should never ever try clicking away those pop-ups. 

Message Edited by Yaso_Kuuhl on 09-05-2009 11:35 PM
Your Norton Ladybug.

Re: New IPS Definitions 20090904.002


car825 wrote:
This is where it gets confusing.  I'm pretty sure I read in one of the other threads that you should disconnect from the internet and close the popup windows as soon as possible because they will do bad things while you are figuring out your next step.  I would call that malicious.

The scareware itself cannot install unless you click on something.  That is why it has to go to the trouble of trying to convince you that your PC is already infected with hundreds of nasties that can only be gotten rid of if you install the rogue product.  If it could infect you silently, it would.  Now it is certainly possible that if the website has been hacked, then while you are watching all the festivities other malicious programs are scanning your PC for vulnerabilities to exploit to enable other malware to creep in unannounced.  And, of course, that is where IPS comes in (along with you staying up to date on all Windows and application patches).

When you see one of these scareware displays it is easy to get a bit panicky (Quads excepted, of course), even if you know what to do.  Remain calm, disconnect from the internet and bring up Task Manager.  The notion that you are in a race against time will only unnecessarily distract you from what needs to be done.  In truth, no matter how quickly you react, if you were susceptible to a drive-by download, the damage is most likely already done anyway.  Applying all vendor patches as they are released is your best defense.

Message Edited by SendOfJive on 09-05-2009 02:24 PM

Re: New IPS Definitions 20090904.002

One of the reasons I.P.S.s are there is for people who do not patch their system's vulnerabilities, although patching them, of course, is always advised.  I.D.S.s will always block any attempt to attack your computer, whether successful or not.  It is always good to stay up-to-date with I.D.S.s as mostly all of the updates will contain vulnerabilities that have not been disclosed yet.  The second reason is to patch vulnerabilities which currently do not have a patch available, or the vulnerability has been un-disclosed.

Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures.  Attack signatures contain the information that identifies an attacker's attempt to exploit a known operating system or program vulnerability. If the information matches an attack signature, Intrusion Prevention automatically discards the packet and breaks the connection with the computer that sent the data. This action protects your computer from being affected in any way. Intrusion Prevention protects your computer against most common Internet attacks.

Message Edited by Floating_Red on 09-05-2009 11:50 PM
Message Edited by Floating_Red on 09-05-2009 11:51 PM
Message Edited by Floating_Red on 09-05-2009 11:53 PM
Message Edited by Floating_Red on 09-06-2009 12:12 AM
Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
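
Added example, not part of any post above and not Norton's code: a minimal Python sketch of the signature matching described in this thread (compare each packet against attack signatures, discard a match and break that connection). The signature IDs, patterns, addresses and traffic are constructed for illustration; the first sample is a scareware pop-up page, which carries no exploit pattern and therefore passes.

```python
import re
from dataclasses import dataclass, field

# Constructed signatures: the IDs and patterns are hypothetical, not Norton's.
SIGNATURES = {
    "DEMO-0001 oversized FIELD value": re.compile(rb"FIELD=[A-Za-z0-9]{64,}"),
    "DEMO-0002 test exploit marker": re.compile(rb"EXPLOIT-TEST-MARKER"),
}

@dataclass
class IntrusionPrevention:
    broken: set = field(default_factory=set)   # connections already cut off
    log: list = field(default_factory=list)    # (connection, signature) hits

    def inspect(self, conn: str, payload: bytes) -> str:
        """Return 'pass' or 'drop' for one packet on connection `conn`."""
        if conn in self.broken:
            return "drop"                      # connection was broken earlier
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                self.broken.add(conn)          # discard packet, break connection
                self.log.append((conn, name))
                return "drop"
        return "pass"

# Constructed traffic (documentation-range addresses).
TRAFFIC = [
    # Scareware pop-up page: alarming text, but no exploit pattern in it.
    ("198.51.100.7:80", b"<html>WARNING: 327 threats found! Click to scan</html>"),
    # Attempt matching a signature, then a follow-up on the same connection.
    ("203.0.113.9:80", b"GET /app?FIELD=" + b"A" * 80),
    ("203.0.113.9:80", b"GET /index.html"),
    ("192.0.2.5:443", b"GET /news FIELD=short"),
]

def run_demo():
    ips = IntrusionPrevention()
    verdicts = [ips.inspect(conn, data) for conn, data in TRAFFIC]
    return verdicts, ips.log

if __name__ == "__main__":
    verdicts, log = run_demo()
    for (conn, _), verdict in zip(TRAFFIC, verdicts):
        print(conn, verdict)
    print(log)
```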

Re: New IPS Definitions 20090904.002

Funny, with the new IPS definitions, it's now saying that Verizon's Newsroom is attacking me. I know it's a statistical submission, but so far 2 of them for the same site. Verizon is my ISP.
Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
