What is the best way to track, prevent, and uninstall rogue software?

What is the best way to track, prevent, and uninstall rogue software?  Process or steps?

K1000 version 5.4xx

Thanks



Answers (3)

Posted by: mpace 11 years ago
Red Belt
4

For tracking: I set up an automated report that displayed all software installed in the last 24 hours and reviewed that report each morning. Being proactive is one of the best ways to mitigate malware.

Prevention: Don't have your users running as local admins. Have a strong antivirus installed on all of your systems. Don't allow USB drives to freely connect to your systems with something like Sophos or GPO.

Uninstall: See your other two questions on the same topic. I set up a Managed Installation associated with a Smart Label on the K1000 that would detect rogue software and automatically uninstall it using the command line. For more malicious malware, check out my blog post on using Sysinternals tools for malware remediation: http://www.itninja.com/blog/view/malware-hunting-with-sysinternals-tools


Comments:
  • Could you post the SQL for that report please? The software installed in the last 24 hours report. - AFCUjstrick 11 years ago
    • Edit: Found it. Thanks! - AFCUjstrick 11 years ago
      • I know you said you found it, but just in case anyone else needs it this is a variation I use.

        SELECT DISTINCT NAME, VALUE1 AS 'Software Display Name', VALUE2 AS 'Software Version'
        FROM ASSET_HISTORY A
        WHERE CHANGE_TYPE = 'DETECTED'
        AND FIELD_NAME = 'SOFTWARE'
        AND TIME > DATE_SUB(NOW(), INTERVAL 1 DAY)
        ORDER BY NAME, VALUE1

        - dugullett 11 years ago
  • Nice, thank you. I will test it out. - ITROCKS 11 years ago
  • Thanks dugullett. - ITROCKS 11 years ago
Posted by: SMal.tmcc 11 years ago
Red Belt
2

I created a custom software inventory that watches for processes running from the user app data area. 90-95% of the time it will be malware's home. This is the fixed code


Comments:
  • try this new line
    ShellCommandTextReturn(c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%AppDat%%") get executablepath)
    much cleaner - SMal.tmcc 11 years ago
    • I'd be curious what you do with this information? I setup the custom inventory like you showed above, but all the applications it shows are legit for my system.
      Do you have a report setup to notify you? - AFCUjstrick 11 years ago
      • I look at the list and if anything is not IT approved I create a work order to investigate and remove or create a MI uninstall to kill it.
        If it is IT approved or gets IT approved we then let that one go. - SMal.tmcc 11 years ago
      • Posted new line above, see picture above for cleaner output - SMal.tmcc 11 years ago
  • Awesome! Thank you! - ITROCKS 11 years ago
  • Just a note on this report.

    We have found that when a new user signs on to an existing device, creating a new profile, software that runs any type of install routine in the new profile (Google Chrome as an example) shows up in the report. This could lead to a false-positive type of problem in environments that are tightly managed.

    Other than the above issue it is a very helpful report. I am working on adding the logged in user to it as time permits. Will post the results when I get it working.

    John - jmarotto 11 years ago
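A PowerShell version of the AppData process check from SMal.tmcc's WMIC line, extended with a process owner column and an Authenticode signer check to cut down the false positives jmarotto describes. This is an added example, not code from the thread; the approved-signer list is an illustrative placeholder, and it assumes the command runs with rights to see every user's processes (as a K1000 custom inventory run by the agent would).

```powershell
# Added example (not from the original thread): PowerShell equivalent of
#   WMIC PROCESS where (executablepath like "%AppData%") get executablepath
# with owner and code-signing information so approved per-user installs
# (e.g. Chrome in a fresh profile) can be filtered out of the report.

# Placeholder allow-list of certificate subjects whose signed binaries are
# expected under AppData; adjust for your own environment.
$ApprovedSigners = @('CN=Google LLC*', 'CN=Microsoft Corporation*')

function Get-AppDataProcess {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match '\\AppData\\' } |
        ForEach-Object {
            $proc = $_
            # Process owner: the "logged in user" column jmarotto wanted to add.
            $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
            $user = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }

            # Authenticode check: unsigned or badly signed binaries in AppData are
            # the interesting ones; validly signed, approved publishers are not.
            $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $approved = ($sig.Status -eq 'Valid') -and
                        (($ApprovedSigners | Where-Object { $signer -like $_ }).Count -gt 0)

            [PSCustomObject]@{
                ProcessId = $proc.ProcessId
                Name      = $proc.Name
                User      = $user
                SigStatus = $sig.Status
                Signer    = $signer
                Approved  = $approved
                Path      = $proc.ExecutablePath
            }
        }
}

# Only the non-approved entries are worth a work order or an MI uninstall;
# this is the text a ShellCommandTextReturn custom inventory would capture.
Get-AppDataProcess | Where-Object { -not $_.Approved } |
    Format-Table ProcessId, Name, User, SigStatus, Path -AutoSize
```

Wrap the script in a ShellCommandTextReturn(powershell.exe -ExecutionPolicy Bypass -File ...) line, or save it on the agent, to feed the output into the same custom inventory field.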
Posted by: brucegoose03 10 years ago
5th Degree Black Belt
0
I like this report, but I tweaked it a little bit to weed out the Windows updates items since I already see that in separate patching reports:


SELECT DISTINCT
    NAME as "Machine Name",
    VALUE1 AS 'Software Display Name',
    VALUE2 AS 'Software Version'
FROM
    ASSET_HISTORY A
WHERE
    CHANGE_TYPE = 'DETECTED'
        AND FIELD_NAME = 'SOFTWARE'
        AND VALUE1 NOT LIKE 'Security Update for Microsoft Windows%'
        AND VALUE1 NOT LIKE 'Update for Microsoft Windows%'
        AND TIME > DATE_SUB(NOW(), INTERVAL 30 DAY)
ORDER BY NAME , VALUE1

