(see my article on using SEP app control to block bad BHOs and fake AV apps)
Here are some paths that a SINGLE threat attempted to exploit - this is a common one:
This is part of my policy here - I NOW block this since it was successful in getting into this area - I'd left a hole...
%userprofile%\templates\*.exe
Check these log entries below to see all the ways this one threat was trying to get in!
------------------------------------
Attempt #1
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/av.exe
User name:
------------------------------------
Attempt #2
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Templates/av.exe
User name:
------------------------------------
Attempt #3
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/mtg.exe
User name:
------------------------------------
Attempt #4
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/MSASCui.exe
User name:
------------------------------------
Attempt #5
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg/av.exe
User name:
------------------------------------
Attempt #6
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/mtg.exe
User name:
------------------------------------
Attempt #7
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/MSASCui.exe
User name:
------------------------------------
Attempt #8
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/av.exe
User name:
------------------------------------
Attempt #9
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/mtg.exe
User name:
------------------------------------
Attempt #10
Caller Process Name: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target: C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/MSASCui.exe
User name:
------------------------------------
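As an added example (my own script, not part of the original post or of the SEP product), the Python below parses entries in the log layout quoted above, rewrites each target as a %userprofile%-relative path, and lists the directory-level *.exe patterns that a policy holding only the Templates rule would still leave uncovered. The embedded sample log is constructed from three of the entries above; the regexes and the wildcard semantics are this script's own assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the layout of the application control log quoted
# in the post (separator and empty "User name" lines left out).
SAMPLE_LOG = """Attempt #1
Caller Process Name:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/av.exe
Attempt #2
Caller Process Name:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target:
C:/Documents and Settings/Jami.Schwickerath/Templates/av.exe
Attempt #3
Caller Process Name:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Temp/cxmaon.exe
Target:
C:/Documents and Settings/Jami.Schwickerath/Local Settings/Application Data/Microsoft/Windows Defender/mtg.exe
"""

ENTRY_RE = re.compile(r"Caller Process Name:\s*\n(.+)\nTarget:\s*\n(.+)")
# Assumed per-user profile prefix for an XP-style "Documents and Settings" layout.
PROFILE_RE = re.compile(r"^[a-z]:/documents and settings/[^/]+/", re.I)

def parse_attempts(text):
    """Return (caller, target) pairs found in the log text."""
    return [(c.strip(), t.strip()) for c, t in ENTRY_RE.findall(text)]

def normalize(path):
    """Rewrite a per-user path as %userprofile%-relative, backslashes, lower case."""
    return PROFILE_RE.sub("%userprofile%/", path).replace("/", "\\").lower()

def uncovered_rules(attempts, policy):
    """For every target no policy pattern matches, suggest the directory-level
    '*.exe' pattern the policy would need.  fnmatch lets '*' span path
    separators; that is this script's convention, not the product's."""
    rules = [p.lower() for p in policy]
    needed = set()
    for _caller, target in attempts:
        path = normalize(target)
        if not any(fnmatchcase(path, r) for r in rules):
            needed.add(path.rsplit("\\", 1)[0] + "\\*.exe")
    return sorted(needed)

if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for rule in uncovered_rules(found, [r"%userprofile%\templates\*.exe"]):
        print("not yet covered by policy:", rule)
```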