What is the best way to track, prevent, and uninstall rogue software?  Process or steps?

K1000 version 5.4xx

Thanks


Community Chosen Answer

4

For tracking: I set up an automated report that displayed all software installed in the last 24 hours and reviewed that report each morning. Being proactive is one of the best ways to mitigate malware.

Prevention: Don't have your users running as local admins. Have a strong antivirus installed on all of your systems. Don't allow USB drives to freely connect to your systems with something like Sophos or GPO.

Uninstall: See your other two questions on the same topic. I set up a Managed Installation associated with a Smart Label on the K1000 that would detect rogue software and automatically uninstall it using the command line. For more malicious malware, check out my blog post on using Sysinternals tools for malware remediation: http://www.itninja.com/blog/view/malware-hunting-with-sysinternals-tools

Answered 06/11/2013 by: mpace
Red Belt

  • Could you post the SQL for that report please? The software installed in the last 24 hours report.
    • Edit: Found it. Thanks!
      • I know you said you found it, but just in case anyone else needs it this is a variation I use.

        SELECT DISTINCT NAME, VALUE1 AS 'Software Display Name', VALUE2 AS 'Software Version'
        FROM ASSET_HISTORY A
        WHERE CHANGE_TYPE = 'DETECTED'
        AND FIELD_NAME = 'SOFTWARE'
        AND TIME > DATE_SUB(NOW(), INTERVAL 1 DAY)
        ORDER BY NAME, VALUE1
  • Nice, thank you. I will test it out.
  • Thanks dugullett.

Answers

2

I created a custom software inventory that watches for processes running from the user app data area. 90-95% of the time it will be malware's home. This is the fixed code:

Answered 06/11/2013 by: SMal.tmcc
Red Belt

  • Try this new line:
    ShellCommandTextReturn(c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%AppDat%%") get executablepath)
    Much cleaner.
    • I'd be curious what you do with this information? I set up the custom inventory like you showed above, but all the applications it shows are legit for my system.
      Do you have a report setup to notify you?
      • I look at the list and if anything is not IT approved I create a work order to investigate and remove or create a MI uninstall to kill it.
        If it is IT approved or gets IT approved we then let that one go.
      • Posted new line above; see picture above for cleaner output.
  • Awesome! Thank you!
  • Just a note on this report.

    We have found that when a new user signs on to an existing device, creating a new profile, software that runs any type of install routine in the new profile (Google Chrome as an example) shows up in the report. This could lead to a false-positive type of problem in environments that are tightly managed.

    Other than the above issue it is a very helpful report. I am working on adding the logged in user to it as time permits. Will post the results when I get it working.

    John
0
I like this report, but I tweaked it a little bit to weed out the Windows Update items since I already see those in separate patching reports:

SELECT DISTINCT
    NAME AS 'Machine Name',
    VALUE1 AS 'Software Display Name',
    VALUE2 AS 'Software Version'
FROM ASSET_HISTORY A
WHERE CHANGE_TYPE = 'DETECTED'
  AND FIELD_NAME = 'SOFTWARE'
  AND VALUE1 NOT LIKE 'Security Update for Microsoft Windows%'
  AND VALUE1 NOT LIKE 'Update for Microsoft Windows%'
  AND TIME > DATE_SUB(NOW(), INTERVAL 30 DAY)
ORDER BY NAME, VALUE1

Answered 12/01/2014 by: brucegoose03
Second Degree Black Belt
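Pulling the threads above together, here is an added example report (not any poster's own SQL) that keeps dugullett's 24-hour window and brucegoose03's Windows Update exclusions and adds the last logged-on user that John mentions wanting, so each new detection can be triaged per machine and user. The join from ASSET_HISTORY through ASSET to MACHINE (ASSET.MAPPED_ID, ASSET_TYPE_ID = 5 for computers) and the MACHINE.USER_LOGGED and MACHINE.IP columns are assumptions about the K1000 schema that are not shown on this page.

```sql
-- Added example, not from any poster on this page.
-- Assumed schema (verify on your K1000): ASSET_HISTORY.ASSET_ID -> ASSET.ID,
-- ASSET.MAPPED_ID -> MACHINE.ID for computer assets (ASSET_TYPE_ID = 5),
-- MACHINE.USER_LOGGED = last logged-on user, MACHINE.IP = last known IP.
SELECT DISTINCT
    M.NAME        AS 'Machine Name',
    M.USER_LOGGED AS 'Last Logged-On User',
    M.IP          AS 'IP Address',
    AH.VALUE1     AS 'Software Display Name',
    AH.VALUE2     AS 'Software Version',
    AH.TIME       AS 'Detected'
FROM ASSET_HISTORY AH
JOIN ASSET A   ON A.ID = AH.ASSET_ID
JOIN MACHINE M ON M.ID = A.MAPPED_ID
              AND A.ASSET_TYPE_ID = 5
WHERE AH.CHANGE_TYPE = 'DETECTED'
  AND AH.FIELD_NAME = 'SOFTWARE'
  -- same 24-hour window as the original morning review report
  AND AH.TIME > DATE_SUB(NOW(), INTERVAL 1 DAY)
  -- patching already has its own reports; keep it out of this one
  AND AH.VALUE1 NOT LIKE 'Security Update for Microsoft Windows%'
  AND AH.VALUE1 NOT LIKE 'Update for Microsoft Windows%'
  -- IT-approved titles that re-run their installer in every new user
  -- profile (the false positive John describes); extend this list as
  -- software gets approved, rather than ignoring the report entirely
  AND AH.VALUE1 NOT IN ('Google Chrome')
ORDER BY AH.TIME DESC, M.NAME, AH.VALUE1;
```

Run it in the Reporting module's SQL editor first and confirm the join returns one row per machine before scheduling it, since a wrong MAPPED_ID mapping will silently drop machines rather than error out.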
