• Does MSE detect and remove BlackPOS?

    • This topic has 28 replies, 7 voices, and was last updated 11 years ago.
    #493881

    … or other POS-targeted malware? I can find no useful information through Google or on the MSE website.

    –Thanks

    • #1444589

      I read a blog that BlackPOS had evaded 40 commercial AV programs and as MSE isn’t the best of AVs, I’d hazard a guess and say No, but you could contact MS and see if you can get an honest response from them.

    • #1444619

      You can contact Microsoft? I had no idea. When did that become possible? And they actually answer? Please tell me how to do this.

      • #1444621

        You can contact Microsoft? I had no idea. When did that become possible? And they actually answer? Please tell me how to do this.

        http://support.microsoft.com/contactus/

        Some help is free which this query should be but for more technical queries they will charge.

        From the UK I found a non premium phone number which you could also Google for from your location which negates the need to create an account.

        • #1444717

          I do use a multi-layered strategy. I use ZyXel business class firewall routers, software firewalls (Windows Firewall on the systems running MSE), and the virus/malware protection of MSE or NIS. I run a MalwareBytes scan once a week on each system. I scan both my office and store Internet connections monthly at the ShieldsUp website. And there are a couple of other scans that I run manually, though I can’t remember what they are right off hand. My computer reminds me to do them. 🙂 I continually remind my employees to keep their browsing to business- or weather-related sites as much as possible. Their email clients are set up with aggressive spam filtering. I’m sure I’ve overlooked something.

          But to make my network and computers completely secure would be to make them unusable. It seems like eventually there will be some combination of exploits/vulnerabilities which will allow something in. If a virus trashes a computer, or even all of them, that’s not as bad as if it starts siphoning off my customer’s credit/debit card info. If I’m not doing everything I reasonably can to protect against that, I will probably not survive the ensuing lawsuits. So I want to make sure that whatever AV/AM I am using, it keeps up with the latest POS exploits. And preferably keeps ahead of them.

          • #1444719

            I do use a multi-layered strategy. I use ZyXel business class firewall routers, software firewalls (Windows Firewall on the systems running MSE), and the virus/malware protection of MSE or NIS. I run a MalwareBytes scan once a week on each system. I scan both my office and store Internet connections monthly at the ShieldsUp website. And there are a couple of other scans that I run manually, though I can’t remember what they are right off hand. My computer reminds me to do them. 🙂 I continually remind my employees to keep their browsing to business- or weather-related sites as much as possible. Their email clients are set up with aggressive spam filtering. I’m sure I’ve overlooked something.

            But to make my network and computers completely secure would be to make them unusable. It seems like eventually there will be some combination of exploits/vulnerabilities which will allow something in. If a virus trashes a computer, or even all of them, that’s not as bad as if it starts siphoning off my customer’s credit/debit card info. If I’m not doing everything I reasonably can to protect against that, I will probably not survive the ensuing lawsuits. So I want to make sure that whatever AV/AM I am using, it keeps up with the latest POS exploits. And preferably keeps ahead of them.

            From a malware point of view, the Windows Firewall is almost useless, although in your case it could help if it is configured to block any outgoing, non-allowed program. Other than that, it provides basically no additional protection to the one provided by your hardware firewall. Running Malwarebytes on demand is good, but what really matters is detecting malware in real time. If you want to keep your setup I would add Malwarebytes in real time.

            I believe in whitelisting apps. That’s why I run a HIPS, which doesn’t allow anything that hasn’t been authorized to run, be that a legitimate program or malware. So my setup relies on Online Armor + EAM. With OA whitelisting and EAM behavioral detection I feel I am reasonably protected even against unknown, zero day, threats.
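One way to put the "block any outgoing, non-allowed program" configuration into practice on the Windows Firewall, as an added example that is not from this thread or from any product it mentions. It assumes a Windows 8 / Server 2012 or newer register (the NetSecurity cmdlets), an elevated session, and placeholder paths for the POS binaries and their payment-processor port:

```powershell
# Added example: default-deny outbound on the Windows Firewall, with explicit
# allow rules for the POS software only. Requires the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell session.
# The paths below are placeholders for the real POS binaries.
$posPrograms = @(
    'C:\POS\pos.exe',           # placeholder: main register application
    'C:\POS\CreditModule.exe',  # placeholder: credit card module
    'C:\POS\DebitModule.exe'    # placeholder: debit card module
)

# 1. Keep remote administration working BEFORE tightening anything. Inbound
#    RDP is a stateful connection, so its reply traffic is unaffected by the
#    outbound default, but the built-in inbound rule group must be enabled.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. Allow each POS binary to reach the processor over HTTPS only. Scoping
#    the rule to program + port means an unknown executable dropped on the
#    box gets no outbound path even if it also talks on port 443.
foreach ($exe in $posPrograms) {
    $name = 'POS outbound: ' + (Split-Path -Path $exe -Leaf)
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $exe -Protocol TCP -RemotePort 443 -Action Allow | Out-Null
    }
}

# 3. Flip the default outbound action to Block on every profile. The built-in
#    "Core Networking" outbound rules (DNS, DHCP, ...) stay enabled, so name
#    resolution keeps working. Rollback, if the registers stop processing:
#    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 4. Log dropped connections, so a POS module that was missed shows up in the
#    log as a block rather than as an unexplained card-processing failure.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Review: which outbound allow rules are active now?
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

Run it first on one register from a console session rather than over RDP, and watch pfirewall.log through a full card transaction before repeating it on the others.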

            • #1444732

              If you want to keep your setup I would add Malwarebytes in real time.
              I have been vacillating on that, but you’re right, I really need to pay up and upgrade.

              I believe in whitelisting apps. That’s why I run a HIPS, which doesn’t allow anything that hasn’t been authorized to run, be that a legitimate program or malware. So my setup relies on Online Armor + EAM. With OA whitelisting and EAM behavioral detection I feel I am reasonably protected even against unknown, zero day, threats.

              What does HIPS stand for so I can read up on it?

              EAM is that Emsisoft Antimalware that you mentioned earlier or something else?

              So about whitelisting. At what level does this occur? For example, my POS system has a credit card module and a debit card module. Will I need to make an exception for each of those or just for the overall POS product? And if I do need to make that exception, will it be something that requires me to plan and configure ahead? Or will it take the form of a popup that I can examine and make a decision on the fly?

              Thanks.

          • #1445004

            If you haven’t I would recommend upgrading Malwarebytes to Pro version for active protection. It will work fine alongside MSE. It can be found for as little as $10 and you might want to consider Enterprise Edition. I would also recommend running Malwarebytes anti-rootkit once a week. Also use Keyscrambler to encrypt input.

    • #1444649

      So far not so good. I did a chat at that first address. I was #1 and it started right away. The guy was obviously reading from a script and trying his best to calm and reassure me – even though I was already calm and did not need reassurance. But all he could do was refer me to a different chat service. That one (http://answerdesk.microsoftstore.com) is so backlogged that I get bored and wander off before they answer my chat request. When I return I have to restart it. So far I haven’t been able to talk to anyone who can answer such a simple question.

      The first chat service allowed me to enter my question before initiating the chat. It also allowed me to email a transcript to myself. But it didn’t email the original question. What the heck good is that?

      The second chat service does not allow me to enter my question while I’m waiting. I was planning to just copy/paste my question from the first chat, but since it was not sent along with the transcript I will have to remember and recompose my question all over again.

      I am still not convinced that it is possible to get help from Microsoft.

      • #1444651

        😀 I contacted them once with a problem and the guy suggested something which I didn’t think would work, but it did.

        MSE is probably a sensitive subject with MS with its competence questionable and the guy was probably reluctant to commit where security matters are concerned.

        The article that I read which said that it had evaded 40 commercial AV programs didn’t mention which they were, but I think it tends to target businesses rather than the home user.

        Probably best to use cash at the checkout http://www.darkreading.com/vulnerability/securestate-releases-black-pos-malware-s/240165683 and get a better AV program.

    • #1444683

      I’m not a home user. I have two Point of Sale cash register systems in my store and two backups. I don’t want to end up like Target. They can lawyer up and they will survive it. I would not. I’d end up living under a bridge if that happened to me.

      My store systems are all running MSE because I read in a Windows Secrets newsletter that it was a competent antivirus program. I am now researching to see whether it really is or if I should get a different one. In the past I have only ever used Norton Internet Security after an incident in 1999 (+/- a year) when McAfee destroyed my system worse than any virus at the time could possibly have done. I still run it on a few systems. Should I switch all of my MSE systems to Norton? Or is there something better I should consider – and is it enough better than Norton to be worth the learning curve?

      • #1444714

        I’m not a home user. I have two Point of Sale cash register systems in my store and two backups. I don’t want to end up like Target. They can lawyer up and they will survive it. I would not. I’d end up living under a bridge if that happened to me.

        My store systems are all running MSE because I read in a Windows Secrets newsletter that it was a competent antivirus program. I am now researching to see whether it really is or if I should get a different one. In the past I have only ever used Norton Internet Security after an incident in 1999 (+/- a year) when McAfee destroyed my system worse than any virus at the time could possibly have done. I still run it on a few systems. Should I switch all of my MSE systems to Norton? Or is there something better I should consider – and is it enough better than Norton to be worth the learning curve?

        Well, I don’t really like MSE and comparatives never rank it very well. My personal preference lies with Emsisoft Antimalware and I would recommend BitDefender, as well. These are regularly top rated AVs. If you prefer Norton, it is still better than MSE.

        You should know, however, that no single AV can catch everything, so a multilayered strategy works best.

      • #1452872

        I don’t want to end up like Target. They can lawyer up and they will survive it. I would not. I’d end up living under a bridge if that happened to me.

        You are the exact audience for a session I put together called “Don’t Be a Target”. Get the slides (and mostly read the notes, which is where the information is) at SlideShare. I hope you find it useful.

        Eric

    • #1444698

      BackSpacer,

      From what I read here I’d be more worried about the attack vector (in this case a compromised web server) than about detecting the malware. If you can prevent the attack vector they can’t get the malware on your POS! HTH :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1444715

      I wouldn’t trust MSE with anything but the second paragraph in that article basically says that it has been reported that it is AV proof.

    • #1444718

      BlackPOS is AV proof? That would be seriously bad news. But nothing is ever totally bulletproof and once known someone will figure out how to detect it. In fact I just heard on the radio yesterday that someone at Target is in trouble because there were “indications” of a problem but they were ignored. I’d sure like to know what those indications were so I could make sure I do not ignore them if they occur at our store.

    • #1444724

      That article is entitled SecureState Releases Black POS Malware Scanning Tool and while it may not be a freebie, they must have been able to break it down to produce a scanner.

      If current AV programs are unable to detect it, then it may be worth enquiring about just for peace of mind.

    • #1444727

      Ah, a further Google has produced http://engage.securestate.com/black-pos-malware-scanning so you may be in luck as not to be facing further costs if there isn’t a catch.

      • #1444731

        Ah, a further Google has produced http://engage.securestate.com/black-pos-malware-scanning so you may be in luck as not to be facing further costs if there isn’t a catch.

        Thanks. It looks like I’ll be a busy guy this evening and tomorrow morning.

      • #1445075

        I use Win7 Ultimate and have used MSE for a long time. I added Tinywall firewall to the assortment along with web based Bitdefender. You have to be aware that Tinywall blocks all outbound unless they are specifically okayed. You can set several levels with it though or easily disable or allow all outbound. Should some internet, or for that matter, local network function stop connecting then suspect Tinywall, it is just doing its job. Had a recent Flash update which wasn’t recognized, caused me a little grief until I checked my prime suspect, Tinywall. Though I’m new to The Lounge I’m 72 years old and have been working on computers for over 30 years. I was in electronics before transistors got going. Time sure flies! Still like the Commodore 64 and had a Franklin … Apple-compatible computer. Seen many changes, still love these wonderful machines!

    • #1444734

      Hi,

      EAM is Emsisoft AntiMalware, yes.

      HIPS stands for Host Intrusion Prevention System.

      The whitelisting is implemented by Online Armor. In its default configuration, it prompts you when running unknown programs, so that you can make a decision. So, it will prompt you for whatever modules it identifies as wanting to run. You can then confirm or reject and choose to have your option remembered. For system files, OA recognizes them usually automatically, so after an initial setup period, things just run smoothly.

      Using a HIPS like OA is a great way to keep your system running just what you want it to run, so it is a good way to keep malware, any malware, from infecting you. In many cases OA takes decisions on its own, when it can (safe programs or known threats), in other cases it prompts you to make a decision, but if you so configure OA, you can rest assured that non authorized, unknown programs won’t be able to run.

      If you are interested in testing it, OA has a 30-day trial period. It’s a good way to see if it fits your needs and works properly in your environment. HIPS include their own firewall and OA does it too, replacing the Windows firewall with a better firewall and a much better interface – you can see what apps are connecting to where, whenever you want to, even with automatic IP resolution.
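The whitelisting workflow described above, carried out with Windows' built-in AppLocker instead of Online Armor, as an added example that is not from this thread or from Emsisoft. AppLocker has no on-the-fly prompt, so it answers the earlier "plan ahead or popup?" question the plan-ahead way: inventory the POS install, build allow rules, run in audit mode, then enforce. C:\POS and the two test paths are placeholders; an edition that ships AppLocker (Win7 Ultimate/Enterprise, Server 2008 R2 or later) and an elevated session are assumed:

```powershell
# Added example: application whitelisting with Windows' built-in AppLocker,
# used here in place of the Online Armor HIPS from the thread. AppLocker never
# prompts; rules are prepared ahead of time and tested in audit mode first.
# C:\POS is a placeholder for the real POS installation directory.
$posDir    = 'C:\POS'
$policyXml = Join-Path -Path $env:ProgramData -ChildPath 'pos-applocker-audit.xml'

# 1. The Application Identity service must be running or AppLocker does nothing.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory every EXE/DLL/script under the POS directory (so separate credit
#    and debit modules are picked up too) and turn the list into allow rules.
#    Signed files get publisher rules, which survive vendor updates; unsigned
#    files get hash rules, which must be regenerated after an update.
Get-AppLockerFileInformation -Directory $posDir -Recurse -FileType Exe,Dll,Script |
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Start in audit mode: nothing is blocked yet, but anything the policy
#    WOULD have blocked is written to the event log for review.
(Get-Content -Path $policyXml -Raw) -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $policyXml -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# 4. Dry-run the policy against a known-good module and a stray download
#    (both placeholders) to confirm it allows the one and denies the other.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Path @(
    'C:\POS\CreditModule.exe',
    'C:\Users\Public\Downloads\unknown.exe'
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. After a week of normal trading, list what audit mode would have blocked
#    (event 8003 = "would have been blocked"). Once that list is empty, merge
#    in AppLocker's default rules (Windows and Program Files) so the OS itself
#    stays allowed, change the XML to EnforcementMode="Enabled" and re-apply
#    with Set-AppLockerPolicy.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```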

      • #1444806

        I think the whitelisting is something I will try implementing when I can be in the store for a couple of days. That will probably be sometime in May. Same goes for switching firewalls and AV/AM software if I decide to do so. I normally do all of my sysadmin work via RDP and changes to firewalls typically lock me out until I can fix it locally.

    • #1445011

      I haven’t upgraded to Malwarebytes Pro, but it’s on my todo list. I don’t know what their anti-rootkit product is. I’ll see if I can find it on their website when I go to upgrade. Where do I find the $10 deal? Just Google for it?

      How does Keyscrambler work? Does it only work with keyboards or does it scramble credit card swipers, too? If so I wonder if the swiper would still work correctly. And if not do I have the ability to bypass the scrambler?

    • #1445063

      Thanks. I didn’t know those places exist.

    • #1445078

      Thanks, I will also look into Tinywall. I have a couple of months before I need to commit to a major upheaval that includes firewall changes. The reason is that I will be 1200 miles from the store until sometime in May and I do everything via Remote Desktop. If I install a firewall remotely and it shuts me out, I have to get on a plane fast. And if it shuts down my outbound credit card processing it had better be a supersonic one!

      I’m only 58 but I do remember going through the TV pulling and taking the tubes down to the Albertson’s grocery store one at a time so I didn’t get them confused, putting them in the big blue tube tester at the front of the store, and finally finding the bad one and replacing it. I was just a kid and really wanted to watch one of the moon landings. I had watched the repairman once before and it didn’t look that hard. And it wasn’t as long as it was just a dead tube. Can you imagine pulling out the chips in your TV and taking them down to the grocery store to be tested and to buy a replacement? It’s a different world now. I also built my own computer from a Z80 in the days when that was the hottest chip going. That was left behind to buy an Osborne I “portable” computer, then I left the world of dinky little computers for the world of big, high performance computers. It was a real rush designing those guys. It was like designing Freightliner trucks to compete in NASCAR. Really big, really powerful, really fast servers and corporate database machines. All relative to that time, of course. I’m sure the PC on my desktop right now could probably outperform them easily.

    • #1445080

      How did that scanning tool work out?

      • #1445093

        How did that scanning tool work out?

        I downloaded it to one system and ran it. It found nothing. Then my wife decided she had other plans for me. I’ll try and do the second one this evening. I can’t really mess with them during work hours.

        Thanks again for suggesting it.

    • #1445096

      OK, both POS systems are checked with that scanner and both come back negative. That’s good to know. Thanks, Sudo15
