Are we protected from this?

The Windows icon exploit that is out: are we protected? I see Sophos has come out with a tool to use instead of the Microsoft fix and said anyone using Sophos now is protected anyway.
http://www.sophos.com/security/threat-spotlight/index.html#threat1

I don’t know about CIS AV.
But Sophos states (http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html):

I'm already running Sophos on my computer. Do I need to install this tool? No. As a Sophos Endpoint customer you are already protected against the Windows Shortcut Exploit. We detect it as Exp/Cplink.

Avira detects the PoC published in the present forum (Exp/Cve-2010-2568.B). I suppose it also detects the real malware, and I suppose that, by now, all AVs do. So, do we really need to install the Sophos tool, in the event not of the present malware, but of one of its future “brothers” using the same exploit?

The Sophos tool doesn’t work on Windows XP (at least when the malware is on the C:\ drive):

As you can see, the G Data one works to some extent.

This tool also works to some extent:

Comodo is one of the best suites out there; I am pretty sure they have already gotten the signature for it.

You are quite funny, jerenator69: in every message you write or so, you either state, without corroborating this statement any further, that “Comodo is the best”, or, when some counter-evidence appears (even, I agree, if it sometimes could be due to improper settings), that “it is odd and should not occur”.

The probability that even the worst AV in the world (assuming, again, that some objective ranking could be made) now detects the malware we are talking of is most certainly 1.

But the argument is not relevant, as any AV, including CIS, only relies on a library of known malware.

The real and only issue is to know if Defense+ intercepts not only the said malware, but also similar ones to come, and I am afraid that the answer is, at the time of speaking, negative in both instances (speaking of Defense+, CIS detects any lnk/tmp/exe/dll process if you set Defense+ to intercept these extensions and image execution to high, but it is not a specific setting, and is very unfriendly to the user).

I never said Comodo detected everything. I just said it was one of the best. All I stated was that Comodo most likely already has the signature because it is very good with zero-day malware.

Signature for what exactly?