I read about a new attack from the Vonteera adware family that can actually disable antimalware software on endpoint devices. How does Vonteera accomplish this, and what can enterprise security programs do to prevent this adware attack?
Vonteera is like old school adware that an end user might intentionally install on his computer because he thinks it will give him exclusive coupons, sale price notifications and more. What he really gets is an immense number of ads that are difficult to stop and practically take over the computer. Vonteera sets up several scheduled tasks and browser helper objects to display the ads. It also has functionality to monitor that it isn't being removed.
The Vonteera adware disables antimalware software on endpoint devices by setting the software signing certificates used by an antimalware software vendor to "untrusted." This turns a Windows security feature against the antimalware software. Windows has functionality for only allowing signed software to run, which can prevent malware, but when the list of approved certificates is changed, it can be used to disable the antimalware software.
Antimalware tools take several different steps to protect themselves from being disabled: running as a service, using elevated privileges and implementing a monitoring agent to ensure the main application is working, among others. Antimalware tools should now also monitor the certificate store and software restriction policies to ensure their applications are not disabled by malware.
Enterprise security programs can prevent this malware and the Vonteera adware attack by following the essential endpoint security guidance from Securosis or using the more comprehensive Microsoft security baselines.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out why your organization needs endpoint antimalware protection
Read about the most effective antimalware products
Learn how to defend yourself against fileless malware