I read about a new attack from the Vonteera adware family that can actually disable antimalware software on endpoint...
devices. How does Vonteera accomplish this, and what can enterprise security programs do to prevent this adware attack?
Vonteera is like old school adware that an end user might intentionally install on his computer because he thinks it will give him exclusive coupons, sale price notifications and more. What he really gets is an immense number of ads that are difficult to stop and practically take over the computer. Vonteera sets up several scheduled tasks and browser helper objects to display the ads. It also has functionality to monitor that it isn't being removed.
The Vonteera adware disables antimalware software on endpoint devices by setting the software signing certificates used by an antimalware software vendor to "untrusted." This turns a Windows security feature against the antimalware software. Windows has functionality for only allowing signed software to run, which can prevent malware, but when the list of approved certificates is changed, it can be used to disable the antimalware software.
Antimalware tools take several different steps to protect themselves from being disabled: running as a service, using elevated privileges and implementing a monitoring agent to ensure the main application is working, among others. Antimalware tools should now also monitor the certificate store and software restriction policies to ensure their applications are not disabled by malware.
Enterprise security programs can prevent this malware and the Vonteera adware attack by following the essential endpoint security guidance from Securosis or using the more comprehensive Microsoft security baselines.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out why your organization needs endpoint antimalware protection
Read about the most effective antimalware products
Learn how to defend yourself against fileless malware
Related Q&A from Nick Lewis
Zscaler recently discovered a malvertising campaign that spreads the Terror exploit kit through malicious ads. Discover more about the threat with ... Continue Reading
Cybersecurity vendor Wordfence reported a rise in scans for SSH private keys that are often accidentally exposed to the public. Learn how to stay ... Continue Reading
The SANS Internet Storm Center discovered a DDE attack spreading Locky ransomware through Microsoft Word. Learn what a DDE attack is and how to ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.