Hi all. I’m Juan S. Fernandez, part of the technical support department for Panda USA. This will be my first post, and I want to blog about something we have often been asked about in support recently: how to deal with Conficker.
From Panda’s perspective, the current variants of Conficker are properly identified and removed. But still, you may have Panda installed across your network, and Conficker still seems to be showing up all over the place… Your computers keep reporting that they are infected, network traffic is slow, your users have problems logging on because your Domain Controllers are saturated… And you wonder what is going on.
Typically, by the time we receive a call in support regarding a Conficker network infection, the customer has already spent hours (sometimes days) trying to eradicate Conficker from the network: isolating computers where Panda detected the virus, running tool after tool, only to find nothing or just a few leftover registry keys… but the problem never goes away. What gives?
Well, I’m sorry, but you are wasting your time. You are concentrating on the wrong computers. Panda correctly detects and disinfects Conficker. Current versions of Conficker will not be allowed to run on a machine that has a working and updated Panda antivirus on it.
So why are you seeing the detections? You need to understand the way Conficker operates to know where to look for it. Conficker uses several paths of infection. The machine where Conficker is running will try to hit other machines on the same network, exploiting a Microsoft vulnerability (see MS08-067). If the target machine hasn’t been patched, Conficker is able to bypass your computer’s security and, by impersonating an admin account, drop a file into the system32 folder. It will also try to add a scheduled task to run those files, among other things (I’m a support guy, not a virus researcher… I’ll let them do the technical explanation).
So what is your Panda doing about it? Well, Panda is preventing the execution of the files, and giving you the detection. But we cannot “close the hole” on your Windows OS. That hole needs to be closed by applying the appropriate Windows Update. Which one? ALL of them!
Note where I said that Conficker will not run on a computer that has working and updated Panda Antivirus. That is actually the key to realizing what you need to do: make sure that ALL your computers have working and updated Panda protection installed. At the same time, make sure that all your computers have all needed Windows updates installed. But don’t stop there. Go ahead and patch all your other software too: Adobe Reader, Flash Player, RealPlayer… or you may find yourself fighting other viruses another day.
So what should your plan of action be if you start receiving Conficker infections? Find the computers that are not complaining about it, and ignore the ones that complain. The computers that are actually infected with Conficker will be the ones without working protection installed. Make sure that your antivirus deployment is complete, and make sure that all your computers have Panda installed.
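To put that plan into a repeatable check, here is an added example (not Panda’s code, and not from the original post) that triages a constructed antivirus console export: hosts with no agent, stale signatures, or no patch management are the likely sources to isolate and clean first, while protected, updated hosts that report detections are only blocking the worm. The column names, hostnames and dates are all assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export from an AV console (hypothetical hostnames and dates):
# agent installed?, signature date, Conficker detections the agent blocked,
# and whether the host is tracked by patch management (so MS08-067 is applied).
INVENTORY_CSV = """hostname,av_installed,signature_date,conficker_detections,patch_managed
FS01,yes,2009-03-31,42,yes
WS-ACCT-07,yes,2009-03-31,17,yes
WS-ACCT-12,yes,2009-02-02,5,yes
LAPTOP-HOME,no,,0,no
DC01,yes,2009-03-31,88,yes
WS-SALES-03,no,,0,yes
"""


def classify_hosts(csv_text, today_iso, max_signature_age_days=3):
    """Split hosts into (likely_sources, noisy_victims) by hostname.

    likely_sources: no agent, stale signatures, or not patch-managed.
    These are the machines the post says to look at first.
    noisy_victims: protected, updated hosts that are merely blocking the
    worm and alerting; cleaning them again does not remove the infection.
    """
    today = date.fromisoformat(today_iso)
    likely_sources, noisy_victims = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        installed = row["av_installed"].lower() == "yes"
        patch_managed = row["patch_managed"].lower() == "yes"
        stale = True  # no agent or no signature date counts as stale
        if installed and row["signature_date"]:
            age = today - date.fromisoformat(row["signature_date"])
            stale = age > timedelta(days=max_signature_age_days)
        if not installed or stale or not patch_managed:
            likely_sources.append(row["hostname"])
        elif int(row["conficker_detections"]) > 0:
            noisy_victims.append(row["hostname"])
    return likely_sources, noisy_victims


if __name__ == "__main__":
    sources, victims = classify_hosts(INVENTORY_CSV, "2009-04-01")
    print("Unprotected or unpatched, check these first:", sources)
    print("Protected hosts that are only alerting:", victims)
```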
You only need one computer without protection and infected with Conficker to have the rest of your machines “defending” themselves constantly against it, generating distracting warnings. I had one instance where “a major network attack by Conficker” prevented user log-ins for hours on a 600-user network, and it was caused by a single laptop that somebody had brought from home… which, of course, did not have Panda installed. Establish strict policies for external computers brought onto your network; perhaps create a separate Wi-Fi network to give them Internet access without compromising your own security.
For added protection, set your Panda Antivirus to scan all extensions, as Conficker will try to use non-standard extensions to fool the protection. You may need to create some exclusions to ensure application stability (like the exclusions for your Exchange server…).
This is where products like Panda for Business or Panda Managed Office Protection really show their value. They allow you to monitor what is going on on your network: who has protection, who does not, who got what virus detected… and to quickly adjust your computers’ protection settings if needed. Panda for Business will even tell you if you have any computers on the network that are not integrated, or whose protection cannot be managed. NetworkSecure can even remove from the network computers whose protection has been disabled, to reduce the risk to the rest of the network, or prevent connections from computers on certain IP ranges. On large networks, it can be installed directly from a Group Policy, reducing the deployment time.
Panda Managed Office Protection allows you to monitor the protection status of your computers no matter where they are in the world, as long as they are connected to the Internet. And you can do all that without investing in extra servers or databases.
I hope this post helps some of you get Conficker out of your network. Until the next post.