Adware via the IE Toolbar

The Network: A Bank serving multiple states on the US East Coast with an HQ and several dozen branch offices; 500+ servers and 2000+ workstations.

The Expectation: Employee workstations are secured with brand-name up to date Anti Virus (AV) and latest updates.

The Catch: Adware observed launching on multiple branch workstations; also observed Internet Explorer (IE) toolbar installations for ShopAtHome.

The Find: The EventTracker DFIR feature catches launch of new processes via MD5 checksum; these adware packages are reported as malware by 27 of the 56 AV programs at VirusTotal, but the brand-name AV in this network lets it launch.

The Fix: Uninstall the toolbar (quite persistent and sticky); clean up the workstations; run a deep scan.

The Lesson: Wear a belt to keep your pants up but consider suspenders for insurance against embarrassment.

SOC Catch of the Day