This came up in the SBS2K list where one of the members posted about his sites and the fact that the users were downloading and installing a product called Antivirus 2009. He wondered why the version of Trend he is using was not blocking them. I suspect that this came to him using a form of malvertisement and sure enough – after checking Sandi’s blog, I am right. It looks like one of the attack vectors for this is from "infected ad banners", although it can also come from other sources. After some digging I found this blog post from Bill Mullins that talks about the software as well.
So why does Trend not block it? Well, it depends on the version really – you can see from the screenshot below that WFBS 5.0 does indeed block it, and it requires user interaction to bypass it. I can only assume that the group member didn’t have the latest version installed on his computer.
Web Reputation Services is a facility in WFBS 5.0 that monitors a user’s web site access; if the URL that the user is going to is a known bad URL, it stops user access with the message below. The user can reclassify the URL and allow access to the site, but as you can see, this is not something they will do without first being warned that this is a bad thing 🙂
If you don’t have WFBS 5.0 installed, this is yet one more reason that you should get it up and running ASAP.
I’ll be updating my Trend Guide for CSM to WFBS 5.0 shortly – it will be available for purchase via www.sbsfaq.com and available free to subscribers.