{"id":45119,"date":"2015-08-31T16:52:45","date_gmt":"2015-08-31T23:52:45","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=45119"},"modified":"2025-06-03T22:06:01","modified_gmt":"2025-06-04T05:06:01","slug":"preventing-dridex-infections","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/preventing-dridex-infections\/","title":{"rendered":"Best practices for preventing Dridex infections"},"content":{"rendered":"

Mitigating\u00a0the Dridex threat at multiple levels like file, registry, url and ip address can be achieved at various layers of McAfee security products<\/a>. Browse the product guidelines available here<\/a> (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described below in the Characteristics and symptoms section.<\/p>\n

We build several documentations regarding DRIDEX and variants :<\/p>\n

    \n
  1. https:\/\/kc.mcafee.com\/corporate\/index?page=content&id=PD25689<\/a> \u2013 W97M\/Downloader<\/li>\n
  2. https:\/\/kc.mcafee.com\/corporate\/index?page=content&id=PD25982<\/a> \u2013 Dridex<\/li>\n<\/ol>\n

    Basic rules on handling emails:<\/strong><\/p>\n

    Email from unknown senders should be treated with caution. If an email looks strange, do the following: ignore it, delete it, and never open attachments or click on URLs.<\/p>\n

    Opening file attachments, especially from unknown senders, harbors risks. Attachments should first be scanned with an antivirus program and, if necessary, deleted without being opened.<\/p>\n

    Never click links in emails without checking the URL. Many email programs permit the actual target of the link to be seen by hovering the mouse over the visible link without actually clicking on it (called the mouse-over function).<\/p>\n

    Configuring Access Protection in VirusScan Enterprise<\/a><\/strong><\/h2>\n

    \u00a0<\/strong>Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise<\/a>:<\/p>\n

    How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console<\/a><\/p>\n

    How to use wildcards when creating exclusions in VirusScan Enterprise 8.x<\/a><\/p>\n

    Dridex usually copies itself into the Administrator\u2019s Application Data folder using edge or edg with the random numeric numbers at the end, like the following examples:<\/p>\n

    On Win XP:<\/strong><\/p>\n

    \u00a0<\/strong>C:Documents and SettingsAdministratorApplication DataLocal Settingsedge or edg[random.hex].exe<\/strong><\/p>\n

    \u00a0<\/strong>WIN7:<\/strong><\/p>\n

    C:UsersAdministratorAppdatalocaledge or edg[random.hex].exe<\/strong><\/p>\n

    Users can configure and test Access Protection Rules to restrict the creation of new files and folders when there are no other legitimate uses.<\/p>\n

    Select New files being created<\/strong> and add the following file location in File or folder name to block:<\/strong><\/p>\n