This article describes a standard model for removing malicious/counterfeit Anti-Virus (AV) programs (i.e., 'fake AV') using Sophos Endpoint Security and Control and, if necessary, using the Sophos command line scanner (SAV32CLI).
You have most likely been infected with a Fake Anti-Virus if:
- You see warnings that you've been infected with malware, similar to Windows popups.
- Whenever you try using a search engine, the links you click on redirect to "Anti-Virus sites".
Known to apply to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+ 9.7.0
Sophos Anti-Virus for Windows 2000+ 10.0
What To Do
You can remove most fake AV programs with Sophos Endpoint Security and Control. Alternatively you can use the SAV32CLI program. See below for instructions on using either method.
Using Endpoint Security and Control
- Log in as a local Administrator on the affected computer.
- In the system tray (bottom right corner of your screen), double-click the Sophos Shield.
- Click 'Scan My Computer' and wait for the scan to finish.
- Click 'Manage Quarantine Items'.
- Under Type, check for "Mal/FakeAV-* or Troj/FakeAV-*" (where * = any random characters).
- Select the fake AV entry (by checking the box to the left of the of it).
- Below the list of detections, click the 'Perform Action' button and select 'Cleanup'.
- Reboot the computer and confirm that the fake AV has been removed. (To do this, double-click the Sophos shield and then click 'Quarantine'. If the fake AV detection is no longer present, then it was successfully removed from your computer.)
If the fake AV entry remains after performing the Cleanup, follow the steps below.
Using SAV32CLI command line scanner
If the procedure did not work using the Endpoint Security and Control GUI, you will need to reboot the computer into Safe Mode to use our command line scanner to attempt to remove the malware.
Note: This method could fail if this is a new variant of the detection, or if you have not recently updated your threat detection data.
- Boot the computer into Safe mode. For instructions on this procedure see: Start your computer in safe mode.
- Click Start | Run | Type:
cmd.exe | Press return.
- Type the following command on one line and exactly as written here:
"%programfiles%\Sophos\Sophos Anti-Virus\SAV32cli.exe" -remove -p="%Userprofile%\desktop\Scan.log"
and then press the Enter key.
- Allow this scan to finish and reboot the machine in the normal way (Click Start | Shutdown | Restart). Do not reboot into Safe Mode.
- Confirm the fake AV has been removed. (To do this, double-click the Sophos shield and then click 'Quarantine'. If the fake AV detection is no longer present, then it was successfully removed from your computer).
If the above steps do not remove the fake AV or if you cannot perform them, contact Sophos Technical Support with the
scan.log file mentioned above.