Fake anti-virus: understanding it and preventing it

  • Article ID: 110379
  • Rating:
  • 6 customers rated this article 4.3 out of 6
  • Updated: 28 Sep 2010

What is fake anti-virus?

Fake anti-virus, also known as rogue anti-virus or scareware, is one of the leading ways for malicious hackers to make money from unsuspecting internet users. The fake anti-virus software typically warns the user that they have various fictional security threats present on their computer. The warnings themselves are false but they are often backed up by believable descriptions of the supposed malware.

The following examples illustrate the sort of false warnings you might see on your computers:

Example 1

text 1

Example 2

Example 3

When the user chooses to remove the threats they are asked to purchase or register the product and taken to a website that will process the payment details.

The web pages users are taken to may look like one of these:

Because this scam provides revenue directly to the hackers it is particularly popular.
Creators of fake anti-virus software also use networks of affiliates to help distribute their software, usually by less than honest means.


Fake anti-virus is spread using a variety of methods, all designed to draw an unsuspecting user into installing the software.

Email and messaging
Criminals send spam email and social network messages with the software installer attached, using a social engineering lure to persuade the recipient to open the attachment. Common lures include tax refund information, package delivery notifications or pictures of topical news stories.

Search Engine Optimization
Hackers create pages related to common or topical search terms and design them to appear high in search engine results. This makes it likely that people will encounter the page during their usual search activity. The web pages may either display warnings about infection that encourage the user to purchase the fake anti-virus, or they download a video player which is actually the fake anti-virus installer.

Compromised websites
Cybercriminals often break into other websites in order to spread their software, relying on the site's own popularity to draw innocent users. The hackers will then install extra code into the compromised pages, again with the goal of either displaying fake security warnings or exploiting a browser vulnerability to install their software directly. Cybercriminals will often combine these techniques to increase the effectiveness of their fraud:

Once installed the fake anti-virus may also install other malware such as spam bots or keyloggers.

Names and numbers

The fake anti-virus software makers use a variety of names for their software to make it appear legitimate. Examples of these names include:
  • AntiSpywarePro
  • Antivirus Plus
  • Antivirus Soft
  • Antivirus XP
  • Internet Security 2010
  • Malware Defense
  • Security Central
  • Security Tool
  • Winweb Security
  • XP Antivirus
To illustrate the rapid growth in popularity of fake anti-virus among malware authors, the graph below shows the number of known versions of two families of this malware, known to Sophos as Mal/FakeAV and Mal/FakeAle. During 2009 the number of know versions of these families grew from 350 to over 450,000, more than a thousandfold.

Prevention, detection and remediation

The best protection is provided by a comprehensive defense which should include:
  • up-to-date anti-malware software
  • proactive detection technology
  • a good understanding of your security solution.
Sophos Endpoint Security and Data Protection (ESDP) provides several technologies that can be used to detect and prevent fake anti-virus infections:
  • Behavioral Genotype technology - built into the malware detection engine it is used to detect many thousands of malware variants. In the example used above of detection for Mal/FakeAV and Mal/FakeAle each family is detected using a set of Behavioral Genotype detections. Each detection can identify a section of the family of between a few hundred and 200,000+ versions.
  • Host Intrusion Prevention System (HIPS) technology - this is also built into Sophos's endpoint security software. It incorporates:
    • suspicious file detection - can alert a user or administrator when previously unknown malware arrives on a PC or is run
    • suspicious behaviour detection - similarly can alert a user or administrator when previously unknown malware arrives on a PC or is run
    • buffer overflow protection - reduces the risk from browser or application vulnerabilities that malware authors use to silently install their software

The default configuration of the HIPS technologies is 'Alert only' meaning that it will notify the user or administrator but will not block any malicious actions.
After tuning the HIPS technology to your environment, you can disable the ‘Alert only’ setting. This will allow HIPS to provide additional protection against fake anti-virus and many other threats.

Further information regarding deploying and using the HIPS technologies in Sophos ESDP can be found in the following knowledgebase articles:

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent