How To Spot Fake AV Malware

So you’re surfing the internet, minding your own business, and suddenly a message pops up that warns “you’re infected”. Is it true? Sometimes. Unfortunately, these days fake AV software looks more real than ever.

Here’s a good example of some fake AV that looks fairly convincing:


At first glance, a lot of people see this and believe they’re actually infected.

To make matters worse, even if you don’t click on the “Erase infected” button, after a few moments another window pops up:


Sadly, many users click “Yes, protect my PC now” and then it’s too late.

How Can You Tell It’s Fake?

Other than the obvious (knowing the name of the REAL antivirus software you have installed and knowing what it looks like), there are numerous ways to spot the fake AV…

Browser version:
(This machine has IE8, Fake AV says IE7)
Wrong browser version reported 

Number of drives / letters:
(This machine doesn’t have a D: drive)
Reporting infections on drives that don't exist.

Incorrect navigation bars:
(Fake AV displays a modified Vista navigation bar on a Windows 7 machine)

(Screenshots: Fake AV menu; Real Windows Vista menu; Real Windows 7 menu)

Typos or incorrect punctuation:
(Apostrophes pointed the wrong way)

Typos in dialog boxes are a clue that the software isn't legit. 

Virus warnings that are displayed in a web page:

Web page pretending to be virus warnings


Train your users by showing them what the REAL AV software looks like, and show them examples of what the fake software looks like.

The best way to show the real software in action is to trigger an actual virus alert. Then you can screenshot your current AV software. But instead of using a real virus to trip the alert, you can use the EICAR test file.

The EICAR test file is a harmless file that AV scanners detect by design; it is available in several different file formats:
EICAR virus test file

Here’s what it looks like inside the file:
Inside the EICAR file

You can use the EICAR file to generate end-user documentation on what your real AV software screens look like.
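To produce the EICAR test file locally for the screenshots described above, here is an added Python example (not from the original post). The three output filenames and the directory name are my own choices; the 68-byte string and the trailing-whitespace/128-byte rule follow the published EICAR specification.

```python
"""Generate EICAR test files so a real AV alert can be triggered and documented."""
import zipfile
from pathlib import Path
from typing import List

# The standard 68-byte EICAR string, split in two so this source file itself
# does not carry the contiguous signature (only the files deliberately written do).
_EICAR_PARTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_string() -> str:
    """Return the exact 68-character EICAR test string."""
    return "".join(_EICAR_PARTS)


def is_valid_eicar(data: bytes) -> bool:
    """Check bytes against the EICAR rules: the 68-byte string must come first,
    only whitespace may follow it, and the whole file must be at most 128 bytes."""
    sig = eicar_string().encode("ascii")
    if len(data) > 128 or not data.startswith(sig):
        return False
    return data[len(sig):].strip(b" \t\r\n") == b""


def write_eicar_files(directory: Path) -> List[Path]:
    """Write the three common distribution formats (names chosen for this example):
    a raw .com file, the same bytes with a .txt extension, and a zip containing it."""
    directory.mkdir(parents=True, exist_ok=True)
    body = eicar_string().encode("ascii")
    assert is_valid_eicar(body)  # sanity check before writing anything
    plain = directory / "eicar.com"
    plain.write_bytes(body)
    txt = directory / "eicar.com.txt"
    txt.write_bytes(body)
    zipped = directory / "eicar_com.zip"
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("eicar.com", body)
    return [plain, txt, zipped]


if __name__ == "__main__":
    import sys
    out = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("eicar_test")
    for p in write_eicar_files(out):
        print(p)
```

A real-time scanner will normally quarantine the files the moment they are written, which is exactly the screenshot you want for the user documentation.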

Example: Microsoft Security Essentials

1) Initial “infection” (triggered by clicking on the file)

Microsoft Security Essentials - Virus found

2) After clicking Show details

Microsoft Security Essentials - Show Details

3) After clicking Clean computer

Microsoft Security Essentials - Virus removed

You can create a one-sheet “Virus Response Document” to print out and give to your users and include your phone number on the bottom. A little education up front can save lots of lost time and expense cleaning up after an infection or fake AV software removal battle.

October 2010