How to troubleshoot FakeAV if it is not detected
Article: TECH157781 | Created: 2011-04-11 | Updated: 2013-01-14 | Article URL: http://www.symantec.com/docs/TECH157781
A computer infected with FakeAV typically shows the following symptoms:
- You cannot open Symantec Endpoint Protection (SEP) or any other program.
- System utilities such as Cmd, Taskmgr, and Regedit are disabled.
- Pop-ups appear from what looks like an antivirus program other than the one you know is installed, stating that the computer is infected with viruses. Newer variants may also claim massive file fragmentation and/or imminent disk failure.
Users may be directed to malicious sites by way of the following methods:
- Spam emails that contain links or attachments
- Blogs and forums that are spammed with links to adult videos
- User-generated content spam, such as fake videos
- Malicious banner advertisements
- Sites advertising pornography or pirated software
- Search Engine Optimization (SEO) poisoning
- Fake torrent files or files on file sharing networks
- Web pages containing exploits
FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased. It is also referred to as "rogue antivirus".
To locate the FakeAV file and submit it to Symantec Security Response:
- Boot the computer in Safe Mode.
- Browse to the affected user's local application data folder: C:\Documents and Settings\<username>\Local Settings\Application Data\ on Windows XP (%LOCALAPPDATA% on Windows Vista and later).
- Look for a folder, a .bat file or an .exe with a random name such as VRQWSDJFGK. The randomly named folder contains the FakeAV file.
- If you do not find it there, look in the all-users application data folder: C:\Documents and Settings\All Users\Application Data on Windows XP (%PROGRAMDATA% on Windows Vista and later).
- Once the folder and file are located, submit the file to Symantec Security Response using the appropriate entitlement.
- After the file has been submitted successfully, it may be removed. Deleting the threat file manually is not recommended, however, because it can corrupt the user profile; prefer to let Symantec Endpoint Protection or Symantec Power Eraser remove it.
- Boot the computer in normal mode.
- If you cannot access the Internet, correct the proxy settings in Internet Explorer under Tools > Internet Options > Connections > LAN Settings. Most of the time FakeAV changes the setting to 'Automatically detect settings'; if there is no proxy server on your network, you may clear this option.
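The steps above can be scripted for triage. The following PowerShell script is an added example, not code from the Symantec article or from any Symantec tool: run from an elevated PowerShell 3.0 or later prompt in Safe Mode, it lists randomly named executables and batch files in the folders the article names, shows the Internet Explorer proxy values that FakeAV tends to change, and reports the registry policies that disable Task Manager, Regedit and Cmd. The folder list, the vowel-count heuristic for "random" names and the decoding of the connection-settings flag byte are this script's own assumptions. It changes nothing on disk; with -Repair it clears only the tool-disabling policy values, never the suspect files, which should go to Security Response first.

```powershell
<#
  Added example (not from the Symantec article): read-only FakeAV triage.
  Run from an elevated PowerShell 3.0+ prompt in Safe Mode.
  Assumptions: folder list, random-name heuristic and flag-byte decoding are mine.
#>
param([switch]$Repair)

# Folders the article names, resolved for Windows XP and for Vista/7 layouts.
$candidateDirs = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),  # XP, per-user
    $env:LOCALAPPDATA,                                              # Vista+, per-user
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),            # XP, all users
    $env:ProgramData                                                # Vista+, all users
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Heuristic: a "random" name like VRQWSDJFGK is 6+ alphanumerics with almost no vowels.
function Test-RandomName {
    param([string]$Name)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 6 -or $base -notmatch '^[A-Za-z0-9]+$') { return $false }
    $vowels = [regex]::Matches($base, '[aeiou]', 'IgnoreCase').Count
    return ($vowels / $base.Length) -lt 0.2
}

# Executables and batch files at the top of each folder or one level down,
# where the article says the rogue's randomly named folder or file sits.
$suspects = foreach ($dir in $candidateDirs) {
    $files = @(Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue)
    $files += Get-ChildItem -LiteralPath $dir -Force -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Force -File -ErrorAction SilentlyContinue }
    $files |
        Where-Object { $_.Extension -in '.exe', '.bat', '.dll', '.scr' } |
        Where-Object { (Test-RandomName $_.Name) -or (Test-RandomName $_.Directory.Name) } |
        Select-Object FullName, Length, LastWriteTime
}
"== Candidate files to submit to Security Response (do not delete them by hand) =="
$suspects | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize | Out-String

# Proxy values behind Tools > Internet Options > Connections > LAN Settings.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"== Internet Explorer proxy settings =="
Get-ItemProperty -LiteralPath $inet | Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List | Out-String
# 'Automatically detect settings' is stored in a binary blob; byte 8 holds the flags
# (assumed layout: 0x01 direct, 0x02 manual proxy, 0x04 auto-config script, 0x08 auto-detect).
$conn = Get-ItemProperty -LiteralPath "$inet\Connections" -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings) {
    $flags = $conn.DefaultConnectionSettings[8]
    "AutoDetect={0} ManualProxy={1} AutoConfigScript={2}" -f `
        (($flags -band 8) -ne 0), (($flags -band 2) -ne 0), (($flags -band 4) -ne 0)
}

# Policy values a rogue sets to lock the user out of Task Manager, Regedit and Cmd.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)
"== Tool-disabling policies =="
foreach ($p in $policies) {
    $item  = Get-ItemProperty -LiteralPath $p.Path -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($p.Name) } else { $null }
    if ($value) {
        "{0}\{1} = {2}" -f $p.Path, $p.Name, $value
        if ($Repair) {
            Remove-ItemProperty -LiteralPath $p.Path -Name $p.Name   # re-enables the tool
            "  removed"
        }
    }
}
```

The script only looks one folder level deep on purpose: a full recursion of %LOCALAPPDATA% pulls in browser caches and hides the one randomly named folder the article describes. Treat the candidate list as input to the submission step, not as a verdict; a legitimate installer can also use an odd-looking name, which is why nothing in the list is touched.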
If you are unable to find the suspicious file(s), use Symantec Power Eraser. It is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
- New variants of existing threats for which there is no coverage by the current definition sets
- Fake antivirus applications, and other rogueware
- System settings that have been tampered with maliciously
Please see the following Knowledge Base articles for additional information:
- About Symantec Power Eraser
- Using Symantec Support Tool, how to collect the suspicious files and submit them to Symantec Security Response
- Does Symantec Endpoint Protection protect me from fake anti-virus programs?
If you use the Symantec Endpoint Protection Manager to manage SEP clients, consider the following articles:
- Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
- Best practices regarding Intrusion Prevention System technology
- Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in SEP 11.x
The following additional articles contain useful information and links to podcasts, blog posts, videos and other resources on the topic:
- Symantec Report on Rogue Security Software - Released in October 2009
- An article on Misleading Applications