SEP might not detect Fake AV if it does not have definitions for a new variant or if the definitions are out of date.
Fake AVs are very annoying and scary. The Fake AV might display a warning saying that system files are infected and that you need to buy the "anti-virus" to clean the computer. There is nothing to worry about: it is just an animation to scare and persuade the user into buying the fake anti-virus. Typical behaviour of a Fake AV:
1. Disables system tools like Task Manager and regedit, and disables the anti-virus program.
2. Disables applications. It closes an application whenever the user tries to launch one.
3. It might also change the browser proxy settings.
4. It might change the .exe (executable or application) file association.
5. It might infect only the current user profile; another user on the same machine might be able to use the machine normally.
6. Symptoms vary from one variant to another.
7. A typical Fake AV pop-up looks like the one shown in the picture below.
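The behaviours in items 1, 3 and 4 above leave traces in well-known registry locations, so they can be checked without touching the machine's state. The following PowerShell function is an added example (not from the original article) that reads those locations: the Explorer/System policy values that disable Task Manager and regedit, the default open command for .exe files, and the WinINet proxy values that Internet Explorer shows under Tools > Internet Options > Connections > LAN Settings. It only reads; it changes nothing.

```powershell
# Added example, not part of the original article. Read-only check for the
# Fake AV symptoms listed above. Run from an elevated PowerShell prompt.

function Test-FakeAvSymptoms {
    $findings = @()

    # Item 1: Task Manager / Registry Editor disabled through policy values.
    # A non-zero DisableTaskMgr or DisableRegistryTools blocks the tool for the user.
    $policyChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';        Label = 'Task Manager disabled (HKCU policy)' },
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';        Label = 'Task Manager disabled (HKLM policy)' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Label = 'Registry Editor disabled (HKCU policy)' },
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Label = 'Registry Editor disabled (HKLM policy)' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -ne 0) { $findings += $c.Label }
    }

    # Item 4: .exe file association. The stock default command is  "%1" %*
    # (run the file itself with its arguments). HKEY_CLASSES_ROOT is the merged
    # view of HKLM\Software\Classes and the per-user HKCU\Software\Classes, so a
    # per-user hijack is visible here as well.
    $exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $exeCmd = (Get-ItemProperty -Path $exeKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if (-not $exeCmd) {
        $findings += 'exefile open command is missing'
    } elseif ($exeCmd -notmatch '^"%1"\s*%\*$') {
        $findings += "exefile open command changed to: $exeCmd"
    }

    # Item 3: browser proxy settings (WinINet values used by Internet Explorer).
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1) { $findings += "Proxy server enabled: $($inet.ProxyServer)" }
    if ($inet -and $inet.AutoConfigURL)    { $findings += "Automatic configuration script set: $($inet.AutoConfigURL)" }

    return $findings
}

$result = Test-FakeAvSymptoms
if ($result.Count -eq 0) { 'No Fake AV symptoms found in the checked locations.' } else { $result }
```

A proxy or automatic configuration script is only a finding if the machine is not supposed to use one; compare the reported values against what your network actually requires before treating them as evidence of infection.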
The first step to fix the issue is: do not panic. Then follow the steps below.
1. Boot the computer in ‘Safe Mode with Networking’ using the same account. If the computer cannot be started in safe mode, log in as another user. However, if the Fake AV affects all user profiles on the computer, it is recommended to boot in safe mode.
2. To find the location of the Fake AV file, click Start > Run, type msconfig and click OK.
3. The System Configuration Utility opens as shown in the picture below.
4. Look for suspicious entries, especially ones that point into a user profile.
5. The Fake AV is usually found in the user profile folder. In this case TrungND is the user profile.
6. The Fake AV executable should be in the folder specified there.
7. Open Internet Explorer or another web browser. If you cannot connect to the Internet, the virus may have changed the proxy settings. For Internet Explorer, go to Tools > Internet Options > Connections > LAN Settings.
8. Correct the proxy settings. If you do not use a proxy server, uncheck all the check boxes and click OK to save the settings.
9. Check whether you can access the Internet.
10. Submit the file to Symantec Security Response using the URL below:
https://submit.symantec.com/websubmit/gold.cgi
11. You will need a contact ID to submit the file. If you are not sure what it is, contact customer care.
12. Delete the file from that location and uncheck the Fake AV entry in the System Configuration Utility.
13. Boot the computer in normal mode using the same user profile.
14. The issue should be fixed.
15. You might also want to take a look at the articles below.
“How to block known virus executables that run from %UserProfile% using Application and Device Control”
https://www-secure.symantec.com/connect/articles/how-block-known-virus-executeables-using-application-and-device-control-running-userprofile
"Does Symantec Endpoint Protection protect me from fake anti-virus programs?"
http://www.symantec.com/business/support/index?page=content&id=TECH122898&actp=search&viewlocale=en_US&searchid=1291074160545
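Steps 2 to 6 above locate the Fake AV through the Startup tab of msconfig. The same entries can be enumerated from the registry Run/RunOnce keys and the Startup folders, which is useful when the sample has disabled msconfig along with the other system tools. The following PowerShell function is an added example (not from the original article) that lists those entries and flags each one whose command resolves into a user profile directory, the location the article says the Fake AV is usually found in. The user name is taken from the current session rather than hard-coded; TrungND in the article is just the profile on the pictured machine. The function reads only; deleting the file and removing the entry (step 12) remain manual steps after you have confirmed the file is malicious.

```powershell
# Added example, not part of the original article. Lists the startup entries
# that msconfig's Startup tab shows (Run/RunOnce keys and Startup folders) and
# flags entries launched from a user profile. Read-only.

function Get-StartupEntriesFromProfile {
    # Root that contains all user profiles, e.g. C:\Users or C:\Documents and Settings,
    # derived from the current user's own profile path.
    $profileRoot = [regex]::Escape((Split-Path $env:USERPROFILE -Parent))
    # Environment variables a startup command may use instead of a literal profile path.
    $profileVars = '(?i)%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%'

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties the registry provider adds to every item; they are not startup entries.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    $entries = @()
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # Per-user and all-users Startup folders.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if ($folder -and (Test-Path $folder)) {
            foreach ($f in Get-ChildItem -Path $folder -File) {
                $entries += [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $f.FullName }
            }
        }
    }

    # Flag anything whose command lives under a profile directory or uses a profile variable.
    return $entries | Select-Object Source, Name, Command,
        @{ Name = 'InUserProfile'; Expression = { ($_.Command -match "(?i)$profileRoot\\") -or ($_.Command -match $profileVars) } }
}

Get-StartupEntriesFromProfile | Sort-Object InUserProfile -Descending | Format-Table -AutoSize
```

Flagged entries are candidates, not verdicts: legitimate per-user software also starts from %APPDATA% or %LOCALAPPDATA%, so compare the flagged path with the one shown in msconfig and submit the file as described in step 10 before deleting anything.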