How to troubleshoot FakeAV if it is not detected
Created: 13 Apr 2011 | Updated: 05 Jul 2011 | 9 comments
FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.
Typical symptoms:
- Cannot open SEP or any other program.
- System utilities such as cmd, Taskmgr and Regedit are disabled.
- Pop-ups from a rogue antivirus program stating that there are viruses on the machine and that it is infected.
1. Boot the computer in Safe Mode.
2. Browse to C:\Documents and Settings\%userprofile%\Local Settings\Application Data\
3. Look for a folder, a .bat file or an .exe with a random name such as VRQWSDJFGK.
4. This folder contains the FakeAV file.
5. If you don't find the folder in the location above, look for it in C:\Documents and Settings\All Users\Application Data
6. Once the folder and file have been found, submit the file to Symantec Security Response using the appropriate entitlement.
7. Once the file has been submitted successfully, it can be deleted.
8. Boot the computer in Normal Mode.
9. If you cannot access the Internet, correct the proxy settings in Tools > Internet Options > Connections > LAN Settings. Most of the time the FakeAV changes the setting to 'Automatically detect settings'. If there is no proxy server, you may uncheck this setting.
NOTE: It is not recommended to delete the threat file manually, as it may result in user profile corruption.
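The manual search in steps 2 to 5 and the proxy check in step 9, as an added read-only PowerShell triage script; it is not part of the original article and not a Symantec tool. The random-name pattern (8 to 14 letters), the 14-day creation window and the Vista/7 path equivalents are my assumptions; it deletes nothing, so the NOTE above still applies to whatever you do with its output.

```powershell
# Added triage script (not from the original article). Read-only: lists
# candidate FakeAV artifacts in the profile locations the article names and
# reports the WinINet proxy/auto-detect state. It deletes nothing.
# Assumptions: PowerShell 2.0+ on Windows; the 8-14 letter name heuristic is
# an approximation of random names like VRQWSDJFGK.
param([int]$Days = 14)

$paths = @(
    $env:LOCALAPPDATA,                                                # Vista/7: %userprofile%\AppData\Local
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),   # XP layout from the article
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),              # XP: All Users\Application Data
    $env:ProgramData                                                  # Vista/7 equivalent of the above
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$cutoff = (Get-Date).AddDays(-$Days)
$sha256 = [System.Security.Cryptography.SHA256]::Create()

"== Candidate artifacts (created within $Days days, random-looking name) =="
foreach ($p in $paths) {
    Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -match '^[A-Za-z]{8,14}(\.exe|\.bat)?$' -and $_.CreationTime -gt $cutoff } |
      ForEach-Object {
        $hash = '(folder)'
        if (-not $_.PSIsContainer) {
            # SHA-256 of the file, for the submission record and later IoC matching
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try { $hash = [BitConverter]::ToString($sha256.ComputeHash($fs)).Replace('-', '') }
            finally { $fs.Close() }
        }
        '{0}  {1}  {2}' -f $_.CreationTime.ToString('s'), $_.FullName, $hash
      }
}

"`n== WinINet proxy state (HKCU) =="
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$v = Get-ItemProperty -Path $is -ErrorAction SilentlyContinue
'ProxyEnable   : {0}' -f $v.ProxyEnable
'ProxyServer   : {0}' -f $v.ProxyServer
'AutoConfigURL : {0}' -f $v.AutoConfigURL
# Byte 8 of DefaultConnectionSettings is a flag set: 0x02 manual proxy,
# 0x04 PAC script, 0x08 "Automatically detect settings" (the box step 9 refers to).
$dcs = (Get-ItemProperty -Path "$is\Connections" -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($dcs -and $dcs.Length -gt 8) {
    $flags = $dcs[8]
    'AutoDetect    : {0}' -f (($flags -band 0x08) -ne 0)
    'ManualProxy   : {0}' -f (($flags -band 0x02) -ne 0)
    'PAC script    : {0}' -f (($flags -band 0x04) -ne 0)
}
```

Run it from Safe Mode as the affected user so that the HKCU proxy values belong to the profile that shows the symptoms.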
In many cases we found that the issue is resolved if the user profile is deleted and a new user profile is created. This is because these programs are Trojans and mostly get installed in the user's profile (in the folders the user has access to).
So, if there are a couple of users on the same computer, you may see these programs when the infected user logs in to their profile, but not when you switch to another, non-infected profile.
However, this is not necessarily the case every time; it is a sample based on some infections.
So, if you are unable to find the suspicious threat file, you may consider working through the article below:
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
A common question always arises: does Symantec Endpoint Protection protect me from fake antivirus programs?
Yes. Check the article below:
Symantec and FakeAV (technical write-ups)
Also, if you use Symantec Endpoint Protection Manager to manage SEP clients, you might consider going through the articles below.
1) Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
2) Best practices regarding Intrusion Prevention System technology
3) Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x
Now, about the best tool you can use in situations like this:
Symantec Power Eraser
Symantec Power Eraser is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
- New variants of existing threats for which there is no coverage by the current definition sets
- Fake antivirus applications, and other rogueware
- System settings that have been tampered with maliciously
Check this Article:
About Symantec Power Eraser
Some good articles with excellent information and valuable links to podcasts, blog posts, videos and other resources on the topic:
Symantec Report on Rogue Security Software - released in October 2009
An article on Misleading Applications