"fake AV" are in the definitions, however, they literally change daily, if not more-so, as I've discovered.
In fact, new domains are registered daily! Each is equipped with new threats every day. These folks don't hide their registrations, so they aren't too hard to find and each of the "email addresses" seems to have dozens of domains registered to it.
I use application control.......... I posted a policy in my article here that handles it. You have to create a white-list of good apps you want to allow, but so far, it's working fairly well here.
The issue is that these phony AV apps are INVITED in, or scripted, OR launched in FLASH ads.
Then they put their files under the user profile area where the user, even a lowly ordinary user, has "god rights".
So they install or download freely!
Gee, even Google Chrome will do that, so that's how we blocked it as well as a number of those really nasty toolbars like the ALOT toolbars, rogue browser helpers (BHOs) and other stuff we don't want.
I attached an example DAT file to my article, but it needs a lot of tweaking and cleaning up, and you'll need to exclude JAVA apps you like, webinar software and so on.