FakeAV (Fake AntiVirus)

Posted: December 24, 2023
from Cybersecurity Glossary
Fake antivirus, rogue antivirus, rogue
Windows , MacOS
MSIL/FakeAV, Win32/FakeRean, Win32/Winwebsec (System Progressive Protection), Windows Stability Center, Mac Defender, Mac Protector, Mac Security, Mac Guard, Mac Shield, FakeMacDef, Win32/Defru, Win32/OneScan, Win32/FakeXPA, Win32/FakePAV, JS/FakeAlert, Win32/FakeCog, Win32/FakeScanti, Win32/FakeVimes, Win32/Vakcune, Win32/SpySheriff, Win32/Renos, Win32/FakeSecSen
Extortion Of Money, Data Theft, Opening Backdoors For Other Malware (Like Ransomware), Compromised System Functions
Risk Level:

FakeAV employs various tactics to manipulate users into taking action, such as displaying fictitious threats or discreetly disrupting system functions (e.g., disabling the Task Manager). Users may be prompted to install additional software or pay for the complete removal of fabricated infections.

Possible symptoms

  • Unsolicited and persistent pop-up alerts claiming the presence of malware or viruses
  • Degraded system performance, such as slow response times and increased CPU usage
  • Unauthorized changes to browser settings, homepage, or default search engine
  • Inability to access or open certain applications or system utilities
  • Frequent system crashes or freezes
  • Unexpected redirection of web traffic to malicious or fake websites
  • Unexplained depletion of system resources and increased network activity
  • Disabled or limited functionality of legitimate antivirus or security software
  • Constant prompts to purchase or upgrade fake antivirus products

Sources of the infection

  • Malicious websites hosting fake antivirus downloads or enticing users to click on deceptive links
  • Email attachments and links leading to malicious websites or disguised malware payloads
  • Exploitation of software vulnerabilities through drive-by downloads or malicious ads
  • Compromised software installers or updates from unofficial or unauthorized sources
  • Social engineering tactics, such as fraudulent tech support calls or phishing emails
  • Malvertising campaigns that inject fake antivirus downloads into legitimate ad networks
  • Peer-to-peer file-sharing networks distributing infected files and executables
  • Compromised external devices, such as USB drives or external hard disks
  • Exploitation of unpatched system vulnerabilities and outdated software


FakeAV, also known as Fake AntiVirus, encompasses a diverse category of malicious software, often referred to as rogue antivirus or rogue. Operating as a Trojan, its damage potential spans extortion of money, data theft, opening backdoors for other malware (such as ransomware), and compromised system functions.

FakeAV employs a variety of tactics to deceive users, including displaying fictitious threats and discreetly disrupting system functions, such as disabling the Task Manager. Users may be prompted to install additional software or pay for the complete removal of fabricated infections.

Common symptoms of FakeAV infections include unsolicited and persistent pop-up alerts, degraded system performance, unauthorized changes to browser settings, and the inability to access certain applications or system utilities. Additionally, users may experience frequent system crashes, unexpected redirection of web traffic to malicious websites, and unexplained depletion of system resources.

Various variants of FakeAV exist, such as MSIL/FakeAV, Win32/FakeRean, and Mac Defender, each posing unique threats and challenges. The infection can be contracted through malicious websites, email attachments, drive-by downloads, and social engineering tactics.

If you suspect your system is infected with FakeAV, take immediate steps to disconnect from the network, run a Gridinsoft Anti-Malware, manually remove suspicious programs, update your operating system and software, and change passwords for critical accounts.

Preventing FakeAV infections involves keeping your operating system and software up-to-date, using a Gridinsoft Anti-Malware with real-time scanning, avoiding suspicious links, enabling automatic updates for your antivirus software, and implementing network firewalls to monitor and control traffic.

🤔 What to do?

If you suspect your system is infected with FakeAV, take the following steps:

  1. Disconnect from the network to prevent further data theft or compromise.
  2. Run a Gridinsoft Anti-Malware to scan and remove the FakeAV infection.
  3. Manually remove any suspicious programs or files associated with FakeAV.
  4. Update your operating system and all installed software to patch vulnerabilities.
  5. Change passwords for critical accounts.

🛡️ Prevention

To prevent FakeAV infections, follow these technical measures:

  1. Keep your operating system and all software up-to-date with the latest security patches.
  2. Use a Gridinsoft Anti-Malware with real-time scanning capabilities.
  3. Avoid clicking on suspicious links or downloading files from untrusted sources.
  4. Enable automatic updates for your antivirus software.
  5. Implement network firewalls to monitor and control incoming and outgoing traffic.

Gridinsoft Anti-Malware

Cure your PC from any kind of malware

GridinSoft Anti-Malware will help you to protect your computer from spyware, trojans, backdoors, rootkits. It cleans your system from annoying advertisement modules and other malicious stuff developed by hackers.

Gridinsoft Anti-Malware