Wednesday, March 18, 2009

How to Recognize a Fake Virus Alert Message

The various mutations of the Antivirus XP 2008/2009/360 viruses out there try to infect you by showing scary warnings that claim your computer is infected with viruses.  A typical version looks like this:

 AV360 alert -- fake

Note these things:

  • It "detects" multiple infections.  It's unusual for a real alert to find more than one at a time.
  • The "online scanner" pops up in a second or so. It takes time to scan your computer -- ten minutes or more.  Anything that finds multiple viruses on your computer in only a couple of seconds is lying to you.
  • If you're using a web-based scanner, you must install software before it scans. If you haven't done this, it won't detect any viruses.  So if you haven't deliberately downloaded the software first, no scan will work.
  • A legitimate web-based scanner like Housecall only installs from a single site named for the scanner.  It does not show up if you don't deliberately go to it. The fake alert here will display when you're not going to a scanner website.

It's instructive to compare this alert with those of legitimate antivirus software.  Here are a few:

McAfee

McAfee alert

Note this tells you that the file has been deleted or cleaned (click on the image and see the state).  It does not require any further action.

Symantec

(This may be an old image).

Symantec alert

This, too, doesn't require further action.  The virus is neutralized.

AVG

AVG Alert

AVG does give you options. "Heal" is usually the best. Note, though, that there's a single popup, and that it doesn't "strongly recommend" that you remove anything.

Avast!

Avast alert

One nice thing about Avast! -- its warning says "There is no reason to panic."  This is quite the opposite of AV360, which wants you to panic. There are several options, and a suggestion for a recommended action.

Checking for yourself

If you're using a different antivirus, or want a better idea of what the warning looks like on your computer, download the EICAR Test File. Most antivirus software will detect it as a virus (it is a harmless file used for testing antivirus).  When you download it, you should get a virus warning.  This will show that your antivirus is working, and it gives you a chance to see a legitimate warning so you won't be fooled by the fakes.