Fake antivirus competition - is there a winner?

Today, whilst testing new malware and fake antivirus samples, a 'great' idea occurred to me. Remember that trick when you hit CTRL+A and ENTER on your friend's computer? All programs, files, shortcuts, and everything else on the desktop are executed simultaneously. When this occurs, the only way to return the system to normal is to restart the computer.

The Idea - What if we do the same with many fake antivirus programs?

This was blowing my mind all day, so I finally decided to take the challenge and do the test. I prepared my old Intel P4 computer with 512 MB of RAM, restored it with a fresh install, and checked that it was in perfect working order.

Meet the participants - Fake antiviruses

After spending some time searching for various fake antivirus samples, I selected 14 participants. These were fake antivirus programs that attempt to scare users into buying full versions by displaying bogus warnings and errors. Some were old versions, some more recent. Before starting the test, I scanned all samples with AVG Antivirus Free Edition. One fake antivirus was not detected by AVG, despite ensuring AVG was running with the latest updates.

The participants are as follows:

  • Internet Security
  • Internet Security 2012
  • System check
  • System Fix
  • Security Sphere 2012
  • Windows Diagnostic
  • XP Antivirus 2012 and other variants of this multi-named threat
  • Windows Attacks Preventor
  • Security Shield
  • Smart Protection 2012 and some other variants of this fake av family
  • Security Monitor 2012

fakeavtest_1 fakeavtest_2 fakeavtest_3

Ready! Set! GO!

When everything was set up, I selected all files and pressed ENTER. Before doing this I opened the Task Manager. You can see that the CPU usage is almost at zero percent.


When the fake antivirus samples were executed, Task Manager was closed immediately, leaving no possibility to monitor CPU and memory load fluctuations. The hard drive noise was terrible and the mouse cursor was virtually impossible to move; not surprising, then, that the CPU load average was near 100 percent.


After about a minute, the first error appeared: "Unable to open script file". Fake antivirus samples started to disappear one by one.


After another few minutes, an Internet Security malware window appeared, but disappeared soon after. In addition, the 'Internet Security' icon appeared on the desktop and a system tray icon of the same name reporting that some other fake antivirus sample could not be executed, since it was infected. Perhaps the first time this rogue program reported the truth!

Another rather weird observation was that within the fake antivirus folder, a new '.exe' file appeared with the name 'filesystemscan.exe'. At this point, just eight fake antivirus samples remained from the fourteen at the outset of the test. A new executable file was created by one of these fake programs.

fakeavtest_7 fakeavtest_8 fakeavtest_9 fakeavtest_10

After approximately 5 minutes, the situation was relatively stable.  Although the hard drive sound remained terrible, the mouse moved and I was able to work with computer.  It was, however, VERY slow. After clicking the Internet Security icon, Windows reported that the shortcut was broken and the file isecurity.exe was missing. I managed to run the Task Manager, surprised that it was not disabled by the running malware processes. The CPU load was continually spiking from 10% to 100%.

fakeavtest_11 fakeavtest_12

My test was about to reach a disappointing conclusion. None of the fake antiviruses appeared and none of them attempted to scan my computer for errors. Undeterred, I decided to repeat the test with the remaining samples within my fake antivirus folder and with the newly-created one. When all files were selected and ENTER pressed, Task Manager displayed a permanent CPU load of 100% and after approximately 30 seconds, a blue screen of death appeared. My computer restarted itself.. :(

fakeavtest_13 fakeavtest_14

And finally.. the winner is.... Security Sphere 2012!

When my old PC was trying to boot Windows again, I wondered why none of the fake antiviruses had appeared. When I heard the Windows start-up sound and observed that my desktop background had been changed to a solid blue color, I realized there was hope. Despite my reservations, we would have a winner of the Fake Antivirus Competition! And sure enough, Security Sphere 2012 appeared - scanning my PC and displaying fake errors. Finally, the test was a success and I can confirm that the most scary and 'best' fake antivirus program is... Security Sphere 2012!

fakeavtest_16 fakeavtest_17

Henry Price

Thanks for this helpful information. I am now fully aware of these fake AV. Do not just download on the net. You may not be aware of its source and origin. Its important to purchase a genuine and license copy on your trusted computer shop. I made a purchase of ESET Antivirus days ago. And now I dont have to worry about anything.

About the author:

Tomas Meskauskas

I am passionate about computer security and technology. I have an experience of 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an editor for pcrisk.com since 2010. Follow me on Twitter to stay informed about the latest tech news or online security threats. Contact Tomas Meskauskas.

Our guides are free. However, if you want to support us you can send us a donation.