Fake Antivirus Software Competition - Is There a Winner?

Today, while testing new malware and fake antivirus samples, a great idea occurred to me. Remember that trick when you hit CTRL+A and ENTER on your friend's computer? All programs, files, shortcuts, and everything else on the desktop are executed simultaneously. When this occurs, the only way to return the system to normal is to restart the computer.

The Idea - What if we do the same with many fake antivirus programs?

This was blowing my mind all day, so I finally decided to take the challenge and do the test. I prepared my old Intel P4 computer with 512 MB of RAM, restored it with a fresh install, and checked if it was in perfect working order.

Meet the participants - Fake antivirus programs

After spending some time searching for various fake antivirus samples, I selected 14 participants. These were fake antivirus programs that scare users into buying full versions by displaying bogus warnings and errors. Some were old versions, some more recent.

Before starting the test, I scanned all samples with AVG Antivirus Free Edition. One fake antivirus was not detected by AVG, despite ensuring AVG was running with the latest updates.


The following participants are:

  • Internet Security
  • Internet Security 2012
  • System check
  • System Fix
  • Security Sphere 2012
  • Windows Diagnostic
  • XP Antivirus 2012 and other variants of this multi-named threat
  • Windows Attacks Preventor
  • Security Shield
  • Smart Protection 2012 and some other variants of this fake AV family
  • Security Monitor 2012

fakeavtest_1 fakeavtest_2 fakeavtest_3

Ready! Set! GO!

When everything was set up, I selected all files and pressed ENTER. Before doing this, I opened the Task Manager. You can see that the CPU usage is almost at zero percent.


When the fake antivirus samples were executed, Task Manager was closed immediately, leaving no possibility to monitor CPU and memory load fluctuations. The hard drive noise was terrible, and the mouse cursor was virtually impossible to move; not surprising, then, that the CPU load average was near 100 percent.


After about a minute, the first error appeared: "Unable to open the script file." Fake antivirus samples started to disappear one by one.


After another few minutes, and an Internet Security malware window appeared but disappeared soon after. In addition, the 'Internet Security' icon appeared on the desktop and a system tray icon of the same name, reporting that some other fake antivirus sample could not be executed since it was infected. Perhaps the first time this rogue program reported the truth!

Another rather weird observation was that within the fake antivirus folder, a new '.exe' file appeared with the name 'filesystemscan.exe.' At this point, just eight fake antivirus samples remained from the fourteen at the outset of the test. A new executable file was created by one of these bogus programs.

fakeavtest_7 fakeavtest_8 fakeavtest_9 fakeavtest_10

After approximately 5 minutes, the situation was relatively stable.  Although the hard drive sound remained terrible, the mouse moved, and I could work with the computer.  It was, however, VERY slow. After clicking the Internet Security icon, Windows reported that the shortcut was broken and the file isecurity.exe was missing. I managed to run the Task Manager, surprised that it was not disabled by the running malware processes. The CPU load was continually spiking from 10% to 100%.

fakeavtest_11 fakeavtest_12

My test was about to reach a disappointing conclusion. None of the fake antiviruses appeared, and none of them attempted to scan my computer for errors. Undeterred, I decided to repeat the test with the remaining samples within my fake antivirus folder and the newly-created one. When all files were selected and ENTER pressed, Task Manager displayed a permanent CPU load of 100%, and after approximately 30 seconds, a blue screen of death appeared. My computer restarted itself...

fakeavtest_13 fakeavtest_14

And the Winner is Security Sphere 2012!

When my old PC was trying to boot Windows again, I wondered why none of the fake antiviruses had appeared. When I heard the Windows start-up sound and observed that my desktop background had been changed to a solid blue color, I realized there was hope. Despite my reservations, we would have a winner of the Fake Antivirus Competition! And sure enough, Security Sphere 2012 appeared - scanning my PC and displaying fake errors. Finally, the test was successful, and I can confirm that the scariest and 'best' phony antivirus program is... Security Sphere 2012!

fakeavtest_16 fakeavtest_17

▼ Show Discussion

About the author:

Tomas Meskauskas

I am passionate about computer security and technology. I have an experience of 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an editor for pcrisk.com since 2010. Follow me on Twitter to stay informed about the latest tech news or online security threats. Contact Tomas Meskauskas.

Our guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.