Hackers forcing ‘legitimate’ anti-virus uninstall
Cyber criminals are using social engineering in their attempts to get users to uninstall legitimate anti-virus software.


A social engineering technique is being used to dupe users into uninstalling their anti-virus products, including those by big-time vendors such as Microsoft and AVG.
Hackers have leveraged AnVi Antivirus, a clone of the prevalent rogue CoreGuard Antivirus product, Symantec noted.
In the past, such rogue anti-virus products have included a retro virus, which seeks to remove anti-virus products entirely, but this attack differs.
The AnVi Antivirus fake product gets the user to access the legitimate anti-virus uninstaller and forces the user to remove the vendor software from the computer.
Symantec even found the fake anti-virus product attempting to get the user to uninstall some of its own software.
"A warning is displayed that the Symantec anti-virus software is 'uncertified' and will hamper the system's performance," the firm explained in a blog post.
"The user is left with no other option than clicking OK, which initiates the uninstall process. Even if the user clicks the 'close' button, the uninstaller of the anti-virus product still executes."
Symantec researchers also discovered that the scheme tries to download rogue anti-virus software by connecting to malicious websites.
The Bieber effect
Combining fake anti-virus and social engineering has been a popular method among cyber criminal gangs.
Yesterday, PandaLabs said it had found more than 200 spoof web addresses using the lure of teenage pop singer Justin Bieber to spread rogue software called MySecurityEngine.
"These types of activities have become increasingly common," warned Luis Corrons, technical director of PandaLabs.
"By positioning websites used to distribute malware among the first results in search engines, they can be sure that numerous internet users will inadvertently download the fake anti-virus."
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.