Beware of phony or misleading malware rescue web pages

A search on an unfamiliar executable file brings you to a malware rescue page that says it's bad and that you should download their software to remove it. Here's how to tell if it's real.


Scammers and adware purveyors have long used the helpful nature of the internet to get more victims. In a world where the top search engines try their best to filter out the chaff, scammers still do their best to encourage victims to install unneeded and sometimes malicious software. They often succeed by using scare tactics and misleading information. My recent experience is an example and can serve as a warning to others.

My computer was acting slow and funky, especially when using Microsoft Outlook. I rebooted it, and then I saw some previously unannounced Microsoft Office patches automatically applying. This has happened to me two or three other times before where my Microsoft Office apps locked up and ground to a halt because some patches were trying to apply themselves.

After the patches applied, I ran Microsoft’s free Process Explorer with the VirusTotal option enabled, as I always do after my computer is running slow or acting funky. This rules out malware, just in case my patch issue was a false-negative coincidence.

Process Explorer looks up the hash of every running process’s executable image in Google’s VirusTotal database and reports how many antivirus engines flag that file as malicious. Most of the things running on your computer will show something like 0/70, indicating that none of the 70 antivirus engines flagged the file. That’s great.

Unfortunately, one or two antivirus engines will almost always report legitimate, non-malicious processes as malicious. In my long experience with running Process Explorer over thousands of computers, if what is reported is 1/x or 2/x, then it is always a false-positive report. Usually the false positives are reported to these vendors, and they fix their false finding within a day or two. You only need to worry if Process Explorer reports three or more antivirus engines as finding something malicious. Most malicious programs will be found by over a dozen antivirus engines.
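As an added example that is not part of this article, Process Explorer or VirusTotal, here is a small Python triage helper that applies the rule of thumb above to a VirusTotal v3 `last_analysis_stats` object. The key names are the real API's; the sample values are constructed, and the choice to count only engines that returned a verdict in the denominator is an assumption.

```python
import hashlib

# Added example, not code from the article, Process Explorer or VirusTotal.
# It mirrors the triage described above: identify an executable by hash,
# read the detection count, and apply the 0 / 1-2 / 3+ rule of thumb.

def sha256_of_bytes(data: bytes) -> str:
    """Hash an executable image; a VirusTotal lookup is keyed on this value."""
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path: str) -> str:
    """Stream a file from disk so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def detection_ratio(stats: dict) -> tuple[int, int]:
    """Turn a VirusTotal v3 'last_analysis_stats' object into (flagged, total).

    Assumption: 'total' counts only engines that returned a verdict
    (malicious, suspicious, undetected, harmless), which is what the
    familiar "N/70"-style display reflects.
    """
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return flagged, total

def triage(stats: dict) -> str:
    """Apply the article's rule of thumb to a detection ratio."""
    flagged, total = detection_ratio(stats)
    if total == 0:
        return "unknown"                 # never scanned: no data is not a clean bill
    if flagged == 0:
        return "clean"
    if flagged <= 2:
        return "likely false positive"   # 1/x or 2/x: one or two stray engines
    return "investigate"                 # 3+ engines; real malware is usually 12+

# Constructed sample inputs shaped like the VirusTotal v3 API response.
SAMPLES = {
    "signed_utility": {"malicious": 0, "suspicious": 0, "undetected": 68, "harmless": 2},
    "stray_flag":     {"malicious": 1, "suspicious": 1, "undetected": 68, "harmless": 0},
    "grey_area":      {"malicious": 4, "suspicious": 0, "undetected": 66, "harmless": 0},
    "known_bad":      {"malicious": 55, "suspicious": 3, "undetected": 12, "harmless": 0},
}

if __name__ == "__main__":
    for name, stats in SAMPLES.items():
        flagged, total = detection_ratio(stats)
        print(f"{name:15s} {flagged}/{total:<3d} -> {triage(stats)}")
```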
