Windows Defender alert--real or phony?

The machines we love to hate

Moderator: Wiz Feinberg

Brint Hannay
Posts: 3942
Joined: 23 Dec 2005 1:01 am
Location: Maryland, USA

Windows Defender alert--real or phony?

Post by Brint Hannay »

I just encountered a very real-looking "Windows Defender Security Center" alert claiming my computer is infected with 5 viruses. It alleges that my "anti-virus software subscription has expired." I have Trend Micro Maximum Security and, checking with the main TM console, it has NOT expired.

My understanding is that activating TM automatically disables Windows Defender, and I have checked and WD says it is disabled.

What am I to make of this? I am very skeptical, to put it mildly.

I attach a screenshot of the alert screen. I have not clicked on the "Renew Now" button!
Image
Mitch Drumm
Posts: 2664
Joined: 4 Aug 1998 11:00 pm
Location: Frostbite Falls, hard by Veronica Lake

Post by Mitch Drumm »

I say it's bogus.

Grammatical errors are a common indicator of a fake.

Windows is NOT capitalized where it should be if it were legitimately from Microsoft/Windows Defender.

Likewise, exclamation points to heighten your anxiety are another reason to question it!!!!!!!!

You'd think they'd have these "warnings" proofread by a native English speaker with some sense of proper usage, but they never seem to get to that point.

I'm willing to be proven wrong here, but I've got major doubts.
Brint Hannay
Posts: 3942
Joined: 23 Dec 2005 1:01 am
Location: Maryland, USA

Post by Brint Hannay »

Me too.
note url below. "securitys-shieldso"? and all that other stuff
http://windowsappcenter.securitys-shiel ... tron.space
Mitch Drumm
Posts: 2664
Joined: 4 Aug 1998 11:00 pm
Location: Frostbite Falls, hard by Veronica Lake

Post by Mitch Drumm »

Run some other stuff to see if you can find any malware.

Malwarebytes maybe.

Malwarebytes.org

https://www.eset.com/int/home/online-scanner/
Mitch Drumm
Posts: 2664
Joined: 4 Aug 1998 11:00 pm
Location: Frostbite Falls, hard by Veronica Lake

Post by Mitch Drumm »

Brint Hannay wrote:Me too.
note url below. "securitys-shieldso"? and all that other stuff
http://windowsappcenter.securitys-shiel ... tron.space
Yeah, even more bogus looking.
Brint Hannay
Posts: 3942
Joined: 23 Dec 2005 1:01 am
Location: Maryland, USA

Post by Brint Hannay »

I'm running TM full scan right now. I have MBAM paid version also, and will run that next.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

That pop-up is for what's known as a Fake Anti-Virus Alert. It is an ad to goad the unsuspecting user into paying to remove the listed viruses. The only virus is that program that launches the pop-up alert. Malwarebytes will find and terminate it. You will need to reboot and scan again to get all of it out.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Mitch Drumm
Posts: 2664
Joined: 4 Aug 1998 11:00 pm
Location: Frostbite Falls, hard by Veronica Lake

Post by Mitch Drumm »

I wouldn't be amused that the paid version of Malwarebytes apparently did not prevent it.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Mitch Drumm wrote:I wouldn't be amused that the paid version of Malwarebytes apparently did not prevent it.
Some variants of these fake AV alerts are well disguised. In fact, there is a new trick being employed by scammers using Desktop Notifications over the System Tray to peddle crapware and fake security programs. This may even be one of those.

Desktop notifications can be disabled in your browser. It is an advanced option. You normally see a pop-up requesting permission to show these notifications. You can disallow them on a one to one basis, or all at once.

If it is just a browser pop-over alert, it is driven by JavaScript. Disabling JavaScript with the NoScript Add-on puts the kibosh on that crap. Blocking JavaScript is also an option with the uBlock Origin Add-on.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Brint Hannay
Posts: 3942
Joined: 23 Dec 2005 1:01 am
Location: Maryland, USA

Post by Brint Hannay »

Thanks, Wiz. I have rebooted and run both MBAM and Trend Micro scans, and both came up with 0 threats detected.

I looked into the settings in Firefox (my browser), and found options relating to what they call "Web Push" notifications. Is that what you're referring to as desktop notifications?
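
An added example, not part of any post in this thread: a check for which sites a Firefox profile has already been allowed to show desktop notifications, the permission discussed above. It reads the `moz_perms` table of the profile's `permissions.sqlite`; the sample rows and origins are constructed, and on a real machine it should be pointed at a copy of that file taken while Firefox is closed.

```python
import sqlite3

# Firefox keeps per-site permissions in permissions.sqlite, table moz_perms.
# "permission" column values: 1 = allow, 2 = deny.
ALLOW, DENY = 1, 2

def notification_grants(conn):
    """Return origins allowed to show desktop notifications, newest first."""
    rows = conn.execute(
        "SELECT origin FROM moz_perms "
        "WHERE type = 'desktop-notification' AND permission = ? "
        "ORDER BY modificationTime DESC",
        (ALLOW,),
    )
    return [origin for (origin,) in rows]

def open_profile_db(path):
    """Open a copy of a profile's permissions.sqlite read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def constructed_sample():
    """In-memory stand-in for permissions.sqlite; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, "
        "type TEXT, permission INTEGER, expireType INTEGER, "
        "expireTime INTEGER, modificationTime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO moz_perms (origin, type, permission, expireType, "
        "expireTime, modificationTime) VALUES (?, ?, ?, 0, 0, ?)",
        [
            ("https://mail.example.org", "desktop-notification", ALLOW, 1000),
            ("https://news.example.net", "desktop-notification", DENY, 2000),
            ("https://alerts.fake-shield.example", "desktop-notification", ALLOW, 3000),
            ("https://meet.example.com", "camera", ALLOW, 4000),
        ],
    )
    return conn

if __name__ == "__main__":
    # Any origin listed here that you do not recognise is a candidate for
    # removal in the browser's notification permission settings.
    for origin in notification_grants(constructed_sample()):
        print(origin)
```
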