Fake/Rogue AV pop up question

Discussion in 'malware problems & news' started by tookerjeff, May 12, 2011.

  tookerjeff


    Aug 30, 2010
    Hello all,

    I had a question regarding some of the blocking/quarantining methods used by some AVs in regard to the pop-up fake AV pages…

    Why is it that some standalone AVs (and even security suites) will detect, block, and/or quarantine fake/rogue AV pop-ups, and even the ones that have started to download themselves, but then they do not “kill” the web page/connection, if you will, in order for the user to then proceed away from the offending flashing screen, if that makes any sense? It seems the user is then still left with a web page that won’t close, as you know (and some users are even left with the "are you sure you still want to navigate away from this page" prompt, clicking it over and over).

    An example of an AV that seems to do this is Webroot: even though it detects and quarantines the fake alert, it still doesn’t kill the page or somehow redirect the user away from it, which is very annoying. Other AVs do this also, so then one isn’t quite sure if it completely blocked everything or not.

    I usually end up just using Process Explorer to force the page to end as the AV doesn’t do this. Anyway, forgive me if I’m not very “security speak” regarding this! :)

    Thanks all,

  J_L


    Nov 6, 2009
    Depends on the AV, but I know for sure Avast will block the connection (if you have Network and/or Web Shield installed). Other AVs with similar features will probably do the same.
    As long as the threat is eliminated before infection, I think the AV did its job.
    Last edited: May 12, 2011
  SweX


    Apr 21, 2007
    Yea that's how it is, and how it works. :thumb:
