Threat Description

Rogue antispyware/antivirus software


Aliases: Rogue antispyware/antivirus software, Fraudtool.[variant], Fraudpack.[variant]


Deceptive or fraudulent antispyware/antivirus software that uses misleading or high-pressure tactics (e.g., falsely claiming a malware infection or deliberately infecting the machine) to pressure users into installing or purchasing the software.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.


In some cases, a rogue may have been silently installed on the system in a 'drive-by download'. In such cases, disinfection should be accompanied by a check to determine if any programs require updating or patching; if so, please refer to the program vendor's site for further details.

Technical Details

Rogue antivirus/antispyware programs (generally known as 'rogueware') are security applications that use misleading, high-pressure, fraudulent or malicious sales tactics to pressure users into installing and/or purchasing the product.

The quality of the purchased software itself is also suspect; once installed, the product may not perform as expected. Some are simply substandard products that present false information or false positives due to bugs in the software's code, rather than because of an outright deception. Code corrections can move a suspect program off the rogueware detection lists. Other rogues, however, are intentionally malicious and either bring no benefit to the user, or actively interfere with the computer's operations or compromise the user's data.

Rogue antispyware or antivirus programs typically closely mimic legitimate applications, using similar (or even identical) styling and packaging to convey legitimacy. As such, it can be difficult for both technical and non-technical users to differentiate between legitimate and rogue applications.

For more information about rogues, please see Article: About Rogues

Sign of a Rogue Infection

The most visible symptom of a rogue infection is when the installed 'trial' product displays excessive messages prompting the user to scan their computer system for infections, or to pay for a 'full version' of the product that will remove found infections. Many rogue applications present outright false positives as a means to alarm computer users into buying their application. They may also misrepresent common system files as malicious.

Note the misspelling of threats as "threads". The two files listed are common and are found on any installation of Windows. They are text files that contain configuration information for Windows. They are not executable programs.
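A claim that a plain-text configuration file is an infection can be checked against the file's own bytes. The sketch below is an added example, not F-Secure code; its function names and sample inputs are constructed for illustration. It classifies a flagged file as a Windows PE executable, text, or other binary.

```python
import struct

def is_pe(data: bytes) -> bool:
    # DOS header starts with 'MZ'; the 32-bit field at 0x3C (e_lfanew)
    # gives the offset of the 'PE\0\0' signature.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def looks_like_text(data: bytes, sample: int = 4096) -> bool:
    # Heuristic: no NUL bytes (unless UTF-16 with a BOM) and >= 95% printable.
    chunk = data[:sample]
    if chunk[:2] in (b"\xff\xfe", b"\xfe\xff"):
        # Trim to an even length so a cut-off code unit does not skew the result.
        text = chunk[: len(chunk) & ~1].decode("utf-16", errors="replace")
    elif b"\x00" in chunk:
        return False
    else:
        text = chunk.decode("latin-1")
    ok = sum(c.isprintable() or c in "\r\n\t" for c in text)
    return not text or ok / len(text) >= 0.95

def classify_flagged_file(data: bytes) -> str:
    if is_pe(data):
        return "pe-executable"
    return "text" if looks_like_text(data) else "other-binary"

# Constructed sample inputs (not taken from any real system).
SAMPLE_INI = b"; constructed config file\r\n[boot]\r\nshell=explorer.exe\r\n"
SAMPLE_INI_UTF16 = "[boot]\r\nshell=explorer.exe\r\n".encode("utf-16")
SAMPLE_MZ_TEXT = b"MZ notes: " + b"x" * 80   # text that merely begins with 'MZ'
_dos = bytearray(0x40)
_dos[:2] = b"MZ"
struct.pack_into("<I", _dos, 0x3C, 0x40)     # e_lfanew -> 0x40
SAMPLE_PE = bytes(_dos) + b"PE\x00\x00" + bytes(20)

if __name__ == "__main__":
    for name, blob in [("ini", SAMPLE_INI), ("ini-utf16", SAMPLE_INI_UTF16),
                       ("mz-text", SAMPLE_MZ_TEXT), ("pe", SAMPLE_PE)]:
        print(f"{name:10s} {classify_flagged_file(blob)}")
```

A "text" result only shows that the file is not a native Windows executable; script files are also text, so the result is a sanity check on the alert rather than a verdict on the file.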

How a Rogue Infection can Occur

A rogue may be installed onto a computer system in a number of ways:

  • User installed
    • Voluntarily installed directly from website / link - Rogue products are designed to appear legitimately professional and trustworthy. Users unfamiliar with the nature of these products may therefore assume they are safe and voluntarily download and install them from the product website. Rogues are also often offered on affiliate websites, which receive a commission each time the product is installed and sold. This system creates strong pressure to sell, by any means necessary, leading to the use of questionable sales tactics. These websites may aggressively display notices that the visitor's machine is infected and requires disinfection. Detecting problems in a demo or trial version, but requiring a license to remove those problems, is also a typical tactic (as free, fully functional trial periods are usually not offered). Such fear tactics are unfortunately often successful in luring users into paying and installing such products.
    • Voluntarily installed (social engineering) - Rogues may also be maliciously distributed using social engineering tactics that trick users into installing the program. Most commonly, users are directed (either through 'poisoned' search engine results or malicious links sent out in spam) to a malicious site that displays what appears to be a video. To see the promised video, users are requested to download a file, allegedly the 'video', or a 'codec', or similar. In reality, the user ends up downloading and installing the rogue onto their machine.
  • Involuntarily installed
    • Trojan - A number of trojan-downloaders silently install rogue products onto an infected computer.
    • Drive-by download - While browsing the Internet, an unsuspecting visitor to a malicious or compromised website hosting a specially crafted exploit may be silently infected with a rogue if their computer system has unpatched vulnerabilities susceptible to the exploit. This type of 'behind the scenes' infection is known as a 'drive-by download'. At the time of writing, drive-by downloads tend to exploit vulnerabilities in Java and the web browser.

