Security Solution for False Antivirus Detection

CATALIN POP, MARIUS POPESCU, ANTOANELA NAAJI
Faculty of Natural Sciences, Engineering and Computer Science
“Vasile Goldis” Western University
Arad 310025, Bd. Revolutiei nr. 94-96
ROMANIA
pop_catalin88@yahoo.com, popescu.marius.c@gmail.com, anaaji@uvvg.ro, http://cs.uvvg.ro

Abstract: - False antiviruses, also known as rogue antiviruses, block access to the PC's operating system, a situation in which a classic antivirus proves inadequate. The purpose of the software described in this paper is to improve products already on the market, either by adding it to a security product as a module or by using it to build other specific tools. The advantage of the suggested “heuristic” security solution is that it requires very little memory (at most 1 MB) and produced no false alarms. The solution can be combined with a “cloud” module, which looks a file up in its list and sends it to an analysis lab together with all the files it interacts with.

Key-Words: - False antivirus, security solution, rogue

1 Introduction

In computing, the term “virus” is applied to many kinds of software that fall under the generic name of malware; users tend to say “virus” when they mean “malware” [3], [5], [6], [7]. False antiviruses belong to the Trojan category and have a lifespan ranging from a few hours to a week. They fall into two categories: FakeAV (copies of legitimate security programs, or other programs that pose as security programs) and Fake Alert (alerts warning the user that the PC is infected). False antiviruses disguise themselves as antiviruses, anti-spyware, anti-adware and, in some cases, even as computer maintenance programs. The best known methods for creating alerts are:
- creating a fake Security Center and warning the user that the antivirus is not activated or not installed;
- displaying messages in the tray area that warn of security issues.
Recently, a new method appeared: a window warns the user that there is a security issue and that a scan of the PC's drivers is recommended.

2 The “False Antivirus” Application

2.1 False Antivirus Analysis Lab

The false antivirus analysis lab used in this paper consists of two computers: a virtual one (implemented with Oracle VM VirtualBox) and a dedicated physical one (used only for tests). The research used the Windows XP operating system. As with the virtual computer, the operating system is installed only once; a backup application then images the installation, and the resulting file is copied to an external USB drive so that a clean state can be restored after each sample. The tools employed are open source or freely available and depend on the type of malware analyzed. If the analysis module runs on the computer itself, it is much more efficient to use the Ultimate Boot CD (a collection of applications booted from a CD and run from memory), because behaviour can be viewed in real time. The tools employed in this case are: RegShot (an open-source program that takes registry snapshots and compares them), Autoruns (a utility for viewing and changing the programs launched at startup), ProcMon (Process Monitor, a utility showing real-time file system, registry and process activity), RootkitRevealer (a program offering advanced rootkit detection) and GMER (a program that searches for rootkits in key parts of the installed operating system).

Regardless of which computer the analysis is run on, one must first create a backup of the registry and save it to an external drive [9]. After creating several administrator accounts, the file to be analyzed is run and the computer is restarted. If the computer does not start, the Ultimate Boot CD is used to take a second copy of the registry, which is compared with the first using RegShot; the resulting log is then analyzed to establish why the PC does not start (in most cases, restoring clean copies of winlogon.exe and userinit.exe is enough for the computer to start).
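The snapshot-and-compare step above (registry copy before the sample, another after reboot, compare with RegShot, then work out why logon fails) can be reproduced on exported registry text. The following Python script is an added example, not code from the paper or from any of the tools it names: it parses two .reg-style exports, lists the differences the way RegShot's compare does, flags changes under the autostart keys, and checks the Winlogon Shell/Userinit values that decide whether the desktop appears after logon. The two snapshots are constructed sample data embedded in the script (the dropped binary name fakeav.exe is made up), and the autostart key list is an assumption for illustration that goes slightly beyond the paper by including Run/RunOnce and Image File Execution Options.

```python
"""Registry snapshot diff for the false-antivirus lab described above (added example)."""
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]     # key path -> {value name: raw .reg value}
Change = Tuple[str, str, str, str, str]  # (kind, key, value name, old, new)

# Constructed "before" snapshot: clean Windows XP logon chain and Run key.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="C:\\WINDOWS\\system32\\VBoxTray.exe"
"""

# Constructed "after" snapshot: Userinit now points at a dropped binary
# (fakeav.exe is a made-up name), a Run entry was added, and one unrelated
# binary value appeared. Sample data, not a capture from a real rogue.
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\Documents and Settings\\All Users\\Application Data\\fakeav.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="C:\\WINDOWS\\system32\\VBoxTray.exe"
"SecurityAV"="C:\\Documents and Settings\\All Users\\Application Data\\fakeav.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00,3e,28,00,00,\
  00,00,00,00
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Snapshot:
    """Parse a .reg export (regedit / `reg export` format) into a nested dict.
    Handles hex values continued over several lines with a trailing backslash.
    Real exports are UTF-16LE; decode them before calling this."""
    snap: Snapshot = {}
    key = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex: value continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snap.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            snap[key][name] = m.group(2)
    return snap


def unquote_sz(raw: str) -> str:
    """Turn a quoted REG_SZ literal from a .reg file into the stored string."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """List added, removed and modified values, the way RegShot's compare does."""
    changes: List[Change] = []
    for key in set(before) | set(after):
        b, a = before.get(key, {}), after.get(key, {})
        for name in set(b) | set(a):
            if name not in b:
                changes.append(("added", key, name, "", a[name]))
            elif name not in a:
                changes.append(("removed", key, name, b[name], ""))
            elif a[name] != b[name]:
                changes.append(("modified", key, name, b[name], a[name]))
    return sorted(changes)


# Assumed watch list: keys a rogue edits to survive reboot or to keep the
# desktop from loading. winlogon.exe reads Shell and Userinit at logon, so a
# Userinit that points at the rogue means explorer.exe never starts. IFEO is
# listed as a common hijack point although the paper does not mention it.
AUTOSTART_PATTERNS = [
    r"\\CurrentVersion\\Winlogon$",
    r"\\CurrentVersion\\Run(Once)?$",
    r"\\CurrentVersion\\Image File Execution Options\\",
]


def flag_autostart(changes: List[Change]) -> List[Change]:
    return [c for c in changes
            if any(re.search(p, c[1], re.IGNORECASE) for p in AUTOSTART_PATTERNS)]


def logon_chain_ok(snap: Snapshot) -> bool:
    """True when Shell/Userinit hold the stock XP values: Shell = Explorer.exe and
    Userinit = <windir>\\system32\\userinit.exe with nothing appended after it."""
    for key, values in snap.items():
        if re.search(r"\\CurrentVersion\\Winlogon$", key, re.IGNORECASE):
            shell = unquote_sz(values.get("Shell", "")).strip().lower()
            entries = [e.strip() for e in
                       unquote_sz(values.get("Userinit", "")).lower().split(",") if e.strip()]
            return (shell == "explorer.exe" and len(entries) == 1
                    and entries[0].endswith("\\system32\\userinit.exe"))
    return False


def analyze(before_text: str = BEFORE, after_text: str = AFTER) -> dict:
    """Run the whole comparison and return the findings."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    changes = diff_snapshots(before, after)
    return {"changes": changes, "flagged": flag_autostart(changes),
            "logon_ok": logon_chain_ok(after)}


if __name__ == "__main__":
    result = analyze()
    print("logon chain intact after reboot:", result["logon_ok"])
    for kind, key, name, old, new in result["flagged"]:
        print(f"{kind:9} {key}\\{name}: {old!r} -> {new!r}")
```

On a real machine the inputs come from `reg export HKLM\SOFTWARE before.reg` on the clean system and again after the reboot; the file is UTF-16LE, so open it with `encoding="utf-16"`. When the box no longer boots and the registry is read from the Ultimate Boot CD environment, the offline hive has to be attached first with `reg load` before it can be exported.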
Recent Researches in Communications and Computers ISBN: 978-1-61804-109-8 227