This article describes a standard procedure for removing malicious/counterfeit Anti-Virus (AV) programs (i.e., 'fake AV') using Sophos Endpoint Security and Control and, if necessary, the Sophos command line scanner (SAV32CLI).
You have most likely been infected with a Fake Anti-Virus if:
Applies to the following Sophos product(s) and version(s):
Sophos Anti-Virus for Windows 2000+ 10.0
Sophos Anti-Virus for Windows 2000+ 9.7.0
You can remove most fake AV programs with Sophos Endpoint Security and Control. Alternatively, you can use the SAV32CLI program. See below for instructions on using either method.
If the procedure did not work using the Endpoint Security and Control GUI, you will need to reboot the computer into safe mode to use our command line scanner to attempt to remove the malware.
Note: This method could fail if this is a new variant of the detection, or if you have not recently updated your threat detection data.
"%programfiles%\Sophos\Sophos Anti-Virus\SAV32cli.exe" -remove -p="%Userprofile%\desktop\Scan.log"
If the above steps do not remove the fake AV or if you cannot perform them, contact Sophos Technical Support with the scan.log file mentioned above.