Windows Active Guard

Threat Scorecard

Threat Level: 20 % (Normal)
Infected Computers: 2
First Seen: July 23, 2012
Last Seen: April 23, 2023
OS(es) Affected: Windows


Windows Active Guard is a malware program that belongs to the FakeVimes family of fake security software. Windows Active Guard carries out a common online scam that involves pretending to be a real security program in order to convince inexperienced computer users that they must pay for an expensive 'upgrade'. Since there are no real anti-malware capabilities on Windows Active Guard and it is, in reality, a malware infection itself, ESG malware researchers strongly recommend ignoring all of Windows Active Guard's warnings and removing this bogus security program with a reliable anti-malware application.

Windows Active Guard’s Family of Rogue Security Programs

Malware in the FakeVimes family has been active since 2009 and has been continually updated since then. One of the reasons why malware in the FakeVimes family has been increasingly active in 2012 is that criminals have started to integrate a rootkit component into the FakeVimes attack. Using a variant of the Sirefef rootkit, criminals can make programs such as Windows Active Guard particularly difficult to remove or even to detect as malware. Examples of other fake security programs in the FakeVimes family released in 2012 and previous years include Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst. Do not be fooled by their different names; they are all essentially the same malware infection.

How Windows Active Guard Tries to Steal Your Money

Windows Active Guard is designed to impersonate a legitimate security program. However, unlike a real anti-virus application, Windows Active Guard will always indicate that your computer is severely infected with malware. If you try to use Windows Active Guard to fix these supposed problems, Windows Active Guard will direct you to its website, where you will be urged to purchase an expensive 'upgrade' to fix these nonexistent problems. Windows Active Guard will also harass you with continual error messages and alarming security notifications in order to pressure you into falling for its scam.

Do not pay for this fake security application, even if this is done in order to stop its annoying error messages. In fact, you can stop these with the registration code 0W000-000B0-00T00-E0020. It is important to remember that this registration code will not remove Windows Active Guard. The only way to remove this fake security program is by using a real, legitimate and proper anti-malware application that possesses anti-rootkit capabilities. In most cases, an alternative boot method is also recommended before attempting to remove this threat.


File System Details

Windows Active Guard may create the following file(s):
1. %AppData%\Protector-[RANDOM CHARACTERS].exe

Registry Details

Windows Active Guard may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe

URLs

Windows Active Guard may call the following URLs:

.bytemarkup.xyz

Messages

The following messages associated with Windows Active Guard were found:

Error
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.
Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.
Warning
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
