Helping people with computers... one answer at a time.

A pop-up message that says you may have a virus may, or may not be legitimate. Anti-virus companies don't make viruses, but virus makers do try to look like anti-virus companies.

I wonder the about the origins of viruses. I mean, are things detected as viruses really viruses, or its just a way for anti-virus software to make us feel good about running their products? Or perhaps the anti-virus companies also make the viruses, so that we have a need for their product? And could the scanners get confused by other problems that are mis-identified as viruses?

There's a gut instinct to react to this question by saying "boy, you sure are paranoid". I mean, the question implies some heavy-duty conspiracy is at play.

The problem is that, as with any fear, there's a grain of truth to it. That means that if you ask me "is this 'you're infected' message a hoax" the best I can offer is "maybe".

We need to check a few more things before we can really say one way or the other with any certainty.

Let's look at a few of those things...

First off, if you are running a legitimate, name brand, anti-virus program, and it tells you that it has found a virus ... then it's not likely to be a hoax, and you most likely do have that virus on your machine.

So, what's a "legitimate, name brand, anti-virus program"? There are several clues that you can use:

  • It's recommended, or at least discussed, by more than one tech or software recommendations resource. Obviously I make mention of several anti-virus programs, but I'm not enough. You should be able to find similar mention or recommendations other places as well. For example computer magazines are a great place for periodic software reviews. Even Microsoft has a page listing Anti-Virus Software partners. Any of those can be considered "legitimate".

  • It's available in more than one place. If you see it on the shelves of your local computer store, or you an purchase it on-line at places like or, then you can consider it "legitimate". You can buy it wherever you like, but the fact that it's available in multiple places gives it much more legitimacy.

  • If you've never purchased it, and you suddenly get a pop-up that says "you might be infected! Buy this software to protect yourself!" it's probably not legitimate.

That last one is particularly important, and leads to my next point.

"If the 'solution' involves downloading or purchasing more software, don't do it."

Some less-than legitimate software vendors have taken the approach of trying to scare you into purchasing their product. You might get that message "You might be infected!", or worse "You are infected!", as a popup in your browser or elsewhere. If the "solution" involves downloading or purchasing more software, don't do it. Especially if you are already running anti-virus software, and especially if the message doesn't look like anything a message from your anti-virus software. That is a hoax.

It's almost a form of phishing - the vendor is presenting a sales message that looks like an error message, but it is not. Don't click on the message - even if it looks like it has an OK, or "No Thanks" or any other kind of button in it. Why? Because those buttons are often fake and lead you to the vendor's website whether you want to go there or not. Click on the little "x" in the upper right corner of the message window instead, to close it.

What's important here is that you need to be able to tell the difference between a legitimate alert popped up by your anti-virus software and a fake warning showing up elsewhere. Two quick tests:

  • Your anti-virus software will include the name of the anti-virus software (which you should recognize - you should know what package you're running on your machine). The fake will not, or will have the wrong name.

  • Your anti-virus software will not pop up a message in a browser window. (ALT+TAB, and you'll see the icon for your browser, say Internet Explorer or Firefox, and not that of the anti-virus software.) Many hoaxes do, as you are browsing the web.

So if there are some folks out there who are using these slimy marketing tactics to scare us into buying their product, could they in fact also be writing viruses that only their package can remove?

The answer is an emphatic "No" for all the legitimate makers of anti-virus software listed above. They would instantly lose all credibility once discovered.

The answer is also a reluctant "Yes" for the scam artists out there. There have been cases of viruses written in order to sell the solution to the specific virus. It's occasionally referred to as "hostage-ware". You are infected, and your machine is held hostage until you purchase the specific solution. The good news is that this never lasts very long. The legitimate anti-virus vendors quickly add each new virus to the list of those that they catch as well. If you're already running a good anti-virus program, then you'll typically need do nothing but stay up-to-date with its database updates.

Can an anti-virus be fooled? Of course.

Occasionally an anti-virus program will alert to a virus that isn't actually present - it's called a "false positive". Legitimate anti-virus vendors move quickly to update their definitions so as to remove these when they are detected.

Similarly, viruses are constantly trying to hide, and slip through the anti-virus scanners. And again, the vendors are constantly on the alert for when this might happen, and update their definitions accordingly.

That's one of the many reasons that keeping your anti-virus program's database of known viruses up to date is so critically important.

One last point I do want to make is this: anti-virus programs rarely say "you are infected", but rather something along the lines of "I found this virus". The difference is subtle, but important.

A virus can exist on your machine, but not be "installed" or activated. A good example is an executable file that you've downloaded which contains a virus. It exists on your machine, and the anti-virus software will catch it, but you are not actually infected.

Once you run the executable, and the virus also has a chance to run, that's when the infection actually occurs.

Article C2680 - June 6, 2006 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

1 Comment
alta hubbard
June 11, 2006 12:03 PM

your comments are always so helpful to me

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.