Facebook forced me to download their anti-malware, and my own antivirus gets knocked out

When Facebook says it cares about security, I laugh. Every day I see bots, spammers and click-farm workers plague the site, and despite reporting them, Facebook lets them stay. It will make a statement saying it would no longer kick off drag queens and kings, then proceed to kick off drag queens and kings. So when I was blocked last night from using Facebook on my Windows 10 computer, after using a website with a Facebook messaging plug-in, with the claim that there was malware on the system, I knew something was fishy.
   Like Google’s false malware accusationsso serious that people have lost websites over them—I knew to take this one with a massive grain of salt. However, I didn’t have a choice: in order to get in to the site, I had to download a Kaspersky malware program, and let it run. The program never appeared in my installed list in Windows. I let it run overnight, for seven hours, whereupon it was frozen at 62 per cent. Restarting the computer, I was back to square one.
 



Above: Doing things the Facebook way. Listening to them was bound to end in tears.
 

Above: There’s no sign of Kaspersky in Windows’ installed programs’ list.
 
   Here’s where things started getting very strange. Windows 10 began saying I had no antivirus, anti-malware, or firewall up. Normally I would use McAfee. However, no matter how many times I tried to choose it, the warnings kept coming, thick and fast. In one case, it chose Windows Defender for me—only because I decided to let it run—and would not permit me to change it back through the settings. The timing of these events was all too suspicious.
   There was a rumour, denied by Kaspersky, that it was creating malware to throw off its competitors. The jury’s still out, but it’s just odd that while Kaspersky is running its Facebook scan, of what I knew to be non-existent malware, that McAfee would be inaccessible. I went to the McAfee website to file this.
 


Above: While the Kaspersky scan proceeded, McAfee was knocked out and could not be switched on. Coincidence?
 
   Unlike most people, I have options open to me, so I began to go on to Facebook using several different methods. A VirtualBox containing XP on the same computer was fine, if incredibly slow while Kaspersky was doing its thing. (Think about Windows XP on a 386.) Lubuntu was fine as well, as was Mac OS X. I Tweeted the McAfee community link, and thought it odd that it did not appear in Facebook (I have my Twitter set up to post there). I then tried to paste the link into Facebook manually, whereupon, in Lubuntu and Mac OS, I was told that my computer was now infected with either a virus or malware. Unlike Windows, I had the option of telling them they were in error, and I was able to continue using the machines.
   This really sounds like Facebook and Kaspersky have it in for McAfee and, possibly, rival products, if the scan knocks out your choice of antivirus and anti-malware program, and if the mere mention of mcafee.com inside Facebook results in a warning box saying your computer is infected.
 

Above: On a Mac, I couldn’t even tell people about the post on mcafee.com. The second I did, Facebook said my computer was infected. The same thing happened on Lubuntu. Facebook accuses you of infection on the mere mention of mcafee.com.
 
   Eventually, the entire system froze, and while I could still move the mouse about, I couldn’t access the task bar or go to other programs.
   I was forced to do a hard reboot.
   But you’re asking now: was I ever infected? No. It’s Google all over again.
   Peter, the very knowledgeable McAfee support tech who came to my aid many years ago, was present again and put me on to two other programs after this restart. Getsusp analysed my system for malware, and, you guessed it, found nothing. Malware Bytes did the same, and found some PUPs (potentially unwanted programs), all of which I knew about, and I had intentionally installed. They’ve been present for years. In other words, two other malware scanners told me my system was clean. Malware Bytes did, however, restore McAfee as the correct antivirus program, exactly as Peter had predicted.
   He also suggested a system restore, which sadly failed, with Windows giving the reason that an antivirus program was running. Having restored this system once before (after some bad advice from Microsoft), I knew it couldn’t be McAfee. The only difference on this computer: I had had Kaspersky doing its Facebook scan. It appears that Facebook and Kaspersky don’t want you restoring your system.
   I had fixed the newer issues, but the original one remained: I couldn’t get on to Facebook. The Kaspersky scan never finishes, incidentally—you’re stuck on 62, 73 or 98 per cent—and while not having a personal Facebook is no great loss, I have businesses that have presences there.
   I stumbled across a Reddit thread where others had been forced to download antivirus programs by Facebook, and, fortunately, a woman there had found where hers resided. In my case, it was at C:\Users\USERNAME\AppData\Local\Temp\FBScanner_331840299. Deleting this, and all cookies mentioning Facebook and Kaspersky, restored my access.
   What to do if you ever come across this? My advice is to, first, run Malware Bytes, but ensure you run the free version, and do not opt for the trials. Once you’re satisfied your computer is clean, head into your cookies and delete all the Facebook ones, and any from the antivirus provider it recommends. This second Reddit thread may be helpful, too. I don’t know if this will work completely, but anything is preferable to following Facebook’s instructions and wasting your time. I really need to stop following instructions from these big firms—you’d think after all these years, I’d know better.
 
PS.: I found this video from last July which suggests the malware accusations have nothing to do with your computer set-up:
 

 
In addition, I cannot paste any links in Facebook. The situation began deteriorating after I regained access. Initially, I could paste and like a few things, but that facility eventually disappeared. Regardless of platform, I get the same error I did on the Mac yesterday (see screen shot above). Liking things results in the below error, and the wisdom there is to wait it out till Facebook staff get back to work on Monday.
 

 
P.PS.: Holly Jahangiri confronted the same issue as I did a few days later. She was smarter than me: she didn’t download the anti-malware malware. Have a read of her post here: other than that one difference, it’s almost play for play what happened to me for four days. She’s also rightly frustrated, as I am, by Facebook’s inaction when it’s legitimately needed.
 
P.P.PS.: Not only does Kaspersky delete your comment when you ask on its blog how to remove the malware scanner, they also clam up when you ask them on Twitter.
 
P.P.P.PS.: I’m beginning to hear that deleting cookies will not work (April 26). Facebook seems intent on having you download their suspicious junk. In those cases, people have switched to another browser.
 
P.P.P.P.PS.: Andrew McPherson was hit with this more recently, with Facebook blocking the cookie-deleting method in some cases, and advises, ‘If you get this, you will need to change your Facebook password to something very long (a phrase will do), delete and clear your browsers cache and history, then delete your browser, then renew your IP address to a different number and then reinstall your browsers.’ If you cannot change your IP address but are using a router, then he suggests refreshing the address on that. Basically, Facebook is making it harder and harder for us to work around their bug. Once again, if you sign on using a different account using the same “infected” computer, there are no problems—which means the finger of blame should remain squarely pointed at Facebook.
 
P.P.P.P.P.PS.: June 17: for those who might find Andrew’s method too technical, the current wisdom is to wait it out. It does appear to take days, however. Reminds me of the time Facebook stopped working for me for 69 hours in 2014.

P.P.P.P.P.P.PS.: January 28, 2017: David has come up with a great solution in the comments (no. 103). You can fool Facebook into thinking you are using a Mac by changing the user-agent. He suggests a Chrome Extension. I have Modify Headers for Firefox, which might work, too.
 
P.P.P.P.P.P.P.PS.: May 9: Stephan, on my other thread on this topic (comment no. 66), confirms that David’s solution worked and has posted a few more details, including extensions for Firefox, Safari and Chrome.
 
P.P.P.P.P.P.P.P.PS.: October 24: Don Dalton found that he was able to replace his Chrome profile with an older one to bypass Facebook’s block. Have a read of his comment here.
 
P.P.P.P.P.P.P.P.P.PS.: February 18, 2018: over the last few weeks, Mac users have been getting hit hard with this fake warning, and are being offered Windows software to download (which, of course will not work). Some have reported that changing browsers gets them around this. Downloading the equivalent anti-malware program from the same provider (e.g. Eset) does nothing, since the one user I know of who has done this came up with a clean Mac—because, as we already know, the warnings are fake.
 
P.P.P.P.P.P.P.P.P.P.PS.: February 18, 2018: let’s see if Wesley Shields, security engineer at Facebook, will tell us what’s going on. He’s been asking for more staff to join his malware detection team.


 
P.P.P.P.P.P.P.P.P.P.PS.: February 23, 2018: finally, a journalist has taken this seriously! Louise Matsakis, a writer for Wired covering the security and social media beats, has looked into the latest round of Facebook malware warnings being forced on Mac users. Facebook is still lying, in my opinion, claiming there could really have been malware (lie number one), but the company’s probably so used to saying one thing and doing another by now. Louise is right to seize upon the fact that no one knows what data are sent to Facebook during the scan. It’s a fine article, and I highly recommend it.


You may also like




195 thoughts on “Facebook forced me to download their anti-malware, and my own antivirus gets knocked out

  1. Hi Jack,

    Thanks a lot for sharing this post with me on twitter! I linked it to the end of my forum post: Facebook is forcing to use Kaspersky Anti-Virus.

    I have written there instructions for all the victims of this scam. To summarize, you have 3 options: 1) wait two days before you are allowed to login again, 2) install/use another browser, or 3) quit using Facebook. The 3rd option is the only permanent fix.

    Cheers,

    Santeri

  2. Santeri,
    Me installing an older Google Chrome profile worked beautifully. I call it option 4. I figured it out after waiting 5 days with no luck.

  3. Hi Don,

    Thanks for the info. When did that happen to you?

    I tried both older and newer chrome 1 week ago without luck. It has to be a different browser. Also the 48 hours time cap seems to be very recent development.

    Cheers,

    Santeri

  4. Global Nomads,
    This happened to me about two weeks ago. I used a 5 month old profile. I guess this issue has a random solution for everyone. :(
    Hope you get you accessibility back soon.

  5. I have been reading these accounts for a few days now starting from 2014 and they seems to differ a lot which implies that Facebook is tweaking their anti-virus marketing tool. Those fixes I listed on the forum fix the issues right now and I have confirmed them from multiple, independent sources, but there is no guarantee that remedies will change again in future. I can confirm you that changing the browser version did not work for me. Only certain thing is that as long as we keep using Facebook, anything can happen.

  6. Global Nomads,
    Changing the browser version won’t do it. You need to change the browser “Profile” that is made when you first start using the browser. You’ll need to have saved one before the issues started. I detailed the instructions above but the short and skinny is (on a Windows computer) you go to your “roaming/local” file (WinKey + %appdata%). Delete the folder titled “Google” then copy and paste your previously saved/archived “Google” profile folder in its place. Just deleting this folder won’t do it. Importing bookmarks and passwords from a browser that’s working won’t do it. I seriously hope that the wait is only 2 days now. It was almost 3x that for me.

  7. I can’t test your fix as I don’t take backups of system files or save old profiles. Windows is so badly made and messy that it’s easier to re-install it than trying to return system backups

    I re-installed chrome first wiping it out clean, but that did not help. The time is now 48 hours and you can speed that up by installing another browser which should work. This attack appears to be browser specific.

  8. https://www.forbes.com/sites/ygrauer/2015/09/24/antivirus-less-secure/#4cfd6a5e782a
    “We’ve written before about how antivirus software is not only resource-intensive but in some cases can make you less secure because it can be hacked itself. Now there’s new evidence that Kaspersky Lab’s antivirus software contains bugs which could be remotely exploited in targeted attacks, as Thomas Fox-Brewster reported yesterday. Some of these bugs are detailed in a blog post written by information security engineer Tavis Ormandy, a member of Google’s Project Zero vulnerability research team.

  9. Hi Don,

    I just finished testing your profile fix by making again a completely clean installation (with profiles and all traces of Chrome removed, and replacing with a profile I had earlier that already started to work on Facebook), and Facebook to is banning again my login with Chrome. I am afraid the trick does not work anymore :(

    Cheers,

    Santeri

  10. Santeri,
    I had tried doing a clean install of Chrome and it didn’t work for me either. The only thing that worked (besides downloading the scanner) was to use a saved profile from a few months earlier when I had no problems.

  11. I’ve noticed some confusion in the steps I provided so I’m going to add some detail.

    YOU MUST HAVE A SAVED, CHROME “PROFILE” FROM BEFORE YOU WERE LOCKED OUT.
    I realize the average user does not backup their computer but this is absolutely necessary for the following steps.

    0) Copy your earlier/archived Chrome user file named “Google” to the desktop.
    1) Press the “Start/Win” key.
    2) Type %appdata% (with the % sign).
    3) Click up one folder. You should see the following folders “Local”, “LocalLow”, and “Roaming”.
    4) Open “Local” and find the folder named “Google”. This is your user profile for Chrome.
    5) Delete it. There should now no longer be a “Google” folder in “Local”.
    6) Copy your Google Profile backup that you saved onto the desktop in step “0” above into the “Local” folder and you should be good to go.
    7) When you attempt to login to Facebook, it will most likely offer you to recover your account. DO THIS!
    8) After you’ve recovered your account, you should now be able to use Facebook on Chrome.

  12. Don,

    I had a clean profile, but not a few months old. That profile worked for accessing Facebook. I don’t see how the age of the profile could be a factor here. Facebook has no way of accessing the time stamps of the profile files to detect their age.

    Cheers,

    Santeri

  13. Jack, I hope they Help.

    Santeri,
    From my experience, whatever this is gets into the users profile. I imported my passwords and bookmarks from my Chrome account into Firefox and was instantly locked out. When I removed that profile, I was instantly able to get into my account through FireFox. Whatever causes this lockout is rather insidious and acts like a virus/maleware. My scans were unable to detect it.

  14. Don,

    I don’t think this has anything to do with malware, other than Facebook which is malware in many sense.

    It seems to me that Facebook is randomly picking Facebook users and flagging them (using browser signature to identify the victim) as potential customers for anti-virus, then forcing them to download, install and a crippleware version of anti-virus (Kaspersky or Trend Micro), which will force users to pay for an update to a full version (ransomware).

    I bet Facebook gets their share of revenue and this is nothing but a marketing stunt to make more money with unsuspecting Facebook users. This is not the first plunder Facebook has done and for sure not the last.

    Cheers,

    Santeri

  15. Santeri,
    I can totally see that as the case. I’m just glad blog threads like this exist that offer possible solutions. :D

  16. so i get the whole profile/cookies explanation …however none of this is working, have tried the virgin firefox log in, virgin ms edge log in, no importation, no cookies, even tried on different pcs and still get the ‘unclean unclean’ message….even went so far as to download and use this trend micro russian program and it just sat there for 2 days and did nothing….and there is no work around….there is no place to say i cant do this right now….im soooooooo very frustrated cause the android mobile version of fb is working like a charm….and the account is peruse only, no posting and very little comments….so how abouts some new pearls of wisdom for me ?? thanks in advance… LB

  17. Lori, Facebook blocked the deletion of cookies as a solution in April 2016. Downloading their questionable software is troublesome—I really recommend removing it as noted in the original post (it’s in a hidden Windows directory), because we don’t know what it’s doing inside there. As noted in one of the postscripts and a few of the comments, the most reliable method appears to be altering your headers: I’ve only heard one person in the comments who said it didn’t work for him. If it’s too technical, then another way is to wait it out, which can take between three days and a month: even if you did regain access, there’s no guarantee you can comment, like or post (something that happens a lot with Facebook, even before they started telling people falsely that they had malware—this is so clearly Facebook’s bug). One other person on this blog said she used the Windows Facebook app, though that does mean loading more Facebook software on to your computer, and I don’t think that’s a good thing.

  18. Jack…thanks for the clarification….i will keep working on it….
    LB

  19. It’s definitely that. They lie about why we need to download it. Once installed (because I was stupid enough to say yes), it resides in a hidden directory on your computer, which computer-savvy people can find but most probably will not. It never shows up in your installed programs’ list. When pressed, none of Facebook’s co-conspirators answer questions about it, even when they respond to you about other things. While we’re not asked for money, I believe the program extracts data from us without our consent, and that is our “payment”. One user above said she got around it by installing the Facebook app for Windows 10—which, of course, does the same thing. Facebook got what they wanted when she did that: a program that resides on her machine, probably constantly giving them data.

  20. Facebook just forced the ESET to run on my machine. I’m sure it was due to me using Dashlane to login (just a guess though).

    What I dislike the most is how it said it found and removed 4 files, but I get no info on what the files are… seriously, they just stealthily remove 4 files?!

    After the above I’m able to use Facebook as normal in my normal browser etc..

  21. Thank you for your update, Morten. There doesn’t seem to be a set pattern to whom this affects, but it will be interesting if others come by and say they are using Dashlane as well.

Leave a Reply

Your email address will not be published. Required fields are marked *