PanicStation.org

What to do if…
your antivirus or security app is suddenly disabled and you did not change it

Short answer

Assume compromise until proven otherwise: disconnect the device from the internet immediately and avoid logging into any accounts on it until you’ve checked things from a trusted device.

Do not do these things

  • Don’t keep using the device for email, banking, shopping, password managers, or work logins.
  • Don’t click pop-ups claiming “security disabled—click to fix” or install unknown “cleanup” apps.
  • Don’t search for and download random tools; scammers heavily target people in this exact moment.
  • Don’t reconnect the device “just to update” if it keeps disabling security instantly—pause and contain first.
  • Don’t factory-reset immediately if this is a work device or you may need records of what happened.
  • Don’t click around “to investigate”. If you want a record, capture only what’s already visible; if unsure, take a photo of the screen with another device.

What to do now

  1. Disconnect from the network.
    Turn off Wi-Fi and Bluetooth, unplug ethernet, disable mobile data, or use airplane mode on phones/tablets. If you can’t reliably disconnect (or you see ransomware/extortion behaviour), power the device down.

  2. Capture a minimal record (fast, low-risk).
    Note the time/date, the security product name, what changed, and any warnings. Take a photo/screenshot of any alerts that are already visible (don’t click around).

  3. From a different, trusted device, secure your critical accounts first.
    Prioritize: email → Apple/Google/Microsoft account → banking/credit cards → work accounts.

    • Change passwords from the trusted device.
    • Turn on multi-factor authentication if available.
    • If you reused passwords, change reused ones immediately.

  4. Check for obvious non-malicious causes (without deep troubleshooting).
    Sometimes one security product disables another, or a device management tool changes settings. Look for:

    • A new antivirus/security suite you didn’t install.
    • A new “work/school” management profile or administrator account you don’t recognize.

    If something looks unfamiliar, don’t remove it yet—just document it.

  5. Run an offline scan if available.
    On Windows, use Microsoft Defender Offline scan (it restarts into a recovery environment to scan). If you use another security product, use its official offline/boot scan option if it has one.

  6. Only after containment: update and run a full scan.
    If you must reconnect briefly, do it on a network you trust and only long enough to update the operating system and security tools, then run a full scan. Disconnect again if anything re-disables.

  7. If protection still won’t stay on, treat it as serious.

    • For a personal device: isolate it and plan for professional help or a clean reinstall after accounts are secured.
    • For a work/school device: stop and contact IT/security. Don’t “fix it yourself” unless they instruct you.

  8. Report if there’s any sign of crime, fraud, or extortion.

    • File a report with the FBI’s Internet Crime Complaint Center (IC3).
    • If identity theft or account takeover is involved, use IdentityTheft.gov for recovery steps.
    • If financial accounts may be exposed, call your bank/card issuer using the number on the back of your card or your official app.
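
On a Windows device, the record in step 2, the checks in step 4 and the offline scan in step 5 can be done with built-in PowerShell cmdlets instead of clicking through settings. This is an added example, not part of the original guidance; the output folder `$OutDir` is an assumption, and anything a possibly compromised machine reports about itself is a record to hand over, not proof that the device is clean.

```powershell
# Added example: read-only record for steps 2, 4 and 5 (Windows with Microsoft Defender).
# Run from an elevated PowerShell on the already-disconnected device.
# $OutDir is an assumed location; removable media is a better choice if available.
$OutDir = Join-Path $env:USERPROFILE 'Desktop\av-record'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 2: current protection state. The cmdlet fails when the Defender
# service is stopped, which is itself worth recording.
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
            BehaviorMonitorEnabled, IsTamperProtected, AntivirusSignatureLastUpdated |
        Format-List | Out-File "$OutDir\defender-status-$stamp.txt"
} catch {
    "Get-MpComputerStatus failed: $($_.Exception.Message)" |
        Out-File "$OutDir\defender-status-$stamp.txt"
}

# Step 2: when protection was turned off or reconfigured.
# 5001 = real-time protection disabled, 5007 = configuration changed,
# 5010 and 5012 = scanning disabled.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5001, 5007, 5010, 5012
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List | Out-File "$OutDir\defender-events-$stamp.txt"

# Step 4: security products registered with Windows Security Center
# (client editions of Windows only).
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, pathToSignedProductExe, productState, timestamp |
    Format-List | Out-File "$OutDir\registered-av-$stamp.txt"

# Step 4: members of the local Administrators group, looked up by well-known
# SID so it works on non-English systems. Document, do not remove.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize | Out-File "$OutDir\local-admins-$stamp.txt"

# Step 5: Microsoft Defender Offline scan. This restarts the device, so it
# is left commented out; save open work first.
# Start-MpWDOScan
```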

What can wait

  • You don’t have to decide right now whether to wipe the device—first isolate it and secure accounts.
  • You don’t have to figure out exactly what malware it is today.
  • You don’t have to pay or respond to threats today (if extortion/ransomware appears, keep the device offline and focus on containment and reporting).

Important reassurance

Security settings can change for benign reasons (updates, conflicting security products), but the safest first response is to assume compromise and reduce exposure. Disconnecting and slowing down is a practical move that prevents bigger harm.

Scope note

This is first-steps guidance to stabilize and prevent irreversible mistakes. Next steps (reinstalling, restoring backups, deeper investigation) depend on whether the device is personal, work-managed, or part of a broader incident.

Important note

This is general information, not professional security, legal, or law-enforcement advice. If this involves a workplace, school, healthcare, or sensitive data, follow your organization’s incident process and avoid actions that could destroy useful evidence.
