Antivirus programs walk a fine line between overly passive and overly aggressive detection algorithms. In the first case, it’s possible for infected sites and links to slip through the cracks; in the second, users must continually fend off false positives that impair their ability to perform basic functions or administrator actions.
While false findings have largely been eliminated thanks to whitelists and intelligent scanning techniques, nothing is perfect. As noted by CSO Online, a recent false positive detection left some Windows users locked out of their computers with a serious case of antivirus aggravation.
Logon Limitations Lead to False Positive Detection
It all started when a popular antivirus program flagged the critical Winlogon.exe process as infected by malware — specifically, a Trojan program called Troj/FarFli-CT, The Register reported. Apparently, the root cause was an antivirus update.
While a fix was offered in just a few hours, some users found themselves staring at a black screen when attempting to boot their machines. Even the familiar blue screen of death was gone, replaced instead by dark, inky silence.
Security firm Sophos said the problem with the update affected only a specific group of PCs running the 32-bit version of Windows 7 SP1. According to the company, other iterations, such as Windows XP, Vista, 8 and 10, experienced no issues. Once users booted up in safe mode, disabled the antivirus service and cleared the false positive detection notices from the console, the newly released fix solved the problem and put PCs back on track.
Positive Problems
Thankfully, these types of antivirus issues are no longer the rule but the exception. Security companies and tech giants alike have taken steps to whitelist critical sites and features, but the specter of false positive detection remains.
In some cases, reports of a potentially suspicious (but entirely innocuous) file make it more difficult to complete tasks or access services. The situation gets still more complicated when suspected code is present in Windows-critical files.
Consider the recent case of Techmeme, which, as reported by Search Engine Roundtable, endured its own problems with false positives when Google began flagging editorial links and embeds on the site as “hacked with spam.” The search giant fixed the problem a few days later, but Techmeme users were left wondering what had happened in the first place.
False Positives Versus Missed Negatives
Ultimately, false positive detection is a better problem to have than missed negatives. However, as malware threats become more advanced and antivirus companies step up the speed and impact of their response to compensate, an unexpected result occasionally occurs: PCs sustain critical damage, not from malware-makers, but from the very thing designed to protect software and systems. It’s a bit like cutting off the nose to spite the face — if the nose were mistakenly diagnosed with some kind of incurable disease.
Bottom line: In attempting to safeguard PCs, false antivirus positives can actually have the opposite impact and produce results akin to malicious attacks. While it’s worth investing in more intelligent threat protection, there’s also a need for more introspective tools able to catch false positives before they generate actual negatives.