September 7, 2016 By Douglas Bonderud 2 min read

Antivirus programs walk a fine line between overly passive and overly aggressive detection algorithms. In the first case, it’s possible for infected sites and links to slip through the cracks; in the second, users must continually fend off false positives that impair their ability to perform basic functions or administrator actions.

While false findings have largely been eliminated thanks to whitelists and intelligent scanning techniques, nothing is perfect. As noted by CSO Online, a recent false positive detection left some Windows users locked out of their computers with a serious case of antivirus aggravation.

Logon Limitations Lead to False Positive Detection

It all started when a popular antivirus program flagged the critical Winlogon.exe process as infected by malware — specifically, a Trojan program called Troj/FarFli-CT, The Register reported. Apparently, the root cause was an antivirus update.

While a fix was offered in just a few hours, some users found themselves staring at a black screen when attempting to boot their machines. Even the familiar blue screen of death was gone, replaced instead by dark, inky silence.

Security firm Sophos said the problem with the update affected only a specific group of PCs running the 32-bit version of Windows 7 SP1. According to the company, other iterations, such as Windows XP, Vista, 8 and 10, experienced no issues. Once users booted up in safe mode, disabled the antivirus service and cleared the false positive detection notices from the console, the newly released fix solved the problem and put PCs back on track.

Positive Problems

Thankfully, these types of antivirus issues are no longer the rule but the exception. Security companies and tech giants alike have taken steps to whitelist critical sites and features, but the specter of false positive detection remains.

In some cases, reports of a potentially suspicious (but entirely innocuous) file make it more difficult to complete tasks or access services. The situation gets still more complicated when suspected code is present in Windows-critical files.

Consider the recent case of Techmeme, which, as reported by Search Engine Roundtable, endured its own problems with false positives when Google began flagging editorial links and embeds on the site as “hacked with spam.” The search giant fixed the problem a few days later, but Techmeme users were left wondering what had happened in the first place.

False Positives Versus Missed Negatives

Ultimately, false positive detection is a better problem to have than missed negatives. However, as malware threats become more advanced and antivirus companies step up the speed and impact of their response to compensate, an unexpected result occasionally occurs: PCs sustain critical damage, not from malware-makers, but from the very thing designed to protect software and systems. It’s a bit like cutting off the nose to spite the face — if the nose were mistakenly diagnosed with some kind of incurable disease.

Bottom line: In attempting to safeguard PCs, false antivirus positives can actually have the opposite impact and produce results akin to malicious attacks. While it’s worth investing in more intelligent threat protection, there’s also a need for more introspective tools able to catch false positives before they generate actual negatives.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today