September 7, 2016 By Douglas Bonderud 2 min read

Antivirus programs walk a fine line between overly passive and overly aggressive detection algorithms. In the first case, it’s possible for infected sites and links to slip through the cracks; in the second, users must continually fend off false positives that impair their ability to perform basic functions or administrator actions.

While false findings have largely been eliminated thanks to whitelists and intelligent scanning techniques, nothing is perfect. As noted by CSO Online, a recent false positive detection left some Windows users locked out of their computers with a serious case of antivirus aggravation.

Logon Limitations Lead to False Positive Detection

It all started when a popular antivirus program flagged the critical Winlogon.exe process as infected by malware — specifically, a Trojan program called Troj/FarFli-CT, The Register reported. Apparently, the root cause was an antivirus update.

While a fix was offered in just a few hours, some users found themselves staring at a black screen when attempting to boot their machines. Even the familiar blue screen of death was gone, replaced instead by dark, inky silence.

Security firm Sophos said the problem with the update affected only a specific group of PCs running the 32-bit version of Windows 7 SP1. According to the company, other iterations, such as Windows XP, Vista, 8 and 10, experienced no issues. Once users booted up in safe mode, disabled the antivirus service and cleared the false positive detection notices from the console, the newly released fix solved the problem and put PCs back on track.

Positive Problems

Thankfully, these types of antivirus issues are no longer the rule but the exception. Security companies and tech giants alike have taken steps to whitelist critical sites and features, but the specter of false positive detection remains.

In some cases, reports of a potentially suspicious (but entirely innocuous) file make it more difficult to complete tasks or access services. The situation gets still more complicated when suspected code is present in Windows-critical files.

Consider the recent case of Techmeme, which, as reported by Search Engine Roundtable, endured its own problems with false positives when Google began flagging editorial links and embeds on the site as “hacked with spam.” The search giant fixed the problem a few days later, but Techmeme users were left wondering what had happened in the first place.

False Positives Versus Missed Negatives

Ultimately, false positive detection is a better problem to have than missed negatives. However, as malware threats become more advanced and antivirus companies step up the speed and impact of their response to compensate, an unexpected result occasionally occurs: PCs sustain critical damage, not from malware-makers, but from the very thing designed to protect software and systems. It’s a bit like cutting off the nose to spite the face — if the nose were mistakenly diagnosed with some kind of incurable disease.

Bottom line: In attempting to safeguard PCs, false antivirus positives can actually have the opposite impact and produce results akin to malicious attacks. While it’s worth investing in more intelligent threat protection, there’s also a need for more introspective tools able to catch false positives before they generate actual negatives.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today