
First things first, I'm not asking this question because of any specific alarm on my PC that I suspect to be false.

It's just that, from the perspective of the software industry, it would make some sense to implement false alarms every now and then, give paying users the wrong feeling that they really do need the antivirus software, and thereby keep them paying for updates, even if there never was an actual threat on the system.

Are there any known cases of something like this happening?

MaxD
    You're probably looking for the term *scareware*. – Arminius May 18 '17 at 19:12
  • @Arminius I'm not sure. I'm primarily thinking of real, working antivirus software that users pay for and that actually protects your system, but sends wrong alarms every now and then if it does not detect real threats. Would that be considered »scareware«? – MaxD May 18 '17 at 19:17
  • If there was a deliberate false alarm, I wouldn't describe the software as real and working. But there are grey areas. For example, PUPs - potentially unwanted programs. AV software being a bit trigger happy detecting PUPs would kind-of fit your question. – paj28 May 18 '17 at 19:21
  • @paj28 Yes, if the trigger happiness was **intentionally** implemented by the software developers to increase user dependence, it would fit very well. – MaxD May 18 '17 at 19:25
  • @MaxD: how would trigger happiness increase user dependence? If an AV produces too many false alarms, users will probably switch to a better one instead of feeling safer. And there are independent AV tests which also test for false positive rate. – Steffen Ullrich May 18 '17 at 20:03
  • @SteffenUllrich Inexperienced users might think »this software finds a lot of viruses, which means it is working well, and I have to keep using it to protect me from harm«. Also, not everyone checks independent tests before buying some fancy brand new software. – MaxD May 18 '17 at 20:11
  • There's the EICAR test file. It's a harmless MS-DOS application but it's meant to be detected by antivirus software as if it were harmful. It's meant to be used to test whether antivirus software is working correctly while not actually exposing computers to harm. So in that sense there exists AV software that gives false alarms, but not for the reason you suggest. https://en.wikipedia.org/wiki/EICAR_test_file – Ross Ridge May 19 '17 at 01:01
  • here's a recent example of a (presumably) accidental instance of this: https://community.webroot.com/t5/Announcements/Webroot-False-Positive-Update-April-25/td-p/290577 I know twitter was full of Windows sysadmins freaking out for a few days after that, struggling to restore mission-critical apps that had been quarantined – user371366 May 19 '17 at 03:08
  • one of my windows-using friends told me that some AVs detect all "keygens" and similar stuff as threats. it's probably not because all of them are full of malicious behavior, I assume it's because they get *money* for this from some proprietary software copyright holders. – Display Name May 19 '17 at 04:36
  • When I worked for a major AV vendor, we had a data loss issue which we solved by setting our internal AV clients to scan for and alarm on any pieces of the data in question on our corporate workstations. It worked, and we managed to recover all the data we were after. Kind of fits your case... and is probably as close as you'll get to deliberate false alarms from a *legitimate* AV vendor. – HopelessN00b May 19 '17 at 05:58
  • @SargeBorsch that actually has more to do with the way AV products detect malware than payoffs from IP holders. Cracks and keygens and such do actually behave like actual malware, so to prevent them from triggering AV alarms or warnings, they'd have to be deliberately whitelisted, which would put the AV vendor in an uncomfortable position from a legal and liability standpoint. The vendor I worked for didn't get any money from IP holders for triggering on cracks, but didn't want to get sued by IP holders for deliberately enabling piracy, basically... and that's the boat all AV vendors are in. – HopelessN00b May 19 '17 at 06:05
  • @HopelessN00b Avira detected an office crack as "Keygen" dot something on a relative's computer once. Kaspersky never complained. If the name contains the word "keygen", I'd say this is due to blacklisting rather than failure to whitelist. – fNek May 19 '17 at 11:51
  • @HopelessN00b do you work for an AV vendor currently as well? – Display Name May 19 '17 at 13:10
  • While it's quite plausible that cracks have behaviours that may be similar to viruses, as they patch parts of other software, I don't see why a keygen would be confused with virus-like behaviour. All that a keygen does is make some calculations; some may collect a hardware id, if the software uses a hardware-specific key, but that's pretty much it, AFAIK. – Lie Ryan May 19 '17 at 13:38
  • @LieRyan For keygens, specifically, it's more that they (generally) share libraries and/or coding techniques with malware... and if AV vendors went out of their way to whitelist these apps, they'd expose themselves to liability from IP owners. – HopelessN00b May 19 '17 at 20:25
  • If the software blatantly lied about threats, someone would probably find out. Then the company could be sued for fraud, which is illegal pretty much everywhere in the Western world, I think. Then they'd be out of business. – jpmc26 May 19 '17 at 22:38
  • I think your premise is wrong. Why would an when every now and then be helping a user relying on the software? An AV is more like a smoke detector. It costs money, but hopefully you would never need it in your life. I do not think my money spent on smoke detectors is thrown out of the window. – kap May 20 '17 at 22:33
  • Keygens, security tools etc. are often blocked by default by business-grade antivirus packages as "potentially unwanted applications". The rationale is "unless you have the knowledge and/or authority to reconfigure the AV, you have no business whatsoever using that in a company environment" and/or "it is more likely this semi-harmless tool was placed there as part of an attack/social engineering scenario than by user intent". – rackandboneman May 21 '17 at 02:45

4 Answers


I have not seen false alarms, but I have seen an excessive amount of warnings/notifications, with Avast, for example. You could receive warnings about how vulnerable you 'might' be, and how you could fix it by buying another product or an upgrade (e.g. a VPN solution or web shield), every time you go on a bank website, pull up a login form, or click yes on any "18 or older" boxes. I'm sure there is a way to turn them off, but I believe that's one way they try to make the user feel like they need this software.

So it's not really false alarms, but a lot of warnings that might get non-tech-savvy people to buy a license or another solution. Not a big fan of it, but it does help with awareness to some degree.

PositriesElectron
  • Same happens when you try to turn most antivirus off, it starts screaming at you "You are not protected! You are vulnerable to viruses, malware, leprosy, and genocide! Please turn us back on immediately!" – DasBeasto May 19 '17 at 13:37
  • *it does help with awareness to some degree* -- I'd argue it actually **hurts** awareness of security concerns. Because non-tech-savvy individuals buy the license/software/promised-miracle and then assume *that's it*, they're safe as can be and, most unfortunately, that they don't need to practice any other good habits. – tonysdg May 19 '17 at 19:00
  • Alternatively, you could view this as a "pay to remove ads" scheme. +1, though. – jpmc26 May 19 '17 at 22:41
  • @tonysdg Or conditions people to ignore such warnings - so when a more important one comes along, [they ignore *that*, too](https://ux.stackexchange.com/questions/44609/how-do-i-avoid-users-becoming-numb-to-warnings). – Bob May 20 '17 at 08:34
  • I saw a lot of Avast false alarms when I was learning C. Often I needed to add some dummy code in order to be able to run my compiled programs. – abukaj Feb 03 '18 at 17:03

The problem with deliberately triggering false alarms is that users will at some point lose trust in the AV software. The rates of false positives are also an important factor in AV rankings - and these rankings potentially influence users' buying decisions.

So legitimate AVs will probably offer you potentially unnecessary bonus features rather than pretending there is a concrete dangerous infection that can only be fixed with an expensive upgrade. (Software that constantly warns about non-existent threats would get into the realm of scareware.)

How important good detection rates are for an AV company's reputation is shown by the story reported in 2015 that Kaspersky employees had submitted mocked records to VirusTotal to trigger false positives in competing AVs:

Two former Kaspersky employees have accused the company of faking malware to harm rival antivirus products. They would falsely classify legitimate files as malicious, tricking other antivirus companies that blindly copied Kaspersky's data into deleting them from their customers' computers.

(Source)

That said, many AV companies have been criticized for unethical behavior. E.g., Symantec (the company behind Norton Antivirus) has been accused of charging unapproved extra fees and pretending to "remove" non-existent malware:

Symantec has been criticized by some consumers for perceived ethical violations, including allegations that support technicians would tell customers that their systems were infected and needed a technician to resolve it remotely for an extra fee, then refuse to refund when the customers alleged their systems had not actually been infected.

(Source)

Arminius

Any detection system has a certain number of false negatives and false positives (see ROC curves). A good system has relatively few of these, but still any system may report a file as malware when it is not, or miss true malware if it is well masked. A system tuned to be very reluctant may be too reluctant and miss the real threat.

Hence there will always be a certain number of false alerts on perfectly legitimate software. A false alert is not proof that the anti-virus software is sending alerts intentionally, and may not even be an indication that the tool is bad at spotting real threats.

Various kinds of fraud have surely been attempted in the past as well, including "antivirus software" that only produces false alarms and does not actually look for any viruses.

h22
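The threshold trade-off this answer describes, worked through as an added example (constructed for this page; it is not code from any AV product). A scanner gives each file a maliciousness score and alarms when the score reaches a threshold; the scores below are made-up numbers chosen so that the benign and malicious populations overlap, as they do in practice, and the functions show what a "reluctant" tuning costs in missed threats:

```python
"""Added example for this page (constructed, not code from any AV product):
the threshold trade-off behind every detector's false-positive and
false-negative rates, worked through on a small synthetic data set.

A "reluctant" tuning (high threshold) alarms on fewer legitimate files but
lets more real malware through; a trigger-happy tuning does the reverse.
"""

# Constructed scores in [0, 1]. The overlap is deliberate: packers, keygens
# and self-modifying code legitimately look malware-like. There are no
# cross-class ties, which keeps the ROC a simple staircase.
BENIGN_SCORES = [0.02, 0.05, 0.08, 0.10, 0.12, 0.15, 0.20, 0.22,
                 0.30, 0.35, 0.41, 0.48, 0.55, 0.62, 0.71]   # 15 legitimate files
MALWARE_SCORES = [0.33, 0.45, 0.52, 0.58, 0.63, 0.69, 0.74,
                  0.80, 0.86, 0.91, 0.95, 0.98]              # 12 real threats


def rates_at(threshold, benign=BENIGN_SCORES, malware=MALWARE_SCORES):
    """(true-positive rate, false-positive rate) for 'alarm if score >= threshold'."""
    tp = sum(1 for s in malware if s >= threshold)   # threats caught
    fp = sum(1 for s in benign if s >= threshold)    # legitimate files flagged
    return tp / len(malware), fp / len(benign)


def roc_points(benign=BENIGN_SCORES, malware=MALWARE_SCORES):
    """(fpr, tpr) pairs from the strictest threshold to the loosest."""
    points = [(0.0, 0.0)]                  # threshold above every score: no alarms
    for t in sorted(set(benign) | set(malware), reverse=True):
        tpr, fpr = rates_at(t, benign, malware)
        points.append((fpr, tpr))
    return points                          # ends at (1.0, 1.0): everything alarms


def auc(points):
    """Area under the ROC curve by the trapezoid rule; 1.0 = perfect, 0.5 = coin flip."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


def threshold_for_max_fpr(max_fpr, benign=BENIGN_SCORES, malware=MALWARE_SCORES):
    """Loosest threshold (hence best detection) whose false-positive rate is <= max_fpr.

    Returns (threshold, tpr, fpr). Candidate thresholds are the observed scores,
    scanned from loosest to strictest.
    """
    for t in sorted(set(benign) | set(malware)):
        tpr, fpr = rates_at(t, benign, malware)
        if fpr <= max_fpr:
            return t, tpr, fpr
    raise ValueError("no threshold satisfies the false-positive budget")


if __name__ == "__main__":
    print(f"AUC = {auc(roc_points()):.3f}")
    for budget in (0.0, 0.1, 0.2, 0.5):
        t, tpr, fpr = threshold_for_max_fpr(budget)
        print(f"FPR budget {budget:.0%}: threshold {t:.2f} -> "
              f"catches {tpr:.0%} of threats, flags {fpr:.0%} of clean files")
```

On this data a zero-false-positive tuning (threshold 0.74) catches only half of the threats, while allowing one flagged clean file in five (threshold 0.52) catches ten of twelve. The same scanner, with the same signatures, produces very different false-alarm behaviour depending only on where the vendor sets the threshold, which is why a single false alarm says little about intent.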

Yes. The EICAR Standard Anti-Virus Test File is a completely harmless file that anti-virus software deliberately detects as malicious.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The intention is to help test whether the anti-virus works, and thus it is more benign than the scare-ware approach you're concerned about.

CodesInChaos
  • OP is actually asking if there's any Anti-Virus that will just pop warnings of "Viruses" it caught without anything being there. As a way to scare people into buying it. – Black Magic May 22 '17 at 14:07
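To make concrete why the EICAR detection is a deliberate, specification-driven rule rather than a false positive, here is an added example (written for this page, not code from EICAR or from any AV vendor): a minimal scanner that applies the published rule, i.e. the 68-byte string at offset 0, optionally followed by whitespace, total length at most 128 bytes, plus a hash lookup, which is how signature engines match known files. The SHA-256 of the canonical 68-byte file is the widely published one; the four sample blobs are constructed here. Writing the file with `write_eicar()` is expected to make the local AV quarantine it, which is the whole point of the test file.

```python
"""Added example: a minimal scanner implementing the EICAR detection rule.

Constructed for this page; it is not code from any AV vendor. It shows that the
EICAR file is matched by an exact signature (and by hash), which is a
deliberate detection, not a trigger-happy heuristic.
"""
import hashlib

# Assembled from two halves so that this script file does not itself begin
# with the signature; the test file written by write_eicar() is the exact
# 68-byte string that every mainstream engine is expected to flag.
EICAR = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
).encode("ascii")
assert len(EICAR) == 68

# Widely published SHA-256 of the canonical 68-byte file (no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# The specification allows trailing whitespace (space, tab, LF, CR, CTRL-Z)
# after the string as long as the whole file stays at or below 128 bytes.
_ALLOWED_TRAILER = set(b" \t\r\n\x1a")


def is_eicar(data: bytes) -> bool:
    """Structural rule: signature at offset 0, whitespace-only trailer, <= 128 bytes."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(b in _ALLOWED_TRAILER for b in data[len(EICAR):])


def classify(data: bytes) -> str:
    """Mimic a signature engine: exact hash match first, structural rule second."""
    if hashlib.sha256(data).hexdigest() == EICAR_SHA256:
        return "EICAR-Test-File (hash match)"
    if is_eicar(data):
        return "EICAR-Test-File (signature match)"
    return "clean"


def write_eicar(path: str) -> int:
    """Write the canonical 68-byte test file; expect the local AV to quarantine it."""
    with open(path, "wb") as fh:
        return fh.write(EICAR)


if __name__ == "__main__":
    # Constructed samples: the canonical file, a variant with a trailing newline,
    # a file that merely *contains* the string, and an ordinary file.
    samples = {
        "canonical": EICAR,
        "with_newline": EICAR + b"\n",
        "embedded": b"echo hello\n" + EICAR,
        "benign": b"MZ\x90\x00 not a test file",
    }
    for name, blob in samples.items():
        print(f"{name:13s} -> {classify(blob)}")
```

The "embedded" sample is reported clean here because the specification only requires detection when the string is at the start of the file; many real engines flag it anywhere, but that is vendor choice, not a requirement. Either way, the match is on exact bytes the vendor knows in advance, which is the opposite of a system inventing alarms.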