Are there any known cases of antivirus software intentionally sending false alarms?

I have not seen false alarms, but I have seen an excessive amount of warnings/notifications, with Avast, for example. You could receive warnings about how vulnerable you 'might' be, and how you could fix it by buying another product or an upgrade (e.g. a VPN solution or web shield), every time you go on a bank website, pull up a login form, or click yes on any "18 or older" boxes. I'm sure there is a way to turn them off, but I believe that's one way they try to make the user feel like they need this software.

So it's not really false alarms, but a lot of warnings that might get non-tech-savvy people to buy a license or another solution. Not a big fan of it, but it does help with awareness to some degree.


The problem with deliberately triggering false alarms is that users will at some point lose trust in the AV software. The rates of false positives are also an important factor in AV rankings - and these rankings potentially influence users' buying decisions.

So legitimate AVs will probably offer you potentially unnecessary bonus features rather than pretending there is a concrete dangerous infection that can only be fixed with an expensive upgrade. (Software that constantly warns about non-existent threats would get into the realm of scareware.)

How important good detection rates are for an AV company's reputation is shown by the reported story from 2015 that Kaspersky employees had submitted mocked records to VirusTotal to trigger false positives in competing AVs:

Two former Kaspersky employees have accused the company of faking malware to harm rival antivirus products. They would falsely classify legitimate files as malicious, tricking other antivirus companies that blindly copied Kaspersky's data into deleting them from their customers' computers.

(Source)

That said, many AV companies have been criticized for unethical behavior. E.g., Symantec (the company behind Norton Antivirus) has been accused of charging unapproved extra fees and pretending to "remove" non-existent malware:

Symantec has been criticized by some consumers for perceived ethical violations, including allegations that support technicians would tell customers that their systems were infected and needed a technician to resolve it remotely for an extra fee, then refuse to refund when the customers alleged their systems had not actually been infected.

(Source)


Any detection system has a certain number of false negatives and false positives (see ROC curves). A good system has relatively few of these, but still any system may report a file as malware when it is not, or miss the true malware if well masked. A system tuned to be very reluctant may be too reluctant and miss the real threat.

Hence there will always be a certain number of false alerts on perfectly legitimate software. A false alert is not proof that anti-virus software is sending alerts intentionally, and may not even be an indication that the tool is bad at spotting real threats.

Various kinds of fraud have surely also been attempted in the past, including "antivirus software" that only produces false alarms and does not actually look for any viruses.
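The trade-off described in the last answer, as an added example that is not part of the original answers: sweeping the alert threshold over constructed detector scores shows false positives and false negatives moving in opposite directions. It goes one step beyond the answer by also counting alerts on a mostly benign file population. The scores, function names and file counts are assumptions made for illustration.

```python
# Constructed sample data (not from any real product): detector scores in [0, 1],
# where a higher score means "looks more like malware".
BENIGN = [0.02, 0.05, 0.08, 0.11, 0.15, 0.21, 0.27, 0.34, 0.46, 0.62]
MALICIOUS = [0.38, 0.55, 0.66, 0.71, 0.79, 0.84, 0.88, 0.93, 0.96, 0.99]


def rates(threshold, benign=BENIGN, malicious=MALICIOUS):
    """Return (false_positive_rate, false_negative_rate).

    A file is flagged when its score is >= threshold.
    """
    false_pos = sum(score >= threshold for score in benign)
    false_neg = sum(score < threshold for score in malicious)
    return false_pos / len(benign), false_neg / len(malicious)


def roc_points(thresholds):
    """Return (threshold, FPR, TPR) triples, i.e. points on the ROC curve."""
    points = []
    for t in thresholds:
        fpr, fnr = rates(t)
        points.append((t, fpr, 1 - fnr))
    return points


def alert_mix(threshold, n_benign, n_malicious):
    """Expected (true_alerts, false_alerts, precision) for a scanned population.

    Shows the base-rate effect: when almost all files are benign, a small
    false-positive rate still produces most of the alerts.
    """
    fpr, fnr = rates(threshold)
    true_alerts = n_malicious * (1 - fnr)
    false_alerts = n_benign * fpr
    total = true_alerts + false_alerts
    precision = true_alerts / total if total else 0.0
    return true_alerts, false_alerts, precision


if __name__ == "__main__":
    for t, fpr, tpr in roc_points([0.3, 0.5, 0.7, 0.95]):
        print(f"threshold={t:.2f}  FPR={fpr:.0%}  TPR={tpr:.0%}")
    # Assumed population: 99,900 benign files and 100 malicious ones.
    tp, fp, prec = alert_mix(0.5, n_benign=99_900, n_malicious=100)
    print(f"true alerts={tp:.0f}  false alerts={fp:.0f}  precision={prec:.2%}")
```

Raising the threshold removes the false alarms only by missing more real samples, which is the "too reluctant" case in the answer.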

Tags:

Antivirus