
2 Intern


April 23rd, 2010 22:00

When Anti-Viruses go bad ...

An AV should never cripple or crash one's PC. PERIOD.

The recent fiasco with a bad McAfee update emphasizes this. McAfee is by no means the only offender, but I personally have zero tolerance for such mistakes. We have to hold these commercial vendors to a higher standard.

Dell, are you listening? (Pre-installed security is lacking).

McAfee antivirus program goes berserk, reboots PCs

Bad BitDefender Antivirus Update Hobbles Windows PCs

AVG Damage Control

McAfee Update Flags Hundreds of Innocuous Programs

 

3 Apprentice


April 24th, 2010 06:00

Joe,

In theory, I certainly agree with you... an anti-virus program should never cripple... nor even significantly impair... one's computer system.   However, we both know that NO company --- be it big name or small, paid version or free --- is "exempt" from generating false positives.

You cited McAfee, BitDefender, and AVG.   Let me remind you (and others) that avast too had a "major screw-up" a few months ago:

http://en.community.dell.com/support-forums/virus-spyware/f/3522/p/19307775/19601742.aspx#19601742

and even MBAM was guilty (at least) once of rendering some PCs unbootable:

http://en.community.dell.com/support-forums/virus-spyware/f/3522/p/19303888/19587155.aspx#19587155

Here are a few more:

Trend Micro http://news.softpedia.com/news/Trend-Micro-Antivirus-Definitions-Crash-Computers-93224.shtml

ESET NOD32 http://news.softpedia.com/news/NOD32-Tags-Windows-Files-as-Malicious-106553.shtml

Kaspersky http://news.softpedia.com/news/Kaspersky-False-Positives-Quarantine-or-Kill-Windows-Explorer-in-Windows-Vista-74601.shtml

And I'm sure that, with time/diligence in searching, we could find many, many more.

If we strictly maintained a zero-tolerance policy, eliminating an antivirus (or antimalware) program after one strike [even a "major"/crippling strike], I think NOTHING would be left... meaning we'd all be running our systems UNprotected.   I'm sure that's not what you intended us to infer...

2 Intern


April 24th, 2010 08:00

 ky:

Point taken.

However, I draw a distinction between false positive detections by on-demand scans, and FPs executed in real time. As I understand it, the latest McAfee fiasco crippled systems merely by the auto-update process.

You cite major FPs by both MBAM and Nod32, both of which I use. Yet neither crippled my OS, because these FPs did not result in automatic deletion/quarantine of critical Windows files by these resident programs, and because these FPs were corrected quickly in subsequent updates.

Did the avast! FP you cited cripple your system? I suspect not.

My point was that I have zero tolerance for any AV (or any other program, for that matter) that cripples my OS merely by auto-updating. I allow no program other than my AV to auto-update for this reason.  I'm not alone in my fear of auto-updating: http://billpstudios.blogspot.com/2010/04/auto-update-kills-computers-again.html

FPs are a fact of life with every AV.  But auto-updating an AV must be safe.

3 Apprentice


April 24th, 2010 09:00

Joe,

as I recall the avast situation, it suddenly started objecting --- left and right --- to "tons" of legitimate files.   By chance, my wife's machine updated first... and the next thing she knew, she was getting warnings about various SpyBot components.   I checked things out on another machine... and disabled avast's automatic updates... until the matter was acknowledged and fully fixed... several HOURS later.

by default, avast 5's modules... including its resident protection... are set to automatically quarantine any infection found.   So with a bad update like the one they had, many people found hundreds (even thousands) of valid files instantly quarantined, before they could do anything about it.

fortunately for me (and my wife), I had changed avast's default settings on our machines, so that it ASKED us what to do, when it found the (alleged) "virus"... and that certainly mitigated the potential problem for us.

the decision to quarantine (by default) rather than ASK has been debated in the avast forum.  the avast people stand by their decision, on the belief that the average user is not in a position to research and properly react to a viral prompt. and, since most fp's are harmless enough, the quarantined files can be restored.   i don't recall whether avast actually targeted any critical system files during its fiasco... but the thought that it could have is nonetheless very disconcerting.

2 Intern


April 24th, 2010 16:00

ky:

I think that the links you and I have cited provide ample evidence of the dangers of auto-scanning and/or automatically quarantining/deleting (as opposed to alerting about) detections. I certainly have all my resident protection programs configured to alert me only. I'm not familiar with McAfee, but if it does not offer this option, I would not use it.

Which configuration is best for the average user is moot. My experience is that most AVs default to quarantining detections.

Playing Devil's Advocate here, there is also the option to NOT use a resident AV. Fully 7-8% of respondents to Wilder's Polls on AVs used chose this route over the past year. No doubt they will validate their decision by pointing at fiascos such as McAfee's.

Considering that my AV has never detected anything but the rare FP in years, I can see why some choose this, and remain uninfected. Obviously not my choice; the best analogy is to the use of seatbelts- they have never saved my life yet, but I would not drive without using them!

 
