
The antivirus “paranoid mode” is slowing businesses down


It is not easy to strike the right balance between security and efficiency. This is particularly true when it comes to cybersecurity because businesses must carefully protect themselves from threats whilst making sure that over-zealous defenses don’t hamper productivity.  

At AV-Comparatives, we spend our days carrying out rigorous, painstaking tests of antivirus (AV) solutions to expose exactly how effective they are at blocking malware infections and cyberthreats. Sometimes, a vendor may appear to have built the perfect product that blocks all threats and achieves a perfect score. Yet the apparently perfect antivirus product is often hiding a problem: it blocks everything, or it generates large numbers of false positives.  

On a business-wide scale, using products which follow an approach we call “paranoid mode” can have a disastrous effect on productivity by slowing down normal processes, throwing obstacles in the way of employees and getting in the way of everyday activities.  

Of course, the opposite is true as well. If a business (or an antivirus solution) gives too much freedom, then trouble will not be far away. So how should organizations get the perfect "Goldilocks" balance which protects against threats whilst ensuring normal operations can still run smoothly?

The problem with false positives 

They sound innocuous. But false positives can have serious effects on a business. When an AV solution falsely detects a threat, the operational impact is immediate. The production line must be stopped, so to speak, while the alert is triaged, investigated and then ruled out. If this happens once, it might be only a nuisance. When it happens over and over again, the people in charge of security could lose faith in the AV product and start to question all of its reports.  

When the boy cried wolf, no one believed him when a real wolf turned up outside the village. The same is true of AV products. If false positives are continually generated, security staff will first suffer from alert fatigue before starting to lose faith in their AV solution – potentially missing a genuine threat. At worst, they could end up whitelisting a piece of malware so it is allowed to spread freely through the network.  It is better to have an AV product that blocks 99 percent of threats with no false positives than one which has a 100 percent block rate but generates false alarms.  
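To see why the 99-percent product can be the better choice, here is an added example (not part of the original article) that works the comparison through with constructed numbers: the scan volume, malware prevalence, false-positive rate and triage time per alert are all assumptions, not measurements. Because malware is rare among the files a business handles, even a small false-positive rate produces far more alerts than the genuine detections it is meant to add.

```python
"""Compare two hypothetical AV products on a constructed daily workload.

Product A blocks 99% of threats and raises no false alarms; Product B blocks
100% of threats but wrongly flags 0.5% of clean files. All figures here are
assumptions for illustration, not AV-Comparatives test results.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AvProduct:
    name: str
    detection_rate: float       # fraction of malicious files blocked
    false_positive_rate: float  # fraction of clean files wrongly blocked


def daily_outcomes(product, files_per_day, malware_prevalence):
    """Return (true_alerts, false_alerts, missed_threats) for one day."""
    malicious = files_per_day * malware_prevalence
    clean = files_per_day - malicious
    true_alerts = malicious * product.detection_rate
    false_alerts = clean * product.false_positive_rate
    missed = malicious - true_alerts
    return true_alerts, false_alerts, missed


def alert_precision(product, files_per_day, malware_prevalence):
    """Share of the product's alerts that are genuine threats."""
    tp, fp, _ = daily_outcomes(product, files_per_day, malware_prevalence)
    return tp / (tp + fp) if tp + fp else 0.0


def triage_hours(false_alerts, minutes_per_alert):
    """Analyst time spent ruling out alerts that turn out to be nothing."""
    return false_alerts * minutes_per_alert / 60.0


# Constructed workload: 100,000 files scanned per day, 1 in 10,000 malicious.
FILES_PER_DAY = 100_000
PREVALENCE = 0.0001
PRODUCT_A = AvProduct("A (99% detection, no false positives)", 0.99, 0.0)
PRODUCT_B = AvProduct("B (100% detection, 0.5% false positives)", 1.00, 0.005)

if __name__ == "__main__":
    for p in (PRODUCT_A, PRODUCT_B):
        tp, fp, missed = daily_outcomes(p, FILES_PER_DAY, PREVALENCE)
        precision = alert_precision(p, FILES_PER_DAY, PREVALENCE)
        print(f"{p.name}: {tp:.1f} true alerts, {fp:.1f} false alerts, "
              f"{missed:.2f} missed threats, precision {precision:.1%}, "
              f"{triage_hours(fp, 15):.1f} analyst-hours on false alarms")
```

With these assumptions Product B raises roughly 500 false alerts a day against 10 real ones, so fewer than 2 percent of its alerts are genuine, while Product A misses about one threat every ten days and raises no false alarms at all.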

On a wider scale, excessive AV settings can slow down processes across a business. If an AV product is configured in paranoid mode, it may block routine processes. For instance, if the solution incorporates web filtering, it can play an important role in stopping employees from accessing inappropriate sites as well as malicious pages. But what if the accountancy team needs to access a banking portal? Or the marketing team wants to quickly produce some slides from a presentation using a web app? If the settings are too aggressive, these two attempts may be blocked. Amplify this issue across an organization and it is easy to see how seemingly effective AV products can hamper efficiency and place unnecessary roadblocks in people’s way. 

False alerts - Real crisis  

It is annoying when emails are blocked, and legitimate programs are prevented from working properly when an AV solution has paranoid mode engaged. Yet the problems caused by false positives have the potential to be more than just irritating. Some false positives can render an individual system unbootable or allow it to be switched on but not to be connected to the internet or a local network. A few years ago, this would have been less of a problem, because an individual employee hit by this problem could just swap to another machine. If they are working from home – miles away from another colleague and IT support staff – it is easy to see how hours could be wasted trying to fix the problem. No vendor can truly promise that this situation will never occur.  

It does not help that there are many ways in which legitimate programs may integrate themselves into an operating system in a way that resembles malware. Encryption programs and system restore functions, for example, often look like malware to behavior blockers. AV products that block everything they have never encountered before and that has not been whitelisted might seem effective at blocking malware, but at the cost of a huge potential dent in productivity.  

We have seen many examples of the damage caused by false positives. A current example is Microsoft Defender for Endpoint, which is at the time of writing blocking Office documents from being opened and some executables from launching because a false positive tags the files as potentially bundling an Emotet malware payload.  

It has been estimated that Security Operations Centres spend 15 minutes out of every hour dealing with false alerts. Now imagine what would happen at a smaller company without dedicated staff when it is hit by the same problem. The downtime caused by excessive protections could prove very expensive indeed. 

Addressing the problems of paranoid mode 

Tackling the problem of false positives and paranoid mode is an area in which the incumbents have an advantage. New entrants to the market may have the latest technology and fresh, innovative ideas about how to tackle threats and reduce risk. But what they lack is experience and knowledge. Older, more established vendors have extensive whitelists which allow software with legitimate business uses to operate effectively without being locked down by AV products. Newer entrants to the market will catch up, but it takes a long time to build up the expertise and knowledge to operate whitelists effectively. Once up and running, these lists can be a powerful tool, allowing clients to operate a "deny by default" model which prevents all software from running unless it is known to be legitimate.  

It is often said that the best way to make a device secure is to cut its internet connection and slice through the power cable. This will, of course, reduce the malware risk to zero. But it will reduce productivity to the same level. The solution is constant vigilance. Vendors must quickly identify false positives and take action. A whitelist should be constantly evolving. Customers should also monitor their AV solutions and report anything that is going wrong. AV-Comparatives builds this balancing act into its testing by documenting the settings the vendors applied to each security product, so that users have guidance on how to configure it. The multi-faceted results can then provide a more enlightening picture of what is going on. Paranoid mode is a problem – but it can be solved.

Peter Stelzhammer, co-founder, AV-Comparatives

In 1999, Peter Stelzhammer co-founded AV-Comparatives as a joint student project at the University of Innsbruck. This was done purely out of technical interest, to see how good the products of different manufacturers actually are. The response was enormous, and AV-Comparatives became an independent organization offering systematic testing that checks whether security software lives up to its promises.