Antivirus exceptions: Think twice before making them

Have you ever allowed some “exceptions” to slip through the cracks, even after your security software warned you that it wasn’t safe to do so? Probably – it’s a safe bet that most people have. But while you might think that you know better than the software — or you might just really want to access that thing you downloaded — adding too many exceptions can be really dangerous. And even if you’ve gotten away virus-free so far, that doesn’t mean your luck is going to hold. 

Most digital infections occur because a person took a direct action that led to the infection. Sometimes it’s through social engineering, like a phishing attack that gets you to click on something. Sometimes it’s because you downloaded something you shouldn’t have. Or sometimes it’s from clicking an email attachment. Whatever the delivery method, your device likely got infected because of something you did. 

In some cases, people are doing something that they know is questionable, immoral, or even illegal, like downloading pirated software, cracked games, or pirated TV shows. Those people might think that they’re getting the warning pop-up because they’re breaking the law, but they’re actually getting it because the file is infected. 

For example, in 2020 the Avast Threat Labs team detected cryptomining malware inside of cracked games and key generators. Attempts to download the malware — which the team named CoinHelper — were detected on more than 220,000 Avast users’ devices from the beginning of 2020 to the end of 2021. While most of the attempted downloads were through pirated software and torrents, the team also detected it in clean software distributed through unofficial sources. 

The Threat Labs team detected another piece of malware, which they named Crackonosh, midway through 2021. Like CoinHelper, Crackonosh was distributed via infected files in illegal, cracked software. As part of its anti-detection and anti-forensics methods, Crackonosh tried to disable antivirus programs, including Avast, Windows Defender, Windows Updates, and more.

Every Avast user who attempted to download a file that contained CoinHelper or Crackonosh was given a pop-up warning that they were about to be infected. But, unfortunately, some users chose to ignore that warning and create an exception anyway. Bad move.

Antivirus isn’t here to police your actions; we’re here to provide protection against cybercriminals. So if you see that little pop-up when you’re doing something you know you probably shouldn’t be doing, pay attention. It could mean the difference between a nasty infection and getting off virus-free.

Other times, people think that the warning is a “false positive” that’s detecting something as malware when it actually isn’t. And while most of the detections Avast makes are accurate, sometimes a false positive does slip through.  

At Avast, we take false positives seriously and we evaluate each case as fast as possible. But, please, let us make the assessment about whether or not it’s actually a false positive – we have the equipment to do so and you’re really rolling the dice if you choose to download anyway. When in doubt, you can always report the false positive directly from the detection, from the quarantine, or you can reach us on our forum as well as fill in an official false positive form on our web.

And, finally, some people choose to exclude an entire drive on their device, perhaps because they routinely download illegal or cracked files. Many choose to exclude C: drive and we’ve even seen a user exclude C:, D:, and E: drives, effectively disabling their File Shield protection on the whole computer. That move essentially makes your antivirus worthless and leaves you open to all kinds of attacks.

Yes, your data could also be at risk

You might think you have nothing to hide or that you’re not important enough to be targeted by malware. But it’s exactly that attitude that leaves you more vulnerable to attack, because cybercriminals rely on that type of thinking. They know that the average user isn’t being super vigilant, which makes them an easier and cheaper target. Or, think about it this way: your data might be pretty much worthless, but that does not mean bad guys can’t sell it.

And sometimes the attack isn’t even from cybercriminals but instead is “coming from inside the house.” For example, Avast Threat Labs has detected stalkerware — which is malware that a controlling partner or ex or sometimes even a boss installs on someone’s device in order to track their movements both online and off — that gives step-by-step instructions to abusers on how to disable antivirus and/or set up exceptions. It’s a scary way that intimate partner violence specifically takes advantage of peoples’ tendency to allow antivirus exceptions. 

Here’s how to stay safe

So if exceptions create such a potential risk for users, why do cybersecurity companies allow for them at all? Well, there are circumstances in which exceptions make sense, like when an advanced user who, for example, wants to tweak something on their system/network or even use a hack tool for security purposes. Avast might detect usage of such a tool because it is frequently misused by bad actors.

But, for the average user, best practices is to allow for as few exceptions as possible. Think twice before you add anything to exceptions, even if our detection dialogue annoyed you in the moment. Take a deep breath, and ask:

• Am I sure the software can be trusted?
• Where did I download the software? Is the source trusted?
• Do I know the author? Is it a big company or some random site you’ve never heard of?
• If it is a big company, did I download it from the official site?
• Is the software digitally signed?

Antivirus products are here to protect you, so why not let us do our job? You never know what might be hiding out there in the dark.