Example 6.1.1. Webroot Antivirus.
In 2017 a popular antivirus service created a bad rule that identified certain Windows operating system files as threats. The antivirus solution quarantined these files, which were critical for the operation of the machine. The result was a machine that was unusable.
1. www.nbcnews.com/tech/tech-news/popular-antivirus-program-mistakenly-ids-windows-threat-creating-chaos-n750521
For 13 minutes, Webroot distributed this rule to its antivirus software, shutting down operations on an untold number of machines. Fortunately, Webroot was able to quickly identify the problem and send out an update which would have allowed the machines to automatically fix the problem. Unfortunately, their infrastructure for distributing the update quickly became overloaded.
When a security solution fails to identify a threat, this is known as a false negative. While no solution can ever be 100% effective, false negatives can undermine confidence in a product. False negatives may be resolved by a skilled SOC team closely monitoring what is happening. It is also possible to address false negatives through Layered Security, a concept that we will cover next.