Think twice before making them

Have you ever allowed some “exceptions” to slip through the cracks, even after your security software warned you that it wasn’t safe to do so? Probably – it’s a safe bet that most people have. But while you might think that you know better than the software — or you might just really want to access that thing you downloaded — adding too many exceptions can be really dangerous. And even if you’ve gotten away virus-free so far, that doesn’t mean your luck is going to hold. 

Most digital infections occur because a person took a direct action that led to the infection. Sometimes it’s through social engineering, like a phishing attack that gets you to click on something. Sometimes it’s because you downloaded something you shouldn’t have. Or sometimes it’s from clicking an email attachment. Whatever the delivery method, your device likely got infected because of an action you took. 

In some cases, people are doing something that they know is questionable, immoral, or even illegal, like downloading pirated software, cracked games, or pirated TV shows. Those people might think that they’re getting the warning pop-up because they’re breaking the law, but they’re actually getting it because the file is infected. 

You might think you have nothing to hide or that you’re not important enough to be targeted by malware. But it’s exactly that attitude that leaves you more vulnerable to attack, because cybercriminals rely on that type of thinking. They know that the average user isn’t being super vigilant, which makes them an easier and cheaper target. Or, think about it this way: your data might be pretty much worthless, but that does not mean bad guys can’t sell it.

Exceptions that shouldn’t be exceptions

In 2020, the Avast Threat Labs team detected cryptomining malware inside of cracked games and key generators. Attempts to download the malware — which the team named CoinHelper — were detected on more than 220,000 Avast users’ devices from the beginning of 2020 to the end of 2021. While most of the attempted downloads were through pirated software and torrents, the team also detected it in clean software distributed through unofficial sources. 

The Threat Labs team detected another piece of malware, which they named Crackonosh, midway through 2021. Like CoinHelper, Crackonosh was distributed via infected files in illegal, cracked software. As part of its anti-detection and anti-forensics methods, Crackonosh tried to disable antivirus programs, including Avast, Windows Defender, Windows Updates, and more.

Every Avast user who attempted to download a file that contained CoinHelper or Crackonosh was given a pop-up warning that they were about to be infected. But, unfortunately, some users chose to ignore that warning and create an exception anyway. Bad move.

Antivirus isn’t here to police your actions; we’re here to provide protection against cybercriminals. So if you see that little pop-up when you’re doing something you know you probably shouldn’t be doing, pay attention. It could mean the difference between a nasty infection and getting off virus-free.

Creating an exception because you think it’s a false positive

Other times, people think that the warning is a “false positive” that’s detecting something as malware when it actually isn’t. And while most of the detections Avast makes are accurate, sometimes a false positive does slip through.  

At Avast, we take false positives seriously and we evaluate each case as fast as possible. But, please, let us make the assessment about whether or not it’s actually a false positive – we have the equipment to do so and you’re really rolling the dice if you choose to download anyway. When in doubt, you can always report the false positive directly from the detection, from the quarantine, or you can reach us on our forum as well as fill in an official false positive form on our web.

Creating dangerous exceptions

And, finally, some people choose to make dangerous exceptions that exclude an entire drive on their device, perhaps because they routinely download illegal or cracked files. Many choose to exclude C: drive and we’ve even seen a user exclude C:, D:, and E: drives, effectively disabling their File Shield protection on the whole computer. That move leaves your antivirus significantly weakened and leaves you open to all kinds of attacks.

How to stay safe from dangerous exceptions

So if exceptions create such a potential risk for users, why do cybersecurity companies allow for them at all? Well, there are circumstances in which exceptions make sense, like when an advanced user who, for example, wants to tweak something on their system/network or even use a hack tool for security purposes. Avast might detect usage of such a tool because it is frequently misused by bad actors.

But, for the average user, best practices is to allow for as few exceptions as possible. Think twice before you add anything to exceptions, even if our detection dialogue annoys you in the moment. Take a deep breath, and ask:

• Where did I download the software from? Can the source be trusted? Spending just a few minutes to retrace your steps will keep your PC safe in the long run.
• Is the software from a well-known company or a shady website? There are copycat websites that could trick you into downloading malware.
• Is the software asking me to change the settings of my antivirus? In order to infect your PC with their malware, cybercriminals will recommend adding exceptions. 
• Did a stranger ask me to install the software? There is always a higher risk of infection when someone tries to persuade you to install software.
• Did I download the software from torrents or unofficial forums? Files downloaded from unofficial sources are more likely to be infected with malware. Antivirus doesn’t police your actions, it protects you against cybercriminals. If we detect something, we think it is malicious.

At the end of the day, antivirus products are here to protect you – so leave it to our team’s experts to keep you safe. After all, you never know what might be hiding out there in the dark.