When an Oregon science fiction writer named Charity tried to log onto Facebook on February 11, she found herself completely locked out of her account. A message appeared saying she needed to download Facebook’s malware scanner if she wanted to get back in. Charity couldn’t use Facebook until she completed the scan, but the file the company provided was for a Windows device—Charity uses a Mac.
“I could not actually run the software they were demanding I download and use,” she says. When she tried instead to log in from her computer at work, Facebook greeted her with the same roadblock. “Obviously there is no way for Facebook to know if my device is infected with anything, since this same message appeared on any computer I tried to access my account from,” says Charity.
A Facebook spokesperson said Charity may have been asked to download the wrong software because some malware can spoof what kind of computer a person is running. Still, Charity was left without any way to access her account. And her experience is far from unique.
The internet is full of Facebook users frustrated with how the company handles malware threats. For nearly four years, people have complained about Facebook’s anti-malware scan on forums, Twitter, Reddit, and on personal blogs. The problems appear to have gotten worse recently. While the service used to be optional, Facebook now requires it if it flags your device for malware. And according to screenshots reviewed by WIRED from people recently prompted to run the scan, Facebook also no longer allows every user to select what type of device they’re on, which ostensibly would have prevented what happened to Charity.
The malware scans likely only impact a relatively small population of Facebook’s billions of users, some of whose computers may genuinely be infected. But even a fraction of Facebook’s users still potentially means millions of impacted people. The mandatory scan has caused widespread confusion and frustration; WIRED spoke to people who had been locked out of their accounts by the scan, or simply baffled by it, on four different continents.
The mandatory malware scan has downsides beyond losing account access. Facebook users also frequently report that the feature is poorly designed, and inconsistently implemented. In some cases, if a different user logs onto Facebook from the same device, they sometimes won’t be greeted with the malware message. Similarly, if the “infected” user simply switches browsers, the message also appears to occasionally go away.
“It is actually tied to one specific Facebook user on one specific browser—if I change either to a different account, or use Safari instead of Chrome with the locked-out account, I do not get the scanner dialog,” says Anatol Ulrich, a Facebook user from Germany who was locked out of his account after sharing several Google docs in comment threads on Facebook. He, too, was prompted to download a Windows file on a Mac device.
“Our visibility into each account on a given device isn’t complete enough for us to checkpoint based only on the device, without factoring in whether the particular account is acting in a suspicious manner,” Facebook spokesperson Jay Nancarrow said in a statement. In some ways that might be comforting; Facebook doesn’t collect enough information about your computer to say whether malware has infected it.
But if Facebook doesn’t know for sure, why would it push you to clean your device? Antivirus software is a powerful tool, capable of accessing nearly everything on your computer. Some users might reasonably not want to give Facebook and its chosen cybersecurity partners that level of access. Antivirus and anti-malware software are also prone to vulnerabilities themselves; in 2016, Google’s Travis Ormandy discovered critical flaws across all of Symantec’s antivirus products, for example.
Facebook also doesn’t appear to have regularly updated its users about which partners it relies on to supply its malware scans. The social network began integrating the scans into its malware detection systems in May of 2014, and said they would be supplied by F-Secure and Trend Micro, according to the announcement blog post written at the time. In December of 2014, it added ESET, and in 2015, Facebook announced it was also adding Kaspersky Lab.
Facebook stopped working with Kaspersky last year, following reports that Russia exploited the company’s antivirus software to trawl US government systems for classified data. F-Secure says it also stopped working with Facebook last year, but the social media platform never announced the change. “Thank you for bringing this to our attention. We will update our documentation to reflect the current set of companies,” Nancarrow said in a statement.
Both ESET and Trend Micro say that they continue to work with Facebook, but stressed that they had no control over how the social network handles its scanning feature. “ESET does not have any ability to lock users out of their Facebook account, or unlock someone’s account. We recommend that people contact Facebook support for help if they experience this issue,” a spokesperson for ESET said in a statement.
Even with legitimate software partners, though, Facebook’s malware-scanner notification could encourage unsafe behavior elsewhere on the web. It “will possibly train users to accept or install fake antivirus products, most of which are ransomware,” says Mohammad Mannan, a security researcher at Concordia University who has studied antivirus vulnerabilities. “That is, you visit a random site, and get a scary popup which says your machine is infected and needs immediate cleaning; if you say yes to the installation, a ransom is asked.”
At least one person, New Zealand businessman Jack Yan, even reported that running Facebook’s malware detector caused his own antivirus to disappear in 2016. Facebook declined to comment on the record about why this may have happened. It’s possible the Kaspersky Lab antivirus software that Facebook mandated Yan use may have automatically deleted a number of other programs on his machine. After the incident, Yan penned a blog post describing his experience, which has since attracted a number of Facebook users who have experienced similar annoyances.
“Most of the folks who I have spoken to over the last couple of years have all said their systems were clean, and used their own virus and malware detectors,” says Yan. “Mine was confirmed clean at the time too.”
Mohammad Mannan, Concordia University
Facebook declined to say how many users see the malware scanner prompt, possibly because it doesn’t actually know. When the social media company stopped working with Kaspersky, it said it was “unable to easily reconstruct how many Facebook users downloaded Kaspersky software.” The only public figure is from a 2015 blog post, in which Facebook said it had “helped clean up more than two million people’s computers,” over the course of three months.
Facebook also hasn’t provided information about how it uses the data it gleams from its cybersecurity partners that conduct the malware scans. “What does Facebook collect from their antivirus partners?” asks Mannan. “An antivirus product can collect a lot of useful information from the user machine—telemetry data; beyond what Facebook gets through their website—and share it with Facebook. Facebook should make their agreements with antivirus partners public.”
Facebook tells users when they agree to conduct the scan that the data collected in the process will be used “to improve security on and off Facebook,” which is vague. The company did not immediately respond to a followup request for comment about how exactly it uses the data it collects from conducting malware checks.
Facebook has legitimate reason to want to keep malware off its service. Scammers, hackers, and even would-be cryptocurrency miners have all targeted Facebook and Facebook Messenger. But if Facebook keeps forcing its malware scans on its users, it has to commit to more transparency as well.
Upping the Antivirus
- Antivirus is an incredibly powerful tool—as one Kaspersky-using NSA employee learned the hard way
- It also has a rocky track record for vulnerabilities itself, especially on Android
- And some particularly clever attacks can even turn it into malware