Big Security Guns Should Aim Carefully at Adware, Spyware

By Larry Seltzer  |  Posted 2005-03-21

Opinion: Microsoft has the right ideas and it doesn't take any guff from adware merchants. Hint to Symantec: Ctrl-H "Microsoft" TAB "Symantec" ENTER.

It's been widely recognized for some time that defining software in the "spyware" and "adware" categories is tricky business, and that these types of programs are not the unambiguous threats that viruses are. For years the big security vendors dealt with the problem by ignoring it, or perhaps by making half-hearted attempts to combat it. None of them had an anti-spyware product considered even second class. But now the big guys are stepping into the spyware business. In many ways fighting spyware and adware is exactly like the anti-virus business—the pattern and heuristic scanners these companies have created should be useful against spyware and adware—but they need to know what to scan for. That's the tricky part.

Microsoft might appear to be new to this business, but it got into it by buying the small but highly regarded anti-spyware vendor Giant Company Software, and, along with it, some savvy. A paper Microsoft just published discussing its approach to selecting programs that fit the blocking criteria for its anti-spyware products shows that sophistication.
A similar paper from Symantec shows that that company is still figuring out how to deal with the new threats. Symantec calls its framework the "Risk Impact Model" and the document is not available online yet.

I see two main differences between Microsoft's guidelines and Symantec's: First, Symantec's are geared toward formulating a score for the threat, and Microsoft's aren't. Symantec feels that one of the important goals of rules for classifying and evaluating such threats is that they produce information that users will be willing and able to use. I'm really sympathetic to this, but it concerns me too. Symantec's existing scoring for some types of threats is better than for others; for instance, its scoring for OS vulnerabilities has always struck me as very reasoned, while its scoring for viruses and Trojans is at times overstated.

A factor in the scoring, also not an issue in Microsoft's analysis, is the prevalence of a threat in the wild. You can see where something like this leads: With viruses, Symantec doesn't push out an update to all users ahead of its normal weekly schedule unless the score for that threat hits 3 out of 5. The potential malicious damage from these threats is almost always very high, but you need to get the threat out there and damaging things to get your overall score to a 3. It doesn't happen very often. Symantec, it would appear, wants to have a predictable mechanism for deciding when an out-of-cycle update is necessary.

The other difference between Microsoft's and Symantec's approaches is the attitude toward the sort of deceptive installation methods that Ben Edelman has examined recently with respect to peer-to-peer bundles and other dishonest vectors. Symantec's "Stealth" section speaks of software that installs silently, but what about the program that installs after you click Yes to a 10-page legal agreement that asked for permission to install other software on page eight? The vendor can say that you agreed to run the software, but we all know it's a phony claim.


Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
