It's been widely recognized for some time that defining software in the "spyware" and "adware" categories is tricky business, and that these types of programs are not the unambiguous threats that viruses are.
For years the big security vendors dealt with the problem by ignoring it, or perhaps by making half-hearted attempts to combat it. None of them had an anti-spyware product considered even second class.
But now the big guys are stepping into the spyware business. In many ways fighting spyware and adware is exactly like the anti-virus business—the pattern and heuristic scanners these companies have created should be useful against spyware and adware—but they need to know what to scan for. That's the tricky part.
Microsoft might appear to be new to this business, but it got into it by buying the small but highly regarded anti-spyware vendor Giant Company Software, and, along with it, some savvy. A paper Microsoft just published discussing its approach to selecting programs that fit the blocking criteria for its anti-spyware products shows that sophistication.
A similar paper from Symantec shows that that company is still figuring out how to deal with the new threats. Symantec calls its framework the "Risk Impact Model" and the document is not available online yet.
I see two main differences between Microsoft's guidelines and Symantec's: First, Symantec's are geared toward formulating a score for the threat, and Microsoft's aren't.
Symantec feels that one of the important goals of rules for classifying and evaluating such threats is that they produce information that users will be willing and able to use.
I'm really sympathetic to this, but it concerns me too. Symantec's existing scoring for some types of threats is better than for others; for instance, its scoring for OS vulnerabilities has always struck me as very reasoned, while its scoring for viruses and Trojans is at times overstated.
A factor in the scoring, also not an issue in Microsoft's analysis, is the prevalence of a threat in the wild. You can see where something like this leads: With viruses, Symantec doesn't push out an update to all users ahead of its normal weekly schedule unless the score for that threat hits 3 out of 5. The potential malicious damage from these threats is almost always very high, but you need to get the threat out there and damaging things to get your overall score to a 3.
It doesn't happen very often. Symantec, it would appear, wants to have a predictable mechanism for deciding when an out-of-cycle update is necessary.
The other difference between Microsoft's and Symantec's approaches is the attitude toward the sort of deceptive installation methods that Ben Edelman has examined recently with respect to peer-to-peer bundles and other dishonest vectors.
Symantec's "Stealth" section speaks of software that installs silently, but what about the program that installs after you click Yes to a 10-page legal agreement that asked for permission to install other software on page eight? The vendor can say that you agreed to run the software, but we all know it's a phony claim.