Redefining Spyware

The problem with spyware is that it can be in the eye of the beholder. There are companies that decry the general problem, but have their own software report back to a central server.

This kind of thing can result in a conflict of interest: "Spyware is spyware only if I don't have a corporate interest in it." Here's the most recent example:

Microsoft's Windows AntiSpyware application is no longer flagging adware products from Claria Corp. as a threat to PC users.

Less than a week after published reports of acquisition talks between Microsoft Corp. and the Redwood City, Calif.-based distributor of the controversial Gator ad-serving software, security researchers have discovered that Microsoft has quietly downgraded its Claria detections.

If you're a user of AntiSpyware, you can fix this. Claria's spyware is now flagged as "Ignore" by default, but you can still change the action to "Quarantine" or "Remove." I recommend "Remove."

Edited to add: Actually, I recommend using a different anti-spyware program.

Posted on July 14, 2005 at 5:05 PM • 40 Comments

Comments

Davi OttenheimerJuly 14, 2005 5:58 PM

Sunbelt says "there are a number of other items that have been downgraded to "Ignore" status, including certain WhenU adware programs, WebHancer and Ezula Toptext. So the Claria downgrade is quite likely part of a bigger picture regarding Microsoft's listing criteria for adware."

http://sunbeltblog.blogspot.com/2005/07/...

Check out Benjamin Edelman's analysis over the past year of the spyware companies mentioned by Sunbelt:

http://www.benedelman.org/spyware/

You have to wonder what kind of pressure Microsoft has been recieving from the companies that Edelman studies as Spyware. Or, more to the point, Edelman's research shows that "some of the [spyware] programs I received come from big companies with major investment backing".

He suggests "my records make it possible to track down who's behind the installations -- just follow the money trail."

http://www.benedelman.org/news/010205-1.html

EricBJuly 14, 2005 6:01 PM

From other sites that I read regarding the change in MSAS to "Ignore" for Claria (and WhenU and some others) actually happened some time back (I can't find the reference right now), before the talks with Claria.

Later,

EricB

Davi OttenheimerJuly 14, 2005 6:26 PM

@EricB

Talks or no talks (Sunbelt says the "Ignore" status dates back to the end of March, long before talks supposedly began) the issue is the classification of spyware and independence.

I suggest you review Microsoft's opinion on the matter and then ask yourself whether you trust their criteria and judgement of what should be "Ignored" versus "Removed":

http://www.microsoft.com/athome/security/spyware/...

Mark J.July 14, 2005 7:01 PM

"I recommend "Remove.""
I recommend using a different anti-spyware utility, like Adaware SE or Spybot (or both). I was using MS's program, but after this BS from MS, I switched to Adaware SE.

Bruce SchneierJuly 14, 2005 7:24 PM

"From other sites that I read regarding the change in MSAS to "Ignore" for Claria (and WhenU and some others) actually happened some time back (I can't find the reference right now), before the talks with Claria."

If you could find a reference for me, I would appreciate it.

jblJuly 14, 2005 8:04 PM

"I recommend using a different anti-spyware utility, like Adaware SE or Spybot (or both). I was using MS's program, but after this BS from MS, I switched to Adaware SE."

I have been using both for some time. I was advised by the vendor of my home computer that even Spybot is set up to ignore some items it detects, though not very many. If you want to make it detect everything it knows about, here are the steps:

(1) On the Mode menu switch to "Advanced"
(2) Click the "Settings" button
(3) Select "Ignore products"
(4) Right-click in the window and "Deselect all".

This will un-check the few items which may be selected in the default configuration.

/JBL

traderJuly 14, 2005 8:13 PM

@Bruce
Which DO you recommend? I now use MSAS, Spybot S&D, & Webroot Spy Sweeper.
Probably inclined to try Sunbelt's Counter Spy instead of MSAS.
Opinions?

Bruce SchneierJuly 14, 2005 8:53 PM

I use Spybot, although I admit that I haven't done a comprehensive evaluation of them. I'm sure there are comparisons in the computer magazines.

Davi OttenheimerJuly 14, 2005 8:57 PM

@Bruce

Read this link:
http://www.microsoft.com/athome/security/spyware/...

"Microsoft offers all software companies the opportunity to request a review of how Microsoft classifies their products through our vendor dispute process. In January, Claria filed a request for Microsoft to reevaluate some of its products. Upon review of their software against our criteria, we determined that continued detection of Claria's products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors. At the end of March, we communicated to Claria the result of our analysis through our standard process."

This has been confirmed by Sunbelt:

http://sunbeltblog.blogspot.com/2005/07/...

"So we did a brief check of our database updates from Microsoft, and found the change to 'Ignore' occurred on March 31."

Hope that helps...

l_jJuly 14, 2005 9:00 PM

http://www.eweek.com/article2/...


Microsoft has broken its silence over the decision to downgrade the default recommendations in its Windows AntiSpyware product, insisting that "absolutely no exceptions" were made for Claria Corp.

Facing heavy criticisms for recommending that users "ignore" the existence of Claria's adware products, Microsoft Corp. issued a public statement to explain that the change stemmed from a review that was based on a single set of objective criteria.

"[We] decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware handles similar software from other vendors," Microsoft said.

The other AnonJuly 14, 2005 11:31 PM

As much as I'm not a fan of M$, I don't think the issue is clear yet. Apparently they changed the settings to "ignore" for all software that was clearly marked Opt-In and had some type of removal option. This was under the assumption that you must choose to put the spyware on your computer.

Wintendo is a toyJuly 14, 2005 11:42 PM

I recommend using Linux, even if only on a seperate partition in a dual boot setup for internet use only.

This whole anti-spyware/adware/trojan/rootkit/keylogger/malware situation is snowballing out of control. I still maintain a few Windows XP systems for some friends and family and I've switched the rest over to Linux (or as I mentioned above, to a dual boot setup). I used to have the patience to help people out with their Windows systems but it's just getting too out of control. Next year how many different utilities are you going to need to scan your Windows system for whatever problems exist? This is all just a direct result of the clear security failure of a closed source operating system.

(All of the text within this post is in my opinion)

Closed Source = Closed MindsJuly 15, 2005 12:51 AM

"Try running not as Admin if you don't want (or can't) do the linux thing."

LOL, and that solves what exactly? You still have a closed source OS and all the scanning programs which have to be used.

The solution is simple: use Linux online.

GrainneJuly 15, 2005 5:08 AM

M$ antispyware is so bad in never flags anything anyway!

Sure next thing they will be incorporating claria spyware or something similar into IE for whatever reason they make up!

RG3July 15, 2005 5:39 AM

@The other Anon

I've never looked myself, but according to Scott Granneman or SecurityFocus (writing in The Register - http://www.theregister.co.uk/2005/07/15/...

"a lack of uninstallers makes it impossible for the average user to get rid of this crap"

So it apparently doesn't have a remove option. Which would make setting it to "ignore" seem like a dubious decision.

Timm MurrayJuly 15, 2005 7:46 AM

I found that the best way to get rid of malware isn't with an anti-spyware/anti-virus package, but with the restore ability in WinXP. As soon as I identify that I have a virus/spyware, I boot into safe mode, tell it to load up to the last clean system state, and reboot.

Many of the viruses out there today seem to embed themselves deep within the system. Deleting the binaries of running processes isn't enough--it seems to download brand new binaries every time it detects that the old one is gone. But a system restore wipes it out.

Steve L.July 15, 2005 8:58 AM

I use and have all of my users trained to use (whether they use them regularly or not I'm not sure) Ad Aware - removal only, Spybot - both removal and prevention, and Spyware Blaster - prevention only.

Also, I have all of the IT staff using MS Antispyware Beta and we've only seen it catch a few things during its nightly scans. I'm not sure that had one of the other tools been used first that it would not have found them and deleted them.

Jon SolworthJuly 15, 2005 9:34 AM

This is an issue of misplaced descision making.

The problem is that the definition of spyware, or any other authorization based security policy, must be at the discretion of the organization which owns the computer. I may be willing to get some benefit (eg. see free movies of, um, hang gliding) in exchange for
some advertisement, you may not. I may consider some activity too dangerous, you may not.

Power to the people!

VincentJuly 15, 2005 10:19 AM

Claria's adware often comes bundled with other software, e.g. Kazaa. If you remove the Claria software, the application in came with stops working. Don't you see this as a lose-lose situation? If Microsoft recommends "Remove" and Kazaa breaks, they get blamed for breaking Kazaa. If they recommend "Ignore", they get blamed for "not detecting" spyware (even though the spyware is actually still detected).

I understand that in an ideal world, they should automatically recommend "Remove" -- but we don't live in an ideal world, unfortunately. The recommendation should say, "We recommend you remove, but based on past experience, we know that if you remove this software, you're going to screw up other programs on your system."

Even though no one at either Microsoft or Claria has said they are actually in discussions, many people, including yours, imply that the "ignore" recommendation is because Microsoft is thinking of buying them. I think you'll find that the recommendation changed before any rumors about a discussions began. I think you'll also find that other programs similar to Claria bear the same rating such that Claria isn't getting special treatment.

2dmanJuly 15, 2005 10:33 AM

@Wintendo & @Closed\ Source

I am surprised in a forum such as this to see Linux suggested as a spyware defense. It is my experience that the vast majority of spyware is (relatively) opted-in. Now, I'm as commited a Linux fan as anybody, but I'm not about to start claiming that Linux removes the ability to opt-in ;-).

If the Windows crowd moved over to Linux to do all their banking and etc., I would expect that to correlate with an increase in spyware plugins to firefox and konqueror. Linux is only "safe" in the sense that I think it represents a less vulnerable userbase (i.e., most geeks don't install browser toolbars, right?).

The Linux solution is only a temporary solution. Once a good 10-20% move, then we'll have to work on the *real* problem, which is that as long as untrained people use computers that allow them to *run*programs* (some nerve, eh?) they will be a target.

-2dman-

DonJuly 15, 2005 11:07 AM

I don't see the real surprise here. After all, these are the same clowns whose popup blocker doesn't block popups spawned with their propriatary extensions but does block the ones created with cross-platform script.

Jon SolworthJuly 15, 2005 11:21 AM

2dman writes: "Once a good 10-20% move, then we'll have to work on the *real* problem, which is that as long as untrained people use computers that allow them to *run*programs* (some nerve, eh?) they will be a target."

I don't think this the *real* problem, the problem is that its too hard to specify authorized behavior. I am untrained to use the locks on my car and house, but do so anyway and in a fairly competent way.

Once we can specify what we want, then a bit of education will not doubt be in order (just as you get a little lesson when you get an alarm system for your car/house).

Jon

jammitJuly 15, 2005 11:32 AM

I know we aren't here to flog progucts, but I've been using Lavasofts' Ad-aware for some time in conjunction with this http://www.ewido.net/en/
It seems to do a pretty good job. ewido is to spyware what grisoft is to virus.

another_bruceJuly 15, 2005 11:52 AM

i use spybot and ad-aware, but i heard recently that ad-aware caved in to something called newnet and no longer removes its spyware. microsoft has always been about making money, certainly not the security of the user. you expected it to change now?

jammitJuly 15, 2005 12:01 PM

Oops. I just rememberd something to add and apologize for wasting electrons. www.trendmicro.com/pc-cillin/ and http://www.pandasoftware.com/products/activescan/...
have free live online scans that can try to kill viruses and don't kill spyware, but let you see which ones you do have and where they're located. Trend micro also has free software for a Cool web search shredder and spyware scanner.

Davi OttenheimerJuly 15, 2005 12:02 PM

I have found some spyware is smart enough to disable Ad-Aware, whereas Spybot has yet to disappoint.

I also just tested Microsoft's AntiSpyware and discovered that it flags some actual non-revenue generating "spy" software as spyware (e.g. keystroke loggers, file activity monitors).

I wonder if this is incorrect behavior since these programs are not technically "spyware" in the sense of the distributed data-mining anti-consumer revenue-generating evil doers. Granted, they are true spy applications, but they for investigative purposes and typically installed in very small numbers by someone with admin level privileges.

Again, you have to consider who/what Microsoft considers harmful and how much it costs to get them to label your company as one of the good guys.

jammitJuly 15, 2005 12:05 PM

to: another_bruce
from: jammit "sensless electron slaughterer" I would like to state that Ad-aware added newdotnet back in as spyware.

Pat CahalanJuly 15, 2005 12:13 PM

To set the table properly -> I'm primarily a Windows sysadmin by trade, and a Linux user by preference. However, in the 10+ years I've been doing this job, I've found that all operating systems stink in one way or another (and I've tried old Mac, Mac OS X, FreeBSD, five different Linux distributions, Windows 3.1/95/98, and Windows NT/2000/XP).

The irritant with Windows isn't that it's totally unsecurable (it is, but that's not the point), it's just that it's a pain to reasonably secure it - most of the default settings are "failed open" out of the box, and a lot of the built-in assumptions are hard to work around for anybody who doesn't do this for a living.

True, I can't make my machine immune to the underlying code vulnerabilities, but if you run as a regular user rather than an admin, turn off activeX, turn off javascripting, etc. you can web browse fairly safely.

Of course, I also don't *run* anything on my Windows box like Kazaa (there are a very limited number of downloadable programs I'll install on my machine), so I'm hardly an "average user" case.

What I'm trying to say is that "just use Linux, it's a magic bullet that makes your security problems go away" is naive at best.

@ 2dman

I think your analysis is fairly spot on. Also, for what it is worth, as horrible as Microsoft is at producing something that isn't broken to begin with, in the last 2 years they have created a very effective distribution method for getting patches to the unskilled end-user machines. If you're an utter neophyte computer user and you buy a new machine now, it comes with automatic updates on, so your machine will patch itself nightly (there are problems with this, but just ignore that for a sec, I'm going somewhere with this) -> in the meantime, most Linux distributions aren't anywhere near as user-friendly to keep patched (and I see plenty of CERT warnings for Linux systems, so all the problems of code vulnerabilties exist in Linux just like they do in Windows).

If we just move all the Windows users over to Linux systems, the spy/adware people will focus on writing spy/adware programs optimized for Linux.

JulianYorkeJuly 15, 2005 2:28 PM

@Cahalan
"If we just move all the Windows users over to Linux systems, the spy/adware people will focus on writing spy/adware programs optimized for Linux."

Would this fall in the catagory of security through obscurity ( that of the use of linux for security because the general public uses windows)

Skippy McGeeJuly 15, 2005 2:31 PM

My Microsoft Anti-spyware install picks up VNC (legitimately installed) as spyware, but interestingly enough, it ignores Ad-Aware. Now I'm starting to get nervous.

Davi OttenheimerJuly 15, 2005 4:25 PM

"most Linux distributions aren't anywhere near as user-friendly to keep patched"

Bah, many are, and it is trivial (user-friendly even) to automate them with the same/similar ease as Windows.

At the end of the day, though the real difference in patching for users is that the Linux architecture inconveniences users far less (better multi-tasking with few or no required reboots/outages) and does not have the awful registry spaghetti/bloat issues to deal with. It is no wonder that Microsoft is finally starting to admit that they might discontinue the registry and adopting a UNIX-like kernel/file structure.

Davi OttenheimerJuly 15, 2005 4:55 PM

@Skippy McGee

Exactly. Programs that might have a legitimate administrative purpose on the system and have no clear commercial theft/fraud association seem to be classified as "spyware", whereas publically lambasted commercial software tracked by anti-spyware experts...yes, those are set to ignore.

Take a look at Microsoft's stated criteria:

http://www.microsoft.com/athome/security/spyware/...

Here's a relevant quote:

"In addition to the issues raised above, the presence of certain types of programs residing outside of the operating system should be brought to the user's attention. These include, but are not limited to:

• Monitoring programs, or software designed to monitor user activity, such as keystrokes typed or screen images
• Remote access programs, or software designed to provide access to a computer from a remote location

There is nothing inherently malicious or wrong with these programs, as they are often installed by the computer owner or administrator as an add-on to the basic computer configuration. However, they can pose a risk to the user's privacy if their presence is unknown or unexpected by the user."

Oh really? Does their AntiSpyware report that Microsoft's own RDP is installed? Does it detect the "remote assistance" user in XP and suggest that its access be disabled or removed? I find it interesting that they report on third-party software that has been purposefully installed (explicit policy with prompt/license required), but not their comparable programs that come hidden in the OS.

They LiveJuly 16, 2005 12:15 AM

I find it rather amusing that so many thousands (millions?) of people are willing to blindly trust various closed source programs (which claim to scan and remove various nasty code) to aid in keeping their closed source OS "secure".

Talk about pouring perfume on a pig.

GooberslotJuly 16, 2005 5:32 AM

"It is no wonder that Microsoft is finally starting to admit that they might discontinue the registry and adopting a UNIX-like kernel/file structure."

Do you have any sources to back this up? It just sounds too good to be true.

Davi OttenheimerJuly 16, 2005 3:02 PM

@Gooberslot

No. Nothing reliable. :) Due to the marketing noise everything tends to up in the air until about three to six months after final release. The Longhorn message has already had its wings clipped a few times for publically discussing exciting new Windows capabilities (that are strangely already available in Linux and OSX).

I don't know if this answers your question, but you could try digesting some of the info that has been circulating since 2003 on Longhorn as well as Blackcomb and then taking a good look at the latest Linux distros. For example, the truly amazing search/preview capabilities (especially image and video management via a fully customizable GUI) that we are starting to see on linux today, should appear in a major release statement about "Avalon" sometime at the end of the year or early 2006.

But back to the point about securing the kernel without disrupting system availability as well as limiting damage from spyware through better role-based controls, you might be interested in some Longhorn "previews" like this:

http://www.winsupersite.com/showcase/...

"Longhorn Server will include [new] Terminal Services, which frees users from dealing with remote sessions and instead lets them access individual remote applications as if they were running directly on the local system."

"Longhorn Server will include Longhorn's hot-patching feature, which lets all non-kernel updates occur without the need for a system reboot."

"Microsoft internal documentation notes that the release will include a new 'transactional file system and Registry.'"

That's the bit I was originally referring to. Microsoft is desperately trying to backpedal from the huge (security and performance) mess of a monolithic registry and move into something more reliable, like a series of distributed (text or even XML) files that can be more *easily* secured and managed, ala UNIX. It is no coincidence that even MS is releasing estimates that 90 percent of Windows applications require Administrator privileges to install and 70 percent require Administrator privileges to run:

http://msdn.microsoft.com/library/default.asp?...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..