July 11, 2005

How Good is Your Spyware Scanner?

This timely PC World article warns that various spyware scanners may intentionally stop detecting various adware programs. It's not because of any technical deficiency, but because adware companies are getting aggressive about being "delisted".

Delisting occurs when an antispyware developer removes a particular adware program from its detection database. At that point, it may not detect the program if it's installed on your PC. So why would anyone do that? Per the article: "Some adware companies, arguing that their software is benign, have petitioned anti-spyware firms to stop warning consumers about their software. Other companies have resorted to sending cease-and-desist letters that threaten legal action."

The real problem is that we users generally can't access the detection database, and won't be notified that a particular program has been delisted after a software update. While there could be good reasons for delisting (e.g., an adware developer cleaned up its software to be far less intrusive), users will have built up a certain reliance over time on a particular spyware scanner's effectiveness. Also, while a particular adware developer may have cleaned up new versions of its software, prior "nasty" versions could still abound on a number of web sites and be downloaded. Will the spyware scanner distinguish between the versions and protect against them?

Even Microsoft has been in the news today (even Slashdotted) about how Microsoft AntiSpyware downgraded the threat level of Claria's software (formerly known as "Gator" -- yes, that Gator). Here, Microsoft has the appearance of a conflict because of reports and speculation that it is looking to buy Claria. Others doubt this will really happen. Whether or not Microsoft acted appropriately is certainly clouded by the circumstances and timing. However, it illustrates how sensitive and controversial the issues have become.

These issues aren't new. Similar problems cropped up with how sites have been categorized in content blocking software, aka "censorware". Among other things, this type of software blocks young family members from accessing questionable sites. While certainly useful, it also had some questionable results. See The Censorware Project for more info. From time to time, various other sites would get caught in the "censored" net. That is, they'd be added to the list of blocked sites for having controversial or critical information posted. Some were allegedly blocked primarily because they dared to criticize the companies doing the blocking. I believe lawsuits ensued.

Regardless, the various content blocking, antivirus, and antispyware products work because we end users trust someone on the development side to find, block, and/or remove the "bad stuff". The problem is that determining exactly what counts as the "bad stuff" is somewhat subjective and requires a judgment call. Sometimes it's also influenced by "cease and desist" letters and legal threats. Some of these may be legitimate, and others are basically bullying tactics. Depending on their ability and determination to withstand such pressures, some spyware scanner developers may delist where others do not. Thus I'd advise utilizing several antispyware programs to have more complete coverage and mitigate your risk.

Obviously, antispyware developers now have more to worry about than the latest adware program. And, as a result, so do we.

Topic(s):   Privacy & Security
Posted by Jeff Beard

A solution to this problem may be off-shore based development and/or maintenance of the detection database. Preferably in a jurisdiction with strong consumer protection laws that has a loser-pays-all court system (that pretty much leaves us with some European countries, if I am not mistaken).

Send a C&D? Great, we'll ignore it. Wanna sue? Be our guest.

Posted by: JJ at July 18, 2005 02:46 PM