False positives

#1
Guest
One issue I've seen with most spyware detection mechanisms I've seen is false positives.

I've posted HijackThis logs from my systems to forums, and gotten lists back of entries that folks think I should remove which include a fair number of support-channel mechanisms for various bits of software which I've knowingly installed and know about the support mechanisms for.--i.e. backweb, etc.

Even current commercial offerings--I tested Symantec's online scan on my mother-in-law's system and had several such items flagged--have this issue.

Am I off base here? Should I be removing backweb--perhaps because it is exploitable by some app other than what it was installed for? Or are the existing mechanisms flagging stuff with the expectation that the user will be intelligent enough to know what's what?

I think that such flags needlessly scare the average user, and sell software based on FUD--i.e. "On my clean system, kept up with xyz antivirus, and Ad-Aware daily, XXX anti-spyware STILL found 4 instances of spyware on my system. EVERYONE needs to immediately download and install an antispyware app."

I'm not sure I disagree with the last sentence above, although generally hate the newsgroup posts that end with a long list of apps that everyone should install and run regularly--such prescriptions are more than many average users can handle, I believe.

So--maybe Giant, as Microsoft integrates it, will be simpler--here's hoping!

#2
Guest
Bill,

I agree. I think whoever named the program 'backweb' should be flogged. It's too close to backdoor, backorifice etc. to make someone feel comfy leaving it in.

Ron Chamberlin

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:OiQksgF8EHA.1600@cpmsftngsa05.privatenews.microsoft.com...
> One issue I've seen with most spyware detection mechanisms I've seen is false positives.
>
> I've posted HijackThis logs from my systems to forums, and gotten lists back of entries that folks think I should remove which include a fair number of support-channel mechanisms for various bits of software which I've knowingly installed and know about the support mechanisms for.--i.e. backweb, etc.

#3
Guest
Bill Sanderson wrote on 01-Jan-2005 3:16 PM:
> Am I off base here? Should I be removing backweb--perhaps because it is exploitable by some app other than what it was installed for? Or are the existing mechanisms flagging stuff with the expectation that the user will be intelligent enough to know what's what?
>
> I think that such flags needlessly scare the average user, and sell software based on FUD--i.e. "On my clean system, kept up with xyz antivirus, and Ad-Aware daily, XXX anti-spyware STILL found 4 instances of spyware on my system. EVERYONE needs to immediately download and install an antispyware app."

I think the variability comes from differing definitions of malware. See? I use "malware" since I feel that "spyware" doesn't cover all the unwelcome software that gets onto folks' computers.

Backweb is a type of spyware, but since it comes with legitimate software and may be required for that software to run, I don't think it fits the definition of malware (although, since most folks don't read license agreements all the way through, it *is* a problem to some degree).

What the Microsoft tool requires is to group suspicious software together with the application that installed it. So, for example, Kazaa would have all the spyware that it installed listed along with Kazaa so that all could be removed in a group. Backweb could be associated with the vendor or OEM which installed it (assuming this information can be determined).

The grouping would help the user identify applications that would break if the suspicious software was removed. I believe the MS Research folks already group suspicious software into groups in this way.

--
Kent

#4
Guest

"Kent W. England" <kwe@mvps.org> wrote in message news:eK7mZOU8EHA.1600@cpmsftngsa05.privatenews.microsoft.com...
> I think the variability comes from differing definitions of malware. See? I use "malware" since I feel that "spyware" doesn't cover all the unwelcome software that gets onto folks' computers.
>
> Backweb is a type of spyware, but since it comes with legitimate software and may be required for that software to run, I don't think it fits the definition of malware (although, since most folks don't read license agreements all the way through, it *is* a problem to some degree).
>
> What the Microsoft tool requires is to group suspicious software together with the application that installed it. So, for example, Kazaa would have all the spyware that it installed listed along with Kazaa so that all could be removed in a group. Backweb could be associated with the vendor or OEM which installed it (assuming this information can be determined).
>
> The grouping would help the user identify applications that would break if the suspicious software was removed. I believe the MS Research folks already group suspicious software into groups in this way.

That's reassuring, and I expect we will know more soon.

Along (peripherally, anyway) these lines, I might mention that the latest version of the script "Silent Runners.vbs", rev 29, available here:

http://www.silentrunners.org/Silent%20Runners.vbs

lists among its improvements better parsing to show the copyright/vendor information for each item, and I can attest that the result is easier to read and determine the "ownership" of the various items.

#5
Guest
As President of PCS (Personal Communication Systems, Inc.) we manufacture software that is installed in the "...Program Files/PCS" directory. Microsoft ASSUMES that since this directory can also be created by a program called "PC Spy" that the mere PRESENCE of this directory indicates the presence of spyware. Wazzup with that? How about some due diligence in checking for the presence of the actual executable by PC Spy before recommending deleting all files (including TXT, DLL and PDF files)? What if I worked for "Private Commercial Shipping" and kept all my important documents in the ".../PCS" directory - ZAP - gone in one fell swoop? PLEASE MICROSOFT - FIX THIS BEFORE MORE OF OUR CUSTOMERS CALL AND COMPLAIN THAT THE PRODUCTS THEY PURCHASE FROM US HAVE BEEN UNINSTALLED BY YOU! If anyone with authority reads this - PLEASE contact me directly AJ@PhoneTree.com.

>-----Original Message-----
>One issue I've seen with most spyware detection mechanisms I've seen is false positives.
>
>I've posted HijackThis logs from my systems to forums, and gotten lists back of entries that folks think I should remove which include a fair number of support-channel mechanisms for various bits of software which I've knowingly installed and know about the support mechanisms for.--i.e. backweb, etc.
>
>Even current commercial offerings--I tested Symantec's online scan on my mother-in-law's system and had several such items flagged--have this issue.
>
>Am I off base here? Should I be removing backweb--perhaps because it is exploitable by some app other than what it was installed for? Or are the existing mechanisms flagging stuff with the expectation that the user will be intelligent enough to know what's what?
>
>I think that such flags needlessly scare the average user, and sell software based on FUD--i.e. "On my clean system, kept up with xyz antivirus, and Ad-Aware daily, XXX anti-spyware STILL found 4 instances of spyware on my system. EVERYONE needs to immediately download and install an antispyware app."
>
>I'm not sure I disagree with the last sentence above, although generally hate the newsgroup posts that end with a long list of apps that everyone should install and run regularly--such prescriptions are more than many average users can handle, I believe.
>
>So--maybe Giant, as Microsoft integrates it, will be simpler--here's hoping!
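
The check post #5 asks for, as an added example that is not part of the thread or of any product's code: a directory-only signature beside one that needs a known executable as corroboration and limits removal to the matched files. File names, contents and hashes are constructed, and `Signature`, `naive_scan` and `corroborated_scan` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Signature:
    name: str
    install_dir: PureWindowsPath  # directory the threat is known to create
    exe_sha256: frozenset         # SHA-256 of the threat's known executables


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def under(path: str, directory: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, like Windows file systems.
    return directory in PureWindowsPath(path).parents


def naive_scan(sig: Signature, files: dict) -> dict:
    """Directory presence alone: flags, and targets every file below it."""
    hits = sorted(p for p in files if under(p, sig.install_dir))
    return {"flagged": bool(hits), "remove": hits}


def corroborated_scan(sig: Signature, files: dict) -> dict:
    """Flag only when a known executable is present; target only those files."""
    hits = sorted(p for p, data in files.items()
                  if under(p, sig.install_dir) and sha256(data) in sig.exe_sha256)
    return {"flagged": bool(hits), "remove": hits}


# Constructed sample data: contents, hashes and file names are invented.
PC_SPY_EXE = b"constructed stand-in for the PC Spy executable"
SIG = Signature("PC Spy", PureWindowsPath("Program Files/PCS"),
                frozenset({sha256(PC_SPY_EXE)}))
VENDOR_HOST = {  # legitimate product that shares the directory name
    "Program Files/PCS/vendor_app.exe": b"constructed legitimate binary",
    "Program Files/PCS/manual.pdf": b"%PDF constructed",
    "Program Files/PCS/readme.txt": b"constructed notes",
}
INFECTED_HOST = {**VENDOR_HOST, "program files/pcs/pcspy.exe": PC_SPY_EXE}

if __name__ == "__main__":
    for label, host in (("vendor", VENDOR_HOST), ("infected", INFECTED_HOST)):
        print(label, "naive:", naive_scan(SIG, host))
        print(label, "corroborated:", corroborated_scan(SIG, host))
```

A hash match is only one form of corroboration; the point is that the removal list is built from matched files, so documents and unrelated binaries in a shared directory are never candidates.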

#6
Guest
Replied in another group and via email.

<anonymous@discussions.microsoft.com> wrote in message news:082a01c4f82f$527f43c0$a601280a@phx.gbl...
> As President of PCS (Personal Communication Systems, Inc.) we manufacture software that is installed in the "...Program Files/PCS" directory. Microsoft ASSUMES that since this directory can also be created by a program called "PC Spy" that the mere PRESENCE of this directory indicates the presence of spyware. Wazzup with that? How about some due diligence in checking for the presence of the actual executable by PC Spy before recommending deleting all files (including TXT, DLL and PDF files)? What if I worked for "Private Commercial Shipping" and kept all my important documents in the ".../PCS" directory - ZAP - gone in one fell swoop? PLEASE MICROSOFT - FIX THIS BEFORE MORE OF OUR CUSTOMERS CALL AND COMPLAIN THAT THE PRODUCTS THEY PURCHASE FROM US HAVE BEEN UNINSTALLED BY YOU! If anyone with authority reads this - PLEASE contact me directly AJ@PhoneTree.com.
>
>>-----Original Message-----
>>One issue I've seen with most spyware detection mechanisms I've seen is false positives.
>>
>>I've posted HijackThis logs from my systems to forums, and gotten lists back of entries that folks think I should remove which include a fair number of support-channel mechanisms for various bits of software which I've knowingly installed and know about the support mechanisms for.--i.e. backweb, etc.
>>
>>Even current commercial offerings--I tested Symantec's online scan on my mother-in-law's system and had several such items flagged--have this issue.
>>
>>Am I off base here? Should I be removing backweb--perhaps because it is exploitable by some app other than what it was installed for? Or are the existing mechanisms flagging stuff with the expectation that the user will be intelligent enough to know what's what?
>>
>>I think that such flags needlessly scare the average user, and sell software based on FUD--i.e. "On my clean system, kept up with xyz antivirus, and Ad-Aware daily, XXX anti-spyware STILL found 4 instances of spyware on my system. EVERYONE needs to immediately download and install an antispyware app."
>>
>>I'm not sure I disagree with the last sentence above, although generally hate the newsgroup posts that end with a long list of apps that everyone should install and run regularly--such prescriptions are more than many average users can handle, I believe.
>>
>>So--maybe Giant, as Microsoft integrates it, will be simpler--here's hoping!