False positives

Bill Sanderson

One issue I've seen with most spyware detection mechanisms is false
positives.

I've posted HijackThis logs from my systems to forums, and gotten lists back
of entries that folks think I should remove which include a fair number of
support-channel mechanisms for various bits of software which I've knowingly
installed and know about the support mechanisms for--i.e., backweb, etc.

Even current commercial offerings--I tested Symantec's online scan on my
mother-in-law's system and had several such items flagged--have this issue.

Am I off base here? Should I be removing backweb--perhaps because it is
exploitable by some app other than what it was installed for? Or are the
existing mechanisms flagging stuff with the expectation that the user will
be intelligent enough to know what's what?

I think that such flags needlessly scare the average user, and sell software
based on FUD--i.e. "On my clean system, kept up with xyz antivirus, and
Ad-Aware daily, XXX anti-spyware STILL found 4 instances of spyware on my
system. EVERYONE needs to immediately download and install an antispyware
app."

I'm not sure I disagree with the last sentence above, although I generally
hate the newsgroup posts that end with a long list of apps that everyone
should install and run regularly--such prescriptions are more than many
average users can handle, I believe.

So--maybe Giant, as Microsoft integrates it, will be simpler--here's hoping!

Ron Chamberlin-MVP

Bill,
I agree. I think whoever named the program 'backweb' should be flogged.
It's too close to backdoor, backorifice etc. to make someone feel comfy
leaving it in.

Ron Chamberlin

Kent W. England

Bill Sanderson wrote on 01-Jan-2005 3:16 PM:
Am I off base here? Should I be removing backweb--perhaps because it is
exploitable by some app other than what it was installed for? Or are the
existing mechanisms flagging stuff with the expectation that the user will
be intelligent enough to know what's what?

I think that such flags needlessly scare the average user, and sell software
based on FUD--i.e. "On my clean system, kept up with xyz antivirus, and
Ad-Aware daily, XXX anti-spyware STILL found 4 instances of spyware on my
system. EVERYONE needs to immediately download and install an antispyware
app."

I think the variability comes from differing definitions of malware.
See? I use "malware" since I feel that "spyware" doesn't cover all the
unwelcome software that gets onto folks' computers.

Backweb is a type of spyware, but since it comes with legitimate
software and may be required for that software to run, I don't think it
fits the definition of malware (although, since most folks don't read
license agreements all the way through, it *is* a problem to some degree).

What the Microsoft tool requires is to group suspicious software
together with the application that installed it. So, for example, Kazaa
would have all the spyware that it installed listed along with Kazaa so
that all could be removed in a group. Backweb could be associated with
the vendor or OEM which installed it (assuming this information can be
determined).

The grouping would help the user identify applications that would break
if the suspicious software was removed. I believe the MS Research folks
already group suspicious software into groups in this way.

Bill Sanderson

Kent W. England said:
I think the variability comes from differing definitions of malware. See?
I use "malware" since I feel that "spyware" doesn't cover all the
unwelcome software that gets onto folks' computers.

Backweb is a type of spyware, but since it comes with legitimate software
and may be required for that software to run, I don't think it fits the
definition of malware (although, since most folks don't read license
agreements all the way through, it *is* a problem to some degree).

What the Microsoft tool requires is to group suspicious software together
with the application that installed it. So, for example, Kazaa would have
all the spyware that it installed listed along with Kazaa so that all
could be removed in a group. Backweb could be associated with the vendor
or OEM which installed it (assuming this information can be determined).

The grouping would help the user identify applications that would break if
the suspicious software was removed. I believe the MS Research folks
already group suspicious software into groups in this way.

That's reassuring, and I expect we will know more soon.

Along (peripherally, anyway) these lines, I might mention that the latest
version of the script "Silent Runners.vbs", rev 29, available here:

http://www.silentrunners.org/Silent Runners.vbs

lists among its improvements better parsing to show the copyright/vendor
information for each item, and I can attest that the result is easier to
read and determine the "ownership" of the various items.

Guest

As President of PCS (Personal Communication Systems,
Inc.) we manufacture software that is installed in
the "...Program Files/PCS" directory. Microsoft ASSUMES
that since this directory can also be created by a
program called "PC Spy" that the mere PRESENCE of this
directory indicates the presence of spyware. Wazzup with
that? How about some due diligence in checking for the
presence of the actual executable by PC Spy before
recommending deleting all files (including TXT, DLL and
PDF files)? What if I worked for "Private Commercial
Shipping" and kept all my important documents in
the ".../PCS" directory - ZAP - gone in one fell swoop?
PLEASE MICROSOFT - FIX THIS BEFORE MORE OF OUR CUSTOMERS
CALL AND COMPLAIN THAT THE PRODUCTS THEY PURCHASE FROM US
HAVE BEEN UNINSTALLED BY YOU! If anyone with authority
reads this - PLEASE contact me directly (e-mail address removed).
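To make the poster's complaint concrete, here is an added illustration (not code from this thread or from any product it names) of the difference between a directory-presence heuristic and a check that corroborates with the actual executable before proposing any removal. The executable name, the file layout and the temporary "Program Files" tree are constructed assumptions for the example.

```python
import tempfile
from pathlib import Path

# Hypothetical filename used only for this example: the thread does not
# name the executable that "PC Spy" installs, so this is a placeholder.
PCSPY_EXE = "pcspy_placeholder.exe"
SUSPECT_DIR = "PCS"  # the shared "Program Files/PCS" name from the thread


def weak_rule(program_files: Path) -> list:
    """Directory-presence heuristic: if PCS exists, every file under it is
    flagged, whatever it actually contains (TXT, DLL, PDF included)."""
    target = program_files / SUSPECT_DIR
    if not target.is_dir():
        return []
    return sorted(p for p in target.rglob("*") if p.is_file())


def corroborated_rule(program_files: Path) -> list:
    """Requires the known executable to be present before recommending any
    removal, and scopes the recommendation to that executable alone."""
    exe = program_files / SUSPECT_DIR / PCSPY_EXE
    return [exe] if exe.is_file() else []


def build_tree(files: dict) -> Path:
    """Constructed sample layout: a temporary 'Program Files' root."""
    root = Path(tempfile.mkdtemp())
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


def compare(files: dict) -> tuple:
    """Returns (weak_count, corroborated_count) for a constructed layout."""
    root = build_tree(files)
    return len(weak_rule(root)), len(corroborated_rule(root))


# Legitimate vendor install: documents and a DLL, no PC Spy executable.
LEGIT = {"PCS/readme.txt": "notes", "PCS/pcs.dll": "x", "PCS/manual.pdf": "y"}
# Same directory name, but the (placeholder) spyware executable is present.
INFECTED = dict(LEGIT, **{"PCS/" + PCSPY_EXE: "z"})

if __name__ == "__main__":
    print("legit   :", compare(LEGIT))     # weak flags 3 files, corroborated 0
    print("infected:", compare(INFECTED))  # weak flags 4 files, corroborated 1
```

The weak rule produces exactly the false positive described above: a clean vendor directory yields three deletion candidates, while the corroborated rule yields none until the executable itself is found.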

Bill Sanderson

Replied in another group and via email.

As President of PCS (Personal Communication Systems,
Inc.) we manufacture software that is installed in
the "...Program Files/PCS" directory. Microsoft ASSUMES
that since this directory can also be created by a
program called "PC Spy" that the mere PRESENCE of this
directory indicates the presence of spyware. Wazzup with
that? How about some due diligence in checking for the
presence of the actual executable by PC Spy before
recommending deleting all files (including TXT, DLL and
PDF files)? What if I worked for "Private Commercial
Shipping" and kept all my important documents in
the ".../PCS" directory - ZAP - gone in one fell swoop?
PLEASE MICROSOFT - FIX THIS BEFORE MORE OF OUR CUSTOMERS
CALL AND COMPLAIN THAT THE PRODUCTS THEY PURCHASE FROM US
HAVE BEEN UNINSTALLED BY YOU! If anyone with authority
reads this - PLEASE contact me directly (e-mail address removed).