How Windows Defender identifies spyware and potentially unwanted software

Identifying and analyzing spyware is a complex challenge. New forms of spyware are constantly under development, and the same technology that can make spyware malicious and unwanted also appears in software that users want to keep and use on their computers, such as antivirus software. It's not always possible for software to determine whether a program is something the customer wants to preserve or remove.

Microsoft addresses these challenges in two ways:

  • Microsoft works with other industry leaders to share best practices for how to identify and analyze spyware.

  • Microsoft helps ensure that customers have the information and tools they need to decide which software they allow to download and install on their computers.

The term malicious software refers to programs that demonstrate illegal, viral, fraudulent, or malicious behavior. Windows Defender helps identify and block known malicious spyware programs; for programs that it identifies as legitimate, it asks you to choose whether you want to install them, and for programs that have not yet been analyzed and defined, it recommends that you don't install them.

You can also participate in the worldwide network Microsoft has created for users to submit suspected new spyware or unwanted software for analysis. This helps identify malicious programs to add to the Windows Defender definition list.

Microsoft adds software that is determined to be malicious to a definition library of spyware. This definition library contains a database of spyware threat files and settings. When Microsoft researchers identify new threats, they create new definitions and add them to the library. Microsoft releases definition updates regularly to users to help provide protection for computers and personal information.

See an illustration of the Windows Defender antispyware cycle.

How Microsoft researchers analyze software programs

Microsoft researchers examine software from several perspectives:

  • Context, intent, and source of the program

  • Behaviors that the program exhibits

  • Evaluation against criteria that range from consumer opinion to the software's impact on computer performance, user security, and privacy

(New forms of spyware and other unwanted software are developed and distributed rapidly. As a result, Microsoft reserves the right to adjust, expand, and update its criteria for analysis without prior notice or announcements.)

Context and intent of the software
Many behaviors associated with spyware are also used for legitimate purposes. For example, spyware typically starts automatically, but the same is true of antivirus and firewall software. Both spyware and legitimate software can be set to start automatically when they are loaded (a feature called "autostart") and both can provide automatic updating at the user's convenience. However, legitimate software should provide a clear way to turn these settings off or on, or to change them.

Source of the software
Microsoft also reviews the behaviors of programs that are installed by specific software vendors and their third-party affiliates. Researchers determine whether the vendors, the affiliates, or both should be included in the definition library.

Software behaviors
Software behaviors are rated by their potential for harm and disruption. For instance, worm-like behavior is rated as extremely risky. Pop-up behaviors ("adware") are characterized as having less potential for harm, but having the potential to disrupt the user.

Five evaluation criteria

Microsoft researchers use the following categories to determine whether to add a program to the definition library for detection, and what classification type, risk level, and recommendation to give it.

  • Deceptive behaviors: The software runs processes or programs on the user's computer without notification or consent. The software prevents users from controlling its actions while it runs on the computer. The software prevents users from uninstalling or removing the program.

  • Privacy: The software collects, uses, or communicates the user's personal information and behaviors (such as web browsing habits) without explicit consent.

  • Security: The software attempts to circumvent or disable security features on the user's computer, or otherwise compromises the computer's security.

  • Performance: The software undermines performance, reliability, and quality of the user's computing experience with slow computer speed, reduced productivity, or corruption of the operating system.

  • Industry and consumer opinion: Microsoft considers the input from software industry and individual users as a key factor to help identify new behaviors and programs that might present risks to the user's computing experience.

Deceptive behaviors: lack of notice and consent

Users must be notified about what is happening on their computers, including what a program does and whether it is active.

Software that exhibits poor notice:

  • Fails to provide information about its publisher, website of origin, or similar information.

  • Fails to present an end-user license agreement in the course of the user's normal computing experience.

  • Fails to provide prominent notice about the behavior of the program and its purpose and intent.

  • Fails to clearly indicate when the program is active, including attempts to hide or disguise its presence.

Software that exhibits poor consent:

  • Installs, reinstalls, or removes software without user permission, interaction, or consent. This includes actions by third-party affiliates of the software vendor.

  • Initiates an outbound connection (modem, Internet, etc.) without user consent.

  • Installs other software without a clear indication of its relationship to the primary program.

  • Restores registry keys or file entries that the user has removed.

  • Fails to provide explicit opt-in choices for the collection of user-specific information (beyond the posting of licensing terms). Notifying a user about the existence of licensing terms is not considered a sufficient means of receiving their consent for the functionality included in the program.

Deceptive behaviors: lack of control

Users must be able to control programs on their computer. They must be able to start, stop, and otherwise revoke authorization to a program.

Software that exhibits lack of control:

  • Resists user attempts to close or remove a program.

  • Opens browser windows without authorization.

  • Starts processes that cannot be manually terminated by the user.

  • Redirects or blocks searches, queries, user-entered URLs, or access to other sites without clear notification and user consent.

  • Initiates autostart or auto update behavior without user consent.

Autostart and auto update
Autostart and auto update functions can take control away from users and give greater control to programs. These behaviors are not inherently malicious or wrong, but they can be problematic. Additionally, programs that exhibit these behaviors usually lack a user interface, so users probably do not know that the program is running, how to turn it off, or even whether it can be turned off.

In analyzing the context and intent of a program, Microsoft takes into consideration not only the degree to which users know that these programs are operating, but also their ability to maintain a reasonable level of control over these functions.

Pop-ups and programs that deliver advertising
Pop-ups and other advertising programs that promote a product or service for commercial purposes are prevalent forms of software that interfere with the user's computing experience.

Pop-ups and other advertising programs:

  • Appear independently, outside the context of the program, website, or other source that the pop-ups are promoting.

  • Fail to offer clear attribution of their source.

  • Contain false or deceptive content.

  • Provide limited or no user controls, making it difficult for users to close or delete the programs.

Windows Defender alerts the user to the presence of automatic pop-up advertising that appears outside the context of the program they are currently using, regardless of whether the pop-up provides attribution. Users are also notified of programs that generate pop-ups that are not clearly under their control.

Deceptive behaviors: installation and removal

Users must be able to start, stop, and otherwise revoke authorization to a program. Programs should obtain appropriate consent from users before installing, and the program must provide a clear and straightforward way for the user to install, uninstall, or disable it.

Software that exhibits a poor installation experience:

  • Uses naming that could be confused with other software programs or is otherwise misleading or deceptive.

  • Installs in an obscure directory.

  • Installs an ActiveX control without a prominent setup experience.

  • Uses deceptive prompts to entice users to download or install software.

  • Hides or fails to identify additional software that is bundled with the software that is intended for download.

Software that exhibits a poor removal experience:

  • Fails to provide Help information for uninstalling the program.

  • Fails to use standard install/uninstall features, such as Add/Remove Programs.

  • Requires downloading a separate uninstaller from a website or connecting to the Internet to uninstall.

  • Presents a large number of confusing or deceptive prompts or pop-ups when attempting to uninstall software.

  • Fails to remove or disable a program at the request of a user.

  • Removes the System Restore Utility, Control Panel, or elements of these features, or hides these features from the user's view.

  • Removes or disables other software without user notification or consent.

Bundled programs
Some software comes "bundled" with additional software, which can contain extra features related to the software or provide unrelated functions. Terms related to all the software in a bundle should be discussed in the license agreement. Programs must list the bundled programs that are required to run concurrently for the software to work, as well as all other practical implications of the license agreement.

Bundled software can indicate malicious software if the relationship between the bundled programs is not made clear to the user. For example:

  • The user should know if Programs X, Y, and Z are bundled components of Program A. Otherwise, the user won't know why they are on the computer (the user might only know about the installation of Program A).

  • The user must have the option to remove Programs X, Y, and Z when the user removes Program A.

  • The user must be informed before installing Program A if it will not work without also installing Programs X, Y, and Z on the computer.

Privacy

Users generally want to maintain control over their personal information. They expect to determine how their personal information is collected, used, and communicated to others—whether it's in communication with individuals or companies, or in commercial transactions. Privacy also includes the freedom from unwanted communications.

Software that exhibits poor privacy practices:

  • Fails to provide an easily accessible privacy policy that explains data collection and other practices used by the program or site.

  • Tracks web browsing behavior without explicit user permission.

  • Requires additional information before it can be uninstalled, such as a user's e-mail address or contact information.

  • Allows user communications to be monitored, redirected, or changed without notice and consent.

  • Employs software that breaks the encryption, authorization, or non-repudiation of data, or all three, without authorization.

Some types of programs reside outside the operating system but can also have an impact on user privacy. These include, but are not limited to:

  • Monitoring programs: software that monitors user activity by recording keystrokes typed, screen images displayed, or other identifiable elements.

  • Remote access programs: software designed to provide control over a computer from a remote location.

Note: Monitoring and remote access programs are not necessarily malicious. Parental controls can feature keystroke monitors, and remote access programs are often installed by business computer owners or administrators as add-ons to basic computer configurations. But these programs can pose a risk to the user's privacy if the user doesn't expect or know about their presence.

Security

Users must be able to expect their systems to remain resilient amid increasingly frequent and sophisticated network attacks. They should be able to maintain their system and data confidentiality, integrity, and availability.

Software that exhibits poor security practices:

  • Disables or interferes with firewalls, antivirus software, or other security software.

  • Exploits security vulnerabilities.

  • Changes operating system or software security settings (such as web browser security settings) without user consent.

  • Makes key configuration changes (such as modifications to the startup registry, the hosts file, or security settings) without user consent.

  • Initiates an outbound connection (such as a modem or Internet connection) without user consent.

  • Runs in a mode that hides processes from the user or from the computer's system tools.

  • Opens a port on the computer without user knowledge.

  • Provides incentives to third parties to illegally or unethically distribute software. This includes, but is not limited to, malicious software.
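
Three of the behaviors listed under lack of control, poor removal experience, and poor security practices (autostart entries, hosts-file changes, and programs that cannot be removed through Add/Remove Programs) can be checked on a single machine with a read-only script. The following PowerShell audit is an added example, not Microsoft's or Windows Defender's code; it assumes PowerShell 3.0 or later (for -notin) and the standard registry locations for Run/RunOnce and Uninstall entries, and it only reads the system so a person can review the output.

```powershell
# Added example, not Microsoft's code: a read-only audit of three behaviours the
# criteria on this page single out (autostart entries, hosts-file changes, and
# programs that cannot be removed through Add/Remove Programs). Nothing here
# changes the system; the output is meant for a person to review.

function Get-AutostartEntries {
    # Classic per-machine and per-user Run/RunOnce keys.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-NonLocalhostHostsEntries {
    # Entries that do not map to localhost can redirect or block sites silently.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }
        $fields = $line -split '\s+'
        if ($fields[0] -notin @('127.0.0.1', '::1')) {
            [pscustomobject]@{ Address = $fields[0]; Hostname = $fields[1] }
        }
    }
}

function Get-ProgramsWithoutUninstaller {
    # Registered programs with no UninstallString cannot be removed via Add/Remove Programs.
    $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.UninstallString } |
        Select-Object DisplayName, Publisher, InstallLocation
}

Write-Host '== Autostart entries (Run/RunOnce) =='
Get-AutostartEntries | Format-Table -AutoSize | Out-Host
Write-Host '== Hosts entries not pointing at localhost =='
Get-NonLocalhostHostsEntries | Format-Table -AutoSize | Out-Host
Write-Host '== Installed programs without an uninstall string =='
Get-ProgramsWithoutUninstaller | Format-Table -AutoSize | Out-Host
```

An entry in any of the three lists is not by itself evidence of unwanted software; the criteria above turn on whether the user was notified and consented, so compare the output against what the user knowingly installed.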

Malicious software
The security-related behaviors listed above are also characteristic of malicious software. There are many types of malicious software, including, but not limited to:

  • Backdoor: This software provides an undocumented way of gaining access to a program, online service, or an entire computer system.

  • Dialer: This software installs itself in a computer's dial-up settings and dials numbers without the user's knowledge.

  • Worm: This software spreads to computers on a network automatically, without human action. Then the worm resides in computer memory and performs detrimental tasks.

  • Trojan: This software initially appears useful or benign to deceive users into running it. While it runs, it can allow "back door" access to the computer by hackers, destroy files on a hard disk, or perform other malicious tasks.

  • Remote access Trojan (RAT): This class of Trojan software enables a hacker to control another computer remotely through an Internet connection, with the privileges of a computer administrator.

  • Phishing: This software is used to create fraudulent e-mail or web pages that appear to be from an established legitimate enterprise. Phishing software deceives the user into providing private information that can be used for identity theft.

Spyware-based threats to security continue to evolve, becoming more complex and sophisticated, and propagating with increasing speed. It is important that users be alerted to new, existing, and emerging threats that demonstrate malicious behaviors.

Performance

Software behaviors that impair computer performance:

  • Place a high drain on system resources, resulting in noticeably slower computer performance.

  • Consume an unusually large amount of bandwidth in an Internet connection.

  • Decrease computer reliability.

  • Create apparent incompatibilities between the software program and the operating system.

  • Reduce the overall quality of the user's computing experience.

Windows Defender helps alert users to software programs that significantly decrease the performance of the computing environment, especially when the issues created by the software compound existing issues with deceptive behaviors, privacy, or security.

Industry and consumer opinion

Microsoft researchers rely on input from the software industry and individual users to help identify new forms of potentially unwanted software. Researchers consider the impact that the unwanted software has on the user experience when they determine appropriate software classifications.

Customer opinion feature
Windows Defender lets users know the opinions of other users on the software it analyzes. Windows Defender displays ongoing percentages of users who have allowed and blocked each new piece of software in question, to provide even more context for each user as they determine whether to allow or block the software.

Windows Defender customers
Microsoft has created a worldwide network where users can submit suspected new spyware or unwanted software for analysis. Participants in the network play a key role in helping identify new suspicious programs quickly. After analysis, Microsoft creates definitions for programs that meet the criteria, and makes them available to all users through Windows Defender.

New and emerging data sources
Microsoft also examines a broad range of new and emerging data sources in analyzing and classifying software. As part of this effort, Microsoft is committed to working with industry groups and organizations, such as the Center for Democracy and Technology and its Consumer Software Working Group, to help focus regulatory and enforcement efforts on truly deceptive software development practices.

Contacting Microsoft to report potential spyware problems

If you believe that you have been negatively affected by spyware, download and install Windows Defender. If the spyware persists, you can report the problem to Microsoft.

© 2009 Microsoft