How Microsoft antimalware products identify malware and unwanted software


Malware is the overarching category name for programs that are classified as either unwanted software or malicious software.

Unwanted software

Identifying and analyzing unwanted software is a complex challenge. New forms of unwanted software are constantly under development. The same technology that can make software unwanted also appears in software that you want to keep and use (such as antivirus or antimalware software). It’s not always possible to automatically determine whether a program is something you want to keep or something you want to remove.

Microsoft helps by giving you the information and tools you need to decide which software to download, install, and run on your PC.

We maintain a definition library of unwanted software. This library has a database of unwanted software files and settings. When our researchers identify new unwanted software, they create definitions and add them to the library. We release regular definition updates to help protect your PC and personal information.

You can participate in our worldwide network by submitting unwanted software for analysis. This network helps identify programs to add to our definition library.

New forms of unwanted software are developed and distributed rapidly. As a result, Microsoft reserves the right to adjust, expand, and update its criteria for analysis without prior notice or announcements.

Consumer opinion

Microsoft has created a worldwide network where you can submit unwanted software for analysis. Participants in the network play a key role in helping identify new suspicious programs quickly. After analysis, Microsoft creates definitions for programs that meet the criteria, and makes them available to all users through Microsoft antimalware software.

If you believe you have been negatively affected by unwanted software, download and install Microsoft antimalware software. If the unwanted software persists, you can report the problem to Microsoft.

Evaluation criteria

Microsoft researchers use the following categories to determine whether to add a program to the definition library, and what classification type, risk level, and recommendation to give it:

  • Unwanted behavior: The software runs unwanted processes or programs on your PC, does not display adequate disclosures about its behavior or obtain adequate consent, prevents you from controlling its actions while it runs on your computer, prevents you from uninstalling or removing the program, prevents you from viewing or modifying browser features or settings, makes misleading or inaccurate claims about the state of your PC, or circumvents user consent dialogs from the browser or operating system.
  • Advertising: The software delivers out-of-context advertising that interferes with the quality of your computing experience, regardless of whether you consented to this behavior or not.
  • Advertisements: The advertisement should not mislead you into visiting another site or downloading files.
  • Privacy: The software collects, uses, or communicates your information without your explicit consent.
  • Consumer opinion: Microsoft considers input from individual users as a key factor in helping to identify new unwanted behaviors and programs that might interfere with the quality of your computing experience.

Unwanted behaviors: lack of choice

You must be notified about what is happening on your PC, including what a program does and whether it is active.

Software that exhibits lack of choice may:

  • Fail to provide prominent notice about the behavior of the program and its purpose and intent.
  • Fail to clearly indicate when the program is active, and may attempt to hide or disguise its presence.
  • Install, reinstall, or remove software without your permission, interaction, or consent.
  • Install other software without a clear indication of its relationship to the primary program.
  • Circumvent user consent dialogs from the browser or operating system.
  • Falsely claim to be a program from Microsoft.

Unwanted behaviors: lack of control

You must be able to control programs on your computer. You must be able to start, stop, and otherwise revoke authorization to a program.

Software that exhibits lack of control may:

  • Prevent or limit you from viewing or modifying browser features or settings.
  • Open browser windows without authorization.
  • Redirect web traffic without clear notification and consent.
  • Modify or manipulate webpage content without your consent.

Programs that change the user browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, and removal.

  • Browsers without supported extensibility models will be considered non-extensible.

Unwanted behaviors: installation and removal

You must be able to start, stop, and otherwise revoke authorization to a program. Programs should obtain your consent before installing, and the program must provide a clear and straightforward way for you to install, uninstall, or disable it.

Software that exhibits a poor installation experience may:

  • Bundle or download other unwanted software classified in the Microsoft antimalware definition library.

Software that exhibits a poor removal experience may:

  • Present confusing or misleading prompts or pop-ups when attempting to uninstall software.
  • Fail to use standard install/uninstall features, such as Add/Remove Programs.

Unwanted behaviors: computer performance

You must be able to expect that the actions a system maintenance or optimization program takes towards system performance are actually beneficial. You should be able to maintain the overall quality of your computing experience.

Software that impairs computer performance may:

  • Display exaggerated claims about the system's health.
  • Make misleading or inaccurate claims about files, registry entries, or other items on the system.
  • Decrease computer reliability.

Unwanted behaviors: coercive messaging

Programs must not display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions.

Software that coerces users may display the following characteristics, among others:

  • Reports errors about the user’s system in an exaggerated or alarming manner and requires the user to fix the errors or issues either by paying money or by performing other actions, such as taking a survey, downloading a file, or signing up for a newsletter.
  • Suggests that no other actions will correct the reported errors or issues.
  • Requires the user to act within a limited period of time to get the purported issue resolved.


Advertising

Programs that promote a product or service outside of their own program can interfere with your computing experience. You should have clear choice and control when installing programs that open advertisements.

The advertisements that are opened by these programs must:

  • Include an obvious way to close the ad. Closing the ad must not open another ad.
  • Include the name of the program that created the ad.

The program that creates these advertisements must:

  • Provide a standard uninstall method for the program using the same name as shown in the ads it produces.


Advertisements

Advertisements shown to you must:

  • Be distinguishable from the website content.
  • Not mislead or deceive, or confuse with the intent to mislead or deceive.
  • Not contain malicious code.
  • Not invoke a file download.


Privacy

You want to maintain control over your information. You expect to determine how your information is collected, used, and shared with others.

Some types of programs can also have an impact on your privacy. These include, but are not limited to:

  • Monitoring programs: software that stores or transmits your activities without notice and consent, or offers a stealth option to hide this behavior.

Note: Monitoring programs are not necessarily malicious. For example, parental controls can feature keystroke monitors, but these programs can pose a risk to your privacy if you don't expect or know about their presence.

Malicious software

Malicious software is the general name for programs that perform malicious actions on your PC. This can include stealing your personal information, locking your PC until you pay a ransom, using your PC to send spam, or downloading other malicious software.

Most software that we classify as malware falls into one of the following categories:

  • Backdoor trojan: A type of trojan that gives a malicious hacker access to and control of your PC. This means they may be able to tell your PC what to do or monitor what you do online. A bot is a type of backdoor trojan.
  • Downloader: A type of trojan that downloads other malware onto your PC. The downloader needs to connect to the Internet to download the files.
  • Dropper: A type of trojan that installs other malware files onto your PC. The other malware is included within the trojan file. This is different to a downloader, which needs to connect to the Internet to download other files.
  • Exploit: A piece of code that uses software vulnerabilities to access information on your PC or install malware. For more information, see our page on exploits.
  • Hacktool: A type of tool that can be used to allow and maintain unauthorized access to your PC.
  • Macro virus: A type of virus that spreads through infected documents such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
  • Obfuscator: A type of malware that hides its code and purpose to make it more difficult for security software to detect or remove it.
  • Password stealer: A type of malware that is used to steal your personal information, such as user names and passwords. It often works along with a keylogger that collects and sends information about what keys you press and websites you visit to a malicious hacker.
  • Ransomware: A type of malware that can stop you from using your PC, or encrypt your files so you can’t use them. You may be warned that you need to pay money, complete surveys, or perform other actions before you can use your PC again. For more information, see our ransomware page.
  • Rogue security software: Software that pretends to be an antivirus program but doesn't actually provide any security. This type of software usually gives you a lot of alerts about threats on your PC that don't exist. It also tries to convince you to pay for its services. Our rogue security software page has more information.
  • Trojan: A type of malware. A trojan is a program that tries to look innocent, but is actually a malicious application. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, trojans try to look innocent to convince you to download and install them. Once installed, a trojan can steal your personal information, download more malware, or give a malicious hacker access to your PC.
  • Trojan clicker: A type of trojan that can use your PC to "click" on websites or applications. Trojan clickers are usually used to make money for a malicious hacker by clicking on online advertisements and making it look like the website gets more traffic than it does. They can also be used to skew online polls, install programs on your PC, or make unwanted software appear more popular than it is.
  • TrojanSpy: A program that collects your personal information, such as your browsing history, and uses it without adequate consent.
  • Virtool: A detection that is used mostly for malware components, or tools used for malware-related actions, such as rootkits.
  • Worm: A type of malware that spreads to other PCs. Worms may spread using one or more of the following methods: email programs, instant messaging programs, file-sharing programs, social networking sites, network shares, removable drives with Autorun enabled, and software vulnerabilities.