How Microsoft antimalware products identify malware: unwanted software and malicious software
Malware is the overarching category name for programs that are either classified as unwanted software or malicious
Identifying and analyzing unwanted software is a complex challenge. New forms of unwanted software are constantly
under development. The same technology that can make software unwanted also appears in software that you want to
keep and use (such as antivirus or antimalware software). It’s not always possible to automatically determine whether
a program is something you want to keep or something you want to remove.
Microsoft helps by giving you the information and tools you need to decide which software to download, install, and
run on your PC.
We maintain a definition library of unwanted software. This library has a database of unwanted software files and
settings. When our researchers identify new unwanted software, they create definitions and add them to the library.
We release regular definition updates to help protect your PC and personal information.
You can participate in our worldwide network by submitting unwanted software for analysis. This network helps identify
programs to add to our definition library.
New forms of unwanted software are developed and distributed rapidly. As a result, Microsoft reserves the right to
adjust, expand, and update its criteria for analysis without prior notice or announcements.
Microsoft has created a worldwide network where you can submit unwanted software for analysis. Participants in the
network play a key role in helping identify new suspicious programs quickly. After analysis, Microsoft creates
definitions for programs that meet the criteria, and makes them available to all users through Microsoft antimalware
If you believe you have been negatively affected by unwanted software, download and install Microsoft antimalware
software. If the unwanted software persists, you can report the problem to Microsoft.
Microsoft researchers use the following categories to determine whether to add a program to the definition library,
and what classification type, risk level, and recommendation to give it:
- Unwanted behavior: The software runs unwanted processes or programs on your PC, does
not display adequate disclosures about its behavior or obtain adequate consent, prevents you from controlling
its actions while it runs on your computer, prevents you from uninstalling or removing the program, prevents
you from viewing or modifying browser features or settings, makes misleading or inaccurate claims about the
state of your PC, or circumvents user consent dialogs from the browser or operating system.
- Advertising: The software delivers out-of-context advertising that interferes with
the quality of your computing experience, regardless of whether you consented to this behavior or not.
- Advertisements: The advertisement should not mislead you into visiting another site
or downloading files.
- Privacy: The software collects, uses, or communicates your information without your
- Consumer opinion: Microsoft considers input from individual users as a key factor in
helping to identify new unwanted behaviors and programs that might interfere with the quality of your computing
Unwanted behavior: lack of choice
You must be notified about what is happening on your PC, including what a program does and whether it is active.
Software that exhibits lack of choice may:
- Fail to provide prominent notice about the behavior of the program and its purpose and intent.
- Fail to clearly indicate when the program is active, and may attempt to hide or disguise its presence.
- Install, reinstall, or remove software without your permission, interaction, or consent.
- Install other software without a clear indication of its relationship to the primary program.
- Circumvent user consent dialogs from the browser or operating system.
- Falsely claim to be a program from Microsoft.
Unwanted behaviors: lack of control
You must be able to control programs on your computer. You must be able to start, stop, and otherwise revoke authorization
to a program.
Software that exhibits lack of control may:
- Prevent or limit you from viewing or modifying browser features or settings.
- Open browser windows without authorization.
- Redirect web traffic without clear notification and consent.
- Modify or manipulate webpage content without your consent.
Programs that change the user browsing experience must only use the browser's supported extensibility model for installation,
execution, disabling, and removal.
- Browsers without supported extensibility models will be considered non-extensible.
Unwanted behaviors: installation and removal
You must be able to start, stop, and otherwise revoke authorization to a program. Programs should obtain your consent
before installing, and the program must provide a clear and straightforward way for you to install, uninstall,
or disable it.
Software that exhibits a poor installation experience may:
- Bundle or download other unwanted software classified in the Microsoft antimalware definition library.
Software that exhibits a poor removal experience may:
- Present confusing or misleading prompts or pop-ups when attempting to uninstall software.
- Fail to use standard install/uninstall features, such as Add/Remove Programs.
Unwanted behaviors: computer performance
You must be able to expect that the actions a system maintenance or optimization program takes towards system performance
are actually beneficial. You should be able to maintain the overall quality of your computing experience.
Software that impairs computer performance may:
- Display exaggerated claims about the system's health.
- Make misleading or inaccurate claims about files, registry entries, or other items on the system.
- Decrease computer reliability.
Programs that promote a product or service outside of their own program can interfere with your computing experience.
You should have clear choice and control when installing programs that open advertisements.
The advertisements that are opened by these programs must:
- Include an obvious way to close the ad. The intent of closing the ad must not open another ad.
- Include the name of the program that created the ad.
The program that creates these advertisements must:
- Provide a standard uninstall method for the program using the same name as shown in the ads it produces.
Advertisements shown to you must:
- Be distinguishable from the website content.
- Not mislead or deceive, or confuse with the intent to mislead or deceive.
- Not contain malicious code.
- Not invoke a file download.
You want to maintain control over your information. You expect to determine how your information is collected, used,
and shared with others.
Some types of programs can also have an impact on your privacy. These include, but are not limited to:
- Monitoring programs: software that stores or transmits your activities without notice
and consent, or offers a stealth option to hide this behavior.
Note:Monitoring programs are not necessarily malicious. For example, parental controls
can feature keystroke monitors, but these programs can pose a risk to your privacy if you don't expect or know
about their presence.
Malicious software is the general name for programs that perform malicious actions on your PC. This can include stealing
your personal information, locking your PC until you pay a ransom, using your PC to send spam, or downloading other
Most software that we classify as malware falls into one of the following categories:
- Backdoor trojan: A type of trojan that gives a malicious hacker access to and control
of your PC. This means they may be able to tell your PC what to do or monitor what you do online. A bot is
a type of backdoor trojan.
- Downloader: A type of trojan that downloads other malware onto your PC. The downloader
needs to connect to the Internet to download the files.
- Dropper: A type of trojan that installs other malware files onto your PC. The other
malware is included within the trojan file. This is different to a downloader, which needs to connect to
the Internet to download other files.
- Exploit: A piece of code that uses software vulnerabilities to access information
on your PC or install malware. For more information, see our page on exploits.
- Hacktool: A type of tool that can be used to allow and maintain unauthorized access
to your PC.
- Macro virus: A type of virus that spreads through infected documents such as Microsoft
Word or Excel documents. The virus is run when you open an infected document.
- Obfuscator: A type of malware that hides its code and purpose to make it more difficult
for security software to detect or remove it.
- Password stealer: A type of malware that is used steal your personal information,
such as user names and passwords. It often works along with a keylogger that collects and sends information
about what keys you press and websites you visit to a malicious hacker.
- Ransomware: A type of malware that can stop you from using your PC, or encrypt your
files so you can’t use them. You may be warned that you need to pay money, complete surveys, or perform other
actions before you can use your PC again. For more information, see our ransomware page.
- Rogue security software: Software that pretends to be an antivirus program but doesn't
actually provide any security. This type of software usually gives you a lot of alerts about threats on your
PC that don't exist. It also tries to convince you to pay for its services. Our rogue security software page
has more information.
- Trojan: A type of malware. A trojan is a program that tries to look innocent, but
is actually a malicious application. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead
they try to look innocent to convince you to download and install them. Once installed, a trojan can steal
your personal information, download more malware, or give a malicious hacker access to your PC.
- Trojan clicker: A type of trojan that can use your PC to "click" on websites or applications.
They are usually used to make money for a malicious hacker by clicking on online advertisements and making
it look like the website gets more traffic than it does. They can also be used to skew online polls, install
programs on your PC, or make unwanted software appear more popular than it is.
- TrojanSpy: A program that collects your personal information, such as your browsing
history, and uses it without adequate consent.
- Virtool: A detection that is used mostly for malware components, or tools used for
malware-related actions, such as rootkits.
- Worm: A type of malware that spreads to other PCs. Worms may spread using one or
more of the following methods: email programs, instant messaging programs, file-sharing programs, social
networking sites, network shares, removable drives with Autorun enabled, and software vulnerabilities.