Anti-Spyware Coalition Risk Model Description
The anti-spyware industry offers a robust selection of tools to consumers in the marketplace. As is to be expected in such an environment, the rating systems used to classify Spyware and other Potentially Unwanted Technologies vary between Anti-Spyware vendors. The members of ASC believe that reputable anti-spyware companies should be transparent about their decisions to help users understand how anti-spyware tools make decisions; software publishers understand what may concern users; and Anti-Spyware vendors share information about emerging threats.
To facilitate that transparency, the ASC has developed a list of a broad set of behaviors that its members can use to help users make decisions. We expect the list to change over time as new bad practices are discovered.
ASC is making this draft available for public comment until 11/27. We hope that by including the public in our process, we will come away with a document that will help users to better protect themselves. You can comment on the document via the ASC Web site –or via email at firstname.lastname@example.org.
This document will:
- Outline the common terminology and process for classifying potentially unwanted technologies
- Describe the behaviors that can lead to detection so that software vendors and users will have a better understanding of the decision-making process
- Provide an overview of the approaches used to classify a software application
The risk modeling system is based on behavior. The risk and consent factors described below lay the groundwork for the eventual publication of industry-wide Best Practices.
Ultimately, the decision on what rating to give and what risk model to use falls to the individual Anti-Spyware vendor. This decision was intentional, to give each vendor the flexibility to rate software on their own terms while agreeing to a common framework.
Anti-Spyware vendors agree on the basic terminology and factors leading to risk or consent, but will differ on the exact modeling system and thresholds for detection. The variations in modeling help users make better marketplace decisions by selecting products that align with their priorities. The common framework and language regarding risk and consent behaviors helps Anti-Spyware vendors describe their models consistently, and gives standard guidance to application vendors about the factors that may lead to a program being flagged.
The criteria below outline the key factors that members of the Anti-Spyware Coalition use to make a determination – vendors may decide to use all or a subset of the criteria. In general, a program’s rating will increase with risk behaviors, and decrease with behaviors that provide user consent and control.
Modeling Process Overview
The risk-modeling process is the method Anti-Spyware vendors use to determine the classification of a program. Members of the Anti-Spyware Coalition use the same essential modeling process:
- Determine the installation method used
- Install and research software to determine areas of impact
- Measure the risk factors
- Measure the consent factors
- Weigh the risk factors against the consent factors to determine what classification and level apply, if any
While Anti-Spyware Coalition members agree on the factors that increase risk or consent, each member weighs and combines these factors on their own scale. Although ratings should not differ greatly, variations are possible because Anti-Spyware products have differing foci and philosophies.
For example, one vendor may not detect a program that tracks the user if such behavior is turned ‘off’ by default, while another may detect such a program but at a low warning level.
Overview of the Risk Categories:
Spyware and other Potentially Unwanted Technologies encompass a wide variety of behaviors that can concern users. To help understand the impact, we can describe software as affecting one or more of the following areas:
Privacy – Compromising the user’s information or data, such as
- Exposure to fraud or identity theft
- Loss of personal information
- Unauthorized tracking
Security – Impacting the system integrity of the computer, such as
- Attacking the computer, or using it as part of an attack
- Exposing the computer to risk by lowering security settings
- Using computer resources in an unauthorized manner
- Hiding programs from the user
User Experience – Impacting the user’s functionality of the computer, such as
- Delivering unexpected advertisements
- Changing settings
- Creating system instability or slowing performance
These risk categories are not mutually exclusive, and are not limited to the examples above. These represent the general areas Anti-Spyware vendors examine, and help describe the impact to users in common terms.
For example, a program may be detected by an anti-spyware vendor because it intercepts network traffic. The anti-spyware vendor may wish to explain this as an impact to privacy, rather than explaining the details of the underlying technology (which may be described in a more extensive write-up).
To further describe a program, some Anti-Spyware vendors may choose to rate a program along each risk category, while others may merge the categories into a single rating.
Risk and Consent Factors
Many applications have complex behavior – the final determination of a program requires a judgment call on the part of the Anti-Spyware vendor, based on their policies about what programs should be brought to the user’s attention. The following are key considerations in the risk modeling process:
Technologies/Activities are neutral
- Technologies and activities like data collection are neutral, and as such are harmful or helpful depending on their context. Anti-Spyware vendors need to consider both the factors that increase risk and the factors that increase consent before making a determination.
Many risk factors can be mitigated
- A risk factor is an indication that a program has certain behavior. The Anti-Spyware vendor must consider this behavior in context and decide whether the consent factors mitigate the risk. Some risk factors may not flag a program on their own, but could be considered in combination with other factors. Certain risk factors are impactful enough that they cannot be mitigated, such as installation by security exploit. The Anti-Spyware vendor may choose to always alert the user about programs with this behavior.
Weights can differ
- Anti-Spyware vendors may weigh behaviors differently, depending on their policies about what behaviors are taken into consideration. Each vendor sets their own threshold for detection based on the weights they assign to the risk and consent factors.
Strive for objective, consistent rules
- The factors outlined below are meant to be objective and easy to apply consistently. However, certain factors cannot be determined programmatically but are still important to users (such as the use of deceptive text or graphics). In these cases, each Anti-Spyware determines the impact according to their internal policies.
The common agreement in the Anti-Spyware Coalition centers on what factors increase risk and what factors increase consent. Therefore, the general advice for an application vendor is to
- Minimize the risk factors
- Maximize the consent factors
The lists below cover a wide variety of behaviors, and are not exhaustive. They will grow with time as new behaviors emerge.
The following risk factors are behaviors that have the potential for user harm or disruption. In some cases, the behavior may be desired, such as data collection for personalization, but can still present a risk if unauthorized. Many of these risks can be mitigated by providing the appropriate consent factors.
In certain cases, a risk may be serious enough that a vendor may decide to inform users, even if consent was given. This may be the case for certain monitoring or security tools (users who knowingly install such programs can dismiss these warnings). Other risks, such as “installing by security exploit” may warrant automatic detection, no matter what other consent was given.
Some risk factors may be minor, and not enough to warrant detection on their own. However, the low-risk behaviors can help differentiate two similar programs, or may be combined into a higher risk level if enough low-risk behaviors are present. Anti-Spyware vendors may use confirmed user feedback as a part of their investigation into a risk factor.
Note that installation method varies not only from program to program, but also by affiliate and in some cases even by campaign. We rate and classify software based primarily on behaviors inherent in the software itself. In cases where installation has been observed via intrusive, covert or exploitative measures, this fact is taken into account by each Anti-Spyware vendor according to its policy.
The risk factors have general weights (High, Medium and Low) that help show the relative impact to the user. Although all behaviors can be problematic if unauthorized, certain ones tend to have a greater impact and are treated with more severity than others.
The list below is a combined set of the behaviors that members of the Anti-Spyware Coalition consider in their analysis. Each Anti-Spyware vendor weighs the behaviors as they see fit in their modeling formula.
Behavior that may impact users / Relative Impact
Installation & Distribution, including but not limited to:
Replication behavior (mass-mailing, worming, or viral) High
Installs without user’s explicit permission or knowledge, such as not providing or ignoring user’s request to cancel installation, drive-by installation, use of a security exploit, or software that meets other risk factors and is undisclosed in a software bundle (Note: The rating of High indicates a typical rating for this item and its relative risk. The specific weight may vary depending on the severity.) High
Uninstalls other applications, such as competitive programs High
Software updates automatically Medium
Program downloads or installs software that has potentially unwanted behavior, as described in definitions document (Reminder: The rating of High indicates a typical rating for this item and its relative risk. The specific weight may vary depending on the severity or amount of items installed.) High
Identification & Control, including but not limited to
Has incomplete or inaccurate identifying information Medium
Program obfuscated with tools that make it difficult to identify, such as a packer Medium
No indication the program is running inside an application, such as an icon, toolbar or window Low
No indication the program is running standalone, such as a taskbar, window or tray icon Low
Program runs automatically without explicit user consent Low
Networking, including but not limited to:
Proxies, redirects or relays the user’s network traffic or modifies the networking stack High
Creates or modifies “hosts” file to divert domain reference without user permission or knowledge at time of change High
Changes default networking settings (Broadband, telephony, wireless, etc.) High
Dials phone numbers or holds open connections without user permission or knowledge. High
Alters the default internet connection to connect at a premium rate (i.e. 2x normal rate) High
Data Collection, including but not limited to:
Transmits personally identifiable data (Reminder: Technologies are neutral, and only a concern when abused. A behavior can be acceptable with notice and consent). High
Collects personal information, but stores it locally Medium
Intercepts communication, such as email or IM conversations (without appropriate notice and consent) High
Uploads arbitrary data, some of which could be personally identifiable Medium
Uploads data that can be used used to track user behavior offline and online as well as other types of data that may be sensitive, yet not personally identifiable Low
Uses tracking cookies to collect information (Reminder: Each Anti-Spyware vendor weighs a behavior according to their own policy. ASC recommends that vendors that utilize this criteria make it clear to users that they do so, affording users the opportunity to make an informed marketplace decision) Low
Computer Security, including but not limited to
Changes the contents of files the program did not originally create that most user-level applications would not normally modify High
Hides files, processes, program windows or other information from the user or system tools High
Allows remote users to alter or access the system (files, registry entries, other data) High
Allows host security to be bypassed (privilege elevation, credential spoofing, password cracking, etc.) High
Allows remote parties to identify vulnerabilities on the host or elsewhere on the network High
Allows remote control over a computer, including process creation, spamming, or attacks on third parties High
Disables security software, such as AntiVirus or Firewall software High
Lowers security settings, such as in the browser, application, or operating system High
Allows for remote control of the application, beyond self-update High
User Experience, including but not limited to:
Displays external advertisements (ie, not created by online content—e.g., web pages—to which users deliberately surf) that are not attributed to their source program High
Displays external advertisements that are indirectly attributed to the source program (such as a pop-up with a label) Medium
Displays external advertisements that are clearly attributed to the source program, such as starting alongside the program Low
Replaces or otherwise alters web page content, such as search results or links High
Changes browser pages or settings (error page, home page, search page, etc.) Medium
Modifies user settings such as favorites, icons, shortcuts, etc. Low
Causes frequent system instability Low
Uses excessive resources (CPU, Memory, Disk, Handles, Bandwidth) Low
Attaches to other programs, such as the browser, using a non-standard method Low
Disables or interferes with functionality of system (right-click behavior, ability to use system tools, etc.) High
Other Behaviors, including but not limited to
Has other potentially unwanted behavior, as described in definitions document Medium
Program modifies other applications to bypass copyright protections
Program generates serial numbers/registration keys to allow illegal use of copyrighted products Medium
Removal, including but not limited to
Self-healing behavior that defends against removal or changes to its components, or requiring manual steps to run the uninstaller High
Uninstaller does not functionally remove the program, such as leaving components running after reboot or silently reinstalling components High
Does not provide an easy, standard method to permanently stop, disable or uninstall the program (such as Add/Remove Programs or equivalent). High
Uninstaller repeatedly attempts to badger or coerce the user into cancelling the uninstall Low
Non-Programmatic Behaviors, including but not limited to
Contains or distributes offensive language and content (Reminder: Each Anti-Spyware vendor weighs a behavior according to their own policy. ASC recommends that vendors that utilize this criteria make it clear to users that they do so, affording users the opportunity to make an informed marketplace decision) Medium
Consists of advertising components and is installed at or through web sites designed for, targeted at, or heavily used by children 13 and under
Uses misleading, confusing, deceptive, or coercive text or graphics text, graphics, advertising or other false claims to induce, compel, or cause users to install or run the software or take actions (such as click on an advertisement)
The behaviors below indicate that a program provides users with some level of notice, consent and control that may help mitigate a risk factor. Certain high-level risks may be extensive enough that no level of consent can mitigate them, and the Anti-Spyware vendor will always warn users about such behavior.
The consent factors help lay the terminology and groundwork for Best Practices, which is a set of positive examples that demonstrate clear notice and consent. (Note: The Best Practices will live in a separate document, based on the final version of this document.)
It is important to note that these consent factors are per-behavior. If a program has multiple risky behaviors, each is examined separately for its consent experience.
The weights (High, Medium or Low) indicate a relative ordering for the consent behaviors – although all are helpful, some behaviors provide more consent than others. Again, each Anti-Spyware vendor can weigh the characteristics on their own scale.
In the list below, the term “Potentially Unwanted Behavior” refers to any program activity or technology that can present a risk to users if abused, such as data collection or changing system settings. These technologies are described in more detail in the definitions document on the Anti-Spyware Coalition website.
Behavior that provides user consent / Level of Consent
Installation & Distribution
Distributed via download, in clearly labeled packages, and not bundled by affiliates High
Requires high level of consent before installation, such as registration, activation, or purchase High
Has clear, explicit setup experience that users can cancel High
Potentially unwanted behaviors are clearly called out and prominently disclosed outside of EULA Medium
Potentially unwanted behaviors are part of the expected functionality of the program (i.e., an email program is expected to transmit information) High
User can opt-out of potentially unwanted behaviors (on by default) Medium
User can opt-in for potentially unwanted behaviors (off by default)
Obtains user consent before software updates High
Obtains user consent before using passive technologies, such as tracking cookies High
All bundled software components are disclosed in EULA Low
All bundled software components are clearly called out and prominently disclosed outside of EULA Medium
User can review and opt-out bundled components (on by default) Medium
User can opt-in for bundled components (off by default) High
Files and directories have clear, identifiable names and properties in accordance with industry standards (Publisher, Product, File Version, Copyright, etc.) Low
Files are digitally signed by publisher Med
Program has a minor indication when it is active (tray icon, banner, etc.) Med
Program has major indication when it is active (application window, dialog box, etc.) High
Sponsor programs only run when sponsored program is active Med
Clear method to disable or avoid program, aside from uninstall Med
Program requires explicit user consent before starting (i.e., double-click an icon) High
Program has opt-in before starting automatically High
Provides straightforward, functional uninstaller in well-known location (such as Add/Remove Programs) Med
Program uninstaller removes all bundled components Med
The consent factors, risk factors and modeling process outline the analysis approach used by members of the Anti-Spyware Coalition. Although behavior weights may vary between vendors, the core guidance for application developers is to minimize the risk factors and maximize the consent factors to avoid classification. However, certain risks may be serious enough that an Anti-Spyware vendor will always inform users about impact of the behavior.
The risk modeling process is a living document, and will change over time as new behaviors and technologies emerge.