Sunbelt Adjusts WhenU Detections in Security

Sunbelt Adjusts WhenU Detections in Security http://www.dslreports.com/forum/r13953597 en Wed, 20 Aug 2008 19:38:33 EDT Wed, 20 Aug 2008 19:38:33 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,14000799 ctrip : nevermind]]> http://www.dslreports.com/forum/remark,14000799 Thu, 28 Jul 2005 02:28:03 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,14000437 mongol : You rant at us about doing our homework and doing our own research and then admit you skipped 16 pages of posts. I think you sat in front of me at College. Is that you Bob??.]]> http://www.dslreports.com/forum/remark,14000437 Thu, 28 Jul 2005 01:02:19 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13998995 antiserious :

said by IndustryBurnout:

First let me say that I skipped about 16 pages of posts but from what I've seen it all looks the same anyway.

... and that's as far as I got, except to scroll through your verbose blather to get to the 'post reply' button ...

... but thanks for stopping by ... :uhh: ... always swell to hear from a burnout ...

--
... "Do You Know Where Your Towel Is ?" ...]]> http://www.dslreports.com/forum/remark,13998995 Wed, 27 Jul 2005 21:48:58 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13998900 doormans : You really should have taken the time to read the 16 pages of posts you admitted to skipping. I'm sure some of the info in them would have enlightened your somewhat sour and obtuse view of the companies and people involved.Oh and by the way, YOU never stated your qualifacations to berate the posters involved in this thread. :p]]> http://www.dslreports.com/forum/remark,13998900 Wed, 27 Jul 2005 21:38:46 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13998773 anon : OK I have to rant here. First let me say that I skipped about 16 pages of posts but from what I've seen it all looks the same anyway.

I think this thread is a perfect example of one of the major problems that plagues this industry today. This industry has developed a regrettably zealous and uninformed following. By that I mean that absolutely nothing any of these companies ever does will ever work as an apeasement to the large group of individuals that 1. Do not do their own research, 2. Take the word of self-appointed "experts", and 3. Allow their mentality to be formed by the highest common denominator, or simply, follow the herd.

From what I've seen here about the only thing that would satisfy the majority of these posters is to plant a nuke at each and every one of these adware companies and delisting antispyware companies and wipe them out. Unfortunately this is the kind of juvenile mentality that these antispyware companies are up against. It doesn't matter that these companies typically stock themselves with anywhere from 5 to 100 real experts that evaluate and fight this stuff everyday, publish legitimate research, and have the background to actually decide what stuff is harmful and what is not, as seen with Lavasoft and Pest Patrol one zealot starts a rampage about a delisting that 1,000 blind sheep jump on board with and naturally a commercial company has to cave. It's a disservice, to the antispyware companies, to the delisted companies, and believe it or not to the end user. This mentality is so rampant that often an end user that doesn't spend 10 hours a day often receives this extremist advice in some forum from some 13 yr old kid who received the same advice from an "expert" and they take it as gospel and voila, we're crowning another tin foil beanie chief. Now the antispyware company providing that end user with the solution has to take 3 days to calm down and explain to that user how their information is wrong.

I would venture to say that 95% of people in these forums have no formal education in regards to spyware evaluation, detection, and removal. Their education is solely in HJT logs and what someone else has told them is bad. Find me 10 people that have researched every entry on their own and based their decision on that and I'll come to your house and brush your teeth. I would also say that 85% of these people do not do their own research and accept what is spoon fed to them. You spend 3 hours a day on Hijack This logs you say? Great, from that I want you to tell me every distribution method that application takes advantage of as well as provide me with a detailed analysis of captured packet sniffer logs. Along with that I will need to know the company that produces the application, including registrar, address, and contact info. While you're at it go ahead and disassemble all the executables and dlls and get me a detailed report on those.

While we are on the subject and you have your assignments lined up you might as well provide us with every correspondence, contract, agreement, and conversation that has taken place between every antispyware company and every adware company or researcher that they have dealt with. I'm sure this will help you to prove the "conspiracy". Transparency is your argument to that? Well folks unfortunately we live in a corporate world and there's things called NDA's or Non Disclosure Agreements that are typically precursors to any kind of exchange of proprietary technology and information, which of course is a necessity to an honest and partial evaluation.

Now I'll use what I've seen in this thread as a perfect example. I've seen Eric Howes posting in this forum and references to his research. I'll be frank and say that I'm no fan of that rogue antispyware list. While I do believe it serves a purpose and can be informative to those who know how to filter out the biased leaning in favor of Lavasoft I have seen that thing quoted left and right, up and down, 9 ways to Sunday by this zealous following. Up until the point when he justified the Sunbelt changes you all thought Eric and that list was the best thing since sliced bread. Once his research came out and he justified the claims of Sunbelt you people turned on him, tried to chew him up, and spit him out. Absolutely zero weight was given to the fact that he actually did perform and provide non-biased research to back up the decision.

I don't think you can find in any other industry, firewall, antivirus, or otherwise, such a close minded, uninformed, blinder view of progression than in the spyware industry. It suffers from a mentality that is a cancer to the greater good. With such a blind outlook on things you have to realize, if an adware or whatever company honestly cleans up its act and justifies non-detection, only to have the antispyware company have to cave to a herd following public, we're never going to see an end to the problem. What encouragement do these guys have at all if their best efforts go for nill because of an uninformed public? They might as well keep exploiting loopholes and achieving installs and just deal with the antispyware removals than attempt to spend money righting their wrongs.

OK I think I've ranted enough and hopefully you understand my point. I think it applies to life as it does to the industry and I'll provide a couple recommendations to what should be done.

Lessons:

1. Do your own research
2. Use what your told as a factor of your research, not an excuse to do your research
3. People are grownups and need to accept some of the responsiblity over what they do. Your hand wasn't held when installing Windows, why can't we expect the same responsibility for an install dialog?

Resolution:

1. A non-biased researcher standard needs to be created, such as an MCSE or MVP for antispyware studies. This standard could be collaberated on by antispyware developers and open to the public for testing.

2. Subject the standard to strict revocation until we balance the industry. You start slanting in a bias manner or providing pure opinions in your advice, bye bye certification.

3. DO YOUR OWN RESEARCH. DO YOUR OWN RESEARCH. DO YOUR OWN RESEARCH. God, Buddha, and all others gave you a mind of your own and you didn't spend 13+ years in school to be told what to believe by others.

4. Use SaranWrap, not tin foil. This has got to be the most important of all. And no, antispyware vendors didn't kill JFK, build and isolate Area 51, hide Martians, start the FreeMasons and New World Order, pollute the water with pacifying hallucinogens, or turn a blind eye to Pearl Harbor]]> http://www.dslreports.com/forum/remark,13998773 Wed, 27 Jul 2005 21:22:35 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13983163 ghost16825 :

said by eburger68

:

That's all very well and good, but things do get a bit murkier when we're dealing with less knowledgeable users who don't always act consistently.

...which goes back to the point about assumed user knowledge.
--
Admin of the Kerio 2x-like open source project:
http://sourceforge.net/projects/kerio/
http://kerio.sourceforge.net/
]]> http://www.dslreports.com/forum/remark,13983163 Mon, 25 Jul 2005 20:48:31 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13982621 eburger68 : Bruce:

You wrote:

said by roamer_1:
Not exactly- You had said something to the effect that past reputation could be taken into account, but could not be an "end all" criteria, I simply proposed that if the company offered no spyware in any way for a reasonable period (1 yr was the example) then the delisting would take place- Perhaps I read you wrong. It seems you are now saying that past reputation cannot be a factor whatsoever! (?)

Perhaps you could flesh out how you see "past reputation" being applied?

I'm sorry, but the pre-checked boxes still amount to the same thing as a default action of "Remove," and you want those pre-checked boxes to be determined on the basis of a "known offender" status, which is itself reputation, which takes us right back to the original argument that some made in this thread, which was: "WhenU ought to be set to 'Remove' by default because it's WhenU." That's why I called it merely "another attempt to insert a 'because-it's-WhenU' trump card into the review process."

said by roamer_1:
I understand perfectly that labels are useless for targeting decisions (and I agree with your writings to that effect), but they are awfully handy in discussions. One saves alot of time labeling a creature a "duck" rather than explaining all the features that separate it from other avians in general every time a duck is described... Perhaps with a few well placed labels we might stop talking past each other.

Well, we're talking about the nitty targeting decisions here. For general coversation, labels can be handy. Beyond that, though, they become problematic. We like to think that the world is so simple that we can "call a duck a duck." But when we're dealing with anti-spyware targeting decisions, things are a bit more complicated because different people have different ideas as to what's a duck in some cases -- and we've seen as much right here in this thread.

said by roamer_1:
I was trying to delineate software that has install, notification, keeps ads within itself, and has an uninstall etc. Features you (seem to) describe as making it legitimate, though it is still adware. To me there is no difference, but if you need to define a legal difference, so be it.

I was suggesting an expansion of detect/remove to cover that "group" as well (AolMess and YahooBar were suggested earlier as examples of inclusion), so that these morphing companies could not say they were being unfairly singled out.

Actually, Sunbelt already does include similar applications in its database: Download Accelerator Plus and Weatherbug, for example. But Sunbelt doesn't include those apps because they fit some general label. They're included because they trip particular targeting criteria -- criteria which were developed with an eye towards what could cause users significant problems.

said by roamer_1:
I am against the idea that since the user was stupid enough to install it there should be no easy way to remove it and it must be relegated to A/R simply because it supplies an uninstall routine, or that it would be "Line item only" for removal.

First, what's not "easy" about Add/Remove Programs (assuming the uninstaller does the job as advertised? It seems that you want a general uninstallation utility for all manner of applications, but anti-spyware apps are not that kind of beast. They selectively detect and present applications of a certain quality based on certain criteria, which suggests to users that the selected/detected apps are somehow less desirable or more problematic than the ones not selected/detected. And once they do that, they've got take great care in how they select/detect/present.

Anti-spyware vendors can detect and present a wide range of different apps to users, but they must have some good rational for doing so (e.g., the app verifiably could present a problem or threat to users of some sort). Moreover, they must take special care in presenting applications that could be wanted and voluntarily installed by users, as I've explained in several other posts. That's where "Low risk adware" adware categories come from -- from an attempt to treat these types of applications differently.

It looks like you to want an easy way to erase all the default presentation differences, because you think it would suit your needs. But erasing those presentation differences could cause problems for other users -- tech gurus with clueless clients are not the only ones using anti-spyware apps.

said by roamer_1:
However, since you raised the point (and with any couched threat unintended), you would be suprised how many of your users ARE your users only with the blessing of their local guru or tech. If it doesn't fly with me, you can bet my users will be elswhere- especially when it comes to security software. My previous post aside, most of my users listen to me and accept my recommendations. I say this only to highlight the point that you do well to be here (and other places like in kind) and pound this out in an acceptable fashion.

Fine, but tech gurus are not the only ones using the anti-spyware applications, and anti-spyware vendors can't enshrine their preferences as the defaults just because they might feel they ought to be, esp. once we're dealing with types of software where the users themselves are divided and have differing needs and expectations.

Now, what anti-spyware companies CAN do is build in features that allow users of all kinds to customize the behavior of the anti-spyware programs to suit their particular needs -- a "Select/Remove All" button is a very simple example of that. A user-customizable "blacklist" (which I also discussed earlier today) is another example of that. But those kinds of preferences have to be incorporated into the product's performance through your own expressed customization/preference selecting actions. The defaults for anti-spyware applications, by contrast, have to be very carefully selected, and they may not absolutely match your own preferences.

said by roamer_1:
But you also can't take away the ability of the program to do the meat and potatos work that we rely on it to do. As I said before, CYA legally... fine. but give me a "Select all /remove" and keep detecting... Or a global option to select all... so that I can override the suggested action.

I know that you are holding your nose while you do this. I understand that you don't like these companies any more than I do. But in the midst of it you seem to be making the case for a type of "acceptable" level of adware, rather than a rally to "how do we beat 'em now?" which is an uncomfortable residue of this discussion.

So what are you saying in a general sense (not WhenU particularly for the moment)? Is there no productive way that Anti-Spy can assist if an adware drops below a certain level? And if such is the case, where might that level be defined? And if defined, How does one prevent further slippage (herein lies the brow of the proverbial slippery slope)?

It's not a matter of "acceptable" vs. "unacceptable" adware: it's a matter of finding ways to deal with applications that users can very well regard differently. As I've said several times, anti-spyware vendors can't just use your preferences as the defaults for the behavior and performance of their applications; they have to accommodate a wide range of users, and once we get down to handling what you're calling "ad-sponsored software," your preferences aren't universally held and could cause problems for other users if enshrined as the default preferences within anti-spyware applications.

said by roamer_1:
I didn't figure there would be any. Adware is within your pervue (at least traditionally). There are lots of mass uninstallers out there (regedit comes to mind), so that concept shouldn't be a problem...

But those kinds of applications don't selectively detect and present software based on the kinds of criteria that anti-spyware apps do. And users don't necessarily interpret the "results" presented to them by system cleaning applications in the same way as they do the "results" from "anti-spyware" apps.

As I said before, it looks like you want a general system cleaning app, and anti-spyware applications can come to resemble such applications, but the evolution isn't easy because of the expectations (from users, vendors, admins, etc.) that are brought to bear on anti-spyware apps, which started their lives closer to the "malware cleaning" side of things rather than the "system cleaning" side of things.

said by roamer_1:
If the "known offender" thing is what is in the way, then just give me a PUP (Spybot S&D) page with a "Select all" in settings. Then I can cherry pick the acceptable ones out of the list rather than checking the whole list except three or four...

Such a thing is easily implemented. Your suggestion from a later post to "make it global, make it stick," is more problematic without building checks or safety features for less knowledgeable users. You know enough to "select all" and then cherry pick the "acceptable ones," but I can already hear the complaints from users who didn't fully understand that the detected apps may not all be "bad" and who blindly selected that global option: "This @$#$%F*&S)#W! anti-spyware program said my screensaver and weather program were viruses and removed them!" And then we're right back to square one.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13982621 Mon, 25 Jul 2005 19:35:30 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13982152 roamer_1 :

said by eburger68

:

Bruce:

otice the "Set a single action for all items" link next to the "Take Action" button. That link brings up a dialog box (see the second screenshot) that allows you do configure all detected items to for "Remove" or "Quarantine," no matter what the default action is.

I guess I didn't remember that such an option existed because in the testing I do, I never use it. I always inspect each detection one by one and select or verify the actions for each detection.

My apologies for the oversight and confusion.

(Note: the screenshots above are from CounterSpy 1.5 beta, but the same option and dialog box exist in the current release version 1.0.29.)

Best,

Eric L. Howes

Apologies not required.

Beauty day. Make it GLOBAL, Make it stick.

Regards,
Bruce]]> http://www.dslreports.com/forum/remark,13982152 Mon, 25 Jul 2005 18:36:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13982109 roamer_1 : Eric,

You wrote:

This looks to me like yet another attempt to insert a "because-it's-WhenU" trump card into the review process.

You worried earlier about anti-spyware vendors getting buried by petitions and legal threats -- this is the surest way to achieve that outcome.

Not exactly- You had said something to the effect that past reputation could be taken into account, but could not be an "end all" criteria, I simply proposed that if the company offered no spyware in any way for a reasonable period (1 yr was the example) then the delisting would take place- Perhaps I read you wrong. It seems you are now saying that past reputation cannot be a factor whatsoever! (?)

Perhaps you could flesh out how you see "past reputation" being applied?

Sunbelt does not make targeting decisions by starting with labels, which I've already explained are useless as the basis for targeting decisions

I understand perfectly that labels are useless for targeting decisions (and I agree with your writings to that effect), but they are awfully handy in discussions. One saves alot of time labeling a creature a "duck" rather than explaining all the features that separate it from other avians in general every time a duck is described... Perhaps with a few well placed labels we might stop talking past each other. :)

Truth be told, I don't even know what you mean by "ad-sponsored" software and how that would differ from the wide range of software most folks already call "adware." These labels are a dead-end street -- they're pointless and useless as the basis for targeting decisions.

I was trying to delineate software that has install, notification, keeps ads within itself, and has an uninstall etc. Features you (seem to) describe as making it legitimate, though it is still adware. To me there is no difference, but if you need to define a legal difference, so be it.

I was suggesting an expansion of detect/remove to cover that "group" as well (AolMess and YahooBar were suggested earlier as examples of inclusion), so that these morphing companies could not say they were being unfairly singled out.
I am against the idea that since the user was stupid enough to install it there should be no easy way to remove it and it must be relegated to A/R simply because it supplies an uninstall routine, or that it would be "Line item only" for removal.

I didn't mean that in any legal way- I was just suggesting that "user wants" are not an effective platform in this forum. We all know what the user wants, and it is generally not thought of as a good thing... at least not with me. Whether that is legally defensible wasn't the point. Sorry if I was not clear on that.

However, since you raised the point (and with any couched threat unintended), you would be suprised how many of your users ARE your users only with the blessing of their local guru or tech. If it doesn't fly with me, you can bet my users will be elswhere- especially when it comes to security software. My previous post aside, most of my users listen to me and accept my recommendations. I say this only to highlight the point that you do well to be here (and other places like in kind) and pound this out in an acceptable fashion.

But we can't take a consumer product and turn it into a poor-man's backdoor admin tool for IT admins to exert control over their know-nothing clients.

But you also can't take away the ability of the program to do the meat and potatos work that we rely on it to do. As I said before, CYA legally... fine. but give me a "Select all /remove" and keep detecting... Or a global option to select all... so that I can override the suggested action.

I know that you are holding your nose while you do this. I understand that you don't like these companies any more than I do. But in the midst of it you seem to be making the case for a type of "acceptable" level of adware, rather than a rally to "how do we beat 'em now?" which is an uncomfortable residue of this discussion.

So what are you saying in a general sense (not WhenU particularly for the moment)? Is there no productive way that Anti-Spy can assist if an adware drops below a certain level? And if such is the case, where might that level be defined? And if defined, How does one prevent further slippage (herein lies the brow of the proverbial slippery slope)?

And who will be paying the legal bills of anti-spyware vendors once they start targeting such software and hanging scarlet letters on the ones that IT admins really hate?

I didn't figure there would be any. Adware is within your pervue (at least traditionally). There are lots of mass uninstallers out there (regedit comes to mind), so that concept shouldn't be a problem... If the "known offender" thing is what is in the way, then just give me a PUP (Spybot S&D) page with a "Select all" in settings. Then I can cherry pick the acceptable ones out of the list rather than checking the whole list except three or four...

I'm sorry, but most of the ideas you've offered in this latest post are simply not practical or advisable for anti-spyware companies, who are already faced with a minefield of trouble as it stands.

*sigh* that is odd, as this post was basically a recap of a previous one which I felt you found acceptable (re: What were we arguing about?)

Regards,
Bruce]]> http://www.dslreports.com/forum/remark,13982109 Mon, 25 Jul 2005 18:31:04 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13981651 SpannerITWks : Hi Eric,

Thanx 4 your earlier reply, i did check out those links you posted, and a few more besides !

I don't know where you + Suzie + TeMerc + all the other good peeps get the patience to to do as MUCH as you All do. I'm a very patient guy, but i think the mountains of info you all must read/write, along with the significant amount of time it must take researching + cross referencing it all + hosting/posting it etc, would burn most people out.

- - -

2 everybody -

Sure people will have differences, that's just how life is. Not perfect, never has been and Never will be, and they should get used to it and relax a bit more. But when it gets personal it's stepped over the line and benefits No One or the issues. In fact it makes it so much worse cos some people waste lotsa time on that and not what it's Really about.

Exchanging ideas and discussion is great cos it helps us All move forward, sometimes faster, sometimes with hurdles thrown in the way. Who said everything was meant to be easy peasy all the time, cos it aint, but let's @ least try and move in the right direction together.

The crapware merchants would just love it if we all fell out and couldn't sort it out amongst ourselves ! So let's try and keep focused on the Real bad guys hey.

Regards,

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks]]> http://www.dslreports.com/forum/remark,13981651 Mon, 25 Jul 2005 17:28:47 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13979229 eburger68 : Sybille:

You wrote:

said by sybille

:

I still believe that what users want, in so far as it can be determined and however complex it may be, could run counter to the interests of the ASW vendor.

I didn't see that you responded to that concern in particular.

It's always possible that there could be instances in which their interests are not identical. The better that anti-spyware vendors can discern or compel users to announce their true intentions and preferences, the less likely that will be a problem. In fact, it's in the interests of anti-spyware vendors to align their programs with users' desires and intentions.

I agree, though, that convergence can never become perfect union.

Eric L. Howes
--
Microsoft MVP

Sunbelt Software Consultant

Spyware Warrior]]> http://www.dslreports.com/forum/remark,13979229 Mon, 25 Jul 2005 12:09:47 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13979144 sybille : I fully agree that what users want is convoluted. If it were not, the users would not install unwanted software in the first place, for example.

I think your idea to require that users clarify their intentions by means of different checks is a very good one. It both helps protect the ASW vendor and can serve to educate the user.

In that case, the aims of the two parties converge, at least to some extent.

I doubt this would be the case in each instance.

I still believe that what users want, in so far as it can be determined and however complex it may be, could run counter to the interests of the ASW vendor.

I didn't see that you responded to that concern in particular.

Of course, you're not required to respond, either. :)]]> http://www.dslreports.com/forum/remark,13979144 Mon, 25 Jul 2005 11:58:48 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13979111 eburger68 : JustBasics:

You asked:

said by Just Basics

:

Let me see if I understand this correctly -

The program will still detect the 3 adjusted programs from WhenU and if Quarantine or Remove All is selected AS THE PROGRAM DEFAULT the programs will be automatically deleted or Quarantined?

Yes, CS will still detect the three programs. When you're presented with the scan results list, the default action for those three programs will be "Ignore." If you want to remove the programs, you can:

* Change the action for each program individually to "Remove" or "Quarantine," or

* Change the action for ALL detected programs in the scan results list to "Remove" or "Quarantine"

Note that if you scan again and those three programs are detected again, the default action will still be "Ignore." In other words, the "Set single action" option applies only to the current scan results.

Now, one thing I have been recommending anti-spyware vendors do is add a "Blacklist" function in addition to the "Whitelist" ("Always Ignore" or "Don't Detect") function that most anti-spyware apps already have. This option would allow users to customize their scan detections to better suit their own preferences.

TrendMicro AntiSpyware (formerly SpySubtract) already has such a blacklist (see attached screenshot). The trick is that the only way to add items to the blacklist is to select them from the scan results, which means that the items have to be detected first before they can be blacklisted (you can't specify in advance, for example, that you always want WhenU products removed).

Best,

Eric L. Howes
--
Microsoft MVP

Sunbelt Software Consultant

Spyware Warrior

]]> http://www.dslreports.com/forum/remark,13979111 Mon, 25 Jul 2005 11:55:41 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13979012 Shriyash : i think thats a great suggestion Diazruanova. definitely worth considering, IMO.]]> http://www.dslreports.com/forum/remark,13979012 Mon, 25 Jul 2005 11:43:54 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13979009 Cudni : Yes, indeed we like long and convoluted arguments :)

but civil

Cudni
--
Think locally, @#!? globally!
Help yourself so God can help you]]> http://www.dslreports.com/forum/remark,13979009 Mon, 25 Jul 2005 11:43:12 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13978999 antiserious :

... what, and spoil all the fun ? ...
]]> http://www.dslreports.com/forum/remark,13978999 Mon, 25 Jul 2005 11:41:15 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13978916 Just Basics : Let me see if I understand this correctly -

The program will still detect the 3 adjusted programs from WhenU and if Quarantine or Remove All is selected AS THE PROGRAM DEFAULT the programs will be automatically deleted or Quarantined?

If this is the case I wish someone would have mentioned it on page 1 of this thread!]]> http://www.dslreports.com/forum/remark,13978916 Mon, 25 Jul 2005 11:26:56 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13978851 Diazruanova : Quote.
------------------------------------------------------------------
Alex said : Ignore is probably the wrong word, as it does not mean the program is not detected. It is detected and presented to the user, and the user then decides if he/she wants to keep it or not. I have blogged a lot on what Ignore means - you can read some of my thoughts on this matter at sunbeltblog.com.
------------------------------------------------------------------

What about IF instead of "ignore", appears the word:

"OPTIONAL" and just to the right/left (or wherever possible) of the results, or with a pop-up window, a legend with the meaning of the "OPTIONAL" suggestion? maybe something like:

"Because of the low risk clasification of this software, you can delete, quarantine or ignore and keep it as desired"

Just a suggestion for your new version.

Diazruanova]]> http://www.dslreports.com/forum/remark,13978851 Mon, 25 Jul 2005 11:14:43 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13978712 eburger68 : Bruce:

OK, this is a bit embarrassing. Last night you wrote:

said by roamer_1:
So here are a couple proposals to pass on to your pals at Counterspy:

1. Give me a "Select ALL /remove" option

I chirpily said that it was a good suggestion. Had I explored the dim recesses of my memory first, however, I would have told you that CounterSpy already HAS such an option -- see the first attached screenshot above.

Notice the "Set a single action for all items" link next to the "Take Action" button. That link brings up a dialog box (see the second screenshot) that allows you do configure all detected items to for "Remove" or "Quarantine," no matter what the default action is.

I guess I didn't remember that such an option existed because in the testing I do, I never use it. I always inspect each detection one by one and select or verify the actions for each detection.

My apologies for the oversight and confusion.

(Note: the screenshots above are from CounterSpy 1.5 beta, but the same option and dialog box exist in the current release version 1.0.29.)

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior

]]> http://www.dslreports.com/forum/remark,13978712 Mon, 25 Jul 2005 10:54:25 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13978615 eburger68 : Sybille:

You wrote:

said by sybille

:

It is understandable that the ASW vendor would want to protect its interests and avoid such a situation.

However, what if the customers and users want something that is not in the interest of the ASW vendor?

For example, what if customers and users want am ASW program that will identify all programs made by WhenU as being equally undesirable?

This would not be in the interest of the ASW vendor that wants to protect itself from being sued, but it's certainly something that customers and users could desire.

How could such a conflict of interest be resolved most usefully?

Actually, this isn't quite as big of a problem as the previous hypothetical that I was responding to. A few observations and points:

1) The more that anti-spyware vendors can demonstrate that the features and performance of their applications reflect the actual preferences of their users, the stronger a position they'll be in. It's much sounder for anti-spyware vendors to point out that what adware vendors might object to is actually wanted by the customers of anti-spyware applications.

2) The trick here is that -- I hate to say it -- users are fickle and engage in self-contradictory behavior. Polls do show that most folks don't want spyware/adware on their systems. They hate it. But they don't always act in a manner consistent with that expressed wish because, as Bruce already pointed out (and which the study I referenced earlier also emphasizes), users like the freebie goodies as well. Moreover, as I noted several times earlier, users can even be divided themselves over what constitutes undesirable software in some cases.

So, we can get into situations where "what normal users want" isn't always clear and simple, esp. when a software vendor puts very clear forms of notice and disclosure in front of them and the users click through, apparently indicating their consent.

Note: I don't happen to think that much of what passes for "notice and disclosure" among adware vendors is meaningful because of all kinds of problems which I can't get into right at the moment. There are going to be some forms of notice and disclosure that are so clear, conspicuous, and straightforward that it becomes difficult for me to look at them and imagine how users could get through without knowing what they were installing. Those situations are very much the exception at present, though.

3) When user intent or desire becomes murky or divided, the best thing anti-spyware vendors can do is add "extra checks" (for lack of a better term at the moment) into their anti-spyware apps to get a better sense of what users' real intentions and desires are.

For example, forcing users to change the default in some cases from "Ignore" to "Remove" is one way to do that, because it allows anti-spyware vendors to claim that the users made the affirmative, unambiguous choice to remove the software of their own volition.

There other "extra checks" that anti-spyware vendors can build in to strengthen the case that the removals were the actual desire and intent of the user, but the above is one example.

I know that some folks here will read this and say, "I know what I want! It's not so difficult to figure out, and I'm completely consistent in my actions." That's all very well and good, but things do get a bit murkier when we're dealing with less knowledgeable users who don't always act consistently.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13978615 Mon, 25 Jul 2005 10:42:55 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13977553 fcukdat : First of all,a big thanks to WCB for bringing this discussion back to alevel of respectibility/intelligence(Its more productive this way:)).

Thanks Alex for returning to the discussion and persuing a company policy of full disclosure on this thorny issue.

I was amazed at he backlash at youself,Eric &Suzi but having said that as all have acknowledged this is a thorny issue open to discussion.

But none the less full disclosure and openess should be greeted with respect and not open hostlity even if its a thorny issue.

Half the problem with Lavasoft's stealth removal of all WhenU detections was when discovered the company refused to address user's concerns or explain their actions for quite some period of time.Even then i'm fairly sure the truth never emerged:(
IRC AC did'nt make any appearances,it took a while for one of their support forum admins not even LS employed(the amiable "Corrine") to start doing the PR rounds without any concrete information.Subsequently MW(LSMikeW) of Lavasoft came other to try and put down the mob&concerned user's by telling them to practice DHAO.Lesson 101 in dire corperate PR:(

Im glad that yourself&your reps do not operate this way:)

I understand the situation that all Bot killer vendors are facing with reguards adware companies and lawsuits(detection&removal issue's).
So far i've found the Sunbelt model of defining problematical software as being the best in the industry.
I would also like to say that your way of dealing with threatened legal action is also second to none in the privacy industry.
Please for the sake of all keep it up:)

All-

Here's an interesting discussion on another relevent topic here at dslr security forums.

»www3.dslreports.com/forum/remark,13966689]]> http://www.dslreports.com/forum/remark,13977553 Mon, 25 Jul 2005 05:44:13 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13977517 sybille :

said by eburger68

said by roamer_1:

The people you are talking to here are the guys that have to tell those users "You can't have that. All this crap is pluggin up your box."

I agree with this, although I notice that your hypothetical example focuses on the ASW vendor being taken to court.

It is understandable that the ASW vendor would want to protect its interests and avoid such a situation.

However, what if the customers and users want something that is not in the interest of the ASW vendor?

For example, what if customers and users want am ASW program that will identify all programs made by WhenU as being equally undesirable?

This would not be in the interest of the ASW vendor that wants to protect itself from being sued, but it's certainly something that customers and users could desire.

How could such a conflict of interest be resolved most usefully?

Even if we do not have "hard numbers" to demonstrate what customers and users want in the particular case under consideration at present, it does not seem far-fetched to me to suppose that the interests of customers and users would differ from and possibly conflict with those of any company, including those of an ASW vendor.]]> http://www.dslreports.com/forum/remark,13977517 Mon, 25 Jul 2005 05:18:23 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13977490 eburger68 : ctrip:

You wrote:

said by ctrip

:

Make all the well reasoned arguments you want. I believe that over 50% of your customers do not want WhenU downgraded.

As I already explained several times now, Sunbelt did not "downgrade" WhenU across the board, as you imply. It downgraded three particular apps that it determined were comparatively low risk, but will still remove them if users elect to remove them.

The main WhenU adware application, Save!/SaveNow, which in my experience causes the most consternation among users because of unwanted pop-up advertising on the desktop, has not been downgraded at all. It remains targeted for removal with a default action of "Quarantine."

I'm all for taking users' opinions into account -- they're ultimately the ones we serve. But it won't do to simply assert with no evidence that you believe you know what the majority of users would want. I don't doubt that many wouldn't want those three apps downgraded. Just what percentage we don't know, however, and neither do you.

Eric L. Howes
--
Microsoft MVP

Sunbelt Software Consultant

Spyware Warrior]]> http://www.dslreports.com/forum/remark,13977490 Mon, 25 Jul 2005 04:55:54 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13977465 eburger68 : Bruce:

You wrote:

said by roamer_1

:

I would be sayin "Hell Yes"! (providing explicitly that "Known Offenders" are prechecked for removal, and that "Known Offender" status has a real, un-watered effect and a long and serious probationary period).

And the known offenders would have to be determined by some set of criteria that themselves would have to be drafted. Moreover, hanging a "known offender" status on vendors because of reputation issues would be an invitation to still further complaints and legal threats. This looks to me like yet another attempt to insert a "because-it's-WhenU" trump card into the review process.

You worried earlier about anti-spyware vendors getting buried by petitions and legal threats -- this is the surest way to achieve that outcome.

said by roamer_1

:

It's the "ignore" action that got me baked.

And that is the gist of the downgrade as I see it... that WhenU now only meets the criteria of "ad-sponsored" rather than spyware or adware. Well fine, then EXPAND the software to include "ad-sponsored" software too...

Sunbelt does not make targeting decisions by starting with labels, which I've already explained are useless as the basis for targeting decisions, and then determining threat levels. We start with the specific practices, behaviors, and functionality included in the Listing Criteria...

»research.sunbelt-software.com/li···eria.cfm

...so telling Sunbelt to include "ad-sponsored" software is simply pointless -- Sunbelt doesn't even USE such a label or category. The categories we do use are assigned at the end of the entire evaluation process and are more designed to provide a simple description of the software for users. We could throw the labels out tomorrow and still do reviews of software, but it is the criteria we look to, not the labels.

If you want to suggest changes, start with the Listing Criteria. If there are behaviors, functionality, or practices that you think are ommitted, then please suggest them -- it's always possible that we've missed something.

Truth be told, I don't even know what you mean by "ad-sponsored" software and how that would differ from the wide range of software most folks already call "adware." These labels are a dead-end street -- they're pointless and useless as the basis for targeting decisions.

said by roamer_1

:

It has been bandied about here that these types of programs are actually desireable to users- That dog don't hunt.

Users desire EVERYTHING. especially if it is free and has bouncy, flashy bits...

The people you are talking to here are the guys that have to tell those users "You can't have that. All this crap is pluggin up your box."

In other words, Sunbelt should start basing its targeting and evaluation decisions not on what its customers and users want, but what some IT guys think is appropriate for them.

Sorry: that dog just died.

Adware vendors would make so much legal hay with that targeting philosophy. I can see the courtroom now:

* Adware vendor's legal team shows the judge all the notice and disclosure provided during installation -- notice screens, EULAs, you name it -- and demonstrates how users must indicate their consent to the installation of the software.

* Anti-spyware vendor's legal team then replies that such may be true, but the anti-spyware vendor has polled IT admins, who know better than than the users themselves what those users need.

* Adware vendor's legal team then brings in five outraged users who really did want the screensavers and the talking purple monkey and were distraught when the anti-spyware program removed it.

* Anti-spyware vendor's legal team brings in five IT admins who all roll their eyes in unison and explain how the users shouldn't have been downloading that trash to begin with.

No, I'm afraid that's not going to work.

said by roamer_1

:

This is another whole facet to the war on the ground, and people are scared that you guys (in general) are gonna drop the ball and leave us in "Add and Remove" hell. You've got to remember that we don't have a fancy server down in IT preventing users from installing crap we don't want.

If you work in a corporate environment and are dealing with recalcitrant users who won't follow company policy, then you need an enterprise level anti-spyware product that gives the admins more administrative control over the software that gets installed on the company's computers. Sunbelt offers such a product, as do a number of other anti-spyware vendors.

But we can't take a consumer product and turn it into a poor-man's backdoor admin tool for IT admins to exert control over their know-nothing clients.

said by roamer_1

:

So be a pal... make it better. Expand into ad-sponsored "legitimately" installed Doh-ware... you'll make my day.

And who will be paying the legal bills of anti-spyware vendors once they start targeting such software and hanging scarlet letters on the ones that IT admins really hate?

I'm sorry, but most of the ideas you've offered in this latest post are simply not practical or advisable for anti-spyware companies, who are already faced with a minefield of trouble as it stands.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13977465 Mon, 25 Jul 2005 04:34:55 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13977217 ctrip : Make all the well reasoned arguments you want. I believe that over 50% of your customers do not want WhenU downgraded.

You can either take into consideration your customers opinions or not when deciding your criteria.

If you decide to consider their opinions, you will. If not, then we have the status quo. It is a business decision and nothing we say will change that.
--
Spread Internet Explorer! - The browser you can trust to not have those annoying Firefox twits pushing it!]]> http://www.dslreports.com/forum/remark,13977217 Mon, 25 Jul 2005 02:46:04 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13977103 Shriyash :

said by roamer_1

:

Eric,

It's the "ignore" action that got me baked.

Users desire EVERYTHING. especially if it is free and has bouncy, flashy bits...

The people you are talking to here are the guys that have to tell those users "You can't have that. All this crap is pluggin up your box."

I have a particular client .....
She is inordinately fond of electronic pets and free internet games. She LOVES emoticons and font packages. She has downloaded every screensaver known to man... and she just doesn't get it. No matter how often I explain it to her, no matter what preventive software I load on... And her teenage daughter is just as bad. They both are clueless, the worst I've got... but they are very far from alone.

So just because it is desired by the user (lets not even talk about underage kids "legally" installing on the family box) does not mean that it is good for the user. They aren't ever gonna read a EULA and don't care what it says. They glaze over when I start talking geek...They just expect me to show up, waive my ju-ju beads, mutter some x-rated incantations, and exorcise the evil they have let into their lives.

Regards,
Bruce

you said it very well roamer1, i have someone closer to home thats exactly like the client{and her daughter!} you mentioned, namely my little sister! :)

she is almost a mirror image in terms of behaviour to the 2 ladies mentioned above, and it is me, who has to clean up her pc everytime as a result!
she says to me " oh but i dont know how my pc became so slow........... i dont know how to remove all this,......... its too complicated...."

i dont mind the practice, but i, in turn would like to transfer this job to an anti-spyware application, because they can do a much thorough and efficient and complete job than i could ever do manually.

but i am just dreading the day that she runs an antispyware app. only to be given 3 options,{she cant understand what this'qurantine' business is} for 10 detected things that she has no idea, wether to keep or delete. ]]> http://www.dslreports.com/forum/remark,13977103 Mon, 25 Jul 2005 02:12:44 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13976877 roamer_1 : Eric,

Well, perhaps it got missed in the fray...

As discussed between you and I earlier:

If you added a page to the scan results wherein all ad-sponsored software (as opposed to adware)were listed, and where "Known Offenders" were pre-checked for removal... where I could also remove all the Doh-ware like YahooBar, AolMess (just to name two)... well that would be a big gain to me! I would be sayin "Hell Yes"! (providing explicitly that "Known Offenders" are prechecked for removal, and that "Known Offender" status has a real, un-watered effect and a long and serious probationary period).

It's the "ignore" action that got me baked.

And that is the gist of the downgrade as I see it... that WhenU now only meets the criteria of "ad-sponsored" rather than spyware or adware. Well fine, then EXPAND the software to include "ad-sponsored" software too...

It has been bandied about here that these types of programs are actually desireable to users- That dog don't hunt.

Users desire EVERYTHING. especially if it is free and has bouncy, flashy bits...

The people you are talking to here are the guys that have to tell those users "You can't have that. All this crap is pluggin up your box."

This is another whole facet to the war on the ground, and people are scared that you guys (in general) are gonna drop the ball and leave us in "Add and Remove" hell. You've got to remember that we don't have a fancy server down in IT preventing users from installing crap we don't want.

I have a particular client (doesn't everyone?) who needs my service on a semi-monthly basis. She is inordinately fond of electronic pets and free internet games. She LOVES emoticons and font packages. She has downloaded every screensaver known to man... and she just doesn't get it. No matter how often I explain it to her, no matter what preventive software I load on... And her teenage daughter is just as bad. They both are clueless, the worst I've got... but they are very far from alone.

So just because it is desired by the user (lets not even talk about underage kids "legally" installing on the family box) does not mean that it is good for the user. They aren't ever gonna read a EULA and don't care what it says. They glaze over when I start talking geek...They just expect me to show up, waive my ju-ju beads, mutter some x-rated incantations, and exorcise the evil they have let into their lives.

So be a pal... make it better. Expand into ad-sponsored "legitimately" installed Doh-ware... you'll make my day.

Regards,
Bruce

EDIT: Ladies, please don't flame me because my representation involved only those of the fairer sex... I have plenty of male users that are nearly as bad as the two I mentioned...
B]]> http://www.dslreports.com/forum/remark,13976877 Mon, 25 Jul 2005 01:09:07 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13976667 Kmtnwmn : Eric and Suzie,

I can see both sides of the issue. You can't condemn one that is truly walking the walk to reform. But you have to watch their every step for many miles. That's where CS's job gets tough.

Most of all I wanted to thank you for the dignity you have maintained though out this thread. That in itself speaks volumes to me. I don't get a chance to post much, but do read as often as I can. But I felt compelled because for the 1st time since I have read this forum, I felt almost ashamed to be on it's member list due to this thread.

I lost respect for some people whose opinions I once held in high regard, and gained more respect for others. Thank you both for your tact and not stooping to the back biting, jealousy I saw going on in this thread.

Again, that speaks volumes of your character and motivation.

Keep up the great work!
--
Life is not holding a good hand. Life is playing a poor hand well.]]> http://www.dslreports.com/forum/remark,13976667 Mon, 25 Jul 2005 00:18:08 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13976506 eburger68 : Bruce:

You wrote:

said by roamer_1

:

IMHO, That remains to be seen. The obvious reason for spyware vendors to pursue C&D, delistings, etc. is that they are shaking up the game, looking for a way to preserve themselves. any change to the playing field will undoubtably be exploited.

Oh, that's quite clearly their intention. But I said that it "need not happen," not that I could guarantee it WOULD not happen. It still could happen if anti-spyware companies aren't careful and disciplined. It's a possibility, but not a foregone result.

said by roamer_1

:

No, but "anti-adware" goes right along with Anti-spyware... you could do us all a favor by ADDING emphasis to the anti-ad part... no need to distinguish between adware and ad-sponsored-ware...:D

I use the term "anti-spyware applications" because that's what most people know those programs as. Truth be told, I've never liked the term "spyware" for all kinds of reasons. In fact, I often write "spyware/adware" just to be clear that I most certainly do include advertising software within the scope of programs that I'm discussing. And if you take a look at the Sunbelt Listing Criteria...

»research.sunbelt-software.com/li···eria.cfm

...you'll notice that "adware" functionality is a big part of what Sunbelt considers in its review process. And for my own thoughts on useless labels like "spyware" and "adware," see:

»https://netfiles.uiuc.edu/ehowes/www/junkware.htm
»https://netfiles.uiuc.edu/ehowes/www/ftc···ents.htm

Quite frankly, I'm sick of silly arguments that revolve around labels.

said by roamer_1

:

Ummm... so remind me again... what were we arguing about? I doubt anyone here would take exception to the scenarios above...

Actually, when I discussed flexible presentation methods within scan results earlier in this discussion thread, they were widely dismissed by people who insisted that there should be no distinctions made, that "flexibility" was tantamount to "sell-out," and that all adware/spyware programs should be presented to users in the same way and handled in the same way with no exceptions. That's part of what was being argued about.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13976506 Sun, 24 Jul 2005 23:51:07 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13976402 roamer_1 :

The bottom line is that there need be no Pandora's Box of adware de-listings, provided anti-spyware companies construct robust review processes. But it does require them to make tough calls that may not always be popular in some quarters.

IMHO, That remains to be seen. The obvious reason for spyware vendors to pursue C&D, delistings, etc. is that they are shaking up the game, looking for a way to preserve themselves. any change to the playing field will undoubtably be exploited.

Can anti-spyware programs start targeting all manner of programs that could bring the system to its knees?

No, but "anti-adware" goes right along with Anti-spyware... you could do us all a favor by ADDING emphasis to the anti-ad part... no need to distinguish between adware and ad-sponsored-ware...:D

said by roamer_1

:

1. Give me a "Select ALL /remove" option

Good suggestion.

said by roamer_1

:

2. Give me a separate page in the scan results for "Ad-Sponsored" software.
Include YahooBar, AOLMess, etc. (Not picking on them, just examples).
Any on that page rated as a "Known Offender" would be automatically checked for removal.
Those not so rated would not be checked.

Ummm... so remind me again... what were we arguing about? I doubt anyone here would take exception to the scenarios above...

Rgds,
Bruce]]> http://www.dslreports.com/forum/remark,13976402 Sun, 24 Jul 2005 23:30:29 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13976275 StraitShoot :

said by alexeck

:

We've done our due diligence on WhenU, as have many other antispyware vendors. Some other antispyware vendors just took WhenU off, which is patently wrong.
Alex Eckelberry
Presdient
Sunbelt Software

For some reason reading your post made me lighten up.. Maybe because you didn't get crazy with us "WhenU" haters out there and maybe because you actually said you respect our opinion..For that, thanks...

Now a question;... Who delisted WhenU? We have a right to know..I am assuming Aluria is one company...
Thanks
Jim]]> http://www.dslreports.com/forum/remark,13976275 Sun, 24 Jul 2005 23:09:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13976060 eburger68 : Ghost16825:

You wrote:

said by ghost16825

:

You're saying that just by coming up with a scan result, you're already made a recommendation.

Yep, that's what I'm saying. And that IS how users interpret the scan results, whether we like or not.

said by ghost16825

:

As I alluded to earlier, this seems to be a problem due to not having a clear scope of detection to begin with and/or not clearly telling consumers what the scope of detection for your AS app is.

Actually, I think you've got it backwards. The less clear, more vague, and more exapnsive your scope, the less and less you're making recommendations. The wider of a net you throw, the more you move away from making recommendations. That's why system cleaning apps have generally not had to deal with the hassles that anti-spyware vendors do -- because they're not discriminating and classifying the way anti-malware vendors do.

Selective Detection + Classification = Implied Recommendation (at least to non-knowledgeable end users; sysadmins are a bit of a different case)

said by ghost16825

:

Additionally, I would say it also comes down to user control. If the user has no or few options, than yes you have already made a recommendation for them.

I would agree that improved user control is a must, and most reputable anti-spyware vendors are struggling to figure out how to deliver that without overwhelming confused users with burdensome decisions that they find difficult to make.

Best,

Eric L. Howes
--
Microsoft MVP

Sunbelt Software Consultant

Spyware Warrior]]> http://www.dslreports.com/forum/remark,13976060 Sun, 24 Jul 2005 22:39:05 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975982 alexeck : SnoweOne:

I hear you. I hope it never comes across that I'm glowing over any adware vendor. I recognize the work they've done to clean up their channels, but we're certainly not happy play buddies.

Alex Eckelberry]]> http://www.dslreports.com/forum/remark,13975982 Sun, 24 Jul 2005 22:29:09 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975958 eburger68 : MerlynTech:

said by CajunTek

:

I think the biggest problem here is that WhenU is still a bad company with many bad products.. and singling out some as not so bad is not a good thing..

Well, this is essentially the same "because-it's-WhenU" argument that numerous other people have alrady made in this thread and which I have already responded to at length several times. Rather than rehash my responses yet again, let me simply point you to those earlier responses.

said by CajunTek

:

The other bad thing is this, you have had to spend many hours of your very valuable time defending this action. I wish you could have spent it working on IE-spyad, or the helping Sunbelt develope fixes for more serious malware, or even researching other rogueware...

I don't especially enjoy doing this, and I'm certainly no fan of WhenU. The decision was a tough one -- not pleasant or easy by any means. And, yes, I would much rather have spent my weekend doing something else. But the job had to be done, as unpleasant and frustrating as it might have been.

Also, if you look back through this thread and disregard the petty sniping and other such nonsense, you'll actually find a useful discussion between me and others (including critics) of some of the more substantive and knotty issues currently surrounding anti-spyware programs and how they detect and present potential threats to users. I do enjoy those kinds of discussions, as the topics and issues involved are my "bread-and-butter," so to be speak -- the kinds of problems I mull over endlessly.

So, I would hardly consider this thread a complete waste -- far from it.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13975958 Sun, 24 Jul 2005 22:26:03 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975937 ghost16825 :

said by eburger68

:

The minute you selectively DETECT some programs but not others on the user's hard drive, you're already saying to the user: "These programs are somehow different or more problematic than the others we haven't detected, and you ought to remove them from your system."

My point is that you're making implied recommendations even when you don't use the words, "We recommend that you..."

No, you can't get around making recommendations as long as you're selectively presenting detected programs to users. The only option you have is to make the recommendations more appropriate, accurate, informative, useful, and intelligible to users.

Best,

Eric L. Howes

No, I for one strongly disagree with this. (See my previous post). You're saying that just by coming up with a scan result, you're already made a recommendation. As I alluded to earlier, this seems to be a problem due to not having a clear scope of detection to begin with and/or not clearly telling consumers what the scope of detection for your AS app is. Additionally, I would say it also comes down to user control. If the user has no or few options, than yes you have already made a recommendation for them.
--
Admin of the Kerio 2x-like open source project:
http://sourceforge.net/projects/kerio/
http://kerio.sourceforge.net/
]]> http://www.dslreports.com/forum/remark,13975937 Sun, 24 Jul 2005 22:24:05 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975936 SnowyOne : All well & good except I think Sunbelt Software took a turn south when it referred to WhenU as straight, decent internet citizens.]]> http://www.dslreports.com/forum/remark,13975936 Sun, 24 Jul 2005 22:23:59 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975830 alexeck : Against perhaps my better judgment, I'm going to wade into this soup again. I'm also currently out of town on vacation and haven't been able to follow this issue as closely as I would have liked too.

Every one of you who has expressed concern over the WhenU listing is, in fact, totally justified in doing so.

Antispyware vendors have a disgraceful history dealing with adware. There's even a vendor out there that actually did a financial transaction with WhenU, something that still makes my head whirl.

I have always felt that the problem in this business was one of trust and broken trust. You buy a product, and then your vendor gets weak in the face of a threat or a desist letter or whatever, and then betrays your trust by delisting a program.

I've stayed clear of petty snipes at some of competitors, because my opinion is so totally, obviously biased that it would be meaningless to say anything. However, I have privately fumed with our team as to how these vendors could do such things.

So there I sat at the Antispyware conference a few months back, watching all the adware vendors do their shtick as to how they had improved and gotten better. And a bunch of us got up, myself included, and offered conclusive proof as to why there wasn't the ring of truth to their claims. There were a lot of very, very pissed off Antispyware people there.

Then Bill Day from WhenU got up and talked, and a number of us listened. Because out of all the slick slimeballs there, this guy actually sounded sincere and had real actions to back his words. He is not an adware guy. He was the founder of About.com and is more of an adverting guy, brought in to clean up WhenU.

We went back to business after the conference and then, as can be expected, got a call from WhenU.

They wanted to get delisted.

I personally got on the conference call with their president, along with members of my research team and told them flat out: You will never, ever be delisted from a Sunbelt database. The only thing we would ever consider doing is changing their threat level.

We have a very carefully followed protocol when it comes to these things. We put any vendor complaint through an exhaustive, formal review process. It is based on objective and subjective criteria and takes some time.

We went through this process, and we were genuinely surprised.

WhenU had actually done a considerable amount to reform their actions.

This didn't mean, however, that their past actions weren't an issue. But there current state was 180 degrees different than just 12 months ago.

I was actually a bit worried. Could we have made a mistake? So I personally downloaded, on my work production system (not a Vmware), every single WhenU app I could find. I did the same as an innocent user might do.

Then I let the programs run. Now, I am a fairly experienced with spyware, having done my share of de-infestations of machines.

Well, WhenU Save was certainly still a problem, as the research team had found. But programs like WeatherCast simply didn't justify being in at their threat level.

So we determined, that in line with our listing criteria, they would be downgraded to Low Threat and a default action of Ignore. (Ignore is probably the wrong word, as it does not mean the program is not detected. It is detected and presented to the user, and the user then decides if he/she wants to keep it or not. I have blogged a lot on what Ignore means - you can read some of my thoughts on this matter at sunbeltblog.com.)

When it comes to antispyare databases, consistency is key. And we certainly feel that transparency is the key as well. So we posted our reasonings and announced it to the world. If you read the PDF, it clearly lays bare our thinking (what's incredible is that WhenU is now back at us arguing our decision -- something that I admit to being a bit irritated about myself).

So for those who are upset about this, good. Your voice is the conscience of this industry.

I pay some pretty big legal bills fighting spyware vendors. Being alone is tough sometimes, and having a strong voice out there to support people in our position is greatly valued.

The problem is that we need to fight the major problems. 180, DR, CWS, and all the others who need work.

We've done our due diligence on WhenU, as have many other antispyware vendors. Some other antispyware vendors just took WhenU off, which is patently wrong.

But WhenU is not worth the fight. They are absolutely in the database and will be detected on user systems, but believe it or not, the installations that are getting on people's machines are, for the most part, ACTUALLY WANTED.

(I can't understand why someone would want a program like WeatherCast, but some people actually like a little ticker that gives them weather alerts. So be it.)

We need help on the major issues, the ones that are taking down people's machines, the stealth installs, the poor or non-existent disclosures, and the idiotic lawsuits and cease and desist letters that are causing endless hassle to us Antispyware vendors.

I really do value this forum and the input. I don't post often, but I do a lot of reading. Many of you posting here are people I have a great respect for, having read other posts of yours. It means a lot that you care to take the time and make your points.

As always, you can always email me directly at alex(at)sunbelt-software.com

Keep up the good fight,

Alex Eckelberry
Presdient
Sunbelt Software]]> http://www.dslreports.com/forum/remark,13975830 Sun, 24 Jul 2005 22:11:49 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975827 eburger68 : SpannerITWks:

You wrote:

said by SpannerITWks

:

Why would Anyone want ANY adware etc on their comps in the first place ! Surely they would want to get rid of it all @ the first available oppourtunity, Not choose to keep it ?

Hard as it may be to believe, there are some folks who either want or are willing to put up with some of the *milder,* more *inncouous* forms of adware (I can't imagine anyone actually wanting EliteBar/SearchMiracle or Aurora, unless they were some wierd techno-masochist).

Want some heavy reading? Try this out:

Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware
»www.sims.berkeley.edu/~jensg/res···tudy.pdf

That ethnographic study examines the way users actually make download and installation decisions, and their decision-making processes are more involved than you might think.

The study is not without its problems -- see here for my response:

Muddy Data, Vague Notice, & the Swamp of User Consent
»www.spywarewarrior.com/elh/muddy_data.htm

The point here is that there are *some* programs that users themselves are actually divided over -- we've seen examples right here in this thread. The challenge for anti-spyware vendors is to figure out how to accommodate the competing demands and expectations of these users.

Best,

Eric L. Howes
--
Microsoft MVP

Sunbelt Software Consultant

Spyware Warrior]]> http://www.dslreports.com/forum/remark,13975827 Sun, 24 Jul 2005 22:11:36 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975793 CajunTek : Eric,

I think the biggest problem here is that WhenU is still a bad company with many bad products.. and singling out some as not so bad is not a good thing..

The other bad thing is this, you have had to spend many hours of your very valuable time defending this action. I wish you could have spent it working on IE-spyad, or the helping Sunbelt develope fixes for more serious malware, or even researching other rogueware...
--
Lost in Texas]]> http://www.dslreports.com/forum/remark,13975793 Sun, 24 Jul 2005 22:07:26 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975749 eburger68 : Wildcatboy:

You wrote:

said by Wildcatboy

:

Why would you want to recommend anything in the first place? The software's job is to detect what's there. Who says the software's job to tell me what to do? Just detect the malware based on a certain guidelines and leave a link in front each to a help file.

Once you stay away from the business of telling people what to do, then we won't have to go through similar situations.

You can't avoid making recommendations. The minute you selectively DETECT some programs but not others on the user's hard drive, you're already saying to the user: "These programs are somehow different or more problematic than the others we haven't detected, and you ought to remove them from your system."

Slap a label like "Spyware found" in the scan results screen, and you've effectively suggested to users that the programs presented below that label are "bad" and should be removed.

Throw up warning boxes with flashing red text (as some anti-spyware programs do) or sound alarm bells (as still others do) and the recommendation is even more pronounced.

My point is that you're making implied recommendations even when you don't use the words, "We recommend that you..."

And that is most certainly how users interpret those scan results: as advice, warnings, and recommendations. Take a look at threads here at DSLR where users breathlessly post screenshots of their anti-virus program or anti-spyware program detecting some file or program on their systems. They often say something like, "My AV program said this was a trojan and that I should remove it."

Implied recommendations are also what make false positives so alarming to non-tech-savvy users, who are confused and frightened that their anti-malware programs are apparently "telling" them that a program they thought was OK is now a "virus" that has to be removed.

No, you can't get around making recommendations as long as you're selectively presenting detected programs to users. The only option you have is to make the recommendations more appropriate, accurate, informative, useful, and intelligible to users.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13975749 Sun, 24 Jul 2005 22:00:29 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975713 SpannerITWks : Why would Anyone want ANY adware etc on their comps in the first place ! Surely they would want to get rid of it all @ the first available oppourtunity, Not choose to keep it ?

Even better is not to get it installed anyway by securing their PC's + Browsers properly, and not accepting too good to be true Apps etc, that they don't Really need.

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks]]> http://www.dslreports.com/forum/remark,13975713 Sun, 24 Jul 2005 21:55:37 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975692 Wildcatboy :
Unless you have something more intelligent to say than Puh-lease, LOL and I'm baaaaack you may consider staying out.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,13975692 Sun, 24 Jul 2005 21:52:18 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975655 eburger68 : Bruce:

You wrote:

said by roamer_1

:

If criteria need be established in order to CYA in legal terms, then that obviously must be done- but as I said in my previous post, I worry that thousands of "Change of Rating" requests would have a tendency to overwhelm the resources of an Anti-Ad company and I foresee and hereby predict that logical end.

I worry about this as well -- not only with respect to anti-spyware companies but even more so with independent researchers and web sites, who don't have the financial resources to defend themselves legally.

One thing I've been urging the anti-spyware vendors that I talk to to do is to set up some kind of informal process or structure for sharing information about who's been approached or threatened by various adware companies. Anti-spyware companies need to cooperate more on a lot of things, but sharing information on challenges and threats would be most useful and could allow the anti-spyware industry to formulate a more coordinated and effective defense against legal challenges.

said by roamer_1

:

It is far easier for me to believe these companies are building a "Bait and Switch" rather than to surmise they have "Seen the Light" and are now noble creatures suitable for edification as bronze busts on marble columns.

That's also a very legitimate worry, and most of the adware companies that I've seen have exhibited very little tendency or inclination to actually do the hard work of cleaning up their acts. At best, they're more interested in making cosmetic changes and then bullying anti-spyware companies into dropping their software from the detections.

In the rare case that we do encounter a company that appears to be making substantive changes, though, I find it hard to maintain that we should ignore such progress, where it can be verified.

said by roamer_1

:

As I said in my previous post- It isn't so much whether or how you rate things that I care about, it is what you do with that rating, and therein lies the friction between "your side" and "mine". The ACTION taken by the software is where all the gripe is here.

As I've said in numerous posts here, I think that the actual behavior and functionality (the "action," as you put it) should be the primary (but not exclusive) focus, and that's exactly why I've been asking folks here over and over to tell me what specifically these three programs (WhenUSearch, ClockSync, Weathercast) do that warrants a risk rating of higher than "Low risk." So far, no one's been able to address this question square-on or back up their conclusions with evidence.

said by roamer_1

:

I envision a time when 300 of those 500 spy\ad bots are rated to "ignore" and I have to laboriously wander down the entire list hitting the pulldown and changing the "ignore" to "remove" line by line...

That certainly would be an extreme annoyance. In fact, Lavasoft Ad-aware Personal already forces users to laboriously check every box in the scan results (one of the benefits to upgrading to the Plus or Pro versions is that you get a nice checkbox to automatically select all results in the scan results screen).

That said, I really don't think we'll get to the point where 300-500 adware/spyware programs are set to "Ignore." Here's why:

The nightmare scenario you lay out is based (I assume) on the fear that in downgrading or reclassifying one adware program, anti-spyware vendors open a Pandora's box which will quickly cause hundreds more to be downgraded. But that scenario happens only if anti-spyware vendors don't have a solid review process in place and haven't established standards of some sort to guide (but not completely determine) that review process.

It is quite possible to have a review process in place that allows for reclassifications and de-listings without giving away the store. I can vouch for this from personal experience. Not only do I maintain several well known block lists...

»https://netfiles.uiuc.edu/ehowes/www/resource.htm

...but I administer the Rogue/Suspect Anti-Spyware page:

»www.spywarewarrior.com/rogue_ant···ware.htm

Both projects attract their fair share of complaints and even threats from companies of one sort or another. In both cases, though, I have occasionally reclassified or even removed domains or listed software from the block lists or the Rogue/Suspect page. Removals are very much the exception, not the norm. But I do have to provide a review process of some sort and give requests from companies due consideration. I end up rejecting far more removal requests from companies than I grant. In some cases, I've been rejecting the repeated requests from the same companies for a year or more because they haven't fundamentally changed their products or their web sites.

I must admit that when the first credible removal request hit my inbox, I was very worried that if I gave in to one, I'd effectively give away the whole store. That concern was misplaced, as it turns out. I've found it quite practical to grant removals in the rare instances where I think they are truly warranted while holding the rest of the problem actors at bay.

The bottom line is that there need be no Pandora's Box of adware de-listings, provided anti-spyware companies construct robust review processes. But it does require them to make tough calls that may not always be popular in some quarters.

said by roamer_1

:

Privacy issues aside, in answer to your question posed to StraightShooter, it isn't the one adware left behind that is terribly harmful to to the system, it is the aggregate. This is true of ad-sponsored and purchased softwares too. Shutting off all the TSRs in a box is already a problem. There is no sense making it worse.

Well, I'll hand it to you -- that's the most credible answer I've heard yet to my question, though it still doesn't quite address the question or scenario square-on. It's also somewhat problematic, because the implied standard ("aggregate effect on the system if installed in volume") would be easily applicable to other types of completely legitimate software.

For example, I've seen boxes where the users were infatuated with cool screensavers, wallpapers, icons, custom cursors and so forth that were so completely junked up that using the system was difficult indeed. I've also seen boxes that were simply overwhelmed with the sheer number of programs installed by the OEM and running in the system tray (in fact, back in the Win9x days, tech support at OEMs used to routinely advise users to resolve their problems by disabling all the resident auto-run programs clogging the system tray).

Can anti-spyware programs start targeting all manner of programs that could bring the system to its knees? You could certainly build a cleanup and removal tool that would help users unclog their systems of all the (legitimate) garbage they or their kids installed, but that would resemble more one of the many system cleaning tools that are already on the market (and, yes, we have had proposals here at DSLR for anti-spyware vendors to revamp their programs into more general system cleaning tools).

said by roamer_1

:

1. Give me a "Select ALL /remove" option

Good suggestion.

said by roamer_1

You're thinking along the same lines I do -- revamp the scan results in anti-spyware programs to provide more flexible, useful, and intelligible ways for presenting a wide range of potentially risky software (from the lowest of the low risk adware programs to out and out malware) to users for possible removal. Anti-spyware vendors are currently changing their scan results in just this way. See this page for a discussion of those changes with screenshots:

»www.spywarewarrior.com/asw-notes···ults.htm

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13975655 Sun, 24 Jul 2005 21:46:52 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975647 SnowyOne :

said by DakAD:

I wonder wether that simple change would satisfy most of the people who have objected to counterspy's reccomendation to 'ignore' WhenU?

I'd consider that change a change for the better.
It would also hamper the ability of a known Ad/SpyWare vendor to put out a few "clean" apps for the only purpose of creating argument & discourse among the AntiSpyWare Community. Divide & conquer is a time honored strategy.]]> http://www.dslreports.com/forum/remark,13975647 Sun, 24 Jul 2005 21:46:07 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975644 StraitShoot : Forget it... This is ridiclous. ]]> http://www.dslreports.com/forum/remark,13975644 Sun, 24 Jul 2005 21:45:57 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975615 Wildcatboy :
Why would you want to recommend anything in the first place? The software's job is to detect what's there. Who says the software's job to tell me what to do? Just detect the malware based on a certain guidelines and leave a link in front of each to a help file.

Once you stay away from the business of telling people what to do, then we won't have to go through similar situations.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,13975615 Sun, 24 Jul 2005 21:42:00 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975603 anon : I haven't read this entire thread, but I've read some pages and reading the last entries I have a question. I don't have CounterSpy, but if I installed it, I think I would have it delete anything it found regardless of if it said "ignore". Could doing that compromise your Windows system or cause other problems?]]> http://www.dslreports.com/forum/remark,13975603 Sun, 24 Jul 2005 21:40:16 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975546 anon :

Truth be told, I've never been a big fan of the "Ignore" label and have recommended changing it to something that more accurately reflects what Sunbelt is trying to do and say with that particular default action

^E Howes
----------------------

I dunno... i think the ignore (oh, thats how its spelt :D) recomendation is useful, but should be for programs that are no longer a problem at all (but are still included incase anyone has an older, objectionable copy) or are on a 'probationary' period; I agree that ignore, as applied to dubiouse apps like WhenU, is a tad misrepresentative of what users should actually do (ie, assess the program themselves and chose wether to keep it or not).

I like suzi's idea of 'user choice'... just that one simple change from 'ignore' --> 'user choice' could do alot, by prompting users to actually check up on the program, rather than disreguard it.

I wonder wether that simple change would satisfy most of the people who have objected to counterspy's reccomendation to 'ignore' WhenU?]]> http://www.dslreports.com/forum/remark,13975546 Sun, 24 Jul 2005 21:32:57 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975413 suzi : Eric wrote:

quote:
Truth be told, I've never been a big fan of the "Ignore" label and have recommended changing it to something that more accurately reflects what Sunbelt is trying to do and say with that particular default action, which is:

"We've analyzed this program and assessed it as 'low risk,' so there's no dire need to remove this program if you want to keep it. You may want to remove it, however -- see the information we've provided about the program. If you want to remove it, we can do that, but you'll need to affirmatively elect to do so by changing the action to 'Remove' or 'Quarantine.'"

The trick, of course, is how to compress that "message" or "advice" into a one word label. Not easy

That's my thinking, too. IMO a better option might be to have the recommended action say something like "user choice" or just "choice" and force the user to select one of the 3 options to remove, quarantine, or ignore. If the user wants more information, they can click on the link to the research center page.
--
aka Suzi, Spyware Warrior
Microsoft MVP Windows Security 2005
Sunbelt Software Consultant]]> http://www.dslreports.com/forum/remark,13975413 Sun, 24 Jul 2005 21:16:10 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975274 eburger68 : DakAD:

You asked:

said by DakAD:

Does the 'more info' button link to this (or a very similar) page by any chance?

Yes. There's info within the scan results itself plus a link to more information like you found. See the attached screenshot for an idea of the kind of information presented in the scan results screen. (Btw, that screenshot is of a beta of CS 1.5, however, the scan results screen in the current release version 1.0.29 is very similar.)

said by DakAD:

If so, for what its worth, I think thats fine as it gives the user the info they need to make their own descision; although I suppose it could benifit from a really succinct summary at the top, and possibly a 'should you keep WhenU wizard' (as someone suggested) for the terminally computer-unsavvy, although that's crossing over from (hopefully constructive) critisism to nit-picking.

Sunbelt is presently in the process of overhauling its database, which includes not only the boilerplate descriptions of things like threat levels, but also the more detailed summaries and descriptions for individual threats. This is a time consuming process, though.

said by DakAD:

Although having said that, it would open the possibility of a third reccomendation -- 'uncertain: check link'.

Truth be told, I've never been a big fan of the "Ignore" label and have recommended changing it to something that more accurately reflects what Sunbelt is trying to do and say with that particular default action, which is:

"We've analyzed this program and assessed it as 'low risk,' so there's no dire need to remove this program if you want to keep it. You may want to remove it, however -- see the information we've provided about the program. If you want to remove it, we can do that, but you'll need to affirmatively elect to do so by changing the action to 'Remove' or 'Quarantine.'"

The trick, of course, is how to compress that "message" or "advice" into a one word label. Not easy.

said by DakAD:

this could be reserved for apps like WhenU, which are generally OK but have in the recent past been installed without the users permission, and still have trouble uninstalling/come in bundles etc. It could be used to draw to the users attention a potentially unwanted product and help the user descide wether to keep it without actually recomending wether they keep it or not, and reserving the status of 'ignoor' for apps which have almost completely cleaned up their act and are only objectable in a few very limited circumstances/are in a 'probationary' pieriod before being removed completely, etc.

I guess counterspy should probably review its current modus operandi reguarding the ignor/quarenteen recomendation, if only to avoid coming under fire like this again.

See my discussion of the "Ignore" button just above -- looks like we're thinking along the same lines.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior

]]> http://www.dslreports.com/forum/remark,13975274 Sun, 24 Jul 2005 20:59:05 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13975098 roamer_1 : Eric,

I don't question the color of your hat, and please realize that I do not consider myself enough of an authority to judge your judgements. I believe you and respect your position (which is quite articulate, I might add). I don't mean to be hot-headed or rancorous.

If criteria need be established in order to CYA in legal terms, then that obviously must be done- but as I said in my previous post, I worry that thousands of "Change of Rating" requests would have a tendency to overwhelm the resources of an Anti-Ad company and I foresee and hereby predict that logical end. It is far easier for me to believe these companies are building a "Bait and Switch" rather than to surmise they have "Seen the Light" and are now noble creatures suitable for edification as bronze busts on marble columns.

As I said in my previous post- It isn't so much whether or how you rate things that I care about, it is what you do with that rating, and therein lies the friction between "your side" and "mine". The ACTION taken by the software is where all the gripe is here.

I am a service tech (as I suppose many here are). I remember back to the days when adware was first coming out and the Anti-virus companies decided that ad trojans were somehow different than a viral trojan and declared "That is not my job" thus spawning the entire Anti-ad / anti-spy industry.

That "classification", that supposed "difference" was horror-highway to those of us that had to rip tons of nasties out by hand to get a user back to normal.

The classifications being made today make me jumpy for the same reason. I rely on Anti-v\s\a\t to prevent in the first case, or to clean things up adaquately and efficiently to keep my time down and reduce cost to my client.

Even in the midst of the greatest awareness of spyware ever, it is really not uncommon for a client to bring in a box that will not run due to 100 virus and 500 spy/ad running TSR in the machine.

I envision a time when 300 of those 500 spy\ad bots are rated to "ignore" and I have to laboriously wander down the entire list hitting the pulldown and changing the "ignore" to "remove" line by line...

Privacy issues aside, in answer to your question posed to StraightShooter, it isn't the one adware left behind that is terribly harmful to to the system, it is the aggregate. This is true of ad-sponsored and purchased softwares too. Shutting off all the TSRs in a box is already a problem. There is no sense making it worse.

So here are a couple proposals to pass on to your pals at Counterspy:
1. Give me a "Select ALL /remove" option

2. Give me a separate page in the scan results for "Ad-Sponsored" software.
Include YahooBar, AOLMess, etc. (Not picking on them, just examples).
Any on that page rated as a "Known Offender" would be automatically checked for removal.
Those not so rated would not be checked.
If a "Known Offender" cleans up his act and keeps it clean for a year delist him as a Known Offender.
Of course the user may uncheck a desired software and it will stay unchecked (until I show up).
A user may also CHECK an unchecked box and it will stay checked (which is what I will do when I show up).

This would give me the added bonus of having a handy place to rip out all the ad-sponsored annoyances currently not handled as a malware...

Bruce]]> http://www.dslreports.com/forum/remark,13975098 Sun, 24 Jul 2005 20:34:20 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13974917 anon : When i said 'WhenU', i was reffering to the downgraded WhenU apps, not savenow; but it bore pointing out.

Does the 'more info' button link to this (or a very similar) page by any chance?

»research.sunbelt-software.com/th···id=14835

If so, for what its worth, I think thats fine as it gives the user the info they need to make their own descision; although I suppose it could benifit from a really succinct summary at the top, and possibly a 'should you keep WhenU wizard' (as someone suggested) for the terminally computer-unsavvy, although that's crossing over from (hopefully constructive) critisism to nit-picking.

Although having said that, it would open the possibility of a third reccomendation -- 'uncertain: check link'.

this could be reserved for apps like WhenU, which are generally OK but have in the recent past been installed without the users permission, and still have trouble uninstalling/come in bundles etc. It could be used to draw to the users attention a potentially unwanted product and help the user descide wether to keep it without actually recomending wether they keep it or not, and reserving the status of 'ignoor' for apps which have almost completely cleaned up their act and are only objectable in a few very limited circumstances/are in a 'probationary' pieriod before being removed completely, etc.

I guess counterspy should probably review its current modus operandi reguarding the ignor/quarenteen recomendation, if only to avoid coming under fire like this again.]]> http://www.dslreports.com/forum/remark,13974917 Sun, 24 Jul 2005 20:09:35 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13974659 eburger68 :

said by DakAD:

So counterspy still will warn (even outside of a scan) if WhenU gets onto the machine, and will still find WhenU in a scan and offer the option of removing it. that seems to be quite fitting for a product which has been demonstrated to be undesireable in some cases, but fine in (most?) others.

In a word, yes. The Active Protections don't make distinctions between programs as the scan results screen does.

Also, keep in mind that WhenU's main adware program Save/SaveNow, has not been changed in teh CS database or scan results. It's only three other comparatively low risk programs (WhenUSearch, ClockSync, Weathercast) that have been reclassified, but even they will be presented to the user in the scan results screen with a default action of "Ignore."

said by DakAD:

Although having said that, id still only be perfectly happy if the user was in some way given more information in order to make the descision as to wether to ignor or not, either by a 'more info' button or, as someone else suggested, by a user-configured set of criteria for counterspy to descide wether to reccomend ignoring or quarenteening a program.

or maybe some kind of 'installation shield', which would block the installation of WhenU and pop-up a message informing the user that WhenU will deliver text adverts, and quoting relevant parts of the EULA, and asking the user if they want the instalation to proceed (thus ensuring that the user is actually knowingly installing WhenU whilst being fully aware that this will result in adverts)?

In both the scan results and the Active Protection warning box that pops up, users have the ability to get more information.

said by DakAD:

My only problem remains that some less computer-savvy users will blindly follow counterspys advice and ignor WhenU, even if (were they to understand what WhenU did) they wouldn't want it to remain on their PC*; hence my desire to see anti-slyware programs help the user in making an informed descision.

*or, i suppose, change it to 'quarenteen' on the grounds that anything detected by an anti-spyware program is evil, even if (were they to understand what WhenU does) they would willingly tolerate the adverts in return for the main program.

Again, keep in mind that the Sunbelt review of WhenU was not an across-the-board reclassification of WhenU -- the main adware program, Save/SaveNow remains classified as "Adware" with a default action of "Quarantine."

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13974659 Sun, 24 Jul 2005 19:34:54 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13974541 mers2 : Eric has acknowledged for a long time that he has been a paid consultant to Sunbelt and no one until now seemed to care. His work and test results were taken as gospel. He is speaking out on this issue as it is his work that contributed to the decision by Sunbelt to downgrade 3 of WhenU's programs. Both Eric and Daphne have done a tremendous amount of work against spyware and I for one am ashamed that some in this forum have sunk to the low of insulting them rather then sticking to the facts of the issue. I thought the Security Forum was better then this.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. ]]> http://www.dslreports.com/forum/remark,13974541 Sun, 24 Jul 2005 19:14:45 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13974484 anon :

The changes that Sunbelt announced affect only the scan results in the scan/removal engine. The "Active Protections" remain unaffected, so if one of the "downgraded" programs is detected by one of the Active Protections, they should kick in and warn the user, just as with any other program listed in the database. (If for some reason they don't in a particular case, that's because of a lack of proper data to detect a particular variant, not a decision to not detect it.)

^E Howes
--------------------------

cheers

my main concern was that the active protection for it would have been removed for some reason.

So counterspy still will warn (even outside of a scan) if WhenU gets onto the machine, and will still find WhenU in a scan and offer the option of removing it. that seems to be quite fitting for a product which has been demonstrated to be undesireable in some cases, but fine in (most?) others.

Although having said that, id still only be perfectly happy if the user was in some way given more information in order to make the descision as to wether to ignor or not, either by a 'more info' button or, as someone else suggested, by a user-configured set of criteria for counterspy to descide wether to reccomend ignoring or quarenteening a program.

or maybe some kind of 'installation shield', which would block the installation of WhenU and pop-up a message informing the user that WhenU will deliver text adverts, and quoting relevant parts of the EULA, and asking the user if they want the instalation to proceed (thus ensuring that the user is actually knowingly installing WhenU whilst being fully aware that this will result in adverts)?

My only problem remains that some less computer-savvy users will blindly follow counterspys advice and ignor WhenU, even if (were they to understand what WhenU did) they wouldn't want it to remain on their PC*; hence my desire to see anti-slyware programs help the user in making an informed descision.

*or, i suppose, change it to 'quarenteen' on the grounds that anything detected by an anti-spyware program is evil, even if (were they to understand what WhenU does) they would willingly tolerate the adverts in return for the main program.]]> http://www.dslreports.com/forum/remark,13974484 Sun, 24 Jul 2005 19:07:01 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13974357 eburger68 : TeMerc:

You wrote:

said by TeMerc:
I would not call it universalizing at all. I would call it a conclusion based on said history with regard to WhenU, that's all. And just because some people here came to different conclusions is by no means any reason to change my mind, not by any stretch, regardless of how high I hold some of you.

Except that you framed that conclusion by suggesting everyone would reach the same as you:

said by TeMerc:
There is no way anyone who reads this thread, or has read any other thread about WhenU and its actions...

Setting that aside, it seems to me that your history still ignores the past 8-9 months of verifiable improvements. Those changes have got to count for something, yet I don't seen any allowance in your assessment of "trustworthiness" that gives any consideration to the changes that have occurred and can be verified.

And by the way, I am not saying that WhenU ought to be completely trusted -- that's part of the reason the Save/SaveNow application has not been changed in the CS database and the reason that I and Sunbelt will continue monitoring WhenU's installations as best we can.

said by TeMerc:
How you can say its spiteful and vengeful makes no sense to me. I would draw the same conclusions with any company with the history that WhenU has. I would indeed say they do not need to be given any leeway in regards to trying to improve their road to legitimacy. And again, considering the history, in my mind, I think that's just.

What you see as "just" I see as spiteful and vengeful -- either way, your proposed probation period seems more oriented towards exacting "just" retribution rather than in practical considerations such as "what is the required time period to verify that this particular vendor's distribution channels have been cleaned up and will likely remain cleaned up"?

said by TeMerc:
My 'standard'(your word, not mine) would need not be carved in stone, and would need to be on a per vendor basis. And carving anything in stone with adware related vendors, is just going to have them skirt the lines which were carved in stone.

I would agree that decisions have to be made on a case by case basis, and that's exactly why I've been comparing WhenU with 180solutions, which to me require different handling based on their respective histories.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior]]> http://www.dslreports.com/forum/remark,13974357 Sun, 24 Jul 2005 18:49:35 EDT Re: Sunbelt Adjusts WhenU