Re: Sunbelt Adjusts WhenU Detections in Security

said by Mele20

I have Adobe Reader 5.0 on this XP Pro box because I won't put up with ads, calling home, any of the crap that is on the later versions. When the time comes that 5.0 is too old to use, I'll look for free software, etc. that I can use as a substitute. If there isn't any then I simply will do without PDF files. As for Opera, yes I recently downloaded it. I almost never use it and when I do (only because it can help me figure out a problem because it has more information about what is going on with the browser than other browsers) I have to constantly click no to the steady stream of adware cookies it wants to set. I allow none of them and if I use Opera anymore I will strip the ads using Proxo.
[/BQUOTE:

First of all, I really think AdWare is very different from Spyware. AdWare inserts ads into the program's (that program you use, not other programs) interface to pay for it.

In fact, for the two programs you list, you have 3 very clear and I think very fair choices. 1)don't use the software.

2)View ads in the software to pay for its development and your use of it.

3)Buy the software outright - no ads.

Especially with software like Opera or Adobe Reader, I don't see why the ads are a bad choice, or how it makes it any sort of threat. They both uninstall cleanly, and don't steal any information from you. And like TV, it makes us able to use important/useful software without paying lots of money for it.
--
Opera 8.01(Build 7642); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Sygate Pro 5.5(Build 2637);Proxomitron 4.5j Grypen 7/20/05(Opera mod),GPG ID:0x0A1C6EE3]]> http://www.dslreports.com/forum/remark,13968965 Sat, 23 Jul 2005 21:53:57 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968936 StraitShoot : Then what the hell are we all arguing about? I will not read Sunbelt's essay.. LOL]]> http://www.dslreports.com/forum/remark,13968936 Sat, 23 Jul 2005 21:47:52 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968923 fatdcuk : FUD alert:(

Sunbelt has not downgraded WhenU ala M$ recent developements with Claria aka gator.

AS stated by Mele and 2nd by StraitShoot.

Sunbelt has downgraded default action on only 3 of the many WhenU softwares(you know the innocous ones which are not malware).

Please stick to the facts and stop spreading FUD gentlemen.

Sunbelt still considers most of WhenU software to be worthy of detection/action by default other than ignore:)
But if you had read the Sunbelt whitepaper on WhenU you would realise that,RTFA.

On the other hand M$,went default action ignore across the board against claria products

That is unfortunetly fact gentlemen:(]]> http://www.dslreports.com/forum/remark,13968923 Sat, 23 Jul 2005 21:45:26 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968763 StraitShoot :

said by Mele20

:

So, it was NOT alright for MSAS to alter the default action for Gator but it IS alright for Sunbelt to do so for WhenU? That doesn't make much sense. Or were you one of those who applauded Microsoft's also? (I don't have time to go wade through that long thread to see if you posted it).

That's exactly what I was trying to say before! Thank you Mele! You hit the nail right on the head! Why should everyone condemn M$? At least they are free! Eric, keep singing that song of yours, man... :D
Seriously though, Eric, I don't want to see or read anything..or any evidence.. The bottom line is Sunbelt is just as much a fraidy cat as every other antispyware company out there... I wonder what will be next? The only thing is Counter Spy had you to post their decision on this forum hoping to "diffuse" any potential backlash.. You said yourself Sunbelt knew their action would not be looked at kindly by some.. Hmmmm? I wonder why?
I don't care if you think I have anything to contribute to this forum.. How dare you try to censor me? I don't tell you what to say...or sing...]]> http://www.dslreports.com/forum/remark,13968763 Sat, 23 Jul 2005 21:17:16 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968250 B :

said by fatdcuk

said by B

:

and that if WhenU's clock (or whatever the heck it is) didn't include any ads at all it wouldn't even be mentioned by Counterspy.

-- B

Do you realise how shredded in court they would get for targeting an innocent* application reguardless of its authors ?
*Software that dose not exibit malware traits etc

Hey, the RESAO2K6 (Roger Ebert Spyware Act of 2006) says differently.

Seriously, I've addressed that concern several times here and am tired of going in circles.

-- B

Edit: All I'd expect is that they say something like "this is from WhenU, who have been know to distribute applications that rate higher on our spyware scale", much as Ebert might write "you know, this movie was directed by George Lucas / Jan de Bont, and you might want to think twice".

--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13968250 Sat, 23 Jul 2005 19:44:57 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968242 Mele20 : I just shake my head in absolute wonder at what I read here. It is so simple. Any application that auto updates and I can't disable is spyware. Any application that is not under my control is spyware. It is that simple. Acrobat Reader 7 is spyware and I won't have it on my boxes. Windows Media Player since 6.4 is spyware. I ripped out versions 8 and 9 from XP thanks to an uninstall string provided by Microsoft to all of us who hate spyware. I use version 6.4 because I can control it and it is the last version that is totally under the control of the user.

All of those applications Eric listed are spyware.

I thought MSN toolbar would be neat because it provides tabbed browsing for IE and I can't live without tabbed browsing. So, I tried it. As soon as it started popping up some stupid message about a new version, I immediately removed it from my box. I couldn't see a way to stop that notice so I removed it. (I had already had to use ProcessGuard to block it from automatically indexing my desktop which I didn't want and it started doing that the moment it was installed. I was given no opportunity to see if I could uncheck an option. It just immediately started indexing. That is how crapware behaves). Plus, while the toolbar was not autoupdating (horrors) it was bugging me, without my permission, regarding updating. That is just as bad and that makes it spyware/crapware in my book. Microsoft made that toolbar expressly so that I, the user, could not fully control it. I don't want any crapware that I can't control on my box PERIOD even if that crapware makes IE slightly usable instead of a piece of antiquated junk.

You guys can debate these "fine" points that are irrelevant until doomsday. It is very simple. Anything that takes control away from me is spyware/crapware/adware, etc. and I want it off my box. In the case of MSN toolbar, it wouldn't uninstall. That's another hallmark of crapware. I had an awful time getting rid of it.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,13968242 Sat, 23 Jul 2005 19:43:25 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968217 fatdcuk :

said by B

:

and that if WhenU's clock (or whatever the heck it is) didn't include any ads at all it wouldn't even be mentioned by Counterspy.

-- B

Do you realise how shredded in court they would get for targeting an innocent* application reguardless of its authors ?
*Software that dose not exibit malware traits etc

Bonus payday for the scumware lords and their investors.Not good:(

said by Mele20:
If the vendors can't protect us properly because of impending lawsuits then either go offshore or shut your company immediately and then in the ensuing uproar some good may come.

I don't follow your rational thinking here.How on earth dose closing a company benefit its customers or business reputation ?]]> http://www.dslreports.com/forum/remark,13968217 Sat, 23 Jul 2005 19:38:19 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968181 antiserious :
... here's what I said about the MS/Claria incident > »Re: MS Downgrades Claria Detections - which I thought was a worse transgression since MS was in discussions at the time to acquire Claria (a little blatant self-interest there) ... and a good friend pointed out to me that as long as the detection was still there, users could still choose to remove it ... since then I've come to see that sometimes these alterations are unavoidable, and I didn't advocate that anyone stop using MSAS - I DID, however, recommend that people stop using AdAware when they REMOVED the detection for WhenU rather that modify the recommended action, and I stand by that decision ...

... don't get me wrong, I'm not HAPPY about Counterspy's decision, but based on recent events and some input from others I can understand it ... also, I now have less sympathy for the clueless who blindly click on things, whether getting them INTO their systems or getting them OUT ... it may be a failing on my part, but I never said I was perfect - not even close ...

--
... "Nobody's perfect - well, there was this one guy, but we killed Him" ... Christopher Moore, 'Lamb' ...]]> http://www.dslreports.com/forum/remark,13968181 Sat, 23 Jul 2005 19:32:49 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968164 SpannerITWks : Hi Mele n All.

Hey guess what, going offshore doesn't actually mean thousands of miles away from home etc.

I read Very recently about a ship anchored a few miles ( 4 i think ) off San Diego LA CA USA. It's staffed full of software writers from all over the world, but mainly places like India, i seem to recollect. They are coding for US companys, on behalf of US companys, as i read it.

As they are outside US juristriction nobody can touch them legally. Howsabout that !!!

Anyone got a boat for sale or hire ? It could be done you know, cos it has been. Nice lifestyle too, and only a short trip to land.

I quite fancy the idea myself, Seriously.

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks]]> http://www.dslreports.com/forum/remark,13968164 Sat, 23 Jul 2005 19:29:02 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968131 Cudni : I'd rather MS closes all the holes so the user has the ultimate choice whether to install a piece of software or not...

has the same chance as MS moving off shore?

Cudni
--
Think locally, @#!? globally!
Help yourself so God can help you]]> http://www.dslreports.com/forum/remark,13968131 Sat, 23 Jul 2005 19:23:26 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968095 Mele20 :

said by antiserious

:

but I really don't have a problem with altering default actions INSTEAD OF deleting detections altogether ... there's a quantum, fundamental difference between REMOVING detections and changing the recommended action when something is found, and if you can't or won't recognize this you're in for a long stretch of bumpy road ... IMHO ...

So, it was NOT alright for MSAS to alter the default action for Gator but it IS alright for Sunbelt to do so for WhenU? That doesn't make much sense. Or were you one of those who applauded Microsoft's also? (I don't have time to go wade through that long thread to see if you posted it).

All we are doing here is saying that NONE of the vendors should be altering default actions to ward off lawsuits. I think these vendors should all move off shore immediately including Microsoft and then we'd see an outraged yowl and some immediate action from Congress.

If the vendors can't protect us properly because of impending lawsuits then either go offshore or shut your company immediately and then in the ensuing uproar some good may come.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,13968095 Sat, 23 Jul 2005 19:15:46 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968089 B :
Okay, that's a fair position, except that I wonder whether current scales at the major AS vendors flag AT ALL on apparently-benign software from known spyware producers. My guess is that they don't, and that if WhenU's clock (or whatever the heck it is) didn't include any ads at all it wouldn't even be mentioned by Counterspy.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13968089 Sat, 23 Jul 2005 19:14:47 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13968058 antiserious :
... sorry B, I wasn't shooting at you, but your quote was handy for the point I was trying to make ...

... say a crapware vendor attempts to clean up its' act - even just a little, for appearance sake ... some people here want it blackballed forever and ever, and I mostly agree with that sentiment ... BUT, if the antispyware program does it automatically, without accounting for the possibility of reform on the crapware vendor's part, in that scenario it might be considered libelous and actionable ... if, however, the USER simply sees the adjusted detection and recommended action and CHOOSES to click on 'remove' instead of 'ignore', well then that's simply a personal choice - the antispyware vendor can say "hey, we adjusted our database reflecting their new-found religion, we can't help it if nobody else believes them" ... and they're off the hook, legally, and can continue to exist and offer a way for users to detect and remove crapware, as opposed to being court-ordered to DELETE the detection altogether ...

... that's what I was alluding to ... it seems to me some people are asking that the app do ALL the work, but that means they take ALL the risk, and when the lawsuits eventually shut them down or cause detections to be removed, the users will be left without ANY effective tools ... apparently, some people want NO responsibility for their own security, 'just gimme an app to do all the work - and all the thinking for me' ...

--
... "Nobody's perfect - well, there was this one guy, but we killed Him" ... Christopher Moore, 'Lamb' ...]]> http://www.dslreports.com/forum/remark,13968058 Sat, 23 Jul 2005 19:07:30 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967862 B :

said by antiserious

:

be WITHOUT any product with the potential to actually remove this crapware, just because they were too damn lazy and too damn proud to simply make a decision on their own ... for want of a click or two, everyone will get the shaft ... and this is what so many people are advocating ... it's a trap, a setup, and you're gonna walk right into it ...

Sorry, I don't follow you at all. Surely you're not implying that Sunbelt or anyone else is listening to me and changing their product accordingly? 'Cause they're not.

What "click or two" are you referring to? Who's walking into "a trap, a setup"?

I've said several times that effective spyware removal probably needs to be lawsuit proof, and discussed two fledgling ideas for how to make that happen. A third idea, which I would dub The Roger Ebert Spyware Act of 2006, would explictly allow companies to offer their opinions of software products. Again, I don't see movie reviewers getting sued for saying that Star Wars sucks.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13967862 Sat, 23 Jul 2005 18:39:04 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967793 antiserious :

said by B

:

In short, Counterspy (and others that merely categorize individual product behavior) may not be the product for people who want to protect themselves from all software from malware producers, in the trust and reputation-based fashion that I have described. But people WANT such a product.

... and such a product will get sued out of existence in weeks, if not days ... MS talked about buying Claria for $500 mill, Murdoch bought Intermix for $580 mill - that's serious money, spelled Big Business and Real Legal Teams ... they'll simply take the spyware definitions so many people want published, alter the product just enough to fall in the gray area (haven't we just seen this done?), and sue the pants off ANY vendor that outright calls them spyware - and likely they'll win ... so all the people that want outright, unqualified detection and removal will then be WITHOUT any product with the potential to actually remove this crapware, just because they were too damn lazy and too damn proud to simply make a decision on their own ... for want of a click or two, everyone will get the shaft ... and this is what so many people are advocating ... it's a trap, a setup, and you're gonna walk right into it ...

... unbelievable ... wait, I take that back ... sadly, it's not ...

--
... "Nobody's perfect - well, there was this one guy, but we killed Him" ... Christopher Moore, 'Lamb' ...]]> http://www.dslreports.com/forum/remark,13967793 Sat, 23 Jul 2005 18:28:42 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967723 eburger68 : B:

You wrote:

said by B

One correction: I never said that reputation and historical experience could play NO role in anti-spyware detection criteria and decion-making. I said that it can't and shouldn't play the primary, overriding, decisive, or exclusive role. And that's what the "because-it's-from-WhenU" criterion does -- make reputation the sole, overriding criterion irrespective of a specific analysis of the software.

See also my latest response to TeMerc, in which I address several thorny issues with regard to vendors' historical track records.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13967723 Sat, 23 Jul 2005 18:19:29 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967657 eburger68 : TeMerc:

Thanks for the post, which raises several important issues, and which I've been tardy in responding to.

You wrote:

said by TeMerc

:

I have been trying to read thru this thread most of the day, being interrupted by one thing or another, so forgive me if I missed this:

Has anyone addressed how long WhenU needs to continue their newly found path towards legitimacy?

Lets face it, after years of deceitful, unethical and at best, in many cases, explanations which run counter to what is provided by users across security forums all over the net, who could possibly trust them after a few installs get tested?

You raise a question that I've discussed on several occasions with other spyware researchers. It's important that we not discount past behavior and find a meaningful way to incorporate it into our analysis of advertising software vendors who appear to be reforming.

There are several considerations here:

1) How reliable and "trustworthy" is the company in making reforms?

180solutions has for years been claiming that it's cleaning up its act, yet every minor "reform" is followed by revelations of still further objectionable, even outrageous behavior, and even the "reforms" themselves look dubious once scrutinized carefully.

Contrast with WhenU, which announced that it was ending ActiveX installs back in November 2004 and has largely delivered in putting an end to them:

»www.whenu.com/press_release_04_11_10.html

Also, WhenU abandoned the use of third-party distribution networks, which have played a key role in facilitating sleazy installs and drive-by-exploit installs:

»www.clickz.com/news/article.php/3460101

180solutions, by contrast, continues to use them, notwithstanding its claim that by purchasing CDT, Inc. it could better control the distribution of its software.

2) How many sleazy installations in the installed base remain? What is to be done with them?

Even after vendors reform, we can expect that there will still be plenty of users out there who somehow acquired the software before those reforms were inplemented. There may even be plenty of victims of stealth-installs out there.

Obviously, anti-spyware companies can't ignore these potentially ill-gotten installations (of which the adware companies may still be making money). But what is to be done about them?

My understanding is that turnover rates with adware installed bases are rather high, for a lot of obvious reasons. We don't have good numbers for specific vendors, though PC Pitstop cites a figure of 70 percent with WhenU ( »www.pcpitstop.com/spycheck/whenu2.asp ), though even that number doesn't tell us, for example, what the churn rate over the period of, say, a month is. I've been told by one adware vendor that the installed base for their software installed during a particular time period degrades asymptotically, and that over a few months the churn rate could approach as high as 90 percent.

Still even that high chrun rate that leaves a potentially significant number of users that date from the pre-reform period.

So what is to be done?

One solution is to require that vendors overhaul their new software versions so that the "reformed" versions are easily distinguishable from the non-reformed versions. Anti-spyware apps could continue detecting and removing the pre-reform versions, while leaving the post-reform versions untouched.

Another proposed solution (originally from Esther Dyson) is that adware vendors push out a notice prompt of some sort to the entire installed base and re-acquire users'/victims' consent. While intriguing, this proposal suffers from a number of problems, not the least of which is the quality and implementation of such a notice -- 180solutions' recent notice effort was plagued, unsurprisingly, by a number of problems, as documented by Ben Edelman:

»www.benedelman.org/news/062805-1.html

Then there's the question of whether adware vendors with a potentially ill-gotten user base ought to be making any attempts at all to preserve that user base. Some have proposed that instead of pushing out a notice prompt via their auto-updater facilities, adware companies undergoing reform ought to simply push out uninstallers to remove their pre-reform software from users' boxes.

3) Should there be a probabation period, as TeMerc has suggested? If so, for how long and based on what factors?

Several knowledgeable folks that I've talked to have proposed such a probabation period, and the Sunbelt white paper on 180solutions that was released in March actually proposed a period of 12 months for 180solutions, conditioned on 180's actually cleaning up its act (which in the judgment of Sunbelt it hadn't).

A year long probabation may be justified in some cases, esp. where there is a long track record of force-installs through third-party distribution networks and the vendor has had demonstrated problems in reining in its distributors. A year would be the time expected to verify that distribution channels have indeed been cleaned up.

In other cases, though, a year might be excessive. WhenU, for example, announced the end of ActiveX installs 8 months ago and has apparently delivered on its promise to bring those to an end.

And what about vendors that have performed only bundled installs? Once we verify that all of its bundled installs have been cleaned up, is a full year of probabation appropriate or necessary?

Then there's the question of monitoring and enforcement. Anti-spyware companies are struggling even now just to keep up with the flood-tide of malware being released on the Net every day. Must they now devote employees and other resources to monitoring efforts to ensure compliance among adware vendors?

Still another issue related to probationary periods is the question of "user awareness." PC Pitstop has done several outstanding surveys on "user awareness" of WhenU and Claria applications, and the low levels of "user awareness" of those apps have indicated serious problems with notice and consent during installation -- see:

»www.pcpitstop.com/gator/Survey.asp
»www.pcpitstop.com/spycheck/whenu.asp
»www.pcpitstop.com/spycheck/whenu2.asp

One potentially useful idea might be to require reforming adware vendors to achieve a certain level of user awareness. But who is to administer the surveys and collect the data to measure "user awareness"? PC Pitstop is but one organization that has done but a few surveys on a very small number of adware apps. Must anti-spyware vendors take on this burden as well?

said by TeMerc

:

33 out of how many? Even those which were lowered\downgraded\adjusted still leave a bad taste in my mouth.

At one time, WhenU had about 59 different "distribution partners." Some "partners" are more active than others, though. For the purposes of Sunbelt's review, I was made privy to proprietary data that indicated that the partner-installations that I tested account for over 99% of their monthly downloads.

said by TeMerc

:

Give them a year of clean installs, show us that they have tracked down every last known affiliate who has some old installs then come back and say 'hey, how we doing?' If they expend half the amount of money doing that, that they raked in doing the unwanted, sneaky unethical installs, that would show some real guts and dedication to turning the company around to be legit.

Maybe then, the security community will give them a more friendly response.

See my comments above on probation periods. Again, you've raised some important issues here, and I certainly don't have the answers to all of them.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13967657 Sat, 23 Jul 2005 18:08:43 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967465 B :

said by Mowergun

:

It looks like I am in the minority amongst the posters in this thread, but I see nothing wrong with the actions of the folks at Sunbelt.

Neither do I! Based on their own practices and standards, they've reclassified some products. That particular ACTION isn't really my concern (and I'm not a customer).

I've been trying to speak more generally about why I'd rather see them (or someone) use a broader brush based on the realities of the current malware landscape. At least for now, there are known bad actors.

Cudni, until recently, I kind of thought he was. I still don't have any clear idea of how much of his brain is committed to Sunbelt per se and how much to the greater good. I'd like to say it doesn't really matter, but it really does.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13967465 Sat, 23 Jul 2005 17:38:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967420 B :
Perfect example now on the front page

»Sanford Wallace: Not so Reformed

You're telling me that iHateSpam (which is I think Sunbelt's product) shouldn't be able to see that an e-mail message is from a Sanford Wallace entity and block based on that reputation?

'Cause that's sure what seems to be being argued re: spyware/adware.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13967420 Sat, 23 Jul 2005 17:31:50 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967413 Cudni : Reading at these polished answers of yours and well oiled contra arguments i can not help but wish you were consulting for some independent body in charge of regulating Internet advertising. Free of commercial restraints.

Cudni
--
Think locally, @#!? globally!
Help yourself so God can help you]]> http://www.dslreports.com/forum/remark,13967413 Sat, 23 Jul 2005 17:30:50 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967408 Mowergun : It seems to me that if an anti-malware vendor were to make decisions and classify software on the basis of emotion or personal bias rather than objective criteria, they might be making themselves legally vulnerable.

If you are in it for the long haul then it's wise to behave like an adult instead of like a stubborn impulsive child.

It looks like I am in the minority amongst the posters in this thread, but I see nothing wrong with the actions of the folks at Sunbelt.]]> http://www.dslreports.com/forum/remark,13967408 Sat, 23 Jul 2005 17:30:10 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967365 Xzar : Well, All I got to say after reading the white pages, and the thread so far is. Thanks for one of the best products and support. You did make the right choice by jugeing the software rating by the software and not by the makers. I'll be sure to recommend your product even more now.

However if the choice is made to change any of the products back to the higher level. I demand that Adobe arcrobat reader, Opera, AIM, Yahoo IM, are all listed as ad-ware. Really every and any program that goes into my task bar, and or displays any kind of pop up or ad should also be classified as spy-ware. that seems what complainers want using there black and white logic.]]> http://www.dslreports.com/forum/remark,13967365 Sat, 23 Jul 2005 17:21:54 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967349 B : We are all operating from different premises, and that's part of the problem (if there is a problem).

Eric and Counterspy -- trying to both effectively identify adware/spyware criteria and carefully analyze each separate piece of software vis a vis those criteria. (Leaving out the financial incentives for now.)

StraitShoot and Others -- want the best AntiSpyware detection rate they can find, and want to trust their vendor.

Me and Others -- want to keep undesirable software and software from disreputable companies off of computers.

Casual Readers -- may assume that Counterspy has blessed all WhenU software, and/or may not understand why there are ratings classifications instead of simple malware identifications.

Claria is a hugely disreputable company. So is WhenU.

But apparently none of the mainstream antispyware vendors are "allowed" legally to provide guidance to their users based on such simple (albeit TRUE) criteria.

Supporting adware companies, even by using their ad-free "freeware", is similar to supporting RJ Reynolds by buying (or just wearing) a T-Shirt from them, or supporting Spammers by buying their products, or supporting a criminal by giving him a talk show.

You can count on this -- if the "Stoned" virus had made money for its authors, we'd have been having this SAME kind of discussion about viruses 18 years ago, because, apparently, we're suddenly not allowed to hold malicious entities responsible for their actions if those actions are making them money.

There are entities that many of us just don't WANT to support, at all, because they are known to be malicious and untrustworthy. It is completely fair to say "WhenU has performed malciously and knowingly annoying acts against millions of people, and you may not want to install their software". Unless, of course, you're afraid of getting sued for saying it.

It appears, from the current arguments, that if WhenU produces a piece of software (free or paid) that doesn't contain ads at all or exhibit other spyware symptoms, then Counterspy, Eric, and lots of other commercial interests wouldn't even flag it at all! And that's just ridiculous to some of us ignorant consumers. we want nothing to do with WhenU, and don't want to support them in any way.

While I UNDERSTAND AS companies' urge to classify levels of risk, it doesn't well serve the average users, who simply don't want bad stuff on their machines, and don't want to support spammers or phishers or malware (including spyware) producers.

In short, Counterspy (and others that merely categorize individual product behavior) may not be the product for people who want to protect themselves from all software from malware producers, in the trust and reputation-based fashion that I have described. But people WANT such a product. (I still feel personally-defined self-contained filtering has got to be an answer.)

Ah well, rambling again. :(

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13967349 Sat, 23 Jul 2005 17:19:46 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967293 eburger68 : SnowyOne:

You wrote:

said by SnowyOne

:

Eric,
This disclosure is starting to appear more as a disclosure by you rather than a "Sunbelt" disclosure.
In Sunbelt's newsletter of 07-22-05 (today as far as I can tell) I can only find a scant reference to the 'adjustment' that on it's own hardly qualifies as a disclosure of any sort.
I am only posting a portion of that newsletter even though it's requested that the newsletter be copied in it's entirety. I will post the entire contents if requested by Sunbelt.

"You might ask yourself: "Is Sunbelt also downgrading their threat
definitions to "ignore" for Claria and other adware like Microsoft
is doing in their Windows Antispyware?". The answer is NO, we ignore
Microsoft's threat scoring values. We only use their threat data
(the file names, and locations where malware is found, etc.). We
have not downgraded our Claria or other adware recommendations and
do not plan to, unless they shape up, get straight and behave like
decent Internet citizens, like WhenU recently did."

emphasis is mine, but even emphasised, I wouldn't call this disclosure by any stretch. This is the official newsletter sent to all CounterSpy" subscribers. Selectively full disclosing is not full disclosure.

As I understand it, the newsletters that came out yesterday were the "W2K News" and "WinXP Newsletter" newsletters, which are general Sunbelt newsletters that cover general topics of interest to subscribers, many of whom are enterprise customers. They are not CounterSpy-exclusive newsletters and is not presently designed to serve as a venue for breaking news about CounterSpy. There is a separate CounterSpy newsletter, but I'm not familiar with its distribution schedule.

That said, your point is a good one, and I have passed along your post to the folks at Sunbelt, who may consider adding announcements such as these to their several newsletters.

Also, as I noted in an earlier post, Sunbelt does provide a number of sources for users to get information about developments with CounterSpy:

1) CounterSpy forum (CastleCops)
»castlecops.com/f164-CounterSpy.html

2) Sunbeltblog (Alex Eckelberry)
»sunbeltblog.blogspot.com/

3) Sunbelt Research Center
»research.sunbelt-software.com/

4) Sunbelt Definitions Update Summary
»research.sunbelt-software.com/de···ions.cfm

5) Sunbelt Threat Library
»research.sunbelt-software.com/Br···rary.cfm

Edit: I was in error. One of the newsletters that went out Friday was indeed the "CounterSpy News" newsletter, not just the "Win2k News" and "WinXP News" newsletters. As I said, I have passed along the recommendation to add these kinds of announcements to Sunbelt's newsletters.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13967293 Sat, 23 Jul 2005 17:11:10 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967152 eburger68 : StraitShoot:

said by StraitShoot

:

That's okay Eric... you can sing any song you want, but i'm voting with my pocket and my downloads who I'm using..

Nice line, lousy logic. There are serious questions on the table waiting for those who are astute enough to step up to the plate and answer them with sound reasons and established evidence. Good reasons and solid evidence aren't a "game," StraitShoot, and those who provide them are not singing a "song." They're giving YOU the opportunity to offer serious, constructive input into a decision-making process.

If you're not able or willing to contribute productively, fine. But please don't pretend or imply that I, Sunbelt, or any of the others here who have defended Sunbelt's decisions haven't offered plenty of sound reasons and evidence to justify those decisions -- we have.

And please don't imply that we've stubbornly ignored you. We've also given you plenty of opportunity to offer us good reasons to think we're wrong. You haven't (in fact, you still haven't answered my question from several pages back).

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13967152 Sat, 23 Jul 2005 16:43:36 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967150 fatdcuk : For all the FUDmeisters on this discussion

Happy reading( A Bud moment,This one's for you;))

»www.vitalsecurity.org/2005/07/ra···ria.html]]> http://www.dslreports.com/forum/remark,13967150 Sat, 23 Jul 2005 16:43:16 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967047 StraitShoot : That's okay Eric... you can sing any song you want, but i'm voting with my pocket and my downloads who I'm using.. If we start letting the antispyware companies get away with this kind of action, I am afraid that will give the wrong message to the adware companies, to congress, to who ever ... Also, the simple act of having to scroll from "ignore" to "delete" only shows user tolerance to a practice like that... So, yeah, if the program was free, like adaware or M$ antispyware, I guess I could scroll down..NOT IF I HAD TO PAY FOR IT! (Thank God I didn't.....!)]]> http://www.dslreports.com/forum/remark,13967047 Sat, 23 Jul 2005 16:26:02 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13967029 eburger68 : Davebo_:

You wrote:

said by 33591094

:

Of course you can't apply the same rules to any software that has an auto-update. However, let's use some common sense please. Some of the software in your list has a "history" of shady practises - others don't. And until a company exhibits such behaviour it should be labelled safe. Has ZoneLabs ever done anything shady (privacy-wise) to warrant attention of anti-spyware software? (Making a crappy firewall doesn't count... :p )

See my response above to Jet_Set, which addresses most of the points you make here.

The important thing to recognize is that anti-spyware vendors cannot make targeting decisions primarily or exclusively on the basis of "reputation" or "oast history." As I noted earlier, there is a role for those factors, but it is a limited one, esp. when we have direct knowledge of the products themselves.

As for the case of WhenU specifically, there is no history of WhenU abusing the auto-updater included in its programs (though if you have evidence to the contrary, I would be most anxious to see it). The functionality in and of itself is worrisome, which is why it's included in the Sunbelt Listing Criteria, but general reputation can't override empirical experience with WhenU's autoupdater so as to suggest a more serious threat classification based solely on this particular program function.

said by 33591094

:

Hell - why didn't you add XP's Automatic Updates service to your list. You never know... The point I was making is that you're comparing a legit company that has the ability to do something shady, to a shady company that has the ability to do something shady. See the difference?

You persist in thinking that your own preferences and distinctions are perfectly and universally obvious to everyone. They're not, and if you'd be so kind as to peruse the other posts in this thread (esp. those regarding the "legitimacy" of various kinds of programs) you would see this.

And by the way, just so we're clear, nowhere have I claimed that I regard WhenU (generally, as a company) and ZoneLabs (generally, as a company) to be equally trustworthy or to have the same track record of performance. Here we're talking about the proper analysis of one particular program function and what weight ought to be given general reputation within that analysis.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13967029 Sat, 23 Jul 2005 16:22:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13966893 eburger68 : Jet_Set:

You wrote:

said by Jet_Set:

eric, its tough, because you are making it tough, at least in thecase of WhenU.

when the overwhelming majority of people, experts and novices alike , are asking you to reconsider your current classification of WhenU, you still choose to stick by what you think is right.

we, the potential consumers/buyers of your ANTI-spyware product, dont want you to go down this path.

First, would you please get your facts straight: Sunbelt's decision was NOT a general reclassification of WhenU. Sunbelt's decision involved a reclassification of THREE WhenU programs that were considered comparatively innocuous. The main WhenU adware program, Save!/SaveNow, has NOT been reclassified and, as Alex Eckelberry indicated very early on this thread, will not be reclassified.

Second, contrary to what you state, there is no overwhelming majority of people here (including experts) who have asked Sunbelt to reconsider its classifications. Plenty have, but if you go back and look at the posts here, you'll find plenty of others who are comfortable with the decision. Paperghost, for example, would certainly be considered an expert -- in fact, he ought to be regarded as one of the top anti-spyware researchers currently at work. Take a look at Paperghost's posts here.

Third, I have been asking the folks who have responded here to provide good reasons and solid evidence to think that the three programs that were reclassified merit a classification higher than "Low risk adware" or "Adware bundler" with a default action of "Ignore."

Not a single person has been able to come up with convincing reasons or solid evidence (with the possible exception of Mers2, but even he had no specific information on the three programs). All anyone in this thread has been able to come up with is "because it's WhenU," which even the first person who first offered this reason admitted was based on irrational prejudice.

Example: I asked earlier that if WhenUSearch were to be left on a user's hard drive, what would happen? What ills would befall the user? That's a simple straightforward question -- a basic one, really -- that the "experts" here ought to be able to answer. But no one was able (or willing) to do it.

Keith2468 went so far as to outline a detailed procedure for testing the products in question here. Who among you critics has taken up Keith's challenge? None that I know of.

I'm sorry, Jet_Set, but simply repeating the same demand ad nauseam without providing good reasons or solid evidence to back it up isn't going to be convincing in this situation.

said by Jet_Set:

and drawing comparisons between Zonealarm and AAR 7.0 with WhenU dosent help your case one bit.

Thanks for proving my point, which you obviously missed. The entire point I was making was that general comparisons between products based solely on reputation or even hear-say are useless as evaluations of products -- at least when we're in the business of debating anti-spyware detections -- because different users have different preferences and different opinions about what's "legit" and what's not "legit." In your text above, you group three programs into two groups:

1) ZoneAlarm, AAR 7.0 (legit)
2) WhenU (not legit)

You cannot assume that your own personal preferences are easily universalized. People love to believe that their own personal preferences are the "norm" or are even universally shared. They are not. That users have differing ways of grouping certain programs ought to be well evident by now just by review of the posts in this thread.

Some users might group the programs/vendors this way, now that Adobe has added advertising and an unwanted toolbar to AAR 7.0:

1) ZoneAlarm (legit)
2) WhenU, AAR 7.0 (not legit)

Take a look at the discussions in security forums like this one that erupt every time ZoneLabs makes it impossible for users to disable auto-updates in ZA Free. Some of those users would group the programs this way:

1) none (legit)
2) ZoneAlarm, WhenU, AAR 7.0 (not legit)

The ultimate point is that anti-spyware vendors can't make targeting decisions on the basis of reputation alone or even primarily on the basis of reputation. That's arbitrary, capricious, and not soundly grounded in an honest evaluation of the products themselves, their functionality, and behavior.

Let me reiterate again: I am happy to listen to soundly reasoned arguments based on good reasons and hard evidence that the three products in question (WhenUSearch, Weathercast, ClockSync) merit a classification higher than "Low risk adware" or "Adware bundler" with a default action of "Ignore." If you can come up with good evidence that we have overlooked something -- perhaps even, god forbid, an ongoing rash of stealth-installs of these products through security holes -- than I would be most happy to hear it. I haven't heard it yet, though.

When Sunbelt performs these kinds of software reviews, it strives to base them on the best knowledge and information available about the products under review. Mantras of "Because-it's-WhenU!" simply don't constitute a substantive contribution to the specific analysis of the products.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13966893 Sat, 23 Jul 2005 15:59:54 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13966628 Diazruanova :

said by antiserious

:

... frankly, I'm surprised at the reactions of some people in this thread - and not at all surprised by others ... but that's life, I suppose ...

What is surprising to me is that some of the people here that are supposedly open minded, intelligent and knowledgeable about web security and that besides, they have read the White Paper and all of Eric,s replies, still, after five pages, do not get it and insist over and over on the same stubborn and one track mind arguing, but I guess that it is because of this, that we as human race are doomed ! We have made the world the mess it is right now because of disputes and sterile arguing that derives in wars and fights.]]> http://www.dslreports.com/forum/remark,13966628 Sat, 23 Jul 2005 15:17:51 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13966510 antiserious :
... some people in this thread are getting a bit absurd - AdAware dropped detections, but MSAS and Counterspy STILL detect these things, they've simply changed the default choice ... how hard is it to change it to YOUR preference ? ... it's a simple matter of a click or two to remove things according to your own personal bias, and it probably covers their arses legally ... if you're looking for some magic app with ONE SETTING that will protect the Great Unwashed Masses AND the people with an awareness of what's actually going on, you're not gonna find it anymore - and I don't think that's the Apocalyptic Tragedy that some of you do ... I see it as Evolution In Action ... you simply cannot operate a computer safely AND without a clue any longer ... maybe that's not how it SHOULD be, but that's how it IS ... you don't need to be a fanatic, but some basic knowledge is required - as it should be ... I'd be heavily in favor of linking detections with more detailed explanations, and perhaps a 'Full-Paranoia' setting option (delete any and everything that might possibly be questionable in some parallel Universe), but I really don't have a problem with altering default actions INSTEAD OF deleting detections altogether ... there's a quantum, fundamental difference between REMOVING detections and changing the recommended action when something is found, and if you can't or won't recognize this you're in for a long stretch of bumpy road ... IMHO ...

... frankly, I'm surprised at the reactions of some people in this thread - and not at all surprised by others ... but that's life, I suppose ...

--
... "Nobody's perfect - well, there was this one guy, but we killed Him" ... Christopher Moore, 'Lamb' ...]]> http://www.dslreports.com/forum/remark,13966510 Sat, 23 Jul 2005 14:58:26 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13966036 Bobby_Peru :

said by Davebo_:

... The point I was making is that you're comparing a legit company that has the ability to do something shady, to a shady company that has the ability to do something shady. See the difference?

Thank-you for re-iterating this. I would expand it to follow the principles from known crapware entities in a Notice of "Offender Status", yep, a big red Scarlet Letter branded right on.

Legal threats? Sadly, always. Retain aggressive, top-notch council. I may be totally wrong on this, but as I and others have already mentioned, what about anti-crapware vendors using express, clear, EULA's designed to attempt protection from the crapmeisters?

The intensive, time-consuming efforts to deeply test and analyze crapware are all very welcome and much appreciated, and can serve quite a few legitimate purposes, including providing users with an accurate assessment of just what the crapware appeared to do at the time it was tested, and what that could mean to the user, but to me, one of those legitimate purposes should never have anything to do with _pleasing_ the crapmeisters in the least.

This seems part of the divergence here.

So how to handle the "novice user? A well designed "Wizard" could walk users through an initial configuration to get them to select a few basic risk and benefit questions dealing with crapware, with explanations of the risks/benefits, and handling rules for notice and clean-up. Users machines could be scanned for popular software presently proved/thought to be non-offending, and offending in the various ways known possible, and alert users to any "Exceptions" that may be required for their particular set-up.

While the above Wizard concept is simplifying this (as Eric and others have pointed out the myriad of software possibly impacted) this certainly seems to be technically, economically and novice user implementable. The aggressive legal council can weigh-in on this, along the designers who must accommodate the novice user.

No matter what we do, we need to stick together on this, though! So, just in case it got lost, another big thank-you to Eric, Suzi, CJ, and everyone else involved.
--
How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach]]> http://www.dslreports.com/forum/remark,13966036 Sat, 23 Jul 2005 13:37:54 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965981 SpannerITWks : I tried to - check the boxes - but it didn't work ! Maybe it's cos of my security settings lol .....

I have S+D, Adaware, and have run SS etc too. They Never find anything, but that's cos i've got my IE + PC locked down. I run them maybe once a week just outa curiosity.

On EVERBODY elses PC's i look at it's a completely different story. Along with Viruses + Trojans etc. So for us it might not be a problem.

The trouble is though, the peeps with All the nasties are the ones least likely to know about them, and/or Really know what to do, and how to stop it happening time n time again.

So once, well not once cos they keep forgetting and some just don't/can't get it, they are shown how to use these Apps then they can start taking care of business. But stuff still gets thru, and Yes it's their fault, but they are the ones who Really need protecting from the crapware merchants. And that means probably 99% of computer users !

So the battle goes on n on, and i don't see it getting much better any day soon.

Keep up the good work Eric + Co.

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks]]> http://www.dslreports.com/forum/remark,13965981 Sat, 23 Jul 2005 13:27:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965868 fatdcuk : More reality check for the protaganists.

The antispyware industry is on a slippery slope towards accepting legitimate adware programmes whether we like it or not.The clock is ticking on the innevitable:(

As straitshooter so wonderfully puts it in the above post.

Sorry folks bad news a comin' to town.Webroot/pest patrol will be following suit very soon if not they will be royally screwed in the courts by the adware companies.

Has no one seen the pattern emerging ?

:(]]> http://www.dslreports.com/forum/remark,13965868 Sat, 23 Jul 2005 13:11:05 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965800 StraitShoot : I honestly don't know who or what to believe in anymore.. It seems every time I let my guard down, I wind up being disapointed... What can I say? Eric, this wouldn't be a 6 page thread for nothing... I think many people have made up their mind...

Spyware installations I have uninstalled... due to misttrust..

1. McAfee Antispyare.. Terrible detection (Paid for it)
2. Spybot S&D... Weak detection ...
3. Adaware... Mistrust it now...
4. MSAntispyware- Mistrusted it but now may flip back to it because it's free...
5. CounterSpy - Mistrust it now.. Thank God I only trialed it....

I may just as well stay with Norton AV with Antispyware... LOL
I wonder how PestPatrol and Spysweeper are.. ]]> http://www.dslreports.com/forum/remark,13965800 Sat, 23 Jul 2005 12:59:28 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965726 anon :

But it does mean that the job of making distinctions becomes much tougher -- at least 
for anti-spyware vendors ...

eric, its tough, because you are making it tough, at least in thecase of WhenU.
when the overwhelming majority of people, experts and novices alike , are asking you to reconsider your current classification of WhenU, you still choose to stick by what you think is right.
we, the potential consumers/buyers of your ANTI-spyware product, dont want you to go down this path.

and drawing comparisons between Zonealarm and AAR 7.0 with WhenU dosent help your case one bit.
]]> http://www.dslreports.com/forum/remark,13965726 Sat, 23 Jul 2005 12:48:37 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965638 33591094 : Of course you can't apply the same rules to any software that has an auto-update. However, let's use some common sense please. Some of the software in your list has a "history" of shady practises - others don't. And until a company exhibits such behaviour it should be labelled safe. Has ZoneLabs ever done anything shady (privacy-wise) to warrant attention of anti-spyware software? (Making a crappy firewall doesn't count... :p )

Hell - why didn't you add XP's Automatic Updates service to your list. You never know... The point I was making is that you're comparing a legit company that has the ability to do something shady, to a shady company that has the ability to do something shady. See the difference?]]> http://www.dslreports.com/forum/remark,13965638 Sat, 23 Jul 2005 12:31:09 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965532 fatdcuk : No I think he was trying to point out that auto-update is a feature amongst some software.
My AV has it(Avast 4.6) too:)

Dose that automatically make these two examples worthy of detection/removal by a bot killer since the core software can update automatically ?]]> http://www.dslreports.com/forum/remark,13965532 Sat, 23 Jul 2005 12:14:12 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965522 eburger68 : Davebo:

You wrote:

said by 33591094

:

So you're comparing a creator of useful software to a known adware vendor??? This makes no sense at all. If ZoneLabs was a known spy/ad/malware vendor then of course your point would be valid. But they are not, are they? WhenU is, and who knows what they'll use that updater for down the road...

As a general rule, you can't decide in advance that some vendors are "OK" and others aren't and then start applying different rules to them -- that's arbitrary and capricious in the extreme.

Let's say we did start grouping vendors and applying different rules to them. You obviously think ZoneLabs ought to be in the "Legit" category and allowed to use such an auto-updater while WhenU shouldn't.

What if ZL starts using that auto-updater to drop a little ad program on your computer that pitches other ZL products in pop-ups on startup. Is ZL still on the good side of the fence?

How about if ZL drops the same ad program, only the ad program starts serving pop-ups pitching utilities from "trusted partners" of ZL. Is ZL then still on the good side of the fence?

How about if ZL drops a new module that starts displaying third-party advertising in a banner window within the ZA GUI to support the "free" use of ZA Free. Is ZL still on the good side of the fence?

Now let's expand our little vendor vetting procedure to others. Which of the following should be allowed to use an autoupdater with impunity and not be targeted for default removal by anti-spyware apps:

[ ] Yahoo Toolbar
[ ] MSN Toolbar
[ ] Accoona Toolbar
[ ] Hotbar
[ ] WhenUSearch
[ ] ChildSafeNetwork Toolbar
[ ] Adobe Acrobat Reader 7.0
[ ] Download Accelerator Plus
[ ] Real Player
[ ] Windows Media Player
[ ] AOL Instant Messenger
[ ] Weatherbug
(Check all that apply)

Now that you've checked all the boxes that you think are applicable, are you 100 percent sure that every single one of your decisions comports in every case with every other user of an anti-spyware app and that other users won't start screaming bloody murder once those anti-spyware apps start targeting the apps you personally think ought to be targeted for using an auto-updater that allows the user no control? Are you really, really sure?

The point that I've been attempting to make for some time now is that the software that many folks regard as "spyware" shares a lot of functionality with software considered "legitimate." That doesn't mean we can't distinguish between the two -- we must.

But it does mean that the job of making distinctions becomes much tougher -- at least for anti-spyware vendors who have to accommodate users with competing, incompatible expectations for what ought to be targeted and what shouldn't, as I discussed in an earlier post.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13965522 Sat, 23 Jul 2005 12:12:20 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13965349 33591094 :

said by eburger68

:

Sheiny:

Given as much, the auto-update mechanism is enough to justify a listing of at least "Low risk," but not enough to justify a "Moderate risk." If you think otherwise, I'll be interested to hear your thoughts the next time ZoneLabs thinks the ZA Free auto-update mechanism ought not be turned off by users.

So you're comparing a creator of useful software to a known adware vendor??? This makes no sense at all. If ZoneLabs was a known spy/ad/malware vendor then of course your point would be valid. But they are not, are they? WhenU is, and who knows what they'll use that updater for down the road...

That said, thanks for all your work Eric et al. I appreciate your coming here to let us know about this, because as others have said, this is more YOU letting us know what's up, rather than a disclosure by Sunbelt (that blog entry can't be classed as disclosure! lol)]]> http://www.dslreports.com/forum/remark,13965349 Sat, 23 Jul 2005 11:42:09 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13964914 Mele20 : You wouldn't? I sure would! I think that is an excellent suggestion for CS. Move offshore. Nithing of consequence is in this nation now anyway so if that would stop these assholes from trying to sue CS and thus forcing CS to water down their product then I say more power to them..move offshore! That would be a smart thing to do. As long as the federal government continues to bite its nails instead of going after these buggars, I say drastic measures are needed. Such action just might be the cattle prod necessary to get our legislators to do something worthwhile about spyware.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,13964914 Sat, 23 Jul 2005 10:21:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13964660 Marilla :

said by SpannerITWks

:

Well it'd be interesting to see what the scumware etc merchants could do if one or more of the removal Apps peeps went offshore etc, just like some of the scammers do !!

Spanner

I sure as heck won't buy -anything- from a company that moves 'offshore' to protect itself from legal remedies, no matter what they are selling. Nor would I even use a FREE product from a company that did such a thing.
--
I am the sole arbiter of what is important enough to spend my time on - not anyone else here, or anywhere else. You take care of yourself, and leave me to me, got it?]]> http://www.dslreports.com/forum/remark,13964660 Sat, 23 Jul 2005 09:19:12 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13964408 SpannerITWks : Well it'd be interesting to see what the scumware etc merchants could do if one or more of the removal Apps peeps went offshore etc, just like some of the scammers do !!

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks]]> http://www.dslreports.com/forum/remark,13964408 Sat, 23 Jul 2005 07:41:37 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13964377 fatdcuk : With the amount of VC pouring into Adware its not a case of "what if" its a case of "when they".

Two schools of ideology appear now.
1)Do you run scared of legal action by dropping detections or
2)Make sure your as prepped as possible to win a legal battle by demonstrating a solid case for classification/detection and possible removal of a software.]]> http://www.dslreports.com/forum/remark,13964377 Sat, 23 Jul 2005 07:21:27 EDT Re: Disproving by counter-example http://www.dslreports.com/forum/remark,13964367 Mele20 :

said by jimkyle

said by Mele20

:

Anything with ads is spyware. It is so simple. You are making it way too difficult.

I trust, then, that you refuse to use Google, since its search pages always have some ads...

I don't see ads at Google. Although I did see a couple of sponsored links at the top of a search result (not those on the right side...I NEVER see any of those) for CounterSpy. I just saw two day before yesterday and I was pissed. I went right over to the Proxo forums at Castlecops and complained. I have been having problems with Proxo recently and those ads ordinarly are not there. I still see none in the usual right column on Google unless I bypass Proxo and make a direct connection to Google. But I don't even want to see the two sponsored links at the top on a CounterSpy search. Plus, I saw a book link! That was really stupid.

The reason I was seeing the ads evidently has to do with my turning off the special filters for Google. I don't like those although a lot of Proxo users do. Evidently somehow the sponsored links at top are connected to the style sheet and since I turned off the three style sheets we Grypen Proxo users can choose from that's why those links were there. If I used one of those style sheets those would be GONE.

I VERY RARELY see ANY ads anywhere on the internet. I haven't seen any ads in many years. I got Ad/subtract when it was in beta years ago and when it finally went to paid only (no more free version) I moved to its parent the Proxomitron which blocks ads and does a zillion other things too to rewrite the web the way users want it to be. If I do see an ad, then a filter is written for it. I don't see that stupid, Fx ad here and I love Fx but this site shouldn't advertise it. I did see the ad until I got someone to write a filter for it.

Although what ads at Google have to do with Adware I don't know. When I said "anything with ads is spyware" I was speaking about any product that has ads and is offered to users bundled with ads is spyware. Google is a search engine . You don't download it onto your box. It is not an application.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,13964367 Sat, 23 Jul 2005 07:17:05 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13964324 Martinus :

said by fatdcuk

:

When did you last hear of a virus writer sueing an AV vendor for targeting/removing his /her creation ?

Reality check needed.

Check!

So this is definitely the parameter used in "detection adjustments". The "what if they sue" thing.
--
From the GSV "Ethics Gradient"]]> http://www.dslreports.com/forum/remark,13964324 Sat, 23 Jul 2005 06:54:12 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13964263 fatdcuk : Time to dispel FUD being created by certain postee's on this discussion:(

Sunbelt Counterspy is still detecting all WhenU products,default action is based on the individual software characteristic's and not set to ignore by default across all WhenU products!

A Duck is still a Duck:D

Read the PDF on Sunbelt review of WhenU softwares.

This is reality:(

If a software is'nt spyware/adware you cannot label it as such reguardless of the Authors past malpractices&other software.

This will result in an expensive vist to the law courts and almost certainly damages being awarded to the software authors(more profits for the puke:().

Sunbelt still detect all branded components and still point out the dubious ones.They no longer target the less dubious softwares for removal.

This is more defendable in a court of law,which is where the malware battle is heading:(

For all the postee's that keep trying to link the treatment of virus's to the treatment of adware/spyware etc

One question-

When did you last hear of a virus writer sueing an AV vendor for targeting/removing his /her creation ?

Reality check needed.]]> http://www.dslreports.com/forum/remark,13964263 Sat, 23 Jul 2005 06:18:08 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963973 hpguru :

said by DakAD:

My one sujjestion -- and I appologise if this is already the case, but I havent seen it refered to in this thread -- is that sunbelt should possibly give more information to the user as to what circumstances may warrant disreguarding sunbelts reccomendation of 'ignoor'.

A better move I think would be to not offer any recommendation at all. Show the user what was detected by the ad/spyware scan and ask the user what course of action should be taken out of set of options with no default option pre-selected. The AS app would still detect the ad/spyware and still offer a real-world risk assessment but it would place the decision to remove, quarantine or ignore squarely in the hands of the end-user where it belongs. It would also save the AS vendor from the bad PR that can result from offering controversial recommendations. I also think it would result in more ad and spyware being removed than would result from a mere ignore recommendation so the ad/spyware PUSHERS will no doubt disapprove, but they can ki... - well never mind. :D

A link to more info as "DakAD" mentioned is a good idea too so long as it is based in the real world and includes a short summary of the companys history and reputation.

Of course there will always be users who need hand-holding every step of the way who may need a recommendation in order to make a decision. For them you could offer a "recommendation wizard" which asks a few short questions and offers a recommendation based upon the answers. Questions like

"Did you know this software was on your computer?"
"Did you or a family member install it?"
"Have you tried to uninstall it and failed?"
"Does it meet a particular computing need?"
"Does its presence cause any software conflicts?"

and so on.
--
Get hpHOSTS! Member ASAP
Downing St. memo: BUSH LIED, YOUR SON DIED.
REMEMBER 1776! NEVER FORGET!]]> http://www.dslreports.com/forum/remark,13963973 Sat, 23 Jul 2005 03:05:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963875 TeMerc : I have been trying to read thru this thread most of the day, being interrupted by one thing or another, so forgive me if I missed this:

Has anyone addressed how long WhenU needs to continue their newly found path towards legitimacy?

Lets face it, after years of deceitful, unethical and at best, in many cases, explanations which run counter to what is provided by users across security forums all over the net, who could possibly trust them after a few installs get tested?

33 out of how many? Even those which were lowered\downgraded\adjusted still leave a bad taste in my mouth.

I'm with many here in that if it says its from WhenU, I want it off my machine, and suggest to any users I help in security forums to do the same, regardless of whether its doing anything. They just cannot be trusted as far as I'm concerned.

Give them a year of clean installs, show us that they have tracked down every last known affiliate who has some old installs then come back and say 'hey, how we doing?' If they expend half the amount of money doing that, that they raked in doing the unwanted, sneaky unethical installs, that would show some real guts and dedication to turning the company around to be legit.

Maybe then, the security community will give them a more friendly response.

I do however appreciate that Sunbelt breaks the news as to what's being done with their database, this gives everyone a chance to see what they want to do with regards to the related bit of ad\mal\spy\grey\x(fill your own)-ware.

As usual, great work by the likes of Eric and Suzi.]]> http://www.dslreports.com/forum/remark,13963875 Sat, 23 Jul 2005 02:34:36 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963780 eburger68 : DakAD:

Thanks for your post, which is not only most welcome but quite useful. In fact, you've essentially started to answer the questions that I raised in the post I put up just after yours.

Don't have time to address all your ideas quite yet, but they are intriguing and worth consideration.

Best regards,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13963780 Sat, 23 Jul 2005 02:03:50 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963768 eburger68 : Aryan66:

You wrote:

said by Shriyash

:

you asked if i think Adobe Reader should be classified as "spyware/Adware".....{yes there is a fine line between the two, but you cant expect millions around the world to really care , adware-companies = spyware-companiers = MUST DELETE AT ANY COST.}

my answer is: of course not!
why : because its my pdf file reader, i like it, and Adobe Acrobat has never been insuinuated as being a spyware-company, or a adware-company, by anyone, ever!

as for WhenU?
yes, delete absolutely anything {bundlers, what-have-you} from them
.
why? Because, its WhenU.

and that sums it up, for me and millions of people around the world, whose occupation isint computer-forensics related.

{people ARE emotional creatures, and anything to do with "adware'spyware" does bring up their defenses. its really a Zero_Tolerence policy, without a doubt.}

There are several problems here:

1) You, like so many, people are getting hung up on labels and names ("spyware") instead of looking at specific practices and functionality, which is the critical consideration in all cases. To some extent, that's understandable, esp. if haven't investigated applications in detail. It's dead end, though, for anti-spyware vendors. Let me explain.

When I ask about an application like Adobe Acrobat Reader 7.0, I want to know about your specific reaction to the behavior of the program, not your perception of what other people are saying about it or how they're labeling it. To do otherwise would leave me and Sunbelt chasing our own tails.

How do applications acquire the reputation of spyware or adware? By hosing people's computers, obviously, but also because anti-spyware apps happen to target and label them as such.

If a significant number of anti-spyware apps were to suddenly start targeting AAR 7.0, would you change your opinion? (Hint: the answer ought to be "no," based on your own independent experience with the application.)

So what should Sunbelt do? Not target the application because users haven't attached the label "spyware" to it, even knowing that were anti-spyware vendors to target it, users might start regarding it as "spyware"?

Do you see the problem with labels and why Sunbelt relies on detailed analyses of specific practices and functionality and not reputation-driven labels?

Vague labels have only a few real uses:

* To facilitate informal discussion and news reporting;

* To give advertising software vendors something to complain about.

Beyond that, labels are useless wastes of time.

2) Your reaction to my question does highlight a point I was making earlier about users and their differing reactions to certain types of software. You clearly think AAR 7.0 ought not be classified as "adware" or targeted by anti-spyware apps. I also take it (correct me if I'm wrong) that you would be a bit disconcerted if anti-spyware apps suddenly started targeting it for removal. Other users, I can assure you, wouldn't be nearly so charitable -- they'd freak out and cause all kinds of trouble for both Adobe as well as the anti-spyware vendors.

Yet here in this very thread we've had other users suggest that detection criteria ought to be black-and-white, inflexible, and unforgiving. More to the point, some users have even suggested, as Mele20 did earlier, that all apps that serve ads ought to be targeted with no exceptions:

said by Mele20:
The distinction that weatherbug, or something like it, "only" has ads contained in weatherbug and thus is not hurtful is spurious. They are ads! Therefore, weatherbug is adware and should be removed by default if I run CS. Anything that puts ANY sort of ads on my box, calls home in any fashion, sets permanent cookies on my box, is adware and I want it removed. I'm very unlikely to ever get adware on this box but if I did, I want it treated just like a virus is treated...no if, ands, buts...it is immediately removed by default. I have no interest in ever running any application that places ads on my box and/or spies on me. I think that is how most feel.

By the way, I've used AAR 7.0 as an example, but I could have used others: DAP, GoZilla, Weatherbug, Yahoo Toolbar, Real Player -- the list is a long one. What all of these applications have in common is that some users find them useful and like them, just as you do with AAR 7.0. They tend to get very upset when anti-spyware apps target them for detection and removal. (I've seen users get seriously angry when you tell them there might be a problem with FunWeb's/SmileyCentral's softare.)

By turns, anti-spyware vendors also have to deal with customers like Mele20 who are rather unforgiving and single-minded when they look at these kinds of applications.

So how would you suggest anti-spyware vendors like Sunbelt handle this situation? How should it handle these two groups of users with wildly different, even passionate, demands and expectations? If they target apps like AAR 7.0 and Weatherbug, they'll satisfy users like Mele20 but freak out other users. If they don't target these kinds of applications, they'll satisfy fans of those apps but piss off users like Mele20.

By the way, this same conundrum applies to the debate over whether anti-spyware applications ought to detect and remove cookies. (In fact, in the earlier "Informal Adware Risk Survey" thread that I started here at DSLR, I was more interested in how respondents would classify cookies than anything else.)

When anti-spyware applications start handling cookies differently or even drop them, you're likely to see serious outbreaks of cookie hysteria, with users loudly demanding that cookie detection be added back in and talking darkly of "betrayal" and "sellout." The mood can get real ugly, real fast.

But detecting and removing cookies also puts anti-spyware vendors in a very difficult position with other users, who see cookie detections as attempts by anti-spyware vendors to engage in "scare-mongering" to drum up sales from gullible users. These folks talk darkly of "fraud," "rip-offs," and "deception." They also begin emailing me to demand that I add such anti-spyware apps to the Rogue/Suspect Anti-Spwyare list. And, no, I'm not kidding -- see here for but one example:

»spywarewarrior.com/viewtopic.php?t=14963

said by bigbruva:
I have recommend TrendMicro in the past but the new online "Security Scan" for spyware that HouseCall does left me questioning their integrity.

I ran the security scan on a test system that I know is clean, after a short scan (less than 1 min) I was informed of "36 spyware programs detected"!
Looking at the report every "program" was in fact a cookie!

They where marked as "Low risk" with a default setting of "Pass" so it does not remove them unless the action is changed but at the end of the wizard I was left with a Page entitled "Danger! Potential threats detected!" in large red letters.

I know the debate on whether "cookies" are spyware but that is not the point here. They are reporting cookies as "spyware programs" which they are not! To me this is scaremongering and I think TrendMicro have over stepped the mark. This type of behavior borders on "Rogue Anti-Spyware" IMO

Has anyone else seen problems with this service?

Again, what would you suggest anti-spyware vendors do to accommodate both sets of users?

Folks, it's easy to sit here in a security forum and bitch loudly that anti-spyware vendors aren't conforming to your personal preferences, but anti-spyware vendors face real dilemmas with certain kinds of applications that even users themselves are divided over. And it simply won't do to insist that if anti-spyware vendors don't satisfy you and you alone, that they must have "sold out" or "gone over to the dark side," because there are going to be plenty of other users taking the opposite position. And once the anti-spyware vendors satisfy your peculiar whims, those other users will be screaming about "fraud," "scaremongering," and "stepping over the line," as well as threatening to file complaints with the FTC.

So what will it be folks?

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13963768 Sat, 23 Jul 2005 02:01:21 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963507 anon : PHEW! what alot of reading!

Well, first off my complements to sunbelt for being open about their descisione.

As I see it, there are a few circumstances (based on the white paper) in which the recently downgraded WhenU software could be objectionable to users:

#When it is installed in a bundle

#If the WhenU was installed prior to WhenU's recent reformation

#If they are having uninstalation problems ("must uninstal savenow before uninstalling savenow" made me laugh :D)

#If it was one of the instanses of poor disclosure on instalation

So, sunbelt still detects and offers the option of uninstallation for WhenU products, but reccomends ignoring them, thus offering the option of removal in the above cases but ignoring them in others.

On the one hand, this seems good to me -- after all, its no use critisising these software wrighters for being naughty, and then still critisising them when they start to behave themselfs; they need an insentive to reform.

On the other hand, unknowledgeble users, I would assume, have a tendancy to trust an anti-malware programs reccomendations, and so might, I suppose, ignore WhenUs products even if they don't want them on their system, maybe trusting sunbelts recomendation over their own suspicions that WhenU is responcible for the adverts they are getting.

My one sujjestion -- and I appologise if this is already the case, but I havent seen it refered to in this thread -- is that sunbelt should possibly give more information to the user as to what circumstances may warrant disreguarding sunbelts reccomendation of 'ignoor'.

for example:

-----------------

Scan results:
WhenU -- low risk adware -- [ignoor] -- more info

-----------------

and clicking 'more info' could bring up a box like this:

-----------------

"WhenU delivers text-based adverts to you*. Untill recently, sunbelts reccomendation was to remove WhenU. WhenU has made some progress towards reformation, and -- in the majority of cases -- is no longer objectionable, hence the 'ignor' reccomendation. In many cases, you will have installed it as a kind of 'payment' for another program such as BearShare.

However, there are some cases where you may wish to remove it. These include:

#if you did not knowingly install it

#if you no longer wish to use the program but are having problems uninstalling it

if so, simply change 'ignor' to 'quaranteen'.

--------------
*(possibly with a few screenshots to help the user recognise the product, so that they can tell if its the program that they wish to get rid of)

Thusly:

1)keeping their clasifications consistant and recognising WhenU's reformation

2)giving the user a choice of removing WhenU

3)helping to make that choice an informed one, and so

4)limiting the chance that they would blindly trust sunbelt and keep a program that they do not whish to keep.

also, maybe some kind of feed-back system could be used, so that the level of WhenU refusals to uninstall/failures to disclose etc could be monitored.

Just my 2c

DakAD]]> http://www.dslreports.com/forum/remark,13963507 Sat, 23 Jul 2005 01:07:50 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963481 Shriyash : hi eburger68, yes i am nitpicking, and it is out of spite, but spite directed towards WhenU and the like.

i have great respect for esteemed researchers like yourself, and Daphne, you have done a lot to educate me on all things spyware related.
i probably sounded cheeky, but i didnt mean any disrespect toward Daphne or yourself, the good guys!(so sorry daphne :)

you asked if i think Adobe Reader should be classified as "spyware/Adware".....{yes there is a fine line between the two, but you cant expect millions around the world to really care , adware-companies = spyware-companiers = MUST DELETE AT ANY COST.}

my answer is: of course not!
why : because its my pdf file reader, i like it, and Adobe Acrobat has never been insuinuated as being a spyware-company, or a adware-company, by anyone, ever!

as for WhenU?
yes, delete absolutely anything {bundlers, what-have-you} from them
.
why? Because, its WhenU.

and that sums it up, for me and millions of people around the world, whose occupation isint computer-forensics related.

{people ARE emotional creatures, and anything to do with "adware'spyware" does bring up their defenses. its really a Zero_Tolerence policy, without a doubt.}]]> http://www.dslreports.com/forum/remark,13963481 Sat, 23 Jul 2005 01:03:04 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963322 eburger68 : Aryan66:

said by Shriyash

:

daphne:

then why call it "Low-risk Adware" ?
you have made it very clear, that you dont think it is of any risk whatsoever. or certainly not worth paying any attention to.
i suggest you do the right thing daphne, call it "Potentially No-risk Adware"
especially since you are comparing it with Adobe Reader!

This is truly petty. At this point you're nitpicking sheerly out of spite. Changing the label for the category wouldn't change the threat level ("Low risk"), because the threat assigned threat level is driven by an analysis of specific practices (see the Sunbelt Listing criteria), not labels that can be, at times, an uncomfortable fit.

said by Shriyash

:

{btw, is Adobe reader also classified as "Low Risk Adware too?)

At the present time it isn't because Sunbelt has yet to analyze it. At present Sunbelt's researchers are more focused on keeping up with the explosion of CWS and Aurora variants, which seems to me a better use of their time.

The more interesting question, though, is do YOU think it ought to be listed and targeted? I would truly be interested in hearing your opinion on this.

said by Shriyash

:

{oh, it contacts WhenU's servers? 3 times? im sure its no big deal, so what if it does ?
WhenU folks are really reliable, im sure those successful attempts at contacting them mean nothing. why? just look at their clean track record!)

See my response to Sheiny. Several people have analyzed packet logs of WhenU's data traffic, and none have found evidence of anything untoward or seriously (note the qualification, please) out of line with the claims made in WhenU's Privacy Policies.

If you have evidence to the contrary, let's see it. If you don't, could I kindly request that you spare us the snarky insinuations, which are baseless and useless.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13963322 Sat, 23 Jul 2005 00:42:05 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963223 eburger68 : Sheiny:

Thanks for giving the white paper a read.

You asked:

said by sheiny

:

This is where I would start. (from pg. 9 of your report)

WhenU's software does employ an auto-update mechanism over which users have no control,however, allowing WhenU to arbitrarily install new software

This requires a high degree of trust on the user's behalf. What has WhenU done to deserve this trust? My AV gives me a chance to opt out, as do my OS and AS. Why doesn't WhenU?

Yes, the auto-update mechanism is a concern -- that's why it's discussed in the white paper, and that's why it's included in the Sunbelt Listing Criteria:

»research.sunbelt-software.com/li···eria.cfm

See the "System Reconfiguration" section.

The auto-update mechanism is just one of the reasons why WhenU's software, including the new "Low risk" detections, are still included in Sunbelt's database.

The question becomes, is such an auto-update mechanism in and of itself a serious enough risk to justify a something other than "Low risk," especially when there's been no evidence in all the years WhenU's been around that it's been deliberately abused by WhenU. Sunbelt does have criteria to handle software that uses an auto-update mechanism to install other unwanted software. WhenU's software doesn't trip those other criteria because there's no evidence that it's been used for such purposes.

Given as much, the auto-update mechanism is enough to justify a listing of at least "Low risk," but not enough to justify a "Moderate risk." If you think otherwise, I'll be interested to hear your thoughts the next time ZoneLabs thinks the ZA Free auto-update mechanism ought not be turned off by users.

said by sheiny

:

From,
"Data Collection, Transmission, & Sharing"
You state:

2. Data regarding users' surfing habit is transmitted to WhenU only in certain,limited contexts (for example, to identify the web page users were visiting when
they clicked on an ad) and is not tied to a personally identifiable profile or used to
build a profile history of their surfing habits.

How did you verify this? Do you have access to WhenU's database?

I had no direct access to WhenU's database, so I had to base my analysis on several sources:

1) Ben Edelman's several write-ups on WhenU, which include packet log excerpts.

»www.benedelman.org/

2) WhenU's own privacy policies:

»www.whenu.com/pc_product_policies.html

3) Esther Dyson's extensive write-up of WhenU in her Release 1.0 April newsletter (not available online except for purchase or subscription).

»release1.edventure.com/index.cfm

4) Andrew Clover's write-up of Save:

»www.doxdesk.com/parasite/SaveNow.html

5) A WhenU-commissioned privacy-audit:

»whenu.com/pc_role_audit.html

Several of the sources are of questionable quality, to be sure, but their conclusions generally agree with what we know from other sources.

Two other points:

1) Even if you regard the above sources as insufficient to support the claim of limited data collection, transmission, and use, there are no sources that I know of that prove that WhenU has done anything beyond what was claimed. Lacking such evidence, there are no solid grounds to establish that WhenU's ad software trips any of Sunbelt's more serious listing criteria. You can't base detections and classifications on non-existent evidence.

2) The data collection/transmission done to support WhenU's contextual advertising does not apply to ClockSync, which doesn't display ads itself.

Still later you write:

said by sheiny

:

Re: Sunbelt Adjusts WhenU Detections

Everyone should read Mr. Burger's report. They shold also read,
"WhenU Violates Own Privacy Policy"
»www.benedelman.org/spyware/whenu-privacy/

Ben Edelman's piece is an excellent one and addresses an erroneous claim in WhenU's Save/SaveNow privacy policy. Several points:

1) This issue is fully addressed in the Sunbelt write-up and was incorporated into Sunbelt's conclusions.

2) The erroneous privacy policy has been replaced with the updated/corrected privacy policy in most installations. I know, because I specifically checked in each of the 33 installations that I tested.

3) Ben's write-up concerns WhenU's Save/SaveNow advertising application, which HAS NOT BEEN CHANGED IN SUNBELT'S DATABASE. In other words, the application in question remains classified as "Moderate Risk" with a Recommended Action of "Quarantine."

said by sheiny

:

and,
"Eighty-Seven Percent of WhenU
Users Are Unaware They Are Using It"
»www.pcpitstop.com/spycheck/whenu.asp

and,
"WhenU Awareness, One Year Later"
»www.pcpitstop.com/spycheck/whenu2.aspp

Several points:

1) As with Ben's write-ups, these PC Pitstop surveys are also discussed in the Sunbelt write-up and they played a role in Sunbelt's conclusions and decisions.

2) PC Pitstop's first write-up is pre-Nov. 2004, when WhenU began ending its ActiveX installations. ActiveX installs are notoriously bad environments for good notice and disclosure, and that's exactly why Sunbelt frowns on them.

3) PC Pitstop's followup one year later pre-dates the large scale introduction of new notice screens, and their data don't reflect these newer installations with significantly improved notice, as PC Pitstop itself notes. PC Pitstop plans to do a followup survey, and I look forward to seeing it.

These are good questions, but they still don't provide me with any reason to think that WhenUSearch, ClockSync, or Weathercast are improperply classified as "Low risk adware." To convince me, you're going to have to do your own independent testing and analysis of those three applications, and that testing and analysis will have suggest serious ommissions or analytical problems in the Sunbelt write-up.

Regards,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13963223 Sat, 23 Jul 2005 00:29:45 EDT Re: Disproving by counter-example http://www.dslreports.com/forum/remark,13963054 jimkyle :

said by Mele20

:

Anything with ads is spyware. It is so simple. You are making it way too difficult.

I trust, then, that you refuse to use Google, since its search pages always have some ads...]]> http://www.dslreports.com/forum/remark,13963054 Sat, 23 Jul 2005 00:03:43 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13963049 norwegian : eric, daphne and alex and everyone else

if it wasnt for an article shown to me ABOUT erics work, i might never have known about this site, or half of the security issues i since put into practice, eric howes, has to be commended for what he does, as does daphne and alex for their contributions, as do alot of the people who spend lots of time here free, just to learn more and help more,

BUT,

we all know one wrong turn can affect the outcome, no threats in my first post nor none know, but was it wise coming forth with this news, as hackers get better and spyware programs back off on detection ratings, and so soon after MSAS, microsoft, etc have lowered their ratings,im not sure,
but for the balls out approach of sunbelts approach, the general consensus was yippee counterspy,i think this site gave more than enuff praise
now we find other software companies bringing antispy programs out, i just hope the damage hasnt been done,

it must have been a hard discussion behind closed doors on this, i just hope counterspy recovers,

what is next

good luck to all on their projects, may they stand tall and proud ]]> http://www.dslreports.com/forum/remark,13963049 Sat, 23 Jul 2005 00:03:10 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13962885 eburger68 : Anonymous:

You wrote:

said by Anonymous

:

Also you quoted part of my post (I stated that was IMHO and no I'm not a moderator).

Please. Most of your post was devoted to telling various people that they ought not be posting. That's not only inappropriate, it's rude.

If you don't have the evidence to suggest that what people have argued is wrong, fine. But don't tell them to be quiet just because it makes you uncomfortable.

said by Anonymous

:

Just be careful and don't let your reputation go down the drain together with Sunbelt' reputation.

The only thing I can do and have ever done here, at Spyware Warrior, or my own web site is to investigate carefully, reflect deeply, and call them as I see them. I haven't done anything differently here, and if my conclusions upset some people, then so be it.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13962885 Fri, 22 Jul 2005 23:40:52 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13962611 sheiny : Everyone should read Mr. Howes' report. They shold also read,
"WhenU Violates Own Privacy Policy"
»www.benedelman.org/spyware/whenu-privacy/

and,
"Eighty-Seven Percent of WhenU
Users Are Unaware They Are Using It"
»www.pcpitstop.com/spycheck/whenu.asp

and,
"WhenU Awareness, One Year Later"
»www.pcpitstop.com/spycheck/whenu2.asp]]> http://www.dslreports.com/forum/remark,13962611 Fri, 22 Jul 2005 23:00:18 EDT Re: Disproving by counter-example http://www.dslreports.com/forum/remark,13962549 B :

said by Mele20

:

Anything that installs ads on my computer is ADWARE and I want it gone immediately. It doesn't matter one whit if it is software supported by ads. It's ADWARE/SPYWARE and I want it GONE.

And my even more primitive corollary was that if it's from a known spyware producer (like WhenU or Claria/Gator) then I want it GONE too, regardless of the merits of the individual program in question. This may, or may not, fall into the moral, legal, or technical grounds of how a particular antispyware application defines itself. It is, however, the kind of unilateral control I seek on my own computer. If no commercial enterprises are willing to give people like me that kind of control, we will eventually find other means.

Here's an analogy. I don't like smoking or cigarette manufacturers. They approach corporate "evil". I therefore would not wish to knowingly purchase a T-Shirt from them, no matter how innocuous, or even beneficial, that T-Shirt might be to me. There's no need to evaluate on its own merits each T-Shirt or other product from the bad company. (Yes, I'm well aware of how the cigarette makers are all also in the food business, and yes it drives me crazy.) If a Sunbelt Antitobacco Scanner could tell me which products emanated from these malware (literally) producers, I'd want to use it.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13962549 Fri, 22 Jul 2005 22:54:34 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13962486 Shriyash : daphne:

then why call it "Low-risk Adware" ?
you have made it very clear, that you dont think it is of any risk whatsoever. or certainly not worth paying any attention to.
i suggest you do the right thing daphne, call it "Potentially No-risk Adware"
especially since you are comparing it with Adobe Reader!{btw, is Adobe reader also classified as "Low Risk Adware too?)

{oh, it contacts WhenU's servers? 3 times? im sure its no big deal, so what if it does ?
WhenU folks are really reliable, im sure those successful attempts at contacting them mean nothing. why? just look at their clean track record!)]]> http://www.dslreports.com/forum/remark,13962486 Fri, 22 Jul 2005 22:47:28 EDT Re: Disproving by counter-example http://www.dslreports.com/forum/remark,13962436 Mele20 : No,you have it all wrong. There is NO need to do testing like that. Anything that installs ads on my computer is ADWARE and I want it gone immediately. It doesn't matter one whit if it is software supported by ads. It's ADWARE/SPYWARE and I want it GONE. I expect my anti-adware/spyware software to, if running in real time, block my downloading this crap in the first place. But if the antispyware application is not being run in real time then, if somehow I was dumb enough to put this stuff that has ads to support it on my box, I want it gone. I wouldn't trust add/remove programs to remove it all. It's spyware. Anything with ads is spyware. It is so simple. You are making it way too difficult.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,13962436 Fri, 22 Jul 2005 22:42:17 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13962401 sheiny :

said by eburger68

:

I've been asking all day long for critics to offer specific reasons and good evidence for continuing to detect WhenUSearch, Weathercast, and ClockSync as something other than "Low risk adware." No one has yet been able to do it.

This is where I would start. (from pg. 9 of your report)

WhenU's software does employ an auto-update mechanism over which users have no control,however, allowing WhenU to arbitrarily install new software

This requires a high degree of trust on the user's behalf. What has WhenU done to deserve this trust? My AV gives me a chance to opt out, as do my OS and AS. Why doesn't WhenU?
From,
"Data Collection, Transmission, & Sharing"
You state:

2. Data regarding users' surfing habit is transmitted to WhenU only in certain,limited contexts (for example, to identify the web page users were visiting when
they clicked on an ad) and is not tied to a personally identifiable profile or used to
build a profile history of their surfing habits.

How did you verify this? Do you have access to WhenU's database?]]> http://www.dslreports.com/forum/remark,13962401 Fri, 22 Jul 2005 22:38:40 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13962329 WFO : Taken Back. LOL. :)]]> http://www.dslreports.com/forum/remark,13962329 Fri, 22 Jul 2005 22:29:28 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13962328 Anonymous : To eburger68 and daphne:

Read Mele20's post. I completely agree.

Adware is not a kind of software I'd like to have installed on my PC.

Lavasoft messed up and their reputation went down the drain.
Sunbelt is doing the same thing but they think if they make it public it will make some difference.

It will not.

Also you quoted part of my post (I stated that was IMHO and no I'm not a moderator).

Just be careful and don't let your reputation go down the drain together with Sunbelt' reputation.
--
Get Firefox!]]> http://www.dslreports.com/forum/remark,13962328 Fri, 22 Jul 2005 22:29:22 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13962311 Tsume : Well, I read the entire post, and I don't see anything wrong with this decision.]]> http://www.dslreports.com/forum/remark,13962311 Fri, 22 Jul 2005 22:27:50 EDT Disproving by counter-example http://www.dslreports.com/forum/remark,13962265 keith2468 :

quote:
I strongly suspect that much of the hue and cry here comes from people who have no direct experience with WhenU's software or only very limited experience with it. After I finish testing 33 installations of WhenU's software (to say nothing of the innumerable times I've tested WhenU's software in prior years), "because it's WhenU" begins looking more and more like a bogeyman argument.

I'm with Eric on this reasoning.

I think a lot of spyware labels are due to mis-steps by the vendor that have been corrected, due to guilt by association (being distributed by websites that also distribute malware -- but, to draw an analogy, just because one product that Sears sells is needlessly dangerous does not mean that all products that Sears sells are needlessly dangerous), and mistakes in software evaluation.

This is not to say that there isn't plenty of spyware and malware out there, just that there is also a lot of mis-identified legitimate advertising sponsored software. It will be a big job for the industry to straighten the mis-identification mess all out.

The only real way to defeat Eric's point above is to provide a counter example.

If a WhenU product (or anything else) is spyware/malware it is designed to get on computers. So getting yourself infected should be relatively easy. You get infected, and then you wait and see what the product really does. Then try the "uninstall" utility to see if it actually prevents the product from loading automatically on re-start.

I am thinking that these testing steps will be work, but some experts may want to contribute corrections.

It is simple enough. The only barrier is having the test PC, and having the time.

1. Be sure that nobody in the family relies upon the test computer for work or school. Make sure that it doesn't contain the only copies of photos of a wedding, a beloved puppy, etc.

2. Get the test computer ready.

Note that you must not connect to the internet until you have firewall protection in place. You want to make sure the infection is coming as a result of visiting the site concerned.

a) Re-format the computer.

b) Install the operating system of your choice.

c) Install the firewall or NAT router of your choice.

d) Do not update the operating system (in particular, do not install the updates that prevent drive-by downloads).

e) If you wish, install security scanning software (an AV, and ASW software). Disable any real-time monitoring.

f) Use a disk imaging utility to make an image back-up of your system in its clean state.

A clean image backup will allow you to repeat the tests quickly, without going through steps (a) thru (e) every time.

(The tests will be made invalid if some AV or ASW monitor leaps to life and tries to do a removal or disinfection. I know from experience that some of ASW products sometimes mess with the uninstall registry links.)

3. Visit sites with WhenU and see if you get any drive-by downloads.

4. If step 2 gets you infected, report the URLs to and infectious files to the various ASW vendors.

Clearly you have proof that one distributor of the products is doing drive-by downloads. The ASW vendors can then research if this is a rogue distributor or common practice.

5. If step 2 fails, go to a site and manually download WhenU.

6. Wait 6 hours to see if anything follows (i.e. whether other products are installed without permission).

7. Test the product's "uninstall" utility. For this test to be valid there must have been no AV or ASW product messing with the product being tested. You need to have your AV and ASW monitoring software disabled from the time you do the install until after you test the uninstall.

8. Re-start the computer to see if the un-install utility worked. There may be directories left, there may be modules left, but if the product no longer automatically starts the uninstall utility worked as adequately as your typical uninstall utility for generally accepted software like NAV.

If the "uninstall" utility didn't work, send your information to the ASW vendors.

Keep in mind that your test computer will be susceptible to infection from whatever worms and viruses are going around, because you have to have the AV monitor turned off for the testing to be valid, and because your operating system will be partially or fully unpatched (so that drive-by downloads can occur). So you will need to protect any other computers on the same LAN from infections that the test computer gets.

The proof that a product is malware/spyware/adware is that you yourself see behavior meets the definition of malware behavior, and others can duplicate your results by carrying out the same tests in the same way.

Everything else is just talk.
--
(Virus&Hijacking FAQ + Submit suspected malware + Backups FAQ + Security FAQ TOC)]]> http://www.dslreports.com/forum/remark,13962265 Fri, 22 Jul 2005 22:21:57 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961974 feverfive : ^^^^^If nothing else, that'd do away w/ subjectivity.....That's what I worry about the most--who is actually making these decisions? I haven't, admittedly, thought this through as much as some of you...Though my visceral reaction is that I am concerned about the standards/views/methodology espoused or used by those who make these decisions. It's getting harder to know which vendor(s) to trust (& I am not making specific allusions about Sunbelt/CounterSpy).]]> http://www.dslreports.com/forum/remark,13961974 Fri, 22 Jul 2005 21:42:59 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961973 B :

said by doormans

:

Now Sunbelt does let us, the end user know and it seems it is even worse.

Well, yeah, although as Snowy pointed out they didn't really mention it to their users in their newsletter, but rather blogged an entry about it. Eric's notification here was presented as a semi-independent notification in keeping with his usual watchdog role, with "full disclosure" as to his consulting relationship. I don't know how orchestrated or not this non-announcement was, and I don't think I care.

I still respect and hold in awe all of Eric's tireless efforts to date. But he knows better than most that people follow the money and that assertions from "interested" parties are rightly viewed more suspiciously.

This thread started with "Sunbelt has announced the completion of a review of WhenU's software." But it doesn't seem they really announced as such. The actual blog entry, or what Eric referred to as a "short digest", is not really as commital as the phrase "completed a review" would imply to me.

Ah well. I'm not interested in casting suspicions about; I guess I just hope Eric and Suzi understand that however white-hatted and pure of heart they think they are, and in all likelihood and from most appearances they really ARE, that financial relationship colors EVERYTHING they say and do in this arena. I understand their indignation after all of their hard work, but it comes with the territory. I don't follow these issues closely, but I do recall being somewhat surprised about Eric's Sunbelt relationship when it was mentioned some months ago; I don't think it's always been tagged to his well-publicized and well-regarded postings. Sorry for the long dramatic monolog guys.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13961973 Fri, 22 Jul 2005 21:42:49 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961941 suzi : Anonymous wrote:

quote:
I have a lot of respect for some people that contributed to this thread but if you're related in any way to this company IMHO you should not post.

So. are you advocating censorship?

quote:
Wow you guys are actually justifying this decision? Posting screenshots etc...

That's just wrong.

I take it you only want one side of the story told? Since when should both sides of the story not be told? I offer no apologies.

Perhaps *you* should show some concrete evidence to support your statements, particularly this one:

quote:
Why is it always WhenU? I mean we all know what they do...

Please tell us how you know what they do? Did you read the white paper? Have you downloaded their software? Please, *do* tell us. Eric has repeadedly asked for evidence of anything that might have been overlooked in Sunbelt's analysis. No one has offered anything except opinions based on bias and emotion.
--
aka Suzi, Spyware Warrior
Microsoft MVP Windows Security 2005]]> http://www.dslreports.com/forum/remark,13961941 Fri, 22 Jul 2005 21:39:51 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961891 Mele20 : Spyware/adware is just that. There is no need for classifications. We don't classify viruses (at least not in terms of their degree of badness so that only the baddest are targeted for immediate removal). They are just viruses and we ask and expect our AV vendor to be very aggressive and get rid of all of them by default setting. I don't go around picking and choosing some viruses that I like and want running on my box. Same with adware. I want NO adware period ever on my box. If by some weird chance some piece of crap adware got on my box, I would have, until now, expected CS to remove it by default. (Of course, now I also know that CS doesn't currently remove any spyware that gets on Firefox because it is unaware of it).

The distinction that weatherbug, or something like it, "only" has ads contained in weatherbug and thus is not hurtful is spurious. They are ads! Therefore, weatherbug is adware and should be removed by default if I run CS. Anything that puts ANY sort of ads on my box, calls home in any fashion, sets permanent cookies on my box, is adware and I want it removed. I'm very unlikely to ever get adware on this box but if I did, I want it treated just like a virus is treated...no if, ands, buts...it is immediately removed by default. I have no interest in ever running any application that places ads on my box and/or spies on me. I think that is how most feel. So, the need for determining that some viruses are good for me and some spyware is good for me, or at least not evil, is absurd. Its ALL EVIL and I want it gone and I expect my anti-malware software to understand this and remove it all. I don't have to go through Bit Defender's av definitions to see which ones they think are "somewhat" ok so they won't remove them. I shouldn't need to do that with CS for spyware. If I do, then the application sucks because adware/spyware is just that. There are NO GRAY areas just as there are NO GRAY areas with viruses.

It may be true that vendors would drop detections if definitions were inflexible ones. All that means though is that the vendor has caved in. And it means we the users need some other way like B

has suggested to deal with this kind of threat instead of depending on vendors that cave in. Because the vendor may drop detections in this instance doesn't make it right that "flexible" definitions are the answer. Not at all. What it means is that we have to find some other ways to combat this evil since it is now clear we can't depend on the vendors. The main thing we can do right now is never, ever use IE and even with Fx be very, very careful.

I have Adobe Reader 5.0 on this XP Pro box because I won't put up with ads, calling home, any of the crap that is on the later versions. When the time comes that 5.0 is too old to use, I'll look for free software, etc. that I can use as a substitute. If there isn't any then I simply will do without PDF files. As for Opera, yes I recently downloaded it. I almost never use it and when I do (only because it can help me figure out a problem because it has more information about what is going on with the browser than other browsers) I have to constantly click no to the steady stream of adware cookies it wants to set. I allow none of them and if I use Opera anymore I will strip the ads using Proxo.

And no, before you ask, I haven't read CS's white paper because it's irrelevant. I want all spyware immediately removed/quarantined (quarantine as default is safer because it could be an FP) and I see no reason for classification. Spyware is spyware just as a virus is a virus. Remove it/quarantine immediately ...no equivocation. No if, ands, or buts necessary.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,13961891 Fri, 22 Jul 2005 21:34:23 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961811 doormans : I first must say that I have only posted in this forum on 2or 3 occassions to ask questions. I do however read this forum religously twice daily without fail and pretty much take as gospel what the everyday contributors say concerning security for the home computer user.This far and away the best forum for your security needs and issues.I am however quite shocked at the way this particular issue has turned to such a personal and venomous attack against Eric's credibility on this matter. I doubt any of us has worked as endlessly or tirelessly as he has to keep the entire computer users world as informed and secure from malware as he has. If in his professional opinion certain Whenu apps. are not as bad as they once were then I think we should consider the source, who has not ever as far as I know deliberately led anyone astray.

As far as sunbelt goes, I feel they are to be commended for coming straight out with this information on lowereing their risk standards for these particular products. When adaware delisted certain apps. and did not disclose it everyone swore to delete it from their machine. Now Sunbelt does let us, the end user know and it seems it is even worse. Can't have it both ways with out the bridge collapesing in the middle.

Buy the way, I don't use Sunbelt and have never meet or corresponded with Eric so lets put that to rest. Everyone should just relax and be calm. Thanks to everyone here for all their dedication and hard work keeping myself and others secure while cruising the net.
:)

]]> http://www.dslreports.com/forum/remark,13961811 Fri, 22 Jul 2005 21:23:53 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961741 eburger68 : Anonymous:

said by Anonymous

:

I have a lot of respect for some people that contributed to this thread but if you're related in any way to this company IMHO you should not post.

I'm sorry, but I didn't happen to notice that you'd been appointed moderator. And since when were vendors or those associated with them not allowed to explain and defend decisions? Isn't that exactly what users have been demanding from anti-spyware companies -- more transparency about vendors' decision-making processes?

said by Anonymous

:

Why is it always WhenU? I mean we all know what they do...

No, I'm afraid that's not the case. I've been asking all day long for critics to offer specific reasons and good evidence for continuing to detect WhenUSearch, Weathercast, and ClockSync as something other than "Low risk adware." No one has yet been able to do it.

Perhaps you'd care to step up to the plate and tell us all what you apparently "know" but the rest of us don't? (And please don't skimp on verifiable evidence -- we're all dying to see it.)

said by Anonymous

:

EDIT:

Wow you guys are actually justifying this decision? Posting screenshots etc...

That's just wrong. :huh:

Aluria, MS Spyware, Sunbelt who's next?

Gosh, I hadn't realized that well reasoned arguments supported with concrete evidence would come as such a shock to some folks. Please do accept my apologies. (Suzi can apologize for herself.)

Let me reiterate, if you've got the evidence to suggest that something has been overlooked in Sunbelt's analysis of certain WhenU products, I'd be happy to look at it.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13961741 Fri, 22 Jul 2005 21:14:48 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961621 Anonymous : I just wonder who will be able to stand up to crapware makers?

I almost purchased their product but changed my mind after hearing about licencing of their spyware definitions.

I'm sure glad I did not waste any money on them.

I have a lot of respect for some people that contributed to this thread but if you're related in any way to this company IMHO you should not post.

Why is it always WhenU? I mean we all know what they do...

EDIT:

Wow you guys are actually justifying this decision? Posting screenshots etc...

That's just wrong. :huh:

Aluria, MS Spyware, Sunbelt who's next?

--
Get Firefox!]]> http://www.dslreports.com/forum/remark,13961621 Fri, 22 Jul 2005 20:56:36 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961100 eburger68 : StraitShoot:

You wrote:

said by StraitShoot

:

Well, uh... he'll have spyware on his computer.. and it's WhenU...LOL

But what is going to HAPPEN to the user as a result of having that "spyware" on their computers? What specific ills will befall that user? Labels don't us much of anything. We need a discussion of specific practices and effects.

If you really don't know because you're not familiar with the software, that's fine. There's no shame in having better things to do with your time than installing useless software and testing it -- like I do with so much of my day. In fact, that would make you completely normal. But let's not cloud the issue with vague labels like "spyware."

said by StraitShoot

:

I do have to hand it to Sunbelt, though. They are handling it better than others...

Thank you. I'm sure the folks at Sunbelt appreciate the comment, because transparency is important to them, as Alex Eckelberry emphasized early on in this thread.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13961100 Fri, 22 Jul 2005 19:39:09 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13961008 StraitShoot :

said by eburger68

:

My question to you, Jim, is this: what will happen? Can you tell me what ills will befall the user who who leaves WhenUSearch installed?

Eric L. Howes

Well, uh... he'll have spyware on his computer.. and it's WhenU...LOL
I do have to hand it to Sunbelt, though. They are handling it better than others...]]> http://www.dslreports.com/forum/remark,13961008 Fri, 22 Jul 2005 19:27:24 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960996 StraitShoot : Eric, from now on my answer to everything from now on is ... "Because it's WhenU"...LOL]]> http://www.dslreports.com/forum/remark,13960996 Fri, 22 Jul 2005 19:25:33 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960992 eburger68 : Mers2:

You wrote:

said by mers2

:

I read the white paper before I posted my first post in this thread. My opinion is this: as long as a company has one program out there that is still moderate risk malware then all of their side programs - particularly those that are bundlers for the adware - should be kept listed as moderate risk. This company has not completely cleaned up it's act and should not be rewarded for partially changing it's behavior.

OK, this is a real argument over which reasonable people can have a legitimate disagreement. You seem to view reclassifications through the lens of "rewards" to adware vendors, and think that the "goodies" ought to be withheld until their act is 100 percent clean.

There's much to be said for the position, and I must admit it's tempting. Still further, I would point out that Sunbelt has not budged on its Save/SaveNow detection precisely because problems remain with the program and its installation/uninstallation practices.

That said, when I think of how programs are to be presented to users, I find it tough to justify presenting WhenUSearch or Weathercast or ClockSync to users in the same way as Save/SaveNow, simply because of what that pop-up advertising program does.

In fact, it borders on misleading to tell users "We assess this clock program as moderate risk, the same as the pop-up ad program, and recommend removal of the clock program," when that assessment is based NOT on the specific characteristics of the clock program itself or the practices associated with it, but rather on the characterisitcs of some OTHER pop-up program that you happen to have a problem with.

Put another way, I tend to view detection/presentation issues as a matter of making the most justifable assessment and recommendation to users based on the actual threat represented by the named program itself.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13960992 Fri, 22 Jul 2005 19:25:13 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960941 suzi : I downloaded WhenU's WeatherCast to see for myself what it does (even though I've read the white paper several times). For those of you who haven't read the white paper and are protesting the reclassification, here are some screenshots. This is what comes up when you start the installer:

When you click on the link to read the License Agreement and Privacy Policy, this screen comes up:

Now tell me that is not an easy-to-read, clear agreement. It is actually larger than shown here because I re sized the screenshot to be 100 px smaller in width.

Once installed, the program looks like this:

The default location is New York City. It does not show the user's location unless you enter your city and state or zipcode. The text link ad is displayed in the lower portion of the window. This the actual size; I did not re size it.

When you close that window, and I don't mean minimize it, I mean close it completely, you continue to see the icon in the system tray, the one to the far left.

That's it -- that's all there is to it. Nothing more, nothing less. Yes, it puts itself in startup, but most any software does that now, even ones that don't need to be there.

During the installation process, it asks to connect to WhenU's servers 3 times. Since I don't have a packet sniffer, I can't say what is or isn't being transmitted. The text ads sometimes reflect the city or geographic area you enter, but some are very generic.Here's what WhenU says about it. (Yes, Whenu's domains are still in IE-SPYAD in case anyone is wondering. I had to remove whenu.com from restricted sites to download the app.)

»www.whenu.com/pc_weathercast.html

I fail to see how this app is any different from Adobe Reader which displays ads in the upper right corner and downloads the Yahoo toolbar on upgrading to version 7. I don't use Opera, but I understand the free version displays ads, too. I fail to see any reason why WeatherCast should be labeled anything more than Low Risk Adware. If someone has objective reasons and documentation to the contrary, let's see it.
--
aka Suzi, Spyware Warrior
Microsoft MVP Windows Security 2005]]> http://www.dslreports.com/forum/remark,13960941 Fri, 22 Jul 2005 19:18:40 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960910 eburger68 : Bruce:

You wrote:

said by roamer_1

:

There is GREAT validity in B's assertion: "Because it's from WhenU".

Reputation can play an important and necessary role in an analysis of spyware/adware vendors and their software, especially when dealing with new or unknown software (for example, a 0-day file from CoolWebSearch), when dealing with software that already possesses characteristics that are ripe for misuse and exploitation (for example, being ActiveX-installable), or when dealing with companies who continue to engage in business practices that are known to produce bad results (for example, using multi-level, third-party affiliate networks, which WhenU stopped using but 180 continues to use).

But reputation can't be the only or primary criterion when dealing with software that's readily available for analysis and that's available through distribution methods that can be exhaustively researched. WhenU's software is not new or unknown; it's readily available for analysis; and its distribution channels are fairly well-known and easy to find. That's a far cry from CoolWebSearch or even 180solutions.

When I can test 33 different WhenU installations, pick apart their installation processes, examine their uninstallation processes, and observe very closely their advertising methods, reputation becomes much less important because I have more specific knowledge to base my assessments on.

I strongly suspect that much of the hue and cry here comes from people who have no direct experience with WhenU's software or only very limited experience with it. After I finish testing 33 installations of WhenU's software (to say nothing of the innumerable times I've tested WhenU's software in prior years), "because it's WhenU" begins looking more and more like a bogeyman argument.

By the way, it needs to emphasized that WhenU's main adware application remains classified as "Moderate risk"/"Quarantine," and a good part of the reason lies in the specific characteristics of the program (pop-ups outside of the context of the host program, distribution/execution independent of a host program) that make it much more troublesome than a simply desktop toolbar or weather program with text advertising embedded within it.

Finally, it also needs to be emphasized that while I don't completely discount WhenU's reputation or past practices, I can't ignore the changes they've made:

* ending ActiveX installs
* ending the use of third-party distribution networks
* revamping notice/disclosure screens to use straightforward, unvarnished language

As a result of the past nine months of changes, WhenU has a much better reputation with me and Sunbelt than, say, 180solutions. Where I don't have to look hard at all to find sleazy 180 installations or other obnoxious behavior, I have gone for months and months without seeing a single report of a bad WhenU install.

In the two cases that I have seen (Nov. 2004, June 2005 -- notice the significant gap), WhenU immediately got the installations shut down. Not so with 180 and other adware vendors, who shut down one problem installation only to see ten more take its place.

said by roamer_1

:

I can't help but believe that any wiggling or "gray area" can only be beneficial to adware and spyware companies- It is absurd to believe that these companies are trying to protect their "name", as their past practices have damaged their names FOREVER.

This seems to be a growing sentiment -- that hard and fast definitions grounded in pure, objectively defined functionality with no flexibility would lead to tougher detections. In fact, that sentiment is completely mistaken.

Tough, hard, inflexible, black-and-white definitions are brittle and easily broken. There's a reason why adware vendors themselves have been demanding such "objective," "black-and-white" definitions -- because they're ripe for being exploited with functionality and practices that aren't contemplated in such definitions.

In fact, to be truly strong, definitions need flexibility. Flexibility is what gives you the ability to handle borderline cases and address new functionality and practices from adware vendors that aren't strictly contemplated in "objective" criteria.

It's also wrong to assume that inflexible, black-and-white definitions would produce more detections. In fact, they would probably produce FEWER detections. Flexible definitions that allow for different levels of classification enable you to detect and present more types of software to users than otherwise.

Don't assume that that if vendors were to switch to black-and-white definitions, more software would be detected. My guess is that vendors would quietly drop detections that don't clearly fit their main detection criteria, whereas more flexible criteria would allow them to continue offering those detections while presenting them to users in a different way.

Doubt me? Let me give you an example. Take a look at this blog entry from Spyware Warrior:

»netrn.net/spywareblog/archives/2···-survey/

Look at comment 13, which is from a representative of Weatherbug. Notice that he's arguing for a strictly defined industry standard definition of "adware"? Why? It's no accident, really -- because he strongly suspects that such an inflexible definition or set of criteria would of necessity give Weatherbug the green light.

Now, Sunbelt CounterSpy does detect and present Weatherbug to users, but using the same "Low risk adware"/"Ignore" detection as is now being used for WhenUSearch and Weathercast.

Truth be told, if Sunbelt were forced to abide by a black-and-white detection scheme, Weatherbug would probably have to be de-listed, as it would be silly and indefensible to lump Weatherbug in with Aurora or CWS and present them to users as the same kind of threat. Most folks who responded to my informal adware risk survey appeared to agree, too:

»Informal Adware Risk Survey

That "Low risk adware" classification effectively allows Sunbelt to detect a program that it might not otherwise, because Sunbelt can present Weatherbug to users in a different way and with different advice than it does in the case of Aurora or CWS. That's the power of flexibility in detection and presentation.

said by roamer_1

:

A good point was made (sorry, forget who made it) that it is much simpler to set up a secondary company to sell legit software out of, or to reorganize under a different name to continue drive-bys with... as many have done (Claria is a good example).

WhenU doesn't perform drive-bys. And were they to start again, their software would be swiftly reassessed and reclassified.

said by roamer_1

:

When I use an anti-virus program I expect it to remove all viruses by default- not just the really, really bad ones.

In the same way all software is judged by it's performance "out-of-the-box", Anti-ad / anti-spy should work the same way, with the default stock installation ready to remove EVERYTHING from every classification.

But advertising software isn't like traditional malware. Advertising software (such as WhenU's) employs a whole host of functionality that has legitimate uses -- see my earlier response to ghost16825 for examples:

»Sunbelt Adjusts WhenU Detections

That's another reason why adware and spyware criteria need to be nimble and flexible enough to handle difficult, borderline cases where things aren't so clear.

said by roamer_1

:

If you wish to add an option for the user to ignore certain items or items under a class number of [1,2,3,etc], that would be fine- but the default should set to "whack 'em all!"

If "whack 'em all" becomes the default for all adware programs, then vendors are going to have much less leeway to present certain detections to users. Here's why:

Let's take the example of Download Accelerator Plus or Weatherbug, programs that display advertising within the context of their own ad windows. These programs are comparatively innocuous, but some anti-spyware vendors might still want to alert users or administrators to the presence of the programs on systems without necessarily suggesting that they represent the same kind of threat as Aurora or CWS.

In a black and white detection model, you're forced to present these to users in the same way as Aurora and CWS. And do you know what many users are going to do when they see you recommending to remove Weatherbug or DAP because they allegedly present the same kind of threat as CWS or Aurora?

Easy. They're going to absolutely *FREAK.* Some of them will then start emailing the vendors for Weatherbug and DAP, accusing them of planting "trojans" and "viruses" on their computers. Others are going to start emailing the anti-spyware vendor, pleading desperately for information about this horrible threat that the anti-spyware program detected on their drives. A small few are going to email or phone the anti-spyware vendor and accuse them of fraud and scaremongering.

Those are the kinds of results you get with black-and-white, whack-em-all detection criteria. And given the potential fallout, many an anti-spyware vendor is simply going to drop the detection or not offer it to begin with.

Vendors who have more flexible detection and presentation criteria can do better, though. They can present the detections as "Low risk," advise "Ignore" (because very little of consequence will befall users if the software remains), but still offer to remove the software if users affirmatively elect to do so by changing the action from "Ignore" to "Quarantine" or "Remove."

Sorry for the long-winded reply, but this is important stuff, and I hate to see people here coming to the same conclusions as the *adware vendors themselves*: that we need hard-and-fast, black-and-white, rigid, inflexible, objective criteria and definitions.

said by roamer_1

:

(I have marked your WhenU stuff fo later reading...)

Thank you. If you'd like even more to read, you might check this short discussion on Spyware Warrior about the ways in which anti-spyware vendors are incorporating flexibility into their presentation of detected software to users:

Presenting Anti-Spyware Scan Results
»www.spywarewarrior.com/anti-spyw···ults.htm

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13960910 Fri, 22 Jul 2005 19:14:48 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960909 SnowyOne : Eric,
This disclosure is starting to appear more as a disclosure by you rather than a "Sunbelt" disclosure.
In Sunbelt's newsletter of 07-22-05 (today as far as I can tell) I can only find a scant reference to the 'adjustment' that on it's own hardly qualifies as a disclosure of any sort.
I am only posting a portion of that newsletter even though it's requested that the newsletter be copied in it's entirety. I will post the entire contents if requested by Sunbelt.

"You might ask yourself: "Is Sunbelt also downgrading their threat
definitions to "ignore" for Claria and other adware like Microsoft
is doing in their Windows Antispyware?". The answer is NO, we ignore
Microsoft's threat scoring values. We only use their threat data
(the file names, and locations where malware is found, etc.). We
have not downgraded our Claria or other adware recommendations and
do not plan to, unless they shape up, get straight and behave like
decent Internet citizens, like WhenU recently did."

emphasis is mine, but even emphasised, I wouldn't call this disclosure by any stretch. This is the official newsletter sent to all CounterSpy" subscribers. Selectively full disclosing is not full disclosure.]]> http://www.dslreports.com/forum/remark,13960909 Fri, 22 Jul 2005 19:14:47 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960903 BillPStudios :

quote:
I think Sunbelt should be applauded for calling a duck a duck,Don't you ?

I think Sunbelt should be applauded for many things. They're the only large vendor who I've seen actually get down in the fox holes with us. The white papers that have been created by Sunbelt show that they are serious and willing to put in the sweat it will take to create a fair and safe computing world.

quote:
Recently most Vendors are running scared from C&D's,One whiff of potential damages and they drop the whole detection.

Agreed which is why I've ignored any C&D's or threats we've received. We don't have a lot to lose and in Scotty's case we let the users make the decision. We've still been threatened just for alerting users to a change.

quote:
Were on a slippery slope to where adware is acceptable and legitimate software even if it is unwanted

What really annoys me that all legitimate companies now feel it's ok to include "Always-run" components with their software. CD Burners, Multimedia players, Adobe, Quicken, Printer Software, etc... All the typical "Run when I want you" programs now install Always-run programs or auto-updates.]]> http://www.dslreports.com/forum/remark,13960903 Fri, 22 Jul 2005 19:13:49 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960702 Tekkanano :

said by WALL_E

:

[Disclaimer] I'm 17 and work at the local supermarket. Not much of a bias, eh?

I'm 24 and I have no job...*cries*...

I don't see what the big deal is anyways. These spyware/adware software don't detect anything. ;) The scan always comes up zero, and it's been like that for over a year now.
--
Cox gave me the speed I wanted, so no more dreaming of DSL...humm, got fiber?]]> http://www.dslreports.com/forum/remark,13960702 Fri, 22 Jul 2005 18:42:03 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960637 mers2 : I read the white paper before I posted my first post in this thread. My opinion is this: as long as a company has one program out there that is still moderate risk malware then all of their side programs - particularly those that are bundlers for the adware - should be kept listed as moderate risk. This company has not completely cleaned up it's act and should not be rewarded for partially changing it's behavior.

Having said that, I am pleased that Sunbelt was up front with the disclosure and that they retained the definitions for the programs with downgraded threat levels.

Thank you Eric for your continuing research and reporting.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. ]]> http://www.dslreports.com/forum/remark,13960637 Fri, 22 Jul 2005 18:31:22 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960599 Martinus :

said by Mike_Healan:

But hey, at least they announced it publicly instead of having to be CAUGHT the way Lavasoft and Microsoft were.

Agree.

An out-of-the-closet spinned move is way better than getting caught with your pants down. At least it won't trigger an outrage as in »MS Downgrades Claria Detections, 'cos it's only an "adjustment".
--
From the GSV "Ethics Gradient"]]> http://www.dslreports.com/forum/remark,13960599 Fri, 22 Jul 2005 18:26:13 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960546 anon : I think the one's who object to the downgrading just miss the good old days, when the only targeting criteria that really mattered was: "do our users want this thing gone?"

Personally, I don't care how you define the various terms we give to these programs or how some vendor assigns threat levels. I just want to be able to tell a person that "yes, XYZ Antispy will find whatever it is causing those pop-ups. Run it and remove whatever it detects" and not have to go through a HijackThis log afterward to clean up something that wasn't removed because it doesn't meet some targeting guideline written to satisfy the legal department.

But hey, at least they announced it publicly instead of having to be CAUGHT the way Lavasoft and Microsoft were. I can give them some points for that.]]> http://www.dslreports.com/forum/remark,13960546 Fri, 22 Jul 2005 18:21:03 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960529 Martinus :

said by fatdcuk

:

Not all WhenU software is adware/spyware...

Not all cancers are deadly, but you sure don't want them near you.
--
From the GSV "Ethics Gradient"]]> http://www.dslreports.com/forum/remark,13960529 Fri, 22 Jul 2005 18:18:40 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960473 B :

said by fatdcuk

:

Any ideas how you can target a brand name and not get ripped to shreds in court ?

Uh, yeah, as I just indicated, I've already presented some. See pages 1 and 2 of this thread as well as »MS Downgrades Claria Detections .

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13960473 Fri, 22 Jul 2005 18:11:32 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960443 Martinus :

said by John2g

:

However, from reading this thread, it doesn't seem all the difficult to change the setting (once it is detected) from ignore to remove. It is not exactly rocket science.

Certainly not for you and not for the chaps in this forum, but there is quite a big market out there - the one that makes the bucks come in - the, dare I say, unsavvy users? who would be better served with more prudent out of the box settings like "this is definitely an unhealthy piece of ~~shyte~~ software. You don't want that to cripple your laptop or that high-end gaming rig you've invested in".

Let's compare it to those loved/loathed opt-in, opt-out schemes.

Edit: But, then again, you are using Boclean, so what do you care about spyware anyway?
--
From the GSV "Ethics Gradient"]]> http://www.dslreports.com/forum/remark,13960443 Fri, 22 Jul 2005 18:07:07 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960316 fatdcuk :

said by Bill:
I respect Sunbelt's attempt to somehow classify functionality of programs user's might find on their computers. I fear however that by defining the guidelines, it provides the intruders what they need to side step rules and still intrude where they're not wanted.

A lot of companies that have spent years using the system to take advantage of users and cash in on their lack of expertise. While most of them claim a new more respectable approach, none of made amends for their previous behavior and I'm hard press to trust anything they offer.

"Adjusting" the classification can be dangerous and given the possibility of changes and/or embedded time bombs within software it's tough to determine the real threat of any unwanted software.

As they say, if it looks like a duck, smells like a duck and walks like a duck it's probably a duck.

Bill

Hi Bill,A huge thanks for Scotty the dog !

I think Sunbelt should be applauded for calling a duck a duck,Don't you ?

Recently most Vendors are running scared from C&D's,One whiff of potential damages and they drop the whole detection.They don't see any ducks at all from certain vendors.
At least Sunbelt continue to call a duck a duck and are prepared to see it through the courts if needed.

CJ got it bang on the money earliar on in this thread with "Times are a changin'" statement.

Were on a slippery slope to where adware is acceptable and legitimate software even if it is unwanted:(

PS Roamer 1

Not all WhenU software is adware/spyware that is the crux of the matter which some people have problems grasping.
I hope you find the PDF enlightening.
The truth of the matter is Sunbelt are looking after their customers interests and ahead of the their rivals with the way they do this.

Apologies B i did'nt see your last post:(
Any ideas how you can target a brand name and not get ripped to shreds in court ?]]> http://www.dslreports.com/forum/remark,13960316 Fri, 22 Jul 2005 17:50:55 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960255 B :

said by fatdcuk

:

Being of a brand name is not enough to warrant removal and would be indefensible in a court of law reguardless of past exploits.
Why is that so hard for you to grasp ?

Not hard at all; not only have I acknowledged it several times, but I've made two specific separate suggestions as to how to work around that reality. I could ask why it's so hard for you to acknowledge that truth and perhaps offer your own suggestions.

That said, it's somewhat of a mystery to me why Company A can sue Company B because Company B provided me tools that let ME identify and remove Company A's software.

I'm specifically NOT talking about cheating the spyware-using Company A by disabling ads (which would violate the EULA). I'm talking about identifying Company A's product as a spyware bundle, notifying the user, and allowing the user to choose not to install Company A's software.

Oh, you say, Company B's not allowed to say Company A is spyware; that's defamation or something. What a load of crap. I understand that's the litigious reality of it, that Company B will have to fight, but it's just crazy. It's as if movie reviewers were held legally accountable for saying Star Wars sucks.

Eric tried to explain all this to me once, but either it didn't really make sense or my skull was too thick.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,13960255 Fri, 22 Jul 2005 17:43:33 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960200 roamer_1 : Eric,

There is GREAT validity in B's assertion: "Because it's from WhenU".

I can't help but believe that any wiggling or "gray area" can only be beneficial to adware and spyware companies- It is absurd to believe that these companies are trying to protect their "name", as their past practices have damaged their names FOREVER.

A good point was made (sorry, forget who made it) that it is much simpler to set up a secondary company to sell legit software out of, or to reorganize under a different name to continue drive-bys with... as many have done (Claria is a good example).

The only readily apparent reason for classification is to allow a condition wherein adware software has a possibility to survive, and once instituted, one can easily see a slippery slope developing- Levels of complication in definition make tracking and "adjustments" harder to do in the long run... One can imagine anti-ad software makers eventually getting thousands of applications for adjustment of classification per month or per week, overwhelming the anti-ad people's ability to cope. Soon bloody well everything will be set to ignore until you can get around to re-determining class....

I really don't care about how you wish to classify anything, it is really the default action that matters..

When I use an anti-virus program I expect it to remove all viruses by default- not just the really, really bad ones.

In the same way all software is judged by it's performance "out-of-the-box", Anti-ad / anti-spy should work the same way, with the default stock installation ready to remove EVERYTHING from every classification.

If you wish to add an option for the user to ignore certain items or items under a class number of [1,2,3,etc], that would be fine- but the default should set to "whack 'em all!"

Then an installing adware would have to inform the user in no uncertain terms that it detects [Spybot S&D, AdAware, CounterSpy, MSAS, etc] installed on the box, and that the user must set it to ignore the offender or lower the ignore level to it's class... (Hey, we could call it the ignorance level :)) thus informing the user.

When in time the poor ill-informed user stuffs his box full of adware and is at a loss as to why it is so slow, He can pay me my $45 house call and I will crank up [Spybot S&D, AdAware, CounterSpy, MSAS, etc] and reset to "Whack 'em all", clean out all the crap, turn my collar around, and preach to him incessantly that he is never, never to lower the "allow classification" option...

That way I can trust you, ad\spyware will continue to prey on ill-informed users, and everything will be back to normal :)

(I have marked your WhenU stuff fo later reading...)
Bruce]]> http://www.dslreports.com/forum/remark,13960200 Fri, 22 Jul 2005 17:37:19 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960066 eburger68 : Jim:

You wrote:

said by StraitShoot

:

Eric, you're playing "solid evidence", where is the analysis flawed, or have you read the analysis...games now, eh?

It's not a "game" to request solid evidence or good reasons. Evidence and reasons are the minimum expected from folks who want to maintain that Sunbelt's wrong. If you can't provide it, then you don't have good grounds to maintain that Sunbelt has erred.

You still want to maintain Sunbelt has misanalyzed those three particular WhenU programs? Fine. Then tell me WHY.

said by StraitShoot

:

Say what you wannna say, man, but a lot of people don't know better, and won't move it from "ignore" to remove... Wheras, by having it in "remove" Sunbelt was more protecting of the average user (not us exalted DSLR members, LOL) now that level of protection is not as strong.. If I have the brains to install WhenU, then in detection, I can choose to remove... or ignore...

B, I'm totally with you on this one..

So, let's suppose that some user picked up WhenUSearch along with a free screensaver or wallpaper. The thing's been on the desktop for a few days. Maybe this person finds it slightly annoying, maybe not.

This user then scans with CounterSpy and see sees the "Recommended Action" of "Ignore." And let's assume worst case scenario where the user places all faith in that, reads nothing of the additional descriptive text presented about WhenUSearch, and decides not to remove the WhenUSearch bar.

My question to you, Jim, is this: what will happen? Can you tell me what ills will befall the user who who leaves WhenUSearch installed?

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13960066 Fri, 22 Jul 2005 17:21:31 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13960022 fatdcuk : Reality check for the dreamers and ideaologists here !

You cannot target a company because of past exploits especially if they have brought out new more compliant software even if they dispensed some majot SH*T in the past.

The Vendor will get ripped to shreds in legal action subsequently:(

Yes we all bear a grudge against Gator and such puke but if claria brings out software that is'nt adware/spyware you cannot target it like spyware/adware.End of story.

What part of that can you people not understand ?

Eric has challenged you to identify problems with certain software and all you can do is say well its from "WhenU" thats the problem.

Being of a brand name is not enough to warrant removal and would be indefensible in a court of law reguardless of past exploits.

Why is that so hard for you to grasp ?

:(]]> http://www.dslreports.com/forum/remark,13960022 Fri, 22 Jul 2005 17:15:11 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13959982 ctrip : Personally, this reclassification doesn't really bother me. The program still detects the stuff, right? So I can just change their recommended "ignore" to remove. No biggie.

This is the same attitude I had about 3 weeks ago when I first saw the thread started by the Sunbelt shill about Microsoft Antispyware "downgrading" Claria recommendations.

»MS Downgrades Claria Detections

I thought the same thing then. It still gets detected I just change their "ignore" to remove...No biggie.

But what I do find entertaining, is that during the course of that 8 page thread all the outrage directed at MS and all the praise heaped on Counterspy who would never do such a rotten and evil thing.
--
Spread Internet Explorer! - The browser you can trust to not have those annoying Firefox twits pushing it!]]> http://www.dslreports.com/forum/remark,13959982 Fri, 22 Jul 2005 17:11:03 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13959853 StraitShoot :

said by John2g

:

I have never installed CounterSpy, so I doon't know exactly how it works.

However, from reading this thread, it doesn't seem all the difficult to change the setting (once it is detected) from ignore to remove. It is not exactly rocket science.

Eric, you're playing "solid evidence", where is the analysis flawed, or have you read the analysis...games now, eh?

Say what you wannna say, man, but a lot of people don't know better, and won't move it from "ignore" to remove... Wheras, by having it in "remove" Sunbelt was more protecting of the average user (not us exalted DSLR members, LOL) now that level of protection is not as strong.. If I have the brains to install WhenU, then in detection, I can choose to remove... or ignore...

B, I'm totally with you on this one..]]> http://www.dslreports.com/forum/remark,13959853 Fri, 22 Jul 2005 16:57:57 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13959773 John2g : I have never installed CounterSpy, so I doon't know exactly how it works.

However, from reading this thread, it doesn't seem all the difficult to change the setting (once it is detected) from ignore to remove. It is not exactly rocket science.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,13959773 Fri, 22 Jul 2005 16:49:23 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13959769 eburger68 : Jim:

You wrote:

said by StraitShoot

:

1. Okay, so Sunbelt is "Notifying" us users? We as users are notifying Sunbelt our opinion is that Sunbelt is wrong, and we do not think Sunbelt should classify WhenU as lowrisk...

Why? I've been asking this question all day now, and neither you nor anyone else has come up with a solid reason to continue classifying WhenUSearch, Weathercast, and ClockSync as something higher than "Low risk."

Also, would you please report Sunbelt's decisions accurately? Sunbelt did not "classify WhenU as low risk" -- it classified three specific programs as "Low risk," while leaving WhenU's main adware application as "Moderate risk."

said by StraitShoot

:

2. It looks like no matter what, Sunblet should have left everything the way they were, now I, along with others, it seems, lost a little of that "trust" I previously had.. I trialed CounterSpy for two weeks, and I was close to buying it.. Now, I think I'll wait it out...

Again, WHY? Simply repeating ad nauseam that you don't like the decisions isn't going to be convincing, if you can't provide good reasons and solid evidence to believe you're right.

Have you read the Sunbelt analysis, Jim? Can you tell us point by point where that analysis is flawed or what evidence we've overlooked?

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13959769 Fri, 22 Jul 2005 16:49:05 EDT Re: Sunbelt Adjusts WhenU Detections http://www.dslreports.com/forum/remark,13959734 hpguru : Thank