Spyware Taxonomy Evolving
Apr 4, 2005

In advance of the release of its Windows AntiSpyware product, Microsoft has published more detailed criteria for categorizing potentially unwanted software (PUS), such as adware or spyware. The criteria will continue to evolve as Microsoft and its partners work to balance the interests of users, who do not want software that threatens their security, privacy, or the stability of their computer, and software developers, who continue to create a variety of applications for Windows that use new business models, such as having the user agree to view advertising in exchange for using the software or service.

Basic Classification Scheme

The PUS taxonomy is the basis for a library of information about software, which, like antivirus software's signature files, is used to decide whether a piece of software should be quarantined until it can be determined whether the user wants it or removed if the user does not want it. To determine if software is PUS, the taxonomy attempts to balance the following factors:

Potential harm. The potential of the software or the software's behavior to do harm or cause disruption, ranked from none to extreme.

Threat category. This describes specific types of threats, including deceptive behavior (such as installing without the user's consent), violation of privacy (such as tracking a user's Web browsing behavior without explicit permission), security threats (such as disabling or interfering with firewalls, antivirus, or other security software), and performance or system stability impacts (such as creating a noticeable slowdown in performance due to a drain on system resources).

Microsoft acknowledges that it will be necessary to consider the context and intent of an application when attempting to determine if it is PUS.
For example, a system service such as a print spooler needs to start automatically and run continually in the background with a limited user interface, and security software such as an antivirus program also needs to start and run without user input.

Avoiding Incorrect Classification

Although Microsoft does not provide guidance about how to design and develop software to avoid being incorrectly detected and labeled as PUS by Windows AntiSpyware, the new details will be helpful to software developers. The best guideline for how to design and develop software for Windows is still the "Designed for Microsoft Windows" logo, which is most often used to identify hardware and hardware drivers that work and behave well with Windows. But even following these guidelines for writing Windows applications may not prevent false positives, in which a product (or portions of it) is misidentified as known spyware.

Developers and users who discover a case in which Windows AntiSpyware misidentifies a useful or desirable software product or component as PUS can fill out an online form at the SpyNet Web site. Microsoft will review the submission and, if warranted, make the appropriate changes to its spyware library. Software developers who think their software has been incorrectly classified by Windows AntiSpyware as PUS can try to get their classification changed by submitting a similar online Vendor Dispute Form.

Some vendors may be reluctant to use either form, however, for fear that Microsoft will not respect their intellectual property or will use the information to compete with the vendor. Both forms require developers to report details about how their software works, how it installs, how it hooks to the Windows Shell, where it stores configuration information, and whether or not the user can uninstall it. However, Microsoft says it will only use the information for the purposes of deciding whether or not the software should be included in the Windows AntiSpyware library as PUS.

Microsoft has not expressed any plans to create an antispyware alliance similar to the Virus Information Alliance (VIA), whose members (including Microsoft) exchange valuable technical information on newly discovered viruses so that they can more quickly communicate to customers their targets, impact, and methods of remediation. A similar alliance of antispyware detection software vendors would be useful in providing a common, industrywide set of criteria for classifying PUS and for sharing information to limit its damage.

Resources

How Windows AntiSpyware classifies PUS is described at www.microsoft.com/athome/security/spyware/software/analysis.mspx.

The "Designed for Windows" logo program, which documents best practices for developing hardware and software for Windows, is detailed at www.microsoft.com/whdc/winlogo/default.mspx.

Vendors whose software is being misdetected should fill out the Web form at www.spynet.com/falsepositive.aspx.

Vendors who feel that their software is being incorrectly labeled as PUS should fill out the Web form at www.spynet.com/vendors.aspx.

The VIA is described at www.microsoft.com/technet/security/alerts/info/via.mspx.