Re: Software Makers Fight Spyware Blacklist, Murky Definition
From: Martin (martin_nospam_at_btinternet.com)
Date: Sun, 13 Mar 2005 20:01:18 +0000 (UTC)
Joe Moore wrote:
> Martin <email@example.com> wrote:
>>>In at least two cases AOL removed programs from its spyware list:
>>>SideStep Inc., a closely held online travel service that downloads a
>>>program onto users' computers, and market researcher comScore Networks
>>>Inc., which pays Internet users to place its software on their
>>>computers to track their online behavior.
>>On a similar note, the Microsoft Beta tool highlights Real VNC as medium
>>risk because it can be used to take remote control of a PC. As far as I
>>know there isn't any malware in Real VNC and it's unjustified to
>>highlight it by an anti-spyware product.
> When you say that there isn't any malware in Real VNC, I think you're
> missing the point. Spyware detection should be based on the capability
> and behavior of the program, not the suspected motivation of the
I'd normally agree with you, but it's kind of hard when it comes to VNC.
I've never heard of VNC trying to install itself from an ActiveX
component, or just from clicking on a web page or through P2P
It's huntable if you know what you're looking for, otherwise you'd never
come across it accidentally.
On their home page it states "The system allows several connections to
the same desktop, providing an invaluable tool for collaborative or
shared working in the workplace or classroom. Computer support within
the geographically spread family is an ever popular use."
It does what it says on the tin! So what else do people expect when they
> If someone didn't know a program capable of allowing remote control of
> their PC was there, why not tell them?
It says on the home page of their web site, so they know what it does
when they grab it.
>It's their computer. If they
> know the program's capabilities, and still want it there, fine.
Absolutely, but it's not spyware
>>I'd also suggest that it's up to the user to know what is on his/her PC
>>and remove what shouldn't be there, not to just blindly go and execute
>>every recommended action willy-nilly.
> Using anti-spyware computers is an automated attempt for the user to
> know what's on his computer and remove what shouldn't be there.
Do you have the same kind of users I have to deal with? I know you do :)
Ok, we all have them, "Martin, I deleted the program with the little
Teddy Bear because it's an unknown virus and ... " Microsoft
highlighting non-spyware programs as possible spyware is making our job
harder not easier.
I'd have a lot more sympathy if VNC actually spread through
spam/ActiveX/malicious web sites etc. but they don't. I can see it now
that system admins are going to be tearing their hair out because MS
classify things like VNC as "possible danger" and they get deleted.
> And when the number of actions recommended exceeds a certain
> threshold, they will be executed willy-nilly.
I know, and I've done it myself at times :~ you DO tend to get a bit
> That is just human
> nature. People whose computers have become infested with junk due
> to their trusting of untrustworthy folks will decide to trust
> their antispyware program in the hope that they made the right
> decision this time.
That means the anti- has to be accurate with the classification. Yes,
things like VNC are a potential security risk, but they are also a
godsend for admin types. They should not be highlighted by malware
scanners when they are not malware. I know the definition is hard
because a lot of what things like VNC do is what malware do, but there
is a vast difference in the use and implementation. I've met loads of
PCs with malware, I've never met one with an accidental install of VNC.
> The problem is not one of definition. The problem is one of behavior.
> When good programs start acting like bad ones (auto-updates over the
> net without asking for instance), even with the purest of motivation,
> they have to expect to be classified as bad until proven otherwise.
> And by "proven" I mean a credible explanation of why the behavior is
> _necessary_ not just convenient for the programmers.
Hee, not just the programmers :) I do agree with a lot of what you have
said. There is some responsibility in the malware scanners to do a bit
of homework and not highlight non-malware though.
I haven't tried yet, but presumably the MS tool will also throw up
things like Access-Remote, GoToMyPC, RemotePc....the real question is do
they also throw up Terminal Server? My guess is yes to the former and no
to the latter - but then I am cynical.