Like other AV firms that have plunged into the antispyware business, Symantec has found this nuisance is harder to tackle than the average worm or virus. All worms and viruses are considered bad. Not so with spyware.
"Malware is never appropriate to have on a machine," said Dave Cole, product management director for Symantec Security Response. "It's not as simple with spyware and adware, because sometimes there are things you want on your machine."
To separate the sinister from the benign, the Cupertino, Calif.-based enterprise security provider has drawn up a system to measure the potential risk of what it detects. While Symantec's Threat Severity Assessment measures the dangerousness of traditional malcode based on how fast it spreads and what kind of damage it can cause, the firm's Risk Impact Model will evaluate applications that look like spyware for malicious tendencies. After that, the user is left to decide if the application should be killed, quarantined or allowed through.
"The heart of this approach is to tell the user what we have found and let them determine for themselves if they want to keep it or kill it," Cole said. "We make a recommendation and then you choose what to do from there."
Cole said the new risk model coincides with the launch of Symantec's new antispyware program, which it unveiled at last month's RSA Security conference in San Francisco. The company said the feature is included in Client Security 3.0 and AntiVirus Corporate Edition 10, giving enterprise users "comprehensive protection" against spyware, adware and blended threats.
Symantec isn't alone in its quest to better define the malevolent spyware from legitimate and wanted items. For example, the beta version of Microsoft AntiSpyware includes a worldwide SpyNet community -- a voluntary network of users that helps separate the good from the bad, reporting the sinister-looking programs to the software giant. Spybot also takes measures to separate the good from the bad.
Symantec's model judges the severity of spyware by its impact on computer performance and privacy, how difficult it is to remove and detect, and how prevalent it is on the network. The high-risk warning goes to items that:
- Significantly affect system performance;
- Release confidential information; and
- Appear to avoid "uninstall" programs.