Security Watercooler articles are designed to get you thinking -- and talking -- about issues facing information...
security professionals. Please Sound Off with your opinions.
Even AV vendors admit they initially failed when it came to protecting users from spyware. But they have their reasons.
"There's an argument that AV vendors dropped the ball, but it's a very slippery ball," said Roger Thompson, director of malicious content research at Computer Associates based in Islandia, NY. "Classifying spyware has never been an easy thing for AV vendors to do because of context -- it's all shades of gray, unlike viruses which are all black. It's only things like bots that everyone agrees are spyware."
A valid point given the spectrum of "spyware" that runs from bots to cookies, but analysts aren't buying it.
"I'm absolutely amazed AV vendors did nothing about spyware," said Amrit Williams, research director for Gartner's Information Security and Risk practice in Stamford, Conn. "It's bad stuff getting on your computer -- isn't that what they're supposed to prevent?
"AV vendors were in the best position to provide a level of protection against spyware, not simply detecting it, but preventing it in real-time as they have done with viruses," Williams concluded. "They should have provided this protection two to three years ago."
The buzzword this year is 'bot,' referring to millions of remote-controlled machines
Ed Skoudis, a noted author and security consultant, said AV vendors made their decision to not initially scan and quarantine or destroy spyware and bots for understandable, if debatable, reasons.
"From a legal perspective, if they characterize every overly aggressive advertiser as 'malicious code,' they'll face huge lawsuits. One person's spyware is another person's meal ticket," Skoudis said. "So, if an AV tool deletes the code used by such an advertiser, the advertiser's business model collapses, and a lawsuit results."
Part of the problem is because AV tools are designed to eliminate a threat, rather than advise that a potentially unwanted program [PUP] has been installed. And what is -- and isn't -- spyware is often in the eye of the beholder. Cookies are part of the Web browsing experience and many IT departments use remote management programs like PCAnywhere that others might classify as spyware.
Or AV vendors could just be greedy.
"The economic reason for minimizing spyware signatures in AV tools involves selling another product," Skoudis noted. "Why sell you just one product, when a vendor can sell you two: antivirus and antispyware."
Vincent Weafer, senior director of Symantec Security Response in Cupertino, Calif., said spyware isn't a technology
- Installation characteristics -- does it have active or passive user consent;
- Stealth properties -- silent install, no user interface, obscure naming etc;
- Privacy impact -- does it release confidential information;
- Integrity impact -- removes/lowers security protection, modifies browsers settings, overwrites system data;
- Performance impact -- system slowdown, stability, frequency of pop-ups, active conduit for additional security risks;
- Removal ease -- apparent avoidance of uninstall, non-functional uninstall, etc.
"Companies need to do a discovery scan for spyware and then decide which things they're prepared to exclude," Thompson agreed.
In an earlier interview at the Gartner IT Security Summit, a user in the financial services community who asked not to be identified, said an analyst report created for his organization examined deficiencies in the antivirus industry concerning the detection of spyware.
"While the larger antivirus vendors are neck-and-neck in functionality and capability, they have all ignored antispyware," the report said. "The smaller specialty software firms that have focused on developing antispyware are the recognized industry leaders. During the later half of 2004, Computer Associates acquired PestPatrol, Microsoft acquired Giant Software [and others], and McAfee released its initial version of antispyware -- all in an effort to have a showing in this space."