Under Review

Block All Bundled Software

  • 7 October 2014
  • 39 replies
  • 20593 views

Userlevel 7
We get a lot of questions/issues/complaints around PUAs.  They are one of the most irritating things.  WSA blocks many of them, but for a variety of reasons not all.  Specifically, PUAs that are bundled with other software, are not hidden, and have an opt-out ability are not currently blocked by Webroot.
 
Would it be possible to add a feature that the end user can choose when installing new software to block ALL bundled software?  That would:
 
1) Be an active choice by the user to block the bundles
 
2) Reduce vastly the number of PUA issues that we see
 
3) Keep things quite legal.
 
4) Help keep Webroot above and beyond the competition.  :)
 


Userlevel 7
Oh it would be so great if this feature gets implemented. PUAs are such hassles.
Great idea! 
 
Although I noticed in our environment that Webroot already does a great job. Since the deployment WSA blocked many PUA which came from popular download websites; like I wrote in another thread every downloader from a certain German portal gets blocked. It's cool to see a blocked threat with PC count equal to 1 ;) 
 
Userlevel 7
Well this subject I already have burs on my butt already and PUA's are considered Malware period. Maybe they have forgotten Adware is Malware and I want my AV or AM to protect me from them as a user. http://en.wikipedia.org/wiki/Adware so this Idea gets a Thousand Kudos from me.
 
Thanks,
 
Daniel
Userlevel 7
As I posted under the 2015 thread...why not just detect them and show them in Quarantine with the other 'more normal malware' but rather than checking it for removal by default present it UNCHECKED which gives the user the option to identify the PUA elements found and if they decide they want to remove them they check the relevant box(es) and these are included in the normal removal process otherwise they are effectively restored...just as would be something 'more normal' found in quarantine that the user decided they wanted to allow through?
 
Could even highlight/lowlight them in another colour text to make them stand out?
 
Just a thought.
Userlevel 7
Yes, these adwares are becoming more and more devious in pursuing their 'mission'.
 
     http://www.ghacks.net/2014/10/07/new-adware-method-manipulating-browser-shortcuts-to-change-the-home-page/
    
Whenever browser makers tighten the defense systems of the browser it does not take long usually before advertising companies and malware writers find new methods to penetrate those defenses.
Some browsers display information to the user when the homepage changes while others such as Chrome may even reset settings automatically when changes are noticed.
If you have installed the most recent version of Auslogics Disk Defrag, a popular disk defragmentation software for the Windows operating system, you may have noticed that it displays an offer after installation of the core program to install something that makes Bitable.com the home page in web browsers on the system.
Userlevel 7
Well here is a good Video and to the point!
 

Defcon 18 -My life as a spyware developer - Garry Pejski - Part.mov

 
Daniel
 
I used a program called 'Unchecky' that does this.
 
Unchecky unchecks all bundled Adware/PUA in a good program.
 
Why should AV programs be worried about legal implications. I don't know.
 
One of the reasons why Android/iOS systems work is because the market (downloads) is controlled. 
Crap can't get into a cell phone like it can on a PC. Similar to Default Deny. Everything is tightly monitored.
 
It's time for Webroot to toughen up. PUA's are a big problem. They are the new 'slow down computer' malware. When I go service a PC, the customers say ... my PC is slow, I have a virus...etc. please fix it. 90% of the time, it is PUA programs. That makes me think: there is a big market out there to make good money blocking PUA...why hasn't someone created a full Anti-PUA program yet...I would so use this!!!!
Userlevel 7
Bump as we would like to hear what Webroot is going to do? I think it's time to declare war on PUA's and the WIN Cloud Database can do it and as I posted above it is Adware!
 
Thanks,
 
Daniel
 
http://en.wikipedia.org/wiki/Adware
 

As malware

The term adware is frequently used to describe a form of malware (malicious software),[19][20] usually that which presents unwanted advertisements to the user of a computer.[21][22] The advertisements produced by adware are sometimes in the form of a pop-up.[23]
When the term is used in this way, the severity of its implication varies. While some sources rate adware only as an "irritant",[24] others classify it as an "online threat"[25] or even rate it as seriously as computer viruses and trojans.[26] The precise definition of the term in this context also varies.[c] Adware that observes the computer user's activities without their consent and reports it to the software's author is called spyware.[28]
Programs have been developed to detect, quarantine, and remove advertisement-displaying malware, including Ad-Aware, Malwarebytes' Anti-Malware, Spyware Doctor and Spybot - Search & Destroy. In addition, almost all commercial antivirus software currently detect adware and spyware, or offer a separate spyware detection package.[29]
 
http://en.wikipedia.org/wiki/Malware#Grayware
 

Grayware

See also: Privacy-invasive software

Grayware is a term applied to unwanted applications or files that are not classified as malware, but can worsen the performance of computers and may cause security risks.[56]
It describes applications that behave in an annoying or undesirable manner, and yet are less serious or troublesome than malware. Grayware encompasses spyware, adware, fraudulent dialers, joke programs, remote access tools and other unwanted programs that harm the performance of computers or cause inconvenience. The term came into use around 2004.[57]
Another term, PUP, which stands for Potentially Unwanted Program (or PUA Potentially Unwanted Application),[58] refers to applications that would be considered unwanted despite often having been downloaded by the user, possibly after failing to read a download agreement. PUPs include spyware, adware, fraudulent dialers. Many virus checkers classify unauthorised key generators as grayware, although they frequently carry true malware in addition to their ostensible purpose.
 
http://s2.quickmeme.com/img/b0/b0813ebdd95539d48845cd87d7d68922c6084b55e2601328d5880295a676d860.jpg ENZO! ;)
Userlevel 7
I've had some conversations with folks internally about this, and it's a thorny issue.  Having a separate category for "technically legal but still unwanted" would require massive infrastructure changes, and categorizing them as bad would open up a legal can of worms.  I'm still pushing for the latter, and I'll update you guys when I have some news.
Userlevel 7
My turn to be blunt :)
 
The legal challenges can be hurdled, as other solutions have done so.  
 
As for the other, well, yes change would need to be made, possibly having the ability to tell the customer basically "We know you have downloaded this as an Opt In, but many customers find it to be a problem.  Would you like to have us remove this now?"  
 
On a No.. simply have basically a "do not ask again" list, much like the text file for the Whitelist, so WSA will not be retriggered by the same PUA over and over if the customer really does want it.  WSA already has the ability to take what is a global block and over-ride it, the same can be done when it comes to PUA checking.
 
Besides... it will give the Dev's an interesting challenge to do.  Dev like challenge right?  ;)
 
More seriously, we see more and more problems with automatically opted in PUA's, and more and more comments from customers unhappy that Webroot did not detect it but 'such and such program' did.  In many ways WSA is way ahead of the curve technologically speaking, but it has to stay that way to keep ahead of the game.
 
Just my additional $0.02  :)
Userlevel 7
Thanks Nic but the Legal can of worms should be opened on PUA's = Adware see my edit above and it's running amok as over 90% of the users come here because of this Bundled Adware/Malware. Other AV companies are doing it and Webroot can do it and be better at it.
 
IMO,
 
Daniel 😉
Userlevel 7
I agree with you guys, which is why I'm championing this internally 🙂  Just giving you a sense of some of the things I'm running into.  One other option we discussed would be an OEM partnership with Unclicky or some other software that attempts to solve this problem. 
 
One way you guys can help is in reporting those toolbars and PUAs - one of the criteria that threat research uses is whether the software is wanted or not.
 
Anyway, I'll keep working on the issue, and keep sending me whatever ammo you have to help!
Userlevel 7
I know Nic 🙂  I know.  I just wanted to make sure that those 'upstairs' know, without any doubt, what the feelings down here are :)
 
As for reporting toolbars and PUA's that is easy.  Consider it done.  We have ways of doing that LOL!
Userlevel 7
This is a FANTASTIC idea. Not only would this be very helpful, but with the way malware is evolving I think it is inevitable that good AV programs will accept and adopt to detecting PUA and AdWare.
 
There is no way around it: AdWare is being manipulated and has become a serious threat to unsuspecting consumers and is costing them time and money.
Hell, Webroot's weak PUA detectability is one of the major reasons I am running ESET along with Webroot.  I honestly don't think that should be necessary nowadays...come on webroot fix your SDLKSDJ
Userlevel 5
 Having looked through this subject, my own thought is that it would be easier from a programming and legal perspective to simply have WR uncheck the boxes and flag up to the user to check that is what they require.
 
Or am I being a little naive here?
 
Moonzero2
Sounds like an interesting idea Moonzero2 🙂
Userlevel 7
So that's Java blocked then, the world's most popular plugin for browsers. 
Userlevel 7
Not at all.. only the junk that comes in with it.  Java itself would of course still be quite allowed 🙂
 
 
PUP's / PUA's, as an Agent, these are the most notable in any device's programs. The ones that linger are the ones that can make damage happen. I see the Bloatware right out of the box and unless a client straight up asks for it to be removed... Advice is all we can do. IT'S Da LAW!  In effect, like iOS/Android phones the details are in the download. Which brings me to the table, WSA doesn't have to remove the program, but why not a soft quarantine, as in, when the program is closed the "product/service" is removed. On boot up it's cleaned. If power is turned off there is no need for the program or service, nothing works. If I shut my door and don't lock it you can still get in. But if I locked the door then shut it....you get my application drift.
 
Always Thinking on the other side.
Userlevel 7
Alright... my turn.
 
ESET and Kaspersky are a few of the major players that are adding PUP and PUA detection to their feature list. More companies will be adding this feature as well due to the necessity of keeping support costs down for one thing. 
 
If Webroot does not follow along and start detecting these types of programs, they will be left behind. 
 
It is easier to push and sell your product as an Industry Leader rather than a Follow-Along. Or worse, a "Could-Have-Been."
 
 
Perhaps this solution would circumvent the entire "can of worms."
 
1.  When a user launches an installer that is rated "Safe" or "Unknown", offer the user the ability to set "All subsequent bundled installers and processes to inherit monitoring."
 
2.  When the user enables this setting and launches an installer that is monitored, all subsequent bundled installers and executables will be monitored as well - regardless of their WIN safe rating.
 
3.  The user can then decide what, if any of the safe files or unknown files to "Block," quarantine via scan and delete from the system.
 
In all cases unknown files are monitored and known malicious files are blocked anyway.
 
This completely removes any liability on Webroot's part from blocking any PUA file - as it is the user that makes that decision completely.
 
System files would have to be excluded from inheriting monitoring: e.g. consent.exe, msiexec.exe, etc.
 
Admittedly, run sequences can get a bit messy.
 
And then there is the issue of an over-feed to WRData folder if the user keeps too many apps monitored for too long a period of time (In the past I've experienced PUA installers that place more than 10 apps onto my system... bad news).
 
Just food for thought...
Userlevel 7
I see it's over a year since this Feature was put forward and there seems little to report. Whilst WR contemplate the legal ramifications of blocking PUAs, their opposition is grasping the nettle and adopting far stricter blocking/ removal practices. One of the leaders in this regard is also a US based company so I am a little baffled why they seem able to do it whilst WR cannot.
 
As has been pointed out the helpers on this forum are in the front line in dealing with upset customers and users are often told that they need to contact support to remove the more nasty variations that are not easily uninstalled. This is both wearing and time-consuming for the community helpers and costly in support time for WR. Eventually, if nothing is done, it will lead to a loss of custom.
 
Whilst those of us on here know about the issue and can make alternative arrangements to ensure that we don't have any stray PUAs on our systems, it has to be a big factor in preventing outright recommendations of WSA for use by clients or friends who may not be very computer literate.
Userlevel 7
I think that the recently announced legal action (subject of a Security News thread) on this very subject explains why Webroot are being so cautious...the whole area is a legal minefield...and there are many companies out there with far more draconian approaches in this area that are just flirting with lawsuits against them...but luckily for them there does not seem to be any appetite for that from the 'oppressed' (those whose software could be claimed to be unjustly labelled by some as PUAs or PUPs, etc.).

Hopefully, the legal action will go the right way and clarify the overall vista and so allow the likes of Webroot to take firmer action.

But who knows.

Baldrick
Userlevel 7
Here is that link Baldrick from the news articles.
https://community.webroot.com/t5/Security-Industry-News/Avira-turns-tables-to-launch-lawsuit-against-crapware-slinger/m-p/224950#M19817
