This article originally appeared on SearchSecurity.com, a sister site of SearchSMB.com.
About this series: Spyware is quickly replacing worms and viruses as IT managers' biggest worry. In this two-part series, security professionals and others debate spyware detection and who is best qualified to define it.
Trust the vendors?
With the security market flooded with antispyware tools and more on the way, shouldn't IT professionals simply trust their vendors to make a reasonable determination of what is spyware? After all, they are experts and their products have been through countless hours of testing.
Richard Stiennon, Webroot's VP of threat research, believes his company has practiced due diligence in making sure legitimate programs aren't labeled as spyware.
"Our approach is that spyware is like pornography, you know what it is when you see it," he said. "Regardless of what these companies say, nobody in their right mind wants all these pop-up ads."
Webroot doesn't specifically label programs as spyware, Stiennon said. It identifies them as adware, cookies, Trojan horses, keyloggers or whatever else they look like. Yet it calls its product Spy Sweeper and released a report this month called "State of Spyware."
Todd Sawicki, senior marketing director of 180Solutions, said companies like Webroot may not call programs spyware in their scans, but when "the spy word" appears on the product and in reports, the effect is the same.
"To get fingered, all you have to do is show ads outside the application," he said. "We get dinged because we show ads."
Stiennon said entities like Cool Web Search, Claria and 180Solutions deserve the bad reputation. He said 180Solutions, for example, has a history of "drive-by" downloads, using ActiveX to drop adware onto systems without warning.
"Legislative efforts have forced them to clean up their act," Stiennon said. "Over three months, 180Solutions and Claria lost two-tenths of one percent of their penetration. As they are forced to comply with laws they'll improve their image and products. But they still must account for their past."
Cool Web Search vigorously defends itself against such claims on its Web site, saying, "These kinds of activities are firmly against our rules. Did anybody tell you differently? Perhaps you have read an article somewhere blaming Cool Web Search for everything wrong with the world short of world hunger… You will be shocked to find out that 95% of all so-called 'CWS hijacks' have NOTHING WHATSOEVER to do with Cool Web Search. These people have never worked with us, and never will. We have never condoned the use of 'hijacks' or 'exploits.' Unfortunately, due to carefully orchestrated framing and smear campaigns of unethical competitors, who even to this day are distributing spyware and calling them 'CWS hijacks,' our good name has been severely damaged."
For its part, Claria said on its Web site, "We have strictly abided to our commitment to privacy and are dedicated to providing valuable permission-based software applications in exchange for delivering targeted messages to our users based on their anonymous online behavior."
In its recent State of Spyware report, Webroot said that it would be folly to move away from the spy word.
"At a time when many consumers and businesses struggle to understand the threat posed by spyware, trying to move away from the term
In the end, many vendors have decided to proceed with caution and let users decide what is harmful to their computers.
To separate the sinister from the benign, Cupertino, Calif.-based antivirus giant Symantec recently drew up a system to measure the potential risk of what it detects. While Symantec's Threat Severity Assessment measures the danger level of traditional malcode based on how fast it spreads and what kind of damage it can cause, the firm's Risk Impact Model now evaluates applications that look like spyware for malicious tendencies. After that, the user is left to decide if the application should be killed, quarantined or allowed.
"The heart of this approach is to tell the user what we have found and let them determine for themselves if they want to keep it or kill it," said Dave Cole, product management director for Symantec Security Response. "We make a recommendation and then you choose what to do from there."
Making the most of what you have
Since most people agree no one entity can solve the whole problem, Skoudis suggests IT managers take matters into their own hands and figure out how to get the best defenses out of the tools they already have.
"If you manage an enterprise network, reconfiguring your infrastructure will help you the most," said Skoudis, also a handler at the Bethesda, Md.-based SANS Internet Storm Center. He recently posted a handler's diary outlining 19 ways an IT shop can fight spyware with the tools they already have.
Nat Howard is an independent system administrator and developer based in Vienna, Va., who also runs a Web site called Stupid Security. As far as he's concerned, the best way to keep spyware off the network is to avoid the products that are always attacked.
"I use Linux, OpenBSD, FreeBSD, and Mac OS X, so my recent experience with spyware has been -- so far as I can tell -- limited to watching it hurt other people," Howard said.