Adware: A new approach


Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently undergone some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how they affect some programs.

Our updated objective criteria also explain how advertising software can provide users with choice and control. Programs that do not follow these rules will be detected as adware and immediately removed from the user’s machine:

Programs that promote a product or service outside of their own program can interfere with your computing experience. You should have clear choice and control when installing programs that open advertisements.

The advertisements that are opened by these programs must:

  • Include an obvious way to close the ad.
  • Include the name of the program that created the ad.

The program that creates these advertisements must:

  • Provide a standard uninstall method for the program using the same name as shown in the ads it produces.

It is important that both developers and our customers understand these criteria. I will look at each of the points individually. But first, let’s look at which programs can qualify as adware.

What can be classified as adware

We only consider classifying a program as adware if it runs on the user’s machine and produces notifications promoting goods or services in programs other than itself. If the program shows advertisements within its own borders it will not be assessed any further.

Many programs use advertising as a form of payment for the program and that is also an acceptable practice. We are more concerned with the advertising that interferes with our customers’ Windows experience without giving them choice and control over it. To that end, programs that produce notifications promoting goods and services in programs other than themselves must adhere to the following rules:

A method to close the ad

As part of the advertisement there must be a method to close the ad. This must be a clear and obvious method. Suggested methods are an ‘X’ or the word ‘close’ in the corner of the ad.

Figure 1: Our new objective criteria states that the ads must have a visible close button

If you are going to have a group of ads, it is acceptable to have a single close button as long as the ads are clearly grouped together. If the ads are not grouped each ad will need its own close button. Some of the better groupings we have seen are lines around all of the ads or a different colour background for the ads.

Figure 2: A single close button is acceptable for ads that are clearly grouped

In the case of pop-up advertisements, a working close button on the window is acceptable.

Figure 3: Pop-up ads must have a working window close button

The name of the program that is creating the ad

It is important for the user to know that these ads are being shown by a specific program and would not be there if it was not for this program. To tell the user that your program is making the ads, you need to make it clearly known in the advertisement. For example, some of the clearer ways that we see this done are phrases like “Ads by …”, “… ads”, “Powered by …”, “This ad served …”, or “This ad is from …”.

Figure 4: Our new objective criteria states that the ads must clearly mention which program is producing the ads

These methods all meet our updated objective criteria by clearly informing users which program is showing the ads. Using abbreviations or company logos alone is not considered clear enough. Also, only using “Ads not by this site” does not meet our criteria, because the user does not know which program created the ad.

A way to uninstall the program that is making the ads

The final part of giving a user choice and control is giving them a way to uninstall the program that is making the ads. For example, candidate programs that produce independent promotion notifications or promotion notifications in Internet Explorer must have an uninstall entry in the Windows control panel. It is very important that the name of the program in the uninstall entry exactly matches the name shown in the advertisement.

Figure 5: There must be an uninstall entry for the program producing the ads and the name in the entry must match that on the ads

We know that for some browsers extensions are only removable through the browser’s own controls. This is considered a standard uninstall method and meets our objective criteria as long as the name still matches the name in the ad.
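The three rules above can be checked mechanically against what an analyst or developer observes. The following is an added example, not MMPC code or detection logic: the function names, the sample program names, the constructed labels, and the idea that the caller supplies the list of uninstall entry names and whether a close control was seen are all assumptions made for illustration.

```python
import re

# Attribution wordings the post lists as clear. The "by" after "served" is an
# assumption, since the post elides the rest of that phrase.
ATTRIBUTION_PATTERNS = [
    re.compile(r"^ads by (?P<name>.+)$", re.IGNORECASE),
    re.compile(r"^powered by (?P<name>.+)$", re.IGNORECASE),
    re.compile(r"^this ad (?:is )?served(?: by)? (?P<name>.+)$", re.IGNORECASE),
    re.compile(r"^this ad is from (?P<name>.+)$", re.IGNORECASE),
    re.compile(r"^(?P<name>.+) ads$", re.IGNORECASE),
]


def named_program(label):
    """Return the program name an ad label attributes itself to, or None."""
    text = " ".join(label.split())  # collapse runs of whitespace
    for pattern in ATTRIBUTION_PATTERNS:
        match = pattern.match(text)
        if match:
            return match.group("name").strip(" .")
    return None


def assess(label, has_close_control, uninstall_names):
    """Return the criteria an ad/program pair fails; an empty list means it passes."""
    failures = []
    if not has_close_control:
        failures.append("no obvious way to close the ad")
    name = named_program(label)
    if name is None:
        failures.append("ad does not name the program that created it")
    # The post requires an exact match, so the comparison is case-sensitive.
    elif name not in {entry.strip() for entry in uninstall_names}:
        failures.append("no uninstall entry exactly matching %r" % name)
    return failures


# Constructed sample data: uninstall entry names and (label, closeable) pairs.
INSTALLED = ["Example Shopper", "Contoso Player 2.1"]
SAMPLES = [
    ("Ads by Example Shopper", True),   # meets all three rules
    ("Ads not by this site", True),     # names no program
    ("Powered by ExShop", True),        # abbreviation, no matching entry
    ("Example Shopper ads", False),     # named and installed, but no close control
]


def run_samples():
    return [(label, assess(label, closeable, INSTALLED))
            for label, closeable in SAMPLES]


if __name__ == "__main__":
    for label, failures in run_samples():
        print("%-26s %s" % (label, "; ".join(failures) or "meets criteria"))
```
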

What happens to detected adware

Currently, when our security products detect a program as adware they alert the user and offer them a recommended action. If they don’t respond, the security product will let the program run until the user makes a decision.

With our updated objective criteria, this is going to change. Now, when one of our products detects adware it will immediately stop the program and the user will be notified. The user then has the ability to restore the program if they wish.

When is this going to happen?

Changes to our objective criteria for classifying adware will come into effect on July 1, 2014. This gives developers three months to comply with the new rules.

We have already started reassessing our current adware detections against these new criteria. If your program is still being detected as adware but meets the new criteria you can let us know through the Developer Contact form.

We are very excited by all of these changes. We believe that it will make it easy for software developers to utilize advertising while at the same time empowering users to control their experience.

Michael Johnson
MMPC


Comments (44)

  1. Sachin Joseph says:

    This is amazing. Everyone I know has been troubled by adware and I think this is a brilliant step from Microsoft to provide a better experience to users.

  2. Squuiid says:

    About time. It is amazing that this wasn't done sooner, especially for paying customers of Forefront and SCEP.

  3. James Fallon says:

    I would love to know how this will all affect companies like CONDUIT SEARCH, MYPCBACKUP, and the rest of the scumbag "elite", if at all. I am actually to the point of telling most NON-savvy users of real computers (as opposed to tablets) to not install anything over the internet. Nothing. An internet search for anything to install on your computer can only lead to Malware for non-savvy users.

    The internet has become a cesspool for these guys to continually pollute, and it pains me to see these guys and their packaged products remain at the TOP of the PAID internet search results from BOTH Google and Bing. It doesn't matter that most folks are getting fooled into downloading this crap, it matters what it does to the reputation of Windows. I hope it matters to someone up at MS.

  4. Langenge says:

    Great 🙂

  5. Peter says:

    i think that microsoft should improve realtime protection or a filter for block malicious pages before include adware detection

  6. Peter Frederiksen - www.skov.com says:

    There is another kind of malware Microsoft should stop, which is causing a lot of harm and wasting time for IT departments worldwide: As an example, when users download and install Java from java.com, they will automatically get the Ask Toolbar or Google Chrome, depending on which browser they use. They must actively turn off the option to install software they did not ask for. In the case of the Chrome browser, it is even automatically set as the default browser! This causes a lot of trouble with intranets and enterprise apps, which are mostly designed for the browser the enterprise has chosen as its standard. Such behavior is what we usually would call malware. It is OK that the user is offered additional software, but he should actively select it if he wants it; the default selection must not be to install it, as most users don't read or understand all the options. If Microsoft would block such automatic installs, it would save a lot of time and trouble for IT departments worldwide.

  7. Rob Campbell says:

    Great News!! Get it done MSFT!!

  8. Rob Campbell says:

    I ditto James Fallon's post to the letter.. Well said

  9. Scrappy says:

    And I want to ditto Peter Frederiksen – http://www.skov.com 's post, because I could not agree more!!!

  10. Jesper Johag says:

    I do also agree, problems generated by Ask and Chrome take up a quite sizeable time of our helpdesk. Not to mention the frustrated users.

  11. S Clark says:

    How can you trust any programme or service when the anti-virus and anti-spyware software themselves are unreliable? SpyHunter tells me I have over 300 infections but my regular antivirus software says I am clean, as does Windows Defender. I need clear and concise instructions on how to remove malware files WITHOUT having to use ANY expensive or so-called free programmes. What's the problem other than greed? A file is a file and if it exists it should be possible to locate and delete it. SpyHunter wants to charge me nearly $90 to fix problems that don't exist according to other software, including Windows Defender.

  12. tt1 says:

    Why doesn't Microsoft Security Essentials remove Conduit Malware? Why has a conduit "Search Protect" program been installed on my computer without permission?

    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/why-doesnt-microsoft-security-essentials-remove/2f46d488-542b-4084-ad68-f8810ecb0a0a

  13. adwbust says:

    don't forget to detect and remove linkury adware (smartbar and quickshare widget)!

  14. adwbust says:

    July 1 is taking too long. Your users are plagued with Adware!

    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/adinfo/2ed0b433-0f68-4199-b5d0-5a921827cacd
    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/visualbee/12647028-e3fb-430d-acaf-166e0d6a25ea
    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/how-do-i-get-rid-of-default-searchnet/3303ad8c-2544-4bb2-bad8-d79352517841

    This one seems to be a Windows Update/Fixit rogue?

    http://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/windows-xp-microsoft-security-essentials-update/09455a04-67df-4285-b90f-e4c644a512ef

    Not even a tech rep from MS/MMPC is helping them and gathering samples for perusal. All I see are stuck-up academe MSVPs giving lectures (put blame on user than give help blah blah ~ lazy) which frankly don't help at all! They don't want their hands dirty. Pathetic! Might as well tell (put a sticky with links) your users to go to a Malware removal forum. 🙂

  15. adwbust says:

    webmaster, can you pls fix your comment form's formatting? i use firefox 29 on xp and after submitting my comment, my comment appears with all those broken tags. it's hard to read! how to disable html format when typing my comment? i want to make it text-only!

  16. adwbust says:

    thank you webmaster. submitted comments are now readable in firefox. 🙂

    just encountered this in IE 9 on Vista and MSE didn't mind. is this a mindspark adware or just a harmless toolbar powered by Ask? thanks.

    download.allin1convert.com/index.jhtml?partner=^AYY^xdm239&sub_id=263963&theme=english0

  17. adwbust says:

    On the mse forum, there's still no MS tech rep that works with the users to obtain a threat (usually adware) sample for perusal. The forum helpers are just giving third party links to guides and tools lol. Why not create a sticky thread pointing users to seek MS support, go to a malware removal forum (create a list) or create a malware removal subforum on microsoft answers and invite trained volunteers to help?

    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/i-have-barowwsoe2save-virus-by-adware-and-ilivid/ad32c56a-7fa2-4a9d-887a-8910d4e5b74c
    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/pop-up-like-malware/c364d864-abf0-4d9e-9b94-b04dea624214
    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/how-di-i-remove-searchgboxappcom/df93d20c-221b-4a1c-ab9e-8bdceb7a7fcf

  18. adwbust says:

    zensearch browser hijacker isn't detected by mse also!

    answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/how-do-i-remove-zensearch-from-browser/0de4b811-2d2b-47c8-abcd-6f5934c3c1ba#LastReply

  19. adwbust says:

    submitted sweetim before and still has received status up to this time. mse still doesn't detect and remove the browser parasite/hijacker and your users are left dumbfounded and helpless.

    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/sweet-page-virus/2e5c7a77-0126-4fa6-8d15-2267c3580a8a#LastReply

  20. adwbust says:

    it seems the most prevalent browser hijacker that MSE doesnt detect and remove at this time is conduit with searchprotect and pcreg. pls do something MMPC!

  21. adwbust says:

    multiplug browser hijacker isn't detected and removed by mse! hint hint vaudix is just one of the variants! you haven't updated vaudix signatures for a while now.

    answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/multi-browser-adware-infection-not-found-by/6a7cdf52-96a3-4ed4-8bf8-6bd5879234dc#LastReply

  22. adwbust says:

    why isn't mse detecting fastcleanpro as misleading app?

    answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/trouble-uninstalling-fastclean-pro/bc907aa4-ac83-4cc7-8b0b-32fb0cdafd8c#LastReply

    this is most likely a multiplug variant related to searchnewtab. user was expecting to get adblockplus but got a multiplug variant instead. mse let it pass easy. tsk.

    answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/acceleratetab-adblock11042exe/17b28e82-3aaa-4141-904f-3b981dced9c5

    mse is lousy when it comes to grey threats. lol. proof below. btw, i know you recently added ways to monitor browser addons as suggested 😉

    http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/help-with-win-7-program-files-spyware-virus-remove/32785616-9df7-4879-afc9-aec484641174#LastReply
    http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/does-microsoft-have-the-definitive-solution-to/970fa97b-9154-4bcb-b1cd-be06ce4c745a#LastReply
    http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/gorillaprice-file-will-not-uninstall/c97ec9a9-72c9-40e0-b9a3-e5c41e08e721?page=3&tm=1401925909664

  23. adwbust says:

    it bogs me why mmpc needs to wait for july 1 just to detect and remove conduit. why would a browser addon need searchprotect or pcreg in the first place anyway? i don't see any legit/valid reason for it. well unless, they don't want the user removing their junk. why isn't mmpc acting on this? use your common sense pls. you're too focused on your flawed criteria. be decisive for the user's sake.

  24. adwbust says:

    V9 and Speedial junk grey threats also allowed by mse. 🙁

    answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/remove-v9-portal-browser-hijacker/1b5e14ce-ef49-4ab4-9f65-2d7dd2e0c1a0
    http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/how-to-delete-speedial-search/46cf64a1-d70e-4722-af21-7b24eed802af

  25. adwbust says:

    Pls detect and remove Regcure, Regcure Pro and SpeedyPC. Categorize them as Misleading threat.

    answers.microsoft.com/en-us/windows/forum/windows_7-system/how-safe-is-regcure-pro/77693962-496f-40cd-aabc-ba5aae583700?page=8

    Mse doesn't detect and remove Smartbar and another browser hijacker

    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/yahoo-community-smartbar-engine/12b6f202-c9f4-47e0-967a-55216bfcecd9
    http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/malware-on-ie-11/551e6bb6-fe3f-4a65-8f70-65372b7e5c81#LastReply

  26. adwbust says:

    btw, why is mmpc only adding general browser and addons-related behavior sensors less than a month before the supposed changed view on adware? i think they're doing this frantically. this should have been done before or at the time this blog entry was posted. they wasted more than 2 months time for what?

  27. adwbust says:

    another user's system infested with browser hijackers and dropped affiliate junk programs. mse didn't even flinch. it doesn't care. and yet we see people saying this isn't an issue? well you can't just disable and uninstall most of these hijackers. they hang well and tight.

    answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/help-having-trouble-removing-malware/96d01427-7f89-41ef-9fa7-211d5784c699

    and oh a bonus. mse also isn't good at protecting against and removing locker malware. if kaspersky can offer unlock tools, why can't people from mmpc do same? does this mean analysts from mmpc are inferior or just lazy?

    http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/encrypted-locked-file-virus-changes-all-pdf-mp4/a3a2dc89-98d3-4247-a9ad-0d4b96bbe358#LastReply

  28. adwbust says:

    mse left cowering against this browser hijacker infestation bonanza. what a joke.

    answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/how-to-get-rid-of-plurpush-conduit-redirectcom/a21c80cf-48cc-4d28-a256-4b66a362ef58#LastReply

    this user can't restore files from a backup because of mse false alarm on macro files. ask him for sample to check if they are indeed FPs

    http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/windows-image-backup-with-microsoft-security/238079c7-92fa-4fc2-a136-120ec12a340a

  29. adwbust says:

    mse doesn't block and remove this websteroid browser hijack scum

    answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/cant-uninstall-or-even-find-websteroids-on-my/d9539675-81fc-467f-be0d-680da7e108c3#LastReply

  30. adwbust says:

    pls detect and remove the sponsor included in/dropped by legit utorrent and bittorrent setup. they hijack the browser. seen default-search homepage and conduit. the utorrent setup is very nifty. it's as if you need to accept the sponsor to continue/finish the installation.

  31. Ughhh says:

    I can't believe how much Microsoft is bending over backwards to allow people to install crap on our computers. An ad that says "Your PC performance is poor" is deceptive, whether it says the name of the app or not. All these apps should be blocked and destroyed with extreme prejudice.

  32. TrafficTalks.com says:

    Great post. I made sure to include it on our forums for future discussions as well.

  33. Andrew says:

    Microsoft is offloading 18,000 employees, it allows programs such as search protect and tovi to be installed and we are basically told it's ok we are doing something about it? I downloaded a file from Microsoft and conduit installed itself no warning nothing. I strongly believe that Microsoft has seriously lost the plot and just do not care

  34. Hanand says:

    Peter Frederiksen yes i do agreed wth u …..ms have to look abt this issue ,this issue making the IT department to waste their time .

  35. K Top says:

    Thank you very much for your information

  36. Toni Brown says:

    I found Ads by DealScout adware infection in my computer two weeks ago. It always redirects me to some strange websites and always keeps popping up each time I open the browser. I found my default homepage replaced with some unknown

  37. Joseph says:

    Well i don’t see any improvement yet. There are still adwares on the Edge and IE. Shopperz creates drivers called bsdriver.sys and cherimoya.sys which are not getting removed. Along with that they run services to disable stopping the program. I request Microsoft to look into this and strengthen the security.

  38. Robert says:

    This would be amazing! Would save countless hours in removing adware.

  39. Andy Cooper says:

    Book Marker is a newly came adware program that once installed badly influence the system. It not only affects the PC performances, but can also take control over whole browser and meanwhile users’ personal and confidential data can be accessed bringing them in great trouble. Also, all times, it keeps popping up various advertisements on the browser while surfing Internet. To know more about Book Marker removal, you can take help from
    http://www.howtoremovemalwarepc.com/uninstall-book-marker-with-expert-guidelines

  40. We first developed a “scorecard” in the early 2000’s (about April 2003) for our PestPatrol Anti-Spyware program. Over the years we evolved the scorecard and made it more specific, providing less ambiguity for researchers making a judgement call on adware, BHOs, and other unwanted software. This category of unwanted software seemed to pretty much disappear sometime in the late 2000’s (maybe 2008 or 2009). So it has been surprising to see adware and other unwanted software make a comeback. Here is a link to the latest version of our Scorecard: http://benjamingoogins.com/computer-security-blog/ca-anti-spyware-scorecard-v3-0/

  41. Mirian says:

    Well, I’m stupid and I allowed some download program to install and it installed bunch of adware. most of it I uninstalled and cleaned with numerous adware and spyware programs. Security essentials wouldn’t recognize programs after I allowed their installation and still can’t find them. Process are not listed in Task manager, I can’t find them in google chrome’s extension (not even from regedit). It feels like every time I run cleaning they get deleted but after hour or so ad’s get downloaded and when I click some link browser jumps to some advertising pages and what not.

    Help :/