Skip to main content
Microsoft Security
Protecting the modern workplace from a wide range of undesirable software

Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. Learn how we classify malicious software, unwanted software, and potentially unwanted applications. Read the blog post.

​Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently undergone some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how it affects some programs.

Our updated objective criteria also explains how advertising software can provide users with choice and control. Programs that do not follow these rules will be detected as adware and immediately removed from the user’s machine:

Programs that promote a product or service outside of their own program can interfere with your computing experience. You should have clear choice and control when installing programs that open advertisements.

The advertisements that are opened by these programs must:

  • Include an obvious way to close the ad.
  • Include the name of the program that created the ad.

The program that creates these advertisements must:

  • Provide a standard uninstall method for the program using the same name as shown in the ads it produces.

It is important that both developers and our customers understand this criteria. I will look at each of the points individually. But first, let’s look at which programs can qualify as adware.

What can be classified as adware

We only consider classifying a program as adware if it runs on the user’s machine and produces notifications promoting goods or services in programs other than itself. If the program shows advertisements within its own borders it will not be assessed any further.

Many programs use advertising as a form of payment for the program and that is also an acceptable practice. We are more concerned with the advertising that interferes with our customer’s Windows experience without giving them choice and control over it.

A method to close the ad

As part of the advertisement there must be a method to close the ad. This must be a clear and obvious method. Suggested methods are an ‘X’ or the word ‘close’ in the corner of the ad.

If you are going to have a group of ads, it is acceptable to have a single close button as long as the ads are clearly grouped together. If the ads are not grouped each ad will need its own close button. Some of the better groupings we have seen are lines around all of the ads or a different colour background for the ads.

In the case of pop-up advertisements, a working close button on the window is acceptable.

The name of the program that is creating the ad

It is important for the user to know that these ads are being shown by a specific program and would not be there if it was not for this program. To tell the user that your program is making the ads, you need to make it clearly known in the advertisement. For example, some of the clearer ways that we see this done are phrases like “Ads by …”, “… ads”, “Powered by …”, “This ad served …”, or “This ad is from …”.

These methods all meet our updated objective criteria by clearly informing users which program is showing the ads. Using abbreviations or company logos alone are not considered clear enough. Also, only using “Ads not by this site” does not meet our criteria, because the user does not know which program created the ad.

A way to uninstall the program that is making the ads

The final part of giving a user choice and control is giving them a way to uninstall the program that is making the ads. For example, candidate programs that produce independent promotion notifications or promotion notifications in Internet Explorer must have an uninstall entry in the Windows control panel. It is very important that the name of the program in the uninstall entry exactly matches the name shown in the advertisement.

We know that for some browsers extensions are only removable through the browser’s own controls. This is considered a standard uninstall method and meets our objective criteria as long as the name still matches the name in the ad.

What happens to detected adware

Currently, when our security products detect a program as adware they alert the user and offer them a recommended action. If they don’t respond, the security product will let the program run until the user makes a decision.

With our updated objective criteria, this is going to change. Now, when one of our products detects adware it will immediately stop the program and the user will be notified. The user then then has the ability to restore the program if they wish.

When is this going to happen?

Changes to our objective criteria for classifying adware will come into effect on July 1, 2014. This gives developers three months to comply with the new rules.

We have already started reassessing our current adware detections against this new criteria. If your program is still being detected as adware but meets the new criteria you can let us know through the Developer Contact form.

We are very excited by all of these changes. We believe that it will make it easy for software developers to utilize advertising while at the same time empowering users to control their experience.

Michael Johnson


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity.