Close means close: New adware detection criteria

In April we introduced the rules that software developers should follow when creating advertisements to avoid being detected by Microsoft security products as adware. These rules are designed to keep our customers in control of their Internet browsing experience. Since then, we have had great success working with some companies through our developer contact process.

At the same time we have started to see other advertising programs trying to bend and even circumvent our rules. These advertisements produce a negative Windows experience and we have decided that it is time to add some new rules and clarify our stance on what defines clean advertising.

Close means close

The criteria for detection we released in April  states that advertisements need to “include an obvious way to close the ad”. It was explained that this needs to be a method that is clear to the user, such as an “X” or the word “close”. This requirement was widely adopted.

However, we have also started to see the close button used as a trigger to open other advertisements. This is was not the intention of the rule and this behavior will be detected as adware.

Links must remain clear and unchanged

Another concerning practice is the manipulation and misrepresentation of links on a webpage, as outlined below.

Modifying a current link

We have been seeing some programs modifying or replacing hyperlinks with different URLs than those used by the website owner. This includes places where a hyperlink is directly misrepresented and sends users to a different webpage than the one they expected. A hyperlink that directs a user to an advertisement before they can view the webpage they intended is also considered a misrepresentation. All of these behaviors will qualify a program to be detected as adware.

Not highlighting hyperlinks

When a user is browsing a webpage it is essential that they know when they are clicking on a hyperlink. It is required that if a program inserts a link, the user knows that it is a link. You should do this in a method that is clear and obvious. The colored double underline style is very recognizable and the preferred method. A program that creates links that are not clearly identifiable will qualify as adware.

Some of the more common methods of obscuring hyperlinks that we detect as adware include:

Using the background as a hyperlink

We have seen a bunch of programs using the webpage background as a link. This means that when the user clicks anywhere on a page that is not already a link, an advertisement is triggered. The user doesn’t know they are clicking the link and thus they are not in control of their browsing experience. This behavior will be considered adware.

Mouse-over links

In my blog about “a particularly convincing nefarious ad” I explained the practice of adding mouse-over events to an advertisements to mimic the user clicking the ad. I will mention it here as well. The user must click on the ad to follow it away from the page they are on. Any method of mimicking an ad click is not acceptable and will be detected as adware.

As always, these new guidelines along with the additional reasons we detect programs can be found on our Objective Criteria page.

Michael Johnson

Comments (5)

  1. Robert Scroggins says:

    Good! These are common sense requirements/detections that should add additional user protection. Thanks!

  2. Q454 says:

    Great work Microsoft. its about time to step up and take care of these adware's s and PUP. everytime I go to a clients home to clean their computer, all I find is Adware and PUP all over there computers. and the think is not many antivirus detects these
    little pests. hope ya keep improving

  3. Website owner says:

    If websites want to monetize with ads, wouldn't it be fair if the site owners get the money? Why do adware creators have the right to profit from websites at all? Your recent policies seem to be encouraging adware authors to continue their behavior, but
    I challenge the whole "industry" as something that should be allowed at all.

  4. LRL says:

    Why use the word adware? The article's tone should suggest the control be applied to malware. Shouldn't it?

    Also, the writer seems somewhat surprised by all of this? Where's he been hiding?

  5. Rudy B says:

    Ads and adware is simply increasing the complexity of the internet. Time is the only resource on

    cannot recover, and as the complexity increases more children are wasting time by spending far

    to much time on the internet rather than being mentored by their mother and father.

    We now live in a manipulated (not a free) society. Remember the simple life of the 1950's and 60's?

Skip to main content