
PestPatrol 'temporarily' drops Claria from defs


2 replies to this topic

#1 TeMerc


    Countermeasures Team Leader


  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.

Posted 29 March 2005 - 02:29 AM

From Eric Howes at this DSLR thread.

Hi All:

Pest Patrol users should be aware that all of Claria's products -- including Dashbar, Date Manager, Gator/GAIN, GotSmiley, Precision Time -- have been temporarily removed from Pest Patrol's detections. This change is announced on CA's "Vendor Appeals" page:

http://www3.ca.com/securityadvisor/pest/content.aspx?q=67945

As that page explains,


said by CA:
--------------------------------------------------------------------------------
From time to time, Computer Associates receives requests from vendors whose products are detected by eTrust PestPatrol Anti-Spyware to stop detecting their products. When this happens, CA opens a Vendor Appeal.

The Vendor Appeals Process is designed to ensure the highest level of accuracy and quality in eTrust PestPatrol Anti-Spyware products. The first step of the Vendor Appeals process is to temporarily remove the product in question from the eTrust PestPatrol database, as well as the Spyware Encyclopedia, pending further evaluation. An evaluation of the product is then conducted using the eTrust PestPatrol Spyware Scorecard, a behavior-based list of criteria that defines what eTrust PestPatrol AntiSpyware products will detect, as well as the eTrust PestPatrol Anti-Spyware User Permission Requirements. A written report is provided to the vendor when the evaluation is complete. If the evaluation shows that the product continues to meet one or more of the criteria listed on the eTrust PestPatrol Spyware Scorecard, the product will be added back to the database and eTrust PestPatrol products will resume detection of it. It will also be added back to the Spyware Encyclopedia. In the event that the product does not meet any of the criteria on the eTrust PestPatrol Spyware Scorecard, the product will be permanently removed from both the eTrust PestPatrol database and the Spyware Encyclopedia. Products which have been temporarily removed from the database and the Spyware Encyclopedia will be listed on this page each week.
--------------------------------------------------------------------------------

On March 25, CA posted a notice to that page about Claria:


said by CA:
--------------------------------------------------------------------------------
March 25, 2005:

REMOVED: Gator/GAIN/Claria: all known products found in our database under the names Gator, GAIN, Claria or Gator/GAIN/Claria. For those who wish to remove Gator/Gain/Claria while it is undergoing appeal, Manual Removal Instructions are available.
--------------------------------------------------------------------------------

Strangely, this removal is not announced on CA's "New & Improved Pest Detections" page, which appears to be out of date ("Changes for version: 05031815"):

http://research.pestpatrol.com/News/New_An..._Detections.asp


That page lists "Gator/GAIN/Claria" only as "Modified," not "Removed," nor does it mention the full range of Claria's products.

Still more oddly, that page does list "Whenu.ClockSync" as having been removed, though CA's "Spyware Information Center" home page lists "WhenU.Desktop Toolbar" as "newly discovered" -- see:

http://www3.ca.com/securityadvisor/pest/


A quick check of CA's information pages for both Claria and WhenU products reveals most of them (though not all) to be blank -- devoid of the usual information contained in CA's write-ups of targeted programs -- see CA's "Pest Encyclopedia":

http://research.pestpatrol.com/search/browse.aspx
or http://www3.ca.com/securityadvisor/pest/browse.aspx


Finally, a test with Pest Patrol 5 and KaZaA, which installs Claria's software (among several other adware programs), does indeed confirm that Pest Patrol 5 with the latest definitions does not detect and remove Claria's software, though as the second screenshot above illustrates, it still detects a few stray Claria Registry keys as "AdDestroyer" (an unrelated product from VirtualBouncer).

CA's "Vendor Appeals" page does contain a link to "Manual Removal Instructions," but clicking on that link only takes you back to CA's Spyware Information Center, which informs users that the "most rapidly spreading spyware" currently is Grokster:

http://www3.ca.com/securityadvisor/pest/co....aspx?cid=64477
As that page notes, Grokster (like KaZaA) installs numerous adware products, including Claria's (Gator). But of course Claria has been temporarily removed from Pest Patrol's detections.

Although Pest Patrol was wise to include a notice of some sort to its users on the "Vendor Appeals" page, many users simply won't know to look there. Thus, I think CA still has a ways to go in creating policies and procedures to notify its users of routine removals of products that it must know its users will be concerned about.

Best,

Eric L. Howes


Calendar of Updates
Malware Advisor Blog
HijackThis! Trusted Advisor
Ultimate Countermeasures Page
TeMerc Internet Countermeasures
Remember, you can NEVER be OVERPROTECTED!!!
Proud Member of the Alliance of Security Analysis Professionals


#2 TeMerc


Posted 01 April 2005 - 08:14 PM

PestPatrol, which is marketed by Computer Associates International Inc., uses a strict, 21-point Spyware Scorecard to determine whether to flag a piece of software as a privacy or security threat.

"We use a behavior-based list of criteria, and we make that list public. If your software meets any of the criteria, you're classified as spyware in our database," said Tori Case, director of security management at eTrust PestPatrol.

That approach, Case argued, sets up a structure for a legitimate adware vendor with good intentions to "clean up their act" in an open, transparent way.

In stark contrast to the PestPatrol approach, anti-spyware players such as Webroot Software Inc., Sunbelt Software and newcomer Microsoft Corp. deliberately avoid limiting or restricting the definition criteria.

"The adware vendors want you to use strict definitions so they can play games and work around those lists. That's why PestPatrol is having problems with delisting and relisting," said Eric Howes, an anti-spyware advocate who provides consulting services for Sunbelt. "The minute you set up these definition lists, you are setting yourself up for cat-and-mouse games."


"A better approach is to define a set of objectionable practices. Many people want to focus on the quality and functionality of the software, but that doesn't work because there's a lot of deceptive intent [from adware vendors]," Howes said in an interview with eWEEK.com.

"You have to focus on the business practices and outline a list of objectionable behavior. Yes, it can be subjective, but that's the only way it works in the interest of the consumer," Howes said.


PestPatrol's Tori Case defended the company's use of a rigid definition formula, which is revisited and updated to accommodate new threats.

"We revisit the scorecard every 90 days to make modifications to reflect the changing nature of the spyware market. That's how we address the issues of a company playing games. It's a rapidly evolving world out there, and we have systems in place to deal with it," Case said.

She said the vast majority of vendor appeals do not result in big changes to the PestPatrol product, and even when detections are removed, old versions of the adware program are still detected and deleted.

"We're very committed to the approach we've taken with the scorecard. That's not going to change anytime in the future," Case added.

PestPatrol's Case said she agrees. "Hindsight is 20-20 for all of us. Some big mistakes were made in COAST that we can all learn from. Although there is a place for certification [of adware applications], it should not be within an anti-spyware group. We need to build a wall to avoid those conflict-of-interest issues."


Full Read @eWeek
========================================================================


Hi All:

As reported earlier this week, CA Pest Patrol temporarily removed all of Claria's products from its detections pending a vendor appeals process initiated at Claria's request:

»Pest Patrol: Claria Temporarily Removed

Today CA announced that it had restored all of Claria's products to its detections -- see:
»www3.ca.com/securityadvisor/pest/conte..


said by CA Pest Patrol:
--------------------------------------------------------------------------------
April 1, 2005:

RESTORED: Gator/GAIN/Claria: After failing the eTrust PestPatrol scorecard, all products removed on March 25, 2005, were restored to the database under the names Claria or Gator/GAIN/Claria and new products were added to the database under the name Claria.
--------------------------------------------------------------------------------

But there's more here than might first meet the eye. It appears that during the vendor appeal process, not only did CA decide that five previously known and detected Claria products clearly met its criteria ("scorecard") for targeting programs, but CA discovered three NEW Claria products that it added for the first time into its detections database.

Still worse for Claria, in a number of cases the products that CA already knew about have received updated classifications that are more damning than they were before.

Here's a summary of the updates, changes, and additions to the Claria products included in CA Pest Patrol's definitions:

* Dashbar
was: Adware
now: Spyware/Toolbar/BHO

* Date Manager
was: Adware
now: Adware & Spyware

* PrecisionTime:
was: Adware
now: Adware & Spyware

* Weatherscope
was: Adware/Home Page Hijacker/Search Hijacker
now: Adware & Spyware

* WebSecureAlert
was: Adware
now: Adware & Spyware

* Claria/Gator/GAIN
was: Adware/Search Hijacker
now: Adware & Spyware

* GotSmiley (new)
was: n/a
now: Adware & Spyware

* Screencenes (new)
was: n/a
now: Adware & Spyware

* eWallet (new)
was: n/a
now: Adware & Spyware new

You can check out all of the Claria products now detected by CA Pest Patrol here:

»research.pestpatrol.com/search/search...

Search on the term "Claria."

You can find CA's "scorecard" for evaluating programs here:

»www3.ca.com/Content/default.aspx?CID=6..

Related criteria here:

»research.pestpatrol.com/WhitePapers/Sc..

CA's Vendor Appeals Process is explained here:

»www3.ca.com/Content/default.aspx?CID=6..

The moral of this story is, although Claria got a temporary one week reprieve by pressuring CA to review its products, it ultimately ended up losing big time. Not only were its products added back in, but they were added back into CA's detections with more severe classifications in some cases. Moreover, CA rubbed salt in the wound by adding three new Claria products to its detections.

Although I'm still not completely satisfied with the state of CA's vendor appeals process and the way that process is reported to customers and users, I must confess to being most pleased with the outcome of this particular vendor appeals process. Perhaps other adware firms will think twice before approaching CA with what, on the evidence we can see, must have been a frivolous appeal.

Best,

Eric L. Howes


From this DSLR thread

#3 jgweed


  • Members
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.

Posted 02 April 2005 - 11:56 PM

There is a very good discussion (EWeek) of how definitions of what constitutes spyware are determined, why and how they vary between different applications, and the threat of lawsuits to the companies that produce them:

The Chaotic World of Defining Spyware
By Ryan Naraine
April 1, 2005

http://www.eweek.com/article2/0,1759,1781753,00.asp

Of curious interest is that, in addition to the normal criteria for spyware:

"Microsoft's criteria also address the general impact on performance, reliability and quality of the user's computing experience. For example, if an adware program slows down PC performance or corrupts the operating system, it is likely to be flagged as a spyware threat."

Regards,
John
Whereof one cannot speak, thereof one should be silent.



