Yesterday I spoke with Paul Bryan at Microsoft about the company's new converged enterprise anti-spyware/anti-virus product, which was announced today under the unofficial name Microsoft Client Protection (see the story). We talked about the new product and also the difficulty of identifying, labeling and assessing the risk of programs that could be deemed to be spyware. I also asked Bryan, who is director of product management for client security, why Microsoft had downgraded some Claria Corp. software from "quarantine" to "ignore" in its Microsoft Windows AntiSpyware beta software.
First the new product: Microsoft is the latest to offer a combined anti-virus/anti-spyware client. That's a win since it means no loading of a separate anti-spyware agent onto already overburdened desktops and laptops. The product combines anti-spyware technology from Microsoft's acquisition of Giant Company Software Inc. (a standalone beta version, Microsoft Windows AntiSpyware, is available for free download) and its anti-virus product based on technology it acquired from GeCAD Software (now RAV). Microsoft now produces signature updates for RAV's product, Bryan says.
The new product will support centrally controlled deployment, policies, reporting and distribution of signature updates. It will support Active Directory and Windows Software Update Services (WSUS). In addition to signature-based identification, it will offer some protection against rootkits, Bryan says. A beta is due by year-end. Bryan declined to project a release date or reveal pricing.
On another note, a few months ago Microsoft demoted some programs, including some from Claria Corp., from a "quarantine" recommendation to "ignore." Bryan points out that Microsoft still flags all types of adware, including Claria's GAIN program, and that the categorization simply means that the program is not malicious. "The terminology is 'default ignore' and what that means is literally, remind me next time," Bryan says. "The user will see that show up and there will be a default there but they can take any action. The default is just a matter of severity."
The problem Microsoft and other vendors face is that spyware is an amorphous term that applies to not just what the software does but how it gets on the machine and how easy it is to remove.
Identifying what is spyware and whether the burden it puts on the machine is acceptable to the consumer of that free software program or the corporation that owns the machine is a grey area that can't be determined entirely by the anti-spyware vendor. But that doesn't mean they shouldn't try.
The easiest way out would seem to be to simply lump all questionable programs under the "unwanted programs" banner and let the user/administrator decide. But even that doesn't help. In environments where the desktop is locked down, all unwanted programs can be rejected by default. But most organizations can't do that. Users demand some flexibility and autonomy. So somewhere along the line, someone must make a judgement call as to which ActiveX programs, plug-ins, and other software are undesirable and which are not. "Undesirable" to IT means it causes instability and/or is a security risk. For users there is a third consideration: did the program install itself surreptitiously or did I agree and fully understand what I was putting on my machine? Consumers have the right to put anything on their machines they desire; corporate users do not. But if anti-spyware vendors can't clearly define the attributes of potential spyware and make a recommendation, where does that leave IT? Anti-spyware vendors need to give IT both the tools to identify potential spyware and the necessary context to make a decision.
IT needs the programs clearly identified as well as the specific behaviors. It needs to know whether or not the program installed itself without the end user's full knowledge, and whether the program can be fully removed through standard mechanisms if the user doesn't want it. Without that context, neither the user nor IT can make the necessary judgements.