Trovico not discovered


HoogendoornJH wrote:

 

Well, I think this post is losing track and can be finalized.

 

Unfortunately, the concept of ‘total care’ is not shared by most contributors to this post. I think the challenge for protection software developers is in offering a complete, configurable suite covering all the protection you need to avoid unwanted and ‘sneaky’ intrusions, invasions, PUPs, PUMs, USIs or whatever  in data exchange between devices (whether by internet, USB-ports, telephone lines or whatever). This holds especially for paid protection software as it should supply ‘added value’ amongst separate, more specialized and often free protection software.

 

For me, the most valuable contribution to this post was message number 3 from lmacri. My conclusion is that NIS will not deliver the ‘added value’ I demand from a paid package and I will compose a suite myself with free software, saving me the contribution fee for Norton in the future.

 


Other members of the Norton Community share your view on this issue though. Please see my posts here:

 

http://community.norton.com/t5/Tech-Outpost/Malwarebytes/m-p/1078497/highlight/true#M8897

 

 

http://community.norton.com/t5/Tech-Outpost/Why-does-Norton-360-NOT-warn-against-sites-like-Open-Candy-and/m-p/1106438/highlight/true#M9455

 

NIS already has the Download Insight reporting feature which could handle potentially unwanted programs; all it needs is for detections for the files to be added.

 

For example, if I launch the PUP that lmacri described earlier, the following dialog is displayed which asks me what action I want to take:

 

[Image: NIS 21-2-0-38 Download Insight - Actual - Softangodownloader.png]

 

 

If I launch the same file using Malwarebytes Pro 2.0 (beta), the following dialog is displayed which asks me what action I want to take:

 

 

[Image: MBAM 2 PUP Detection - Warn user about detections.png]

 

The Malwarebytes alert clearly warns me that the file contains a PUP. If I choose to proceed with the install, then at least I'll be on my guard to look out for all those 'sneaky' checkboxes.

 


 


elsewhere wrote:

[Image: MBAM 2 PUP Detection - Warn user about detections.png]

 


Non-Malware Detected.  It's fine if Malwarebytes wants to alert to those sorts of things, but it does point up the bottom line that we are talking about programs that are not malicious.  I'm not saying that Norton shouldn't also alert to non-malware, but certainly it does get into a legal gray area when you are blocking someone else's legitimate program only because you think the user might not really want it. 


SendOfJive wrote:
I'm not saying that Norton shouldn't also alert to non-malware, but certainly it does get into a legal gray area when you are blocking someone else's legitimate program only because you think the user might not really want it.

Hi SendOfJive:

 

I'm not sure that presenting a pop-up asking a user if they would like to quarantine or install a bundled PUP creates a legal grey area.   A wrapped installer might not carry a malicious payload capable of corrupting my OS or stealing passwords, but I always worry about PUPs like browser re-directors that could expose my system to other malicious software.  I still think MBAM's "Non-Malware Detected" warning shown in message # 41 is much better than Norton's green checkmark and "Safe to Run" notification, but I concede I might be in the minority.

I have a paid version of MBAM PRO on my system so I thought users might be interested to know what happens when I run both NIS and MBAM PRO together in realtime protection mode and try to download the test file (SoftangoDownloader_SysinternalsProcessMonitor.exe) mentioned in message # 30.  The malicious website blocking feature of MBAM's realtime protection blocks the connection to the humiapp.com server and prevents the "infected" wrapped installer from downloading to my hard drive.  The message displayed in my Firefox browser is "Unable to Connect - Firefox can't establish a connection to the server at www. humipapp.com".

 

[Image: MBAM Malicious Website Blocking.png]

[Image: Test 1 - MBAM  PRO Firefox.png]

 


Norton ConnectSafe provides users with similar protection from malicious web sites, but I think this speaks to the OP's comments about "total protection".  Newbies who purchase an Internet Security suite (and I include any IS suite from Norton, McAfee, Kaspersky, etc. here) and are infected by one of these PUPs are often surprised when they post in the forum and learn that they should also perform on-demand scans with MBAM or SUPERAntiSpyware, reconfigure DNS settings to use the SafeConnect IP addresses, and take other preventative measures to supplement their IS protection.  I missed the point the OP was trying to raise when I read his initial post and I apologize to HoogendoornJH if my early replies in this thread sounded like I was dismissing his concerns.
------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 27.0.1* IE 9.0 * NIS 2013 v. 20.4.0.40 * MBAM PRO 1.75.0.1300
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

"The protection module protects you from malicious threats..."  I am in complete agreement that malicious threats should be blocked.  Software that installs without providing a way for the user to know or to opt out is malicious.  That should not include anything labeled "non-malware."  If the Softango downloader installs any secondary software without notice, then yes, it should be blocked, but if it simply offers InstallBrain, that is the gray area.


SendOfJive wrote:

"The protection module protects you from malicious threats..."  I am in complete agreement that malicious threats should be blocked.  Software that installs without providing a way for the user to know or to opt out is malicious.  That should not include anything labeled "non-malware."  If the Softango downloader installs any secondary software without notice, then yes, it should be blocked, but if it simply offers InstallBrain, that is the gray area.


All Malwarebytes is doing is warning the user that it has detected InstallBrain in the installation file that the user is running. InstallBrain has been classified as a PUP because it exhibits one or more of the bad behaviours listed on Malwarebytes' PUP checklist. If the creators of InstallBrain want to dispute that classification then they can do that via a PUP Reconsideration request. Keep in mind that we wouldn't be discussing this issue if PUP removal was always as simple as a Control Panel uninstall that removed all traces of the PUP in question.

 

Symantec's position on dealing with PUPs is inconsistent across operating systems as well. Norton Spot on the Android OS will rate apps based on a potential annoyance factor. Here is an example of Norton Spot detection for an app:

 

Potential annoyance is medium.

Ad Network: <Name>

- Displays ads in the app

- Collects location coordinates

 

That's all it detects for that app. What are the options presented to the user to deal with this app? Only one - Uninstall. If those two criteria above are enough to trigger a detection with an annoyance level of medium, then why aren't PC applications subjected to the same 'potential annoyance factor' criteria?

 

With respect to not including anything labeled "non-malware", consider the cases where a PUP installs a Bitcoin miner on the unsuspecting user's PC:

 

http://blog.malwarebytes.org/fraud-scam/2013/11/potentially-unwanted-miners-toolbar-peddlers-use-your-system-to-make-btc/

 

Quoting that article:

 

So now that we have proof that a PUP is installing miners on users systems, do they do it without ever letting the user know? Well not exactly, their EULA specifically covers a section on Computer Calculations:

 

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

 

Their explanation is basically the purpose of Bitcoin Miners and that they will install this software on the system, run it, use up your system resources and finally keep all rewards from the effort YOUR system puts in.

 

Talk about sneaky.

 

How many users here would have read that part of the EULA and thought "Oh, it's going to install a Bitcoin miner."? Given the potential for a Bitcoin miner to damage the hardware, isn't the best time to warn the user about this potentially unwanted program the moment they try to install it?

 

 

 


HoogendoornJH wrote:

Well, I think this post is losing track and can be finalized.

 

Unfortunately, the concept of ‘total care’ is not shared by most contributors to this post. I think the challenge for protection software developers is in offering a complete, configurable suite covering all the protection you need to avoid unwanted and ‘sneaky’ intrusions, invasions, PUPs, PUMs, USIs or whatever  in data exchange between devices (whether by internet, USB-ports, telephone lines or whatever). This holds especially for paid protection software as it should supply ‘added value’ amongst separate, more specialized and often free protection software.

 

For me, the most valuable contribution to this post was message number 3 from lmacri. My conclusion is that NIS will not deliver the ‘added value’ I demand from a paid package and I will compose a suite myself with free software, saving me the contribution fee for Norton in the future.

 


Hi,
Just one request. When you have built that package please share it.

Thanks


SendOfJive wrote:
I'm not saying that Norton shouldn't also alert to non-malware, but certainly it does get into a legal gray area when you are blocking someone else's legitimate program only because you think the user might not really want it.

Hi SendOfJive:

I suspect our opinions about the grey area that companies like Malwarebytes and Symantec face when it comes to distinguishing PUPs vs. malware are quite similar.   I was only objecting to the term "legal gray area" since, as elsewhere noted in message # 45, Malwarebytes has posted a comprehensive list of unacceptable behaviours for their PUP criteria (e.g., hijacking search engines, hijacking the home page, out-of-context advertising, etc.) and has a formal appeal process that software developers can follow if they feel their software has been unfairly classified as a PUP.

I posted a question in the Malwarebytes forum here and asked if MBAM PRO should be able to detect bundled PUPs during downloads (i.e., similar to the "infected" SoftangoDownloader_SysinternalsProcessMonitor.exe wrapped installer I tested in message # 30).  The replies from Malwarebytes employee AdvancedSetup are very much in line with your comments.  AdvancedSetup also recommended I read his post titled The Complexity of Finding, Preventing and Cleanup from Malware that includes comments on the role of individual users (e.g., keep Flash/Java/Windows up-to-date, back up important data, etc.) in preventing/recovering from malware infections.

------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 28.0* IE 9.0 * NIS 2013 v. 20.4.0.40 * MBAM PRO 1.75.0.1300
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS


dickevans wrote:

HoogendoornJH wrote:

Well, I think this post is losing track and can be finalized.

 

Unfortunately, the concept of ‘total care’ is not shared by most contributors to this post. I think the challenge for protection software developers is in offering a complete, configurable suite covering all the protection you need to avoid unwanted and ‘sneaky’ intrusions, invasions, PUPs, PUMs, USIs or whatever  in data exchange between devices (whether by internet, USB-ports, telephone lines or whatever). This holds especially for paid protection software as it should supply ‘added value’ amongst separate, more specialized and often free protection software.

 

For me, the most valuable contribution to this post was message number 3 from lmacri. My conclusion is that NIS will not deliver the ‘added value’ I demand from a paid package and I will compose a suite myself with free software, saving me the contribution fee for Norton in the future.

 


Hi,
Just one request. When you have built that package please share it.

Thanks


Your comment comes across as rather flippant, dickevans. If Norton products don't provide the protection that users expect, then those users may very well turn to free products that do meet their needs. User feedback like this is important to Symantec as it provides further insight into the reasons behind their recent lacklustre financial results:

 

http://news.techworld.com/security/3499736/symantecs-results-show-firm-battling-changing-security-market/?olo=rss

 

Objectively speaking, what is your position on this Norton PUP detection issue?

 

 

 

Moving on then.

 

Please find below another impressive example of EULA abuse:

 

http://blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/

 

Highlights from the article above include:

 

Worth noting that if you read all of the listed EULAs and policy pages, you’re looking at something like 18,000 words to plough through. I say “something like”, because one of the pages isn’t text you can tally up – it’s one gigantic screenshot of text instead.

 

A dialog box presented during the install that advises that:

 

“…we would like to install on your machine the following program that uses your CPU for virtual currency mining and other computational activities when it is idle / standby, this program does not interfere with normal operations of the processor while you are working on the machine”

 

...and then there is this little gem in the EULA (emphasis mine):

 

Here’s the bit that made me sit up and take notice:

 

2) “…may do but not limited to the following actions to your personal computer: utilize all computing processing unit and graphics processing unit, power, random access memory, virtual memory…network capacity and bandwidth and any other resources it sees fit, activate all fans and generate an unlimited amount of heat, and utilize an unlimited amount of electricity (outlet and battery). This may damage and cause irreparable harm to your computer

 

That sound you hear is the ever increasing distance of my footsteps, breaking into a mad dash for freedom. [...]

 

On the one hand, the people behind this bundle are being surprisingly upfront about the system stressing possibilities of a miner (assuming you click the links in the installer, otherwise you’re going to miss it). On the other hand, who would read all of the above and think “Yes please, sign me up”?

 

Luckily for end-users, Symantec products detect this file as Trojan.ADH.2, as per the VirusTotal results noted in the link above.

 

However, if you applied the ‘legal gray area’ argument to this file though, then Norton products should not be detecting this file. The EULA and installation dialog boxes associated with this file clearly state that the software vendor is going to install a virtual currency miner on the end-user's machine and that, as a consequence, this software may potentially damage and cause irreparable harm to that end-user’s computer. If the end-user has consented to the terms of this EULA (by mindlessly clicking through the EULA/installation dialogs or otherwise), then what right, under the ‘legal gray area’ argument, has Symantec to interfere with this software installation process by detecting this file as Trojan.ADH.2? Food for thought.

 

If Symantec wishes to continue taking a risk-averse position in terms of their Norton product’s Potentially Unwanted Program (PUP) detection capabilities, then, at the very least, they should consider introducing a new global detection for virtual currency miners, e.g. a Bitcoin miner.  This detection would give the Norton end-users, who have fallen foul of a rogue virtual currency miner installation, a method of removing the miner from their system. This Norton-detected miner removal process would, in some ways, make amends for their Norton product’s initial failure to block the Potentially Unwanted Program that installed the miner in the first place...