SpyHunter's Threat Assessment Criteria
The following description of SpyHunter's Threat Assessment Criteria model, which is applicable to SpyHunter Pro, SpyHunter Basic and SpyHunter for Mac, as well as SpyHunter Web Security (including both the version available in connection with SpyHunter Pro, SpyHunter Basic and SpyHunter for Mac and the standalone version) (hereinafter, all collectively referred to as "SpyHunter"), is presented to help users understand the parameters SpyHunter uses in identifying and generally classifying malware, potentially unwanted programs (PUPs), potentially unsafe websites and IP addresses, privacy issues, vulnerable applications and other objects.
As a general proposition, malware may include spyware, adware, trojans, ransomware, worms, viruses, and rootkits. Malware generally represents a security threat that should be removed from systems as soon as possible.
Another category of program users often want to address and potentially want to remove consists of potentially unwanted programs (PUPs) and/or potentially unsafe websites and IP addresses. A PUP is software that a user may perceive as unwanted (even if a user potentially consented to install it or wishes to continue to use it). PUPs may engage in unwanted behavior, such as installing toolbars in web browsers, displaying advertising, and changing the default browser homepage and/or search engine. PUPs may also consume system resources and cause operating system slowdowns, crashes, security breaches and other issues. Potentially unsafe websites and IP addresses may distribute malware, viruses, trojans, keyloggers, and/or PUPs. Potentially unsafe websites and IP addresses may also engage in phishing, data theft and/or other scams or unauthorized behaviors.
Although there has been some debate concerning cookies and the extent, if any, to which they represent an issue or threat for users' systems, cookies have been identified as potential privacy risks by many users over time. Cookies, depending upon their developer's designed objectives, may be used to track your personal information and browsing habits as you surf the web. Information may be retrieved by the company that set the cookie. Users may wish to remove these objects to help maintain their online privacy. Because some users view tracking cookies as a potential privacy issue, SpyHunter detects some, but not all, cookies on users' systems. For cookies detected by SpyHunter, users have the option to allow them on their individual systems or to remove them depending upon their personal preferences.
EnigmaSoft uses a combination of machine-based static and dynamic analysis, including heuristics and predictive behavior principles, along with general user experience metrics and its own technical expertise to analyze the behavior and structure of executable files and other objects. Through these and other proprietary processes, EnigmaSoft categorizes objects into categories including malware, PUPs and privacy issues to detect, block and/or remove items for users' protection.
Like certain other anti-malware program developers, EnigmaSoft has also considered and utilized the standards, update data, and criteria for setting its Threat Assessment Criteria available from respected third-party anti-malware research sources. For example, EnigmaSoft considers the standards and criteria set by AppEsteem, Inc., including in particular, AppEsteem’s ACRs ("AppEsteem Certification Criteria). As a further example, EnigmaSoft considers potentially relevant factors from the risk model previously developed by Anti-Spyware Coalition ("ASC") in connection with setting its Threat Assessment Criteria, including various substantive sections of ASC's risk model. EnigmaSoft has enhanced its SpyHunter Threat Assessment Criteria based on its technical expertise, it’s continuing research and updates of malware risks and the experience of users to develop EnigmaSoft's specific criteria. In constructing EnigmaSoft's Threat Assessment Criteria model, we have identified a set of specific features and behaviors that are used by EnigmaSoft to classify executable files and other objects for SpyHunter. Since malware, PUPs, unsafe websites and IP addresses, and/or other potential threats or objectionable programs are constantly evolving and adapting, we reassess and redefine our risk assessment model on a continual basis over time as new bad practices are discovered and exploited.
This document generally describes our Threat Assessment Criteria. More specifically it:
- Outlines the common terminology and process for classifying software on a user's computer as being potentially malicious or containing unwanted technologies;
- Describes the behaviors that can lead to detection, so that our engineers, our technicians, Internet users, and our customers will have a better understanding of our decision-making process; and
- Provides an overview of the approaches EnigmaSoft uses to classify software applications, websites and IP addresses.
Note: Our Threat Assessment Criteria is based on behavior. The criteria below are the key factors that EnigmaSoft uses to make a determination, but each and every one of them may not always be applied in every instance. Accordingly, we may decide to use all or a subset of the criteria, as well as additional factors - all with the goal of best protecting our users. In general, a program's rating will increase with risk behaviors, and decrease with behaviors that provide user consent and control. In rare instances, you may encounter a useful program classified as malware because it bears aspects which we label as malware; therefore, we advise that when you run a scan with SpyHunter to check identified items on your computer before removing them.
1. Modeling Process Overview
The Threat Assessment Criteria risk-modeling process is the general method EnigmaSoft uses to determine the classification of a program:
- Determine the installation method used
- Install and research software to determine areas of impact
- Measure the risk factors
- Measure the consent factors
- Weigh the risk factors against the consent factors to determine what classification and level apply, if any
Note: EnigmaSoft weighs and combines these factors on its own scale, called the Threat Assessment Level, which we will define in this document. For example, we may detect a program that tracks the user, even if such behavior is turned 'off' by default. In such cases, we may detect the program as potentially unwanted or as a threat, but assign a low warning level.
2. Overview of the Risk Categories
Malware and other Potentially Unwanted Programs (PUPs) encompass a wide variety of behaviors that can concern users. We generally focus on technologies in the following areas:
- Privacy – The risk that the user's sensitive personal information or data will be accessed, gathered and/or exfiltrated, and the user will possibly face:
- Exposure to fraud or identity theft
- Loss of personal information
- Unauthorized tracking
- Security – Threats to the system integrity of the computer, such as:
- Attacking the computer, or using it as part of an attack
- Exposing the computer to risk by lowering security settings
- Using computer resources in an unauthorized manner
- Hiding programs from the user
- Subjecting users to ransomware attacks or otherwise compromising user data
- User Experience – Impacting the user's ability to use the computer in the preferred manner, without disruption, such as:
- Delivering unexpected advertisements
- Changing settings without user disclosure and/or consent
- Creating system instability or slowing performance
These risk categories are not mutually exclusive and are not limited to the examples above. Instead, these risk categories represent the general areas we examine, and they help to describe – in short, common language – the impacts to users that we examine.
For example, SpyHunter may detect a program because it intercepts network traffic. When flagging the program, SpyHunter may explain that it has an impact on the user's privacy, rather than explaining the details of the underlying technology (which may be described in a more extensive write-up available on our website). To further describe a program, we may choose to rate a program along each risk category. We may also merge the categories into a single rating.
3. Risk and Consent Factors
Many applications have complex behaviors – the final determination of whether to identify a program as dangerous requires a judgment call on the part of our risk assessment team, based on our research, experience and policies. The following are key considerations in the risk modeling process:
- Technologies/activities are neutral: technologies and activities like data collection are neutral, and as such are harmful or helpful depending on their context. We may consider both the factors that increase risk and the factors that increase consent before making a determination.
- Many risk factors can be mitigated: a risk factor is an indication that a program has certain behavior. We may consider this behavior in context and decide whether the consent factors mitigate the risk. Some risk factors may not, on their own, lead to detection of a program, but they could lead to detection when considered in combination with other factors. Certain risk factors are impactful enough that they cannot be mitigated, such as installation by security exploit. The EnigmaSoft risk assessment team may choose to always alert the user about programs with these types of behaviors.
- Strive for objective, consistent rules: the factors outlined below are generally meant to be objective and easy to apply consistently. However, certain factors cannot be determined programmatically. Those factors may nonetheless be important to users (such as a program's use of deceptive text or graphics). In these cases, we may determine the impact according to our own internal threat assessment policies. Our objective is to identify the factors that increase risk and the factors that increase consent and balance them to determine the threat that a program presents.
- The general advice for software authors who wish to avoid being detected by SpyHunter or our online database sites is to:
- Minimize the risk factors
- Maximize the consent factors
4. Risk Factors ("Bad Behaviors")
The following risk factors are behaviors that have the potential for user harm or disruption. In some cases, the behavior may be desired, such as data collection for personalization, but can still present a risk if unauthorized. Many of these risks can be mitigated by providing the appropriate consent factors.
In certain cases, a risk may be serious enough that a vendor should be sure to explicitly and prominently inform users of the risk, even if general consent was given through a EULA/TOS or other means. This may be the case for certain monitoring or security tools. (Users who want this functionality will install such programs after receiving the explicit warnings and will have given informed consent.) Some risks, however, such as "installing by security exploit" may warrant automatic detection, no matter what consent is given.
Some risk factors may be minor, and not enough to warrant detection on their own. However, low-risk behaviors can help differentiate two similar programs. In addition, low-risk behaviors may be combined, and if enough low-risk behaviors are present, may lead to a higher risk being assigned to a program. We may consider a number of factors, including investigation of confirmed user feedback, general resources available to us for identifying malware, threats and/or PUPs, Terms of Service ("TOS") agreements, End User License Agreements ("EULA") or privacy policies when assessing risk factors.
We rate and classify software based primarily on behaviors inherent in the software itself, but we also closely examine installation methods. Note that installation method varies not only from program to program, but also by the distributor of the software and in some cases even by distribution model. In cases where intrusive, covert or exploitative installation has been observed, this fact is taken into account by our risk assessment team.
Although all behaviors can be problematic if unauthorized, certain behaviors are inherently more serious because they have greater impact. They are therefore treated with more severity. Also, the impact of a behavior can vary based on how frequently it is performed. The impact also can vary based on whether the behavior is combined with other behaviors of concern and based on the level of consent the user provided regarding specific behaviors.
The list in Section 6 below is a combined set of the risk factors that members of the EnigmaSoft Risk Assessment team consider in their final assessment of the Threat Assessment Level. We may weigh the risk factors as we see fit in our modeling formula. Note: If any software publisher's legal company or entity is only domiciled in the CIS (Commonwealth of Independent States), the PRC (People's Republic of China), or NAM (Non-Aligned Movement) countries, with no legal entities or company domiciles in the United States and its Territories, the European Union, and Commonwealth of Nations (which includes UK, Canada, Australia, New Zealand, Hong Kong, and the other top per capita members), we may determine that the risk factor of this publisher's software may be high, and thus we may categorize their products and services in our software database and websites as risky software. Countries only located in the CIS, PRC, and NAM are generally outside of the reach of Western laws and their law enforcement agencies.
5. Consent Factors ("Good Behaviors")
As discussed in more detail in Section 6 below, a program that provides users with some level of notice, consent, and control may mitigate a risk factor. Certain behaviors may present such a high-level risk, however, that no level of consent can mitigate them. We typically will warn users about such behavior.
It is important to note that consent factors are per-behavior. If a program has multiple risky behaviors, each is examined separately for its consent experience.
Although all attempts to obtain consent are helpful, some practices allow EnigmaSoft to conclude more strongly that the user understands and has consented to the specific behavior in question. The weight levels (Level 1, Level 2, and Level 3) indicate a relative ordering for the consent behaviors. These factors should be seen as cumulative. Level 1 represents less active consent while Level 3 represents the most active and, therefore, highest level of consent.
Consent is factored into the process of assessing risk. For example, in the list below in Section 6, the term "Potentially Unwanted Behavior" refers to any program activity or technology that can present a risk to users if abused, such as data collection or changed system settings without user consent.
The list below contains the consent factors that members of the EnigmaSoft Risk Assessment team consider in their final assessment of the Threat Assessment Level of the software being evaluated. We may weigh the consent factors as we see fit in our modeling formula.
6. The Final Threat Assessment Score ("Threat Assessment Level")
The EnigmaSoft Risk Assessment determines the Final Threat Assessment Score or Threat Assessment Level by balancing the risk factors and consent factors, using the modeling process outlined above. As mentioned, EnigmaSoft's determinations may be different than other vendors' determinations, but developers generally can avoid having their programs receive a high threat assessment score by minimizing the risk factors and maximizing the consent factors. Again, however, certain risks may be serious enough that EnigmaSoft will always inform users about the impacts, regardless of the consent level.
The risk modeling process is a living document and will change over time as new behaviors and technologies emerge. Presently, the final Threat Assessment Level we publish in SpyHunter, and in our online databases, is based on the analysis and correlation of the "consent factors/risk factors modeling process" described throughout this document. The determined severity level of an object is based on a score from 0 to 10 generated from the modeling process.
The list below describes the features of each Threat Assessment Level SpyHunter uses. The Threat Assessment Levels are as follows:
- Unknown, it has not been evaluated.
- Safe, a score of 0: These are safe and trustworthy programs, based on our available knowledge we understand have no risk factors and do have high consent factor levels. Typical behavioral characteristics of SAFE programs are as follows:
- Installation & Distribution
- Distributed via download, in clearly labeled packages, and not bundled by affiliates Level 3
- Requires a high level of consent before installation, such as registration, activation, or purchase Level 3
- Has a clear, explicit setup experience that users can cancel Level 3
- Potentially unwanted behaviors are clearly called out and prominently disclosed outside of EULA/TOS Level 2
- Potentially unwanted behaviors are part of the expected functionality of the program (i.e., an email program is expected to transmit information) Level 3
- User can opt-out of potentially unwanted behaviors Level 2
- User must opt-in for potentially unwanted behaviors Level 3
- Obtains user consent before software updates, where necessary under our model Level 3
- Obtains user consent before using passive technologies, such as tracking cookies, where necessary under our model Level 3
- Bundled Software Components (separate programs that will be installed)
- All bundled software components are clearly called out and prominently disclosed outside of EULA/TOS Level 2
- User can review and opt-out of bundled components Level 2
- User must opt-in for bundled components Level 3
- Visibility (Run-Time)
- Files and directories have clear, identifiable names and properties in accordance with industry standards (Publisher, Product, File Version, Copyright, etc.) Level 1
- Files are digitally signed by publisher with a valid digital signature from a reputable authority Level 2
- Program has a minor indication when it is active (tray icon, banner, etc.) Level 2
- Program has major indication when it is active (application window, dialog box, etc.) Level 3
- Control (Run-Time)
- Sponsor programs only run when sponsored program is active Level 2
- Clear method to disable or avoid program, aside from uninstall Level 2
- Program requires explicit user consent before starting (i.e., double-click an icon) Level 3
- Program requires opt-in before starting automatically or appropriately discloses the startup procedures, where necessary under our model Level 3
- Program Removal
- Provides a straightforward, functional uninstaller in a well-known location (such as "Add/Remove Programs") Level 2
- Program uninstaller removes all bundled components Level 2
- Installation & Distribution
- Low, a score of 1 to 3: Low threat level programs typically do not expose users to privacy risks. They typically return only non-sensitive data to other servers. Low threat level programs may display annoying and intrusive advertisements that may not be clearly identifiable as coming from the program. They can be uninstalled, but the process may be more difficult than for other programs. Usually, no EULA/TOS will be displayed during installation. If the software publishers of these low threat level programs have a high level of consent factors, we may reclassify the program as safe. Characteristics of LOW threat level programs could include:
- Identification & Control, including but not limited to:
- No indication the program is running inside an application, such as an icon, toolbar or window - Low
- No indication the program is running standalone, such as a taskbar, window or tray icon - Low
- Data Collection, including but not limited to:
- Uploads data that can be used to track user behavior offline and online as well as other types of data that may be sensitive, yet not personally identifiable - Low
- Uses tracking cookies to collect information - Low
- User Experience, including but not limited to:
- Advertising: Displays external advertisements that are clearly attributed to the source program, such as starting alongside the program - Low
- Settings: Modifies user settings such as favorites, icons, shortcuts, etc. - Low
- System Integrity: Attaches to other programs, such as the browser, using a non-standard method - Low
- Removal, including but not limited to:
- Uninstaller repeatedly attempts to badger or coerce the user into cancelling the uninstall - Low
- Identification & Control, including but not limited to:
- Medium, a score of 4 to 6: At these threat levels, programs usually have features that are deceptive, malicious, and/or annoying. The programs may also cause inconvenience, display misleading information to end users, or transmit personal information and/or web surfing habits to malware publishers or identity thieves. Even with the high consent factors some of these programs may exhibit, we classify, detect, and remove these programs due to the deceptive, annoying, or nefarious practices of these malicious software developers. Typical characteristics of this MEDIUM threat level could include:
- Installation & Distribution, including but not limited to:
- Software updates automatically without user's explicit consent, permission, or knowledge, such as not providing or ignoring user's request to cancel the update, except where necessary or appropriate under our model - Medium
- Identification & Control, including but not limited to:
- Program has incomplete or inaccurate identifying information - Medium
- Program is obfuscated with tools that make it difficult to identify, such as a packer - Medium
- Networking, including but not limited to:
- Floods a target with network traffic - Medium
- Data Collection, including but not limited to:
- Collects personal information, but stores it locally - Medium
- Uploads arbitrary user data, some of which could be personally identifiable - Medium
- User Experience, including but not limited to:
- Advertising: Displays external advertisements that are impliedly or indirectly attributed to the source program (such as a pop-up with a label) - Medium
- Settings: Changes browser pages or settings without disclosure and/or consent (error page, home page, search page, etc.), except where necessary or appropriate under our model - Medium
- System Integrity: With other risk behavior, potential to cause frequent system instability, and with other risk behavior, potential to use excessive resources (CPU, Memory, Disk, Handles, Bandwidth) - Medium
- Non-Programmatic Behaviors, including but not limited to
- Contains or distributes offensive language and content - Medium
- Consists of advertising components and is installed at or through web sites designed for, targeted at, or heavily used by children under 13 - Medium
- Uses misleading, confusing, deceptive, or coercive text or graphics, or other false claims to induce, compel, or cause users to install or run the software or take actions (such as click on an advertisement) - Medium
- Other Behaviors, including but not limited to:
- Program modifies other applications without disclosure and/or consent, except where necessary or appropriate under our model - Medium
- Program generates serial numbers/registration keys in an unauthorized fashion - Medium
- Installation & Distribution, including but not limited to:
- High, a score of 7 to 10: At these threat levels, the EnigmaSoft Risk Assessment Team typically will not consider any consent factors, because these programs present serious risks to end-users and the Internet community at-large. Programs at this threat level tend to include keyloggers, trojans, ransomware, rootkits, worms, botnet-creation programs, dialers, viruses, and variants of rogue anti-spyware programs. Here is a list of behavioral characteristics of programs we categorize at a threat level of HIGH:
- Installation & Distribution, including but not limited to:
- Replication behavior (mass-mailing, worming, or viral re-distribution of the program) - High
- Installs without user's explicit permission or knowledge, such as not providing, or ignoring, user's request to cancel installation, performing a drive-by installation, using a security exploit to install, or installing without notice or warning as part of a software bundle (Note: The rating of High indicates a typical rating for this item and its relative risk. The specific weight may vary depending on the impact and/or number of items installed.) - High
- Uninstalls other applications, competing programs and security programs, except where necessary or appropriate under our model - High
- Program downloads, is bundled with, or installs software that has potentially unwanted behavior (Reminder: The rating of High indicates a typical rating for this item and its relative risk. The specific weight may vary depending on the impact and/or number of items installed.) - High
- Identification & Control, including but not limited to:
- Creates polymorphic or randomly named files or registry keys, except where necessary or appropriate under our model - High
- Networking, including but not limited to:
- Proxies, redirects or relays the user's network traffic or modifies the networking stack - High
- Creates or modifies "hosts" file to divert domain reference, except where necessary or appropriate under our model - High
- Changes default networking settings (Broadband, telephony, wireless, etc.) without disclosure and/or consent, except where necessary or appropriate under our model - High
- Dials phone numbers or holds open connections without user permission or knowledge - High
- Alters the default Internet connection to connect at a premium rate (i.e. 2x normal rate) - High
- Sends communications including email, IM, and IRC without user permission or knowledge - High
- Data Collection, including but not limited to:
- Transmits personally identifiable data, without disclosure and/or consent, except where necessary or appropriate under our model (Reminder: Technologies are neutral, and they only become a high-risk factor when abused. Transmission of personally identifiable data can be acceptable with notice and consent) - High
- Intercepts communication, such as email or IM conversations, without disclosure and/or consent, except where necessary or appropriate under our model (Reminder: Technologies are neutral, and they only become a high-risk factor when abused. Interception of communications can be acceptable, in appropriate circumstances, with notice and consent) - High
- Computer Security, including but not limited to:
- Hides files, processes, program windows, or other information from the user and/or from system tools - High
- Denies access to files, processes, program windows or other information - High
- Allows remote users to alter or access the system (files, registry entries, other data) - High
- Allows host security to be bypassed (privilege elevation, credential spoofing, password cracking, etc.) - High
- Allows remote parties to identify vulnerabilities on the host or elsewhere on the network, except where necessary or appropriate under our model - High
- Exploits a vulnerability on the host or elsewhere on the network - High
- Allows remote control over a computer, including process creation, sending spam through the computer, or using the computer to conduct attacks on third parties - High
- Disables security software, such as Antivirus or Firewall software - High
- Lowers security settings, such as in the browser, application, or operating system - High
- Allows for remote control of the application, beyond self-update - High
- User Experience, including but not limited to:
- Advertising: Displays external advertisements that are not attributed to their source program (this does not cover advertisements related to online content that users deliberately visit, such as web pages). In addition, replaces or otherwise alters web page content, such as search results or links, except where necessary or appropriate under our model - High
- Settings: Changes files, settings or processes to reduce user control, without disclosure and/or consent, except where necessary or appropriate under our model - High
- System Integrity: Disables or interferes with system functionality (right-click behavior, ability to use system tools, etc.), without disclosure and/or consent, except where necessary or appropriate under our model - High
- Removal, including but not limited to:
- Self-healing behavior that defends against removal or changes to its components, or requiring unusual, complex or tedious manual steps to run the uninstaller, except where necessary or appropriate under our model - High
- Uninstaller does not functionally remove the program, such as leaving components running after reboot, not offering to uninstall bundled applications, or silently reinstalling components - High
- Does not provide an easy, standard method to permanently stop, disable or uninstall the program (such as "Add/Remove Programs" or equivalent) - High
- With other risk behavior, does not offer to uninstall bundled or subsequently installed software components - High
- Installation & Distribution, including but not limited to: