home

Potentially Unwanted Program Policy

The following policy describes what we as well as most of the anti-virus community consider to be PUPs, or potentially unwanted programs (also known as adware). The list below describes unwanted or bad behaviors that an application might exhibit which could be used to classify it as a PUP. While some PUPs exhibit multiple criteria defined below, other may contain just one behavior that might classify it.

Advertising Criteria

Excessive or obtrusive advertising - If a program contains 'excessive' or obtrusive ads that blocks normal content that is not associated with the installing program in a non-standard location. If the ad hides content on a web page and/or the pop-up ad contains a close option that is too close to the ad itself and might inadvertently be clicked on by the end user.

Out of context advertising - If the program displays advertisements that are not relevant to the user and typically contain ads for unwanted products (other PUPs) or interfere with normal web browsing.

Malvertising ads - If the program syndicates or directly displays any ads for other programs that are deemed malicious or rightfully detected by any antivirus software.

Popups and Popunders - If the program displays any popups through the web browser or external to the browser in another browser window that is either triggered by the program or through injected code in the browser.

Ad insertation - If the program injects advertisements in web pages that do not directly belong to the program or are under explicit control of the program. This could include injecting banner ads in the top or bottom of a web browser page or injecting context text-link ads (ads that underline various words in the HTML of the page and provide a rollover advertisement).

Ad overlays - If the program inject or overlay an ad on top of a legitimate existing advertisement on a web page.

Ad replacement - If the program replaces the legitimate native advertisement of a web page that is not in explicit control of the program publisher with a new ads.

Ads without attribution - If an ad is included in a web page that is generated from the program's web browser extension, add-in or background process and does not contain clear attribution as to the ad's provider or host.

Sneaky advertisements - If a program includes advertisements that are not clearly identified as advertisements.

Page-click redirections - If the program monitors web page clicks and redirects or opens a new browser window to display some form of advertisement.

Competitive redirection - if the program in any way modifies the expect link or modifies the redirection or a hyperlink to a competitor web site instead of the desired page a user expected.

Proxy trapping - If the programs installs a proxy server that is used by the browser and modifies in anyway the normally expected rendered web page. This includes injecting ads or search results, etc.

Adds desktop shortcuts to unrelated products - if the program ads shortcuts on the users desktop to unrelated or partner programs that were not installed or are just advertisements.

Browser Criteria

Toolbars with little or no value - If the program is a toolbar or web browser extension/addin (depending on the browser) and brings little to no value other than pushing advertisements or modifying the browser's search, home or tab pages. This also includes extensions that are installed across all browsers and offer low value to the user except for advertising.

Modifying search results - If the search results or altered in anyway by the application, reguardless of the how the program is technically implemented. This includes any results from non-operated search portals that have results modified in anyway.

Inserting search results - If the program inserts additional search results in a search portal. This could also include modifying the legitimate ads on a search portals ad section with new advertisements.

Content injection - If the browser extension modifies a web page in anyway that is not expected from the end user (reguardless of they agreed with it in the EULA/Terms of Service). This could include adding additional content or removing content from a web page not operated by the program.

Home page hijacking - If the home page of the user's web browser is modified, this includes the default browser as well as all browsers.

Search hijacking - If the search page or search provider of the user's web browser is modified, this includes the default browser as well as all browsers.

Bookmark insertation - If the program adds an unsolicited bookmarks to the user's web browsers.

Browser extensions that are hidden - If the browser extension or add-on is not easily visible in the browser's default add-on manager and cannot therefore be managed or uninstalled by the browser. This also includes extensions that are protected or grey-out in the browser manager.

Browser extensions with misleading names - If the browser extension is not clearly named or easily identifiable by the end user, or is misnamed to confuse the user.

Bundling Criteria

Bundles by a 3rd-party program - If the software is bundled by another program such as a download manager and is included with another potentially unwanted program within the bundle.

Bundles 3rd-party programs - If the program's installer bundles additional software including any identified as unwanted. This includes bundling any form of PUP, adware or malicious program regardless if the program includes the EULA or Terms of Service. In addition in the bundle program(s) are pre-checked to be installed by default or fit any of the criteria for a PUP.

Using a service to bundle the program - If the program is bundled by or bundles additional software using any of the following services or download managers (subject to change); Open Candy, InstallCore, CodeFuel products, InstalleRex, InstallX, Tuguu, Solimba, Adknowledge, as well as dozens of others not explicitly defined here.

Additional Criteria

Creating excessive desktop shortcuts - If the program adds excessive shortcuts on the desktop.

Programs that do not have a standard uninstall procedure - If the program does not includes a standard uninstall procedure listed in Windows Add/Remove programs. This also includes programs that require an additional uninstaller to be downloaded.

Programs that do not have an uninstall procedure - If the program has no form of uninstall procedure or the uninstall procedure does not work or the program uses any features that prevents it from being easily removed.

Non-standard install locations - If the program does not install itself in a standard location in Windows such as the Programs Folder. This include programs installing components into temporary or system directories.

Self protection - If the program contains any process or background procedure including startup execution points designed to prevent the process from being removed or stopped or contains any mechanism designed to make uninstallation or removal more difficult by reinstalling the main application if it is removed. This also includes programs that attempt in anyway to prevent anti-virus programs from removing it if it was detected by the program and removal was initiated by the end user.

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.