- SpyHunter Risk Assessment Model -

Enigma Software Group USA, LLC ("ESG") offers its customers a license to use ESG's SpyHunter software. The license not only allows access to a robust selection of malware removal tools within the SpyHunter software, but also gives users access to a service called the Spyware Helpdesk, which provides personalized and individualized analysis and removal of the malware affecting a user's computer.

Malware comes in countless permutations and employs a wide range of deceptive or malicious functions. As is to be expected in such circumstances, Anti-Spyware vendors' rating systems will produce different results, and a program classified by one vendor as Spyware or as using other Potentially Unwanted Technologies may be differently classified by another vendor. In keeping with industry standards, and to remain in good standing with the Internet community, we believe it is important to be transparent about ESG's methods for determining whether particular software will be classified as a malware infection.

We have adopted the Anti-Spyware Coalition's ("ASC") risk model, and we have augmented it with internal risk models developed from our experience analyzing specific infections.  (The ASC risk model is available at http://antispywarecoalition.org/documents/documents/2007riskmodel.pdf, and because ESG has adopted ASC's risk model, it has incorporated into this document substantial parts of ASC's description of the ASC risk model.) In constructing ESG's model, we have identified a broad set of behaviors that can cause a program to be identified as malware. Since malware evolves or mutates every day, we expect the list to change over time as new bad practices are discovered.
This document describes our Risk Assessment Model. More specifically it:

  • Outlines the common terminology and process for classifying software on a user's computer as being potentially malicious or containing unwanted technologies;
  • Describes the behaviors that can lead to detection, so that our engineers, our technicians, Internet users, and our customers will have a better understanding of our decision-making process; and
  • Provides an overview of the approaches ESG uses to classify a software application.

Note: Our Risk Assessment Model is based on behavior. The criteria below are the key factors that ESG uses to make a determination. We may decide to use all or a subset of the criteria. In general, a program's rating will increase with risk behaviors, and decrease with behaviors that provide user consent and control. In unique instances, you may encounter a useful program classified as malware because it bears aspects which we label as malware; therefore, we advise that when you run a scan with SpyHunter, you check the identified items on your computer before removing them.

1. Modeling Process Overview

The risk-modeling process is the method ESG uses to determine the classification of a program:

  1. Determine the installation method used
  2. Install and research software to determine areas of impact
  3. Measure the risk factors
  4. Measure the consent factors
  5. Weigh the risk factors against the consent factors to determine what classification and level apply, if any

Note: ESG weighs and combines these factors on its own scale, called the Threat Assessment Level, which we will define in this document. For example, we may detect a program that tracks the user, even if such behavior is turned 'off' by default. In such cases, we may detect the program as unwanted or as a threat, but assign a low warning level.

2. Overview of the Risk Categories

Spyware and other Potentially Unwanted Technologies encompass a wide variety of behaviors that can concern users. We generally focus on technologies in the following areas:

  1. Privacy - The risk that the user's personal information or data will be accessed or gathered, and the user will face:
    1. Exposure to fraud or identity theft
    2. Loss of personal information
    3. Unauthorized tracking
  2. Security - Threats to the system integrity of the computer, such as:
    1. Attacking the computer, or using it as part of an attack
    2. Exposing the computer to risk by lowering security settings
    3. Using computer resources in an unauthorized manner
    4. Hiding programs from the user
  3. User Experience - Impacting the user's ability to use the computer in the preferred manner, without disruption, such as:
    1. Delivering unexpected advertisements
    2. Changing settings
    3. Creating system instability or slowing performance

These risk categories are not mutually exclusive, and are not limited to the examples above. Instead, these risk categories represent the general areas we examine, and they help to describe (in short, common language) the impacts to users that we examine.

For example, SpyHunter may detect a program because it intercepts network traffic. When flagging the program, SpyHunter may explain that it has an impact on the user's privacy, rather than explaining the details of the underlying technology (which may be described in a more extensive write-up available on our website). To further describe a program, we may choose to rate a program along each risk category. We may also merge the categories into a single rating.

3. Risk and Consent Factors

Many applications have complex behaviors - the final determination of whether to identify a program as dangerous requires a judgment call on the part of our risk assessment team, based on our policies.  The following are key considerations in the risk modeling process:

  1. Technologies/activities are neutral: technologies and activities like data collection are neutral, and as such are harmful or helpful depending on their context. We may consider both the factors that increase risk and the factors that increase consent before making a determination.
  2. Many risk factors can be mitigated: a risk factor is an indication that a program has certain behavior. We may consider this behavior in context and decide whether the consent factors mitigate the risk. Some risk factors may not, on their own, lead to detection of a program, but they could lead to detection when considered in combination with other factors. Certain risk factors are impactful enough that they cannot be mitigated, such as installation by security exploit. The ESG risk assessment team may choose to always alert the user about programs with these types of behaviors.
  3. Strive for objective, consistent rules: the factors outlined below are meant to be objective and easy to apply consistently. However, certain factors cannot be determined programmatically. Those factors may nonetheless be important to users (such as a program's use of deceptive text or graphics). In these cases, we may determine the impact according to our own internal threat assessment policies. Our objective is to identify the factors that increase risk and the factors that increase consent and balance them to determine the threat that a program presents.

The general advice for software authors who wish to avoid being detected by SpyHunter or our online database sites is to:

  1. Minimize the risk factors
  2. Maximize the consent factors

4. Risk Factors ("Bad Behaviors")

The following risk factors are behaviors that have the potential for user harm or disruption. In some cases, the behavior may be desired, such as data collection for personalization, but can still present a risk if unauthorized. Many of these risks can be mitigated by providing the appropriate consent factors.

In certain cases, a risk may be serious enough that a vendor should be sure to explicitly and prominently inform users of the risk, even if general consent was given through a EULA or other means. This may be the case for certain monitoring or security tools. (Users who want this functionality will install such programs after receiving the explicit warnings and will have given informed consent.) Some risks, however, such as "installing by security exploit" may warrant automatic detection, no matter what consent is given.

Some risk factors may be minor, and not enough to warrant detection on their own. However, low-risk behaviors can help differentiate two similar programs. In addition, low-risk behaviors may be combined, and if enough low-risk behaviors are present, may lead to a higher risk being assigned to a program. We may investigate confirmed user feedback, Terms of Service agreements, End User License Agreements ("EULA") or privacy policies when assessing a risk factor.

We rate and classify software based primarily on behaviors inherent in the software itself, but we also closely examine installation methods. Note that installation method varies not only from program to program, but also by the distributor of the software and in some cases even by distribution model. In cases where intrusive, covert or exploitative installation has been observed, this fact is taken into account by our risk assessment team.

Although all behaviors can be problematic if unauthorized, certain behaviors are inherently more serious because they have greater impact.  They are therefore treated with more severity. Also, the impact of a behavior can vary based on how frequently it is performed. The impact also can vary based on whether the behavior is combined with other behaviors of concern and based on the level of consent the user provided regarding specific behaviors.

The list in Section 6 below is a combined set of the risk factors that members of the ESG Risk Assessment team consider in their final assessment of the Threat Assessment Level. We may weigh the risk factors as we see fit in our modeling formula.

5. Consent Factors ("Good Behaviors")

As discussed in more detail in Section 6 below, a program that provides users with some level of notice, consent, and control may mitigate a risk factor. Certain behaviors may present such a high-level risk, however, that no level of consent can mitigate them.  We will warn users about such behavior.

It is important to note that consent factors are per-behavior. If a program has multiple risky behaviors, each is examined separately for its consent experience.

Although all attempts to obtain consent are helpful, some practices allow ESG to conclude more strongly that the user understands and has consented to the specific behavior in question. The weights (Level 1, Level 2, and Level 3) indicate a relative ordering for the consent behaviors.  These factors should be seen as cumulative. Level 1 represents less active consent while Level 3 represents the most active and, therefore, highest level of consent.

Consent is factored into the process of assessing risk.  For example, in the list below in Section 6, the term "Potentially Unwanted Behavior" refers to any program activity or technology that can present a risk to users if abused, such as data collection or changed system settings without user consent.

The list below contains the consent factors that members of the ESG Risk Assessment team consider in their final assessment of the Threat Assessment Level of the software being evaluated. We may weigh the consent factors as we see fit in our modeling formula.

6. The Final Threat Assessment Score ("Threat Assessment Level")

The ESG Risk Assessment determines the Final Threat Assessment Score or Threat Assessment Level by balancing the risk factors and consent factors, using the modeling process outlined above. As mentioned, ESG's determinations may be different than other vendors' determinations, but developers generally can avoid having their programs receive a high threat assessment score by minimizing the risk factors and maximizing the consent factors. Again, however, certain risks may be serious enough that ESG will always inform users about the impacts, regardless of the consent level.

The risk modeling process is a living document, and will change over time as new behaviors and technologies emerge. Presently, the final Threat Assessment Level we publish in our SpyHunter Anti-spyware utility, and in our online databases, is based on the analysis and correlation of the "consent factors/risk factors modeling process" described in the previous sections of this document. We will present the Threat/risk levels with a colored bar (high threat level), which is filled from left to right, based on a score from 0 to 10 generated from the modeling process.

The list below describes the features of each Threat Assessment Level SpyHunter uses. The Threat Assessment Levels are as follows:

  1. Unknown (unknown threat level): The program has not been evaluated.
  2. Safe (safe threat level), a score of 0: These are safe and trustworthy programs, which have no risk factors and high consent factor levels. Typical behavioral characteristics of SAFE programs are as follows:
    1. Installation & Distribution
      • Distributed via download, in clearly labeled packages, and not bundled by affiliates - Level 3
      • Requires high level of consent before installation, such as registration, activation, or purchase - Level 3
      • Has clear, explicit setup experience that users can cancel - Level 3
      • Potentially unwanted behaviors are clearly called out and prominently disclosed outside of EULA - Level 2
      • Potentially unwanted behaviors are part of the expected functionality of the program (i.e., an email program is expected to transmit information) - Level 3
      • User can opt-out of potentially unwanted behaviors - Level 2
      • User must opt-in for potentially unwanted behaviors - Level 3
      • Obtains user consent before software updates - Level 3
      • Obtains user consent before using passive technologies, such as tracking cookies - Level 3
    2. Bundled Software Components (separate programs that will be installed)
      • All bundled software components are clearly called out and prominently disclosed outside of EULA - Level 2
      • User can review and opt-out of bundled components - Level 2
      • User must opt-in for bundled components - Level 3
    3. Visibility (Run-Time)
      • Files and directories have clear, identifiable names and properties in accordance with industry standards (Publisher, Product, File Version, Copyright, etc.) - Level 1
      • Files are digitally signed by publisher - Level 2
      • Program has a minor indication when it is active (tray icon, banner, etc.) - Level 2
      • Program has major indication when it is active (application window, dialog box, etc.) - Level 3
    4. Control (Run-Time)
      • Sponsor programs only run when sponsored program is active - Level 2
      • Clear method to disable or avoid program, aside from uninstall - Level 2
      • Program requires explicit user consent before starting (i.e., double-click an icon) - Level 3
      • Program requires opt-in before starting automatically - Level 3
    5. Program Removal
      • Provides straightforward, functional uninstaller in well-known location (such as Add/Remove Programs) - Level 2
      • Program uninstaller removes all bundled components - Level 2
  3. Low (low threat level), a score of 1 to 3: Low threat level programs typically do not expose users to privacy risks and cause annoyance more than any specific harm. They typically return only non-sensitive data to other servers. If they display advertisements, they display only nuisance advertisements in pop-up windows and low-impact advertisements. They can be uninstalled, but the process may be more difficult than for other programs.  Usually no EULA will be displayed during installation. If the software publishers of these low threat level programs have a high level of consent factors, we may reclassify the program as safe. Characteristics of LOW threat level programs could include:
    1. Identification & Control, including but not limited to:
      • No indication the program is running inside an application, such as an icon, toolbar or window - Low
      • No indication the program is running standalone, such as a taskbar, window or tray icon - Low
    2. Data Collection, including but not limited to:
      • Uploads data that can be used to track user behavior offline and online as well as other types of data that may be sensitive, yet not personally identifiable  - Low
      • Uses tracking cookies to collect information (Reminder: Each Anti-Spyware vendor weighs a behavior according to its own policy. ASC recommends that vendors that utilize tracking cookies as a criterion for classifying a program as spyware make it clear to users that they do so, affording users the opportunity to make an informed marketplace decision about whether tracking cookies are a threat) - Low
    3. User Experience, including but not limited to:
      • Advertising: Displays external advertisements that are clearly attributed to the source program, such as starting alongside the program - Low
      • Settings: Modifies user settings such as favorites, icons, shortcuts, etc. - Low
      • System Integrity: Attaches to other programs, such as the browser, using a non-standard method - Low
    4. Removal, including but not limited to:
      • Uninstaller repeatedly attempts to badger or coerce the user into cancelling the uninstall - Low
  4. Medium (medium threat level), a score of 4 to 6: At these threat levels, programs usually have features that are deceptive, malicious, and/or annoying. The programs may also cause inconvenience, display misleading information to end users, or transmit personal information and/or web surfing habits to malware publishers or identity thieves. Even with the high consent factors some of these programs may exhibit, we classify, detect, and remove these programs due to the deceptive, annoying, or nefarious practices of these malicious software developers. Typical characteristics of this MEDIUM threat level could include:
    1. Installation & Distribution, including but not limited to:
      • Software updates automatically without user's explicit consent, permission, or knowledge, such as not providing or ignoring user's request to cancel the update  - Medium
    2. Identification & Control, including but not limited to:
      • Program has incomplete or inaccurate identifying information - Medium
      • Program obfuscated with tools that make it difficult to identify, such as a packer - Medium
      • Previously installed program runs automatically without explicit user consent - Medium
    3. Networking, including but not limited to:
      • Floods a target with network traffic - Medium
    4. Data Collection, including but not limited to:
      • Collects personal information, but stores it locally - Medium
      • Uploads arbitrary user data, some of which could be personally identifiable - Medium
    5. User Experience, including but not limited to:
      • Advertising: Displays external advertisements that are indirectly attributed to the source program (such as a pop-up with a label)  - Medium
      • Settings: Changes browser pages or settings (error page, home page, search page, etc.)  - Medium
      • System Integrity: With other risk behavior, potential to cause frequent system instability, and with other risk behavior, potential to use excessive resources (CPU, Memory, Disk, Handles, Bandwidth) - Medium
    6. Non-Programmatic Behaviors, including but not limited to:
      • Contains or distributes offensive language and content - Medium
      • Consists of advertising components and is installed at or through web sites designed for, targeted at, or heavily used by children under 13 - Medium
      • Uses misleading, confusing, deceptive, or coercive text or graphics, or other false claims to induce, compel, or cause users to install or run the software or take actions (such as click on an advertisement)  - Medium
    7. Other Behaviors, including but not limited to:
      • Program modifies other applications - Medium
      • Program generates serial numbers/registration keys - Medium
  5. High (high threat level), a score of 7 to 10: At these threat levels, the ESG Risk Assessment Team typically will not consider any consent factors, because these programs present serious risks to end users and the internet community at large. Programs at this threat level tend to include keyloggers, trojans, worms, botnet-creation programs, dialers, viruses, and variants of rogue anti-spyware programs. Here is a list of behavioral characteristics of programs we categorize at a threat level of HIGH:
    1. Installation & Distribution, including but not limited to:
      • Replication behavior (mass-mailing, worming, or viral re-distribution of the program) - High
      • Installs without user's explicit permission or knowledge, such as not providing, or ignoring, user's request to cancel installation, performing a drive-by installation, using a security exploit to install, or installing without notice or warning as part of a software bundle (Note: The rating of High indicates a typical rating for this item and its relative risk. The specific weight may vary depending on the impact and/or number of items installed.)  - High
      • Uninstalls other applications, such as competitive programs - High
      • Program downloads, is bundled with, or installs software that has potentially unwanted behavior (Reminder: The rating of High indicates a typical rating for this item and its relative risk. The specific weight may vary depending on the impact and/or number of items installed.)  - High
    2. Identification & Control, including but not limited to:
      • Creates polymorphic or randomly named files or registry keys - High
    3. Networking, including but not limited to:
      • Proxies, redirects or relays the user's network traffic or modifies the networking stack - High
      • Creates or modifies "hosts" file to divert domain reference - High
      • Changes default networking settings (Broadband, telephony, wireless, etc.)  - High
      • Dials phone numbers or holds open connections without user permission or knowledge - High
      • Alters the default Internet connection to connect at a premium rate (i.e. 2x normal rate)  - High
      • Sends communications including email, IM, and IRC without user permission or knowledge - High
    4. Data Collection, including but not limited to:
      • Transmits personally identifiable data (Reminder: Technologies are neutral, and they only become a high risk factor when abused. Transmission of personally identifiable data can be acceptable with notice and consent)  - High
      • Intercepts communication, such as email or IM conversations (Reminder: Technologies are neutral, and they only become a high risk factor when abused. Interception of communications can be acceptable, in appropriate circumstances, with notice and consent)  - High
    5. Computer Security, including but not limited to:
      • Hides files, processes, program windows, or other information from the user and/or from system tools - High
      • Denies access to files, processes, program windows or other information - High
      • Allows remote users to alter or access the system (files, registry entries, other data)  - High
      • Allows host security to be bypassed (privilege elevation, credential spoofing, password cracking, etc.)  - High
      • Allows remote parties to identify vulnerabilities on the host or elsewhere on the network - High
      • Exploits a vulnerability on the host or elsewhere on the network - High
      • Allows remote control over a computer, including process creation, sending spam through the computer, or using the computer to conduct attacks on third parties - High
      • Disables security software, such as Antivirus or Firewall software - High
      • Lowers security settings, such as in the browser, application, or operating system - High
      • Allows for remote control of the application, beyond self-update - High
    6. User Experience, including but not limited to:
      • Advertising: Displays external advertisements that are not attributed to their source program (this does not cover advertisements created by online content users deliberately visit, such as web pages). In addition, replaces or otherwise alters web page content, such as search results or links - High
      • Settings: Changes files, settings or processes to reduce user control - High
      • System Integrity: Disables or interferes with functionality of system (right-click behavior, ability to use system tools, etc.)  - High
    7. Removal, including but not limited to:
      • Self-healing behavior that defends against removal or changes to its components, or requiring unusual, complex or tedious manual steps to run the uninstaller - High
      • Uninstaller does not functionally remove the program, such as leaving components running after reboot, not offering to uninstall bundled applications, or silently reinstalling components - High
      • Does not provide an easy, standard method to permanently stop, disable or uninstall the program (such as Add/Remove Programs or equivalent)  - High
      • With other risk behavior, does not offer to uninstall bundled or subsequently installed software components - High