CA Anti-Spyware Scorecard v3.0

What follows is the third version of the CA Anti-Spyware Scorecard. I am republishing it here for reference, since it is no longer published on CA’s website (a copy is available on archive.org). This document and all previous versions were created by me and primarily one other colleague, with the help of fellow researchers. In the early 2000s there was an explosion of PUPs (potentially unwanted programs): adware, dialers, spyware, browser extensions and plugins, and so on, which our anti-spyware program was detecting and removing. The criteria laid out in this document guided the anti-spyware/anti-malware researchers on our team in determining whether a piece of software warranted detection, created consistency between researchers (and with other anti-spyware companies), and gave software developers guidelines they could use in shaping their products to avoid detection:

CA Anti-Spyware Scorecard v3.0

Applications detected by CA Anti-Spyware are evaluated against the characteristics listed below. These criteria describe behaviors that are typical of Spyware and which may cause a loss of productivity, privacy and security. When evaluating logical expressions, all uses of “or” are non-exclusive unless otherwise noted. Detailed information describing the behaviors and attributes referenced within this Scorecard can be found in the documents “Behaviors – the Building Blocks of Spyware Analysis” and “Attributes – Modifying Behaviors”. Note: Solely for the purposes of this Scorecard, acceptance or acknowledgement of a product’s end-user license agreement (EULA) or Privacy Policy does not constitute user permission, user knowledge or user consent. For guidelines on what does constitute user permission see the document “Spyware, Adware and User Permission: Meeting CA Anti-Spyware’s Requirements”.

Installs even when the user selects “no” or equivalent negative response when prompted or questioned about installing the application.
A program fails this item when, without obtaining user permission, it takes the following action:

Installs itself (A1)
Installs itself or any other item without clear notice to the user and obtaining user permission at time of installation.
A program fails this item when, without obtaining user permission, it takes any of the following actions:

Installs itself (A1)
Is installed/bundled by an affiliate or business relation (A2)
Installs via a vulnerability (A3)
Downloads software that does not fail the eTrust Anti-Spyware scorecard (A4)
Installs software that does not fail the eTrust Anti-Spyware scorecard (A5)
Downloads software that fails the eTrust Anti-Spyware scorecard (A6)
Installs software that fails the eTrust Anti-Spyware scorecard (A7)
Creates new software that fails the eTrust Anti-Spyware scorecard (A8)
Installs itself without providing a clear and explicit opt-out option from the vendor’s site or associated application.
A program fails this item when, without obtaining user permission, it takes the following action:

Installs itself (A1)

Or when, with or without obtaining user permission, it takes the following action:

Installs via a vulnerability (A3)
Changes browser settings without clear notice to the user and obtaining user permission at the time of change.
A program fails this item when, without obtaining user permission, it takes any of the following actions:

Changes browser error page (I2)
Changes browser home page (I3)
Changes browser search page (I4)
Changes browser settings unrelated to security (I5)
Changes browser settings related to security (I6)
Changes system configuration in any manner without clear notice to the user and obtaining user permission at the time of change.
A program fails this item when, without obtaining user permission, it takes any of the following actions:

Proxies, redirects or relays the user’s network traffic or modifies the networking stack to send traffic through a third-party server (D1)
Creates or modifies “hosts” file to divert domain reference (D2)
Changes default networking settings (Broadband, telephony, wireless, etc.)(D3)
Hides files, processes, program windows or other information from the user or from other programs (F1)
Allows remote parties to read local files/registry entries/other data (F8)
Allows remote parties to modify or delete local files/registry entries/other data (F9)
Allows remote parties to identify vulnerabilities on the host (F10)
Allows remote parties to execute arbitrary code on the local system (F11)
Allows remote parties to take limited actions on a local system (F12)
Disables or removes security software, such as AntiVirus or Firewall software (F13)
Lowers security settings, such as in the browser, application, or operating system (F14)
Allows for remote control of the application, beyond self-update (F15)
Replaces or otherwise alters web page content beyond search results or advertisements (F16)
Replaces or otherwise alters web page content related to search results or advertisements (H4)
Changes system or application settings not enumerated elsewhere in such a way as to reduce user control (I1)
Changes browser error page (I2)
Changes browser home page (I3)
Changes browser search page (I4)
Changes browser settings unrelated to security (I5)
Changes browser settings related to security(I6)
Modifies user settings such as favorites, icons, shortcuts, etc. (I7)
Disables or interferes with functionality of system (M4)

Creates or modifies “hosts” file to divert domain reference without clear notice to the user and obtaining user permission at time of change.
A program fails this item when, without obtaining user permission, it takes the following action:

Creates or modifies “hosts” file to divert domain reference (D2)
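Checking for the D2 behavior on a live system means reading the hosts file and deciding which entries send a name somewhere other than where DNS would. The following Python is an added example (not part of the CA document) of such a check, run over a constructed sample hosts file; the hostnames and addresses in it are invented, and the list of protected vendor domains is an assumed input supplied by the analyst.

```python
import ipaddress

# Constructed sample hosts file (not from the original page). The last two
# entries are the kinds of change the D2 behavior covers.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.invalid              # blocklist-style entry, benign
127.0.0.1       www.antispyware-vendor.invalid   # sinkholes a security vendor's site
203.0.113.10    www.bank.invalid                 # diverts a real name to a third-party host
"""

# Names that legitimately point at loopback. Any other name mapped to
# loopback/unspecified is a sinkhole and is checked against the protected list.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Comments, blank lines and lines whose first field is not an IP address are
    skipped rather than guessed at."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield line_no, ip, host.lower()


def find_diversions(text, protected_domains):
    """Return a list of (line_no, hostname, ip, kind) findings.

    kind is "divert" when a name is sent to a non-local address (the D2 case)
    and "sinkhole" when a protected domain, or a subdomain of one, is mapped to
    loopback or 0.0.0.0, which blocks it (also relevant to F13)."""
    protected = {d.lower() for d in protected_domains}
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            if host in protected or any(host.endswith("." + d) for d in protected):
                findings.append((line_no, host, str(ip), "sinkhole"))
        else:
            findings.append((line_no, host, str(ip), "divert"))
    return findings


if __name__ == "__main__":
    for finding in find_diversions(SAMPLE_HOSTS, ["antispyware-vendor.invalid"]):
        print(finding)
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. Entries that sinkhole a name to loopback or 0.0.0.0 are ambiguous, because ad-blocking tools create them deliberately, so only sinkholes of protected domains (for example a security vendor’s update servers) are reported, while any entry that sends a name to another address is reported as a divert regardless of the name.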
Defends itself against removal of, or changes to, its components.
A program fails this item when it takes any of the following actions:

Exhibits self-healing behavior that defends against removal or changes to its or other components (K1)
Places passive defenses in place to defend against removal of or changes to its or other components (K2)
Requires unusual, complex or tedious manual steps to run the uninstaller (K3)
Uninstaller does not functionally remove the program, for example, leaves components running after reboot (K4)
Uninstaller repeatedly attempts to badger or coerce the user into cancelling the uninstall (K6)

Dials phone numbers or holds connections open without clear notice to the user and obtaining user permission.
A program fails this item when, without obtaining user permission, it takes the following action:

Dials phone numbers or holds open connections (D4)

Displays popup/popunder ads when product is not actively in use, or which do not appear to be connected with the product.
A program fails this item when it takes the following action:

Or with Attribute XXIII (Behavior occurs when the program is not in active use) takes any of the following actions:

Displays external advertisements that are not clearly attributed to their source program (H1)
Displays external advertisements that are indirectly attributed to the source program (such as a popup with a label) (H2)
Displays external advertisements that are clearly attributed to the source program (such as being launched through user action or coming up alongside initial program launch) (H3)
Displays popup/popunder ads that cannot be closed by clicking a clearly visible close button.
With Attribute XIX (Actively defends the results of an action, such as continually re-writing changed settings) or Attribute XX (Passively defends the results of an action, such as not offering a visible way to close a popup window), takes any of the following actions:

Displays external advertisements that are not clearly attributed to their source program (H1)
Displays external advertisements that are indirectly attributed to the source program (such as a popup with a label) (H2)
Displays external advertisements that are clearly attributed to the source program (such as being launched through user action or coming up alongside initial program launch) (H3)
Updates itself or any other item without clear notice to the user and obtaining user permission at time of update.
A program fails this item when, without obtaining user permission, it takes any of the following actions:

Software updates automatically (A10)
Modifies or updates non-executable files belonging to other programs (J4)
Transmits User Data without clear notice to the user and obtaining user permission.
A program fails this item when, without obtaining user permission, it takes any of the following actions:

Transmits potentially personally identifiable data (E1)
Transmits user data (E2)
Places tracking cookies on a machine to collect information (E5)
Covertly modifies another program’s information or website content as displayed – for example, changing search results, substituting ads for other ads, etc.
A program fails this item when, without providing clear notice to the user, it takes any of the following actions:

Hides files, processes, program windows or other information from the user or from other programs (F1)
Replaces or otherwise alters web page content related to search results or advertisements (H4)
Replaces or otherwise alters web page content beyond search results or advertisements (F16)
Covertly tracks input or personally identifiable information without clear user permission.
A program fails this item when, without clear user permission, it takes any of the following actions:

Collects potentially personally identifiable data (E3)
Collects I/O from video card (E6)
Collects I/O from keyboard (E7)
Collects I/O from mouse or other non-keyboard input peripheral (E8)
Collects I/O from audio (E9)
Collects I/O from network device (E10)
Violates or bypasses the user rights schema inherent to the computer’s operating system without clear notice to each user and obtaining permission of each of the system users who are being impacted.
A program fails this item when, without obtaining permission from the system owner/administrator and from each user account impacted, it takes any of the following actions:

Allows host security to be bypassed via privilege elevation (F2)
Allows host security to be bypassed via credential spoofing (F3)
Cannot be uninstalled by Windows Add/Remove Programs and no uninstaller is provided with application.
A program fails this item when, without Attribute XVI (Program is a single executable file without installer and does not create registry keys at all, or create files outside of its immediate folder), it takes the following action:

Does not provide an easy, standard method to permanently stop, disable or uninstall the program (such as Add/Remove Programs or equivalent) (K5)
Uninstaller is actually a covert re-installer.
A program fails this item when it takes both of the following actions:

Exhibits self-healing behavior that defends against removal or changes to its or other components (K1)
Uninstaller does not functionally remove the program, for example, leaves components running after reboot (K4)
Uninstaller leaves potentially damaging running objects, executables, or other components after reboot.
A program fails this item when it takes the following action:

Uninstaller does not functionally remove the program, for example, leaves components running after reboot (K4)
Interferes with the regular operation of another program without obtaining user permission.
A program fails this item when, without obtaining user permission, it takes any of the following actions:

Uninstalls other applications, for example, competitor’s programs (A9)
Hides files, processes, program windows or other information from the user or from other programs (F1)
Lowers security settings, such as in the browser, application, or operating system (F14)
Replaces or otherwise alters web page content beyond search results or advertisements (F16)
Replaces or otherwise alters web page content related to search results or advertisements (H4)
Changes system or application settings not enumerated elsewhere in such a way as to reduce user control (I1)
Changes browser error page (I2)
Changes browser home page (I3)
Changes browser search page (I4)
Changes browser settings unrelated to security (I5)
Modifies user settings such as favorites, icons, shortcuts, etc. (I7)
Modifies or injects code in the memory space of other running applications (J1)
Modifies unrelated executable files on disk (J2)
Attaches to other programs, such as the browser, using a non-standard method (M3)
Displays behavior which harms or attacks another system or creates software that will harm or attack another system.
A program fails this item when, without obtaining user permission from the owner/operator of the system being targeted by the behavior, it takes any of the following actions:

Floods a target with network traffic (G1)
Exploits a denial of service vulnerability on remote systems (G2)
Exploits a code execution vulnerability on remote systems (G3)
Identifies vulnerabilities on remote systems (G4)
Identifies points of entry to remote systems (G5)
Spoofs the identity of emails being sent (G6)
Spoofs the identity of TCP/IP/UDP packets being sent (G7)
Allows arbitrary code execution on a remote computer (G8)
Allows limited access to a remote computer (G9)
Sends unsolicited email to targets (G10)
Uses misleading, confusing, deceptive or coercive text, graphics, advertising or other false claims to induce, compel or cause users to install or run the software or to take actions (such as clicking on an advertisement).
A program fails this item when it takes the following action:

Uses misleading, confusing, deceptive or coercive text, graphics, advertising or other false claims to induce, compel or cause users to install or run the software or to take actions (such as clicking on an advertisement) (L1)
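The items above share one rule shape: an item fails when the program shows one of the listed behaviors, usually only when that behavior occurs without real user permission, sometimes only when a named attribute (XVI, XIX, XX, XXIII) accompanies it, and in one case only when two behaviors occur together (K1 and K4). As an added example (not part of the CA document), the following Python encodes a representative subset of the items as data and applies those rules to a set of observed behaviors. The item names are shortened from the headings above, the Observation records are a constructed analysis result, and with_permission is the analyst’s judgement of real permission, which per the Scorecard’s note is not the same as EULA acceptance.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    """One scorecard item: its name (shortened here) and the page's behavior codes."""
    name: str
    behaviors: frozenset
    needs_permission: bool = True          # fails only if the behavior occurred without user permission
    all_of: bool = False                   # True: every listed behavior must be present (K1 and K4)
    requires_attr: frozenset = frozenset() # fails only if one of these attributes accompanies the behavior
    exempt_attr: frozenset = frozenset()   # behavior is excused when one of these attributes is present


@dataclass(frozen=True)
class Observation:
    """A behavior seen during analysis. with_permission must reflect real user
    permission; EULA or privacy-policy acceptance alone does not count."""
    code: str
    with_permission: bool = False
    attributes: frozenset = frozenset()


# Representative subset of the scorecard; behavior codes and attribute numerals are the page's.
SCORECARD = (
    Item("Installs even when the user selects no", frozenset({"A1"})),
    Item("Changes browser settings without notice/permission",
         frozenset({"I2", "I3", "I4", "I5", "I6"})),
    Item("Creates or modifies hosts file to divert domain reference", frozenset({"D2"})),
    Item("Defends itself against removal",
         frozenset({"K1", "K2", "K3", "K4", "K6"}), needs_permission=False),
    Item("Displays popup/popunder ads when not in active use",
         frozenset({"H1", "H2", "H3"}), needs_permission=False,
         requires_attr=frozenset({"XXIII"})),
    Item("Displays popup/popunder ads that cannot be closed",
         frozenset({"H1", "H2", "H3"}), needs_permission=False,
         requires_attr=frozenset({"XIX", "XX"})),
    Item("Updates itself or any other item without notice/permission",
         frozenset({"A10", "J4"})),
    Item("Cannot be uninstalled and no uninstaller provided",
         frozenset({"K5"}), needs_permission=False, exempt_attr=frozenset({"XVI"})),
    Item("Uninstaller is actually a covert re-installer",
         frozenset({"K1", "K4"}), needs_permission=False, all_of=True),
)


def matching_codes(item, observations):
    """Behavior codes among the observations that count against item under its conditions."""
    codes = set()
    for obs in observations:
        if obs.code not in item.behaviors:
            continue
        if item.needs_permission and obs.with_permission:
            continue                      # permitted behavior does not count for this item
        if item.requires_attr and not (obs.attributes & item.requires_attr):
            continue                      # attribute-gated item, attribute absent
        if obs.attributes & item.exempt_attr:
            continue                      # e.g. XVI excuses the missing uninstaller
        codes.add(obs.code)
    return codes


def evaluate(observations, scorecard=SCORECARD):
    """Return, in scorecard order, the names of the items the observed behaviors fail."""
    failed = []
    for item in scorecard:
        codes = matching_codes(item, observations)
        hit = codes == set(item.behaviors) if item.all_of else bool(codes)
        if hit:
            failed.append(item.name)
    return failed


if __name__ == "__main__":
    # Constructed analysis result for a hypothetical sample.
    sample = [
        Observation("D2"),
        Observation("I3", with_permission=True),
        Observation("H2", attributes=frozenset({"XXIII"})),
        Observation("K5", attributes=frozenset({"XVI"})),
        Observation("K4"),
    ]
    for name in evaluate(sample):
        print("FAIL:", name)
```

A single observation can fail several items (K4 counts against both the self-defense item and, with K1, the covert re-installer item), and the same behavior code can be harmless under one item and failing under another depending on permission and attributes, which is why the evaluator keeps those conditions per item rather than per behavior.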

Scorecard Ownership and Responsibility
CA Anti-Spyware is solely responsible for the creation, interpretation, and application of this scorecard and its use in the determination of what products and/or programs are classified as Spyware.