When is a virus not a virus?

Spyware and adware are becoming as big a problem as viruses, but the major anti-virus vendors have yet to make their move

Many of the leading anti-virus vendors are looking for ways to incorporate anti-spyware capabilities into their products, but there’s still a long way to go before virus and spyware protection will be fully integrated. Reviewing spyware products provided me with some insight into spyware and adware, and how detecting them differs from virus and Trojan detection.

For the most part, viruses behave along a certain set of well-known guidelines. In many cases they are crudely written and usually install into well-known locations on the computer. Based on this knowledge, anti-virus programs will detect anything trying to pass through their nets.

Spyware is quite different. Because it is written for financial gain, it tends to be more sophisticated in design and implementation. Spyware programs are harder to remove -- indeed, their creators don’t want them removed, given their pecuniary raison d’etre. Many of the more sophisticated spyware/adware programs use multiple launchers and “tricklers,” which allow them to re-install themselves if something tries to clean them up. Many do install to common locations, but some place their files in seemingly random locations on the system.

In addition to the two products reviewed, I contacted the top anti-virus vendors to see if they would also like to provide products or input for this review. Symantec declined to participate, stating that it is first and foremost an anti-virus company and that it is looking at adding anti-spyware in the future. At this time, Symantec AntiVirus Corporate Edition does not have a true anti-spyware detection and removal engine. It can detect and remove Trojans, but because most spyware does not come in that format, it isn’t helpful.

F-Secure stated that it is moving toward an integrated anti-virus/anti-spyware product, and that it is close to releasing a stand-alone detection product. But according to an F-Secure representative, detecting spyware with an anti-virus package is problematic due to end-user perception.

According to F-Secure, if an adware program is detected by a self-described anti-spyware program, the end-user perceives it in a certain way and acts accordingly. But if the same adware or spyware application is detected by an anti-virus solution, the user might perceive pop-up ads from The Weather Channel as being the result of a virus, rather than the more benign annoyance of unwanted advertising. Because most adware originates from brick-and-mortar, real-world companies, those companies tend to threaten anti-virus vendors with lawsuits when they cast the virus shadow on their software.

In the end, the top anti-virus vendors will likely provide an integrated anti-virus/anti-spyware package for one-stop desktop and server security. Exactly how long it will take them to work out all the kinks, however, remains to be seen. Until then, separate anti-virus and anti-spyware software will remain a fact of life for beleaguered enterprise admins.