Close means close: New adware detection criteria

In April we introduced the rules that software developers should follow when creating advertisements to avoid being detected by Microsoft security products as adware. These rules are designed to keep our customers in control of their Internet browsing experience. Since then, we have had great success working with some companies through our developer contact process.

At the same time we have started to see other advertising programs trying to bend and even circumvent our rules. These advertisements produce a negative Windows experience and we have decided that it is time to add some new rules and clarify our stance on what defines clean advertising.

Close means close

The criteria for detection we released in April  states that advertisements need to “include an obvious way to close the ad”. It was explained that this needs to be a method that is clear to the user, such as an “X” or the word “close”. This requirement was widely adopted.

However, we have also started to see the close button used as a trigger to open other advertisements. This is was not the intention of the rule and this behavior will be detected as adware.

Links must remain clear and unchanged

Another concerning practice is the manipulation and misrepresentation of links on a webpage, as outlined below.

Modifying a current link

We have been seeing some programs modifying or replacing hyperlinks with different URLs than those used by the website owner. This includes places where a hyperlink is directly misrepresented and sends users to a different webpage than the one they expected. A hyperlink that directs a user to an advertisement before they can view the webpage they intended is also considered a misrepresentation. All of these behaviors will qualify a program to be detected as adware.

Not highlighting hyperlinks

When a user is browsing a webpage it is essential that they know when they are clicking on a hyperlink. It is required that if a program inserts a link, the user knows that it is a link. You should do this in a method that is clear and obvious. The colored double underline style is very recognizable and the preferred method. A program that creates links that are not clearly identifiable will qualify as adware.

Some of the more common methods of obscuring hyperlinks that we detect as adware include:

Using the background as a hyperlink

We have seen a bunch of programs using the webpage background as a link. This means that when the user clicks anywhere on a page that is not already a link, an advertisement is triggered. The user doesn’t know they are clicking the link and thus they are not in control of their browsing experience. This behavior will be considered adware.

Mouse-over links

In my blog about “a particularly convincing nefarious ad” I explained the practice of adding mouse-over events to an advertisements to mimic the user clicking the ad. I will mention it here as well. The user must click on the ad to follow it away from the page they are on. Any method of mimicking an ad click is not acceptable and will be detected as adware.

As always, these new guidelines along with the additional reasons we detect programs can be found on our Objective Criteria page.

Michael Johnson

Microsoft Malware Protection Center
Secure Hunter Anti -Malware

You may also like...

Popular Posts