Staying in control of your browser: New detection changes

This week we made some important changes to how we detect browser modifiers and adware. These changes are designed to better protect your browsing experience.

We have already blogged about the changes to the behaviors we detect as adware. I will explain the changes to our browser modifier detections below.

Our objective criteria has all the details about how and why we detect unwanted software.

Unacceptable behaviors

There are two new browser modifier behaviors that we detect:

  1. Bypassing consent dialogs from browsers that ask you if you want to install browser toolbars/extensions/add-ons.
  2. Preventing you from viewing or modifying browser features or settings.

We care about your experience in all the major web browsers and as such we will detect these behaviors in all browsers. The next two sections go into detail about what these rules mean and what some of the abuses we’ve been seeing in the wild look like.

Browser consent dialogs

Most of the leading web browsers have a disabled-by-default model for newly-installed extensions with the goal of keeping you in control. When a new extension is added into Internet Explorer, it is disabled until the next time the browser starts and asks you to make a decision:

IE prompts you to enable a new extension 

Figure 1: New extensions are disabled in Internet Explorer
Other major browsers such as Firefox and Chrome have similar models for newly installed extensions. These are great features to keep you in control of your browsers, however, we’ve observed a trend where software developers are side-stepping these dialogs, and this is not acceptable.

Some of the technical methods behind the bypasses we’ve been seeing include Group Policy settings, registry changes, and preferences file modification. For example, using Group Policy settings to sidestep your consent to install an extension is not acceptable – these features are designed only for use by organizations to deploy an extension. The bottom line is when installing an extension into the browser, barring a few exception cases (such as Internet Explorer’s ActiveX PreApproved List), the browser consent dialog should be prompted. Failure to do so can result in the application being detected as a browser modifier by our security products.

User control over browser settings and features

We’ve seen applications and extensions prevent you from viewing or modifying your browser settings, or change the settings back after you make a modification to them. This is not allowed. One prevalent example is browser extensions that don’t let you to disable or remove them. In this case, within the manage add-ons interface of Internet Explorer, you cannot disable or remove the extension as shown below:

An extension with a blocked 'disable' option 

Behaviors such as these qualify for detection as a browser modifier by our security products.

We will continue to monitor and reevaluate our criteria to better protect your experience. Meanwhile, you can read more about how and why we detect unwanted software on our objective criteria page.

Geoff McDonald

Microsoft Malware Protection Center
Secure Hunter Anti -Malware

You may also like...

Popular Posts