  • Staff

Hi,

We detect as PUP - Potentially Unwanted Program, so it's the user's choice whether they want to remove it or not.

Other Vendors also seem to agree with this detection: https://www.virustotal.com/nl/file/30d8f5da134b31bd6cbc20e8f0e16910ec653d2d35faa402a6cef6f967dd9493/analysis/1419425696/ and it has been reported by many users to us as Unwanted, hence the detection as Potentially Unwanted Program, also because of the additional bundles prechecked & installed - it has changed the start page to yandex.ru, has set the search engine to the same, installed Yandex Elements + installed some other add-on for Firefox that is called Visual Bookmarks.

On top, the install screens are in Russian, so non-Russian speakers have no clue what is prechecked or installed as additional elements.

Also, prechecking bundles is bad practice, because that way, in 80% of the cases, users just click the proceed button anyway and end up with installing something they never wanted at all.

If you want to include bundles, let the user select/check what he wants to install instead of prechecked, before he can proceed.

Uninstalling whatever it has additionally installed doesn't restore the start page or the search engine. It sticks to yandex.ru.

We won't delist detection.


Thank you for the detailed reply.
First of all, we believe that each Antivirus Vendor wants to make its software as accurate and precise as possible, and that is what makes some Vendors stand out.

It is strange that you have seen the install screen in Russian, because the language of the installer depends on the language of the OS. And if you use e.g. English as the default language of Windows, then the installer will be shown in English.

Next, we think that prechecked bundles are a very common practice. For example, could you please comment on why uTorrent is not detected as PUP:

https://www.virustotal.com/ru/file/9fe77cdf803cadb9f40d9519dfd17648951b73b8d312e4663897b6c71f8232b4/analysis/1419431708/

It has the same prechecked bundles in the installer.

If the user does not want to install additional software or set the start page to Yandex, then he/she can uncheck it. Also, we do not install anything irreversible - if the user wants to uninstall or set the search engine back, he/she can do it.

 


  • Staff

"Next, we think that prechecked bundles are a very common practice."

Hence why we also detect most as PUP as well, the same as most other vendors do too.

Prechecking items to be installed is a shady practice to trick the user into installing it anyway.

Also see here: https://blog.malwarebytes.org/malvertising-2/2014/07/pups-are-persistent/

We both know that in 80% of the cases, users won't uncheck, simply because of these "dark patterns": http://darkpatterns.org/

 

Basically, let the user select, instead of selecting for the user - before the user can proceed.

That way, there can never be any misunderstanding - since the user actually selected it.

Below is an example of the install platform Chip.de uses - where they do it the correct way.

[Attached screenshot: post-102-0-88024100-1419434801_thumb.png]

As you see, nothing is selected there. The user either has to choose to install the bundle or to not install the bundle. Once the user has made the selection, then the "Next" button becomes active.

We can only applaud this, since it forces the user to read first & select what they want, before he can move on with the next step.

This typical installer of uTorrent doesn't have any additional bundles here. The installer installs uTorrent only. Hence why I don't see a reason to detect either. And I believe that's also why almost all other vendors don't detect this either.

 

Main checkmarks we use for PUP when using an "install wrapper/bundler"

1) Prechecked offers in install screen

2) Prechecked offers in install screen with no way to opt out

3) Prechecked offers where the wording makes it sound like the offers are recommended to install

4) Install screens, with the offer displayed where it's unclear for the user what action to take. For example, a skip or proceed button. Users believe that using the skip button will just abort the entire installation of the "end software" (as what has been reported many times)

5) Prechecked offers, or install screens, where user opt out or chooses not to install the offers, but the offers get installed anyway (user selection is ignored)

6) Nature of the offers - If the offers are known as PUP already or frequently reported by users as unwanted

7) Nature of the offers - If the offers force the user in a way into purchasing the Software

8) Nature of the offers - If they have been often referred to as malware/virus by the user, where users are stating it clearly that they don't want it - or if the offers are Ad supported

9) Is this software submitted to us as Unwanted

10) How are other Vendors detecting it? Are they detecting it? If so, then this means that it has been reported to them as unwanted as well

To get classified as PUP (install screen wise), we need to have at least 3 checkmarks.

Hope this clarifies it.
