Category Archives: Definitions

What’s startupware?(tm)
The source for all definitions of startupware.

Programmer’s Challenge: Reversing the Spyware Model

There is no such thing as spyware, despite the news reports. No, really. I’ve been saying that since last year. But to review: Spyware is software that sends personally-identifiable information back to its publisher. But the software publishers involved all claim to send NON-personally-identifiable information back, and to be adware publishers. Therefore, there is no such thing as spyware, and no spyware problem. And if you say there is, expect warning letters from the attorneys of those not-spyware products.

All this is part of the general security environment we have now. Windows, because of its evolution from DOS and Windows 3.1 through to 32-bit code, has had a long-standing tradition of no code left behind. All the old stuff runs, if it doesn’t involve graphics or peripherals. But the result is patch recalls on patches to patches. And the spyware issue is just a commercial method of doing what big business always does: it waits until a new industry gets big enough to be profitable, and then it finds a way to monetize it. Right, monetize was not a word until recently, but now that’s what we do to make money on information web sites–we add ads to them. So that’s what is happening now–spyware is the venture capital approach to making money from computer viruses and trojans, by using them to distribute and display advertising. Some of you have already seen my earlier post on the definition of startupware, but I’ll review the main one here:

stärt’-up-wãre, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software. Startupware isn’t automatically good or evil, useful, or destructive. The definition is based on easily-verifiable action, mostly during installation, and never on the contents of license agreements, external documents, or off-site servers. It autoloads, or it doesn’t.

So startupware is a bigger category than spyware. It includes everything that autoplays. That means spyware, adware, viruses, trojans, toolbar accessories, system tray utilities, application software pre-loaders, application software phonehome-for-any-reason applets, and hardware drivers that substitute software for chips. Everything that autoplays that is not part of a default operating system configuration. Every program, process, or browser trigger. Everything in that category slows down our computers, most of it is installed by silent default, and most of it should be removed. I don’t need five autostart entries to run a color inkjet, thanks, anyway. No, I don’t want an autostart program to upload my photographs to the web. No, I don’t want a daily update check on checkbook software that’s five years and six versions out of date.

The problem is that even retail boxed software is getting into adware behavior in a big way, and if you buy a notebook computer, expect to spend hours unweaving a web of autoplaying software, all of which was installed without permission, where most does nothing for you–it just loads and tries to sell you wireless access subscriptions, or web photo service, or online this, and more of that. It’s a mess, and messes need management.

And of course, there is always the free antivirus software that doesn’t detect spyware, because the adware publisher has threatened legal action if the antivirus vendor dares to label it with such an evil label. The result is that on any one computer, we need to have antivirus software, antispyware software, popup blocker software, patches, more patches, and so on. And on. This model is too profitable for the publishers, and for me, too. I clean this stuff up, and charge by the hour. I and my clients would rather that I be paid for setting up new computers and new productivity tools, and not all this cleanup. But the tools are scattered.

OK, so what’s the programming challenge? Simple enough: create a startupware management and cleanup tool. Such a program would include these features:

    Record all currently-running programs and processes for comparison on next run, including full file paths, where applicable.
    Record user comments for all entries, such as “camera software–only needed for cable sync”.
    Report all startupware currently set to run on the system.
    Report all startupware that’s new since the last run, with options to remove it, add it to a commented ‘OK’ list, or add it to an ‘unknown, pending identification’ list.
    Must be usable in safe mode.

Optional features:

    Scan for viruses, trojans, and other malware based on a list of known bad products.
    Block installation of startupware, with an option to add a new entry and comment to the ‘OK’ list.
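
The compare-and-comment core of such a tool, as an added example (not code from the original post): it diffs the autostart entries recorded on the last run against the current ones and applies the user's commented 'OK' list. The `Autostart` record, the `review` function, the sample entries and the extra 'changed' bucket for an entry whose target path moved are assumptions of this example; collecting the entries from the system is left to the caller.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Autostart:
    location: str  # where the entry is configured (Run key, Startup folder, ...)
    name: str      # entry name shown to the user
    path: str      # full path of the program it launches

    def slot(self):
        # Compare case-insensitively, as Windows does for these names.
        return (self.location.lower(), self.name.lower())

def review(previous, current, notes):
    """Diff two snapshots. `notes` maps slot -> (status, comment), where
    status is 'ok' or 'unknown' as in the feature list above."""
    before = {e.slot(): e for e in previous}
    report = {"new": [], "changed": [], "ok": [], "unknown": [], "removed": []}
    for entry in current:
        old = before.pop(entry.slot(), None)
        status, comment = notes.get(entry.slot(), ("unknown", ""))
        if old is None:
            report["new"].append((entry, comment))
        elif old.path.lower() != entry.path.lower():
            # Same slot now launches a different file: ask again, even
            # if the old entry was on the 'OK' list.
            report["changed"].append((entry, f"was {old.path}"))
        else:
            report[status].append((entry, comment))
    report["removed"] = [(e, "") for e in before.values()]
    return report

# Constructed sample data (not from a real machine).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
PREVIOUS = [
    Autostart(RUN, "CamSync", r"C:\Program Files\ExampleCam\sync.exe"),
    Autostart(RUN, "PrintMon", r"C:\Program Files\ExamplePrint\mon.exe"),
    Autostart("Startup folder", "Stretch", r"C:\Tools\stretch.exe"),
]
CURRENT = [
    Autostart(RUN, "CamSync", r"C:\Program Files\ExampleCam\sync.exe"),
    Autostart(RUN, "PrintMon", r"C:\Users\pat\AppData\Local\Temp\mon.exe"),
    Autostart(RUN, "WebPhotoUpload", r"C:\Program Files\ExamplePhoto\up.exe"),
]
NOTES = {
    (RUN.lower(), "camsync"): ("ok", "camera software, only needed for cable sync"),
    (RUN.lower(), "printmon"): ("ok", "inkjet status monitor"),
}

if __name__ == "__main__":
    for kind, items in review(PREVIOUS, CURRENT, NOTES).items():
        for entry, comment in items:
            print(f"{kind:8} {entry.name:15} {entry.path}  {comment}")
```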

Now, chunks of these programs exist. There are startup managers–that’s the closest category. But the programs currently out there can’t be used by anyone with less training than a system tech. You have to already know what every program is before you can do much of anything. Surprisingly, the closest program I’ve seen to a startupware manager is Microsoft’s MSconfig.exe. It doesn’t uninstall startupware, but it lists settings, and can temporarily block programs. There’s no record of previous settings, or commenting features.

A startupware manager is not antistartupware. Remember, startupware is neither good nor evil. Some users want popups of weather alerts. Some need reminders to get up and stretch. Some may need their software to be no more than 1 hour out of date. Well, very few, but some.

I’ll give a free mention here to at least the first five startupware managers that I find out about that match the definition above, and that are usable by average computer end-users.

Automatic Nothing at All…

Today’s the day. It’s the second Tuesday of the month. That’s when Microsoft releases a month’s worth of patches, most months. Sometimes, they’ll skip a month. Now, many of the people reading this are thinking, “Why do I care? Automatic update is turned on.” Wrong. Nope. Gotcha–you’re now a target for the spyware of the month club.

The problem is two-fold. First, some spyware, and malware in general, disables the automatic update features of Windows. That keeps the early infectors from getting booted out of a computer when the patches arrive, because they won’t.

Second, Microsoft added a feature to Windows Update some months back that confirmed that the copy of Windows being updated was “genuine.” While I understand why–I’m a software publisher myself, after all–the Windows authentication program was designed to be politically correct, badly. It asks permission to check your Windows for authenticity, so the automatic update fails, and does so silently. To run it, you have to go to Windows Update (in the Tools menu of Internet Explorer), do an update run manually, and approve the installation and the running of the tool. Then go back to Windows Update and search for updates AGAIN, and you’ll probably find new patches that became available once Windows was validated as genuine.

So the moral of the story is to check Windows Update manually around once a month, after the second Tuesday, and see if the updates installed. More than half the machines I’ve checked manually in the last month needed manual patching, even though automatic updates were turned on.

While you’re checking software, check that antivirus programs and everything else are updating as designed. Don’t be a target–software, like people, does what you inspect, not what you expect.

Scoring Startupware

It should be possible to rate individual products as startupware. Not just good or evil–that’s not it. What’s needed is a measure of how invasive they are, and how hard to remove.

Remember that this stuff isn’t all spyware; it includes antivirus software and overly-ambitious print drivers, and it’s not all evil. Although most of it is bad, all of it needs managing.

What’s that? Antivirus is never bad? Wrong. If in doubt, install two of them on a clean system, and try to do some work. Be sure to refresh your memory on safe-mode cleanups first, as most combos of this type will turn a computer into a vibrating doorstop. Like all startupware, it’s a management task.

To help consumers decide what products may be allowed on their systems, a scoring method is helpful. Scores skip technobabble–that’s good. They also can cause a blanket reaction of “take out all of it, don’t bother me.” That’s usually OK, but I don’t want the phone call when that breaks the antivirus software.

The basis for using startupware as a management tool for software products and their accumulations of autoplays is that no judgement calls are allowed. Again, here is the definition:

stärt’-up-wãre, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software.

Now, there are different ways to autostart, and it helps to know if a product cleans up its own mess on removal, so let’s find a way to score a program for startupware.

First, we need to keep track of how many programs are set to run on system startup, and if all of them are removed on uninstallation. If one program is installed, but results in two add/remove program entries, that’s backpackware, which is common in adware and spyware products, as well as simpler trojan horse programs.

Here’s a preliminary formula for Startupware scoring (version 0.1).

Orphaned programs: 1000 x number of programs installed to autorun but not uninstalled by removing the product that was chosen to be installed. Note that one install program that results in two or more product installations will always result in a high score for deceptive behavior. Exception: One install that offers to run an additional OPTIONAL install program is counted as more than one install program, so that, for example, a camera driver install that offers to install a graphics program is counted and scored as two installations.

Orphaned settings and silent programs: 100 x number of settings changes made, but not uninstalled, and number of programs that run when product isn’t doing work for the user, such as displaying information or being on standby to do or prevent something.

Autorun count: 10 x number of programs installed to autorun.

Settings count: 1 x number of settings changes made.
comma, “version” and number of program, or “tested” and 6-digit date downloaded (yymmdd) if no version number is used.

So for some program categories, it’s impossible to have score of 0, which would be totally non-invasive and non-autoplaying; a screensaver would have a score of 11, minimum, and so would most system tray utilities, because it takes both a program and a setting change to have an autoplaying program. And some actions aren’t counted. There is no count of icons added to the desktop, the quicklaunch area, or to the menus. There is no count of file extensions modified to point to the new program.

Here are some examples: a toolbar program, with no version number, with one program running in the background while the toolbar was not on screen (100 points). It made 12 changes to system settings, and failed to uninstall 1 of them (12 + 100 points). Total 212 points.
Score: 212, tested 050825.

Example 2: a utility program, installs two programs that don’t autoplay and don’t run in the background, changes no settings, leaves no settings or programs behind, version number 2.1.
Score: 0, version 2.1.

Example 3: an application program, version 12.0. Installs 17 programs, 3 autoplaying. Uninstalls all of them. Makes 32 settings changes, removes 12 of them. (Typical big-product sloppiness, in short.) That’s 30 points for autoplays, 32 for settings, 2000 for orphaned settings, and no orphaned programs.
Score: 2062, version 12.0.

Note that spyware won’t always get the highest scores. Startupware is about invasive software that drags down system performance, and not about subtlety or theft.

Example 4: a screensaver, no version number, downloaded Sept 10, 2005. Installs one autoplay program, clean uninstall, one setting change that runs the screensaver.
Score: 11, tested 050910.

Example 5: printer driver, version 18.544. Installed 3 autoplays, left one behind on uninstall, 71 settings changes, 26 left behind. That’s 1000 + 2600 + 30 + 71.
Score: 3701, version 18.544.

Example 6: anti-spyware program, bundled with toolbar with no option to install only one, installed with one program but resulting in two entries in add/remove list. That’s backpack startupware, and if no permission was asked first, it’s stealth startupware. Determining Stealth or Backpack isn’t needed–it depends on disclosures and agreements, and doesn’t affect product behavior, and so doesn’t affect scoring. There are 3 autoplays, and the uninstall that matches the downloaded product removes one of them. Settings changes: 15, 10 left behind. That’s 2000 points for orphaned programs, 1000 points for orphaned settings, 30 points for autoplays, and 15 points for settings.
Score: 3045, tested 050901.

Essentially, what we’re trying to achieve is a high score for programs that fail to uninstall themselves completely, or that massively invade the system. In other words, don’t install a program with a score above 50.
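
The version 0.1 formula as an added example (not the author's code), checked against the six examples on this page. The count names and the three-snapshot set representation are assumptions of this example; Example 1 is entered with no autorun count because the page scores it that way.

```python
# Weights from the version 0.1 formula on this page.
WEIGHTS = {"orphaned_programs": 1000, "orphaned_settings": 100,
           "silent_programs": 100, "autoruns": 10, "settings": 1}

def score(counts):
    """Startupware score from a dict of counts; missing keys count as 0."""
    c = {k: counts.get(k, 0) for k in WEIGHTS}
    if c["orphaned_programs"] > c["autoruns"] or c["orphaned_settings"] > c["settings"]:
        raise ValueError("cannot leave behind more than was installed")
    return sum(WEIGHTS[k] * c[k] for k in WEIGHTS)

def label(counts, version=None, tested=None):
    """Render the score the way the page's examples do."""
    tag = f"version {version}" if version else f"tested {tested}"
    return f"Score: {score(counts)}, {tag}"

def acceptable(counts, limit=50):
    # The page's rule of thumb: don't install anything scoring above 50.
    return score(counts) <= limit

def counts_from_snapshots(before, installed, removed, silent_programs=0):
    """Derive the counts from three snapshots: before install, after install,
    after uninstall. Each is {"autoruns": set, "settings": set} (assumed shape)."""
    new_auto = installed["autoruns"] - before["autoruns"]
    new_settings = installed["settings"] - before["settings"]
    return {"autoruns": len(new_auto),
            "orphaned_programs": len(new_auto & removed["autoruns"]),
            "settings": len(new_settings),
            "orphaned_settings": len(new_settings & removed["settings"]),
            "silent_programs": silent_programs}

# The six examples from the page, entered as (counts, version, tested date).
PAGE_EXAMPLES = [
    ({"silent_programs": 1, "settings": 12, "orphaned_settings": 1}, None, "050825"),
    ({}, "2.1", None),
    ({"autoruns": 3, "settings": 32, "orphaned_settings": 20}, "12.0", None),
    ({"autoruns": 1, "settings": 1}, None, "050910"),
    ({"autoruns": 3, "orphaned_programs": 1, "settings": 71,
      "orphaned_settings": 26}, "18.544", None),
    ({"autoruns": 3, "orphaned_programs": 2, "settings": 15,
      "orphaned_settings": 10}, None, "050901"),
]

if __name__ == "__main__":
    for counts, version, tested in PAGE_EXAMPLES:
        print(label(counts, version, tested), "| acceptable:", acceptable(counts))
```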

Comments? Additions? Modifications?