Microsoft this week described how its forthcoming anti-spyware software classifies potentially harmful software and the actions it will let users take to prevent spyware and other malicious software from damaging PCs. The Windows AntiSpyware security software, current in beta testing, uses a library of more than 100,000 threats to identify potential problems and make recommendations to users as to whether the questionable software should be ignored, quarantined, or removed.

Microsoft's security software has been highly anticipated because its Windows operating system and applications have been the main target of viruses, worms, spyware, and other forms of malicious software that infect the Internet and servers and PCs. The seven-page white paper, entitled Windows AntiSpyware (Beta): Analysis Approach and Categories, says one of the problems with dealing with spyware is that much of it falls into a gray area, where it isn't clear whether the software is "bad" or "good." That makes it hard to single out the truly damaging spyware. "With the exception of malicious behaviors, many of the behaviors [of spyware] could have legitimate purposes," the paper notes.

So the Microsoft program looks at the type of software (adware, software bundler, browser modifier, etc.) as well as the risk posed by the software when it makes recommendations to users about actions they should take. "The user ultimately makes the decision to keep or remove any software," the paper says.

Microsoft researchers look at a variety of criteria when determining whether software should be added to the threat library so the AntiSpyware program can detect it and determine how that software should be classified. They look for software that practices deceptive behavior, which could mean problems involving providing notice of what's running on the user's machine or problems over control of actions taken by the software. They also look for software that collects, uses, and communicates personal information without explicit consent, that circumvents or disables security software, and that slows or damages a computer's performance, reduces productivity, or corrupts the operating system.

Microsoft engineers are expected to look at content, intent, and the source of a program when deciding which criteria categories apply. The white paper notes that certain useful software starts automatically without user input, such as antivirus products, and that other software such as print spoolers run in the background. Legitimate programs like those could be flagged as threats if care isn't taken in classifying programs.

The white paper describes in detail some of the factors the AntiSpyware program looks for when trying to determine if a program is a threat. Programs that don't provide clear information about their purpose, origin, and expected behavior before a user installs or runs it violate notice and consent expectations. Another major problem is software that installs itself without approval, a classic spyware move, as is software that initiates an outbound connection without user consent or restoring files that a user deleted.

Once a program is installed, it is essential that a user has the "ability to start, stop, and otherwise revoke authorization to a program," the white paper says. Signs of unwanted spyware include resistance to user attempts to close a program, browser windows opening up without authorization, or redirection of searches to other sites.

Windows AntiSpyware also will deal with adware and alert users to programs not under their control that automatically generate pop-up advertising. Microsoft says such advertising interferes with a user's computing experience.

Programs that don't install and uninstall themselves in a clear and straightforward manner also are potential problems. Installation of code in an obscure directory is a sure sign of trouble, the white paper says. Other potential problems can include a lack of help files for removing a program, the need to connect to the Internet to uninstall a program, and an outright failure to remove or disable a program despite a user's request.

The paper also describes examples of poor privacy and security practices exhibited by some software. Privacy problems include the absence of an easily accessible privacy policy, programs that track user browsing behavior without permission, and those that install of software for monitoring or redirecting user communications. Security problems include disabling or interfering with firewall or antivirus software, changing operating-system security settings, or running in a mode that hides processes from management tools.

Microsoft highlights six types of "malware" software that demonstrate illegal, viral, fraudulent, or malicious behavior. They include creating a back door to gain access to a program or computer system, dialers that get in and dial numbers without user knowledge, and phishing software that enters as a legitimate E-mail message or appears as a real Web site, and than scams the user for information that could be used for identity theft.

The white paper also describes ways for vendors who think their software has been wrongly classified as a threat to work with Microsoft to reclassify their programs. It also describes the SpyNet user community, made up of Windows AntiSpyware beta testers, and how they help the company discover new threats and develop definitions and classifications for those threats that are shared with others.