PUP Guidelines for detection in G DATA products

This article explains the rules we use to generate PUP (Possibly Unwanted Program) detections.

We are publishing these guidelines to allow our customers and partners to determine whether a piece of software should be classified as a PUP (Possibly Unwanted Program). G DATA analysts strongly adhere to these guidelines whenever they issue a PUP verdict for software we analyze at G DATA. However, this is not limited to single instances of the software itself but also encompasses the behavior of the company behind the software. Usage of software boils down to a consensual contract between two parties: the user and the software developer/vendor/distributor, subsequently called "distributor" in this document.

All features in a piece of software cost time and money for development, testing and maintenance. It is therefore highly unlikely that commercial software includes unnecessary features, and all features encountered have to be assumed to have been added for specific purposes.

That said, mistakes can happen. However, mistakes are expected to be fixed, especially if they are to the disadvantage of the user. Repeated "mistakes" that disadvantage users are highly unrealistic.

If a piece of software violates one or several of the following rules, a classification by G DATA as “potentially unwanted” is very likely. Customers who still want to continue using such software can always choose to do so by disabling the detection of “potentially unwanted programs” in G DATA's antivirus software suites.

Fraud

Hereby defined as "wrongful or criminal deception intended to result in financial or personal gain." Fraud is always intentional; any kind of fraud will result in a PUP classification or worse.

Examples of fraudulent software behavior:

  • Pretending to be software or a service from Microsoft or another legitimate vendor while that is not true

  • Showing a fake countdown for a fake limited time offer

  • Registration which turns out to be a purchase or subscription

  • Showing different behavior in virtual environments than on real hardware

  • Showing fake warnings or pop-ups that have no basis in fact

Misleading

Hereby defined as "giving the wrong idea or impression". Misleading a user is not necessarily intentional; it can be the result of a bad choice of words, for example due to bad translation. However, if we find misleading information to be intentional, we will classify the software as potentially unwanted.

Intention may be difficult to prove, but some examples of where information about misleading users can be found are:

  • Software behavior (claiming to optimize your PC but not doing so)

  • Dialogs and texts in the application's GUI (graphical user interface), for instance hiding the fact that software is extensively collecting personally identifiable information

  • Distributor or software history

  • Other software from the same vendor and website/web shop

  • Campaigns limited to, for example:

    • Time

    • Region

    • Software/hardware environment

Purpose and Benefit

The purposes of a piece of software can be divided into 2 categories: purpose for user benefit and purpose for distributor benefit.

For software to be viable, it has to have user benefit, or else no one is willing to use it. On the other hand, the software must give the distributor some benefit, or development of the software was a waste of time and money. In most cases software is intended to generate some kind of revenue.

For a fair contract, the benefits for both sides have to be balanced. If the balance tilts too heavily in the direction of the distributor, however, there is a higher chance that this software is potentially unwanted.

  • Software must have user benefit

  • Each feature should have a purpose towards user benefit

  • If a feature does not directly benefit the user it must have a written justification

  • The price the user pays must be clear and not outweigh user benefit

Advertising

Offers the software makes during or after installation, at runtime or during uninstallation are also counted as advertising.

Advertising can be divided into 2 categories:

Advertising promoting the software/service

  • Affiliate Marketing usually advertises the software

    • It is the distributor's responsibility to keep affiliates in line; violations of these guidelines by affiliates will also result in a “potentially unwanted” verdict for the software developer and distributor

    • Affiliates cannot be used as an excuse for unwanted installations

    • Affiliates must not violate any of the ad rules laid out in the section for advertising done by the software/services below

  • Self-advertising in other software from the same vendor

Advertising done by the software/service

  • Distributor takes full responsibility for ads shown to the user

  • Ads must comply with the law in the user’s region

  • Ads must not be fraudulent or misleading

  • Ads must not be offensive

  • Ads must not be malicious

  • Ads must not advertise known potentially unwanted applications

  • Ads must not hinder or interfere with the operation of the computer and/or other software

  • Advertised software must be installable with explicit user consent only

Environmental Awareness

Environmental awareness can be used legitimately to provide the correct language and files for the operating system.

However, it is often used by potentially unwanted software as a means to determine which offensive behavior can be carried out without being detected. This is equivalent to using a defeat device as in the Volkswagen Diesel scandal. When it detects that it is running in a test environment, the software behaves differently than on potential customers' PCs.

Examples of detected environments:

  • Virtual Machine (VMware, VirtualBox, …)

  • Anti-virus software

  • Anti-spyware software

  • Region (geo IP, language, time of day, …)

Examples of differing actions:

  • Installing a trial version only on real hardware, installing the full version on virtual machines

  • Showing ads only on real hardware, not showing ads on virtual machines

  • Installing intrusive browser add-ins or other software modules only on real hardware, not in virtual machines

Installation

There are very few legitimate use cases for the silent installation features of common installers like Inno Setup. The most common legitimate case is deployment by a network administrator. However, in this case the EULA of the software in question needs to explicitly label the software as intended for business use.

Silent installation features are mostly used so that affiliates can install without proper user consent.

  • Trial versions do not have legitimate use cases for silent installation

  • Software for consumers usually does not have legitimate use cases for silent installation

  • Silent installation removes all consent to all installation dialogs, EULA and Privacy Policy. Since it voids those, there is no valid legal contract between the user and the distributor

EULA (End User License Agreement)

The EULA (End User License Agreement) must not contain anything surprising or anything violating the law in the country in which the software is to be used. All surprising or unreasonable items are illegitimate. Examples of such items are:

  • Use of fake malware to demonstrate malware detection

  • Use of cryptocurrency miners

  • Collection and/or trade of personally identifiable information

Everything that additionally benefits the distributing party must be explicitly declared during the installation process outside the EULA; for examples, see the list above.

Data Privacy Policy

Certain principles should be observed in data protection regulations.

The privacy policy:

  • Must be GDPR compliant if the software wants to operate in Europe

  • Must not contain anything surprising

  • Must not declare personally identifiable information as “pseudonym” or “anonymous”. Use of personally identifiable information must not be hidden.

All irregular contents must be explicitly stated in an installation dialog. This means that any additional data gathering that is not necessary for the application to function must be opt-in (the user has to actively set it to active), and it must be explained in the installation dialog in a way that everybody can understand it and the resulting consequences. Examples of data collection that should be explained properly if used:

  • Collection and/or trade of PII (personally identifiable information)

  • Collection and/or trade of hardware information

  • Collection and/or trade of 3rd party software usage/install information

  • Collection and/or trade of visited web pages

  • Collection and/or trade of credentials for 3rd party services

Trial/Full version

The nature of the software must be made clear during installation. This means it must be explicitly made clear whether it is a full or trial version, which features and functionality are given, and which restrictions are in place. Trial versions are not entitled to any kind of compensation from the user except for contact information; they must not monetize in any way until the user decides to upgrade to the full version.

Autostart

Autostart entries must be justified and necessary for the application to function. Examples of possible autostart entry locations are:

  • Autorun

  • Service

  • Scheduled task

Examples of legitimate autostart entries are:

  • Running an antivirus service

  • Checking for software updates

Examples of non-legitimate autostart entries:

  • Driver updater scan on every system start

  • Multiple scheduled tasks for registry cleaner trial

  • Service installed by software downloader

Runtime

During runtime, software must work as promised to meet the user's expectations and deliver the user benefit. Any functionality that does not work towards these goals must be justified.

Examples of justified distributor benefit:

  • Occasional reminder of software being in trial period

  • Advertising benefit of full version

  • Appropriately showing advertising in ad-supported software

Examples of non-justified distributor benefit:

  • Checking for competitor software

  • Showing advertising for 3rd party software or other software of the same distributor in a trial version

  • Advertising for other software of the same distributor disguised as a feature

Uninstallation

Uninstallation must be easy to find and execute.

  • Must be complete and not leave files, autostart entries or registry manipulations on the system

  • Default action for uninstallation must be to uninstall

  • Must not be harder than installation

Website / Web shop

The website and/or web shop represent the company and the software.

  • Must be truthful and clear and must not obscure/hide information

Examples of illegitimate website/web shop practices:

  • Showing a product matrix but all links to the different products lead to the same product

  • Use of fast countdowns to pressure the customer

  • Use of fake countdowns

  • Number of remaining units is made up (there is no “limited stock” in software downloads)

  • Countdown stops without offer period ending

  • Application is always on sale or sales “events” are outdated

  • Adding other products to the shopping cart by default

Reputation

The history and reputation of a distributor and its software can indicate the distributor's stance in the present as well as how the software may behave.

Depending on its history, a distributor has a different level of credibility. A vendor will get low credibility by:

  • Being a repeated PUP offender

  • Feigning ignorance towards PUP criteria

  • "Testing" new violations

  • Implementing aggressive affiliate programs

  • Prioritizing profit over user benefit

  • Using very generic product names that may not even use persistent company names or advertise the company name with the product at all

  • Being reported by users to be misleading or even fraudulent

  • Communicating in a harsh, threatening or insulting manner

  • Trying to bypass detection

  • Feigning ignorance on basic technologies

Vendors are able to get high credibility within the industry when they:

  • Have fixed all PUP offenses in the past or have never had PUP offenses

  • Prioritize user benefit

  • Adhere to software industry standards like the CSA