back to article Malwarebytes may not be allowed to label rival's app as 'potentially unwanted'

The US Ninth Circuit Court of Appeals last week ruled that Enigma Software Group can pursue its long standing complaint against rival security firm Malwarebytes for classifying its software as "potentially unwanted programs" or PUPs. Florida-based Enigma has been trying to hold Malwarebytes accountable for blocking its …

  1. OhForF' Silver badge

    Legal definition of malicious software

    I'd love a rule that allows any functionality that is installed without the device administrators informed consent to be called malware.

    Even if it does not anything bad it should not be there if it comes as a surprise - especially (but not limited to) when it is automatically installed with some 3rd party software.

    1. Mark 85

      Re: Legal definition of malicious software

      That might be true for any enterprise that has professional admins. For most users, they just blindly install almost anything even at work on a company boxen. Hell, they click through just about averything that presents a "accept" button. I'm retired IT but get a lot of phone calls from "friends" who computers have suddently crashed or doing "strange things". I've been sending to local computer shops to get their boxes wiped and fresh OS and programs installed.

      1. Anonymous Coward
        Anonymous Coward

        Company boxen are easy to control for though

        This is a solved problem.

        On Windows: WDAC and/or Software Restriction Policy "just works" to restrict what can be executed. For lazy sysadmins, Smart App Control with Optional/Full Telemetry enabled (and appidtel start ran on boot) will outsource decisions to Microsoft instead. Group Policy and/or MDM allows you to deploy policies to all corporate machines at once. In the case of Smart App Control, this is available even to home users.

        On macOS: Google created an open-source tool called Santa which allows you to permit only approved Team IDs, certficates and hashes of binaries you wish to allow, blocking everything else. A central server can be used to share policies with large numbers of machines.

        On Linux: fapolicyd deals entirely with hashes of approved binaries, which on a RHEL or Fedora system, automatically permits installed RPMs which are part of the repos but nothing else by default. For extra protection, one can have all users log in with user_r SELinux role too.

    2. Joe W Silver badge
      Trollface

      Re: Legal definition of malicious software

      Now that would immediately affect all Microsoft programs, and especially the OS, wouldn't it[*]? (sorry... if I hadn't written that somebody else would arf)

      [*] it is, for example, unexpected that MS in their infinite wisdom always set the default programs (sorry, "apps") to their own offers, even when it makes no sense (like PDF or SVG files), even (and especially when) those have been associated with other programs...

  2. JessicaRabbit

    I'd be interested to hear Malware Bytes' justification for labelling Enigma's software as a PUP.

    1. diodesign (Written by Reg staff) Silver badge

      History

      It's a bit messy but it goes back to 2016 when Enigma sued a blog for posting a negative review of Enigma's Spyhunter. Enigma then, in a lawsuit against Malwarebytes, claimed the blog was affiliated with Malwarebytes, and the classification of its Spyhunter as a PUP was in part a retaliatory move.

      MB said at the time Spyhunter simply met its criteria of a PUP. Enigma says its tools aren't PUPs.

      C.

    2. that one in the corner Silver badge
      Trollface

      PUP or no PUP?

      Conversely, has Enigma ever *proven* that its software actually does anything and, if it does, does it do that thing completely and with total accuracy?

      If not, then does it have an argument for saying its software *isn't* "potentially unwanted"?

      Even if there is a totally benign bit of software (i.e. doesn't do anything bad) sitting on my system, if it doesn't do anything good either then I probably do not want it!

    3. Phones Sheridan Silver badge

      From Wikipedia - https://en.wikipedia.org/wiki/SpyHunter_(software)

      "SpyHunter is often labeled an Potentially Unwanted Program due to its misleading results of always showing infections, including on clean computers, and injects tracking cookies into a users browser, raising concern whether it is legitimate or not."

      Looks, walks and quacks like a PUP to me.

      That comment has been there since Jan 29 2021. If only a reputable IT publication could perform an independent and objective review of the current version of the software. Anyone know one?

      1. Anonymous Coward
        Anonymous Coward

        Love you guys

        but I'm not installing THAT crap on one of my machines to test it. Wouldn't put it on the Reg staff either, but they have a masochistic streak so I'd gladly read the account if they want to suffer through a write-up. I'm guessing wasting time putting scareware from thin skinned sue happy garbage peddlers might not suit them.

        I'd be inclined to listen more closely to their howls if they had made it above window defender in any of the industry testing in the last 20 years. There are plenty of other shady players in the industry too, but even some of the worst of them are ranked. Norton/Lifelocks management belongs in jail, along with McAffee (the company), but at least they at least beat Defender once or twice even if it was over a decade ago.

        Also, may the mad man himself rest in peace. I can only image his take on this, after telling his own company to change it's name years later.

      2. Dave K

        Should also add that the free version apparently cannot remove anything. So you run SpyHunter, it claims to find malware, then pushes you to buy a copy - even if the computer may be clean in reality.

        I should add that these are the claims floating around, what we really need is some independent verification of them - something that seems to be lacking from what I've seen. Either way, SpyHunter does currently have a decidedly fishy reputation, so it is understandable why it may be flagged as a PUP.

        1. Orv Silver badge

          Yeah, I don't know if it's *malicious* exactly, but it's shady, and I've had to deal with panicked users who installed it and thought their computer was infected. It doesn't help that there are several products with similar names and varying levels of legitimacy.

      3. Falmari Silver badge

        EndangeredPootisBird

        @Phones Sheridan "That comment has been there since Jan 29 2021."

        It's Wikipedia, so the comment must be true. After all we can rely on what user EndangeredPootisBird posted to be accurate and true, They have never posted misinformation before or since, as this is their one and only ever edit.

        I like @JessicaRabbit would like to know Malwarebytes' justification for labelling Enigma's software as a PUP. If they can justify labelling Enigma's software as a pup then Enigma have no case. But hiding behind Section 230(c)(2)(B) looks like they have no just reason to, they are just blocking a rivals software.

        Both companies have free and subscription versions of their software for download on the internet, meaning users may choose to install both companies apps.

        1. Orv Silver badge

          Re: EndangeredPootisBird

          But hiding behind Section 230(c)(2)(B) looks like they have no just reason to, they are just blocking a rivals software.

          Or they're looking for a blanket ruling so they don't end up in court every single time they label a product as harmful. That would make it pretty well impossible for them to operate.

      4. jgard

        Agreed, but given the shabby behaviour of the app, I'd suggest calling it PUP is letting it off lightly. There seems only one appropriate response: upgrade it to an UP! There's no P about it in my opinion!

      5. iron

        > injects tracking cookies into a users browser

        I'd go further, that is not a PUP, that is spyware.

        Spyhunter is no better than inviting NSO Group into your devices to spy on you for one of their despotic customers.

    4. CommanderGalaxian

      Think you'll that many things - e.g. the likes of NMap and Wireshark - also get classified as PUPs (by Malwarebytes and others) - and that's fine because if you have installed them yourself, all you do is tick the relevant tick-box to add them to the safe list. Of course, if you haven't installed them, then you need to be alerted to their presence and probably want to worry.

      Most vendors of "dual use" software aps don't get fussed - so what's Enigma trying to hide?

      1. BobTheIntern

        Absolutely agreed! I recall reading warnings from antivirus software prior to running a scan which explicitly stated that any other anti-virus/malware tool(s) installed on the system *might* be labeled as a PUP just due to the nature of the software. (I'm guessing primarily due to the presence of internal databases containing numerous definitions/hashes of various trackers, viruses, and other malware - but that is just a guess and likely a poor one at that).

    5. Agamemnon

      I actually just asked Marcus.. I'll get back when he responds.

  3. alain williams Silver badge

    What does this say about Microsoft ...

    not just labelling Firefox as bad but actively replacing it as the user chosen web browser and setting Edge as default ?

  4. Doctor Syntax Silver badge

    Somewhere the case seems to have lost site of the essentials: Can Malwarebytes prove that Spyhunter is a bug and/or can Enigma prove it isn't?

    1. Anonymous Coward
      Anonymous Coward

      Yeah, the burden may be on Enigma

      and most companies don't want to risk the brand damage of losing a case like this in court.

      Of course of the assertion holds that Enigma's customers/victims were tricked they may also end up proving themselves liable for further legal action, and giving up evidence showing that their users weren't aware of the companies practices.

      This has all the hallmarks of a suit that gets dropped a day before the court date.

      1. Not Yb Bronze badge

        Re: Yeah, the burden may be on Enigma

        This is an appeals court decision. It wouldn't have gotten this far if it was going to be "dropped a day before the court date."

    2. Mark 85

      Judges and juries and even most lawyers don't have a clue about IT matters so it's all voodoo to them.

    3. Orv Silver badge

      I think part of the problem for Malwarebytes is if they go that route, they're setting a precedent where every labeling decision they make can be litigated -- which would just make it impossible for them to operate.

      1. Anonymous Coward
        Anonymous Coward

        There's an easy way to solve the problem

        The security industry should set up an open source, openly documented encyclopaedia of malware, PUMs and PUPs, regulated by chartered institutions like the BCS. Any company blocking anything listed there can point to it as a resource and confidently state "this is what the foremost experts across the security industry, academia and IT in general have to say about this software". This would also allow people to make fully informed decisions too, as some detection signatures exist to "protect" home user systems against legitimate tools which are commonly abused as part of payloads, such as NirSoft password recovery tools and produkey.

        1. Orv Silver badge

          Re: There's an easy way to solve the problem

          That's not a bad idea, but in this case I think it's just adding another target for the lawsuit.

        2. JulieM Silver badge

          Re: There's an easy way to solve the problem

          The problem is, there are many people in the industry benefitting handsomely from business models which depend on opaque, proprietary software doing something other than what it said it was going to do.

    4. Michael Wojcik Silver badge

      That's not only not essential, it's not even relevant. The question for the court is whether one vendor needs to justify what its product says about another product in the first place, not the individual merits (or lack thereof) of Malwarebytes or Spyhunger.

      If, in general, a vendor can be compelled to provide such justification, then the court has effectively killed most anti-malware software.

      This is a terrible decision by the Ninth Circuit panel. I agree with Goldman; we need an en banc hearing, and if we get one, I certainly hope the majority are more sensible than the two who decided to return this case to the district court.

    5. druck Silver badge

      Maybe the judge can determine the answers to the following three questions:

      1. Does the program perform a useful and accurate service, or is it's primary reason to create fear and extract payment?

      2. Is any payment system reasonable and transparent, or does it use deceptive practices such as auto-renewal?

      3. Can the program be removed from the machine easily, or does it require specially software to eradicate it?

  5. Anonymous Coward
    Anonymous Coward

    Sold a PUP

    How about a new label?

    Something like:

    - Christ no

    - Hmmmmm

    - Come on now Ted

    - There be Dragons

    - You’re kidding, right?

    1. Blazde Silver badge

      Re: Sold a PUP

      I was thinking totally barefaced newspeak might be the thing if 'potentially unwanted'/pup isn't already weasel enough..

      "Malwarebytes has found something. Look! it's a totally adorable kitten answering to the name of Enigma. Would you like to give it a soft ball of wool to play with and put it safely in it's playpen so it won't be accidentally trodden on by any of your potentially wanted programs?"

    2. Orv Silver badge

      Re: Sold a PUP

      "Careful there."

  6. mmccul

    I'm just envisioning the implications to firewalls that do threat detection and classification of websites based on such precedents, not to mention other, more useful tools in the anti-malware arena.

    It would not be pleasant to say the least.

    1. Joe W Silver badge

      I recall a time, when dinosuars still ruled Earth (or maybe just as recent as the Pleistocene?) and the windows security components were all too happy to try to disable your virus scanner and other security related programs, locking up the machine in the process. Is that a desirable outcome? What if MS would use its market position to bring this behaviour back (only this time doing it right, i.e. without locking up the whole machine) and squeeze out any other security suite, because they are free to flag it as a PUP?

      It would not be pleasant, to say the least.

  7. Brewster's Angle Grinder Silver badge

    Fucking lawyers!

    1. Norman Nescio

      Get angry with the correct target.

      If, as I might surmise, you are not 100% positive in your feelings about members of the said august profession, then that is possibly the last activity you would want them to perform!

      And while people might feel aggrieved at lawyers doing their best for their clients, the people to be angry with are the ones who make the poorly drafted and illogical laws in the first place - the politicians, ably assisted by the lobbyists. Direct your ire to the cause of the disease, not the symptoms.

  8. katrinab Silver badge
    Unhappy

    There is one thing missing from this discussion

    Is this thing actually spyware or not? That surely is what matters, not some nebulous discussion about various competing legal rights.

    1. Michael Wojcik Silver badge

      Re: There is one thing missing from this discussion

      No, it very much is not what matters. See my response to Dr Syntax above.

      Some people seem to be having a forest-and-trees problem here.

    2. JulieM Silver badge

      Re: There is one thing missing from this discussion

      The "competing legal rights" here are the right of customers not to be spied on by suppliers, and the right of suppliers to spy on their customers.

  9. Anonymous Coward
    Anonymous Coward

    Is this an outlier?

    (Posting as anon as I used to work for a (respected) company that does anti-virus n stuff but I don't want anyone to think I speak for them.)

    Most apps classed as PUPs really are unwanted, and doing low-grade dodgy stuff like home page redirections or back door analytics tracking. Dubious, let's say (as the current phase has it, "unwise but not illegal"). The really bad stuff like installing trojans or stealing credentials are not graded as PUPs. Most of the people pushing PUPs get them installed by by taking advantage of naive users, stuffing them them into installation packages for otherwise useful stuff. In short most of the PUP farmers know they are being slightly dodgy but don't want to attract attention. If you're smart enough to have installed some endpoint virus detector, and remove their stuff from your PC, you're no longer their target market.

    Working at $ANTIVIRUSCOMPANY for eight years, I was only aware of a handful of cases where a PUP categorization had a strong objection from the PUP vendor. Errors do happen from time to time, so the $ANTIVIRUSCOMPANY updates its database, and does what it can to correct the record if it considers an error of fact has been made. I got involved a couple of times ensuring that long-archived webpages were properly updated.

    What I'm saying is that this specific case, regardless of its merits, feels very much like an outlier. I would hope that we don't get into a "hard cases make bad law" situation... <sigh>

  10. Mister Dubious
    Facepalm

    Bashing the competition

    Memories...

    Long ago I worked for a document-editing and -management company. We were not the only such company (just the best:), so we had competitors. All the competing products featured spelling checkers, and one competitor's checker flagged $OURPRODUCT as a misspelling and suggested $THEIRPRODUCT as the correction.

    Should we have sued?

  11. Anonymous Coward
    Anonymous Coward

    I'm torn on this one...

    On the one hand, from the descriptions above, Enigma really is an unwanted program - falsely claims infections to try to get you to buy it. Ugh. So in reality, I'd really appreciate REAL antivirus/antimalware programs detecting and removing it.

    On the other hand, being able to label something *legitimate* as unwanted and remove it with no legal recourse seems like a really bad idea. For instance, imagine Windows on a dual-boot machine suddenly saying "Windows detected the 'Linux' malware on another partition, and erased it. You're welcome." Using this to be anticompetitive really should be prohibited.

    So it boils down to the definition of malware and "potentially unwanted programs". How exactly do we codify that in law?

    (Amusing anecdote: Back when I ran Windows, I had a program that was routinely marked as a PUP. It was a small executable that, when run, would pop up a screen with Coca-Cola logos on it, thank you for being such a great customer, and had a button to receive a free cupholder. When pressed, the CD drive would open. Strictly a lark, but my AV definitely didn't like it.)

    1. Claptrap314 Silver badge
      Pint

      Re: I'm torn on this one...

      I had NO idea where that was going. Have one! ---------------------------------------------------------------------------------------------------^

    2. David 132 Silver badge

      Re: I'm torn on this one...

      > For instance, imagine Windows on a dual-boot machine suddenly saying "Windows detected the 'Linux' malware on another partition, and erased it. You're welcome." Using this to be anticompetitive really should be prohibited.

      Funny you should mention that as an example, because Windows already does something fairly similar. Who here has installed a Windows update, then booted to the desktop and had a popup along the lines of “$APPLICATION is not compatible with this version of Windows and has been uninstalled”?

      Which drives me mad. Firstly, it’s the unearned smugness of it. “We did you a favour and messed up your workflow!”

      Secondly though, define “not compatible”. That could be anything from “immediately crashes and takes down the whole system” to “works perfectly unless you try to print to a hard copy” (in which case, a perfectly reasonable response by the user might be: “I know, I don’t even have a printer anyway, and I need this old app to (access old financial records, photos, whatever)”. Or it might be that the app in question is installed on C: but is only ever run under WINE from the dual-boot Linux partition.

      Either way, my point - if I have one? - is that applications shouldn’t be uninstalled without the clear consent of the user.

      I’m NOT siding with Enigma here. What I have read here and elsewhere makes me inclined to never, ever let their software anywhere near my systems. And Malwarebytes aren’t automatically uninstalling it; they’re just flagging it as a PUP. To return to my analogy, if Windows simply popped up with “hey, $APPLICATION might not be fully compatible with this version of Windows, click here for details” - that would be a lot more acceptable.

  12. FarnworthexPat

    re: keyspace

    From a Social Security Administration publication:

    "Until 1972, the area number indicated the location (State, territory, or possession) of the Social Security of- fice that issued the number. When the Social Security numbering system was developed, one or more area numbers were allocated to each State based on the anticipated number of issuances in the State (table 1). Because an individual could apply for an SSN at any Social Security office, the area code did not necessarily indicate where the person lived or worked. Since 1972, the Social Security Administration has been issuing SSN’s centrally from its headquarters in Baltimore. The area code now indicates the person’s State of residence as shown on the SSN application."

    That would be consistent with my experience; my SS number is within the range for New Jersey, my residence when I applied, and my daughter reflects Massachusetts our residence when I applied on her behalf.

    1. Orv Silver badge

      Re: re: keyspace

      A university I went to had to explain to profs that listing partial social security numbers as student IDs was a bad idea, for this very reason. Under the old system, if you knew the last four digits of an SSN, and you knew where the person was from, guessing the whole thing was not hard; you already had seven of the nine digits.

    2. David 132 Silver badge
      Thumb Up

      Re: re: keyspace

      I am in full agreement with what you wrote, but what does it have to do with the discussion of Malwarebytes’ contentious classification of a PUP?

      Did you inadvertently reply to the wrong article, intending instead to contribute to this one about a university’s PII data leak? :)

      1. X5-332960073452
        Trollface

        Re: re: keyspace

        Just another PUP - potentially unwanted post

  13. DrG

    Seems to be beside the point

    If I'm using Malwarebytes, it is a choice. The choice of using their opinion on what is or isn't undesirable software on my computer. If their classification was more vindictive than accurate, I would simply stop using the software. Their expertise is what I, in this scenario, have voluntarily bought. Go ahead and classify away!

    What has the court have to do with anything here? Malwarebytes role to protect brands on my computer is non-existent. I really want them not to care about brands.

    What a world we live in. Please, technologically illiterate judges, tell me what is good for my PC...

  14. Lost in Cyberspace

    Where do we draw the line?

    It seems like every antivirus app could now be regarded as a PUP for adding extra features without making it completely clear and/or to sell extra features (even though the program was initially touted as complete protection).

    Even Malwarebytes does this (despite being one of my preferred cleanup tools). It tries to add browser add-ins and a VPN service.

    The Avast/AVG/CCleaner group have a particularly harmful business model. What starts as a free AV ends up selling 5 or 6 services and a browser that pops up on startup. I've even seen clients with several copies of apps doing the same thing, just branded as CCleaner or AVG instead. £200+ a year! That is a PUP I would not install.

    TotalAV - £149 a year and difficulty getting refunds.

    Even Norton and McAfee hijack your search results and replace your preferred SE with 'Secure Search' - full of junk results, plus a whole page of sponsored spam and scams. Definitely not as safe as Google or DDG.

    1. X5-332960073452
      Stop

      Re: Where do we draw the line?

      Yep, Avast Secure Browser (amongst others) 'says' it protects you from unwanted tracking, read the T&C's - Avast now gets all your juicy data !!!

    2. Cav Bronze badge

      Re: Where do we draw the line?

      "It tries to add browser add-ins and a VPN service."

      No, it doesn't. It offers you those extra features, with only the VPN costing more, which is perfectly reasonable. You don't have to install the extra features. I use Malwarebytes on all my devices. It most defintely doesn't meet the criteria for being a PUP.

  15. BPontius

    In Living Off the Land attacks hackers use legitimate apps and tools to access, control and destroy your PC and it's data. Alternate data streams is a legitimate way for programs to load data into memory but hiding and not showing obvious evidence of this to the user. A valid program included in Windows 10/11 is BITSadmin, Microsoft's freely available System Internals Suite has a program called stream that offers the same functionality. Among many others easily downloaded through an alternate data stream, hiding the activity from the user.

    Taskmgr, taskscd, BCDedit, format, msconfig, regedit, gpedit, rundll32, eventvwr...etc are all legitimate Windows 10/11 system tools and commands that can be used to subvert and damage your PC. Hackers are hiding malicious code in .ini files, storing scripts and programs as data to be translated and run in memory or through PowerShell. Javascript is standard and essential across the Internet and scripts can be hidden or encapsulated to run from seemingly innocuous sources. The NSA hacked most of the popular antivirus products to help spy on people after 9/11 (may still be doing so), so the very program(s) you depend on to protect you can be turned into a PUB and blocked or disabled. Windows 10/11 itself is full of PUBs. Where do you draw the line and who decides that line?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like