Recently, questions have arisen with respect to the “Ask.com” toolbar which is offered along with COMODO’s “Safe Surf” software, which is bundled with recent releases of the COMODO firewall. As a result of these questions, I was requested to provide an independent examination of these concerns as part of an internal review of the issues raised as an employee of COMODO. I can only offer that despite my employment by COMODO, it is important to note that my “independence” is contractual and therefore I’m putting my PERSONAL reputation “on the line” in this commentary. I speak for myself in what follows, without encumbrances, directives or reservations.
Let’s begin with information as to the basis for malware detection with respect to “search bars” and BHO’s (“Browser Helper Objects”) in general not only by BOClean, but by the standards of the rest of the “anti-malware community” in general. Some programs and “system add-ons” can be useful and non-malicious. Other search toolbars provided by Google, Yahoo and others are considered inert or “safe” because they go about their installation in specific, proper ways, and do not compromise privacy or security. And when their actions are discretionary and do not interfere with normal internet activities, then they are routinely judged inert and not covered.
In past years, such operations as “AskJeeves,” “MyWay,” “MySearch” and other holdings had a long history of adverse behavior not only in the way their software was designed, but also their “affiliate” programs. These improper policies resulted in “hijacking” of existing home pages or URL requests, installation of what is referred to as “additional crapware,” false “click throughs” and “page hits” when the pages were never intended to be visited, as well as hiding of these mechanisms by other means preventing the user from correcting any of these changes. We’ve always referred to these as “rogue affiliates” and “drive-by installs.” In short, clearly “Malware.”
In addition, most of these “toolbars” were surreptitiously installed as part of a “drive-by download” with the toolbar provider taking few if any steps to control the behavior of their affiliates. All were well known as “rogue” and stopped by most anti-malware programs, including BOClean.
Since that time, IAC (the current owner of Ask.com) has changed their policies and practices and has since become “responsible parties.” It’s happened before with other programs. COMODO did extensive vetting of this toolbar supplier prior to accepting this “toolbar” as now have I. Regardless of their prior activities, they have “changed their ways” and have apparently found that the only way to be accepted is to follow the legitimate requirements of the “internet community.”
BOClean, like most other anti-malware programs, decides that a “toolbar” is malware if it meets one or more of the following suspicious behaviors, which are not listed in any particular priority:
- Installed without the knowledge of the user.
- Cannot be removed by either uninstall or control panel.
- Reinstalls itself once it has been removed.
- Changes system or browser settings without asking permission first.
- Redirects page requests to other “sites.”
- “Spoofs” search sites or other “phishing-like” actions.
- Removes other pages and replaces them with “affiliate” pages.
- Transmits personal information or reports back to a third party without the permission of the user or some form of prior notification.
- Downloads and/or installs other software without permission.
- Hides itself or other components.
- Results in noticeable deterioration of browser performance.
- Results in spam.
There are other “egregious” behaviors I’ve likely forgotten, but the above are the more serious ones. Any one or more of the above will result in BOClean and most other anti-malware “detecting” any such toolbars or BHO’s as malware. However, there are “legitimate” and desirable “add-ons” which can be useful such as the “Google toolbar” or the “Yahoo toolbar” and numerous others which no one would classify as “malicious” or “suspicious” even if they are installed with other software installations.
I have personally performed a BOCLEAN analysis of the toolbar, subject to the ORIGINAL BOClean “standards” and have determined the following:
- Notification is given to the user prior to completion of installation and the user has the option of not installing the software.
- License agreement and privacy notification during installation is given.
- User can readily decline the installation of the toolbar and other options because they are not hidden or placed beyond an “expert installation mode” and are clearly visible on a “main screen” during the installation.
[0.jpg]
- The toolbar can be readily uninstalled using “Add/Remove programs” in the control panel and the uninstall is successful after a system reboot has occurred, leaving behind only an “Uninstall Ask Toolbar.dll” in the “Program Files” folder. This file is both visible in the folder, and can be successfully deleted:
[1.jpg]
- In Internet Explorer, the toolbar can be successfully disabled if the following three settings in Internet Explorer are set to disabled. It does not perform a “zombie reload” if it hasn’t been uninstalled if these settings are made in Internet Explorer:
[2.jpg]
Under Firefox, the toolbar can be disabled by unchecking it as follows:
[3.jpg]
Obviously if there is concern about this toolbar, then it should be uninstalled using the Add/Remove Programs option in Control Panel (as shown in item #4 above) which assures a complete removal. It will not recur once uninstalled.
- Behavior analysis of the added toolbar indicates that it does not contain any personally-identifying information, does not create a unique ID within its programs, does not assert itself into any other interactions, and does not do anything unless you enter a search request and submit it to ask.com or click on a button which simply loads the URL into the browser as though it were a bookmark/favorite being clicked on. No other transactions were noted in traffic analysis. Therefore, even with the toolbar present on the browser, if it is not used, no interaction occurs. The individual files, configurations, registry data, and internet traffic were examined to arrive at this determination.
Conclusion: By BOClean’s long-standing standards since 1997, the IAC/Ask toolbar included with COMODO’s “Safe Surf” does not constitute malware and therefore does not qualify for detection.
(Please note that the screenshot images only appear for logged in members - guests will not see them)
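
One way to check the uninstall and “zombie reload” points above on a test machine, as an added example that is not part of the original post and is not BOClean’s own method: this PowerShell lists every machine-wide Browser Helper Object and Internet Explorer toolbar registration together with the DLL it points to, so a run before the uninstall can be compared with a run after the reboot. The registry locations are the standard Internet Explorer ones; the post gives no CLSID for the toolbar, so the script lists all entries rather than filtering for one.

```powershell
# Added example: inventory BHO and IE toolbar registrations (64-bit and 32-bit views).
$views = @(
    @{ Software = 'HKLM:\SOFTWARE';             Classes = 'HKLM:\SOFTWARE\Classes' },
    @{ Software = 'HKLM:\SOFTWARE\WOW6432Node'; Classes = 'HKLM:\SOFTWARE\Classes\WOW6432Node' }
)

function Get-ComServerPath {
    # Resolve a CLSID to the DLL named in its InprocServer32 default value.
    param([string]$ClassesRoot, [string]$Clsid)
    $key = Join-Path $ClassesRoot "CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $path = (Get-Item -LiteralPath $key).GetValue('')
    if ($path) { return $path.Trim('"') }
    return $null
}

$found = foreach ($view in $views) {
    $bhoKey = Join-Path $view.Software 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $barKey = Join-Path $view.Software 'Microsoft\Internet Explorer\Toolbar'
    $entries = @()
    if (Test-Path -LiteralPath $bhoKey) {
        # Each BHO is a subkey named after its CLSID.
        $entries += @(Get-ChildItem -LiteralPath $bhoKey |
            ForEach-Object { @{ Kind = 'BHO'; Clsid = $_.PSChildName } })
    }
    if (Test-Path -LiteralPath $barKey) {
        # Each toolbar is a value whose name is its CLSID.
        $entries += @((Get-Item -LiteralPath $barKey).GetValueNames() |
            Where-Object { $_ -match '^\{' } |
            ForEach-Object { @{ Kind = 'Toolbar'; Clsid = $_ } })
    }
    foreach ($e in $entries) {
        $dll     = Get-ComServerPath -ClassesRoot $view.Classes -Clsid $e.Clsid
        $present = [bool]($dll -and (Test-Path -LiteralPath $dll))
        [pscustomobject]@{
            Kind       = $e.Kind
            Clsid      = $e.Clsid
            Dll        = $dll
            DllPresent = $present   # registration left behind with no file = orphan
            Signature  = if ($present) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
        }
    }
}

$found | Sort-Object Kind, Clsid | Format-Table -AutoSize
```

An entry that is gone after the uninstall and reboot, and stays gone on later runs, matches the “will not recur” behavior described above; an entry that comes back would correspond to the “reinstalls itself” criterion in the list.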