[SOLVED] How can I prove to a customer that AV doesn't typically pick up adware and that it's intentional?

tgrundman

All too often I have a customer that gets infected with adware/toolbars etc and asks "Why didn't my antivirus catch it?"

I always tell them that "anti-virus programs don't typically detect that stuff. They more protect against stuff that could potentially steal your data, but junkware isn't really classified as a virus since it doesn't do anything other than bog your computer down, even though it spreads like one".

They generally accept that line, but if I were to put myself in their shoes, then it seems like the guy who just fixed my computer said there are viruses that the anti-virus companies intentionally don't catch. I wouldn't blame a customer for being wary of my explanation.

So is there any kind of reference that I can show a customer that is proof beyond just my word? Like maybe a written statement from Symantec or something. The only reason I know it is because I see it parroted on forums, I have never seen an official source.

Thanks!
 
Show them the scan results/log from Malwarebytes which (assuming there are no viruses) should list its findings as PUPs (Potentially Unwanted Programs), i.e. non-malicious items.
 
You know, reading your post really makes me think about just how much effort an anti-PUP product must have to put in to keep up with what's legit and what isn't legit.

An antivirus company can send out spider bots and detect patterns of unwanted behavior and boom, you've got fresh variants ready to be added to the definitions, but a PUP? I mean, let's be serious here, I have a good number of extensions running myself; flagging what's potentially unwanted and what isn't won't be as easy. You can't just flag all the ones that can manipulate a page as PUP since many legit extensions have that capability.
 
> Show them the scan results/log from Malwarebytes which (assuming there are no viruses) should list its findings as PUPs (Potentially Unwanted Programs), i.e. non-malicious items.

But won't that just solidify their argument against me? "But that program caught the virus! You're lying!"

I've also read MBAM shouldn't be used as a real-time scanner on a machine. Is that still true? I never see MBAM in any of the AV comparison charts.
 
> I've also read MBAM shouldn't be used as a real-time scanner on a machine. Is that still true? I never see MBAM in any of the AV comparison charts.

But MBAM is not an AV program. It is an anti-malware program.

As an aside, do you install Unchecky on any of your clients' machines? If not, I suggest you start doing so, and explaining to the client how it works, and helps in stopping unwanted/unneeded programs from installing on your clients' machines.
 
Surely the label, 'Potentially Unwanted Program', backs you up. That says it all for me -- It's not malicious, just probably not a piece of software they wanted.

But that still doesn't solve the issue. In that scenario I'm literally showing them the opposite of what I'm telling them. I'm telling them that AV programs don't catch PUPs, but then I turn around and show how MBAM is catching PUPs. The customer won't understand the difference between AV and antimalware. I was just looking for some official announcement, surely there's got to be a large swath of Norton customers who've asked "why aren't you catching PUPs??" and there is no official answer from them?

> But MBAM is not an AV program. It is an anti-malware program.
>
> As an aside, do you install Unchecky on any of your clients' machines? If not, I suggest you start doing so, and explaining to the client how it works, and helps in stopping unwanted/unneeded programs from installing on your clients' machines.

Okay, that's what I thought. I never recommend MBAM as a real-time antivirus. Typically a customer will bring me a machine that is infected with tons of PUPs that "got past their antivirus" and want to know why, so I want to have a little evidence beyond just my word showcasing "that's how it is, sorry".
 
This is kind of like trying to explain things to a customer that thinks antivirus companies and virus writers are working together. If they've got their tinfoil hat on, there isn't much use trying to reason with them. It's frustrating, but out of your control.
 
> This is kind of like trying to explain things to a customer that thinks antivirus companies and virus writers are working together. If they've got their tinfoil hat on, there isn't much use trying to reason with them. It's frustrating, but out of your control.

I don't think that's necessarily true in this case. I think it's completely reasonable for a customer to ask for a source on my claim, there's really no tin-foil hat needed for that.
 
> Okay, that's what I thought. I never recommend MBAM as a real-time antivirus. Typically a customer will bring me a machine that is infected with tons of PUPs that "got past their antivirus" and want to know why, so I want to have a little evidence beyond just my word showcasing "that's how it is, sorry".

You could always install MBAM Premium on your clients' machines, and increase your rate to compensate for the cost.

Or install the free trial version of Premium. Then add in your calendar for 14 days' time to contact them, to see if they like what has happened, and if they want to go ahead with the premium version.
 
> You could always install MBAM Premium on your clients' machines, and increase your rate to compensate for the cost.
>
> Or install the free trial version of Premium. Then add in your calendar for 14 days' time to contact them, to see if they like what has happened, and if they want to go ahead with the premium version.

I think maybe my question is not clear, sorry.

Customer: "Why didn't my antivirus program detect it?"
Me: "Because AV programs don't typically detect junk programs"
Customer: "Oh interesting. How do you know that?"
Me: "Because a bunch of uncredible sources on the internet said so"

I don't really like my response to the 2nd question. I'd like a credible source that backs up my claim, rather than just banter on some forum.

Thanks!
 
> All too often I have a customer that gets infected with adware/toolbars etc and asks "Why didn't my antivirus catch it?"
>
> I always tell them that "anti-virus programs don't typically detect that stuff. They more protect against stuff that could potentially steal your data, but junkware isn't really classified as a virus since it doesn't do anything other than bog your computer down, even though it spreads like one".
>
> They generally accept that line, but if I were to put myself in their shoes, then it seems like the guy who just fixed my computer said there are viruses that the anti-virus companies intentionally don't catch. I wouldn't blame a customer for being wary of my explanation.
>
> So is there any kind of reference that I can show a customer that is proof beyond just my word? Like maybe a written statement from Symantec or something. The only reason I know it is because I see it parroted on forums, I have never seen an official source.
>
> Thanks!

I get that question all the time. My response is simply that adware/toolbars aren't viruses (in the sense that most people picture viruses as things that delete their files, crash their computer, kick their dog and steal their wife).

It isn't the job of antivirus to catch crappy add-ons and toolbars. A hammer drives nails, a screwdriver turns screws.
 
> I get that question all the time. My response is simply that adware/toolbars aren't viruses (in the sense that most people picture viruses as things that delete their files, crash their computer, kick their dog and steal their wife).
>
> It isn't the job of antivirus to catch crappy add-ons and toolbars. A hammer drives nails, a screwdriver turns screws.

That's what I tell them too, but I'm looking to provide them with something more than just my word, I'd like a credible source, but I'm starting to think that no AV company has ever stated outright that "We don't deal with PUPs because ____". Must just be an unwritten rule.
 
> I think maybe my question is not clear, sorry.
>
> Customer: "Why didn't my antivirus program detect it?"
> Me: "Because AV programs don't typically detect junk programs"
> Customer: "Oh interesting. How do you know that?"
> Me: "Because a bunch of uncredible sources on the internet said so"
>
> I don't really like my response to the 2nd question. I'd like a credible source that backs up my claim, rather than just banter on some forum.
>
> Thanks!

I can see why you don't like that response.

So how do we know A/V's don't catch toolbars and add-ons? First, not because we read it somewhere, but because most of them, as far as I know, don't claim to do that kind of thing. And if the customer is using a package that does claim to do it, then they should take it up with whoever they're using. Second, it's based on our experience as techs working on hundreds even thousands of computers. What is more credible than that?

But really, one reason may be that from the A/V's standpoint, one man's "potentially unwanted program" is another man's must have toolbar that he can't live without. And it's not illegal to create a toolbar or other BHO that people dislike. As much as we might like A/V's to be more aggressive in what they detect and eliminate, I can envision that they really have to walk a thin line. Maybe even liability issues if they block crappy but legal stuff.

Even programs like Malwarebytes don't automatically block or delete such things (the way A/V blocks and deletes viruses) - instead it detects and presents you with a list that YOU then choose to delete.
 
> I can see why you don't like that response.
>
> So how do we know A/V's don't catch toolbars and add-ons? First, not because we read it somewhere, but because most of them, as far as I know, don't claim to do that kind of thing. And if the customer is using a package that does claim to do it, then they should take it up with whoever they're using. Second, it's based on our experience as techs working on hundreds even thousands of computers. What is more credible than that?
>
> But really, one reason may be that from the A/V's standpoint, one man's "potentially unwanted program" is another man's must have toolbar that he can't live without. And it's not illegal to create a toolbar or other BHO that people dislike. As much as we might like A/V's to be more aggressive in what they detect and eliminate, I can envision that they really have to walk a thin line. Maybe even liability issues if they block crappy but legal stuff.
>
> Even programs like Malwarebytes don't automatically block or delete such things (the way A/V blocks and deletes viruses) - instead it detects and presents you with a list that YOU then choose to delete.

Excellent reply, unfortunately it didn't teach me anything that I didn't already know. I don't mean that as an insult, I just mean it might not be enough for the customer. But honestly, thanks, I will probably reference this thread in the future to my customers, as it's the best "source" available.

At any rate, based on the many responses I've gotten so far, I will mark this thread as solved because I don't think there exists what I am looking for. Thanks everyone!
 
Basically, they are telling you that your AV program sucks. And they are right. If your AV program doesn't block PUPs and every time you come out you remove them, then why are we paying you to do this? It is a valid complaint. Better web blocking tools that prevent them from visiting such sites to begin with will help with that. OpenDNS, UBlock, and Unchecky can help with that.
 
The reality is PUPs are installed by the EUs themselves. We see them all of the time, attached to freeware, games, etc. It's a matter of educating the customer to understand how these work and how to know when they are being installed. Like reading the small print when they download that free app. Remember nothing is free. There have been several threads in the last year or two on here about how many freeware apps we use are now bundled with PUPs so the developers can monetize their work rather than charge a fee or rely on the shareware model. The link below is a dated, but still relevant, white paper by McAfee which discusses these apps.

http://www.mcafee.com/us/resources/white-papers/wp-potentially-unwanted-programs-spyware-adware.pdf

The EUs need to understand that viri, rootkits, etc are "anonymous" apps so to speak. Their behavior as well as authors cannot be understood or predicted until they have been "installed". PUPs on the other hand generally have a public face so to speak. A website or something similar as well as having someone else "approve" them. Back when these things started popping up in the OS X world I did a bit of research. Apple has their own anti-malware built into OS X. It's an automatic thing and there is no interface for EUs. Other techs were saying that some of these apps, such as search engine hijacks, were being allowed because they were part of Apple's Developers Network. I never found any evidence of that but it does make sense to a point.

At this point, beyond some EU education, the only thing we can do in the M$ world is install things like Unchecky (thanks Nige for mentioning that, I was trying to remember the name of that app today), AdBlocker Plus, etc. As well as having them use any browser but IE, which is what I recommend to all customers. Another tool I recommend to EUs is NoScript. It does require maintenance in the form of whitelisting sites so things like Java, ActiveX, Flash, etc will work.
 
Here is what I suggest to my clients who bring this question up. I bundle Malwarebytes Premium into my managed service packages. I explain to the customer that my managed service plan can help remove junkware/toolbars etc.

If they only have antivirus I tell them my managed service has antimalware and antivirus.
You're selling the cake, not the ingredients, so you don't even have to mention you're installing Malwarebytes.

This combined with managed antivirus, web filter and patch management and a bit of user education on what not to do.
 
I've seen quite a few AVs have PUP detection as an additional option; when ticked, it does a fairly decent job. I've seen Bitdefender (logicnow mav) and Avast start going after them quite a bit.
 
I think the biggest takeaway is that no antivirus is going to protect them from everything. Invest in a really good antivirus program. You can look at the AV Comparatives each year to see who's on top. Use a combination of other resources to offer multiple layers of protection. Use Malwarebytes Pro, Unchecky, OpenDNS etc. Some here have also suggested tools like NoScript and uBlock. I also use CryptoPrevent because it can detect malicious behavior in programs. Also a properly configured web browser with an ad blocker and malicious website blocker prevents the majority of opportunities to get a virus.
 