March 30, 2005

Trend's "Top Threats"

Is it just me, or am I missing something? I've speculated about this before, but the methodology that Trend uses to figure out their top threats makes no sense to me. As I write this, the "top threat" #5 is Gator. I commented on this a while back to the press, but I think it bears repeating since Trend clearly hasn't done anything about it: really, how much of a problem is Gator?

"Top Threat" to me implies "severity," which it can't be. Gator is a program that people have to actively download, agree to the license agreement (which spells out clearly what the software will and won't do), and then it basically hangs around in the taskbar and displays marketing information. How is that "worse" than the daily deluge of "paypal account notices" and "Your Account Status at WAMU" that tries to trick me into becoming a target for identity theft? It isn't.

So, given that "Top Threat" doesn't imply severity, could it mean "pervasiveness"? Clearly not that either. Take Kazaa, for example. This is classified as Spyware as well. Claria (owns Gator) claims 38 million users of Gator (which is probably a stretch), whereas Kazaa has been downloaded 200 million times. Given that Kazaa typically has around 14 million users online at any given time (30% of total user population maybe?) - we would expect the user population to exceed even the inflated value attributed to Gator by Claria. So, clearly "top" doesn't mean "pervasive" either.

What if "top" means "difficulty in remediating"? Can't be. Unlike some of the other software that is classified as "Spyware", Gator is pretty easy to uninstall. In fact, you can uninstall it using the "Add/Remove Programs" area just like you would any other utility (really, I've tried it). Grokster (also classified as Spyware), on the other hand, is almost impossible to uninstall - there are processes that "watch" each other and restart each other if they get interrupted, there are difficult-to-remove artifacts that linger around after uninstall, hard-to-find files left on the host, etc. So, Trend can't mean "remediation barriers" either.

So, what do they mean by "Top Threats?" Let me propose a theory: how about "highest frequency of detected files on hosts running Trend AV that the Trend engine is able to detect reliably using definition files of an unspecified age?" Given that there is no transparency into the Trend methodology, this would have to be my best guess. If that is the case, Trend's "Top Threats" is more of a sad commentary on their tool vs. an accurate metric to track...

Posted by Ed at March 30, 2005 11:27 AM