Scareware and Legitimate Marketing

Kurt Wismer posted a much-to-the-point blog a few days ago about the way that purveyors of scareware (fake/rogue anti-virus/security products) mimic the marketing practices of legitimate security providers. You may remember that a while ago, I commented here about a post by Rob Rosenberger that made some related points.

If you’re a regular reader of my blogs here or elsewhere, it won’t surprise you that I have a lot of sympathy with these viewpoints, and I hope Kurt will agree that we don’t do the “buy our software so that you never have to take responsibility for your own security” message here. And some elements of the AV industry of which I have, in recent years, become a part, have not always done the industry or its customers any favours by hypeing media malware, TOAST marketing (The Only Antivirus Software That you’ll ever need… [hat tip to Padgett Peterson]), and other dubious marketing practices that have enthusiastically been picked up by those who rate a Good Story as being something quite different to an Accurate Story.

Well, I’ve been hearing rumours of marketing that sounds far too close to scareware for comfort. I’m not going to name names on this occasion. It’s bad karma for AV researcher to throw stones at another vendor’s glass house without hard evidence of unethical practice. So here are some entirely general thoughts.

It would, of course, be a very bad idea for a vendor to try to persuade its own customers to spend money on one of its other products by hypeing a non-existent threat. If a vendor was rash enough to indulge in such scareware tactics, its customers might want to consider whether:

  • the name of the threat in question looked kosher
  • whether they really have confidence in a company that apparently doesn’t share major threat samples with other companies so as to maintain a competitive advantage. AV companies share samples because they feel that where a major threat looming, they have a duty of care to the community as a whole, not just their own customers.
  • Whether marketing based on “our product detects this and these other companies can’t” can possibly be accurate. Even if the company making the claim didn’t share samples (and that would be really bad karma in this industry), and the claim of non-detection held true at a particular point in time, howlikely is it that the other companies wouldn’t encounter it and add detection for it, sooner rather than later? (Unless, of course, it was something so esoteric and obscure that its existence made no real difference to anyone anyway.)
  • Whether it’s appropriate to claim that a product doesn’t detect a given threat on the basis of a Virus Total report. As Kurt, myself, and Virus Total/Hispasec themselves have frequently pointed out in various contexts, the Virus Total service is not suitable or intended as a gauge of the comparative performance of AV products. That’s because a Virus Total report doesn’t demonstrate dynamic, whole product detection or non-detection of any threat. In many cases, malware that evades an on-demand scan will nevertheless be detected by an on-access scan, but that won’t show on a VT snapshot report. Always assuming that the press release (or whatever) actually links to a VT report.

Of course, this is all totally hypothetical. Surely no reputable AV company would make these mistakes, for both ethical and practical reasons (i.e. for fear of damage to its reputation and existing customerbase? I live in hope that these rumours will turn out to be based on some misunderstanding or misconception.

Senior Research Fellow

Author David Harley, ESET

  • Martha Bagwell

    I am the owner of a computer help group in Yahoo.  Several of our members are reporting scareware behavior on the part of Zone Alarm free.  I have removed the download links for Zone Alarm from my sites.
    It's too bad,
    FYI i do use EST Smart Security and wouldn't use anything else.

  • Adam Wilder

    Yes, that  makes  perfect  sense  as,  the  concept  of  fear  should  never  be  used  to get  someone to  use  something.I,myself  have  used  ESET  for  several  months  now and  was  never  goaded  into    purchasing  out  of   some  mareketing  measure(s)  or  such rather,  the  company and  it's  products  have a   solid  reputation.

  • Rob Rosenberger

    Hmmm.  You know, David, there is a … certain logic to this.  Scareware firms experiment with any number of psychological ploys to make people buy FAKE antivirus software.  If a legit antivirus firm did enough analyses on those marketing tactics…
    In theory, they might be swayed to adopt some of those tactics.  But that may be okay, because we're talking about a legit antivirus firm, not a fake antivirus firm.
    I mean, consider Dr. Joseph Mengele.  Yeah, sure, he performed gruesome medical experiments on Jews & Gypsies in WWII.  But legit surgeons made some amazing advances by studying Mengele's work.  So, uh … it ultimately benefits society when an ethical surgeon studies unethical medical procedures.  This ultimately means we should applaud Mengele for his … uh–
    Wait, this isn't going the way I wanted it to.  What I'm trying to say here is, if a legit antivirus firm adopts the practices of a fake antivirus firm, then we should thank the scareware industry for showing legit companies how to succeed in the marketpla–
    Uh, wait.  I'm back where I started.  Certainly there must be a way to study unethical tactics and use them in an ethical manner.  I'm probably just … you know what, I think I need to sleep on this.  I'm just not in the zone right now, and that alarms me.  Good night.

  • David Harley

    @adam: well, you could argue that fear of negative consequences is what sells security products. There is a difference, though, between selling an honest attempt to mitigate the problem and selling a dishonest attempt to profit from that fear without mitigating the problem. Selling an honest product using dishonest means is something different again. It's by no means unknown in the security industry, but ethical issues apart (and that doesn't mean I don't care about the ethical issues, only that it's a complex area), it seems to me that to be found to be dishonest in some respects is counter-productive for any company. The more so in a sector that's as distrusted as the security industry.
    @Rob: I guess Godwin's law hasn't been repealed, then. ;-) I guess you could argue that even if the end doesn't justify the means, it's not intrinsically evil to use the results of "evil" research as long as the way in which you use them isn't in itself evil. In the case of Mengele, you might even even argue that it's laudable to use the knowledge gained from that research if it means that the death and suffering has some positive results further down the line. But can (never mind the should…) the AV industry learn as much from scareware as the scareware guys have learned from marketing (in general, not just AV marketing)? Maybe we can, but I'd rather see us use that knowledge in countering scareware, rather than emulating it.

Follow us

Copyright © 2018 ESET, All Rights Reserved.