Criteria for detection for the CRDF Threat Center database

The following criteria is part but not limited to what determines whether a program and or a website domain(s) is added for inclusion in the CRDF Labs malicious database.

Last update: December 2021

Distribution and Installation

• Installs without user permission, user interaction or an installation interface
• Bundles other known/unknown adware, spyware, or malicious software including potentially unwanted software
• Installs hidden plug-ins in the Web browser that do not have a user interface
• Is installed by an ActiveX control or Exploits a security vulnerability in any way
• Installs using deceptive or questionable methods or tactics
• Installs even if the user clicks No or cancels the installation
• Is installed by third-party affiliates
• Offers an affiliate program that pays a fee for distributing potentially unwanted software
• Is affiliated with malicious or questionable portals, search engines, or hacking sites

Behavioral Criteria

• Modifies the HOSTS file without full disclosure in an acceptable and enforceable EULA
• Modifies or replaces the HOSTS file without creating a valid backup
• Modifies registry setting related to the HOSTS file
• Changes common settings, such as the home page or search page, without user permission
• Changes any Web browser configuration which the user can not undo
• Uninstalls existing software without user consent
• Includes a process that cannot be manually terminated by the user
• Displays pop-up or pop-under windows outside of the application
• Displays pop-up or pop-under advertisements that cannot be closed by clicking a Close button
• Modifies Web site content, such as changing search results or substituting certain advertisements for other advertisements
• Displays pop-up advertisements when the Web browser is not running
• Displays pop-ups or 3rd party banners or images
• Automatically restarts itself if the user terminates its process
• Restores registry keys or file entries that are removed by the user
• Redirects or blocks searches, queries, user-entered URLs, and other sites without notification or user consent

Security Criteria

• Changes operating system security settings without user permission
• Changes software security settings, such as a Web browser security settings, without user permission
• Silently adds entries to the browsers web content zones (Trusted, Restricted Zone, etc.)
• Silently adds entries to the users Firewall to bypass detection
• Connects to the Internet without user permission
• Disables firewalls, Antivirus software, or Anti-spyware software or other Security related programs
• Opens a port on the computer without user knowledge
• Silently reinstalls or updates components
• Adds a new dial-up connection or other network connection
• Initiates a connection to the Internet or initiates a dial-up connection without user interaction
• Prevents Anti-spyware or Antivirus software from removing the program
• Downloads and installs software or updates without user permission
• Runs in a mode that hides processes from the user or system tools
• Provides remote administration or file transfer capabilities
• Monitors sensitive items without explicit notice and consent, such as keystrokes, emails, instant messages screenshots, or the history or open programs and documents
• Runs malicious or questionable scripts
• A remote server making unsuccessful bruteforce attempts on machines
• A remote server making illegitimate requests, scanning servers for vulnerabilities and hosting unsecured Proxy / VPN / Open Relay

Privacy Criteria

• Does not contain a Privacy policy, or uses a 3rd party privacy policy which fails to provide an easily accessible privacy policy that explains data collection and other practices used by the program or site.
• Does not contain or display an acceptable and enforceable EULA (End User License Agreement)
• Installs a LSP (layered service provider) without full disclosure and explicit user permission
• Silently tracks sites visited without user permission, such as by IP address, GUID, email address, name or other identifier such as 3rd party hit counters, web beacons, and or uses non-session third-party Cookies.
• Tracks Web browsing behavior and transmits this information to a remote server
• Tracks online activity and matches it to personally identifiable information without clear notice and consent, including but not limited to Web pages viewed or accessed, user selected content, keywords and search terms
• Tracks Web browsing behavior via 3rd party Cookies (aka: Data Miners) or requires the user to access another site for the purpose of using an "opt-out" Cookie
• 3rd party surveys that may or may not be part of third-party advertising, marketing, or metrics/measurement networks without full disclosure of information obtained or where this information is retained and with whom specifically this information is shared
• Collects personally identifiable information without express consent in statements other than the EULA or privacy policy

Removal

• Does not include a working uninstaller that is compatible with "Add or Remove" or  "Programs and Features"
• Automatically reinstalls itself after the user uninstalls it or part of it
• Requires the user to download an uninstaller from a Web site
• Requires Internet access to uninstall
• Requires additional information to uninstall the software, such as email address
• Uninstalling the software causes the system to become unstable or vulnerable

Other

• A website accessible via the Internet network and offering solutions to users in the European Union who clearly do not comply with the personal data protection obligations arising from the GDPR ("The General Data Protection Regulation"). Any company that does not comply with this regulation and for which we have the necessary proof will be listed in our databases.
• A software program or website including any other Web sites or domains owned, maintained or affiliated with, that are detected by an but not limited to any Antivirus or Anti-Spyware type program or mentioned in their Database
• Any Web site that is determined to be in a Blacklist Status in a Domain whois lookup
• Any site that uses bogus, misleading or non-existent information in the Domain Registration
• Advertisers or other 3rd party providers that run their content on sites that are known to install/distribute malicious software including potentially unwanted software
• Any site that is involved in Spamdexing (search engine spamming) or intentional redirection links
• Web sites or domains owned, maintained or affiliated with, that are determined to be involved in Phishing or other undesirable conduct
• A shop or website masquerading as another brand and selling products in a completely illicit way
• A company distributing advertisements (= advertising) links redirecting to illegal, dangerous and / or contain security risks for a client computer
  • URLs that advertising will be considered malicious
  • The advertising agency is responsible for ads served through its network
  • An integrated advertising in our database will be banned for a period of six months without any possible reserves