New partner, new site reports

Posted by Maxim Weinstein Tue, 30 Jun 2009 15:23:27 GMT

We’re very pleased to announce that, as of today, Sunbelt Software has joined Google as a data partner, providing updated data about badware websites to our Clearinghouse. (See the press release.) Sunbelt’s research director, Eric Howes, has helped us out for a long time as part of our working group, and it’s great to have the company on board in a more formal way. The new data allow us to extend and deepen our analysis of, and insight into, the badware website landscape.

Adding a new data partner required us to rethink our database design and our Clearinghouse report page layout, so we’ve been hard at work redesigning everything. The new report (example) incorporates more information—both current and historical—than our old report page, and it displays Sunbelt’s and Google’s data side by side with our independent review history.

Do you have suggestions for future improvements to our report page or feedback on the changes? Let us know over at BadwareBusters.org!


China's Green Dam is badware and so much more

Posted by Maxim Weinstein Sat, 13 Jun 2009 11:55:04 GMT

StopBadware assisted the Open Net Initiative in evaluating China’s Green Dam filtering software, which the Chinese government recently mandated be installed on every new PC in the country.

The software violates our guidelines due to a lack of disclosure about some significant unexpected behavior. While the software advertises itself as protecting children from harmful content such as pornography and violence, it also filters political speech without notice. Also not mentioned is the fact that, if such political speech appears in an application window, whether Internet Explorer or Notepad, the window completely shuts down without advance notice and without saving the user’s work.

Based on our and ONI’s research, and on other research posted online, the software has additional flaws, ranging from poorly implemented features to security vulnerabilities. The biggest flaw of all, though, appears to be China’s policy of mandating such a product. As ONI’s report, released yesterday, concludes:

The mandate requiring the installation of a specific product serves no useful purpose apart from extending the reach of government authorities. Given the resulting poor quality of the product, the large negative security and stability effects on the Chinese computing infrastructure and the intense backlash against the product mandate, the mandate may result in less government control.

Those interested should read the full report, which explains both the software’s behavior and the national reaction to the software, in detail.


Microsoft Morro to proxy Internet traffic? Not likely.

Posted by Maxim Weinstein Fri, 12 Jun 2009 16:26:56 GMT

A blog post at PC World by Frank Ohlhorst implies that Microsoft’s forthcoming free anti-malware product, Morro, will proxy users’ Internet traffic:

Morro will work by routing all of a users Internet traffic to a Microsoft datacenter, where the Morro application will process the traffic and identify and block malware in real time, by examining all of the rerouted traffic.

This seems very unlikely. First, the technical challenge of handling, and analyzing in real time, the Internet traffic of hundreds of millions of Internet users would be outrageous. Second, this would have tremendous privacy implications, and Microsoft has recently been pretty good at staying out in front of such issues.

An intern here at the Berkman Center e-mailed the article’s author to question his characterization of Microsoft’s new service. Ohlhorst answered that the Windows-based client would route traffic to Microsoft’s servers for analysis and back to the client, similar to "how Panda’s hosted security works."

I suspect Ohlhorst is referring to Panda’s Cloud Antivirus. If so, the comparison is probably closer to the truth than his explanation of it. Panda’s service has a client that monitors the PC for new processes and, when one is found, sends a cryptographic hash of the executable up to "the cloud" to learn whether the process is malware. This is, at least in theory, more efficient and effective than each client downloading definitions each day. Several AV products from other vendors use some variation on this theme, sending hashes, URLs, or sometimes even entire suspicious executables to a central server for analysis and/or checking against an updated block list. My educated guess, from what I’ve heard about Morro and seen elsewhere, is that Morro will do something similar, but will not route all of a user’s Internet traffic to Microsoft.
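To make the distinction concrete, here is an added example (not code from Panda, Microsoft or StopBadware) of the hash-lookup model described above: the client sends only a SHA-256 digest of a newly seen executable to a verdict service and caches the answer, so no file contents and no browsing traffic leave the machine. The service, the sample bytes and the verdict table are all constructed for illustration.

```python
import hashlib

# Constructed samples standing in for executables a client observes starting.
KNOWN_BAD = b"MZ\x90\x00constructed-sample-malware"
KNOWN_GOOD = b"MZ\x90\x00constructed-sample-notepad"


def file_hash(data: bytes) -> str:
    """Client side: the only thing sent upstream is a fixed-size SHA-256 digest,
    64 hex characters regardless of how large the executable is."""
    return hashlib.sha256(data).hexdigest()


class CloudReputationService:
    """Stand-in for the vendor's server: a verdict table keyed by digest."""

    def __init__(self, bad_hashes, good_hashes):
        self.bad = set(bad_hashes)
        self.good = set(good_hashes)
        self.requests = 0  # counts round-trips so the client cache is visible

    def lookup(self, digest: str) -> str:
        self.requests += 1
        if digest in self.bad:
            return "malware"
        if digest in self.good:
            return "clean"
        return "unknown"  # never-seen file: the server has no opinion yet


class CloudAVClient:
    """Client: hash each new process image, ask the service once, cache the verdict."""

    def __init__(self, service):
        self.service = service
        self.cache = {}

    def on_new_process(self, image: bytes) -> str:
        digest = file_hash(image)
        if digest not in self.cache:
            self.cache[digest] = self.service.lookup(digest)
        return self.cache[digest]


def demo():
    """Returns the verdicts for four process starts and the number of server round-trips."""
    service = CloudReputationService(
        bad_hashes=[file_hash(KNOWN_BAD)], good_hashes=[file_hash(KNOWN_GOOD)])
    client = CloudAVClient(service)
    verdicts = [client.on_new_process(KNOWN_BAD),
                client.on_new_process(KNOWN_GOOD),
                client.on_new_process(KNOWN_BAD),            # served from cache
                client.on_new_process(b"MZ\x90\x00never-seen")]
    return verdicts, service.requests


if __name__ == "__main__":
    print(demo())
```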
