Keyloggers and malicious intent

I saw a sad little email recently, apparently from a lady who believed her husband to be having an affair and wondered if a certain AV company has a keylogging product she could use to monitor messages between him and the other woman. It doesn't.
In fact, AV products actually detect quite a few keyloggers, though not necessarily as malware. There are programs which are detected under names like “Possibly Unwanted Programs” (PUPs) or “Possibly Unwanted Applications” (PUAs). In fact, ESET recently published a paper by my colleague Aryeh Goretsky on the subject (“Possibly Unwanted Applications: Problematic, Unloved and Argumentative”). Of course, not all PUAs are keyloggers. But there are programs which might be perfectly legitimate in some contexts but are known to be used for illegal purposes in other contexts.
Since AV is better at detecting malicious technology than it is at detecting malicious intent, it's sometimes necessary for a security vendor to ask the customer to decide whether it's a good idea to allow the program to execute or install. While a customer who wants to spy on his or her partner might be quite certain that the answer is yes, there are other contexts in which the customer may not be well enough informed to make that decision. Consider, for example, the case of those cold-call helpdesk ploys where the scammer asks the victim to install a remote access tool, in order to let the scammer install “better” security software and “clean” the system. (Remind me to tell you sometime about the Perfect Anti-virus, a concept invented by Dr. Alan Solomon.)
In fact, PUAs are something of a problem for us in a number of contexts, such as testing, as Aryeh and I discussed in a blog/interview here: PUAs: ESET's Most Unwanted List.
Keylogger queries are surprisingly common in other support contexts. When I used to handle some incoming security queries for a site offering a volunteer support service, some of the most common queries were from mistrusting spouses and parents, wanting to find out what their partners or children were up to, whether it was playing away or surfing porn. Sometimes, the messages were from the other end of the problem, from people whose ex had bugged their PC. (Perhaps the most common queries came from users of a particularly poorly supported OEM AV product, but I don't think I'll expand on that one.)
Most of the time, it wasn't really a problem with a technical solution and the best suggestion we could offer was that sometimes honest communication was a better route than interception of communications. Easier said than done, of course, and I don't think I'll be branching out into relationship counselling.