Imagine you have created a fantastic app that your customers love. You are just starting to see real business growth. Until one fateful day, when you notice that sales conversions are down, refund requests are way up, and your customer service queue shows some customers are complaining that their anti-virus software is removing your app – the very app they’ve paid for!

That nightmare scenario has happened to many well-meaning software companies – and probably thousands of startups – who went to market without considering how their apps might be viewed by the security industry.

What follows below are the reasons this can happen, what a software vendor can do when it does, and how to prevent it from happening in the first place.

Let’s begin with some basic acronyms: PUA, PUP, and UwS.

What are PUA, PUP, and UwS?

Security software companies are focused on preventing and removing malware and viruses from computers. Their customers, however, expect even more: to be protected from software that is deceptive in any way at all. For example, consumers expect their security provider to prevent installation on their devices of scareware, adware, and otherwise “unwanted” software.

To meet this consumer demand, each antivirus company categorizes such unwanted software as a Potentially Unwanted Application (PUA), a Potentially Unwanted Program (PUP), or, using the more recently added term, Unwanted Software (UwS). Each antivirus company has its own criteria defining what UwS is, dedicates some of its research to identifying such software, and does not necessarily publish those criteria. Any software categorized as unwanted is blocked from installation or removed from the device once discovered. Even worse, the URLs to your web site, your cart, and your landing pages can also be blocked!

How A Single AV’s PUA Flag Impacts Revenue

Typically, the above nightmare scenario starts with just one security software company flagging your software. And if that company is Microsoft Defender, it is devastating to your business.

If the flag comes from a smaller AV that has little market share in the geographies where you operate, the initial impact is likely to be minimal. But the AV community is a close-knit group, and AVs tend to share each other’s research in various ways. What does that mean? It means that what starts as a single AV flag inevitably expands to multiple AV flags over time.

Moreover, once paying customers see a security company flag your software as unwanted (which they notice easily, especially when the flag comes from the security product they themselves use), they’ll tend to trust that assessment and start demanding refunds and complaining on public forums. That’s not a situation you can easily recover from. After all, the security vendor has the moral high ground.

What does that mean for a software vendor? First, you should heed the old saying: “an ounce of prevention is worth a pound of cure.” Take steps to reduce the likelihood your software is classified as PUA, PUP, or UwS in the first place. That way, you can help avoid the huge blow to your revenue from reduced sales, increased refunds or charge-backs, consumer complaints, and eventual erosion of your brand’s reputation (more about all this in a moment).

But let’s assume you haven’t taken the necessary preventive steps – then what do you do?

What to do if Your Software has been Flagged

Let’s assume the security company has made a mistake in flagging your software. Your goal as a business is to resolve the issue as quickly as possible to minimize the negative impact. Here are the steps you’ll need to follow:

  1. Replicate the issue on a PC, capturing the following:
    1. Video or screenshots of the flag in action.
    2. The version of the operating system.
    3. The version of the security software, as well as the version of the security software’s “database” (signature set) in effect at the time of capture.
    4. The version of your software.
    5. A link to the exact downloaded build of your software used for the capture.
  2. Find the “false positive” submission page on the security software’s web site (or its submission email address) and send the above information, asking for a review of the issue.

Keep in mind that security companies may not treat your issue with the same priority as you might like. It’s an emergency for your business, but not necessarily for the security company.

My experience with this process is that it generally takes a bit of time to get a response. In addition, the first response is often non-actionable, vague, and unhelpful (e.g., “your software violates our PUA policy related to deceptive behavior”). The trick is to be patient. Demonstrate the many ways that your company makes good-faith efforts to be a good internet citizen and make clear that you just want to do the right thing. Ideally, you’ll be successful in showing the security company it’s made a mistake, and it will remove the flag.

But what if the security company doesn’t think it’s a mistake? Then what? First, it’s important to keep in mind that their responses won’t be prescriptive (e.g., they won’t say “if you remove or change this specific offending behavior in your software, we’ll remove the flag”). While that would be enormously helpful to you, there are many reasons the security companies are reluctant to do this, including legal factors. But perhaps the most important reason: the truly bad guys would just abuse the process, fix the stated issue, and find another way to be deceptive and cause harm to consumers.

The bottom line: if your software is flagged, you are in a terrible pickle, with no easy path out.

Another Important Issue – How to Verify your Software has been Flagged

If this article topic is new to you as a software vendor, you’re probably wondering if you can verify if any security vendors are flagging you. The answer: yes.

The easiest way to do this is to visit a web site called VirusTotal (VT) and upload your software build for analysis. VirusTotal aggregates over 70 security companies’ scanners, so any one of those that is flagging you will be listed on the report.

Some software companies have internal processes that involve regularly uploading their latest builds to VT in order to receive early warning of any flags. That way, they can adjust their media buys while they take their software offline to do an internal review and make changes they hope will eliminate the flag. This can lead to both less money lost and faster solutions.

One caveat about VT: the results only show what are called “static” detections, i.e., what each scanner reports when given the file. You don’t get to see which AVs actually exhibit blocking or removal behavior on the desktop. So keep in mind that VT is more of a litmus test. To know for sure which AVs are detecting on the desktop, you’ll have to install each AV on an actual desktop and see if it actively flags your software title.

Not surprisingly, there are a number of companies who offer services to do this for you (members of CleanApps.org have access to this list).
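The following Python script is an added example of the internal “upload every build and watch for flags” process described above; it is not code from the original article or from CleanApps.org. It hashes a release build, looks the hash up through VirusTotal’s public v3 API (the `/api/v3/files/{sha256}` endpoint and `x-apikey` header are VirusTotal’s documented interface), and summarizes which engines flag the build together with each engine’s version and database date, which are exactly the details a false-positive submission asks for. The `VT_API_KEY` environment variable and the `SAMPLE_REPORT` are assumptions constructed for this example, so the script runs offline on the sample when no key is given.

```python
"""Added example: gate a release on a VirusTotal report and collect the
details needed for a false-positive submission. Not the article's own code."""
import hashlib
import json
import os
import sys
import urllib.request

# VirusTotal's documented v3 lookup for an already-analysed file hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"
# Per-engine verdict categories that should stop a release from shipping.
FLAGGING_CATEGORIES = {"malicious", "suspicious"}


def sha256_of_file(path: str) -> str:
    """SHA-256 of the build; VirusTotal identifies files by this hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_vt_report(sha256: str, api_key: str) -> dict:
    """Fetch the existing analysis for a hash (assumes the caller has a VT API key)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flagging_engines(report: dict) -> list:
    """One record per engine whose verdict is malicious or suspicious.
    engine_update is the signature database date that the false-positive
    submission checklist in the article asks you to capture."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = []
    for engine, r in sorted(results.items()):
        if r.get("category") in FLAGGING_CATEGORIES:
            flagged.append({
                "engine": engine,
                "verdict": r.get("result"),
                "engine_version": r.get("engine_version"),
                "database": r.get("engine_update"),
            })
    return flagged


def release_gate(report: dict) -> tuple:
    """CI-style gate: block if any engine flags the build. A clean report only
    means no *static* detection; desktop behaviour still has to be tested."""
    flagged = flagging_engines(report)
    if not flagged:
        return True, "no static detections on VirusTotal (desktop test still required)"
    names = ", ".join(f"{f['engine']} ({f['verdict']})" for f in flagged)
    return False, f"{len(flagged)} engine(s) flag this build: {names}"


# Constructed sample mirroring the shape of a v3 /files/{hash} response.
# Engine names and verdict strings are made up for this example.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": {"category": "undetected", "result": None,
                "engine_version": "1.0", "engine_update": "20240101"},
    "EngineB": {"category": "malicious", "result": "PUA:Win32/ExampleBundler",
                "engine_version": "2.3", "engine_update": "20240102"},
    "EngineC": {"category": "suspicious", "result": "Suspicious.ExampleInstaller",
                "engine_version": "9.9", "engine_update": "20240103"},
    "EngineD": {"category": "type-unsupported", "result": None,
                "engine_version": None, "engine_update": None},
}}}}


if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")  # assumed to hold your VirusTotal key
    if len(sys.argv) == 2 and api_key:
        digest = sha256_of_file(sys.argv[1])
        ok, msg = release_gate(fetch_vt_report(digest, api_key))
    else:
        ok, msg = release_gate(SAMPLE_REPORT)  # offline demo on the constructed sample
    print("PASS" if ok else "BLOCK", "-", msg)
```

Run it as `VT_API_KEY=... python vt_gate.py path/to/build.exe` after uploading the build; a `BLOCK` result lists each flagging engine with the engine and database versions to quote in the false-positive submission, while a `PASS` only clears the static check and the desktop test described above still applies.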

How to Avoid having your Software Classified as PUA/PUP/UwS

Back to the prevention principle: To avoid being classified as PUA/PUP/UwS, your product managers, marketing team, and business development team first need to understand the various criteria that define this category. Because many of the security companies are tight-lipped about their criteria, this can be virtually impossible.

But there is one reference source that reflects how security vendors think about unwanted software. It’s hosted by a company called AppEsteem, which works with virtually every major security company in the industry. AppEsteem is on the CleanApps.org Advisory Board, and provides CleanApps.org with insight into how the security industry works and thinks about this aspect of consumer protection.

AppEsteem has created two checklists of criteria. The first lists the criteria that, if not met, will virtually guarantee that the app will be classified as unwanted. AppEsteem calls this their ‘Deceptor’ criteria: https://customer.appesteem.com/home/checklist?minbar=y

The second, more comprehensive list of criteria establishes a gold standard for software behavior (and software promotional behavior) that, if met, dramatically reduces the likelihood your software will be classified as unwanted by the security companies. Indeed, meeting these criteria signals to the security companies that your software is the crème de la crème (at least with regard to consumer protection). This list of approximately 125 criteria can be found on AppEsteem’s “Certification Checklist” located here: https://customer.appesteem.com/home/checklist

AppEsteem’s business is certifying software, so you’ll be charged a fee to receive the full AppEsteem certification and seal (including invaluable compliance-related consulting services) informing the security companies that your software has met the gold standard. But keep in mind that the certification checklist is available at no cost, so any software company can use this publicly available information to audit its own software.

Whichever route you choose, paid or unpaid, it’s foolhardy to go to market with an app that doesn’t meet the full AppEsteem criteria. Public concern over privacy and security on the internet is growing, and the security companies aren’t immune: they’re likely to get even stricter over time. Making sure your software meets the highest security and privacy standards is not only better for consumers; it’s just smart business.