
Open Letter to Software Developers: Mind Your CLSIDs

by Jan Hertsens

From time to time, we are contacted by software developers with something along the lines of "You are detecting our legitimate software as a spyware program, fix this at once!".

The Problem

  • Some legitimate programs use the same "CLSID" as known spyware or adware programs.
  • Many anti-spyware programs use a "blacklist" of CLSIDs in their detections.
  • This causes the legitimate program to be identified as a suspect component, causing confusion for the users and anger for the authors.

The Cause

There are various "toolkits" on the market that allow developers to quickly create BHOs and toolbars, and these even include sample code, CLSID included. Many developers, legitimate and illegitimate alike, use this sample code in their own application without changing the CLSID. Any new component should have its own CLSID. Failure to generate a new one is poor programming practice on the side of the developer.

Why This is Bad

Windows uses the CLSID as a unique identifier in the registry (under HKEY_CLASSES_ROOT\CLSID) to look up which "module" should be loaded for which program. Microsoft (rightfully) insists that each module has its own CLSID. What happens if program A uses the same CLSID as program B you just created?
  • Program B breaks Microsoft's requirements. You might shrug this off, but it can affect any "logo certification" later on.
  • If a user happens to have both A and B installed on the same machine (remember that adware and spyware are rampant, so if A is aggressive it will probably be installed before B), the lookup can no longer tell them apart: the CLSID key can point to only one module, so whichever installer wrote the registry last wins and the other program silently loads the wrong DLL. What the end result will be is undefined. Windows might launch A, or B, or neither, or both, or croak in another way. Rest assured that it will cause havoc on the user's machine, in the worst possible way (remember Murphy?). It also becomes a real pain to do customer support on this problem, because of the unpredictable behaviour. In short, you are breaking the user's installation.
  • If program A is spyware or adware, its CLSID will be included in lots of online databases, message boards and spyware scanners. If you press hard enough (making yourself extremely unpopular in the process) you might get one or two anti-spyware vendors to remove it (which would decrease their chances of finding the adware or spyware), but you will never succeed in removing all references to your CLSID from the Internet. Message boards, forum posts, Usenet groups and Google caches all have a really long memory. If a user Googles the CLSID you are using and sees that it was used by some questionable program in the past, the user will not question the relevance of that post, the date it was made, or its context. The user will delete your program as fast as possible. You really don't want any possible association between your program and any spyware, adware or general malware!
  • It makes you look sloppy! Personally, if I see that software B is using a duplicate CLSID, I think: "This is a developer who does copy-and-paste development, doesn't read the docs and hence does not know what he is doing. I should think twice before running this software, because who knows what else is wrong." Will your users think otherwise?

The solution

  • Read the Microsoft documentation on COM registration.
  • Create a fresh GUID using your favorite means of invoking the CoCreateGuid API (e.g. running GUIDGEN.EXE or UUIDGEN.EXE, calling Guid.NewGuid from managed code, etc.) and replace the copied CLSID everywhere it appears: in your source, in your registration script and in your installer.
  • Recompile your application and distribute the new version.
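The registry mechanics behind "Why This is Bad" and the fresh-GUID step above, as an added example that is not part of the original article: a small Python model of how COM resolves a CLSID through HKEY_CLASSES_ROOT\CLSID, showing that two modules sharing one CLSID overwrite each other's InprocServer32 registration (last writer wins), and a helper that mints a fresh CLSID and audits it against the registry and a blacklist. The .reg fragments, the sample CLSID, the product names, the DLL paths and the blacklist are all constructed for this example and do not refer to real software.

```python
# Added example (not from the article): model COM's CLSID lookup, show how a
# shared CLSID breaks, and mint/audit a fresh one. All data below is constructed.
import re
import uuid

# Constructed: the CLSID a toolkit's sample code ships with, copied verbatim by
# both an adware component (program A) and a legitimate toolbar (program B).
SAMPLE_CLSID = "{0F0E0D0C-0B0A-4908-8706-050403020100}"

REG_PROGRAM_A = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0F0E0D0C-0B0A-4908-8706-050403020100}]
@="Toolkit Sample BHO"

[HKEY_CLASSES_ROOT\CLSID\{0F0E0D0C-0B0A-4908-8706-050403020100}\InprocServer32]
@="C:\\Program Files\\ProgramA\\adbar.dll"
"ThreadingModel"="Apartment"
"""

REG_PROGRAM_B = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0F0E0D0C-0B0A-4908-8706-050403020100}]
@="Program B Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{0F0E0D0C-0B0A-4908-8706-050403020100}\InprocServer32]
@="C:\\Program Files\\ProgramB\\goodbar.dll"
"ThreadingModel"="Apartment"
"""

# Constructed stand-in for an anti-spyware vendor's CLSID blacklist.
KNOWN_BAD_CLSIDS = {SAMPLE_CLSID}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")


def _unescape(text):
    """Strip the quotes of a REG_SZ literal and undo its escaped backslashes/quotes."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    return text.replace('\\"', '"').replace("\\\\", "\\")


def merge_reg(registry, reg_text):
    """Apply a .reg export to `registry` (key path -> {value name: value}) with the
    semantics of importing the file: an existing value is silently overwritten."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()  # registry key names are case-insensitive
            registry.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name = "" if value.group(1) == "@" else _unescape(value.group(1))
            registry[current][name] = _unescape(value.group(2))
    return registry


def resolve_inproc_server(registry, clsid):
    """Emulate the lookup CoCreateInstance performs for an in-process server: the
    default value of HKCR\\CLSID\\{clsid}\\InprocServer32 names the DLL to load.
    Only one path fits in that value, which is why a shared CLSID cannot work."""
    key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").lower()
    return registry.get(key, {}).get("")


def new_clsid():
    """Mint a fresh CLSID: a random (version 4) UUID in the brace form that
    GUIDGEN.EXE and Guid.NewGuid() print."""
    return "{" + str(uuid.uuid4()).upper() + "}"


def audit_clsid(registry, clsid, known_bad):
    """Return the reasons not to ship `clsid`; an empty list means it is clean."""
    problems = []
    if not CLSID_RE.match(clsid):
        problems.append("not a well-formed CLSID")
    owner = resolve_inproc_server(registry, clsid)
    if owner is not None:
        problems.append("already registered on this machine by " + owner)
    if clsid.upper() in {c.upper() for c in known_bad}:
        problems.append("listed as a spyware/adware CLSID")
    return problems


def demo_shared_clsid():
    """Install A, then B, then let A reinstall itself; report who owns the CLSID
    after each step. Whoever wrote the registry last wins; the other is broken."""
    registry = {}
    merge_reg(registry, REG_PROGRAM_A)
    merge_reg(registry, REG_PROGRAM_B)
    after_b = resolve_inproc_server(registry, SAMPLE_CLSID)
    merge_reg(registry, REG_PROGRAM_A)  # adware "repairs" its registration
    after_a = resolve_inproc_server(registry, SAMPLE_CLSID)
    return after_b, after_a


if __name__ == "__main__":
    print("owner after B installs, then after A reinstalls:", demo_shared_clsid())
    print("sample CLSID:", audit_clsid(merge_reg({}, REG_PROGRAM_A), SAMPLE_CLSID, KNOWN_BAD_CLSIDS))
    fresh = new_clsid()
    print("fresh CLSID", fresh, "problems:", audit_clsid({}, fresh, KNOWN_BAD_CLSIDS))
```

On a real machine the same check is a `reg export HKCR\CLSID` fed to `merge_reg`, followed by `audit_clsid` on the CLSID you intend to ship; the point of `demo_shared_clsid` is that the registry never reports the conflict, it just hands the next CoCreateInstance call whichever DLL was registered last.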

What doesn't work

Acting as if nothing has happened

This will cause trouble for you and your software in the future. The more popular your product gets, the more time and money you will spend resolving these issues.

Saying: "This happened by accident. I got the same CLSID by chance"

Not only is this irrelevant, it is also extremely hard to believe. While I take most Microsoft claims with a healthy grain of salt, their algorithm for generating unique IDs seems quite solid. A CLSID is a 128-bit GUID, and a randomly generated one carries 122 random bits, so the chance of two independently generated CLSIDs coinciding is about one in 2^122 (roughly 5 x 10^36). In view of this, the claim is about as credible as saying "I won the lottery 3 times in a row, without cheating".

Trying to force anti-spyware authors to change their detections

Not only will this not work (see the reasons above: you cannot retract a statement that has been published on the Internet), but you can be sure that word of your actions will get out, showing you "bullying anti-spyware authors" and reinforcing the suspicion of a link with the questionable behaviour itself (see above).

Saying: "We used the CLSID first, THEY stole it from us!"

Cases like this have been known to happen, so you have my sympathy. However, I can only advise you to bite the bullet and go for the solution above. Getting the illegitimate authors to change their CLSID (if you can even find them) will be as much fun as convincing a bank robber to wipe his feet before entering the bank. A CLSID is supposed to be a random number without any meaning of its own, so don't get too attached to it. The pain of the problems above will be much bigger.

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.


© Copyright 2003-2011, Actiance, Inc. All rights reserved.