What is Riskware?
Many Emsisoft Anti-Malware users find so-called Riskware on their computer when scanning for Malware. Those who are not familiar with the many special terms of the computer world may be confused by this and quarantine software that is probably harmless and was installed intentionally. With this article from the Emsisoft Knowledgebase we would like to provide a more detailed explanation of exactly what Riskware is.
The meaning of the term Riskware can be simply derived from the two words "risk" and "ware". The "ware" in this case is of course software and not a physical object. Simply put, this is software whose installation presents a possible but not definite risk for the PC. Relatively normal programs can often fall into the category of Riskware because some applications can be modified for another purpose and used against the PC user. We would like to provide you with three different examples of this.
Example 1: IRC
IRC stands for Internet Relay Chat, a huge Chat system with innumerable servers
and networks. Millions of IRC users are spoilt for choice in the number of different
IRC clients available. Whether "mIRC", "Pirch", "Trillian" etc., there seem to
be as many possible IRC programs as grains of sand at the beach. Anti-Malware recognizes
all of them as Riskware. You may ask yourself what the reason for this is. After
all, one has downloaded the intended program from the official homepage, which should
rule out the possibility of Malware infection. This is a correct assumption and
the intentionally installed program itself does not normally present a risk. However,
there are certain types of Malware that use a built-in IRC client for communication
with the Malware author. These are usually Trojans that connect to a particular
IRC network once the system is infected. On the one hand the Malware author can
see how many infected computers are available, and on the other the infected computers
can then be controlled via keyboard commands over this IRC network.
These types of IRC networks are known as "Botnets". In this case the IRC client is not intentionally installed by the owner of the PC, but by the respective Trojan. The largest Botnets discovered so far contain several tens of thousands of infected computers. This is a somewhat alarming figure, since the Botnets are almost always used for criminal activities such as sending Spam, or even for "Flooding" (overloading) particular Websites or even Internet Providers. The user seldom notices the infection and can continue their normal working and surfing activities, at least until the point where the Internet connection suddenly becomes extremely slow because the entire bandwidth is being used for an attack.
Users of IRC for cultivated discussions do not need to be concerned; a normally installed IRC client usually presents no risk.
Example 2: VNC
While IRC is usually used for pleasure, there are also certain programs that you
perhaps use in your daily work. Good examples of this are so-called "Remote Desktop"
applications that allow the intentional use of a remote computer. For example, "VNC"
in all its variants allows the user to access a computer having the appropriate
server program and use this as if it were their own computer sitting in front of
them. It is irrelevant where the host computer is located, whether in the next room,
a few kilometers away, or on the other side of the planet. A normal Internet connection
and the appropriate software are sufficient for remote administration.
You can probably imagine the possible dangers here. What if someone smuggles a Trojan into my computer and this then installs a completely normal program such as VNC? Many Malware scanners will recognize the Trojan sooner or later, but will not recognize VNC as Malware because it is a completely normal program that is not in itself dangerous. Unfortunately, the attacker then has complete control over the infected computer and can truly do whatever they want with it.
Example 3: FTP
Our last example relates to FTP, one of the most heavily used protocols on the Internet. FTP stands for "File Transfer Protocol" and is used for the transfer of files over the Internet. Most of the users among you who have their own Homepage will probably have used an FTP client for uploading their carefully crafted web pages. Some of you have also perhaps installed an FTP server on your own computer and then wondered why Anti-Malware recognizes this as Riskware. The reason for this is relatively simple: as well as sometimes installing an IRC client, some Trojans also install an FTP server. This is created with a suitable user account providing full access rights to the entire computer. This means that while you are connected to the Internet the attacker has full control of all your files and can upload and download whatever they want. Not a pretty thought, is it?
It should now be clear to you that Riskware CAN be a risk for PC security but does
not HAVE to be a risk. Programs that you have intentionally installed can thus be
indicated as Riskware by Anti-Malware. In this case, you can usually ignore the warning
with a clear conscience or place the relevant program on the exception list so that
it is no longer recognized in future scans. However, if you discover software recognized
as Riskware that was previously unknown, and which lives in dubious directories,
then you should examine this more closely and if necessary remove it as soon as
possible. However, you should not forget that other users of the same computer might
have installed these programs on the hard drive.
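The decision described above can be written down as a small triage routine. This is an added example, not Emsisoft's code and not how Emsisoft Anti-Malware classifies anything; the record format, the list of "dubious" directories, the list of known installs and all sample paths are constructed assumptions. Ports 21, 5900 and 6667 are the conventional defaults for FTP, VNC and IRC.

```python
# Constructed example: triage of riskware detections, following the article's advice.

# Assumption: path fragments treated as "dubious"; the article names none.
DUBIOUS_PARTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                 "\\users\\public\\", "\\$recycle.bin\\")

# Default ports of the three tool classes used as examples in the article.
ROLE_BY_PORT = {21: "ftp-server", 5900: "vnc-server", 6667: "irc-client"}


def triage(detection, known_installs):
    """Return (verdict, reasons) for one riskware detection record."""
    path = detection["path"].lower()
    known = path in known_installs
    dubious = any(part in path for part in DUBIOUS_PARTS)
    reasons = []
    if not known:
        reasons.append("not among the intentionally installed programs")
    if dubious:
        reasons.append("located in a temporary or shared directory")
    for direction, port in detection.get("sockets", []):
        role = ROLE_BY_PORT.get(port)
        # Server roles count only when listening, the IRC client only when connecting out.
        if role and (direction == "listen") == role.endswith("server"):
            reasons.append(f"acts as {role} on port {port}")
    if known:
        verdict = "exception-list"      # installed on purpose: warning can be ignored
    elif dubious:
        verdict = "examine"             # unknown and in a dubious directory
    else:
        verdict = "ask-other-users"     # unknown, but someone else may have installed it
    return verdict, reasons


# Constructed sample data (hypothetical paths, lower-cased in the known-installs set).
KNOWN_INSTALLS = {r"c:\program files\mirc\mirc.exe"}
SAMPLE = [
    {"name": "IRC client", "path": r"C:\Program Files\mIRC\mirc.exe",
     "sockets": [("connect", 6667)]},
    {"name": "VNC server", "path": r"C:\Users\Public\rdsvc\winvnc.exe",
     "sockets": [("listen", 5900)]},
    {"name": "FTP server", "path": r"C:\Program Files\ftpd\ftpd.exe",
     "sockets": [("listen", 21)]},
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d["name"], *triage(d, KNOWN_INSTALLS))
```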
For manufacturers of security tools such as Emsisoft Anti-Malware, a compromise must often be made between providing the best possible protection for the system on the one hand, and producing the smallest possible number of false notifications on the other. For this reason we allow you to deactivate specific Riskware notifications. Adjust the settings of your Emsisoft Anti-Malware so that it suits your operating requirements while still satisfying your security requirements.