Sophos has recently been taken to task for detecting dialler software produced by Coulomb Ltd, a UK-based developer. Sophos originally classified the software as a Trojan, but David Knell, chief exec of Coulomb Ltd, said its application did "exactly what it says on the tin". Its dialler is offered as a payment option on various adult entertainment (sex) websites. The dialler clearly states that a premium rate number will be used, and spending is capped at £20 per session in line with recommendations from premium rate regulator ICSTIS, Knell says.
Sophos confirmed that it had removed detection of the dialler, following legal advice. However, some users questioned the move, citing that Sophos specialises in the enterprise market, and few enterprises authorise the use of porn diallers on their computers. Some security software may still detect the dialler, Symantec has categorised it as an Expanded Threat, which are only detected by some of the company's products.
Deciding which software should be detected by security applications has always been a difficult decision. In the early days, some researchers fiercely advocated that anti-virus software should only detect viruses - programs capable of replicating themselves, and not programs that were intended to be viruses, but did not work, or corrupted samples that were incapable of spreading etc. Nowadays, anti-virus software should probably be called anti-malware software. Later, there was disagreement over whether Back Orifice and NetBus should be detected, when the largely similar remote control software PCAnywhere was not.
The best option is to categorise the software accurately, and to let the responsible administrator choose which categories to allow, in line with the organisation's security policy. However, occasional mis-classifications are almost inevitable.