I've just received an e-mail asking how I determine whether or not a site gets the FSA classification, so thought I'd post the answer I sent them, in case anyone else was wondering.
FSA classification is assigned to sites that fit one or more of the following criteria:
1. Using misleading means to peddle their products (e.g. claiming the product is free, when in actuality, it's just a free scan)
2. Not keeping their affiliates under control (i.e. those affiliates spamming, using BlackHat SEO, or otherwise misleading users)
This particular one is known to be controversial, but as I keep telling companies that complain - if you're going to have affiliates, it is YOUR responsibility to monitor them. We shouldn't have to do it for you, and aren't getting paid to do it for you.
3. Site is residing on a known malicious IP block
Software specific
4. Using deliberate F/P's that require payment to remove
5. Claiming threats were found that need payment to remove, when they aren't threats
For #4, an excellent example would be those rogues that claim threats were found when in actuality, they're just cookies
6. Claiming problems were found that need payment to remove, when in actuality, removal of such would lead to an unstable system and/or contrary to the claim, would not actually improve the system's performance (these tactics are used by a slew of bogus registry cleaners for example).
7. Require payment via the "infected" computer (requiring the user pay for removal from the machine, after you've just told them it is infected, is extremely bad ethics, and dangerous as it then leaves them open to identity theft for a start)
8. Software being installed via drive-by, exploits or other malware (such is the case with a slew of the worst rogues available at present)
9. Has at least one clone, for example:
http://www.malwarebytes.org/forums/inde ... opic=15264
10. Begins scanning immediately after loading, instead of going to options or such, options which would likely have allowed the reduction of false positive detection
11. Does not provide for a log of the results to be saved (this must be combined with one of the above as it obviously couldn't be a determination on its own)
12. After receiving payment from the victim either does not provide the keys it is supposed to, or does not remove the threats it claimed it detected (this is why I recommend companies offer a fully functional free trial instead), or as was the case with one we came across, does not remove the threats that the company's site/blog guaranteed it could remove.