With virus control, policies are simple. Basically, you catch a virus, you stop it, with a few extra options. With spam, it gets more complex. One man’s spam is another’s delicate repast. You need to tailor the definition of what happens to a user’s own preferences.
With spyware and adware, policy definition has to get substantially more granular. For example, it may be perfectly okay that for certain users, a favored vendor’s website gathers all sorts of information about purchase preferences (cf Amazon). Or that in return for free use of a product, users get to be presented with advertisements (cf, AOL’s instant messaging client).