Shields up on potentially unwanted applications in your enterprise


Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it’s good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature. If enabled, PUA will be blocked at download and install time.


What is PUA and why bother?

Potentially Unwanted Application (PUA) refers to unwanted application bundlers or their bundled applications.

These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

Because the stakes are higher in an enterprise environment, the damage that PUA can cause is a real concern. Hence, it is important to deliver trusted protection in this area.

Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.


PUA protection for enterprise

The Potentially Unwanted Application protection feature is available only for enterprise customers. If you are already one of Microsoft’s existing enterprise customers, you need to opt-in to enable and use PUA protection.

PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft’s enterprise customers. No additional configuration is required besides opting into PUA protection.


Deploying PUA protection

System administrators can deploy the PUA protection feature as a Group Policy setting, using the registry key policy setting that matches your product version:

System Center Endpoint Protection, Forefront Endpoint Protection

Key Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine

Value Name: MpEnablePus


Note: The following configuration is available for machines that are managed by System Center Endpoint Protection.

Windows Defender

Key Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine

Value Name: MpEnablePus


The group policy value for MpEnablePus is configured as a DWORD type as follows:

Value (DWORD)   Description
0 (default)     Potentially Unwanted Application protection is disabled.
1               Potentially Unwanted Application protection is enabled. Applications with unwanted behavior will be blocked at download and install time.


After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.
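The following PowerShell script is an added example, not part of the original post or of the SCEP/FEP/Windows Defender products themselves. It audits the two policy paths listed above and can set MpEnablePus=1 on a single test machine (for example before you wrap the same setting into a Group Policy or Group Policy Preferences deployment). It assumes only the registry paths and value name given in this post; the `Get-PuaProtectionState` and `Enable-PuaProtection` function names are the example's own.

```powershell
# Added example: audit or enable the MpEnablePus policy value on the local machine.
# Which policy hive applies depends on the product: SCEP/FEP use "Microsoft Antimalware",
# Windows Defender uses "Windows Defender" (both paths are taken from the post above).
$PolicyPaths = @(
    'HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine',  # SCEP / FEP
    'HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine'        # Windows Defender
)

function Get-PuaProtectionState {
    # Returns one object per policy path showing whether MpEnablePus is present and its value.
    # A missing value or 0 means PUA protection is disabled (the default).
    foreach ($path in $PolicyPaths) {
        $value = $null
        if (Test-Path -LiteralPath $path) {
            $value = (Get-ItemProperty -LiteralPath $path -Name MpEnablePus -ErrorAction SilentlyContinue).MpEnablePus
        }
        [pscustomobject]@{
            PolicyPath  = $path
            KeyExists   = (Test-Path -LiteralPath $path)
            MpEnablePus = $value
            Enabled     = ($value -eq 1)
        }
    }
}

function Enable-PuaProtection {
    # Creates the policy key if needed and writes MpEnablePus = 1 as REG_DWORD.
    # Requires an elevated (administrator) session because it writes under HKLM.
    param([ValidateSet('SCEP', 'Defender')][string]$Product = 'SCEP')
    $path = if ($Product -eq 'SCEP') { $PolicyPaths[0] } else { $PolicyPaths[1] }
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $path -Name MpEnablePus -PropertyType DWord -Value 1 -Force | Out-Null
    # Return the resulting state so the caller can confirm the write.
    Get-PuaProtectionState | Where-Object PolicyPath -eq $path
}

# Usage: audit first, then enable for the product you actually run.
# Blocking takes effect after the next signature update or a restart, as noted above.
Get-PuaProtectionState | Format-Table -AutoSize
# Enable-PuaProtection -Product SCEP
```

Running the audit on a fleet (for example through a remoting session) before and after the policy lands gives you a simple way to confirm that the opt-in actually reached each endpoint, which several commenters below ask about.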

The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.


PUA threat file-naming convention

When enabled, we will start identifying unwanted software with threat names that start with “PUA:”, such as PUA:Win32/Creprote.

Specific researcher-driven signatures identify the following:

  • Software bundling technologies
  • PUA applications
  • PUA frameworks


What does PUA protection look like?

By default, PUA protection quarantines the file so it won’t run. PUA will be blocked only at download or install time. A file will be included for blocking if it meets one of the following conditions:

  • The file is being scanned from the browser
  • The file has Mark of the Web set
  • The file is in the %downloads% folder
  • The file is in the %temp% folder
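To make the scope of these conditions concrete, here is an added PowerShell example (not from the original post) that reports which of them a given file satisfies. It assumes that “%downloads%” means the per-user Downloads folder and that “%temp%” is `$env:TEMP`; the “scanned from the browser” condition depends on the scan context and cannot be evaluated from the file system, so it is not checked. The function names `Get-ZoneId` and `Get-PuaBlockScope` are the example's own.

```powershell
# Added example: classify files against the PUA blocking conditions that are visible on disk.
# Assumptions: "%downloads%" = the per-user Downloads folder; "%temp%" = $env:TEMP.

function Get-ZoneId {
    # Reads the Zone.Identifier alternate data stream, which is how Mark of the Web is stored.
    # Returns the ZoneId as an integer, or $null when the file carries no Zone.Identifier stream.
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-PuaBlockScope {
    # Returns an object stating whether the file is in scope for PUA blocking and why.
    param([Parameter(Mandatory)][string]$Path)
    $full      = (Resolve-Path -LiteralPath $Path).Path
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    $temp      = $env:TEMP   # may be an 8.3 short path on some systems; compare accordingly
    $zone      = Get-ZoneId -Path $full
    $reasons   = @()

    # ZoneId 3 = Internet, 4 = Restricted sites: the zones browsers stamp on downloads.
    if ($zone -ge 3) { $reasons += "Mark of the Web (ZoneId=$zone)" }
    if ($full.StartsWith($downloads, [StringComparison]::OrdinalIgnoreCase)) { $reasons += 'in Downloads folder' }
    if ($full.StartsWith($temp,      [StringComparison]::OrdinalIgnoreCase)) { $reasons += 'in Temp folder' }

    [pscustomobject]@{
        Path    = $full
        ZoneId  = $zone
        InScope = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Usage: classify everything currently sitting in the Downloads folder.
Get-ChildItem -LiteralPath (Join-Path $env:USERPROFILE 'Downloads') -File |
    ForEach-Object { Get-PuaBlockScope -Path $_.FullName } |
    Format-Table -AutoSize
```

A file that reports InScope = False here can still be blocked if it is scanned directly from the browser; conversely, an installer copied to an arbitrary folder with its Zone.Identifier stream stripped falls outside all four conditions, which is why the post limits blocking to download and install time rather than promising on-demand detection everywhere.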


The user experience of the blocking depends on the product you have installed.

With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection:

SCEP dialog box indicates detection status

The user can view the blocked software in the History tab.

You can take a look at the list of blocked applications from the History tab

In Windows 10, where managed endpoints run Windows Defender, the following dialog box will be shown:

Detection message in Windows Defender

PUA protection roll-out scenario

Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

Because blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence first, such as having a corporate policy or guidance stating that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

With a corporate policy or guidance in place, it’s also recommended to inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This preemptively tells your end-users why SCEP or FEP is blocking their download, and a helpdesk that knows about the new policy or guidance can resolve end-user questions.

Finally, if you expect many end-users in your environment to be downloading or installing PUA, it is recommended that machines be gradually enrolled into PUA protection. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine whether you want to allow any of them in your enterprise, add exclusions for them (all exclusion mechanisms are supported – file name, folder, extension, process), and then gradually roll out the opt-in policy to a larger set of machines.


Handling false positives

If you think that an application has been wrongfully identified as PUA, submit the file here, and add ‘PUA’ along with the detection name in the comments section.


We look forward to providing you with a great protection experience.

Geoff McDonald, Deepak Manohar, and Dulce Montemayor

MMPC

Comments (19)

  1. Sebastian says:

    Please make this at least a settings option in the UI for the home version, but I would prefer if you would enable it by default.

  2. markus says:

    I completely agree with Sebastian.

  3. Simon says:

    A Group Policy for this would be nice.

  4. Meitzi says:

    What is Microsoft’s definition of a potentially unwanted application?

  5. Meitzi says:

    Does anyone have a test (or real) file to test this?

  6. Nonsense says:

    Neither the reg keys exist nor does it work on Windows 7. Useless.

  7. Dekre says:

    Working also in Windows 7 with reg keys. I have tested it.

  8. GTJayG says:

    Agreed, a test file would be nice.

  9. MR says:

    I have been waiting for this feature for years, so finally, thank you Microsoft!

  10. DJane says:

    Why do I need to be an 'enterprise client' to protect my computer?

  11. neildotwilliams says:

    +1 to Meitzi – What is MS’s definition of ‘unwanted’? Also badly needs a test file, aka PUA:Eicar; how else do we know it’s enabled?

  12. Moneymasternow says:

    Thank you for the clear description.

  13. Nate says:

    Set the MpEnablePus reg key but can run any program in the %downloads% folder. Using SCEP 4.8.204.0.

  14. Dave says:

    What added this functionality? Is it a specific patch? Does it get added by the virus definitions? I'm trying to test but not sure it is working.

  15. adwbust says:

    MMPC can remotely enable it in the registry via MAPS or a signature update… hopefully they do, but I believe this is already enabled by default; they just changed the detection name to PUA instead of unwanted software? Hmm, maybe they’ll change hacktool to unsafe software? lol. Naming convention influenced by ESET: PUSA – potentially unsafe, and PUWA – potentially unwanted.

    BTW, MSE on Vista and Win7: you can’t enable or join the Customer Experience Improvement Program (CEIP) despite allowing it in the UAC prompt. Fix that!

  16. RR says:

    I’m wondering as well – how do we test if the feature is enabled? I tried http://www.amtso.org/feature-settings-check-potentially-unwanted-applications/ and I’m able to download the file via IE and Chrome and it’s not being detected as a PUA. Thanks.

  17. Kirk says:

    Question – as Microsoft Intune uses the guts of SCEP for its AV provision, and also can manage Windows Defender as it exists in Windows 10, is use of this PUA feature allowed/supported in the scope of an Intune (agent, rather than MDM based) managed device?

    1. Tim Bailen says:

      Kirk, great question – I’d love to know the answer, too. Microsoft – does this feature work on Intune Endpoint Protection? I tried testing using the amtso.org test file and I got inconsistent results – I’m not sure how reliable that site is – it sometimes displays “page can’t be displayed, make sure the web address is correct”. With the registry key turned on I was sometimes able to download the file and run it (after telling SmartScreen that I wanted to), and sometimes IE said “PotentiallyUnwanted.exe couldn’t be downloaded” instead.

      (I tried turning on the feature by setting the reg key described in “System Center Endpoint Protection” since I have a hive for “Microsoft Antimalware”, not one for “Windows Defender”.)

  18. broonie27 says:

    This blog would suggest you have to explicitly enable PUA but that has not been the case in my environment. I’m using SCCM 1606 with SCEP client 4.9.219 and one day I started getting bombarded with PUA email alerts from SCEP without any configuration. Very annoying indeed.