Shields up on potentially unwanted applications in your enterprise

Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user running System Center Endpoint Protection (SCEP) or Forefront Endpoint Protection (FEP), your infrastructure can be protected from PUA installations when you opt in to the PUA protection feature. If enabled, PUA will be blocked at download and install time.

 

What is PUA and why bother?

Potentially Unwanted Application (PUA) refers to unwanted application bundlers or their bundled applications.

These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.

Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.

 

PUA protection for enterprise

The Potentially Unwanted Application protection feature is available only for enterprise customers. If you are already one of Microsoft’s existing enterprise customers, you need to opt in to enable and use PUA protection.

PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft’s enterprise customers. No additional configuration is required besides opting into PUA protection.

 

Deploying PUA protection

Systems administrators can deploy the PUA protection feature as a Group Policy setting, using the following registry policy key for your product version:

System Center Endpoint Protection, Forefront Endpoint Protection

Key Path:        HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine

Value Name:      MpEnablePus

 

Note: The following configuration is available for machines that are managed by System Center Endpoint Protection.

Windows Defender

Key Path:        HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine

Value Name:      MpEnablePus

 

The group policy value for MpEnablePus can be configured as a DWORD type as follows:

Value (DWORD)    Description
0 (default)      Potentially Unwanted Application protection is disabled.
1                Potentially Unwanted Application protection is enabled. The applications with unwanted behavior will be blocked at download and install time.

 

After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.
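As an added example (not part of the original post or any Microsoft tooling), the PowerShell below writes and then reads back the MpEnablePus value under the two policy keys listed above. The function names Set-PuaPolicy and Get-PuaPolicyState are hypothetical, and the script assumes an elevated session on a test machine; in production the value is normally delivered through Group Policy.

```powershell
# Added example: set and verify the MpEnablePus policy value described above.
# Function names are hypothetical; key paths and value name come from the article.

$PolicyKeys = @{
    'SCEP/FEP'         = 'HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'Windows Defender' = 'HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine'
}
$ValueName = 'MpEnablePus'

function Get-PuaPolicyState {
    # Report the configured value for each product key. A missing key or
    # value means the default (0, PUA protection disabled).
    foreach ($product in $PolicyKeys.Keys) {
        $key   = $PolicyKeys[$product]
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Product = $product
            Key     = $key
            Value   = if ($null -eq $value) { '(not set, default 0)' } else { $value }
            Enabled = ($value -eq 1)
        }
    }
}

function Set-PuaPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('SCEP/FEP', 'Windows Defender')][string]$Product,
        [ValidateSet(0, 1)][int]$Value = 1
    )
    $key = $PolicyKeys[$Product]
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null   # create MpEngine and any missing parent keys
    }
    # DWord matches the DWORD type documented for MpEnablePus.
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

# Enable PUA protection for Windows Defender, then show the state of both keys.
Set-PuaPolicy -Product 'Windows Defender' -Value 1
Get-PuaPolicyState | Format-Table -AutoSize
```

Running Get-PuaPolicyState on its own is a read-only audit that can be used to confirm which pilot machines have actually received the policy.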

The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.

 

PUA threat file-naming convention

When enabled, we will start identifying unwanted software with threat names that start with “PUA:”, such as PUA:Win32/Creprote.

Specific researcher-driven signatures identify the following:

  • Software bundling technologies
  • PUA applications
  • PUA frameworks

 

What does PUA protection look like?

By default, PUA protection quarantines the file so it won’t run. PUA will be blocked only at download or install time. A file will be included for blocking if it meets one of the following conditions:

  • The file is being scanned from the browser
  • The file has Mark of the Web set
  • The file is in the %downloads% folder
  • The file is in the %temp% folder

 

The user experience of the blocking depends on the product you have installed.

With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection:

[Image: SCEP dialog box indicates detection status]

The user can view the blocked software in the History tab.

[Image: You can take a look at the list of blocked applications from the History tab]

On Windows 10 endpoints where Windows Defender is managed, the following dialog box will be shown:

[Image: Detection message in Windows Defender]

PUA protection roll-out scenario

Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

As blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence such as having a corporate policy or guidance that defines that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

With a corporate policy or guidance in place, it’s recommended to also sufficiently inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This will preemptively inform your end-users as to why SCEP or FEP is blocking their download. By informing your helpdesk about your new policy or guidance, they can resolve end-user questions.

Finally, if you expect a lot of end-users in your environment to be downloading or installing PUA, then it is recommended that machines be gradually enrolled into the PUA protection. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine if you’d want to allow any of them in your enterprise, add exclusions for them (all exclusion mechanisms are supported: file name, folder, extension, process), and then gradually roll out the opt-in policy to a larger set of machines.
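To support the "observe the number of detections" step, the added example below (not from the original post) tallies pilot detections whose threat names follow the “PUA:” naming convention. The detection records, machine names and every threat name other than PUA:Win32/Creprote are constructed placeholders, and Get-PuaPilotSummary is a hypothetical helper; feed it whatever detection export your management console produces.

```powershell
# Constructed sample of detection records collected from pilot machines.
# Only PUA:Win32/Creprote is a name taken from the article; the rest are placeholders.
$detections = @'
Computer,ThreatName,Path
PILOT-01,PUA:Win32/Creprote,C:\Users\a\Downloads\setup1.exe
PILOT-02,PUA:Win32/Creprote,C:\Users\b\Downloads\setup1.exe
PILOT-02,PUA:Win32/ExampleBundler,C:\Users\b\AppData\Local\Temp\inst.exe
PILOT-03,Trojan:Win32/ExampleNotPua,C:\Users\c\Downloads\x.exe
PILOT-03,PUA:Win32/Creprote,C:\Users\c\Downloads\setup1.exe
'@ | ConvertFrom-Csv

function Get-PuaPilotSummary {
    param([Parameter(Mandatory)][object[]]$Detection)
    $Detection |
        Where-Object { $_.ThreatName -like 'PUA:*' } |   # keep only PUA-prefixed threat names
        Group-Object -Property ThreatName |
        ForEach-Object {
            [pscustomobject]@{
                ThreatName = $_.Name
                Detections = $_.Count
                # Number of distinct pilot machines that hit this detection
                Machines   = @($_.Group.Computer | Sort-Object -Unique).Count
            }
        } |
        Sort-Object -Property Machines, Detections -Descending
}

# Names seen on many machines are the ones to review before widening the roll-out.
Get-PuaPilotSummary -Detection $detections | Format-Table -AutoSize
```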

 

Handling false positives

If you think that an application has been wrongfully identified as PUA, submit the file here, and add ‘PUA’ along with the detection name in the comments section.

 

We look forward to providing you with a great protection experience.

Geoff McDonald, Deepak Manohar, and Dulce Montemayor

MMPC