Handling Potentially Unwanted Products (PUPs)
    • 08 Apr 2025

    Red Canary maintains an extensive list of software products we've observed running in our users' environments and flags those we consider to be Potentially Unwanted Programs (PUPs). In contrast to malware, which is malicious by design, a PUP may have a legitimate purpose but can still compromise system security or privacy. Our past analysis, described in a Red Canary blog post, shows a strong correlation between the presence of a PUP on an endpoint and an increased risk of malicious activity on that endpoint.

    To mitigate the risk posed by PUPs, our Application Analytics tracks the execution of these products across your organization and publishes a Threat for any detected instance, using the Unwanted Software classification.

    If you determine that any of these products are approved software, you can configure Red Canary to simply observe the execution. Observed executions do not result in the publication of Unwanted Software threats, but can still be reviewed as potentially threatening events.

    Viewing the List of Products

    1. From your Red Canary homepage, go to Analytics > Applications.

    2. Use the search bar to filter the list, or sort using the column headings.

    The following information is displayed for each product:

    Product Name
    Red Canary’s assigned name for the product.

    Prevalence
    The number of times we detected the product in your environment. The first number shows the execution count over the trailing seven days, while the percentage tracks the count against the allowed global threshold (see High Volume Products). These calculations are refreshed hourly and do not include any occurrences to which an exclusion rule was applied.

    Status
    The currently-assigned status for the product (see Changing Product Threat Status).

    Classification
    The threat classification for the product. Everything on the Applications page is primarily classified as Unwanted Software, with three sub-classifications:

    • Adware
      Programs that use deceptive techniques such as changing browser settings and home pages, redirecting search results, displaying advertisements, or using bundled software to install additional unwanted software packages.

    • Riskware
      Programs designed to circumvent licensing, policy, or security controls, including password bypass utilities, license or policy bypass, host-based proxies, and anonymization services. Riskware may also use deceptive techniques, such as pop-up notifications or misleading product claims.

    • Peer-to-Peer (P2P)
      Programs used to share digital content or computing resources in a decentralized way, such as BitTorrent clients and cryptocurrency miners.

    Exclusions
    The number of exclusion rules configured for the product (see Excluding Products Under Specific Circumstances).

    Changing Product Threat Status

    To change the threat publishing behavior for a product, click the Status dropdown.

    You can set the status to the following values:

    Publishing Threats
    Detections for this application are actively escalated and published as a threat.

    Not Publishing Threats
    This application is ignored. Detections don’t generate events and aren’t published as a threat.

    Observed Without Threats
    This application generates events but they won’t be escalated and published as a threat.

    Bulk Changing the Status

    You can also update the status of multiple products at the same time by checking the boxes in the Product Name column and assigning a new value using the Set Status button.

    Excluding Products Under Specific Circumstances

    If necessary, you can choose to exclude a product under specific conditions. For example, an individual user might be authorized to run a program for testing purposes.

    1. Click on the Edit button for the product you want to exclude.

    2. Click Add New Exclusion.

    3. Using the Exclusion fields, create one or more rules that define where the product is allowed to execute in your environment. The rules are based on the values of your defined Endpoint and Identity reporting tags. For more information, see Tag Endpoints for Context and Reporting. You can also use glob pattern wildcards in the tag values you match (for example, a hostname pattern such as lab-* matches every hostname that begins with lab-).

    4. (Optional) Add Justification Notes to describe why the product is acceptable under these conditions.

    5. Click Save.

    The number of active exclusions for each product is shown in the Exclusions column.

    High Volume Products

    Red Canary will automatically stop escalating events and publishing threats for products whose execution volume goes above our global thresholds. Products that have been disabled for exceeding a threshold are marked with a "High Volume Product" badge on the Applications page.

    You can only re-enable these products once the event execution volume goes back below the threshold. If you feel that a product was incorrectly disabled, please contact Red Canary Support.

    Reviewing Newly-Published Products

    Whenever Red Canary adds a new product, we set the status to Needs Review and disable threat publishing. The Applications page will prompt you to review new items and set the status depending on how the products are used in your organization.

    Disabling a Product from a Published Threat

    You can also disable or exclude products directly from a published Threat.

    1. On the main Threats page, click the Threat number to open the details page.

    2. In the This threat has been... panel at the bottom of the Threat, click Not Remediated.

    3. In the Why are you choosing not to remediate? panel, select This is authorized, non-testing activity.

    4. Specify the authorization scope. The scope you choose determines which status and exclusion rule will be assigned to the product:

      Scope                  Product Status           Exclusion Rule Match
      for my entire org      Not Publishing Threats   N/A
      on this endpoint       Publishing Threats       Endpoint Hostname
      by this user           Publishing Threats       Executing Username
      on this sensor group   Publishing Threats       Endpoint Tags: endpoint_sensor_group

    5. Add a justification note.

    6. Select the “I would prefer not to see threats in the future regarding:” checkbox.

    7. Click Mark as will not remediate.

    8. On the Applications page, the product will now have an exclusion rule based on the information you entered.
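    The following is an added illustration, not Red Canary code, of how the three product statuses and the glob-based exclusion rules described under Excluding Products Under Specific Circumstances combine to decide the outcome of a single execution, and of the scope-to-status-and-rule mapping in the table above. The rule key scheme ("hostname", "username", "endpoint_tags.<tag>"), case-insensitive matching, and the treatment of Needs Review as not publishing are assumptions; the sample executions are constructed.

```python
"""Model of how a product's status and its exclusion rules decide the outcome
of one PUP execution, plus the 'will not remediate' scope mapping.
Added example, not Red Canary code; rule keys and matching rules are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Status values as they appear in the Status dropdown.
PUBLISHING = "Publishing Threats"
NOT_PUBLISHING = "Not Publishing Threats"
OBSERVED = "Observed Without Threats"
NEEDS_REVIEW = "Needs Review"


@dataclass
class Execution:
    """One observed execution of a product (constructed sample data)."""
    hostname: str
    username: str
    endpoint_tags: dict = field(default_factory=dict)
    identity_tags: dict = field(default_factory=dict)


@dataclass
class Product:
    name: str
    status: str = NEEDS_REVIEW
    exclusions: list = field(default_factory=list)  # each rule: {field: glob}


def field_value(execution, key):
    """Resolve a rule key to the execution's value (key scheme is an assumption)."""
    if key == "hostname":
        return execution.hostname
    if key == "username":
        return execution.username
    if key.startswith("endpoint_tags."):
        return execution.endpoint_tags.get(key[len("endpoint_tags."):])
    if key.startswith("identity_tags."):
        return execution.identity_tags.get(key[len("identity_tags."):])
    return None


def rule_matches(rule, execution):
    """A rule matches only if every field glob-matches (case-insensitive, assumed)."""
    for key, pattern in rule.items():
        value = field_value(execution, key)
        if value is None or not fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def outcome(product, execution):
    """Return 'excluded', 'threat', 'event' or 'none' for one execution."""
    if any(rule_matches(r, execution) for r in product.exclusions):
        return "excluded"            # not counted in Prevalence, no threat
    if product.status == PUBLISHING:
        return "threat"              # escalated and published
    if product.status == OBSERVED:
        return "event"               # reviewable event, never escalated
    # NOT_PUBLISHING ignores the product; NEEDS_REVIEW has publishing disabled
    # (assumption: modeled the same way until a status is chosen).
    return "none"


def scope_to_change(scope, execution):
    """Map a 'will not remediate' authorization scope to (status, exclusion rule)."""
    if scope == "for my entire org":
        return NOT_PUBLISHING, None
    if scope == "on this endpoint":
        return PUBLISHING, {"hostname": execution.hostname}
    if scope == "by this user":
        return PUBLISHING, {"username": execution.username}
    if scope == "on this sensor group":
        group = execution.endpoint_tags["endpoint_sensor_group"]
        return PUBLISHING, {"endpoint_tags.endpoint_sensor_group": group}
    raise ValueError(f"unknown scope: {scope}")


def will_not_remediate(product, execution, scope):
    """Apply the status and exclusion rule the Threat page would create (step 8)."""
    status, rule = scope_to_change(scope, execution)
    product.status = status
    if rule is not None:
        product.exclusions.append(rule)
    return product


if __name__ == "__main__":
    torrent = Product("Example BitTorrent client", status=PUBLISHING,
                      exclusions=[{"hostname": "lab-*"}])  # glob wildcard rule
    lab = Execution("LAB-07", "alice", {"endpoint_sensor_group": "research"})
    finance = Execution("fin-12", "bob", {"endpoint_sensor_group": "corp"})
    print(outcome(torrent, lab), outcome(torrent, finance))   # excluded threat
    will_not_remediate(torrent, finance, "by this user")
    print(outcome(torrent, Execution("fin-99", "bob")))       # excluded
```

    Note that an exclusion is checked before the status, so a product left at Publishing Threats still stays quiet for the matched hostname, user or sensor group while every other execution continues to produce a Threat; only the "for my entire org" scope changes the status itself.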

    FAQ


    What if a new version of an unwanted product is released?

    Red Canary uses a mix of atomic indicators and binary signing signatures to identify unwanted software applications. This approach is imperfect: a new version of a program may ship with different indicators or a different signing certificate and go unrecognized until we update the product definition. Do not rely on this approach to detect every instance of unwanted software in your environment.

    What happens if the product executes in a manner that goes beyond the unwanted software classification?

    If unwanted software performs suspicious or malicious actions, those activities should trigger other detectors that we triage separately from product detectors that only look for the presence of the product.
