Handling Potentially Unwanted Products (PUPs)


Red Canary maintains an extensive list of software products we've observed running in our users’ environments and we flag those we consider to be Potentially Unwanted Programs (PUPs). In contrast to malware, which has only malicious intent, PUPs might have a legitimate purpose. However, they can still compromise system security or privacy. Our past analysis, described in this blog post, shows a strong correlation between PUP presence on an endpoint and the increased risk of malicious activity.

To mitigate the risk posed by PUPs, our application analytics track the execution of these products across your organization and publish a Threat for any detected instance, using the Unwanted Software classification.

If you determine that any of these products are approved software, you can configure Red Canary to simply observe the execution. Observed executions do not result in the publication of Unwanted Software threats, but can still be reviewed as potentially threatening events.

Viewing the List of Products

  1. From your Red Canary homepage, go to Customizations > Applications.

  2. Use the search bar to filter the list, or sort using the column headings.

The following information is displayed for each product:

Product Name
Red Canary’s assigned name for the product.

Category
The category Red Canary considers the product to be in (summarized in the Categories panel at the top of the page).

Prevalence
The number of times we detected the product in your environment. The first number shows the execution count over the trailing seven days, while the percentage tracks the count against the allowed global threshold (see High Volume Products). These calculations are refreshed hourly and do not include any occurrences to which an exclusion rule was applied.

Status
The currently-assigned status for the product (see Changing Product Threat Status).

Classification
The threat classification for the product. Everything on the Applications page is primarily classified as Unwanted Software, with three sub-classifications:

  • Adware
    Programs that use deceptive techniques such as changing browser settings and home pages, redirecting search results, displaying advertisements, or using bundled software to install additional unwanted software packages.

  • Riskware
    Programs designed to circumvent licensing, policy, or security controls, including password bypass utilities, license or policy bypass, host-based proxies, and anonymization services. Riskware may also use deceptive techniques, such as pop-up notifications or misleading product claims.

  • Peer-to-Peer (P2P)
    Programs used to share digital content or computing resources in a decentralized way, such as BitTorrent clients and cryptocurrency miners.

Exclusions
The number of exclusion rules configured for the product (see Excluding Products Under Specific Circumstances).

Changing Product Threat Status

To change the threat publishing behavior for a product, click the Status dropdown.

You can set the status to the following values:

Publishing Threats
Detections for this application are actively escalated and published as a threat.

Not Publishing Threats
This application is ignored. Detections don’t generate events and aren’t published as a threat.

Observed Without Threats
This application generates events but they won’t be escalated and published as a threat.

Bulk Changing the Status

You can also update the status of multiple products at the same time by checking the box in the Product Name column and assigning a new value using the Set Status button.

Excluding Products Under Specific Circumstances

If necessary, you can choose to exclude a product under specific conditions. For example, an individual user might be authorized to run a program for testing purposes.

  1. Click on the Edit button for the product you want to exclude.

  2. Click Add New Exclusion.

  3. Using the Exclusion fields, create one or more rules that define where the product is allowed to execute in your environment. The rules are based on the values of your defined Endpoint and Identity reporting tags. For more information, see Tag Endpoints for Context and Reporting. You can also use glob pattern wildcards to match the exclusion tag values.

  4. (Optional) Add Justification Notes to describe why the product is acceptable under these conditions.

  5. Click Save.

The number of active exclusions for each product is shown in the Exclusions column.

High Volume Products

Red Canary will automatically stop escalating events and publishing threats for products that go above our global thresholds. Products that have been disabled for exceeding a threshold will be marked with a “High Volume Product” badge.

We’ll also send an email notification to everyone with a Technical Contact or Applications Manager role when an analytic is disabled due to high event volume.

You can only re-enable these products once the event execution volume goes back below the threshold. If you feel that a product was incorrectly disabled, please contact Red Canary Support.

Reviewing Newly-Published Products

Whenever Red Canary adds a new product, we set the status to Needs Review and disable threat publishing. The Applications page will prompt you to review new items and set the status depending on how the products are used in your organization.

We’ll also send an email to everyone with a Technical Contact or Applications Manager role whenever new application analytics are released.

Disabling a Product from a Published Threat

You can also disable or exclude products directly from a published Threat.

  1. On the main Threats page, click the Threat number to open the details page.

  2. In the This threat has been... panel at the bottom of the Threat, click Not Remediated.

  3. In the Why are you choosing not to remediate? panel, select This is authorized, non-testing activity.

  4. Specify the authorization scope. The scope you choose will determine which status and exclusion rule will be assigned to the product.

    Scope                 Product Status            Exclusion Rule Match
    for my entire org     Not Publishing Threats    N/A
    on this endpoint      Publishing Threats        Endpoint Hostname
    by this user          Publishing Threats        Executing Username
    on this sensor group  Publishing Threats        Endpoint Tags: endpoint_sensor_group

  5. Add a justification note.

  6. Select the “I would prefer not to see threats in the future regarding:” checkbox (only users with Admin or Applications Manager roles can enable this).

  7. Click Mark as will not remediate.

  8. On the Applications page, the product will now have an exclusion rule based on the information you entered.

Filtering Applications

In addition to sorting the Applications page by columns, you can also filter the list using the search function.

Using the Search Box

To manually build a filter:

  1. Enter your filter attributes in the Search by query or by keyword box. Note that you can click on the example searches in the UI to copy the text as a template.

  2. Press Enter to apply the filter.

Note: Multiple attributes are applied with the AND logical operator, so each attribute further narrows the filter.

The following filter attributes are available:

Keywords
Plain keyword filtering (with no attribute specified) works against the Product Name field only. Unlike the defined attribute filters, keywords match on partial values. Example: browser

Status
Filter by the status of the application analytic. Examples: status:"Publishing Threats", status:"Not Publishing Threats", status:"Observed Without Threats", status:"Needs Review"

Classification
Filter by the classification of the application analytic. Examples: classification:Riskware, classification:"Peer-to-Peer (P2P)"

Name
Filter by the name of the application analytic. Example: name:BitTorrent

Category
Filter by the category of the application analytic. Examples: category:Remoting, category:"Cracking Utility"

Case Matching
All filter attribute matches are case-insensitive.

Multiple Values
All filter attributes accept | as an "OR" to search for multiple values. For example: name:MouseJiggle|TOR

Dates/Times
Date-based attributes are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times. For example:

  • 2025-01-01.. matches on or after (>=) the from date

  • ..2025-01-01 matches on or before (<=) the to date

  • 2025-01-01..2025-01-31 matches on or after (>=) the from date and on or before (<=) the to date
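To make the filter rules concrete (AND between attributes, | for OR within one attribute, case-insensitive matching, partial matching for bare keywords only, and from..to date ranges), here is an added example evaluator written for this page; it is not Red Canary code. The product rows, the category values other than Remoting and Cracking Utility, and the date-based attribute last_seen are constructed assumptions for the example, and date ranges are handled as ISO 8601 dates only.

```python
import shlex
from datetime import date

# Constructed sample rows standing in for the Applications page. The "last_seen"
# date attribute and most category values are assumptions made for this example.
PRODUCTS = [
    {"name": "BitTorrent", "status": "Publishing Threats", "classification": "Peer-to-Peer (P2P)",
     "category": "File Sharing", "last_seen": "2025-01-15"},
    {"name": "MouseJiggle", "status": "Not Publishing Threats", "classification": "Riskware",
     "category": "Policy Bypass", "last_seen": "2024-12-20"},
    {"name": "TOR", "status": "Observed Without Threats", "classification": "Riskware",
     "category": "Anonymizer", "last_seen": "2025-01-31"},
    {"name": "RemoteHelper", "status": "Needs Review", "classification": "Riskware",
     "category": "Remoting", "last_seen": "2025-02-03"},
]
DATE_ATTRIBUTES = {"last_seen"}  # hypothetical date-based attribute for the from..to syntax

def parse_query(query):
    """Search-box text -> (attribute, [alternatives]); shlex keeps quoted values together."""
    terms = []
    for token in shlex.split(query):
        attr, sep, value = token.partition(":")
        if not sep:  # no attribute given: plain keyword
            attr, value = "keyword", token
        terms.append((attr.lower(), value.split("|")))  # '|' separates OR alternatives
    return terms

def in_date_range(spec, actual):
    """from..to with either side optional; both bounds are inclusive ISO 8601 dates."""
    lo, sep, hi = spec.partition("..")
    if not sep:  # a bare date means exactly that day
        hi = lo
    d = date.fromisoformat(actual)
    return (not lo or d >= date.fromisoformat(lo)) and (not hi or d <= date.fromisoformat(hi))

def term_matches(attr, alternatives, product):
    """A term matches when any '|' alternative matches; comparisons are case-insensitive."""
    for alt in alternatives:
        if attr == "keyword":  # keywords: partial match against Product Name only
            hit = alt.lower() in product["name"].lower()
        elif attr in DATE_ATTRIBUTES:
            hit = in_date_range(alt, product[attr])
        else:  # defined attributes match the whole value, not a substring
            hit = product.get(attr, "").lower() == alt.lower()
        if hit:
            return True
    return False

def filter_products(query, products=PRODUCTS):
    """Terms are ANDed: each additional attribute narrows the result set."""
    return [p["name"] for p in products if all(term_matches(a, v, p) for a, v in parse_query(query))]
```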

Using the Filter Icon

As an alternative to entering attributes manually in the Search by query or by keyword box, you can use the UI to create your filter attributes.

  1. Click the filter icon to show available options.

  2. Use the dropdowns and text boxes to define the filters.

  3. Click Apply Filters to build the filter string and apply it.

FAQ


What if a new version of an unwanted product is released?

Red Canary uses a mix of atomic indicators and binary signing signatures to identify unwanted software applications. This method is imperfect when new versions of programs with different signatures are released. Do not rely on this approach to detect every instance of unwanted software in your environment.

What happens if the product executes in a manner that goes beyond the unwanted software classification?

If unwanted software performs suspicious or malicious actions, those activities should trigger other detectors that we triage separately from product detectors that only look for the presence of the product.