Customize Handling of Potentially Unwanted Programs (PUPs)
    • 18 Sep 2024

    What are Potentially Unwanted Programs (PUPs)?

    Malware is, by definition, unwanted. Malware may install itself through a user’s interaction, but without their express permission. PUPs, on the other hand, often require the user’s consent to download and install. We classify PUP threats as Unwanted Software. This encompasses applications that, while not always malicious, may compromise system security or privacy.

    Potentially unwanted software implies that the program may or may not have a legitimate purpose in your environment. We can use virtual private network (VPN) software and Remote Monitoring & Management (RMM) tools as examples, while considering an organization’s policies around them.

    Red Canary maintains an inventory of products and tracks their execution throughout your organization. There are products that we define as "Unwanted Software," or that may be unauthorized for specific users or for your entire organization.

    By default, all executions of software classified as unwanted will result in a threat designated Unwanted Software.

    If your security policy does not classify one of these products as unwanted software, you can configure Red Canary to simply observe its execution. Observed executions do not result in confirmed Unwanted Software threats, but can still be reviewed as potentially threatening events. 

    NOTE: Some attributes related to endpoint and user metadata are best effort and may not be known when a potentially threatening event occurs; this can cause the rules to be skipped and the product to not be ignored.

    Red Canary’s view on PUPs

    We aim to inform you about common PUPs we've seen among our users or tools we've seen being abused by threat actors, such as RMM tools. The published threats are to help improve your overall security posture. Our past analysis, detailed in this blog post, showed a strong correlation between PUP presence on an endpoint and the increased risk of malicious activity. Rather than aiming to detect every PUP, the threats that we publish for PUPs are meant to demonstrate how users can strengthen their security posture.

    Given that some PUPs may serve valid purposes in an organization, we allow each user to specify which PUPs they want to monitor.

    You will no longer receive threats with an Unwanted classification unless they are tied to a defined product that you can choose to observe or ignore. We will continue to review the raw telemetry, native alerts, and user feedback to identify new PUPs we should be detecting.

    Identify which applications should not trigger threats

    1. From the navigation menu, click the Analytics dropdown, and then click Applications. A sortable table with a search bar displays.

    2. Use the search bar to filter applications, or sort using the table columns.

    3. Each row in the table offers a short description with a dropdown arrow. Click the dropdown arrow for the application in which you are interested. A new window displays that enables you to customize whether a product is classified as unwanted software.

    4. Follow the directions on the screen, then click Save.

    Automatically disable future Threats for a product from an existing Threat

    If Red Canary publishes a Threat for a product that is deemed acceptable in your environment, you can create a suppression rule directly from the published threat.

    1. At the bottom of the Threat, click Not Remediated.

    2. Select This is authorized, non-testing activity when prompted to provide a reason for marking “Not Remediated”.

    3. Specify the scope and add Justification Notes that describe why the product is acceptable in your environment.

    4. Click I would prefer not to see threats for [Product Name] in the future.

    5. Click Mark as will not remediate.

    6. A message will flash indicating that an ignore rule was created.

    7. The row for the selected product will now include an ignore rule based on the specifications provided on the remediation form.

    Disable all threats for a product

    In some cases, it may be appropriate to disable all threats for a product and instead simply observe that the application was used. This may be useful for an application that is used widely across an environment.

    1. From the navigation menu, click Analytics, and then click Applications.

    2. Click on the product that you wish to adjust.

    3. Add Justification Notes that describe why the product is acceptable in your environment.

    4. Click Save.

    5. The toggle for this product will slide to Observed.

    Disable Threats for a product under specific circumstances

    1. From the navigation menu, click Analytics, and then click Applications.

    2. Click on the product that you wish to adjust.

    3. Use the Endpoint Tag, Identity Tag, Hostname, or Username fields to specify situations where the product is acceptable in your environment.

    4. Add Justification Notes that describe why the product is acceptable under these conditions.

    5. Click Save.

    6. The toggle for this product will slide to the middle in a partially Observed, partially Unwanted Software state.

    [Screenshot: Unwanted_software.png]

    Wildcards

    • Wildcards can be used to construct suppression rules for specific PUP alerts.

    • In the Endpoint Hostname and Executing Username fields, wildcards are represented by an *.

      • To match any value that contains the term anywhere, start and end the tag with an * (example: *admin*).

      • To match only values that end with the term, start the tag with an * (example: *username).
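    The following is an added illustration, not Red Canary's code: a small model of how an ignore rule scoped by Endpoint Tag, Identity Tag, Hostname, or Username decides between Observed and Unwanted Software, including the wildcard forms above and the NOTE earlier in this article that an execution whose hostname or username is not yet known is not matched by the rule. The classes, function names, and the product name "ExampleRMM" are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class IgnoreRule:
    """Scope of an ignore rule; None means 'any'. Hostname/username may use '*'."""
    product: str
    endpoint_tag: Optional[str] = None
    identity_tag: Optional[str] = None
    hostname: Optional[str] = None
    username: Optional[str] = None
    justification: str = ""

@dataclass
class Execution:
    """One observed product execution. None models metadata not yet known."""
    product: str
    hostname: Optional[str] = None
    username: Optional[str] = None
    endpoint_tags: frozenset = frozenset()
    identity_tags: frozenset = frozenset()

def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; all else is literal, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def classify(ex: Execution, rules: list) -> str:
    for rule in rules:
        if rule.product != ex.product:
            continue
        # Every field the rule sets must be known for this event AND match;
        # an unknown attribute (None) skips the rule, as the article's NOTE warns.
        checks = [
            (rule.hostname, ex.hostname, wildcard_match),
            (rule.username, ex.username, wildcard_match),
            (rule.endpoint_tag, ex.endpoint_tags, lambda tag, tags: tag in tags),
            (rule.identity_tag, ex.identity_tags, lambda tag, tags: tag in tags),
        ]
        if all(pat is None or (val is not None and fn(pat, val))
               for pat, val, fn in checks):
            return "Observed"
    return "Unwanted Software"

if __name__ == "__main__":
    # Constructed sample: "ExampleRMM" is a placeholder product, not a real one.
    rules = [IgnoreRule("ExampleRMM", hostname="*admin*", justification="IT support jump hosts")]
    for host in ("it-admin-01", "finance-07", None):
        print(host, "->", classify(Execution("ExampleRMM", hostname=host, username="jdoe"), rules))
```

The third sample execution, with an unknown hostname, stays classified as Unwanted Software even though the rule would otherwise apply, which is the behaviour the NOTE describes.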

    FAQ

    What if a new version of an unwanted software product is released?

    Red Canary uses a mix of atomic indicators and binary signing signatures to identify unwanted software applications. This method is imperfect when new versions of programs with different signatures are released. Do not rely on this approach to detect every instance of unwanted software in your environment.

    What happens if the product executes in a manner that goes beyond the unwanted software classification?

    If unwanted software performs suspicious or malicious actions, those activities should trigger other detectors that we triage separately from product detectors that only look for the presence of the product.
