How to Identify Potentially Unwanted Applications

460 views 22 slides Dec 31, 2015

About This Presentation

With an ever-changing threat landscape, certain software applications have become difficult for anti-malware technologies to detect and define as potential threats. This type of application is commonly known as a potentially unwanted application (PUA). These applications can open users to vulnerabiliti...


Slide Content

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 1
HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS
By Jianpeng Mo
Software Engineering Manager
OPSWAT

As the computer security industry has grown, many technologies have emerged that can identify
software applications that are truly malicious without too much difficulty. However, there are many other
applications that are not as easy to define and whose maliciousness cannot always be confirmed. This type of
application is now commonly referred to as a potentially unwanted program (PUP) or a potentially unwanted
application (PUA).
Applications may be potentially unwanted if they include security vulnerabilities, are unlicensed, or are not
sanctioned by the network administrator, among other reasons. According to the Microsoft Security Intelligence
Report 2013, more than 30% of known vulnerabilities come from small vendor applications that are not
comprehensively tested or do not have solid maintenance procedures.
Because potentially unwanted applications can be introduced to a corporate network in many ways, network
administrators need to be concerned about mobile users connecting to infected networks and end users
unwittingly infesting their office desktops with vulnerable applications. In some cases, end users may knowingly
download non-sanctioned applications such as peer-to-peer file-sharing, instant messaging, and mp3 applications.
This type of behavior, combined with the recent BYOD (Bring Your Own Device) concept, greatly facilitates the
possibility of PUPs and PUAs getting into a corporate network.

Interestingly, there seems to be some inconsistency in the classification of the types of products that fall under
PUPs or PUAs. Almost every security vendor, including Symantec, McAfee, ESET, Sophos and Kaspersky, has its own
definition of these terms.
Symantec: Programs which computer users wish to be made aware of. These programs include
applications that have an impact on security, privacy and resource consumption, or are
associated with other security risks. These programs can show a pattern of installation without
user permission, or notice, on a system or be deemed to be separate and different from the
application installed.
McAfee: PUPs are any piece of software which a reasonably security or privacy-minded computer user
may want to be informed of, and, in some cases, remove.
ESET: A potentially unwanted application is a program that contains adware, installs toolbars or has
other unclear objectives. There are some situations where a user may feel that the benefits of a
potentially unwanted application outweigh the risks.
Sophos: Applications that, while not malicious, are generally considered unsuitable for business
networks. The major PUA classifications are: adware, dialer, non-malicious spyware, remote
administration tools and hacking tools.
Kaspersky: Programs which are developed and distributed by legitimate companies but have functions
which make it possible for them to be used maliciously. AdWare, RiskWare and PornWare are
the three classes of program which are categorized as potentially unwanted.

If we take a step back and review the underlying meanings of these PUP and PUA definitions, it is clear that they all
boil down to one key classification standard – applications that contain potential functionalities that, when active,
users wish to be made aware of.
Many users may not be concerned about PUPs and PUAs on their systems. Some may even intentionally introduce
them due to a specific feature these applications offer. But in general, once these applications are running on the
system, they are granted access to the registry, file system and services. Once this occurs, users need to be notified
as potential vulnerabilities can be introduced.

Taking the varying nature of the definitions above into consideration, it is difficult for end users to classify
applications as unwanted without additional guidelines. Therefore, we would like to propose a set of detailed
guidelines that help to define PUPs or PUAs in the current marketplace. In order to notify users of applications
which may be risky, we need to determine what traits these applications have, and what they are trying to achieve
by entering the user’s system, so that they can be flagged as PUPs or PUAs.

Common characteristics of PUPs or PUAs on user systems
Unlike malware applications, PUPs or PUAs do not infect or destroy the end user’s system directly. But this does
not mean they are harmless; in fact, they can actually be more dangerous than certain viruses and spyware.
Potentially unwanted software can be a catalyst for the introduction of malware to a system and subsequently
increase the possibility of infection or of user data to be stolen. Here are some common behaviors of potentially
unwanted software:
INSTALLING ADWARE APPLICATIONS
Users commonly download applications which possess features they don’t understand. Moreover, they may not
read through all the information in the pre-installation window. PUPs or PUAs target these user habits. Offering
users adware applications during installation is a very common method of pushing suspicious programs through to
the end user system. For example, in the screenshots below, we have downloaded a backup application download
manager called “EaseUS Todo Backup Free”. The extent to which programs such as this attempt to place additional
applications onto your system can be seen here as this particular download manager offers 3 additional
applications to users: “Search Protect”, “RRSavings” and “PC Drivers”.


SHOWING ADVERTISEMENTS
PUPs or PUAs are also widely used for advertising purposes. Images and pop-ups for advertisements unrelated to
the program or application that was installed are very common. This type of behavior often comes from toolbars or
video player applications.
COLLECTING PRIVATE INFORMATION OR DATA MINING
By installing an application, users are allowing this software to gain access to their system. A lot of the user’s private
information is stored here for performance purposes. In Windows, for example, “%appdata%”, “%localappdata%”
and “%programdata%” can contain a large amount of the user’s sensitive information, like browser cookies, an
application’s login username, temporarily stored files, and more. With this information, it is relatively easy for
hackers to analyze and mine data. PUPs or PUAs, if installed, will be granted this access also.
OFFERING FAKE SECURITY FEATURES
Internet security is a big concern for end users, and many are willing to pay to protect their systems. Some
potentially unwanted software targets these people by appearing under the guise of security applications. They
may report security alarms from time to time in order to seem like they are protecting the system, but they may
actually be welcoming in viruses, worms, Trojan horses and other malicious programs. They may also falsely report
serious infections and ask the user to input credit card information to purchase “malware removal software”.
MONITORING AND HIJACKING PERSONAL MESSAGES
Rather than being publicly available, point-to-point communications are intended to be private, and messages need
to be protected during transmission. There are a number of applications that offer users online chatting services.
However, they do not reveal that all messages sent through the application travel through the public network
without any encryption. Message redirection is a risk when using potentially unwanted software. Since all the
message packages are open to the network, all the information is exposed to the public. There are plenty of 3rd
party tools available online which can be used to capture and redirect these messages to a different destination.
IRRITATING USERS
Some PUPs or PUAs are developed merely as pranks. They do not try to attack the system, impact security or steal
private information. In fact, they may not actually contain any functionality at all and exist only to impair the user’s
experience through irritating messages and false reports of viruses or other network issues.

BEING DIFFICULT TO REMOVE
Potentially unwanted software usually makes its main process as difficult to uninstall as possible. They do not
report to the operating system, so users may not be able to execute the uninstallation through the system’s central
software management console, such as the Control Panel on Windows. In extreme cases, they may even lock their
running process or services with low-level drivers. This would result in the system returning the uninstallation
request as “Access Denied” regardless of the user’s permissions, making the removal of these programs extremely
difficult.
There are a lot of other potentially suspect behaviors which PUPs or PUAs can exhibit on a user’s system. Above is
simply a high-level summary of the seven most common. Different behaviors possess different levels of risk or
threat and need to be considered individually. The following chart helps users to understand the variety of
potentially unwanted software behaviors and their potential risks:
[Chart: risk matrix. Columns: System infection, Loss of privacy, Negative user experience, Decreased system performance. Rows: Adware installation, Advertising, Data mining, Fake security, Message hijacking, Irritate users, Difficult to remove. The chart marks each risk that a behavior carries with a "+".]

Product categories likely to be considered PUPs or PUAs
Thousands of new applications appear online every day, and it is not always clear whether they are safe or not.
Determining whether an application falls into the PUA pool can be extremely challenging. This requires an
understanding of not only the application’s behavior but also its intent. However, there are certain types of
applications which are more likely to be deemed a PUP or PUA than others.
TOOLBAR ADD-ONS
The toolbar add-on is a type of browser extension that typically provides users with various additional
functionalities by including a bar with several buttons within a browser. Generally, they do not provide as much
value as the cost and risk they introduce. Screen space, performance, privacy, viruses and spyware are all
potential trade-offs to having a toolbar running on your system.
PUBLIC FILE SHARING
Public file sharing applications, like µTorrent, eDonkey and FlashGet for example, are designed to bypass system
firewalls. This can prevent the corporate network security from protecting a single point of entry to the network.
Instead, the network becomes reliant on individual users assigning the correct access controls to files and
directories, which are coming through these applications, on their own workstations.

INSTANT MESSAGING
Instant messaging applications are commonly installed and used on home computers as well as corporate
workstations. However, while these are helpful for internal communication, they also present a high risk. All
messages sent using these applications may travel unencrypted across the public network and can easily be
hijacked.
CLOUD STORAGE
Cloud storage applications, such as Dropbox, Box Sync and CrashPlan, offer end users the ability to back up and
store all their important documents. As dependence on the Internet has grown over time, in correlation with
increased Wi-Fi coverage and speed, these cloud storage programs are also being used by some people as their
primary base for storing information. However, allowing your private data to be kept online increases the risk of
leaving it open to mining from third parties.
ROGUE SECURITY
Rogue security applications have been another central component in the PUA scene. Generally, they consume a
system’s CPU and memory and cause the system to behave strangely and erratically. In the best-case scenario, the
protection offered by the application will be ineffective. In some instances, however, they might go as far as to
prevent users from installing or launching a real security program. Furthermore, they may even inform users of
non-existent threats in order to convince the user that they are performing efficiently when that is not the case.

Eight clues to help users determine whether there is any PUP or PUA running on the system
1. CHECK WHETHER THE RUNNING PROCESS IS DIGITALLY SIGNED AND CERTIFIED.
A digital signature is a “fingerprint” which is unique to both the file and the signer and binds them together. It
requires the signer to have a certificate-based digital ID to ensure their authenticity. Therefore, if a running process
has a valid digital signature, it can be considered more secure. On the other hand, a running process which does
not have any digital signature could come from any source, so there is no way to verify its reliability; it could
potentially be considered as an unwanted application.


2. CHECK WHETHER THE PARENT OF THE RUNNING PROCESS EXISTS.
In some cases, unlike most other processes, a running process will try to hide its source. It may block the connection
between the running process and its on-demand trigger. This kind of application would create a child process on
the user’s system, and then terminate or close down. After that it would execute the malicious code from its child
process. Microsoft offers a very useful tool called “Process Explorer” which can help users retrieve most of the
process information. Once Process Explorer is launched, if you select the suspect process, right-click on it and then
go to ‘Properties’, the process’s parent information will appear on the pop-up window under the ‘Image’ tab.



3. CHECK WHETHER THE RUNNING PROCESS COMES FROM ON-DEMAND OR PERSISTENT APPLICATIONS.
On-demand version processes may not leave any logs or footprints in the system, regardless of their functionalities.
A lot of PUP or PUA vendors distribute on-demand versions of their applications. These applications minimize user
interaction. They do not require any installation, they are not persistent on the system and they are executed
based on a user trigger which is activated regardless of whether the user’s action is intentional or not. Although
antivirus vendors have released updated PUP or PUA definition databases to monitor these on-demand processes and
ensure consistent protection, it is virtually impossible to fully monitor this area. Users can verify whether an
application is a persistent version under ‘Control Panel\Programs\Programs and Features’. All the persistent
installed applications would show up as an entry within this control panel page.

4. CHECK WHETHER THE RUNNING PROCESS HAS A PURE BROWSER PLUG-IN COMPONENT.
In most cases, processes which contain pure browser plug-in classes, such as “Chrome_WidgetWin”, “Internet
Explorer_Server” and “MozillaWindowClass”, are used for advertisement purposes. These processes are usually
launched by another process when a certain condition is triggered. They can be very disruptive for end users and
considered as potentially unwanted applications. However, detecting whether a given process contains any pure
browser plug-in is not always easy for end users. Fortunately, there is a developer tool from Microsoft called
“Spy++” which can help users identify this information by giving them a graphical view of their system’s processes.


5. CHECK WHETHER THE RUNNING PROCESS HAS MODIFIED THE BROWSER SETTINGS.
There are some processes that may attempt to update the browser settings every time they are launched. They
overwrite the pre-configurations and redirect the user to a specific website. In extreme cases, they may even install
browser plug-ins or adware applications without notifying the user. If users find that their browser homepage has
been modified or see any unwanted browser plug-ins installed after running an application, it is likely that this
application is what we consider a PUP or PUA.


6. CHECK WHETHER THE RUNNING PROCESS CONSUMES HUGE AMOUNTS OF SYSTEM RESOURCES.
Applications are designed to leverage an operating system’s resources in order to employ certain features and
actions. However, if an application occupies a lot of CPU or memory without any valuable returns, it is counter-
productive. For example, some poorly-developed applications may crash easily and generate a lot of system errors.
There is a built-in Windows utility called “Event Viewer” which can be used to validate a given application’s stability.
After launching the “Event Viewer”, users should go to the ‘Application’ section under ‘Windows Logs’, and then
create a filter to review event logs for any given application. If there is a considerable number of errors generated
by a specific application, then it should be regarded as a PUP or PUA.


7. CHECK WHETHER THE RUNNING PROCESSES CONSISTENTLY CREATE NEW CHILD PROCESSES OR LAUNCH WINDOW PROMPTS.
A typical characteristic of PUA is to push advertisements or adult content to the end users. Traditional antivirus
vendors may not easily be able to define such content as threats because some users may actually wish to receive
these. However, most end users would have no interest in them. Therefore, PUP and PUA would be a reasonable
classification for this type of application.


8. CHECK WHETHER THE RUNNING PROCESS LISTENS TO ANY SPECIFIC PORT AND PROVIDES REMOTE SYSTEM ACCESS.
Remote desktop access is a valuable feature, but also a potentially dangerous one. Users should be absolutely
confident and trusting of an application that provides this feature before using it. Opening remote access from an
external network through a little-known application is almost as dangerous as leaving your laptop in Times Square
without setting any password. If there is an application running on the system which offers remote access, and it is
not from a reputable vendor, then it should most certainly be considered a PUP or PUA. This information could
easily be retrieved by running the command “netstat -o” from the Windows built-in “Command Prompt” utility.
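Clues 1, 2, 3, 6 and 8 can all be run together from PowerShell. The script below is an added example, not the whitepaper's or OPSWAT's code; it assumes Windows 8 / Server 2012 or later, an elevated prompt, and arbitrary defaults of a 24-hour error window and a two-flag threshold for manual review.

```powershell
# Added example, not from the whitepaper: scores each running process against
# clues 1 (signature), 2 (parent present), 3 (persistent install),
# 6 (application-log errors) and 8 (listening ports). Assumes Windows 8 /
# Server 2012 or later and an elevated prompt; the defaults below are arbitrary.
param([int]$ErrorLookbackHours = 24, [int]$FlagThreshold = 2)

$procs = Get-CimInstance -ClassName Win32_Process
$livePids = @{}
foreach ($p in $procs) { $livePids[[int]$p.ProcessId] = $true }

# Clue 8: PIDs that own a listening TCP socket (what "netstat -o" would show).
$listeners = @{}
foreach ($c in @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)) {
    $k = [int]$c.OwningProcess
    if (-not $listeners.ContainsKey($k)) { $listeners[$k] = @() }
    $listeners[$k] += [int]$c.LocalPort
}

# Clue 3: install directories behind "Programs and Features" (all registry views).
$installDirs = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
) | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Where-Object { $_.InstallLocation } |
    ForEach-Object { $_.InstallLocation.TrimEnd('\').ToLowerInvariant() }

# Clue 6: error-level entries in the Application log within the look-back window.
$appErrors = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Level = 2
    StartTime = (Get-Date).AddHours(-$ErrorLookbackHours)
} -ErrorAction SilentlyContinue)

$report = foreach ($p in $procs) {
    $flags = @()
    $exe = $p.ExecutablePath
    $sigStatus = 'n/a'   # kernel and protected processes expose no image path
    # Clue 1: unsigned or broken-signature image.
    if ($exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        $sigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unreadable' }
        if ($sigStatus -ne 'Valid') { $flags += "signature:$sigStatus" }
    }

    # Clue 2: parent already gone. PIDs are reused, so treat this as a hint only.
    if (-not $livePids.ContainsKey([int]$p.ParentProcessId)) { $flags += 'parent-missing' }

    # Clue 3: image outside every registered install directory and outside the
    # Windows directory (heuristic: some uninstall entries omit InstallLocation).
    if ($exe) {
        $lower = $exe.ToLowerInvariant()
        $known = @($installDirs | Where-Object { $lower.StartsWith($_) }).Count -gt 0
        if (-not $known -and -not $lower.StartsWith($env:windir.ToLowerInvariant())) {
            $flags += 'not-in-programs-and-features'
        }
    }

    # Clue 6: repeated errors whose text names this image (e.g. Event ID 1000).
    $errCount = @($appErrors | Where-Object { $_.Message -like "*$($p.Name)*" }).Count
    if ($errCount -ge 3) { $flags += "app-errors:$errCount" }

    # Clue 8: the process accepts inbound connections.
    if ($listeners.ContainsKey([int]$p.ProcessId)) {
        $flags += 'listens:' + ($listeners[[int]$p.ProcessId] -join ',')
    }

    [pscustomobject]@{
        PID = $p.ProcessId; Name = $p.Name; Signature = $sigStatus
        Flags = $flags.Count; Detail = ($flags -join ' ')
    }
}

# Processes tripping several clues float to the top for manual review.
$report | Where-Object { $_.Flags -ge $FlagThreshold } |
    Sort-Object Flags -Descending | Format-Table -AutoSize
```

A flag is a prompt for the manual checks in the text (Process Explorer, Programs and Features, Event Viewer), not a verdict: legitimate services also listen on ports and some vendors still ship unsigned tools.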

Conclusion
In conclusion, there is no straightforward answer to whether an application is unwanted or not. A lot of PUPs or
PUAs get onto the user’s system through user action, either intentionally or unintentionally. The word “potentially”
represents an important factor here. It is very necessary for users to understand the benefits and risks of any
application before installing or using it. Unfortunately, this is not easy for most end users to determine.
Nonetheless, this does not mean that users are not able to take steps to protect their systems. Educating end
users is an important security practice as they play a key role in helping to identify suspicious applications as PUPs
or PUAs.
If a set of categories were established for these types of applications, based on their behavior, this could help users
to identify whether an application is suspect or not. Applications that support file-sharing, instant messaging, cloud
storage, additional unknown software, remote desktop access and adult content advertisements, or that are
vulnerable, unlicensed, and unsanctioned, along with toolbars and rogue security programs, all have a much higher
chance of being labeled as PUPs or PUAs than other programs.
Potentially unwanted applications do not bring in viruses or steal the user’s sensitive data directly, but they do
introduce security risks to the system, decrease the system’s efficiency and performance, and disrupt the user
experience. It is always a good idea to remove any potentially unwanted software to keep the system safe and
clean.

About OPSWAT
OPSWAT is a San Francisco based software company that provides solutions to secure and manage IT
infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks,
and that help organizations protect against zero day attacks by using multiple anti-malware engine scanning, data
sanitization, and file filtering. OPSWAT’s intuitive applications and comprehensive development kits are deployed by
SMB, enterprise, and OEM customers to more than 100 million endpoints worldwide.
OPSWAT’s software management solutions offer streamlined technology partnerships between leading technology
solutions and software vendors. By enabling seamless compatibility and easy management capabilities, we allow
network security and manageability solutions to provide visibility and management of multiple application types
installed on an endpoint, as well as the ability to remove unwanted or non-compliant applications.
Our innovative multi-scanning solutions deliver anti-malware protection with increased detection rates and
minimized performance overhead. In addition to maximizing detection rates, we provide the ability for customers
to easily adapt our solutions to their existing infrastructure to add control over the flow of data into and out of
secure networks.
ABOUT THE AUTHOR
Jianpeng Mo holds the position of Software Engineering Manager in OPSWAT, where he leads an engineering team
for developing software management toolkits OESIS and AppRemover. He specializes in developing modern
concept products, leading the engineering groups in solving unique and difficult technical problems. He and his
team are responsible for a variety of activities, including delivering a software detection, classification and
manageability framework and researching application vulnerabilities and potential unwanted application removal.
Jianpeng received his M.S. from New York University with a major in Electrical Engineering.

Disclaimer. © 2014. OPSWAT, Inc. (“OPSWAT”). All rights reserved. All product and company names herein may be trademarks of their respective owners.
The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied,
including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. OPSWAT is not liable for any damages,
including any consequential damages, of any kind that may result from the use of this document. Though reasonable effort has been made to ensure the accuracy of
the data provided, OPSWAT makes no claim, promise or guarantee about the completeness, accuracy and adequacy of information and is not responsible for misprints,
out-of-date information, or errors. OPSWAT makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of
any information contained in this document.
If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.
http://www.opswat.com/