Potentially Unwanted Programs (PUP), also known as Potentially Unwanted Applications (PUA), are applications that are traditionally considered harmless. However, since they exhibit behavior that is unwanted by a reasonable number of users, anti-virus engines have classified them as a potential threat.

Why has [Insert Anti-Virus Engine Here] Detected it as a PUP/PUA?

There are plenty of reasons why a particular anti-virus engine will perceive an application as unwanted.

The most obvious reasons are:

  1. Undesired Software Installation. This means that the application was installed, potentially unknowingly (due to pre-filled options and checkboxes), as part of another program's installation. A common example is software that is installed under express settings and can only be opted out of when the user chooses to install under Custom/Advanced installation.
  2. Modifies Unrelated Elements. It makes unnecessary changes to the computer settings (i.e. default browser & homepage) and registry. This is also commonly attributed to express install settings that are often overlooked by the user when installing.
  3. Advertising. Ad-supported programs usually make extensive use of advertising to make up for their development cost. This may result in slowdowns on the installed device as the application uses processes and Internet bandwidth to operate.
  4. Privacy Concerns. The application contains elements that allow it to regularly send and receive user data automatically, usually without permission.
  5. Uninstallation Woes. The process of uninstalling is either unclear, unavailable, or leaves undesirable elements behind that may cause or continue to cause performance issues.

There are other reasons why applications may be classified as unwanted software, such as behavior (underlying or hidden code) that is dangerously close to malware, specifically adware and spyware.

The line between PUP/PUAs and these variants of malware is very thin, so one engine might not detect a file as a threat while another will.

How to identify if a Detected File is a PUP/PUA?

When opening up a diagnosis by either Universal AV or a 2nd opinion scanner, the Virus name/label may indicate the following or some variation of it:

  1. Potentially Unwanted
  2. PUP
  3. PUA
  4. Not.a.Virus

Note that there will be other terms, and the ones each engine uses differ and change with time. The above keywords only serve to give an idea of whether a detection is for a legitimate threat or a potentially unwanted program.

Should I Quarantine, Delete, Block, or Unblock & Trust?

It depends on a lot of factors, but below are some points to consider for each:

Quarantine

  • Universally available option and most non-destructive option
  • Once files are quarantined, they are modified to be disabled and to prevent further detection of the file while it is kept
  • Files can be restored at a later time for an updated diagnosis
  • Restored files are rescanned by Universal AV with its latest diagnosis

Delete

  • Reserved only if you have no intention of using the program/application

Block

  • Option is only available if the software is trying to launch/run
  • Choosing to block only prevents it from running this time; the application may try to launch again
  • As it is a temporary solution until the application is eventually trusted, consider Quarantine or Delete if the launch of the application is undesired

Unblock & Trust

  • If the program launching is either desired or intended then Unblock & Trust will allow it to run

SecureAPlus Considerations

Since SecureAPlus makes use of multiple engines, the detection rate of PUPs or PUAs is higher, since it represents the combined sensitivities and aggression of the included antivirus engines against unwanted software.

Consideration should be given to the number of engines that flag a file as potentially unwanted software, as well as to the engines themselves.
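
As an added illustration (not SecureAPlus code), the sketch below applies the keyword list from the identification section to labels from several engines and counts how many flag the file as potentially unwanted. Engine names, labels and verdict strings are constructed for the example; matching is done on whole tokens so that a label such as "PuppetTool" is not mistaken for "PUP".

```python
import re
from collections import Counter

# Keywords from the identification list, as token sequences. Engines use
# other terms too and change them over time, so this is a starting set only.
PUP_MARKERS = [("potentially", "unwanted"), ("pup",), ("pua",), ("not", "a", "virus")]

def tokens(label):
    """Lowercase a detection label and split it on any non-alphanumeric run."""
    return [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]

def is_pup_label(label):
    """True if the label contains one of the PUP markers as whole tokens."""
    toks = tokens(label)
    for marker in PUP_MARKERS:
        n = len(marker)
        if any(tuple(toks[i:i + n]) == marker for i in range(len(toks) - n + 1)):
            return True
    return False

def triage(results):
    """Summarise per-engine results ({engine: label or None}) for one file."""
    counts = Counter()
    for label in results.values():
        if not label:
            counts["clean"] += 1          # engine reported nothing
        elif is_pup_label(label):
            counts["pup"] += 1
        else:
            counts["other"] += 1          # label without a PUP keyword
    if counts["other"]:
        verdict = "non-pup-detection"     # review as a possible real threat
    elif counts["pup"]:
        verdict = "pup-only"
    else:
        verdict = "no-detection"
    return verdict, dict(counts)

# Constructed sample: hypothetical engine names and labels.
SAMPLE = {
    "EngineA": "PUP.Optional.ExampleBundler",
    "EngineB": "not-a-virus:AdWare.Example",
    "EngineC": "Application.PuppetTool",   # "pup" appears only as a substring
    "EngineD": None,
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```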

Regardless of the criteria, the biggest benefit of using SecureAPlus is that unless Unblock & Trust is chosen as the course of action, the system is relatively safe from harm due to Application Whitelisting.
