Author Topic: PUP's  (Read 7654 times)

Offline Wittmann

  • Pegasus
  • Sr. Member
  • ****
  • Posts: 228
  • Retired professional engineer BSc.Eng M.I.Mech.E
PUP's
« on: December 12, 2016, 03:48:07 PM »
Using the Avast scanner or any other reputable AV scanner, I seldom have any PUP's listed as threats. With Avast I have not had one PUP listed in all the times I have used it.

Using MBAM, this AV picks up many PUP's, all of which are not picked up with Avast. Auslogics defrag places many PUP's on the system. Every time I use Auslogics, and I use it often, many PUP's enter my system which are apparently ignored by Avast and other AV's.

After using Avast for a period, I then used MBAM and 532 PUP's were listed as threats! Obviously the accumulation of PUP's during the Avast period of use.

May I please have an explanation why Avast ignored these PUP's?
UTRINQUE PARATUS
Windows 10 version 20H2 - Avast free AV - ZoneAlarm Firewall

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: PUP's
« Reply #1 on: December 12, 2016, 03:51:30 PM »
Do you have PUP detection enabled in Avast?

Offline Wittmann

Re: PUP's
« Reply #2 on: December 12, 2016, 04:00:05 PM »
Quote
Do you have PUP detection enabled in avast ?

Hello Eddy,
YES, I have always had the PUP box checked.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89665
  • No support PMs thanks
Re: PUP's
« Reply #3 on: December 12, 2016, 04:09:55 PM »
If you know they are PUPs and you still allow them, then they aren't unwanted, the crucial word in Potentially Unwanted Program.

There are many instances of programs that do things that some malware may do, like system tools getting information on your system, etc.  For an AV, etc. trying to determine intent is the hardest thing, e.g. did you install it for a specific purpose or was it installed without your knowledge.

As for your comment "Auslogics defrag places many PUP's on the system.", it isn't placing PUPs on your system, it is placing tools to do the job. The fact that MBAM is very fussy about what determines a PUP, may differ from mine or Avast's, it is all about intent and that is what a user has to determine.

The PUP scan on some shields is off by default and for many people this is just fine as crucially they wouldn't have knowledge of what the program does exactly to answer any interactive question raised by an AV alert.

Some security based software have a very different idea of what PUP encompasses.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Wittmann

Re: PUP's
« Reply #4 on: December 12, 2016, 04:17:25 PM »
I would just add that the MBAM program does not pick up any PUP infections until it goes on the heuristic analysis. With MBAM, the heuristic analysis is a specified visual scan action, the files scan is immediately before that.

If Avast does not scan heuristics, then it will not pick the threats up which MBAM does, neither will other AV programs. So heuristic PUP's will simply accumulate until MBAM is run again.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: PUP's
« Reply #5 on: December 12, 2016, 04:25:39 PM »
Avast is not as strict as to what they classify as PUP.

Quote
Several years ago, I blogged that we would be increasing how aggressive we would be in detecting Potentially Unwanted Programs (PUPs) and our fantastic malware intelligence and research teams have delivered on that promise. Last year, we removed approximately 500 million traces of PUPs per month!

In response, a lot of the PUP developers are making efforts to circumvent our criteria and continue distributing their damaging software to users. This is why we are getting even more critical about what we call a PUP, and what we are going to be detecting and removing from user systems.

https://blog.malwarebytes.com/malwarebytes-news/2016/10/malwarebytes-gets-tougher-on-pups/

https://www.malwarebytes.com/pup/


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: PUP's
« Reply #6 on: December 12, 2016, 04:26:55 PM »
Hi wittman44,

Is your MBAM resident and/or could it not be that either MBAM or avast for that matter will alert on the other solution's detection?

Always assumed that MBAM and avast av could work happily together and alongside each other as an on-demand and resident av solution.

If you disable one or the other for the time of the scan could you evaluate what happens/happened?
Often the proof of the pudding is in the eating  ;)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

Re: PUP's
« Reply #7 on: December 12, 2016, 04:28:27 PM »

Offline Wittmann

Re: PUP's
« Reply #8 on: December 12, 2016, 04:29:02 PM »
Quote
If you know they are PUPs and you still allow them, then they aren't unwanted, the crucial word in Potentially Unwanted Program.

There are many instances of programs that do things that some malware may do, like system tools getting information on your system, etc. For an AV, etc. trying to determine intent is the hardest thing, e.g. did you install it for a specific purpose or was it installed without your knowledge.

As for your comment "Auslogics defrag places many PUP's on the system.", it isn't placing PUPs on your system, it is placing tools to do the job. The fact that MBAM is very fussy about what determines a PUP, may differ from mine or Avast's, it is all about intent and that is what a user has to determine.

The PUP scan on some shields is off by default and for many people this is just fine as crucially they wouldn't have knowledge of what the program does exactly to answer any interactive question raised by an AV alert.

Some security based software have a very different idea of what PUP encompasses.

I have done absolutely nothing. I am simply using two different AV programs and stating a difference in the treatment of PUP's, call them tools if you wish, the definition is in the mind of the beholder. How program technicians define a PUP is their business, not mine and everybody is well aware of MBAM's crucial definition and treatment of PUP's.

Bottom line - Whatever constitutes a PUP is either a threat or it is not a threat. There is no middle ground.

Offline DavidR

Re: PUP's
« Reply #9 on: December 12, 2016, 05:03:44 PM »
What I have been saying is determining the intent is in the eye of the beholder and a security based program may have a different decision on what is a PUP, but it can't determine intent. That is why the word Potential is used. If it knew exactly if this was harmful then it wouldn't be a Potentially Unwanted Program.

AI in security based programs isn't really available right now.

The threat as such, isn't a threat until it is determined if it is Unwanted by the user. Did they install it, did they know what it does and do they want it on their system (Unwanted or not Unwanted).

Offline Wittmann

Re: PUP's
« Reply #10 on: December 12, 2016, 05:20:03 PM »
Quote
What I have been saying is determining the intent is in the eye of the beholder and a security based program may have a different decision on what is a PUP, but it can't determine intent. That is why the word Potential is used. If it knew exactly if this was harmful then it wouldn't be a Potentially Unwanted Program.

AI in security based programs isn't really available right now.

The threat as such, isn't a threat until it is determined if it is Unwanted by the user. Did they install it, did they know what it does and do they want it on their system (Unwanted or not Unwanted).

I appreciate all you have said, but this controversy is a responsibility of the program vendors, nothing to do with me. I could not care less how a PUP is defined, I simply use the AV program.

From what is being said, it is obvious to me that there is a gross misunderstanding amongst the experts on how to define a PUP. This again does not bother me.

So, as the hundreds of "PUP's" as defined by MBAM are of no value to the user, it is beneficial to delete them. Consequently, as using Avast or any other AV program will leave these useless files on the PC, I find it a simple technical choice to exclusively use a globally acknowledged and respected program like MBAM which deletes this redundant rubbish. If deleting these files does no good, it certainly does no harm.

Offline DavidR

Re: PUP's
« Reply #11 on: December 12, 2016, 05:57:49 PM »
There really is no way this can continue without details of what MBAM actually reported as PUPs.

I have seen MBAM report empty registry entries (a command without an associated file) as malicious. Without the file the command, etc. is inert.

Perhaps you can see why PUP scans are disabled by default (on some shields/scans and not others) as the greatest majority of users can't really make the determination on is this Unwanted or not.

Without details how can a user determine that "the hundreds of "PUP's" as defined by MBAM are of no value to the user, it is beneficial to delete them."?

That's me for this topic as one man's PUP is another's useful tool, we could bounce this around all day and that wouldn't change.

Offline Wittmann

Re: PUP's
« Reply #12 on: December 12, 2016, 06:12:02 PM »
Thank you so much for the constructive comments given on this controversial subject.

I get the message. My own conclusion is that if MBAM classify files as PUP's then PUP's they are.
All the hundreds of PUP's I have been talking about are exclusively Auslogics. Well, they may be vital ingredients during the Auslogics defrag, but they are absolutely of no use afterwards, so deleting them is a beneficial action to take.

Adiós and thank you.


Offline Eddy

Re: PUP's
« Reply #13 on: December 12, 2016, 06:28:59 PM »
Quote
I have done absolutely nothing. I am simply using two different AV programs and stating a difference in the treatment of PUP's
Well, that is already one point where you are wrong.
MBam is not an AV, it only scans executable files (which can be read on the MBam website).

What a tool detects as a PUP depends on how the developers define a PUP, and MBam has made their rules for it a lot stricter recently.
If you read them then even avast should be considered as a PUP.

Offline Happychappy

  • Jr. Member
  • **
  • Posts: 44
Re: PUP's
« Reply #14 on: December 12, 2016, 08:29:35 PM »
Same problem here, decided to uninstall and let MBam delete left over files.

https://forums.malwarebytes.org/topic/191656-pups/