HOW TO IDENTIFY

POTENTIALLY UNWANTED APPLICATIONS

By Jianpeng Mo Software Engineering Manager OPSWAT

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 1 As the computer security industry has grown, many technologies have emerged that can identify software applications that are truly malicious without too much difficulty. However, there are many other applications that are not as easy to define and whose maliciousness cannot always be confirmed. This type of application is now commonly referred to as a potentially unwanted program (PUP) or a potentially unwanted application (PUA).

There are many other applications...whose maliciousness cannot always be confirmed

Applications may be potentially unwanted if they include security vulnerabilities, are unlicensed, or are not sanctioned by the network administrator, among other reasons. According to the Microsoft Security Intelligence

Report 2013, more than 30% of known vulnerabilities come from small vendor applications that are not comprehensively tested or do not have solid maintenance procedures.

Because potentially unwanted applications can be introduced to a corporate network in many ways, network administrators need to be concerned about mobile users connecting to infected networks and end users unwittingly infesting their office desktops with vulnerable applications. In some cases, end users may knowingly download non-sanctioned applications such as peer-to-peer file-sharing, instant messaging, and mp3 applications.

This type of behavior, combined with the recent BYOD (Bring Your Own Device) concept, greatly facilitates the possibility of PUPs and PUAs getting into a corporate network.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 1 Interestingly, there seems to be some inconsistency in the classification of the types of products that fall under

PUPs or PUAs. Almost every security vendor, including Symantec, McAfee, ESET, Sophos and Kaspersky, has its own definition of these terms.

Symantec: Programs which computer users wish to be made aware of. These programs include

applications that have an impact on security, privacy and resource consumption, or are

associated with other security risks. These programs can show a pattern of installation without

user permission, or notice, on a system or be deemed to be separate and different from the

application installed.

McAfee: PUPs are any piece of software which a reasonably security or privacy-minded computer user

may want to be informed of, and, in some cases, remove.

ESET: A potentially unwanted application is a program that contains adware, installs toolbars or has

other unclear objectives. There are some situations where a user may feel that the benefits of a

potentially unwanted application outweigh the risks.

Sophos: Applications that, while not malicious, are generally considered unsuitable for business

networks. The major PUA classifications are: adware, dialer, non-malicious spyware, remote

administration tools and hacking tools.

Kaspersky: Programs which are developed and distributed by legitimate companies but have functions

which make it possible for them to be used maliciously. AdWare, RiskWare and PornWare are

the three classes of program which are categorized as potentially unwanted.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 2 If we take a step back and review the underlying meanings of these PUP and PUA definitions, it is clear that they all boil down to one key classification standard – applications that contain potential functionalities that, when active, users wish to be made aware of.

applications that contain potential functionalities that, when active, users wish to be made aware of.

Many users may not be concerned about PUPs and PUAs on their systems. Some may even intentionally introduce them due to a specific feature these applications offer. But in general, once these applications are running on the system, they are granted access to the registry, file system and services. Once this occurs, users need to be notified as potential vulnerabilities can be introduced.

Taking the varying nature of the definitions above into consideration, it is difficult for end users to classify applications as unwanted without additional guidelines. Therefore, we would like to propose a set of detailed guidelines that help to define PUPs or PUAs in the current marketplace. In order to notify users of applications which may be risky, we need to determine what traits these applications have, and what they are trying to achieve by entering the user’s system, so that they can be flagged as PUPs or PUAs.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 3 Common characteristics of PUPs or PUAs on user systems

Unlike malware applications, PUPs or PUAs do not infect or destroy the end user’s system directly. But this does not mean they are harmless; in fact, they can actually be more dangerous than certain viruses and spyware.

Potentially unwanted software can be a catalyst for the introduction of malware to a system and subsequently increase the possibility of infection or of user data to be stolen. Here are some common behaviors of potentially unwanted software:

1 INSTALLING ADWARE APPLICATIONS

Users commonly download applications which possess features they don’t understand. Moreover, they may not read through all the information in the pre-installation window. PUPs or PUAs target these user habits. Offering users adware applications during installation is a very common method of pushing suspicious programs through to the end user system. For example, in the screenshots below, we have downloaded a backup application download manager called “EaseUS Todo Backup Free”. The extent to which programs such as this attempt to place additional applications onto your system can be seen here as this particular download manager offers 3 additional applications to users: “Search Protect”, “RRSavings” and “PC Drivers”.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 4 2 SHOWING ADVERTISEMENTS

PUPs or PUAs are also widely used for advertising purposes. Images and pop-ups for advertisements unrelated to the program or application that was installed are very common. This type of behavior often comes from toolbars or video player applications.

3 COLLECTING PRIVATE INFORMATION OR DATA MINING

By installing an application, users are allowing this software to gain access to their system. A lot of the user’s private information is stored here for performance purposes. In Windows, for example, “%appdata%”, “%localappdata%” and “%programdata%” can contain a large amount of the user’s sensitive information, like browser cookies, an application’s login username, temporarily stored files, and more. With this information, it is relatively easy for hackers to analyze and mine data. PUPs or PUAs, if installed, will be granted this access also.

4 OFFERING FAKE SECURITY FEATURES

Internet security is a big concern for end users, and many are willing to pay to protect their systems. Some potentially unwanted software targets these people by appearing under the guise of security applications. They may report security alarms from time to time in order to seem like they are protecting the system, but they may actually be welcoming in viruses, worms, Trojan horses and other malicious programs. They may also falsely report serious infections and ask the user to input credit card information to purchase “malware removal software”.

5 MONITORING AND HIJACKING PERSONAL MESSAGES

Rather than being publicly available, point-to-point communications are intended to be private, and messages need to be protected during transmission. There are a number of applications that offer users online chatting services.

However, they do not reveal that all messages sent through the application travel through the public network

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 5 without any encryption. Message redirection is a risk when using potentially unwanted software. Since all the message packages are open to the network, all the information is exposed to the public. There are plenty of 3rd party tools available online which can be used to capture and redirect these messages to a different destination.

6 IRRITATING USERS

Some PUPs or PUAs are developed merely as pranks. They do not try to attack the system, impact security or steal private information. In fact, they may not actually contain any functionality at all and exist only to impair the user’s experience through irritating messages and false reports of viruses or other network issues.

7 BEING DIFFICULT TO REMOVE

Potentially unwanted software usually makes its main process as difficult to uninstall as possible. They do not report to the operating system, so users may not be able to execute the uninstallation through the system’s central software management console, such as the Control Panel on Windows. In extreme cases, they may even lock their running process or services with low-level drivers. This would result in the system returning the uninstallation request as “Access Denied” regardless of the user’s permissions, making the removal of these programs extremely difficult.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 6 There are a lot of other potentially suspect behaviors which PUPs or PUAs can exhibit on a user’s system. Above is simply a high-level summary of the seven most common. Different behaviors possess different levels of risk or threat and need to be considered individually. The following chart helps users to understand the variety of potentially unwanted software behaviors and their potential risks:

SYSTEM LOSS OF NEGATIVE DECREASED SYSTEM INFECTION PRIVACY USER EXPERIENCE PERFORMANCE

ADWARE INSTALLATION + + +

ADVERTISING + +

DATA MINING + +

FAKE SECURITY + +

MESSAGE HIJACKING +

IRRITATE USERS + +

DIFFICULT TO REMOVE +

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 7 Product categories likely to be considered PUPs or PUAs

Thousands of new applications appear online every day, and it is not always clear whether they are safe or not.

Determining whether an application falls into the PUA pool can be extremely challenging. This requires an understanding of not only the application’s behavior but also its intent. However, there are certain types of applications which are more likely to be deemed a PUP or PUA than others.

TOOLBAR ADD-ONS

The toolbar add-on is a type of browser extension that typically provides users with various additional functionalities by including a bar with several buttons within a browser. Generally, they do not provide as much value as the cost and risk they introduce. Screen space, performance, privacy, viruses and spywares are all potential trade-offs to having a toolbar running on your system.

PUBLIC FILE SHARING

Public file sharing applications, like µTorrent, eDonkey and FlashGet for example, are designed to bypass system firewalls. This can prevent the corporate network security from protecting a single point of entry to the network.

Instead, the network becomes reliant on individual users assigning the correct access controls to files and directories, which are coming through these applications, on their own workstations.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 8 INSTANT MESSAGING

Instant messaging applications are commonly installed and used on home computers as well as corporate workstations. However, while these are helpful for internal communication, they also present a high risk. All messages sent using these applications may travel unencrypted across the public network and can easily be hijacked.

CLOUD STORAGE

Cloud storage applications, such as Dropbox, Box Sync and CrashPlan, offer end users the ability to backup and store all their important documents. As dependence on the Internet has grown over time, in correlation with increased Wi-Fi coverage and speed, these cloud storage programs are also being used by some people as their primary base for storing information. However, allowing your private data to be kept online increases the risk of leaving it open to mining from third parties.

ROGUE SECURITY

Rogue security applications have been another central component in the PUA scene. Generally, they consume a system’s CPU and memory and cause the system to behave strangely and erratically. In the best-case scenario, the protection offered by the application will be ineffective. For some instances, however, they might go as far as to prevent users from installing or launching a real security program. Furthermore, they may even inform users of non-existent threats in order to convince the user that they are performing efficiently when that is not the case.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 9 Eight clues to help users determine whether there is any PUP or PUA running on the system

1 CHECK WHETHER THE RUNNING PROCESS IS DIGITALLY SIGNED AND CERTIFIED.

A digital signature is a “fingerprint” which is unique to both the file and the signer and binds them together. It requires the signer to have a certificate-based digital ID to ensure their authenticity. Therefore, if a running process has a valid digital signature, it can be considered more secure. On the other hand, a running process which does not have any digital signature could come from any source, so there is no way to verify its reliability; it could potentially be considered as an unwanted application.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 10 2 CHECK WHETHER THE PARENT OF THE RUNNING PROCESS EXISTS.

In some cases, unlike most other processes, a running process will try hiding its source. It may block the connection between the running process and its on-demand trigger. This kind of application would create a child process on the user’s system, and then terminate or close down. After that it would execute the malicious code from its child process. Microsoft offers a very useful tool called Process“ Explorer” which can help users retrieve most of the process information. Once Process Explorer is launched, if you select the suspect process, right-click on it and then go to ‘Properties’, the process’s parent information will appear on the pop-up window under the ‘Image’ tab.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 11 3 CHECK WHETHER THE RUNNING PROCESS COMES FROM ON-DEMAND OR PERSISTENT APPLICATIONS.

On-demand version processes may not leave any logs or footprints in the system, regardless of their functionalities.

A lot of PUP or PUA vendors distribute on-demand versions of their applications. These applications minimize user interaction. They do not require any installation, they are not persistent on the system and they are executed based on a user trigger which is activated regardless of whether the user’s action is intentional or not. Although antivirus vendors released updated PUP or PUA definition databases to monitor these on-demand processes and ensure consistent protection, it is virtually impossible to fully monitor this area. Users can verify whether an application is a persistent version under ‘Control Panel\Programs\Programs and Features’. All the persistent installed applications would show up as an entry within this control panel page.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 12 4 CHECK WHETHER THE RUNNING PROCESS HAS A PURE BROWSER PLUG-IN COMPONENT.

In most cases, processes which contain pure browser plug-in classes, such as “Chrome_WidgetWin”, “Internet

Explorer_Server” and “MozillaWindowClass”, are used for advertisement purposes. These processes are usually launched by another process when a certain condition is triggered. They can be very disruptive for end users and considered as potentially unwanted applications. However, detecting whether a given process contains any pure browser plug-in is not always easy for end users. Fortunately, there is a developer tool from Microsoft called

“Spy++” which can help users identify this information by giving them a graphical view of their system’s processes.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 13 5 5. CHECK WHETHER THE RUNNING PROCESS HAS MODIFIED THE BROWSER SETTINGS.

There are some processes that may attempt to update the browser settings every time they are launched. They overwrite the pre-configurations and redirect the user to a specific website. In extreme cases, they may even install browser plug-ins or adware applications without notifying the user. If users find that their browser homepage has been modified or see any unwanted browser plug-ins installed after running an application, it is likely that this application is what we consider a PUP or PUA.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 14 6.6 CHECK WHETHER THE RUNNING PROCESS CONSUMES HUGE AMOUNTS OF SYSTEM RESOURCES.

Applications are designed to leverage an operating system’s resources in order to employ certain features and actions. However, if an application occupies a lot of CPU or memory without any valuable returns, it is counter- productive. For example, some poorly-developed applications may crash easily and generate a lot of system errors.

There is a built-in Windows utility called “Event Viewer” which can be used to validate a given application’s stability.

After launching the “Event Viewer”, users should go to the ‘Application’ section under ‘Windows Logs’, and then create a filter to review event logs for any given application. If there are a considerable amount of errors generated by a specific application, then it should be regarded as a PUP or PUA.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 15 7 7. CHECK WHETHER THE RUNNING PROCESSES CONSISTENTLY CREATE NEW CHILD PROCESSES OR LAUNCH WINDOW PROMPTS.

A typical characteristic of PUA is to push advertisements or adult content to the end users. Traditional antivirus vendors may not easily be able to define such content as threats because some users may actually wish to receive these. However, most end users would have no interest in them. Therefore, PUP and PUA would be a reasonable classification for this type of application.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 16 8.8 CHECK WHETHER THE RUNNING PROCESS LISTENS TO ANY SPECIFIC PORT AND PROVIDES REMOTE SYSTEM ACCESS.

Remote desktop access is a valuable feature, but also a potentially dangerous one. Users should be absolutely confident and trusting of an application that provides this feature before using it. Opening remote access from an external network through a little-known application is almost as dangerous as leaving your laptop in Time Square without setting any password. If there is an application running on the system which offers remote access, and it is not from a reputable vendor, then it should most certainly be considered a PUP or PUA. This information could easily be retrieved by running command “netstat -o” from the Windows built-in “Command Prompt” utility.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 17 Conclusion

In conclusion, there is no straight-forward answer to whether an application is unwanted or not. A lot of PUPs or

PUAs get onto the user’s system through user action, either intentionally or unintentionally. The word “potentially” represents an important factor here. It is very necessary for users to understand the benefits and risks of any application before installing or using it. Unfortunately, this is not easy for most end users to determine.

Nonetheless, this does not mean that users are not able to take steps to protect their systems. Educating end users is an important security practice as they play a key role in helping to identify suspicious applications as PUPs or PUAs.

If a set of categories were established for these types of applications, based on their behavior, this could help users to identify whether an application is suspect or not. Applications that support file-sharing, instant messaging, cloud storage, additional unknown software, remote desktop access and adult content advertisements, or that are vulnerable, unlicensed, and unsanctioned, along with toolbars and rogue security programs, all have a much higher chance of being labeled as PUPs or PUAs than other programs.

Potentially unwanted applications do not bring in viruses or steal the user’s sensitive data directly, but they do introduce security risks to the system, decreases the system’s efficiency and performance, and disrupt the user experience. It is always a good idea to remove any potentially unwanted software to keep the system safe and clean.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 18 About OPSWAT

OPSWAT is a San Francisco based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and that help organizations protect against zero day attacks by using multiple anti-malware engine scanning, data sanitization, and file filtering. OPSWAT’s intuitive applications and comprehensive development kits are deployed by

SMB, enterprise, and OEM customers to more than 100 million endpoints worldwide.

OPSWAT’s software management solutions offer streamlined technology partnerships between leading technology solutions and software vendors. By enabling seamless compatibility and easy management capabilities, we allow network security and manageability solutions to provide visibility and management of multiple application types installed on an endpoint, as well as the ability to remove unwanted or non-compliant applications.

Our innovative multi-scanning solutions deliver anti-malware protection with increased detection rates and minimized performance overhead. In addition to maximizing detection rates, we provide the ability for customers to easily adapt our solutions to their existing infrastructure to add control over the flow of data into and out of secure networks.

ABOUT THE AUTHOR

Jianpeng Mo holds the position of Software Engineering Manager in OPSWAT, where he leads an engineering team for developing software management toolkits OESIS and AppRemover. He specializes in developing modern concept products, leading the engineering groups in solving unique and difficult technical problems. He and his

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 19 team are responsible for a variety of activities, including delivering a software detection, classification and manageability framework and researching application vulnerabilities and potential unwanted application removal.

Jianpeng received his M.S. from New York University with a major in Electrical Engineering.

HOW TO IDENTIFY POTENTIALLY UNWANTED APPLICATIONS | PAGE 20 http://www.opswat.com/

Disclaimer. © 2014. OPSWAT, Inc. (“OPSWAT”). All rights reserved. All product and company names herein may be trademarks of their respective owners.

The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. OPSWAT is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. Though reasonable effort has been made to ensure the accuracy of the data provided, OPSWAT makes no claim, promise or guarantee about the completeness, accuracy and adequacy of information and is not responsible for misprints, out-of-date information, or errors. OPSWAT makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document.

If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.