AMP family (WD/MSE) can kill some PUA now, like you wished

Started by BenYeeHua, October 29, 2015, 04:04:47 PM


BenYeeHua

Looks like Jeremy is right, MS is starting to do something about bundling, by starting to kill some PUA (potentially unwanted application) or PUP (potentially unwanted program) with every AMP family product (WD/MSE/Microsoft Safety Scanner and others that are not for normal users).

They are even crazy enough to detect and remove any iframe that gets injected into the Bing UX, and it has been enabled since October 28, 2015.
Some PUA are also listed as Severe, so...

Of course they also reach out to the people that provide bundles, telling them why their installer is getting flagged as a virus, and remove it after a newer installer is clean.
Will the Java Online Installer be flagged and killed? I have no idea... ::)

For more information, just read the report link below. ;)

Warning, Chinese text; basically it is talking about why WD started killing many more viruses in the Virus Testing (forum) board. ;)
http://bbs.kafan.cn/thread-1860302-1-1.html

Report about PUA: what PUA is, how MS names them, how to kill/uninstall them, etc.
https://www.microsoft.com/security/portal/enterprise/threatreports_october_2015.aspx

The change log of the definition (may be gone after a few new definitions are pushed)
https://www.microsoft.com/security/portal/definitions/whatsnew.aspx?RequestVersion=1.209.596.0&Release=Released&Package=AM

The detailed information about which PUA will be killed; it will be changed when needed, and announced before it changes.
https://www.microsoft.com/security/portal/mmpc/shared/ObjectiveCriteria.aspx

BenYeeHua

A little update on this one: you need to enable it yourself, and be aware that enabling it might start giving false reports; I also found that the PUA kill is not effective. ::)

http://bbs.kafan.cn/thread-1864226-1-1.html
https://technet.microsoft.com/en-us/library/hh508770.aspx#BKMK_Step1

WD
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001
MSE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft AntiMalware\MpEngine]
"MpEnablePus"=dword:00000001
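Since the two .reg fragments above differ only in the policy key path, a short script that checks both paths, reports the current MpEnablePus value, and writes the value only when asked makes it easy to confirm on a machine which product (if any) has the setting applied. This is an added example written for this thread, not code from the poster or from Microsoft; it assumes exactly the two registry paths and the DWORD value 1 shown in the post, and that it is run from an elevated PowerShell prompt when -Enable is used, since HKLM\SOFTWARE\Policies is not writable otherwise.

```powershell
# Added example (not from the original post): inspect and optionally set the
# MpEnablePus policy value for Windows Defender and Microsoft Security Essentials.
# Paths and the value 1 are taken from the .reg fragments in the post; nothing
# else about the engine's behaviour is assumed.
param(
    [switch]$Enable   # without -Enable the script is read-only
)

# The two policy locations listed in the post (HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE).
$targets = @(
    @{ Name = 'Windows Defender (WD)';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine' },
    @{ Name = 'Microsoft Security Essentials (MSE)';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft AntiMalware\MpEngine' }
)

function Get-PuaPolicyState {
    param([string]$Path)
    # Returns $null when the key or the value is absent, otherwise the DWORD.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'MpEnablePus' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MpEnablePus
}

foreach ($t in $targets) {
    $before = Get-PuaPolicyState -Path $t.Path
    $state  = if ($null -eq $before) { 'not configured' } elseif ($before -eq 1) { 'enabled (1)' } else { "set to $before" }
    Write-Host ("{0}: MpEnablePus is {1}" -f $t.Name, $state)

    if ($Enable -and $before -ne 1) {
        # Create the key path if it does not exist, then write the DWORD exactly as the .reg file would.
        New-Item -Path $t.Path -Force | Out-Null
        New-ItemProperty -Path $t.Path -Name 'MpEnablePus' -Value 1 -PropertyType DWord -Force | Out-Null
        $after = Get-PuaPolicyState -Path $t.Path
        Write-Host ("{0}: MpEnablePus now {1}" -f $t.Name, $after)
    }
}
```

Running it without -Enable is safe on any machine and simply shows whether the policy value is present, which is the first thing to check before assuming PUA detection is active; with -Enable it writes the same value as the .reg files, so the two approaches are interchangeable.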