Microsoft Blocking Potentially Unwanted Programs

Microsoft has added opt-in protection for Windows enterprise users that blocks potentially unwanted programs and applications.

Microsoft has taken steps to address deceptive software, otherwise known as potentially unwanted programs or applications, with new opt-in protections for Windows users in the enterprise.

The new protection blocks behaviors such as ad-injection, or the bundling of nuisance programs with software legitimately downloaded by users.

“These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications,” Microsoft said in its announcement. “Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern.”

The feature is available as an opt-in only for enterprises running System Center Endpoint Protection (SCEP) or Forefront Endpoint Protection. Once enabled, any potentially unwanted programs are blocked at download and install time.

Microsoft said that Windows system administrators can deploy the feature via a Group Policy setting and upon new signature updates and a restart, the feature begins blocking.

Microsoft also said that the PUA protection quarantines suspicious files only if it is being scanned from the browser, if the file has Mark of the Web in Internet Explorer set, and if it is in the downloads or temp folders. In the meantime, Microsoft recommends that organizations at a minimum define potentially unwanted applications for their organizations and give users and help desk a head’s up about the additional scanning.

“If you expect a lot of end-users in your environment to be downloading or installing PUA, then it is recommended that machines be gradually enrolled into the PUA protection,” Microsoft said. “In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine if you’d want to allow any of them in your enterprise, add exclusions for them (all exclusions mechanisms are supported – file name, folder, extension, process) and then gradually roll-out the opt-in policy to a larger set of machines.”

Suggested articles