Q&A Kaspersky and PUP detection

Status
Not open for further replies.

Ahmed Uchiha

Level 1
Feb 5, 2021
32
88
Illegal software is a different topic than PUP (it's actually grayware, not PUP). Policy for most AV vendors is to either ignore them, which means these will be shown as clean even if they contain malware, or to flag them as a risk regardless of whether they contain malware. Both ways are not helpful for you to determine whether they are safe.
Illegal (pirated) software, in my opinion, should be marked as Riskware, because many cracked games contain mining malware, ransomware, and spyware. There is nothing for free; it also puts the user at risk of a hack or anything like that. Kaspersky is one of the AVs that doesn't mark pirated software as Riskware.

Kaspersky may not be good at detecting PUPs or adware because it focuses on low false positives. This means not flagging many PUP apps, because they (the PUP apps) said in their license agreement that they offer ads, and the user agreed to this license.
 

Andrew3000

Level 9
Verified
Malware Tester
Feb 8, 2016
403
4,722
Illegal (pirated) software, in my opinion, should be marked as Riskware, because many cracked games contain mining malware, ransomware, and spyware. There is nothing for free; it also puts the user at risk of a hack or anything like that. Kaspersky is one of the AVs that doesn't mark pirated software as Riskware.

Kaspersky may not be good at detecting PUPs or adware because it focuses on low false positives. This means not flagging many PUP apps, because they (the PUP apps) said in their license agreement that they offer ads, and the user agreed to this license.
I disagree. Kaspersky's policy is fair. It is not true that all cracks contain mining and other things (the ones that do are detected by Kaspersky). It is useless, and it creates only problems to mark as malware something that is not.
 

Ahmed Uchiha

Level 1
Feb 5, 2021
32
88
I disagree. Kaspersky's policy is fair. It is not true that all cracks contain mining and other things (the ones that do are detected by Kaspersky). It is useless, and it creates only problems to mark as malware something that is not.
I know that Kaspersky doesn't flag anything as malware unless they are sure it is malicious, but these kinds of files are suspicious. I saw many YouTubers who got hacked because of using pirated editing software, and most of the time cracked software will contain malware; few of them are clean. It is a risk in the end, so at least they should tell the user, "hey, this is pirated software and might cause damage to your data", and also warn the user about this software. Some users don't know if a game is legal or not. It would always be good to notify the user about everything.
 

peterfat111

Level 8
Mar 25, 2021
365
1,283
IDK, but I got a web browser redirected (adware? PUP?). Kaspersky did nothing at all, didn't fix it.

I disagree. Kaspersky's policy is fair. It is not true that all cracks contain mining and other things (the ones that do are detected by Kaspersky). It is useless, and it creates only problems to mark as malware something that is not.
True, many cracks are safe; sometimes cracks can be as safe as normal software. I don't like that antivirus always aims at keygens when all they do is just crack the software (but maybe the antivirus wants to support the creator and kill cracks? idk)

"low detection of PUP", this is one of the reasons I like Kaspersky, it just detects real threats. I hate applications that alert you because you are using a crack or another application that doesn't represent a danger to the user. I hate moralist applications that alert the user because an application is not completely legal.
Thanks, Kaspersky, for being the real deal...

A good example:

View attachment 258437

View attachment 258438
But sometimes PUPs can be harmful (or annoying); it would be great if Kaspersky detected more "real" PUPs, not cracks.
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
I am not speaking about those specific samples because I did not analyse them, but generally, many system cleaners and optimizers are considered PUP because:
  • They exaggerate scan results and show hundreds of problems/issues/warnings, even on a freshly installed system --> this is regarded as a scare tactic; they use fear to make the user buy the product. Most of the time the demo product cannot fix those issues, only the paid version.
  • Sometimes it is hard to uninstall them.
  • A lot of them have strong VM detection mechanisms, and will not show any exaggerated warnings or tone them down if executed in a VM, they will also be less annoying and may refrain from nagging pop-ups and warning pop-ups after trying to close the application if executed in a VM. --> this is to prevent proper analysis in the hopes that vendors will not flag them as PUP. But it's even more a reason to flag them if the analyst detects this behaviour.
  • A lot of them do not improve anything at all. Windows is fully capable to take care of its own registry and also defragging by now.

But, in my opinion, a useless app that just wants your money and doesn't do anything, that kind of scam that can potentially damage PC stability or corrupt registry keys, is a PUP, because of course no one would like to see this kind of app on his computer, or adware apps that show ads on your desktop.
I don’t disagree that a lot of these programs are potentially PUPs, and a lot of these behaviors should be labeled as PUPs. But my concern is that if one is making the case that Kaspersky is doing a bad job at PUP detection, the specifics of the 3 examples matter, especially when there’s basically no consensus except occasionally Fortinet (very false positive happy with non-enterprise software) and ESET and maybe one machine learning engine thinks it’s bad.

Trying to draw the line here can be really difficult and needs to be done carefully. Just because the OS has some functionality doesn’t mean that third party apps deserve to be destroyed by antivirus software. Like is WinRAR a PUP because Windows knows how to unzip files and WinRAR constantly nags you to buy it despite the purchased version doing nothing special? What about third party text editors that don’t carefully manage file associations so it’s hard to delete them. Windows already has NotePad. Photoshop has a very anti-consumer subscription model now so why have it when Microsoft Paint comes free? The Google Chrome updater on Mac has had bugs which brick macOS on 2 separate occasions last year. That’s caused more actual damage to computers than most register cleaner scams.

Of course there’s subtleties there — Auslogics Disk Defrag also supports operations like consolidating free space for VM disk resizing which the built in Windows defragger doesn’t. It also tries to get you to buy the Pro version, sure. That’s what makes PUPs such a gray area.

In my opinion if AVs want to detect PUPs they must be able to accurately and clearly separate these categories:
  • Software that doesn’t intentionally harm your machine but provides very little useful benefit, and there’s better alternatives.
  • Software that is slightly more evil than the above category and basically doesn’t do anything useful and purely uses aggressive tactics to get you to pay.
  • Hacking tools that are sometimes used maliciously but only do what the user tells them to do (for example, PasswordFox, penetration testing tools, Wireshark, etc.)
  • “Legitimate” piracy tools - cracks, keygens, etc. that do what they claim without intent to damage the system
  • Fake piracy tools - pretend to be piracy tools but actually deliver malware.

The latter two, as others have touched on, are a major problem with AVs these days. Microsoft Defender and BitDefender, in particular, will aggressively flag both categories of piracy tools the same way with very generic signatures. Kaspersky actually did a good job here the last time I tried googling “KMS Activator” and downloading and analyzing a few samples. Kaspersky didn’t care about the legit KMS activators but did flag the ones that were fake or also bundled malware payloads. BitDefender and in particular MS Defender just flagged them all as generic trojans.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
47,749
IDK, but I got a web browser redirected (adware? PUP?). Kaspersky did nothing at all, didn't fix it.

True, many cracks are safe; sometimes cracks can be as safe as normal software. I don't like that antivirus always aims at keygens when all they do is just crack the software (but maybe the antivirus wants to support the creator and kill cracks? idk)

But sometimes PUPs can be harmful (or annoying); it would be great if Kaspersky detected more "real" PUPs, not cracks.
You solved the issue with Norton Power Eraser, but didn't mention what the actual cause was.
Link: cj.dotomi.com

Warez tools are unsafe and may contain hidden threats; they are also not a legitimate way of acquiring licensed software.

Malwarebytes AdwCleaner is a free on-demand tool for detecting Adware/PUP software on Windows.
 

peterfat111

Level 8
Mar 25, 2021
365
1,283
You solved the issue with Norton Power Eraser, but didn't mention what the actual cause was.
Link: cj.dotomi.com

Warez tools are unsafe and may contain hidden threats; they are also not a legitimate way of acquiring licensed software.

Malwarebytes AdwCleaner is a free on-demand tool for detecting Adware/PUP software on Windows.
Yes, but antivirus should contain adware-cleaning functions. I don't really know what was removed; I will check the log.

I know, but still... they are not viruses or PUPs, and shouldn't be killed if they are safe.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
47,749
Yes, but antivirus should contain adware-cleaning functions. I don't really know what was removed; I will check the log.
Most PUA/PUP scanners are disabled by default, or require user interaction to enable during the first run.

Potentially Unwanted Apps do not necessarily need to be removed. If you are careful about your mouse clicks, you can avoid most unwanted software.
I know, but still... they are not viruses or PUPs, and shouldn't be killed if they are safe.
Ever considered buying the software?
 

peterfat111

Level 8
Mar 25, 2021
365
1,283
Most PUA/PUP scanners are disabled by default, or require user interaction to enable during the first run.

Potentially Unwanted Apps do not necessarily need to be removed. If you are careful about your mouse clicks, you can avoid most unwanted software.

Ever considered buying the software?
That is why I opened them, but still... not doing anything.
Then why is PUP unwanted? And there is no way I can afford a 300+ dollar Adobe PDF as a student.
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
Even though I’m not a big fan of pirating software, I think it’s still interesting to try to hold AV software to the high standard that even if I intentionally try to execute something sketchy, AV software can and should try to protect my machine. Of course you put yourself at a lot less risk if you don’t engage in piracy or download sketchy things, but the reality is that it’s common enough of a practice that anti malware needs to be able to deal with it.
 

Ahmed Uchiha

Level 1
Feb 5, 2021
32
88
This is why ESET has better detection of PUPs: [KB2629] What is a potentially unwanted application or potentially unwanted content?
Especially this: "

Potentially unwanted applications – Registry cleaners

Registry cleaners are programs that may suggest that the Windows registry database requires regular maintenance or cleaning. Using a registry cleaner might introduce some risks to your computer system. Additionally, some registry cleaners make unqualified, unverifiable, or otherwise unsupportable claims about their benefits and/or generate misleading reports about a computer system based on the results of a "free scan". These misleading claims and reports seek to persuade you to purchase a full version or subscription, usually without allowing you to evaluate the registry cleaner before payment. For these reasons, ESET classifies such programs as PUA and provides you the option to allow or to block them."

They consider registry cleaners PUPs, and the explanation is very convincing.
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
This is why ESET has better detection of PUPs: [KB2629] What is a potentially unwanted application or potentially unwanted content?
Especially this: "

Potentially unwanted applications – Registry cleaners

Registry cleaners are programs that may suggest that the Windows registry database requires regular maintenance or cleaning. Using a registry cleaner might introduce some risks to your computer system. Additionally, some registry cleaners make unqualified, unverifiable, or otherwise unsupportable claims about their benefits and/or generate misleading reports about a computer system based on the results of a "free scan". These misleading claims and reports seek to persuade you to purchase a full version or subscription, usually without allowing you to evaluate the registry cleaner before payment. For these reasons, ESET classifies such programs as PUA and provides you the option to allow or to block them."

They consider registry cleaners PUPs, and the explanation is very convincing.

ESET writes a lot of stuff but that doesn't necessarily reflect how the product behaves. They document a ransomware behavior blocker module that we've discussed at length and have never managed to activate in any testing.


Here's the top 4 "register cleaner" Google results. ESET only flagged one of them and it's the one from Auslogics. In fact they detect almost every download from Auslogics as PUA. Even similar cleaner apps from other vendors like O&O don't get detected: VirusTotal

It just simply doesn't seem consistent with any vendor and I don't see a reason why Kaspersky is being singled out here. Even vendors like Microsoft and Malwarebytes who claim to take an aggressive stance against these apps magically don't care to detect any of them.
 

Ahmed Uchiha

Level 1
Feb 5, 2021
32
88
ESET writes a lot of stuff but that doesn't necessarily reflect how the product behaves. They document a ransomware behavior blocker module that we've discussed at length and have never managed to activate in any testing.


Here's the top 4 "register cleaner" Google results. ESET only flagged one of them and it's the one from Auslogics. In fact they detect almost every download from Auslogics as PUA. Even similar cleaner apps from other vendors like O&O don't get detected: VirusTotal

It just simply doesn't seem consistent with any vendor and I don't see a reason why Kaspersky is being singled out here. Even vendors like Microsoft and Malwarebytes who claim to take an aggressive stance against these apps magically don't care to detect any of them.
CCleaner is known to be safe, as it is just a junk cleaner, but look at something like ASC that boosts 300% of your computer performance; in some cases it can break your PC, which happened to me in the past. They are risky apps, in my opinion.
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
CCleaner is known to be safe, as it is just a junk cleaner, but look at something like ASC that boosts 300% of your computer performance; in some cases it can break your PC, which happened to me in the past. They are risky apps, in my opinion.
Not really convinced there. They advertise a Pro and Business version and claim it makes your computer more secure and safer. It used to bundle Avast Free until Microsoft threatened to mark it as a PUA for doing so (Reports of Windows Defender Classifying CCleaner as PUA). It also silently collected data from machines by default: CCleaner provokes fury over Active Monitoring, user data collection | ZDNet

So once again, if you can evaluate some of the samples you sent to Kaspersky and find that they behave in a predatory way that fits the classifications that others use as PUA, I think it would be far more interesting to see how each vendor reacts to such a report. Otherwise, as you've demonstrated, simply lumping programs into categories like "driver updater" or "registry cleaner" is not enough to determine if something is a PUA or not.
 

Ahmed Uchiha

Level 1
Feb 5, 2021
32
88
Not really convinced there. They advertise a Pro and Business version and claim it makes your computer more secure and safer. It used to bundle Avast Free until Microsoft threatened to mark it as a PUA for doing so (Reports of Windows Defender Classifying CCleaner as PUA). It also silently collected data from machines by default: CCleaner provokes fury over Active Monitoring, user data collection | ZDNet
View attachment 258466

So once again, if you can evaluate some of the samples you sent to Kaspersky and find that they behave in a predatory way that fits the classifications that others use as PUA, I think it would be far more interesting to see how each vendor reacts to such a report. Otherwise, as you've demonstrated, simply lumping programs into categories like "driver updater" or "registry cleaner" is not enough to determine if something is a PUA or not.
I really don't know, but Microsoft doesn't recommend registry cleaners, as they might break PCs, and some make false claims; it's like a scam, providing not-real software like scareware.
But I am not an expert to judge them more precisely.

 

peterfat111

Level 8
Mar 25, 2021
365
1,283
CCleaner is known to be safe, as it is just a junk cleaner, but look at something like ASC that boosts 300% of your computer performance; in some cases it can break your PC, which happened to me in the past. They are risky apps, in my opinion.
Here is why you shouldn't use it
 