Endpoint Protection

All About Grayware 

02-26-2015 07:00 AM

Introduction

This is the seventh in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated July 2019.

This new "All About Grayware" article describes software classified as “Potentially Unwanted Applications” (PUA) and Symantec’s response to them.

 

 

PUAs?  Pick Up Artists?

Well, kind of!

  • These sneaky programs make great promises, but might not have the best of intentions.
  • Often they claim that they wish to do nothing more than provide recipes, performance boosts, fun and discounts.  Next thing you know, they are consuming alarming amounts of resources and sharing your stuff without permission to strangers all over the world.
  • They definitely love to try to install themselves on as many machines as they can.
  • Even a savvy computer user will often find themselves asking, “how did that get past me?  I never even saw it happening!”
  • They often prove hard to get rid of once installed.

 

Within Symantec we typically refer to this software as Grayware.  Programs in this category are not purely malicious but they are not glowingly white either. We have seen web browser extensions, toolbars, download accelerators or other applications of questionable merit.  From Security Response's glossary:

 

Potentially Unwanted Application

Programs that computer users wish to be made aware of. These programs include applications that have an impact on security, privacy, resource consumption, or are associated with other security risks. These programs can show a pattern of installation without user permission or notice on a system or be deemed to be separate and different from the application installed.

 

 

Are PUAs Viruses?  I thought SEP detected Viruses.

Not everything SEP can detect is a "virus" just like not every stomach ache is "appendicitis."  The landscape of all the different types is pretty complex.

What is the difference between viruses, worms, and Trojans?
http://www.symantec.com/docs/TECH98539

About viruses and security risks
http://www.symantec.com/docs/TECH140085

Potentially Unwanted Applications are distinct from Threats.

 

Note that PUAs are classified as Risks as distinct from Threats. ("Threats" includes the malicious viruses, worms, etc that most people think of when they use the word "virus." Risks are, well... risks, to your security.  "Malware" is a useful umbrella term for Threats and Risks.) Admins can configure their SEP organization to allow end users to install products that fall into this Risks category, if they so wish.

 

 

Can you give me an example of a PUA?

Sure- I set up a brand-new Windows 8 machine and decided to personalize it.  During a quick visit to a well-respected download site, I spotted a screensaver that looked fun.  A few clicks later there was a big green “Agree & Install” to click....

defaults_to_install_extras_better.png

 

That fine print which few people pause to read is actually a legally-binding agreement to install optional browser extensions and make changes to the way I have my computer’s Internet settings configured.  This is a PUA attempting to get itself installed onto my new computer.

 

After a click, the next screen had more legal mumbo jumbo with an “Agree & Install.”  However, pausing for a closer look reveals that this screen refers to completely different product than the screensaver.  While there’s an implication that hitting Decline will cancel the whole screensaver install, it will actually just avoid the extra software product that is trying to bundle itself in.

implies_install_will_cancel_without_extra_programs_better.png

 

OK!  After more clicking the install finally proceeds.  During installation of the screensaver and extra bundled products, Symantec Endpoint Protection detected the presence of a .dll that meets our SearchProtection criteria.  (This was the browser extension that I did not opt out of.)  Note that the category is “Security Risk” as opposed to something more malevolent.

detected.png

 

Definitions were not yet in place for that second freebie.  Here’s the misleading message that it promptly began displaying when installed, telling me of hundreds of errors present on my brand-new computer.

free_scareware.png

 

Of course, the only way to fix these “errors” is to register the software and make a payment.

Neither of those two unwanted add-ons is particularly hazardous, they are just potentially unwanted.  I find it annoying to have them alter stuff or make misleading claims about my brand-new machine.

 

How can I see all the Security Risks detected in my environment?

From the SEPM, run a Risk Report with the Advanced option to just view "Security risk found."

SEPM_report_PUA.png

Or, if you have run the report with its default values, export that as .csv and import it into your favorite spreadsheet program.  Filter the results for Security Risk as opposed to any other event.

all_security_risks_excel.png

 

 

 

I like ads!  How can I configure my SEP environment to allow these programs?

 

All power (and responsibility) is in the hands of the administrator.  By default, Security Risks (including Grayware) is blocked.

About the default Virus and Spyware Protection policy scan settings
http://www.symantec.com/docs/HOWTO81377

 

If you really want to allow programs which fall under the Security Risk classification to be ignored by SEP, it is possible to set your policies to do so.

Within the Symantec Endpoint Protection Manager (SEPM), edit your Virus and Spyware Prevention policy.  Set  Auto-Protect actions to "leave alone" Security Risks.  (Granularity enables you to customize how SEP reacts to several different sub-categories….)

AV_exclusions.png

 

Be sure that Scheduled Scans are set the same way!

exclude_here_too.png

 

Don’t forget to assign that policy to the desired SEP Client Groups once you are done!

(Yes, it is possible to apply different policies to different groups of endpoints within the company.  Maybe only one department or office location really wants a lot of extra ads and scareware?  If so, the power is in your hands.)

After configuring AV to allow the presence of these products, also configure the Intrusion Prevention policy so that IPS will ignore the traffic that these programs generate.

IPS_Exceptions.png

Be sure to set them to Allow and not Block!

IPS_allow.png

The illustrations above are for all IPS signatures classified as "Security Risk".  Of course it is possible to create individual exceptions only for the traffic you wish.

 

 

 

Wait a minute – I like ONE program.

 

Rather than throwing the gates wide open to any PUA, it is possible to create an exception for just the Grayware products that you know and love.  Here is that scareware, later detected as ProPCCleaner by a scheduled scan which used newer definitions….

adding_exception_risk_logs.png

What if a case of rusty hammers falls on my head and I wake up convinced that this is a useful, must-have program? I want it to function without SEP's interference.  All I need to do is follow the instructions in this article:

 

Configuring Exceptions for Symantec Endpoint Protection (SEP) 12.1
http://www.symantec.com/docs/TECH176906

These illustrated articles also have details on Exceptions, and are mildly amusing: 

Exceptions, Illustrated: Part One
https://www.symantec.com/connect/articles/exceptions-illustrated-part-one

Exceptions, Illustrated: Part Two
https://www.symantec.com/connect/articles/exceptions-illustrated-part-two

 

Exceptions can be made several ways: ignore that file, ignore that folder, ignore that risk....

adding_exception_risk_logs_2.png

 

It's also possible to create exceptions before that first detection.

 

How to create an Application Exception in Symantec Endpoint Protection 12.1
http://www.symantec.com/docs/TECH203266

 

 

Just one word of caution: be very careful when creating any exception or exclusion in your environment.  When in doubt, allow it to be blocked!

 

 

I don’t like ads at all!  What can I do about Grayware?

The best defense against Grayware: educate end users not to install it!  Instruct them to opt out of the extra bundled programs which are offered with the download they were seeking. This is usually as simple as just unchecking a box or choosing a "custom install".

If the program has installed itself, see if it is possible to remove it from the Control Panel- Programs- Uninstall a Program (or, the Mac or Linux equivalent.)

If there is a program that has installed itself on your computer without your knowledge, seems to be making connections without your approval, is interfering with the computer’s normal operation and is resisting uninstallation, please do submit the file to Symantec Security Response for analysis!  It is best to locate the original installer file (.exe. or .msi) which can sometimes be found in the directory from which the program is running, and submit that.

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions
 

 

Note that investigations into Grayware can require many weeks, and the program must be thoroughly explored.

Often times when a program has reached our attention, been thoroughly evaluated and defenses prepared against it, it is already installed on thousands of computers.  So, if a product that has been on hundreds of computers in your organization for a long time is suddenly detected- you know one possible reason why!

 

 

How come SEP detects yesterday's (for example) Outobox but not today's? And how come it does not detect the virtually-identical ClockHand?

Those are excellent cases in which we'd love to receive submissions of the undetected files.  There are endless clones of PUA programs, the same software with changed names and slightly different binaries used.  Please do submit any samples that we are missing so that we can complete our coverage!

One extra note: sometimes these Grayware programs pull an Anakin Skywalker and abandon the Dark Side of the Force.  It does not happen often, but it happens and I image that the Ewoks dance a happy celebratory dance.  Symantec continues to detect those older versions of products with behaviors which meet our criteria, but does not raise shields against the new releases which do not. One example of such a product is RegCurePro, and there are others across the galaxy for which a write-up remains posted. If in doubt, please don't search your feeling or attempt to use your Jedi mind powers.  Submit the files for analysis!

Symantec uses Appesteem for guidance. Their site contains a list of different behaviors that are used to make a judgement.

Conclusion

This article illustrates Windows PUAs but they exist wherever there's a buck to be made- Mac, Linux, mobiles.  Please do be aware of them, and be aware that not every program which meets one vendor's criteria for being considered malicious or a PUP (Potentially Unwanted Program) will also be categorized that way by Symantec.  Feel free to use Exceptions policies or SEP's Application and Device Control (ADC) to Block Software By Fingerprint if you don't want it in your organization, regardless of what anyone else thinks!

 

Many thanks for reading!  Please do leave comments and feedback below

 

Statistics
0 Favorited
2 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

07-24-2015 09:07 AM

Ninth article in this series now available!

 

Using Today's SymHelp to Combat Today's Threats
https://www-secure.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

 

05-21-2015 07:28 AM

New article now live!

SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy
https://www-secure.symantec.com/connect/articles/sep-times-city-helpful-symantec-endpoint-protection-analogy

03-04-2015 11:15 AM

Good stuff, thanks Mick

Related Entries and Links

No Related Resource entered.