
ERA6 - what to do with PUAs?



Hi

 

One of my clients has reported back to ERA a number of Potentially Unwanted Applications, e.g.:

 

Threat type | Threat name | Icon | Computer | IPv4 address | IPv6 address | Occurred | Scanner
potentially unwanted application | Win32/Toolbar.Conduit.B | icon_slider_high.png | Jim Desktop | 192.168.1.64 | fe80::316b:2a6d:17d2:3cd5 | 2015 Mar 2 15:57:58 | Antivirus
potentially unwanted application | Win32/Toolbar.Conduit.X | icon_slider_high.png | Jim Desktop | 192.168.1.64 | fe80::316b:2a6d:17d2:3cd5 | 2015 Mar 2 15:58:42 | Antivirus
potentially unwanted application | Win32/InstallCore.CH | icon_slider_high.png | Jim Desktop | 192.168.1.64 | fe80::316b:2a6d:17d2:3cd5 | 2015 Mar 2 15:59:00 | Antivirus
potentially unwanted application | Win32/Wajam.F | icon_slider_high.png | Jim Desktop | 192.168.1.64 | fe80::316b:2a6d:17d2:3cd5 | 2015 Mar 2 16:00:49 | Antivirus
potentially unwanted application | Win32/KoyoteLab.A | icon_slider_high.png | Jim Desktop | 192.168.1.64 | fe80::316b:2a6d:17d2:3cd5 | 2015 Mar 2 16:05:27 | Antivirus
potentially unwanted application | Win32/Toolbar.Conduit.X | icon_slider_high.png | Jim Desktop | 192.168.1.64 | fe80::316b:2a6d:17d2:3cd5 | 2015 Mar 2 18:02:39 | Antivirus
potentially unwanted application | Win32/Toolbar.Conduit.B | icon_slider_high.png | Jim Desktop | 192.168.1.64 | fe80::316b:2a6d:17d2:3cd5 | 2015 Mar 2 18:02:48 | Antivirus
potentially unwanted application | Win32/Wajam.F | icon_slider_high.png | Jim Desktop | 192.168.1.64 | (row cut off in the original post)

 

 

What is the recommended way to deal with these please? Although the threats tab lists the above, it does not give any clues as to the location of the files, so I'm working in the dark. Am I to visit the affected machine and run a manual scan? Or is there a way to remove the PUAs from ERA?

 

Many thanks

 

 

Jim

 

EDIT Well, that table formatted nicely in the forum, NOT! Hopefully you can make sense of the content....

Edited by jimwillsher
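The rows Jim pasted are all there, just run together on one line. As an added example (not code from the post, from ESET or from ERA), here is a small Python parser that splits such a flattened Threats-tab dump back into records and then asks the one triage question the tab can answer without a file path: which detections keep recurring on the same computer? A PUA reported again two hours after the first hit was evidently not removed by the first action. The column order (threat type, threat name, icon, computer, IPv4, IPv6, time, scanner) is assumed from the post; the sample text is the post's own data, including the final row that is cut off after the IPv4 address.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The rows from the post above, exactly as the forum flattened them.  The last
# row is cut off after the IPv4 address, as in the original.
FLATTENED_THREATS = (
    "potentially unwanted application   Win32/Toolbar.Conduit.B   icon_slider_high.png Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:57:58 Antivirus "
    "potentially unwanted application   Win32/Toolbar.Conduit.X   icon_slider_high.png Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:58:42 Antivirus "
    "potentially unwanted application   Win32/InstallCore.CH   icon_slider_high.png Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:59:00 Antivirus "
    "potentially unwanted application   Win32/Wajam.F   icon_slider_high.png Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 16:00:49 Antivirus "
    "potentially unwanted application   Win32/KoyoteLab.A   icon_slider_high.png Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 16:05:27 Antivirus "
    "potentially unwanted application   Win32/Toolbar.Conduit.X   icon_slider_high.png Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 18:02:39 Antivirus "
    "potentially unwanted application   Win32/Toolbar.Conduit.B   icon_slider_high.png Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 18:02:48 Antivirus "
    "potentially unwanted application   Win32/Wajam.F   icon_slider_high.png Jim Desktop 192.168.1.64"
)

# Assumed column order: threat type, threat name, icon, computer, IPv4, IPv6,
# occurrence time, scanner.  Threat types are assumed to be lower-case words
# (as in the post); the IPv6/time/scanner tail is optional so that a row cut
# off mid-way still yields a record instead of swallowing the rest of the line.
ROW = re.compile(
    r"\b(?P<type>[a-z][a-z ]*?)\b\s+"
    r"(?P<name>[A-Za-z0-9]+/\S+)\s+"
    r"(?P<icon>icon_\S+?\.png)\s+"
    r"(?P<computer>.+?)\s+"
    r"(?P<ipv4>\d{1,3}(?:\.\d{1,3}){3})\b"
    r"(?:\s+(?P<ipv6>[0-9A-Fa-f:]+)\s+"
    r"(?P<when>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<scanner>\S+))?"
)


@dataclass
class Detection:
    threat_type: str
    threat_name: str
    icon: str
    computer: str
    ipv4: str
    ipv6: Optional[str]
    occurred: Optional[datetime]
    scanner: Optional[str]

    @property
    def truncated(self) -> bool:
        """True when the row ended before the time and scanner columns."""
        return self.occurred is None


def parse_threats(text: str) -> List[Detection]:
    """Split a flattened Threats-tab dump into one Detection per row."""
    rows = []
    for m in ROW.finditer(text):
        when = m.group("when")
        rows.append(Detection(
            threat_type=m.group("type").strip(),
            threat_name=m.group("name"),
            icon=m.group("icon"),
            computer=m.group("computer"),
            ipv4=m.group("ipv4"),
            ipv6=m.group("ipv6"),
            occurred=datetime.strptime(when, "%Y %b %d %H:%M:%S") if when else None,
            scanner=m.group("scanner"),
        ))
    return rows


Key = Tuple[str, str]  # (computer, threat name)


def summarize(detections: List[Detection]) -> Dict[Key, dict]:
    """Per computer and threat name: how often it fired, and first/last time."""
    counts: Dict[Key, int] = defaultdict(int)
    times: Dict[Key, List[datetime]] = defaultdict(list)
    for d in detections:
        key = (d.computer, d.threat_name)
        counts[key] += 1
        if d.occurred is not None:      # truncated rows count but carry no time
            times[key].append(d.occurred)
    return {
        key: {
            "count": counts[key],
            "first": min(times[key]) if times[key] else None,
            "last": max(times[key]) if times[key] else None,
        }
        for key in counts
    }


def repeat_offenders(summary: Dict[Key, dict], min_count: int = 2) -> List[Key]:
    """Detections that fired at least min_count times on the same computer.
    These are the objects the first action did not remove, so they are the
    ones worth a visit or a report with the object-path column added."""
    return sorted(key for key, info in summary.items() if info["count"] >= min_count)


if __name__ == "__main__":
    found = parse_threats(FLATTENED_THREATS)
    for d in found:
        print(f"{d.computer:12} {d.threat_name:26} {d.occurred or '(row truncated)'}")
    print("recurring on the same host:", repeat_offenders(summarize(found)))
```

Run it as-is and it prints the eight rows followed by the three detections that recur (both Conduit variants and Wajam.F). Feed it a fresh copy of the tab and the recurring list is the shortlist to chase on the endpoint, or to look up in a report that includes the path column.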

On the Threats tab against a computer - see attachment.  The PUAs are listed, but no clue as to where in the filesystem they are, so no helpers for getting rid of them.

 

Thanks

 

 

Jim

[attachment: post-559-0-69663000-1425371630_thumb.jpg]


I'm not an ESET employee so don't quote me on any of this.

 

Since they are potentially unwanted, they aren't exactly malware or malicious. You should be able to go to the ERA6 installed applications tab and choose to uninstall them if they support agent uninstall. Otherwise you could just remote in to the machine and uninstall the applications. It looks like it uninstalled the Conduit.Y; maybe it is just a matter of time, or it hasn't updated to the newest information and it will get the rest? Is there any menu that pops up when you left click the red ones? Or are there any buttons at the bottom of the page (got cut off in your image)?

 

That being said, I would probably choose to do a manual scan with Malwarebytes because it will allow you to remove PUPs/PUAs.

 

I would go through and remove as many as I can through the normal add/remove process (I use CCleaner, so I can uninstall the programs and also check out the computer startup entries, IE/Firefox/Chrome add-ons, and scheduled tasks), then run Malwarebytes to see if it finds any files or folders that didn't get removed by CCleaner, reboot, then run CCleaner's registry cleaner to get rid of any orphaned registry entries or folders. And I back up the registry file when it asks, just in case.

 

I also go through the user's AppData folder and the Program Files folders just to look for anything else that doesn't belong, but that might be overkill.

 

That's just my 2 cents. If you are in an enterprise environment it might be faster to just re-image the machine. And tell your user to stop installing software if they aren't going to pay attention to what gets installed along with it. Good luck!

Edited by short_bus4

I actually brought up this same point a few weeks ago. I believe I made a topic with the title, "Product Suggestion: More verbosity in logs", or something like that.

 

How am I supposed to track down and handle virus threats if I don't know where they are or what they're coming from? Because of this, I accidentally wiped out my boss's metasploit on his computer. Sure, we laughed at it, but what if something important gets deleted from one of my developers or QAs?

 

ERAC v5 had the path of the problematic file listed. If it was in an earlier version, then why is it not in the next release???

(ESET Moderators)

Hello,

 

You can find this information in Reports. I would recommend checking it in "Antivirus threats in last 7 days"; you should be able to find all the info required there.

If you need more info, just customize the report to add the necessary columns to it.

 

P.R.

