
Adware or PUA detected - Acknowledge Alert Permanently

Hi all,

I am probably searching on the wrong criteria, and the answer to this is no doubt as basic as it gets, but how do I acknowledge an "Adware and PUA" alert permanently in SEC?

Our users with remoteware always come up with the alert: Adware or PUA detected.

At the moment I right-click on the relevant PC in SEC and select "Resolve Alerts And Errors".

I then hook the relevant check boxes and then select the "Acknowledge" button.

24 to 72 hours later, depending on the status of the machine, the Adware and PUA section will populate with these PCs again.

I want to be able to acknowledge the alert permanently, as the alert is referring to the users' remoteware, which is legitimate.

Thanks in advance for any help.

JP

:11747


This thread was automatically locked due to age.
  • Apologies for the above question.

    With a bit of investigation I have found under policy details for Anti-Virus and HIPS that you can authorize adware and PUAs.

    Our remoteware was not listed as authorized.

    I've changed this and updated the PCs with the new policy.

    Should be sorted going forward.

    I'll update the post to confirm or seek help again.

    JP

    :11755
  • Hello JP,

    Edit the Anti-Virus and HIPS policy, Authorization ..., tab Adware and PUAs. You should find it in the left pane, select it, click Add-> and save the policy. Note that this will then apply to all the clients in the applicable groups.

    HTH

    Christian

    :11757
  • Thanks Christian!

    I came to the same conclusion with a bit of investigation, but it's nice to have someone familiar with SEC to confirm!

    This has done the trick, as well as allowing me to authorize the suspicious files that our backup software uses.

    Now onto computers differing from policy!

    :11761
  • I am trying to get my 5.0 console ready for deployment. For some reason I do not see anything populated in the left-hand pane "Known adware and PUAs". It will place it there only if I go to the client and manually authorize it. This is stopping my rollout on my new server. Any help would be appreciated.

    :22063
  • Hi,

    So if you go to a managed client (with Adware and PUA detection enabled in the policy) and try to run, for example:

    PSKill or PSExec (Sysinternals tools).

    These should be detected on the client, the alert should go back to SEC and these detected applications should appear in the Authorization Manager in the SAV policy in SEC (left column). You can then authorise them as required. This doesn't happen? Does the alert appear against the client?

    Regards,

    Jak

    :22067
  • We have PsExec, psexec.exe, PSEXESVC, PSEXESVC.EXE all listed under the Authorized adware and PUAs. However, using PsExec still gets blocked, even though the host is in the group that this policy is applied to!
    :29497
  • Hello ttl,

    Don't have access to the console right now - authorization acts on individual files/versions (thus in the left known pane an application can appear more than once with different checksums). Is it indeed the "same" file which gets blocked?

    Christian

    :29501
  • Got it working -- host was a VM that had been refreshed and it looks like there was some confusion on the console when the host was re-Protected. Works now, thanks.

    :29513