
iTunes installer being blocked on Endpoints - Windows 7 clients

The iTunes installer (iTunes_Setup.exe) is being blocked as a potential PUA on my endpoints (version 10.3). 

I've added iTunes_Setup.exe in as a file exclusion in SEC (5.2.2), but it isn't working and it is still picked up.

Is there another way I can exclude this file from being blocked?

:55325


  • Hello IAMU,

    first of all, please always state the name of the detection

    I've added iTunes_Setup.exe in as a file exclusion

    if you exclude the file from On-Access scanning - note that this is rather ominous, (fake) installers for popular applications make expedient hosts for malware - it should not trigger a PUA detection.  

    Is there another way I can exclude this file from being blocked?

    There is - instead of excluding it from scanning you can authorize (button Authorization, tab Adware and PUAs in the AV policy) a specific PUA (this way it will still be scanned for malware). You should do so only for named, i.e. non-Generic detections. If it's a Generic PUA it's a good idea to send a sample - if it's a false positive the detection will be amended (which also helps other users), otherwise a named detection might be added, or - there's indeed some "additional functionality" in the package which shouldn't be there.

    Christian

    :55337
  • Looking at it again, I see it actually isn't being considered a "PUA", it is being flagged as "Install Core Click Run Software".  This is happening with the installer downloaded directly from the Apple website.

    I'm a little reluctant to authorize such a generic detection type, but I need this file to not be blocked every time a client attempts to install it.  It's a vastly popular program from Apple.  It shouldn't be flagged at all coming from Apple themselves.

    :55350
  • Hello IAMU,

    isn't being considered a "PUA"

    I beg to differ - Install Core Click Run Software is a PUA and from the analysis it doesn't look likely that the genuine iTunes installer would trigger this detection.

    Anyway, the academic discussion is not productive. I've already suggested that you send a sample but apparently I couldn't convince you :smileyhappy:.

    I'm a little reluctant to authorize such ...

    and rightly so

    but I need this file

    famous last words :smileywink:

    It shouldn't be flagged 

    right, if indeed it's coming from Apple themselves

    Clearly something is not as it should be. Either it's an incorrect (false positive) detection, or the file is not coming from Apple (even if you think so), or Apple have decided to beef up the installer. Won't speculate which is the most likely (even though I did not get the alert scanning - not running - the 12.0.1 installers for Windows). The best course of action is to send a sample to Labs - please do so.

    Christian  

    :55367
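
Whether the flagged file really comes from Apple, the open question in the thread above, can be checked locally before anything is authorized or sent to Labs. The following PowerShell is an added example, not part of the original thread; the file path and the expected publisher string `Apple Inc.` are assumptions to be confirmed against a known-good copy.

```powershell
# Added example (not from the thread): check the Authenticode signature of the
# flagged installer and compute a SHA-256 to quote when submitting the sample.
# Uses only cmdlets/.NET calls available in PowerShell 2.0 (Windows 7 default).
function Test-InstallerOrigin {
    param(
        [string]$Path = ".\iTunes_Setup.exe",          # assumed location of the flagged file
        [string]$ExpectedPublisher = "Apple Inc."      # assumed signer name, verify independently
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Hash via .NET because Get-FileHash only exists from PowerShell 4.0 onwards
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try {
        $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }

    # An unsigned file has no signer certificate at all
    $subject = $null
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

    # Status must be 'Valid' (chain trusted, file unmodified since signing)
    # AND the signer must be the publisher we expect
    $signatureValid = ($sig.Status -eq 'Valid')
    $publisherMatch = ($subject -ne $null) -and ($subject -like "*CN=$ExpectedPublisher*")

    New-Object PSObject -Property @{
        File            = $file.FullName
        SizeBytes       = $file.Length
        SHA256          = $hash
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        SignerSubject   = $subject
        PublisherMatch  = $publisherMatch
        LooksGenuine    = ($signatureValid -and $publisherMatch)
    }
}

Test-InstallerOrigin | Format-List
```

If `LooksGenuine` is `False` (unsigned, `HashMismatch`, or a different signer), the file is not the vendor's unmodified installer and should not be authorized; if it is `True`, include the SHA-256 when sending the sample as a suspected false positive.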