What is a PUP or Potentially Unwanted Program?
By Timothy Tibbetts
The world, especially the tech world, is full of acronyms. Some we are very familiar with, like CPU (Central Processing Unit), RAM (Random Access Memory), or even WWW (World Wide Web). However, although some say that PCRAM (People Can't Remember Acronyms Meanings), more acronyms pop up daily.
Recently, the one that is confusing folks is the term "PUP." You'll see this term pop up in your antivirus or anti-malware program. PUP stands for 'Potentially Unwanted Program.' PUP detections are different from virus detections, and not all antivirus companies detect them. There is no such thing as a Potentially Unwanted Virus. The companies that do detect PUPs use the term to warn their customers of programs that may be on their machines without their knowledge.
Why is a PUP labeled differently?
Well, this is because of PPI. (Yeah, you knew I was going to throw another acronym at you.) PPI stands for 'Pay Per Install.' PPI is how some software marketers pay advertisers to promote their software. This style became popular a few years back as the industry went toolbar crazy. Everyone seemed to have a toolbar they wanted to force you to install because they could make decent money from search companies like Google, ASK, and Yahoo. This practice expanded into "bundled offers" and those stupid "installers" that would sometimes trick the user into installing a few program offers before getting the one they wanted. These bundles let authors of freeware products make a very nice profit without going shareware and charging for their product. But greed took over: the consumer would try a freeware program, and the next thing you know, they would have ten damn toolbars, 15 pieces of shareware, and a hijacked browser with all sorts of nonsense. Yeesh! Much of the shareware was junk developed by people bent on overtaking your search or running ads on your PC. However, in the "bundle," the user typically agreed to install the junk to get the freeware. Always read the EULA (End User License Agreement), folks!
Antivirus companies responded by detecting the more prolific abusers of the PPI system, but they didn't know what to call them. They weren't viruses, and they weren't malware (for the most part), and the user typically agreed to install them. Many were legit programs dumped into aggressive marketing runs on affiliate networks. But the user may not have wanted them in the first place. Hence, the term Potentially Unwanted Program was coined by McAfee, with a general definition of something like: PUP = software that may have been installed without the user's knowledge or an explicit opt-out. Simple, right? Well, not so fast.
Mainly through Google's efforts, the whole toolbar/installer/bundleware/crapware industry is pretty much old news. There are still some remnants, but they are much rarer and nowhere near as profitable. However, that doesn't mean people have stopped trying to abuse consumers and continually push the limits. This attitude has led AV companies to adapt and expand the PUP concept. The new expansions have resulted in all sorts of criteria that are now beginning to confuse the consumer.
So what's new?
90% of the criteria for a PUP amount to enforcing the standards you would expect when installing and uninstalling a program from a legitimate company. The program should work, play nice with your computer, and go away if you ask it to do so. However, while researching, I found new criteria that would be hard for any program to pass if evenly enforced. I found that one company will detect software as a PUP if it is in a nonstandard install directory. So, with that logic, any portable app is a PUP. Another I saw will call a program a PUP if it tracks your usage or data regardless of consent. So, I suppose, in this case, Google would then be considered a PUP? Some have criteria for the inclusion of encrypted data as a PUP. This rule could hurt legit authors who use encrypted data to secure their program executables or digitally sign them. Some companies now use their community as a gauge, and if the community does not like something, it's a PUP. Some reach out to advertising formats as well. Regardless of whether your program works, if your banners do not meet with their approval, you're a PUP. I'm pretty sure that means the Flex-Seal guy is a PUP. Further muddying the waters, each company has different criteria for what is a PUP, what isn't, and how they rate PUP detection. There is by no means a standard, and hence, enforcement is arbitrary. Lack of clarity makes it harder for legit programmers to keep their programs from showing up as false positives, and twice as difficult to get off the list once added. False positives are already a huge issue for smaller program authors; we don't need more.
The current situation is starting to remind me of when detecting cookies became all the rage. Antivirus companies would market themselves with something like, "We're awesome because we detect 200 viruses!" This marketing behavior forced other companies to claim more effective rates and say they identified 210+, and the battle was on. Then one day, somebody said, "Hmmm, a cookie can track data; theoretically, a cookie could be bad... So let's detect cookies!" BOOM, they now caught 10,000+ more virii and malware than the next guy! Great sales pitch, and it worked. Of course, that approach was mainly nonsense and ended with half-baked EU Cookie Laws, and, ironically, those companies would have tagged themselves as PUPs today for false detection.
I fear, in this way, PUPs may become the new cookie. If history repeats itself, antivirus companies, to remain relevant, may feel forced to detect more and more arbitrary PUPs, redefining what they are as they go to keep up with the next guy. That leads to an ever-spiraling inclusion list of what may be a PUP, which will result in an ever-expanding list of false positives.
Now, don't get me wrong. I have no complaints about PUP detection. On the contrary, it's beneficial, a service for consumer advocacy, and it's probably a good idea for an anti-malware company to err on the side of being too safe rather than not safe enough. Let's face it; some for-profit PUPs can be buggers to get rid of without some help. Also, having a heavier than necessary enforcement of rule-breaking behavior has inherent advantages.
I am beginning to have a problem with the expansion of criteria and how unevenly these rules would need to be enforced, leaving the industry with false positives. False positives are already an issue, and more may make users less likely to protect themselves.
I don't think security companies should be diving into the marketing world. Frankly, a PUP detection is a cop-out of a detection. If the program were actual malware or a virus, it would be tagged as such. But there's something the antivirus company doesn't like, so they label it a PUP or Optional so as not to get sued. Expanding that now into the marketing world seems like a slippery slope that overreaches the scope of malware detection. In other words, I don't care that the pitchman for OxiClean was annoying - I care that the product works.
I'm also not a fan of how some scans display PUP detections. You may see something like 'pup.programname.exe' highlighted in red in a list of other malware, confusing the labeling. McAfee addresses that with terms like PUPFOG, PUPFNK, and Generic PUP. (I have no idea what the letters stand for, but PUPFOG is super nasty, PUPFNK is an advertising PUP, and Generic is for something more common.) Again, more acronyms confuse and scare the average user. Potentially Unwanted Programs should be marked differently to avoid confusing users or damaging legitimate programs. A separate tab would seem easy enough, but this is avoided by all the major players, leading me to think that the scaring part is intentional.
So what's a PUP?
In a nutshell, the definition of PUP is a moving target right now. The fact that it took me multiple paragraphs to get to that point says something in itself. The term no longer means what it was intended to convey. To use a pun, think of a PUP as more of a lousy watchdog. It barks at the window if it senses something iffy. Sometimes it's something. Sometimes it's nothing. But it is always a good idea to see why the watchdog is barking.
So here's the definition I'll go with for now. A PUP is a program found on your computer that may have been installed with or without your knowledge and may display undesirable behavior like running unwanted ads, causing system performance problems, intrusive data tracking, or other aggressive marketing tactics.
What should you do?
Simply put, use common sense. If you see something you do not recognize and never purchased or installed yourself -- delete it. You didn't want it in the first place. If a scan flags a program that you know, have used for a while, and have not seen cause system issues or strange pop-up ads, don't panic. You can likely assume it is a false positive and add the item to the ignore list. Most anti-malware programs also let you turn off PUP detection entirely if it becomes too annoying. If you are worried, write to the company that flagged the program for an explanation or ask someone in our MajorGeeks Forums. They'll help.