Issue
What factors determine the Prevalence value reported for a given PUP on the Applications page?
Environment
Red Canary Portal
Customizations > Applications
Resolution
Prevalence is the approximate number of executions over the trailing 7 days. It is an execution count, not a unique-user count, so it can increment multiple times for the same user in a single day. This applies to all Product Threat Statuses, including applications in the Needs Review state.
These figures can include counts for operations beyond installing or starting an application, such as opening new browser tabs or windows or running the application with command line arguments. The exact logic cannot be shared because the contributing activity is tied to the logic of the underlying product detector. In general, PUPs are identified by a mix of atomic indicators (filenames, certificate information, etc.) and binary signatures.
The percentage denotes execution volume relative to the threshold for High Volume Products. A PUP exceeding 100% of the threshold is set to Not Publishing Threats and tagged as a High Volume Product; its status cannot be changed while it carries that tag, and the tag is only removed once prevalence again drops below the threshold. When the High Volume Product tag is removed, the profile remains in Not Publishing Threats until a new state is chosen.
Cause
PUP executions that match existing exclusions still contribute to the overall Prevalence count, so adding an exclusion does not lower the figure.
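The following is an added model of the behaviour described in the Resolution and Cause sections above; it is illustrative code, not Red Canary's implementation. The 7-day window, the "exceeding 100%" and "drops below" rules, and the fact that excluded executions still count are taken from the text. The threshold value, the Python status strings, the event sample and the class/function names are assumptions made for the example; what happens at exactly 100% is not specified on the page, and the model simply keeps the tag until the value is strictly below 100%.

```python
"""Model of PUP Prevalence and the High Volume Product lock.

Added example, not Red Canary code. HIGH_VOLUME_THRESHOLD, the status
strings, and SAMPLE_EVENTS are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
HIGH_VOLUME_THRESHOLD = 200  # assumed; the real threshold is not published

# Constructed sample telemetry: (timestamp, user, action, matches_exclusion)
T0 = datetime(2024, 6, 1)
SAMPLE_EVENTS = (
    # alice launches the PUP every 2 hours for 6 days (72 events)
    [(T0 + timedelta(hours=h), "alice", "launch", False) for h in range(0, 144, 2)]
    # ...and opens a new tab shortly after each launch (72 more, same user, same days)
    + [(T0 + timedelta(hours=h, minutes=5), "alice", "new-tab", False) for h in range(0, 144, 2)]
    # bob launches it hourly; every one of these matches an exclusion (144 events)
    + [(T0 + timedelta(hours=h), "bob", "launch", True) for h in range(0, 144)]
    # carol ran it 10 days ago: outside the trailing 7-day window
    + [(T0 - timedelta(days=10), "carol", "launch", False)]
)
NOW = T0 + timedelta(days=6, hours=23)


def prevalence_count(events, now):
    """Executions in the trailing 7-day window.

    Repeat executions by the same user on the same day all count, and the
    exclusion flag is deliberately ignored: excluded executions still count.
    """
    cutoff = now - WINDOW
    return sum(1 for ts, _user, _action, _excluded in events if cutoff < ts <= now)


def excluded_count(events, now):
    """How many of the in-window executions match an exclusion (for reporting only)."""
    cutoff = now - WINDOW
    return sum(1 for ts, _u, _a, excluded in events if excluded and cutoff < ts <= now)


def prevalence_percent(count, threshold=HIGH_VOLUME_THRESHOLD):
    """Execution volume relative to the High Volume Product threshold."""
    return round(100.0 * count / threshold, 1)


class ApplicationProfile:
    """A PUP profile on the Applications page (status names are assumed)."""

    STATUSES = ("Needs Review", "Publishing Threats", "Not Publishing Threats")

    def __init__(self, name, status="Needs Review"):
        self.name = name
        self.status = status
        self.high_volume = False  # the High Volume Product tag

    @property
    def locked(self):
        """Status cannot be modified while the High Volume Product tag is set."""
        return self.high_volume

    def refresh(self, count, threshold=HIGH_VOLUME_THRESHOLD):
        """Apply a new prevalence reading and return the percentage."""
        pct = prevalence_percent(count, threshold)
        if pct > 100.0:
            # Exceeding the threshold forces Not Publishing Threats and tags the profile.
            self.high_volume = True
            self.status = "Not Publishing Threats"
        elif self.high_volume and pct < 100.0:
            # Tag removed once prevalence drops below the threshold. The status is
            # left at Not Publishing Threats until an analyst chooses a new one.
            self.high_volume = False
        return pct

    def set_status(self, status):
        """Analyst-driven status change; refused while the profile is locked."""
        if status not in self.STATUSES:
            raise ValueError(f"unknown status {status!r}")
        if self.locked:
            raise PermissionError(f"{self.name} is a High Volume Product; status is locked")
        self.status = status


if __name__ == "__main__":
    count = prevalence_count(SAMPLE_EVENTS, NOW)
    print(f"prevalence={count} (of which {excluded_count(SAMPLE_EVENTS, NOW)} matched an exclusion)")
    profile = ApplicationProfile("example-pup")
    print(f"{profile.refresh(count)}% -> {profile.status}, locked={profile.locked}")
    print(f"{profile.refresh(150)}% -> {profile.status}, locked={profile.locked}")
```

Run it to see that half of the 288 in-window executions match an exclusion yet the prevalence is still 288 (144% of the assumed threshold), that the profile is forced to Not Publishing Threats and locked, and that when the reading later falls to 150 (75%) the tag clears but the status stays at Not Publishing Threats until set_status is called.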