Issue
An Unwanted Software threat was published for an application that is permitted in the environment.
Environment
Red Canary Portal
Resolution
There are multiple ways to add PUP exclusions within Red Canary. For more detailed information on PUPs, see Handling Potentially Unwanted Products (PUPs) in the User Guide.
From an Unresolved Threat
- From the published threat, scroll to the bottom of the threat and select Not Remediated
- Select This is authorized, non-testing activity
- Under The detected activity is authorized behavior, select the desired exclusion scope:
- for my entire org: This application is permitted to execute by any user on any endpoint
- on this endpoint: This application is permitted to execute by any user on the device named in this threat
- by this user: This application is permitted to execute by the user named in this threat on any endpoint
-
on this sensor group: This application is permitted to execute by any user on any endpoint tagged with the
endpoint_sensor_groupvalue named in this threat
- Fill out the reason for the exclusion in the because field
- Enable the checkbox next to I would prefer not to see threats in the future regarding
- Note: If this box is not checked, this will be logged as a one-off dismissal and subsequent executions will continue to publish new threats.
- Review and save exclusions using Mark as will not remediate
- Note: More granular exclusion criteria can only be configured from the Applications page.
From the Applications Page
- Navigate to Customizations > Applications and search for the PUP by name
- Click the Edit button next to the relevant PUP, then Add new exclusion
- Select the desired criteria field(s) and input value(s), keeping in mind these rules:
- Logical AND: Multiple fields in a single exclusion creates an AND operator
- No Commas: Comma-separated values are not supported; enter individual values separately
-
Wildcards: Wildcards are supported via glob patterns (e.g.
ITDEPT*)
Note: Suspicious follow-on activity is generally expected to trigger other detectors that are not affected by exclusions.
Cause
When set to Publish threats, Red Canary's detectors will publish threats for observed executions of Potentially Unwanted Products (PUPs). If not tuned, this results in threats for legitimately used instances of PUPs.
Tags
PUP, Potentially Unwanted Product, Software Exclusion, Threat Exclusion, Low-Severity Threat, Application Exclusion, Product Detector, Wildcard Exclusion