Monday, May 22, 2017

The problems of PUA (Potentially Unwanted Alerts)

Recently a client called us about a problem on their network. Rendition Infosec runs a 24×7 security monitoring service, and the call concerned an antivirus alert for a PUA (potentially unwanted application). This class of alert is often difficult to tune out, because attackers and administrators frequently use the same software tools.

Frequent examples are netcat (nc.exe) and PsExec from Sysinternals. These tools are like the infamous “dual use technology” we hear so much about when sanctioning oppressive regimes. When we receive an alert like this, we most often find that it can be attributed to the activity of a systems administrator. However, there is always the possibility that the alert represents the activity of an attacker, so the alert cannot simply be suppressed; it has to be judged against the context in which the tool ran.
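As an added example (not code from the original post or from Rendition Infosec), the following Python triage helper shows how a PUA alert for a dual-use tool can be judged by context instead of being tuned out. The alert record shape, the baseline of "normal" admin activity, and every user, host and path below are constructed for illustration; the lists of dual-use tools and suspicious parent processes are assumptions, not a product's own categories.

```python
"""Context-based triage for PUA alerts on dual-use admin tools (added example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Tools that routinely fire PUA alerts in both admin and attacker hands (constructed list).
DUAL_USE_TOOLS = frozenset({"nc.exe", "psexec.exe", "psexesvc.exe"})

# Parent processes that do not normally launch admin tooling (constructed list).
SUSPICIOUS_PARENTS = frozenset({"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"})


@dataclass(frozen=True)
class Alert:
    """One PUA alert as an AV/EDR product might report it (hypothetical field set)."""
    tool: str    # image name that triggered the alert
    user: str    # account that ran it
    host: str    # host where it ran
    path: str    # full on-disk path of the image
    parent: str  # parent process image name


@dataclass(frozen=True)
class Baseline:
    """What sanctioned admin use of these tools looks like at one client (constructed)."""
    admin_users: frozenset[str]  # lower-case account names
    admin_hosts: frozenset[str]  # lower-case admin workstations / jump hosts
    tool_dirs: frozenset[str]    # lower-case directories of the approved toolkit


def triage(alert: Alert, baseline: Baseline) -> tuple[str, list[str]]:
    """Return (verdict, reasons). Verdict is 'review', 'likely_admin' or 'escalate'."""
    if alert.tool.lower() not in DUAL_USE_TOOLS:
        return "review", [f"{alert.tool} is not on the dual-use list; triage manually"]

    deviations: list[str] = []
    if alert.user.lower() not in baseline.admin_users:
        deviations.append(f"user {alert.user} is not a known administrator")
    if alert.host.lower() not in baseline.admin_hosts:
        deviations.append(f"host {alert.host} is not an admin workstation or jump host")
    if ntpath.dirname(alert.path).lower() not in baseline.tool_dirs:
        deviations.append(f"image ran from {alert.path}, outside the sanctioned tool directory")
    if alert.parent.lower() in SUSPICIOUS_PARENTS:
        deviations.append(f"launched by {alert.parent}, which should not spawn admin tools")

    if not deviations:
        return "likely_admin", ["all context matches the admin baseline"]
    return "escalate", deviations


# Constructed baseline and sample alerts for a fictional environment.
BASELINE = Baseline(
    admin_users=frozenset({"corp\\adm-smith", "corp\\adm-lee"}),
    admin_hosts=frozenset({"jump01", "jump02"}),
    tool_dirs=frozenset({"c:\\admin\\tools"}),
)

ADMIN_ALERT = Alert(
    tool="psexec.exe", user="CORP\\adm-smith", host="JUMP01",
    path="C:\\Admin\\Tools\\psexec.exe", parent="cmd.exe",
)

SUSPECT_ALERT = Alert(
    tool="nc.exe", user="CORP\\jdoe", host="WS-FINANCE-12",
    path="C:\\Users\\jdoe\\AppData\\Local\\Temp\\nc.exe", parent="winword.exe",
)


def main() -> None:
    for label, alert in (("admin", ADMIN_ALERT), ("suspect", SUSPECT_ALERT)):
        verdict, reasons = triage(alert, BASELINE)
        print(f"{label}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

The point of the design is that the alert itself is never the signal; the deviation from an agreed baseline is. A PsExec run by a known admin, from the jump host, out of the approved tool directory, is logged and closed, while the same binary dropped into a user's temp directory by a document reader collects several independent deviations and goes to an analyst.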