The vast variety of available software for Windows—from little system utilities from independent developers to complex business software suites—has been key to the operating system's success. The downside to such an ecosystem is that it can be used to conceal undesirable code, ranging from nuisance code to adware-ridden software apps.
Now, Microsoft is helping administrators keep these drive-by downloads and other sneaky potentially unwanted applications (PUAs) off their users' Windows devices with a new Microsoft System Center 2012 Configuration Manager feature, said Microsoft Malware Protection Center (MMPC) staffers Geoff McDonald, Deepak Manohar and Dulce Montemayor in a Nov. 26 announcement.
"If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it's good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature," they stated. "If enabled, PUA will be blocked at download and install time."
Apart from slowing down a PC's performance and cluttering up the Start menu, PUAs can put business data at risk and impose an additional burden on IT personnel.
A potentially unwanted application "refers to unwanted application bundlers or their bundled applications," stated the MMPC crew. "These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste help desk, IT and user time cleaning up the applications."
PUAs run the gamut, they added. "Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims."
Available only for enterprise customers, the opt-in Potentially Unwanted Application Protection feature acts much like antivirus software.
"PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft's enterprise customers. No additional configuration is required besides opting in to PUA protection," they stated. When enabled, client systems will begin detecting and blocking PUAs after the next system restart or signature update. Blocked PUAs can be viewed in SCEP's history tab.
Naturally, false positives can crop up from time to time. Microsoft suggests that customers submit applications wrongfully flagged as PUAs to the MMPC developer resource site.
Before rolling out the new safeguard, Microsoft is advising enterprises to perform their due diligence and ensure that the feature adheres to the organization's policies on allowable software. It also helps to keep end users in the loop.
"With a corporate policy or guidance in place, it's recommended to also sufficiently inform your end-users and your IT help desk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment," said McDonald, Manohar and Montemayor. "This will pre-emptively inform your end users as to why SCEP or FEP is blocking their download."
A concise deployment guide, including the required registry key policy settings, is available in this blog post.