Suggestion on managing clients


I really like the management console in MEE but an issue is the removal of PUPs from client computers. Currently there is no way to remove PUP software from a client computer. This would be a great enhancement as users have a hard time understanding what to do.

 

My suggestion is to add the ability to remove PUP and other software from the MEE console by clicking on a client computer, clicking on the security logs and then right clicking on the object scanned and selecting Remove Item.

 

If there are any questions or comments please let me know as I will follow this topic.

 

Thanks

Link to post

  • Root Admin

We do remove files and we remove entries for IE; the issue sometimes is for browsers like Firefox or Chrome, which use SQLite to store that information in a database. We currently don't modify that database but we hope to be able to address this in the future.

Thank you

Link to post

Sure for IE, but what I was referring to is different.

 

What I was referring to is the ability to remove a file/exec/directory such as C:\User\Jfrost\AppData\Roaming\OpenCandy.....

 

If I right click on that item within the Security Logs, the options are "Add to Ignore List", "Clear All Logs...", "All Logs" and "Filter Logs...".

 

Would it be possible to add an option to "Remove Item" or "Remove Directory"?

 

Thank you

Link to post

  • Root Admin

No, we are probably never going to add that sort of feature as it would be very dangerous.

If we detect that folder or file, then we will remove it already. If you have logs or evidence to show that we're detecting files and not removing them then please let me know.

We do have a tool called FileASSASSIN that can be used for sort of what you're explaining, but again that is a rare, odd request and is not normal behavior for an antivirus or antimalware tool to just arbitrarily be able to remove a folder structure that the user selects on their own.

Link to post

I do have logs that show this item as a PUP and that it just stays on the client system.

 

If you do an option to "run a full scan" and automatically remove threats, this and many others like it will stay on the client system. We have had to remote into the client systems and manually remove the files and folders.

 

If there were a way to upgrade the PUP to a full threat that would be good too.

 

Where and how would I send such log files?

Thanks

Link to post

  • 1 month later...

Hello,

 

In an enterprise situation with over 5,000 clients we feel very uneasy changing the default behavior for PUP to "show in results list and check for removal". Especially since we have on a few occasions had files detected and blocked that were valid files being installed by one of our Vendors.

 

That said, if we leave it as default, in no time at all we will have literally hundreds of machines showing the red stripe indicating a threat has been found. Most are viable threats, however they are just files that are present and not making any modifications unless activated.

 

The only way to clean the console up is to change the policy and check them for removal, or add them to the ignore list. With this many machines you can imagine this would be a daunting manual task on a daily basis. We have to look at each and every threat and evaluate it and decide whether to remove or ignore it.

 

Would it be a viable strategy (Since these are only a threat when activated) to change the option for PUP to "do not show in results list"? AND leave the default option for PUM as "show in results list and check for removal"?

 

Will it then stop showing all of the PUP's as a detected threat while at the same time protect us from unwanted modifications?

 

Thanks in advance for your suggestions.

Link to post

  • Root Admin

Hi Stew,

 

Excellent question, and I'm not on the Corporate Support Team but I have worked as the security lead in a company with over 100,000 desktops.

 

What I would probably do is create a project plan to tackle this.  Generally speaking there are certain PUPs that may never affect the user, then there are others that sooner or later they're almost certainly going to lead the user to be on a site or click on a link that they would not have ever gone to or come into contact with had the adware not been installed.  So there is certainly a potential for increased risk.  However this is only a minor risk increase so one has to put that into perspective and decide how much time and effort your team can put into this project. 

 

I would create a new group PUP-Cleanup ?? then place the computers that you're willing to work on to reset and remove PUP and place them into this new group and update their policy to do so. Then you have a controlled group of computers that you decide what, when, how they detect.

Link to post

Thanks Ron,

 

That is basically how we have been managing the PUP's that we have been seeing. I have a default policy with the default settings to detect only on PUP's and detect and remove PUM's, and a second policy set for removal of both PUP's and PUM's.

 

I have been switching machines back and forth between the two policies as needed. That said, I like your suggestion of creating a project to assess and focus on those that get threats. Instead of immediately cleaning, we could set the policy to prevent any modification and continue to monitor and clean as we have the resources to research and determine best course of action. Thanks for your expertise.

 

Stew
