Jump to content

Standard company policy detected as PUM


AndrewP
 Share

Recommended Posts

Malwarebyes is detecting a standard company screensaver policy as a PUM.  (Not allowing access to that section)

I can understand why this would be detected in many cases, but it's a relatively standard setting for security reasons at many companies.

 

Since this is usually something pushed through group policy, could logic be added to not detect this (or at least not pre-select it) if the machine is joined to a domain, which would greatly increase the likelyhood that this is intentional.

 

Right now the only way to make that not pre-selected is to have MBAM set to not pre-select any PUM which is also not something we'd want to do for any user who installs and scans their machine.

MBAM-log-2013-10-24 (10-05-57).txt

Link to post
Share on other sites

  • Staff

Hi,

 

Since this is a PUM detection, that's where the logic has been used already so the user can select to not display or not preselect PUM detections.

We cannot remove this detection since a lot of malware sets this policy as well in order to hide the screensaver display settings. This was a huge request by our users to have this added.

Alternatively, you can whitelist the detections in your results, so you can have PUM enabled.

Link to post
Share on other sites

So, there is no possibility to by default not detect it if the machine is joined to a domain?

That would eliminate the false positive for users in a domain environment where it's likely set with group policy, while still detecting it for almost every home user who almost certainly would not be using a machine joined to a domain.

Link to post
Share on other sites

  • Staff

No, unfortunately, there's not.

Also, if we wouldn't detect this if the machine joined a domain and malware changed their desktop + screensaver and sets this policy so the user can't alter it anymore, they are lost here then - while otherwise, we would be able to detect and fix this.

This policy hasn't been reported a lot as a false positive though, so it seems like this policy (set manually) isn't that common.

While I understand that companies set certain policies to disable settings - it's unfortunately also often abused by malware, where they make a change and then apply that policy so the change cannot be reverted (or settings accessed) anymore.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.