
Standard company policy detected as PUM


AndrewP


Malwarebytes is detecting a standard company screensaver policy as a PUM. (Not allowing access to that section)

I can understand why this would be detected in many cases, but it's a relatively standard setting for security reasons at many companies.


Since this is usually something pushed through group policy, could logic be added to not detect this (or at least not pre-select it) if the machine is joined to a domain, which would greatly increase the likelihood that this is intentional?


Right now the only way to make that not pre-selected is to have MBAM set to not pre-select any PUM which is also not something we'd want to do for any user who installs and scans their machine.

MBAM-log-2013-10-24 (10-05-57).txt


  • Staff

Hi,


Since this is a PUM detection, that's where the logic has been applied already, so the user can choose not to display or not to preselect PUM detections.

We cannot remove this detection since a lot of malware sets this policy as well in order to hide the screensaver display settings. This was a huge request by our users to have this added.

Alternatively, you can whitelist the detections in your results, so you can have PUM enabled.


So, there is no possibility of not detecting it by default if the machine is joined to a domain?

That would eliminate the false positive for users in a domain environment where it's likely set with group policy, while still detecting it for almost every home user who almost certainly would not be using a machine joined to a domain.


  • Staff

No, unfortunately, there's not.

Also, if we didn't detect this when the machine is joined to a domain, and malware changed the user's desktop and screensaver and then set this policy so the user can't alter it anymore, they would be lost here, while otherwise we would be able to detect and fix this.

This policy hasn't been reported a lot as a false positive though, so it seems like this policy (set manually) isn't that common.

While I understand that companies set certain policies to disable settings, it's unfortunately also often abused by malware, which makes a change and then applies that policy so the change cannot be reverted (or the settings accessed) anymore.

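The two positions in the thread (AndrewP: skip or don't preselect the detection on domain-joined machines; Staff: malware sets the same policy, so domain membership alone proves nothing) can be reconciled on the triage side. The PowerShell below is an added example, not Malwarebytes code and not something posted in the thread. It assumes, since the posts never name the registry values, that the "screensaver policy" PUM corresponds to NoDispScrSavPage under ...\Policies\System (the Windows policy that hides the Screen Saver tab) and to the screensaver values under the Control Panel\Desktop policy key. Rather than trusting domain membership, it asks the Resultant Set of Policy (RSoP) WMI provider whether an applied GPO actually delivered each value; a value present on a domain-joined machine that no GPO delivers is exactly the case Staff warns about. Run it in the affected user's session; the computer-scope RSoP namespace and HKLM need elevation, and RSoP data only exists once Group Policy has processed that logon.

```powershell
# Added example: not Malwarebytes code and not from the forum posts.
# Assumption: the PUM maps to these policy values (the thread names none).

$Checks = @(
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispScrSavPage' }
    @{ Hive = 'HKLM'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispScrSavPage' }
    @{ Hive = 'HKCU'; Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaverIsSecure' }
    @{ Hive = 'HKCU'; Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'SCRNSAVE.EXE' }
)

function Get-DomainJoinState {
    # The signal AndrewP proposed keying on: is the machine a domain member at all?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ PartOfDomain = [bool]$cs.PartOfDomain; Domain = $cs.Domain }
}

function Get-RsopRegistrySettings {
    param([ValidateSet('User', 'Computer')][string]$Scope)
    # RSoP records which GPO delivered each registry-based policy value.
    # User scope lives under root\rsop\user\<SID with '-' replaced by '_'>.
    if ($Scope -eq 'User') {
        $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        $ns  = 'root\rsop\user\' + ($sid -replace '-', '_')
    } else {
        $ns  = 'root\rsop\computer'
    }
    try {
        Get-CimInstance -Namespace $ns -ClassName RSOP_RegistryPolicySetting -ErrorAction Stop
    } catch {
        @()   # no RSoP data: workgroup machine, GP never processed, or no rights
    }
}

function Test-ScreenSaverPolicy {
    $join = Get-DomainJoinState
    $rsop = @{
        HKCU = @(Get-RsopRegistrySettings -Scope User)
        HKLM = @(Get-RsopRegistrySettings -Scope Computer)
    }
    foreach ($c in $Checks) {
        $path = "$($c.Hive):\$($c.Key)"
        $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # value absent: nothing to triage

        # Domain membership is not proof; ask RSoP whether an applied GPO set this value.
        $src = $rsop[$c.Hive] | Where-Object {
            $_.registryKey -ieq $c.Key -and $_.valueName -ieq $c.Name
        }
        $verdict = if ($src) {
            'Delivered by Group Policy: ' + (($src | ForEach-Object GPOID) -join ', ')
        } elseif ($join.PartOfDomain) {
            'Present but not delivered by any applied GPO on a domain-joined machine: treat as suspicious'
        } else {
            'Present on a non-domain machine: set locally (manually or by malware)'
        }
        [pscustomobject]@{
            Path    = "$path\$($c.Name)"
            Value   = $item.($c.Name)
            Domain  = if ($join.PartOfDomain) { $join.Domain } else { '(workgroup)' }
            Verdict = $verdict
        }
    }
}

Test-ScreenSaverPolicy | Format-List
```

The GPOID reported for a Group Policy hit is the identifier RSoP records for the delivering GPO; cross-check it against the expected screensaver GPO in the domain before whitelisting the detection in MBAM, and treat any policy value that RSoP does not account for as the manual or malware case the Staff replies describe.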
