
Several PUPs flagged in MBAM Management Server


Every day when scans are run for users, several users come back with Malware Threats Detected. These generally include several lines of the following:

  • PUP.Optional.ASK
  • PUP.Optional.MindSpark
  • PUP.Optional.WinYahoo
  • PUP.Optional.MindSpark.Generic
  • PUP.Optional.NotChromeRun

While they aren't causing any real threat, I'd prefer if they just didn't show up at all. Is there a way to get rid of them and restrict them from coming back or at least just ignore them and treat them as false positives? I apologize if there is another thread with the same issue, but any help would be appreciated.

Mind Spark is a real threat; it modifies your user's search results and will land them on malicious pages. These are not items to ignore. If you are getting a "PUP No action taken", that means your console isn't fully configured yet. There are two stages to set up. You define what MBAM will be looking for and tagging for removal in Policy -> Scanner. Then, in your scan scheduler or on-demand scan, you define what action will be taken on the items identified and tagged. See my screenshots...

Dyllon,

Thanks for the explanation and screenshots. The problem I'm having, especially with the MindSpark extension, is how to add it to Malwarebytes so that it quarantines and deletes the threat since there are several variations of it. Do I have to add every iteration or can I include a wildcard in my filter? Please see my screenshots that are attached.

Go to Policy -> Scanner and change action for potentially unwanted program (PUP) to "show in results list and check for removal". Your screenshots show it to be set currently to "show in results list and do not check for removal", thus no action is taken upon them. 

Once that is set and you run a scan, either on-demand or scheduled, check the option to "remove and quarantine threats automatically". This is how the program checks the items to be removed once an action is performed. Whether the item is quarantined or deleted is decided by the Malware Research team and coded into the Anti-Malware signature itself.

There is an additional concern when dealing with Chrome extension PUPs: Chrome's autosync feature can place the infection right back onto the machine. If these items return after performing a scan with the recommended options, let me know and I'll help you change your approach to this PUP to be rid of it.

New update: So we have two policies, one for PUP removal which checks the infected file for removal and then a normal one which doesn't. We've tried placing the workstations in question in the PUP removal group and it removes the threat only for it to come back again as you stated. What are the next steps?

Ok, here's what needs to be done:

Reset Web Browsers:
Log onto the machine under the user-in-question's account. Start the user's Google Chrome and sign out of the Chrome profile. If you need it, use these instructions from Google for how to sign out - https://support.google.com/chrome/answer/2390059?hl=en

Proceed to reset all installed web browsers; IE, Firefox and Chrome:
How-to reset Internet Explorer - https://support.microsoft.com/en-us/help/923737/how-to-reset-internet-explorer-settings
How-to reset Mozilla Firefox - https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings?redirectlocale=en-US&redirectslug=reset-firefox-easily-fix-most-problems
How-to reset Google Chrome - https://support.google.com/chrome/answer/3296214?hl=en

Final Clean-up:
Download and run our ADWCleaner tool; it is much more aggressive against browser PUPs and will clean out any remainders after the resets. - https://www.malwarebytes.com/adwcleaner/

If the items return, yet again:
You may need to perform the same clean-up steps on the user's home machine to which their Chrome is synced. I'm not sure how willing you are to clean this user's home machine, if that is not within your scope or is outside of company policy, but as an alternative to keep your environment safe, you can disable Chrome's autosync feature via Group Policy to restrict your users' ability to sync from their home Chrome. See this Google support forum post on how to do that - https://productforums.google.com/forum/#!topic/chrome/lD3Bttc2h8o
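As an added example (not from this thread, Malwarebytes or Google), the PowerShell below writes the Chrome `SyncDisabled` policy value that the Chrome ADMX Group Policy setting would set, verifies it, and takes a read-only inventory of the Chrome extensions in every local user profile so an extension that comes back after a scan can be identified. It assumes an elevated session on Windows, Chrome reading its policy from `HKLM:\SOFTWARE\Policies\Google\Chrome`, and each user's Chrome profile at the default Local AppData location (not redirected by GPO).

```powershell
# Added example (not from the thread or from Malwarebytes/Google).
# Assumes: Windows, elevated PowerShell, Chrome reading policy from
# HKLM:\SOFTWARE\Policies\Google\Chrome, and each user's Chrome profile
# at the default Local AppData location (not redirected by GPO).
#Requires -RunAsAdministrator

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeSyncDisabled {
    # Writes the same registry value the Chrome ADMX SyncDisabled policy sets
    # through GPO. DWORD 1 = sync off; Chrome shows it under chrome://policy.
    if (-not (Test-Path $ChromePolicyKey)) {
        New-Item -Path $ChromePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $ChromePolicyKey -Name 'SyncDisabled' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ChromeSyncDisabled {
    # Returns $true only when the policy value is present and equals 1.
    $prop = Get-ItemProperty -Path $ChromePolicyKey -Name 'SyncDisabled' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.SyncDisabled -eq 1)
}

function Get-ChromeExtensionInventory {
    # Read-only audit: lists extension id, version and manifest name for every
    # local profile. Names starting with __MSG_ are localised placeholders and
    # must be resolved in the browser's extension page.
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
        $extRoot = Join-Path $profile.FullName 'AppData\Local\Google\Chrome\User Data\Default\Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($extDir in Get-ChildItem $extRoot -Directory) {
            foreach ($verDir in Get-ChildItem $extDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
                [pscustomobject]@{
                    User        = $profile.Name
                    ExtensionId = $extDir.Name
                    Version     = $verDir.Name
                    Name        = $manifest.name
                }
            }
        }
    }
}

Set-ChromeSyncDisabled
"SyncDisabled policy applied: $(Test-ChromeSyncDisabled)"
Get-ChromeExtensionInventory | Sort-Object User, Name | Format-Table -AutoSize
```

In a domain, apply the value through the Chrome ADMX template in a GPO rather than by local script; the inventory output is what to compare before and after a scan to see which extension is being re-synced.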


Changing the policies to quarantine PUPs seemed to do the trick for MindSpark and Ask.com. Another issue we're having is that one particular user is having folders generated on their behalf even after permanently deleting them from our server. Our users' application data is redirected via group policy to our server in their own folders. They appear like they should contain some files but are always empty.

The quarantine and logging path for the application cannot be changed for the managed version. While you can set it via CMD, like the standalone version, as soon as the managed version syncs its policy with the server, it will revert the path back to C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine and C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs.