Red Canary maintains an inventory of products and tracks their execution throughout your organization. These are products we either classify as “Unwanted Software” or may be considered unauthorized for certain users or globally throughout your organization. Learn more about why we care about unwanted software and potentially unwanted programs (PUPs).

By default, all executions of software we classify as unwanted will result in a confirmed threat with a classification of Unwanted Software.

If your security policy does not classify one of these products as unwanted software, you can customize Red Canary to simply observe its execution. Observed executions will no longer result in confirmed Unwanted Software detections, but can still be reviewed as potentially threatening events.

Configuring an unwanted software product to be observed

You can configure Red Canary to only observe the execution of an unwanted software product instead of producing Unwanted Software detections.

To disable all detections for a product:

1. Click Applications in the site navigation.
2. Click on the product that you wish to adjust.
3. Add Justification Notes that describe why the product is acceptable in your environment.
4. Click Save.
5. The toggle for this product will slide to Observed.

To disable detections for a product under specific circumstances:

1. Click Applications in the site navigation.
2. Click on the product that you wish to adjust.
3. Use the Endpoint Tag, Hostname, or Username fields to specify situations where the product is acceptable in your environment.
4. Add Justification Notes that describe why the product is acceptable under these conditions.
5. Click Save.
6. The toggle for this product will slide to the middle in a partially Observed, partially Unwanted Software state.

What if a new version of an unwanted software product is released?

Red Canary uses a mix of atomic indicators and binary signing signatures to identify unwanted software applications. This approach is imperfect in situations where new versions of applications are released with different signatures. Do not depend on this process to perfectly identify every execution of unwanted software in your environment.

What happens if the product executes in a manner that goes beyond the unwanted software classification?

If unwanted software does suspicious or malicious things, those activities should trigger other detectors that we triage separately from the product detectors that just look for the presence of the product.