Red Canary maintains an inventory of products and tracks their execution throughout your organization. There are products that we define as "Unwanted Software," also known as potentially unwanted programs (PUPs), or that may be unauthorized for specific users or for your entire organization. Learn more about why we care about unwanted software and potentially unwanted programs (PUPs).
By default, all executions of software classified as unwanted will result in a threat designated Unwanted Software.
If your security policy does not classify one of these products as unwanted software, you can configure Red Canary to simply observe its execution. Observed executions do not result in confirmed Unwanted Software threats, but can still be reviewed as potentially threatening events.
Configure an unwanted software product to be observed
You can configure Red Canary to only observe the execution of an unwanted software product instead of producing Unwanted Software detections.
Disable all threats for a product:
- From the navigation menu, click Analytics, and then click Applications.
- Click on the product that you wish to adjust.
- Add Justification Notes that describe why the product is acceptable in your environment.
- Click Save.
- The toggle for this product will slide to Observed.
Disable threats for a product under specific circumstances:
- From the navigation menu, click Analytics, and then click Applications.
- Click on the product that you wish to adjust.
- Use the Endpoint Tag, Hostname, or Username fields to specify situations where the product is acceptable in your environment. Learn more about wildcards and creating suppression rules.
- Add Justification Notes that describe why the product is acceptable under these conditions.
- Click Save.
- The toggle for this product will slide to the middle in a partially Observed, partially Unwanted Software state.
Wildcards
- Wildcards can be used to construct suppression rules for specific PUP alerts.
- In the Endpoint Hostname and Executing Username fields, the wildcard character is an *.
- To match any value that contains a string, put an * at both the start and the end of the string (example: *admin*).
- To match only values that end with a string, put an * at the start of the string (example: *username).
What if a new version of an unwanted software product is released?
Red Canary uses a mix of atomic indicators and binary signing signatures to identify unwanted software applications. This method is imperfect when new versions of programs with different signatures are released. Do not rely on this approach to detect every instance of unwanted software in your environment.
What happens if the product executes in a manner that goes beyond the unwanted software classification?
If unwanted software performs suspicious or malicious actions, those activities should trigger other detectors that we triage separately from product detectors that only look for the presence of the product.