• Total Posts: 28069
  • Total Topics: 8067
  • Online Today: 964
  • Online Ever: 51419
  • (01. January 2010., 09:27:49)

Author Topic: Windows Defender can block PUPs (Potentially Unwanted Programs) - REGISTRY HACK  (Read 2187 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 3507
  • KARMA: 152
  • Gender: Female
Windows Defender (Windows 8.x/10) can block PUPs too after just a simple registry hack. Good find :)

Summary: make a file with extension .reg. Contents of this file:
Code: [Select]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]

Let us know how you liked it!

Dutch source:

Gives original article:

Shields up on potentially unwanted applications in your enterprise
 msft-mmpc msft-mmpc 26 Nov 2015 1:15 AM 6
Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it's good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature.  If enabled, PUA will be blocked at download and install time.


What is PUA and why bother?
Potential Unwanted Application (PUA) refers to unwanted application bundlers or their bundled applications.

These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.

Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.


PUA protection for enterprise
The Potentially Unwanted Application protection feature is available only for enterprise customers.  If you are already one of Microsoft's existing enterprise customers, you need to opt-in to enable and use PUA protection.

PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft's enterprise customers. No additional configuration is required besides opting into PUA protection.


Deploying PUA protection
Systems administrators can deploy the PUA protection feature as a Group Policy setting by the following registry key policy setting according to your product version:

System Center Endpoint Protection, Forefront Endpoint Protection

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine

Value Name:      MpEnablePus


Note: The following configuration is available for machines that are managed by System Center Endpoint Protection.

Windows Defender

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine

Value Name:      MpEnablePus


The group policy value for MpEnablePus can be configured as a DWORD type as follows:

Value (DWORD)      Description
 0 (default)   Potentially Unwanted Application protection is disabled
1   Potentially Unwanted Application protection is enabled. The applications with unwanted behavior will be blocked at download and install-time.

After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.

The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.


PUA threat file-naming convention
When enabled, we will start identifying unwanted software with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.

Specific researcher-driven signatures identify the following:

Software bundling technologies
PUA applications
PUA frameworks

What does PUA protection look like?
By default, PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it meets one of the following conditions:

The file is being scanned from the browser
The file has Mark of the Web set
The file is in the %downloads% folder
Or if the file in the %temp% folder

The user experience of the blocking depends on the product you have installed.

With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection:

SCEP dialog box indicates detection status

 The user can view the blocked software in the History tab.

You can take a look at the list of blocked applications from the History tab

In Windows 10, where its endpoints including Windows Defender are managed, the following dialog box will be shown:

Detection message in Windows Defender

PUA protection roll-out scenario
Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

As blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence such as having a corporate policy or guidance that defines that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

With a corporate policy or guidance in place, it's recommended to also sufficiently inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This will preemptively inform your end-users as to why SCEP or FEP is blocking their download. By informing your helpdesk about your new policy or guidance, they can resolve end-user questions.

Finally, if you expect a lot of end-users in your environment to be downloading or installing PUA, then it is recommended that machines be gradually enrolled into the PUA protection. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine if you'd want to allow any of them in your enterprise, add exclusions for them (all exclusions mechanisms are supported - file name, folder, extension, process) and then gradually roll-out the opt-in policy to a larger set of machines


Handling false positives
If you think that an application has been wrongfully identified as PUA, submit the file here, and add ‘PUA’ along with the detection name in the comments section.


We look forward to providing you with a great protection experience.

Geoff McDonald, Deepak Manohar, and Dulce Montemayor


More information about bitcoin, altcoin & crypto in general? GO TO

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist

Samker's Computer Forum -


  • SCF Administrator
  • *****
  • Posts: 7152
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Windows Defender (Windows 8.x/10) can block PUPs too after just a simple registry hack. Good find :)


Inded! Thanks again D. :thumbsup:


For other SCforum's visitors, here is a Win Defender's official Topic:,1737.0.html


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising