Windows Defender Blocks PUAs
Among a surprisingly complex and interesting collection of advanced features, Windows Defender blocks PUAs. PUA stands for “potentially unwanted application.” According to Trend Micro, PUAs are best understood as follows:
Potentially unwanted application or applications (PUAs), classified as grayware, refer to applications installed in a mobile device or a computer that may pose high risk or have untoward impact on user security and/or privacy. It may also contribute to consuming computing resources. It may be unwanted by the user even if it is installed with users’ consent. More often than not, PUAs do not explicitly and completely state their functions and purpose. The impact the application causes may be either inadvertent or simply a part of its design. PUAs are created by legitimate or illegitimate software publishers.
Trend Micro goes on to explain (and my own experience confirms) that PUAs often involve bundling. This describes other stuff that comes along for the ride when a user installs some specific application. PUAs may also display oodles of ads, collect user information without notification and/or consent, issue exaggerated or bogus notifications (“scareware”), provide little or no control to users, run unwanted processes or applications (coin miners, for example), and require unorthodox or difficult uninstall processes. The “unwanted” moniker is pretty easy to understand, in light of all these potential gotchas.
How Windows Defender Blocks PUAs
Turns out that a variety of mechanisms permit Windows Defender to turn on a PUA blocking function. In enterprise environments, this might happen using Intune or System Center Configuration Manager (SCCM). Microsoft’s Windows IT Pro Center offers specific guidance on this process. A July 2018 article entitled “Detect and block Potentially Unwanted Applications” provides all the necessary details for using either of these tools. In addition, a single PowerShell command run with admin privileges can also enable (or disable) the appropriate setting. Here’s a screen capture that shows the “enable” command:
The command string is Set-MpPreference -PUAProtection Enabled. The Get-MpPreference command that follows it shows the Defender security settings currently in effect.
The precise syntax for this command (for easy cut’n’paste) is:
Set-MpPreference -PUAProtection Enabled
To view all current Windows Defender security settings, use the following command:
Get-MpPreference
In the preceding screencap, the information of interest appears in the next-to-last line. It reads "PUAProtection : 1", which means that PUA blocking is turned on. A zero (0) value means PUA blocking is off. Thus, the command to disable PUAProtection is:
Set-MpPreference -PUAProtection Disabled
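As an added example (not code from the original post), here is a short script that wraps the commands above: it reads the current PUAProtection value via Get-MpPreference, enables protection only if it is not already on, verifies the change, and lists any PUA detections Defender has already recorded. The function names Get-PuaProtectionState, Enable-PuaProtection and Get-PuaDetections are my own; the AuditMode value (2) is a third setting for -PUAProtection that the post does not cover.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-PuaProtectionState {
    # Get-MpPreference reports PUAProtection numerically: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    $value = (Get-MpPreference).PUAProtection
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { "Unknown ($value)" }
    }
}

function Enable-PuaProtection {
    $before = Get-PuaProtectionState
    if ($before -eq 'Enabled') {
        Write-Host 'PUAProtection is already enabled.'
        return
    }
    Write-Host "PUAProtection is currently '$before'; enabling..."
    Set-MpPreference -PUAProtection Enabled

    # Verify: a Group Policy or Intune/SCCM setting can override the local preference,
    # so never assume the Set-MpPreference call took effect.
    $after = Get-PuaProtectionState
    if ($after -ne 'Enabled') {
        throw "Expected PUAProtection to be Enabled, but Get-MpPreference reports '$after'. Check for a managed policy overriding the local setting."
    }
    Write-Host "PUAProtection is now '$after'."
}

function Get-PuaDetections {
    # Defender names PUA detections with a 'PUA:' prefix (for example PUA:Win32/...),
    # so filtering on that prefix separates them from malware detections.
    Get-MpThreat |
        Where-Object { $_.ThreatName -like 'PUA:*' } |
        Select-Object ThreatName, SeverityID, IsActive, Resources
}

Enable-PuaProtection
Get-PuaDetections | Format-Table -AutoSize
```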
Easy-peasy.
Bypassing Windows Defender’s PUA Protection
Occasionally, one may wish to run a program that Windows Defender blocks. All blocked programs go into Quarantine, where you can access them quickly and easily. Just follow these steps:
- Click Settings → Update & Security → Windows Security.
- Select Virus & threat protection.
- Click “Threat History,” then click the item you wish to run, and click the “Restore” button.
Most of the time, it’s just that easy. If you can’t find the threat in this location, click “See full history” and look for it in the complete list of items there. Enjoy!
[Note: Here’s a shout-out to Martin Brinkmann at Ghacks.net. His excellent 8/20/2018 story “How to enable Windows Defender’s potentially unwanted programs protection” inspired and informed this blog post. Vielen Dank, Martin!]