ANS Documentation

Improve This Doc
  • Cloud
  • Domains and DNS management
  • Backup and High Availability
  • eCommerce Stacks
  • Security
    • DDoSX®
    • Web Application Firewall
    • Threat Monitoring and Threat Response
      • General Information and FAQs
      • How does it work?
      • System Requirements
      • Getting Started
      • Installing on a UKFast hosted server
      • Installing on a non-UKFast hosted server
      • PCI DSS Compliance
      • Alerts and rulesets
      • Attack Ruleset
      • High Level Alerts Explained
      • Alert Remediation Tips
      • Common Attacks
      • Databases
      • Exploits
      • File Monitoring (FIM)
      • Malware
      • Service Specific Alerts
      • System
      • Windows
      • Scans and Reconnaissance
    • McAfee Antivirus
    • Vulnerability Scans
    • Keeping Magento secure
    • Keeping WordPress secure
    • Brute Force Attacks
    • CryptoLocker
    • Dirty COW
    • The Logjam attack
    • Meltdown and Spectre
    • Memcached security concerns and reflection/amplification DDoS attacks
    • Wana Decryptor / Wana Decrypt0r 2.0 / WannaCry
    • Log4J Vulnerability
    • Polkit Security Vulnerability CVE-2021-4034
    • CVE-2022-0847 - Dirty Pipe Vulnerability
  • Email
  • Monitoring and usage management
  • Networking
  • Operating systems
  • Webcelerator
  • MyUKFast
  • Home >
  • Security >
  • Threat Monitoring and Threat Response >
  • High Level Alerts Explained >
  • MS Defender

MS Defender¶

Windows Defender detected potentially unwanted software.¶

What does this rule mean?

Defending your server from viruses and malware, this rule triggers when Windows Defender (Microsofts Anti Virus and Malware Solution) detects a suspicious PUP (Potentially Unwanted Program) program. As stated, this is flagged as a potentially unwanted program or software.

Many attackers follow an attack with malware. Installing a trojan, backdoor or, rootkit or RAT on your server is high on an attackers priority list. Should they be discovered, and the exploits patched, this malware could allow the attacker to regain access to your server, potentially bypassing authentication and auditing techniques.

What triggers this rule?

One of the most common triggers for this rule is unwanted software that is installed along with third-party applications, ranging Tool Bars to viruses like the infamous PCOptimiserPro Trojan. This rule can also trigger when legitimate software is triggered. This can happen when Windows doesn’t recognise an application.

What action do I need to take?

As a first responder, you should log into the server in question to determine whether the PUP (Potentially Unwanted Program) was deleted by the anti-virus software. If the action was taken, we recommend manually running another system scan to check for any remnants of the malware. Should the malware be present on the system still, it should be removed, either through the anti-virus program or manually? Then, a manual anti-virus scan should be run.

Next Article > Microsoft Security Essentials

  • Useful Links
  • SMB
  • Enterprise
  • Channel
  • Public Sector
  • ANS Data Centres
  • About ANS
  • Careers
  • Blog
  • Get in touch
  •  
  • Sales 0800 458 4545
  • Support 0800 230 0032
  • Get in touch

© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap
ANS Group Limited, registered in England and Wales, company registration number 03176761, registered office 1 Archway, Birley Fields, Manchester M15 5QJ