PUP detections from MalwareBytes

The first word in most of these acronyms is "Potentially", which is of course for the user to decide if the potential Risk, is greater than the actual benefits

In my IT work I use a number of small apps to solve user issues, Some if not all of these have the potential to be used either illegally or for dubious purposes. I know what the programs do and have confidence that they are safe for me to use, However If I saw one of them on a client system I would strongly suggest that they remove it if they do not know how to use it, (owners of businesses, do not always know what is on the computers they own that are used by employees)

All of these programs are required and safe for the purposes I use them for ... ... All of them are flagged as PUPs ... I simply click on ignore or store them in password protected ZIP files.

Malwarebytes tends to be quite annoyingly overzealous when it come to PUP detection. Apparently, they translate "potentially" as "definitely". I've been forced to temporarily disable Malwarebytes when installing or updating FreeFileSync to keep Malwarebytes from automatically blocking the install or update and deleting the installer. Afterwards, like Nigel, I zip the installer to keep it from being deleted by Malwarebytes, although I don't passord protect it (zipping also bypasses Carbonite's exclusion of .exe files).

The reason I password protect the zips is dual purpose, It stops any unauthorized user accessing the applications, and it also stops Pro Anti Malware apps from accessing the contents of a Zip archive Which is normal

Barman58 said:

The reason I password protect the zips is dual purpose, It stops any unauthorized user accessing the applications, and it also stops Pro Anti Malware apps from accessing the contents of a Zip archive Which is normal

Your situation is different from mine--I'm the only user, for example--so I can understand you needng to password protect certain files. However, I'm also using the Pro version of Malwarebytes (I have four lifetime licenses grandfathered in) and I have yet to have it or anything else touch anything that has been zipped (I just now took a peek inside one just to be sure).

I personally (on all my own devices), use Bitdefender for security, The interesting difference with the commercial suite I use is that PUP/PUA is a warning only - It informs that it is recognising an app that may be an issue, and it gives the option to learn more about the potential issues and the actual program, and gives an option to Quarantine the app or delete it, but the default is always the Stop and Warn

Also a lot of Pro level network based endpoint security systems will include an option to scan inside Zip, Rar and zipped exe (installers that use Zip Compression), files as they are recognised as a serious threat for transmission of malware and other illegal content (after all a zip file opens easily in Windows these days

Some companies will also quarantine things like .ISO files until they are mounted and scanned for malicious content

Barman58 said:

I personally (on all my own devices), use Bitdefender for security, The interesting difference with the commercial suite I use is that PUP/PUA is a warning only - It informs that it is recognising an app that may be an issue, and it gives the option to learn more about the potential issues and the actual program, and gives an option to Quarantine the app or delay it, but the default is always the Stop and Warn

Pity Malwarebytes isn't like that. They default to search and destroy. It is possible to change thateach time when manually doing a scan but I have yet to get the default to change permanently for scheduled overnight scans. In the case of FreeFileSync, the developer has removed the PUP from the installer for that very reason yet Malwarebytes will still hit on it.

Seems like Malwarebytes, are working from a script, which will speed things up tremendously, but will, as in this case, still block a perfectly safe executable that happens to listed in the refused list. I wonder what would happen if you renamed the executable, would it then be forced to actually test it and find it to be clean and leave it alone ( I doubt the list would be that simple so am not suggesting you try it seriously, as if it was if you named a malware program to some known good name it might ignore it )

Barman58 said:

Seems like Malwarebytes, are working from a script, which will speed things up tremendously, but will, as in this case, still block a perfectly safe executable that happens to listed in the refused list. I wonder what would happen if you renamed the executable, would it then be forced to actually test it and find it to be clean and leave it alone ( I doubt the list would be that simple so am not suggesting you try it seriously, as if it was if you named a malware program to some known good name it might ignore it )

Actually, you may be partially right about that. I used to change the names of .exe, .msi, and .dll files by adding .disable to the end of them (still do for diagnostic purposes and temporary deletions) so Carbonite would automatically upload the without changing the file extension when downloaded later. However, it became a bit complicated for complicated program installers and I found it sometimes faked out Malwarebytes as well. I suspect they use a combination of a "hit list" as well as malware definitions and heuristics. My .zip files have the same file names as the original files but the extension is different.