You have removed a Potentially Unwanted Program (PUP) but Malwarebytes Endpoint Security keeps detecting the same PUP. The user's device may be reinfected via a browser sync with another device or rootkit infection.
About browser related PUP
PUPs are commonly found in browsers, so it can make PUP removal challenging if the browser is synced across multiple devices. If your user is logged into their browser, there's a chance the browser is syncing PUPs from their personal devices.
When a PUP is detected and before you remove it, note the location/file/folder path.
Remove the PUP from the managed client
- Have the user sign out of their web browser's profile and reset their browser to default settings.
To ensure the PUP does not infect other installed browsers, it is best practice to reset all web browsers installed on the user's device. For instructions on how to reset a browser, refer to:
- Scan the user's machine with Malwarebytes Management Console.
- Scan the user's machine with ADWCleaner. For instructions, refer to Malwarebytes AdwCleaner features
To mitigate this risk in the future, you may choose to disable the browser syncing functionality on corporate-managed devices. This Chrome function can be disabled via Group Policy Objects (GPO), refer to Google's support document Set Chrome policies for devices.
In case of Rootkit Infection PUP
If the path does not involve a browser, then the PUP is likely being placed back on the machine via a rootkit infection. An administrator will need to scan the user's machine.
- For Malwarebytes Endpoint Security or Standalone environments, download and run a scan with Malwarebytes Anti-Rootkit tool. Refer to Malwarebytes Anti-Rootkit beta information and How do I use Malwarebytes Anti-Rootkit?.