Malwarebytes Endpoint Security keeps detecting the same Potentially Unwanted Program

Document created by jyamada Employee on Mar 14, 2018Last modified by bgoddard on Sep 27, 2019
Version 5Show Document
  • View in full screen mode

You have removed a Potentially Unwanted Program (PUP) but Malwarebytes Endpoint Security keeps detecting the same PUP. The user's device may be reinfected via a browser sync with another device or rootkit infection.


About browser related PUP

PUPs are commonly found in browsers, so it can make PUP removal challenging if the browser is synced across multiple devices. If your user is logged into their browser, there's a chance the browser is syncing PUPs from their personal devices. 



When a PUP is detected and before you remove it, note the location/file/folder path. If the path relates to a browser, like Google Chrome, the PUP may be an extension or browser setting, which is syncing between the user's work machine and their personal machine or mobile device.


Remove the PUP from the managed client

  1. Have the user sign out of their web browser's profile and reset their browser to default settings. 
    To ensure the PUP does not infect other installed browsers, it is best practice to reset all web browsers installed on the user's device.  For instructions on how to reset a browser, refer to:
  2. Scan the user's machine with Malwarebytes Management Console.

  3. Scan the user's machine with ADWCleaner. For instructions, refer to Malwarebytes AdwCleaner features 


To mitigate this risk in the future, you may choose to disable the browser syncing functionality on corporate-managed devices. This Chrome function can be disabled via Group Policy Objects (GPO), refer to Google's support document Set Chrome policies for devices.


In case of Rootkit Infection PUP

If the path does not involve a browser, then the PUP is likely being placed back on the machine via a rootkit infection. An administrator will need to scan the user's machine.


Additional information