PUP and PUM FAQs for Endpoint Protection customers

Document created by jgolomb Employee on Dec 26, 2018Last modified by jyamada on Jan 23, 2019
Version 2Show Document
  • View in full screen mode

Malwarebytes Endpoint Protection and Malwarebytes Endpoint Protection and Response software detects Potentially Unwanted Programs (PUPs) and Potentially Unwanted Modifications (PUMs). PUPs and PUMs are not considered malicious, but they may have undesirable effects that Malwarebytes does not recommend.


What is the difference between a PUP and a PUM?

PUPs usually come in the form of toolbars, bundleware, bloatware, or similar programs that exhibit unwelcome behavior. PUPs can diminish an end user's experience, but they are not classified as malware. To see how a program is classified as a PUP, refer to the PUP Reconsideration Information.


PUMs are detected when specific modifications are made to the Windows Registry. Malware may modify the Windows registry to obfuscate its location and make remediation difficult. To ensure you have authorized these modifications, your Malwarebytes software alerts you whenever a PUM is detected.


Why am I seeing PUPs and PUMs?

If your users have permission to download toolbars, extensions, or other software, there's a high possibility your endpoints have PUPs and PUMs. Some PUPs and PUMs can be installed without administrator permissions; especially if you do not enforce permissions.  To help decrease PUP and PUM detections, you may want to implement or revise the permissions on your endpoints.  


Why is Malwarebytes repeatedly detecting the same PUPs?

If Malwarebytes does not remove a PUP completely, the PUP may restore itself, which can cause the PUP to continue appearing in your detections. PUPs are commonly found in browsers, which can make PUPs difficult to remove if your browser is synced across multiple devices.  If your end user is logged into their browser, there's a chance the browser is syncing PUPs from their personal devices. Refer to Malwarebytes Endpoint Protection keeps detecting the same PUP for more details.


Does Malwarebytes remove PUPs and PUMs automatically?

Malwarebytes Endpoint Protection and Incident Response removes PUPs and PUMs automatically. To configure how your Malwarebytes software treats PUPs and PUMs, refer to Configure Malwarebytes cloud platform to ignore PUPs or PUMs


Can I choose how Malwarebytes treats PUPs and PUMs?

Yes, you can choose how you want Malwarebytes to treat PUPs and PUMs on your endpoints. You can set Malwarebytes to ignore PUPs and PUMs completely or decide what Malwarebytes does when PUPs and PUMs are detected.


Cloud Console


How do I stop Malwarebytes from detecting a program I want to keep?

To prevent your Malwarebytes software from detecting a program, add the program to Malwarebytes' exclusions. If you need to exclude the PUP on all endpoints, you may want to consider adding a wildcard (*) in place of usernames or folders. For more information refer to Add exclusions to the Malwarebytes cloud platform.


How do I stop Malwarebytes from detecting a Group Policy registry key?

If your Malwarebytes software has detected a PUM that you configured from your Group Policy, you can add the PUM to your exclusions. For instructions on excluding PUMs, see Group Policy registry keys detected as Potentially Unwanted Modifications in Endpoint Security.