You have removed a Potentially Unwanted Program (PUP) but Malwarebytes Endpoint Protection keeps detecting the same PUP. The user's device may be reinfected via a browser sync with another device or rootkit infection.
About browser related PUP
PUPs are commonly found in browsers, so it can make PUP removal challenging if the browser is synced across multiple devices. If your user is logged into their browser, there's a chance the browser is syncing PUPs from their personal devices.
When a PUP is detected and before you remove it, note the location/file/folder path. If the path relates to a browser, like Google Chrome, the PUP may be an extension or browser setting, which is syncing between the user's work machine and their personal machine or mobile device.
Remove the PUP from the endpoint machine
- Have the user sign out of their web browser's profile and reset their browser to default settings.
To ensure the PUP does not infect other installed browsers, it is best practice to reset all web browsers installed on the user's device. For instructions on how to reset a browser, refer to:
- Scan the user's machine with Malwarebytes Endpoint Protection.
- Scan the user's machine with ADWCleaner. For instructions, refer to Malwarebytes AdwCleaner features
To mitigate this risk in the future, you may choose to disable the browser syncing functionality on corporate-managed devices. This Chrome function can be disabled via Group Policy Objects (GPO), refer to Google's support document Set Chrome policies for devices.
In case of Rootkit Infection PUP
If the path does not involve a browser, then the PUP is likely being placed back on the machine via a rootkit infection. An administrator will need to scan the user's machine.
- For Malwarebytes Endpoint Protection or Malwarebytes Incident Response environments, scan the user's machine with rootkit options turned on.