One of the latest additions to Windows Defender Antivirus' arsenal of protection tools blocks potentially unwanted programs, short PUPs, from landing on the system or being installed on Windows PCs.

Note: Potentially Unwanted Programs (PUPs) and Potentially Unwanted Applications (PUAs) refer to the same type of potentially unwanted software.

Microsoft improved the defensive capabilities of the built-in antivirus and security tool Windows Defender significantly for Windows 10.

The company added features such as Windows Defender System Guard and Application Guard, Network protection, Controlled Folder Access, or Exploit protection in recent years to the tool. Microsoft even published Windows Defender Browser Protection for Google Chrome.

Some features are reserved for Enterprise editions of Windows 10 but some are also available in Home editions.

Windows Defender's PUP Protection

Windows Defender may block potentially unwanted programs from being downloaded or installed on Windows 10 systems. The feature is not enabled by default and can only be enabled using PowerShell, InTune, or System Center.

Potentially Unwanted Programs are not classified as malware usually; these programs may come as extra installation offers during software installations on a Windows PC or as standalone programs that don't provide a lot of value, if at all.

Microsoft gives the following examples of typical PUA (Potentially Unwanted Applications):

  • Various types of software bundling
  • Ad-injection into web browsers
  • Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)

Windows Defender Antivirus does not block potentially unwanted programs by default. You can check the protection on Microsoft's Demo Scenario site to test a system's protection against various threats.

Just click on the link under Scenario to test the protection. This should work with Windows Defender and other antivirus software installed provided that they are configured to block PUPs.

The protection works in the following cases:

  • The file is downloaded in a browser.
  • The file is in a folder with "downloads" or "temp" in the path.
  • The file is on the user's Desktop.
  • The file is not under %programfiles%, %appdata%, or %windows%, and does not meet any of the conditions above.

Windows Defender Antivirus places files identified as PUP in the Quarantine. Users are informed about the identification of PUPs on the system similar to how they are informed about other threats detected by Windows Defender.

Admins and users can check the Windows Event Viewer for event ID 1160 as potentially unwanted program events are recorded under it.

Enable the potentially unwanted programs protection in Windows Defender

https://cdn.ghacks.net/wp-content/up...protection.png

Note that the following instructions apply to Windows 10 only and that you need elevated rights to make the change.

  1. Open Windows PowerShell with Windows-X and the selection of Windows PowerShell (Admin) from the context menu. - If you don't see Windows PowerShell (Admin) listed there do the following instead: open Start, type Windows PowerShell, right-click on the result, and select "run as administrator".
  2. Confirm the UAC prompt that is displayed.
  3. The console that opens should being with "Administrator".
  4. Type Set-MpPreference -PUAProtection Enabled and hit the Return-key.

Nothing is returned when you run the command. You can run the command Get-MpPreference to check the status of preferences of Windows Defender Antivirus. Find PUAProtection and make sure it is set to 1 (which means that it is enabled).

Tip: You can disable the protection again at a later point in time by running the command Set-MpPreference -PUAProtection Disabled. It is furthermore possible to set the feature to audit mode. Audit mode records events but won't interfere (read block) potentially unwanted programs. To set audit mode run MpPreference -PUAProtection AuditMode.

I recommend that you run the test scenario that Microsoft published to the demo site linked above to make sure the protection is enabled correctly.

Admins who work with Microsoft Intune or System Center Configuration Manager find instructions on enabling the Potentially Unwanted Applications protection of Windows Defender Antivirus on Microsoft's Doc website.

Whitelist blocked PUA applications

https://cdn.ghacks.net/wp-content/up...at-history.png

Detected PUAs are moved to the Quarantine of Windows Defender automatically. It happens that you want to keep a program that Windows Defender identified as a PUA.

You can restore any program that Windows Defender put into Quarantine and potentially unwanted programs are no exception to that.

  1. Use Windows-I to open the Settings application.
  2. Go to Update & Security > Windows Security.
  3. Select "Open Windows Security".
  4. Go to Virus & threat protection.
  5. Click on "Threat history".
  6. Select the threat that you want to recover and then restore.


  • If you don't see the threat listed there, as only some are displayed there, select "see full history" to get the complete listing.

Windows Defender restores the file to its original location, e.g. the Downloads folder. You should be able to run it from there then without any issues.