What is a PUA and why does it matter?
In the field of cybersecurity, we often hear about viruses, ransomware, or Trojans. But there is a lesser-known, and potentially dangerous, category of software: PUAs, or Potentially Unwanted Applications.
Unlike traditional malware, a PUA is not necessarily malicious in the strict sense of the term. It is software that, depending on the context or environment in which it is installed, may be considered unwanted or problematic. The word "potentially" is key here: what is acceptable in one environment may be unacceptable in another.
Here are some concrete examples of PUAs you might encounter:
- Adware: software that displays advertising in an intrusive manner and collects data on your browsing habits.
- Remote access tools: software such as VNC, TeamViewer, or AnyDesk is legitimate for a technician, but entirely unwanted if installed without a user's knowledge.
- Surveillance software (stalkerware): applications that allow monitoring of a user's activity without their consent.
- Dubious system optimizers: software that claims to improve your computer's performance, but whose actual usefulness is questionable and which may collect personal data.
- Unsolicited browser extensions: installed alongside other software without the user being fully aware of it.
- Cryptominers: software that uses your machine's resources to mine cryptocurrencies without your knowledge.
- Outdated JS or PHP libraries containing known vulnerabilities, such as old versions of jQuery.
Even if they do not directly destroy your data, PUAs pose concrete risks: degraded system performance, unauthorized collection of personal or professional data, opening of security vulnerabilities that can be exploited by attackers, and in some cases, the silent installation of other malicious software. In a professional environment where data security is paramount, the presence of a single undetected PUA can have serious consequences.
This is why the question of their detection, and of the policy adopted by organizations regarding them, is a strategic issue in cybersecurity.
PUA detection policies: a strategic choice for each organization
Different needs depending on the organization
When it comes to PUAs, not all organizations react in the same way, and that is perfectly normal. The detection policy adopted depends largely on how IT tools are used, the sector of activity, the sensitivity level of the data processed, and the applicable regulatory requirements.
Here are a few concrete examples to illustrate this diversity:
A medical practice or healthcare facility handles extremely sensitive patient data subject to medical confidentiality. In this context, even the slightest data breach can have serious legal and human consequences. The security policy will therefore be very strict: any software not expressly authorized will be blocked, including PUAs. A remote access tool installed on a medical workstation without prior validation is an unacceptable threat.
A software development agency may need to use security testing tools, key generators, network analysis software, or advanced debugging tools. These tools are often classified as PUAs by antivirus solutions, as they can be used for malicious purposes. Systematically blocking all PUAs in this environment would harm the productivity of technical teams.
A large industrial company may have different levels of IT workstations: administrative workstations for which a very strict policy is applied, and technical workstations on the shop floor where certain diagnostic software, usually classified as PUAs, is essential for smooth production operations.
Highly varied antivirus use cases
It is also important to keep in mind that antivirus signatures are not only used to protect workstations. Their scope of application is much broader, and the use case directly determines the PUA detection policy to adopt.
On a file server, antivirus signatures are used to scan files stored and shared on the internal network. The goal is to prevent an infected or unwanted file from spreading throughout the organization. In this case, detecting PUAs is often desirable, as they can serve as an infection vector.
On a mail server, the antivirus scans attachments in incoming and outgoing emails. Remote control tools, administration scripts, or test tools sent by email may legitimately be classified as PUAs. The policy to adopt will depend on the type of attachments the company is likely to receive.
On a network proxy, signatures are used to analyze web traffic in real time. The goal is to block the download of unwanted software before it even reaches the workstations. This is often the environment where a maximum PUA detection policy is most relevant.
In summary, PUA detection policy is not a binary choice ("detect everything" or "detect nothing") but a strategic decision that must be tailored to each environment, each use case, and each level of risk. The challenge lies in finding the right balance between maximum security and operational continuity.
The SecuriteInfo.com approach: maximum detection and total control for the user
The founding principle: let nothing slip through
SecuriteInfo.com has made a deliberate choice to adopt a maximum detection philosophy. The reasoning is simple and pragmatic: it is better to detect too much than not enough. When software represents a potential risk, whether classified as malware, exploit, known vulnerability, or PUA, SecuriteInfo.com's antivirus signatures are designed to detect it.
This approach guarantees "0 hour" coverage, meaning the earliest possible detection of new threats, without waiting for unwanted software to be officially recognized as malicious by the entire cybersecurity community. In the field of IT security, every hour of delay in detecting a threat can result in a data breach or propagation across the entire network.
This extended coverage applies to all threat categories: malware (viruses, trojans, ransomware), exploits (code that exploits software vulnerabilities), known vulnerabilities (CVEs), and of course PUAs in all their diversity.
Why SecuriteInfo.com cannot tailor its signatures to each client
SecuriteInfo.com provides its antivirus signatures to a multitude of clients with very different profiles and needs. Some use them to secure a file server, others to filter email flows, and others still to control network traffic via a proxy. Each deployment is unique, and each organization has its own cybersecurity policy.
It would therefore be impossible, and counterproductive, for SecuriteInfo.com to offer "custom" signatures tailored to each client's specific needs. On the other hand, it is entirely possible to provide the most comprehensive signatures possible, while leaving each client the responsibility and freedom to adapt this detection to their context.
This is precisely the approach adopted by SecuriteInfo.com. The rule is as follows: maximum detection by default, customization by choice.
The .ign2 file: the customization tool at the service of your needs
To allow each client to fine-tune detection according to their internal policy, SecuriteInfo.com offers a simple and effective mechanism: the exclusion file with the .ign2 extension, used within the ClamAV antivirus framework.
The operation is intuitive: in this file, simply list the names of the signatures you wish to disable. ClamAV will then ignore these signatures during scans, without affecting other detections.
Here is how it works in practice:
Suppose your company legitimately uses a remote access tool that is detected by SecuriteInfo.com's signatures as a PUA. Rather than disabling the entire PUA detection, which would significantly weaken your security level, you can simply add the name of that specific signature to your .ign2 file. The tool will then be ignored during scans, while all other PUAs will continue to be detected normally.
This mechanism offers several major advantages:
- Fine granularity: you choose exactly which signatures to disable, without impacting the others.
- Traceability: the .ign2 file serves as a record of all exclusions voluntarily granted by your security team.
- Reversibility: if a previously authorized tool becomes a threat (for example after a malicious update), simply removing its entry from the .ign2 file is enough to reactivate detection.
- Documentation of exceptions: since exclusions are explicit, they can be subject to periodic review as part of your security audits.
Full documentation on setting up the .ign2 file and the ClamAV signature whitelisting process is available directly on the SecuriteInfo.com website, on the dedicated ClamAV signature whitelisting page.
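The following shell script is an added example (not SecuriteInfo.com's or ClamAV's own code) showing how the traceability, reversibility and review points above can be enforced in practice: each exclusion written to local.ign2 carries a dated, attributed comment, and removing it restores detection. It assumes a ClamAV database directory (DB_DIR, defaulting to a temporary directory here), that ClamAV skips empty lines and lines starting with '#', and uses constructed placeholder signature names.

```shell
#!/bin/sh
# Added example (not SecuriteInfo.com's or ClamAV's own code): keep a ClamAV
# local.ign2 exclusion file with an audit trail, so each disabled signature
# carries a date, an author and a change reference for later review.
# Assumptions: the file lives in the ClamAV database directory (DB_DIR,
# defaulting to a temporary directory here; set it to your real one, e.g.
# /var/lib/clamav); ClamAV skips empty lines and lines starting with '#';
# all signature names used with these functions are constructed placeholders.

DB_DIR="${DB_DIR:-$(mktemp -d)}"
IGN2="$DB_DIR/local.ign2"

# ign2_valid NAME: accept only a single bare signature name. Whitespace would
# split the entry, and ':' would make ClamAV parse it as the old .ign format.
ign2_valid() {
    case "$1" in
        ''|*[[:space:]]*|*:*) return 1 ;;
        *) return 0 ;;
    esac
}

# ign2_active: print the signature names currently ignored (comments stripped).
ign2_active() {
    [ -f "$IGN2" ] || return 0
    grep -v '^#' "$IGN2" | grep -v '^[[:space:]]*$'
}

# ign2_add NAME REF: exclude NAME, recording who did it, when, and why (REF).
# Adding the same name twice is a no-op so the file stays one entry per signature.
ign2_add() {
    ign2_valid "$1" || return 1
    ign2_active | grep -qxF -- "$1" && return 0
    printf '# %s excluded by %s, ref %s\n%s\n' \
        "$(date -u +%Y-%m-%d)" "${USER:-unknown}" "$2" "$1" >> "$IGN2"
}

# ign2_remove NAME: reactivate a signature by dropping its line together with
# the comment header written for it (any other comment lines are kept).
ign2_remove() {
    [ -f "$IGN2" ] || return 0
    awk -v sig="$1" '
        /^#/      { if (pending != "") print pending; pending = $0; next }
        $0 == sig { pending = ""; next }
                  { if (pending != "") print pending; pending = ""; print }
        END       { if (pending != "") print pending }
    ' "$IGN2" > "$IGN2.tmp" && mv "$IGN2.tmp" "$IGN2"
}
```

ClamAV loads every .ign2 file it finds in its database directory, so pointing DB_DIR at that directory makes the recorded exclusions take effect on the next database reload.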
Concrete added value for IT professionals and security teams
The SecuriteInfo.com approach addresses a real need expressed by many system administrators and IT security managers: having a comprehensive, regularly updated signature database, without being forced to choose between exhaustiveness and operability.
In cybersecurity, the precautionary principle prevails: it is better to investigate an alert on an authorized PUA (a controlled false positive) than to let genuinely malicious software slip through. The use of the .ign2 file allows these false positives to be managed in a structured way, by documenting and explicitly validating them.
Furthermore, SecuriteInfo.com's signatures are continuously updated to incorporate new threats as early as possible. "0 hour" detection ensures that even very recent threats, which have not yet been integrated into the official databases of major antivirus vendors, will be identified and blocked.
Conclusion: maximum PUA detection, a cornerstone of robust cybersecurity
PUAs are not trivial threats. Although they are not always malicious in every context, they represent a real risk to the security of your information system, whether through unauthorized data collection, performance degradation, or their use as a vector for more serious attacks.
PUA detection policy is a strategic choice that must reflect the reality of your IT environment: the type of data processed, the tools used, regulatory requirements, and the specific usage patterns of your teams. There is no universal answer, but there is an approach that gives every organization the means to make the right decision.
This is precisely what SecuriteInfo.com offers: antivirus signatures that provide the most comprehensive detection possible (malware, exploits, vulnerabilities, and PUAs), updated in real time for "0 hour" protection, combined with a simple and powerful customization tool via the .ign2 file. You thus get the best of both worlds: maximum security by default and the flexibility needed to adapt this protection to your specific needs.
By adopting this approach, you are choosing proactive and responsible cybersecurity: you do not wait for a threat to be officially recognized before acting, you have full visibility into what is circulating within your information system, and you retain control over granted exceptions, with complete transparency.
In a constantly evolving threat landscape, where attackers are endlessly inventive in their efforts to bypass protections, maximum detection is not excessive caution: it is a necessity.
ClamAV™ is a trademark of Cisco Systems, Inc.