Classifying
Potentially Unwanted
& Unwanted
Applications

More about how F-Secure classifies programs as Potentially Unwanted Applications (PUA) or Unwanted Applications (UA)

About PUAs and UAs

Also known as: Potentially Unwanted Program (PUP), Potentially Unwanted Software (PUS), grayware or unwanted software

A Potentially Unwanted Application (PUA) has behaviors or aspects that can be considered undesirable or unwanted, depending on the user's context. For example, a network monitoring application may be considered useful to a system administrator using it to monitor an office workstation, but undesirable to the workstation user, whose security and privacy may be impacted.

An Unwanted Application (UA) has a significant number of questionable or risky characteristics, putting it on the extreme end of the PUA range. For example, an application bundle that leverages on the popularity of one application to entice users into installing a second included application, which serves aggressive or annoying ads.

PUAs and UAs do not meet the stricter definition of malware.

How could a PUA or UA affect me?

A PUA or UA can impact your privacy and security. It can also affect your productivity, or put unwanted stress on your device's resources.

Examples of some of the potential effects a PUA can have include:

Unwanted impact on productivity:

  • Disrupting the desired user experience
  • Waste of time
  • Program performs unexpected, unwelcome and unauthorized actions, which lead to unwanted distractions, lost opportunities or lowered productivity
  • Time or monetary cost of cleaning, maintaining or reformatting the affected device

Unwanted stress on the device's resources:

  • Excessive use of computing resources - disk space, SSD writes, Memory, CPU time, etc
  • Excessive bandwidth or data plan consumption

Compromises security:

  • Exposure to unexpected, questionable or unverified content, location or applications

Compromises privacy:

  • Personal information is unnecessarily exposed to unknown or unauthorized parties

Guideline for classifying PUAs / UAs

Classifying a program as a PUA or UA can be a challenge, as the same elements that seem attractive and useful to one person can be considered unwanted by another. To account for this, suspected PUAs and UAs undergo an additional evaluation.

We check the program being evaluated against the following list of behaviors or traits (divided into 5 categories) which are generally considered unwanted or risky. General consumer opinion of the program is also taken into account.

A program is considered a PUA if it has behavior or traits that match, or have the same effect as, one or more of the listed items. If the program has a significant number of behavior or traits that match items in this list, it is considered a UA.

It is very important to note that the guideline here is a non-exhaustive list. Because new forms of software are constantly being developed, we may update, expand or amend this list over time without prior announcement or notice to adapt to the ever-changing security landscape.

 

Identification and Purpose

The application makes claims about its identification, source, owner, purpose, functionality or features that are fraudulent, misleading or unclear. It does not fully disclose its functionalities, bundled components and other information relevant to how it affects the user's system prior to or during installation.

Examples include, but are not limited to:

  • Inadequate disclosure or misleading claims of the following:
    • Application's name
    • Source
    • Key features and functionality prior to installation
    • Any system and browser settings or existing applications impacted by the installation
    • Whether the product is supported by advertisements
    • Collection or transmission of private user information
    • Bundled components or software
  • Uses misleading, unclear, deceptive or coercive texts or graphics
  • Makes false or exaggerated claims to induce, compel or cause the users to install or run a software or perform an action, such as clicking on an advertisement

Installation and Uninstallation

Installation of the application is initiated based on false, misleading or fraudulent representation. It does not seek user consent and/or provide adequate control of the components that perform the installation and/or changes made to the user's system. Uninstallation is difficult, misleading or not straightforward.

Examples include, but are not limited to:

  • An End User License Agreement (EULA) and Privacy Policy are not provided to the user prior the installation
  • Adds or modifies unrelated, out-of-context system changes
  • Does not seek user consent or does not provide opt-in or opt-out controls for individual bundled components (e.g. toolbars)
  • The language used during installation is intentionally confusing to the user (for example, double negative questions to confuse opt-out with opt-in)
  • Installation is in an unexpected location and/or without clear identification of the application or the vendor
  • Requires unnecessary permissions not related to the application's functionality
  • The uninstaller does not offer the ability to completely remove the application (including all its bundled components)
  • The uninstaller does not roll back any system or setting changes it makes to restore the user's system to its original state prior to the application's installation, or does not provide the user with instructions how to do so manually

Advertisement

Misleading, intrusive or out-of-context advertisements.

Examples include, but are not limited to:

  • Unauthorized or misleading use of endorsements (trust marks, certificates, etc) or brand identity marks
  • Falsely claims to be, or misleadingly implies it is an application from an unaffiliated software vendor
  • Impersonates a system message or component
  • Misleads users into believing they need something which is missing from the user's system, or that they have an issue or problem with their system
  • Misleads users into visiting unintended websites or downloading files
  • Uses language or visual content that can be construed as 'threatening'
  • Content directs or redirects a user to an unintended, unexpected or questionable location
  • Content unexpectedly invokes a direct file download
  • Unexpectedly replaces or otherwise alters web page content, such as search results or links
  • Does not provide a clear way of closing the ad, or spawns additional ads when an attempt is made to close the ad

Unwanted Behavior

The application performs unexpected or misleading behavior (and often, without consent). 

Examples include, but are not limited to:

  • Contains one or more components that heavily consumes computing or network resources
  • Contains one or more components that heavily intervenes with normal user experience (outside the context of its stated functionality)
  • Unexpectedly hides and/or limits the user's ability to end, disable or delete its main interface or processes
  • Hides, disables or modifies other programs without notification and/or consent from the user.
  • Modifies system or web browser settings without notification and/or consent from the user.
  • Leads to a potential compromise of the user's data or system
  • Does not meet the user's expectations that the actions it takes (for example, for system maintenance or performance optimization) are actually beneficial
  • Subsequent updates to the application materially alters its functions to differ from the original statement(s) made during installation, without notification and/or consent from the user.

Privacy

An application collects or transmits private information and does not disclose this behavior to the user prior to installation. Furthermore, the application does not provide a way for the user to give consent to such collection or transmission, or does not provide adequate details about the use of the collected or transmitted information.

Additional: Consumer Opinion

F-Secure values input from our users and the online community as additional key factors in helping us identify new potentially unwanted or offending behaviors, and applications that affect the user's computing experience.

If you believe an application should be classified as PUA - or alternatively, if a PUA should be reassessed - you can submit it for review at the Submit A Sample page (select 'Potentially Unwanted Application' as the Sample Type).

How F-Secure products handle PUAs and UAs

Potentially Unwanted Applications:

F-Secure products will display a warning notification message before the application or file is allowed to run normally.

You can also opt to have the F-Secure product block a PUA.

Unwanted Applications:

F-Secure products will automatically block and quarantine the application or file.

If you are certain you want to keep using the application or file, you can exclude it from further scanning by the product.