Get Free Information Around Information Security &
The Latest News in Cybersecurity Right to Your Inbox

A macOS Perspective from SentinelOne: Remote Desktop and PuPs

By SentinelOne -

What are PUPs?

A PUP is a Potentially Unwanted Program. It is also known as a Potentially Unwanted Application (PUA). PUPs are software with implementations that can compromise privacy or otherwise weaken the security of a computer, a user, or the environment.

What is the danger of a PUP?

A PUP can cause excessive or deceptive illegitimate changes to system settings, security settings, and other configurations. Some PUPs diminish the end-user experience with pop-ups, pop-unders, ad-insertions, ad-overlays, or ad replacements. If unhandled, these innocuous-seeming add-ons can cause significant performance issues later, or they can open security holes for the future.

Other PUPs install certificates on the endpoint, which allow hackers to intercept private data, such as banking details. With the certificate installed and trusted, the browser does not warn the user of a security breach.

How do PUPs enter the environment?

PUPs often use pseudo-installers to push adware or spyware with commonly-used software. Sometimes the danger is a hidden feature of a product, added with the knowledge of the vendor and mentioned in the EULA. Most users do not read the EULA and thus miss the warning that they are not using the official installer, or that the vendor is pushing unwanted add-ons.

Why do we need to handle PUPs differently than malware?

The difference between a PUP and other malware, is the concept of “Potential”. If a user is aware of all actions of the program, and you (IT and SecOps) confirm it is not dangerous, you can allow the program in your environment. A mission-critical application can be detected as a PUP. It is unwanted for some users, but critical for others.

How does SentinelOne protect and detect correctly?

The unique Behavioral AI engines of the SentinelOne Agent detect dangerous back-end configuration changes. They also detect desirable or expected behavior. When both come from one parent process, SentinelOne detects the installer process or running process as a PUP.

You can make groups of endpoints, according to their use of programs that are detected as PUPs. For example, you can create a group for IT computers. The policy for IT computers will allow PUPs. When an IT user installs a PUP, you can see its Story Line and decide if it is safe for IT endpoints. If so, you can add an exclusion to the IT group policy, that allows that program by its default installation path.

For the policies of other groups, you can set PUPs for automatic Detect and Protect. The Agent will detect PUPs. It will kill the processes that cause suspicious backend behavior, quarantine the installer, and remediate configuration changes that were done (if any).

Test Case: Remote Desktop from Apple macOS 10.12 (Sierra)

RDP is a critical application for authorized personnel. It is safe when restricted to legitimate business purposes. You can put more security on RDP, such as authentication, authorization, and auditing.

 

Say a corporate employee wants to remote control  a corporate device from internet cafe, airport, home or someone else’s machine…) using a radially accessible RDP application, such as TeamViewer[1]. If this unauthorized use of TeamViewer succeeds, then anybody can use the unprotected host as a jump box to control hosts, using a legitimate corporate account – possibly sharing files, and changing anything though an uncontrolled tunnel or VPN.

To configure SentinelOne for automatic and correct PUP protection:

  1. Create a group for IT.
  2. Create groups for other users.
  3. In the policy of the IT group, set Suspicious to Detect.
  4. In the policies of the other groups, set Suspicious to Protect. See that the  Potentially unwanted applications Engine is enabled by default.
  5. When unauthorized users install a program, such as TeamViewer, they will see something like this:
  6. The SecOps administrator will see something like this appear on the Dashboard:
  7. The Forensic Analysis of the TeamViewer alert will show the Hash, certificate details, file, path, and other information.
  8. If you want to override the default settings, but only for authorized IT personal (not everyone), consider tweaking the IT staff associated policy to add an exclusion for TeamViewer, using its code-signing certificate ID (exclusion by file and path are also possible, and yet less favorable for cases where strict content control is expected).

Result: Authorized users can use TeamViewer,  and install or upgrade without interruption, while other users cannot install TeamViewer. If they attempt to install it, the installation will be blocked.

* For more information on macOS PuP detection capabilities and OSX.IronCore see: https://www.sentinelone.com/blog/osx-ironcore-a-or-what-we-know-about-osx-flashimitator-a/

[1] Please note that our use of TeamViewer is only as an example. SentinelOne is not connected in any way with TeamViewer, nor do we recommend or criticize its use.