Why is WinZip a PUA?

ptoye Posts: 18 Enthusiast
edited November 2023 in Web Browsing

All of a sudden, my copies of WinZip executables have been identified as PUAs. It's not a major issue for me, as I hardly ever use the program, but it would be good to know why this has suddenly appeared. Any ideas, anyone?

Accepted Answers

  • Ukko
    Ukko Posts: 3,768 Superuser
    Answer ✓

    Hello,

    It may be good to know the version of WinZip (if not the latest) and the name/wording of the detection by F-Secure.

    As such, maybe trying to install additional bundled software. Why just 'all of a sudden' detection is arrived - well, only added to signatures(?) databases, which F-Secure uses.

    However, that is not an explanation of why 'all of copies of WinZip executables' (if this is not about installers) are detected. Then, since I do not use WinZip - I need to know if there is any 'extra' functionality (more than an archiver/zipper) - and if yes, maybe this module or that is a bit tricky in its design.

    There is also a possibility that some generic detection claimed that WinZip is PUA erroneously (false positive). If so, it is always possible to share detected item with F-Secure Labs via F-Secure SAS page there: Submit a sample | F-Secure

    And, usually F-Secure follows next guide about PUA/UA detections:

    After a brief web search, I also found that, from time to time, WinZip is the subject of PUA detections by different security vendors.

    Thanks!

  • Firmy
    Firmy Posts: 1,905 Community Manager
    Answer ✓

    Hello @ptoye

    Welcome to the F-Secure Community. Thank you for your post.

    The reason that the WinZip executables are detected as PUA is because they are installers bundled with the OpenInstall library. This means that the installer can potentially install other applications on top of the intended software. We determined that this is not a False Positive, and will not be whitelisting the installers.

    If you still need to use the software, please exclude it from our scanning engine. This can be done by following the steps in this link: https://help.f-secure.com/product.html#home/total-windows/latest/en/task_13205052E3D44C44BA2491A55A7F818F-latest-en

    If you have any further questions or concerns, please don't hesitate to let us know.

    Thank you, and have a great day!

    Firmy
    Community Manager | F-Secure Community

Answers

  • ptoye
    ptoye Posts: 18 Enthusiast

    Thanks for this, Ukko. The versions of WinZip are ancient: 155 and 170 (I said I don't often use it!). They've been quarantined by F-Secure and I've deleted them.

    There seems to be a bit of a design bug: when I drill down to the quarantined programs there doesn't seem to be a way of finding out what's been quarantined. It just says 'multiple items'. It's possible (and in my opinion, reasonable) that there's more than one item in the list and the user wants to keep one and remove the others. I can't see a way of doing this.

  • ptoye
    ptoye Posts: 18 Enthusiast

    Thanks @Firmy . All sorted now.

  • Ukko
    Ukko Posts: 3,768 Superuser
    edited May 2023

    Hello,

    Good that the situation is sorted!

    "There seems to be a bit of a design bug: when I drill down to the quarantined programs there doesn't seem to be a way of finding out what's been quarantined. It just says 'multiple items'. It's possible (and in my opinion, reasonable) that there's more than one item in the list and the user wants to keep one and remove the others. I can't see a way of doing this."

    Yes, but I think this situation should only be when 'multiple items' are found per directory. Or something which is treated/marked as an infection. Maybe it can be the 'same' signature/type of threat more than twice.

    So, a 'pack' of items is quarantined as "multiple items"; in other words: the 'infection' is quarantined. With no option to restore only some of them. Which is a bit odd too, though. But it can be okay if there is a really dangerous state.

    As such, Quarantine (App and file control) should allow restoring or deleting a certain item from the list - if they were put in quarantine with no relation between each other. When it is possible - items are listed instead of one item with the name 'multiple items'.

    // one addition: however, when we talk about PUA detection - it is a bit strange, perhaps. Even if this situation is treated as an infection.

    Thanks!

This discussion has been closed.