This article explains why some legitimate admin tools may be detected as a Potentially Unwanted Application (PUA).
Applies to the following Sophos products and versions
Not product specific
Any application detected as a PUA is a legitimate (clean) application that is not malicious by itself. These applications are often created for a variety of purposes and are used by IT admins to do their jobs.
Many of these tools include features that, while intended for legitimate use, can be used for malicious purposes. For example:
These types of tools are often referred to as a "Hackers Toolkit" or "Living off the land", where an attacker tries to use as many legitimate applications as possible before turning to malicious files, in order to avoid being discovered. Sophos constantly monitors these types of attacks and the tools attackers use. We block these tools by default as PUAs to help protect customers who don't want these types of applications being used on their network.
The list of applications blocked for this reason is not published because it changes regularly. Examples include: