Snort - Rule Docs

Rule Category

PUA-ADWARE -- Snort has detected a Potentially Unwanted Application (PUA). This is a program which installs adware or toolbars, collects information, runs unwanted processes that consume computing resources, or has otherwise unclear objectives. These are usually additional programs bundled with legitimate programs. Some users consider the benefit of the main application to outweigh the risks of the PUA; you are paying for a free product by contributing with advertising or data. These alerts are often assigned a lower risk, as they are not directly malicious or as fast-spreading as worms or trojans. This alert concerns a PUA dealing with adware or spyware. This application might be trying to monitor your computer to relay user names and passwords, account numbers, or other sensitive data to a third party. This is not application-specific and is a more dangerous type of PUA.

Alert Message

PUA-ADWARE Adware aornum/iwon copilot runtime detection - config

Rule Explanation

This event is generated when activity relating to a spyware application is detected.

Impact: Unknown. Possible information disclosure, violation of privacy, possible violation of policy.

Details: Spyware is malicious software running on a host that may intercept or take information from the host system without a user's consent or knowledge. Spyware is also capable of using a host's Internet connection without the knowledge or consent of the user, in order to deliver that information to an unauthorized third party. This software not only uses available bandwidth on a network connection but also consumes system resources, in some cases to the point of making the host unusable. Spyware can be classified into multiple categories depending on the behavior of the software. In particular, this event indicates that the software detected is adware. Adware is responsible for generating pop-up advertisements on the host machine.

Ease of Attack: Simple. This is spyware activity.

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

None