MSP technicians, MSP operators, IT directors managing endpoint security and soft · May 21, 2026
How MSPs Can Stop PUP Reinstalls: A Caisey-Guided Workflow from Detection to Policy
When a user reports odd browser behavior or you spot unfamiliar software during routine checks, the real work isn't just uninstalling the program—it's understanding how it got there and how to keep it out. This case study walks through how one MSP technician used Caisey to investigate a potentially unwanted program (PUP), evaluate prevention options, and make a defensible recommendation to the client.
Initial Detection: From Simple Question to Deeper Inspection
The session started with a straightforward software inventory request. The technician asked whether Microsoft Word was installed on a managed endpoint. Caisey checked the registry, common installation paths, and executable locations, confirming Word was present as a Click-to-Run installation—a detail worth noting because these deployments don't always appear in standard uninstall registry keys.
The technician then pivoted to a more concerning question: was Wave Browser installed?
Confirming the PUP and Its Running State
Caisey executed a systematic check across three layers:
- **Registry inspection** for uninstall entries matching "Wave"
- **Process enumeration** to identify running executables
- **Filesystem verification** of common per-user and system-wide install paths
The registry came back clean—no formal uninstall record. But process enumeration revealed multiple active wavebrowser processes running from a per-user application data directory. Filesystem checks confirmed the executable was present in that location, while standard Program Files and Program Files (x86) paths tested negative.
This pattern is characteristic of PUPs that bypass system-wide installation to evade administrative detection and traditional software inventory tools. The technician now had concrete evidence: Wave Browser was installed per-user, actively running, and not visible in standard software management consoles.
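The same three-layer check as a stand-alone PowerShell script, added here as an example (not Caisey's own code or output); the process-name pattern, executable name and the per-user install roots it searches are assumptions.

```powershell
# Added example (not Caisey's own code): reproduce the registry / process /
# filesystem check for a per-user PUP on one endpoint. Names and paths are assumed.
$ProductPattern = 'Wave'           # matched against uninstall DisplayName
$ProcessPattern = 'wavebrowser*'   # assumed process name stem
$ExeName        = 'wavebrowser.exe' # assumed image name

# 1. Registry: per-machine (64- and 32-bit views) and per-user uninstall keys.
#    A per-user PUP may register only under HKCU, or not at all.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$RegistryHits = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$ProductPattern*" } |
    Select-Object DisplayName, Publisher, InstallLocation, PSPath

# 2. Processes: Win32_Process exposes the on-disk path and parent of each image,
#    which is what tells you the binary lives under a user profile.
$ProcessHits = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like $ProcessPattern } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

# 3. Filesystem: every profile's AppData plus the system-wide Program Files roots.
$ProfileRoots = Get-ChildItem "$env:SystemDrive\Users" -Directory |
    Select-Object -ExpandProperty FullName
$Candidates = foreach ($root in $ProfileRoots) {
    Join-Path $root 'AppData\Local'     # assumed per-user install root
    Join-Path $root 'AppData\Roaming'
}
$Candidates += $env:ProgramFiles, ${env:ProgramFiles(x86)}
$FileHits = foreach ($dir in $Candidates) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter $ExeName -Recurse -Depth 3 -File -ErrorAction SilentlyContinue
    }
}

# Summary of the pattern the case study describes: no uninstall record,
# running processes, binary under a user profile => per-user PUP install.
$UserRoot = "$env:SystemDrive\Users\*"
[pscustomobject]@{
    UninstallEntries   = @($RegistryHits).Count
    RunningProcesses   = @($ProcessHits).Count
    PerUserBinaries    = @($FileHits | Where-Object FullName -like $UserRoot).Count
    SystemWideBinaries = @($FileHits | Where-Object FullName -notlike $UserRoot).Count
}
$RegistryHits; $ProcessHits; $FileHits | Select-Object FullName, LastWriteTime
```

Run it elevated so HKLM and other users' profiles are readable; a non-empty RunningProcesses count with zero UninstallEntries is the signature the technician saw.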
The Critical Follow-Up: Prevention, Not Just Removal
Rather than immediately terminating processes or deleting files, the technician asked a more strategic question: could Caisey prevent reinstallation?
This is where many PUP remediation efforts fail. Uninstalling the software without addressing the delivery mechanism or user behavior typically results in recurrence within days or weeks. Caisey outlined the investigation path: check for scheduled tasks, startup entries, and co-installed software that might serve as a bundler or reinstaller.
The technician clarified the root cause—the user had intentionally installed the software. This shifted the problem from malware-style persistence to policy and control.
Evaluating Application-Control Options
Caisey presented a tiered set of prevention mechanisms appropriate for MSP-managed environments:
AppLocker and Windows Defender Application Control (WDAC)
These native Windows technologies allow explicit blocking by publisher certificate, file name, or hash. For a PUP like Wave Browser, a rule targeting the "Wavesor Software" publisher certificate or the specific executable name would prevent execution even after successful download and per-user installation. Requirements: Windows Pro or Enterprise, with appropriate GPO or Intune deployment.
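The publisher-based AppLocker deny rule described above, as an added example (not Caisey's output or a Microsoft sample). The binary path and the fallback publisher string are assumptions; when the signed file is present the real certificate subject is read from it rather than typed by hand.

```powershell
# Added example (not Caisey's or Microsoft's own tooling): build, dry-run and
# apply a local AppLocker policy that denies the PUP by publisher certificate.
$PupExe = "$env:LOCALAPPDATA\WaveBrowser\wavebrowser.exe"   # assumed location

# Read the signer from the binary so the rule matches the real certificate subject;
# the placeholder below is only for testing the XML when the file is absent.
$PublisherName = 'O=PLACEHOLDER PUBLISHER, C=US'
if (Test-Path $PupExe) {
    $info = Get-AppLockerFileInformation -Path $PupExe
    if ($info.Publisher) { $PublisherName = $info.Publisher.PublisherName }
}

# Caveat: once the Exe collection is enforced, anything not explicitly allowed is
# blocked, so ship the default allow rules with the deny rule. Deny wins on overlap.
$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Wave Browser publisher"
        Description="Blocks the PUP even when installed per-user" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$PublisherName" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyFile = Join-Path $env:TEMP 'deny-wavebrowser.xml'
Set-Content -Path $PolicyFile -Value $Policy -Encoding UTF8

# Dry run: confirm the decision for the PUP binary before touching the live policy.
if (Test-Path $PupExe) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $PupExe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
# Apply locally (-Merge keeps existing rules). Enforcement needs the Application
# Identity service running; for fleet rollout import the same XML via GPO or Intune.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

Expect PolicyDecision to read Denied for the PUP path in the dry run; test the merged policy in audit mode on a pilot group before enforcing it client-wide.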
Standard User Privileges
Demoting the user from local administrator would block many system-wide installers. Caisey correctly flagged the limitation: this specific PUP installs per-user without elevation, so privilege reduction alone would not stop it.
Software Restriction Policies and GPO Blacklists
The legacy "Do not run specified Windows applications" policy can block by executable name. Simple to implement but easily bypassed if the distributor renames the file.
Microsoft Defender SmartScreen
Already active on most modern Windows systems, SmartScreen should flag this installer. However, a user who intends to install the software can simply click through the warning, so SmartScreen alone does not stop intentional installations.
Mapping to MSP-Grade Security Tools
The technician then asked about third-party solutions purpose-built for this scenario. Caisey categorized the relevant product landscape:
- **EDR/EPP platforms** (CrowdStrike Falcon, SentinelOne, Sophos Intercept X, Microsoft Defender for Endpoint) support custom indicator blocking by hash, certificate, or publisher
- **Dedicated application-control tools** (ThreatLocker, PolicyPak) operate on default-deny or granular allowlist models, specifically designed to stop unauthorized executables including per-user installs
- **DNS and web filtering** (Cisco Umbrella, Webroot) intercept downloads at the network layer before execution
For MSPs without existing application-control capabilities, Caisey noted ThreatLocker's popularity in the MSP channel due to its default-deny architecture and policy-based approval workflows—aligning closely with how MSPs already manage change control.
Where Caisey Fits in the MSP Workflow
Throughout this session, Caisey served as an interactive endpoint investigation layer with three characteristics particularly valuable to MSPs:
- **Contextual execution**: Every command ran against the specific endpoint in session, with results returned in natural language alongside raw output—reducing context-switching between RMM consoles, PowerShell sessions, and documentation.
- **Approval-aware operation**: The technician explicitly held action at multiple points ("don't do anything yet"). Caisey respected these boundaries, providing analysis and recommendations without autonomous remediation that might bypass client change-control processes.
- **Audit-record generation**: The complete command sequence, outputs, and decision points were captured in the session transcript—creating a defensible record for client reporting, compliance documentation, or technician training.
Key Takeaways for MSP Operators
- **Per-user PUP installations evade traditional inventory**: Registry-based software audits miss Click-to-Run Office deployments and per-user PUPs alike. Live endpoint inspection through Caisey closes this visibility gap.
- **Removal without prevention is temporary**: Always investigate persistence mechanisms and user intent before cleaning. The appropriate control depends on whether the software is self-propagating or user-installed.
- **Native Windows controls are underutilized**: AppLocker and WDAC require Pro/Enterprise licensing and policy infrastructure, but provide robust execution blocking at no additional licensing cost.
- **EDR application control is the scalable MSP path**: If already deployed, custom indicator blocking in your existing endpoint security stack is the fastest route to org-wide prevention. Dedicated tools like ThreatLocker fill gaps for MSPs building application-control practices from scratch.
- **Document the decision chain**: Caisey's session transcripts capture the technical reasoning, alternatives considered, and explicit approval holds that protect both the MSP and the client when prevention policies affect user workflow.
For MSPs managing diverse client environments, this workflow demonstrates how conversational endpoint access can accelerate triage, improve recommendation quality, and maintain the audit discipline that distinguishes professional services from break-fix operations.