That is not what potentially unwanted program means. It simply means it is a program that displays behaviors that may mean it's unwanted by the user.
"A PUP (potentially unwanted program) is a program that may be unwanted, despite the possibility that users consented to download it. PUPs include spyware, adware, and dialers, and are often downloaded in conjunction with a program that the user wants."
A PUP is only a threat if you don't trust the entity who developed it. It is potentially something you didn't want. It doesn't have the potential to turn from something you do want to something you don't. It will be what it is. If you want it now, you'll want it later, unless your wants change. It isn't going to morph into something it isn't already. Our products aren't security risks nor do we put any third party spyware in our install process like a lot of companies do but because they interface with many different parts of the OS many antivirus flag certain .dlls as PUPs sometimes. It's called a false positive. It's very common with a lot of legitimate software.
The kind of behavior you are talking about requires extremely advanced programming and isn't delivered by viruses. It's delivered in rootkits. Feel free to wiki that stuff. Super interesting.
Essentially, you are the head of security and your antivirus is your security staff. Every time your staff runs across something they think is fishy they will come and ask you if they should do anything about it or not. Some staff you can hire are really suspicious. They worry about every little sound they hear, every guest that comes over. Some are a little more lax. They ignore more and bother you less. Some staff make decisions to exclude guests without even asking you, and they do so really quietly. They don't even mention they refused someone access. These usually interfere with installation and use of some safe programs. It's up to you what kind of staff you want to hire. But, at the end of the day you are the head of security. If you know where a guest came from and you trust the person who sent them over then you can tell your security staff they it's ok for them to be on the premises.
I can say with full confidence that nothing delivered in an install of TurboCAD is a security risk, malware or potentially dangerous. Viruses simply don't work like that. Any contact with Russia is due to the fact that our software is written in Russia by Russian programmers who get all the error reports. They are really nice guys, not criminals. I talk to them often. Dave Taylor just got back from visiting them for a week about a month ago. They aren't dropping zero day exploits in the software or anything like that. Besides, if the Ruskies wanted to infiltrate US cyber defenses using a CAD program it wouldn't be TurboCAD. AutoDesk has a lock on the infrastructure market.