Posted on 01-19-2015 11:57 AM
AdwareMedic works great for removing adware. I found that Sophos does deal with some of the adware. Does anyone know of anti-virus software, or the like, that can actively prevent adware from being installed? Looking for another hammer to take care of these pesky annoyances.
Thanks!
Ed
Posted on 01-19-2015 12:40 PM
I wish I had some recommendations. The problem seems to have exploded in the last 2 months in my environment.
Posted on 01-19-2015 01:30 PM
We use ESET in a test bed of Macs so far and love it.
Posted on 01-20-2015 05:40 AM
I wish I had a better answer for you. We also have been seeing a huge uptick in the amount of Adware installed on our systems. We make Adware Medic available in Self Service and have been instructing our users how to use it to clean their systems.
I use the restricted process to block the execution (not necessarily the installation) of some of the NuisanceWare out there like MacKeeper and TuneUpMyMac, because these are just apps that are very easy to block the execution of. For other Adware like Geneio, Downlite, VidX, and VSearch, it's harder to block said execution. I've written some EAs to look for the installation of some of this software so I at least have some idea where it's installed, but my detection methods are not complete nor foolproof, and still require the running of Adware Medic. I wonder if Tom Reed would share his Adware Medic code with us, so I could reverse-engineer his app to create an EA or series of EAs that scan for everything in his excellent app...
The bottom line is that Adware for our platform isn't going away and the best thing we can do is continue to teach our end-users to be careful about what they install. User education is the only surefire solution.
It's getting better though. The makers of Downlite recently stepped over the arbitrary line with Apple and had their software added to the XProtect list in December. Sophos has also started to detect some of this Adware as true malware (like Geneio). If we continue to report these Adwares as malware to Apple, Sophos, and others, our tools and methods of detection will improve.
Posted on 01-20-2015 05:46 AM
Sophos has been detecting Geneio for a while; it's a pain because it doesn't remove it, from what I can tell.
Are you guys supporting users as administrators? Except for Geneio, we haven't seen any of this and I'm wondering if that's why. Our XProtect update is off as well.
Posted on 01-20-2015 06:11 AM
Yes, almost all of our users are admins. And most of this Adware is installed alongside (mostly) legitimate installers. Unscrupulous websites will take free software like MPlayerX and bundle it alongside their Adware installer, so the end-user gets MPlayerX but also Geneio, or Downlite, etc. Part of the user education of which I speak is teaching people to be observant and aware of the state of their system and to not install software from untrusted places. We'd have anarchy if we restricted GateKeeper to only App Store purchases, so then must deal with the consequences--Adwareapalooza.
Posted on 01-20-2015 06:46 AM
Hey @damienbarrett, do you mind posting your EAs for what you have completed? Much appreciated my friend!
Posted on 01-20-2015 07:35 AM
I would also be interested in seeing what you've come up with for EAs @damienbarrett. Although I don't think we have a big problem with adware where I am, I'll admit that we aren't actively looking for any of this stuff. I might be surprised by what a search in our JSS would turn up, but hopefully not.
That said, I have a feeling this is one of those topics that I need to get better educated in, as there seem to be more and more of this crapware coming out all the time. Such is the result of the Mac becoming more mainstream I suppose.
It does seem like user education is the only real way to stop this stuff, but if we can at least run reports, get better detection of what is being installed, etc. we can take some actions.
Incidentally, I just downloaded the latest Adware Medic just to try it out. I'm getting an immediate NilObject exception error when trying to run a scan. From everything I've read here, this app works, but it doesn't seem to work for me :( I guess I will report it to the developer.
Posted on 01-20-2015 07:38 AM
Mostly, they are just searches for specific files on /. All based on the excellent work and documentation over at Tom Reed's TheSafeMac. http://www.thesafemac.com/arg-identification/
Example, for Geneio. (Remember that I'm mostly just scanning for presence of the AdWare, not to remove it; although I suppose I could begin to work on a type of automated AdWare removal tool based on AdwareMedic).
Geneio:
#!/bin/bash
# Genieo creates /private/etc/launchd.conf, which a clean OS X install does not have
[ -f /private/etc/launchd.conf ] && echo "<result>Found</result>" || echo "<result>Not found</result>"
Downlite:
#!/usr/bin/env bash
file="/Library/LaunchDaemons/Jack.plist"
# The result tags must be quoted, otherwise the shell treats < and > as redirections
if [[ -e "$file" ]]; then
echo "<result>yes</result>"
else
echo "<result>no</result>"
fi
Posted on 01-20-2015 07:46 AM
I've started blacklisting nefarious websites on our web filter to see if that helps. Found a list of some annoying websites to start with here: https://sites.google.com/site/appleclubfhs/support/advice-and-articles/browser-popup-hijack-safari Better to get a firewall block message than a frustrating YOUR LAPTOP IS ABOUT TO BLOW UP!!! message. Also hoping it prevents people installing the ad/malware in the first place.
Posted on 01-20-2015 07:54 AM
I'd hope web filters should already block a lot of these URLs. I just submitted this list of URLs to ours (iboss) so they can update ones they had uncategorized. Better to crowd source so all of their customers benefit.
Posted on 01-20-2015 08:07 AM
Thanks for the info guys. I do have three EAs set up to search for a few adware installs, and based on info from AdwareMedic I created some scripts that the end users can run to remove the adware. Educating the end users sounds like the best option at this point.
Posted on 01-20-2015 08:34 AM
Based on the interest shown in this thread, I'm going to be expanding my EAs for Adware detection. @elund, will you share your scripts for removal? (Why re-invent the wheel.)
Posted on 01-20-2015 08:58 AM
I'm still learning how to write scripts, so these may need some help.
Trovi-
#!/bin/bash
# Get the username of the currently logged in user
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
###
#
# Description: Casper extension attribute that checks whether Trovi is
# detected.
#
###
# Paths under the user's home must be in double quotes so that $loggedInUser expands;
# inside single quotes the literal string "$loggedInUser" is tested and never matches.
if [[ -d "/Users/$loggedInUser/Trovi" ]] || [[ -e '/Library/LaunchDaemons/com.perion.searchprotectd.plist' ]] || [[ -e "/Users/$loggedInUser/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin" ]] || [[ -e '/Library/LaunchAgents/palmall-1-2_updater.plist' ]] || [[ -e '/Library/LaunchAgents/palmall-1-2_updater.sh' ]] || [[ -d '/Library/PrivilegedHelperTools/Jack' ]] || [[ -e '/Library/LaunchAgents/palmall-1-2.ver' ]]; then
resultString="Trovi detected."
else
resultString="Trovi not detected."
fi
echo "<result>$resultString</result>"
exit 0
VSearch-
#!/bin/bash
###
#
# Description: Casper extension attribute that checks whether VSearch is
# detected.
#
if [[ -d '/Library/Application Support/VSearch' ]] || [[ -e '/Library/LaunchAgents/com.vsearch.agent.plist' ]] || [[ -e '/Library/LaunchDaemons/com.vsearch.daemon.plist' ]] || [[ -e '/Library/LaunchDaemons/com.vsearch.helper.plist' ]] || [[ -e '/Library/LaunchDaemons/jack.plist' ]] || [[ -d '/Library/PrivilegedHelperTools/Jack' ]] || [[ -e '/System/Library/Frameworks/VSearch.framework' ]]; then
resultString="VSearch detected."
else
resultString="VSearch not detected."
fi
echo "<result>$resultString</result>"
exit 0
Conduit-
#!/bin/bash
# Get the username of the currently logged in user
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Description: Casper extension attribute that checks whether Conduit is detected.
# Double quotes are required so that $loggedInUser expands in the home-directory paths.
if [[ -d "/Users/$loggedInUser/Conduit" ]] || [[ -e "/Users/$loggedInUser/Library/LaunchAgents/com.crossrider.wss002505.agent.plist" ]] || [[ -e "/Users/$loggedInUser/Library/LaunchAgents/com.webhelper.plist" ]] || [[ -e "/Users/$loggedInUser/Library/LaunchAgents/com.webtools.update.agent.plist" ]] ; then
resultString="Conduit detected"
else
resultString="Conduit not detected"
fi
echo "<result>$resultString</result>"
exit 0
Genieo-
#!/bin/bash
###
#
# Description: Casper extension attribute that checks whether Genieo is detected.
#
###
if [[ -a '/Applications/Genieo.app' ]] || [[ -a '/Applications/Uninstall Genieo.app' ]] || [[ -a '/Applications/Uninstall IM Completer.app' ]] || [[ -a '/Applications/InstallMac.app' ]] || [[ -e '/Library/LaunchAgents/com.genieoinnovation.macextension.plist' ]] ; then
resultString="Genieo detected"
else
resultString="Genieo not detected"
fi
echo "<result>$resultString</result>"
exit 0
& part 2 of Genieo
#!/bin/bash
###
#
# Description: Casper extension attribute that checks whether Genieo 2nd part is detected.
#
###
if [[ -a '/Library/Frameworks/GenieoExtra.framework' ]] ; then
resultString="Genieo 2nd part detected"
else
resultString="Genieo 2nd part not detected"
fi
echo "<result>$resultString</result>"
exit 0
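A consolidated version of these checks, added here as an example and not one of the scripts posted in the thread. The indicator paths are the ones the EAs above test; the grouping by family, the sweep over every home directory under /Users (the scripts above only look at the console user, so adware installed by a user who is currently logged out is missed) and the `root` argument, which exists only so the scan can be pointed at a test tree, are additions. It is written for Python 3, whereas the thread's scripts target the Python 2 that shipped with OS X at the time.

```python
#!/usr/bin/env python3
"""Jamf/Casper extension attribute: which adware families have left files behind.

Added example, not one of the scripts from the thread. Indicator paths come
from the EAs above; the family grouping, the sweep over every home directory
under /Users and the `root` argument (for pointing the scan at a test tree)
are additions.
"""
import os
import sys

# Indicators keyed by family. A path starting with "~/" is checked in every
# local home directory, not only the console user's, because adware installed
# by one user stays on the machine after someone else logs in.
INDICATORS = {
    "Genieo": [
        "/Applications/Genieo.app",
        "/Applications/InstallMac.app",
        "/Library/LaunchAgents/com.genieoinnovation.macextension.plist",
        "/Library/Frameworks/GenieoExtra.framework",
        "~/Library/LaunchAgents/com.genieo.completer.update.plist",
    ],
    "VSearch": [
        "/Library/Application Support/VSearch",
        "/Library/LaunchDaemons/com.vsearch.daemon.plist",
        "/Library/LaunchDaemons/Jack.plist",
        "/Library/PrivilegedHelperTools/Jack",
    ],
    "Conduit": [
        "/Library/LaunchDaemons/com.perion.searchprotectd.plist",
        "~/Conduit",
        "~/Library/LaunchAgents/com.crossrider.wss002505.agent.plist",
        "~/Library/LaunchAgents/com.webhelper.plist",
    ],
    "Trovi": [
        "~/Trovi",
        "~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin",
        "~/Library/LaunchAgents/palmall-1-2_updater.plist",
    ],
}


def local_homes(root="/"):
    """Every directory under <root>/Users except Shared and hidden entries."""
    users_dir = os.path.join(root, "Users")
    if not os.path.isdir(users_dir):
        return []
    return [os.path.join(users_dir, name)
            for name in sorted(os.listdir(users_dir))
            if name != "Shared" and not name.startswith(".")
            and os.path.isdir(os.path.join(users_dir, name))]


def expand(indicator, root="/"):
    """Concrete paths to test for one indicator, relocated under `root`."""
    if indicator.startswith("~/"):
        return [os.path.join(home, indicator[2:]) for home in local_homes(root)]
    # os.path.join discards `root` if the second part is absolute, so strip the "/"
    return [os.path.join(root, indicator.lstrip("/"))]


def scan(indicators=INDICATORS, root="/"):
    """Return {family: [paths present]} for each family with at least one hit.

    lexists() is used so that a dangling symlink left behind still counts.
    """
    found = {}
    for family, paths in indicators.items():
        hits = [p for ind in paths for p in expand(ind, root) if os.path.lexists(p)]
        if hits:
            found[family] = hits
    return found


def ea_result(found):
    """Format for the JSS: one family name per line inside <result> tags."""
    if not found:
        return "<result>No adware detected</result>"
    return "<result>" + "\n".join(sorted(found)) + "</result>"


if __name__ == "__main__":
    print(ea_result(scan(root=sys.argv[1] if len(sys.argv) > 1 else "/")))
```

Because the result lists family names one per line, a smart group can key on "like Conduit" or "like VSearch" instead of needing one EA per family.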
Posted on 01-20-2015 09:04 AM
Here are scripts to remove the Adware-
Conduit-
#!/bin/bash
#This will remove the Conduit virus pieces. It does require a restart of the system.
# Get the username of the currently logged in user. When Casper runs this script it runs
# as root, so "~" would be root's home, not the user's.
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
userHome="/Users/$loggedInUser"
sudo rm -rf /Library/InputManagers/CTLoader/
sudo rm -f /Library/LaunchAgents/com.conduit.loader.agent.plist
sudo rm -f /Library/LaunchDaemons/com.perion.searchprotectd.plist
# Paths containing spaces must be quoted or rm sees two separate arguments
sudo rm -rf "/Library/Application Support/SIMBL/Plugins/CT2285220.bundle"
sudo rm -rf "/Library/Application Support/Conduit/"
sudo rm -rf /Applications/SearchProtect.app
sudo rm -rf /Applications/SearchProtect/
sudo rm -rf "$userHome/Library/Application Support/Conduit/"
sudo rm -rf "$userHome/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin"
sudo rm -rf "$userHome/Conduit/"
sudo rm -f "$userHome/Library/LaunchAgents/com.crossrider.wss002505.agent.plist"
sudo rm -rf "$userHome/Library/LaunchAgents/WebSocketServerApp"
sudo rm -f "$userHome/Library/LaunchAgents/com.webhelper.plist"
sudo rm -f "$userHome/Library/LaunchAgents/com.webtools.update.agent.plist"
sudo rm -rf "$userHome/Library/Application Support/webHelperApp"
sudo rm -rf "$userHome/Library/WebTools"
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit 0
Genieo part one-
#!/bin/bash
# Get the username of the currently logged in user
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
#This will remove the Genieo pieces. It does require a restart of the system.
sudo rm -f /private/etc/launchd.conf
# .app bundles are directories, so they need -rf; paths with spaces must be quoted
sudo rm -rf /Applications/Genieo.app
sudo rm -rf /Applications/InstallMac.app
sudo rm -rf "/Applications/Uninstall Genieo.app"
sudo rm -rf "/Applications/Uninstall IM Completer.app"
sudo rm -rf "/Users/$loggedInUser/Library/Application Support/com.genieoinnovation.Installer"
sudo rm -rf "/Users/$loggedInUser/Library/Application Support/Genieo/"
sudo rm -f "/Users/$loggedInUser/Library/LaunchAgents/com.genieo.completer.download.plist"
sudo rm -f "/Users/$loggedInUser/Library/LaunchAgents/com.genieo.completer.update.plist"
sudo rm -f "/Users/$loggedInUser/Library/LaunchAgents/com.genieo.completer.ltvbit.plist"
sudo rm -f /Library/LaunchAgents/com.genieoinnovation.macextension.plist
sudo rm -f /Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
sudo rm -f /Library/LaunchAgents/com.genieo.engine.plist
sudo rm -f /Library/LaunchAgents/com.genieo.completer.update.plist
sudo rm -f /Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
sudo rm -f /Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
sudo rm -f /usr/lib/libgenkit.dylib
sudo rm -f /usr/lib/libgenkitsa.dylib
sudo rm -f /usr/lib/libimckit.dylib
sudo rm -f /usr/lib/libimckitsa.dylib
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit 0
Genieo part two, runs at login
#!/bin/bash
#This will remove the Genieo pieces. It does require a restart of the system.
# A .framework is a directory, so rm -f alone would not remove it
sudo rm -rf /Library/Frameworks/GenieoExtra.framework
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
exit 0
Trovi-
#!/bin/bash
#This will remove the Trovi virus pieces. It does require a restart of the system.
# Get the username of the currently logged in user; "~" would be root's home when run from Casper
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
userHome="/Users/$loggedInUser"
sudo rm -f /Library/LaunchDaemons/com.perion.searchprotectd.plist
sudo rm -rf "$userHome/Trovi"
sudo rm -rf "$userHome/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin"
sudo rm -f "$userHome/Library/Safari/Extensions/searchExt.safariextz"
sudo rm -f "$userHome/Library/Safari/Extensions/searchme.safariextz"
sudo rm -f "$userHome/Library/Safari/Extensions/palmall-1-2.safariextz"
sudo rm -f "$userHome/Library/Safari/Extensions/Omnibar-2.safariextz"
sudo rm -f "$userHome/Library/LaunchAgents/palmall-1-2_updater.plist"
sudo rm -f "$userHome/Library/LaunchAgents/palmall-1-2_updater.sh"
sudo rm -f "$userHome/Library/LaunchAgents/palmall-1-2.ver"
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit 0
VSearch-
#!/bin/bash
#This will remove the V-Search virus pieces. It does require a restart of the system.
# Get the username of the currently logged in user; "~" would be root's home when run from Casper
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
userHome="/Users/$loggedInUser"
sudo rm -rf "/Library/Application Support/VSearch"
sudo rm -f /Library/LaunchAgents/com.vsearch.agent.plist
sudo rm -f /Library/LaunchDaemons/com.vsearch.daemon.plist
sudo rm -f /Library/LaunchDaemons/com.vsearch.helper.plist
sudo rm -f /Library/LaunchDaemons/Jack.plist
sudo rm -rf /Library/PrivilegedHelperTools/Jack
sudo rm -rf /System/Library/Frameworks/VSearch.framework
sudo rm -rf "$userHome/Library/Application Support/MPlayerX"
sudo rm -f /Applications/MPlayerX
## sudo rm -rf "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions/opdpamfhblfneelhonneggbfmiekhocl"
## sudo rm -rf "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions/glnjcddbgikodiblgodmdibdkhgkcnkl"
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit 0
Posted on 01-20-2015 09:40 AM
What I would like to see:
All end user installations initiate the creation of a pre-post snapshot.
List of items installed creates an index.
Auto generation of removal script.
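One way the three steps above could be implemented, added here as an example and not a tool anyone in the thread has posted: index the direct children of the locations the EAs and removal scripts in this thread touch, diff the index from before and after the user runs the installer, and turn the difference into a removal script in which launchd jobs are unloaded before their files are deleted and every path is shell-quoted. The `root` and `user_homes` arguments are there so the functions can be exercised against a test tree; on a real machine they default to `/`.

```python
#!/usr/bin/env python3
"""Pre/post install snapshot -> index of new items -> generated removal script.

Added example for the idea above; not a tool from the thread. The watched
locations are the ones the EAs and removal scripts in this thread touch.
"""
import os
import shlex

SYSTEM_LOCATIONS = [
    "/Applications",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Library/PrivilegedHelperTools",
    "/Library/Application Support",
    "/Library/Frameworks",
    "/Library/InputManagers",
    "/Library/Internet Plug-Ins",
    "/usr/lib",
    "/private/etc/launchd.conf",
]
USER_LOCATIONS = [
    "Library/LaunchAgents",
    "Library/Application Support",
    "Library/Internet Plug-Ins",
    "Library/Safari/Extensions",
]


def watched_paths(root="/", user_homes=()):
    """System locations plus the per-user ones inside each given home."""
    paths = [os.path.join(root, p.lstrip("/")) for p in SYSTEM_LOCATIONS]
    for home in user_homes:
        paths += [os.path.join(home, p) for p in USER_LOCATIONS]
    return paths


def snapshot(paths):
    """Index: direct children of each watched directory, plus watched files.

    One level is enough: a new .app, .plist or support folder shows up as a
    single entry, which is exactly the unit the removal script should delete.
    """
    index = set()
    for p in paths:
        if os.path.isfile(p):
            index.add(p)
        elif os.path.isdir(p):
            index.update(os.path.join(p, name) for name in os.listdir(p))
    return index


def new_items(before, after):
    """Sorted list of entries present after the install but not before."""
    return sorted(after - before)


def is_launchd_plist(path):
    parent = os.path.basename(os.path.dirname(path))
    return path.endswith(".plist") and parent in ("LaunchAgents", "LaunchDaemons")


def removal_script(items):
    """Bash that unloads any new launchd jobs first, then deletes every item.

    Every path is shell-quoted, so names with spaces ("Application Support")
    cannot split into several rm arguments. Plain launchctl unload of a
    LaunchAgent only works inside that user's session; from a root context
    wrap the line in `launchctl asuser <uid>`.
    """
    lines = ["#!/bin/bash",
             "# Generated from a pre/post install snapshot; review before running.",
             "set -u"]
    for p in items:
        if is_launchd_plist(p):
            lines.append("launchctl unload -w %s 2>/dev/null || true" % shlex.quote(p))
    for p in items:
        lines.append("rm -rf %s" % shlex.quote(p))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Take a snapshot, let the user run the installer, then take another.
    before = snapshot(watched_paths())
    input("Run the installer now, then press Return... ")
    added = new_items(before, snapshot(watched_paths()))
    print(removal_script(added))
```

The generated script is deliberately printed rather than executed: an installer that also drops a legitimate helper (the bundled MPlayerX mentioned earlier in the thread, say) would appear in the diff too, so an admin should read the list before it runs.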
Posted on 01-21-2015 11:11 AM
@TSOAFTVPPC - That's a great idea.
Posted on 03-25-2015 10:44 AM
Posted on 03-25-2015 11:34 AM
That's me!
Posted on 03-25-2015 11:41 AM
I'll have to read through all of this stuff to add to my script. Nice work folks!
Posted on 03-25-2015 12:23 PM
@adamcodega @scraig I like! Thanks for building/posting!
Posted on 03-25-2015 02:06 PM
@elund I would like to add my thanks (to you)! I stole... uh, borrowed these and they are running nicely in our environment.
Posted on 03-26-2015 06:17 AM
I just wrote a v1 of my own extension attribute to identify adware. Primary difference with this is that it pulls the adware signatures directly from AdwareMedic's website so it should keep itself up to date. Additionally it only imports OS so you shouldn't ever need to distribute any dependencies for it to work. I have a few more things that I need to work on to handle everything but right now this will parse 99% of what AdwareMedic does. I have not built in removal just yet.
#!/usr/bin/python
import os

# Username of the console (logged-in) user
user = os.popen("/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'").read().strip()
signatures = os.popen("curl -s http://www.adwaremedic.com/signatures.xml").readlines()
found = []

for line in signatures:
    if "<adware name=" in line:
        adware = line.split('"')[1]
        print "Checking for " + adware
    elif 'type="path"' in line and "havingContent" not in line:
        # The item text sits between the opening tag's ">" and "</item>"
        item = line.split("</item>")[0].split(">")[1]
        if "relativeTo=" in line:
            path = line.split('relativeTo="')[1].split('"')[0]
            if path == "home":
                path = "/Users/" + user + "/" + item
        else:
            path = item
        # Items with a "." in the name are treated as files, everything else as directories
        if "." in path:
            hit = os.path.isfile(path)
        else:
            hit = os.path.isdir(path)
        if hit and adware not in found:
            found.append(adware)

if found:
    print "<result>" + "\n".join(found) + "</result>"
else:
    print "<result>No adware detected</result>"
Posted on 03-26-2015 06:43 AM
here's something that was posted in the IRC channel yesterday...
Posted on 03-26-2015 06:51 AM
Thank you Shea for your EA and Adware-removal tool. I've just implemented pieces of it in my environment this morning. I'm opting to send my end-users to Self Service to install and run Adware Medic (as we have training around this already in place), but the EA for detection of Adware is very useful.
Edit: That'll teach me not to preview before commenting. The EA that jesseshipley wrote that checks against AdwareMedic's signatures file is even better for my environment, as we already train around our users running Adware Medic. This will help me to detect the Adware and then throw up a message to prompt them to go run Adware Medic. I'm considering using Yo for this but for now will just use jamfmessage.
Posted on 03-26-2015 07:21 AM
Nice work on that EA @jesseshipley! I'm testing it now, and although thankfully its reporting no adware on my systems, this looks really good. I love that its using the signatures from Adware Medic's site. I'll admit I never even knew there was such a signature xml file or I might have looked into doing exactly what your EA is doing. But no sense reinventing anything. Thanks for posting it.
@scraig's post on the detection and removal process is also quite useful.
As I've said elsewhere, I don't think we have a significant problem with Adware in our environment, but I'm really looking to get ahead of this in case we start to see it become an issue, so both of your posts will be very helpful in that regard.
Posted on 03-26-2015 07:24 AM
Thanks @mm2270, truth is that XML file isn't publicly mentioned any place I've seen. I found it by doing a pcap while AdwareMedic was launched the first time to see where it grabbed its updates from. Turned out to be an XML file. I'm pretty sure the EA should work moving forward fairly well, as the AdwareMedic app is coded to use that format, so it is unlikely the format of the XML would change unless the app were rewritten. I should have an updated version of the EA today hopefully though that handles the final 1% of stuff.
Posted on 03-26-2015 08:40 AM
For those using AutoPkg, I noticed that there were not .pkg or .jss recipes available for AdwareMedic. I've now addressed that by adding AdwareMedic recipes:
https://github.com/autopkg/rtrouton-recipes/tree/master/AdwareMedic
https://github.com/autopkg/rtrouton-recipes/blob/master/JSS/AdwareMedic.jss.recipe
Posted on 03-26-2015 11:20 AM
Posted on 03-26-2015 11:57 AM
Updated my script to parse a bit more of the AdwareMedic signatures. Again, should cover about 99% of stuff still as almost all things leave behind more than just one kind of file.
#!/usr/bin/python
import os

# Username of the console (logged-in) user. "~" would be root's home when the EA runs from the JSS.
user = os.popen("/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'").read().strip()
signatures = os.popen("curl -s http://www.adwaremedic.com/signatures.xml").readlines()
found = []


def present(path, item):
    # Items with a "." in the name are treated as files, everything else as directories
    if "." in item:
        return os.path.isfile(path)
    return os.path.isdir(path)


for line in signatures:
    if "<adware name=" in line:
        adware = line.split('"')[1]
        print "Checking for " + adware
    elif 'type="path"' in line and "havingContent" not in line:
        # Optional items are not proof on their own, and one hit per adware is enough
        if 'optional="true"' in line or adware in found:
            continue
        item = line.split("</item>")[0].split(">")[1]
        paths = []
        if "relativeTo=" in line:
            anchor = line.split('relativeTo="')[1].split('"')[0]
            if anchor == "home":
                paths = ["/Users/" + user + "/" + item]
            elif anchor == "ffprofile":
                profiles = "/Users/" + user + "/Library/Application Support/Firefox/Profiles"
                if os.path.isdir(profiles):
                    paths = [os.path.join(profiles, p, item) for p in os.listdir(profiles)]
        else:
            paths = [item]
        for path in paths:
            if present(path, item):
                found.append(adware)
                break

if found:
    print "<result>" + "\n".join(found) + "</result>"
else:
    print "<result>No adware detected</result>"
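The two versions of this EA parse the signature file line by line with string splitting, which works only as long as each `<item>` stays on one line. The block below is an added example (not the thread's script and not AdwareMedic's code) that does the same job with a real XML parser. The element and attribute names it understands (`<adware name>`, `<item type="path" relativeTo="home|ffprofile" optional="true" havingContent="...">`) are inferred from the strings the script above matches; SAMPLE_XML is constructed here for illustration and is not the real signature file, and reading `havingContent` as "the file must contain this string" is an assumption, since the script above simply skips such items. Home-relative items are checked for every local user rather than only the console user.

```python
#!/usr/bin/env python3
"""Check a machine against an AdwareMedic-style signatures file with a real XML parser.

Added example, not the thread's script. The element and attribute names
(<adware name>, <item type="path" relativeTo="home|ffprofile" optional="true"
havingContent="...">) are inferred from the strings the script above matches;
SAMPLE_XML is constructed for illustration and is not the real signature file.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the inferred format (not real AdwareMedic data).
SAMPLE_XML = """<signatures>
  <adware name="ExampleSearch">
    <item type="path">/Library/LaunchDaemons/com.example.search.plist</item>
    <item type="path" relativeTo="home">Library/LaunchAgents/com.example.agent.plist</item>
    <item type="path" relativeTo="home" optional="true">Library/Caches/com.example</item>
    <item type="path" relativeTo="ffprofile">extensions/search@example.org.xpi</item>
  </adware>
  <adware name="LaunchdConfHijack">
    <item type="path" havingContent="libexample.dylib">/private/etc/launchd.conf</item>
  </adware>
</signatures>
"""


def local_homes(root="/"):
    users_dir = os.path.join(root, "Users")
    if not os.path.isdir(users_dir):
        return []
    return [os.path.join(users_dir, n) for n in sorted(os.listdir(users_dir))
            if n != "Shared" and not n.startswith(".")]


def firefox_profiles(home):
    profiles = os.path.join(home, "Library", "Application Support", "Firefox", "Profiles")
    if not os.path.isdir(profiles):
        return []
    return [os.path.join(profiles, p) for p in sorted(os.listdir(profiles))]


def candidate_paths(item, root="/"):
    """Concrete paths an <item> refers to, for every local user where relevant."""
    text = (item.text or "").strip()
    anchor = item.get("relativeTo")
    if anchor is None:
        return [os.path.join(root, text.lstrip("/"))]
    if anchor == "home":
        return [os.path.join(h, text) for h in local_homes(root)]
    if anchor == "ffprofile":
        return [os.path.join(p, text) for h in local_homes(root) for p in firefox_profiles(h)]
    return []  # unknown anchor: skip rather than guess


def item_matches(item, root="/"):
    if item.get("type") != "path":
        return False  # only path items are handled here
    if item.get("optional") == "true":
        return False  # optional items are not evidence on their own
    needle = item.get("havingContent")  # ASSUMPTION: "file must contain this string"
    for path in candidate_paths(item, root):
        if not os.path.lexists(path):
            continue
        if needle is None:
            return True
        if os.path.isfile(path):
            with open(path, "rb") as f:
                if needle.encode() in f.read():
                    return True
    return False


def scan(xml_text, root="/"):
    """Names of every <adware> with at least one matching item."""
    tree = ET.fromstring(xml_text)
    return sorted(a.get("name") for a in tree.iter("adware")
                  if any(item_matches(i, root) for i in a.findall("item")))


def ea_result(names):
    if not names:
        return "<result>No adware detected</result>"
    return "<result>" + "\n".join(names) + "</result>"


if __name__ == "__main__":
    # Signature file from the command line (fetched separately, over a channel
    # you trust), falling back to the constructed sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(ea_result(scan(xml_text)))
```

The script above pulls the signature file with curl over plain http at every inventory run. Whoever can tamper with that download decides which paths the EA reports and, if the same list is ever fed to a removal step, which paths get deleted, so fetch it over a verified channel and treat its contents as untrusted input rather than a list of things to rm.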
Posted on 04-13-2015 06:39 AM
I wanted to add on that I've got SavingThrow pretty much done here. It can report back as an Extension Attribute, as well as remove Adware files.
It can be configured to use as few or as many "Adware Definition Files" as you want, a simple XML format, to determine what to report on or remove. These files can be hosted on the internet (I have mine all as GitHub gists.)
It will also unload launchd agents and daemons, and kill running processes if they're in the ADF.
Finally, it can, in addition to removal, do a "quarantine" where it zips up all of the files to backup folder so admins can later poke around and see what was found.
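The removal sequence described here (unload the launchd jobs, kill the processes, zip everything into a backup folder, then delete) is also what the bash removal scripts posted earlier in the thread are missing: they rm the files while the agents that own them may still be running. The block below is an added example of that sequence and is neither SavingThrow's code nor one of the thread's scripts. The `run` parameter exists only so the launchctl and pkill calls can be captured in a test instead of executed; the process name in the usage call at the bottom is assumed for illustration.

```python
#!/usr/bin/env python3
"""Quarantine-then-remove for adware files: unload launchd jobs, kill processes,
zip every file into a backup folder, then delete the originals.

Added example, not SavingThrow's code and not one of the removal scripts above.
The `run` parameter exists so the launchctl/pkill calls can be captured in a
test instead of executed.
"""
import os
import shutil
import subprocess
import time
import zipfile


def is_launchd_plist(path):
    parent = os.path.basename(os.path.dirname(path))
    return path.endswith(".plist") and parent in ("LaunchAgents", "LaunchDaemons")


def unload_commands(paths):
    """launchctl unload for every launchd plist in the list. Daemons unload as
    root; agents live in the user's session, so wrap with `launchctl asuser`."""
    return [["launchctl", "unload", "-w", p] for p in paths if is_launchd_plist(p)]


def kill_commands(process_names):
    """pkill -x matches the exact process name, so "Genieo" cannot take down an
    unrelated process whose name merely contains that string."""
    return [["pkill", "-x", name] for name in process_names]


def quarantine(paths, dest_dir, stamp=None):
    """Archive every existing path into dest_dir/adware-<stamp>.zip, then delete it.

    Returns (archive_path, removed_paths). Symlinks are unlinked but never
    followed: a planted link could otherwise pull an arbitrary file into the
    quarantine archive, and rmtree refuses to operate on a symlinked directory.
    """
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, "adware-%s.zip" % stamp)
    removed = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            if not os.path.lexists(p):
                continue
            if os.path.islink(p):
                os.unlink(p)
            elif os.path.isdir(p):
                for dirpath, _, files in os.walk(p):
                    for name in files:
                        full = os.path.join(dirpath, name)
                        if not os.path.islink(full):
                            zf.write(full, full.lstrip("/"))
                shutil.rmtree(p)
            else:
                zf.write(p, p.lstrip("/"))
                os.remove(p)
            removed.append(p)
    return archive, removed


def remove_adware(paths, process_names, dest_dir, run=subprocess.run):
    """Order matters: stop the jobs and processes first, or a still-running
    agent can recreate files while they are being deleted."""
    for cmd in unload_commands(paths) + kill_commands(process_names):
        run(cmd)  # non-zero exit (job not loaded, no such process) is expected
    return quarantine(paths, dest_dir)


if __name__ == "__main__":
    # Usage with the VSearch paths from this thread; run as root.
    archive, removed = remove_adware(
        ["/Library/LaunchDaemons/com.vsearch.daemon.plist",
         "/Library/LaunchAgents/com.vsearch.agent.plist",
         "/Library/Application Support/VSearch",
         "/Library/PrivilegedHelperTools/Jack"],
        ["VSearch"],  # ASSUMED process name, for illustration only
        "/Library/Application Support/AdwareQuarantine")
    print("archived %d item(s) to %s" % (len(removed), archive))
```

Keeping the zip rather than deleting outright also gives you a sample to send to Apple or your AV vendor, which the earlier posts in this thread point out is how XProtect and Sophos signatures get added.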
Posted on 04-14-2015 11:08 AM
@scraig can you post some info about how to setup the JSS to report and do the arguments?
Posted on 04-14-2015 12:06 PM
@jwojda I think this link should cover what you're looking for.
http://labs.da.org/wordpress/sheagcraig/2015/03/25/how-we-are-removing-adware/
I've got it set up and detecting machines, but I'm a little wary of using it for removals without testing it just yet. Anyone have suggestions on an easy way to get various adwares and test it out? My users never remember where they got the infections.
Posted on 04-14-2015 12:20 PM
it is, but I was looking at the saving throw that replaced it. No sense in putting in old methods :) is it the same?
Posted on 04-14-2015 12:33 PM
It was when I implemented it. I'm using the SavingGrace in the same manner.
Posted on 04-14-2015 12:52 PM
doh
Update: All you reckless folks using 9.7 already, guess what? The "Execute Command" described below doesn't work. Stand by for a way to do this using a script that is bulletproof.
Posted on 10-12-2015 09:17 PM
@jesseshipley thanks for your Adware Medic script. It has been very useful. Do you have an update for the updated Malwarebytes Anti-Malware definitions xml?
Posted on 11-04-2015 02:35 PM
Came to ask the same thing as @appleconvert.
Looking at SavingThrow too though...
Posted on 11-05-2015 03:59 AM
All good work, but if you already pay for a solution (you mentioned Sophos), then hassle them with a request. They do Adware detection for Windows, but don't bother for Mac!
If you want the details:
Reckon we should all be demanding a discount if they continue to not bother. But that is the problem. They aren't going to bother unless enough people put in the request. Disappointing they don't see it as a necessity.
Posted on 02-16-2016 07:43 PM
I am working to implement @scraig 's procedure. Amazing work. So far, I have the EA working, and devices are starting to hop into my smart group. Any suggestions or changes for JSS 9.81?