Question

Adware Prevention?

  • January 19, 2015
  • 41 replies
  • 146 views


  • Contributor
  • March 26, 2015

Thanks @mm2270, truth is that XML file isn't publicly mentioned any place I've seen. I found it by doing a pcap while AdwareMedic was launched the first time to see where it grabbed its updates from. Turned out to be an XML file. I'm pretty sure the EA should work moving forward fairly well, as the AdwareMedic app is coded to use that format, so it is unlikely the format of the XML would change unless the app were rewritten. I should have an updated version of the EA today, hopefully, that handles the final 1% of stuff.


  • Hall of Fame
  • March 26, 2015

For those using AutoPkg, I noticed that there were no .pkg or .jss recipes available for AdwareMedic. I've now addressed that by adding AdwareMedic recipes:

https://github.com/autopkg/rtrouton-recipes/tree/master/AdwareMedic

https://github.com/autopkg/rtrouton-recipes/blob/master/JSS/AdwareMedic.jss.recipe


elliotjordan
  • Valued Contributor
  • March 26, 2015

You're doing good work, @scraig and @rtrouton!


  • Contributor
  • March 26, 2015

Updated my script to parse a bit more of the AdwareMedic signatures. Again, should cover about 99% of stuff still as almost all things leave behind more than just one kind of file.

#!/usr/bin/python
# Jamf extension attribute: check the AdwareMedic signature list against the
# console user's home, their Firefox profiles, and absolute paths.
from __future__ import print_function
import os
import pwd
import subprocess

# Home of whoever owns /dev/console (the logged-in user), not of the account
# running the EA, which is usually root.
console = pwd.getpwuid(os.stat("/dev/console").st_uid)
home = console.pw_dir

# NOTE: the list is fetched over plain HTTP with no integrity check, so
# anyone on the network path can feed this EA whatever signatures they like.
signatures = subprocess.check_output(
    ["curl", "-s", "http://www.adwaremedic.com/signatures.xml"]
).decode("utf-8").splitlines()


def item_path(line):
    """Text between <item ...> and </item> on one line of the XML."""
    return line.split("</item>")[0].split(">")[1]


def present(path):
    """Original heuristic: a '.' in the path means a file, otherwise a directory."""
    if "." in path:
        return os.path.isfile(path)
    return os.path.isdir(path)


found = []
adware = None

for line in signatures:
    if "<adware name=" in line:
        adware = line.split('"')[1]
        print("Checking for " + adware)
        continue
    # Only plain path items; content-matching items are not handled here.
    if 'type="path"' not in line or "havingContent" in line:
        continue
    if 'optional="true"' in line or adware in found:
        continue

    candidates = []
    if "relativeTo=" in line:
        relative_to = line.split('relativeTo="')[1].split('"')[0]
        if relative_to == "home":
            candidates.append(os.path.join(home, item_path(line)))
        elif relative_to == "ffprofile":
            profiles = os.path.join(home, "Library/Application Support/Firefox/Profiles")
            if os.path.isdir(profiles):
                for profile in os.listdir(profiles):
                    candidates.append(os.path.join(profiles, profile, item_path(line)))
    else:
        candidates.append(item_path(line))

    if any(present(path) for path in candidates):
        found.append(adware)

if found:
    print("<result>" + "\n".join(found) + "</result>")
else:
    print("<result>No adware detected</result>")
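
The same check with a real XML parser, as an added example that is not from the post above or from AdwareMedic. It assumes only the element and attribute names the EA script string-matches on (`adware name`, `item type="path"`, `relativeTo`, `optional`, `havingContent`); the `<signatures>` root element, the sample signature list and the seeded directory tree are constructed for this example, and it is Python 3 rather than the system Python 2 the EA runs under.

```python
#!/usr/bin/env python3
"""Check an AdwareMedic-style signature list against a filesystem (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the shape the EA script expects: <adware name=...>
# wrapping <item type="path" relativeTo="home|ffprofile" optional="true">.
# The <signatures> root and the havingContent attribute are assumptions.
SAMPLE_SIGNATURES = """\
<signatures>
  <adware name="FakeAdware">
    <item type="path" relativeTo="home">Library/Application Support/FakeAdware</item>
    <item type="path" relativeTo="home" optional="true">Library/Caches/FakeAdware</item>
    <item type="path">/Library/LaunchAgents/com.fakeadware.plist</item>
  </adware>
  <adware name="ProfileHijacker">
    <item type="path" relativeTo="ffprofile">extensions/hijack@example.xpi</item>
  </adware>
  <adware name="ContentMatch">
    <item type="path" havingContent="evil" relativeTo="home">Library/Preferences/x.plist</item>
  </adware>
</signatures>
"""


def parse_signatures(xml_text):
    """Return {adware_name: [item dicts]} for every type="path" item."""
    root = ET.fromstring(xml_text)
    sigs = {}
    for adware in root.iter("adware"):
        items = []
        for item in adware.findall("item"):
            if item.get("type") != "path":
                continue
            items.append({
                "path": (item.text or "").strip(),
                "relative_to": item.get("relativeTo"),
                "optional": item.get("optional") == "true",
                "content_match": item.get("havingContent") is not None,
            })
        sigs[adware.get("name")] = items
    return sigs


def candidate_paths(item, home, root="/"):
    """Expand one item to the absolute paths to test on this machine."""
    rel = item["path"]
    if item["relative_to"] is None:
        return [os.path.join(root, rel.lstrip("/"))]
    if item["relative_to"] == "home":
        return [os.path.join(home, rel)]
    if item["relative_to"] == "ffprofile":
        profiles = os.path.join(home, "Library", "Application Support", "Firefox", "Profiles")
        if not os.path.isdir(profiles):
            return []
        return [os.path.join(profiles, p, rel) for p in sorted(os.listdir(profiles))]
    return []


def detect(sigs, home, root="/"):
    """Names of adware with at least one required path item present.

    lexists handles files, directories and dangling symlinks alike, so no
    'a dot means a file' guess; content-matching items are skipped as in the EA.
    """
    found = []
    for name, items in sigs.items():
        for item in items:
            if item["optional"] or item["content_match"]:
                continue
            if any(os.path.lexists(p) for p in candidate_paths(item, home, root)):
                found.append(name)
                break
    return sorted(found)


def demo():
    """Seed a throwaway tree (constructed) so the check runs offline, then detect."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "Users", "alice")
    os.makedirs(os.path.join(home, "Library", "Application Support", "FakeAdware"))
    ext_dir = os.path.join(home, "Library", "Application Support", "Firefox",
                           "Profiles", "abc.default", "extensions")
    os.makedirs(ext_dir)
    open(os.path.join(ext_dir, "hijack@example.xpi"), "w").close()
    return detect(parse_signatures(SAMPLE_SIGNATURES), home, root=base)


if __name__ == "__main__":
    hits = demo()
    print("<result>" + ("\n".join(hits) if hits else "No adware detected") + "</result>")
```

Parsing the document rather than each line means an item split across lines, or with its attributes in a different order, still gets checked. Pointing `root` and `home` at a scratch tree is also the easy way to exercise the EA logic without seeding a real Mac.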

  • New Contributor
  • April 13, 2015

I wanted to add on that I've got SavingThrow pretty much done here. It can report back as an Extension Attribute, as well as remove adware files.

It can be configured to use as few or as many "Adware Definition Files" as you like, a simple XML format, to determine what to report on or remove. These files can be hosted on the internet (I have mine all as GitHub gists.)

It will also unload launchd agents and daemons, and kill running processes if they're in the ADF.

Finally, it can, in addition to removal, do a "quarantine" where it zips up all of the files to a backup folder so admins can later poke around and see what was found.
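
The quarantine step, as an added example and not SavingThrow's own code: given the paths a detection pass returned, it zips them (symlinks stored as their target text, never followed), writes a manifest, deletes the originals only after the archive is closed, and builds the `launchctl unload` command for any LaunchAgent or LaunchDaemon plist among them. The sample tree and plist are constructed for the example; nothing about the ADF format is assumed, the functions take plain paths.

```python
#!/usr/bin/env python3
"""Quarantine detected adware paths before removing them (added example)."""
import os
import plistlib
import shutil
import tempfile
import zipfile
from datetime import datetime


def unload_commands(paths):
    """launchctl argv for every LaunchAgent/LaunchDaemon plist in paths.

    plistlib is used only to skip files that are not real launchd jobs;
    run each returned command with subprocess.call() on the Mac itself,
    before the plist is quarantined.
    """
    cmds = []
    for path in paths:
        if not path.endswith(".plist") or not os.path.isfile(path):
            continue
        if "/LaunchAgents/" not in path and "/LaunchDaemons/" not in path:
            continue
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
        if "Label" in job:
            cmds.append(["launchctl", "unload", "-w", path])
    return cmds


def _archive_one(zf, path):
    """Add one file or symlink. A symlink is stored as its target text so
    the archive never pulls in a file the adware merely pointed at."""
    name = path.lstrip("/")
    if os.path.islink(path):
        zf.writestr(name + ".symlink", os.readlink(path))
    else:
        zf.write(path, name)
    return path


def quarantine(paths, backup_dir, stamp=None):
    """Zip every existing path (files, symlinks, whole directory trees) into
    backup_dir with a manifest, then delete the originals.
    Returns (archive_path, list_of_archived_paths)."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(backup_dir, "quarantine-%s.zip" % stamp)
    entries = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in paths:
            if not os.path.lexists(path):
                continue
            if os.path.isdir(path) and not os.path.islink(path):
                for dirpath, _, files in os.walk(path):
                    for f in files:
                        entries.append(_archive_one(zf, os.path.join(dirpath, f)))
            else:
                entries.append(_archive_one(zf, path))
        zf.writestr("MANIFEST.txt", "\n".join(entries) + "\n")
    # Remove only after the archive is closed and fully written to disk.
    for path in paths:
        if os.path.islink(path) or os.path.isfile(path):
            os.remove(path)
        elif os.path.isdir(path):
            shutil.rmtree(path)
    return archive, entries


def demo():
    """Constructed tree: one LaunchAgent plist and one support directory."""
    base = tempfile.mkdtemp()
    agent = os.path.join(base, "Library", "LaunchAgents", "com.example.fakeadware.plist")
    os.makedirs(os.path.dirname(agent))
    with open(agent, "wb") as fh:
        plistlib.dump({"Label": "com.example.fakeadware", "RunAtLoad": True}, fh)
    support = os.path.join(base, "Library", "Application Support", "FakeAdware")
    os.makedirs(support)
    with open(os.path.join(support, "agent.bin"), "w") as fh:
        fh.write("constructed payload\n")
    paths = [agent, support]
    cmds = unload_commands(paths)  # compute before the files are gone
    archive, entries = quarantine(paths, os.path.join(base, "Quarantine"), stamp="demo")
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
    return {"commands": cmds, "entries": entries, "names": names,
            "removed": not any(os.path.lexists(p) for p in paths)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Ordering matters here: unload the launchd job and kill the process first, then archive, then delete, otherwise a still-running agent can recreate the files you just removed, and a delete before a successful archive loses the only evidence of what was on the machine.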


ImAMacGuy
  • Esteemed Contributor
  • April 14, 2015

@scraig can you post some info about how to setup the JSS to report and do the arguments?


  • Honored Contributor
  • April 14, 2015

@jwojda I think this link should cover what you're looking for.

http://labs.da.org/wordpress/sheagcraig/2015/03/25/how-we-are-removing-adware/

I've got it set up and detecting machines, but I'm a little wary of using it for removals without test just yet. Anyone have suggestions on an easy way to get various adwares and test it out? My users never remember where they got the infections.


ImAMacGuy
  • Esteemed Contributor
  • April 14, 2015

It is, but I was looking at the SavingThrow that replaced it. No sense in putting in old methods :) Is it the same?


  • Honored Contributor
  • April 14, 2015

It was when I implemented it. I'm using the SavingGrace in the same manner.


ImAMacGuy
  • Esteemed Contributor
  • April 14, 2015

doh

Update: All you reckless folks using 9.7 already, guess what? The "Execute Command" described below doesn't work. Stand by for a way to do this using a script that is bulletproof.

  • Contributor
  • October 13, 2015

@jesseshipley thanks for your Adware Medic script. It has been very useful. Do you have an update for the updated Malwarebytes Anti-Malware definitions xml?


  • Valued Contributor
  • November 4, 2015

Came to ask the same thing as @appleconvert.

Looking at SavingThrow too though...


  • Contributor
  • November 5, 2015

All good work, but if you already pay for a solution (you mentioned Sophos), then hassle them with a request. They do adware detection for Windows, but don't bother for Mac!

If you want the details:

Sophos Thread

Reckon we should all be demanding a discount if they continue to not bother. But that is the problem. They aren't going to bother unless enough people put in the request. Disappointing they don't see it as a necessity.


  • New Contributor
  • February 17, 2016

I am working to implement @scraig 's procedure. Amazing work. So far, I have the EA working, and devices are starting to hop into my smart group. Any suggestions or changes for JSS 9.81?


  • Contributor
  • April 20, 2018

Is anyone still using SavingThrow? Is it better just to have everyone run MalwareBytes?


  • Esteemed Contributor
  • April 20, 2018

@mpenrod I was just looking into this. The main problem is that none of the ADF files have been updated in 2+ years. This makes me think it's going to be of limited use. Apple used to publish a list of definitions, which the default ADF file was created from. They've since replaced this page with generic information about malware.

https://github.com/SavingThrows/AdwareDefinitionFiles
https://support.apple.com/en-us/ht203987