Adware Prevention?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-19-2015 11:57 AM
AdwareMedic works great for removing adware. I found that Sophos does deal with some of the adware. Does anyone know of anti-virus software, or the like, that can actively prevent adware from being installed? Looking for another hammer to take care of these pesky annoyances.
Thanks!
Ed
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-19-2015 12:40 PM
I wish I had some recommendations. The problem seems to have exploded in the last 2 months in my environment.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-19-2015 01:30 PM
We use ESET in a test bed of macs so far and love it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 05:40 AM
I wish I had a better answer for you. We also have been seeing a huge uptick in the amount of Adware installed on our systems. We make Adware Medic available in Self Service and have been instructing our users how to use it to clean their systems.
I use the restricted process to block the execution (not necessarily the installation) of some of the NuisanceWare out there like MacKeeper and TuneUpMyMac, because these are just apps that are very easy to block the execution of. For other Adware like Geneio, Downlite, VidX, and VSearch, it's harder to block said execution. I've written some EA's to look for the installation of some of this software so I at least have some idea where it's installed, but my detection methods are not complete nor foolproof, and still requires the running of Adware Medic. I wonder if Tom Reed would share his Adware Medic code with us, so I could reverse-engineer his app to create an EA or series of EAs that scan for everything in his excellent app...
The bottom line is that Adware for our platform isn't going away and the best thing we can do is continue to teach our end-users to be careful about what they install. User education is the only surefire solution.
It's getting better though. The makers of Downlite recently stepped over the arbitrary line with Apple and had their software added to the XProtect list in December. Sophos has also started to detect some of this Adware as true malware (like Geneio). If we continue to report these Adwares as malware to Apple, Sophos, and others, our tools and methods of detection will improve.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 05:46 AM
Sophos has been detecting Geneio for awhile, it's a pain because it doesn't remove it from what I can tell.
Are you guys supporting users as administrators? Except Geneio, we haven't seen any of this and wondering if that's why. Our xprotect update is off as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 06:11 AM
Yes, almost all of our users are admins. And most of this Adware is installed alongside (mostly) legitimate installers. Unscrupulous websites will take free software like MPlayerX and bundle it alongside their Adware installer, so the end-user gets MPlayerX but also Geneio, or Downlite, etc. Part of the user education of which I speak is teaching people to be observant and aware of the state of their system and to not install software from untrusted places. We'd have anarchy if we restricted GateKeeper to only App Store purchases, so then must deal with the consequences--Adwareapalooza.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 06:46 AM
Hey @damienbarrett do you mind posting your EA's for what you have completed? Much appreciated my friend!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 07:35 AM
I would also be interested in seeing what you've come up with for EAs @damienbarrett. Although I don't think we have a big problem with adware where I am, I'll admit that we aren't actively looking for any of this stuff. I might be surprised of what a search in our JSS would turn up, but hopefully not.
That said, I have a feeling this is one of those topics that I need to get better educated in, as there seem to be more and more of this crapware coming out all the time. Such is the result of the Mac becoming more mainstream I suppose.
It does seem like user education is the only real way to stop this stuff, but if we can at least run reports, get better detection of what is being installed, etc. we can take some actions.
Incidentally, I just downloaded the latest Adware Medic just to try it out. I'm getting an immediate NilOjbect exception error when trying to run a scan. From everything I've read here, this app works, but doesn't seem to work for me :( I guess I will report it to the developer.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 07:38 AM
Mostly, they are just searches for specific files on /. All based on the excellent work and documentation over at Tom Reed's TheSafeMac. http://www.thesafemac.com/arg-identification/
Example, for Geneio. (Remember that I'm mostly just scanning for presence of the AdWare, not to remove it; although I suppose I could begin to work on a type of automated AdWare removal tool based on AdwareMedic).
Geneio:
#!/usr/bin/bash
[ -f /private/etc/launchd.conf ] && echo "Found" || echo "Not found"
Downlite:
#!/usr/bin/env bash
file="/Library/LaunchDaemons/Jack.plist"
if [[ -e $file ]]; then
echo <result>yes</result>
elif [[ ! -e $file ]]; then
echo <result>no</result>
fi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 07:46 AM
I've starting blacklisting nefarious websites on our web filter to see if that helps. Found a list of some annoying websites to start with here https://sites.google.com/site/appleclubfhs/support/advice-and-articles/browser-popup-hijack-safari Better to get a Firewall block message than a frustrating YOUR LAPTOP IS ABOUT TO BLOW UP!!! message. Also hoping it prevents people installing the ad/malware in the first place.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 07:54 AM
I'd hope web filters should already block a lot of these URLs. I just submitted this list of URLs to ours (iboss) so they can update ones they had uncategorized. Better to crowd source so all of their customers benefit.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 08:07 AM
Thanks for the info guys. I do have three EA's set up to search for a few adware installs, and based on info from AdwareMedic I created some scripts that the end users can run to remove the adware. Educating the end users sounds like the best option at this point.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 08:34 AM
Based on the interest shown in this thread, I'm going to be expanding my EA's for Adware detection. @elund, will you share your scripts for removal? (Why re-invent the wheel).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 08:58 AM
I'm still learning how to write scripts, so these may need some help.
Trovi-
#!/bin/bash
# Get the username of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
###
#
# Description: Casper extension attribute that checks whether Trovi is
# detected.
#
###
if [[ -d '/Users/$loggedInUser/Trovi' ]] || [[ -e '/Library/LaunchDaemons/com.perion.searchprotectd.plist' ]] || [[ -e '/Users/$loggedInUser/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin' ]] || [[ -e '/Library/LaunchAgents/palmall-1-2_updater.plist' ]] || [[ -e '/Library/LaunchAgents/palmall-1-2_updater.sh' ]] || [[ -d '/Library/PrivilegedHelperTools/Jack' ]] || [[ -e '/Library/LaunchAgents/palmall-1-2.ver' ]]; then
resultString="Trovi detected."
else
resultString="Trovi not detected."
fi
echo "<result>$resultString</result>"
exit 0
VSearch-
#!/bin/bash
###
#
# Description: Casper extension attribute that checks whether VSearch is
# detected.
#
if [[ -d '/Library/Application Support/VSearch' ]] || [[ -e '/Library/LaunchAgents/com.vsearch.agent.plist' ]] || [[ -e '/Library/LaunchDaemons/com.vsearch.daemon.plist' ]] || [[ -e '/Library/LaunchDaemons/com.vsearch.helper.plist' ]] || [[ -e '/Library/LaunchDaemons/jack.plist' ]] || [[ -d '/Library/PrivilegedHelperTools/Jack' ]] || [[ -e '/System/Library/Frameworks/VSearch.framework' ]]; then
resultString="VSearch detected."
else
resultString="VSearch not detected."
fi
echo "<result>$resultString</result>"
exit 0
Conduit-
#!/bin/bash
# Get the username of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
# Description: Casper extension attribute that checks whether Conduit is detected.
if [[ -d '/Users/$loggedInUser/Conduit' ]] || [[ -e '/Users/$loggedInUser/Library/LaunchAgents/com.crossrider.wss002505.agent.plist' ]] || [[ -e '/Users/$loggedInUser/Library/LaunchAgents/com.webhelper.plist' ]] || [[ -e '/Users/$loggedInUser/Library/LaunchAgents/com.webtools.update.agent.plist' ]] ; then
resultString="Conduit detected"
else
resultString="Conduit not detected"
fi
echo "<result>$resultString</result>"
exit 0
Genio-
#!/bin/bash
###
#
# Description: Casper extension attribute that checks whether Genieo is detected.
#
###
if [[ -a '/Applications/Genieo.app' ]] || [[ -a '/Applications/Uninstall Genieo.app' ]] || [[ -a '/Applications/Uninstall IM Completer.app' ]] || [[ -a '/Applications/InstallMac.app' ]] || [[ -e '/Library/LaunchAgents/com.genieoinnovation.macextension.plist' ]] ; then
resultString="Genieo detected"
else
resultString="Genieo not detected"
fi
echo "<result>$resultString</result>"
exit 0
& part 2 of Genio
#!/bin/bash
###
#
# Description: Casper extension attribute that checks whether Genieo 2nd part is detected.
#
###
if [[ -a '/Library/Frameworks/GenieoExtra.framework' ]] ; then
resultString="Genieo 2nd part detected"
else
resultString="Genieo 2nd part not detected"
fi
echo "<result>$resultString</result>"
exit 0
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 09:04 AM
Here are scripts to remove the Adware-
Conduit-
#!/bin/bash
#This will remove the Conduit virus pieces. It does require a restart of the system.
sudo rm -rf /Library/InputManagers/CTLoader/
sudo rm -f /Library/LaunchAgents/com.conduit.loader.agent.plist
sudo rm -f /Library/LaunchDaemons/com.perion.searchprotectd.plist
sudo rm -rf /Library/Application Support/SIMBL/Plugins/CT2285220.bundle
sudo rm -rf /Library/Application Support/Conduit/
sudo rm -rf /Applications/SearchProtect.app
sudo rm -rf /Applications/SearchProtect/
Sudo rm -rf ~/Library/Application Support/Conduit/
sudo rm -f ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
sudo rm -rf ~/Conduit/
sudo rm -f ~/Library/LaungAgents/com.crossrider.wss002505.agent.plist
sudo rm -rf ~/Library/LaunchAgents/WebSocketServerApp
sudo rm -f ~/Library/LaunchAgents/com.webhelper.plist
sudo rm -f ~/Library/LaunchAgents/com.webtools.update.agent.plist
sudo rm -rf ~/Library/Application Support/webHelperApp
sudo rm -rf ~/Library/WebTools
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit
Genio part one-
#!/bin/bash
# Get the username of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
#This will remove the Genieo pieces. It does require a restart of the system.
sudo rm -f /private/etc/launchd.conf
sudo rm -f /Applications/Genieo.app
sudo rm -f /Applications/InstallMac.app
sudo rm -f /Applications/Uninstall Genieo.app
sudo rm -f /Applications/Uninstall IM Completer.app
sudo rm -rf /Users/$loggedInUser/Library/Application Support/com.genieoinnovation.Installer
sudo rm -rf /Users/$loggedInUser/Library/Application Support/Genieo/
sudo rm -f /Users/$loggedInUser/Library/LaunchAgents/com.genieo.completer.download.plist
sudo rm -f /Users/$loggedInUser/Library/LaunchAgents/com.genieo.completer.update.plist
sudo rm -f /Users/$loggedInUser/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
sudo rm -f /Library/LaunchAgents/com.genieoinnovation.macextension.plist
sudo rm -f /Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
sudo rm -f /Library/LaunchAgents/com.genieo.engine.plist
sudo rm -f /Library/LaunchAgents/com.genieo.completer.update.plist
sudo rm -f /Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
sudo rm -f /Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
sudo rm -f /usr/lib/libgenkit.dylib
sudo rm -f /usr/lib/libgenkitsa.dylib
sudo rm -f /usr/lib/libimckit.dylib
sudo rm -f /usr/lib/libimckitsa.dylib
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit 0
Genio part two, runs at login
#!/bin/bash
#This will remove the Genieo pieces. It does require a restart of the system.
sudo rm -f /Library/Frameworks/GenieoExtra.framework
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
exit 0
Trovi-
#!/bin/bash
#This will remove the Trovi virus pieces. It does require a restart of the system.
sudo rm -f /Library/LaunchDaemons/com.perion.searchprotectd.plist
sudo rm -rf ~/Trovi
sudo rm -f ~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
sudo rm -f ~/Library/Safari/Extensions/searchExt.safariextz
sudo rm -f ~/Library/Safari/Extensions/searchme.safariextz
sudo rm -f ~/Library/Safari/Extensions/palmall-1-2.safariextz
sudo rm -f ~/Library/Safari/Extensions/Omnibar-2.safariextz
sudo rm -f ~/Library/LaunchAgents/palmall-1-2_updater.plist
sudo rm -f ~/Library/LaunchAgents/palmall-1-2_updater.sh
sudo rm -f ~/Library/LaunchAgents/palmall-1-2.ver
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit
VSearch-
#!/bin/bash
#This will remove the V-Search virus pieces. It does require a restart of the system.
sudo rm -rf /Library/Application Support/VSearch
sudo rm -f /Library/LaunchAgents/com.vsearch.agent.plist
sudo rm -f /Library/LaunchDaemons/com.vsearch.daemon.plist
sudo rm -f /Library/LaunchDaemons/com.vsearch.helper.plist
sudo rm -f /Library/LaunchDaemons/Jack.plist
sudo rm -rf /Library/PrivilegedHelperTools/Jack
sudo rm -rf /System/Library/Frameworks/VSearch.framework
sudo rm -rf ~/Library/Application Support/MPlayerX
sudo rm -f /Applications/MPlayerX
## sudo rm -rf /Users/$3/Library/Application Support/Google/Chrome/Default/Extensions/opdpamfhblfneelhonneggbfmiekhocl
## sudo rm -rf /Users/$3/Library/Application Support/Google/Chrome/Default/Extensions/glnjcddbgikodiblgodmdibdkhgkcnkl
sudo jamf setHomePage -homepage "http://www.webpage.com" -feu
sudo jamf recon
exit
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 09:40 AM
What I would like to see:
All end user installations initiate the creation of a pre-post snapshot.
List of items installed creates an index.
Auto generation of removal script.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-21-2015 11:11 AM
@TSOAFTVPPC - That's a great idea.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 10:44 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 11:34 AM
That's me!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 11:41 AM
I'll have to read through all of this stuff to add to my script. Nice work folks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 12:23 PM
@adamcodega @scraig I like! Thanks for building/posting!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 02:06 PM
@elund I would like to add my thanks (to you)! I stole... uh, borrowed these and they are running nicely in our environment.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 06:17 AM
I just wrote a v1 of my own extension attribute to identify adware. Primary difference with this is that it pulls the adware signatures directly from AdwareMedic's website so it should keep itself up to date. Additionally it only imports OS so you shouldn't ever need to distribute any dependencies for it to work. I have a few more things that I need to work on to handle everything but right now this will parse 99% of what AdwareMedic does. I have not built in removal just yet.
#!/usr/bin/python
import os
user = os.popen("echo $(ls -la /dev/console | cut -d " " -f 4)").read().split("
")[0]
signatures = os.popen("curl http://www.adwaremedic.com/signatures.xml").readlines()
result = "<result>"
for line in signatures:
if "<adware name=" in line:
adware = line.split('"')[1]
print "Checking for " + adware
else:
if "type="path"" in line and "havingContent" not in line:
if "relativeTo=" in line:
path = line.split("relativeTo="")[1].split(""")[0]
if path == "home":
path = "/Users/" + user + "/" + line.split("</item>")[0].split(">")[1]
if "." in path:
if os.path.isfile(path) and adware not in result:
result = result + adware + "
"
else:
if os.path.isdir(path) and adware not in result:
result = result + adware + "
"
else:
path = line.split("</item>")[0].split(">")[1]
if "." in path:
if os.path.isfile(path) and adware not in result:
result = result + adware + "
"
else:
if os.path.isdir(path) and adware not in result:
result = result + adware + "
"
if result == "<result>":
print result + "No adware detected</result>"
else:
print result[:-1] + "</result>"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 06:43 AM
here's something that was posted in the IRC channel yesterday...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 06:51 AM
Thank you Shea for your EA and Adware-removal tool. I've just implemented pieces of it in my environment this morning. I'm opting to send my end-users to Self Service to install and run Adware Medic (as we have training around this already in place), but the EA for detection of Adware is very useful.
Edit: That'll teach me not to preview before commenting. The EA that jesseshipley wrote that checks against AdwareMedic's signatures file is even better for my environment, as we already train around our users running Adware Medic. This will help me to detect the Adware and then throw up a message to prompt them to go run Adware Medic. I'm considering using Yo for this but for now will just use jamfmessage.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 07:21 AM
Nice work on that EA @jesseshipley! I'm testing it now, and although thankfully its reporting no adware on my systems, this looks really good. I love that its using the signatures from Adware Medic's site. I'll admit I never even knew there was such a signature xml file or I might have looked into doing exactly what your EA is doing. But no sense reinventing anything. Thanks for posting it.
@scraig's post on the detection and removal process is also quite useful.
As I've said elsewhere, I don't think we have a significant problem with Adware in our environment, but I'm really looking to get ahead of this in case we start to see it become an issue, so both of your posts will be very helpful in that regard.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 07:24 AM
Thanks @mm2270, truth is that XML file isn't publicly mentioned any place I've seen. I found it by doing a pcap while AdwareMedic was launched the first time to see where it grabbed its updates from. Turned out to be an XML file. I'm pretty sure the EA should work moving forward fairly well as the AdwareMedic app is coded to us that format so it is unlikely the format of the XML would change unless the app were rewritten. I should have an updated version of the EA today hopefully though that handles the final 1% of stuff.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 08:40 AM
For those using AutoPkg, I noticed that there were not .pkg or .jss recipes available for AdwareMedic. I've now addressed that by adding AdwareMedic recipes:
https://github.com/autopkg/rtrouton-recipes/tree/master/AdwareMedic
https://github.com/autopkg/rtrouton-recipes/blob/master/JSS/AdwareMedic.jss.recipe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 11:20 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 11:57 AM
Updated my script to parse a bit more of the AdwareMedic signatures. Again, should cover about 99% of stuff still as almost all things leave behind more than just one kind of file.
#!/usr/bin/python
import os
user = os.popen("echo $(ls -la /dev/console | cut -d " " -f 4)").read().split("
")[0]
signatures = os.popen("curl http://www.adwaremedic.com/signatures.xml").readlines()
result = "<result>"
for line in signatures:
if "<adware name=" in line:
adware = line.split('"')[1]
print "Checking for " + adware
else:
if "type="path"" in line and "havingContent" not in line:
if "relativeTo=" in line:
path = line.split("relativeTo="")[1].split(""")[0]
if path == "home":
path = "/Users/" + user + "/" + line.split("</item>")[0].split(">")[1]
if "." in path:
if os.path.isfile(path) and "optional="true"" not in line and adware not in result:
result = result + adware + "
"
else:
if os.path.isdir(path) and "optional="true"" not in line and adware not in result:
result = result + adware + "
"
if path == "ffprofile":
ff_profiles = os.popen("echo $(ls ~/Library/Application Support/Firefox/Profiles)").read().split()
for profile in ff_profiles:
path = "/Users/" + user + "/Library/Application Support/Firefox/Profiles/" + profile + "/" + line.split("</item>")[0].split(">")[1]
if "." in line.split("</item>")[0].split(">")[1]:
if os.path.isfile(path) and "optional="true"" not in line and adware not in result:
result = result + adware + "
"
else:
if os.path.isdir(path) and "optional="true"" not in line and adware not in result:
result = result + adware + "
"
else:
path = line.split("</item>")[0].split(">")[1]
if "." in path:
if os.path.isfile(path) and "optional="true"" not in line and adware not in result:
result = result + adware + "
"
else:
if os.path.isdir(path) and "optional="true"" not in line and adware not in result:
result = result + adware + "
"
if result == "<result>":
print result + "No adware detected</result>"
else:
print result[:-1] + "</result>"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-13-2015 06:39 AM
I wanted to add on that I've got SavingThrow pretty much done here. It can report back as an Extension Attribute, as well as remove Adware files.
It can be configured to use as few or as many "Adware Definition Files", which is a simple XML format, to determine what to report on or remove. These files can be hosted on the internet (I have mine all as GitHub gists.)
It will also unload launchd agents and daemons, and kill running processes if they're in the ADF.
Finally, it can, in addition to removal, do a "quarantine" where it zips up all of the files to backup folder so admins can later poke around and see what was found.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-14-2015 11:08 AM
@scraig can you post some info about how to setup the JSS to report and do the arguments?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-14-2015 12:06 PM
@jwojda I think this link should cover what you're looking for.
http://labs.da.org/wordpress/sheagcraig/2015/03/25/how-we-are-removing-adware/
I've got it set up and detecting machines, but I'm a little wary of using it for removals without test just yet. Anyone have suggestions on an easy way to get various adwares and test it out? My users never remember where they got the infections.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-14-2015 12:20 PM
it is, but I was looking at the saving throw that replaced it. No sense in putting in old methods :) is it the same?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-14-2015 12:33 PM
It was when I implemented it. I'm using the SavingGrace in the same manner.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-14-2015 12:52 PM
doh
Update:All you reckless folks using 9.7 already, guess what? The “Execute Command” described below doesn’t work. Stand by for a way to do this using a script that is bulletproof.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-12-2015 09:17 PM
@jesseshipley thanks for your Adware Medic script. It has been very useful. Do you have an update for the updated Malwarebytes Anti-Malware definitions xml?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-04-2015 02:35 PM
Came to ask the same thing as @appleconvert.
Looking at SavingThrow too though...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-05-2015 03:59 AM
All good work, but if you already pay for a solution (you mentioned Sophos), then hassle them with a request. They do Adware detection for Windows, but don't bother for Mac!
If you want the details:
Reckon we should all be demanding a discount if they continue to not bother. But that is the problem. They aren't going to bother unless enough people put in the request. Disappointing they don't see it as a necessity.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-16-2016 07:43 PM
I am working to implement @scraig 's procedure. Amazing work. So far, I have the EA working, and devices are starting to hop into my smart group. Any suggestions or changes for JSS 9.81?