Posted on 05-08-2017 10:45 AM
Reading about the recent malware issue with Handbrake, I was wondering if it's possible to create a smart group in JSS that would include any computers that have “Activity_agent” in the OSX Activity Monitor application.
Has anyone done anything like this?
Posted on 05-08-2017 12:37 PM
Two options. Can you see it with launchctl?
sudo launchctl list
(make sure you do sudo so you see root's processes as that's how jamf will run it) and see if it's listed there. If so, you can create a smart group with "Running Service 'Has' com.name.handbrake".
If it's only as a process, then you need to create an Extension Attribute:
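#!/bin/sh
# Search the full process list for the name, dropping the grep process itself
hazIt=$(ps auxw | grep "Activity_agent" | grep -v grep)
# Quote the variable: unquoted, multi-word ps output makes the test error out
if [ -z "$hazIt" ]; then
    echo "<result>Not on this one</result>"
else
    echo "<result>Has Activity Agent</result>"
fi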
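A variant of the extension attribute above, added here as an example and not part of the original post: it compares the executable name exactly, so a process whose name or arguments merely contain the string is not reported. The function names and the case-sensitive match are assumptions of this example; the process name and the result strings are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): exact-name process check for a
# Jamf extension attribute.

TARGET="Activity_agent"   # process name as given in the thread

# Reads one executable path or name per line on stdin (the shape of
# `ps -axo comm=` output) and succeeds only if some basename equals $1
# exactly. The comparison is case-sensitive (assumption of this example).
has_exact_process() {
    awk -v want="$1" '
        { name = $0; sub(/^.*\//, "", name) }   # strip the directory part
        name == want { found = 1 }
        END { exit !found }
    '
}

# Prints the <result> line that Jamf reads from an extension attribute.
ea_result() {
    if has_exact_process "$TARGET"; then
        echo "<result>Has Activity Agent</result>"
    else
        echo "<result>Not on this one</result>"
    fi
}

# Live check: list only the command column, with no header and no arguments,
# so text in another process's arguments (such as the grep itself) cannot match.
ps -axo comm= 2>/dev/null | ea_result
```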
Posted on 05-08-2017 04:31 PM
Another thing you may want to do is set up a software restriction to kill the process if it tries to spawn on the machine.