List of Restricted apps

rohrt85
New Contributor II

Good Morning everyone!

I am looking for anyone who has a list of their restricted process apps with JSS. I have seen a lot of people have been doing this, and with this being my first year with 1:1 and with JSS, I was looking for some insight or apps that you are blocking in your schools.

With all of this knowledge, going into our second year should be a lot better than this one!

Thanks again everyone


damienbarrett
Valued Contributor

Okay, I'll bite on this one. Here is my list. It changes regularly. Mostly we're blocking P2P, Usenet downloaders (NZB) and Bitcoin. Mavericks installer is in there now, but will be removed once we're done vetting it.

Also killing (and deleting) the common drive-by malware MacKeeper and Genieo.

1 Transmission
2 BitTorrent
3 UTorrent
4 Cabos
5 Frostwire
6 Vuze
7 Acqlite
8 BitRocket
9 Bits on Wheels
10 Mojo
11 Nativa
12 Phex
13 qbbittorrent
14 ShakesPeer
15 Tribler
16 XFactor
17 XTorrent
18 Acquisition
19 all.com
20 Poisoned
21 aMule
22 xDonkey
23 EasyMule
24 iSoul
25 PeerGuardian
27 Tomato Torrent
28 AdmitOne
30 MacKeeper
32 OS X Mavericks
33 BitTorrent Sync
34 Torch
36 BitLord
37 Asteroid
38 Bitcoin-Qt
39 cgminer for Mac OS X
40 Electrum
42 Qt Bitcoin Trader
43 Hive
44 guiminer
45 bfgminer
46 cgminer
47 MacMiner
48 Genieo
49 Unison
50 NZBVortex
51 SABnzbd+
52 Hogwasher
53 MacSoup
54 NZB Drop
55 NZB Vortex
56 SuperNZB
57 Thoth

rohrt85
New Contributor II

Thanks @damienbarrett!! Now all of these have .app at the end of them, correct? I saw the Bitcoin post earlier and would never have thought about that, because I have some students as well that would be trying to do that (because they have been trying to push the right buttons with me from day 1 of the rollout).

damienbarrett
Valued Contributor

Added a few more this weekend after scouring a few of my more industrious users' Applications list:

- MultiBit.app
- Deluge.app
- Litecoin-Qt.app
- dogecoin-qt.app
- TorBrowser.app

At some point, we all realize it's a cat-and-mouse game, and a truly determined student will figure out ways around the software restrictions. But...I can still see what's been installed (even if it's renamed or modified, etc.) and then it becomes even more of a disciplinary issue. If a student is actively trying to circumvent controls we put in place, it goes to a whole new level and the consequences are more severe. For 99% of our AUP violations, these app restrictions act as a first level of warning basically saying, "Knock it off!". If a student persists, we get the Administration and Disciplinary committees involved. It very rarely ever gets to that point.

So, app restrictions are a first line of defense and a pretty good one. Despite the incredible latitude our students have in using their laptops, we look at blocking these apps as ways of protecting our network and our equipment (and to a certain extent, protecting the student from themselves).

jhuls
Contributor III

It would sure be nice if there was a template of sorts that could be shared here and then downloaded and imported for those here that were interested. Why reinvent the wheel by people having to enter all of this in on each casper install if they need it?

damienbarrett
Valued Contributor

@jhuls, you might want to vote up this Feature Request:

https://jamfnation.jamfsoftware.com/featureRequest.html?id=21

david_yenzer
Contributor II

Just wanted to say thanks for sharing your list!

tsivonen
New Contributor II

Please accept my thanks for your work on this list of applications as well.

We have just begun to see Genieo and MacKeeper on our School District's computers. This is the only search result for Genieo. Has any one run these installers with Composer to capture the locations of the changes they create?

damienbarrett
Valued Contributor

http://www.thesafemac.com/arg-genieo/

I've actually been working on a "Nuke Genieo" uninstaller but have hit some snags with file detection in my scripting. When I have a bit more time, I'll get back to it.

Then I'll work on a "Nuke & Pave MacKeeper" uninstaller.

Note that I recently saw a variant of Genieo called "InstallerMac". It was the same shitware, but named differently.

tsivonen
New Contributor II

Hi Damien,

I believe we met at JAMFNation in Oct. The link you have posted is one that I am using to start my work from as well. My scripting skills will need to improve a great deal before I can do more than edit someone else's work to the situation at hand. I do have some excellent mentors that have unique positions; such that they can point out better ways to the solution.

* I do wonder if this topic needs to be posted under a "Malware" title or specific "Genieo" title. Personally I used the search so it didn't affect my research. Maybe JAMF moderators can decide.

Our 1-to-1 deployment includes a killer AppleCare contract. So I have started a Case with them so that it might get enough votes in the grand scheme of AppleCare attention to get developer attention. We'll see.

Thank you again, (For your presentation as well.)

bozemans
New Contributor III

I found an application at "The Safe Mac" that works at detecting and removing Genieo and other malware/adware applications. It isn't perfect...I had to reimage a laptop this weekend...but it is a start...and it's free.

damienbarrett
Valued Contributor

Yeah, I added it as a 3rd-party resource about a week ago.

https://jamfnation.jamfsoftware.com/viewProduct.html?id=358&view=info

I use Adware Medic on a daily basis. I've long been developing an app that will nuke MacKeeper from my users' systems. I doubt that Tom will ever include MacKeeper in his list of detected adware because ZeoBIT has a long history of defending their terrible software (and also for astroturfing positive reviews all over the place and for extremely aggressive and deceptive advertising).

Right now, I simply use a Restricted Application rule to keep MacKeeper from being run on my users' systems. Once I've completed the "Nuke MacKeeper" tool, I'll execute it on a Smart Group for everyone that has it installed.

Edit (for clarification): Any software where the end-user must be tricked or coerced into installing meets my personal definition of malware and will not be allowed on the systems I control. MacKeeper falls into this category.

mm2270
Legendary Contributor III

Agreed on MacKeeper. We had been asked about it here by some users and techs and I was vehement about not allowing that on any of our Macs. While we haven't yet put a Restricted Software item in place to stop it, we may do that. So far searches for it haven't turned it up in our JSS, but given the crazy aggressiveness they use, I don't doubt some user will be fooled into thinking they need it and install it eventually. The tactics they use to promote their crapware are ridiculous.

TomDay
Release Candidate Programs Tester

@damienbarrett quite a comprehensive list, thanks for sharing. I added these to my list, if I had any that you missed I would add them, but none to be found! I voted up the feature request as well. Curious on 2 things if you have time.

  1. How did you "scan" your users' Applications?
  2. Have you had any luck removing browser extensions? We are seeing a high volume of Palmall, Genieo and Truvi.

Thx, Tom

damienbarrett
Valued Contributor

1) I found most of these by good old-fashioned GoogleFu and searching MacUpdate.com for keywords. Download, get the binary name, add it as a restricted process. I do this every month or so and my list has grown a bit since I posted this. If I have time later, I'll re-post my updated list.

About every two months or so, I export the "Installed Applications" list to an Excel spreadsheet and then start Googling to see what kind of gak the kids have installed. It's often very illuminating. You can simply leave the search box blank with Applications selected and search JSS and it'll return everything. Then export, clean, and Google.

2) My approach to fighting off this recent scourge of Adware is multi-fold. Here's how I've been doing it:

  • First and foremost, user education. We've been training (and retraining) our users to be careful about what they install. Every single time I have to clean a machine of Adware, I give a small lecture to the student about being more careful about what they install. I explain how they were probably tricked into installing it and show them how to use Adware Medic to keep their machines clean(er).
  • Adware Medic. This newish tool has really really helped us to fight this plague. It's easy to use and pretty comprehensive. I sometimes send the developer samples of newish malware that I find. I've also sent him money and encourage everyone to do so that's using his donation-ware software.
  • Sophos has begun to list some of this Adware/Malware in its virus definitions listings, like Genieo and Palmall. This has been helping me to detect which machines have some malware and then I can pull them in, or send the user an email telling them to download AdWare Medic from Self Service and scan.
  • For MacKeeper, which is not detected by Sophos or Adware Medic, I've added the binary as a "restricted application" so if a user actually manages to install it, when it attempts to run, the management will kill it, delete it, pop up a message to the end-user, and then email me.
  • For a few of the more gray-area browser extensions (Hola, Tor, Cupcake, etc.), I've written some extension attributes that scan the browsers looking for them. When found, I have a smart group that emails me once one of them is installed and then I can call the end-user in for a conversation about the AUP violation of attempting to bypass our network filter.

What's going to work the best? In my opinion, user education is better than heavy-handed lockdown. Teaching the end-users about being careful about installing software and not using questionable browser extensions will go a lot farther to our end-goal than obtuse and overbearing management. At my school, our end-goal is to teach the users how to use the technology safely and effectively, regardless of whether they are in our classroom(s) or not.

RMc
New Contributor

Thanks for "biting" on the question. The lists are great for people new to the group / profession.

micah002
New Contributor

Okay, so how do you block Tor Browser? I can't get it to work. I've tried using the Process name in Activity Monitor: Tor Browser, I've tried using the app name: TorBrowser and TorBrowser.app. I've tried /Tor Browser, /TorBrowser, /TorBrowser.app, and all of those with Restrict Exact Process Name checked and unchecked.

Every time that frelling application just opens itself up like it has not a care in the world.

How did you block it?

mm2270
Legendary Contributor III

@micah002 - When the application is running, run the following command in Terminal, and look for how it appears in the list

ps axc

Whatever you see there for the Tor browser is what you would want to put into the Restricted software item process to check for.
Also, silly question, but have you made sure the Macs you've tested on have the latest management framework pulled down from your Casper server? Run a sudo jamf manage on the test Mac to ensure it's getting the latest settings and try again.

micah002
New Contributor

Ahh, snap @mm2270 It's running as Firefox:

724 ?? S 0:08.00 Microsoft Remote Desktop
728 ?? S 0:00.29 CVMCompiler
732 ?? Ss 0:00.02 com.apple.hiservices-xpcservice
733 ?? Ss 0:00.09 systemstats
735 ?? S 0:02.87 firefox
737 ?? S 0:01.07 tor.real
739 ?? Z 0:00.00 (SFLSharedPrefsTo)
579 s000 Ss 0:00.04 login
580 s000 S 0:00.01 -bash
740 s000 R+ 0:00.01 ps

The PID 735 corresponds to the process in Activity Monitor labeled Tor Browser.

micah002
New Contributor

Okay, I can block the tor.real process (PID 737) and while the browser still launches, it gives an error stating it can't get anywhere because the tor service failed to launch.

It's at least a start.

mm2270
Legendary Contributor III

Wow, it masks itself as Firefox? Are you certain about that? You didn't also have Firefox open at the same time, did you? If that's what it's actually doing, that's pretty sneaky!

Edit: Never mind. I can confirm it in fact masks itself as Firefox. In fact, there is an executable inside the TorBrowser.app bundle in the "MacOS" folder labeled as "Firefox". There are several other folders inside it with other executables like "tor" and the "tor.real" one. Unbelievable.
And yes, it seems killing the tor.real process causes it to complain that it had a problem and needs to be restarted, but doesn't completely kill the app.

If it were me, I would take a multi pronged approach here. Have the Restricted Software item in place to locate and kill tor.real, and also delete the tor.real executable. I haven't tested this, but my guess is this may work to make the application unusable once that executable is deleted.
I might also have a Smart Group that looks for the TorBrowser.app on systems, and a corresponding policy to delete it with a script. Since users may be installing this outside of the main Applications folder, you may need to either add /Users/ as a path to capture applications from in your inventory settings, or create an Extension Attribute that scans the system for TorBrowser.app using something like mdfind or find. Then use those results for the scope of the policy.

I think having both of those in place will send a message to end users that it's not wanted on your network. If they see it keep disappearing and/or stop functioning, they'll get the message.
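A script of the kind described above, an Extension Attribute that locates TorBrowser.app (and other restricted bundles) under /Users as well as /Applications, as an added example that is neither mm2270's nor Jamf's own code. It uses find rather than mdfind so it also runs off macOS; the bundle list and the demo directory tree are constructed, and the <result> wrapper is the format Jamf reads from an EA script.

```shell
#!/bin/bash
# Added example: Jamf-style Extension Attribute that reports restricted
# .app bundles wherever they sit, so a Smart Group can scope a removal policy.

# Bundle names to look for (constructed from names mentioned in the thread).
RESTRICTED_BUNDLES="TorBrowser.app Vidalia.app MacKeeper.app Popcorn-Time.app"

# find_restricted_apps ROOT...: print each matching bundle path, one per line.
# Passing /Users as a root catches installs in Downloads or ~/Applications.
find_restricted_apps() {
    local root name
    for root in "$@"; do
        [ -d "$root" ] || continue
        for name in $RESTRICTED_BUNDLES; do
            # .app bundles are directories, so match on -type d
            find "$root" -maxdepth 6 -type d -name "$name" 2>/dev/null
        done
    done | sort -u
}

# ea_result ROOT...: wrap the findings in the <result> tags an EA must emit.
# "None" lets a Smart Group use "is not None" as its membership criterion.
ea_result() {
    local found
    found=$(find_restricted_apps "$@")
    if [ -z "$found" ]; then
        echo "<result>None</result>"
    else
        printf '<result>%s</result>\n' "$found"
    fi
}

# Self-contained demo on a constructed tree (not a real system's paths).
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Applications/Firefox.app/Contents/MacOS"
    mkdir -p "$tmp/Users/student/Downloads/TorBrowser.app/Contents/MacOS"
    mkdir -p "$tmp/Users/student/Applications/MacKeeper.app"
    ea_result "$tmp/Applications" "$tmp/Users"
    rm -rf "$tmp"
}

demo
```

On a managed Mac the EA body would call `ea_result /Applications /Users` instead of `demo`.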

damienbarrett
Valued Contributor

Thinking that perhaps the TorBrowser bundle had been changed since I built my Restricted Apps list, I re-downloaded the latest version and ran it. It was blocked, as it's always been by my list.

Perhaps you're not restricting by the exact process name or by the .app name? Or maybe you're not re-managing your test machine after you've changed the name. You can force the test machine to be managed by typing "sudo jamf manage" at the command line, and it will pull down a fresh copy of your restricted apps. Here's how mine is set up.

[screenshot of the Restricted Software record]

I have a similar one for "Vidalia.app" which for awhile was the name of the TorBrowser bundle.

micah002
New Contributor

I don't even have Firefox installed on my machine. I hate it. With hate.

I have forced manage, I have done everything I can think of, and it just won't stop running (except with the tor.real block I talked about earlier).

And if I block Firefox, Tor is blocked.

cwaldrip
Valued Contributor

We're more worried about malware/adware stuff than torrents, bitcoin, etc. And we're just starting, but the two I've listed are...

Installer.app
MPlayerX.app

The Installer.app is the installer for apps downloaded from Softonic.com. They take 3rd party shareware, wrap their own installer around it to change default browser settings, etc. I'm wary though because it's a very generic application name and might catch some legit app.

The second is one of those "You need this codec to watch this video" crapware, which doesn't do jack except hijack your browser.

cwaldrip
Valued Contributor

dupe post

pearlin
New Contributor III

MPlayerX is a legitimate media player available through the App Store:

https://itunes.apple.com/us/app/mplayerx/id421131143?mt=12

Although, the latest version is available directly from the dev:

http://mplayerx.org

And it is a real app:

http://www.macworld.co.uk/download/audio-video-photo/mplayerx-10221-3328598/

However, there is a known adware masquerading as MPlayerX:

https://discussions.apple.com/thread/6241637

We use the legit MPlayerX (which is similar to VLC) with no issues. In fact, it works quite well. It looks as if the "Ads by MPlayerX" is one of those "bundled" double-whammies:

http://malwaretips.com/blogs/ads-by-mplayerx-removal/

jedfrye
New Contributor III

Some background: I do work in a university environment with faculty, staff, and lab Macs enrolled... So some things like BitTorrent are not allowed in labs, but are allowed in others areas for "legitimate reasons."

The message that the user receives varies by restriction and each message ends with a statement to contact our support center. Here are some examples:

"MacKeeper is not a recommended way to clean or "speedup" your Mac. It can destabilize an otherwise stable Mac."
"A key logger was found to be running on this Mac. It has been shutdown."
"MacProtector is a fake antivirus program that is designed to scare people into thinking that their computers are infected."

Abk (Keylogger)
BitTorrent
Black Hole
BPK (Keylogger)
CleanGenius (CrapApp)
CleanMyMac2 (CrapApp)
FontNuke
LimeWire
MacBooster (CrapApp)
MacBooster mini (CrapApp)
MacDefender (Virus)
MacDefender.app (Virus)
MacKeeper (CrapApp)
MacProtector.app (Virus)
MacScan (Virus)
MacSecurity.app (Virus)
OnyX
SearchProtect
uTorrent

Good list @damienbarrett and the feature request for the "Black List" template would be a good thing.

damienbarrett
Valued Contributor

I just added a "new" shitware app to my list last night called "DetoxMyMac". It's very much like MacKeeper and tries to scare the end-user into installing their software to "clean" their Mac. It doesn't really do much and has an aggressive affiliate marketing program that causes idiot get-rich-quicksters to post links and fake reviews of Detox to blog articles and news stories.

I also had to start blocking "Popcorn-Time.app". At some point, they renamed it with the hyphen.

@jedfrye, you have a few in your list I hadn't heard of. Will be appending my list. Thanks.

spraguga
Contributor

@damienbarrett Is "Popcorn-Time.app" the actual process name? If not, can you provide the process name. Thanks! ;)

jgrubbs
New Contributor III

Hey @damienbarrett how do you export the Installed Applications report? Are you running a search right from Computers and just changing the search drop down to Applications? I don't see an export button.

CasperSally
Valued Contributor II

Has anyone had success with blocking .jar files from launching via restricted software? I'm trying without much luck. I thought this used to work.

Chris_Hafner
Valued Contributor II

@CasperSally I'm not sure I have your answer, but how are you trying to block them?

tferguson
New Contributor

If I don't have any of these installed on a device, how do I find the .app name so that I can delete the application instead of just killing a process? Many I block by killing a wildcard service - Mackeeper and clean but apparently the processes are constantly being closed, every two seconds. This is wreaking havoc on our current deployment. Bold = asterisks.

2017-09-02 13:00:36,378 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 8435):
ID: 59
Process: clean
Owner: root
PID: 61529
PID: 4918
2017-09-02 13:57:58,131 [INFO ] [Tomcat-25 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 4949):
ID: 41
Process: MacKeeper
Owner: root
PID: 18376
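A way to get a handle on the "killed every two seconds" pattern from the JSS log itself, as an added example that is not tferguson's or Jamf's own tooling: it summarises BlacklistNotification records per device and process and flags pairs that keep firing, which is the sign that the kill rule is fighting a relauncher rather than removing it. The sample log is constructed in the record format quoted above; the repeat entries are made up.

```shell
#!/bin/bash
# Added example: summarise Jamf BlacklistNotification records to spot
# machines where a Restricted Software rule is looping on a respawning process.

# Constructed sample in the format quoted in the thread (extra records invented).
SAMPLE_LOG='2017-09-02 13:00:36,378 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 8435):
ID: 59
Process: clean
Owner: root
PID: 61529
2017-09-02 13:00:38,402 [INFO ] [Tomcat-52 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 8435):
ID: 59
Process: clean
Owner: root
PID: 61533
2017-09-02 13:00:40,511 [INFO ] [Tomcat-53 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 8435):
ID: 59
Process: clean
Owner: root
PID: 61540
2017-09-02 13:57:58,131 [INFO ] [Tomcat-25 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 4949):
ID: 41
Process: MacKeeper
Owner: root
PID: 18376'

# kill_counts: read the log on stdin, print "<device id> <process> <kills>"
# for each device/process pair, most frequent first.
kill_counts() {
    awk '
        /\[BlacklistNotification \]/ {
            # the device ID lives in "(ID - 8435)"; remember it for the
            # "Process:" line that follows in the same record
            if (match($0, /\(ID - [0-9]+\)/)) dev = substr($0, RSTART + 6, RLENGTH - 7)
            next
        }
        /^Process: / { n[dev " " $2]++ }
        END { for (k in n) print k, n[k] }
    ' | sort -k3,3nr -k1,1n
}

# looping_rules THRESHOLD: pairs killed at least THRESHOLD times in this log,
# i.e. candidates for deleting the bundle instead of just killing the process.
looping_rules() {
    kill_counts | awk -v t="$1" '$3 >= t { print $1, $2 }'
}

echo "$SAMPLE_LOG" | looping_rules 3
```

Against a real JAMFSoftwareServer.log, pipe the file in instead of `$SAMPLE_LOG` and raise the threshold to suit the time window you are looking at.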

AUjgriffin
New Contributor

Bump, good point. What did you end up doing?

Raven_D
New Contributor III

You could always install Malwarebytes for Mac free and remove MacKeeper, Genieo etc.