Good Morning everyone!
I am looking for anyone who has a list of their restricted process apps with JSS. I have seen that a lot of people have been doing this, and with this being my first year with 1:1 and with JSS, I was looking for some insight or apps that you are blocking in your schools.
With all of this knowledge, going into our second year should be a lot better than this one!
Thanks again everyone
Okay, I'll bite on this one. Here is my list. It changes regularly. Mostly we're blocking P2P, Usenet downloaders (NZB) and Bitcoin. Mavericks installer is in there now, but will be removed once we're done vetting it.
Also killing (and deleting) the common drive-by malware MacKeeper and Genieo.
Bits on Wheels
Mojo
Nativa
Tomato Torrent
OS X Mavericks
BitTorrent Sync
cgminer for Mac OS X
Qt Bitcoin Trader
NZB Drop
NZB Vortex
Thanks @damienbarrett!! Now all of these have .app at the end of them, correct? I saw the Bitcoin post earlier and would never have thought about that, because I have some students as well who would be trying to do that (because they have been trying to push the right buttons with me from day 1 of the rollout).
Added a few more this weekend after scouring a few of my more industrious users' Applications list:
At some point, we all realize it's a cat-and-mouse game, and a truly determined student will figure out ways around the software restrictions. But...I can still see what's been installed (even if it's renamed or modified, etc.) and then it becomes even more of a disciplinary issue. If a student is actively trying to circumvent controls we put in place, it goes to a whole new level and the consequences are more severe. For 99% of our AUP violations, these app restrictions act as a first level of warning, basically saying, "Knock it off!". If a student persists, we get the Administration and Disciplinary committees involved. It very rarely ever gets to that point.
So, app restrictions are a first line of defense and a pretty good one. Despite the incredible latitude our students have in using their laptops, we look at blocking these apps as ways of protecting our network and our equipment (and to a certain extent, protecting the students from themselves).
Please accept my thanks for your work on this list of applications as well.
We have just begun to see Genieo and MacKeeper on our School District's computers. This is the only search result for Genieo. Has anyone run these installers with Composer to capture the locations of the changes they create?
I've actually been working on a "Nuke Genieo" uninstaller but have hit some snags with file detection in my scripting. When I have a bit more time, I'll get back to it.
Then I'll work on a "Nuke & Pave MacKeeper" uninstaller.
Note that I recently saw a variant of Genieo called "InstallerMac". It was the same shitware, but named differently.
I believe we met at JAMFNation in Oct. The link you have posted is one that I am using to start my work from as well. My scripting skills will need to improve a great deal before I can do more than edit someone else's work to the situation at hand. I do have some excellent mentors that have unique positions; such that they can point out better ways to the solution.
* I do wonder if this topic needs to be posted under a "Malware" title or a specific "Genieo" title. Personally I used the search, so it didn't affect my research. Maybe JAMF moderators can decide.
Our 1-to-1 deployment includes a killer AppleCare contract. So I have started a Case with them so that it might get enough votes in the grand scheme of AppleCare attention to get developer attention. We'll see.
Thank you again, (For your presentation as well.)
Yeah, I added it as a 3rd-party resource about a week ago.
I use Adware Medic on a daily basis. I've long been developing an app that will nuke MacKeeper from my users' systems. I doubt that Tom will ever include MacKeeper in his list of detected adware because ZeoBIT has a long history of defending their terrible software (and also for astroturfing positive reviews all over the place and for extremely aggressive and deceptive advertising).
Right now, I simply use a Restricted Application rule to keep MacKeeper from being run on my users' systems. Once I've completed the "Nuke MacKeeper" tool, I'll execute it on a Smart Group for everyone that has it installed.
Edit (for clarification): Any software where the end-user must be tricked or coerced into installing meets my personal definition of malware and will not be allowed on the systems I control. MacKeeper falls into this category.
Agreed on MacKeeper. We had been asked about it here by some users and techs and I was vehement about not allowing that on any of our Macs. While we haven't yet put a Restricted Software item in place to stop it, we may do that. So far searches for it haven't turned it up in our JSS, but given the crazy aggressiveness they use, I don't doubt some user will be fooled into thinking they need it and install it eventually. The tactics they use to promote their crapware are ridiculous.
@damienbarrett quite a comprehensive list, thanks for sharing. I added these to my list, if I had any that you missed I would add them, but none to be found! I voted up the feature request as well. Curious on 2 things if you have time.
1) I found most of these by good old-fashioned GoogleFu and searching MacUpdate.com for keywords. Download, get the binary name, add it as a restricted process. I do this every month or so and my list has grown a bit since I posted this. If I have time later, I'll re-post my updated list.
About every two months or so, I export the "Installed Applications" list to an Excel spreadsheet and then start Googling to see what kind of gak the kids have installed. It's often very illuminating. You can simply leave the search box blank with Applications selected and search JSS and it'll return everything. Then export, clean, and Google.
2) My approach to fighting off this recent scourge of adware is multi-fold. Here's how I've been doing it:
What's going to work the best? In my opinion, user education is better than heavy-handed lockdown. Teaching the end-users to be careful about installing software and not using questionable browser extensions will go a lot farther toward our end-goal than obtuse and overbearing management. At my school, our end-goal is to teach the users how to use the technology safely and effectively, regardless of whether they are in our classroom(s) or not.
Okay, so how do you block Tor Browser? I can't get it to work. I've tried using the Process name in Activity Monitor: Tor Browser, I've tried using the app name: TorBrowser and TorBrowser.app. I've tried /Tor Browser, /TorBrowser, /TorBrowser.app, and all of those with Restrict Exact Process Name checked and unchecked.
Every time that frelling application just opens itself up like it has not a care in the world.
How did you block it?
@micah002 - When the application is running, run the following command in Terminal and look for how it appears in the list:
Whatever you see there for the Tor browser is what you would want to put into the Restricted Software item's process to check for.
Also, silly question, but have you made sure the Macs you've tested on have the latest management framework pulled down from your Casper server? Run a sudo jamf manage on the test Mac to ensure it's getting the latest settings and try again.
Ahh, snap @mm2270 It's running as Firefox:
724 ?? S 0:08.00 Microsoft Remote Desktop
728 ?? S 0:00.29 CVMCompiler
732 ?? Ss 0:00.02 com.apple.hiservices-xpcservice
733 ?? Ss 0:00.09 systemstats
735 ?? S 0:02.87 firefox
737 ?? S 0:01.07 tor.real
739 ?? Z 0:00.00 (SFLSharedPrefsTo)
579 s000 Ss 0:00.04 login
580 s000 S 0:00.01 -bash
740 s000 R+ 0:00.01 ps
The PID 735 corresponds to the process in Activity monitor labeled Tor Browser.
Wow, it masks itself as Firefox? Are you certain about that? You didn't also have Firefox open at the same time, did you? If that's what it's actually doing, that's pretty sneaky!
Edit: Never mind. I can confirm it in fact masks itself as Firefox. In fact, there is an executable inside the TorBrowser.app bundle in the "MacOS" folder labeled "Firefox". There are several other folders inside it with other executables like "tor" and the "tor.real" one. Unbelievable.
And yes, it seems killing the tor.real process causes it to complain that it had a problem and needs to be restarted, but doesn't completely kill the app.
If it were me, I would take a multi pronged approach here. Have the Restricted Software item in place to locate and kill tor.real, and also delete the tor.real executable. I haven't tested this, but my guess is this may work to make the application unusable once that executable is deleted.
I might also have a Smart Group that looks for the TorBrowser.app on systems, and a corresponding policy to delete it with a script. Since users may be installing this outside of the main Applications folder, you may need to either add /Users/ as a path to capture applications from in your inventory settings, or create an Extension Attribute that scans the system for TorBrowser.app using something like mdfind or find. Then use those results for the scope of the policy.
I think having both of those in place will send a message to end users that it's not wanted on your network. If they see it keep disappearing and/or stop functioning, they'll get the message.
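Putting the two pieces of that advice together (read the executable name macOS actually launches out of the bundle's Info.plist, and scan for bundles installed outside /Applications), here is an added example that is not code from the thread or from Jamf. It runs offline against a constructed directory tree of fake bundles (Firefox.app, Safari.app, and a TorBrowser.app whose CFBundleExecutable is firefox with tor and tor.real as helpers, all fabricated for illustration), uses os.walk in place of mdfind or find, and wraps the Extension Attribute output in the <result> tags Jamf expects. The collision check is the caveat worth having before a Restricted Software item goes live: the process name "firefox" would kill real Firefox as well, which is why tor.real is the safer target.

```python
"""Added example, not from the thread or from Jamf: find .app bundles under a
search root, read CFBundleExecutable from each Info.plist, and show which
Restricted Software process names would also hit legitimate apps.
All bundle names, executables and paths below are constructed fixtures."""
import os
import plistlib
import tempfile


def make_bundle(root, rel_path, main_exe, extra_exes=()):
    """Test fixture only: a minimal .app with an Info.plist and empty files
    standing in for the executables under Contents/MacOS."""
    bundle = os.path.join(root, rel_path)
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": main_exe}, fh)
    for exe in (main_exe, *extra_exes):
        full = os.path.join(macos_dir, exe)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return bundle


def executables_in(bundle):
    """Every file name under Contents/MacOS, including helpers nested in
    subfolders (the way tor.real sits inside the Tor Browser bundle)."""
    names = []
    for _, _, files in os.walk(os.path.join(bundle, "Contents", "MacOS")):
        names.extend(files)
    return sorted(names)


def find_bundles(search_root):
    """Yield (bundle_path, CFBundleExecutable, [executables]) for each .app
    under search_root; os.walk here stands in for mdfind/find on a real Mac."""
    for dirpath, dirnames, _ in os.walk(search_root):
        for name in sorted(dirnames):
            if not name.endswith(".app"):
                continue
            dirnames.remove(name)  # do not descend into the bundle itself
            bundle = os.path.join(dirpath, name)
            try:
                with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
                    main_exe = plistlib.load(fh).get("CFBundleExecutable")
            except (OSError, plistlib.InvalidFileException):
                main_exe = None  # damaged or foreign bundle; still report it
            yield bundle, main_exe, executables_in(bundle)


def restricted_hits(search_root, restricted):
    """For each restricted process name, the bundles shipping an executable by
    that name. More than one bundle per name is a collision: the Restricted
    Software item would kill the legitimate app as well."""
    hits = {name: [] for name in restricted}
    for bundle, _, exes in find_bundles(search_root):
        for name in restricted:
            if name in exes:
                hits[name].append(os.path.basename(bundle))
    return {name: sorted(found) for name, found in hits.items()}


def extension_attribute(search_root, wanted):
    """Jamf Extension Attribute style output: matching bundle paths wrapped in
    <result> tags, so a Smart Group can scope a removal policy on it."""
    paths = sorted(b for b, _, _ in find_bundles(search_root)
                   if os.path.basename(b) == wanted)
    return "<result>" + "\n".join(paths) + "</result>"


def demo():
    """Build the constructed tree, run both checks, return the results."""
    root = tempfile.mkdtemp(prefix="restricted_demo_")
    make_bundle(root, "Applications/Firefox.app", "firefox")
    make_bundle(root, "Applications/Safari.app", "Safari")
    # Tor Browser as the thread describes it: main executable named firefox,
    # tor and tor.real as helpers, installed under a user's home folder.
    make_bundle(root, "Users/student/Downloads/TorBrowser.app", "firefox",
                extra_exes=("Tor/tor", "Tor/tor.real"))
    return {
        "root": root,
        "hits": restricted_hits(root, {"firefox", "tor.real"}),
        "ea": extension_attribute(root, "TorBrowser.app"),
        "ea_missing": extension_attribute(root, "Vidalia.app"),
    }


if __name__ == "__main__":
    result = demo()
    for name, bundles in sorted(result["hits"].items()):
        tag = "COLLISION" if len(bundles) > 1 else "ok"
        print(f"{name:10} -> {bundles} [{tag}]")
    print(result["ea"])
```

On a managed Mac the search root would be / (or /Applications plus /Users), and the <result> string is what the Extension Attribute script would print; an empty <result></result> is what keeps machines without the bundle out of the Smart Group.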
Thinking that perhaps the TorBrowser bundle had been changed since I built my Restricted Apps list, I re-downloaded the latest version and ran it. It was blocked, as it's always been by my list.
Perhaps you're not restricting by the exact process name or by the .app name? Or maybe you're not re-managing your test machine after you've changed the name. You can force the test machine to be managed by typing "sudo jamf manage" at the command line, and it will pull down a fresh copy of your restricted apps. Here's how mine is set up.
I have a similar one for "Vidalia.app" which for awhile was the name of the TorBrowser bundle.
We're more worried about malware/adware stuff than torrents, bitcoin, etc. And we're just starting, but the two I've listed are...
The Installer.app is the installer for apps downloaded from Softonic.com. They take 3rd party shareware, wrap their own installer around it to change default browser settings, etc. I'm wary though because it's a very generic application name and might catch some legit app.
The second is one of those "You need this codec to watch this video" crapware, which doesn't do jack except hijack your browser.
MPlayerX is a legitimate media player available through the App Store:
Although, the latest version is available directly from the dev:
And it is a real app:
However, there is a known adware masquerading as MPlayerX:
We use the legit MPlayerX (which is similar to VLC) with no issues. In fact, it works quite well. It looks as if the "Ads by MPlayerX" is one of those "bundled" double-whammies:
Some background: I do work in a university environment with faculty, staff, and lab Macs enrolled... So some things like BitTorrent are not allowed in labs, but are allowed in others areas for "legitimate reasons."
The message that the user receives varies by restriction and each message ends with a statement to contact our support center.
Here are some examples:
"MacKeeper is not a recommended way to clean or "speedup" your Mac. It can destabilize an otherwise stable Mac."
"A key logger was found to be running on this Mac. It has been shutdown."
"MacProtector is a fake antivirus program that is designed to scare people into thinking that their computers are infected. "
LimeWire
MacBooster (CrapApp)
MacBooster mini (CrapApp)
OnyX
SearchProtect
uTorrent
Good list @damienbarrett and the feature request for the "Black List" template would be a good thing.
I just added a "new" shitware app to my list last night called "DetoxMyMac". It's very much like MacKeeper and tries to scare the end-user into installing their software to "clean" their Mac. It doesn't really do much and has an aggressive affiliate marketing program that causes idiot get-rich-quicksters to post links and fake reviews of Detox in blog articles and news stories.
I also had to start blocking "Popcorn-Time.app". At some point, they renamed it with the hyphen.
@jedfry, you have a few in your list I hadn't heard of. Will be appending my list. Thanks.
If I don't have any of these installed on a device, how do I find the .app name so that I can delete the application instead of just killing a process? Many I block by killing a wildcard service (Mackeeper and clean), but apparently the processes are constantly being closed, every two seconds. This is wreaking havoc on our current deployment. Bold = asterisks.
2017-09-02 13:00:36,378 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 8435):
2017-09-02 13:57:58,131 [INFO ] [Tomcat-25 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 4949):
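As an added example (not from the thread or from Jamf) of spotting that every-two-seconds kill loop in the JSS log: the script below parses BlacklistNotification lines in the format of the two above and flags devices where kills recur within a few seconds, which is what a respawning process or a wildcard matching a system daemon looks like, as opposed to a student launching something once. The log lines are constructed, the device names and the process name "example.helper" are hypothetical, and the assumption that the killed process name follows the colon on the same line is mine; adjust the regex if your JSS log puts it on the next line.

```python
"""Added example, not from the thread or from Jamf: detect restricted-process
kill loops in JSS BlacklistNotification log lines. The sample log is constructed
and the process name example.helper is hypothetical."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: timestamp, [INFO ], [thread], [BlacklistNotification ], message,
# with the killed process name after the colon (not shown on the original page).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[INFO\s*\] \[[^\]]*\] "
    r"\[BlacklistNotification\s*\] - The following blacklisted process was killed "
    r"on device (?P<device>\S+) \(ID - (?P<id>\d+)\):\s*(?P<process>.*)$"
)

# Constructed sample: device 8435 in a two-second loop, device 4949 a single kill,
# plus one unrelated line that the parser must skip.
SAMPLE_LOG = """\
2017-09-02 13:00:36,378 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device lab-mac-07 (ID - 8435): example.helper
2017-09-02 13:00:38,401 [INFO ] [Tomcat-52 ] [BlacklistNotification ] - The following blacklisted process was killed on device lab-mac-07 (ID - 8435): example.helper
2017-09-02 13:00:40,395 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device lab-mac-07 (ID - 8435): example.helper
2017-09-02 13:57:58,131 [INFO ] [Tomcat-25 ] [BlacklistNotification ] - The following blacklisted process was killed on device lab-mac-12 (ID - 4949): example.helper
2017-09-02 13:58:02,000 [INFO ] [Tomcat-25 ] [PolicyEngine ] - unrelated log line
"""


def parse_kills(lines):
    """Yield (timestamp, device_id, device_name, process) per kill line;
    anything that is not a BlacklistNotification entry is skipped."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        yield ts, m.group("id"), m.group("device"), m.group("process").strip()


def respawn_loops(lines, max_gap_s=5.0, min_kills=3):
    """Return {device_id: summary} for devices with at least min_kills kills
    where consecutive kills are no more than max_gap_s apart."""
    by_device = defaultdict(list)
    names = {}
    for ts, dev_id, dev_name, proc in parse_kills(lines):
        by_device[dev_id].append((ts, proc))
        names[dev_id] = dev_name
    flagged = {}
    for dev_id, events in by_device.items():
        events.sort()
        if len(events) < min_kills:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        rapid = sum(1 for g in gaps if g <= max_gap_s)
        if rapid >= min_kills - 1:
            flagged[dev_id] = {
                "device": names[dev_id],
                "kills": len(events),
                "min_gap_s": min(gaps),
                "processes": sorted({p for _, p in events}),
            }
    return flagged


if __name__ == "__main__":
    for dev_id, info in respawn_loops(SAMPLE_LOG.splitlines()).items():
        print(f"device {info['device']} (ID {dev_id}): {info['kills']} kills, "
              f"min gap {info['min_gap_s']:.1f}s, processes {info['processes']}")
```

Run it over the real log with `respawn_loops(open(path))`; a device that shows up here is one where the restricted process is being relaunched as fast as the framework kills it, so the fix is to delete the bundle (or narrow the wildcard) rather than keep killing.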