Posted on 01-09-2014 07:03 AM
Good Morning everyone!
I am looking for anyone who has a list of their restricted process apps in JSS. I have seen that a lot of people have been doing this, and with this being my first year with 1:1 and with JSS, I was looking for some insight or the apps that you are blocking in your schools.
With all of this knowledge, going into our second year should be a lot better than this one!
Thanks again everyone
Posted on 01-09-2014 11:52 AM
Okay, I'll bite on this one. Here is my list. It changes regularly. Mostly we're blocking P2P, Usenet downloaders (NZB) and Bitcoin. Mavericks installer is in there now, but will be removed once we're done vetting it.
Also killing (and deleting) the common drive-by malware MacKeeper and Genieo.
1 Transmission
2 BitTorrent
3 UTorrent
4 Cabos
5 Frostwire
6 Vuze
7 Acqlite
8 BitRocket
9 Bits on Wheels
10 Mojo
11 Nativa
12 Phex
13 qbbittorrent
14 ShakesPeer
15 Tribler
16 XFactor
17 XTorrent
18 Acquisition
19 all.com
20 Poisoned
21 aMule
22 xDonkey
23 EasyMule
24 iSoul
25 PeerGuardian
27 Tomato Torrent
28 AdmitOne
30 MacKeeper
32 OS X Mavericks
33 BitTorrent Sync
34 Torch
36 BitLord
37 Asteroid
38 Bitcoin-Qt
39 cgminer for Mac OS X
40 Electrum
42 Qt Bitcoin Trader
43 Hive
44 guiminer
45 bfgminer
46 cgminer
47 MacMiner
48 Genieo
49 Unison
50 NZBVortex
51 SABnzbd+
52 Hogwasher
53 MacSoup
54 NZB Drop
55 NZB Vortex
56 SuperNZB
57 Thoth
Posted on 01-09-2014 01:14 PM
Thanks @damienbarrett!! Now all of these have .app at the end of them, correct? I saw the Bitcoin post earlier and would never have thought about that, because I have some students as well who would be trying to do that (because they have been trying to push the right buttons with me from day 1 of the rollout).
Posted on 01-11-2014 03:27 PM
Added a few more this weekend after scouring a few of my more industrious users' Applications list:
- MultiBit.app
- Deluge.app
- Litecoin-Qt.app
- dogecoin-qt.app
- TorBrowser.app
At some point, we all realize it's a cat-and-mouse game, and a truly determined student will figure out ways around the software restrictions. But...I can still see what's been installed (even if it's renamed or modified, etc.) and then it becomes even more of a disciplinary issue. If a student is actively trying to circumvent controls we put in place, it goes to a whole new level and the consequences are more severe. For 99% of our AUP violations, these app restrictions act as a first level of warning, basically saying, "Knock it off!". If a student persists, we get the Administration and Disciplinary committees involved. It very rarely ever gets to that point.
So, app restrictions are a first line of defense and a pretty good one. Despite the incredible latitude our students have in using their laptops, we look at blocking these apps as a way of protecting our network and our equipment (and to a certain extent, protecting the students from themselves).
Posted on 01-12-2014 01:15 PM
It would sure be nice if there was a template of sorts that could be shared here and then downloaded and imported for those here that were interested. Why reinvent the wheel by people having to enter all of this in on each casper install if they need it?
Posted on 01-13-2014 07:42 AM
@jhuls, you might want to vote up this Feature Request:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=21
Posted on 01-13-2014 09:00 AM
Just wanted to say thanks for sharing your list!
Posted on 05-13-2014 07:21 AM
Please accept my thanks for your work on this list of applications as well.
We have just begun to see Genieo and MacKeeper on our School District's computers. This is the only search result for Genieo. Has any one run these installers with Composer to capture the locations of the changes they create?
Posted on 05-13-2014 09:51 AM
http://www.thesafemac.com/arg-genieo/
I've actually been working on a "Nuke Genieo" uninstaller but have hit some snags with file detection in my scripting. When I have a bit more time, I'll get back to it.
Then I'll work on a "Nuke & Pave MacKeeper" uninstaller.
Note that I recently saw a variant of Genieo called "InstallerMac". It was the same shitware, but named differently.
Posted on 05-13-2014 10:43 AM
Hi Damien,
I believe we met at JAMFNation in Oct. The link you have posted is one that I am using to start my work from as well. My scripting skills will need to improve a great deal before I can do more than edit someone else's work to the situation at hand. I do have some excellent mentors that have unique positions; such that they can point out better ways to the solution.
* I do wonder if this topic needs to be posted under a "Malware" title or a specific "Genieo" title. Personally I used the search, so it didn't affect my research. Maybe JAMF moderators can decide.
Our 1-to-1 deployment includes a killer AppleCare contract. So I have started a Case with them so that it might get enough votes in the grand scheme of AppleCare attention to get developer attention. We'll see.
Thank you again, (For your presentation as well.)
Posted on 09-22-2014 07:25 PM
I found an application at "The Safe Mac" that works at detecting and removing Genieo and other malware/adware applications. It isn't perfect...I had to reimage a laptop this weekend...but it is a start...and it's free.
Posted on 09-23-2014 09:45 AM
Yeah, I added it as a 3rd-party resource about a week ago.
https://jamfnation.jamfsoftware.com/viewProduct.html?id=358&view=info
I use Adware Medic on a daily basis. I've long been developing an app that will nuke MacKeeper from my users' systems. I doubt that Tom will ever include MacKeeper in his list of detected adware because ZeoBIT has a long history of defending their terrible software (and also for astroturfing positive reviews all over the place and for extremely aggressive and deceptive advertising).
Right now, I simply use a Restricted Application rule to keep MacKeeper from being run on my users' systems. Once I've completed the "Nuke MacKeeper" tool, I'll execute it on a Smart Group for everyone that has it installed.
Edit (for clarification): Any software where the end-user must be tricked or coerced into installing meets my personal definition of malware and will not be allowed on the systems I control. MacKeeper falls into this category.
Posted on 09-23-2014 09:57 AM
Agreed on MacKeeper. We had been asked about it here by some users and techs and I was vehement about not allowing that on any of our Macs. While we haven't yet put a Restricted Software item in place to stop it, we may do that. So far searches for it haven't turned it up in our JSS, but given the crazy aggressiveness they use, I don't doubt some user will be fooled into thinking they need it and install it eventually. The tactics they use to promote their crapware are ridiculous.
Posted on 11-19-2014 01:05 PM
@damienbarrett quite a comprehensive list, thanks for sharing. I added these to my list, if I had any that you missed I would add them, but none to be found! I voted up the feature request as well. Curious on 2 things if you have time.
Thx, Tom
Posted on 11-20-2014 06:56 AM
1) I found most of these by good old-fashioned GoogleFu and searching MacUpdate.com for keywords. Download, get the binary name, add it as a restricted process. I do this every month or so and my list has grown a bit since I posted this. If I have time later, I'll re-post my updated list.
About every two months or so, I export the "Installed Applications" list to an Excel spreadsheet and then start Googling to see what kind of gak the kids have installed. It's often very illuminating. You can simply leave the search box blank with Applications selected and search JSS and it'll return everything. Then export, clean, and Google.
2) My approach to fighting off this recent scourge of adware is multi-fold. Here's how I've been doing it:
What's going to work the best? In my opinion, user education is better than heavy-handed lockdown. Teaching the end-users to be careful about installing software and not to use questionable browser extensions will go a lot farther toward our end-goal than obtuse and overbearing management. At my school, our end-goal is to teach the users how to use the technology safely and effectively, regardless of whether they are in our classroom(s) or not.
Posted on 11-26-2014 07:40 AM
Thanks for "biting" on the question. The lists are great for people new to the group / profession.
Posted on 02-12-2015 07:24 AM
Okay, so how do you block Tor Browser? I can't get it to work. I've tried using the Process name in Activity Monitor: Tor Browser, I've tried using the app name: TorBrowser and TorBrowser.app. I've tried /Tor Browser, /TorBrowser, /TorBrowser.app, and all of those with Restrict Exact Process Name checked and unchecked.
Every time that frelling application just opens itself up like it has not a care in the world.
How did you block it?
Posted on 02-12-2015 07:30 AM
@micah002 - When the application is running, run the following command in Terminal, and look for how it appears in the list
ps axc
Whatever you see there for the Tor browser is what you would want to put into the Restricted software item process to check for.
Also, silly question, but have you made sure the Macs you've tested on have the latest management framework pulled down from your Casper server? Run a sudo jamf manage on the test Mac to ensure it's getting the latest settings and try again.
Posted on 02-12-2015 07:41 AM
Ahh, snap @mm2270 It's running as Firefox:
724 ?? S 0:08.00 Microsoft Remote Desktop
728 ?? S 0:00.29 CVMCompiler
732 ?? Ss 0:00.02 com.apple.hiservices-xpcservice
733 ?? Ss 0:00.09 systemstats
735 ?? S 0:02.87 firefox
737 ?? S 0:01.07 tor.real
739 ?? Z 0:00.00 (SFLSharedPrefsTo)
579 s000 Ss 0:00.04 login
580 s000 S 0:00.01 -bash
740 s000 R+ 0:00.01 ps
The PID 735 corresponds to the process in Activity monitor labeled Tor Browser.
Posted on 02-12-2015 07:46 AM
Okay, I can block the tor.real process (PID 737) and while the browser still launches, it gives an error stating it can't get anywhere because the tor service failed to launch.
It's at least a start.
Posted on 02-12-2015 07:50 AM
Wow, it masks itself as Firefox? Are you certain about that? You didn't also have Firefox open at the same time, did you? If that's what it's actually doing, that's pretty sneaky!
Edit: Never mind. I can confirm it in fact masks itself as Firefox. In fact, there is an executable inside the TorBrowser.app bundle in the "MacOS" folder labeled as "Firefox". There are several other folders inside it with other executables like "tor" and the "tor.real" one. Unbelievable.
And yes, it seems killing the tor.real process causes it to complain that it had a problem and needs to be restarted, but doesn't completely kill the app.
If it were me, I would take a multi-pronged approach here. Have the Restricted Software item in place to locate and kill tor.real, and also delete the tor.real executable. I haven't tested this, but my guess is this may work to make the application unusable once that executable is deleted.
I might also have a Smart Group that looks for the TorBrowser.app on systems, and a corresponding policy to delete it with a script. Since users may be installing this outside of the main Applications folder, you may need to either add /Users/ as a path to capture applications from in your inventory settings, or create an Extension Attribute that scans the system for TorBrowser.app using something like mdfind or find. Then use those results for the scope of the policy.
I think having both of those in place will send a message to end users that it's not wanted on your network. If they see it keep disappearing and/or stop functioning, they'll get the message.
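Two helpers for the points made in the replies above (the `ps axc` check, and an Extension Attribute that scans for TorBrowser.app with find or mdfind), added here as an example; this is not code from the thread or from Jamf. It assumes POSIX sh, ps(1) and find(1); mdfind is macOS-only, so find is used, and the bundle names and paths are the thread's own examples.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jamf. Two helpers for the
# questions above: which .app bundle a running process really belongs to, and
# where copies of a bundle live on disk (for a Jamf Extension Attribute).
# Assumes POSIX sh, ps(1) and find(1); mdfind is macOS-only, so find is used.

# Reduce an executable path to its outermost .app bundle, e.g.
#   /Applications/TorBrowser.app/Contents/MacOS/firefox -> /Applications/TorBrowser.app
# Prints nothing and returns 1 when the executable is not inside a bundle.
bundle_of() {
    case "$1" in
        *.app/*) printf '%s\n' "${1%%.app/*}.app" ;;
        *) return 1 ;;
    esac
}

# List running processes as "PID<TAB>name<TAB>bundle". On macOS `ps -o comm=`
# prints the full executable path, which is what reveals that the process
# Activity Monitor shows as "Tor Browser" is TorBrowser.app's own "firefox".
# (Only the name, as `ps axc` prints it, is what the restriction matches on.)
running_bundles() {
    ps axo pid=,comm= | while read -r pid path; do
        printf '%s\t%s\t%s\n' "$pid" "${path##*/}" "$(bundle_of "$path" || echo -)"
    done
}

# Find every directory named like the bundle under the given roots, without
# descending into the bundles themselves. Users install outside /Applications,
# so pass /Users as a root too: find_bundles TorBrowser.app /Applications /Users
find_bundles() {
    name=$1; shift
    find "$@" -type d -name "$name" -prune -print 2>/dev/null
}

# Extension Attribute output: Jamf keeps the text between the <result> tags,
# so a Smart Group can be scoped on the attribute "is not" Not Found.
ea_result() {
    hits=$(find_bundles "$@")
    if [ -n "$hits" ]; then
        printf '<result>%s</result>\n' "$hits"
    else
        printf '<result>Not Found</result>\n'
    fi
}
```

As the body of an Extension Attribute script, a single call such as `ea_result TorBrowser.app /Applications /Users` is all that is needed.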
Posted on 02-12-2015 08:14 AM
Thinking that perhaps the TorBrowser bundle had been changed since I built my Restricted Apps list, I re-downloaded the latest version and ran it. It was blocked, as it's always been by my list.
Perhaps you're not restricting by the exact process name or by the .app name? Or maybe you're not re-managing your test machine after you've changed the name. You can force the test machine to be managed by typing "sudo jamf manage" at the command line, and it will pull down a fresh copy of your restricted apps. Here's how mine is set up.
I have a similar one for "Vidalia.app" which for awhile was the name of the TorBrowser bundle.
Posted on 02-12-2015 09:20 AM
I don't even have Firefox installed on my machine. I hate it. With hate.
I have forced manage, I have done everything I can think of it and it just won't stop running (except with the tor.real block I talked about earlier).
And if I block Firefox, Tor is blocked.
Posted on 02-12-2015 01:37 PM
We're more worried about malware/adware stuff than torrents, bitcoin, etc. And we're just starting, but the two I've listed are...
Installer.app
MPlayerX.app
The Installer.app is the installer for apps downloaded from Softonic.com. They take 3rd party shareware, wrap their own installer around it to change default browser settings, etc. I'm wary though because it's a very generic application name and might catch some legit app.
The second is one of those "You need this codec to watch this video" crapware, which doesn't do jack except hijack your browser.
Posted on 02-12-2015 01:50 PM
dupe post
Posted on 02-20-2015 09:07 AM
MPlayerX is a legitimate media player available through the App Store:
https://itunes.apple.com/us/app/mplayerx/id421131143?mt=12
Although, the latest version is available directly from the dev:
And it is a real app:
http://www.macworld.co.uk/download/audio-video-photo/mplayerx-10221-3328598/
However, there is a known adware masquerading as MPlayerX:
https://discussions.apple.com/thread/6241637
We use the legit MPlayerX (which is similar to VLC) with no issues. In fact, it works quite well. It looks as if the "Ads by MPlayerX" is one of those "bundled" double-whammies:
Posted on 02-20-2015 11:02 AM
Some background: I do work in a university environment with faculty, staff, and lab Macs enrolled... So some things like BitTorrent are not allowed in labs, but are allowed in others areas for "legitimate reasons."
The message that the user receives varies by restriction and each message ends with a statement to contact our support center.
Here are some examples:
"MacKeeper is not a recommended way to clean or "speedup" your Mac. It can destabilize an otherwise stable Mac."
"A key logger was found to be running on this Mac. It has been shutdown."
"MacProtector is a fake antivirus program that is designed to scare people into thinking that their computers are infected. "
Abk (Keylogger)
BitTorrent
Black Hole
BPK (Keylogger)
CleanGenius (CrapApp)
CleanMyMac2 (CrapApp)
FontNuke
LimeWire
MacBooster (CrapApp)
MacBooster mini (CrapApp)
MacDefender (Virus)
MacDefender.app (Virus)
MacKeeper (CrapApp)
MacProtector.app (Virus)
MacScan (Virus)
MacSecurity.app (Virus)
OnyX
SearchProtect
uTorrent
Good list @damienbarrett and the feature request for the "Black List" template would be a good thing.
Posted on 02-20-2015 01:03 PM
I just added a "new" shitware app to my list last night called "DetoxMyMac". It's very much like MacKeeper and tries to scare the end-user into installing their software to "clean" their Mac. It doesn't really do much and has an aggressive affiliate marketing program that causes idiot get-rich-quicksters to post links and fake reviews of Detox on blog articles and news stories.
I also had to start blocking "Popcorn-Time.app". At some point, they renamed it with the hyphen.
@jedfry, you have a few in your list I hadn't heard of. Will be appending my list. Thanks.
Posted on 04-30-2015 01:44 PM
@damienbarrett Is "Popcorn-Time.app" the actual process name? If not, can you provide the process name. Thanks! ;)
Posted on 05-04-2015 11:15 AM
Hey @damienbarrett how do you export the Installed Applications report? Are you running a search right from Computers and just changing the search drop down to Applications? I don't see an export button.
Posted on 12-22-2015 08:32 AM
Has anyone had success with blocking .jar files from launching via restricted software? I'm trying without much luck. I thought this used to work.
Posted on 12-23-2015 11:34 AM
@CasperSally I'm not sure I have your answer, but how are you trying to block them?
Posted on 09-04-2017 01:46 PM
If I don't have any of these installed on a device, how do I find the .app name so that I can delete the application instead of just killing a process? Many I block by killing a wildcard service - MacKeeper and clean - but apparently the processes are constantly being closed, every two seconds. This is wreaking havoc on our current deployment. Bold = asterisks.
2017-09-02 13:00:36,378 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 8435):
ID: 59
Process: clean
Owner: root
PID: 61529
PID: 4918
2017-09-02 13:57:58,131 [INFO ] [Tomcat-25 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 4949):
ID: 41
Process: MacKeeper
Owner: root
PID: 18376
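A summary of the JSS log records quoted above, added here as an example and not code from the thread or from Jamf: it counts kills per device and process so a rule firing every few seconds on one Mac stands out. It assumes awk and sort, and the sample records (device names, IDs, PIDs) are constructed in the format the post shows.

```shell
#!/bin/sh
# Added example, not from the thread or Jamf: summarise JSS
# "BlacklistNotification" records (header line naming the device, then
# "ID:", "Process:", "Owner:", "PID:" lines) per device and process, so a
# restricted-process rule that fires every few seconds on one Mac stands out.
# Assumes awk and sort. The sample records below are constructed.

# Emit constructed log records in the format quoted in the post.
sample_log() {
    cat <<'EOF'
2017-09-02 13:00:36,378 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device lab-mac-01 (ID - 8435):
ID: 41
Process: MacKeeper
Owner: root
PID: 18376
2017-09-02 13:00:38,402 [INFO ] [Tomcat-52 ] [BlacklistNotification ] - The following blacklisted process was killed on device lab-mac-01 (ID - 8435):
ID: 41
Process: MacKeeper
Owner: root
PID: 18390
2017-09-02 13:57:58,131 [INFO ] [Tomcat-25 ] [BlacklistNotification ] - The following blacklisted process was killed on device lab-mac-02 (ID - 4949):
ID: 59
Process: clean
Owner: root
PID: 61529
EOF
}

# kill_summary LOGFILE [MIN]: print "device<TAB>process<TAB>kills" for every
# device/process pair killed at least MIN times (default 1), sorted by device.
kill_summary() {
    awk -v min="${2:-1}" '
        /\[BlacklistNotification/ {
            # "... killed on device NAME (ID - 123):" -> NAME
            if (match($0, /on device .* \(ID - /))
                dev = substr($0, RSTART + 10, RLENGTH - 17)
            next
        }
        dev != "" && $1 == "Process:" {
            proc = $2
            for (i = 3; i <= NF; i++) proc = proc " " $i   # names with spaces
            n[dev "\t" proc]++
            dev = ""
        }
        END { for (k in n) if (n[k] >= min) printf "%s\t%d\n", k, n[k] }
    ' "$1" | sort
}
```

Pointing `kill_summary` at the real JAMFSoftwareServer.log with a threshold of, say, 10 lists the machines where the wildcard rule is looping rather than catching one launch.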
Posted on 03-28-2019 05:54 PM
Bump, good point. What did you end up doing?
Posted on 03-28-2019 10:33 PM
You could always install Malwarebytes for Mac (free) and remove MacKeeper, Genieo, etc.