Posted on 04-20-2023 03:39 AM (edited 04-20-2023 03:40 AM)
Hi,
We need a way to stop dummy EICAR malware test files from being downloaded in Chrome, Edge and Safari.
It looks like Jamf Protect or Jamf Radar cannot do this. It can only stop the files from being executed after they have been downloaded to the MacBook. Is there a way we can implement download restrictions using Jamf Pro?
thanks
Posted on 04-20-2023 05:45 AM
@ssrai20 Jamf Pro does not have any built-in capabilities for restricting downloads. You could use it to install a tool if you find, or write, one to do that, but it's not going to do it by itself.
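For the Chrome and Edge part of the original question, the control that actually blocks a download lives in the browser, not in Jamf: both browsers honour a managed `DownloadRestrictions` policy (0 = no restriction, 1 = block downloads the browser marks dangerous, 2 = also block potentially dangerous ones, 3 = block all downloads, 4 = block malicious downloads), and Jamf Pro only has to deliver it as a configuration profile. The script below is an added example, not code from any poster in this thread and not a Jamf product feature: it generates a .mobileconfig with one custom-settings payload per browser (preference domains com.google.Chrome and com.microsoft.Edge). The PayloadIdentifier values under com.example are placeholders to change for your organisation. Safari is not covered by this profile. Level 3 is the only level that does not depend on the browser's own reputation verdict, and it blocks legitimate downloads too, so pick the level deliberately.

```shell
#!/bin/sh
# Added example: build a configuration profile that sets DownloadRestrictions
# for Chrome and Edge. Not from the original thread; identifiers are placeholders.

# RFC-style UUID for the payloads; uuidgen exists on macOS, the fallbacks are
# only there so the script also runs on a Linux build box.
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    elif [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'   # unique, but not RFC 4122 formatted
    fi
}

# One "custom settings" payload: the preference domain is the PayloadType and
# the policy key sits directly in the payload dict, as Jamf's Application &
# Custom Settings payloads do.
download_policy_payload() {
    domain="$1"; level="$2"; name="$3"
    cat <<EOF
        <dict>
            <key>PayloadType</key>
            <string>$domain</string>
            <key>PayloadIdentifier</key>
            <string>com.example.$domain.downloadrestrictions</string>
            <key>PayloadUUID</key>
            <string>$(new_uuid)</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadDisplayName</key>
            <string>$name download restrictions</string>
            <key>DownloadRestrictions</key>
            <integer>$level</integer>
        </dict>
EOF
}

# Whole profile on stdout. Returns 1 for a level the policy does not define.
download_policy_profile() {
    level="$1"
    case "$level" in
        0|1|2|3|4) ;;
        *) echo "invalid DownloadRestrictions level: $level (use 0-4)" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
$(download_policy_payload com.google.Chrome "$level" "Google Chrome")
$(download_policy_payload com.microsoft.Edge "$level" "Microsoft Edge")
    </array>
    <key>PayloadDisplayName</key>
    <string>Browser download restrictions (level $level)</string>
    <key>PayloadIdentifier</key>
    <string>com.example.browser.downloadrestrictions</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>$(new_uuid)</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
EOF
}

# Usage: sh make_download_profile.sh 3 > BrowserDownloadRestrictions.mobileconfig
if [ -n "${1:-}" ]; then
    download_policy_profile "$1"
fi
```

Upload the resulting file in Jamf Pro under Configuration Profiles and scope it; once it lands in /Library/Managed Preferences the browsers show the policy as mandatory on chrome://policy and edge://policy, which is the quickest way to confirm it applied before testing with an EICAR download.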
Posted on 04-21-2023 01:33 AM
To prevent common malware I'm using a combination of an EA, a Smart Group and a script.
For example Mackeeper :
The EA :
#!/bin/bash
###############
# Variables #
###############
# Console user; stat is more robust than parsing ls output
user=$(stat -f %Su /dev/console)
result=()
filesFound=0
suspiciousFiles=(
    "/Applications/MacKeeper.app"
    "/Applications/JustCloud.app"
    "/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78"
    # per-user temp directory hash taken from the blog post; it differs per machine
    "/private/var/folders/mh/yprf0vxs3mx_n2lg3tjgqddm0000gn/T/MacKeeper*"
    "/private/tmp/MacKeeper*"
    "/Users/$user/Library/Application Support/MacKeeper Helper"
    "/Users/$user/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist"
    "/Users/$user/Library/LaunchAgents/com.jdibackup.JustCloud.autostart.plist"
    "/Library/LaunchAgents/com.jdibackup.JustCloud.notify.plist"
    "/Users/$user/Library/Logs/JustCloud"
    "/Users/$user/Library/Logs/MacKeeper.log"
    "/Users/$user/Library/Logs/MacKeeper.log.signed"
    "/Users/$user/Library/Logs/SparkleUpdateLog.log"
    "/Users/$user/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D"
    "/Users/$user/Library/Preferences/com.zeobit.MacKeeper.Helper.plist"
    "/Users/$user/Library/Preferences/com.zeobit.MacKeeper.plist"
    "/Users/$user/Library/Saved Application State/com.zeobit.MacKeeper.savedState"
    "/Users/$user/Downloads/MacKeeper*"
    "/Users/$user/Documents/MacKeeper*"
)
###############
# Script #
###############
# Split only on newlines so paths containing spaces stay intact, while the
# unquoted expansion below lets the wildcard entries (MacKeeper*) match.
# With the pattern inside quotes, [ -e ] tests the literal string and never hits.
oldIFS=$IFS
IFS=$'\n'
for suspiciousFile in "${suspiciousFiles[@]}"; do
    echo "Looking for $suspiciousFile"
    for match in $suspiciousFile; do
        if [ -e "$match" ]; then
            filesFound=$((filesFound + 1))
            result+=("$match")
        fi
    done
done
IFS=$oldIFS
if [ $filesFound -ne 0 ]; then
    echo "<result>Yes: ${result[*]}</result>"
else
    echo "<result>No</result>"
fi
exit 0
A smart group is populated with "Yes" and then a script to remove them is executed.
Following this blog post to list the files:
https://applehelpwriter.com/2018/08/02/latest-mackeeper-file-paths/
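The removal script that the post mentions but does not show, written here as an added example (it is not the poster's script and not from the linked blog). It reuses the same path list, unloads a user LaunchAgent before deleting its plist so the helper cannot respawn, and takes the filesystem root and user name as parameters so it can be exercised against a scratch directory instead of a live Mac. It assumes the script runs as root from a Jamf policy scoped to the smart group, and that the first admin-defined script parameter (Jamf passes it as $4) is set to --run to act on the real system.

```shell
#!/bin/bash
# Added example: remediation paired with the MacKeeper/JustCloud EA. Not the
# original poster's code. Paths are the EA's list; root/user are parameters.

# Unload a LaunchAgent from the user's GUI domain before removing it.
# launchctl only exists on macOS; elsewhere (e.g. a test box) this is a no-op.
unload_agent() {
    plist="$1"; uid="$2"
    if command -v launchctl >/dev/null 2>&1 && [ -f "$plist" ]; then
        launchctl bootout "gui/$uid" "$plist" 2>/dev/null || true
    fi
}

# remove_mackeeper_artifacts ROOT USER
# ROOT is "" on a real Mac (paths start at /); a temp dir when testing.
# Prints the number of paths removed.
remove_mackeeper_artifacts() {
    root="$1"; user="$2"
    home="$root/Users/$user"
    uid=$(id -u "$user" 2>/dev/null || echo 0)
    removed=0
    # Split on newlines only: wildcard entries expand, paths with spaces survive.
    oldIFS=$IFS
    IFS='
'
    for pattern in \
        "$root/Applications/MacKeeper.app" \
        "$root/Applications/JustCloud.app" \
        "$root/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78" \
        "$root/private/tmp/MacKeeper*" \
        "$root/Library/LaunchAgents/com.jdibackup.JustCloud.notify.plist" \
        "$home/Library/Application Support/MacKeeper Helper" \
        "$home/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist" \
        "$home/Library/LaunchAgents/com.jdibackup.JustCloud.autostart.plist" \
        "$home/Library/Logs/JustCloud" \
        "$home/Library/Logs/MacKeeper.log" \
        "$home/Library/Logs/MacKeeper.log.signed" \
        "$home/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D" \
        "$home/Library/Preferences/com.zeobit.MacKeeper.Helper.plist" \
        "$home/Library/Preferences/com.zeobit.MacKeeper.plist" \
        "$home/Library/Saved Application State/com.zeobit.MacKeeper.savedState" \
        "$home/Downloads/MacKeeper*" \
        "$home/Documents/MacKeeper*"
    do
        for path in $pattern; do
            [ -e "$path" ] || continue
            case "$path" in
                */LaunchAgents/*.plist) unload_agent "$path" "$uid" ;;
            esac
            rm -rf "$path" && removed=$((removed + 1))
        done
    done
    IFS=$oldIFS
    echo "$removed"
}

# Jamf policy entry point: parameters 1-3 are reserved by Jamf, $4 is the
# first admin-defined one. Only touches the real filesystem when asked to.
if [ "${4:-}" = "--run" ]; then
    consoleUser=$(stat -f %Su /dev/console)
    count=$(remove_mackeeper_artifacts "" "$consoleUser")
    echo "Removed $count MacKeeper/JustCloud artifacts for $consoleUser"
fi
```

Because it is a smart-group policy, the EA inventory update after the policy runs is what moves the Mac back out of the group; make the policy run an inventory update (Maintenance payload) or the machine stays flagged until the next recon.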
Posted on 04-21-2023 09:20 AM
Jamf's products all operate at the device level. EDR clients are responsive by nature; to prevent the file from getting to the device you need a network security tool. A network security tool can inspect traffic in flight and quarantine traffic with malicious or undesired content.