
Rogue software

Is there a way to set up a defined list of rogue software (i.e. toolbars, BitTorrent, and so on) in KACE so that if it is found it will automatically be uninstalled? If so, then how?

K1000 version 5.4xx.

Please and thank you.



Answers (3)

Posted by: ms01ak 11 years ago
10th Degree Black Belt
2

I would say the best way to achieve this would be to create a smart label which captures the rogue software, i.e. toolbars, BitTorrent clients, etc. Then have a script that is built to remove the software or, better yet, run the quarantine script and remove the machine from the network.

Posted by: SMal.tmcc 11 years ago
Red Belt
1

Fixed my custom rule to make it much cleaner after the upgrade.

Use

ShellCommandTextReturn(c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%AppDat%%") get executablepath)

then you will get a report like


Comments:
  • The above implies that your users have local administrator privileges - how else does "rogue software" get on to your boxes? - so I'd be fixing that before doing anything else. - anonymous_9363 11 years ago
    • This is not always the case that they need admin privileges.
      As in the case of what I am looking for they do not need to be an admin to install rogue software in their own profiles. Users have access to their own profile/ files. And attackers take advantage of this.
      A lot of the Java attacks work around the need for admin privileges also. - SMal.tmcc 11 years ago
      • Here is a hit of a user that has installed Chrome and a webcam in his profile; he is not an admin.

        ExecutablePath
        C:\Users\cscott\AppData\Local\Logitechr Webcam Software\Logishrd\LU2.0\LULnchr.exe
        C:\Users\cscott\AppData\Local\Logitechr Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe

        or this user
        ExecutablePath
        C:\Users\kclough\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
        C:\Users\kclough\AppData\Local\DIRECTV Player\NDSPCShowServer.exe - SMal.tmcc 11 years ago
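
As an added example (not code from the thread or from KACE): one way to turn the raw ExecutablePath report returned by the custom rule above into per-user findings that a smart label or removal script could act on. The sample lines are copied from the output posted in the comments; the function names and the `ALLOWED_FOLDERS` allowlist are hypothetical, and treating the first folder under Local/Roaming as the application name is an assumption.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample report text: lines copied from the WMIC output quoted in the thread.
SAMPLE = r"""ExecutablePath
C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\cscott\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\kclough\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
C:\Users\kclough\AppData\Local\DIRECTV Player\NDSPCShowServer.exe
"""

# Hypothetical policy: top-level AppData folders approved to run per-profile.
ALLOWED_FOLDERS = {"google"}


def parse_profile_path(line):
    """Return (user, app_folder, exe) for a path under a user's AppData, else None."""
    parts = PureWindowsPath(line.strip()).parts
    lowered = [p.lower() for p in parts]
    if "appdata" not in lowered:
        return None
    i = lowered.index("appdata")
    # Expect ...\Users\<user>\AppData\<Local|LocalLow|Roaming>\...
    if i < 2 or lowered[i - 2] != "users":
        return None
    rest = parts[i + 2:]
    if not rest:
        return None
    # An .exe dropped directly into Local/Roaming has no application folder.
    folder = rest[0] if len(rest) > 1 else "(profile root)"
    return parts[i - 1], folder, parts[-1]


def summarize(report_text, allowed=ALLOWED_FOLDERS):
    """Map each user to the sorted, de-duplicated unapproved (folder, exe) pairs."""
    found = defaultdict(set)
    for line in report_text.splitlines():
        if not line.strip() or line.strip().lower() == "executablepath":
            continue  # skip blank lines and the column header
        parsed = parse_profile_path(line)
        if parsed is None:
            continue
        user, folder, exe = parsed
        if folder.lower() not in allowed:
            found[user.lower()].add((folder, exe))
    return {user: sorted(items) for user, items in found.items()}


if __name__ == "__main__":
    for user, items in summarize(SAMPLE).items():
        print(user, items)
```

Repeated lines for the same executable (one per running process) collapse to a single finding per user.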
 