Is there a way to set up defined rogue software (i.e. toolbars, BitTorrent, and so on) in KACE so that, if found, it is automatically uninstalled? If so, then how?

K1000 version 5.4xx.

Please and thank you.


Answers

2

I would say the best way to achieve this would be to create a smart label which captures the rogue software, i.e. toolbars, BitTorrents, etc. Then have a script that is built to remove the software or, better yet, run the quarantine script and remove the machine from the network.

Answered 06/11/2013 by: ms01ak
Tenth Degree Black Belt

1

Fixed my custom rule to make it much cleaner after the upgrade.

Use

ShellCommandTextReturn(c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%AppDat%%") get executablepath)

Then you will get a report like

Answered 06/11/2013 by: SMal.tmcc
Red Belt

  • The above implies that your users have local administrator privileges - how else does "rogue software" get on to your boxes? - so I'd be fixing that before doing anything else.
    • It is not always the case that they need admin privileges.
      As in the case of what I am looking for, they do not need to be an admin to install rogue software in their own profiles. Users have access to their own profile/files. And attackers take advantage of this.
      A lot of the Java attacks work around the need for admin privileges also.
      • Here is a hit for a user who has installed Chrome and a webcam in his profile; he is not an admin.

        ExecutablePath
        C:\Users\cscott\AppData\Local\Logitechr Webcam Software\Logishrd\LU2.0\LULnchr.exe
        C:\Users\cscott\AppData\Local\Logitechr Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
        C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe

        or this user
        ExecutablePath
        C:\Users\kclough\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
        C:\Users\kclough\AppData\Local\DIRECTV Player\NDSPCShowServer.exe
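An added example, not part of the original thread: a Python sketch that condenses the WMIC `ExecutablePath` report shown above into one entry per user and application folder, so repeated processes collapse and only folders outside an allowlist are listed. The sample lines are copied from the two reports in the thread and concatenated; the function names, the two-level folder heuristic and the allowlist contents are assumptions.

```python
import re
from collections import defaultdict

# Matches C:\Users\<user>\AppData\<Local|LocalLow|Roaming>\<rest>
PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\AppData\\"
    r"(?:Local|LocalLow|Roaming)\\(?P<rest>.+)$",
    re.IGNORECASE,
)
# Assumption: application folders the site has approved (lower-case).
ALLOWED_APPS = {"google\\chrome"}

def parse_wmic_report(text):
    """Return {(user, app_folder): {exe names}} for AppData-hosted processes."""
    hits = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the column header WMIC prints first.
        if not line or line.lower() == "executablepath":
            continue
        m = PROFILE_RE.match(line)
        if not m:
            continue  # not running from a user profile
        parts = m.group("rest").split("\\")
        # Heuristic: app folder = up to two directory levels below AppData\<scope>.
        app = "\\".join(parts[:-1][:2]) or "(root)"
        hits[(m.group("user"), app)].add(parts[-1])
    return dict(hits)

def unapproved(hits, allowed=ALLOWED_APPS):
    """Sorted (user, app_folder, exes) entries not covered by the allowlist."""
    return sorted(
        (user, app, sorted(exes))
        for (user, app), exes in hits.items()
        if app.lower() not in allowed
    )

# Lines copied from the reports in the thread, concatenated for the example.
SAMPLE = r"""ExecutablePath
C:\Users\cscott\AppData\Local\Logitechr Webcam Software\Logishrd\LU2.0\LULnchr.exe
C:\Users\cscott\AppData\Local\Logitechr Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe
C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\cscott\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\cscott\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
ExecutablePath
C:\Users\kclough\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
C:\Users\kclough\AppData\Local\DIRECTV Player\NDSPCShowServer.exe
"""
```

Because every folder under `AppData` is writable by its owner, the allowlist here only reduces noise for triage; it does not establish that a binary at an approved path is the approved software.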