So I decided to set up Software Restrictions on my Active Directory network. Of course, I needed a good list of paths to block (I'm using the path method). Unfortunately, I could find no such list and had to resort to digging through HiJackThis logs on Usenet and searches on Google. To help others, here's the list I'm using:
Chat
%ProgramFiles%\MSN\MSNCoreFiles\msn.exe - MSN IM Client 1
%ProgramFiles%\MSN\MSNIA\msniasvc.exe - MSN IM Client 2
%ProgramFiles%\MSN Messenger\msnmsgr.exe - MSN IM Client 3
%ProgramFiles%\Messenger\msmsgs.exe - Messenger IM Client
%ProgramFiles%\AIM\aim.exe - AOL IM Client
%ProgramFiles%\skype\phone\skype.exe - Skype VOIP/IM Client
%ProgramFiles%\AIM+\AIM+.exe - Aim+ IM Client
P2P
%ProgramFiles%\Kazaa Lite K++\kpp.exe - Kazaa Lite P2P Software
%ProgramFiles%\kazaa\kazaa.exe - Kazaa P2P Software
%ProgramFiles%\BearShare\BearShare.exe - Bearshare P2P Software
%ProgramFiles%\LimeWire\LimeWire.exe - Limewire P2P Software
%ProgramFiles%\Shareaza\Shareaza.exe - Shareaza P2P Software
%ProgramFiles%\Gnucleus\*.exe - Gnucleus P2P Software
%ProgramFiles%\Grokster\*.exe - Grokster P2P Software
%ProgramFiles%\eDonkey2000\edonkey2000.exe - eDonkey P2P Software
%ProgramFiles%\Audiogalaxy Satellite\AGSatellite.exe - AudioGalaxy P2P Software
%ProgramFiles%\WinMX\WinMX.exe - WinMX P2P Software
%ProgramFiles%\iMesh\Client\iMeshClient.exe - iMesh P2P Software
Spyware
%ProgramFiles%\free surfer\fs20.exe - Free Surfer Spyware
%ProgramFiles%\MyWay\bar\2.bin\MWSOEMON.EXE - MyWebSearch Email Spyware
%ProgramFiles%\WEBSHOTS\WEBSHOTSTRAY.EXE - Webshots Spyware
%ProgramFiles%\HOTBAR\BIN\4.1.8.0\HBSRV.EXE - HotBar Spyware 1
%ProgramFiles%\Hotbar\bin\Hbinst.exe - HotBar Spyware 2
%ProgramFiles%\COMMON FILES\GMT\GMT.EXE - Gator Spyware 1
%ProgramFiles%\COMMON FILES\CMEII\CMESYS.EXE - Gator Spyware 2
%ProgramFiles%\webHancer\Programs\whAgent.exe - WebHancer Spyware
%ProgramFiles%\AllSpamGone\AllSpamGone.exe - AllSpamGone Spyware
%ProgramFiles%\AdsGone\adsgone.exe - AdsGone Spyware
%ProgramFiles%\Morpheus\Morpheus.exe - Morpheus P2P Software
%ProgramFiles%\iMesh\Client\FTP_back.exe - iMesh Trojan
%ProgramFiles%\POP Peeper\POPPeeper.exe - PopPeeper Spyware
%ProgramFiles%\Power Soft\Free Notes\FreeNotes.exe - FreeNotes Spyware
%ProgramFiles%\SmartBarXP BETA4.9\SmartBarXP.exe - SmartBarXP Spyware
%ProgramFiles%\MYWEBSEARCH\bar\1.bin\mwsoemon.exe - MyWebSearch Toolbar Spyware
%ProgramFiles%\SAVE\SAVE.EXE - WhenU SaveNow Spyware
%ProgramFiles%\BullsEye Network\bin\bargains.exe - Bargain Buddy Spyware 1
%ProgramFiles%\Bargain Buddy\bin2\bargains.exe - Bargain Buddy Spyware 2
%ProgramFiles%\Internet Optimizer\optimize.exe - MoneyTree Dialer Spyware
%ProgramFiles%\Web_Rebates\WebRebates1.exe - TopRebates Spyware 1
%ProgramFiles%\Web_Rebates\WebRebates0.exe - TopRebates Spyware 2
%ProgramFiles%\Speed Disk\nopdb.exe - Speed Disk Spyware
%ProgramFiles%\GetRight\getright.exe - GetRight Spyware
%ProgramFiles%\Common files\WinTools\WToolsA.exe - HuntBar Spyware 1
%ProgramFiles%\Common files\WinTools\WSup.exe - HuntBar Spyware 2
%ProgramFiles%\Common files\WinTools\Wtoolss.exe - HuntBar Spyware 3
%ProgramFiles%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe - Ebates Spyware
*\win*\System32\msbb.exe - 180Solutions Spyware
%ProgramFiles%\INTERNET OPTIMIZER\ACTALERT.EXE - MoneyTree Dialer Spyware
%ProgramFiles%\ISTsvc\istsvc.exe - IST Spyware
%ProgramFiles%\PrecisionTime\PrecisionTime.exe - Gator Spyware 2
Of course, there are probably hundreds of spyware entries that I didn't include, but these are the most common I've seen. I also could have included more chat apps, like Gaim, Trillian, or Yahoo, but we currently use those in limited deployment. I'm also sure there are more P2P apps, but I don't use P2P so I've just included the ones I've heard of. Also, other apps like iTunes, Winamp, etc., could also be inappropriate on other networks, but I tolerate them here.
Please feel free to comment with additional programs that you block...
Here's a link on how to set this up for your network:
Microsoft Windows XP: "Using Software Restriction Policies to Protect Against Unauthorized Software"
March 27, 2006
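A path list like this one grows by accretion, so it is worth linting before it goes into a GPO. The following is an added example, not part of the original post: it flags entries already covered by another rule and entries pinned to a version-numbered directory, which stop matching once the software updates. The names `RULES`, `parse` and `lint` are hypothetical, and Python's `fnmatch` is assumed here as an approximation of how path-rule wildcards match.

```python
import re
from fnmatch import fnmatchcase

# Entries copied from the list and the comments on this page; the last
# line is a constructed case-variant repeat added for the example.
RULES = r"""
%ProgramFiles%\Gnucleus\*.exe - Gnucleus P2P Software
%ProgramFiles%\kazaa\kazaa.exe - Kazaa P2P Software
%ProgramFiles%\HOTBAR\BIN\4.1.8.0\HBSRV.EXE - HotBar Spyware 1
%ProgramFiles%\SmartBarXP BETA4.9\SmartBarXP.exe - SmartBarXP Spyware
%ProgramFiles%\MyWay\bar\2.bin\MWSOEMON.EXE - MyWebSearch Email Spyware
%ProgramFiles%\Gnucleus\Gnucleus.exe - Gnucleus P2P Software
%PROGRAMFILES%\Kazaa\KAZAA.EXE - constructed repeat
"""

def parse(text):
    """Split 'path - description' lines into (path, description) pairs."""
    rules = []
    for line in text.strip().splitlines():
        path, _, desc = line.rpartition(" - ")
        rules.append((path.strip(), desc.strip()))
    return rules

def lint(rules):
    """Return (path, finding) pairs for redundant or version-pinned rules."""
    findings = []
    keys = [p.lower() for p, _ in rules]   # Windows paths are case-insensitive
    for i, key in enumerate(keys):
        for j, other in enumerate(keys):
            # Another rule's pattern already matches this rule's path.
            if i != j and fnmatchcase(key, other) and (other != key or j < i):
                findings.append((rules[i][0], "covered by " + rules[j][0]))
                break
        # A version number in a directory name stops matching after an update.
        if any(re.search(r"\d+\.\d+", part) for part in key.split("\\")[:-1]):
            findings.append((rules[i][0], "version-pinned directory"))
    return findings

if __name__ == "__main__":
    for path, finding in lint(parse(RULES)):
        print(f"{path}: {finding}")
```

For a version-pinned finding, a wildcard for the version directory (as the list already does for Gnucleus and Grokster) keeps the rule matching across updates.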
5 comments:
A few more (after testing):
%ProgramFiles%\iMesh Applications\iMesh6\iMesh6.exe - iMesh6 P2P Software
%ProgramFiles%\Audiogalaxy Rhapsody\rhapsody.exe - Rhapsody
%ProgramFiles%\Gnucleus\Gnucleus.exe - Gnucleus P2P Software
%ProgramFiles%\Common Files\AOL\Launch\aollaunch.exe - AOL Launcher
%ProgramFiles%\POP Peeper\POPPeeper.exe - PopPeeper Spyware
How come? I am confused...
I used to run this prog to access my e-mail boxes (yahoo, gmail). Recently, our company migrated to Active Directory, and since then I cannot access the mailboxes anymore.
It seems that the majority of sites out there are still "researching" this software, so I'd rather err on the side of caution. Also, I have no need for it, so I blocked it in my environment. You don't have to block it if you use it.
Block everything and then unblock the applications that you want the people to use. Just a thought.
There is an extensive list of P2P programs listed in a GPO here:
https://www.itscforum.dk/showthread.php?57-Windows-7-GPO-to-block-P2P-Applications
One can restore the GPO into an existing active directory and block more than 360 P2P programs within minutes.
It is free to download and is updated a couple of times a month.