nullzilla

Monitor - Potentially Unwanted Applications

Aug 25th, 2021 (edited)
  1. Import-Module $env:SyncroModule -WarningAction SilentlyContinue
  2.  
  3. # For full functionality:
  4. # Create an 'Allowed Apps' customer custom field and asset custom field in Syncro Admin
  5. # Add Syncro platform script variables for $orgallowlist and $assetallowlist and link them to your custom fields
  6.  
  7. # Application list arrays, you can add more if you want
  8. $security = @("ahnlab", "avast", "avg", "avira", "bitdefender", "checkpoint", "clamwin", "comodo", "dr.web", "eset ", "fortinet", "f-prot", "f-secure", "g data", "immunet", "kaspersky", "mcafee", "nano", "norton", "panda", "qihoo 360", "reason", "segurazo", "sophos", "symantec", "trend micro", "trustport", "webroot", "zonealarm")
  9. $remoteaccess = @("aeroadmin", "alpemix", "ammyy", "anydesk", "asg-remote", "aspia", "bomgar", "chrome remote", "cloudberry remote", "dameware", "dayon", "deskroll", "dualmon", "dwservice", "ehorus", "fixme.it", "gosupportnow", "gotoassist", "gotomypc", "guacamole", "impcremote", "instant housecall", "instatech", "isl alwayson", "isl light", "join.me", "jump desktop", "kaseya", "lite manager", "logmein", "mikogo", "meshcentral", "mremoteng", "nomachine", "opennx", "optitune", "pilixo", "radmin", "remotetopc", "remotepc", "remote utilities", "rescueassist", "screenconnect", "showmypc", "simplehelp", "splashtop", "supremo", "take control", "teamviewer", "thinfinity", "ultraviewer", "vnc", "wayk now", "x2go", "zoho assist")
  10. $rmm = @("Advanced Monitoring Agent", "Windows Agent", "Datto RMM", "Kaseya", "Ninja", "GFI", "Atera", "Tactical RMM", "ITSupport247", "RMM Agent", "Pulseway")
  11. $eol = @("Adobe Flash Player", "Adobe Shockwave Player", "Microsoft Silverlight", "Quicktime")
  12. $junk = @("Clear ", "Toolbar", "Internet Explorer", "Homepage", "OneLaunch", "New tab", "Wave", "Winzip")
  13.  
  14. # Combine our lists, if you create more lists be sure to add them here
  15. $appwatchlist = $security + $remoteaccess + $rmm + $eol + $junk
  16.  
  17. # Allowlist array, you must use the full name for the matching to work!
  18. $allowlist = @("ScreenConnect Client (1234567890)", "Bitdefender Endpoint Security Tools")
  19. Write-Output "Allowed Apps at Root Level:" ($allowlist -join ", ")
  20. $allowlist += ($orgallowlist -split ",").Trim()
  21. Write-Output "Allowed Apps at Organization Level: $orgallowlist"
  22. $allowlist += ($assetallowlist -split ",").Trim()
  23. Write-Output "Allowed Apps at Asset Level: $assetallowlist"
  24.  
  25. # This section courtesy of https://github.com/darimm/RMMFunctions
  26. # Registry paths
  27. $32BitPath = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
  28. $64BitPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
  29. # Create empty array to store applications
  30. $InstalledApps = @()
  31. # Retreive globally installed applications
  32. $InstalledApps += Get-ItemProperty "HKLM:\$32BitPath"
  33. $InstalledApps += Get-ItemProperty "HKLM:\$64BitPath"
  34. #Retrieve user installed applications
  35. $AllProfiles = Get-WmiObject Win32_UserProfile |
  36.     Select-Object LocalPath, SID, Loaded, Special |
  37.         Where-Object { $_.SID -like "S-1-5-21-*" -or $_.SID -like "S-1-12-1-*" } # 5-21 regular users, 12-1 is AzureAD users
  38. $MountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $true }
  39. $MountedProfiles | Foreach-Object {
  40.     $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$32BitPath"
  41.     $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$64BitPath"
  42. }
  43. $UnmountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $false }
  44. $UnmountedProfiles | ForEach-Object {
  45.     $Hive = "$($_.LocalPath)\NTUSER.DAT"
  46.     if (Test-Path $Hive) {
  47.         REG LOAD HKU\temp $Hive 2>&1>$null
  48.         $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$32BitPath"
  49.         $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$64BitPath"
  50.         # Run manual GC to allow hive to be unmounted
  51.         [GC]::Collect()
  52.         [GC]::WaitForPendingFinalizers()
  53.         REG UNLOAD HKU\temp 2>&1>$null
  54.     }
  55. }
  56.  
  57. # Clear the output variable so we don't get confused while testing
  58. $output = ''
  59.  
  60. # Cycle through each app in the apps array searching for matches and store them
  61. $output = foreach ($app in $appwatchlist) {
  62.     @($InstalledApps | Where-Object { $_.DisplayName -match "$app" -and $allowlist -notcontains $_.DisplayName } | Select-Object -ExpandProperty DisplayName)
  63. }
  64.  
  65. # If we found something, report it
  66. if ($output) {
  67.     Write-Output "Apps Found:"
  68.     $report = ($output | Sort-Object | Get-Unique)
  69.     $report
  70.     Rmm-Alert -Category 'Potentially Unwanted Applications' -Body "Apps Found: $report"
  71.     exit 1
  72. }
  73. else {
  74.     Write-Host "No Apps Found."
  75.     Close-Rmm-Alert -Category "Potentially Unwanted Applications"
  76. }
  77.  