nullzilla

Monitor - Potentially Unwanted Applications

Aug 25th, 2021 (edited)
  1. Import-Module $env:SyncroModule -WarningAction SilentlyContinue
  2. <# For full functionality:
  3. Create an 'Allowed Apps' customer custom field and asset custom field in Syncro Admin
  4. Add Syncro platform script variables for $OrgAllowList and $AssetAllowList and link them to your custom fields
  5.  
  6. Version 1.1 - 2025/06/02
  7.     Added - Skype to EOL list
  8.     Added - Aweray Remote to RemoteAccess list
  9.     Changed - RMM list to use actual verified agent names
  10. #>
  11.  
  12. # Application list arrays, you can add more if you want
  13. $Security = @("ahnlab", "avast", "avg", "avira", "bitdefender", "checkpoint", "clamwin", "comodo", "dr.web", "eset ", "fortinet", "f-prot", "f-secure", "g data", "immunet", "kaspersky", "mcafee", "nano", "norton", "panda", "qihoo 360", "reason", "segurazo", "sophos", "symantec", "trend micro", "trustport", "webroot", "zonealarm")
  14. $RemoteAccess = @("aeroadmin", "alpemix", "ammyy", "anydesk", "asg-remote", "aspia", "aweray remote", "bomgar", "chrome remote", "cloudberry remote", "dameware", "dayon", "deskroll", "dualmon", "dwservice", "ehorus", "fixme.it", "gosupportnow", "gotoassist", "gotomypc", "guacamole", "impcremote", "instant housecall", "instatech", "isl alwayson", "isl light", "join.me", "jump desktop", "kaseya", "lite manager", "logmein", "mikogo", "meshcentral", "mremoteng", "nomachine", "opennx", "optitune", "pilixo", "radmin", "remotetopc", "remotepc", "remote utilities", "rescueassist", "screenconnect", "showmypc", "simplehelp", "splashtop", "supremo", "take control", "teamviewer", "thinfinity", "ultraviewer", "vnc", "wayk now", "x2go", "zoho assist")
  15. $RMM = @("Advanced Monitoring Agent", "Windows Agent", "Datto RMM", "Kaseya", "Ninja", "GFI", "Atera", "Tactical RMM", "ITSupport247", "RMM Agent", "Pulseway")
  16. $EOL = @("Adobe Flash Player", "Adobe Shockwave Player", "Microsoft Silverlight", "QuickTime", "Skype")
  17. $Junk = @("Clear ", "Toolbar", "Internet Explorer", "Homepage", "OneLaunch", "New tab", "Wave", "Winzip")
  18.  
  19. # Combine our lists, if you create more lists be sure to add them here
  20. $AppWatchList = $Security + $RemoteAccess + $RMM + $EOL + $Junk
  21.  
  22. # Allowlist array, you must use the full name for the matching to work!
  23. $AllowList = @("ScreenConnect Client (12345youridnumberhere)", "Bitdefender Endpoint Security Tools")
  24. Write-Output "Allowed Apps at Root Level:" ($AllowList -join ", ")
  25. $AllowList += ($OrgAllowList -split ",").Trim()
  26. Write-Output "Allowed Apps at Organization Level: $OrgAllowList"
  27. $AllowList += ($AssetAllowList -split ",").Trim()
  28. Write-Output "Allowed Apps at Asset Level: $AssetAllowList"
  29.  
  30. # This section courtesy of https://github.com/darimm/RMMFunctions
  31. # Registry paths
  32. $32BitPath = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
  33. $64BitPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
  34. # Create empty array to store applications
  35. $InstalledApps = @()
  36. # Retreive globally installed applications
  37. $InstalledApps += Get-ItemProperty "HKLM:\$32BitPath"
  38. $InstalledApps += Get-ItemProperty "HKLM:\$64BitPath"
  39. #Retrieve user installed applications
  40. $AllProfiles = Get-WmiObject Win32_UserProfile |
  41.     Select-Object LocalPath, SID, Loaded, Special |
  42.         Where-Object { $_.SID -like "S-1-5-21-*" -or $_.SID -like "S-1-12-1-*" } # 5-21 regular users, 12-1 is AzureAD users
  43. $MountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $true }
  44. $MountedProfiles | Foreach-Object {
  45.     $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$32BitPath"
  46.     $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$64BitPath"
  47. }
  48. $UnmountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $false }
  49. $UnmountedProfiles | ForEach-Object {
  50.     $Hive = "$($_.LocalPath)\NTUSER.DAT"
  51.     if (Test-Path $Hive) {
  52.         REG LOAD HKU\temp $Hive 2>&1>$null
  53.         $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$32BitPath"
  54.         $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$64BitPath"
  55.         # Run manual GC to allow hive to be unmounted
  56.         [GC]::Collect()
  57.         [GC]::WaitForPendingFinalizers()
  58.         REG UNLOAD HKU\temp 2>&1>$null
  59.     }
  60. }
  61.  
  62. # Clear the output variable so we don't get confused while testing
  63. $Output = ''
  64.  
  65. # Cycle through each app in the apps array searching for matches and store them
  66. $Output = foreach ($App in $AppWatchList) {
  67.     @($InstalledApps | Where-Object { $_.DisplayName -match "$App" -and $AllowList -notcontains $_.DisplayName } | Select-Object -ExpandProperty DisplayName)
  68. }
  69.  
  70. # If we found something, report it
  71. if ($Output) {
  72.     Write-Output "Apps Found:"
  73.     $report = ($Output | Sort-Object | Get-Unique)
  74.     $report
  75.     Rmm-Alert -Category 'Potentially Unwanted Applications' -Body "Apps Found: $report"
  76.     exit 1
  77. }
  78. else {
  79.     Write-Host "No Apps Found."
  80.     Close-Rmm-Alert -Category "Potentially Unwanted Applications"
  81. }
  82.  