Advertisement
nullzilla

Monitor - Potentially Unwanted Applications

Aug 25th, 2021 (edited)
4,099
1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Import-Module $env:SyncroModule -WarningAction SilentlyContinue
  2.  
  3. # For full functionality:
  4. # Create an 'Allowed Apps' customer custom field and asset custom field in Syncro Admin
  5. # Add Syncro platform script variables for $orgallowlist and $assetallowlist and link them to your custom fields
  6.  
  7. # Application list arrays, you can add more if you want
  8. $security = @("ahnlab", "avast", "avg", "avira", "bitdefender", "checkpoint", "clamwin", "comodo", "dr.web", "eset ", "fortinet", "f-prot", "f-secure", "g data", "immunet", "kaspersky", "mcafee", "nano", "norton", "panda", "qihoo 360", "reason", "segurazo", "sophos", "symantec", "trend micro", "trustport", "webroot", "zonealarm")
  9. $remoteaccess = @("aeroadmin", "alpemix", "ammyy", "anydesk", "asg-remote", "aspia", "bomgar", "chrome remote", "cloudberry remote", "dameware", "dayon", "deskroll", "dualmon", "dwservice", "ehorus", "fixme.it", "gosupportnow", "gotoassist", "gotomypc", "guacamole", "impcremote", "instant housecall", "instatech", "isl alwayson", "isl light", "join.me", "jump desktop", "kaseya", "lite manager", "logmein", "mikogo", "meshcentral", "mremoteng", "nomachine", "opennx", "optitune", "pilixo", "radmin", "remotetopc", "remotepc", "remote utilities", "rescueassist", "screenconnect", "showmypc", "simplehelp", "splashtop", "supremo", "take control", "teamviewer", "thinfinity", "ultraviewer", "vnc", "wayk now", "x2go", "zoho assist")
  10. $rmm = @("Advanced Monitoring Agent", "Windows Agent", "Datto RMM", "Kaseya", "Ninja", "GFI", "Atera", "Tactical RMM", "ITSupport247", "RMM Agent", "Pulseway")
  11. $eol = @("Adobe Flash Player", "Adobe Shockwave Player", "Microsoft Silverlight", "Quicktime")
  12. $junk = @("Clear ", "Toolbar", "Internet Explorer", "Homepage", "OneLaunch", "New tab", "Wave", "Winzip")
  13.  
  14. # Combine our lists, if you create more lists be sure to add them here
  15. $appwatchlist = $security + $remoteaccess + $rmm + $eol + $junk
  16.  
  17. # Allowlist array, you must use the full name for the matching to work!
  18. $allowlist = @("ScreenConnect Client (1234567890)", "Bitdefender Endpoint Security Tools")
  19. Write-Output "Allowed Apps at Root Level:" ($allowlist -join ", ")
  20. $allowlist += ($orgallowlist -split ",").Trim()
  21. Write-Output "Allowed Apps at Organization Level: $orgallowlist"
  22. $allowlist += ($assetallowlist -split ",").Trim()
  23. Write-Output "Allowed Apps at Asset Level: $assetallowlist"
  24.  
  25. # This section courtesy of https://github.com/darimm/RMMFunctions
  26. # Registry paths
  27. $32BitPath = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
  28. $64BitPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
  29. # Create empty array to store applications
  30. $InstalledApps = @()
  31. # Retreive globally installed applications
  32. $InstalledApps += Get-ItemProperty "HKLM:\$32BitPath"
  33. $InstalledApps += Get-ItemProperty "HKLM:\$64BitPath"
  34. #Retrieve user installed applications
  35. $AllProfiles = Get-WmiObject Win32_UserProfile |
  36.     Select-Object LocalPath, SID, Loaded, Special |
  37.         Where-Object { $_.SID -like "S-1-5-21-*" -or $_.SID -like "S-1-12-1-*" } # 5-21 regular users, 12-1 is AzureAD users
  38. $MountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $true }
  39. $MountedProfiles | Foreach-Object {
  40.     $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$32BitPath"
  41.     $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$64BitPath"
  42. }
  43. $UnmountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $false }
  44. $UnmountedProfiles | ForEach-Object {
  45.     $Hive = "$($_.LocalPath)\NTUSER.DAT"
  46.     if (Test-Path $Hive) {
  47.         REG LOAD HKU\temp $Hive 2>&1>$null
  48.         $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$32BitPath"
  49.         $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$64BitPath"
  50.         # Run manual GC to allow hive to be unmounted
  51.         [GC]::Collect()
  52.         [GC]::WaitForPendingFinalizers()
  53.         REG UNLOAD HKU\temp 2>&1>$null
  54.     }
  55. }
  56.  
  57. # Clear the output variable so we don't get confused while testing
  58. $output = ''
  59.  
  60. # Cycle through each app in the apps array searching for matches and store them
  61. $output = foreach ($app in $appwatchlist) {
  62.     @($InstalledApps | Where-Object { $_.DisplayName -match "$app" -and $allowlist -notcontains $_.DisplayName } | Select-Object -ExpandProperty DisplayName)
  63. }
  64.  
  65. # If we found something, report it
  66. if ($output) {
  67.     Write-Output "Apps Found:"
  68.     $report = ($output | Sort-Object | Get-Unique | Out-String)
  69.     $report
  70.     Rmm-Alert -Category 'Potentially Unwanted Applications' -Body "Apps Found: $report"
  71.     exit 1
  72. }
  73. else {
  74.     Write-Host "No Apps Found."
  75.     Close-Rmm-Alert -Category "Potentially Unwanted Applications"
  76. }
  77.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement