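# Loads the Syncro module (provides Rmm-Alert / Close-Rmm-Alert used at the end of the script).
Import-Module $env:SyncroModule -WarningAction SilentlyContinue

# For full functionality:
# Create an 'Allowed Apps' customer custom field and asset custom field in Syncro Admin
# Add Syncro platform script variables for $orgallowlist and $assetallowlist and link them to your custom fields
# NOTE(review): whoever can edit those custom fields can silence an alert for any app,
# so treat write access to them as security-relevant - confirm who has it.

# Application list arrays, you can add more if you want.
# Each term is compared against the installed app's DisplayName as a substring,
# so short terms ("vnc", "nano", "Wave", "Ninja") will also hit unrelated products;
# use the allowlist below to suppress known-good matches.
$security = @("ahnlab", "avast", "avg", "avira", "bitdefender", "checkpoint", "clamwin", "comodo", "dr.web", "eset ", "fortinet", "f-prot", "f-secure", "g data", "immunet", "kaspersky", "mcafee", "nano", "norton", "panda", "qihoo 360", "reason", "segurazo", "sophos", "symantec", "trend micro", "trustport", "webroot", "zonealarm")
$remoteaccess = @("aeroadmin", "alpemix", "ammyy", "anydesk", "asg-remote", "aspia", "bomgar", "chrome remote", "cloudberry remote", "dameware", "dayon", "deskroll", "dualmon", "dwservice", "ehorus", "fixme.it", "gosupportnow", "gotoassist", "gotomypc", "guacamole", "impcremote", "instant housecall", "instatech", "isl alwayson", "isl light", "join.me", "jump desktop", "kaseya", "lite manager", "logmein", "mikogo", "meshcentral", "mremoteng", "nomachine", "opennx", "optitune", "pilixo", "radmin", "remotetopc", "remotepc", "remote utilities", "rescueassist", "screenconnect", "showmypc", "simplehelp", "splashtop", "supremo", "take control", "teamviewer", "thinfinity", "ultraviewer", "vnc", "wayk now", "x2go", "zoho assist")
$rmm = @("Advanced Monitoring Agent", "Windows Agent", "Datto RMM", "Kaseya", "Ninja", "GFI", "Atera", "Tactical RMM", "ITSupport247", "RMM Agent", "Pulseway")
$eol = @("Adobe Flash Player", "Adobe Shockwave Player", "Microsoft Silverlight", "Quicktime")
$junk = @("Clear ", "Toolbar", "Internet Explorer", "Homepage", "OneLaunch", "New tab", "Wave", "Winzip")

# Combine our lists, if you create more lists be sure to add them here
$appwatchlist = $security + $remoteaccess + $rmm + $eol + $junk

# Allowlist array, you must use the full name for the matching to work!
# (Entries are compared to DisplayName with -notcontains, i.e. whole-string equality.)
# NOTE(review): the ScreenConnect entry looks like a sample instance ID - replace it with your own.
$allowlist = @("ScreenConnect Client (1234567890)", "Bitdefender Endpoint Security Tools")
Write-Output "Allowed Apps at Root Level:" ($allowlist -join ", ")

# The organization and asset allowlists arrive as comma-separated strings, so an app
# name that itself contains a comma cannot be expressed there. Blank items (unset
# variable, trailing comma, ", ,") are dropped instead of being added as empty entries.
$allowlist += @(($orgallowlist -split ",") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
Write-Output "Allowed Apps at Organization Level: $orgallowlist"
$allowlist += @(($assetallowlist -split ",") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
Write-Output "Allowed Apps at Asset Level: $assetallowlist"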
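# This section courtesy of https://github.com/darimm/RMMFunctions
# Builds $InstalledApps from the Uninstall registry keys: machine-wide (HKLM) plus
# every user profile, mounted or not.
# Limitation: only software that registers an uninstall entry shows up here. Portable
# or run-once executables leave no such key, so an empty result from this inventory
# does not prove that no remote-access tool is present.

# Registry paths
$32BitPath = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
$64BitPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"

# Create empty array to store applications
$InstalledApps = @()

# Retrieve globally installed applications
$InstalledApps += Get-ItemProperty "HKLM:\$32BitPath"
$InstalledApps += Get-ItemProperty "HKLM:\$64BitPath"

# Retrieve user installed applications
$AllProfiles = Get-WmiObject Win32_UserProfile |
    Select-Object LocalPath, SID, Loaded, Special |
    Where-Object { $_.SID -like "S-1-5-21-*" -or $_.SID -like "S-1-12-1-*" } # 5-21 regular users, 12-1 is AzureAD users

# Profiles whose hive is already loaded can be read directly under HKEY_USERS\<SID>
$MountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $true }
$MountedProfiles | ForEach-Object {
    $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$32BitPath"
    $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\$($_.SID)\$64BitPath"
}

# Profiles that are not loaded: mount NTUSER.DAT temporarily at HKU\temp, read, unmount.
# NOTE(review): REG LOAD needs an elevated context; presumably the RMM agent runs this as SYSTEM - confirm.
$UnmountedProfiles = $AllProfiles | Where-Object { $_.Loaded -eq $false }
$UnmountedProfiles | ForEach-Object {
    $Hive = "$($_.LocalPath)\NTUSER.DAT"
    if (Test-Path $Hive) {
        REG LOAD HKU\temp $Hive 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            # If the load failed, HKU\temp is either absent or still holds a different
            # hive (left over from an earlier failed unload, or loaded by another tool).
            # Reading or unloading it here would attribute the wrong user's data to this
            # profile, so skip the profile instead.
            Write-Warning "Could not load $Hive (REG LOAD exit code $LASTEXITCODE); profile skipped."
        }
        else {
            try {
                $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$32BitPath"
                $InstalledApps += Get-ItemProperty -Path "Registry::\HKEY_USERS\temp\$64BitPath"
            }
            finally {
                # Run manual GC to allow hive to be unmounted
                [GC]::Collect()
                [GC]::WaitForPendingFinalizers()
                REG UNLOAD HKU\temp 2>&1 | Out-Null
                if ($LASTEXITCODE -ne 0) {
                    # A hive left mounted keeps the user's NTUSER.DAT locked and makes
                    # the next REG LOAD fail, so make the failure visible.
                    Write-Warning "Could not unload HKU\temp after reading $Hive (REG UNLOAD exit code $LASTEXITCODE)."
                }
            }
        }
    }
}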
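# Cycle through each app in the apps array searching for matches and store them.
# $output is assigned from the loop below, so no separate reset is needed.
$output = foreach ($app in $appwatchlist) {
    # -match treats its right-hand side as a regular expression. Watchlist terms such
    # as "dr.web", "fixme.it" and "join.me" contain '.', which would match any
    # character, so escape the term to get the literal, case-insensitive substring
    # match the lists are written for.
    $pattern = [regex]::Escape($app)
    @($InstalledApps |
        Where-Object { $_.DisplayName -match $pattern -and $allowlist -notcontains $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName)
}

# If we found something, report it
if ($output) {
    Write-Output "Apps Found:"
    # An app can match several terms or be installed for several users; list each name once
    $report = ($output | Sort-Object | Get-Unique | Out-String)
    $report
    Rmm-Alert -Category 'Potentially Unwanted Applications' -Body "Apps Found: $report"
    # Non-zero exit so the RMM marks the script run as failed
    exit 1
}
else {
    # NOTE(review): this branch is also taken when $InstalledApps is empty because the
    # registry reads failed, which would close an open alert without a real scan - confirm
    # whether that case should be handled separately.
    Write-Host "No Apps Found."
    Close-Rmm-Alert -Category "Potentially Unwanted Applications"
}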