10 Replies Latest reply on Sep 5, 2017 11:19 PM by Peter Massa

    Blocking Google Extension

    BryanNg Apprentice

      Hi All,

       

      Would like to know is it possible to block google extension using the LDMS or LDSS suite?

        • 1. Re: Blocking Google Extension
          Peter Massa Expert

          Hey BryanNg,

           

          We block many Chrome Extensions via LDMS.

           

          We create a Custom Definition with-in patch management that has a Detection Logic -> Custom Script like this:

          EXTERNAL APPLICATION
          exe=powershell.exe
          args=-executionpolicy bypass %filename%
          filename=detect.ps1

          echo off
          if (Test-Path -Path HKLM:\Software\Policies\Google\Chrome) {

          } else {
          New-Item -Path HKLM:\Software\Policies -Name Google –Force
          New-Item -Path HKLM:\Software\Policies\Google -Name Chrome –Force
          }
          New-Item -Path HKLM:\Software\Policies\Google\Chrome -Name ExtensionInstallBlacklist –Force
          New-ItemProperty -Path HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlacklist -Name 1 -Value "example1hngddnoookogelabohpgabc" –Force

          New-ItemProperty -Path HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlacklist -Name 2 -Value "example2hngddnoookogelabohpgabc" –Force

           

          echo "detected=false"

          echo "found=ExtensionInstallBlacklist settings applied"

           

          Then you configure what systems you want to scan/block this via the Scan tab of the definition.

           

          Then any system that is a part of the scope you choose to scan against that runs a vulscan will add this setting to the system and block the extensions that you put the GUIDs in for.

           

          You could also create a powershell / batch script to do this and push the settings out.  We choose to do it via patch so that it is easily updated and centrally managed.

           

          Hope this helps,

          Peter

          • 2. Re: Blocking Google Extension
            BryanNg Apprentice

            Hi Peter,

             

            Thanks for information. Glad to know there's way to solve it. Is there any documentation guide for me to learn? I kinda have some hard time doing the scripting.

            • 3. Re: Blocking Google Extension
              Peter Massa Expert

              For this specific task you would have to learn about three items:

               

              1. Chrome Policies: Set Chrome policies for devices - Chrome for business and education Help

              2. PowerShell: Using Windows PowerShell | Microsoft Docs

              3. Ivanti Custom Definitions: Create custom security definitions

               

              The script I provided above covers items 1 and 2 already.  You just need to get your extension guids you want to block and add them into the script in place of the "example1hngddnoookogelabohpgabc" examples.  For each one you do - it needs to have a unique number as the name: -Name 1,  -Name 2, -Name 3, etc.

               

              Hope this helps,

              Peter

              • 4. Re: Blocking Google Extension
                BryanNg Apprentice

                Hi Peter,

                 

                I tried to use your script and change inserted the GUIDS in, but did not block the extension and stated not detect on the Security and Patch information.

                 

                • 5. Re: Blocking Google Extension
                  Peter Massa Expert

                  Hey Bryan,

                   

                  Can you post your script here.  I will check to see what may not be working.

                   

                  Thanks,

                  Peter

                  • 6. Re: Blocking Google Extension
                    BryanNg Apprentice

                    Hi Peter,

                     

                    Here are the script i tested:

                     

                    EXTERNAL APPLICATION

                    exe=powershell.exe

                    args=-executionpolicy bypass %filename%

                    filename=detect.ps1

                    echo off

                    if (Test-Path -Path HKLM:\Software\Policies\Google\Chrome) {

                    } else {

                    New-Item -Path HKLM:\Software\Policies -Name Google –Force

                    New-Item -Path HKLM:\Software\Policies\Google -Name Chrome –Force

                    }

                    New-Item -Path HKLM:\Software\Policies\Google\Chrome -Name ExtensionInstallBlacklist –Force

                    New-ItemProperty -Path HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlacklist -Name 1 -Value "niloccemoadcdkdjlinkgdfekeahmflj" –Force

                    New-ItemProperty -Path HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlacklist -Name 2 -Value "iolcbmjhmpdheggkocibajddahbeiglb" –Force

                     

                    echo "detected=false"

                    echo "found=ExtensionInstallBlacklist settings applied"

                    • 7. Re: Blocking Google Extension
                      Peter Massa Expert

                      That looks correct to me.

                       

                      Are you deploying regular Chrome or Chrome Enterprise?  I am wondering if it works for us because we deployed Chrome Enterprise to everyone which lets you configure this stuff.

                       

                      Can you look on a system in the registry and see those keys are now added?

                      HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlacklist -Name 1 -Value "niloccemoadcdkdjlinkgdfekeahmflj"

                      HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlacklist -Name 2 -Value "iolcbmjhmpdheggkocibajddahbeiglb"

                       

                      Peter

                      • 8. Re: Blocking Google Extension
                        Peter Massa Expert

                        If you are using Chrome Standard - instead of Enterprise - you can use Patch Manager to update your Chrome installs to the Enterprise version.

                         

                        If you do not want to do that - your other option if you have security suite is to use EPS to block the file location similar to how Symantec handles it but using landesk's file blocking tools:

                        https://www.symantec.com/connect/articles/block-specific-chrome-browser-extensions-sep-application-device-control-policy

                         

                        Peter

                        • 9. Re: Blocking Google Extension
                          BryanNg Apprentice

                          Hi Peter,

                           

                          I'm using the Standard Chrome right now to test. Is it the reason that it wont block? I tried to manually run the script and it appear in the registry but it still wont block the extension

                          • 10. Re: Blocking Google Extension
                            Peter Massa Expert

                            I believe that is correct.  The policies that you can set for Chrome I believe are only available for the Enterprise MSI install - which is what we are setting here.

                             

                            Peter