As a systems administrator it's useful to see when that extension is installed so we can monitor if there is a connection between thousands of hits to potentially malicious webpages and the installation of the extension. Chrome doesn't make it easy to know what extension folder is for what extension, but they are consistent, and pulling that information is something you can do with the certainty that the main extension folder name won't change for a certain version of an extension.
Lately at work we've found that a particular Chrome Extension is beaconing out to websites. Our InfoSec team clearly sees this as a security issue, so we're following up with users that have the offending extension installed to kindly ask them to remove it.
The latest extension we've found that makes calls out to webpages continuously (thousands of times a day) is Awesome Screenshot, which seems like a handy little extension that takes full shots of webpages. We have a lot of designers that like to take snapshots for reference, so I can see why they'd want this extension.
As a systems administrator it's useful to see when that extension is installed so we can monitor if there is a connection between thousands of hits to potentially malicious webpages and the installation of the extension. Chrome doesn't make it easy to know what extension folder is for what extension, but they are consistent, and pulling that information is something you can do with the certainty that the main extension folder name won't change for a certain version of an extension.
First step: finding the extension folders.
If you have Chrome installed on your Mac, you can go to
And see a big list of folders there. These are where the extensions live.
So in an extension attribute you can use a -d to locate the directory of a questionable extension installed on the machine, then have the attribute report if the extension is or isn't installed based on the existence of the directory.
I found the folder of the extension by temporarily adding it to a copy of Chrome on a machine and then "managing" the extension. The Chrome settings then showed me the id of the extension in question:
I could then use that directory to create an extension attribute that looked for the offending Chrome extension and report if it is or is not installed.
You can then go in and make a Smart Computer Group that uses results from the EA for reporting/scoping/etc.
You can even use some fun Valley Girl Grammar when you make your smart group.
This could obviously be used for other extensions, you'd just need to know what the id is/directory is called.
As always, be careful with copy-pasta, and this script is here as-is with no warranty, etc. It's just an EA so it won't do any damage, but if it doesn't work I'm not liable. Or whatever. Gotta love legalese.
Did you find this post useful? Leave me a tip!
💖
The latest extension we've found that makes calls out to webpages continuously (thousands of times a day) is Awesome Screenshot, which seems like a handy little extension that takes full shots of webpages. We have a lot of designers that like to take snapshots for reference, so I can see why they'd want this extension.
As a systems administrator it's useful to see when that extension is installed so we can monitor if there is a connection between thousands of hits to potentially malicious webpages and the installation of the extension. Chrome doesn't make it easy to know what extension folder is for what extension, but they are consistent, and pulling that information is something you can do with the certainty that the main extension folder name won't change for a certain version of an extension.
First step: finding the extension folders.
If you have Chrome installed on your Mac, you can go to
/Users/user_name/Library/Application Support/Google/Chrome/Default/Extensions/
And see a big list of folders there. These are where the extensions live.
So in an extension attribute you can use a -d to locate the directory of a questionable extension installed on the machine, then have the attribute report if the extension is or isn't installed based on the existence of the directory.
I found the folder of the extension by temporarily adding it to a copy of Chrome on a machine and then "managing" the extension. The Chrome settings then showed me the id of the extension in question:
I could then use that directory to create an extension attribute that looked for the offending Chrome extension and report if it is or is not installed.
#!/bin/sh
#
# script by emily k @volusion 2014-07-29
# to detect if the Awesome Screenshot Extension is installed on Google Chrome
#
currentUser=`ls -l /dev/console | cut -d " " -f 4`
if [ -d "/Users/$currentUser/Library/Application Support/Google/Chrome/Default/Extensions/alelhddbbhepgpmgidjdcjakblofbmce" ] ; then
STATUS="Awesome Screenshot Installed."
else
STATUS="Not installed."
fi
echo "<result>$STATUS</result>"
You can then go in and make a Smart Computer Group that uses results from the EA for reporting/scoping/etc.
This could obviously be used for other extensions, you'd just need to know what the id is/directory is called.
As always, be careful with copy-pasta, and this script is here as-is with no warranty, etc. It's just an EA so it won't do any damage, but if it doesn't work I'm not liable. Or whatever. Gotta love legalese.
Did you find this post useful? Leave me a tip!
💖
Very nice! We use puppet/munki in our environment so I'll write a custom fact to collect a user's installed extensions.
ReplyDeleteThis is a fairly simple script and doesn't use any scripting that any OS couldn't report on, so I can definitely see this being used by other Mac management services. We just happen to use Casper, so much of what I put together is for that service.
ReplyDelete