Article

(View Disclaimer)

We got a great OPEN CALL suggestion from Bryen Y. Here's what he said: Since one reallllly cool feature of ZENworks for Desktops 4 is the ability to block Rogue Applications, why not set up a list that Cool Solutions attendees can add to that identifies suggested applications to ban in their network?

No one knows EVERY questionable application that's out there, and keeping a user-friendly list like this will definitely keep us coming back to Cool Solutions for more!

We think that's a great idea. Send us the list of apps you ban (and why), and we'll start building the Cool List. We'll send you a Novell t-shirt for your trouble.

For more information on Rogue Process Management see this section of the documentation.

NOTE: One reader commented that he was testing the Rogue Process Management feature, but he was skeptical of its value because he thought that his students would be able to rename apps to prevent them from being closed. Here's what the ZENworks Product Manager had to say about that: "This is not the case, at least in our testing. Rogue Process Management doesn't rely on the filename, it relies on the program internals. In fact, when we demo this, we rename files and show that RPM shuts 'em down regardless."

NEW Rod U. wrote: Can Rogue Process Management stop certain DLLs from running? Some games can have the EXE renamed and will still run but the DLL needs to the original name.

Shaun Pond says: Renaming the EXE shouldn't stop RPM from killing it - it's the original name, that's buried in the executable, that's used to terminate it.

Spreadsheet Version of Apps to Ban

In true Cool Solutions fashion, Mike Murphy, a network engineer at Pewaukee School District, took it upon himself to make order out of the chaos. Here's what he said:

I've found the Rogue App Killer very helpful as well as the page listing
the programs.

What's hard is that everyone enters things in different formats and
there are a lot of duplicates to wade through - sifting the wheat from
the chaff. I've done the work for you. I took all the exe's from the Suggestions listed on the page last updated on 12 Oct 2005 and I think I've eliminated all the duplicates,
and alphabetized the list for you to easily check it against your files.

I did remove some Office programs that some people ban as that seems
to be pretty site-dependant and any admin should know which of their
common apps they want to ban.

Also, IMHO I think listing .EXE files is much more helpful than saying
something like block the iMesh program. That makes each admin go out and
figure out what the .EXE is that needs to be blocked. You almost might
as well have not posted if we all have to go and figure the executables
are. Hopefully other admins agree and we can try and list programs for
the most part.

Here's the current version. I've put in a category field as well, with
the autofilter option. I'm researching more keyloggers to add to this.
What about a 'wiki' for this? Then anyone could edit it the list.....now that would be pretty sweet!

We thought Mike's spreadsheet and suggestion were both spectacular, and have now created a
wiki page
that contains his spreadsheet. The beauty is that as you find other things to add to the list (as you undoubtedly will) - you can pop out there and edit the spreadsheet in the wiki.

Check it out, and let's keep it updated with the latest wicked apps you may want to ban.

Suggestions

Dallas D. Schell	Travis Becker	Bryan Thoreson
Maarten	Bruce Kiefaber	Chris Hoare
Christopher Thorpe	Ed Williams	Elisabeth Curtner
Eric Gengler	Gregory Pronovost	Alain Sylvestre
Zach Thiel	Peter I. Asp	Glenn Sjögren
Kevin Calvert	Andrew White	Karl Tipping
Robert Yunker	Scott Burmann	Michael Fratini
Raffael Trotta	Bryen Yunashko	John Schultz
Matt Hudson	Le Papa	Ted Ziolkowski
Adam Reno	Lawrence A. Bombac II	Chad Miller
Joseph Sutton	Mark Forbes	Johnnie Carson
Neil Jensen	Jim Pye	Christian Kaiser
Anthony L. Preman	Brett S. Miller	Anonymous
Anonymous as well	George Washington	Klaus Schiffgens
Steve Shumski	Martin van der Boon	Mark Shoemaker
Dusty Lunn	Paul McLean	Ernesto Fox
Mark R. Fermin	Nils Treu	ryumaou
Jason	Heiko Pletat	David Cook
Mike Shore	Kyle Jones	Steven Turnbull
Rathna N	John Phipps	Earl Bryant
Christopher P. Smith	Phillip Cross	Dwayne Watkins
Manlio Fernando Bedoya Arango	James Romer	Nathan Tidd
Brandon Kirsch	Andrew Palm	Bob Fortin
Oivind Ekeberg	Paul Staniford	Bobby Guillory
Scott D. Jones	Ryan A Wasek	Frank Zomer
Phillip Cross	Ed Martens	Mike Murphy
Tim Dunkley	Keith Pain	Ray Southworth
Tom Dalton	Alan Wells	David White
Scott A. Murray	John N. Shaw	Russell Seibert
Billy Stokes	Karl Reischl	Chris Harwood NEW

Additional Requests

Dallas D. Schell

• iTunes
• MusicMatch

Travis Becker

Here at the University of Minnesota - College of Liberal Arts, we have a group policy profile that is set up for various grad labs, and we ban the following:

• MSN Messenger - easily spreads worms and viruses because it is left on often and
  because of how simple it is for users to send and receive files that are
  potentially harmful.
• Install and Setup.exe - this prevents users from installing any .exe
  applications.

Bryan Thoreson

• install.exe
• setup.exe

Because not all apps follow Windows access rights in a FAT32 world. So we have Graduate Student Labs in which we do not want people installing some unauthorized app. install.exe and setup.exe will prevent this 99% of the time.

• msimn.exe because Outlook or Lookout is a no-no for Grad labs.

Maarten

I read your comment about the application lists to ban with a ZENworks policy
and I think it is a very cool idea! Here are some of mine:

File Sharing/Copyright problem software: These programs use P2P protocols to
share copyrighted files, music, movies and more. They could be a real strain
on bandwidth if allowed to run, and since some of them can mimic a webbrowser
through port 80 you can't really block it properly on most firewalls.

• Kazaa (http://www.kazaa.com/)
• Kazaa Lite (http://www.k-lite.tk/)
• eMule (http://www.emule-project.net)
• eDonkey (http://www.edonkey2000.com)
• Overnet (http://www.overnet.org)
• Bittorrent (http://bitconjurer.org/BitTorrent/)
• Morpheus (http://www.morpheus.com/)
• Grokster (http://www.grokster.com/)
• iMesh (http://www.imesh.com/)
• Gnutella (http://www.gnutella.com/)
• LimeWire (http://www.limewire.com/)
• Soul-Seek (http://www.slsknet.org/)
• WinMX (http://www.winmx.com/)
• MUTE (http://mute-net.sourceforge.net/)

Messengers and Chat Software: Most companies have a policy for leisure
activities on the web and usually chatting ain't one of them:

• MSN Messenger(http://www.msnmessenger-download.com/)
• ICQ (http://www.icq.com)
• Trillian (http://www.trillian.cc) (often used to get around other blocks)
• mIRC (http://www.mirc.com)
• AOL Instant Messenger (http://www.aim.com)
• Yahoo Messenger (http://messenger.yahoo.com/)

Please let me know if I qualify for a t-shirt. Summer is coming up and I'd
love nothing more then to show off Novell NetWare!

Bruce Kiefaber

• aim.exe
• aim95.exe
• bbeagle.exe
• cmd.exe
• command.com
• consoleone.exe
• explorer.exe
• kazaa.exe
• mmc.exe
• morpheus.exe
• msmsgs.exe
• msnmsgs.exe
• poledit.exe
• taskman.exe
• trillian.exe

Chris Hoare

We thought about doing this and started with just a couple of things like:

• Napster
• Various Packet sniffer and scanners
• ICQ

It worked for about a week, until the students realised that all they had to do was to rename the exe and it would work.

Still, it is a good idea for some of the less computer literate areas, like offices.

Christopher Thorpe

Awesome Idea. Things banned thus far.....

• SOL.EXE
• FREECELL.EXE
• msnmsgr.exe - MSN Messenger
• ipodservice.exe - ITunes Connect Software
• winmx.exe - WinMX Download Service
• weatherbug.exe
• paint.exe

Ed Williams

May I suggest Lotus SmartSuite, all of it! it just keeps creeping back into our organisation due to a lack of document conversion features in Office XP.

Elisabeth Curtner

I use Program Killer from the Cool Solutions Free Tools section to block programs I do not want
running in my school environment. I push Program Killer out with ZENworks, and have
the program set to pull its configuration file from my server. I only have to amend one
config file, and all desktops get that configuration. Below I have listed the contents of
my configuration file:

; Program Killer Configuration File
; Version 3.0.1 Build 331
; Created on 05/27/02 at 18:05:16

; [Programs]
AGSATELLITE.EXE||AudioGalaxy Satellite (0.608W)
AGSATELLITE609.EXE||AudioGalaxy Satellite (0.609W)
AIM.EXE||AOL Instant Messenger
AIMSTER.EXE||Aimster File Sharing 
ANTIVIRUS_INSTALL.EXE||StopSign (Spyware)
AUDIOMP3FIND.EXE||AudioMP3Find P2P File Sharing
AMM*.EXE||Advanced mp3 manager
BADBLUE.EXE||BadBlue File Desktop File Server
BARGAINS.EXE||Bargain Buddy (Spyware)
BBSMARTSETUP.EXE||Bonzi Buddy Setup
BEARSHARE.EXE||BearShare P2P File Sharing
BLACKWIDOW.EXE||Blackwidow file Sharing
BWWebloader.exe||Blackwidow web file sharing
BLUBSTER.EXE||Blubster P2P File Sharing
BODETELLA.EXE||BoDeTeLLa Gnutella Search Engine
BONZIBDY.EXE||Bonzi Buddy (Highly Annoying) 
BUDDY.EXE||MediaBuddy P2P File Sharing
CASINOBROWSER.EXE||casino link installed by grokster (Spyware)
CIRCLE.EXE||Circle Chat/gossip/file sharing app
CLIENT*.EXE||Audiognome P2P File Sharing
CRAPSTER.EXE||P2P File Sharing
COMBackConsole.EXE||Comback Music Agent
CLUSTONE.EXE||Clustone P2P File Sharing
CMESYS.EXE||GAIN (Gator Spyware)
CRAPSTER.EXE||P2P File Sharing
DAP.EXE||Download Accelerator Plus
DATEMANAGER.EXE||Date Manager (GAIN Spyware)
DCPLUSPLUS.EXE||DC++ File Sharing
DECONPRO.EXE||DconPro File Sharing Network
DEFSCANGUI.EXE||StopSign scanner (Spyware)
DIRECTCONNECT.EXE||DirectConnect Network 
DSERVER.BAT||Dshare P2P File Sharing
DSHARE.BAT||Dshare P2P File Sharing
DW.EXE||DownloadWare (Spyware)
EANTHOLOGY.EXE||eAnthology Online Services (Spyware)
EBATESMOEMONEYMAKER*.EXE||(moneymaker Spyware)
EMULE.EXE||eMule File Sharing Network 
EVOLUTION.EXE||Evolution file sharing
EVOLVER.EXE||Gnucleus P2P File Sharing
FILEMINER.EXE||File Miner P2P File Sharing
FILENAVIGATOR.EXE||AudioSwap P2P File Sharing
FILEFURY.EXE||File Fury P2P File Sharing
FILESHARE.EXE||FileShare P2P File Sharing
FILETOPIA.EXE||Filetopia Network P2P File Sharing
FILEZILLA.EXE||FileZilla FTP client
FLOCATOR.EXE||FlashLocator P2P File Sharing 
FREEWIRELAUNCHER.EXE||FreeWire P2P File Sharing
FSG.EXE||Gator Subprogram
FSG-AG_3102.EXE||GAINWare SubProgram (Gator)
GATOR.EXE||Gator (Spyware)
GIDGET.EXE||(spyware)
GDONKEY.EXE||Edonkey2000 P2P File Sharing
GMT.EXE||GAIN (Gator Spyware)
GNEWTELLA.EXE||Gnewtella P2P File Sharing
GNOTELLA.EXE||Gnotella P2P File Sharing
GNUCLEUS.EXE||Gnucleus P2P File Sharing
GPEER.EXE||GalaxyPeer Gnutella P2P File Sharing, IRC
GROKSTER.EXE||Grokster P2P File Sharing
GTL POLIANE.EXE||Poliane P2P File Sharing
HLCLIENT*.EXE||Hotline Connect Client P2P File Sharing
ICQ.EXE||ICQ Client
IMESHCLIENT.EXE||iMesh File Sharing
IMICI.EXE||IMICI Messenger
INOIZE.EXE||Jackalope Audio player for Jackalope Audio Network
JACKALOPE.EXE||Jackalope Audio Client
JITZUSHARE.EXE||Jitzu P2P File Sharing
KAST.EXE||Kast P2P File Sharing
KAZAA.EXE||KaZaA Media  Desktop
LIMEWIRE.EXE||LimeWire P2P File Sharing
LOCATOR.EXE||WinMP3Locator locate MP3s over the internet
MADSTER.EXE||P2P File Sharing
MEDIAGRAB.EXE||MediaGrab P2P File Sharing
MEDIASEEK.EXE||MediaSeek P2P File Sharing
MCAGENT.EXE||Mcafee Security Center (Spyware)
MESSENGER.EXE||Excite Messenger
MMOD.EXE||Ezula P2P File Sharing
MOJO NATION.EXE||Mojo Nation File Sharing
MOODLOGIC.EXE||MoodLogic player
MORPHEUS.EXE||Morpheus P2P File Sharing
MP3FINDER.EXE||mp3 file sharing
MP3 SWAPPER.EXE||mp3 file sharing
MSBB.EXE||N-Case (Spyware)
MSMSGS.EXE||MSN Messenger
MSN6.EXE||MSN Explorer
MYNAPSTER.EXE||MyNapster Gnutella P2P File Sharing
MYSTER.EXE||Myster P2P File Sharing
NAMSTER.EXE|| Namester P2P File Sharing 
NAPSTER.EXE||Napster
NEONAPSTER.EXE||NeoNapster P2P file sharing
NETD.EXE||Odigo NetDetector
NOVA.EXE||Nova P2P File Sharing
OBRW.EXE||Odigo Subprogram
ODIGO.EXE||Odigo Instant Messenger
OFFERS.EXE||OfferCompanion
OVERNET.EXE||Overnet P2P File Sharing
PINPOST.EXE||Pinpost P2P File Sharing
PIOLET.EXE||Piolet MP3 P2P File Sharing
PLINK.EXE||part of Circle file sharing app 
PLEBIO.EXE||P2P File Sharing
PRECISIONTIME.EXE||Precision Time (GAIN Spyware)
PUTTY.EXE||Telnet/Rlogon/SSH client 
QT2.EXE||QtraxMax P2P File Sharing
QUEUEMANAGER.EXE||FileShare queue manager
QTRAX.EXE||File Sharing
S4SETUP.EXE||MySearch bar (spyware)
RIDEWAY.EXE||P2P File Sharing
RIFFSHARE.EXE||P2P File Sharing
SAVE.EXE||SaveNow (Spyware)
SAVENOW.EXE||SaveNow (Spyware) 
SHANKSTER.EXE||Shankster Gneutella P2P File Sharing 
SHAREAZA.EXE||Shareaza Gneutella P2P File Sharing 
SLAVANAP.EXE||SlavaNap P2P File Sharing
SMIRK.EXE||P2P File Sharing
SNATCHIN.EXE||P2P File Sharing
SNOOD.EXE||Snood (Addictive Game)
SOUNDCRAWLER.EXE||mp3 Finder
SOULSEEK.EXE||SoulSeek P2P File Sharing
SONGSPY.EXE||mp3 Finder
SPINFRENZY.EXE||mp3 Finder
SPLOOGE.EXE||P2P File Sharing
SWAPPER.EXE||P2P File Sharing
SWAPTOR.EXE||Swaptor P2P File Sharing 
SWAPNUT.EXE||SwapNut P2P File Sharing
TESLA.EXE||Tesla Client P2P File Sharing 
THE BRIDGE.EXE||The Bridge P2P File Sharing
TOADNODE.EXE||ToadNode P2P File Sharing 
TRICKLER_BIC_GATORPT_3202.EXE||GAIN Trickler Tool (Spyware)
TRICKLER3016.EXE||GAIN Trickler Tool (Gator Spyware)
TRILLAN.EXE||Trillian Instant Messenger
UCMORE.EXE||UCMore (Spyware)
UCMOREIEX.EXE||UCMore (Spyware)
URLBLAZE.EXE||URL sharing network
WEATHER.EXE||Weather (Spyware)
WEATHERBUG.EXE||Weatherbug (spyware)
WEBSHAREIT.EXE||Websharing of local machine
WEBVACUUMFREE.EXE||P2P File Sharing
WHAGENT.EXE||WebHancer (Spyware)
WHANCER.EXE||WebHancer (Spyware)
WINAMP.EXE||mp3 player
WINMX.EXE||WinMX P2P File Sharing
WIPPIT.EXE||Wippit P2P File Sharing
WNAD.EXE||Spyware (Hostile)
WRAPSTER.EXE||Wrapster P2P File Sharing
WRAPSTER*.EXE||Wrapster P2P File Sharing
XSC*.EXE||XSClient P2P File Sharing
XOLOX.EXE||XOLOX P2P File Sharing
YMSGR_TRAY.EXE||Yahoo! Messenger TrayIcon
YPAGER.EXE||Yahoo! Messenger
ZPOC.EXE||mp3 Finder

; [Options]
Password=70358a58409703b223576de9dc433758
TrayTooltip=My Computer
TimeToKill=30
KillSwitch=1
TrayIcon=1
TrayMenu=1

; End of Line

If you have any questions you may contact Elisabeth at ecurtner@newport.crsc.k12.ar.us

Eric Gengler

Here is my list of Apps to Ban:

1. Kazaa (and other file sharing apps) Installs Spyware, pop ups, slows down network
2. Yahoo & MSN Messenger - Students waste time during classes by chatting while they should be paying attention. Not to mention they are violating college policies by installing software
3. Games - Same reason as #2

Gregory Pronovost

Webshots. Although many will say this is a great screen saver, which it is, it is also a tremendous bandwidth hog and spyware. The Webshots application maintains a constant connection with the website tracking your online activity.

Of course you have your usual P2P applications (Kazaa, Grokster, iMesh, Soulseek, Sharezaz, Morpheus, eDonkey, and BitTorrent) for obvious bandwidth and security reasons.

For the sake of maintaining productivity (hopefully) I also suggest, Windows Solitaire, Minesweep, MSHearts, etc. as these are just executables that a user can place on their hard drive.

Well, that's my two cents worth, more to come I'm sure.

Alain Sylvestre

We start with the more common ones for installing a program. We don't want the users to install any applications without asking us.

Here's my list:

setup.com
setup.bat

setup.exe
setup.vbs
winsetup.com
winsetup.exe
winsetup.vbs
install.com
install.exe
install.vbs
msmgs.exe

oemsetup.exe
regedit.exe
regedt32.exe
sysedit.exe

Zach Thiel

• AOL Instant Messenger - users don't need it in the workplace enviorment
• Webshots - a nice product but it causes a lot of issues with some applications
• Comet Cursor - we see more problems with this being installed on users' PC's then anything else
• Any music downloading applications (WinMX, etc) - illegal period!

Peter I. Asp

This is so cool that you're doing this! I just started looking into this. I can't wait for the list.

We ban radmin and r_server.exe that are remote control products. More info can be found here.

Glenn Sjögren

I work in a municipality in Sweden. I?ve made an application to remove Gator every time it appears on a workstation. Why? Because programs like Gator means nothing but problems for administrators and users.

Kevin Calvert

Bandwidth wasters:

KaZaA

Morpheus

BearShare

Napster

Employee distracters:

• Yahoo! Messenger
• Cheetah Chat
• MSN Messenger
• ICQ
• AOL Instant Messenger
• mIRC

Employee distracters/virus propogaters:

• All POP3/IMAP4 mail clients
• Outlook (all variations)

Parasites/keyloggers/security risks:

• GAIN
  (We're only getting started on this category)

Windows destabilizers:

• WebShots! Desktop

Andrew White

I use the third party application ScanWindows 1.0.5 which is available
from Cool Tools http://www.novell.com/coolsolutions/tools/1609.html

Click here to read Andrew's entire solution.

Karl Tipping

P2P non-business related file sharing apps such as KaZaa, LimeWire, etc., obviously because of the content shared, the bandwidth consumed and the
security/virus risk to our internal network.

(No doubt I won't be the only one posting this entry, just hoping for a
free T-shirt for the summer ahead!)

Robert Yunker

• morpheus
• kazaa
• limewire
• emule
• Any instant messenger (students use this to pass answers)
• Known backdoors and trojans
• Anything related to Gator

Scott Burmann

Great open call. I have been struggling with this same issue for awhile. I'm going to investigate ZfD 4 and this additional functionality.

Here is my list from problematic applications that are on my top offenders list:

WebShots:

Slows Computer

Slows Boot

Slows Internet Link

Possible Spyware

Opens TCP/IP Ports (security risk)

Increases SPAM

Violates our strict privacy policies

Alexa:

Collects data of sites surfed

Collects data from on-line forms

Privacy violations - Records intranet sites

CometCursor:

Increases system utilization

Installs Spyware

Slows computer

WeatherBug:

Slows Computer

Eats bandwidth

Increases pop-up windows, which in turn, may increase threat of additional spyware

Realtime Automatic Updates:

RealPlayer Auto-Update

QuickTime Auto-Update

Acrobat Reader Auto-Update

(the uncontrolled updates, especially Reader, may make our web based services not work on that computer - as we test for and write code for certain versions of Reader)

We have many remote small offices who may go 6 months without an IT visit. When I visit, I am often told that both the computers and Internet are slow. I usually run an anti-spyware software, and clean the garbage off their PC's. I would say 75% of the time, the users are extremely happy that their PC's are much faster! Anyhow, the above seem to be top offenders. When I explain the concepts of spyware, pop-up's, and bandwidth utilization to the users, not a single user has opted to keep the crap-ware.

Michael Fratini

GoToMyPC is one to ban as it allows an SSL connection to any pc that has access to the internet which could allow an employee to access their work computer from home. http://www.gotomypc.com

Raffael Trotta

That would be my list of apps to ban:

• ICQ

  We don't want the students to chat. Blocking ICQ with BorderManager is nearly impossible. Only way would be to prevent the exe from running.

• setup.exe & install.exe

  Because students shouldn't install any software. We can't take away the rights on the local machine, because this is causing different problems with installing MSI's and Snappshots.

• Music Player

  Winamp.exe (Winamp), real.exe (Real One Player)
  Students should use integrated Media Player to listen music and internet radio.

• All the P2P Apps

  Internet Bandwith is limited and should not be lost with leeching mp3's and such things. And it's illegal and the school can have legal problems.
  Includes Kazaa, Emule, ML-Mule, edonkey2000, gnutella, limewire, imesh, grokster, soul-seek, WinMX, MUTE, and so on...

• Other chat clients

  MSN Messenger is prevented via BorderManager. Yahoo Messenger, Trillian, AOL IM and Jabber can't get stopped with BorderManager. Potential Security risks.

• system tools

  regedit.exe, regedt32.exe, gpedit.msc

  Stability of the workstations is no longer guaranteed if students are playing around with such things.

• Popular network games

  Half-Life, Counter-Strike, Warcraft, Rise of Nations, Q3, and how they are all called.
  Lost time and high usage of bandwith.

• Remote Management Programs

  mstsc.exe (Terminal Services Client), vncviewer.exe (VNC Viewer).
  Students should not remote their "Home-Servers", they should learn;-)

So, that's all the pps for the moment...but I'm sure, there are more to come.

Bryen Yunashko

Here's my suggested list:

• KMD.EXE (This is the installer executable for Kazaa. This will prevent the execution of other programs installed by Kazaa, such as peer-to-peer networking and adware.)
• Messenger programs: AIM.EXE (for AIM), YPAGER.EXE (For Yahoo), MSMSGS.EXE (For MSN.)
• For certain lab environments where you don't want kids browsing around, OR if you want to encourage users to start using another browser, you could block out IEXPLORE.EXE, thereby forcing them to use a corporate preferred browser, such as Mozilla or NetScape.

Another suggestion: Use ZENworks Inventory to see if there's any new suspicious looking programs out there!

John Schultz

• Kazaa
• iMesh
• Gookster
• Winmx
• Limewire

P2P file sharing and mp3 sharing programs should not exist in the work place, as well as personal firewalls and personal spam filters on laptops that interfere with network activity and apps.

Matt Hudson

As a local council we attempt to stop people using the internet for
personal use and this seems to block most the things that the staff try
to use. Our main problem is people listening to the radio over the
internet via port 80 and eating our meagre bandwidth!

Here is my list:-

hl.exe
quake.exe
doom.exe
winamp.exe
aim.exe
aim95.exe
bbeagle.exe
icq.exe
ICQLite.exe
ipodservice.exe
iTunes.exe
MusicMatch.exe
kazaa.exe
kazaalite.kpp
morpheus.exe
msmsgs.exe
msnmsgr.exe
trillian.exe
weatherbug.exe
winmx.exe
ypager.exe

Le Papa

• weaterbug
• ncase
• intelligent explorer
• gator

Ted Ziolkowski

I saw your article and thought I would share the following list of
applications that we are presently preventing. We presently implement
this list through a registry hack, the same entries used by group
policies if you are implementing them through GPO's. We intend to go to
GPO's across the board soon, but progress is slow. Anyway, my
disclaimer is that I don't guarantee the accuracy of the type of program
listed and it is probably incomplete, and in some cases redundant, but
after reading some of the other suggestions I thought I would share
anyway. I have included the AOT file if any of your readers would like
to implement this in this manner. Edit it according to your
environment. Enjoy!

TYPE of Program / Executable Name

"AudioGalaxy Satellite v.608"="agsatellite.exe"
"AudioGalaxy Satellite v.609"="agsatellite609.exe"
"Bonzai Buddy"="bonzibdy.exe"
"Bonzai Buddy Setup"="bbsmartsetup.exe"
"Browser - MSN Explorer"="msn6.exe"
"Chatware - AOL Instant Messenger"="aim.exe"
"Chatware - Excite"="messenger.exe"
"Chatware - IceChat"="icechat.exe"
"Chatware - ICQ"="icq.exe"
"Chatware - ICQ Client"="icqnet.exe"
"Chatware - IM2001"="im2001.exe"
"Chatware - IMICI Messenger"="imici.exe"
"Chatware - Klient"="klient.exe"
"Chatware - MIRC"="mirc.exe"
"Chatware - MSN Messenger"="msmsgs.exe"
"Chatware - Odigo"="odigo.exe"
"Chatware - Trillian"="trillian.exe"
"Chatware - Yahoo Messenger"="ypager.exe"
"Chatware - Yahoo Messenger TrayIcon"="ymsgr_tray.exe"
"File Sharing - Aimster"="aimster.exe"
"File Sharing - Grokster P2P"="grokster.exe"
"File Sharing - iMesh"="imeshclient.exe"
"File Sharing - KaZaa"="kazaa.exe"
"File Sharing - Morpheus"="morpheus.exe"
"File Sharing - Napster"="napster.exe"
"File Sharing - WinMX"="winmx.exe"
"Game - Snood"="snood.exe"
"Spyware - CME"="cmesys.exe"
"Spyware - Date Manager"="datemanager.exe"
"Spyware - Download Accelerator Plus"="dap.exe"
"Spyware - FSG"="fsg.exe"
"Spyware - FSG3102"="fsg-ag_3102.exe"
"Spyware - Gain"="gmt.exe"
"Spyware - Gator"="gator.exe"
"Spyware - Hostile"="wnad.exe"
"Spyware - Odigo Netdetector"="netd.exe"
"Spyware - Odigo Subprogram"="obrw.exe"
"Spyware - OfferCompanion"="offers.exe"
"Spyware - Precision Time"="precisiontime.exe"
"Spyware - SaveNow"="savenow.exe"
"Spyware - Search Hijacker"="snrg.exe"
"Spyware - srnghelp"="srnghelp.exe"
"Spyware - srngutil"="srngutil.exe"
"Spyware - Trickler Tool 3016"="trickler3016.exe"
"Spyware - Trickler Tool 3202"="trickler_bic_gatorpt_3202.exe"
"Spyware - WebHancer"="whancer.exe"
"Telnet - Putty"="putty.exe"
"Telnet - Putty Telnet"="puttytel.exe"

Adam Reno

Can be used to open other things:

• Cmd.exe
• command.com
• mspaint.exe (yes there is a trick where you can open other programs with Paint and other 16 bit apps.... the ol' open, all files and "right click and select" trick...still works on XP...just tried it)

Lawrence A. Bombac II

A list of software to be banned:

1-50 of these can be downloaded from http://www.zeropaid.com

01 Shareaza
02 BitTorrent
03 KaZaA Lite
04 Lan2P
05 SoulSeek
06 Ares
07 GLT Poliane
08 DC++ - BCDC++
09 Emule
10 Blubster
11 XoloX
12 Freenet
13 WinMX
14 Gnucleus
15 BearShare
16 ShareMonkey
17 Direct Connect
18 Overnet
19 eDonkey
20 Piolet
21 LimeWire
22 Mammoth
23 iMesh
24 KaZaA
25 iMesh Light
26 Filetopia
27 Grokster
28 Nova
29 MLDonkey
30 Morpheus
31 ExoSee
32 Diet Kaza
33 Phex
34 audioGnome
35 PeerGuardian
36 Napigator
37 Waste
38 iTunes(can be exploited:detectable)
39 Warez(actual program called warez,not a reference)
40 Zultrax
41 AquaLime
42 DICE
43 Napster(can be exploited)
44 BadBlue
45 NeoNapster
46 Peeranha
47 The Bridge
48 RockItNet
49 The Circle
50 Parrot
51 Azureus
52 BitTorrnado
53 audiogalaxy
54 Smirk
55 Slyck
56 File Sharing for net(mhttp corp)

Chad Miller

• Date Manager, Gator
• File sharing apps

Don't actually block these yet but are looking for a how to or something to help walk through setting these policies. Date Manager brings Gator in with it and has cost us many hours trying to figure out why we have had more network traffic than needed to be. File sharing apps are just a major nightmare in a k-12 environment.

(Editor: You can get complete instructions about how to set up the Rogue Process blocking right here in the documentation.)

Joseph Sutton

While reading about the rogue applications to block I have learned that many users in my organization seem to have a distrust of the network time.

Some of the programs I have stopped from running like those listed on the site were as follows:

GAIN Spyware related programs

• Gator.exe
• gmt.exe
• cmesys.exe
• PrecisionTime.exe
• DateManager.exe

Other calendar programs like:

• rainlendar.exe
• Launcher.exe
• webshots.exe

I also learned that with Microsoft products like Office you need to block Data1.msi to keep it from running, since the setup.exe points back to data1.msi.

Mark Forbes

In a shared lab environment, we're constantly battling the students in
killing apps that they shouldn't be installing. We have a strict policy
on not allowing students to use the messenging clients, and use the
computers for work only. Here's a couple more.

ymsgr.exe | Yahoo Messenger installer
msnmsgr.exe | MSN Messenger executable
msconfig.exe | MS Config executable (so they can't fiddle)
mmc.exe | Microsoft Management Console
gpedit.msc | Group Policy Editor (stops altering settings)
setup.exe | kind of obvious
install.exe | same as setup.exe
icq.exe | stops this running
icqlite.exe | same as ICQ really
gaim.exe | open source alternative is creeping in
trillian.exe | this has been lurking about too
winamp.exe | Winamp, not as popular as it was.

We're currently looking at including msiexec.exe to stop additional
software being installed. Any advice?

Johnnie Carson

This is kinda off topic, in response to those wanting to ban/block the
games that come with MS Windows so people can't run them.

WINMINE.EXE, SOL.EXE and some other files are Windows Protected files which means you
normally can't just delete them and they will return. In our
organization we modified a file called SYSOC.INF which is located in
\WINNT\INF and searched for the word 'hide'.

By removing this word next
to Games and Pinball, we are now allowed to go into Add/Remove Programs
and completely remove all the Windows games from the machine and not
worry about the users playing those. Also, with ZENworks we push this
file to everyone's machines for those that we have missed, and also with
ZENworks we remove the .exe files for these games, and also delete these
unwanted files from the Windows Directory AND from
\WINNT\SYSTEM32\DLLCACHE so they can't mysteriously come back by a user
copying them or windows restoring them.

I believe that .INF file is
found in Windows NT, 2000 and XP.

Neil Jensen

Isn't banning particular applications the hard way? ZENworks also lets you Run only Allowed Windows applications. In an educational environment, use Run only Allowed Windows applications for things like nalwin32, naldesk, and executables that printers and scanners need to initialize, etc. Use NAL objects for the majority of your applications.

Initially, users will complain about certain apps that don't run. If they are legitimate, add them to the list. Otherwise, you're covered.

Jim Pye

I notice that none of the previous posts mentioned the good ol'
bandwidth and time hogs:

DOOM.EXE
and
QUAKE.EXE

Or is this too much of a time warp ;-)

Jim Pye,
With bits of grey showing through the beard

Christian Kaiser

Why do you use the opposite way to block unwanted apps! We deny every Windows app, and only allow the apps listed below. We have an force-run apps every time our students login.

Here are my reg-settings from this application. You can setup a report file, where you can see the apps your students want to launch, then you can add these apps to your apps-object to allow them to launch the apps or not!

""
REGEDIT4

// Registry file generated by the Application Launcher.

[HKEY_CURRENT_USER]

[HKEY_CURRENT_USER\Software]

[HKEY_CURRENT_USER\Software\NetWare]

[HKEY_CURRENT_USER\Software\NetWare\NAL]

[HKEY_CURRENT_USER\Software\NetWare\NAL\1.0]

[HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management]
"Default Action"=dword:00000001
"Report Ignored"=dword:00000000
"Report Terminated"=dword:00000001

[HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management\Exception List]
""C:\\Programme\\Windows Media Player\\mplayer2.exe""=dword:00000000
""C:\\Programme\\Windows NT\\Zubeh?r\\WORDPAD.EXE""=dword:00000000 
"Acrobat.exe"=dword:00000000
"acrodist.exe"=dword:00000000
"acrord32.exe"=dword:00000000
"AdobeDownloadManager.exe"=dword:00000000
"amcap.exe"=dword:00000000
"AOM.exe"=dword:00000000
"arach.exe"=dword:00000000
"articulation 1.exe"=dword:00000000
"articulation 2.exe"=dword:00000000
"audacity.exe"=dword:00000000
"c:\\-net-\\vscan71_setup\\setup.exe"=dword:00000000 
"C:\\Programme\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=dword:00000000 
"C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\MODI\\11.0\\MSPVIEW.EXE"=dword:00000000 
"C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\VS7DEBUG\\VS7JIT.EXE"=dword:00000000 
"C:\\Programme\\Microsoft Office 2003\\OFFICE11\\MSTORDB.EXE"=dword:00000000 
"C:\\Programme\\Windows Media Player\\mplayer2.exe"=dword:00000000
"C:\\Programme\\Windows NT\\Zubeh?r\\WORDPAD.EXE"=dword:00000000 
"C:\\WINNT\\system32\\SNDVOL32.EXE"=dword:00000000 
"C:\\WINNT\\system32\\svchost.exe -k wugroup"=dword:00000000
"calc.exe"=dword:00000000
"cdplayer.exe"=dword:00000000
"cmd.exe"=dword:00000000
"coreldrw.exe"=dword:00000000
"CorelPP.exe"=dword:00000000
"daemon.exe"=dword:00000000
"Demo.exe"=dword:00000000
"drwtsn32.exe"=dword:00000000
"excel.exe"=dword:00000000
"explorer.exe"=dword:00000000
"freecell.exe"=dword:00000000
"fusion.exe"=dword:00000000
"GRAPH.EXE"=dword:00000000
"grep.exe"=dword:00000000
"hp precisionscan pro.exe"=dword:00000000
"idrisi32.exe"=dword:00000000
"IEXPLORE.EXE"=dword:0c8c3900
"immac_S.exe"=dword:00000000
"isrf1.exe"=dword:00000000
"isrf2.exe"=dword:00000000
"isri1.exe"=dword:00000000
"isri2.exe"=dword:00000000
"isriik.exe"=dword:00000000
"isrs1.exe"=dword:00000000
"isrs2.exe"=dword:00000000
"isrsik.exe"=dword:00000000
"java.exe"=dword:00000000
"javaw.exe"=dword:00000000
"KODAKIMG.EXE"=dword:00000000
"Map Galerie.exe"=dword:00000000
"MapAut32.exe"=dword:00000000
"mathematica.exe"=dword:00000000
"MathKernel.exe"=dword:00000000
"mcconsol.exe"=dword:00000000
"mcshield.exe"=dword:00000000
"mdm.exe"=dword:00000000
"MindManSM.exe"=dword:00000000
"mplayer2.exe"=dword:00000000
"msaccess.exe"=dword:00000000
"mse.exe"=dword:00000000
"msiexec.exe"=dword:00000000
"MSOHELP.EXE"=dword:00000000
"mspaint.exe"=dword:00000000
"MSPVIEW.EXE"=dword:00000000
"MSTORDB.EXE"=dword:00000000
"MSTORE.EXE"=dword:00000000
"net.exe"=dword:00000000
"netscape.exe"=dword:00000000
"Notepad.exe"=dword:00000000
"nslookup.exe"=dword:00000000
"ntvdm.exe"=dword:00000000
"ois.exe"=dword:00000000
"Orient.exe"=dword:00000000
"ose.exe"=dword:00000000
"PHOTOED.EXE"=dword:00000000
"photopnt.exe"=dword:00000000
"pietro.exe"=dword:00000000
"ping.exe"=dword:00000000
"powerpnt.exe"=dword:00000000
"primary.exe"=dword:00000000
"prodinfi.exe"=dword:00000000
"radio.exe"=dword:00000000
"RealPlay.exe"=dword:00000000
"regdel.exe"=dword:00000000
"SAPfewgsrv.exe"=dword:00000000
"saplgpad.exe"=dword:00000000
"saplogon.exe"=dword:00000000
"scan32.exe"=dword:00000000
"scncfg32.exe"=dword:00000000
"scoach.exe"=dword:00000000
"setup_wm.exe"=dword:00000000
"shapeidr.exe"=dword:00000000
"sndvol32.exe"=dword:00000000
"sol.exe"=dword:00000000
"SPSSRTF.EXE"=dword:00000000
"spsswin.exe"=dword:00000000
"SymbolManager.exe"=dword:00000000
"taskmgr.exe"=dword:00000000
"UGS Sim.exe"=dword:00000000
"update.exe"=dword:00000000
"VS7JIT.EXE"=dword:00000000
"vtf.exe"=dword:00000000
"vti.exe"=dword:00000000
"vts.exe"=dword:00000000
"winhlp32.exe"=dword:00000000
"winoncd.exe"=dword:00000000
"wintv2k.exe"=dword:00000000
"wintvsel"=dword:00000000
"winword.exe"=dword:00000000
"WiseUpdt.exe"=dword:00000000
"WISPTIS.EXE"=dword:00000000
"wmplayer.exe"=dword:00000000
"wmsched.exe"=dword:00000000
"wordpad"=dword:00000000
"wordpad.exe"=dword:00000000
"ws_ftp32.exe"=dword:00000000
"wuauclt.exe"=dword:00000000

[HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management\Reporting Targets]
"Database"=dword:00000000
"File"=hex(2):5c,5c,73,31,34,61,70,70,73,32,5c,65,64,76,64,6f,73,32,5c,6e,6f,63,68,77,69,6e,\
   2e,33,31,31,5c,72,6f,67,75,65,2e,74,78,74,

[HKEY_LOCAL_MACHINE]

[HKEY_USERS]

[HKEY_CURRENT_CONFIG]

[HKEY_DYN_DATA]

""

Anthony L. Preman

• Webshots - Huge bandwidth hog and filled with spyware.
• Morpheus - The name should be sufficient
• Kazaa - See above
• ConsoleOne - Helps defend against possible user curiosity in network.

Brett S. Miller

Hard to say what hasn't already been said, but here goes:

• WinVNC
• Xdrive
• ANYTHING FTP (the IT department will take care of that if it's needed)
• telnet.exe (same as ftp)

Anonymous

• httport.exe (http://www.htthost.com/) - Allows unfiltered/unrestricted surfing through BorderManager 3.6 via re-routing through external proxy. Blocking all external proxies can prove difficult.
• regedit.com - Any of your users can copy regedit.exe from a PC that has it, rename it to regedit.com and edit the registry. Don't believe me? Copy regedit.exe to your desktop, rename it to regedit.com and open it up.

Anonymous as well

In reponse to Anonymous regarding the regedit.exe being renamed to
regedit.com, in fact regedit will run under ANY name you give, even cool.com,
cmd.exe etc. So it's a harder one to block than blocking just the exe/com
file.

Programs that block via the title bar, do a better job in their area of course.

George Washington

One program to scan for is regedit.com, which is just regedit.exe copied and renamed. The other program to ban is http3s2 aka httport.exe. This program allows redirect through Border 3.6 and 3.5 to external proxies that have no filters.

Klaus Schiffgens

This is the software I'd add to your list:

• P2P Software (non business software)
• Media Players (MP3, Video Playback etc.)
• LAN Software (Packet Scanner, Port-Sniffers)

Very interested in the results of this!

Steve Shumski

Games like:

• counter strike
• battlefield vietnam
• 1942

Internet exe's like:

• itunes
• Lycos search
• Quicktime player
• Kazaa lite
• Morpheus
• Windows messenger

Thanks, I look forward to the complete list.

Martin van der Boon

We use ScanWin too. But we use it together with a self-written tool, to make sure users don't kill ScanWin. You can download the tool from http://www.MandM.nl/down/loader.zip

Applications to add to the list:

• HOPSTER.EXE; Hopster
• HOPSTERSETUP.EXE; Setup - HOPSTER
• HTTPTUNNEL_SETUP.EXE; HTTP Tunnel bypass proxy setup
• HTTP-TUNNELCLIENT.EXE; HTTP Tunnel bypass proxy setup
• SETUP9X.exe; MSN Messenger
• SETUPNT.exe; MSN Messenger

Hopster and HTTPTunnel are BorderManager proxy bypass programs and we don't want those do we?

Mark Shoemaker

Bandwidth Issues

• Peer-to-peer products (Kazaa, Morpheus, etc.)
• Lan-based Games

Desktop Problems

• WebShots
• Accuweather
• Yahoo Messenger
• Microsoft Messenger
• Gator
• Gain
• Bunzi Buddy
• My Search Bar

I am sure there are many more out there. Too little time.

Dusty Lunn

Some of the apps that we currently disallow are as follows:
This list is being added to frequently. This is a Great Deal! Sorry I
couldn't contribute more.

Aim.exe
sol.exe
gator.exe
cmd.exe
kazaa.exe
winmx.exe
msmsgs.exe
taskman.exe
snood.exe
trillian.exe
weatherbug.exe
winamp.exe
ypager.exe
winmx.exe
whahancer.exe
grabit.exe
icq.exe
morpheous.exe
precisiontime.exe
datemanager.exe
kazaalite.exe
bbeagle.exe
doom.exe
mirc.exe
grokstar.exe
napster.exe
winipcfg.exe
winmine.exe
hostile.exe
imesh.exe
mspaint.exe

Paul McLean

My name is Paul McLean from New Zealand. The apps we ban at our Academic Institute for students are:

ACONTI.EXE||CHAT PROGRAM
ACTALERT.exe||Internet Optimizer
AGSATELLITE.EXE||AudioGalaxy Satellite (0.608W)
AGSATELLITE609.EXE||AudioGalaxy Satellite (0.609W)
AIM.EXE||AOL Instant Messenger
AIMSTER.EXE||Aimster File Sharing
BearShare.exe||Bear Share
BBSMARTSETUP.EXE||Bonzi Buddy Setup
BOL.EXE||Rediff Messenger
BONZIBDY.EXE||Bonzi Buddy (Highly Annoying)
CMESYS.EXE||GAIN (Gator Spyware)
CMD.EXE||COMMAND PROMPT
COMMAND.COM||COMMAND PROMPT
compmgmt.msc||Computer Management
DAP.EXE||Download Accelerator Plus
DATEMANAGER.EXE||Date Manager (GAIN Spyware)
DEVMGMT.MSC||Device Management Win2k
DCPLUSPLUS.EXE||DC ++
FSG.EXE||Gator Subprogram
FSG-AG_3102.EXE||GAINWare SubProgram (Gator)
GATOR.EXE||Gator (Spyware)
GETRIGHT.EXE||Get Right downloader
GMT.EXE||GAIN (Gator Spyware)
GROKSTER.EXE||Grokster P2P File Sharing
ICQ.EXE||ICQ Client
IMESHCLIENT.EXE||iMesh File Sharing
INETWIZ.exe|| Internet Connection Wizard
IMICI.EXE||IMICI Messenger
Incredimail.exe||Mail client
Installing software||Install.exe
INTERNET DOWNLOADER||iks2k21d.exe
IPSCANNER.EXE||IPSCANNER
HOMEKEYLOGGER-SETUP.EXE||KEYLOGGER
LC_CLI.EXE||PASSWORD SCANNER
PCV7.EXE||PROXY CHECKER
GKLDEMO.EXE||KEYLOGGER
SYNCCONFIG.EXE||KEYLOGGER
SYNCAGENT.EXE||KEYLOGGER
KAZAA.EXE||KaZaA Media Desktop
KPP.EXE||Kazaa Lite
KHttp2t.exe||KAZAA HTTP
lusrmgr.msc||USERS AND PASSWORDS
MESSENGER.EXE||Excite Messenger
MicWin.exe||Karaoke Program
MORPHEUS.EXE||Morpheus P2P File Sharing
MMCLIENT.EXE||Chat Program
MSMSGS.EXE||MSN Messenger
MSNMSGR.exe||New MSN
MIRC.EXE||MIRC CHAT PROGRAM
MSN6.EXE||MSN Explorer
MMC.EXE||Microsoft Management Console
MMCLIENT.EXE||MMCLIENT INDIAN CHAT PROGRAM
NAPSTER.EXE||Napster
NARRATOR.EXE||NARRATOR APPLICATION
NBSRVR.EXE||NETBUS TROJAN
NETBUS.EXE||NETBUS TROJAN
NETD.EXE||Odigo NetDetector
NETSONIC||NetSEI.exe
NJCOM32.EXE||NJStar Communicator
NWADMN32.EXE||NWADMIN
OBRW.EXE||Odigo Subprogram
ODIGO.EXE||Odigo Instant Messenger
OFFERS.EXE||OfferCompanion
ONEMX.EXE||MUSIC DOWNLOADER
OPTIMIZE.EXE||Internet Optimizer
PRECISIONTIME.EXE||Precision Time (GAIN Spyware)
PLAYER.EXE||VIDOMI PLAYER
POLEDIT.EXE||POLEDIT UTILITY
PTANKS.EXE||Tanks game
PWDUMP.EXE||PASSWORD DUMPER
PWDUMP3.EXE||PASSWORD DUMPER
PWSERVICE.EXE||PASSWORD DUMPER
REGEDIT.EXE||REGISTRY EDITOR
REGEDT32.EXE||REGISTRY EDITOR
RUNAS.EXE||RUNAS UTILITY
SAVENOW.EXE||SaveNow (Spyware)
SENTRY.EXE||Sentry (unknown)
SLAVE.EXE||REMOTE SLAVE CONNECTION
SNOOD.EXE||Snood (Addictive Game)
SYSEDIT.EXE||Configuration screens Win2k
Swift3D.exe||Swish program
SWISH.EXE||Swish program
QQ.EXE||Chinese Chat Program
PHONE PROGRAM||SJPHONE.EXE
TELNET.EXE||TELNET
ThePlaya.exe||The Playa
TRICKLER_BIC_GATORPT_3202.EXE||GAIN Trickler Tool (Spyware)
TRICKLER3016.EXE||GAIN Trickler Tool (Gator Spyware)
TRICKLER GETRIGHT||fsg.exe
TRILLAN.EXE||Trillian Instant Messenger
VIDOMI.EXE||VIDEO PLAYER
WHANCER.EXE||WebHancer (Spyware)
WINMX.EXE||WinMX P2P FileSharing
UNKNOWN||WISEUPDT.EXE
WINAMP AGENT||winampa.exe
WINAMP.EXE||WINAMP
WNAD.EXE||Spyware (Hostile)
YMSGR_TRAY.EXE||Yahoo! Messenger TrayIcon
YSERVER.EXE||Yahoo Messenger
YPAGER.EXE||Yahoo! Messenger
YUPDATER.EXE||Yahoo Updater
YOINK.EXE||STUDENT PROGRAM

We block most of these apps because they tie up PC's for one, and also they use precious network bandwidth and some contain viruses and other problems.

Ernesto Fox

I would add IncrediMail to the list as it is a source of a great number of problems, as far as stability is concerned, even at shutdown time.

Mark R. Fermin

In our law firm, we ban the general user community from installing
unauthorized software by blocking:

• setup.exe
• install.exe

We also have (by group policy) disabled the installation of any software
from removable media or CD. Additionally, we ban all IM applications and
related services, as well as Outlook Express.

This, in combination with a
third-party anti-spyware application, has reduced the amount of issues
related to non-standard applications, plug-ins, etc. that we take at our
Help Desk. And it has probably increased productivity with some users due to
their inability to install their favorite casino software or P2P music
sharing software on their business PC!

Nils Treu

Here are the apps I ban in our PC pools. The reasons are they install
spyware, sometimes viruses, worms, trojans and they cost bandwidth.

; [Programs]
BARGAINS.EXE||verschiedenes
BEARSHARE.EXE||bearshare450b21
BLUBSTER.EXE||blubster25
CLIENT4.EXE||audiognome
DCPLUSPLUS.EXE||dc++0307 
EDONKEY2000.EXE||edonkey
EMULE.EXE||emule1k
FILETO~1.EXE||filetopia304
GAIM.EXE||messaging
GROKSTER||grokster.exe
ICQLITE.EXE||icq-messenging 
JAVAW.EXE||limewire 
KAZAALITE.KPP||mp3easy
KMD263||kazaa.exe
MIRANDA32.EXE||messaging
MORPHEUS.EXE||morpheus
MORPHEXE.EXE||morpheus
MP3EASYKL.EXE||mp3easy
MP3STARSEARCH.EXE||mp3starsearch
MP3WOLF.EXE||mp3wolfv2
NEONAPSTER.EXE||neonapster
NETBRILLIANT.EXE||nb200
OSSPROXY.EXE||groksterpro 
OVERNET.0.53.EXE||overnet053
OVERNET.EXE||overnet053
P2P NETWORKING.EXE||kmd263
PIOLET.EXE||piolet105
SHAREAZA.EXE||shareaza18112
SLSK.EXE||soulseek152
WINMX.EXE||winmx331
YPAGER.EXE||yahoomessenger

ryumaou

Feedback: I can't believe that no one mentioned HotBar! Terrible program that users volunteer to install and will cripple a Windows XP workstation.

Jason

We are investigating the possibility of Linux desktops. That being the case,
how about blocking win.exe, excel.exe, msword.exe, msaccess.exe, mspub.exe,
frontpg.exe and powerpnt.exe?

Heiko Pletat

I use also Program Killer from the cool solutions tree in my company.

We block some programs like P2P-Filesharing tools (Emule, Kazaa,
eDonkey, Overnet) and the complete messenger stuff (aol, yahoo
and msn). So I have a clean enviroment and "long lived" workstations.

David Cook

As well as banning selected apps through ZENworks, you can block
http://*.exe*/* with BorderManager (you may have to allow some
specific exe's). I know, I know, this is a ZENworks forum.

Mike Shore

Here is what we currently ban, but it is out of date as it is time-consuming to keep up to date on all the new rogue apps appearing. I will
be updating the list as per other suggestions in this column. I am
looking forward to a standardized blacklist. We kill apps based on the
image ID (app's internal identifier) and/or the EXE name. Thanks!

Kyle Jones

I won't mention any that are already on this list so this is all I have that differs:
Tibia726.exe is an online game like Dungeons and Dragons. Caught half of our High School labs with this one installed. People chat live with others and online chat is always a risky thing for schools legally due to predators etc... Plus goofing around with online games instead of learning isn't cool.

Steven Turnbull

We are an educational institution, so we have varying degrees of restriction. This is the list of apps we block in our 24-Hr access suite. It has proven to be very effective.

yahoo!_messenger_install.exe
..torrent
agent.exe
AGSATELLITE
AIM
aim.exe
Anarchy.exe
AnarchyPatcher.exe
angel.exe
aod.exe
AOLauncher.exe
autorun
autoupdate.exe
AudioGnome
BBSMARTSETUP.EXE
bit torrent
bittorrent
RealPlayer10Gold.exe
blubster.exe
BONZIBDY.EXE
bootstrap.exe
bpc.exe
btdownloadgui.e
ce_xxx.exe
clientr.exe
CMESYS.EXE
comwiz.exe
DATEMANAGER.EXE
Direct Connect
DCPlusPlus.exe
Donkey
Donor.exe
Dune
Dune2
EarthStation5
es5.exe
es5uk.exe
es5us.exe
flashget.exe
FSG.EXE
fsg_4010.exe
FSG-AG_3102.EXE
FY2000R.exe
GameChanel.exe
GATOR.EXE
gdthin
GMT.EXE
GMTZGM.exe
grokster.exe
GROKSTER.EXE
Gnucleus
hotaction_nz
icq
icq.exe
ICQLite.exe
ICQLRun.exe
ICQLSRP.exe
icqpro2003b.exe
icqsrp.exe
imesh
IMESHCLIENT.EXE
IMICI.EXE
install.exe
instant access.
KAZAA.EXE
kazaalite.kpp
klrun.exe
kpp
Konspire
Lemonade.exe
livecam_nz.exe
Limewire
li-xdial
memory~1.exe
MESSENGER.EXE
minibug.exe
mirc
mlink.exe
morpheus
mp3player
msmsgs
MSN6.EXE
msnmsgr
myphotos.exe
N2PDialr.exe
NAPSTER.EXE
NapShare
NetAnts.exe
NETD.EXE
NetTransport.ex
newzealand_dude
NJCOM32.exe
NJCOM23.exe
OBRW.EXE
ODIGO.EXE
OFFERS.EXE
OverNet
optimize.exe
playlist.exe
popsrv140.exe
popsrv146.exe
precisiontime
PRECISIONTIME.EXE
PrecisionTimeSetup.exe
p2p Networking.
p2p
qq.exe
QQ.exe
qq2000c0630_eng.exe
quake
RadLight.exe
rb32
realevent.exe
realjbox.exe
realplay.exe
realsched.exe
RocketMania.exe
soap.exe
sahagent.exe
setup.exe
setupnt.exe
SETUPNT.EXE
sexy_newzealand.exe
shaonv
Shareaza
SNOOD.EXE
SongSpy
speed up
srng.exe
sysmong.exe
TBrowser.exe
TBrowser.exe
torrent.exe
TRICKLER_BIC_GATORPT_3202.EXE
TRICKLER3016.EXE
TRILLAN
trillian.exe
trillian-v0.74f.exe
tvtmd.exe
update.exe
utopia.exe
URLBlaze
videoaction_nz.
videoaction_nz.ex
videoaction_nz.exe
Voodoo Vision
weather
webscene.exe
webshots
webshots.scr
webshotstray.ex
WHANCER.EXE
winactive
winamp
winmx
winnet.exe
WINMX.EXE
WNAD.EXE
Yahoo Ten Pin Championship Bowling
yahoo!_messenge
ymsgr.exe
YMSGR_~1.exe
YMSGR_TRAY.EXE
ypager.exe
YPAGER.EXE
zonealarm.exe

That's the lot. Happy blocking!

Rathna N

• MSN Messenger, Yahoo Messenger & others - sometimes it's a total distraction and waste of time.
• P2P sharing apps
• POP up ads
• WebShots
• Some unknown apps *.exe 's, which get installed on the machine and it's a pain to uninstall them. :(

John Phipps

We ban Microsoft Outlook and Outlook Express from our ASP Data Centre.
The reason is a fairly obvious one - Outlook introduces too many
vulnerabilities that could knock ALL of our clients off the air. For
clients that absolutely must have Outlook, we isolate their Citrix
servers from the rest of the farm, and have them sign a release to
exempt us from the terms of our SLA (Service Level Agreement) concerning
guaranteed uptime.

Earl Bryant

About whitelists. This is how I'm implementing RPM in my environment, and it's working great. I'll bet most places have a slate of "approved" corporate apps. Anything outside of this should have a target on its back unless it's justified.

Someone mentioned that it would be tedious creating the list of all possible apps that are allowed to run in the environment/in the OS. RPM does a pretty good job of this already, and I've only had to add some more MS apps that I want to allow to run (msohelp for MS Office help, for example). Besides, anything launched from within NAL is "protected", so even if I've disallowed say, Internet Explorer from being launched within Windows, if I've provided a icon to launch it from within the NAL Window, it will run fine.

As for Windows Support Packs making whitelists a headache. Most service packs replace file for like file, so if it did not kill the program before the SP, then it'll probably live afterwards. I find if I miss a filename that has gotten by me in testing?we of course ALL DO TEST these things, right? :), or has been newly introduced, it's a trivial matter to add it to my exceptions list, and repush the RPM out.

Now, talk about keeping track of all POSSIBLE new programs for a blacklist. Unless their makers have conveniently labeled their internal filenames "setup.exe" or "install.exe" for me, I'm simply committing myself to an "arms race" with my users, trying to keep up on the latest filename to ban in order to maintain my exceptions list?now THAT'S tiring! I'd rather spend my time learning more about ZENworks and less in researching shareware/spyware crud!

Now, if RPM could be enhanced to allow for wildcards as well, that would make it very versatile. Example: if Kazaa had kazaa123install.exe as its installer filename, and I could include "*kazaa*" as a value in the blacklist, then ANY file with "kazaa" ANYWHERE in the internal filename could be shut down. Feature request?

Christopher P. Smith

This link could well be of some help when trying to decide what to ban?

Windows Process Library

Phillip Cross

I saw this in a Dave Kearns article:

Today's focus: Ideas for blocking software on users' machines

By Dave Kearns

Virtues of Program Monitor
The first idea, actually, doesn't require any new programming,
just some listings. PM as it exists now requires you to list the
software you wish to have blocked. Roy Pait (among others, but
he was first) suggested that what's needed is a starter list of
generally blocked applications. Sounds like a good idea. If you
have a shortlist, I'd suggest submitting it to
Novell - you might get a cool T-shirt.

Here is a short list of programs we would like to block:

AOL AIM
GAIN
GATOR
BARGAIN BUDDY
PRECISION TIME
ANY NON MS SCREEN SAVER
WEB SHOTS
HACKED OR CRACKED PROGRAMS
INTERNET HISTORY ERASING PROGRAMS
PORN OF ANY TYPE

Dwayne Watkins

GPedit.msc - on 2k and XP machines because of policy changes to a local machine

Webshots - Most definitely

Also why install the local games on a computer when doing the build? Automated build can allow you do customize a machine to your liking and begin to relieve some of the problems.

Manlio Fernando Bedoya Arango

I want to add some W2K and XP games files we banned:

asm.exe
autorun.exe
bckgzm.exe
chkrzm.exe
CMEsys.exe
freecell.exe
GMT.EXE
gpedit.msc
hotbar.exe
hrtzzm.exe
install.exe
kazaa.exe
msblast.exe
mshearts.exe
P2P networking.exe
pinball.exe
points manager.exe
rvsezm.exe
setupid.exe
shvlzm.exe
sol.exe
spider.exe
updmgr.exe
winmine.exe

James Romer

I ban the usual exe's that you would expect,(mainly flash apps from the web) but also routinely go through ZENworks inventory to highlight new programs that have been installed without authorisation and add to the list if necessary.

I am looking at using rogue process management to stop those that know a little from renaming files.

Also due to us locking the users' desktops, a lot of exe's historically got sent using GroupWise and were kept in GroupWise. We get round this by using MTASieve (now named GWAVA), blocking not only the file extensions we choose but also file size we choose.

Apps banned so far:

msn.exe
aim.exe
sol.ex
winmine.exe
sheep.exe
balistic.exe
beertend(4).exe
beertend.exe
Benidorm.exe
BubblePuzzle97.exe
chickens.exe
Dynmite.exe
elves.exe
elves2.exe
fart-mac.exe
footy.exe
freecell.exe
ghouls.exe
gift.exe
golf.exe
hearts.exe
mario.exe
milliona.exe
napster.exe
pinball.exe
pool.exe
quake.exe
same.exe
santafree.exe
stressreducers.exe
talkany.ee
teletuby.exe
tuxracer.exe

Nathan Tidd

How about a few of my Pet Peeves that are the most common nuisances? All of these pretty much just use up bandwidth and resources. They are all unneeded for the workplace except maybe Realplayer for certain situations.

• Webshots
• WeatherBug
• Comet Cursor
• Atomic Clock
• Realplayer

Brandon Kirsch

Google Directory gave me extensive lists of software to block, depending on what admins want to target. If users are managing to get by RPM with odd software, it should be listed here.

• Filesharing P2P - http://directory.google.com/Top/Computers/Software/Internet/Clients/File_Sharing/
• Instant Messenging - http://directory.google.com/Top/Computers/Software/Internet/Clients/Chat/Instant_Messaging/
• Packet Sniffers - http://directory.google.com/Top/Computers/Software/Networking/Network_Performance/Protocol_Analyzers/

Things I found worth noting:

• Gaim
  - Instant Messenging client for many (including Novell!) protocols
• GoToMyPC - Employees can access their home PCs
• Quake.exe - Even with decent policies a user can simply run this exe out of any folder (usually for us, it's one on the network)
• Ettercap - This one can really mess your network (and your day) up if you're not careful

Andrew Palm

Since reviewing this article a while ago, we have been looking at and
evaluating scanwin. This looks to be a really useful and great product.

One of the pluses is that you can get it to 'block' any setup install
routines and this stops the users from installing applications. You can also
add the spyware programs (or any program) to the list and stop them from
running also.

Our install blocking section of titles is

Stop ANY Setup Programs Running:

• Setup
• Install
• Windows Installer
• installshield

We are currently adding to it as we find more installs that slip around the
above lines.

This seems to work better than blocking the program once installed. For example,
blocking ICQ.EXE is ok, but it's better not to have it installed in the first
place, so you don't end up with a machine full of software that won't work
and bogging the machine down.

The latest version of scanwin also lets you customise the warning prompt,
which is good as the original was designed for a school and our users would
laugh if they saw an error message saying contact your teacher if you need
to run this program.

Of course we use ZENworks to drop all our apps, so there are no manual
installs. If you need to do manual installs, you can disable the scanwin
program during the install process and then turn it back on when it's done.

Bob Fortin

Great posting! Just by reading through I caught many that I had missed. We strive to block the following:

• Messenger (of all sorts)
• Kazaa, Grokster, etc, etc
• Trillian
• X8pplay, etc
• Webshots

And the list grows and grows?

Oivind Ekeberg

Apps we ban!

All Gator-related apps (Gain Publishing). Spyware!

• Gator
• Weatherscope
• PrecisionTime
• Date Manager
• Dashbar

Since we're running GroupWise:

• Outlook Express
• Outlook
• MSN Messenger
• Trillian
• ICQ
• AOL

File-sharing apps other than iFolder:

• eMule
• eDonkey2000
• Kazaa
• Bittorrent

But after reading the list, I see that we have to do a major update on ours!

Paul Staniford

We have been having a lot of trouble with the Popup ring tone adverts.

We have now blocked the following sites to prevent a majority of the
infected sources of the adware. (The first two are used to reinstall the
adware, the rest host components of the exploit.)

*.default-homepage-network.com
*.smartbotpro.com

*.passthison.com
209.50.251.182
209.50.251.152
209.50.251.151
69.50.139.61
*.achtungachtung.com
*.2nd-thought.com
*.7search.com
*.680180.com

This adware is made up of 6 viruses:

HTML_REDIR.A
JS_IESTART.PS
CHM_Psyme.Y
CHM_Psyme.C
TROJ_SMALL.GO
TROJ_SILEN.A

and 3 pieces of adware:

ClientMan
CleverIEHooker
IGetNet.ClearSearch

They put loads of components on the computer and make a lot of registry
changes, IE crashes after McAfee attempts removal because it doesn't
unregister the BHO's. If you miss a part when removing the remaining
bit will download the parts you removed and reinstall them. In the end
we find it easier to reimage the computer.

The exploit was patched in Feb 2004 with patch KB832894 so it might be
an idea to make sure all your XP machines have this patch on them. Even
with this patch machines still manage to get some of files listed
below.

I have also have a ZEN app check for the following files/reg entry on
the machines and if they are present they are deleted.

%WinDir%\System32\AdStartup.exe
%WinDir%\System32\AdUpdater.exe
%WinDir%\System32\AdUpdManager.xml
%WinDir%\System32\data.xml
%WinDir%\System32\IeEnhancer.dll
%WinDir%\System32\AutoMove.exe
%WinDir%\System32\Trans.exe
%WinDir%\System32\SWin32.dll

There is also a registry key that runs AdStartup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdStartup

Bobby Guillory

Another app to consider blocking would be the Ezula.exe which downloads a ton of malware and spyware to machines. This program also installs the dreaded sahagent.* files which is considered parasitic. If not uninstalled a certain way it can completely disable the NIC card of a machine.

Additional Requests

Toby Fruth

I don't have a list of apps to ban, but I was wondering if you have any articles in disallowing USB flash drives and the like. Some of the 'banned' apps are standalone executables that run from any drive. Also, I was imagining the ZEN script only scanning the C:\ drive. I don't suppose anyone has disabled the use of CD/DVD drives.

George Washington

On a different note, I would like to see a Cool Solution on how to effectively scan other drives in addition to c:\. The problem is removable flash drives. Sol.exe and spider.exe are standalone solitaire programs that can be run from any drive.

Jesse Schulman

We would love to see RPM being able to ban the opening of specific file extensions, such as .mp3 or .avi and so on. I know that?s a big step, but it would be wonderful if we could stop users from using files of that type. Also the flash drive and other USB device issue is a big one with us.

Scott D. Jones

We also ban a lot of the "features" of Windows.

finger.exe
ftp.exe
install.exe
ipconfig.exe
mmc.exe
netbt.exe
netstat.exe
nslookup.exe
nwsndmsg.exe
nwtray.exe
poledit.exe
regedit.exe
regedit32.exe
setup.exe
setup1.exe
shrpubw.exe
telnet.exe
tftp.exe
tlntsvr.exe

Ryan A Wasek

I work in a Laboratory Environment where everything is highly regulated & confidential. As with many of the most obvious apps, our highest priority is file sharing apps such as:

KaZaA
Limewire
Morpheus
MyNapster
Napster
BadBlue
Bearshare
Swapper
WinMP3locator
WinMX
iMesh
Direct Connect
eDonkey

Frank Zomer

Another suggestion. Maybe it's also a good idea to make a list of websites you might want to ban. e.g. the web version of msn messenger at http://webmessenger.msn.com/.

Hope you think so too!

Phillip Cross

Here is a short list of programs we would like to block:

AOL
AOL AIM
GAIN
GATOR
BARGAIN BUDDY
PRECISION TIME
ANY NON MS SCREEN SAVER
WEB SHOTS
HACKED OR CRACKED PROGRAMS
INTERNET HISTORY ERASING PROGRAMS
PORN OF ANY TYPE

Ed Martens

What about BAN all apps except:

wmrundll.exe
wm.exe
nwtray.exe
nalwin32.exe
nalstart.exe
nalntsrv.exe
nal.exe
naldesk.exe

use Shell=nalwin32

Mike Murphy

Apps to Ban - Most of these are related to Keyloggers.

kldec.exe
wsys.exe
RunDll16.exe
KeyPatrol.exe
unsetup.exe
cisvc.exe
logger.exe
TinyKL.exe
csrss.exe
svcmcrv.exe
akl.exe
handy_keylogger.exe
NBSvr.exe
keycorder.exe
keycord1.exe
SYS.EXE
bpk.exe
Keyloggerpro.exe
aak.exe
keylogger.exe
Activeshield.exe
antikey.exe
bpk.exe
std.exe
EANTHO~1.EXE
sys_alert.exe
cisvc.exe
fhtisxk.exe
csrss.exe
KeyPatrol.exe
Krnlmod.exe
Mstapi.exe
mswinpid32.exe
Hello.exe
SpooI32.exe
Svchost.exe
sysdiag.exe
syncagent.exe
sys32win.exe
Rundll32.exe
DEFSCANGUI.EXE
WinVNC.exe
vnc.exe

Tim Dunkley

This solution uses the
DisallowRun feature .

Here are two files -- one .XLS, and one .TXT (which you rename to .REG)

• banned_exes.xls
• banned_exes.txt

The .REG file enables the DisallowRun feature & also includes the blocked exe's in List A. also included is an Excel file I use to update the .REG file (I Just find it easier when you want to add quite a few .exe's to the .REG file. If anyone can't figure the Excel file out, just e-mail me)

The way I deploy this to all workstations across the network is by using a simple ZENworks App which force runs when a user logs on.

All the folowing applications I've found in abundance all over the workstations on our network, the most of them all contain adware/spyware or malware, the others are applications that I find have no place in a business or any other enterprise environment.

List A:

"1"="AAWSEPERSONAL.EXE"
"2"="ACONTI.EXE"
"3"="ACTALERT.EXE"
"4"="agsatellite.EXE"
"5"="agsatellite609.EXE"
"6"="aim.EXE"
"7"="aim95.EXE"
"8"="aimster.EXE"
"9"="ANTIVIRUS_INSTALL.EXE"
"10"="AQUATICA WATERWORLDS.EXE"
"11"="AQUATICA-INSTALL-FSG.EXE"
"12"="AUDIOMP3FIND.EXE"
"13"="automove.EXE"
"14"="BADBLUE.EXE"
"15"="BARGAINS.EXE"
"16"="bbeagle.EXE"
"17"="bbsmartsetup.EXE"
"18"="BBSMARTSETUP.EXE"
"19"="BearShare.EXE"
"20"="BLACKWIDOW.EXE"
"21"="BLAT.EXE"
"22"="BLUBSTER.EXE"
"23"="BODETELLA.EXE"
"24"="BOL.EXE"
"25"="bonzibdy.EXE"
"26"="BUDDY.EXE"
"27"="BWWebloader.EXE"
"28"="CASINOBROWSER.EXE"
"29"="CIRCLE.EXE"
"30"="CLIENT4.EXE"
"31"="CLUSTONE.EXE"
"32"="cmesys.EXE"
"33"="COMBackConsole.EXE"
"34"="COMET_INSTALL.EXE"
"35"="CRAPSTER.EXE"
"36"="dap.EXE"
"37"="datemanager.EXE"
"38"="DCPLUSPLUS.EXE"
"39"="DECONPRO.EXE"
"40"="DEFSCANGUI.EXE"
"41"="DEVMGMT.MSC"
"42"="DIRECTCONNECT.EXE"
"43"="doom.EXE"
"44"="DSERVER.BAT"
"45"="DSHARE.BAT"
"46"="DW.EXE"
"47"="EANTHOLOGY.EXE"
"48"="EBATESMOEMONEYMAKER*.EXE"
"49"="EDONKEY2000.EXE"
"50"="EMULE.EXE"
"51"="EVOLUTION.EXE"
"52"="EVOLVER.EXE"
"53"="FILEFURY.EXE"
"54"="FILEMINER.EXE"
"55"="FILENAVIGATOR.EXE"
"56"="FILESHARE.EXE"
"57"="FILETO~1.EXE"
"58"="FILETOPIA.EXE"
"59"="FILEZILLA.EXE"
"60"="FLOCATOR.EXE"
"61"="FREECELL.EXE"
"62"="FREEWIRELAUNCHER.EXE"
"63"="fsg.EXE"
"64"="fsg-ag_3102.EXE"
"65"="screensaver.EXE"
"66"="gaim.EXE"
"67"="gator.EXE"
"68"="GDONKEY.EXE"
"69"="GETRIGHT.EXE"
"70"="GIDGET.EXE"
"71"="GKLDEMO.EXE"
"72"="gmt.EXE"
"73"="GNEWTELLA.EXE"
"74"="GNOTELLA.EXE"
"75"="GNUCLEUS.EXE"
"76"="GPEER.EXE"
"77"="grokster.EXE"
"78"="GTL POLIANE.EXE"
"79"="HLCLIENT*.EXE"
"80"="HOMEKEYLOGGER-SETUP.EXE"
"81"="HOPSTER.EXE"
"82"="HOPSTERSETUP.EXE"
"83"="httport.EXE"
"84"="HTTPTUNNEL_SETUP.EXE"
"85"="HTTP-TUNNELCLIENT.EXE"
"86"="icechat.EXE"
"87"="icq.EXE"
"88"="ICQLITE.EXE"
"89"="icqnet.EXE"
"90"="IKEA KITCHEN PLANNER.EXE"
"91"="im2001.EXE"
"92"="imeshclient.EXE"
"93"="imici.EXE"
"94"="Incredimail.EXE"
"95"="INETWIZ.EXE"
"96"="INOIZE.EXE"
"97"="ipodservice.EXE"
"98"="IPSCANNER.EXE"
"99"="JACKALOPE.EXE"
"100"="JITZUSHARE.EXE"
"101"="KAST.EXE"
"102"="kazaa.EXE"
"103"="KAZAALITE.KPP"
"104"="KHttp2t.EXE"
"105"="klient.EXE"
"106"="kmd.EXE"
"107"="KPP.EXE"
"108"="launcher.EXE"
"109"="LC_CLI.EXE"
"110"="lights.EXE"
"111"="LIMEWIRE.EXE"
"112"="LOCATOR.EXE"
"113"="lusrmgr.msc"
"114"="MADSTER.EXE"
"115"="MCAGENT.EXE"
"116"="MEDIAGRAB.EXE"
"117"="MEDIASEEK.EXE"
"118"="MEGASEARCHBARSETUP.EXE"
"119"="messenger.EXE"
"120"="MicWin.EXE"
"121"="MIRANDA32.EXE"
"122"="mirc.EXE"
"123"="misc.EXE"
"124"="MMCLIENT.EXE"
"125"="MMOD.EXE"
"126"="MOJO NATION.EXE"
"127"="MOODLOGIC.EXE"
"128"="morpheus.EXE"
"129"="MORPHEXE.EXE"
"130"="MP3 SWAPPER.EXE"
"131"="MP3EASYKL.EXE"
"132"="MP3FINDER.EXE"
"133"="MP3STARSEARCH.EXE"
"134"="MP3WOLF.EXE"
"135"="MSBB.EXE"
"136"="msimn.EXE"
"137"="msmsgs.EXE"
"138"="msn6.EXE"
"139"="msnmsgs.EXE"
"140"="MYNAPSTER.EXE"
"141"="MYSTER.EXE"
"142"="NAMSTER.EXE"
"143"="napster.EXE"
"144"="NARRATOR.EXE"
"145"="nastysex.EXE"
"146"="NBSRVR.EXE"
"147"="NETBRILLIANT.EXE"
"148"="NETBUS.EXE"
"149"="netd.EXE"
"150"="NJCOM32.EXE"
"151"="NOVA.EXE"
"152"="NWADMN32.EXE"
"153"="obrw.EXE"
"154"="odigo.EXE"
"155"="offers.EXE"
"156"="ONEMX.EXE"
"157"="OPTIMIZE.EXE"
"158"="OSSPROXY.EXE"
"159"="OVERNET.0.53.EXE"
"160"="OVERNET.EXE"
"161"="P2P NETWORKING.EXE"
"162"="PCV7.EXE"
"163"="PINPOST.EXE"
"164"="PIOLET.EXE"
"165"="PLAYER.EXE"
"166"="PLEBIO.EXE"
"167"="PLINK.EXE"
"168"="poledit.EXE"
"169"="polmx3.EXE"
"170"="powerscan.EXE"
"171"="ppdomu.EXE"
"172"="precisiontime.EXE"
"173"="preInsMt.EXE"
"174"="PTANKS.EXE"
"175"="putty.EXE"
"176"="puttytel.EXE"
"177"="PWDUMP.EXE"
"178"="PWDUMP3.EXE"
"179"="PWSERVICE.EXE"
"180"="QQ.EXE"
"181"="QT2.EXE"
"182"="QTRAX.EXE"
"183"="quake.EXE"
"184"="QUEUEMANAGER.EXE"
"185"="rainlendar.EXE"
"186"="RIDEWAY.EXE"
"187"="RIFFSHARE.EXE"
"188"="RINGTONE.EXE"
"189"="S4SETUP.EXE"
"190"="SAVE.EXE"
"191"="savenow.EXE"
"192"="SENTRY.EXE"
"193"="setuppestpatroleval.EXE"
"194"="SETUPSCR.EXE"
"195"="SHANKSTER.EXE"
"196"="SHAREAZA.EXE"
"197"="SHAREAZA.EXE"
"198"="SLAVANAP.EXE"
"199"="SLAVE.EXE"
"200"="SLSK.EXE"
"201"="SMIRK.EXE"
"202"="SNATCHIN.EXE"
"203"="snood.EXE"
"204"="snrg.EXE"
"205"="SOL.EXE"
"206"="SONGSPY.EXE"
"207"="SOULSEEK.EXE"
"208"="SOUNDCRAWLER.EXE"
"209"="SPINFRENZY.EXE"
"210"="SPLOOGE.EXE"
"211"="srnghelp.EXE"
"212"="srngutil.EXE"
"213"="SWAPNUT.EXE"
"214"="SWAPPER.EXE"
"215"="SWAPTOR.EXE"
"216"="Swift3D.EXE"
"217"="SWISH.EXE"
"218"="SYNCAGENT.EXE"
"219"="SYNCCONFIG.EXE"
"220"="TESLA.EXE"
"221"="THE BRIDGE.EXE"
"222"="ThePlaya.EXE"
"223"="TOADNODE.EXE"
"224"="trickler_bic_gatorpt_3202.EXE"
"225"="TRICKLER_BIC_GATORPT_3202.EXE"
"226"="trickler3016.EXE"
"227"="TRICKLER3016.EXE"
"228"="trillian.EXE"
"229"="UCMORE.EXE"
"230"="UCMOREIEX.EXE"
"231"="URLBLAZE.EXE"
"232"="VIDOMI.EXE"
"233"="VOUCHERS.EXE"
"234"="WEATHER.EXE"
"235"="weatherbug.EXE"
"236"="WEBREBATES_AUTO_INSTALLSILENT.EXE"
"237"="webrebates0.EXE"
"238"="webrebates1.EXE"
"239"="websearch1.EXE"
"240"="WEBSHAREIT.EXE"
"241"="webshots.EXE"
"242"="WEBSHOTS_SETUP.EXE"
"243"="WEBVACUUMFREE.EXE"
"244"="WHAGENT.EXE"
"245"="WHANCER.EXE"
"246"="whancer.EXE"
"247"="whse.EXE"
"248"="WINAMPA.EXE"
"249"="WINAMP.EXE"
"250"="winmx.EXE"
"251"="WIPPIT.EXE"
"252"="wnad.EXE"
"253"="WNAD.EXE"
"254"="WRAPSTER.EXE"
"255"="wssetup.EXE"
"256"="wtoolsa.exe "
"257"="XMAS2003_2.EXE"
"258"="XMAS2003_2_1.EXE"
"259"="XOLOX.EXE"
"260"="xxxtoolbar.EXE"
"261"="YAHOO!_MESSENGER_INSTALL.EXE"
"262"="ymsgr_tray.EXE"
"263"="YMSGRIE.EXE"
"264"="YMSGRUK.EXE"
"265"="YMSGRYIMS.EXE"
"266"="YOINK.EXE"
"267"="ypager.EXE"
"268"="YSERVER.EXE"
"269"="YUPDATER.EXE"
"270"="ZPOC.EXE"
"271"="errorguard.EXE"
"272"="freezeday.EXE"
"273"="CxtPls.EXE"
"274"="Al-Thkir2.EXE"
"275"="AlThkir3.EXE"
"276"="AQ3Helper.EXE"
"277"="Aquatica Waterworlds.EXE"
"278"="TarjimTools1.EXE"
"279"="SitePassMgr.EXE"
"280"="Tvm.EXE"
"281"="Weatherscope.EXE"
"282"="disp1150.EXE"
"283"="WebRebates0.EXE"
"284"="WebRebates1.EXE"
"285"="WebSecureAlert.EXE"
"286"="blaster_blocks_demo.EXE"
"287"="powerplay.EXE"
"288"="athan.EXE"
"289"="ButterflyOasis.EXE"
"290"="BO1Helper.EXE"

Reg File - Copy & paste to notepad & save as FILENAME.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="AAWSEPERSONAL.EXE"
"2"="ACONTI.EXE"
"3"="ACTALERT.EXE"
"4"="agsatellite.EXE"
"5"="agsatellite609.EXE"
"6"="aim.EXE"
"7"="aim95.EXE"
"8"="aimster.EXE"
"9"="ANTIVIRUS_INSTALL.EXE"
"10"="AQUATICA WATERWORLDS.EXE"
"11"="AQUATICA-INSTALL-FSG.EXE"
"12"="AUDIOMP3FIND.EXE"
"13"="automove.EXE"
"14"="BADBLUE.EXE"
"15"="BARGAINS.EXE"
"16"="bbeagle.EXE"
"17"="bbsmartsetup.EXE"
"18"="BBSMARTSETUP.EXE"
"19"="BearShare.EXE"
"20"="BLACKWIDOW.EXE"
"21"="BLAT.EXE"
"22"="BLUBSTER.EXE"
"23"="BODETELLA.EXE"
"24"="BOL.EXE"
"25"="bonzibdy.EXE"
"26"="BUDDY.EXE"
"27"="BWWebloader.EXE"
"28"="CASINOBROWSER.EXE"
"29"="CIRCLE.EXE"
"30"="CLIENT4.EXE"
"31"="CLUSTONE.EXE"
"32"="cmesys.EXE"
"33"="COMBackConsole.EXE"
"34"="COMET_INSTALL.EXE"
"35"="CRAPSTER.EXE"
"36"="dap.EXE"
"37"="datemanager.EXE"
"38"="DCPLUSPLUS.EXE"
"39"="DECONPRO.EXE"
"40"="DEFSCANGUI.EXE"
"41"="DEVMGMT.MSC"
"42"="DIRECTCONNECT.EXE"
"43"="doom.EXE"
"44"="DSERVER.BAT"
"45"="DSHARE.BAT"
"46"="DW.EXE"
"47"="EANTHOLOGY.EXE"
"48"="EBATESMOEMONEYMAKER*.EXE"
"49"="EDONKEY2000.EXE"
"50"="EMULE.EXE"
"51"="EVOLUTION.EXE"
"52"="EVOLVER.EXE"
"53"="FILEFURY.EXE"
"54"="FILEMINER.EXE"
"55"="FILENAVIGATOR.EXE"
"56"="FILESHARE.EXE"
"57"="FILETO~1.EXE"
"58"="FILETOPIA.EXE"
"59"="FILEZILLA.EXE"
"60"="FLOCATOR.EXE"
"61"="FREECELL.EXE"
"62"="FREEWIRELAUNCHER.EXE"
"63"="fsg.EXE"
"64"="fsg-ag_3102.EXE"
"65"="screensaver.EXE"
"66"="gaim.EXE"
"67"="gator.EXE"
"68"="GDONKEY.EXE"
"69"="GETRIGHT.EXE"
"70"="GIDGET.EXE"
"71"="GKLDEMO.EXE"
"72"="gmt.EXE"
"73"="GNEWTELLA.EXE"
"74"="GNOTELLA.EXE"
"75"="GNUCLEUS.EXE"
"76"="GPEER.EXE"
"77"="grokster.EXE"
"78"="GTL POLIANE.EXE"
"79"="HLCLIENT*.EXE"
"80"="HOMEKEYLOGGER-SETUP.EXE"
"81"="HOPSTER.EXE"
"82"="HOPSTERSETUP.EXE"
"83"="httport.EXE"
"84"="HTTPTUNNEL_SETUP.EXE"
"85"="HTTP-TUNNELCLIENT.EXE"
"86"="icechat.EXE"
"87"="icq.EXE"
"88"="ICQLITE.EXE"
"89"="icqnet.EXE"
"90"="IKEA KITCHEN PLANNER.EXE"
"91"="im2001.EXE"
"92"="imeshclient.EXE"
"93"="imici.EXE"
"94"="Incredimail.EXE"
"95"="INETWIZ.EXE"
"96"="INOIZE.EXE"
"97"="ipodservice.EXE"
"98"="IPSCANNER.EXE"
"99"="JACKALOPE.EXE"
"100"="JITZUSHARE.EXE"
"101"="KAST.EXE"
"102"="kazaa.EXE"
"103"="KAZAALITE.KPP"
"104"="KHttp2t.EXE"
"105"="klient.EXE"
"106"="kmd.EXE"
"107"="KPP.EXE"
"108"="launcher.EXE"
"109"="LC_CLI.EXE"
"110"="lights.EXE"
"111"="LIMEWIRE.EXE"
"112"="LOCATOR.EXE"
"113"="lusrmgr.msc"
"114"="MADSTER.EXE"
"115"="MCAGENT.EXE"
"116"="MEDIAGRAB.EXE"
"117"="MEDIASEEK.EXE"
"118"="MEGASEARCHBARSETUP.EXE"
"119"="messenger.EXE"
"120"="MicWin.EXE"
"121"="MIRANDA32.EXE"
"122"="mirc.EXE"
"123"="misc.EXE"
"124"="MMCLIENT.EXE"
"125"="MMOD.EXE"
"126"="MOJO NATION.EXE"
"127"="MOODLOGIC.EXE"
"128"="morpheus.EXE"
"129"="MORPHEXE.EXE"
"130"="MP3 SWAPPER.EXE"
"131"="MP3EASYKL.EXE"
"132"="MP3FINDER.EXE"
"133"="MP3STARSEARCH.EXE"
"134"="MP3WOLF.EXE"
"135"="MSBB.EXE"
"136"="msimn.EXE"
"137"="msmsgs.EXE"
"138"="msn6.EXE"
"139"="msnmsgs.EXE"
"140"="MYNAPSTER.EXE"
"141"="MYSTER.EXE"
"142"="NAMSTER.EXE"
"143"="napster.EXE"
"144"="NARRATOR.EXE"
"145"="nastysex.EXE"
"146"="NBSRVR.EXE"
"147"="NETBRILLIANT.EXE"
"148"="NETBUS.EXE"
"149"="netd.EXE"
"150"="NJCOM32.EXE"
"151"="NOVA.EXE"
"152"="NWADMN32.EXE"
"153"="obrw.EXE"
"154"="odigo.EXE"
"155"="offers.EXE"
"156"="ONEMX.EXE"
"157"="OPTIMIZE.EXE"
"158"="OSSPROXY.EXE"
"159"="OVERNET.0.53.EXE"
"160"="OVERNET.EXE"
"161"="P2P NETWORKING.EXE"
"162"="PCV7.EXE"
"163"="PINPOST.EXE"
"164"="PIOLET.EXE"
"165"="PLAYER.EXE"
"166"="PLEBIO.EXE"
"167"="PLINK.EXE"
"168"="poledit.EXE"
"169"="polmx3.EXE"
"170"="powerscan.EXE"
"171"="ppdomu.EXE"
"172"="precisiontime.EXE"
"173"="preInsMt.EXE"
"174"="PTANKS.EXE"
"175"="putty.EXE"
"176"="puttytel.EXE"
"177"="PWDUMP.EXE"
"178"="PWDUMP3.EXE"
"179"="PWSERVICE.EXE"
"180"="QQ.EXE"
"181"="QT2.EXE"
"182"="QTRAX.EXE"
"183"="quake.EXE"
"184"="QUEUEMANAGER.EXE"
"185"="rainlendar.EXE"
"186"="RIDEWAY.EXE"
"187"="RIFFSHARE.EXE"
"188"="RINGTONE.EXE"
"189"="S4SETUP.EXE"
"190"="SAVE.EXE"
"191"="savenow.EXE"
"192"="SENTRY.EXE"
"193"="setuppestpatroleval.EXE"
"194"="SETUPSCR.EXE"
"195"="SHANKSTER.EXE"
"196"="SHAREAZA.EXE"
"197"="SHAREAZA.EXE"
"198"="SLAVANAP.EXE"
"199"="SLAVE.EXE"
"200"="SLSK.EXE"
"201"="SMIRK.EXE"
"202"="SNATCHIN.EXE"
"203"="snood.EXE"
"204"="snrg.EXE"
"205"="SOL.EXE"
"206"="SONGSPY.EXE"
"207"="SOULSEEK.EXE"
"208"="SOUNDCRAWLER.EXE"
"209"="SPINFRENZY.EXE"
"210"="SPLOOGE.EXE"
"211"="srnghelp.EXE"
"212"="srngutil.EXE"
"213"="SWAPNUT.EXE"
"214"="SWAPPER.EXE"
"215"="SWAPTOR.EXE"
"216"="Swift3D.EXE"
"217"="SWISH.EXE"
"218"="SYNCAGENT.EXE"
"219"="SYNCCONFIG.EXE"
"220"="TESLA.EXE"
"221"="THE BRIDGE.EXE"
"222"="ThePlaya.EXE"
"223"="TOADNODE.EXE"
"224"="trickler_bic_gatorpt_3202.EXE"
"225"="TRICKLER_BIC_GATORPT_3202.EXE"
"226"="trickler3016.EXE"
"227"="TRICKLER3016.EXE"
"228"="trillian.EXE"
"229"="UCMORE.EXE"
"230"="UCMOREIEX.EXE"
"231"="URLBLAZE.EXE"
"232"="VIDOMI.EXE"
"233"="VOUCHERS.EXE"
"234"="WEATHER.EXE"
"235"="weatherbug.EXE"
"236"="WEBREBATES_AUTO_INSTALLSILENT.EXE"
"237"="webrebates0.EXE"
"238"="webrebates1.EXE"
"239"="websearch1.EXE"
"240"="WEBSHAREIT.EXE"
"241"="webshots.EXE"
"242"="WEBSHOTS_SETUP.EXE"
"243"="WEBVACUUMFREE.EXE"
"244"="WHAGENT.EXE"
"245"="WHANCER.EXE"
"246"="whancer.EXE"
"247"="whse.EXE"
"248"="WINAMPA.EXE"
"249"="WINAMP.EXE"
"250"="winmx.EXE"
"251"="WIPPIT.EXE"
"252"="wnad.EXE"
"253"="WNAD.EXE"
"254"="WRAPSTER.EXE"
"255"="wssetup.EXE"
"256"="wtoolsa.exe "
"257"="XMAS2003_2.EXE"
"258"="XMAS2003_2_1.EXE"
"259"="XOLOX.EXE"
"260"="xxxtoolbar.EXE"
"261"="YAHOO!_MESSENGER_INSTALL.EXE"
"262"="ymsgr_tray.EXE"
"263"="YMSGRIE.EXE"
"264"="YMSGRUK.EXE"
"265"="YMSGRYIMS.EXE"
"266"="YOINK.EXE"
"267"="ypager.EXE"
"268"="YSERVER.EXE"
"269"="YUPDATER.EXE"
"270"="ZPOC.EXE"
"271"="errorguard.EXE"
"272"="freezeday.EXE"
"273"="CxtPls.EXE"
"274"="Al-Thkir2.EXE"
"275"="AlThkir3.EXE"
"276"="AQ3Helper.EXE"
"277"="Aquatica Waterworlds.EXE"
"278"="TarjimTools1.EXE"
"279"="SitePassMgr.EXE"
"280"="Tvm.EXE"
"281"="Weatherscope.EXE"
"282"="disp1150.EXE"
"283"="WebRebates0.EXE"
"284"="WebRebates1.EXE"
"285"="WebSecureAlert.EXE"
"286"="blaster_blocks_demo.EXE"
"287"="powerplay.EXE"
"288"="athan.EXE"
"289"="ButterflyOasis.EXE"
"290"="BO1Helper.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

If you have any questions you may contact Tim at Tim.Dunkley@whittington.nhs.uk

Keith Pain

I would like to add to the growing list.....

Things that might already be on there.

• any file sharing software. ( Kazza, e-mule etc)
  as this opens up any network security
• Windows 2000, XP, 2003
  Auto updates have to have a port out, and a port in. And with
  Microsoft's bad coding that opens up the security of most networks, unless you
  look right into the MS security and spend hours locking down the OSs, so
  users cannot move without IT being there to unlock their account.

Ray Southworth

Of course there are THOUSANDS of Spyware, games, and chat software that you would want to ban - but if you do a good job locking down the machines then there really is no reason to have a banned list that I have seen. When I converted my office environment to ZfD4, my users weren't really happy that they couldn't install their own personal software, but I would explain to them that they are not working on a PC - it's a BC (Business Computer). If they had software that they wanted installed on the computer, it needed to be tested on a non-production machine, and THEN I would add it to their NAL. This might not be an efficient way of doing things in a very large network, but as the only IT person on a staff of about 600 people with 350 desktops, it's worked for ME.

Tom Dalton

Great list!

I won't echo the hundreds of great suggestions already out there, but thought I'd add a couple that we're seeing problems with:

• n-case.exe (a variant of a program already submitted)
• ezluu.exe (SurferBar)
• sfbar.exe (another piece of the SurferBar)
• mwsoemon.exe (the MyWebSearch toolbar)
• sysupd.exe (a dialer program -- another bad one)

For some reason, everyone in our company is a sucker for these search bars. We keep telling them, only Google and Yahoo! But they keep installing other ones.

Oh well. Maybe we can stop them, finally, with this. :o)

Alan Wells

My list from School:

Games:

1320v151S.exe
    3footninja2.exe
    anman.exe
    B&ARROW.EXE
    BF1942Demo.exe
    bubble trouble.exe
    caste defender.exe
    cbdemo.exe
    cg.exe
    counterstrike2d.exe
    DESKTOP.EXE
    DESKTOPX.EXE
    DESKTOP_X.EXE
    Doom95.exe
    Drag Racer 3.exe
    dragracer.exe
    elma.exe
    et.exe
    fightr2.exe
    fms.exe
    fpupdate.exe
    gsarcade.exe
    if2.exe
    if2_v19.exe
    if2_v19c_Setup.exe
    madness.exe
    Mario.exe
    n_v14.exe
    nester.exe
    pacman.exe
    pacman2.exe
    pacmania.exe
    pclock.exe
    pikachu.exe
    pinball.exe
    prjcargame.exe
    project64.exe
    project64_1.6.exe
    ptanks.exe
    q3ademo.exe
    quake 3.exe
    quake3.exe
    quake3demo.exe
    sierraup.exe
    sliders.exe
    snood.exe
    spider.exe
    visualboyadvance.exe
    WALIENS.EXE
    winkawaks.exe
    Worm Wars IV.exe
    yetisports5.exe

ScreenSavers:

virtua1.exe
    virtua2.exe
    Virtuagirl2.exe
     

I have created a small batch file that is delivered via ZENworks hidden (delivery and the execution). The files are distributed to the c:\windows directory via ZENworks and then the following script runs to detect and kill the game. It then emails the Dean of Studies at the school and shuts down the PC. Shutting down the PC discourages playing the game again. I do still have an issue with the script in that if the game taskname is seperated by a space the task is not 'kill' as the task 'bubble trouble.exe' makes the variable 'bubble'.

I am also working on a banned.txt list to detect unwanted applications running on staff PCs which will email once detected.

c:
    cd \windows
    attrib +H banned.txt
    attrib +H games.txt
    attrib +H blat.*
    attrib +H detector.bat
     
    :start
    sleep 30
    tasklist /V >c:\windows\tasklist.txt
    Echo %NWUSERNAME% >c:\windows\detect.txt
    Echo %COMPUTERNAME% >>c:\windows\detect.txt
    time /t >>c:\windows\detect.txt
    date /t >>c:\windows\detect.txt
    findstr /G:c:\windows\games.txt c:\windows\tasklist.txt >>c:\windows\detect.txt
    findstr /G:c:\windows\games.txt c:\windows\tasklist.txt >>c:\windows\detect.txt
    findstr /G:c:\windows\games.txt c:\windows\tasklist.txt >>c:\windows\detect.txt
    FOR /F "skip=5" %%1 IN (c:\windows\detect.txt) DO goto games
     
    goto start
     
    :games
    FOR /F "skip=5" %%i IN (c:\windows\detect.txt) DO set game=%%i
    taskkill /F /IM %game%
     
    sleep 3
    c:\windows\blat c:\windows\detect.txt -to mail@domain.com.au -f egames-detected@domain.com.au -s "**** Games Detected ****" -server 10.0.2.40
    shutdown -r -t 10 -c "Detected Banned Application...shuting down computer...Email notification sent!"
     
    goto end
     
    :end
    Echo why did I get here?

David White

When trying to track down spyware / adware on client PCs I have found it
useful to compile the following list of "valid" system processes. It helps
to quickly dismiss vaild processes from task manager / Hijack This etc and
concentrate on investigating rogue processes. I have included other
non-Novell processes, for example Windows 2000 OS processes and application
processes in use in our environment.

Most of the descriptions were taken from www.processlibrary.com and similar
sites.

Hope this is of use.

Securelogin:

CAPTAINHOOK.EXE
COMBROKER.EXE or COMBRO~1.EXE
PROTO.EXE

Other Novell:

CLNTRUST.EXE This is a program that allows the name of the user to be
submitted with each Web request. Without clntrust.exe running, this
information will not be submitted. As far as the proxy server is concerned,
no one is logged-in.

DPMW32.EXE dpmw32.exe is a part of the Novell Client. This process
runs in the background and allows the computer to access NDPS print serves
and assist in access to Netware security features.

GSW32.EXE Graphics server for Border manager in NW Admin32

NALDESK.EXE Allows NAL explorer and NAL to run locally

NALNTSRV.EXE NAL NT Service

NALWIN32.EXE Allows NAL to run locally

NWTRAY.EXE nwtray.exe is the tray bar process for Novell NetWare. It
gives the user easy access to essential NetWare features.

WM.EXE Novell Workstation manager. Owns WMRUNDLL.EXE process

WMRUNDLL.EXE The function of WMRUNDLL.EXE is to act as a buffer
between Workstation Manager and the helper .DLL files (WM*.DLL)

WUOLSERVICE.EXE Novell Wake-On-LAN service

WUSER32.EXE ZEN remote control agent

Operating System:

CSRSS.EXE csrss.exe is the main executable for the Microsoft
Client/Server
Runtime Server Subsystem. This process manages most graphical commands in
Windows. This program is important for the stable and secure running of
your
computer and should not be terminated.

INTERNAT.EXE internat.exe is installed with Windows and is an process
to
providing Microsoft's multi-lingual features in Microsoft Windows. This
program is important for the stable and secure running of your computer and
should not be terminated.

LSASS.EXE lsass.exe is a system process of the Microsoft Windows
security
mechanisms. It specifically deals with local security and login policies.

SERVICES.EXE services.exe is a part of the Microsoft Windows Operating
System and manages the operation of starting and stopping services. This
process also deals with the automatic starting of services during the
computers boot-up and the stopping of service during shut-down. This
program is important for the stable and secure running of your computer and
should not be terminated.

SMSS.EXE smss.exe is a process which is a part of the Microsoft
Windows
Operating System. It is called the Session Manager SubSystem and is
responsible for handling sessions on your system. This program is important
for the stable and secure running of your computer and should not be
terminated.

SPOOLSV.EXE spoolsv.exe is a Microsoft Windows system executable
which
handles the printing process to your local printers.

SVCHOST.EXE svchost.exe is a system process belonging to the
Microsoft Windows Operating System which handles processes executed from
DLLs. This program is important for the stable and secure running of your
computer and should not be terminated. Use tlist utility to see which
processes svchost is running.

TASKMGR.EXE taskmgr.exe is the executable for the Windows Task Manager. It
shows you the processes that are currently running on the system. This
application is opened by pressing CTRL+ALT+DEL. This program is a
non-essential system process, but should not be terminated unless suspected
to be causing problems.

WINLOGON.EXE WinLogon.exe is the Windows NT login manager. It handles
the
login and logout procedures on your system. This process is an essential
part of your OS and should be left alone.

WINMGMT.EXE WinMgmt.exe is the Windows Management Instrumentation. It is
used by system administrators to create Windows management scripts, for
example, scripts that handles the user accounts on a server.

Applications:

VPTRAY.EXE VPTray.exe is the tray bar process for Norton Antivirus.
It gives
the user fast access to Norton Antivirus.

DEFWATCH.EXE defwatch.exe is a part of Norton Antivirus Corporate
Edition, and is responsible for monitoring the virus definition files and
initiating processes to bring them up to date if they aren't.

RTVSCAN.EXE rtvscan.exe is an executable of the Symantec Internet
Security Suite. It is responsible for the execution of real-time
virus-scanning in order to detect virus infected files as they enter your
system. This program is important for the stable and secure running of your
computer and should not be terminated.

CAGENT32.EXE cagent32.exe is a process belonging to Centennial
Discovery which monitors software licenses on the local machine for
analysis.

XFERWAN.EXE xferwan.exe is a process associated with Centennial Discovery

HNDLRSVC.EXE hndlrsvc.exe is a process associated with Intel Alert
Handler which alerts you regarding e-mails, and other options. This is a
non-essential process. Disabling or enabling this is down to user
preference.

CTFMON.EXE ctfmon.exe is a part of the Microsoft Office suite. It
activates the Alternative User Input Text Input Processor (TIP) and the
Microsoft Office XP Language Bar

Scott A. Murray

zango.exe and zangoinstaller.exe

We found them to be the hottest IM app in our schools these days.

John N. Shaw

Here's my list - the majority of these are not in your list. The list is entirely P2P apps and only P2P apps, which I use when mothers are paranoid about their children's potential for lawsuits, (and they are sick of paying me to remove the malware from their systems too.) Save as a .reg file and merge on each user account. The list appears twice as I always get the .DEFAULT hive so new accounts created will also have the same restrictions.

Thanks to your list, my list will double :D

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="abc.exe"
"2"="ares.exe"
"3"="areslite.exe"
"4"=" azureus.exe"
"5"="bearshare.exe"
"6"="bitcomet.exe"
"7"="bitspirit.exe"
"8"="bt lite.exe"
"9"="btdownloadgui.exe "
"10"="dcplusplus.exe"
"11"="dcpro.exe"
"12"="dietk.exe"
"13"="edonkey2000.exe"
"14"="emule.exe"
"15"="es5.exe"
"16"="fastmp3search.exe"
"17"="filecroc.exe"
"18"="freenet.exe"
"19"="freewirelauncher.exe"
"20"="grokster.exe"
"21"="imesh.exe"
"22"="kazaa.exe"
"23"="kazaaghost.exe"
"24"="kazza.exe"
"25"=" kiwialpha.exe"
"26"="limewire.exe"
"27"="lordofsearch.exe"
"28"="morpheus.exe"
"29"="morphexe.exe"
"30"="mp3 music search.exe"
"31"="odc.exe"
"32"="onemx.exe"
"33"="phantomdc.exe"
"34"="phex.exe"
"35"="piolet.exe"
"36"="rockitnet.exe"
"37"="sdch.exe"
"38"="slsk.exe"
"39"="strongdc.exe"
"40"="swapperstarter.exe"
"41"=" trustyfiles.exe"
"42"="ttorrent.exe"
"43"="twister.exe"
"44"="warez.exe"
"45"="wwwfilesharepro.exe"
"46"=" xolox.exe"
"47"="zultrax.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="abc.exe"
"2"="ares.exe"
"3"="areslite.exe"
"4"="azureus.exe"
"5"="bearshare.exe"
"6"=" bitcomet.exe"
"7"="bitspirit.exe"
"8"="bt lite.exe"
"9"="btdownloadgui.exe"
"10"="dcplusplus.exe"
"11"="dcpro.exe "
"12"="dietk.exe"
"13"="edonkey2000.exe"
"14"="emule.exe"
"15"="es5.exe"
"16"="fastmp3search.exe"
"17"="filecroc.exe"
"18"="freenet.exe"
"19"="freewirelauncher.exe"
"20"="grokster.exe"
"21"="imesh.exe"
"22"=" kazaa.exe"
"23"="kazaaghost.exe"
"24"="kazza.exe"
"25"="kiwialpha.exe"
"26"="limewire.exe"
"27"="lordofsearch.exe "
"28"="morpheus.exe"
"29"="morphexe.exe"
"30"="mp3 music search.exe"
"31"="odc.exe"
"32"="onemx.exe"
"33"="phantomdc.exe"
"34"="phex.exe"
"35"="piolet.exe"
"36"="rockitnet.exe"
"37"="sdch.exe"
"38"=" slsk.exe"
"39"="strongdc.exe"
"40"="swapperstarter.exe"
"41"="trustyfiles.exe"
"42"="ttorrent.exe"
"43"="twister.exe "
"44"="warez.exe"
"45"="wwwfilesharepro.exe"
"46"="xolox.exe"
"47"="zultrax.exe"

Here are some additions that I I've recently discovered from your list and other places, so some aren't on your list yet. Sorry for the redundancy but I already sorted them and don't feel like seperating the ones that aren't on your list from the ones that are. I'll add them to my file later. Again, all are P2P:

AGSATELLITE.EXE
AGSATELLITE609.EXE
AUDIOMP3FIND.EXE
BADBLUE.EXE
BLACKWIDOW.EXE
BO1HELPER.EXE
BUDDY.EXE
BWWEBLOADER.EXE
CLIENT*.EXE
CLIENT4.EXE
CLUSTONE.EXE
COMBACKCONSOLE.EXE
CRAPSTER.EXE
DECONPRO.EXE
DIRECTCONNECT.EXE
DSERVER.BAT
DSHARE.BAT
EVOLUTION.EXE
EVOLVER.EXE
FILEFURY.EXE
FILEMINER.EXE
FILENAVIGATOR.EXE
FILESHARE.EXE
FILETOPIA.EXE
FILEZILLA.EXE
FLOCATOR.EXE
GDONKEY.EXE
GNEWTELLA.EXE
GNOTELLA.EXE
GNUCLEUS.EXE
GPEER.EXE
GTL POLIANE.EXE
HLCLIENT*.EXE
IMESHCLIENT.EXE
JITZUSHARE.EXE
KAST.EXE
KMD.EXE
KPP.EXE
LOCATOR.EXE
MADSTER.EXE
MEDIAGRAB.EXE
MEDIASEEK.EXE
MMOD.EXE
MOJO NATION.EXE
MP3 SWAPPER.EXE
MP3EASYKL.EXE
MP3FINDER.EXE
MP3STARSEARCH.EXE
MP3WOLF.EXE
MYNAPSTER.EXE
MYSTER.EXE
NAMSTER.EXE
NAPSTER.EXE
NEONAPSTER.EXE
NOVA.EXE
OVERNET.EXE
OVERNET053.EXE
P2P NETWORKING.EXE
PINPOST.EXE
PIOLET.EXE
PLEBIO.EXE
PLINK.EXE
QT2.EXE
QTRAX.EXE
QUEUEMANAGER.EXE
RIDEWAY.EXE
RIFFSHARE.EXE
SHANKSTER.EXE
SHAREAZA.EXE
SLAVANAP.EXE
SMIRK.EXE
SNATCHIN.EXE
SONGSPY.EXE
SOULSEEK.EXE
SPLOOGE.EXE
SWAPNUT.EXE
SWAPPER.EXE
SWAPTOR.EXE
TESLA.EXE
THE BRIDGE.EXE
TOADNODE.EXE
URLBLAZE.EXE
WEBSHAREIT.EXE
WEBVACUUMFREE.EXE
WINMX.EXE
WIPPIT.EXE
WRAPSTER.EXE
WRAPSTER*.EXE
XSC*.EXE
ZPOC.EXE

Btw, what a great idea for the list. It's exactly what I was hoping to find and I hope I have helped with the additions!

Russell Seibert

I think you may be approaching this the wrong way. As an administrator of a school district with a large number of PCs, I don't block any apps. I found it much easier to allow specific apps through policies. There are far too many apps that you would have to block that people can get to or bring in. (Games, messaging, peer to peer, etc.) As administrators we all know what is supposed to be on the end-users PCs. ZFD policies already has this built in. You just need to populate it. It takes a little time to gather all your apps but once you're done you don't have to mess with it anymore. If an end-user comes to you and says they need something to run you just add it to your policy, and distribute the app through ZEN to the users that need it. I know there is a hole with running this through policies, but that same hole exists with banning apps. I have found this to work much better than trying to ban what is not supposed to be there in the first place. If it is not supposed to be there don't let it run.

Billy Stokes

We currently have a list of .exe files we don't want users to have easy access to. As of now, we simply move these .exes to a folder we create, so they are not in the System Path. We do not have ZfD 4 yet, but are planning to upgrade shortly; at that point we will test this list with RPM. There may be some in here that admins might not want to ban through RPM; or it would be nice if, through RPM, you could grant certain users the rights to run the banned apps.

At.exe
Calcs.exe
Cmd.exe
Cscript.exe
ftp.exe
tftp.exe
regedit.exe
regedit32.exe
runas.exe
nbtstat.exe
telnet.exe
net.exe

Here are some other .exes that we all-out ban:

• aim.exe -- AOL Instant Messenger
• itunes.exe -- iTunes
• kazaa.exe -- Kazaa
• LimeWire.exe -- Limewire
• msmsgs.exe -- MSN Messenger
• viewmgr.exe -- Malware component of Viewpoint Media Player (can be installed with AOL Instant Messenger)
• *VNC*.exe -- Anything VNC (Real, Tight, etc.)

Karl Reischl

Google Desktop - especially since it will scan network drives and store it on the Google servers.

Chris Harwood

In response to your thread of creating an ever-increasing application list that an organization might want to block, I have this to offer:

Because the list of applications an organization may want to block seems to be ever-increasing due to the constant development of "unwanted" applications, our organization has taken the approach of allowing ONLY applications that are allowed to be run. Further, we have ensured that EACH INDIVIDUAL workstation has its own, unique exception list for only those applications allowed on that particular PC. Because there is not one global exceptions list containing all executables, this further limits the ability for users to run applications which are allowed on another PC in the event that they are able to obtain and load the software. In our medical environment of 4500+ computers and 700 or so applications, creating a list of approved executables and distributing them to every computer would defeat our desire to allow ONLY those needed on EACH particular workstation.

SOLUTION: We have therefore incorporated within each application object the necessary exceptions required to run that application and any needed modules. Consequently, the exception list of a PC is populated for an application during the distribution of that application.

This has become a fairly simple task with the tools we have developed for our NAL developers. One, dubbed "Rogue Stamper" will scan an .axt file for needed executables and automatically compile a .reg file with required ALLOWED exceptions. This registry file is then simply imported into the NAL object, ready for distribution. Better, it can be called for importation as a Pre-launch script in order to re-distribute every time. This would simplify adding additional or missed executables since the version stamp of the NAL wouldn't have to change (thus re-distributing the ENTIRE application). MSI applications are handled by the Rogue Stamper as well, allowing the developer to browse to directories (locally or networked) in order to scan for executables in the directory and sub-directories in order to compile the .reg file. All files' Original Filename are checked and used if different from the actual filename.

If you have any questions you may contact Chris at harwoodc@trinity-health.org

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.