
Cool List/Spreadsheet: Apps You Might Want to Ban

Novell Cool Solutions: Trench


Updated: 26 May 2006
 

We got a great OPEN CALL suggestion from Bryen Y. Here's what he said:
Since one reallllly cool feature of ZENworks for Desktops 4 is the ability to block Rogue Applications, why not set up a list that Cool Solutions attendees can add to that identifies suggested applications to ban in their network?

No one knows EVERY questionable application that's out there, and keeping a user-friendly list like this will definitely keep us coming back to Cool Solutions for more!

We think that's a great idea. Send us the list of apps you ban (and why), and we'll start building the Cool List. We'll send you a Novell t-shirt for your trouble.

For more information on Rogue Process Management see this section of the documentation.

NOTE: One reader commented that he was testing the Rogue Process Management feature, but he was skeptical of its value because he thought that his students would be able to rename apps to prevent them from being closed. Here's what the ZENworks Product Manager had to say about that: "This is not the case, at least in our testing. Rogue Process Management doesn't rely on the filename, it relies on the program internals. In fact, when we demo this, we rename files and show that RPM shuts 'em down regardless."

NEW Rod U. wrote: Can Rogue Process Management stop certain DLLs from running? Some games can have the EXE renamed and will still run but the DLL needs to have the original name.

Shaun Pond says: Renaming the EXE shouldn't stop RPM from killing it - it's the original name, that's buried in the executable, that's used to terminate it.
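To illustrate the point made in the comments above, here is an added example (not ZENworks code, and not from the page's contributors) that matches a block list on the name stored inside the file rather than the name on disk. It assumes the embedded name is the `OriginalFilename` string of the Windows version resource and finds it with a simple byte scan; the function names and the sample bytes are constructed for the example, and how ZENworks itself reads the name is not shown on this page.

```python
import ntpath

# UTF-16LE key of the version-resource string that records the build-time name.
_KEY = "OriginalFilename".encode("utf-16-le")

# Executable names taken from the lists on this page.
BLOCKED = {"kazaa.exe", "winmx.exe", "aim.exe"}


def embedded_original_name(image: bytes):
    """Return the OriginalFilename string stored in the image, or None.

    Heuristic scan (assumption): find the key, skip its NUL terminator and
    any alignment padding, then read UTF-16LE characters up to the next NUL.
    """
    pos = image.find(_KEY)
    if pos < 0:
        return None
    pos += len(_KEY)
    while image[pos:pos + 2] == b"\x00\x00":
        pos += 2
    end = pos
    while end + 1 < len(image) and image[end:end + 2] != b"\x00\x00":
        end += 2
    return image[pos:end].decode("utf-16-le", errors="replace") or None


def classify(disk_path: str, image: bytes, blocked=BLOCKED):
    """Return (action, reason) for one executable."""
    disk_name = ntpath.basename(disk_path).lower()
    embedded = embedded_original_name(image)
    if embedded and embedded.lower() in blocked:
        # The embedded name is on the list, whatever the file is called now.
        if embedded.lower() != disk_name:
            return ("terminate", "renamed")
        return ("terminate", "embedded-name")
    if disk_name in blocked:
        # Nothing embedded matched; only the on-disk name is on the list.
        return ("terminate", "disk-name-only")
    if embedded is None:
        return ("allow", "no-embedded-name")
    return ("allow", "not-listed")


def sample_image(original_name=None):
    """Constructed bytes standing in for an executable (not a real PE file)."""
    body = b"MZ" + b"\x90" * 32
    if original_name is not None:
        body += _KEY + b"\x00\x00" + b"\x00\x00"  # terminator + padding
        body += original_name.encode("utf-16-le") + b"\x00\x00"
    return body + b"\x00" * 16


if __name__ == "__main__":
    cases = [
        (r"C:\Lab\homework.exe", sample_image("KaZaA.exe")),
        (r"C:\Apps\kazaa.exe", sample_image("kazaa.exe")),
        (r"C:\Temp\winmx.exe", sample_image(None)),
        (r"C:\Temp\tool.exe", sample_image(None)),
        (r"C:\Apps\calc.exe", sample_image("calc.exe")),
    ]
    for path, image in cases:
        print(path, classify(path, image))
```

A file with no version resource has nothing to match except its on-disk name, which is what the `disk-name-only` and `no-embedded-name` results report.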

Spreadsheet Version of Apps to Ban

In true Cool Solutions fashion, Mike Murphy, a network engineer at Pewaukee School District, took it upon himself to make order out of the chaos. Here's what he said:

I've found the Rogue App Killer very helpful as well as the page listing the programs.

What's hard is that everyone enters things in different formats and there are a lot of duplicates to wade through - sifting the wheat from the chaff. I've done the work for you. I took all the exe's from the Suggestions listed on the page last updated on 12 Oct 2005 and I think I've eliminated all the duplicates, and alphabetized the list for you to easily check it against your files.

I did remove some Office programs that some people ban as that seems to be pretty site-dependent and any admin should know which of their common apps they want to ban.

Also, IMHO I think listing .EXE files is much more helpful than saying something like block the iMesh program. That makes each admin go out and figure out what the .EXE is that needs to be blocked. You almost might as well have not posted if we all have to go and figure out what the executables are. Hopefully other admins agree and we can try and list programs for the most part.

Here's the current version. I've put in a category field as well, with the autofilter option. I'm researching more keyloggers to add to this. What about a 'wiki' for this? Then anyone could edit the list.....now that would be pretty sweet!

We thought Mike's spreadsheet and suggestion were both spectacular, and have now created a wiki page that contains his spreadsheet. The beauty is that as you find other things to add to the list (as you undoubtedly will) - you can pop out there and edit the spreadsheet in the wiki.

Check it out, and let's keep it updated with the latest wicked apps you may want to ban.
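The cleanup described above (entries in different formats, duplicates, and names with no executable) can be scripted. The following is an added example, not Mike Murphy's spreadsheet or Novell code: it merges entries written in the formats the submissions on this page use into one de-duplicated, alphabetized list, sets aside entries that name a program but no file, and lists pairs of names one character apart for a human to check. The sample lines are constructed from names on this page; the function names and the treatment of `*` as a wildcard are assumptions.

```python
import re
from itertools import combinations

# Constructed sample: entries written in the formats submissions on this page use.
SAMPLE = '''\
; Program Killer style
AIM.EXE||AOL Instant Messenger
AMM*.EXE||Advanced mp3 manager
KAZAA.EXE||KaZaA Media Desktop
"Chatware - AOL Instant Messenger"="aim.exe"
"Chatware - MSN Messenger"="msmsgs.exe"
msnmsgr.exe | MSN Messenger executable
winmx.exe - WinMX Download Service
msmgs.exe
kazaa.exe
iMesh
'''

# A file entry: name (letters, digits, _, -, space, *) plus a runnable extension.
_FILE = re.compile(r"^[\w*\- ]+\.(?:exe|com|bat|vbs|msc|msi)$", re.I)


def parse_line(line):
    """Return (file_name, description), or (None, text) if no file is named."""
    line = line.strip()
    m = re.match(r'^"(.*)"="(.*)"$', line)   # "description"="file"
    if m:
        desc, name = m.group(1), m.group(2)
    elif "||" in line:                        # FILE||description
        name, desc = line.split("||", 1)
    elif " | " in line:                       # file | description
        name, desc = line.split(" | ", 1)
    elif " - " in line:                       # file - description
        name, desc = line.split(" - ", 1)
    else:                                     # bare entry
        name, desc = line, ""
    name = name.strip().lower()
    if _FILE.match(name):
        return name, desc.strip()
    return None, line


def one_edit_apart(a, b):
    """True when a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]


def merge(text):
    """Merge mixed-format entries into one case-insensitive, sorted list."""
    files, wildcards, unresolved = {}, {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue  # blank line or comment
        name, desc = parse_line(raw)
        if name is None:
            unresolved.append(desc)  # program named without its executable
            continue
        bucket = wildcards if "*" in name else files
        bucket.setdefault(name, set())
        if desc:
            bucket[name].add(desc)
    stem = lambda n: n.rsplit(".", 1)[0]
    # Names one character apart may be the same program misspelled once.
    review = [(a, b) for a, b in combinations(sorted(files), 2)
              if one_edit_apart(stem(a), stem(b))]
    return {
        "files": {n: sorted(d) for n, d in sorted(files.items())},
        "wildcards": {n: sorted(d) for n, d in sorted(wildcards.items())},
        "unresolved": unresolved,
        "review": review,
    }


if __name__ == "__main__":
    for key, value in merge(SAMPLE).items():
        print(key, value)
```

A misspelled entry in a block list fails silently, so the `review` pairs are worth checking by hand before the list is pushed out.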


Suggestions

Dallas D. Schell | Travis Becker | Bryan Thoreson
Maarten | Bruce Kiefaber | Chris Hoare
Christopher Thorpe | Ed Williams | Elisabeth Curtner
Eric Gengler | Gregory Pronovost | Alain Sylvestre
Zach Thiel | Peter I. Asp | Glenn Sjögren
Kevin Calvert | Andrew White | Karl Tipping
Robert Yunker | Scott Burmann | Michael Fratini
Raffael Trotta | Bryen Yunashko | John Schultz
Matt Hudson | Le Papa | Ted Ziolkowski
Adam Reno | Lawrence A. Bombac II | Chad Miller
Joseph Sutton | Mark Forbes | Johnnie Carson
Neil Jensen | Jim Pye | Christian Kaiser
Anthony L. Preman | Brett S. Miller | Anonymous
Anonymous as well | George Washington | Klaus Schiffgens
Steve Shumski | Martin van der Boon | Mark Shoemaker
Dusty Lunn | Paul McLean | Ernesto Fox
Mark R. Fermin | Nils Treu | ryumaou
Jason | Heiko Pletat | David Cook
Mike Shore | Kyle Jones | Steven Turnbull
Rathna N | John Phipps | Earl Bryant
Christopher P. Smith | Phillip Cross | Dwayne Watkins
Manlio Fernando Bedoya Arango | James Romer | Nathan Tidd
Brandon Kirsch | Andrew Palm | Bob Fortin
Oivind Ekeberg | Paul Staniford | Bobby Guillory
Scott D. Jones | Ryan A Wasek | Frank Zomer
Phillip Cross | Ed Martens | Mike Murphy
Tim Dunkley | Keith Pain | Ray Southworth
Tom Dalton | Alan Wells | David White
Scott A. Murray | John N. Shaw | Russell Seibert
Billy Stokes | Karl Reischl | Chris Harwood NEW


  • Additional Requests

    Dallas D. Schell

    • iTunes
    • MusicMatch

    Travis Becker

    Here at the University of Minnesota - College of Liberal Arts, we have a group policy profile that is set up for various grad labs, and we ban the following:

    • MSN Messenger
      - easily spreads worms and viruses because it is left on often and because of how simple it is for users to send and receive files that are potentially harmful.
    • Install and Setup.exe
      - this prevents users from installing any .exe applications.

    Bryan Thoreson

    • install.exe
    • setup.exe

    • Because not all apps follow Windows access rights in a FAT32 world. So we have Graduate Student Labs in which we do not want people installing some unauthorized app. install.exe and setup.exe will prevent this 99% of the time.
    • msimn.exe because Outlook or Lookout is a no-no for Grad labs.

    Maarten

    I read your comment about the application lists to ban with a ZENworks policy and I think it is a very cool idea! Here are some of mine:

    File Sharing/Copyright problem software:
    These programs use P2P protocols to share copyrighted files, music, movies and more. They could be a real strain on bandwidth if allowed to run, and since some of them can mimic a web browser through port 80 you can't really block it properly on most firewalls.

    Messengers and Chat Software: Most companies have a policy for leisure activities on the web and usually chatting ain't one of them:

    Please let me know if I qualify for a t-shirt. Summer is coming up and I'd love nothing more than to show off Novell NetWare!

    Bruce Kiefaber

    • aim.exe
    • aim95.exe
    • bbeagle.exe
    • cmd.exe
    • command.com
    • consoleone.exe
    • explorer.exe
    • kazaa.exe
    • mmc.exe
    • morpheus.exe
    • msmsgs.exe
    • msnmsgs.exe
    • poledit.exe
    • taskman.exe
    • trillian.exe

    Chris Hoare

    We thought about doing this and started with just a couple of things like:

    • Napster
    • Various Packet sniffer and scanners
    • ICQ

    It worked for about a week, until the students realised that all they had to do was to rename the exe and it would work.

    Still, it is a good idea for some of the less computer literate areas, like offices.

    Christopher Thorpe

    Awesome Idea. Things banned thus far.....

    • SOL.EXE
    • FREECELL.EXE
    • msnmsgr.exe - MSN Messenger
    • ipodservice.exe - ITunes Connect Software
    • winmx.exe - WinMX Download Service
    • weatherbug.exe
    • paint.exe

    Ed Williams

    May I suggest Lotus SmartSuite, all of it! It just keeps creeping back into our organisation due to a lack of document conversion features in Office XP.

    Elisabeth Curtner

    I use Program Killer from the Cool Solutions Free Tools section to block programs I do not want running in my school environment. I push Program Killer out with ZENworks, and have the program set to pull its configuration file from my server. I only have to amend one config file, and all desktops get that configuration. Below I have listed the contents of my configuration file:

    ; Program Killer Configuration File
    ; Version 3.0.1 Build 331
    ; Created on 05/27/02 at 18:05:16
    
    ; [Programs]
    AGSATELLITE.EXE||AudioGalaxy Satellite (0.608W)
    AGSATELLITE609.EXE||AudioGalaxy Satellite (0.609W)
    AIM.EXE||AOL Instant Messenger
    AIMSTER.EXE||Aimster File Sharing 
    ANTIVIRUS_INSTALL.EXE||StopSign (Spyware)
    AUDIOMP3FIND.EXE||AudioMP3Find P2P File Sharing
    AMM*.EXE||Advanced mp3 manager
    BADBLUE.EXE||BadBlue File Desktop File Server
    BARGAINS.EXE||Bargain Buddy (Spyware)
    BBSMARTSETUP.EXE||Bonzi Buddy Setup
    BEARSHARE.EXE||BearShare P2P File Sharing
    BLACKWIDOW.EXE||Blackwidow file Sharing
    BWWebloader.exe||Blackwidow web file sharing
    BLUBSTER.EXE||Blubster P2P File Sharing
    BODETELLA.EXE||BoDeTeLLa Gnutella Search Engine
    BONZIBDY.EXE||Bonzi Buddy (Highly Annoying) 
    BUDDY.EXE||MediaBuddy P2P File Sharing
    CASINOBROWSER.EXE||casino link installed by grokster (Spyware)
    CIRCLE.EXE||Circle Chat/gossip/file sharing app
    CLIENT*.EXE||Audiognome P2P File Sharing
    CRAPSTER.EXE||P2P File Sharing
    COMBackConsole.EXE||Comback Music Agent
    CLUSTONE.EXE||Clustone P2P File Sharing
    CMESYS.EXE||GAIN (Gator Spyware)
    CRAPSTER.EXE||P2P File Sharing
    DAP.EXE||Download Accelerator Plus
    DATEMANAGER.EXE||Date Manager (GAIN Spyware)
    DCPLUSPLUS.EXE||DC++ File Sharing
    DECONPRO.EXE||DconPro File Sharing Network
    DEFSCANGUI.EXE||StopSign scanner (Spyware)
    DIRECTCONNECT.EXE||DirectConnect Network 
    DSERVER.BAT||Dshare P2P File Sharing
    DSHARE.BAT||Dshare P2P File Sharing
    DW.EXE||DownloadWare (Spyware)
    EANTHOLOGY.EXE||eAnthology Online Services (Spyware)
    EBATESMOEMONEYMAKER*.EXE||(moneymaker Spyware)
    EMULE.EXE||eMule File Sharing Network 
    EVOLUTION.EXE||Evolution file sharing
    EVOLVER.EXE||Gnucleus P2P File Sharing
    FILEMINER.EXE||File Miner P2P File Sharing
    FILENAVIGATOR.EXE||AudioSwap P2P File Sharing
    FILEFURY.EXE||File Fury P2P File Sharing
    FILESHARE.EXE||FileShare P2P File Sharing
    FILETOPIA.EXE||Filetopia Network P2P File Sharing
    FILEZILLA.EXE||FileZilla FTP client
    FLOCATOR.EXE||FlashLocator P2P File Sharing 
    FREEWIRELAUNCHER.EXE||FreeWire P2P File Sharing
    FSG.EXE||Gator Subprogram
    FSG-AG_3102.EXE||GAINWare SubProgram (Gator)
    GATOR.EXE||Gator (Spyware)
    GIDGET.EXE||(spyware)
    GDONKEY.EXE||Edonkey2000 P2P File Sharing
    GMT.EXE||GAIN (Gator Spyware)
    GNEWTELLA.EXE||Gnewtella P2P File Sharing
    GNOTELLA.EXE||Gnotella P2P File Sharing
    GNUCLEUS.EXE||Gnucleus P2P File Sharing
    GPEER.EXE||GalaxyPeer Gnutella P2P File Sharing, IRC
    GROKSTER.EXE||Grokster P2P File Sharing
    GTL POLIANE.EXE||Poliane P2P File Sharing
    HLCLIENT*.EXE||Hotline Connect Client P2P File Sharing
    ICQ.EXE||ICQ Client
    IMESHCLIENT.EXE||iMesh File Sharing
    IMICI.EXE||IMICI Messenger
    INOIZE.EXE||Jackalope Audio player for Jackalope Audio Network
    JACKALOPE.EXE||Jackalope Audio Client
    JITZUSHARE.EXE||Jitzu P2P File Sharing
    KAST.EXE||Kast P2P File Sharing
    KAZAA.EXE||KaZaA Media  Desktop
    LIMEWIRE.EXE||LimeWire P2P File Sharing
    LOCATOR.EXE||WinMP3Locator locate MP3s over the internet
    MADSTER.EXE||P2P File Sharing
    MEDIAGRAB.EXE||MediaGrab P2P File Sharing
    MEDIASEEK.EXE||MediaSeek P2P File Sharing
    MCAGENT.EXE||Mcafee Security Center (Spyware)
    MESSENGER.EXE||Excite Messenger
    MMOD.EXE||Ezula P2P File Sharing
    MOJO NATION.EXE||Mojo Nation File Sharing
    MOODLOGIC.EXE||MoodLogic player
    MORPHEUS.EXE||Morpheus P2P File Sharing
    MP3FINDER.EXE||mp3 file sharing
    MP3 SWAPPER.EXE||mp3 file sharing
    MSBB.EXE||N-Case (Spyware)
    MSMSGS.EXE||MSN Messenger
    MSN6.EXE||MSN Explorer
    MYNAPSTER.EXE||MyNapster Gnutella P2P File Sharing
    MYSTER.EXE||Myster P2P File Sharing
    NAMSTER.EXE|| Namester P2P File Sharing 
    NAPSTER.EXE||Napster
    NEONAPSTER.EXE||NeoNapster P2P file sharing
    NETD.EXE||Odigo NetDetector
    NOVA.EXE||Nova P2P File Sharing
    OBRW.EXE||Odigo Subprogram
    ODIGO.EXE||Odigo Instant Messenger
    OFFERS.EXE||OfferCompanion
    OVERNET.EXE||Overnet P2P File Sharing
    PINPOST.EXE||Pinpost P2P File Sharing
    PIOLET.EXE||Piolet MP3 P2P File Sharing
    PLINK.EXE||part of Circle file sharing app 
    PLEBIO.EXE||P2P File Sharing
    PRECISIONTIME.EXE||Precision Time (GAIN Spyware)
    PUTTY.EXE||Telnet/Rlogon/SSH client 
    QT2.EXE||QtraxMax P2P File Sharing
    QUEUEMANAGER.EXE||FileShare queue manager
    QTRAX.EXE||File Sharing
    S4SETUP.EXE||MySearch bar (spyware)
    RIDEWAY.EXE||P2P File Sharing
    RIFFSHARE.EXE||P2P File Sharing
    SAVE.EXE||SaveNow (Spyware)
    SAVENOW.EXE||SaveNow (Spyware) 
    SHANKSTER.EXE||Shankster Gnutella P2P File Sharing
    SHAREAZA.EXE||Shareaza Gnutella P2P File Sharing
    SLAVANAP.EXE||SlavaNap P2P File Sharing
    SMIRK.EXE||P2P File Sharing
    SNATCHIN.EXE||P2P File Sharing
    SNOOD.EXE||Snood (Addictive Game)
    SOUNDCRAWLER.EXE||mp3 Finder
    SOULSEEK.EXE||SoulSeek P2P File Sharing
    SONGSPY.EXE||mp3 Finder
    SPINFRENZY.EXE||mp3 Finder
    SPLOOGE.EXE||P2P File Sharing
    SWAPPER.EXE||P2P File Sharing
    SWAPTOR.EXE||Swaptor P2P File Sharing 
    SWAPNUT.EXE||SwapNut P2P File Sharing
    TESLA.EXE||Tesla Client P2P File Sharing 
    THE BRIDGE.EXE||The Bridge P2P File Sharing
    TOADNODE.EXE||ToadNode P2P File Sharing 
    TRICKLER_BIC_GATORPT_3202.EXE||GAIN Trickler Tool (Spyware)
    TRICKLER3016.EXE||GAIN Trickler Tool (Gator Spyware)
    TRILLIAN.EXE||Trillian Instant Messenger
    UCMORE.EXE||UCMore (Spyware)
    UCMOREIEX.EXE||UCMore (Spyware)
    URLBLAZE.EXE||URL sharing network
    WEATHER.EXE||Weather (Spyware)
    WEATHERBUG.EXE||Weatherbug (spyware)
    WEBSHAREIT.EXE||Websharing of local machine
    WEBVACUUMFREE.EXE||P2P File Sharing
    WHAGENT.EXE||WebHancer (Spyware)
    WHANCER.EXE||WebHancer (Spyware)
    WINAMP.EXE||mp3 player
    WINMX.EXE||WinMX P2P File Sharing
    WIPPIT.EXE||Wippit P2P File Sharing
    WNAD.EXE||Spyware (Hostile)
    WRAPSTER.EXE||Wrapster P2P File Sharing
    WRAPSTER*.EXE||Wrapster P2P File Sharing
    XSC*.EXE||XSClient P2P File Sharing
    XOLOX.EXE||XOLOX P2P File Sharing
    YMSGR_TRAY.EXE||Yahoo! Messenger TrayIcon
    YPAGER.EXE||Yahoo! Messenger
    ZPOC.EXE||mp3 Finder
    
    ; [Options]
    Password=70358a58409703b223576de9dc433758
    TrayTooltip=My Computer
    TimeToKill=30
    KillSwitch=1
    TrayIcon=1
    TrayMenu=1
    
    ; End of Line

    If you have any questions you may contact Elisabeth at ecurtner@newport.crsc.k12.ar.us

    Eric Gengler

    Here is my list of Apps to Ban:

    1. Kazaa (and other file sharing apps) Installs Spyware, pop ups, slows down network
    2. Yahoo & MSN Messenger - Students waste time during classes by chatting while they should be paying attention. Not to mention they are violating college policies by installing software
    3. Games - Same reason as #2

    Gregory Pronovost

    Webshots. Although many will say this is a great screen saver, which it is, it is also a tremendous bandwidth hog and spyware. The Webshots application maintains a constant connection with the website tracking your online activity.

    Of course you have your usual P2P applications (Kazaa, Grokster, iMesh, Soulseek, Shareaza, Morpheus, eDonkey, and BitTorrent) for obvious bandwidth and security reasons.

    For the sake of maintaining productivity (hopefully) I also suggest, Windows Solitaire, Minesweep, MSHearts, etc. as these are just executables that a user can place on their hard drive.

    Well, that's my two cents worth, more to come I'm sure.

    Alain Sylvestre

    We start with the more common ones for installing a program. We don't want the users to install any applications without asking us.

    Here's my list:

    setup.com
    setup.bat
    setup.exe
    setup.vbs
    winsetup.com
    winsetup.exe
    winsetup.vbs
    install.com
    install.exe
    install.vbs
    msmgs.exe
    oemsetup.exe
    regedit.exe
    regedt32.exe
    sysedit.exe

    Zach Thiel

    • AOL Instant Messenger - users don't need it in the workplace environment
    • Webshots - a nice product but it causes a lot of issues with some applications
    • Comet Cursor - we see more problems with this being installed on users' PC's than anything else
    • Any music downloading applications (WinMX, etc) - illegal period!

    Peter I. Asp

    This is so cool that you're doing this! I just started looking into this. I can't wait for the list.

    We ban radmin and r_server.exe that are remote control products. More info can be found here.

    Glenn Sjögren

    I work in a municipality in Sweden. I've made an application to remove Gator every time it appears on a workstation. Why? Because programs like Gator mean nothing but problems for administrators and users.

    Kevin Calvert

    Bandwidth wasters:

    • KaZaA
    • Morpheus
    • BearShare
    • Napster

    Employee distracters:

    • Yahoo! Messenger
    • Cheetah Chat
    • MSN Messenger
    • ICQ
    • AOL Instant Messenger
    • mIRC

    Employee distracters/virus propagators:

    • All POP3/IMAP4 mail clients
    • Outlook (all variations)

    Parasites/keyloggers/security risks:

    • GAIN
      (We're only getting started on this category)

    Windows destabilizers:

    • WebShots! Desktop

    Andrew White

    I use the third party application ScanWindows 1.0.5 which is available from Cool Tools http://www.novell.com/coolsolutions/tools/1609.html

    Click here to read Andrew's entire solution.

    Karl Tipping

    P2P non-business related file sharing apps such as KaZaa, LimeWire, etc., obviously because of the content shared, the bandwidth consumed and the security/virus risk to our internal network.

    (No doubt I won't be the only one posting this entry, just hoping for a free T-shirt for the summer ahead!)

    Robert Yunker

    • morpheus
    • kazaa
    • limewire
    • emule
    • Any instant messenger (students use this to pass answers)
    • Known backdoors and trojans
    • Anything related to Gator

    Scott Burmann

    Great open call. I have been struggling with this same issue for awhile. I'm going to investigate ZfD 4 and this additional functionality.

    Here is my list from problematic applications that are on my top offenders list:

    WebShots:

    • Slows Computer
    • Slows Boot
    • Slows Internet Link
    • Possible Spyware
    • Opens TCP/IP Ports (security risk)
    • Increases SPAM
    • Violates our strict privacy policies

    Alexa:

    • Collects data of sites surfed
    • Collects data from on-line forms
    • Privacy violations - Records intranet sites

    CometCursor:

    • Increases system utilization
    • Installs Spyware
    • Slows computer

    WeatherBug:

    • Slows Computer
    • Eats bandwidth
    • Increases pop-up windows, which in turn, may increase threat of additional spyware

    Realtime Automatic Updates:

    • RealPlayer Auto-Update
    • QuickTime Auto-Update
    • Acrobat Reader Auto-Update
      (the uncontrolled updates, especially Reader, may make our web based services not work on that computer - as we test for and write code for certain versions of Reader)

    We have many remote small offices who may go 6 months without an IT visit. When I visit, I am often told that both the computers and Internet are slow. I usually run an anti-spyware software, and clean the garbage off their PC's. I would say 75% of the time, the users are extremely happy that their PC's are much faster! Anyhow, the above seem to be top offenders. When I explain the concepts of spyware, pop-up's, and bandwidth utilization to the users, not a single user has opted to keep the crap-ware.

    Michael Fratini

    GoToMyPC is one to ban as it allows an SSL connection to any pc that has access to the internet which could allow an employee to access their work computer from home. http://www.gotomypc.com

    Raffael Trotta

    That would be my list of apps to ban:

    • ICQ
      We don't want the students to chat. Blocking ICQ with BorderManager is nearly impossible. Only way would be to prevent the exe from running.
    • setup.exe & install.exe
      Because students shouldn't install any software. We can't take away the rights on the local machine, because this is causing different problems with installing MSI's and Snappshots.
    • Music Player
      Winamp.exe (Winamp), real.exe (Real One Player)
      Students should use integrated Media Player to listen to music and internet radio.
    • All the P2P Apps
      Internet Bandwidth is limited and should not be lost with leeching mp3's and such things. And it's illegal and the school can have legal problems.
      Includes Kazaa, Emule, ML-Mule, edonkey2000, gnutella, limewire, imesh, grokster, soul-seek, WinMX, MUTE, and so on...
    • Other chat clients
      MSN Messenger is prevented via BorderManager. Yahoo Messenger, Trillian, AOL IM and Jabber can't get stopped with BorderManager. Potential Security risks.
    • system tools
      regedit.exe, regedt32.exe, gpedit.msc
      Stability of the workstations is no longer guaranteed if students are playing around with such things.
    • Popular network games
      Half-Life, Counter-Strike, Warcraft, Rise of Nations, Q3, and how they are all called.
      Lost time and high usage of bandwidth.
    • Remote Management Programs
      mstsc.exe (Terminal Services Client), vncviewer.exe (VNC Viewer).
      Students should not remote their "Home-Servers", they should learn;-)

    So, that's all the apps for the moment...but I'm sure, there are more to come.

    Bryen Yunashko

    Here's my suggested list:

    • KMD.EXE (This is the installer executable for Kazaa. This will prevent the execution of other programs installed by Kazaa, such as peer-to-peer networking and adware.)
    • Messenger programs: AIM.EXE (for AIM), YPAGER.EXE (For Yahoo), MSMSGS.EXE (For MSN.)
    • For certain lab environments where you don't want kids browsing around, OR if you want to encourage users to start using another browser, you could block out IEXPLORE.EXE, thereby forcing them to use a corporate preferred browser, such as Mozilla or NetScape.

    Another suggestion: Use ZENworks Inventory to see if there's any new suspicious looking programs out there!

    John Schultz

    • Kazaa
    • iMesh
    • Gookster
    • Winmx
    • Limewire

    P2P file sharing and mp3 sharing programs should not exist in the work place, as well as personal firewalls and personal spam filters on laptops that interfere with network activity and apps.

    Matt Hudson

    As a local council we attempt to stop people using the internet for personal use and this seems to block most the things that the staff try to use. Our main problem is people listening to the radio over the internet via port 80 and eating our meagre bandwidth!

    Here is my list:-

    hl.exe
    quake.exe
    doom.exe
    winamp.exe
    aim.exe
    aim95.exe
    bbeagle.exe
    icq.exe
    ICQLite.exe
    ipodservice.exe
    iTunes.exe
    MusicMatch.exe
    kazaa.exe
    kazaalite.kpp
    morpheus.exe
    msmsgs.exe
    msnmsgr.exe
    trillian.exe
    weatherbug.exe
    winmx.exe
    ypager.exe

    Le Papa

    • weatherbug
    • ncase
    • intelligent explorer
    • gator

    Ted Ziolkowski

    I saw your article and thought I would share the following list of applications that we are presently preventing. We presently implement this list through a registry hack, the same entries used by group policies if you are implementing them through GPO's. We intend to go to GPO's across the board soon, but progress is slow. Anyway, my disclaimer is that I don't guarantee the accuracy of the type of program listed and it is probably incomplete, and in some cases redundant, but after reading some of the other suggestions I thought I would share anyway. I have included the AOT file if any of your readers would like to implement this in this manner. Edit it according to your environment. Enjoy!

    TYPE of Program / Executable Name

    "AudioGalaxy Satellite v.608"="agsatellite.exe"
    "AudioGalaxy Satellite v.609"="agsatellite609.exe"
    "Bonzai Buddy"="bonzibdy.exe"
    "Bonzai Buddy Setup"="bbsmartsetup.exe"
    "Browser - MSN Explorer"="msn6.exe"
    "Chatware - AOL Instant Messenger"="aim.exe"
    "Chatware - Excite"="messenger.exe"
    "Chatware - IceChat"="icechat.exe"
    "Chatware - ICQ"="icq.exe"
    "Chatware - ICQ Client"="icqnet.exe"
    "Chatware - IM2001"="im2001.exe"
    "Chatware - IMICI Messenger"="imici.exe"
    "Chatware - Klient"="klient.exe"
    "Chatware - MIRC"="mirc.exe"
    "Chatware - MSN Messenger"="msmsgs.exe"
    "Chatware - Odigo"="odigo.exe"
    "Chatware - Trillian"="trillian.exe"
    "Chatware - Yahoo Messenger"="ypager.exe"
    "Chatware - Yahoo Messenger TrayIcon"="ymsgr_tray.exe"
    "File Sharing - Aimster"="aimster.exe"
    "File Sharing - Grokster P2P"="grokster.exe"
    "File Sharing - iMesh"="imeshclient.exe"
    "File Sharing - KaZaa"="kazaa.exe"
    "File Sharing - Morpheus"="morpheus.exe"
    "File Sharing - Napster"="napster.exe"
    "File Sharing - WinMX"="winmx.exe"
    "Game - Snood"="snood.exe"
    "Spyware - CME"="cmesys.exe"
    "Spyware - Date Manager"="datemanager.exe"
    "Spyware - Download Accelerator Plus"="dap.exe"
    "Spyware - FSG"="fsg.exe"
    "Spyware - FSG3102"="fsg-ag_3102.exe"
    "Spyware - Gain"="gmt.exe"
    "Spyware - Gator"="gator.exe"
    "Spyware - Hostile"="wnad.exe"
    "Spyware - Odigo Netdetector"="netd.exe"
    "Spyware - Odigo Subprogram"="obrw.exe"
    "Spyware - OfferCompanion"="offers.exe"
    "Spyware - Precision Time"="precisiontime.exe"
    "Spyware - SaveNow"="savenow.exe"
    "Spyware - Search Hijacker"="snrg.exe"
    "Spyware - srnghelp"="srnghelp.exe"
    "Spyware - srngutil"="srngutil.exe"
    "Spyware - Trickler Tool 3016"="trickler3016.exe"
    "Spyware - Trickler Tool 3202"="trickler_bic_gatorpt_3202.exe"
    "Spyware - WebHancer"="whancer.exe"
    "Telnet - Putty"="putty.exe"
    "Telnet - Putty Telnet"="puttytel.exe"

    Adam Reno

    Can be used to open other things:

    • Cmd.exe
    • command.com
    • mspaint.exe (yes there is a trick where you can open other programs with Paint and other 16 bit apps.... the ol' open, all files and "right click and select" trick...still works on XP...just tried it)

    Lawrence A. Bombac II

    A list of software to be banned:

    1-50 of these can be downloaded from http://www.zeropaid.com

    01 Shareaza
    02 BitTorrent
    03 KaZaA Lite
    04 Lan2P
    05 SoulSeek
    06 Ares
    07 GLT Poliane
    08 DC++ - BCDC++
    09 Emule
    10 Blubster
    11 XoloX
    12 Freenet
    13 WinMX
    14 Gnucleus
    15 BearShare
    16 ShareMonkey
    17 Direct Connect
    18 Overnet
    19 eDonkey
    20 Piolet
    21 LimeWire
    22 Mammoth
    23 iMesh
    24 KaZaA
    25 iMesh Light
    26 Filetopia
    27 Grokster
    28 Nova
    29 MLDonkey
    30 Morpheus
    31 ExoSee
    32 Diet Kaza
    33 Phex
    34 audioGnome
    35 PeerGuardian
    36 Napigator
    37 Waste
    38 iTunes(can be exploited:detectable)
    39 Warez(actual program called warez,not a reference)
    40 Zultrax
    41 AquaLime
    42 DICE
    43 Napster(can be exploited)
    44 BadBlue
    45 NeoNapster
    46 Peeranha
    47 The Bridge
    48 RockItNet
    49 The Circle
    50 Parrot
    51 Azureus
    52 BitTorrnado
    53 audiogalaxy
    54 Smirk
    55 Slyck
    56 File Sharing for net(mhttp corp)

    Chad Miller

    • Date Manager, Gator
    • File sharing apps

    Don't actually block these yet but are looking for a how to or something to help walk through setting these policies. Date Manager brings Gator in with it and has cost us many hours trying to figure out why we have had more network traffic than needed to be. File sharing apps are just a major nightmare in a k-12 environment.

    (Editor: You can get complete instructions about how to set up the Rogue Process blocking right here in the documentation.)

    Joseph Sutton

    While reading about the rogue applications to block I have learned that many users in my organization seem to have a distrust of the network time.

    Some of the programs I have stopped from running like those listed on the site were as follows:

    GAIN Spyware related programs

    • Gator.exe
    • gmt.exe
    • cmesys.exe
    • PrecisionTime.exe
    • DateManager.exe

    Other calendar programs like:

    • rainlendar.exe
    • Launcher.exe
    • webshots.exe

    I also learned that with Microsoft products like Office you need to block Data1.msi to keep it from running, since the setup.exe points back to data1.msi.

    Mark Forbes

    In a shared lab environment, we're constantly battling the students in killing apps that they shouldn't be installing. We have a strict policy on not allowing students to use the messaging clients, and use the computers for work only. Here's a couple more.

    ymsgr.exe | Yahoo Messenger installer
    msnmsgr.exe | MSN Messenger executable
    msconfig.exe | MS Config executable (so they can't fiddle)
    mmc.exe | Microsoft Management Console
    gpedit.msc | Group Policy Editor (stops altering settings)
    setup.exe | kind of obvious
    install.exe | same as setup.exe
    icq.exe | stops this running
    icqlite.exe | same as ICQ really
    gaim.exe | open source alternative is creeping in
    trillian.exe | this has been lurking about too
    winamp.exe | Winamp, not as popular as it was.

    We're currently looking at including msiexec.exe to stop additional software being installed. Any advice?

    Johnnie Carson

    This is kinda off topic, in response to those wanting to ban/block the games that come with MS Windows so people can't run them.

    WINMINE.EXE, SOL.EXE and some other files are Windows Protected files which means you normally can't just delete them and they will return. In our organization we modified a file called SYSOC.INF which is located in \WINNT\INF and searched for the word 'hide'.

    By removing this word next to Games and Pinball, we are now allowed to go into Add/Remove Programs and completely remove all the Windows games from the machine and not worry about the users playing those. Also, with ZENworks we push this file to everyone's machines for those that we have missed, and also with ZENworks we remove the .exe files for these games, and also delete these unwanted files from the Windows Directory AND from \WINNT\SYSTEM32\DLLCACHE so they can't mysteriously come back by a user copying them or windows restoring them.

    I believe that .INF file is found in Windows NT, 2000 and XP.

    Neil Jensen

    Isn't banning particular applications the hard way? ZENworks also lets you Run only Allowed Windows applications. In an educational environment, use Run only Allowed Windows applications for things like nalwin32, naldesk, and executables that printers and scanners need to initialize, etc. Use NAL objects for the majority of your applications.

    Initially, users will complain about certain apps that don't run. If they are legitimate, add them to the list. Otherwise, you're covered.

    Jim Pye

    I notice that none of the previous posts mentioned the good ol' bandwidth and time hogs:

    DOOM.EXE
    and
    QUAKE.EXE

    Or is this too much of a time warp ;-)

    Jim Pye,
    With bits of grey showing through the beard

    Christian Kaiser

    Why do you use the opposite way to block unwanted apps! We deny every Windows app, and only allow the apps listed below. We have a force-run app every time our students log in.

    Here are my reg-settings from this application. You can setup a report file, where you can see the apps your students want to launch, then you can add these apps to your apps-object to allow them to launch the apps or not!

    ""
    REGEDIT4
    
    // Registry file generated by the Application Launcher.
    
    [HKEY_CURRENT_USER]
    
    [HKEY_CURRENT_USER\Software]
    
    [HKEY_CURRENT_USER\Software\NetWare]
    
    [HKEY_CURRENT_USER\Software\NetWare\NAL]
    
    [HKEY_CURRENT_USER\Software\NetWare\NAL\1.0]
    
    [HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management]
    "Default Action"=dword:00000001
    "Report Ignored"=dword:00000000
    "Report Terminated"=dword:00000001
    
    [HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management\Exception List]
    ""C:\\Programme\\Windows Media Player\\mplayer2.exe""=dword:00000000
    ""C:\\Programme\\Windows NT\\Zubehör\\WORDPAD.EXE""=dword:00000000
    "Acrobat.exe"=dword:00000000
    "acrodist.exe"=dword:00000000
    "acrord32.exe"=dword:00000000
    "AdobeDownloadManager.exe"=dword:00000000
    "amcap.exe"=dword:00000000
    "AOM.exe"=dword:00000000
    "arach.exe"=dword:00000000
    "articulation 1.exe"=dword:00000000
    "articulation 2.exe"=dword:00000000
    "audacity.exe"=dword:00000000
    "c:\\-net-\\vscan71_setup\\setup.exe"=dword:00000000 
    "C:\\Programme\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=dword:00000000 
    "C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\MODI\\11.0\\MSPVIEW.EXE"=dword:00000000 
    "C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\VS7DEBUG\\VS7JIT.EXE"=dword:00000000 
    "C:\\Programme\\Microsoft Office 2003\\OFFICE11\\MSTORDB.EXE"=dword:00000000 
    "C:\\Programme\\Windows Media Player\\mplayer2.exe"=dword:00000000
    "C:\\Programme\\Windows NT\\Zubehör\\WORDPAD.EXE"=dword:00000000
    "C:\\WINNT\\system32\\SNDVOL32.EXE"=dword:00000000 
    "C:\\WINNT\\system32\\svchost.exe -k wugroup"=dword:00000000
    "calc.exe"=dword:00000000
    "cdplayer.exe"=dword:00000000
    "cmd.exe"=dword:00000000
    "coreldrw.exe"=dword:00000000
    "CorelPP.exe"=dword:00000000
    "daemon.exe"=dword:00000000
    "Demo.exe"=dword:00000000
    "drwtsn32.exe"=dword:00000000
    "excel.exe"=dword:00000000
    "explorer.exe"=dword:00000000
    "freecell.exe"=dword:00000000
    "fusion.exe"=dword:00000000
    "GRAPH.EXE"=dword:00000000
    "grep.exe"=dword:00000000
    "hp precisionscan pro.exe"=dword:00000000
    "idrisi32.exe"=dword:00000000
    "IEXPLORE.EXE"=dword:0c8c3900
    "immac_S.exe"=dword:00000000
    "isrf1.exe"=dword:00000000
    "isrf2.exe"=dword:00000000
    "isri1.exe"=dword:00000000
    "isri2.exe"=dword:00000000
    "isriik.exe"=dword:00000000
    "isrs1.exe"=dword:00000000
    "isrs2.exe"=dword:00000000
    "isrsik.exe"=dword:00000000
    "java.exe"=dword:00000000
    "javaw.exe"=dword:00000000
    "KODAKIMG.EXE"=dword:00000000
    "Map Galerie.exe"=dword:00000000
    "MapAut32.exe"=dword:00000000
    "mathematica.exe"=dword:00000000
    "MathKernel.exe"=dword:00000000
    "mcconsol.exe"=dword:00000000
    "mcshield.exe"=dword:00000000
    "mdm.exe"=dword:00000000
    "MindManSM.exe"=dword:00000000
    "mplayer2.exe"=dword:00000000
    "msaccess.exe"=dword:00000000
    "mse.exe"=dword:00000000
    "msiexec.exe"=dword:00000000
    "MSOHELP.EXE"=dword:00000000
    "mspaint.exe"=dword:00000000
    "MSPVIEW.EXE"=dword:00000000
    "MSTORDB.EXE"=dword:00000000
    "MSTORE.EXE"=dword:00000000
    "net.exe"=dword:00000000
    "netscape.exe"=dword:00000000
    "Notepad.exe"=dword:00000000
    "nslookup.exe"=dword:00000000
    "ntvdm.exe"=dword:00000000
    "ois.exe"=dword:00000000
    "Orient.exe"=dword:00000000
    "ose.exe"=dword:00000000
    "PHOTOED.EXE"=dword:00000000
    "photopnt.exe"=dword:00000000
    "pietro.exe"=dword:00000000
    "ping.exe"=dword:00000000
    "powerpnt.exe"=dword:00000000
    "primary.exe"=dword:00000000
    "prodinfi.exe"=dword:00000000
    "radio.exe"=dword:00000000
    "RealPlay.exe"=dword:00000000
    "regdel.exe"=dword:00000000
    "SAPfewgsrv.exe"=dword:00000000
    "saplgpad.exe"=dword:00000000
    "saplogon.exe"=dword:00000000
    "scan32.exe"=dword:00000000
    "scncfg32.exe"=dword:00000000
    "scoach.exe"=dword:00000000
    "setup_wm.exe"=dword:00000000
    "shapeidr.exe"=dword:00000000
    "sndvol32.exe"=dword:00000000
    "sol.exe"=dword:00000000
    "SPSSRTF.EXE"=dword:00000000
    "spsswin.exe"=dword:00000000
    "SymbolManager.exe"=dword:00000000
    "taskmgr.exe"=dword:00000000
    "UGS Sim.exe"=dword:00000000
    "update.exe"=dword:00000000
    "VS7JIT.EXE"=dword:00000000
    "vtf.exe"=dword:00000000
    "vti.exe"=dword:00000000
    "vts.exe"=dword:00000000
    "winhlp32.exe"=dword:00000000
    "winoncd.exe"=dword:00000000
    "wintv2k.exe"=dword:00000000
    "wintvsel"=dword:00000000
    "winword.exe"=dword:00000000
    "WiseUpdt.exe"=dword:00000000
    "WISPTIS.EXE"=dword:00000000
    "wmplayer.exe"=dword:00000000
    "wmsched.exe"=dword:00000000
    "wordpad"=dword:00000000
    "wordpad.exe"=dword:00000000
    "ws_ftp32.exe"=dword:00000000
    "wuauclt.exe"=dword:00000000
    
    [HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management\Reporting Targets]
    "Database"=dword:00000000
    "File"=hex(2):5c,5c,73,31,34,61,70,70,73,32,5c,65,64,76,64,6f,73,32,5c,6e,6f,63,68,77,69,6e,\
       2e,33,31,31,5c,72,6f,67,75,65,2e,74,78,74,
    
    [HKEY_LOCAL_MACHINE]
    
    [HKEY_USERS]
    
    [HKEY_CURRENT_CONFIG]
    
    [HKEY_DYN_DATA]
    
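An added example (not part of Christian Kaiser's post or of ZENworks): a small Python reader for a REGEDIT4 export laid out like the one above, which decodes the `hex(2)` report-file path and lists the allow-list entries a reviewer would want to look at twice. The function names are hypothetical, the sample is a constructed excerpt of the posted file, and the meaning of the dword data is not interpreted because the page does not document it.

```python
import re

# Constructed excerpt in the same layout as the export above (not the full file).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management]
"Default Action"=dword:00000001
"Report Terminated"=dword:00000001

[HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management\Exception List]
"C:\\WINNT\\system32\\SNDVOL32.EXE"=dword:00000000
"C:\\WINNT\\system32\\svchost.exe -k wugroup"=dword:00000000
"cmd.exe"=dword:00000000
"IEXPLORE.EXE"=dword:0c8c3900
"sndvol32.exe"=dword:00000000
"wordpad"=dword:00000000
"wordpad.exe"=dword:00000000

[HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management\Reporting Targets]
"Database"=dword:00000000
"File"=hex(2):5c,5c,73,31,34,61,70,70,73,32,5c,65,64,76,64,6f,73,32,5c,6e,6f,63,68,77,69,6e,\
   2e,33,31,31,5c,72,6f,67,75,65,2e,74,78,74,
'''

PM = r'HKEY_CURRENT_USER\Software\NetWare\NAL\1.0\Process Management'
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode(raw):
    """Turn the right-hand side of a value line into an int or a string."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):  # REG_EXPAND_SZ; REGEDIT4 stores ANSI bytes
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
        return data.rstrip(b'\x00').decode('cp1252')
    return raw


def parse_reg(text):
    """Return {section: {value_name: data}} for a REGEDIT4 text export."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join hex continuation lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = re.sub(r'\\(.)', r'\1', m.group(1))  # undo \\ and \"
                current[name] = decode(m.group(2))
    return sections


def review_exceptions(sections):
    """Group exception-list entries by the property that makes them worth a look."""
    entries = sections.get(PM + r'\Exception List', {})
    findings = {'bare_name': [], 'no_extension': [], 'has_arguments': [],
                'nonzero_data': [], 'path_and_bare': []}
    bare = {n.lower() for n in entries if '\\' not in n}
    for name, data in entries.items():
        lower = name.lower()
        if '\\' not in name:                          # no directory given
            findings['bare_name'].append(name)
        if not re.search(r'\.(exe|com)\b', lower):    # e.g. "wordpad"
            findings['no_extension'].append(name)
        if re.search(r'\.(exe|com)\s+\S', lower):     # command line, not a file
            findings['has_arguments'].append(name)
        if data != 0:                                 # differs from its neighbours
            findings['nonzero_data'].append(name)
        if '\\' in name and lower.rsplit('\\', 1)[1] in bare:
            findings['path_and_bare'].append(name)    # same program listed twice
    return findings


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    print('report file:', parsed[PM + r'\Reporting Targets']['File'])
    for kind, names in review_exceptions(parsed).items():
        print(kind, names)
```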

    Anthony L. Preman

    • Webshots - Huge bandwidth hog and filled with spyware.
    • Morpheus - The name should be sufficient
    • Kazaa - See above
    • ConsoleOne - Helps defend against possible user curiosity in network.

    Brett S. Miller

    Hard to say what hasn't already been said, but here goes:

    • WinVNC
    • Xdrive
    • ANYTHING FTP (the IT department will take care of that if it's needed)
    • telnet.exe (same as ftp)

    Anonymous

    • httport.exe (http://www.htthost.com/) - Allows unfiltered/unrestricted surfing through BorderManager 3.6 via re-routing through external proxy. Blocking all external proxies can prove difficult.
    • regedit.com - Any of your users can copy regedit.exe from a PC that has it, rename it to regedit.com and edit the registry. Don't believe me? Copy regedit.exe to your desktop, rename it to regedit.com and open it up.

    Anonymous as well

    In response to Anonymous regarding the regedit.exe being renamed to regedit.com, in fact regedit will run under ANY name you give, even cool.com, cmd.exe etc. So it's a harder one to block than blocking just the exe/com file.

    Programs that block via the title bar, do a better job in their area of course.

    George Washington

    One program to scan for is regedit.com, which is just regedit.exe copied and renamed. The other program to ban is http3s2 aka httport.exe. This program allows redirect through Border 3.6 and 3.5 to external proxies that have no filters.

    Klaus Schiffgens

    This is the software I'd add to your list:

    • P2P Software (non business software)
    • Media Players (MP3, Video Playback etc.)
    • LAN Software (Packet Scanner, Port-Sniffers)

    Very interested in the results of this!

    Steve Shumski

    Games like:

    • counter strike
    • battlefield vietnam
    • 1942

    Internet exe's like:

    • itunes
    • Lycos search
    • Quicktime player
    • Kazaa lite
    • Morpheus
    • Windows messenger

    Thanks, I look forward to the complete list.

    Martin van der Boon

    We use ScanWin too. But we use it together with a self-written tool, to make sure users don't kill ScanWin. You can download the tool from http://www.MandM.nl/down/loader.zip

    Applications to add to the list:

    • HOPSTER.EXE; Hopster
    • HOPSTERSETUP.EXE; Setup - HOPSTER
    • HTTPTUNNEL_SETUP.EXE; HTTP Tunnel bypass proxy setup
    • HTTP-TUNNELCLIENT.EXE; HTTP Tunnel bypass proxy setup
    • SETUP9X.exe; MSN Messenger
    • SETUPNT.exe; MSN Messenger

    Hopster and HTTPTunnel are BorderManager proxy bypass programs and we don't want those, do we?

    Mark Shoemaker

    Bandwidth Issues

    • Peer-to-peer products (Kazaa, Morpheus, etc.)
    • Lan-based Games

    Desktop Problems

    • WebShots
    • Accuweather
    • Yahoo Messenger
    • Microsoft Messenger
    • Gator
    • Gain
    • Bunzi Buddy
    • My Search Bar

    I am sure there are many more out there. Too little time.

    Dusty Lunn

    Some of the apps that we currently disallow are as follows: This list is being added to frequently. This is a Great Deal! Sorry I couldn't contribute more.

    Aim.exe
    sol.exe
    gator.exe
    cmd.exe
    kazaa.exe
    winmx.exe
    msmsgs.exe
    taskman.exe
    snood.exe
    trillian.exe
    weatherbug.exe
    winamp.exe
    ypager.exe
    winmx.exe
    whahancer.exe
    grabit.exe
    icq.exe
    morpheous.exe
    precisiontime.exe
    datemanager.exe
    kazaalite.exe
    bbeagle.exe
    doom.exe
    mirc.exe
    grokstar.exe
    napster.exe
    winipcfg.exe
    winmine.exe
    hostile.exe
    imesh.exe
    mspaint.exe

    Paul McLean

    My name is Paul McLean from New Zealand. The apps we ban at our Academic Institute for students are:

    ACONTI.EXE||CHAT PROGRAM
    ACTALERT.exe||Internet Optimizer
    AGSATELLITE.EXE||AudioGalaxy Satellite (0.608W)
    AGSATELLITE609.EXE||AudioGalaxy Satellite (0.609W)
    AIM.EXE||AOL Instant Messenger
    AIMSTER.EXE||Aimster File Sharing
    BearShare.exe||Bear Share
    BBSMARTSETUP.EXE||Bonzi Buddy Setup
    BOL.EXE||Rediff Messenger
    BONZIBDY.EXE||Bonzi Buddy (Highly Annoying)
    CMESYS.EXE||GAIN (Gator Spyware)
    CMD.EXE||COMMAND PROMPT
    COMMAND.COM||COMMAND PROMPT
    compmgmt.msc||Computer Management
    DAP.EXE||Download Accelerator Plus
    DATEMANAGER.EXE||Date Manager (GAIN Spyware)
    DEVMGMT.MSC||Device Management Win2k
    DCPLUSPLUS.EXE||DC ++
    FSG.EXE||Gator Subprogram
    FSG-AG_3102.EXE||GAINWare SubProgram (Gator)
    GATOR.EXE||Gator (Spyware)
    GETRIGHT.EXE||Get Right downloader
    GMT.EXE||GAIN (Gator Spyware)
    GROKSTER.EXE||Grokster P2P File Sharing
    ICQ.EXE||ICQ Client
    IMESHCLIENT.EXE||iMesh File Sharing
    INETWIZ.exe|| Internet Connection Wizard
    IMICI.EXE||IMICI Messenger
    Incredimail.exe||Mail client
    Installing software||Install.exe
    INTERNET DOWNLOADER||iks2k21d.exe
    IPSCANNER.EXE||IPSCANNER
    HOMEKEYLOGGER-SETUP.EXE||KEYLOGGER
    LC_CLI.EXE||PASSWORD SCANNER
    PCV7.EXE||PROXY CHECKER
    GKLDEMO.EXE||KEYLOGGER
    SYNCCONFIG.EXE||KEYLOGGER
    SYNCAGENT.EXE||KEYLOGGER
    KAZAA.EXE||KaZaA Media Desktop
    KPP.EXE||Kazaa Lite
    KHttp2t.exe||KAZAA HTTP
    lusrmgr.msc||USERS AND PASSWORDS
    MESSENGER.EXE||Excite Messenger
    MicWin.exe||Karaoke Program
    MORPHEUS.EXE||Morpheus P2P File Sharing
    MMCLIENT.EXE||Chat Program
    MSMSGS.EXE||MSN Messenger
    MSNMSGR.exe||New MSN
    MIRC.EXE||MIRC CHAT PROGRAM
    MSN6.EXE||MSN Explorer
    MMC.EXE||Microsoft Management Console
    MMCLIENT.EXE||MMCLIENT INDIAN CHAT PROGRAM
    NAPSTER.EXE||Napster
    NARRATOR.EXE||NARRATOR APPLICATION
    NBSRVR.EXE||NETBUS TROJAN
    NETBUS.EXE||NETBUS TROJAN
    NETD.EXE||Odigo NetDetector
    NETSONIC||NetSEI.exe
    NJCOM32.EXE||NJStar Communicator
    NWADMN32.EXE||NWADMIN
    OBRW.EXE||Odigo Subprogram
    ODIGO.EXE||Odigo Instant Messenger
    OFFERS.EXE||OfferCompanion
    ONEMX.EXE||MUSIC DOWNLOADER
    OPTIMIZE.EXE||Internet Optimizer
    PRECISIONTIME.EXE||Precision Time (GAIN Spyware)
    PLAYER.EXE||VIDOMI PLAYER
    POLEDIT.EXE||POLEDIT UTILITY
    PTANKS.EXE||Tanks game
    PWDUMP.EXE||PASSWORD DUMPER
    PWDUMP3.EXE||PASSWORD DUMPER
    PWSERVICE.EXE||PASSWORD DUMPER
    REGEDIT.EXE||REGISTRY EDITOR
    REGEDT32.EXE||REGISTRY EDITOR
    RUNAS.EXE||RUNAS UTILITY
    SAVENOW.EXE||SaveNow (Spyware)
    SENTRY.EXE||Sentry (unknown)
    SLAVE.EXE||REMOTE SLAVE CONNECTION
    SNOOD.EXE||Snood (Addictive Game)
    SYSEDIT.EXE||Configuration screens Win2k
    Swift3D.exe||Swish program
    SWISH.EXE||Swish program
    QQ.EXE||Chinese Chat Program
    PHONE PROGRAM||SJPHONE.EXE
    TELNET.EXE||TELNET
    ThePlaya.exe||The Playa
    TRICKLER_BIC_GATORPT_3202.EXE||GAIN Trickler Tool (Spyware)
    TRICKLER3016.EXE||GAIN Trickler Tool (Gator Spyware)
    TRICKLER GETRIGHT||fsg.exe
    TRILLAN.EXE||Trillian Instant Messenger
    VIDOMI.EXE||VIDEO PLAYER
    WHANCER.EXE||WebHancer (Spyware)
    WINMX.EXE||WinMX P2P FileSharing
    UNKNOWN||WISEUPDT.EXE
    WINAMP AGENT||winampa.exe
    WINAMP.EXE||WINAMP
    WNAD.EXE||Spyware (Hostile)
    YMSGR_TRAY.EXE||Yahoo! Messenger TrayIcon
    YSERVER.EXE||Yahoo Messenger
    YPAGER.EXE||Yahoo! Messenger
    YUPDATER.EXE||Yahoo Updater
    YOINK.EXE||STUDENT PROGRAM

    We block most of these apps because they tie up PCs for one, and also they use precious network bandwidth and some contain viruses and other problems.

    Ernesto Fox

    I would add IncrediMail to the list as it is a source of a great number of problems, as far as stability is concerned, even at shutdown time.

    Mark R. Fermin

    In our law firm, we ban the general user community from installing unauthorized software by blocking:

    • setup.exe
    • install.exe

    We also have (by group policy) disabled the installation of any software from removable media or CD. Additionally, we ban all IM applications and related services, as well as Outlook Express.

    This, in combination with a third-party anti-spyware application, has reduced the amount of issues related to non-standard applications, plug-ins, etc. that we take at our Help Desk. And it has probably increased productivity with some users due to their inability to install their favorite casino software or P2P music sharing software on their business PC!

    Nils Treu

    Here are the apps I ban in our PC pools. The reasons are they install spyware, sometimes viruses, worms, trojans and they cost bandwidth.

    ; [Programs]
    BARGAINS.EXE||verschiedenes
    BEARSHARE.EXE||bearshare450b21
    BLUBSTER.EXE||blubster25
    CLIENT4.EXE||audiognome
    DCPLUSPLUS.EXE||dc++0307 
    EDONKEY2000.EXE||edonkey
    EMULE.EXE||emule1k
    FILETO~1.EXE||filetopia304
    GAIM.EXE||messaging
    GROKSTER||grokster.exe
    ICQLITE.EXE||icq-messenging 
    JAVAW.EXE||limewire 
    KAZAALITE.KPP||mp3easy
    KMD263||kazaa.exe
    MIRANDA32.EXE||messaging
    MORPHEUS.EXE||morpheus
    MORPHEXE.EXE||morpheus
    MP3EASYKL.EXE||mp3easy
    MP3STARSEARCH.EXE||mp3starsearch
    MP3WOLF.EXE||mp3wolfv2
    NEONAPSTER.EXE||neonapster
    NETBRILLIANT.EXE||nb200
    OSSPROXY.EXE||groksterpro 
    OVERNET.0.53.EXE||overnet053
    OVERNET.EXE||overnet053
    P2P NETWORKING.EXE||kmd263
    PIOLET.EXE||piolet105
    SHAREAZA.EXE||shareaza18112
    SLSK.EXE||soulseek152
    WINMX.EXE||winmx331
    YPAGER.EXE||yahoomessenger

    ryumaou

    Feedback: I can't believe that no one mentioned HotBar! Terrible program that users volunteer to install and will cripple a Windows XP workstation.

    Jason

    We are investigating the possibility of Linux desktops. That being the case, how about blocking win.exe, excel.exe, msword.exe, msaccess.exe, mspub.exe, frontpg.exe and powerpnt.exe?

    Heiko Pletat

    I also use Program Killer from the cool solutions tree in my company.

    We block some programs like P2P-Filesharing tools (Emule, Kazaa, eDonkey, Overnet) and the complete messenger stuff (aol, yahoo and msn). So I have a clean environment and "long lived" workstations.

    David Cook

    As well as banning selected apps through ZENworks, you can block http://*.exe*/* with BorderManager (you may have to allow some specific exe's). I know, I know, this is a ZENworks forum.

    Mike Shore

    Here is what we currently ban, but it is out of date as it is time-consuming to keep up to date on all the new rogue apps appearing. I will be updating the list as per other suggestions in this column. I am looking forward to a standardized blacklist. We kill apps based on the image ID (app's internal identifier) and/or the EXE name. Thanks!

    Kyle Jones

    I won't mention any that are already on this list so this is all I have that differs: Tibia726.exe is an online game like Dungeons and Dragons. Caught half of our High School labs with this one installed. People chat live with others and online chat is always a risky thing for schools legally due to predators etc... Plus goofing around with online games instead of learning isn't cool.

    Steven Turnbull

    We are an educational institution, so we have varying degrees of restriction. This is the list of apps we block in our 24-Hr access suite. It has proven to be very effective.

    yahoo!_messenger_install.exe
    ..torrent
    agent.exe
    AGSATELLITE
    AIM
    aim.exe
    Anarchy.exe
    AnarchyPatcher.exe
    angel.exe
    aod.exe
    AOLauncher.exe
    autorun
    autoupdate.exe
    AudioGnome
    BBSMARTSETUP.EXE
    bit torrent
    bittorrent
    RealPlayer10Gold.exe
    blubster.exe
    BONZIBDY.EXE
    bootstrap.exe
    bpc.exe
    btdownloadgui.e
    ce_xxx.exe
    clientr.exe
    CMESYS.EXE
    comwiz.exe
    DATEMANAGER.EXE
    Direct Connect
    DCPlusPlus.exe
    Donkey
    Donor.exe
    Dune
    Dune2
    EarthStation5
    es5.exe
    es5uk.exe
    es5us.exe
    flashget.exe
    FSG.EXE
    fsg_4010.exe
    FSG-AG_3102.EXE
    FY2000R.exe
    GameChanel.exe
    GATOR.EXE
    gdthin
    GMT.EXE
    GMTZGM.exe
    grokster.exe
    GROKSTER.EXE
    Gnucleus
    hotaction_nz
    icq
    icq.exe
    ICQLite.exe
    ICQLRun.exe
    ICQLSRP.exe
    icqpro2003b.exe
    icqsrp.exe
    imesh
    IMESHCLIENT.EXE
    IMICI.EXE
    install.exe
    instant access.
    KAZAA.EXE
    kazaalite.kpp
    klrun.exe
    kpp
    Konspire
    Lemonade.exe
    livecam_nz.exe
    Limewire
    li-xdial
    memory~1.exe
    MESSENGER.EXE
    minibug.exe
    mirc
    mlink.exe
    morpheus
    mp3player
    msmsgs
    MSN6.EXE
    msnmsgr
    myphotos.exe
    N2PDialr.exe
    NAPSTER.EXE
    NapShare
    NetAnts.exe
    NETD.EXE
    NetTransport.ex
    newzealand_dude
    NJCOM32.exe
    NJCOM23.exe
    OBRW.EXE
    ODIGO.EXE
    OFFERS.EXE
    OverNet
    optimize.exe
    playlist.exe
    popsrv140.exe
    popsrv146.exe
    precisiontime
    PRECISIONTIME.EXE
    PrecisionTimeSetup.exe
    p2p Networking.
    p2p
    qq.exe
    QQ.exe
    qq2000c0630_eng.exe
    quake
    RadLight.exe
    rb32
    realevent.exe
    realjbox.exe
    realplay.exe
    realsched.exe
    RocketMania.exe
    soap.exe
    sahagent.exe
    setup.exe
    setupnt.exe
    SETUPNT.EXE
    sexy_newzealand.exe
    shaonv
    Shareaza
    SNOOD.EXE
    SongSpy
    speed up
    srng.exe
    sysmong.exe
    TBrowser.exe
    TBrowser.exe
    torrent.exe
    TRICKLER_BIC_GATORPT_3202.EXE
    TRICKLER3016.EXE
    TRILLAN
    trillian.exe
    trillian-v0.74f.exe
    tvtmd.exe
    update.exe
    utopia.exe
    URLBlaze
    videoaction_nz.
    videoaction_nz.ex
    videoaction_nz.exe
    Voodoo Vision
    weather
    webscene.exe
    webshots
    webshots.scr
    webshotstray.ex
    WHANCER.EXE
    winactive
    winamp
    winmx
    winnet.exe
    WINMX.EXE
    WNAD.EXE
    Yahoo Ten Pin Championship Bowling
    yahoo!_messenge
    ymsgr.exe
    YMSGR_~1.exe
    YMSGR_TRAY.EXE
    ypager.exe
    YPAGER.EXE
    zonealarm.exe

    That's the lot. Happy blocking!

    Rathna N

    • MSN Messenger, Yahoo Messenger & others - sometimes it's a total distraction and waste of time.
    • P2P sharing apps
    • POP up ads
    • WebShots
    • Some unknown apps (*.exe's), which get installed on the machine and it's a pain to uninstall them. :(

    John Phipps

    We ban Microsoft Outlook and Outlook Express from our ASP Data Centre. The reason is a fairly obvious one - Outlook introduces too many vulnerabilities that could knock ALL of our clients off the air. For clients that absolutely must have Outlook, we isolate their Citrix servers from the rest of the farm, and have them sign a release to exempt us from the terms of our SLA (Service Level Agreement) concerning guaranteed uptime.

    Earl Bryant

    About whitelists. This is how I'm implementing RPM in my environment, and it's working great. I'll bet most places have a slate of "approved" corporate apps. Anything outside of this should have a target on its back unless it's justified.

    Someone mentioned that it would be tedious creating the list of all possible apps that are allowed to run in the environment/in the OS. RPM does a pretty good job of this already, and I've only had to add some more MS apps that I want to allow to run (msohelp for MS Office help, for example). Besides, anything launched from within NAL is "protected", so even if I've disallowed, say, Internet Explorer from being launched within Windows, if I've provided an icon to launch it from within the NAL Window, it will run fine.

    As for Windows Support Packs making whitelists a headache. Most service packs replace file for like file, so if it did not kill the program before the SP, then it'll probably live afterwards. I find if I miss a filename that has gotten by me in testing - we of course ALL DO TEST these things, right? :), or has been newly introduced, it's a trivial matter to add it to my exceptions list, and repush the RPM out.

    Now, talk about keeping track of all POSSIBLE new programs for a blacklist. Unless their makers have conveniently labeled their internal filenames "setup.exe" or "install.exe" for me, I'm simply committing myself to an "arms race" with my users, trying to keep up on the latest filename to ban in order to maintain my exceptions list - now THAT'S tiring! I'd rather spend my time learning more about ZENworks and less in researching shareware/spyware crud!

    Now, if RPM could be enhanced to allow for wildcards as well, that would make it very versatile. Example: if Kazaa had kazaa123install.exe as its installer filename, and I could include "*kazaa*" as a value in the blacklist, then ANY file with "kazaa" ANYWHERE in the internal filename could be shut down. Feature request?
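An added example (not ZENworks code and not part of any reader's post) of the matching discussed on this page: identifying a program by the name embedded in the executable rather than by its file name on disk, with the `*kazaa*` style wildcards requested above. It assumes the "internal filename" corresponds to the OriginalFilename string of the Windows version resource, which the page does not confirm; all function names are hypothetical and the executables are constructed byte strings.

```python
import fnmatch
import struct

KEY = 'OriginalFilename'.encode('utf-16-le') + b'\x00\x00'


def original_filename(image):
    """Return the OriginalFilename string embedded in a PE image, or None.

    Heuristic scan rather than a full resource parser: find the UTF-16LE
    key, skip the zero padding that aligns the value, read up to the NUL.
    """
    pos = image.find(KEY)
    if pos < 0:
        return None
    pos += len(KEY)
    while image[pos:pos + 2] == b'\x00\x00':
        pos += 2
    end = pos
    while end + 1 < len(image) and image[end:end + 2] != b'\x00\x00':
        end += 2
    return image[pos:end].decode('utf-16-le', errors='replace') or None


def check(on_disk_name, image, blocked_patterns):
    """Classify an executable by its embedded name, falling back to the file name."""
    embedded = original_filename(image)
    name = (embedded or on_disk_name).lower()
    hits = [p for p in blocked_patterns if fnmatch.fnmatchcase(name, p.lower())]
    return {
        'embedded': embedded,
        'renamed': bool(embedded) and embedded.lower() != on_disk_name.lower(),
        'blocked_by': hits,
    }


def string_entry(key, value):
    """Build one version-resource String entry (constructed sample data)."""
    k = key.encode('utf-16-le') + b'\x00\x00'
    v = value.encode('utf-16-le') + b'\x00\x00'
    pad = b'\x00' * (-(6 + len(k)) % 4)           # align the value to 32 bits
    body = k + pad + v
    entry = struct.pack('<HHH', 6 + len(body), len(value) + 1, 1) + body
    return entry + b'\x00' * (-len(entry) % 4)    # align the next entry


def sample_image(original_name=None):
    """Constructed stand-in for an executable: stub header plus version strings."""
    image = b'MZ' + b'\x00' * 62
    if original_name:
        image += string_entry('InternalName', 'sample')
        image += string_entry('OriginalFilename', original_name)
    return image


if __name__ == '__main__':
    patterns = ['regedit.exe', '*kazaa*']
    print(check('cool.com', sample_image('REGEDIT.EXE'), patterns))
    print(check('setup.exe', sample_image('kazaa123install.exe'), patterns))
    # No version resource: only the on-disk name is available to match.
    print(check('notes.exe', sample_image(), patterns))
```

The third case shows the limit of the approach: a binary that carries no version strings can only be matched on its file name.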

    Christopher P. Smith

    This link could well be of some help when trying to decide what to ban: Windows Process Library

    Phillip Cross

    I saw this in a Dave Kearns article:
    Today's focus: Ideas for blocking software on users' machines
    By Dave Kearns
    Virtues of Program Monitor
    The first idea, actually, doesn't require any new programming, just some listings. PM as it exists now requires you to list the software you wish to have blocked. Roy Pait (among others, but he was first) suggested that what's needed is a starter list of generally blocked applications. Sounds like a good idea. If you have a shortlist, I'd suggest submitting it to Novell - you might get a cool T-shirt.

    Here is a short list of programs we would like to block:

    AOL AIM
    GAIN
    GATOR
    BARGAIN BUDDY
    PRECISION TIME
    ANY NON MS SCREEN SAVER
    WEB SHOTS
    HACKED OR CRACKED PROGRAMS
    INTERNET HISTORY ERASING PROGRAMS
    PORN OF ANY TYPE

    Dwayne Watkins

    • GPedit.msc - on 2k and XP machines because of policy changes to a local machine
    • Webshots - Most definitely
    • Also why install the local games on a computer when doing the build? Automated build can allow you to customize a machine to your liking and begin to relieve some of the problems.

    Manlio Fernando Bedoya Arango

    I want to add some W2K and XP games files we banned:

    asm.exe
    autorun.exe
    bckgzm.exe
    chkrzm.exe
    CMEsys.exe
    freecell.exe
    GMT.EXE
    gpedit.msc
    hotbar.exe
    hrtzzm.exe
    install.exe
    kazaa.exe
    msblast.exe
    mshearts.exe
    P2P networking.exe
    pinball.exe
    points manager.exe
    rvsezm.exe
    setupid.exe
    shvlzm.exe
    sol.exe
    spider.exe
    updmgr.exe
    winmine.exe

    James Romer

    I ban the usual exe's that you would expect (mainly flash apps from the web), but also routinely go through ZENworks inventory to highlight new programs that have been installed without authorisation and add to the list if necessary.

    I am looking at using rogue process management to stop those that know a little from renaming files.

    Also due to us locking the users' desktops, a lot of exe's historically got sent using GroupWise and were kept in GroupWise. We get round this by using MTASieve (now named GWAVA), blocking not only the file extensions we choose but also file size we choose.

    Apps banned so far:

    msn.exe
    aim.exe
    sol.ex
    winmine.exe
    sheep.exe
    balistic.exe
    beertend(4).exe
    beertend.exe
    Benidorm.exe
    BubblePuzzle97.exe
    chickens.exe
    Dynmite.exe
    elves.exe
    elves2.exe
    fart-mac.exe
    footy.exe
    freecell.exe
    ghouls.exe
    gift.exe
    golf.exe
    hearts.exe
    mario.exe
    milliona.exe
    napster.exe
    pinball.exe
    pool.exe
    quake.exe
    same.exe
    santafree.exe
    stressreducers.exe
    talkany.ee
    teletuby.exe
    tuxracer.exe

    Nathan Tidd

    How about a few of my Pet Peeves that are the most common nuisances? All of these pretty much just use up bandwidth and resources. They are all unneeded for the workplace except maybe Realplayer for certain situations.

    • Webshots
    • WeatherBug
    • Comet Cursor
    • Atomic Clock
    • Realplayer

    Brandon Kirsch

    Google Directory gave me extensive lists of software to block, depending on what admins want to target. If users are managing to get by RPM with odd software, it should be listed here.

    Things I found worth noting:

    • Gaim - Instant Messenging client for many (including Novell!) protocols
    • GoToMyPC - Employees can access their home PCs
    • Quake.exe - Even with decent policies a user can simply run this exe out of any folder (usually for us, it's one on the network)
    • Ettercap - This one can really mess your network (and your day) up if you're not careful

    Andrew Palm

    Since reviewing this article a while ago, we have been looking at and evaluating scanwin. This looks to be a really useful and great product.

    One of the pluses is that you can get it to 'block' any setup install routines and this stops the users from installing applications. You can also add the spyware programs (or any program) to the list and stop them from running also.

    Our install blocking section of titles is

    Stop ANY Setup Programs Running:

    • Setup
    • Install
    • Windows Installer
    • installshield

    We are currently adding to it as we find more installs that slip around the above lines.

    This seems to work better than blocking the program once installed. For example, blocking ICQ.EXE is ok, but it's better not to have it installed in the first place, so you don't end up with a machine full of software that won't work and bogging the machine down.

    The latest version of scanwin also lets you customise the warning prompt, which is good as the original was designed for a school and our users would laugh if they saw an error message saying contact your teacher if you need to run this program.

    Of course we use ZENworks to drop all our apps, so there are no manual installs. If you need to do manual installs, you can disable the scanwin program during the install process and then turn it back on when it's done.

    Bob Fortin

    Great posting! Just by reading through I caught many that I had missed. We strive to block the following:

    • Messenger (of all sorts)
    • Kazaa, Grokster, etc, etc
    • Trillian
    • X8pplay, etc
    • Webshots

    And the list grows and grows...

    Oivind Ekeberg

    Apps we ban!

    All Gator-related apps (Gain Publishing). Spyware!

    • Gator
    • Weatherscope
    • PrecisionTime
    • Date Manager
    • Dashbar

    Since we're running GroupWise:

    • Outlook Express
    • Outlook
    • MSN Messenger
    • Trillian
    • ICQ
    • AOL

    File-sharing apps other than iFolder:

    • eMule
    • eDonkey2000
    • Kazaa
    • Bittorrent

    But after reading the list, I see that we have to do a major update on ours!

    Paul Staniford

    We have been having a lot of trouble with the Popup ring tone adverts.

    We have now blocked the following sites to prevent a majority of the infected sources of the adware. (The first two are used to reinstall the adware, the rest host components of the exploit.)

    *.default-homepage-network.com
    *.smartbotpro.com

    *.passthison.com
    209.50.251.182
    209.50.251.152
    209.50.251.151
    69.50.139.61
    *.achtungachtung.com
    *.2nd-thought.com
    *.7search.com
    *.680180.com

    This adware is made up of 6 viruses:

    HTML_REDIR.A
    JS_IESTART.PS
    CHM_Psyme.Y
    CHM_Psyme.C
    TROJ_SMALL.GO
    TROJ_SILEN.A

    and 3 pieces of adware:

    ClientMan
    CleverIEHooker
    IGetNet.ClearSearch

    They put loads of components on the computer and make a lot of registry changes. IE crashes after McAfee attempts removal because it doesn't unregister the BHOs. If you miss a part when removing, the remaining bit will download the parts you removed and reinstall them. In the end we find it easier to reimage the computer.

    The exploit was patched in Feb 2004 with patch KB832894 so it might be an idea to make sure all your XP machines have this patch on them. Even with this patch machines still manage to get some of the files listed below.

    I also have a ZEN app check for the following files/reg entry on the machines and if they are present they are deleted.

    %WinDir%\System32\AdStartup.exe
    %WinDir%\System32\AdUpdater.exe
    %WinDir%\System32\AdUpdManager.xml
    %WinDir%\System32\data.xml
    %WinDir%\System32\IeEnhancer.dll
    %WinDir%\System32\AutoMove.exe
    %WinDir%\System32\Trans.exe
    %WinDir%\System32\SWin32.dll

    There is also a registry key that runs AdStartup.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdStartup

    Bobby Guillory

    Another app to consider blocking would be the Ezula.exe which downloads a ton of malware and spyware to machines. This program also installs the dreaded sahagent.* files which are considered parasitic. If not uninstalled a certain way it can completely disable the NIC card of a machine.


    Additional Requests

    Toby Fruth

    I don't have a list of apps to ban, but I was wondering if you have any articles on disallowing USB flash drives and the like. Some of the 'banned' apps are standalone executables that run from any drive. Also, I was imagining the ZEN script only scanning the C:\ drive. I don't suppose anyone has disabled the use of CD/DVD drives.

    George Washington

    On a different note, I would like to see a Cool Solution on how to effectively scan other drives in addition to c:\. The problem is removable flash drives. Sol.exe and spider.exe are standalone solitaire programs that can be run from any drive.

    Jesse Schulman

    We would love to see RPM being able to ban the opening of specific file extensions, such as .mp3 or .avi and so on. I know that's a big step, but it would be wonderful if we could stop users from using files of that type. Also the flash drive and other USB device issue is a big one with us.

    Scott D. Jones

    We also ban a lot of the "features" of Windows.

    finger.exe
    ftp.exe
    install.exe
    ipconfig.exe
    mmc.exe
    netbt.exe
    netstat.exe
    nslookup.exe
    nwsndmsg.exe
    nwtray.exe
    poledit.exe
    regedit.exe
    regedit32.exe
    setup.exe
    setup1.exe
    shrpubw.exe
    telnet.exe
    tftp.exe
    tlntsvr.exe

    Ryan A Wasek

    I work in a Laboratory Environment where everything is highly regulated & confidential. As with many of the most obvious apps, our highest priority is file sharing apps such as:

    KaZaA
    Limewire
    Morpheus
    MyNapster
    Napster
    BadBlue
    Bearshare
    Swapper
    WinMP3locator
    WinMX
    iMesh
    Direct Connect
    eDonkey

    Frank Zomer

    Another suggestion. Maybe it's also a good idea to make a list of websites you might want to ban. e.g. the web version of msn messenger at http://webmessenger.msn.com/.

    Hope you think so too!

    Phillip Cross

    Here is a short list of programs we would like to block:

    AOL
    AOL AIM
    GAIN
    GATOR
    BARGAIN BUDDY
    PRECISION TIME
    ANY NON MS SCREEN SAVER
    WEB SHOTS
    HACKED OR CRACKED PROGRAMS
    INTERNET HISTORY ERASING PROGRAMS
    PORN OF ANY TYPE

    Ed Martens

    What about BAN all apps except:

    wmrundll.exe
    wm.exe
    nwtray.exe
    nalwin32.exe
    nalstart.exe
    nalntsrv.exe
    nal.exe
    naldesk.exe

    use Shell=nalwin32

    Mike Murphy

    Apps to Ban - Most of these are related to Keyloggers.

    kldec.exe
    wsys.exe
    RunDll16.exe
    KeyPatrol.exe
    unsetup.exe
    cisvc.exe
    logger.exe
    TinyKL.exe
    csrss.exe
    svcmcrv.exe
    akl.exe
    handy_keylogger.exe
    NBSvr.exe
    keycorder.exe
    keycord1.exe
    SYS.EXE
    bpk.exe
    Keyloggerpro.exe
    aak.exe
    keylogger.exe
    Activeshield.exe
    antikey.exe
    bpk.exe
    std.exe
    EANTHO~1.EXE
    sys_alert.exe
    cisvc.exe
    fhtisxk.exe
    csrss.exe
    KeyPatrol.exe
    Krnlmod.exe
    Mstapi.exe
    mswinpid32.exe
    Hello.exe
    SpooI32.exe
    Svchost.exe
    sysdiag.exe
    syncagent.exe
    sys32win.exe
    Rundll32.exe
    DEFSCANGUI.EXE
    WinVNC.exe
    vnc.exe

    Tim Dunkley

    This solution uses the DisallowRun feature.

    Here are two files -- one .XLS, and one .TXT (which you rename to .REG)

    The .REG file enables the DisallowRun feature and also includes the blocked exe's in List A. Also included is an Excel file I use to update the .REG file (I just find it easier when you want to add quite a few .exe's to the .REG file. If anyone can't figure the Excel file out, just e-mail me).

    The way I deploy this to all workstations across the network is by using a simple ZENworks App which force runs when a user logs on.

    All the following applications I've found in abundance all over the workstations on our network. Most of them contain adware/spyware or malware; the others are applications that I find have no place in a business or any other enterprise environment.

    List A:

    "1"="AAWSEPERSONAL.EXE"
    "2"="ACONTI.EXE"
    "3"="ACTALERT.EXE"
    "4"="agsatellite.EXE"
    "5"="agsatellite609.EXE"
    "6"="aim.EXE"
    "7"="aim95.EXE"
    "8"="aimster.EXE"
    "9"="ANTIVIRUS_INSTALL.EXE"
    "10"="AQUATICA WATERWORLDS.EXE"
    "11"="AQUATICA-INSTALL-FSG.EXE"
    "12"="AUDIOMP3FIND.EXE"
    "13"="automove.EXE"
    "14"="BADBLUE.EXE"
    "15"="BARGAINS.EXE"
    "16"="bbeagle.EXE"
    "17"="bbsmartsetup.EXE"
    "18"="BBSMARTSETUP.EXE"
    "19"="BearShare.EXE"
    "20"="BLACKWIDOW.EXE"
    "21"="BLAT.EXE"
    "22"="BLUBSTER.EXE"
    "23"="BODETELLA.EXE"
    "24"="BOL.EXE"
    "25"="bonzibdy.EXE"
    "26"="BUDDY.EXE"
    "27"="BWWebloader.EXE"
    "28"="CASINOBROWSER.EXE"
    "29"="CIRCLE.EXE"
    "30"="CLIENT4.EXE"
    "31"="CLUSTONE.EXE"
    "32"="cmesys.EXE"
    "33"="COMBackConsole.EXE"
    "34"="COMET_INSTALL.EXE"
    "35"="CRAPSTER.EXE"
    "36"="dap.EXE"
    "37"="datemanager.EXE"
    "38"="DCPLUSPLUS.EXE"
    "39"="DECONPRO.EXE"
    "40"="DEFSCANGUI.EXE"
    "41"="DEVMGMT.MSC" "42"="DIRECTCONNECT.EXE"
    "43"="doom.EXE"
    "44"="DSERVER.BAT" "45"="DSHARE.BAT" "46"="DW.EXE"
    "47"="EANTHOLOGY.EXE"
    "48"="EBATESMOEMONEYMAKER*.EXE"
    "49"="EDONKEY2000.EXE"
    "50"="EMULE.EXE"
    "51"="EVOLUTION.EXE"
    "52"="EVOLVER.EXE"
    "53"="FILEFURY.EXE"
    "54"="FILEMINER.EXE"
    "55"="FILENAVIGATOR.EXE"
    "56"="FILESHARE.EXE"
    "57"="FILETO~1.EXE"
    "58"="FILETOPIA.EXE"
    "59"="FILEZILLA.EXE"
    "60"="FLOCATOR.EXE"
    "61"="FREECELL.EXE"
    "62"="FREEWIRELAUNCHER.EXE"
    "63"="fsg.EXE"
    "64"="fsg-ag_3102.EXE"
    "65"="screensaver.EXE"
    "66"="gaim.EXE"
    "67"="gator.EXE"
    "68"="GDONKEY.EXE"
    "69"="GETRIGHT.EXE"
    "70"="GIDGET.EXE"
    "71"="GKLDEMO.EXE"
    "72"="gmt.EXE"
    "73"="GNEWTELLA.EXE"
    "74"="GNOTELLA.EXE"
    "75"="GNUCLEUS.EXE"
    "76"="GPEER.EXE"
    "77"="grokster.EXE"
    "78"="GTL POLIANE.EXE"
    "79"="HLCLIENT*.EXE"
    "80"="HOMEKEYLOGGER-SETUP.EXE"
    "81"="HOPSTER.EXE"
    "82"="HOPSTERSETUP.EXE"
    "83"="httport.EXE"
    "84"="HTTPTUNNEL_SETUP.EXE"
    "85"="HTTP-TUNNELCLIENT.EXE"
    "86"="icechat.EXE"
    "87"="icq.EXE"
    "88"="ICQLITE.EXE"
    "89"="icqnet.EXE"
    "90"="IKEA KITCHEN PLANNER.EXE"
    "91"="im2001.EXE"
    "92"="imeshclient.EXE"
    "93"="imici.EXE"
    "94"="Incredimail.EXE"
    "95"="INETWIZ.EXE"
    "96"="INOIZE.EXE"
    "97"="ipodservice.EXE"
    "98"="IPSCANNER.EXE"
    "99"="JACKALOPE.EXE"
    "100"="JITZUSHARE.EXE"
    "101"="KAST.EXE"
    "102"="kazaa.EXE"
    "103"="KAZAALITE.KPP" "104"="KHttp2t.EXE"
    "105"="klient.EXE"
    "106"="kmd.EXE"
    "107"="KPP.EXE"
    "108"="launcher.EXE"
    "109"="LC_CLI.EXE"
    "110"="lights.EXE"
    "111"="LIMEWIRE.EXE"
    "112"="LOCATOR.EXE"
    "113"="lusrmgr.msc" "114"="MADSTER.EXE"
    "115"="MCAGENT.EXE"
    "116"="MEDIAGRAB.EXE"
    "117"="MEDIASEEK.EXE"
    "118"="MEGASEARCHBARSETUP.EXE"
    "119"="messenger.EXE"
    "120"="MicWin.EXE"
    "121"="MIRANDA32.EXE"
    "122"="mirc.EXE"
    "123"="misc.EXE"
    "124"="MMCLIENT.EXE"
    "125"="MMOD.EXE"
    "126"="MOJO NATION.EXE"
    "127"="MOODLOGIC.EXE"
    "128"="morpheus.EXE"
    "129"="MORPHEXE.EXE"
    "130"="MP3 SWAPPER.EXE"
    "131"="MP3EASYKL.EXE"
    "132"="MP3FINDER.EXE"
    "133"="MP3STARSEARCH.EXE"
    "134"="MP3WOLF.EXE"
    "135"="MSBB.EXE"
    "136"="msimn.EXE"
    "137"="msmsgs.EXE"
    "138"="msn6.EXE"
    "139"="msnmsgs.EXE"
    "140"="MYNAPSTER.EXE"
    "141"="MYSTER.EXE"
    "142"="NAMSTER.EXE"
    "143"="napster.EXE"
    "144"="NARRATOR.EXE"
    "145"="nastysex.EXE"
    "146"="NBSRVR.EXE"
    "147"="NETBRILLIANT.EXE"
    "148"="NETBUS.EXE"
    "149"="netd.EXE"
    "150"="NJCOM32.EXE"
    "151"="NOVA.EXE"
    "152"="NWADMN32.EXE"
    "153"="obrw.EXE"
    "154"="odigo.EXE"
    "155"="offers.EXE"
    "156"="ONEMX.EXE"
    "157"="OPTIMIZE.EXE"
    "158"="OSSPROXY.EXE"
    "159"="OVERNET.0.53.EXE"
    "160"="OVERNET.EXE"
    "161"="P2P NETWORKING.EXE"
    "162"="PCV7.EXE"
    "163"="PINPOST.EXE"
    "164"="PIOLET.EXE"
    "165"="PLAYER.EXE"
    "166"="PLEBIO.EXE"
    "167"="PLINK.EXE"
    "168"="poledit.EXE"
    "169"="polmx3.EXE"
    "170"="powerscan.EXE"
    "171"="ppdomu.EXE"
    "172"="precisiontime.EXE"
    "173"="preInsMt.EXE"
    "174"="PTANKS.EXE"
    "175"="putty.EXE"
    "176"="puttytel.EXE"
    "177"="PWDUMP.EXE"
    "178"="PWDUMP3.EXE"
    "179"="PWSERVICE.EXE"
    "180"="QQ.EXE"
    "181"="QT2.EXE"
    "182"="QTRAX.EXE"
    "183"="quake.EXE"
    "184"="QUEUEMANAGER.EXE"
    "185"="rainlendar.EXE"
    "186"="RIDEWAY.EXE"
    "187"="RIFFSHARE.EXE"
    "188"="RINGTONE.EXE"
    "189"="S4SETUP.EXE"
    "190"="SAVE.EXE"
    "191"="savenow.EXE"
    "192"="SENTRY.EXE"
    "193"="setuppestpatroleval.EXE"
    "194"="SETUPSCR.EXE"
    "195"="SHANKSTER.EXE"
    "196"="SHAREAZA.EXE"
    "197"="SHAREAZA.EXE"
    "198"="SLAVANAP.EXE"
    "199"="SLAVE.EXE"
    "200"="SLSK.EXE"
    "201"="SMIRK.EXE"
    "202"="SNATCHIN.EXE"
    "203"="snood.EXE"
    "204"="snrg.EXE"
    "205"="SOL.EXE"
    "206"="SONGSPY.EXE"
    "207"="SOULSEEK.EXE"
    "208"="SOUNDCRAWLER.EXE"
    "209"="SPINFRENZY.EXE"
    "210"="SPLOOGE.EXE"
    "211"="srnghelp.EXE"
    "212"="srngutil.EXE"
    "213"="SWAPNUT.EXE"
    "214"="SWAPPER.EXE"
    "215"="SWAPTOR.EXE"
    "216"="Swift3D.EXE"
    "217"="SWISH.EXE"
    "218"="SYNCAGENT.EXE"
    "219"="SYNCCONFIG.EXE"
    "220"="TESLA.EXE"
    "221"="THE BRIDGE.EXE"
    "222"="ThePlaya.EXE"
    "223"="TOADNODE.EXE"
    "224"="trickler_bic_gatorpt_3202.EXE"
    "225"="TRICKLER_BIC_GATORPT_3202.EXE"
    "226"="trickler3016.EXE"
    "227"="TRICKLER3016.EXE"
    "228"="trillian.EXE"
    "229"="UCMORE.EXE"
    "230"="UCMOREIEX.EXE"
    "231"="URLBLAZE.EXE"
    "232"="VIDOMI.EXE"
    "233"="VOUCHERS.EXE"
    "234"="WEATHER.EXE"
    "235"="weatherbug.EXE"
    "236"="WEBREBATES_AUTO_INSTALLSILENT.EXE"
    "237"="webrebates0.EXE"
    "238"="webrebates1.EXE"
    "239"="websearch1.EXE"
    "240"="WEBSHAREIT.EXE"
    "241"="webshots.EXE"
    "242"="WEBSHOTS_SETUP.EXE"
    "243"="WEBVACUUMFREE.EXE"
    "244"="WHAGENT.EXE"
    "245"="WHANCER.EXE"
    "246"="whancer.EXE"
    "247"="whse.EXE"
    "248"="WINAMPA.EXE"
    "249"="WINAMP.EXE"
    "250"="winmx.EXE"
    "251"="WIPPIT.EXE"
    "252"="wnad.EXE"
    "253"="WNAD.EXE"
    "254"="WRAPSTER.EXE"
    "255"="wssetup.EXE"
    "256"="wtoolsa.exe " "257"="XMAS2003_2.EXE"
    "258"="XMAS2003_2_1.EXE"
    "259"="XOLOX.EXE"
    "260"="xxxtoolbar.EXE"
    "261"="YAHOO!_MESSENGER_INSTALL.EXE"
    "262"="ymsgr_tray.EXE"
    "263"="YMSGRIE.EXE"
    "264"="YMSGRUK.EXE"
    "265"="YMSGRYIMS.EXE"
    "266"="YOINK.EXE"
    "267"="ypager.EXE"
    "268"="YSERVER.EXE"
    "269"="YUPDATER.EXE"
    "270"="ZPOC.EXE"
    "271"="errorguard.EXE"
    "272"="freezeday.EXE"
    "273"="CxtPls.EXE"
    "274"="Al-Thkir2.EXE"
    "275"="AlThkir3.EXE"
    "276"="AQ3Helper.EXE"
    "277"="Aquatica Waterworlds.EXE"
    "278"="TarjimTools1.EXE"
    "279"="SitePassMgr.EXE"
    "280"="Tvm.EXE"
    "281"="Weatherscope.EXE"
    "282"="disp1150.EXE"
    "283"="WebRebates0.EXE"
    "284"="WebRebates1.EXE"
    "285"="WebSecureAlert.EXE"
    "286"="blaster_blocks_demo.EXE"
    "287"="powerplay.EXE"
    "288"="athan.EXE"
    "289"="ButterflyOasis.EXE"
    "290"="BO1Helper.EXE"

    Reg File - Copy & paste to notepad & save as FILENAME.reg

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "DisallowRun"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
    "1"="AAWSEPERSONAL.EXE"
    "2"="ACONTI.EXE"
    "3"="ACTALERT.EXE"
    "4"="agsatellite.EXE"
    "5"="agsatellite609.EXE"
    "6"="aim.EXE"
    "7"="aim95.EXE"
    "8"="aimster.EXE"
    "9"="ANTIVIRUS_INSTALL.EXE"
    "10"="AQUATICA WATERWORLDS.EXE"
    "11"="AQUATICA-INSTALL-FSG.EXE"
    "12"="AUDIOMP3FIND.EXE"
    "13"="automove.EXE"
    "14"="BADBLUE.EXE"
    "15"="BARGAINS.EXE"
    "16"="bbeagle.EXE"
    "17"="bbsmartsetup.EXE"
    "18"="BBSMARTSETUP.EXE"
    "19"="BearShare.EXE"
    "20"="BLACKWIDOW.EXE"
    "21"="BLAT.EXE"
    "22"="BLUBSTER.EXE"
    "23"="BODETELLA.EXE"
    "24"="BOL.EXE"
    "25"="bonzibdy.EXE"
    "26"="BUDDY.EXE"
    "27"="BWWebloader.EXE"
    "28"="CASINOBROWSER.EXE"
    "29"="CIRCLE.EXE"
    "30"="CLIENT4.EXE"
    "31"="CLUSTONE.EXE"
    "32"="cmesys.EXE"
    "33"="COMBackConsole.EXE"
    "34"="COMET_INSTALL.EXE"
    "35"="CRAPSTER.EXE"
    "36"="dap.EXE"
    "37"="datemanager.EXE"
    "38"="DCPLUSPLUS.EXE"
    "39"="DECONPRO.EXE"
    "40"="DEFSCANGUI.EXE"
    "41"="DEVMGMT.MSC" "42"="DIRECTCONNECT.EXE"
    "43"="doom.EXE"
    "44"="DSERVER.BAT" "45"="DSHARE.BAT" "46"="DW.EXE"
    "47"="EANTHOLOGY.EXE"
    "48"="EBATESMOEMONEYMAKER*.EXE"
    "49"="EDONKEY2000.EXE"
    "50"="EMULE.EXE"
    "51"="EVOLUTION.EXE"
    "52"="EVOLVER.EXE"
    "53"="FILEFURY.EXE"
    "54"="FILEMINER.EXE"
    "55"="FILENAVIGATOR.EXE"
    "56"="FILESHARE.EXE"
    "57"="FILETO~1.EXE"
    "58"="FILETOPIA.EXE"
    "59"="FILEZILLA.EXE"
    "60"="FLOCATOR.EXE"
    "61"="FREECELL.EXE"
    "62"="FREEWIRELAUNCHER.EXE"
    "63"="fsg.EXE"
    "64"="fsg-ag_3102.EXE"
    "65"="screensaver.EXE"
    "66"="gaim.EXE"
    "67"="gator.EXE"
    "68"="GDONKEY.EXE"
    "69"="GETRIGHT.EXE"
    "70"="GIDGET.EXE"
    "71"="GKLDEMO.EXE"
    "72"="gmt.EXE"
    "73"="GNEWTELLA.EXE"
    "74"="GNOTELLA.EXE"
    "75"="GNUCLEUS.EXE"
    "76"="GPEER.EXE"
    "77"="grokster.EXE"
    "78"="GTL POLIANE.EXE"
    "79"="HLCLIENT*.EXE"
    "80"="HOMEKEYLOGGER-SETUP.EXE"
    "81"="HOPSTER.EXE"
    "82"="HOPSTERSETUP.EXE"
    "83"="httport.EXE"
    "84"="HTTPTUNNEL_SETUP.EXE"
    "85"="HTTP-TUNNELCLIENT.EXE"
    "86"="icechat.EXE"
    "87"="icq.EXE"
    "88"="ICQLITE.EXE"
    "89"="icqnet.EXE"
    "90"="IKEA KITCHEN PLANNER.EXE"
    "91"="im2001.EXE"
    "92"="imeshclient.EXE"
    "93"="imici.EXE"
    "94"="Incredimail.EXE"
    "95"="INETWIZ.EXE"
    "96"="INOIZE.EXE"
    "97"="ipodservice.EXE"
    "98"="IPSCANNER.EXE"
    "99"="JACKALOPE.EXE"
    "100"="JITZUSHARE.EXE"
    "101"="KAST.EXE"
    "102"="kazaa.EXE"
    "103"="KAZAALITE.KPP" "104"="KHttp2t.EXE"
    "105"="klient.EXE"
    "106"="kmd.EXE"
    "107"="KPP.EXE"
    "108"="launcher.EXE"
    "109"="LC_CLI.EXE"
    "110"="lights.EXE"
    "111"="LIMEWIRE.EXE"
    "112"="LOCATOR.EXE"
    "113"="lusrmgr.msc" "114"="MADSTER.EXE"
    "115"="MCAGENT.EXE"
    "116"="MEDIAGRAB.EXE"
    "117"="MEDIASEEK.EXE"
    "118"="MEGASEARCHBARSETUP.EXE"
    "119"="messenger.EXE"
    "120"="MicWin.EXE"
    "121"="MIRANDA32.EXE"
    "122"="mirc.EXE"
    "123"="misc.EXE"
    "124"="MMCLIENT.EXE"
    "125"="MMOD.EXE"
    "126"="MOJO NATION.EXE"
    "127"="MOODLOGIC.EXE"
    "128"="morpheus.EXE"
    "129"="MORPHEXE.EXE"
    "130"="MP3 SWAPPER.EXE"
    "131"="MP3EASYKL.EXE"
    "132"="MP3FINDER.EXE"
    "133"="MP3STARSEARCH.EXE"
    "134"="MP3WOLF.EXE"
    "135"="MSBB.EXE"
    "136"="msimn.EXE"
    "137"="msmsgs.EXE"
    "138"="msn6.EXE"
    "139"="msnmsgs.EXE"
    "140"="MYNAPSTER.EXE"
    "141"="MYSTER.EXE"
    "142"="NAMSTER.EXE"
    "143"="napster.EXE"
    "144"="NARRATOR.EXE"
    "145"="nastysex.EXE"
    "146"="NBSRVR.EXE"
    "147"="NETBRILLIANT.EXE"
    "148"="NETBUS.EXE"
    "149"="netd.EXE"
    "150"="NJCOM32.EXE"
    "151"="NOVA.EXE"
    "152"="NWADMN32.EXE"
    "153"="obrw.EXE"
    "154"="odigo.EXE"
    "155"="offers.EXE"
    "156"="ONEMX.EXE"
    "157"="OPTIMIZE.EXE"
    "158"="OSSPROXY.EXE"
    "159"="OVERNET.0.53.EXE"
    "160"="OVERNET.EXE"
    "161"="P2P NETWORKING.EXE"
    "162"="PCV7.EXE"
    "163"="PINPOST.EXE"
    "164"="PIOLET.EXE"
    "165"="PLAYER.EXE"
    "166"="PLEBIO.EXE"
    "167"="PLINK.EXE"
    "168"="poledit.EXE"
    "169"="polmx3.EXE"
    "170"="powerscan.EXE"
    "171"="ppdomu.EXE"
    "172"="precisiontime.EXE"
    "173"="preInsMt.EXE"
    "174"="PTANKS.EXE"
    "175"="putty.EXE"
    "176"="puttytel.EXE"
    "177"="PWDUMP.EXE"
    "178"="PWDUMP3.EXE"
    "179"="PWSERVICE.EXE"
    "180"="QQ.EXE"
    "181"="QT2.EXE"
    "182"="QTRAX.EXE"
    "183"="quake.EXE"
    "184"="QUEUEMANAGER.EXE"
    "185"="rainlendar.EXE"
    "186"="RIDEWAY.EXE"
    "187"="RIFFSHARE.EXE"
    "188"="RINGTONE.EXE"
    "189"="S4SETUP.EXE"
    "190"="SAVE.EXE"
    "191"="savenow.EXE"
    "192"="SENTRY.EXE"
    "193"="setuppestpatroleval.EXE"
    "194"="SETUPSCR.EXE"
    "195"="SHANKSTER.EXE"
    "196"="SHAREAZA.EXE"
    "197"="SHAREAZA.EXE"
    "198"="SLAVANAP.EXE"
    "199"="SLAVE.EXE"
    "200"="SLSK.EXE"
    "201"="SMIRK.EXE"
    "202"="SNATCHIN.EXE"
    "203"="snood.EXE"
    "204"="snrg.EXE"
    "205"="SOL.EXE"
    "206"="SONGSPY.EXE"
    "207"="SOULSEEK.EXE"
    "208"="SOUNDCRAWLER.EXE"
    "209"="SPINFRENZY.EXE"
    "210"="SPLOOGE.EXE"
    "211"="srnghelp.EXE"
    "212"="srngutil.EXE"
    "213"="SWAPNUT.EXE"
    "214"="SWAPPER.EXE"
    "215"="SWAPTOR.EXE"
    "216"="Swift3D.EXE"
    "217"="SWISH.EXE"
    "218"="SYNCAGENT.EXE"
    "219"="SYNCCONFIG.EXE"
    "220"="TESLA.EXE"
    "221"="THE BRIDGE.EXE"
    "222"="ThePlaya.EXE"
    "223"="TOADNODE.EXE"
    "224"="trickler_bic_gatorpt_3202.EXE"
    "225"="TRICKLER_BIC_GATORPT_3202.EXE"
    "226"="trickler3016.EXE"
    "227"="TRICKLER3016.EXE"
    "228"="trillian.EXE"
    "229"="UCMORE.EXE"
    "230"="UCMOREIEX.EXE"
    "231"="URLBLAZE.EXE"
    "232"="VIDOMI.EXE"
    "233"="VOUCHERS.EXE"
    "234"="WEATHER.EXE"
    "235"="weatherbug.EXE"
    "236"="WEBREBATES_AUTO_INSTALLSILENT.EXE"
    "237"="webrebates0.EXE"
    "238"="webrebates1.EXE"
    "239"="websearch1.EXE"
    "240"="WEBSHAREIT.EXE"
    "241"="webshots.EXE"
    "242"="WEBSHOTS_SETUP.EXE"
    "243"="WEBVACUUMFREE.EXE"
    "244"="WHAGENT.EXE"
    "245"="WHANCER.EXE"
    "246"="whancer.EXE"
    "247"="whse.EXE"
    "248"="WINAMPA.EXE"
    "249"="WINAMP.EXE"
    "250"="winmx.EXE"
    "251"="WIPPIT.EXE"
    "252"="wnad.EXE"
    "253"="WNAD.EXE"
    "254"="WRAPSTER.EXE"
    "255"="wssetup.EXE"
    "256"="wtoolsa.exe " "257"="XMAS2003_2.EXE"
    "258"="XMAS2003_2_1.EXE"
    "259"="XOLOX.EXE"
    "260"="xxxtoolbar.EXE"
    "261"="YAHOO!_MESSENGER_INSTALL.EXE"
    "262"="ymsgr_tray.EXE"
    "263"="YMSGRIE.EXE"
    "264"="YMSGRUK.EXE"
    "265"="YMSGRYIMS.EXE"
    "266"="YOINK.EXE"
    "267"="ypager.EXE"
    "268"="YSERVER.EXE"
    "269"="YUPDATER.EXE"
    "270"="ZPOC.EXE"
    "271"="errorguard.EXE"
    "272"="freezeday.EXE"
    "273"="CxtPls.EXE"
    "274"="Al-Thkir2.EXE"
    "275"="AlThkir3.EXE"
    "276"="AQ3Helper.EXE"
    "277"="Aquatica Waterworlds.EXE"
    "278"="TarjimTools1.EXE"
    "279"="SitePassMgr.EXE"
    "280"="Tvm.EXE"
    "281"="Weatherscope.EXE"
    "282"="disp1150.EXE"
    "283"="WebRebates0.EXE"
    "284"="WebRebates1.EXE"
    "285"="WebSecureAlert.EXE"
    "286"="blaster_blocks_demo.EXE"
    "287"="powerplay.EXE"
    "288"="athan.EXE"
    "289"="ButterflyOasis.EXE"
    "290"="BO1Helper.EXE"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000001

    If you have any questions you may contact Tim at Tim.Dunkley@whittington.nhs.uk
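
Tim builds the .REG file from a spreadsheet; the same step as a script, added here as an example (not Tim's Excel file or any Novell tool). It trims stray spaces, drops case-only duplicates and sets aside wildcard entries, on the assumption that DisallowRun compares each value literally with the executable's file name; the function names and sample input are constructed.

```python
"""Build a DisallowRun .reg file from a plain list of executable names."""

REG_HEADER = "REGEDIT4"
POLICY_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
    r"\CurrentVersion\Policies\Explorer"
)

# Characters that cannot appear in a Windows file name, plus wildcards.
# Assumption: DisallowRun does not expand * or ?, so such entries need review.
INVALID_CHARS = '*?"\\/:<>|'

# Constructed sample input in the style of the lists on this page:
# case-only duplicates, a stray trailing space, and a wildcard entry.
SAMPLE_NAMES = [
    "bbsmartsetup.EXE",
    "BBSMARTSETUP.EXE",
    "wtoolsa.exe ",
    "HLCLIENT*.EXE",
    "AQUATICA WATERWORLDS.EXE",
    "Aquatica Waterworlds.EXE",
    "kazaa.EXE",
    "",
]


def normalize(names):
    """Return (clean, rejected).

    clean    -- names trimmed and de-duplicated case-insensitively,
                in first-seen order
    rejected -- names containing wildcards or characters that are not
                valid in a file name, left for manual review
    """
    seen = set()
    clean, rejected = [], []
    for raw in names:
        name = raw.strip()
        if not name:
            continue
        if any(ch in name for ch in INVALID_CHARS):
            rejected.append(name)
            continue
        key = name.upper()  # Windows file names compare case-insensitively
        if key in seen:
            continue
        seen.add(key)
        clean.append(name)
    return clean, rejected


def build_reg(names):
    """Return (reg_text, rejected) with values numbered from 1 without gaps."""
    clean, rejected = normalize(names)
    lines = [
        REG_HEADER,
        "",
        f"[{POLICY_KEY}]",
        '"DisallowRun"=dword:00000001',
        "",
        f"[{POLICY_KEY}\\DisallowRun]",
    ]
    lines += [f'"{i}"="{name}"' for i, name in enumerate(clean, start=1)]
    return "\n".join(lines) + "\n", rejected


def write_reg(path, text):
    """Write the file with CRLF line endings; non-ASCII names raise an error."""
    with open(path, "w", encoding="ascii", newline="\r\n") as handle:
        handle.write(text)


if __name__ == "__main__":
    reg_text, needs_review = build_reg(SAMPLE_NAMES)
    print(reg_text)
    for entry in needs_review:
        print("review by hand (wildcard or invalid character):", entry)
```

DisallowRun is applied by Explorer to the file name of programs it launches, so the generated file is one layer to combine with the allow-list approach other contributors on this page describe.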

    Keith Pain

    I would like to add to the growing list.....

    Things that might already be on there.

    • any file sharing software. ( Kazza, e-mule etc)
      as this opens up any network security
    • Windows 2000, XP, 2003
      Auto updates have to have a port out, and a port in. And with Microsoft's bad coding that opens up the security of most networks, unless you look right into the MS security and spend hours locking down the OSs, so users cannot move without IT being there to unlock their account.

    Ray Southworth

    Of course there are THOUSANDS of Spyware, games, and chat software that you would want to ban - but if you do a good job locking down the machines then there really is no reason to have a banned list that I have seen. When I converted my office environment to ZfD4, my users weren't really happy that they couldn't install their own personal software, but I would explain to them that they are not working on a PC - it's a BC (Business Computer). If they had software that they wanted installed on the computer, it needed to be tested on a non-production machine, and THEN I would add it to their NAL. This might not be an efficient way of doing things in a very large network, but as the only IT person on a staff of about 600 people with 350 desktops, it's worked for ME.

    Tom Dalton

    Great list!

    I won't echo the hundreds of great suggestions already out there, but thought I'd add a couple that we're seeing problems with:

    • n-case.exe (a variant of a program already submitted)
    • ezluu.exe (SurferBar)
    • sfbar.exe (another piece of the SurferBar)
    • mwsoemon.exe (the MyWebSearch toolbar)
    • sysupd.exe (a dialer program -- another bad one)

    For some reason, everyone in our company is a sucker for these search bars. We keep telling them, only Google and Yahoo! But they keep installing other ones.

    Oh well. Maybe we can stop them, finally, with this. :o)

    Alan Wells

    My list from School:

    Games:

    1320v151S.exe
    3footninja2.exe
    anman.exe
    B&ARROW.EXE
    BF1942Demo.exe
    bubble trouble.exe
    caste defender.exe
    cbdemo.exe
    cg.exe
    counterstrike2d.exe
    DESKTOP.EXE
    DESKTOPX.EXE
    DESKTOP_X.EXE
    Doom95.exe
    Drag Racer 3.exe
    dragracer.exe
    elma.exe
    et.exe
    fightr2.exe
    fms.exe
    fpupdate.exe
    gsarcade.exe
    if2.exe
    if2_v19.exe
    if2_v19c_Setup.exe
    madness.exe
    Mario.exe
    n_v14.exe
    nester.exe
    pacman.exe
    pacman2.exe
    pacmania.exe
    pclock.exe
    pikachu.exe
    pinball.exe
    prjcargame.exe
    project64.exe
    project64_1.6.exe
    ptanks.exe
    q3ademo.exe
    quake 3.exe
    quake3.exe
    quake3demo.exe
    sierraup.exe
    sliders.exe
    snood.exe
    spider.exe
    visualboyadvance.exe
    WALIENS.EXE
    winkawaks.exe
    Worm Wars IV.exe
    yetisports5.exe

    ScreenSavers:

    virtua1.exe
    virtua2.exe
    Virtuagirl2.exe

    I have created a small batch file that is delivered via ZENworks hidden (delivery and the execution). The files are distributed to the c:\windows directory via ZENworks and then the following script runs to detect and kill the game. It then emails the Dean of Studies at the school and shuts down the PC. Shutting down the PC discourages playing the game again. I do still have an issue with the script in that if the game taskname is separated by a space the task is not killed, as the task 'bubble trouble.exe' makes the variable 'bubble'.

    I am also working on a banned.txt list to detect unwanted applications running on staff PCs which will email once detected.

    c:
    cd \windows
    REM Hide the support files delivered by ZENworks
    attrib +H banned.txt
    attrib +H games.txt
    attrib +H blat.*
    attrib +H detector.bat

    :start
    REM Check the task list every 30 seconds
    sleep 30
    tasklist /V >c:\windows\tasklist.txt
    REM detect.txt starts with four header lines: user, computer, time, date
    Echo %NWUSERNAME% >c:\windows\detect.txt
    Echo %COMPUTERNAME% >>c:\windows\detect.txt
    time /t >>c:\windows\detect.txt
    date /t >>c:\windows\detect.txt
    REM The same search runs three times, so one running game adds three lines
    findstr /G:c:\windows\games.txt c:\windows\tasklist.txt >>c:\windows\detect.txt
    findstr /G:c:\windows\games.txt c:\windows\tasklist.txt >>c:\windows\detect.txt
    findstr /G:c:\windows\games.txt c:\windows\tasklist.txt >>c:\windows\detect.txt
    REM Jump to :games if any line is left after skipping the first five
    FOR /F "skip=5" %%1 IN (c:\windows\detect.txt) DO goto games

    goto start

    :games
    REM Default FOR /F tokenising keeps only the text before the first space
    FOR /F "skip=5" %%i IN (c:\windows\detect.txt) DO set game=%%i
    taskkill /F /IM %game%

    sleep 3
    REM Mail the detection report, then restart the workstation
    c:\windows\blat c:\windows\detect.txt -to mail@domain.com.au -f egames-detected@domain.com.au -s "**** Games Detected ****" -server 10.0.2.40
    shutdown -r -t 10 -c "Detected Banned Application...shuting down computer...Email notification sent!"

    goto end

    :end
    Echo why did I get here?

    David White

    When trying to track down spyware / adware on client PCs I have found it useful to compile the following list of "valid" system processes. It helps to quickly dismiss valid processes from task manager / Hijack This etc and concentrate on investigating rogue processes. I have included other non-Novell processes, for example Windows 2000 OS processes and application processes in use in our environment.

    Most of the descriptions were taken from www.processlibrary.com and similar sites.

    Hope this is of use.

    Securelogin:

    CAPTAINHOOK.EXE
    COMBROKER.EXE or COMBRO~1.EXE
    PROTO.EXE

    Other Novell:

    CLNTRUST.EXE This is a program that allows the name of the user to be submitted with each Web request. Without clntrust.exe running, this information will not be submitted. As far as the proxy server is concerned, no one is logged-in.

    DPMW32.EXE dpmw32.exe is a part of the Novell Client. This process runs in the background and allows the computer to access NDPS print servers and assist in access to Netware security features.

    GSW32.EXE Graphics server for Border manager in NW Admin32

    NALDESK.EXE Allows NAL explorer and NAL to run locally

    NALNTSRV.EXE NAL NT Service

    NALWIN32.EXE Allows NAL to run locally

    NWTRAY.EXE nwtray.exe is the tray bar process for Novell NetWare. It gives the user easy access to essential NetWare features.

    WM.EXE Novell Workstation manager. Owns WMRUNDLL.EXE process

    WMRUNDLL.EXE The function of WMRUNDLL.EXE is to act as a buffer between Workstation Manager and the helper .DLL files (WM*.DLL)

    WUOLSERVICE.EXE Novell Wake-On-LAN service

    WUSER32.EXE ZEN remote control agent

    Operating System:

    CSRSS.EXE csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

    INTERNAT.EXE internat.exe is installed with Windows and is a process providing Microsoft's multi-lingual features in Microsoft Windows. This program is important for the stable and secure running of your computer and should not be terminated.

    LSASS.EXE lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies.

    SERVICES.EXE services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

    SMSS.EXE smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

    SPOOLSV.EXE spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers.

    SVCHOST.EXE svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Use tlist utility to see which processes svchost is running.

    TASKMGR.EXE taskmgr.exe is the executable for the Windows Task Manager. It shows you the processes that are currently running on the system. This application is opened by pressing CTRL+ALT+DEL. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

    WINLOGON.EXE WinLogon.exe is the Windows NT login manager. It handles the login and logout procedures on your system. This process is an essential part of your OS and should be left alone.

    WINMGMT.EXE WinMgmt.exe is the Windows Management Instrumentation. It is used by system administrators to create Windows management scripts, for example, scripts that handle the user accounts on a server.

    Applications:

    VPTRAY.EXE VPTray.exe is the tray bar process for Norton Antivirus. It gives the user fast access to Norton Antivirus.

    DEFWATCH.EXE defwatch.exe is a part of Norton Antivirus Corporate Edition, and is responsible for monitoring the virus definition files and initiating processes to bring them up to date if they aren't.

    RTVSCAN.EXE rtvscan.exe is an executable of the Symantec Internet Security Suite. It is responsible for the execution of real-time virus-scanning in order to detect virus infected files as they enter your system. This program is important for the stable and secure running of your computer and should not be terminated.

    CAGENT32.EXE cagent32.exe is a process belonging to Centennial Discovery which monitors software licenses on the local machine for analysis.

    XFERWAN.EXE xferwan.exe is a process associated with Centennial Discovery

    HNDLRSVC.EXE hndlrsvc.exe is a process associated with Intel Alert Handler which alerts you regarding e-mails, and other options. This is a non-essential process. Disabling or enabling this is down to user preference.

    CTFMON.EXE ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar
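
Added example (not code from either contributor): triage of `tasklist /FO CSV /NH` output against a ban list and a known-good list, covering both the space-in-name problem described with the batch script above and the "dismiss valid processes" approach in this post. The sample output, the list contents and the function names are constructed for illustration; a name found on both lists, as csrss.exe is on this page, is reported as a conflict instead of being treated as a kill target.

```python
"""Sort running processes into banned / conflict / known / unknown by image name."""
import csv
import io
from collections import namedtuple

Proc = namedtuple("Proc", "image pid")

# Constructed sample of `tasklist /FO CSV /NH` output (not captured from a real PC).
# Columns: image name, PID, session name, session number, memory usage.
SAMPLE_TASKLIST = '''"smss.exe","156","Console","0","344 K"
"csrss.exe","180","Console","0","2,104 K"
"NWTRAY.EXE","912","Console","0","3,120 K"
"bubble trouble.exe","1404","Console","0","9,876 K"
"Worm Wars IV.exe","1520","Console","0","11,200 K"
"SpooI32.exe","1688","Console","0","1,532 K"
'''

# Constructed lists using names that appear on this page.
BANNED = {"bubble trouble.exe", "Worm Wars IV.exe", "pacman.exe", "csrss.exe"}
KNOWN = {"CSRSS.EXE", "SMSS.EXE", "SERVICES.EXE", "LSASS.EXE", "NWTRAY.EXE"}


def parse_tasklist(text):
    """Parse CSV task list text into Proc records.

    The csv module keeps a quoted image name such as "bubble trouble.exe"
    in one field, and copes with the comma inside "2,104 K".
    """
    procs = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue  # blank line, header row, or malformed record
        procs.append(Proc(row[0], int(row[1])))
    return procs


def triage(text, banned, known):
    """Return a dict of Proc lists keyed by banned, conflict, known, unknown.

    Names are compared case-insensitively. A name on both lists goes to
    "conflict": the name alone cannot say whether it is the system binary,
    so it must be checked by path or by other means before any action.
    """
    banned = {name.lower() for name in banned}
    known = {name.lower() for name in known}
    result = {"banned": [], "conflict": [], "known": [], "unknown": []}
    for proc in parse_tasklist(text):
        name = proc.image.lower()
        if name in banned and name in known:
            bucket = "conflict"
        elif name in banned:
            bucket = "banned"
        elif name in known:
            bucket = "known"
        else:
            bucket = "unknown"
        result[bucket].append(proc)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_TASKLIST, BANNED, KNOWN)
    for bucket in ("banned", "conflict", "unknown", "known"):
        for proc in report[bucket]:
            print(f"{bucket:8} pid={proc.pid:<5} {proc.image}")
```

Acting on the PID from the "banned" bucket avoids quoting the image name at all; everything in "unknown" is what remains to investigate.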

    Scott A. Murray

    zango.exe and zangoinstaller.exe

    We found them to be the hottest IM app in our schools these days.

    John N. Shaw

    Here's my list - the majority of these are not in your list. The list is entirely P2P apps and only P2P apps, which I use when mothers are paranoid about their children's potential for lawsuits, (and they are sick of paying me to remove the malware from their systems too.) Save as a .reg file and merge on each user account. The list appears twice as I always get the .DEFAULT hive so new accounts created will also have the same restrictions.

    Thanks to your list, my list will double :D

    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "DisallowRun"=dword:00000001
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
    "1"="abc.exe"
    "2"="ares.exe"
    "3"="areslite.exe"
    "4"=" azureus.exe"
    "5"="bearshare.exe"
    "6"="bitcomet.exe"
    "7"="bitspirit.exe"
    "8"="bt lite.exe"
    "9"="btdownloadgui.exe "
    "10"="dcplusplus.exe"
    "11"="dcpro.exe"
    "12"="dietk.exe"
    "13"="edonkey2000.exe"
    "14"="emule.exe"
    "15"="es5.exe"
    "16"="fastmp3search.exe"
    "17"="filecroc.exe"
    "18"="freenet.exe"
    "19"="freewirelauncher.exe"
    "20"="grokster.exe"
    "21"="imesh.exe"
    "22"="kazaa.exe"
    "23"="kazaaghost.exe"
    "24"="kazza.exe"
    "25"=" kiwialpha.exe"
    "26"="limewire.exe"
    "27"="lordofsearch.exe"
    "28"="morpheus.exe"
    "29"="morphexe.exe"
    "30"="mp3 music search.exe"
    "31"="odc.exe"
    "32"="onemx.exe"
    "33"="phantomdc.exe"
    "34"="phex.exe"
    "35"="piolet.exe"
    "36"="rockitnet.exe"
    "37"="sdch.exe"
    "38"="slsk.exe"
    "39"="strongdc.exe"
    "40"="swapperstarter.exe"
    "41"=" trustyfiles.exe"
    "42"="ttorrent.exe"
    "43"="twister.exe"
    "44"="warez.exe"
    "45"="wwwfilesharepro.exe"
    "46"=" xolox.exe"
    "47"="zultrax.exe"
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "DisallowRun"=dword:00000001
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
    "1"="abc.exe"
    "2"="ares.exe"
    "3"="areslite.exe"
    "4"="azureus.exe"
    "5"="bearshare.exe"
    "6"=" bitcomet.exe"
    "7"="bitspirit.exe"
    "8"="bt lite.exe"
    "9"="btdownloadgui.exe"
    "10"="dcplusplus.exe"
    "11"="dcpro.exe "
    "12"="dietk.exe"
    "13"="edonkey2000.exe"
    "14"="emule.exe"
    "15"="es5.exe"
    "16"="fastmp3search.exe"
    "17"="filecroc.exe"
    "18"="freenet.exe"
    "19"="freewirelauncher.exe"
    "20"="grokster.exe"
    "21"="imesh.exe"
    "22"=" kazaa.exe"
    "23"="kazaaghost.exe"
    "24"="kazza.exe"
    "25"="kiwialpha.exe"
    "26"="limewire.exe"
    "27"="lordofsearch.exe "
    "28"="morpheus.exe"
    "29"="morphexe.exe"
    "30"="mp3 music search.exe"
    "31"="odc.exe"
    "32"="onemx.exe"
    "33"="phantomdc.exe"
    "34"="phex.exe"
    "35"="piolet.exe"
    "36"="rockitnet.exe"
    "37"="sdch.exe"
    "38"=" slsk.exe"
    "39"="strongdc.exe"
    "40"="swapperstarter.exe"
    "41"="trustyfiles.exe"
    "42"="ttorrent.exe"
    "43"="twister.exe "
    "44"="warez.exe"
    "45"="wwwfilesharepro.exe"
    "46"="xolox.exe"
    "47"="zultrax.exe"

    Here are some additions that I've recently discovered from your list and other places, so some aren't on your list yet. Sorry for the redundancy but I already sorted them and don't feel like separating the ones that aren't on your list from the ones that are. I'll add them to my file later. Again, all are P2P:

    AGSATELLITE.EXE
    AGSATELLITE609.EXE
    AUDIOMP3FIND.EXE
    BADBLUE.EXE
    BLACKWIDOW.EXE
    BO1HELPER.EXE
    BUDDY.EXE
    BWWEBLOADER.EXE
    CLIENT*.EXE
    CLIENT4.EXE
    CLUSTONE.EXE
    COMBACKCONSOLE.EXE
    CRAPSTER.EXE
    DECONPRO.EXE
    DIRECTCONNECT.EXE
    DSERVER.BAT
    DSHARE.BAT
    EVOLUTION.EXE
    EVOLVER.EXE
    FILEFURY.EXE
    FILEMINER.EXE
    FILENAVIGATOR.EXE
    FILESHARE.EXE
    FILETOPIA.EXE
    FILEZILLA.EXE
    FLOCATOR.EXE
    GDONKEY.EXE
    GNEWTELLA.EXE
    GNOTELLA.EXE
    GNUCLEUS.EXE
    GPEER.EXE
    GTL POLIANE.EXE
    HLCLIENT*.EXE
    IMESHCLIENT.EXE
    JITZUSHARE.EXE
    KAST.EXE
    KMD.EXE
    KPP.EXE
    LOCATOR.EXE
    MADSTER.EXE
    MEDIAGRAB.EXE
    MEDIASEEK.EXE
    MMOD.EXE
    MOJO NATION.EXE
    MP3 SWAPPER.EXE
    MP3EASYKL.EXE
    MP3FINDER.EXE
    MP3STARSEARCH.EXE
    MP3WOLF.EXE
    MYNAPSTER.EXE
    MYSTER.EXE
    NAMSTER.EXE
    NAPSTER.EXE
    NEONAPSTER.EXE
    NOVA.EXE
    OVERNET.EXE
    OVERNET053.EXE
    P2P NETWORKING.EXE
    PINPOST.EXE
    PIOLET.EXE
    PLEBIO.EXE
    PLINK.EXE
    QT2.EXE
    QTRAX.EXE
    QUEUEMANAGER.EXE
    RIDEWAY.EXE
    RIFFSHARE.EXE
    SHANKSTER.EXE
    SHAREAZA.EXE
    SLAVANAP.EXE
    SMIRK.EXE
    SNATCHIN.EXE
    SONGSPY.EXE
    SOULSEEK.EXE
    SPLOOGE.EXE
    SWAPNUT.EXE
    SWAPPER.EXE
    SWAPTOR.EXE
    TESLA.EXE
    THE BRIDGE.EXE
    TOADNODE.EXE
    URLBLAZE.EXE
    WEBSHAREIT.EXE
    WEBVACUUMFREE.EXE
    WINMX.EXE
    WIPPIT.EXE
    WRAPSTER.EXE
    WRAPSTER*.EXE
    XSC*.EXE
    ZPOC.EXE

    Btw, what a great idea for the list. It's exactly what I was hoping to find and I hope I have helped with the additions!

    Russell Seibert
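
Merging additions like these into a numbered DisallowRun block, as an added example that is not part of the post above or of its author's file. It trims stray spaces, drops duplicates, renumbers the values, and sets wildcard patterns aside on the assumption that DisallowRun compares whole file names and does not expand `*`. The function names, the REGEDIT4 header and the sample entries are constructed for illustration.

```python
import re

# Matches one numbered value line of a DisallowRun block, e.g. "7"="name.exe"
VALUE_RE = re.compile(r'^\s*"(\d+)"\s*=\s*"(.*)"\s*$')
POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed samples that reuse a few names from the lists above.
SAMPLE_REG = '"1"=" kazaa.exe"\n"2"="piolet.exe"\n"3"="twister.exe "\n'
SAMPLE_ADD = ["PIOLET.EXE", "WINMX.EXE", "WRAPSTER*.EXE", "WINMX.EXE"]

def parse_entries(reg_text):
    """Return the file names held in the numbered values of a .reg fragment."""
    matches = (VALUE_RE.match(line) for line in reg_text.splitlines())
    return [m.group(2) for m in matches if m]

def merge(existing, additions):
    """Normalise and de-duplicate; return (exact_names, wildcard_patterns)."""
    seen, exact, patterns = set(), [], []
    for raw in list(existing) + list(additions):
        name = raw.strip().lower()      # stray spaces would never match a file name
        if not name or name in seen:
            continue
        seen.add(name)
        # Assumption: DisallowRun has no wildcard support, so patterns are
        # reported separately instead of being written into the policy.
        (patterns if "*" in name or "?" in name else exact).append(name)
    return exact, patterns

def render(exact, hive=r"HKEY_USERS\.DEFAULT"):
    """Build the .reg text: the enabling DWORD plus sequentially numbered names."""
    lines = ["REGEDIT4", "",
             f"[{hive}\\{POLICY}]", '"DisallowRun"=dword:00000001', "",
             f"[{hive}\\{POLICY}\\DisallowRun]"]
    lines += [f'"{i}"="{name}"' for i, name in enumerate(exact, 1)]
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    names, skipped = merge(parse_entries(SAMPLE_REG), SAMPLE_ADD)
    print(render(names))
    print("Needs another mechanism (wildcards):", skipped)
```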

    I think you may be approaching this the wrong way. As an administrator of a school district with a large number of PCs, I don't block any apps. I found it much easier to allow specific apps through policies. There are far too many apps that you would have to block that people can get to or bring in. (Games, messaging, peer to peer, etc.) As administrators we all know what is supposed to be on the end users' PCs. ZFD policies already have this built in. You just need to populate it. It takes a little time to gather all your apps but once you're done you don't have to mess with it anymore. If an end user comes to you and says they need something to run you just add it to your policy, and distribute the app through ZEN to the users that need it. I know there is a hole with running this through policies, but that same hole exists with banning apps. I have found this to work much better than trying to ban what is not supposed to be there in the first place. If it is not supposed to be there don't let it run.

    Billy Stokes

    We currently have a list of .exe files we don't want users to have easy access to. As of now, we simply move these .exes to a folder we create, so they are not in the System Path. We do not have ZfD 4 yet, but are planning to upgrade shortly; at that point we will test this list with RPM. There may be some in here that admins might not want to ban through RPM; or it would be nice if, through RPM, you could grant certain users the rights to run the banned apps.

    At.exe
    Calcs.exe
    Cmd.exe
    Cscript.exe
    ftp.exe
    tftp.exe
    regedit.exe
    regedit32.exe
    runas.exe
    nbtstat.exe
    telnet.exe
    net.exe

    Here are some other .exes that we all-out ban:

    • aim.exe -- AOL Instant Messenger
    • itunes.exe -- iTunes
    • kazaa.exe -- Kazaa
    • LimeWire.exe -- Limewire
    • msmsgs.exe -- MSN Messenger
    • viewmgr.exe -- Malware component of Viewpoint Media Player (can be installed with AOL Instant Messenger)
    • *VNC*.exe -- Anything VNC (Real, Tight, etc.)

    Karl Reischl

    Google Desktop - especially since it will scan network drives and store it on the Google servers.

    Chris Harwood

    In response to your thread of creating an ever-increasing application list that an organization might want to block, I have this to offer:

    Because the list of applications an organization may want to block seems to be ever-increasing due to the constant development of "unwanted" applications, our organization has taken the approach of allowing ONLY applications that are allowed to be run. Further, we have ensured that EACH INDIVIDUAL workstation has its own, unique exception list for only those applications allowed on that particular PC. Because there is not one global exceptions list containing all executables, this further limits the ability for users to run applications which are allowed on another PC in the event that they are able to obtain and load the software. In our medical environment of 4500+ computers and 700 or so applications, creating a list of approved executables and distributing them to every computer would defeat our desire to allow ONLY those needed on EACH particular workstation.

    SOLUTION: We have therefore incorporated within each application object the necessary exceptions required to run that application and any needed modules. Consequently, the exception list of a PC is populated for an application during the distribution of that application.

    This has become a fairly simple task with the tools we have developed for our NAL developers. One, dubbed "Rogue Stamper" will scan an .axt file for needed executables and automatically compile a .reg file with required ALLOWED exceptions. This registry file is then simply imported into the NAL object, ready for distribution. Better, it can be called for importation as a Pre-launch script in order to re-distribute every time. This would simplify adding additional or missed executables since the version stamp of the NAL wouldn't have to change (thus re-distributing the ENTIRE application). MSI applications are handled by the Rogue Stamper as well, allowing the developer to browse to directories (locally or networked) in order to scan for executables in the directory and sub-directories in order to compile the .reg file. All files' Original Filename are checked and used if different from the actual filename.

    If you have any questions you may contact Chris at harwoodc@trinity-health.org
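
The Original Filename check described in the post above, as an added example; it is not the Rogue Stamper tool, whose code does not appear on this page. It builds a per-directory allow list keyed on the name embedded in each executable's version resource, so a renamed copy still resolves to its internal name. The byte-scan heuristic (instead of walking the PE resource tree), the function names and the `fake_exe` test input are assumptions made for illustration, and the output is a plain list of names because the page does not give the registry layout of the exception list.

```python
import os
import struct

# Key of the version-resource String entry, as stored in the file (UTF-16LE).
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"

def original_filename(data):
    """Return the OriginalFilename embedded in an executable's bytes, or None.

    Heuristic: scans for the key instead of walking the PE resource tree.
    """
    pos = data.find(KEY)
    if pos < 6:                      # key absent, or no room for the 6-byte header
        return None
    start = pos + len(KEY)           # header (6) + key (34) = 40, already 32-bit aligned
    end = start
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2                     # value is a NUL-terminated UTF-16LE string
    name = data[start:end].decode("utf-16-le", errors="replace").strip()
    return name or None

def effective_name(path):
    """Name to put on the list: the embedded one if present, else the on-disk one."""
    with open(path, "rb") as fh:
        internal = original_filename(fh.read())
    return (internal or os.path.basename(path)).lower()

def allowed_names(root):
    """Walk a directory tree and return the sorted allow list for its .exe files."""
    names = set()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".exe"):
                names.add(effective_name(os.path.join(dirpath, fn)))
    return sorted(names)

def fake_exe(internal):
    """Constructed test input (not a real PE): one String entry after a 64-byte stub."""
    value = internal.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<HHH", 6 + len(KEY) + len(value), len(value) // 2, 1)
    return b"MZ" + b"\x00" * 62 + header + KEY + value
```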


    Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

    © 2014 Novell