Endpoint Protection

 View Only
Back to Library

Block specific Chrome browser extensions with a SEP Application Device Control policy 

Feb 08, 2016 12:52 PM

Using ADC to block Chrome extensions

There may be situations where you wish to block end-users from utilizing a specific Google Chrome browser extension. This can be accomplished, fairly easily, via Application and Device Control in Symantec Endpoint Protection. The first part of this process is identifying not just the extension to block, but more importantly the unique ID associated with the extension. Below are the steps to find this UID and put the rule in place.

 

Find the Chrome Extension UID:

1) Open up Chrome and type in chrome://extensions in the URL bar, or go to Settings > Extensions.

2) Enable "Developer Mode" by checking the checkbox top right.

1.png

3) Open up the Chrome Web Store via the "Get more extensions" hyperlink.

2.png

4) Search for the extension(s) you wish to block.

5) Click on the "Add to Chrome" button to install the extension.

3.png

6) Confirm you wish to install by clicking the "Add extension" button in the new prompt.

7) Return to the chrome://extensions page and locate the extension in question.

8) Note that with "Developer Mode" enabled you will now see an ID: parameter. The string value listed is what we are after.

4.png

 

Create your new ADC block policy:

1) Within the SEP Manager console click on Policies then highlight Application and Device Control.

2) Either edit an existing policy or create a new one.

3) Within the policy, visit the "Application Control" section and add a new rule set.

5.png

4) Give your rule a meaningful name. (e.g. Block Chrome Extensions)

5) To the right under Properties, click "Add..." and either assign the * wildcard or the process name chrome.exe, click "OK".

6.png

6) At the bottom, under "Rules" click the "Add..." button, then "Add Condition", finally selecting "File and Folder Access Attempts".

7.png

7) Again provide a meaningful name, then click "Add..." to the right under properties.

8) For the "File or Folder Name To Match" field use the following path with the Chrome extension ID appended:

  • %systemdrive%\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
  • Alternatively, you could use an asterisk (*) wildcard in place of the extension ID to block all Chrome extensions.

9) Leave the option to "Use wildcard matching" enabled and click OK

10) At top, switch to the "Actions" tab and set the Read Attempt as well as Create, Delete or Write Attempt options to "Block access"

8_0.png

11) Additionally you can set your notification and logging options as needed.

12) Save the policy and assign to a test group to ensure that attempts to install the configured extension are blocked.

 

Things to consider:

  • Test, test and test again. ADC is a very powerful tool, but if configured incorrectly it can ruin your day.
  • Keep in mind that pre-existing extensions will not be blocked properly with this policy
  • This is meant only to prevent future extension installation.
  • Chrome users will be able to disable or delete an extension from within the browser, but the files will be left untouched on the system as ADC won't allow access.
  • The extension ID may change when it is updated on the Google Web Store, so you may have to revise or add to the block rule.
  • A similar configuration can be used with other browsers, but will require tweaking to the file/folder path and how extensions are identified.

Statistics
0 Favorited
27 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Ashish Kushwaha
Aug 05, 2019 02:15 AM

Interseting way to check google extensions. 

One different approach to control anything around Google Chrome is to use Group Policy. There you can enforce every aspect of Chrome browser to managed  domain machines. 

Blacklisting, whitelisting of extensions. selected whitelisting of plugins etc. Very effective and granular. 

refer link : https://support.google.com/chrome/a/answer/187202?hl=en

 

Irfaniffi
Aug 01, 2019 04:18 AM

@DSOLO

Thank You so much I have implemented this policy by adding exceptions of few Extensions like Zenmate but this is not working. Still, I am not being able to install Zenmate

 

DSOLO
Jan 31, 2019 04:15 PM

@Ahmed Saleem

It would depend on how you implemented this. Are you blocking by Extension ID (e.g. *\Extensions\aohghmighlieiainnegkcijnfilokake) or by wildcard (e.g. *\Extensions\*)?

If by ID, then just don't include the Extension ID for those extensions you want allowed (i.e. Acrobat, Ad Blocker, etc). However, if you are using the wildcard option, you will need to explictly exclude the ones you want. This can be done by adding the Extension IDs to not block into the "Do not apply to the following files and folders" section:

Ahmed Saleem
Jan 31, 2019 04:03 PM

Thanks for sharing this artical but i have one question i have successfully block all chrome extention's by using this policy but now i want to add exception for few extention's like Adobe Acrobat, AD Blocker etc. Your quick response will be highly appriciated.

Migration User
Jan 02, 2018 10:07 PM

Thank you for this enhancement.  I wanted to mentione that not all extensions, particularly malware show themselves in the extensions location.  You can find them here:  chrome://net-internals/#modules    (I have been fighting chrome malware for too long...

Also, if you are interested in seeing all available chrome settings/data you can access them here:  chrome://chrome-urls/

Chetan Savade
Aug 22, 2016 03:15 AM

Thanks for sharing. 

Related Entries and Links

No Related Resource entered.