声明:
Declaration:
由于网络中的病毒virus/malware等存在随时变异或者对应多种感染方式等情况,本文所针对的处理方法仅针对本次样本负责,个人如有误操作,后果自负。如需帮助,可以关注我的公众号(我在全球村)然后回复关键词:”加微信“ 获取我的微信号,或通过文末二维码添加messager联系我!
Because the virus/malware in the network is mutated at any time or corresponds to multiple infection methods, the processing method targeted in this paper is only responsible for this sample. If the individual has misoperation, the consequences are at your own risk. If you need help, you can follow my public account (MyGlobalVillage) and then reply to the keyword: "Add WeChat" to get my WeChat ID, or contact me via the messager QR code at the end of the post!
现象
Phenomenon:
最近协助移除恶意插件时,遇到一些网友反馈移除清理不干净的情况,并说右键菜单或者Chrome浏览器出现了“由贵单位管理(Managed by your organization)“的选项,感觉是莫名其妙,而且清理后,主页没有被自动恢复,哎,看来生产恶意软件的人又开始利用浏览器的漏洞了!经过一天的折腾捣鼓,终于搞清楚了来由和解决方法,现写出来留给需要的人尝试!
When assisting in the removal of malicious plug-ins recently, I encountered some netizens' feedback that the removal and cleaning was not clean, and said that the "Managed by your organization" option appeared in the right-click menu or Chrome browser. And after cleaning, the homepage was not automatically restored. Hey, it seems that the people who produced the malware started to use the browser's loopholes again! After a day of tossing, I finally figured out the reason and solution, and now write it down for those who need it!
很多谷歌浏览器用户发现设置选项多了一个提示由贵单位管理,论坛上有很多人反馈,并且寻求移除的方法。
Many Google Chrome users find that the setting option has an additional reminder managed by your organization, and many people on the forum have feedback and seek ways to remove it.
如何确定自己的电脑有没有发生类似的情况呢?
How can I determine if something similar has happened to my computer?
其实很简单,一个是看Chrome 右上角菜单选项中是否有该选项.
It ’s actually very simple, one is to see if it is available in the menu option in the upper right corner of Chrome.
或者浏览器中输入:chrome://management/
Or enter in your browser: chrome: // management /
被接管时是:
When it taken over:
未被接管时是:
When not taken over:
分析
Analysis:
如果是企业用户遇到这个通知可能还能理解但不少个人用户也遇到这种情况,使用的并非谷歌浏览器企业版。同时遇到这个问题的不仅仅是国内网友而是全球网友都遇到了,谷歌官方已经发布声明解释(见下文 “Managed by your organization” messages)。
If this notice is encountered by business users, it may be understood, but many individual users also encounter this situation, not using Google Chrome Enterprise Edition. At the same time, not only domestic netizens but global netizens who encountered this problem encountered Google ’s official statement statement (see “Managed by your organization” messages below).
先来看看谷歌对该功能的官方定义:
Let's take a look at Google's official definition of this feature:
对与公司电脑来说,如果你们公司部署了策略,比如添加了一些重要的内网站点到书签里。那么不要试图取消,应该公私分明。
对于家庭或个人电脑,第三方软件却将这个功能乱用,设置企业策略应用到了个人的电脑,导致浏览器显示:“浏览器有所属组织管理”。
绝大多数情况下,这些策略是安全的,比如一个第三方软件是不需要使用企业策略的,但是有些第三方软件可能有特殊目的所以会添加企业策略。例如诸如LastPass这类密码管理器可能就会触发这类策略,导致用户在浏览器里看到由贵单位管理相关字样。
同时有些第三方软件没有明说目的但也会使用企业策略,而且恰好这种情况被恶意劫持类软件看上了,简直是如虎添翼,让人删直呼删不掉,移除不掉,包含很多昂贵的杀毒软件也没能清理掉,有试过的同学应该都知道。
谷歌浏览器打开Chrome://policy,你会看到哪些策略在Chrome里被启用了。比如你的密码管理扩展或者其他被信任的程序启用的策略。
For corporate computers, if your company has a strategy in place, such as adding some important intranet sites to bookmarks. Then don't try to cancel it. It should be clearly public and private.
For home or personal computers, third-party software uses this function arbitrarily, setting corporate policies to personal computers, causing the browser to display: "The browser is managed by its organization."
In most cases, these policies are secure. For example, a third-party software does not need to use enterprise policies, but some third-party software may have special purposes and therefore add enterprise policies. For example, password managers such as LastPass may trigger this type of policy, causing users to see related words managed by your organization in the browser.
At the same time, some third-party software does not have a clear purpose but also uses corporate policies, and this happens to be seen by malicious hijacking software. It is really powerful, making it impossible to remove, not to remove, including many expensive The anti-virus software has not been cleaned up. Students who have tried it should know it.
Open Chrome: // policy in Google Chrome and you will see which policies are enabled in Chrome. Such as your password management extension or other policies enabled by trusted programs.
其中一个网友同学的策略如下:
The strategy of one of the netizens is as follows:
导出来的json文件类似如下:
The exported json file is similar to the following:
{"chromeMetadata": {"OS": "macOS 版本 10.13.6(版号 17G11023)","application": "Google Chrome","revision": "fcea73228632975e052eb90fcf6cd1752d3b42b4-refs/branch-heads/3987@{#974}","version": "80.0.3987.132 (正式版本) (64 位)"},"chromePolicies": {"DefaultSearchProviderEnabled": {"level": "recommended","scope": "machine","source": "platform","value": true},"DefaultSearchProviderName": {"level": "recommended","scope": "machine","source": "platform","value": "SearchMine"},"DefaultSearchProviderNewTabURL": {"level": "recommended","scope": "machine","source": "platform","value": "https://www.searchmine.net/search/?asset=hp&wtguid=59730897629213944&wtmacid=692cb6d70138b337cc4092a0d10777eb&wtsrc=8291&wtdt=031420&wtbr=1&wtpl=10.13.6.0&v=6.0"},"DefaultSearchProviderSearchURL": {"level": "recommended","scope": "machine","source": "platform","value": "https://www.searchmine.net/search/?asset=ds&wtguid=59730897629213944&wtmacid=692cb6d70138b337cc4092a0d10777eb&wtsrc=8291&wtdt=031420&wtbr=1&wtpl=10.13.6.0&v=6.0&q={searchTerms}"},"HomepageIsNewTabPage": {"level": "recommended","scope": "machine","source": "platform","value": true},"HomepageLocation": {"level": "recommended","scope": "machine","source": "platform","value": "https://www.searchmine.net/search/?asset=hp&wtguid=59730897629213944&wtmacid=692cb6d70138b337cc4092a0d10777eb&wtsrc=8291&wtdt=031420&wtbr=1&wtpl=10.13.6.0&v=6.0"},"NewTabPageLocation": {"level": "recommended","scope": "machine","source": "platform","value": "https://www.searchmine.net/search/?asset=hp&wtguid=59730897629213944&wtmacid=692cb6d70138b337cc4092a0d10777eb&wtsrc=8291&wtdt=031420&wtbr=1&wtpl=10.13.6.0&v=6.0"}},"extensionPolicies": {"kbfnbcaeplbcioakkpcpgfkobkghlhen": {}}
}
我们可以看到其中某几个字段很显然已经被曾经安装的插件修改了,但是用户又无法通过其展示的页面和选项进行修改删除,这样的结果就是即使你移除了本地和浏览器的插件,但是这个配置仍会生效,依然没有释放你的主页和后续新窗口的默认搜索引擎!
处理方法:
Approach:
好了,下面来讨论移除方法(针对Mac OS):
We can see that some of these fields have obviously been modified by the plug-ins that have been installed, but users cannot modify and delete the pages and options displayed by them. The result is that even if you remove the local and browser plug-ins , But this configuration will still take effect, the default search engine for your homepage and subsequent new windows is still not released!
Well, let's discuss the removal method (for Mac OS):
1)首先,你得关闭Chrome的云同步和退出当前登录账号,防止修改和移除的数据被自动同步回来;
退出方法:
First of all, you have to turn off Chrome ’s cloud sync and log out of the current login account to prevent the modified and removed data from being automatically synced back;
Exit method:
您可以从Chrome退出Google帐户。
1.在计算机上,打开Chrome。
2.在右上角,单击“配置文件退出”。
如果您打开了同步功能,则可以将其关闭。这也将使您退出Gmail等Google帐户服务。
1.在计算机上,打开Chrome。
2.单击右上角的“配置文件同步到[电子邮件]”。
3.在“人员”下,单击“关闭”,然后单击“关闭”。
注意:如果您在Chrome中打开了同步功能,并退出了Gmail之类的Google服务,那么您也将退出Chrome。这将暂停同步,直到您使用同一帐户重新登录。
关闭Chrome登录通过Gmail之类的服务登录Google帐户后,您将自动登录Chrome。如果您不想登录Chrome或打开同步功能,则可以更改设置。
1.在计算机上,打开Chrome。
2.单击右上角的“其他设置”。
3.在“隐私和安全性”下,关闭“允许Chrome登录”。
*如果您在Chrome中打开了同步功能,则关闭此设置也会关闭同步功能。You can sign out of your Google Account from Chrome.
On your computer, open Chrome.
At the top right, click Profile
Sign out.
If you have sync turned on, you can turn it off. This will also sign you out of your Google Account services, like Gmail.
On your computer, open Chrome.
At the top right, click Profile
Syncing to [email].
Under "People," click Turn off
Note: If you turned sync on in Chrome and sign out of a Google service, like Gmail, you'll also be signed out of Chrome. This will pause sync until you sign back in with the same account.
Turn off Chrome sign-in
When you sign in to your Google Account, through a service like Gmail, you’ll be automatically signed in to Chrome. If you don’t want to ever sign in to Chrome or turn sync on, you can change your settings.
On your computer, open Chrome.
At the top right, click More
Settings.
Under "Privacy and security," turn off Allow Chrome sign-in. If you turned sync on in Chrome, turning off this setting will also turn off sync.
2)关闭浏览器,通过系统给的接口,移除相关profile配置
Close the browser and remove the related profile configuration through the interface provided by the system
/usr/bin/profiles -D -f3)关闭浏览器,通过Chrome的接口,移除相关配置:
Close the browser and remove the related configuration through the interface of Chrome:
sudo defaults delete com.google.Chrome HomepageIsNewTabPage
sudo defaults delete com.google.Chrome NewTabPageLocation
sudo defaults delete com.google.Chrome HomepageLocation
sudo defaults delete com.google.Chrome DefaultSearchProviderEnabled
sudo defaults delete com.google.Chrome DefaultSearchProviderSearchURL
sudo defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
sudo defaults delete com.google.Chrome DefaultSearchProviderName4,这样之后,再重启电脑,重置浏览器,一般都能解决上述问题了啦!解决后的chrome://policy/ 显示的干干干净,如下:
After that, restarting the computer and resetting the browser can usually solve the above problems! The resolved chrome: // policy / is displayed as follows:
通过上述方法一般都能解决删除恶意软件之后,Chrome主页不能被重置的问题,感兴趣的可以试试哈!
The above method can generally solve the problem that the Chrome home page cannot be reset after removing the malware. Those who are interested can try it!
顺便说下Windows的解决办法:
下载后管理员权限运行
https://download.csdn.net/download/julius_lee/12253192
或者通过删除注册表进行移除;
1.在浏览器访问这个:Chrome://policy,会看到政策名为EnabledPlugins
2.按win+R:输入:%systemroot%\syswow64\regedit,跳转到注册表编辑器
3.按Ctrl+F,查找政策名为EnabledPlugins的目录,然后右键删除
4.重启Chrome,由贵单位管理消失
By the way Windows solutions:
Run with administrator rights after download
https://download.csdn.net/download/julius_lee/12253192
Or remove it by deleting the registry;
1. Visit this in your browser: Chrome: // policy, you will see the policy named EnabledPlugins
2. Press win + R: Enter:% systemroot% \ syswow64 \ regedit, jump to the registry editor
3. Press Ctrl + F, find the directory named EnabledPlugins, and right-click to delete
4.Restart Chrome, disappeared by your organization management
忠告:
Advice:
1,苹果电脑要更新和下载软件尽量去App Store,其他浏览器突然弹出的说电脑有问题或者软件需要更新,都尽量不要点!!!!
2,电脑设置中安全设置,选项选择只安装认证过的软件!!!
3,要使用破解版软件,就必须做好被安装广告和恶意插件的心理准备!
1, Apple computer to update and download software as far as possible to the App Store, other browsers suddenly pop up saying that the computer has a problem or the software needs to be updated, try not to point! ! ! !
2, the security settings in the computer settings, the option to choose only installed certified software! ! !
3. To use the cracked version of software, you must be mentally prepared to install advertisements and malicious plug-ins!
如果觉得本文对你有帮助,那就赞一个或者评论一个吧,您的支持是我继续前进的动力!
If this article is helpful to you, please click like or comment on it. Your support is my motivation to move forward!
