{"id":17660,"date":"2020-02-06T11:10:17","date_gmt":"2020-02-06T19:10:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/02\/06\/news-11395\/"},"modified":"2020-02-06T11:10:17","modified_gmt":"2020-02-06T19:10:17","slug":"news-11395","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/02\/06\/news-11395\/","title":{"rendered":"Adware.Adposhel takes over your web push notifications administration"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Thu, 06 Feb 2020 18:10:02 +0000<\/strong><\/p>\n

Since late last year our researchers have been monitoring a new method concerning web push notifications<\/a> being deployed by an adware family detected by Malwarebytes as Adware.Adposhel<\/a>.<\/p>\n

What does Adware.Adposhel change?<\/h3>\n

The adware uses Chrome policies to ensure that notification prompts will be shown and add some of their own domains to the list of sites that are allowed to push web notifications. So far not very new. The recent twist however is that it enforces these settings as an administrator. This is done so the regular Chrome user will not be able to change the settings in the Notifications menu.<\/p>\n

It seems they have now decided to fully deploy this tactic as we are seeing complaints about it emerging on computer forums and Reddit. <\/p>\n

Victims will complain about being unable to remove domains from the list of domains that are allowed to show web push notifications and being unable to change the setting that controls whether websites can ask you to allow notifications.<\/p>\n

\"default<\/figure>\n

Disabling that setting would stop a user from seeing prompts like these:<\/p>\n

\n
\"notifications<\/figure>\n<\/div>\n

If I were to click Allow<\/strong> on that prompt this domain would be added to my allow list of URLs, but with the understanding that I would be able to remove it manually in the Notifications menu. <\/p>\n

Adware.Adposhel uses the NotificationsAllowedForUrls<\/a> policy to block users from removing their entries from the Allow list. <\/p>\n

Where you would normally see the three dots (ellipsis) menu icon representing the settings menu.<\/p>\n

\n
\"settings<\/figure>\n<\/div>\n

For the entries submitted to a policy by Adware.Adposhel you will see the icon that tells you the setting is enforced by an administrator. And the accompanying text if you hover over the icon.<\/p>\n

\n
\"setting<\/figure>\n<\/div>\n

How do I undo the changes made by Adware.Adposhel?<\/h3>\n

This does not mean that you can change that setting just because you are the administrator of the system you are working on by the way. But if you are the system administrator you can fix the notifications changes made by the Adposhel installer by applying a simple registry fix:<\/p>\n

Windows Registry Editor Version 5.00  [HKEY_LOCAL_MACHINESOFTWAREPoliciesGoogleChrome] \"DefaultNotificationsSetting\"=dword:00000001  [-HKEY_LOCAL_MACHINESOFTWAREPoliciesGoogleChromeNotificationsAllowedForUrls] <\/code><\/pre>\n
This is safe to do unless there were legitimate URLs in the list of URLs that are allowed to show notifications by policy, which I doubt. But we always advise to create a backup of the registry before making any changes. <\/p>\n
                                                  Backing up Registry with ERUNT<\/strong><\/p>\n
 Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that!<\/strong><\/p>\n
 Please download ERUNT<\/a><\/strong> and save the file to the desktop.<\/p>\n