Restrict AIM with GPO now that it installs in random directory name

I installed the newest AIM on two different computers, and it installs the exe file under what looks like a folder name made up of a string of random numbers. For example, on one machine it installed itself at

c:\program files\common files\aol\1139541093\ee\aim6.exe

and on another computer the numbers were different. So I can't stop this IM from running with a standard GPO path rule. Does anyone know of any other way to stop it from running on the domain?
menreeqAsked:

LimeSMJCommented:
Instead of using the Path, create a rule using a HASH (a software fingerprint, regardless of file name or location).

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

That link shows you how.

Good luck.
LimeSMJCommented:
Oh yeah... if they update the executable (say, a different version due to an AIM upgrade), you might want to try the Registry rule also - check the same link.
menreeqAuthor Commented:
How do you figure out what the HASH is for the program?
menreeqAuthor Commented:
Ok, I got the hash thing working, but that won't work well for the reasons you already stated. So how about the registry: how do I know which registry items to block?
LimeSMJCommented:
"4. Click Browse to find a file, or paste a precalculated hash in the File hash box." <---- In your case, you would just browse to the file you do not wish users to run (the AIM executable) and press OK. The hash is created then.
LimeSMJCommented:
Oh, the path that you browse to makes no difference to the HASH, as the program just looks at the file itself and not where the file is.
LimeSMJCommented:
Oops... disregard the last comments - I didn't refresh.

The registry path restriction works almost the same way as the regular directory path restriction, in the sense that for applications that install to different directories, the registry will hold the information as to where the program was installed. For instance, AIM on my home computer looks to this registry key:

HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\AppPath

to find the directory where all of its DLLs and the other application files it needs to run are stored. In this case I would use the Registry restriction:

%HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\AppPath%

(Do not leave out the % signs).

You might want to look on your client computers to see what registry keys you have, as they MAY be different from my example. Oh, by the way... from what it looks like, AIM installs itself in different directories, but you know you can use wildcards in the path definition too, like making a rule where the path is:

C:\*\AOL\*

In that case, anything in ANY directory on C: with the folder AOL in its path will not run.

... hope this helps.
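An audit script for the two SRP approaches LimeSMJ describes above, added here as an example and not part of the thread: it reads the AppPath value quoted above, locates aim6.exe under the random-numbered folders, hashes each copy (a hash rule only matches byte-identical files, so two machines with different builds need two rules), and checks whether each path would be caught by the C:\*\AOL\* wildcard rule. The search root under Common Files, the use of SHA-1, and the existence of that registry value on any given AIM build are assumptions.

```powershell
# Added example (not from the thread): audit one client for the AIM install
# that the SRP rules need to cover. Registry key, value name and wildcard rule
# are the ones quoted in the thread; whether they exist on a given AIM build
# is an assumption.
$regKey       = 'HKCU:\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion'
$valueName    = 'AppPath'
$wildcardRule = 'C:\*\AOL\*'

# 1. What the registry path rule %HKEY_CURRENT_USER\...\AppPath% resolves to here.
$appPath = (Get-ItemProperty -Path $regKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($appPath) {
    Write-Host "AppPath resolves to: $appPath"
} else {
    Write-Host "AppPath value not found; the registry path rule would not match on this client."
}

# 2. Find every aim6.exe under the random-numbered folders. The search root
#    (C:\Program Files\Common Files\AOL, as in the question) is an assumption.
$searchRoot = Join-Path $env:CommonProgramFiles 'AOL'
$exes = Get-ChildItem -Path $searchRoot -Filter 'aim6.exe' -Recurse -ErrorAction SilentlyContinue

foreach ($exe in $exes) {
    # A hash rule keys on file content, so the folder name does not matter;
    # SHA-1 is used here only to compare copies, the SRP console records its own hash.
    $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA1).Hash
    # -like uses the same * wildcard as the path rule (an approximation of SRP matching).
    $matchesWildcard = $exe.FullName -like $wildcardRule
    $matchesAppPath  = [bool]($appPath -and
        ($exe.DirectoryName.TrimEnd('\') -eq $appPath.TrimEnd('\')))
    [pscustomobject]@{
        Path            = $exe.FullName
        SHA1            = $hash
        MatchesWildcard = $matchesWildcard
        MatchesAppPath  = $matchesAppPath
    }
}
```

Run it on each client; a row where MatchesWildcard and MatchesAppPath are both False means neither rule would stop that copy and a hash rule for that SHA-1 is the only remaining option.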
mvvinodCommented:
Can't you just block the port on the firewall with a single rule?

AIM uses port 5190. Other AOL services use ports 5191-5193.

Would it be easier to do this rather than tracking down executables?

Vinod.

menreeqAuthor Commented:
If I block the port, can I just block it to any destination IP? Is there any reason why I need to figure out the IP address AIM uses?
mvvinodCommented:
You can block it to any destination...

Your typical rule on the firewall would look like this... (not the Windows firewall... your mail gateway firewall)

Rule    Source    Destination    Service
DENY    LAN       WAN            AIM

Then you might have to define the service.

AIM = Port 5190, protocol = TCP.

Depending on the firewall, the way you do it is different, but you get the idea, right?

Vinod.
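The gateway rule above (DENY LAN -> WAN, service AIM = TCP 5190) expressed as a host-level Windows Firewall rule, added here as an example that is not from the thread; it is a second layer for laptops that leave the LAN, not a replacement for the gateway rule. It assumes clients with the NetSecurity module (Windows 8 / Server 2012 and later); the rule name is a constructed label, and login.oscar.aol.com is the AIM login host quoted later in the thread.

```powershell
# Added example, not from the thread: host-level equivalent of the gateway rule.
# Assumes the NetSecurity cmdlets are available on the client.
$ruleName = 'Block AIM outbound (TCP 5190-5193)'   # constructed label

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # 5190-5193 are the AOL ports named in the thread; RemoteAddress Any
    # mirrors the "block to * destination" choice discussed above.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 5190-5193 `
        -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
}

# Confirm the port filter was stored as intended.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# Confirm from the client side: TcpTestSucceeded should be False on port 5190
# once the rule is active (the host name is assumed to still resolve).
Test-NetConnection -ComputerName 'login.oscar.aol.com' -Port 5190 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```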
mvvinodCommented:
I'm sorry, I meant to say your MAIN firewall or gateway firewall..

Vinod.
menreeqAuthor Commented:
I have it configured and it's working, but I told it to block that port to * destination. Is there any good reason why I should limit that? Are these ports perhaps used for a legitimate purpose, so that I should discover the AIM servers and block them specifically?
mvvinodCommented:
Nope. You are fine... As far as I know only AIM uses those ports...

Unless you have a custom application, the possibilities are slim... even with custom apps, they use ports over 10,000. So you shouldn't have any problems..

Vinod.
mvvinodCommented:
Here is a list of well-defined ports for your reference...

http://www.networksorcery.com/enp/protocol/ip/ports05000.htm

You can clearly see ports 5190-5193.

Usually if it's a well-defined port, nobody will use it.

Vinod.
LimeSMJCommented:
The problem with the port blocking approach is that AIM can use port 80 (as well as any other port it can find open) to send/receive IM messages. Another problem is AIM Express (their web-based chat program), which can bypass any GPO policy and firewall port block. If you find your users using AIM Express, the only way to block that is to circumvent the web page address itself - either using a custom local hosts file or editing your DNS server to point "aimexpress.aol.com" to a blackhole IP.
mvvinodCommented:
limesmj,
Even if you block aim.exe, the web version might still run, as it doesn't use the .exe file locally but just an ActiveX control.

Also, in one network I blocked all outgoing ports except 80 and 443 and users complained that their AIM was not working... so AIM doesn't seem to automatically try port 80. I know MSN does this... but I haven't seen AIM do it... I had to open ports 5190-5193 for them to use AIM. Only then would it work..

I don't know if there is a manual configuration where you can switch, but AIM doesn't seem to do it automatically.

Vinod.
LimeSMJCommented:
You can set the port manually... or have AIM look for you.

From AIM's website:
Q: Why am I unable to connect to AIM through my company LAN? In the past, I made the connection with no problem.
A: Ask your system administrator to update login.oscar.aol.com on the LAN's DNS table. Also, ask the administrator to make sure that Port 5190 is open for outbound TCP connections. (Other ports can also be used. If your administrator decides on a different port, then you can specify it in Connection preferences.)

Also, the whole reason I mentioned the DNS block was to prevent people from even getting to the AIM Express site since the Registry HASH will be bypassed as you mentioned.

All in all... it is pretty much impossible to prevent savvy AIM users from chatting online, as in spite of all the options mentioned in this dialogue, they can always use an external proxy server and/or use programs such as Trillian to sneak past everything.
mvvinodCommented:
You can block users from enabling or entering their own proxy by group policy also...

Vinod.