Searching for Superfish using PowerShell
Lenovo shipped a piece of software that could arguably be called malware or spyware. Superfish, as this article indicates, installs its own self-signed root CA certificate into the Windows trusted root store, which means any certificate issued under it is trusted by the system. I wanted to be sure that this issue wasn’t present on any of our Lenovo systems, so I turned to PowerShell to help.
I found a copy of the certificate on Robert David Graham’s GitHub here. I pulled the thumbprint from the cert, which appears to be: c864484869d41d2b0d32319c5a62f9315aaf2cbd
Now, some simple PowerShell will walk every store under the local machine hive and tell you whether that thumbprint is installed (the -eq comparison is case-insensitive, so the lowercase hex is fine):
# -Recurse covers every LocalMachine store (Root, CA, My, ...), not just Root
Get-ChildItem -Recurse Cert:\LocalMachine\ | Where-Object { $_.Thumbprint -eq "c864484869d41d2b0d32319c5a62f9315aaf2cbd" }
You could just as easily replace the Get-ChildItem with “Remove-Item -Path Cert:\LocalMachine\Root\c864484869d41d2b0d32319c5a62f9315aaf2cbd”, but I wanted to make sure the key wasn’t installed somewhere else. Two caveats: this search only covers the LocalMachine hive, so a copy under Cert:\CurrentUser would be missed, and removing the certificate does not remove the Superfish software that installed it, which should be uninstalled as well.
Now, to take it a step further, I use the AD commandlets and some more simple PowerShell to search all my systems for it.
Import-Module ActiveDirectory
$Cred = Get-Credential
$Computers = Get-ADComputer -Filter { Enabled -eq $true } | Select-Object Name
foreach ($Computer in $Computers) {
    try {
        # -Quiet returns $true/$false instead of writing an error for unreachable hosts
        if (Test-Connection -Count 1 -ComputerName $Computer.Name -Quiet) {
            # -ErrorAction Stop turns a failed remoting connection into a catchable exception
            Write-Output (Invoke-Command -ComputerName $Computer.Name -Credential $Cred -ErrorAction Stop -ScriptBlock {
                Get-ChildItem -Recurse Cert:\LocalMachine\ | Where-Object { $_.Thumbprint -eq "c864484869d41d2b0d32319c5a62f9315aaf2cbd" }
            })
        }
    } catch {
        Write-Error ("There was an issue connecting to computer $($Computer.Name): " + $_.Exception.Message)
    }
}
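As an added example that is not part of the original post, here is the same sweep written as a reusable function. It goes beyond the one-liner above in three ways: it checks both the LocalMachine and CurrentUser hives, it returns objects (host, store path, subject, expiry) rather than raw certificate entries so the results can be exported, and it can remove matches on request while honouring -WhatIf/-Confirm. The function name, the -Remove switch, the throttle value and the CSV path are my own choices; $Cred, Get-ADComputer and Invoke-Command are used as in the post, and the thumbprint is the one quoted above.

```powershell
# Added example, not code from the original post. Searches every certificate store
# under the given hives for one thumbprint and reports each match as an object.
function Find-CertByThumbprint {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9a-fA-F]{40}$')]   # SHA-1 thumbprint, 40 hex chars
        [string]$Thumbprint,

        # Both hives: a per-user install would be missed by a LocalMachine-only search.
        [string[]]$StoreRoot = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),

        # Only delete when explicitly asked; ShouldProcess gives -WhatIf/-Confirm for free.
        [switch]$Remove
    )

    foreach ($root in $StoreRoot) {
        # -Recurse walks every logical store (Root, CA, My, ...) beneath the hive.
        # Store containers have no Thumbprint property, so they never match.
        $hits = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $Thumbprint }

        foreach ($cert in $hits) {
            $result = [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                StorePath    = ($cert.PSParentPath -replace '^.*::', '')
                Subject      = $cert.Subject
                NotAfter     = $cert.NotAfter
                Removed      = $false
            }
            if ($Remove -and $PSCmdlet.ShouldProcess($cert.PSPath, 'Remove certificate')) {
                Remove-Item -Path $cert.PSPath -ErrorAction Stop
                $result.Removed = $true
            }
            $result
        }
    }
}

# Fleet sweep. Invoke-Command fans out to many hosts in parallel itself, so the
# per-host ping loop from the post is not needed; unreachable hosts land in $failed.
$superfish = 'c864484869d41d2b0d32319c5a62f9315aaf2cbd'

# Ship the function definition to the remote sessions as text and dot-source it there.
$fnDef = "function Find-CertByThumbprint { $(${function:Find-CertByThumbprint}) }"

$computers = (Get-ADComputer -Filter { Enabled -eq $true }).Name

$results = Invoke-Command -ComputerName $computers -Credential $Cred -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable failed `
    -ArgumentList $fnDef, $superfish -ScriptBlock {
        param($def, $tp)
        . ([scriptblock]::Create($def))          # define the function in this session
        Find-CertByThumbprint -Thumbprint $tp    # add -Remove here for a remediation pass
    }

# Matches, one row per host/store; an empty file means nothing was found.
$results | Select-Object PSComputerName, StorePath, Subject, NotAfter, Removed |
    Export-Csv -Path .\superfish-scan.csv -NoTypeInformation   # path is an assumption

# Hosts that could not be scanned are the ones still to worry about.
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

Run it once without -Remove to get an inventory, then a second time with -Remove (and -Confirm:$false if you do not want a prompt per host) once you are happy with the list. Hosts that show up in the warnings rather than the CSV have not been checked at all, so track them separately rather than treating silence as clean.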
Is it perfect? No. But it gets the job done in relatively short order.