Today our Websense filter identified that a user was repeatedly trying to access a proxy/VPN type site. I did some sleuthing and found that the user had installed Chrome (to her appdata directory, of course) and the Hola browser extension (in case you’re not aware, they were exposed last week as selling a VPN service that used the Hola browser extension as an exit node). Upon checking SolarWinds I could see a lot of traffic to and from various cloud CDNs, with CloudFront (AWS?) showing the most traffic.
What have your experiences been so far regarding Hola in the enterprise environment? How do you detect/block it? We’re probably going to be asked to provide a report through SCCM so I’m trying to figure out the best way to query each computer’s hardware scan in order to best identify it firmwide. Any pointers and discussion would be helpful!
Since you mention SCCM I’m assuming Windows systems. Google has group policy extensions for Chrome that let you configure allowed or disallowed extensions. You block them by their store GUID.
As far as I know this works for both enterprise deployed Chrome and if a user installs Chrome themselves.
AppLocker? Stop Chrome altogether?
Had a friend that used it a lot to watch Netflix stuff in the UK, always had a bad feeling about it, guess this is proof that I was right.
Edit: Followed up with my friend, he said he thought he uninstalled it, turns out he didn’t, and he hadn’t been using Chrome because of how slow it had been, which was odd to me. After uninstalling he said Chrome worked much better. Funny what happens when you uninstall stupid shit in your browser.
That person just wants to get their Netflix on.
Good call! It looks like the GUID is gkojfkhlekighikafcpjkiklfbnlmeio, which is also the name of the folder that you can find the Hola extension in.
I wish, but our business analysis department has whitelisted Chrome. Plus, we haven’t implemented AppLocker yet. However, we have packaged and deployed a locked-down version of Chrome to whoever requests it. Unfortunately, until we deploy AppLocker, we’re not going to be able to easily block people from installing it to their appdata directories.
We haven’t been asked to present a report yet, which is good, as SCCM doesn’t let you scan for folder names. Our best bet would be to create a PowerShell script, as you suggested.
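The folder-name check discussed above, as an added PowerShell example that is not part of the original thread: it walks every local user profile and reports each Chrome profile that contains the Hola extension folder. It assumes profiles live under %SystemDrive%\Users and that Chrome uses its default per-user paths (AppData\Local\Google\Chrome); the function name Find-ChromeExtension is hypothetical.

```powershell
# Added example: report Chrome profiles that contain a given extension folder.
# Assumptions: local profiles under %SystemDrive%\Users, default Chrome paths.
$HolaExtensionId = 'gkojfkhlekighikafcpjkiklfbnlmeio'   # extension ID quoted in the thread

function Find-ChromeExtension {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$ExtensionId,
        [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users')
    )
    $userDirs = Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue
    foreach ($userDir in $userDirs) {
        $chromeRoot = Join-Path $userDir.FullName 'AppData\Local\Google\Chrome'
        $userData   = Join-Path $chromeRoot 'User Data'
        if (-not (Test-Path -LiteralPath $userData)) { continue }

        # A self-installed Chrome lives next to the user data, not in Program Files.
        $perUserExe = Join-Path $chromeRoot 'Application\chrome.exe'

        # Each Chrome profile (Default, Profile 1, ...) has its own Extensions folder.
        $chromeProfiles = Get-ChildItem -LiteralPath $userData -Directory -ErrorAction SilentlyContinue
        foreach ($chromeProfile in $chromeProfiles) {
            $extDir = Join-Path $chromeProfile.FullName "Extensions\$ExtensionId"
            if (-not (Test-Path -LiteralPath $extDir)) { continue }

            # Subfolders of the extension folder are the installed versions.
            $versions = @(Get-ChildItem -LiteralPath $extDir -Directory -ErrorAction SilentlyContinue)
            $newest   = $versions | Sort-Object LastWriteTime | Select-Object -Last 1

            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                User          = $userDir.Name
                ChromeProfile = $chromeProfile.Name
                ExtensionId   = $ExtensionId
                Versions      = ($versions.Name -join ';')
                LastWritten   = $newest.LastWriteTime
                PerUserChrome = (Test-Path -LiteralPath $perUserExe)
                Path          = $extDir
            }
        }
    }
}

# One object per affected Chrome profile; no output means nothing was found.
Find-ChromeExtension -ExtensionId $HolaExtensionId
```

Run it elevated (or as SYSTEM) so other users' profile folders are readable; without that, inaccessible profiles are silently skipped and the result can be a false negative.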
They’re not going to be using my company’s network as their VPN exit node on my watch.
This is an HR problem really. If this is a clear violation of the employment contract then fire them and make an example.
You don’t need AppLocker. Just set up a software restriction policy, %AppData%\*\Chrome.exe
You wanna see how Walt’s gets away with it? TOO BAD.
Edit - To clarify, I am on OP’s side in blocking this… Certainly not appropriate for work.
Check the link in my post above. It was just revealed last week that they are selling Hola users’ connections as VPN exit nodes. Bad news all around.
Wow, really? I am going to read that, interesting. I know a lot of people who use it in their homes.
I was just being facetious, by the way. Block it for sure, if you haven’t already.
I figured you weren’t aware.
Now do your part and spread the word that Hola is bad!