Applies to: Sophos Home Premium and Free (Mac/Windows)
What is a browser hijacker/redirector
Browser hijackers are usually installed by Potentially Unwanted Applications (PUAs ); they can also be found inside legitimate applications/websites. They typically change the default homepage and search engine of your web browsers, making it difficult to change them back. They may also include unwanted pop-ups and advertisements to show up in the browsers.
Sophos Home will block applications categorized as PUA by Sophos Labs, as well as malicious websites. However, Sophos Home cannot revert changes that have been made to the system by said PUAs.
if you believe that an application was not detected and needs to be re-categorized, please submit a sample to Sophos Labs so that they can review it: Sophos – Submit a sample
What to do
If your computer has been affected by a browser hijacker you may need to perform manual steps to revert changes made to your browsers. Sophos Home cannot revert these changes, so this is what we recommend:
1 – Uninstall any strange/unknown programs from the computer, or anything that may have been installed right before the issue started.
2 –Reset all web browsers, remove strange/unknown extensions, and clean the browser’s cache. Ensure to manually remove undesired search engines from each affected browser. (For unlisted browsers, please perform an online search on how to reset them).
Safari steps: Clear Safari’s browsing history | Change Safari’s homepage | Turn off Safari extensions
Chrome steps: Reset Chrome settings to default
2.a) MacOS: The steps to reset browser and homepage may need to be performed in Safe Mode or using the Terminal if unable to perform the above listed.
Ensure Google Chrome is closed. Then, enter each one of these commands in a terminal as an administrator: defaults write com.google.Chrome HomepageIsNewTabPage -bool false defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/" defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/" defaults delete com.google.Chrome DefaultSearchProviderSearchURL defaults delete com.google.Chrome DefaultSearchProviderNewTabURL defaults delete com.google.Chrome DefaultSearchProviderName Restart and retest
3 – Review any accounts linked to the browser that may be syncing unwanted changes.
4- Search the computer startup items for unwanted applications and disable/remove them:
Mac:
/Users/<REPLACEWITHYOURUSERNAME>/Library/LaunchAgents/
/Library/LaunchAgents/
/Library/LaunchDaemons/
Windows:
Task Manager –> Startup (Win 7–> type msconfig and access to the startup tab)
5- After having removed all the related files and applications, and having reset the web-browsers, we recommend to run a FULL system scan with Sophos Home to ensure no threats are found.
Additional steps – MacOS only:
Please see Apple recommended steps to handle hijackers
Some hijackers may install unwanted Device Profiles:
On your Mac, choose Apple menu > System Preferences, then click Profiles.
If you haven’t installed any configuration profiles, Profiles preferences isn’t available.
Select a profile in the Profiles list, then click the Remove button -.
More info about profiles here
An online search for the hijacker name will help you find additional steps for each one.
There is a third party tool called Knock-Knock that may help finding traces of the above mentioned. Here’s the support video regarding how to download and use it: https://www.youtube.com/watch?v=8hZPfuY4PaE&feature=youtu.be
-
ion