There may be situations where you wish to block end-users from utilizing a specific Google Chrome browser extension. This can be accomplished via Application and Device Control in Symantec Endpoint Protection. The first part of this process is identifying not just the extension to block, but more importantly the unique ID associated with the extension. Below are the steps to find this UID and put the rule in place

*Note*

• Keep in mind that pre-existing extensions will not be blocked properly with this policy
• Test, test and test again. ADC is a very powerful tool, but if configured incorrectly it can cause other issues with your OS
• This is meant only to prevent future extension installation.
• Chrome users will be able to disable or delete an extension from within the browser, but the files will be left untouched on the system as ADC won't allow access.
• The extension ID may change when it is updated on the Google Web Store, so you may have to revise or add to the block rule.
• A similar configuration can be used with other browsers, but will require tweaking to the file/folder path and how extensions are identified.

Find the Chrome Extension UID:

1) Open up Chrome and type in chrome://extensions in the URL bar, or go to Settings > Extensions.

2) Enable "Developer Mode" by checking the checkbox in the top right.

3) Open up the Chrome Web Store via the "Chrome Web Store" hyperlink on the left.

4) Search for the extension(s) you wish to block.

5) Click on the "Add to Chrome" button to install the extension.

6) Confirm you wish to install by clicking the "Add extension" button in the new prompt.

7) Return to the chrome://extensions page and locate the extension in question.

8) Note that with "Developer Mode" enabled you will now see an ID: parameter. The string value listed is what is needed.

Create your new ADC block policy:

1) Within the SEP Manager console click on Policies then highlight Application and Device Control.

2) Either edit an existing policy or create a new one.

3) Within the policy, visit the "Application Control" section and add a new rule set.

4) Give your rule a meaningful name. (example: Block Chrome Extensions)

5) To the right under Properties for the "Apply this rule to the following processes" section, click "Add...".

The "Add Process Definition" window will open. Assign the * wildcard or the process name chrome.exe in the "Process name to match" section and click "Ok".

6) To the left, under "Rules" click the "Add..." button, then "Add Condition", finally selecting "File and Folder Access Attempts".

7) Again provide a meaningful name, then click "Add..." for the "Apply this rule to the following processes" section.

8) For the "File or Folder Name To Match" field use the following path with the Chrome extension ID appended:

• %systemdrive%\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\Enter_the_ChromeExtension_ID
• Alternatively, you could use an asterisk (*) wildcard in place of the extension ID to block all Chrome extensions.

9) Leave the option to "Use wildcard matching" enabled and click OK

10) At the top, switch to the "Actions" tab and set the Read Attempt and Create, Delete or Write Attempt options to "Block access"

11) Additionally you can set your notification and logging options as needed. Once done, click "OK".

12) Save the policy and assign to a test group to ensure that attempts to install the configured extension are blocked.

How to block specific Chrome browser extensions with Symantec Endpoint Security (SES)

Block or allow devices using Endpoint Protection

Block or log unauthorized software with Application and Device Control