
Blocking Ultrasurf

Anyone else battled this? How do you block it with Sophos? I have Ultrasurf application set to disallow in application control, but it does absolutely nothing. Students in my environment are able to use ultrasurf off of any drive, or anything, run it and it works flawlessly. Sophos never so much as slows it down. 

I've blocked every Ultrasurf site I can find, but of course if the student has Ultrasurf on a flash drive, I'm unable to stop that at the moment. There are way too many variations of the executable for me to successfully block it. Sophos looks to registry keys for installed applications under application control, correct?

Is there a foolproof way to eradicate this program? It's truly driving me insane.



  • Multi-layer approach required for this one I suspect.  Here are a few I can think of off the top of my head.


    1. App Control policy will obviously block some versions but may lag behind to some degree but worth enabling.

    2. Use Web Control in SAV 10.  This uses an LSP so will be loaded into the main browsers, so it could block certain sites and categories using that.  Depends why they are using it, visiting youtube.com?  If so you could just block youtube.com as a website to block at the browser level.  Regardless of using the proxy or not this will still block sites plus it will block the categories you choose.

    3. Use software restriction policies to block the exe file using a hash rule.  This is something that could be added to each week as new versions appear.  One to maintain over time.

    4. Prevent the browser being pointed at the proxy port.  Maybe GPO the users' browser proxy settings and/or set:

    "Disable changing Advanced page settings" gpo.

    "Disable changing connection settings" gpo

    "Disable changing proxy settings" gpo

    "Tools menu: Disable Internet Options... menu option" gpo

    Probably be able to do something with zones to prevent at least the default 127.0.0.1:9666 connections.

    5. Block USB devices and CD-ROM drives where possible to prevent it being run directly from media.

    6. Write an application that monitors for new IE, Chrome, FF, etc. processes; this would then call back and check the parent process. If it wasn't itself (for the new tabbed browsers), it could kill the browser and the parent, which could be the proxy app.

    7. Block HTTPS on the gateway apart from sites required?  Web appliance.

    If I think of anything else I'll update the post.

    Hope it offers some ideas.

    Regards,

    Jak

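The audit below is an added example and is not code from the thread or from Sophos. It turns points 3, 4 and 6 above into a read-only check an administrator can run on a suspect workstation: it reads the per-user WinINET proxy settings, reports anything listening on loopback port 9666 (assumed here to be the default port quoted above; change `$SuspectPort` if your variant differs) together with the owning process, its parent and its SHA256 hash (for feeding a hash rule), and flags browser processes whose parent is neither the shell nor another instance of the same browser. The browser names and the "expected parent" list are assumptions; extend them for your environment. It only reports, it does not kill anything.

```powershell
# Added example, not from the original thread: audit a Windows host for a
# browser routed through a local proxy listener. Run elevated in PowerShell 5.1+
# (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).

$SuspectPort = 9666   # assumption: the default loopback port mentioned in the thread

# 1. Per-user proxy settings used by IE and other WinINET-based browsers.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
        -ErrorAction SilentlyContinue
$proxyEnabled = ($inet.ProxyEnable -eq 1)
$proxyServer  = [string]$inet.ProxyServer
# Matches "127.0.0.1:9666" as well as "http=127.0.0.1:9666;https=..." forms.
$loopbackProxy = $proxyEnabled -and ($proxyServer -match '(^|;)(\w+=)?(127\.0\.0\.1|localhost):\d+')

Write-Host "ProxyEnable : $proxyEnabled"
Write-Host "ProxyServer : $proxyServer"
if ($loopbackProxy) { Write-Warning "Browser proxy settings point at a loopback proxy." }

# Snapshot the process table once so parents can be resolved by PID.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# 2. Who is listening on the suspect port, and who started it?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object { $_.LocalPort -eq $SuspectPort }

foreach ($l in $listeners) {
    $owner  = $byPid[[int]$l.OwningProcess]
    $parent = if ($owner) { $byPid[[int]$owner.ParentProcessId] } else { $null }
    $hash   = $null
    if ($owner.ExecutablePath -and (Test-Path -LiteralPath $owner.ExecutablePath)) {
        # SHA256 of the binary, usable as the basis of a hash-based block rule.
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $owner.ExecutablePath).Hash
    }
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        OwnerPid     = $l.OwningProcess
        OwnerName    = $owner.Name
        OwnerPath    = $owner.ExecutablePath
        OwnerSHA256  = $hash
        ParentPid    = $owner.ParentProcessId
        ParentName   = $parent.Name
    }
}

# 3. Browser processes launched by something other than the shell or themselves.
$browsers        = @('iexplore', 'chrome', 'firefox', 'msedge')   # assumption: adjust to your fleet
$expectedParents = @('explorer') + $browsers                      # tabbed browsers spawn their own children

foreach ($b in ($procs | Where-Object { $browsers -contains ($_.Name -replace '\.exe$', '') })) {
    $parent = $byPid[[int]$b.ParentProcessId]
    $pname  = if ($parent) { $parent.Name -replace '\.exe$', '' } else { '<exited>' }
    if ($expectedParents -notcontains $pname) {
        Write-Warning ("{0} (PID {1}) was started by {2} (PID {3}) {4}" -f $b.Name, $b.ProcessId, $pname, $b.ParentProcessId, $parent.ExecutablePath)
    }
}
```

Run it interactively on one machine first; once the output looks right it can be scheduled or pushed through a logon script and the warnings forwarded to whatever central log you already collect. A browser whose parent has exited, or whose parent is an executable on removable media, is exactly the pattern point 6 describes.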
  • Hi,

    I'd also recommend raising an email / web request with support to request the AppC identity is updated. If you can also provide a sample and / or version number then that is also helpful. We can usually turn around updated application identities within 24 hours. UltraSurf changes a lot so we occasionally lag behind in blocking the latest version or an oddly packed variant.

    Cheers,

    John
