
At present no reliable way to block Tor Browser?

Although I had enabled "Filter avoidance apps" (app control) as well as SSL inspection, Tor Browser managed to connect to the internet. As Sophos support told me on the phone, this problem seems to be known.

Are there any experiences here in blocking Tor Browser reliably?
Maybe more steps are necessary to block, like outlined here for another manufacturer?



This thread was automatically locked due to age.
  • Hi,

    I have been able to stop downloading the tor browser using the application and web policies. I created my own web url group and added torproject.org to it. Then I added that to my 'block bad stuff' policy and while I can access the tor site, I cannot download the tor browser.

    I have not installed tor browser so I cannot tell if this approach stops the tor browser from connecting. Also there was a post by one of the Sophos Devs about tuning the IPS settings to assist with blocking tor.

     

    Ian

  • I removed my web block and installed tor browser on my MBP running Mojave latest version.

    I was unable to connect using tor browser with and without setting up the proxy bypass int per browser. It failed to connect to two different IP addresses.

    I have application and web policies using standard XG supplied lists.

    Ian

  • Hi Sacha Roland,

     

    please advise which ports you used to provide Skype access. I would like to try and replicate your issue hopefully with a fix.

    Ian

  • Hi Ian,

    I found out that Skype isn't even capable of establishing calls with the following ports, services and exceptions enabled:

    And I made these exceptions (disabling https decryption etc.):

    5342.skypeexceptions.xml

    Also, I additionally made a firewall rule with the above URLs as allowed destination networks and disabled decrypt https & scan.

    But no success: Skype can't establish calls and Tor Browser (version 9.0.9/macos) still is capable to connect to the internet. The only way to disable Tor Browser right now is to disallow UDP completely. And for sake of clarity: I made these settings at the very beginning: Application filter recommended settings for better application detection.

    I am curious.

  • Concerning the import of Tor Exit Nodes: unfortunately, it is not possible to import all exit nodes via API into a Host IP List, because the number of entries is limited:

    <Status code="522">Maximum limit reached for entity.</Status>

  • Don't waste your time, it has to be loaded manually and it has a limit of 1000 or so, which makes it basically useless for any CTI purpose.

    Even snort could handle this and block a given IP list, but it is simply not implemented in Sophos from the interface, so you cannot load a custom list in snort.

  • You have a cap of 1000 IPs per List. Therefore you would have to split this list into two Lists and use them in one firewall rule.

    The update can be used on the object, without touching the firewall object. 

    You can actually use this process:

    Load the current List from the website.

    Split the List into two objects, or make three, to be sure. 

    Split the List in your Cache by 2 or 3 and update each Object in XG with their own List.

    Repeat this every day with a script and Cron and that's it.
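The split step from the post above, as an added example that is not part of the original thread and not Sophos code: it validates and de-duplicates a downloaded list, spreads it over a fixed set of objects that each stay under the 1000-entry cap, and builds one update fragment per object. The object prefix `TorExit` and the `IPHost`/`IPList` element names are assumptions to check against the XML API reference for your firmware; fetching the list, the login wrapper and the HTTP call are left to the cron job.

```python
import ipaddress
from xml.sax.saxutils import escape

MAX_PER_LIST = 1000  # per-list cap reported in the thread

# Constructed sample input (documentation addresses, not real exit nodes).
SAMPLE = "# constructed\n192.0.2.1\n192.0.2.1\nnot-an-ip\n198.51.100.7 # note\n2001:db8::1\n"

def parse_ip_list(text):
    """Unique, sorted IPv4 addresses; comments, blanks and junk are skipped."""
    seen = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # blank line, header, or malformed entry
        if addr.version == 4:
            seen.add(addr)
    return [str(a) for a in sorted(seen)]

def split_into_objects(ips, prefix="TorExit", cap=MAX_PER_LIST, min_objects=3):
    """Spread ips over a stable set of object names, each within the cap."""
    n = max(min_objects, -(-len(ips) // cap))  # ceiling division
    if len(ips) < n:
        # A near-empty download is more likely a fetch failure than reality;
        # refuse rather than overwrite the objects with almost nothing.
        raise ValueError("list too short, refusing to update")
    return {f"{prefix}_{i + 1}": ips[i::n] for i in range(n)}

def build_update(name, ips):
    """XML <Set> fragment replacing one IP list object's contents (assumed schema)."""
    return (
        '<Set operation="update"><IPHost>'
        f"<Name>{escape(name)}</Name><IPFamily>IPv4</IPFamily>"
        "<HostType>IPList</HostType>"
        f"<ListOfIPAddresses>{','.join(ips)}</ListOfIPAddresses>"
        "</IPHost></Set>"
    )

if __name__ == "__main__":
    print(parse_ip_list(SAMPLE))  # the daily cron job would fetch the real list
```

Keeping at least three objects means the firewall rule that references them does not need editing when the list grows or shrinks from day to day.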

     

  • Hi Sacha,

    Why I asked about your ports was that the MS site advises not all ports are required except if you want really high quality calls.

    I shall experiment during the day, the weather's not conducive to working outside.

    Ian

  • Hi Sacha,

    a couple of points of interest

    1/. XG should have stopped me from downloading TOR - it didn't.

    2/. Sophos home should have blocked TOR - it didn't.

     

    The following are my attempts to connect to the TOR network, with and without configuring HTTP proxy.

    The only thing I can't really check is if Skype works, I have added all the ports you are using to my Skype firewall rule. My wife's Skype still connects but has nothing total to at this stage.

    Ian

    Update point of interest - TOR currently does not try to use IPv6, if and when it does the current version of XG will not be able to block it easily if at all and allow other applications to function because the current version of XG does not support FQDN in the IPv6 rules.

  • Further, I have installed Skype and logged in, connects and authenticates okay.

    Ian

  • Hi Sacha Roland,

    I think part of your current issue is with your service definitions being too narrow.

    I think they should be like this.

    Ian

  • Thanks to Ian, I got Skype working while keeping Tor Browser blocked by removing services for High Quality Skype Calls and editing my standard Skype ports to these:
