How to block Teamviewer using Application Filter

Hi,

do you decrypt and scan enabled? Have you installed the ca on the offending pc?
what other rules do you active that allow this pc to access the internet?

are you using ips in the rule?

and finally please check the TeamViewer exceptions are disabled.

ian

Hi Ian,

yes decrypt and scan is enabled and to test the block for Teamviewer i create a test Application filter.

I not installed the CA yet and i use IPS rule.

Using other vendors UTM i was able to select the single application to block from a panel, without deploy certificates and without using any other configuration.

I made some test in Sophos XG and i was able to block  i.e. Whatsapp. The only thing i need to do is select the app filter for whatsapp and the game is on.

Can you describe to me the correct sequence i need to apply at the XG configuration to use the correct blocking rules for Teamviewer, please?

Many thanks

Claudio

Hi,

did you disable the teamviewer exceptions in web proxy?

ian

Yes,

of course.

Claudio

Hi  Claudio,

from memory teamviewer is also a web URL. I don’t have access to my XG at the moment to add extra information.

ian

Hi Claudio,

I installed team viewer and tried to block it using an application filter (TeamViewer is only a desktop application which uses web browser), that failed because team viewer users a web interface and needs web filters built to block it.

If you you would like I will continue in the morning and post my suggested filter settings.

Ian

Hi Ian,

Thanks a lot for your help.

I'll waiting for your indication, after you'll check the configuration.

Regards

Claudio

Hi Ian,

Thanks a lot for your help.

I'll waiting for your indication, after you'll check the configuration.

Regards

Claudio

Hi Claudio,

a caveat to my testing. I run both IP4 and IPv6 and due to limitation within the current XG version of IPv6 I am not able to block TeamViewer.

I was able to block TeamViewer through IP4 firewall rules.

Steps

1/. create a FQDN group of teamviewer

2/. create and FQDN of *.teamviewer.com add to FQDN group.

3/. create an FQDN of *.teamviewer-iot.com add to FQDN group

4/. create a firewall rule at the top of your rule list

a) drop

b) Source LAN

c) source network 

d) destination zone WAN

e) destination network - select Teamviewer from FQDN group

f). save

You can choose to log the traffic while you are testing, but afterwards I would disable the log.

I hope you find this helpful?

I will be starting another thread on how to block website using IPv6.

Ian

Hi Ian,

i tried you configuration but it doesn't work for me.

Is there any other configuration i need to apply?

Thanks a lot

Claudio

Hi Claudio,

when you review logviewer filtering on your test IP what do you see? I suspect that there are specific country servers that might be bypassing your firewall rule.

I could not find any, but looking at the web exception setting indicates there are other countries involved.

Ian

Hi Ian,

i find the solutiion visiting the community portal, under this Knowledge Base page:https://community.sophos.com/kb/en-us/123078

In the past days i tried to use a logical way of thinking. I have a lan to wan rule and i applied to it the app filter i create. I thought this was the logical way to use the block of applications.

The KB i found explain the way is to add a new firewall rule, in which you need to accept and don't deny the use of the application filter. I create this new rule and i give to it the top position. Then i add the filter and i was able to block Teamviewer in my LAN.

In this way all my traffic was blocked. So i push the rule at the last position of my rules group and the game is done.

Sophos Knowledge Base is a good way to find solutions. Just one suggest for the editorial staff. For me the Community homepage is not friendly and doesn't give access immeditaely to these good informations.

Thank you for your help

Claudio

Hi Claudio,

that doesn’t quite make sense to me because there is no teamviewer application in the XG list.

what did you use for teamviewer in the application policy?
ian

Hi Ian,

i use TeamViewer Conferencing and TeamViewer FileTransfer.

Claudio

I will try them on my ipv6 policies.

ian

Hi,

removed my firewall rule and all the FQDNs I created, added the two applications. Result unable to sign in using the signing panel, but f you click on the pilot url at the bottom right of the team viewer page you can login.

I will add my block firewall back and see what happens.

Ian

Hi,

I added my reject firewall rule and I can get the teamviewer management console but no further

I might have been little hasty with my test after the firewall rule was added, I cannot access the login pages anymore using the application  to create a new sign.

Ian

This is failure in both IP4 and IPv6 connection attempts.