Endpoint web categorisation failures, SSL errors on blocked sites

Hello!

Recently I've had to investigate how people have been bypassing XG and Endpoint filters, the XG was simple to fix however the Endpoint (intercept x advanced) has proven problematic.

The biggest offender is CroxyProxy, which runs a web based proxy. The site itself is blocked, however when you use it it then generates URLs via other domains which are not categorised at all.

For example, discord is blocked but staff seem to use their home computers in the evenings to use CroxyProxy to generate the URL of https://msmedia.surf/?__cpo=aHR0cHM6Ly9kaXNjb3JkLmNvbQ and sometimes that link is replaced with random numbers with a .online TLD, or another .surf address.

As there are so many of them it's just impossible to keep track of do manual blocks all the time.

Also we don't get the blocked message on the endpoint, we only see the below.

Hmmm… can't reach this page Check if there is a typo in msmedia.surf.
If spelling is correct, try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN

Sometimes we recieve 

domain.xyz sent an invalid response.

  • Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

For reference, XG filtering was fixed by blocking the category 'none' and 'parked domains' - something we don't get in endpoint filtering for protecting devices when working remotely.

Any ideas on fixing this for good?

Thanks