
Avira Phantom VPN

Hello,

I am trying to block the Avira Phantom VPN using UTM, but it keeps getting connected. Also, in the UTM log I found that avira-vpn.com usage is 85 GB, so I tried blocking it using the domain, but that did not work. Using the app filter, this name does not appear in the list. I need your suggestion to block the VPN.

  • Hi ferozsyed,

    If you can see Phantom VPN as an application in one of the reports, UTM should have traffic patterns to detect it.

    If you cannot find it in the Application Control menu, you can open the Flow Monitor while launching a VPN session and block it via the Flow Monitor.

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • The Flow Monitor does not show the app name. Still struggling to block it.

  • Hi ferozsyed,

    Since Avira uses OpenVPN (or IPsec with the Android app), I'm afraid your only chance is to block "OpenVPN" in Application Control.

    For good reason, they don't publish a list of backend servers.

    Please note that you'll block other VPN providers too; you'll need to whitelist wanted VPN providers.

    If you don't want any client-to-site VPN from your network, you could block the whole "VPN and Tunneling" category in App Control and the whole "Anonymizers" category in Web Protection.

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Both "VPN and Tunneling" and "Anonymizers" are already blocked in App Control and the web category; still, the application keeps working.

  • I noted that Avira is only listed in Application Control as a File Transfer tool. Apparently Sophos has never profiled their VPN tool, which means that you will have to profile it and create your own rules. Since Sophos does not block the VPN program successfully, one has to wonder if the usage metric can be trusted, or if it represents something else.

    Based on my experience with other applications, I will make the following predictions:

    • The product does a DNS lookup to connect to an authentication server.
    • After authentication, the client is directed to create a session with a VPN server.
    • The VPN server is probably accessed using an IP rather than a DNS name, and the VPN servers are scattered all over the Internet.

    If this is close to reality, then you have to concentrate on blocking the connection to the authentication server. These options come to mind:

    1. Block the entire DNS lookup.
      Assuming you do not have a need for Avira, simply create a DNS domain for Avira.com on your internal network, and do not populate it with any information.
      A variant of this approach can be used to block a single host name. Suppose you want to block vpn.avira.com: you create a DNS domain for vpn.avira.com. Optionally populate the domain with a default (no-name) host record that redirects to a dead end such as 127.0.0.1.

    2. Block access to the connection server.
      Assuming that you determine that the initial connection is made to vpn.avira.com, then you create UTM rules to block based on that host name and block based on whatever IP addresses the name resolves to at the moment that you create the blocks. Just be sure to block using WebFilter (standard and transparent) as well as Firewall.
      If the host name is not available in Avira documentation, you will need to do a test connection with DNS logging enabled on your DNS server.

    It is probably appropriate to block both the DNS lookup and the IP addresses to which it is known to resolve. The DNS list may change in the future, but at least you have created obstacles for someone trying to work around your DNS blocks.
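Added example (not from this thread or from Sophos) for the "test connection with DNS logging enabled" step above: a Python script that mines dnsmasq-style query/reply log lines for the names a client looked up under the watched domains and the addresses they resolved to, which are the host and IP lists the UTM DNS-host and network definitions then block. The log lines, the client addresses and the resolved IPs are constructed sample data; vpn.avira.com is the hypothetical name from the post and avira-vpn.com the domain from the question, not confirmed Avira infrastructure.

```python
"""Mine a resolver query log for the names a VPN client looks up under watched
domains and the addresses they resolve to (dnsmasq-style 'query'/'reply' lines)."""
import ipaddress
import re
from collections import defaultdict

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<value>\S+)")

# Constructed sample log (placeholder names and addresses, not real infrastructure).
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[812]: query[A] vpn.avira.com from 10.0.0.5
Jan 10 12:00:01 dnsmasq[812]: forwarded vpn.avira.com to 192.0.2.53
Jan 10 12:00:01 dnsmasq[812]: reply vpn.avira.com is 203.0.113.10
Jan 10 12:00:01 dnsmasq[812]: reply vpn.avira.com is 203.0.113.11
Jan 10 12:00:02 dnsmasq[812]: query[AAAA] vpn.avira.com from 10.0.0.5
Jan 10 12:00:02 dnsmasq[812]: reply vpn.avira.com is <CNAME>
Jan 10 12:00:03 dnsmasq[812]: query[A] api.avira-vpn.com from 10.0.0.7
Jan 10 12:00:03 dnsmasq[812]: reply api.avira-vpn.com is 198.51.100.20
Jan 10 12:00:04 dnsmasq[812]: query[A] www.notavira.com from 10.0.0.5
Jan 10 12:00:04 dnsmasq[812]: reply www.notavira.com is 192.0.2.99
"""

def in_domain(name: str, suffix: str) -> bool:
    """True if name is suffix or a subdomain of it; the label boundary is respected,
    so 'www.notavira.com' does not match 'avira.com'."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def extract_targets(log_lines, suffixes):
    """Return (hosts, ips, clients): queried names under the watched suffixes, the
    addresses they resolved to, and the internal clients that asked for them."""
    clients = defaultdict(set)
    ips = set()
    for line in log_lines:
        q = QUERY_RE.search(line)
        if q and any(in_domain(q["name"], s) for s in suffixes):
            clients[q["name"].lower()].add(q["client"])
            continue
        r = REPLY_RE.search(line)
        if r and any(in_domain(r["name"], s) for s in suffixes):
            try:
                ips.add(ipaddress.ip_address(r["value"]))
            except ValueError:
                pass  # non-address answer such as dnsmasq's "<CNAME>" marker
    hosts = sorted(clients)
    ip_list = [str(a) for a in sorted(ips, key=lambda a: (a.version, int(a)))]
    return hosts, ip_list, dict(clients)
```

Run it against the real resolver log captured during the test connection; the hosts list feeds the DNS-block step and the IP list the firewall and WebFilter definitions, while clients shows which internal machines are running the client.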

  • I will try this procedure and update you; it seems a little complicated for me to follow.