BLOCKING of ULTRASURF addons/extensions in Google Chrome browser?

I'm seeing this issue too with UTM 9.  How can the Ultrasurf Chrome addin be blocked?

Also seeing the same thing. I've even got it blocked in the application control settings.

Hi Sir Patrick,

Good Day

I already apply your configurations BUT Ultrasurf in this problem is not an application it is a ADDONS/EXTENSION on gchrome browser.... We already know that UTM can block Ultrasurf Application. Sadly under Application > Proxy configurations as you said.. Ultrasurf is still active.. users may still access blocked url..

But how to block ultrasurf on ADDONS and EXTENSION like this one?

Gracias

Mine is also seeing the same issue, I can't see why you'd want my configuration

I have this setup this way already and it is not working for the Chrome plugin.  Also it is not working on the new Ultrasurf Beta 1.0.7 on Android.

Support tells me that they can block ultra surf no problem, but he's running 9.503-4 and I am still on 9.413-4

What firmware are you guys running?

I'm on the latest firmware and still have the problem.  It probably only effect upgraded UTMs.  I'm guessing that Sophos Support has a fresh installed version of the UTM.

I put in a ticket for this issue with Sophos and received a totally different response from others in this thread.  This is what they said:

 "This is a known bug with Sophos, ultrasurf is not getting blocked by application control." 

 So we are in the waiting loop to get this fixed.  I've asked for an ETA on the patch for the fix.  I'll let everyone know what Sophos says.

Lol, here was my response

I tried reaching you via phone to further discussed the issue you are experiencing but got voice mail.

I was tested with version 9.503-4 and was able to block UltraSurf.

Let me know your availability so we can do some tests.

Thanks

LOL is right.  They must have not known that this was an issue until we all put in tickets.

I heard back from support and they said: "Unfortunately, there is no ETA that when this bug will get fix."  So who knows when it will get fixed. 

Looks like I'm going to have to put in an Untagle box in transparent bridge mode between my LAN and Sophos UTM to block this.  I can turn off IPS on my Sophos UTM and hand this off to the Untangle box too.  Then I won't have 50% - 60% CPU use on the Sophos UTM.

Do you really have users who are using UltraSurf to bypass your proxy? Instead of doing all this extra work I'd think a stern taking to would fix this. This is a policy breach in many companies

Yes they are using it.  I've talked to them already but they will come back with something else to bypass the proxy.  The Untangle transparent bridge is not an issue to setup.  Hardware req plus 20 minutes to setup.  No problem at all.  Then I'll feel much better about my edge security setup.  Not being able to block something like this is a large Pita.     

Yes they are using it.  I've talked to them already but they will come back with something else to bypass the proxy.  The Untangle transparent bridge is not an issue to setup.  Hardware req plus 20 minutes to setup.  No problem at all.  Then I'll feel much better about my edge security setup.  Not being able to block something like this is a large Pita.     

Here's Sophos take / reply on the issue if anyone is interested

After testing in my lab environment, I've been able to confirm the following:

a.  The browser Chrome add-on/extension version of Ultrasurf is not covered under Ultrasurf for Application Control

- as per Development, "Our current product limits application control block only to executable components, meaning that jar files, msi's, configuration files, etc won't be block which causes us problems with the browser plugins or extension as category. "

b.  In order for the desktop application version of Ultrasurf to get blocked by Application Control, you must have a HTTPS decrypt & scan Transparent Policy covered the intended networks.  Reason being is that Ultrasurf doesn't adhere to the PAC file telling it to proxy traffic through the UTM, therefore when the application tries to connect directly to the public IP address, it would technically be hitting the next Transparent Mode policy (which for your environment is URL filtering only)

c.  Oddly enough, even though the add-on version of Ultrasurf isn't covered by Application Control, enabling a Transparent mode HTTPS decrypt & scan policy seems to stop Ultrasurf from connecting, or stops browsing through Ultrasurf if it does connect......almost as if decrypting the traffic breaks the application