If you are having a problem blocking these kinds of applications, do not hesitate that the application filtering of SophosXG is not working or do not even try to block it on IPS (Custom IPS). It's a matter of adjustments in Console. See steps below:
1. Log in as a Super administrator (username: admin)
2. Go to admin drop-down options and choose CONSOLE.
3. As usual you have to log in again.
4. Choose option 4, which is Device Console.
5. Type this command "show ips-settings", maxpkts should be in default value = 8, and you have to change the value to 70.
6. Run this command "set ips maxpkts 70".
7. Run again to double check "show ips-settings".
8. Then try to test again if these applications are blocked already.
Deo Angelo Lim
Firstly I would like to thank you, but the bad news is that Psiphon is still working after I set maxpkts 70 as you explained. What else can I do to block this app permanently?
It's still working, no way.
In reply to nader alaa:
First of all you need to determine if it is actually psiphon or a misclassified application. Some of the Apple communications get classified as psiphon on my XG.
edit- fixed stupid spellchecker error
In reply to rfcat_vk:
Exactly... a lot of genuine websites are being classified under psiphon, ultrasurf, thunder vpn etc.
I would download psiphon proxy executable on a test network and check the logs.
No way, I tried to block Psiphon with many solutions, but every time Psiphon is still working. Sophos couldn't block this backdoor tool until now.
This is a serious matter and this application must be stopped permanently.
In reply to Sherif Hamed:
If you can download psiphon executable that means your firewall rules and policies are not correct. Attempts to download psiphon should be blocked by the web proxy.
What if I download the app at home?
In reply to GonFreecs:
And then try to run it at school/work almost makes it a sackable action.
I have not tried installing on a device then running it.
I can download and install but not run ultrasurf and xpvpn because of security settings on my Mac. Probably should try on W10 PC.
Right now, I still can't block this app..
Changed the maxpkts, enabled https scanning, block in app control, I even only allow http/s outgoing but SAD
Hi GonFreecs,
We have created a KBA for this issue, please refer
show advanced-firewall
show ips-settings
set advanced-firewall midstream-connection-pickup off
set ips maxsesbytes-settings update 0
set ips maxpkts 80
set ips packet-streaming on
Along with P2P and Proxy and Tunnel category, applications listed below must be denied in the application filter policy. In case of CROS Micro App should be enabled in Application filter Policy.
The same application filter policy (as configured above) must be applied to DNS Firewall rule as well, if there is any.
In reply to Aditya Patel:
Still needs HTTPS scanning.
There are several ways to download the application. What we need to address here is how can SophosXG block the application itself.
In reply to Deo Angelo Lim:
Any development on this? On my XG on SFOS 17.5.3 MR-3 the application filter still cannot block psiphon.
I am blocking Psiphon Proxy with the setup below. And you must use https decryption for active scanning and blocking web/apps. Nearly 80% of services are running on https.
Source Zone: LAN
Destination Zone: WAN
Source Service: Any
Destination Service: DNS, FTP, HTTP, HTTPS, IMAP, SMTP(S), POP3, SMTP, ICMP (if you want)
Scan Options
SCAN HTTP
SCAN HTTPS
BLOCK GOOGLE QUIC
SCAN FTP
Web Filter
None - Warn
Uncategorized - Warn
Anonymizers - Block
IPAddress - Block
Peer-to-peer & torrents - Block
Radio & Audio Hosting - Block
Sex Education - Block
Sexually Explicit - Block
Spam URLs - Block
Spyware & Malware - Block
Unauthorized Software Stores - Block
Video hosting - Block
App Filter
HTTP Tunnel Proxy - Deny
SSH - Deny
DNS - Deny
Proxy and Tunnel - Deny
Has anybody tried creating an IPS signature for Psiphon? Were you successful if you have attempted? Any insights are much appreciated.