At present no reliable way to block Tor Browser?

Although I had enabled "Filter avoidance apps" (app control) as well as SSL inspection, Tor Browser managed to connect to the internet. As Sophos support told me on the phone, this problem seems to be known.

Are there any experiences here in blocking Tor Browser reliably?
Maybe more steps are necessary to block, like outlined here for another manufacturer?

  • Hi,

    I  have been able to stop downloading the tor browser using the application and web policies. I created my own web url group and added torproject.org to it. Then I added that to my 'block bad stuff' policy and while I can access the tor site, I cannot download the tor browser.

    I have not installed tor browser so I cannot tell if this approach stops the tor browser from connecting. Also there was a post by one the Sophos Devs about tuning the IPS settings to assist with blocking tor.

     

    Ian

  • In reply to rfcat_vk:

    I removed my web block and installed tor browser on my MBP running Mojave latest version.

    I was unable to connect using tor browser with and without setting up the proxy bypass int per browser. It failed to connect to two different IP addresses.

    I have application and web policies using standard XG supplied lists.

    Ian

  • In reply to rfcat_vk:

    On my side, after starting Tor Browser, the process is stuck at stage "Establishing an encrypted directory connection" and it seems that blocking works. When I then press "Cancel" and press "Connect" in the following screen, then Tor connects successfully to the internet. Also when I choose "Configure" and check "Tor is censored in my country" and choose a bridge under "select a built-in bridge", the Tor connects sucessfully also.
    What's happening on your side if you do these steps?

  • In reply to Sacha Roland:

    Hi,

    I tried many different combinations and all failed. Direct connection, using proxy, using bridge, using proxy and bridge.

    Ian

  • In reply to rfcat_vk:

    After following the guide on https://sophos.com/kb/132436 for better application detection, the blocking works so far.

    It's cumbersome, why it's working on your side without these tweaks, rfcat_vk?

  • In reply to Sacha Roland:

    Hi Sacha,

    I did some of those tweaks sometime ago, but not all of them. I will check what my current settings are.

    I am writing a document on how I have blocked TOR in this case. This will take a couple of days to complete because my wife has had an operation on her hand and requires my assistance for most tasks.

    Ian

     

    Checked my IPS settings and they are different, the midstream is off, but the max packets is different and so is one other value.