At present no reliable way to block Tor Browser?

Although I had enabled "Filter avoidance apps" (app control) as well as SSL inspection, Tor Browser managed to connect to the internet. As Sophos support told me on the phone, this problem seems to be known.

Are there any experiences here in blocking Tor Browser reliably?
Maybe more steps are necessary to block it, as outlined here for another manufacturer?

  • Hi,

    I have been able to stop the Tor Browser download using the application and web policies. I created my own web URL group and added torproject.org to it. Then I added that to my 'block bad stuff' policy, and while I can access the Tor site, I cannot download the Tor Browser.

    I have not installed Tor Browser, so I cannot tell if this approach stops the Tor Browser from connecting. Also, there was a post by one of the Sophos devs about tuning the IPS settings to assist with blocking Tor.

    Ian

  • In reply to rfcat_vk:

    I removed my web block and installed tor browser on my MBP running Mojave latest version.

    I was unable to connect using Tor Browser, with and without setting up the proxy bypass in the browser. It failed to connect to two different IP addresses.

    I have application and web policies using standard XG supplied lists.

    Ian

  • In reply to rfcat_vk:

    On my side, after starting Tor Browser, the process is stuck at the stage "Establishing an encrypted directory connection", and it seems that blocking works. When I then press "Cancel" and press "Connect" in the following screen, Tor connects successfully to the internet. Also, when I choose "Configure", check "Tor is censored in my country" and choose a bridge under "select a built-in bridge", Tor connects successfully as well.
    What's happening on your side if you do these steps?

  • In reply to Sacha Roland:

    Hi,

    I tried many different combinations and all failed. Direct connection, using proxy, using bridge, using proxy and bridge.

    Ian

  • In reply to rfcat_vk:

    After following the guide on https://sophos.com/kb/132436 for better application detection, the blocking works so far.

    It's cumbersome. Why is it working on your side without these tweaks, rfcat_vk?

  • In reply to Sacha Roland:

    Hi Sacha,

    I did some of those tweaks sometime ago, but not all of them. I will check what my current settings are.

    I am writing a document on how I have blocked TOR in this case. This will take a couple of days to complete because my wife has had an operation on her hand and requires my assistance for most tasks.

    Ian

    Checked my IPS settings and they are different: midstream is off, but the max packets value is different, and so is one other value.

  • In reply to rfcat_vk:

    Hi,

    Tor Browser version 9.0.5 couldn't be blocked anymore with my Sophos XG85 (latest firmware).

    Does anyone experience this, too?

  • In reply to Sacha Roland:

    Hi Sacha,

    Do you happen to have a license for Sophos Central Endpoint Protection? Synchronized Application Control should detect Tor Browser and keep detecting it, as it requests information on uncategorized traffic and ties it to an application running on the endpoint.

    https://community.sophos.com/kb/en-us/127565

  • In reply to Sacha Roland:

    Hi,

    Firstly, I tried to download the test version and was blocked by the XG (V18).

    What functions do you have enabled, e.g. web proxy, block anonymisers policy, HTTPS scanning etc.?

    Ian

  • In reply to Sacha Roland:

    Sacha,

    You need to provide more information about your configuration, such as:

    • http and https scanning
    • IPS filter
    • web filtering
    • App filtering

    Thanks

  • In reply to lferrara:

    • HTTP and HTTPS scanning is enabled; invalid or unknown certificates are blocked
    • web filtering is enabled: proxy & tunnel category
    • app filter: "filter avoidance apps", which include Tor proxy, Tor VPN etc., as well as "DNS Multiple QNAME, OpenVPN, QUIC, and Non-SSL/TLS traffic on port 443"
    • IPS settings: I didn't edit anything here

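
The app-filter list above includes a "Non-SSL/TLS traffic on port 443" signature. The block below is an added illustration, not Sophos code, of the kind of first-packet check such a rule can be based on; it assumes (as an assumption, not documented Sophos behaviour) that the rule simply tests whether a stream to port 443 opens with a parseable TLS ClientHello. Tor's ordinary relay connections are TLS and pass such a test; an obfs4 bridge stream, which is designed to look like random bytes, does not, and neither does plaintext HTTP sent to 443.

```python
import struct

TLS_HANDSHAKE = 0x16   # record-layer content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if the first bytes of a TCP payload parse as a TLS record
    carrying a ClientHello, which is what a legitimate HTTPS session opens with."""
    if len(payload) < 9:               # 5-byte record header + 4-byte handshake header
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_HANDSHAKE or major != 0x03 or not 1 <= minor <= 4:
        return False                   # not a handshake record, or not a TLS 1.x version
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # the handshake body plus its 4-byte header must fit inside the record
    return hs_type == CLIENT_HELLO and hs_len + 4 <= rec_len

def classify_flows(flows):
    """Map each (name, first_bytes) pair to 'tls' or 'non-tls-on-443'."""
    return {name: ("tls" if looks_like_tls_client_hello(p) else "non-tls-on-443")
            for name, p in flows}

# Constructed first-packet samples (not captured traffic):
SAMPLES = [
    # well-formed: 160-byte record holding a 156-byte ClientHello body (zero-padded here)
    ("tls_client_hello", bytes.fromhex("16030100a00100009c0303") + b"\x00" * 154),
    # plaintext HTTP sent to port 443
    ("http_plaintext", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # fixed bytes standing in for an obfs4-style stream, which carries no TLS header
    ("random_looking", bytes.fromhex("9fd21c4be37a0056ab8812f0c3e4d5a6")),
    # handshake header claims 32 bytes but the record only holds 16
    ("bad_lengths", bytes.fromhex("160303001001000020") + b"\x00" * 12),
    # too short to carry both headers
    ("truncated", b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for name, verdict in classify_flows(SAMPLES).items():
        print(f"{name:18s} -> {verdict}")
```

A production engine would keep tracking the stream after the first packet; this check only shows why a connection that never presents a TLS handshake on 443 stands out.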
  • In reply to Sacha Roland:

    Sacha,

    Please read and follow these instructions:

    Regards

  • In reply to lferrara:

    I already followed and implemented this KBA last year (rfcat_vk mentioned that KBA on 25 May 2019 in this thread). After implementing it, Tor Browser was blocked successfully. But now it isn't blocked anymore. I checked the settings in the CLI and re-implemented the KBA, but without success.

  • In reply to Sacha Roland:

    I've been fiddling with this today. I'm also not able to prevent the TOR browser from starting 100% of the time.
    Sometimes it doesn't start, sometimes it does.

    What I was able to accomplish is to disable browsing from a TOR Browser session.
    If you're interested please let me know.

    Grtz, Peter-Paul

  • In reply to Peter-Paul Gras:

    Yes, I am very interested in the way you disabled browser sessions.

    Did you alter the settings mentioned here for better application detection?