I have been trying to block the hotspot shield and Betternet VPN. I have included them in the Applications Filter.
I created a support ticket with Sophos and we were able to block the said applications by decrypting HTTPS using web proxy. It is also blocking other applications like Facebook, Instagram, etc. I can't deploy CA certificates on the end devices for HTTPS decryption.
The client is able to download the applications and use them. The firewall isn't blocking the hotspot shield and Betternet VPN traffic.
I am looking for a way to block those applications using DPI/Applications Filter. These apps use TCP, 443 port.
I am using an XGS 136.
Hi Vineeth Penugonda
Please check by creating the DNS service base firewall rule as shown below and create separate application filter policy to block high risk application as per link and apply on same
Please check by creating the DNS service base firewall rule as shown below and create separate application filter policy to block high risk application as per link and apply on same DNS service base firewall rule.
Please try the below steps too in case the application still not getting blocked :
show advanced-firewallshow ips-settings
set advanced-firewall midstream-connection-pickup offset ips maxsesbytes-settings update 0set ips maxpkts 80set ips packet-streaming on
Along with P2P and Proxy and Tunnel category, applications listed below must be denied in the application filter policy. In case of CROS Micro App should be enabled in Application filter Policy.
The same application filter policy (as configured above) must be applied to DNS Firewall rule as well, if there is any.
Thanks and Regards
I tested with all the settings you provided. I am able to block "Hotspot Shield" by blocking "www.hsselite.com" and blocking "Risk 4 and Risk 5 apps" in the applications filter.
Interestingly, the Applications Filter detects the Hostspot Shield as "Facebook Website". (Attached Screenshot).
Sometimes, Psiphon Proxy is detected by the Applications Filter and blocks it. Users are still able to use "Psiphon Proxy" and "Betternet VPN".
The issue is that it appears to use the proxy from my investigation and it not blocked in the proxy. I have tried blocking IP addresses, urls but to no avail and none the addresses appear in log viewer.
XG115W - v19 GA - Home
1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.
If a post solves your question please use the 'Verify Answer' button.
I tried looking at the traffic for Betternet VPN too. I will try to spin up an android virtual image and check the traffic flow for the application.
I have been working this issue most of the afternoon without great success. I broke my users access to the internet by blocking https in a specific rule that stopped the VPN. I had to use my CM access to restore connectivity. I have searched to see if I can identify the servers it uses to no avail. I d have a list of IP addresses but that continual grows so maintaining it would be a pain. Using betternet co or betternet.com does not return any results that get blocked except web access.
It uses 443 to access the internet but how because nothing is logged, no error messages are created or displayed. I would have build a network analyser to hang across the output of the Mac mini to see what is happening. While it might be installed as betternet vpn it obviously does not identify itself as that when setting up the tunnel.
I was able to block Betternet VPN on the iPhone once by listing all the IP addresses it connects to. I uninstalled the application and redownloaded it after a few weeks. It was able to connect again. Sophos is able to block Betternet VPN chrome browser extension but not the iPhone app. I will try it out on the mac mini and check too.
Hope we come up with a working solution soon! :)
So, in summary the classification is not complete, there is more to this vpn than Sophos appears to have tested.
Yeah. Is there any way we can reach out to the team which works on detecting app IDs and updating the signatures? I would like to report that Hotspot Shield is being misclassified as "Facebook Website" and Betternet VPN is able to bypass the firewall even if it is added to the applications filter.
I did a packet capture of Betternet VPN. It is disguising itself as WhatsApp/Twitter/Facebook. This explains why Hotspot Shield was being detected as Facebook Website by the firewall. I have seen references to Hotspot Shield (Anchorfree) inside Betternet VPN's application folder.