
Blocking TikTok via Firewall Application Control and Endpoint Application and Web policies

Defense contractors and others with government contracts are now required to block access to TikTok.  We have a number of customers that fit into this category.

Sophos has long had Musical.ly as an available application to block in SF, even in the last couple of days. As of today, it can now be found in the Application filter as TikTok instead of Musical.ly. Same thing, different name.  Not sure why it was called Musical.ly in the first place, but now it's much more clear.

My employer sent me a firewall for my home office as I'm remote. Since I'm trying to resolve this for our customers, I'm applying it to myself. I created a new Application filter named Block level 5 and TikTok.  I added TikTok Deny Always.



Here I have the Application Control applied to my LAN to WAN rule.

And here is TikTok running on Windows just fine.



Sophos endpoint will block the website easily enough. I've actually added all the IP addresses, subnets, and FQDNs from the Netify page and from SonicWall's document for blocking TikTok.  Here you can see a Web policy (which works) and an Application control policy for BlueStacks.  There is no application control for TikTok or Windows Subsystem for Android.

It still runs. Packet Capture shows traffic to an IP that resolves as an Akamai server.  Akamai serves a lot of streaming media so we can't just block them.

TikTok is like some crazy virus that works around every effort to block it.  

Support on ticket 06916584 wants me to submit the executables to Sophos, not understanding that the Microsoft Store doesn't do exe files like the olden days of Windows.  They are now packaged in a different way and are placed in a folder inaccessible even to local admin, unless one wishes to take ownership from Trusted Installer and see what happens for C:\Program Files\WindowsApps\.
https://answers.microsoft.com/en-us/windows/forum/all/microsoft-store-downloads-folder/cc682ce8-6e1e-404e-a27e-a543e3afac7f

BlueStacks is another Android emulator and that's why the Application control policy for it.  Does nothing to stop BlueStacks 5 and BlueStacks X from loading but looks pretty in Central.

How do we stop this scourge?

Thanks!

David

Sophos Firewall Architect 18-19.5
Sophos Firewall Engineer 16.0-19.5
Sophos Firewall Technician 18-19.5
Sophos Central and Endpoint Engineer 3.0-4.0
Sophos Central and Endpoint Architect 3.0-4.0
Among others...



Added tags
[edited by: Raphael Alganes at 12:20 AM (GMT -7) on 21 Aug 2023]
  • Here is the endpoint policy. A community mod on Reddit suggested adding WSA here.  It wasn't immediately obvious that it's there, but I did find it searching for it spelled out and it DOES work to block WSA.  It doesn't block BlueStacks though.

    With regards,
    David

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited

  • The XG does not stop TikTok when it is embedded in things like Facebook pages; maybe Endpoint can, but I don't have Endpoint at home to try.

    Ian

    XG115W - v19.5.3 mr-3 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    SF does not block TikTok when used directly in Windows either.  Likely won't on mobile but I'm loath to install it on my mobile phone.  I know I will at some point because I want to know.

    Edit - Yep, TikTok still works on my mobile when on my network.

    I'm running XGS116 on 19.5.2 with XStream Protection.

    With regards,
    David

  • My Mac shows TikTok blocked when I try to access it directly but not through secondary applications.

    Ian

  • Hello,

    Good day and thanks for reaching out to Sophos Community.

    Upon simulating, I managed to block TikTok on Web and Mobile (on Sophos Firewall) using the following instructions from this past thread:

     How to block Tiktok App  (I followed this plainly; even w/o SSL/TLS inspection it was able to stop TikTok from running on my Windows laptop and my Android and iOS devices)

     i can't block tiktok app 

    I have yet to test if TikTok would be blocked if it is embedded in another allowed website, e.g. Facebook.

    Many thanks for your time and patience and thank you for choosing Sophos

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello,

    We tried replicating your scenario and can confirm that TikTok wasn't yet added to our app control database. For BlueStacks, we need to further check if the currently added version is the one you're currently using. We also tried blocking BlueStacks, and it was accessible after blocking. Note: We used BlueStacks 5 for our testing.

    That said, I would like to ask your help in raising two support cases, one for TikTok, an application control request, and the second for the Bluestacks application. You can share both case IDs once created here or directly send a PM to me with the details so that I can help monitor the support cases. 

    Glenn Archie Señas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
  • I have case 06916584 to block TikTok with Endpoint.  Blocking WSA seems to be effective but if it's needed for any other business purposes, it would be nice if only TikTok could be blocked by it.

    I opened case 06920646 for BlueStacks.

    I looked for an embedded TikTok video and this is blocked by Endpoint. From https://embedsocial.com/blog/embed-tiktok-video/:

    Based on Endpoint events, this was blocked by the Web policy as I've added all the FQDNs and IP addresses from Netify and SonicWall.  It's interesting to see TikTok trying to use other addresses to work around being unable to access www.tiktok.com/...

    I applied a rule correctly (facepalm) in my firewall and now TikTok is being blocked for all devices when on network.

    With regards,
    David

  • Hi Raphael,

    After resetting the rule in the firewall, TikTok is blocked on mobile devices as long as they are behind the firewall. Application Control apparently works without all the Netify IP addresses and FQDNs. 

    As IP addresses are subject to change, using the Netify method is a temporary brute-force method.

    In the Firewall, last week, in Application Control, one could apply musical.ly without effect, but this week it's now TikTok (Musical.ly is nowhere to be found in Application filter) and seems to work better.  An update must have come through.

    Because I have an endpoint rule to block all of the Netify and SonicWall addresses/hosts/subnets, the embedded web links are blocked for Windows. 

    I imagine building out the list of Netify and SonicWall addresses into the Firewall will help also.  It stinks that one has to do so much work to block one app/site.  Have to block the application, have to block the web with ~100 entries.  So users that are mobile with Windows are controlled, have to build it out in Central, then for devices that are mobile, an MDM solution needs to be in place with the same repetition.  

    Then repeat for every one of our customers that needs this.

    With regards,
    David
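
The point above about listed IP addresses going stale, as an added example that is not part of the original thread: a Python sketch that resolves the FQDNs in a mixed blocklist and reports any current address the list's static IP and subnet entries no longer cover. The blocklist entries and the stub resolver are constructed sample values (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample blocklist: subnets, a single IP, an FQDN and a comment line.
SAMPLE_BLOCKLIST = ["192.0.2.0/24", "198.51.100.17", "www.tiktok.com", "# note"]

def parse_blocklist(entries):
    """Split a mixed blocklist into (networks, fqdns); single IPs become /32 or /128."""
    networks, fqdns = [], []
    for raw in entries:
        item = raw.strip().lower().rstrip(".")
        if not item or item.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            fqdns.append(item)  # not an IP or subnet, so treat it as a hostname
    return networks, fqdns

def system_resolver(host):
    """Resolve with the OS resolver; returns a set of IP strings, empty on failure."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def sample_resolver(host):
    """Constructed stub so the example runs offline: one covered IP, one not."""
    return {"www.tiktok.com": {"192.0.2.10", "203.0.113.5"}}.get(host, set())

def find_drift(entries, resolver=system_resolver):
    """Return {fqdn: [resolved IPs that no listed network covers]}."""
    networks, fqdns = parse_blocklist(entries)
    drift = {}
    for host in fqdns:
        uncovered = []
        for ip_text in sorted(resolver(host)):
            ip = ipaddress.ip_address(ip_text)
            if not any(ip.version == net.version and ip in net for net in networks):
                uncovered.append(ip_text)
        if uncovered:
            drift[host] = uncovered
    return drift

if __name__ == "__main__":
    print(find_drift(SAMPLE_BLOCKLIST, sample_resolver))
```

An uncovered address may belong to a shared CDN, so review it before adding it to the IP list; the FQDN entry and Application Control remain the durable controls.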

  • As a recap,

    I have TikTok blocked on the network with firewall, 2 different ways:

    Application Control, TikTok is now available and works to block TikTok running on Windows or Android in the app. I assume it will block iOS as well.

    Web Control, Blocking the entire list from Netify and SonicWall, TikTok can no longer load in a browser, including ads.

    I have TikTok blocked in Windows (for mobile users not behind the firewall) with Endpoint using:

    Web Control - to block the same list of IPs/Subnets/FQDNs from Netify and SonicWall when using a browser.

    Application Control - to Block Windows Subsystem for Android (WSA) when using the App. This blocks anything running on WSA.

    To-Do

    1) Figure out how to get iOS/Android devices running TikTok marked as non-compliant in Intune. Although my device is Android and registered, I cannot apply any policies to it. This is outside of the scope of working with Sophos.  Approaching this using Android Device Administrator (which is now deprecated) allows me to select applications to block.  Using Android Enterprise, there is no option to select applications to block <facepalm>.  So it looks like we might have to use Sophos MDM. And build all of this out in a third place.

    2) Get Sophos to block BlueStacks X (have an open case for this).

    With regards,
    David

  • This just keeps growing.  And I'm groaning.  

    Opened case 06925511 to block CapCut.  Another ByteDance product.
    The U.S. Federal Government has ruled that all products from ByteDance be prohibited for all contractors of NASA, DOD and GSA.
    This includes TikTok, but also applications CapCut, Temu, Shein. And websites us.shein.com, www.douyin.com, www.toutiao.com, www.ixigua.com, www.helo.com, www.larksuite.com, www.byteplus.com

    With regards,
    David
