
BLOCKING of ULTRASURF addons/extensions in Google Chrome browser?

Hi Sophos Community

Good Day,

Is there any way to block Ultrasurf add-ons/extensions in the Google Chrome browser?

Or is there any way that users may not have access to add utilities in the Google Chrome browser?

Scenario.

Web protection > transparent mode > decrypt and scan > anonymizers and utilities

Filter action

* Block anonymizers and utilities
* Block jobsearch

But after turning on the Ultrasurf add-on in my browser, you can now browse anything you want.

Thank you

PS.
I have already blocked these URLs after searching the Sophos Community, but sadly no luck; Ultrasurf is still running.

https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
http://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
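
An added example, not part of the original post: a quick coverage check of the three patterns above against constructed sample URLs, compared with a stricter check that parses the URL and tests whether the host is an IP literal. It assumes the filter applies the expressions as unanchored searches over the full URL; the sample addresses and the helper names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The three patterns from the post, verbatim.
POSTED = [
    r"https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/",
    r"http://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/",
    r"https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/",
]

def posted_match(url):
    """Indexes of the posted patterns that match (assumed unanchored search)."""
    return [i for i, p in enumerate(POSTED) if re.search(p, url)]

def is_ip_literal_url(url):
    """Stricter reference check: parse the URL and test the host itself."""
    try:
        host = urlsplit(url).hostname
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

# Constructed sample URLs (documentation address ranges, not real traffic).
SAMPLES = [
    "https://192.0.2.10/",
    "http://192.0.2.10/index.html",
    "https://192.0.2.10:8443/",   # explicit port before the slash
    "https://192.0.2.10",         # no trailing slash
    "https://[2001:db8::1]/",     # IPv6 literal
    "https://www.example.com/?next=http://192.0.2.10/",  # IP only in query
    "https://www.example.com/",
]

def coverage():
    """Map each sample to (posted patterns matched, host really is an IP)."""
    return {u: (posted_match(u), is_ip_literal_url(u)) for u in SAMPLES}

if __name__ == "__main__":
    for url, (hits, is_ip) in coverage().items():
        print(f"{url:55} posted={hits} ip_host={is_ip}")
```

The third pattern already covers everything the first two match. Rows where the two columns disagree are the places where the expressions and a host-based check differ.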

  • I put in a ticket for this issue with Sophos and received a totally different response from others in this thread.  This is what they said:

     "This is a known bug with Sophos, ultrasurf is not getting blocked by application control." 

     So we are in the waiting loop to get this fixed.  I've asked for an ETA on the patch for the fix.  I'll let everyone know what Sophos says.
  • Lol, here was my response:

    I tried reaching you via phone to further discuss the issue you are experiencing but got voice mail.

    I tested with version 9.503-4 and was able to block UltraSurf.

    Let me know your availability so we can do some tests.

    Thanks

  • LOL is right.  They must have not known that this was an issue until we all put in tickets.

    I heard back from support and they said: "Unfortunately, there is no ETA on when this bug will get fixed." So who knows when it will get fixed.

    Looks like I'm going to have to put in an Untangle box in transparent bridge mode between my LAN and Sophos UTM to block this. I can turn off IPS on my Sophos UTM and hand this off to the Untangle box too. Then I won't have 50% - 60% CPU use on the Sophos UTM.

  • Do you really have users who are using UltraSurf to bypass your proxy? Instead of doing all this extra work, I'd think a stern talking-to would fix this. This is a policy breach in many companies.

  • Yes, they are using it. I've talked to them already, but they will come back with something else to bypass the proxy. The Untangle transparent bridge is not an issue to set up. Hardware req plus 20 minutes to set up. No problem at all. Then I'll feel much better about my edge security setup. Not being able to block something like this is a large PITA.

  • Here's Sophos' take / reply on the issue, if anyone is interested:

    After testing in my lab environment, I've been able to confirm the following:

    a.  The browser Chrome add-on/extension version of Ultrasurf is not covered under Ultrasurf for Application Control

    - as per Development, "Our current product limits application control block only to executable components, meaning that jar files, msi's, configuration files, etc. won't be blocked, which causes us problems with browser plugins or extensions as a category."

    b.  In order for the desktop application version of Ultrasurf to get blocked by Application Control, you must have an HTTPS decrypt & scan Transparent Policy covering the intended networks.  The reason is that Ultrasurf doesn't adhere to the PAC file telling it to proxy traffic through the UTM; therefore, when the application tries to connect directly to the public IP address, it would technically be hitting the next Transparent Mode policy (which for your environment is URL filtering only).

    c.  Oddly enough, even though the add-on version of Ultrasurf isn't covered by Application Control, enabling a Transparent mode HTTPS decrypt & scan policy seems to stop Ultrasurf from connecting, or stops browsing through Ultrasurf if it does connect... almost as if decrypting the traffic breaks the application.