How to block UltraSurf using Application and Device Control


Article ID: 156096


Products

Endpoint Protection

Issue/Introduction

End users on the corporate network are using a proxy tool called UltraSurf to get around the corporate firewall or web filtering product, bypassing the restrictions of the company's content policy. How can this be blocked with the Application and Device Control (ADC) component of Symantec Endpoint Protection (SEP)?

Cause

End users are using UltraSurf to change the Internet Explorer proxy setting.

Resolution

To prevent the use of UltraSurf in your network, follow these steps on the Symantec Endpoint Protection Manager (SEPM):
  1. Create the policy in Application and Device Control.
  2. Create the rule.
    • Name, e.g.: "Block UltraSurf"
  3. Create the condition "Registry Access Attempts".
  4. In "Apply this rule to the following processes":
    • Add
    • In the box "Registry Key"
      • Put the key:
        "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    • In the box "ProxyServer"
    • Then OK
  5. Click the Action tab:
    • In Read Attempt
      • Select "Block Access"
    • In Create, Delete or Write Attempt
      • Select "Block Access"
    • Then OK
  6. In TEST/PRODUCTION
    • Put Production
  7. OK

The policy attached below may also be imported into a SEPM and assigned to the client groups for which UltraSurf should be disallowed.
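
To see which accounts on a client already have a proxy configured under the key from step 4, the following audit script can be run on the endpoint. It is an added example, not part of the original article or of Symantec Endpoint Protection; it assumes that a local proxy tool points `ProxyServer` at a loopback address, and `Test-LoopbackProxy` is a hypothetical helper name.

```powershell
# Added example, not from the article: audit the proxy values under the
# registry key named in step 4 for every user hive loaded on this machine.
# Run elevated so that other users' hives under HKEY_USERS are readable.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Hypothetical helper: true when any entry of a ProxyServer value points
# at the local machine (assumption: a local proxy tool listens on loopback).
function Test-LoopbackProxy {
    param([string]$ProxyServer)
    # The value is "host:port" or "http=host:port;https=host:port;..."
    foreach ($entry in ($ProxyServer -split ';')) {
        $target   = ($entry -split '=', 2)[-1].Trim()
        $target   = $target -replace '^[a-z][a-z0-9+.-]*://', ''   # drop scheme
        $hostPart = $target -replace ':\d+$', ''                   # drop port
        if ($hostPart -match '^(127(\.\d{1,3}){3}|localhost|\[::1\])$') {
            return $true
        }
    }
    return $false
}

$report = foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }   # class hives hold no proxy data
    $path  = "Registry::HKEY_USERS\$sid\$subKey"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $loopback = Test-LoopbackProxy -ProxyServer $props.ProxyServer
    [pscustomobject]@{
        Sid           = $sid
        ProxyEnable   = $props.ProxyEnable
        ProxyServer   = $props.ProxyServer
        LoopbackProxy = $loopback
        # Worth a look: proxy switched on and pointing at this machine
        Review        = ($props.ProxyEnable -eq 1) -and $loopback
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```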


Attachments

Application Control policy - Block Ultrasurf.zip