How to block UltraSurf using Application and Device Control

Article:TECH184200  |  Created: 2012-03-19  |  Updated: 2013-03-04  |  Article URL http://www.symantec.com/docs/TECH184200
Article Type
Technical Solution


Issue



End users on the corporate network are using a proxy tool called UltraSurf to get around the corporate firewall or web filtering product, bypassing the restrictions of the company's content policy. How can this be blocked with the Application and Device Control (ADC) component of Symantec Endpoint Protection (SEP)?

 



Cause



End users are using UltraSurf to change the Internet Explorer proxy setting.

 


Solution



To prevent the use of UltraSurf in your network, follow these steps on the Symantec Endpoint Protection Manager (SEPM):
  1. Create the policy in Application and Device Control.

  2. Create the rule.
    • Name, for example: "Block UltraSurf"

  3. Create the condition "Registry Access Attempts".

  4. In "Apply this rule to the following processes":
    • Add
    • In the box "Registry Key"
      • Enter the key:
        "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    • In the box "ProxyServer"
    • Then OK

  5. Click the Action tab:
    • Under "Read Attempt", select "Block Access"
    • Under "Create, Delete or Write Attempt", select "Block Access"
    • Then OK

  6. In TEST/PRODUCTION:
    • Select Production

  7. Click OK.

 

The policy attached below may also be imported into a SEPM and assigned to the client groups for which UltraSurf should be disallowed.
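
To confirm on a client that the rule is being enforced, the following PowerShell check can be run as the logged-on user. It is an added example, not part of the Symantec article or product: it attempts a read of the `ProxyServer` value and, only if the read succeeds, writes the same data back. It assumes a blocked attempt surfaces as an error from the registry API; the function name `Test-ProxyServerRule` is hypothetical.

```powershell
# Added example (not Symantec code). Run as the logged-on user on a client
# that has received the Application and Device Control policy.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'ProxyServer'

function Test-ProxyServerRule {
    $report = [ordered]@{ Read = 'NotTested'; Write = 'NotTested'; Error = $null }
    $key = $null
    try {
        # Read attempt. GetValue returns $null when the value does not exist.
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $false)
        if ($null -eq $key) { $report.Read = 'KeyMissing'; return [pscustomobject]$report }
        $current = $key.GetValue($ValueName)
        $report.Read = 'Allowed'
    } catch {
        # Assumption: a blocked read is reported as an exception (access error).
        $report.Read  = 'Blocked'
        $report.Error = $_.Exception.Message
        return [pscustomobject]$report   # original data unknown, so no write test
    } finally {
        if ($key) { $key.Close() }
    }

    try {
        # Write attempt: put back exactly what was read, so a client where the
        # rule is missing is left in its original state.
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
        if ($null -ne $current) {
            $key.SetValue($ValueName, $current, $key.GetValueKind($ValueName))
        } else {
            $key.SetValue($ValueName, '')          # create an empty value ...
            $key.DeleteValue($ValueName, $false)   # ... and remove it again
        }
        $report.Write = 'Allowed'
    } catch {
        $report.Write = 'Blocked'
        $report.Error = $_.Exception.Message
    } finally {
        if ($key) { $key.Close() }
    }
    [pscustomobject]$report
}

Test-ProxyServerRule | Format-List
```

With the rule in Production as configured above, the expected result is `Read : Blocked`; `Read : Allowed` or `Write : Allowed` means the policy has not reached the client or the rule does not match.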



