The Most Detailed Way To Block UltraSurf
Here is the step-by-step process to prevent your clients from running UltraSurf.
To start with, UltraSurf leaves a fingerprint that the administrator needs as a constant value. Fortunately, the fingerprint is also shown when you open UltraSurf. Listed below are the fingerprints for the UltraSurf variants available on the web:
1. UltraSurf 9.4 (.exe)
md5: 11bc744801b516d0b84fba5850ec8789
2. UltraSurf 9.4 (.zip)
md5: 8aed5412df0f621e399c78a7f408c6fb
3. UltraSurf 9.2 (.exe)
md5: 4b498bcac14da546f420cd08bae1894b
4. UltraSurf 8.9 (.exe)
md5: f556271e1338dfc224cbebf6fe8f8eae
5. UltraSurf 8.8 (.exe)
md5: 4e3a66482ef96368251d91b4f5ae0fda
6. Firefox add-on (.zip)
md5: 6ce151b1b0ef8430031a8e9a69f38806
Log in to the SEPM console as a full administrator and go to the group to which you will apply the policy. Under the Policies tab, open the “application and device control policy” found within the location-specific policies.
Go to Application Control and select “Block applications from running”. The enabled rule set can be set to either production or test only. It is advisable to set it to test mode first and check later whether the process was successful.
Edit the “Block applications from running” rule and create a “Launch process attempts” sub-rule under it. Click the Add button under “apply to the following process”. Click Options to see “Match the file fingerprint”, and from there enter the UltraSurf MD5 in the space provided and click OK. When you are on the “Edit Application Control Set” page, click the Actions tab to choose among the following actions available to administrators:
1. Continue processing other rules
2. Allow access
3. Block access
4. Terminate process
We could also use the “send the user a message” option so that users are aware that they are being monitored, which discourages them from using or accessing UltraSurf in the near future.
Always remember the following after placing new policies in the specified computer groups:
1. Updated content needs to be pushed to the client group
2. We could also pull the updated policy from the client
3. It is better to reboot the computer for the updates to take effect
4. Verify that the policy serial number for the group is the same as the computer's SEP policy number
5. Test whether the policy is now working by checking the log via TruScan Proactive Threat Scan
6. Please note that if you set the enabled rule set to test only, UltraSurf might still work, but it will be logged in Logs under “Application and Device Control”
7. Also apply any project to a small group of computers before implementing it globally across the whole organization
8. Always keep documentation for review
9. Always check for new fingerprints when new UltraSurf versions become available
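A small audit helper for steps 5 and 9 of the checklist, added here as an example and not part of the original article or of Symantec's tooling: it extracts MD5 fingerprints from pasted notes, rejects hex strings that are not exactly 32 characters (these would never match in a fingerprint rule), and hashes `.exe`/`.zip` files under a folder to show which ones the list already covers. The function names and the stand-in sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Any run of hex digits long enough to be an attempted MD5 fingerprint.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{16,}(?![0-9a-fA-F])")

def parse_fingerprints(text):
    """Return (valid, rejected): valid is a set of lowercase 32-hex MD5s,
    rejected lists hex runs of the wrong length (truncated or mistyped)."""
    valid, rejected = set(), []
    for token in HEX_RUN.findall(text):
        if len(token) == 32:
            valid.add(token.lower())
        else:
            rejected.append(token)
    return valid, rejected

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large installers are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def audit(root, fingerprints, suffixes=(".exe", ".zip")):
    """Return sorted file names under root whose MD5 is on the list."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            if md5_of(path) in fingerprints:
                hits.append(path.name)
    return sorted(hits)

def demo():
    """Constructed sample: one listed file and one build with other bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        base = b"constructed stand-in binary A"
        Path(tmp, "sample_a.exe").write_bytes(base)            # on the list
        Path(tmp, "sample_b.exe").write_bytes(base + b"\x00")  # different build
        good = hashlib.md5(base).hexdigest()
        notes = f"md5: {good.upper()}\n{good[:29]} *truncated.exe\n"
        valid, rejected = parse_fingerprints(notes)
        return audit(tmp, valid), rejected

if __name__ == "__main__":
    print(demo())
```

Only `sample_a.exe` is reported: a file whose bytes differ from the listed build has a different MD5, which is why the list has to be refreshed for every new release.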
Lastly, UltraSurf is not a bad application, since it is used in mainland China to have the freedom to be informed, specifically about the outside world. It becomes a liability if users run it to violate company rules, creating a breach in the system through which viruses can infect the computers they are using as well as others. I hope that this will help other administrators block UltraSurf from being used.
I would also like to thank mon_raralio and trusted advisor RickJDS for all the valuable help and guidance.
This is just my simple way to repay their goodness by making this article to help others.
Thank you all...
Comments
Great write up!!! Yeah ultrasurf is quite a pain in the butt.
i also agree with you on this;
waiting for blocking of more proxies and those finger print
You are 100% right on the dime shaun_b...
Now the clients are complaining about them not connecting to the internet but after checking that they are using proxies.. they became very silent... they don't want to get caught red handed...
thanks to all that help in the Symantec community...
We all rock!
Nel Ramos
Well done bro...
hope we have more detailed steps for us newbies in AV..
thanks...
Thanks for the valuable information..
great work...
Keep on digging more MD5 for ultrasurf..
by the way are there other proxies available that the users might use?
thanks...
list of other proxies
You can find a huge list of proxy sites in the link below:
http://abhisays.com/internet/list-of-popular-proxy...
but blocking all of them may not be feasible; thus what is practical is to block those proxies that are being used widely in your network
thanks for the info it really helps :)
no problem...
I just learned that from the forum...
it is very helpful.
thanks..
Nel Ramos
thanks for the info...
what by the way is the latest version of ultrasurf?
thanks..
thanks also..
I believe that Ultra Surf 9.4 is the newest we have...
guys, do we have a newer version..
by the way... please check this out that Astaro 7.4 defeats Ultra Surf...
Do you already have this on your network team?
Link listed below:
www.fose.com/files/content/docs/7_4_Release.pdf
thanks
Nel Ramos
they are still using u89.exe and they are all blocked by my peers..
very detailed! nice article!
UltraSurf is a good application used in the mainland China for freedom of information.
the problem is... we are abusing it...
bad...
Excellent article for NEL.
Really Appreciated :)
Thnx....'
Rgrds,
SAM
Could SAV also detect this app?
thanks..
Nice article...
thanks...
hope this ultrasurf would be dealt with properly...
Nel,
Sorry, I've been meaning to comment on this thread. Excellent, detailed instructions. Congrats on the great article. This will help out a lot of people.
@RickJDS: Thank you Rick... it is truly an honor hearing that from you... you had helped me a million times.. i guess...
thanks team for supporting...
Nel Ramos
Hi Rick... hope you could also see this link.. It would benefit generous people like you that help us resolve issues... thanks again...
https://www-secure.symantec.com/connect/idea/community-give-points-deserving-members-please-read
Hi Team,
Please check it out and hope to hear from you...
thanks...
Nel Ramos
nice comment, thank you for all the good advice and comments, I learn a lot
well hope to see resolved issues documented in this detailed fashion...
thanks Jobert...
Nel Ramos
md5 for 15 Versions
Hi all!
I have listed below the md5 for Ultrasurf versions from 8.1 to 9.5 (latest).
Please note that these are the md5 checksums for the executable files (.exe).
Nice!
Hi Team,
Please update your files for possible deny access...
Thanks...
Nel Ramos
Latest version UltraSurf 9.6
Latest version UltraSurf 9.6 (.zip)
(md5: e0724a56a972c791ce0e9077368dabc8)
Latest version UltraSurf 9.6(.exe)
(md5: e303bb009064e63e470326201da509d0)
Update your App and Device control policies!
UltraSurf 9.7 (.zip)
(md5: 8600905280a3fd95b52c7ff97ac33aa2)
UltraSurf 9.7 (.exe)
(md5: 44385142f2d89be75502cff94d63f56b)
UltraSurf 9.8 (.zip)
(md5: 5d9565a71e262836efff071573082c17)
UltraSurf 9.8(.exe)
(md5: d446a55e30e28e2568ca0163f2737614)
305c26c3061829ee5d1ef29d324c9758 *u99.exe
e420c6aa42e11cf6a6349faf9ea14bee *u99.zip
8c6256f180bb8096011b3fe2511d228e *u991.exe
92c7cbb1dbf11c1c7de9b128cd02f103 *u991.zip
b32f45b81abd9ca395ca3940250bff81 *u992.exe
11f0901ce03eed2e71f72b754b56164c *u992.zip
UltraSurf blocking problem with fingerprint
I tried to block some different versions of UltraSurf like b32f45b81abd9ca395ca3940250bff81 *u992.exe but my client can still run it. What can I do?
Compilation of fingerprints
This is a compilation of the fingerprints on this post plus other versions that I found still downloadable on the Internet.
can't copy paste fingerprint
do i have to type the fingerprint
manually in the "match the file fingerprint" text field ?
i can't copy and paste....
please help...
urgent
edit: solved
ctrl+c ctrl+v
https://www-secure.symantec.com/connect/forums/fin...
how to copy
you have to be assured of how many characters long the fingerprint is... so you can type it manually.
Compilation of fingerprints
Ultrasurf MD5's for all versions:
by D_R_A_K_O - Monterrey, México.
User Notification pop up is not showing..
I have configured Application & Device Control as detailed in the above article, and the proxies are blocked, but the user notification pop-up is not working (e.g.: WARNING: You are added to the list of monitored users, Ultra Surf is Blocked) while I am trying to run the proxy.
Please do help me to resolve this issue..
Hi,is there a way we can
Hi,
is there a way we can delete, through SEP, blocked UltraSurf files? We have files all over.
Thank you