
The Most Detailed Way To Block UltraSurf

Created: 05 Jun 2009 | 44 comments
Nel Ramos's picture
+17 17 Votes

Here is the step-by-step process for blocking UltraSurf from being run by your clients.

To start with, each UltraSurf build has a file fingerprint (an MD5 hash) that the admin needs as a constant value for the rule. Fortunately, the fingerprint is also included when you open UltraSurf. Listed below are the fingerprints for the UltraSurf variants available on the web:

1. UltraSurf 9.4 (.exe)
md5: 11bc744801b516d0b84fba5850ec8789

2. UltraSurf 9.4 (.zip)
md5: 8aed5412df0f621e399c78a7f408c6fb

3. UltraSurf 9.2 (.exe)
md5: 4b498bcac14da546f420cd08bae1894b

4. UltraSurf 8.9 (.exe)
md5: f556271e1338dfc224cbebf6fe8f8eae

5. UltraSurf 8.8 (.exe)
md5: 4e3a66482ef96368251d91b4f5ae0fda

6. Firefox add-on (.zip)
md5: 6ce151b1b0ef8430031a8e9a69f38806

Log in to the SEPM console as a full administrator and go first to the group to which you will apply the policy. Under the Policies tab, go to the “application and device control policy”, which is found within the location-specific policies.


Proceed to Application Control and click on “block applications from running”. The enabled rule set can be set to either production or test only. It is advisable to set it to test mode first and check later whether the process was successful.


Edit the “block applications from running” rule and create a “Launch process attempts” sub-rule under it. Click the Add button under “apply to the following process”. Click Options to see “Match the file fingerprint”, and from there put the UltraSurf MD5 in the space provided and click OK. When you are on the “Edit Application Control Set” page, click on the Actions tab to choose among the following actions available to us as administrators:

1. Continue processing other rules
2. Allow access
3. Block access
4. Terminate process


We could also use the “send the user a message” option so that users are aware that they are being monitored, which discourages them from using or accessing UltraSurf in the near future.

Always remember the following after placing new policies in the specified computer groups:

1. The updated content needs to be pushed to the client group
2. We could also pull the updated policy from the client
3. It is better to reboot the computer for the updates to take effect
4. Verify that the policy serial number for the group is the same as the computer's SEP policy number
5. Test whether the policy is now working by checking the log via TruScan Proactive Threat Scan
6. Please note that if you set the enabled rule set to test only, UltraSurf might still work, but it will be logged in the logs under “Application and Device Control”
7. Also roll out any project to a small group of computers before implementing it globally across the whole organization
8. Always document your work for review
9. Always check for new fingerprints when new UltraSurf versions become available
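
For item 9, fingerprints tend to arrive as pasted notes in mixed layouts and letter case. The following is an added example (not part of the original article and not Symantec tooling): it extracts MD5 values from such notes, rejects any that are not exactly 32 hex characters, and audits a directory tree by file content so that renamed copies still match. The function names, notes and files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed notes in three layouts seen on this page; test digests, not UltraSurf's.
NOTES = """\
u_sample.exe - 5EB63BBBE01EEED093CB22BB8F5ACDC3
900150983cd24fb0d6963f7d28e17f72 *sample.zip
(md5: 900150983cd24fb0d6963f7d28e17f7)
"""

def parse_fingerprints(text):
    """Return (valid, rejected): lowercase 32-hex MD5s, and wrong-length hex runs."""
    valid, rejected = set(), []
    for token in re.findall(r"\b[0-9a-fA-F]{16,}\b", text):
        if len(token) == 32:
            valid.add(token.lower())
        else:
            rejected.append(token)  # truncated paste or a different hash type
    return valid, rejected

def md5_of(path, chunk=1 << 20):  # chunked read keeps memory use flat
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def audit(root, fingerprints, suffixes=(".exe", ".zip")):
    """List (relative path, md5) for files under root whose content matches."""
    root, hits = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            digest = md5_of(path)
            if digest in fingerprints:
                hits.append((path.relative_to(root).as_posix(), digest))
    return hits

def demo():
    valid, rejected = parse_fingerprints(NOTES)
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "tools").mkdir()
        (Path(tmp) / "tools" / "renamed.EXE").write_bytes(b"hello world")
        (Path(tmp) / "copy.zip").write_bytes(b"abc")
        (Path(tmp) / "other.exe").write_bytes(b"unrelated")
        return audit(tmp, valid), rejected

if __name__ == "__main__":
    print(demo())
```

The rejected list is worth reviewing before any value goes into the “Match the file fingerprint” field, since a 31-character paste will never match a file.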

Lastly, UltraSurf is not a bad application, since it is used in mainland China to have the freedom to be informed, specifically about the outside world. It becomes a liability if users are using it to violate company rules, making a breach in the system through which viruses can infect the computers they are using as well as others. I hope that this will help other administrators to block UltraSurf from being used.

I would also like to thank mon_raralio and trusted advisor RickJDS for all the valuable help and guidance.  
This is just my simple way to repay their goodness by making this article to help others.
Thank you all...

44 Comments

shaun_b's picture

Great write up!!! Yeah ultrasurf is quite a pain in the butt.

+6
i2professional@yahoo.com's picture

I also agree with you on this;

waiting for blocking of more proxies and those finger print

+3
Nel Ramos's picture

You are 100% right on the dime shaun_b...
Now the clients are complaining about them not connecting to the internet but after checking that they are using proxies.. they became very silent... they don't want to get caught red handed...
thanks to all that help in the Symantec community...
We all rock !

Nel Ramos

+9
Jobert's picture

Well done bro...
hope we have more detailed steps for us newbies in AV..
thanks...

+8
Sheila Marie's picture

Thanks for the valuable information..
great work...

+9
ubri04's picture

Keep on digging more MD5 for ultrasurf..
by the way are there other proxies available that the users might use?
thanks...

+7
i2professional@yahoo.com's picture

you can find huge list of proxy site in link below;
http://abhisays.com/internet/list-of-popular-proxy...

but blocking all of them may not be feasible; thus what is practical is to block those proxies that are being used widely in your network

+3
Binocchio's picture
Thanks for the tip...


They're using U94.exe version before to bypass policies, now it did not work. 
+5
glenn24's picture

thanks for the info it really helps :)

+5
Nel Ramos's picture

no problem...
I just learned that from the forum...
it is very helpful.

thanks..

Nel Ramos

+5
Ghe21's picture

thanks for the info...
what by the way is the latest version of ultrasurf?
thanks..

+6
Nel Ramos's picture

thanks also..
I believe that Ultra Surf 9.4 is the newest we have...
guys, do we have a newer version..

by the way... please check this out that Astaro 7.4 defeats Ultra Surf...
Do you already have this on your network team?

Link listed below:
www.fose.com/files/content/docs/7_4_Release.pdf

thanks

Nel Ramos

+7
zayreetadiosa's picture

they are still using u89.exe and they are all blocked by my peers..

+3
b3tugs's picture

very detailed! nice article!

+2
she_esteban's picture

UltraSurf is a good application used in the mainland China for freedom of information.
the problem is... we are abusing it...
bad...

+2
SAM_SHAIKH's picture

Excellent article for NEL.

Really Appreciated :)

Thnx....'

Rgrds,
SAM

+2
Kadoneng's picture

Could SAV also detect this app?
thanks..

+2
Amihan's picture

Nice article...
thanks...
hope this ultrasurf would be dealt with properly...

+2
RickJDS's picture

Nel,

Sorry, I've been meaning to comment on this thread.  Excellent, detailed instructions.  Congrats on the great article.  This will help out a lot of people.

+3
Nel Ramos's picture

@RickJDS:  Thank you Rick... it is truly an honor hearing that from you... you had helped me a million times.. i guess...

thanks team for supporting...

Nel Ramos

+2
Nel Ramos's picture

Hi Rick... hope you could also see this link.. It would benefit generous people like you that help us resolve issues... thanks again...

https://www-secure.symantec.com/connect/idea/community-give-points-deserving-members-please-read

Hi Team,

Please check it out and hope to hear from you...
thanks...

Nel Ramos

+2
Ghe21's picture

nice comment, thank you for all the good advice and comments, I learn a lot

+1
Jobert's picture

well hope to see resolved issues documented in this detailed fashion...

+1
Nel Ramos's picture

thanks Jobert...

Nel Ramos

0
TNQ-Helpdesk's picture

Hi all!

I have listed below the md5 for Ultrasurf versions from 8.1 to 9.5 (latest).


Please note that these are the md5 checksums for the executable files (.exe).

+1
Nel Ramos's picture

Nice!
Hi Team,

Please update your files for possible deny access...
Thanks...

Nel Ramos

0
trafsta's picture

Latest version UltraSurf 9.6 (.zip)
(md5: e0724a56a972c791ce0e9077368dabc8)

Latest version UltraSurf 9.6(.exe)
(md5: e303bb009064e63e470326201da509d0)

Update your App and Device control policies!

0
trafsta's picture

UltraSurf 9.7 (.zip)
(md5: 8600905280a3fd95b52c7ff97ac33aa2)

UltraSurf 9.7(.exe)
(md5: 44385142f2d89be75502cff94d63f56b)

UltraSurf 9.8 (.zip)
(md5: 5d9565a71e262836efff071573082c17)

UltraSurf 9.8(.exe)
(md5: d446a55e30e28e2568ca0163f2737614)

 

0
trafsta's picture

305c26c3061829ee5d1ef29d324c9758 *u99.exe
e420c6aa42e11cf6a6349faf9ea14bee *u99.zip
8c6256f180bb8096011b3fe2511d228e *u991.exe
92c7cbb1dbf11c1c7de9b128cd02f103 *u991.zip
b32f45b81abd9ca395ca3940250bff81 *u992.exe
11f0901ce03eed2e71f72b754b56164c *u992.zip

0
a_farmahini@sooshia.net's picture


I tried to block some different versions of Ultra Surf, like b32f45b81abd9ca395ca3940250bff81 *u992.exe, but my client can still run it. What can I do?

0
Will Salen's picture

This is a compilation of the fingerprints on this post plus other versions that I found still downloadable on the Internet.


+1
MULAUS's picture

do i have to type the fingerprint
manually in the "match the file fingerprint" text field ?

i can't copy and paste....

please help...

urgent

edit: solved

ctrl+c ctrl+v

https://www-secure.symantec.com/connect/forums/fin...

0
iuampmbz's picture

you have to be assured of the fingerprint characters long....so you can type it manually.

0
x|D_R_A_K_O|x's picture

Ultrasurf MD5's for all versions:

by D_R_A_K_O - Monterrey, México.
 

0
VK@tvm's picture

I have configured Application & Device Control as detailed in the above article, and the proxies are blocked, but the user notification pop-ups were not working (e.g. WARNING: You are added to the list of monitored users, Ultra Surf is Blocked) while I am trying to run the proxy.

Please do help me to resolve this issue..

0
SEPMADMIN's picture

Hi,

Is there a way we can delete blocked UltraSurf files through SEP? We have files all over.

Thank you

0
caezar's picture

Hi guys! Does anyone have the latest fingerprint for u1201.exe? Thank you

0
Adnan Ahmed's picture

u1201.exe             A6D19C2381AD7AF78B13E6160F69C375

0
caezar's picture

Thank you for the reply.

0
Sagar D. Kanase's picture

 

Hello,

Please try below document for "How to block UltraSurf using Application and Device Control"

http://www.symantec.com/docs/TECH184200

 

 

Regards,

Sagar D. Kanase.
Technical Support Analyst.

+1
Elisha's picture

Rather than using a hash, I created an Application Control policy that will block Ultrasurf from running, no matter what version it is.  I have attached the policy.  You can simply import this into SEPM and then assign it to the group you want to block Ultrasurf.

Attachment: Application Control policy - Block Ultrasurf.zip (2.47 KB)
+2
tangowf2's picture

Hello Elisha.

Thanks for your policy file. It works great. Well done, we don't need to hand-input the MD5 every time.

Thank you.

Hoang Nguyen.

0
Busayr Ceylan's picture

Hello, how can I find the current ultrasurf.exe fingerprints? I need the u1210.exe fingerprint, thanks.

0