
Eset Endpoint Antivirus Web Filter Policy Not Block Tor Browser


waggy

Hello

youtube.com and *.youtube.com/* addresses are blocked in the web filter, but they are not blocked in Tor Browser.

It blocks them perfectly in Chrome, but does not block Tor Browser over VPN.


This problem has no solution yet. Please, can anybody help me? Tor Browser is not blocked by the web filter list.

Endpoint version 9.1.2051.0


FYI:

Quote

The Onion Router (Tor network) is a special browser that routes your traffic through various connection points (nodes) in order to anonymize your data.

Block installation of Tor browser. Hash for current version is shown below:

[Image: Tor_Hash.png]

Edited by itman

15 hours ago, itman said:

FYI:

Block installation of Tor browser. Hash for current version is shown below:

[Image: Tor_Hash.png]

Thanks for the answers, but they are using a portable Tor Browser.


8 hours ago, waggy said:

Thanks for the answers, but they are using a portable Tor Browser.

Then block the portable version being used.

[Image: Tor_Hash.png]

Ref.: https://github.com/garethflowers/tor-browser-portable

Note that there are multiple versions of Tor portable browser from different sources.

Also, your users should not be able to download and install whatever software they choose. For example, the above GitHub version is not signed.


Probably the easiest way to block Tor browser use is to block access to the Tor network via directory restriction:

Quote

How does Tor blocking work?

Cybersecurity specialists mention that there are 4 main methods to restrict access to Tor.

Directory restriction: This is the simplest method. There are a total of nine public directories of input nodes to Tor; when you close access to these directories, users will not be able to connect to the anonymous network.

https://www.securitynewspaper.com/2021/06/07/how-to-block-tor-in-your-company-and-how-to-unblock-tor/

The article notes that Tor restrictions can be bypassed via use of Tor bridges:

Quote

The use of bridges is the main method of circumventing these restrictions. Everything starts from the premise that any user can get a complete list of the relay nodes that exist in order to block them; this led to the need to create bridges whose address list is not publicly known.

To connect to Tor over a bridge, we must go to the site https://bridges.Torproject.org, select the type of transport and indicate whether the network supports IPv6. Then we will have to solve a CAPTCHA, obtain the address of the bridge and then specify it in the configuration of the Tor browser. Security experts mention that it is also possible to request the bridge address from The Tor Project (Torproject.org) website during the setup of a connection.

If you are blocked, you can send an email with no subject to bridges@Torproject.org with the line "get transport obfs4" in the body of the message (send this message only from Gmail or Riseup). In response, an automated program will send you the bridge address to evade the access restriction.

Therefore, mitigations are needed here.

-EDIT- Also review this: https://www.cisa.gov/uscert/sites/default/files/publications/AA20-183A_Defending_Against_Malicious_Cyber_Activity_Originating_from_Tor_S508C.pdf for ways of mitigating Tor use and its risks. Of note:

Quote

Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports commonly affiliated with Tor include 9001, 9030, 9040, 9050, 9051, and 9150. Highly structured Domain Name Service (DNS) queries for domain names ending with the suffix torproject.org is another behavior exhibited by hosts running Tor software. In addition, DNS queries for domains ending in .onion is a behavior exhibited by misconfigured Tor clients, which may be attempting to beacon to malicious Tor hidden services.


Edited by itman
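To make the CISA indicators quoted above concrete, here is an added example (it is not ESET's, CISA's or the poster's code) that runs those behaviour-based checks over a few constructed log lines: connections to the listed Tor ports, DNS queries for torproject.org and its subdomains, and leaked .onion lookups. The two log line formats, the sample addresses and the "two distinct indicator types before a host is worth a look" threshold are assumptions made for this example; map the regexes to whatever your firewall and DNS resolver actually log.

```python
"""Behaviour-based Tor indicators over constructed log lines.
Added example for this thread; not ESET, CISA or poster code."""
import re
from dataclasses import dataclass

# Ports the quoted CISA advisory associates with Tor. 9050/9150 are the client
# SOCKS ports (normally loopback), so they only show up in host-level logs;
# 9001/9030 are relay OR/Dir ports that are visible at the network edge.
TOR_PORTS = {9001, 9030, 9040, 9050, 9051, 9150}

# Hypothetical log formats, assumed for this example only:
#   CONN <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
#   DNS <src_ip> query <qname>
CONN_RE = re.compile(r"^CONN (\S+):(\d+) -> (\S+):(\d+) (TCP|UDP)$")
DNS_RE = re.compile(r"^DNS (\S+) query (\S+)$")


@dataclass(frozen=True)
class Finding:
    host: str        # internal host that produced the indicator
    indicator: str   # tor_port | dns_torproject | dns_onion
    detail: str      # destination or queried name


def classify_dns(qname: str):
    """Return an indicator name for a queried domain, or None."""
    q = qname.rstrip(".").lower()
    if q == "torproject.org" or q.endswith(".torproject.org"):
        return "dns_torproject"        # Tor client fetching directory/update info
    if q.endswith(".onion"):
        return "dns_onion"             # .onion must never reach the resolver;
                                       # a misconfigured client is leaking it
    return None


def scan(lines):
    """Run both checks over iterable log lines; return a list of Findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            src, dst, dport, proto = m.group(1), m.group(3), int(m.group(4)), m.group(5)
            if dport in TOR_PORTS:
                findings.append(Finding(src, "tor_port", f"{dst}:{dport}/{proto}"))
            continue
        m = DNS_RE.match(line)
        if m:
            kind = classify_dns(m.group(2))
            if kind:
                findings.append(Finding(m.group(1), kind, m.group(2)))
    return findings


def hosts_to_review(findings, min_kinds=2):
    """Hosts showing at least `min_kinds` distinct indicator types. A single
    port hit is weak evidence on its own; corroborating DNS behaviour is not."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.indicator)
    return sorted(h for h, kinds in by_host.items() if len(kinds) >= min_kinds)


# Constructed sample log (TEST-NET addresses, made-up .onion name; not real traffic).
SAMPLE_LOG = """\
CONN 10.1.2.30:51234 -> 198.51.100.20:443 TCP
DNS 10.1.2.30 query www.youtube.com
CONN 10.1.2.31:49211 -> 203.0.113.7:9001 TCP
DNS 10.1.2.31 query www.torproject.org
DNS 10.1.2.31 query exampleonionaddress.onion
CONN 10.1.2.32:50001 -> 127.0.0.1:9150 TCP
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host:12} {f.indicator:15} {f.detail}")
    print("review:", hosts_to_review(scan(SAMPLE_LOG)))
```

On the sample, 10.1.2.31 trips all three indicators and is the host to pull for review; 10.1.2.32 only shows a loopback connection to 9150, which is consistent with Tor Browser but is a single indicator, so it stays below the default threshold. Bridges with pluggable transports will not hit 9001/9030, which is exactly the bypass the quoted article describes; the DNS and endpoint-side checks are what still fire in that case.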

Since you mentioned the Tor portable version, we can assume USB drive execution is most likely. This detailed forensic analysis: https://www.dsci.in/sites/default/files/documents/resource_centre/Advanced Forensic Analysis of Tor Browser and Implications for Law Enforcement Agencies.pdf yields the following screenshot. Note that everything Tor is connecting to ends in the .onion suffix, indicating dark web connections.

The question is why users are allowed to run .exe files from USB drives unabated.

[Image: Tor_Forensics.png]

Edited by itman

The solutions offered are non-working solutions for preventing Tor. I'm asking why the web filter is not working on the ESET side. While ESET works in all browsers, why doesn't it work in Tor as well?

Thanks


7 hours ago, waggy said:

While ESET works in all browsers, why doesn't it work in Tor as well?

Refer to the above screenshot I posted showing URLs ending in .onion. Next, refer to this article: https://www.makeuseof.com/how-tor-addresses-work/ .

On 9/30/2022 at 3:02 AM, waggy said:

youtube.com and *.youtube.com/* addresses are blocked in the web filter, but they are not blocked in Tor Browser.

ESET web filtering of YouTube addresses as you posted is N/A, since those domain names are never shown when using Tor.

Again, there is no way to block web site access when using Tor other than blocking *.onion/*, in which case Tor use to access the web is totally broken. I also don't know for sure if this would work, since Tor doesn't use DNS.

The only way to block YouTube web site access via Tor Browser is to block all IP addresses associated with YouTube via an ESET firewall rule. I wish you luck in that effort.

Edited by itman
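As an added example (not ESET's or Tor's own code, and not part of the post above), here is what Tor Browser's request to the local Tor SOCKS port (127.0.0.1:9150, one of the ports in the CISA excerpt earlier in the thread) looks like when a user opens www.youtube.com: a SOCKS5 CONNECT that carries the hostname itself, with both sides of the exchange encoded and decoded. This is why a filter keyed on DNS queries or on the domain name on the wire sees nothing: the only place the name appears in clear is this loopback request, and after that it travels inside the Tor circuit and is resolved at the exit. The no-authentication method is assumed for brevity (Tor Browser actually fills the SOCKS username/password fields for circuit isolation), and the socket plumbing is left out.

```python
"""SOCKS5 CONNECT with a domain-name target, as sent to Tor's SOCKS listener.
Added example; encodes the client side and decodes it as the proxy would."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
TOR_BROWSER_SOCKS = ("127.0.0.1", 9150)   # Tor Browser's bundled tor listens here


def client_greeting() -> bytes:
    """ver=5, one offered method, method 0x00 (no authentication)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    """Server's choice of auth method; 0xFF means it rejected all offered."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepts none of the offered auth methods")
    return data[1]


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request with ATYP 0x03: the hostname rides inside the request,
    so the proxy (tor) resolves it at the exit; the local resolver is never asked."""
    hb = host.encode("idna")
    if not 1 <= len(hb) <= 255:
        raise ValueError("SOCKS5 domain names are 1..255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("bad port")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(hb)])
            + hb + struct.pack("!H", port))


def parse_connect(data: bytes):
    """What the SOCKS listener sees. Returns (target, port) for any ATYP."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        target, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV4:
        target, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        target, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != off + 2:
        raise ValueError("truncated or trailing bytes in CONNECT")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return target, port


def build_reply(success: bool) -> bytes:
    """Proxy reply: rep 0x00 = succeeded, 0x01 = general failure; bind addr zeroed."""
    rep = 0x00 if success else 0x01
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6


def parse_reply(data: bytes) -> bool:
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed reply")
    return data[1] == 0x00


def hostname_in_clear(request: bytes) -> bool:
    """True if a CONNECT carries a domain name (ATYP 0x03) rather than an IP."""
    return len(request) > 3 and request[3] == ATYP_DOMAIN


if __name__ == "__main__":
    # Walk the exchange for www.youtube.com:443 without opening a socket.
    assert parse_method_selection(b"\x05\x00") == METHOD_NO_AUTH
    req = build_connect("www.youtube.com", 443)
    print("CONNECT bytes:", req.hex())
    print("proxy decodes:", parse_connect(req))
    print("name in clear on loopback only:", hostname_in_clear(req))
    print("proxy reply ok:", parse_reply(build_reply(True)))
```

The practical consequence for this thread: a control that wants to see "youtube.com" has to sit at the point where these bytes exist, i.e. on the endpoint before they reach tor (application control, or simply not letting the Tor Browser executable run), not on a DNS or network-edge filter.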

One last comment here on Tor browser use.

Since you are located in Turkey, I assume Tor is being allowed to keep your users anonymous. It doesn't. If you have any doubts on that, then read this article: https://restoreprivacy.com/tor/ .

Also, as noted in the article, use of Tor opens your corporate network to increased malware risk.


On 07.10.2022 at 01:59, itman said:

One last comment here on Tor browser use.

Since you are located in Turkey, I assume Tor is being allowed to keep your users anonymous. It doesn't. If you have any doubts on that, then read this article: https://restoreprivacy.com/tor/ .

Also, as noted in the article, use of Tor opens your corporate network to increased malware risk.

Thanks for your answer. 
