topic Re: Application Blocking in General Topics

Application Blocking

Rags — Tue, 14 Apr 2015 16:21:18 GMT

Dear PAN Discussion Forum,

I come to you in dire need of assistance. There is a battle going on within my network realm. A battle that we are losing. Some of my people have been mislead by downloading the Torch Browser application, and are now infected!

The Torch Browser. Sucks in my users with an edgy-cool looking website that shows its fun to use, with all of it's add-on's and features. Unfortunately, media downloads, torrents, games, etc aren't allowed on our network, and this needs to be stopped!

We have located the coordinates of our enemy:

We have captured one of them to find out more information:

We have build some defenses to try and stop the Torch attack, but we have been unsuccessful, we are too weak!!!

At first our enemy did not appear as the Torch Browser (Application = incomplete, web-browsing)

When you have Torch Browser open, some of the traffic calls to 54.239.18.49.

We were able to confirm this was the Torch Browser for the Application! But they are still getting past our defenses!

Application = torch-browser-base

So at this point I'm not sure what to do, or if I even am doing the app blocks correctly.

Can I directly add applications to security policy block rules, or do I need to add them to an application-filter first?
Hard to tell if this is an issue with my firewall rules or if Torch Browser has changed, and PAN hasn't updated the App signatures for it recently?
I confirmed the Torch traffic is port 80, so I should not have to enable SSL decryption

Please, we are losing this battle. Please summon the Demi-Gods!!!!!!

Thanks, -Justin

Re: Application Blocking

gwesson — Tue, 14 Apr 2015 23:11:54 GMT

Great post, Justin. Thanks for the details and the laughs

Ok, so to address a few things first:

1. You can add applications directly to security policy block rules. Some people prefer app filters, because then if something new gets added the rule is updated, but it's just fine to do it either way.

2. Just about every application has some changes, but not often to the base functionality of them. Adding a block for the Torch Browser (via the "torch-browser" application) should block the clients.

3. Port 80 does not equate to unencrypted, that's old-school port-based firewall logic rearing its ugly head. Torch isn't encrypted, so you're good, I just wanted to call out that ports don't automatically indicate the transport.

You don't have the full security rule, but your block screenshot (6th screenshot) looks like it's blocking Bitcoin or Torch, on any port. That should be fine, and while I haven't tested it there may have been a very recent app change. The rule that you blanked out in your final screenshot should tell you what rule is allowing the action. Is it possible that your block rule is below that rule so that the block doesn't have a chance to take effect? Are you getting any shadowing warnings when you commit?

Fare thee well on your battle.

Greg

Re: Application Blocking

pulukas — Tue, 14 Apr 2015 23:18:48 GMT

I assume your block rule for the applications is above the allow rule. Is the rest of the rule using any source/destination and zones?

The logs that do not identify the torch application (incomplete) will not be blocked. there was not enough of a match in the pcap to categorize this for that purpose.

I assume the rule that is permitting the matched traffic after the block rule? If so, we need to determine why the traffic is failing to match the block rule criteria.

Re: Application Blocking

Rags — Wed, 15 Apr 2015 13:47:27 GMT

Thanks for your help gwesson & Steven.

Re: Application Blocking

Rags — Fri, 17 Apr 2015 19:31:49 GMT

I originally had the app block in our blacklist firewall rule. Because we had manual addresses entered to the blacklist firewall rule, the app block only was blocking for those previous blacklisted IP Addresses. I basically turned off my blacklist for a couple days :smileyblush::smileyconfused::smileycry:

*Thanks to Steven Puluka for the assistance.

We now have a dedicated firewall rule for nothing but apps. Any-Any traffic. Unfortunately the torch block is still not working.

I am successfully able to navigate to torchbrowser.com
Download & Install the torch browser.exe
Use the torch browser to access the internet.

My logs are showing me with denies for when using torch.

But I'm still able to freely browse the internet? (Obviously not to follow the Cubs, )

So can anyone from PAN talk about what is actually being blocked here? Maybe some of the Torch app functions? In my opinion this block is almost worthless. I'm not sure if its going to be worth the time in researching other apps to potentionally block, unless they are actually completely "blocked".

Thanks,

Justin

Re: Application Blocking

gwesson — Fri, 17 Apr 2015 20:25:36 GMT

The torch application has several components, one of which is a standard web browser. The web browser functions are no different than other browsers (Torch is actually a fork from the Chromium project, like Chrome and Safari) so there would be no reason to block that feature. Additionally, it can be a challenge since some browser plugins will allow the user-agent header to be modified. Without a hook into the OS, there would be no real way to see the actual application that made the request.

The torch functions that would be blocked are the features unique to it. Additionally, the built-in games and music functions have their own sub-app which would also be blocked if you block the main "torch-browser" app in your security rules, or can be blocked without blocking the other functions of the application.

If you block the torch-browser application in your security rules, it will effectively turn the torch browser into a standard web browser. It's rare that I hear specific browsers being blocked (like, allowing Chrome but denying Firefox), so that should be effective for what you're trying to achieve.

If you want to actually block the download and install of the Torch Browser client, that can be done with a custom URL filter (torchbrowser.com is classified as Computer and Internet, so blocking that whole category would be overkill). Downloading exe files can be restricted with a file blocking profile.

When using the Torch browser and going through a security rule which blocks that app, are you able to actually use the music functions or game functions? If so, that would be unexpected.

Hope this helps,

Greg Wesson

Re: Application Blocking

Rags — Fri, 17 Apr 2015 20:37:40 GMT

Thanks gwesson I'm going to mark your answer as the Correct Answer.

I wasn't looking at it that way. I thought it would block everything from the URL, exe, anything in the packet that included torch information, etc. I guess I can block torch.exe with some of our security endpoint tools. Yes, I'm aware of what we can do with the URL blocks as well.

I didn't test the apps within Torch, but I can tell by my logs that some of the torch features are being blocked because the outbound traffic is being stopped. Everything you do in Torch is probably logged and sent back to Torch. So at least that will be denied.

Thanks for the explanation. -Justin