04-14-2015 09:21 AM
Dear PAN Discussion Forum,
I come to you in dire need of assistance. There is a battle going on within my network realm. A battle that we are losing. Some of my people have been misled by downloading the Torch Browser application, and are now infected!
The Torch Browser. Sucks in my users with an edgy-cool looking website that shows it's fun to use, with all of its add-ons and features. Unfortunately, media downloads, torrents, games, etc. aren't allowed on our network, and this needs to be stopped!
We have located the coordinates of our enemy:
We have captured one of them to find out more information:
We have built some defenses to try and stop the Torch attack, but we have been unsuccessful, we are too weak!!!
At first our enemy did not appear as the Torch Browser (Application = incomplete, web-browsing)
When you have Torch Browser open, some of the traffic calls to 54.239.18.49.
We were able to confirm this was the Torch Browser for the Application! But they are still getting past our defenses!
Application = torch-browser-base
So at this point I'm not sure what to do, or if I even am doing the app blocks correctly.
Please, we are losing this battle. Please summon the Demi-Gods!!!!!!
Thanks, -Justin
04-14-2015 04:11 PM
Great post, Justin. Thanks for the details and the laughs.
Ok, so to address a few things first:
1. You can add applications directly to security policy block rules. Some people prefer app filters, because then if something new gets added the rule is updated, but it's just fine to do it either way.
2. Just about every application has some changes, but not often to the base functionality of them. Adding a block for the Torch Browser (via the "torch-browser" application) should block the clients.
3. Port 80 does not equate to unencrypted, that's old-school port-based firewall logic rearing its ugly head. Torch isn't encrypted, so you're good, I just wanted to call out that ports don't automatically indicate the transport.
You don't have the full security rule, but your block screenshot (6th screenshot) looks like it's blocking Bitcoin or Torch, on any port. That should be fine, and while I haven't tested it there may have been a very recent app change. The rule that you blanked out in your final screenshot should tell you what rule is allowing the action. Is it possible that your block rule is below that rule so that the block doesn't have a chance to take effect? Are you getting any shadowing warnings when you commit?
Fare thee well on your battle.
Greg
04-14-2015 04:18 PM
I assume your block rule for the applications is above the allow rule. Is the rest of the rule using any source/destination and zones?
The logs that do not identify the torch application (incomplete) will not be blocked. There was not enough of a match in the pcap to categorize this for that purpose.
I assume the rule that is permitting the matched traffic is after the block rule? If so, we need to determine why the traffic is failing to match the block rule criteria.
04-15-2015 06:47 AM
Thanks for your help gwesson & Steven.
04-17-2015 12:31 PM
I originally had the app block in our blacklist firewall rule. Because we had manual addresses entered to the blacklist firewall rule, the app block only was blocking for those previous blacklisted IP Addresses. I basically turned off my blacklist for a couple days.
*Thanks to Steven Puluka for the assistance.
We now have a dedicated firewall rule for nothing but apps. Any-Any traffic. Unfortunately the torch block is still not working.
My logs are showing me with denies for when using torch.
But I'm still able to freely browse the internet? (Obviously not to follow the Cubs.)
So can anyone from PAN talk about what is actually being blocked here? Maybe some of the Torch app functions? In my opinion this block is almost worthless. I'm not sure if it's going to be worth the time in researching other apps to potentially block, unless they are actually completely "blocked".
Thanks,
Justin
04-17-2015 01:25 PM
The torch application has several components, one of which is a standard web browser. The web browser functions are no different than other browsers (Torch is actually a fork from the Chromium project, like Chrome and Safari) so there would be no reason to block that feature. Additionally, it can be a challenge since some browser plugins will allow the user-agent header to be modified. Without a hook into the OS, there would be no real way to see the actual application that made the request.
The torch functions that would be blocked are the features unique to it. Additionally, the built-in games and music functions have their own sub-app which would also be blocked if you block the main "torch-browser" app in your security rules, or can be blocked without blocking the other functions of the application.
If you block the torch-browser application in your security rules, it will effectively turn the torch browser into a standard web browser. It's rare that I hear specific browsers being blocked (like, allowing Chrome but denying Firefox), so that should be effective for what you're trying to achieve.
If you want to actually block the download and install of the Torch Browser client, that can be done with a custom URL filter (torchbrowser.com is classified as Computer and Internet, so blocking that whole category would be overkill). Downloading exe files can be restricted with a file blocking profile.
When using the Torch browser and going through a security rule which blocks that app, are you able to actually use the music functions or game functions? If so, that would be unexpected.
Hope this helps,
Greg Wesson
04-17-2015 01:37 PM
Thanks gwesson I'm going to mark your answer as the Correct Answer.
I wasn't looking at it that way. I thought it would block everything from the URL, exe, anything in the packet that included torch information, etc. I guess I can block torch.exe with some of our security endpoint tools. Yes, I'm aware of what we can do with the URL blocks as well.
I didn't test the apps within Torch, but I can tell by my logs that some of the torch features are being blocked because the outbound traffic is being stopped. Everything you do in Torch is probably logged and sent back to Torch. So at least that will be denied.
Thanks for the explanation. -Justin
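Added example, not part of any post in the thread and not PAN-OS configuration syntax: a simplified first-match policy model in Python showing the three rule layouts discussed above (app block merged into the address blacklist rule, app block below the allow rule, dedicated any-any app block on top). The rule names, the blacklist addresses and the default-deny fallback are assumptions; the application names and 54.239.18.49 come from the thread.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset    # App-ID names, or ANY
    dests: frozenset   # destination addresses, or ANY
    action: str        # "allow" or "deny"

    def matches(self, app, dest):
        # Every criterion in a rule must match (logical AND).
        return ((self.apps == ANY or app in self.apps) and
                (self.dests == ANY or dest in self.dests))

def evaluate(rules, app, dest):
    """Top-down evaluation; the first matching rule decides."""
    for rule in rules:
        if rule.matches(app, dest):
            return rule.name, rule.action
    return None, "deny"  # model assumption: unmatched traffic is dropped

TORCH = frozenset({"torch-browser-base"})
BLACKLIST = frozenset({"203.0.113.10", "203.0.113.11"})  # constructed addresses
TORCH_IP = "54.239.18.49"                                # address quoted in the thread
ALLOW = Rule("allow-out", ANY, ANY, "allow")             # hypothetical allow rule

# Layout 1: app block folded into the address blacklist rule.
merged = [Rule("blacklist", TORCH, BLACKLIST, "deny"), ALLOW]
# Layout 2: dedicated app block placed below the allow rule.
shadowed = [ALLOW, Rule("app-block", TORCH, ANY, "deny")]
# Layout 3: dedicated any-any app block above the allow rule.
dedicated = [Rule("app-block", TORCH, ANY, "deny"), ALLOW]

def run_cases():
    return {
        "merged_torch": evaluate(merged, "torch-browser-base", TORCH_IP),
        "merged_blacklisted_ip": evaluate(merged, "web-browsing", "203.0.113.10"),
        "shadowed_torch": evaluate(shadowed, "torch-browser-base", TORCH_IP),
        "dedicated_torch": evaluate(dedicated, "torch-browser-base", TORCH_IP),
        "dedicated_browsing": evaluate(dedicated, "web-browsing", "198.51.100.7"),
        "dedicated_incomplete": evaluate(dedicated, "incomplete", TORCH_IP),
    }

if __name__ == "__main__":
    for case, (rule, action) in run_cases().items():
        print(f"{case:24} -> {action:5} by {rule}")
```

Only the last layout denies torch-browser-base, and even there sessions identified as web-browsing or incomplete fall through to the allow rule, which matches the denies-in-the-log-but-browsing-still-works behaviour described in the thread.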