The Most Detailed Way To Block UltraSurf  

Jun 05, 2009 10:47 AM


Here is the step-by-step process to stop your clients from running UltraSurf.

To start with, UltraSurf leaves a fingerprint that the administrator needs as a constant value. Fortunately, the fingerprint is also included when you open UltraSurf. Listed below are the fingerprints for the UltraSurf variants available on the web:

1. UltraSurf 9.4 (.exe)
md5: 11bc744801b516d0b84fba5850ec8789

2. UltraSurf 9.4(.zip)
md5: 8aed5412df0f621e399c78a7f408c6fb

3. UltraSurf 9.2 (.exe)
md5: 4b498bcac14da546f420cd08bae1894b

4. UltraSurf 8.9 (.exe)
md5: f556271e1338dfc224cbebf6fe8f8eae

5. UltraSurf 8.8 (.exe)
md5: 4e3a66482ef96368251d91b4f5ae0fda

6. Firefox add-on (.zip)
md5: 6ce151b1b0ef8430031a8e9a69f38806

Log in to the SEPM console as a full administrator and go to the group to which you will apply the policy. Under the Policies tab, open the “Application and Device Control” policy, which is found among the location-specific policies.




Go to Application Control and click “Block applications from running”. The enabled rule set can be put in either production or test-only mode. It is advisable to set it to test mode first and check later whether the process was successful.



Edit the “Block applications from running” rule and create a “Launch process attempts” sub-rule under it. Click the Add button under “Apply to the following process”. Click Options to see “Match the file fingerprint”, and from there enter the UltraSurf MD5 in the space provided and click OK. On the “Edit Application Control Set” page, click the Actions tab to choose among the following actions available to administrators:

1. Continue processing other rules
2. Allow access
3. Block access
4. Terminate process


We could also use the “send the user a message” option so that users are aware that they are being monitored, discouraging them from using or accessing UltraSurf in the future.

Always remember the following after placing new policies on the specified computer groups:

1. The updated content needs to be pushed to the client group
2. We could also pull the updated policy from the client
3. It is better to reboot the computer for the updates to take effect
4. Verify that the policy serial number for the group is the same as the computer's SEP policy number
5. Test whether the policy is now working by checking the log via TruScan Proactive Threat Scan
6. Please note that if you set the enabled rule set to test only, UltraSurf might still work, but it will be logged in the Logs under “Application and Device Control”
7. Also roll out any project to a small group of computers before implementing it globally across the whole organization
8. Always keep documentation for review
9. Always check for new fingerprints when new UltraSurf versions become available
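
Items 5 and 9 depend on knowing exactly which MD5 fingerprints are in the policy and which files on a machine actually match them. The Python script below is an added example, not part of the original article or of SEP: it extracts MD5 values from pasted text in the formats seen on this page and reports matching .exe/.zip files under a folder. The function names and the constructed SHA-1-style sample line are assumptions of the example.

```python
"""Added example: build an MD5 blocklist from pasted text and scan a folder."""
import hashlib
import os
import re
import sys

# A 32-hex-digit token that is not part of a longer hex run (so SHA-1 is skipped).
MD5_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")

# Lines in the formats used on this page; the last line is a constructed
# 40-digit SHA-1-style value that must NOT be picked up as an MD5.
SAMPLE_TEXT = """\
md5: 11bc744801b516d0b84fba5850ec8789
u1201.exe             A6D19C2381AD7AF78B13E6160F69C375
b32f45b81abd9ca395ca3940250bff81 *u992.exe
md5: 11BC744801B516D0B84FBA5850EC8789
constructed-sha1 0123456789abcdef0123456789abcdef01234567
"""


def parse_fingerprints(text):
    """Return the set of MD5 fingerprints in text, lower-cased and de-duplicated."""
    return {m.group(0).lower() for m in MD5_RE.finditer(text)}


def file_md5(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large executables are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, blocklist, extensions=(".exe", ".zip")):
    """Return sorted (path, md5) pairs under root whose MD5 is in blocklist."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                md5 = file_md5(path)
            except OSError:
                continue  # unreadable or locked file: skip, do not abort the sweep
            if md5 in blocklist:
                hits.append((path, md5))
    return sorted(hits)


if __name__ == "__main__":
    known = parse_fingerprints(SAMPLE_TEXT)
    for found_path, found_md5 in scan(sys.argv[1] if len(sys.argv) > 1 else ".", known):
        print(found_md5, found_path)
```

Because any change to a file changes its MD5, a match list like this covers only the exact builds already collected.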

Lastly, UltraSurf is not a bad application in itself, since it is used in mainland China to gain the freedom to be informed about the outside world. It becomes a liability when people use it to violate company rules, creating a breach in the system through which viruses can infect the computers they are using as well as others. I hope this helps other administrators block UltraSurf from being used.

I would also like to thank mon_raralio and trusted advisor RickJDS for all the valuable help and guidance.  
This is just my simple way to repay their goodness by making this article to help others.
Thank you all...
 


Comments

May 12, 2016 04:17 AM

Has anyone had experience blocking the UltraSurf extension in Google Chrome and Firefox?

Appreciate if you can share how it was done.

Thank you!

Jul 10, 2014 06:34 AM

Dear Busayr Crylan, these are all the fingerprints for UltraSurf; update your policy.


 

May 29, 2014 06:51 PM

You need to unzip the file first.  Then import the extracted .dat file into SEPM under the Application Control policy.

May 29, 2014 04:05 PM

Hello Elisha. I'm having trouble importing the policy into my 12.1.4023.4080 SEPM. Do I need anything other than the .dat file and admin rights for the server? Thanks for a reply.

May 02, 2013 03:10 AM

Hello Elisha.

Thanks for your policy file. It works great. Well done, we don't need to hand-input the MD5 every time.

Thank you.

Hoang Nguyen.

Mar 08, 2013 08:53 AM

Hello, how can I find the current ultrasurf.exe fingerprints? I need the u1210.exe fingerprint, thanks.

Feb 07, 2013 10:08 PM

Rather than using a hash, I created an Application Control policy that will block Ultrasurf from running, no matter what version it is.  I have attached the policy.  You can simply import this into SEPM and then assign it to the group you want to block Ultrasurf.

Jan 22, 2013 04:22 AM

 

Hello,

Please try below document for "How to block UltraSurf using Application and Device Control"

http://www.symantec.com/docs/TECH184200

Jul 10, 2012 02:22 AM

Thank you for the reply.

May 30, 2012 05:20 AM

u1201.exe             A6D19C2381AD7AF78B13E6160F69C375

May 20, 2012 10:21 PM

Hi guys! Does anyone have the latest fingerprint for u1201.exe? Thank you

Jan 09, 2012 06:37 PM

Hi,

Is there a way we can delete blocked UltraSurf files through SEP? We have files all over.

Thank you

Oct 07, 2011 07:31 AM

I have configured Application & Device Control as detailed in the above article, and the proxies are blocked, but the user notification pop-ups were not working (e.g. WARNING: You are added to the list of monitored users, Ultra Surf is Blocked) while I was trying to run the proxy.

Please help me resolve this issue.

Jun 09, 2011 06:47 PM

Ultrasurf MD5's for all versions:

by D_R_A_K_O - Monterrey, México.
 

Jan 24, 2011 03:35 AM

you have to be assured of the fingerprint characters long....so you can type it manually.

May 05, 2010 08:11 PM

do i have to type the fingerprint manually in the "match the file fingerprint" text field ?

i can't copy and paste....


please help...

urgent

edit: solved

ctrl+c ctrl+v

https://www-secure.symantec.com/connect/forums/fingerprint-problem-copy-paste

Apr 29, 2010 08:36 AM

This is a compilation of the fingerprints on this post plus other versions that I found still downloadable on the Internet.


Mar 10, 2010 09:28 AM


I tried to block some different versions of UltraSurf like b32f45b81abd9ca395ca3940250bff81 *u992.exe but my client can still run it. What can I do?

Feb 12, 2010 10:01 AM

UltraSurf 9.7 (.zip)
(md5: 8600905280a3fd95b52c7ff97ac33aa2)

UltraSurf 9.7(.exe)
(md5: 44385142f2d89be75502cff94d63f56b)

UltraSurf 9.8 (.zip)
(md5: 5d9565a71e262836efff071573082c17)

UltraSurf 9.8(.exe)
(md5: d446a55e30e28e2568ca0163f2737614)

 

Feb 12, 2010 10:01 AM

305c26c3061829ee5d1ef29d324c9758 *u99.exe
e420c6aa42e11cf6a6349faf9ea14bee *u99.zip
8c6256f180bb8096011b3fe2511d228e *u991.exe
92c7cbb1dbf11c1c7de9b128cd02f103 *u991.zip
b32f45b81abd9ca395ca3940250bff81 *u992.exe
11f0901ce03eed2e71f72b754b56164c *u992.zip

Nov 09, 2009 04:40 PM

Latest version UltraSurf 9.6 (.zip)
(md5: e0724a56a972c791ce0e9077368dabc8)

Latest version UltraSurf 9.6(.exe)
(md5: e303bb009064e63e470326201da509d0)

Update your App and Device control policies!

Jul 19, 2009 09:43 PM

Nice!
Hi Team,

Please update your files for possible deny access...
Thanks...

Jul 09, 2009 11:12 AM

Hi all!

I have listed below the md5 for Ultrasurf versions from 8.1 to 9.5 (latest).


Please note that these are the md5 checksums for the executable files (.exe).


Jun 22, 2009 07:57 PM

thanks Jobert...

Jun 22, 2009 01:03 AM

well hope to see resolved issues documented in this detailed fashion...

Jun 19, 2009 01:12 AM

nice comment, thank you for all the good advice and comments, I learned a lot

Jun 18, 2009 11:09 PM

Hi Rick... hope you could also see this link.. It would benefit generous people like you that help us resolve issues... thanks again...

https://www-secure.symantec.com/connect/idea/community-give-points-deserving-members-please-read

Hi Team,

Please check it out and hope to hear from you...
thanks...

Jun 18, 2009 11:05 PM

@RickJDS:  Thank you Rick... it is truly an honor hearing that from you... you had helped me a million times.. i guess...

thanks team for supporting...

Jun 18, 2009 05:03 AM

Nel,

Sorry, I've been meaning to comment on this thread.  Excellent, detailed instructions.  Congrats on the great article.  This will help out a lot of people.

Jun 16, 2009 04:55 AM

Nice article...
thanks...
hope this ultrasurf would be dealt with properly...

Jun 16, 2009 04:46 AM

Could SAV also detect this apps.?
thanks..

Jun 16, 2009 03:07 AM

Excellent article for NEL.

Really Appreciated :)

Thnx....'

Rgrds,
SAM

Jun 16, 2009 02:02 AM

UltraSurf is a good application used in mainland China for freedom of information.
the problem is... we are abusing it...
bad...

Jun 15, 2009 05:41 AM

very detailed! nice article!

Jun 13, 2009 03:19 AM

they are still using u89.exe and they are all blocked by my peers..

Jun 13, 2009 12:08 AM

thanks also..
I believe that Ultra Surf 9.4 is the newest we have...
guys, do we have a newer version..

by the way... please check this out that Astaro 7.4 defeats Ultra Surf...
Do you already have this on your network team?

Link listed below:
www.fose.com/files/content/docs/7_4_Release.pdf

thanks


Jun 12, 2009 11:32 PM

thanks for the info...
what by the way is the latest version of ultrasurf?
thanks..

Jun 12, 2009 10:44 PM

no problem...
I just learned that from the forum...
it is very helpful.

thanks..

Jun 09, 2009 04:25 PM

you can find a huge list of proxy sites at the link below;
http://abhisays.com/internet/list-of-popular-proxy-sites.html

but blocking all of them may not be feasible; thus what is practical is to block those proxies that are being used widely in your network

Jun 09, 2009 04:14 PM

i also agree with you on this;

waiting for blocking of more proxies and those finger print

Jun 08, 2009 11:34 AM

thanks for the info it really helps :)

Jun 08, 2009 11:29 AM

Thanks for the tip...
They're using U94.exe version before to bypass policies, now it did not work.

Jun 08, 2009 11:14 AM

Keep on digging more MD5 for ultrasurf..
by the way are there other proxies available that the users might use?
thanks...

Jun 06, 2009 06:29 AM

Thanks for the valuable information..
great work...

Jun 05, 2009 11:17 PM

Well done bro...
hope we have more detailed steps for us newbies in AV..
thanks...

Jun 05, 2009 10:34 PM

You are 100% right on the dime shaun_b...
Now the clients are complaining about them not connecting to the internet but after checking that they are using proxies.. they became very silent... they don't want to get caught red-handed...
thanks to all that help in the Symantec community...
We all rock !

Jun 05, 2009 11:32 AM

Great write up!!! Yeah ultrasurf is quite a pain in the butt.
