Here is the step-by-step process to stop your clients from accessing UltraSurf. To start with, UltraSurf leaves a fingerprint that the administrator will need as a constant value. Fortunately, the fingerprint is also included when you open UltraSurf. Listed below are the fingerprints for the UltraSurf variants available on the web:

1. UltraSurf 9.4 (.exe) md5: 11bc744801b516d0b84fba5850ec8789
2. UltraSurf 9.4 (.zip) md5: 8aed5412df0f621e399c78a7f408c6fb
3. UltraSurf 9.2 (.exe) md5: 4b498bcac14da546f420cd08bae1894b
4. UltraSurf 8.9 (.exe) md5: f556271e1338dfc224cbebf6fe8f8eae
5. UltraSurf 8.8 (.exe) md5: 4e3a66482ef96368251d91b4f5ae0fda
6. Firefox add-on (.zip) md5: 6ce151b1b0ef8430031a8e9a69f38806

Log in to the SEPM console as a full administrator and go first to the group that you will apply the policy to. Under the Policies tab, go to the “Application and Device Control policy” found within the location-specific policies. Go to Application Control and click “Block applications from running”. The enabled rule set can be set to production or test only. It is advisable to set it to test mode first and check later whether the process was successful.

Edit the “Block applications from running” rule and create a “Launch process attempts” sub-rule under it. Click the Add button under “Apply to the following process”. Click Options to see “Match the file fingerprint”, enter the UltraSurf MD5 in the space provided, and click OK.

On the “Edit Application Control Set” page, click the Actions tab to choose among the following actions available to administrators:

1. Continue processing other rules
2. Allow access
3. Block access
4. Terminate process

We can also use the “send the user a message” option so that users are aware that they are being monitored, which discourages them from using or accessing UltraSurf in the future.

Always remember the following after placing new policies on the specified computer groups:

1. The updated content needs to be pushed to the client group.
2. We can also pull the updated policy from the client.
3. It is better to reboot the computer for the updates to take effect.
4. Verify that the policy serial number for the group is the same as the computer's SEP policy number.
5. Test whether the policy is now working by checking the log via TruScan Proactive Threat Scan.
6. Please note that if you set the enabled rule set to test only, UltraSurf might still work, but it will be logged under Logs in “Application and Device Control”.
7. Also apply any project to a small group of computers first before implementing it globally across the whole organization.
8. Always keep documentation for review.
9. Always check for new fingerprints when new UltraSurf versions become available.

Lastly, UltraSurf is not a bad application, since it is used in mainland China to have the freedom to be informed, specifically about the outside world. It becomes a liability if users run it to violate company rules, which makes a breach in the system for viruses to infect the computers they are using as well as others.

I hope that this will help other administrators block UltraSurf from being used. I would also like to thank mon_raralio and trusted advisor RickJDS for all the valuable help and guidance. This is just my simple way to repay their goodness by making this article to help others. Thank you all...
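The “Match the file fingerprint” rule compares MD5 values, and item 9 asks administrators to keep collecting fingerprints for new versions. As an added example (not part of the original article or of Symantec's tooling), this Python script computes MD5 fingerprints and reports files under a folder that match the list; the function names are chosen here, and the fingerprints are the six from the article.

```python
import hashlib
import os
import string

# MD5 fingerprints copied from the article above (lowercase hex).
ARTICLE_FINGERPRINTS = {
    "11bc744801b516d0b84fba5850ec8789": "UltraSurf 9.4 (.exe)",
    "8aed5412df0f621e399c78a7f408c6fb": "UltraSurf 9.4 (.zip)",
    "4b498bcac14da546f420cd08bae1894b": "UltraSurf 9.2 (.exe)",
    "f556271e1338dfc224cbebf6fe8f8eae": "UltraSurf 8.9 (.exe)",
    "4e3a66482ef96368251d91b4f5ae0fda": "UltraSurf 8.8 (.exe)",
    "6ce151b1b0ef8430031a8e9a69f38806": "Firefox add-on (.zip)",
}

def normalize_md5(value):
    """Return a lowercase 32-character MD5 string, or raise ValueError."""
    cleaned = value.strip().lower()
    if len(cleaned) != 32 or any(c not in string.hexdigits for c in cleaned):
        raise ValueError(f"not a 32-character MD5 fingerprint: {value!r}")
    return cleaned

def md5_of_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large executables are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_matches(root, fingerprints):
    """Walk root and return sorted (path, label) pairs for listed files."""
    wanted = {normalize_md5(k): v for k, v in fingerprints.items()}
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                label = wanted.get(md5_of_file(path))
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            if label:
                hits.append((path, label))
    return sorted(hits)

if __name__ == "__main__":
    for path, label in find_matches(".", ARTICLE_FINGERPRINTS):
        print(f"{label}: {path}")
```

Because the comparison is exact, a file whose bytes differ at all from a listed build will not match, which is why each new UltraSurf version needs its fingerprint added to the policy.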
Has anyone had experience blocking the Ultrasurf extension in Google Chrome and Firefox?
Appreciate if you can share how it was done.
Thank you!
Dear Busayr Crylan, these are all the fingerprints for Ultrasurf; update your policy.
You need to unzip the file first. Then import the extracted .dat file into SEPM under the Application Control policy.
Hello Elisha. I'm having trouble importing the policy into my 12.1.4023.4080 SEPM. Do I need anything other than the .dat file and admin rights for the server? Thanks for a reply.
Hello Elisha.
Thanks for your policy file. It works great. Well done, we don't need to input the MD5 by hand every time.
Thank you.
Hoang Nguyen.
Hello, how can I find the current ultrasurf.exe fingerprints? I need the u1210.exe fingerprint, thanks.
Rather than using a hash, I created an Application Control policy that will block Ultrasurf from running, no matter what version it is. I have attached the policy. You can simply import this into SEPM and then assign it to the group you want to block Ultrasurf.
Hello,
Please try the document below for "How to block UltraSurf using Application and Device Control":
http://www.symantec.com/docs/TECH184200
Thank you for the reply.
u1201.exe A6D19C2381AD7AF78B13E6160F69C375
Hi guys! Does anyone have the latest fingerprint for u1201.exe? Thank you.
Hi,
Is there a way we can delete blocked Ultrasurf files through SEP? We have files all over.
Thank you
I have configured Application & Device Control as detailed in the above article, and the proxies are blocked, but the user notification pop-up was not working (e.g.: WARNING: You are added to the list of monitored users, Ultra Surf is Blocked) while I am trying to run the proxy.
Please do help me to resolve this issue.
Ultrasurf MD5's for all versions:
by D_R_A_K_O - Monterrey, México.
You have to be assured of how many characters long the fingerprint is... so you can type it manually.
UltraSurf 9.7 (.zip) (md5: 8600905280a3fd95b52c7ff97ac33aa2)
UltraSurf 9.7 (.exe) (md5: 44385142f2d89be75502cff94d63f56b)
UltraSurf 9.8 (.zip) (md5: 5d9565a71e262836efff071573082c17)
UltraSurf 9.8 (.exe) (md5: d446a55e30e28e2568ca0163f2737614)
Thanks for the tip... They were using the U94.exe version before to bypass policies; now it did not work.