Endpoint Protection


How to block IPMsg.exe [www.ipmsg.org/index.html.en]

  • 1.  How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Jul 29, 2009 07:41 AM
    Hi,

    I want to block IPMsg.exe. It's an IP Messenger software which users are using to chat and transfer files across LAN/WAN link.

    www.ipmsg.org/index.html.en

    In fact I have blocked it by adding the fingerprint value in the block rule of application & device control, but still if the user has an old version of IPMsg.exe they are still able to use it.

    Further, if I block the process ipmsg.exe in the block rule of application & device control, the user renames the file and uses it.

    Please let me know how we can block the same rather than adding 10-15 fingerprint values.

    Rgrds,
    SAM



  • 2.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Jul 29, 2009 08:27 AM
    Hi,

    You may first find all the applications users are running and then create a firewall rule to block it.


    Check "About learned application" in the SEPM help tab

    This is the best you can get,

    Rafeeq



  • 3.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Jul 29, 2009 01:54 PM
    Have you installed NTP on the PCs?

    Go to firewall policy.
    Add blank rule.
    Block the port no 2425 TCP & UDP bidirectionally.

    Nobody will be able to use ipmsg unless and until NTP is removed or SEP is uninstalled.

    We have done this for 10000 users.

    Regards...
    Ramji Iyyer


  • 4.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Jul 29, 2009 02:38 PM
    Anything else use those ports?
    If not, there's a great solution.


  • 5.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Jul 31, 2009 06:57 AM

    UDP port 2425 uses the Datagram Protocol, a communications protocol for the Internet network layer, transport layer, and session layer. This protocol when used over PORT 2425 makes possible the transmission of a datagram message from one computer to an application running in another computer. Like TCP (Transmission Control Protocol), UDP is used with IP (the Internet Protocol) but unlike TCP on Port 2425, UDP Port 2425 is connectionless and does not guarantee reliable communication; it's up to the application that received the message on Port 2425 to process any errors and verify correct delivery.


    Mostly we are not using Port 2425.


    Regards...
    Ramji Iyyer



  • 6.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 01, 2009 03:03 PM
    Hi Sam,
    Can you please update on this issue?


  • 7.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 01, 2009 10:16 PM
    Just to add to this thread since it was brought back to the surface. Blocking the port number is not perfect for this application. Check out this blog which shows users how to run IP messenger on a different port http://www.technospot.net/blogs/how-to-run-ip-messenger-on-different-port-number/ . Most messengers have this sort of feature so blocking the port is a poor choice if users are smart. I think learned application is a much better answer.

    Cheers
    Grant



  • 8.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 02, 2009 09:31 AM
    Hi, what are you trying to block? The ipmsg site, or the executable application?


  • 9.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 02, 2009 02:39 PM
    He is trying to block the actual exe itself. But by blocking the port number that the program uses he/she is effectively disabling it. There are two problems with this approach though:

    1. If another program currently uses this port it will be a conflict or if you install a program in the future that uses this port you will have to then address this problem.

    2. As I posted above the users can simply change the port it uses so this approach is useless (it took me 5 seconds to google "ipmsg how to change port number").

    The original problem was that blocking by the specific md5 fingerprint was not good enough, because if people were using a legacy copy then it wouldn't be blocked. Also you would have to keep updated whenever a new version came out. This is the kind of scenario that learned applications is supposed to address. So that is still my suggestion.


    Cheers
    Grant


  • 10.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 12:35 AM
    Hi Grant,

    I agree with your feedback.

    Secondly, how can we block the same via learned application?

    Any KB for this will be appreciated.

    Thank you.

    Rgrds,
    SAM


  • 11.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 12:56 AM
    Hi, here is the procedure on how to block the ipmsg.exe

    https://www-secure.symantec.com/connect/forums/how-block-applications-sep-using-md5

    and also this is the md5 file of ipmsg.exe - 749453AF77844F9FDA248BE43ED71859


  • 12.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 01:45 AM
    Again he states in the very first post "Infact I have block by adding the fingerprint value in block rule of application & device control but still if the user has old version of IPMsg.exe they are still able to use it." So he has already done this, and it won't work for legacy programs, unless he can find a download for the old versions somewhere (but who wants to do that??). Sometimes it is impossible to find all of the md5's. That is why learned applications is the ONLY way to go. ; )

    Grant-



  • 13.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 01:50 AM
    Away from my main computer right now, but I found a quick run through on a different thread for you. This is the method you should follow.

    "You can simply go to communication settings for your group under Clients > Policies and check the "Learn applications that run on client computers" box. As per the description, "Clients will keep track of every application that is run and send the collected data to the management server." Once the logs are uploaded to the server, you can simply search for the application under Policies > Expand Policy Components > File Fingerprint Lists > Search for Applications. Once in this screen you can search by application name, file fingerprint, path, or you can list all the applications for specific computers, groups, etc. Once you find the application it should list the file fingerprint/md5. "

    Once you have all possible md5 from legacy programs it is quite easy to block any program you wish running on any client computer. I can post the actual kb on this tomorrow if you would like, but I think this is enough to get you started. I believe it is all in the user manual too. If anything is unclear on this please post or pm me.

    Cheers
    Grant
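
An added example, not part of any post in this thread and not Symantec code: it shows how an exported application inventory can be turned into one fingerprint list that covers both renamed copies and legacy builds. The record layout, computer names and every hash except the MD5 quoted in post 11 are constructed for illustration.

```python
import hashlib
from fnmatch import fnmatch

# MD5 quoted in post 11 of this thread for one ipmsg.exe build.
SEED_MD5 = "749453AF77844F9FDA248BE43ED71859"

def fake_md5(label):
    """Constructed stand-in hash for a sample binary (not a real file hash)."""
    return hashlib.md5(label.encode()).hexdigest().upper()

LEGACY = fake_md5("constructed legacy ipmsg build")
NOTEPAD = fake_md5("constructed notepad build")

# Constructed inventory rows: (computer, file name, MD5).
RECORDS = [
    ("PC-01", "ipmsg.exe", SEED_MD5),
    ("PC-02", "notepad.exe", SEED_MD5),  # current build, renamed by the user
    ("PC-03", "IPMsg.exe", LEGACY),      # older build, original name
    ("PC-04", "notepad.exe", NOTEPAD),   # the genuine notepad.exe
    ("PC-05", "calc2.exe", LEGACY),      # older build, renamed
]

def build_fingerprint_list(records, seed_md5s, seed_names):
    """Return (md5s_to_block, renamed_sightings).

    Pivot name -> hash only for the seed name patterns. Names discovered
    through a hash match (notepad.exe here) are rename evidence and are never
    used to pull in more hashes, or the genuine notepad.exe would be blocked.
    """
    def is_seed_name(name):
        return any(fnmatch(name.lower(), pat) for pat in seed_names)

    block = {h.upper() for h in seed_md5s}
    for _, name, md5 in records:
        if is_seed_name(name):
            block.add(md5.upper())  # legacy build seen under the original name
    renamed = sorted(
        (pc, name) for pc, name, md5 in records
        if md5.upper() in block and not is_seed_name(name)
    )
    return block, renamed

if __name__ == "__main__":
    block, renamed = build_fingerprint_list(RECORDS, [SEED_MD5], ["ipmsg*.exe"])
    print("fingerprints to block:", sorted(block))
    print("renamed copies seen:", renamed)
```

A build that has only ever been seen under a new name stays invisible to both pivots, so the list needs re-running as new inventory data arrives.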



  • 14.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 02:06 AM
    Hi Grant,

    So by adding the new learned application, will it block the legacy versions also if a user tries to use it?

    Rgrds,
    SAM


  • 15.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 02:43 AM
    You will be able to find out all the apps used in your network including ipmsg. In that list you can select all the versions of ipmsg and can block them...


  • 16.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 06:07 AM
    Hi, we already tried to block the ipmsg.exe here in our environment, using md5 file. I'm just wondering why it is not working in your environment. Have you checked if the policy has successfully applied to the client? What is the version of your SEP clients?


  • 17.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 03, 2009 06:49 AM
    Hi peterpan,

    We are using SEP mr4mp2.

    Further to the same, try with the legacy version of IP Msgr and check whether they are getting blocked or not.

    I am 101% sure that it will not get blocked. Pls do not believe in users. They are very smart dude ;)

    Pls check.

    Rgrds,
    SAM


  • 18.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 04, 2009 02:35 AM
    Blocking 2425 in NTP has made me very happy and the users very sad. Users love IP Messenger because it allows them to transfer files and not just chat. Very nast... they try to transfer entire ISOs through it.


  • 19.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 04, 2009 04:59 AM
    Dear Ramji,

    I was searching for this solution for a long time.

    It really works.

    Warm regards,
    Sumit Bose


  • 20.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 04, 2009 05:15 AM
    I tried all the possible tricks that a user can do to execute the IPMSG.exe. Can you post the file fingerprint of the ipmsg.exe that you have so I can compare with our ipmsg here? Thanks


  • 21.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Aug 04, 2009 05:16 AM
    I tried all the possible tricks that a user can do to execute the IPMSG.exe. Can you post the file fingerprint of the ipmsg.exe that you have so I can compare with our ipmsg here? Thanks


  • 22.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Sep 10, 2009 04:19 AM
    Hey, pls can you send me the commands for how you did the blocking of port 2425?

    Was an ACL created on the switch?

    Pls send me the commands in detail.

    Thanks in advance :)


  • 23.  RE: How to block IPMsg.exe [www.ipmsg.org/index.html.en]

    Posted Sep 10, 2009 04:59 AM
    Hi Gemmy,

    Pls create a policy in SEPM firewall to block TCP/UDP port 2425 in both directions and push the policy to the client machines.

    Rgrds,
    SAM