Here is the step-by-step process to block Ultra Surf from being used by your clients.
To start with, Ultra Surf leaves a fingerprint that the admin needs as a constant value to match against. Fortunately, the fingerprint is also shown when you open Ultra Surf. Listed below are the fingerprints for the Ultra Surf variants available on the web:
1. UltraSurf 9.4 (.exe)
md5: 11bc744801b516d0b84fba5850ec8789
2. UltraSurf 9.4 (.zip)
md5: 8aed5412df0f621e399c78a7f408c6fb
3. UltraSurf 9.2 (.exe)
md5: 4b498bcac14da546f420cd08bae1894b
4. UltraSurf 8.9 (.exe)
md5: f556271e1338dfc224cbebf6fe8f8eae
5. UltraSurf 8.8 (.exe)
md5: 4e3a66482ef96368251d91b4f5ae0fda
6. Firefox add-on (.zip)
md5: 6ce151b1b0ef8430031a8e9a69f38806
Log in to the SEPM console as a full administrator and go first to the group that you will apply the policy to. Under the Policies tab, open the “application and device control policy” found within the location-specific policies.
Proceed to Application Control and click on “block applications from running”. The enabled rule set can be put in either production or test-only mode. It is advisable to set it to test mode first and check later whether the process was successful.
Edit the “block applications from running” rule and create a “Launch process attempts” sub-rule under “Block applications from running”. Click the Add button under “apply to the following process”. Click Options to see “Match the file fingerprint”, and from there put the Ultra Surf MD5 in the space provided and click OK. When you are back on the “Edit Application Control Set” page, click on the Actions tab to choose among the following options that we administrators can use as an action:
1. Continue processing other rules
2. Allow access
3. Block access
4. Terminate process
We could also use the “send the user a message” option so that users are aware that they are being monitored, which discourages them from using or accessing Ultra Surf in the future.
Always remember the following after placing new policies on the specified computer groups:
1. The updated content needs to be pushed to the client group
2. We could also pull the updated policy from the client
3. It is better to reboot the computer for the updates to take effect
4. Verify that the policy serial number for the group is the same as the computer's SEP policy number
5. Test whether the policy is now working by checking the log via TruScan Proactive Threat Scan
6. Please note that if you set the enabled rule set to test only, Ultra Surf might still work, but it will be logged in the Logs under “Application and Device Control”
7. Also roll out any such change to a small group of computers before implementing it globally across the whole organization
8. Always keep documentation for review
9. Always check for new fingerprints when new UltraSurf versions become available
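The fingerprint match used in the rule above can be reproduced outside SEPM to sweep a folder or share for copies of the listed builds. This is an added example, not part of the original article or of any Symantec tool; the function names `md5_fingerprint` and `find_known_files` are assumptions made for the illustration, and the hash table is copied from the list in this article.

```python
import hashlib
import os

# MD5 fingerprints listed in this article, keyed by hash.
KNOWN_FINGERPRINTS = {
    "11bc744801b516d0b84fba5850ec8789": "UltraSurf 9.4 (.exe)",
    "8aed5412df0f621e399c78a7f408c6fb": "UltraSurf 9.4 (.zip)",
    "4b498bcac14da546f420cd08bae1894b": "UltraSurf 9.2 (.exe)",
    "f556271e1338dfc224cbebf6fe8f8eae": "UltraSurf 8.9 (.exe)",
    "4e3a66482ef96368251d91b4f5ae0fda": "UltraSurf 8.8 (.exe)",
    "6ce151b1b0ef8430031a8e9a69f38806": "Firefox add-on (.zip)",
}


def md5_fingerprint(path, chunk_size=1 << 20):
    """Return the lowercase hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_known_files(root, known=KNOWN_FINGERPRINTS, extensions=(".exe", ".zip")):
    """Walk root and return sorted (path, label) pairs whose MD5 is in known."""
    matches = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            # The file name is only a pre-filter; the match is on content.
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(folder, name)
            try:
                label = known.get(md5_fingerprint(path))
            except OSError:
                continue  # unreadable or locked file: skip it
            if label:
                matches.append((path, label))
    return sorted(matches)


if __name__ == "__main__":
    import sys
    for path, label in find_known_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}: {path}")
```

Because the match is on file content, a renamed copy is still found, but any build whose bytes differ from the listed ones is not, which is why item 9 above matters.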
Lastly, UltraSurf is not a bad application, since it is used in mainland China to have the freedom to be informed, specifically about the outside world. It becomes a liability if users run it to violate company rules, which makes a breach in the system for viruses to infect the computers they are using as well as others. I hope that this will help other administrators block UltraSurf from being used.
I would also like to thank mon_raralio and trusted advisor RickJDS for all the valuable help and guidance.
This is just my simple way to repay their goodness by making this article to help others.
Thank you all...