FortiGate
avargas
Staff
Article Id 198204
Description
This article provides some basic troubleshooting steps to block Ultrasurf 15.0.4.
Solution
1) Enable AntiVirus and Application Control

Go to System -> Config -> Features and make sure both 'AntiVirus' and 'Application Control' are enabled. If necessary, Apply the changes.

2) Edit the default Application Control profile

Go to Security Profiles -> Application Control and edit the default profile. Under 'Applications Override', select 'Add Signatures'.

Search for 'ultrasurf'. Select the signatures, then select 'Use Selected Signatures'.
The signatures will be added to the list, with Action set to block. It will also be required to block the signature 'Freegate.Searching'.
To include all proxy applications, choose to block the entire Proxy category.

3) Adding AntiVirus and Application Control profiles to a security policy

Go to Policy & Objects -> Policy -> IPv4 and edit the policy that allows connections from the internal network to the Internet.
Under 'Security Profiles', enable both 'AntiVirus' and 'Application Control' and set both to use the default profiles. Set SSL/SSH Inspection to deep-inspection.*

4) Update the AntiVirus and IPS definitions.

5) Create the following custom application signature and include it in the Application Control profile.

config application custom
    edit U1503
        set signature "F-SBID( --attack_id 6297; --name Ultrasurf.Google.Appspot.Custom; --protocol tcp; --app_cat 6; --flow from_client; --service HTTP; --pattern uswj; --context host; --no_case; --pattern .appspot.com; --context host; --no_case; --distance 0; --pattern /_NUkSUAWuxrJHx1yWEobaJK2IwVyFabWQPdoXTNWJWr30/; --context uri; --within 100,context; )"
        set category 6
        set protocol All
        set behavior 3
        set vendor All
        set technology All
    next
end

6) Once created, select the custom signature in the Application Control profile with the action set to block, then test again.

Enable deep inspection, enable "Inspect All Ports", and delete the utmp folder on the PC before running the test.
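The GUI steps 1 to 3 above as an equivalent CLI script, added here as an example and not part of the original article. It assumes FortiOS 5.2-era syntax, the interface names "internal" and "wan1", policy ID 1, and that a Proxy-category (6) block entry also covers the custom signature, since that signature declares --app_cat 6; the individual Ultrasurf signature IDs are not given on this page, so the category block stands in for them.

```fortios
# Step 1: make AntiVirus and Application Control visible in the GUI (FortiOS 5.2-era keywords, assumed)
config system global
    set gui-antivirus enable
    set gui-application-control enable
end

# Step 2: block the whole Proxy category (6) in the default Application Control profile.
# This replaces adding the Ultrasurf / Freegate.Searching signatures one by one, and
# (assumption) also matches the custom signature above because it declares --app_cat 6.
config application list
    edit "default"
        config entries
            edit 1
                set category 6
                set action block
            next
        end
    next
end

# Step 3: attach both default profiles and deep SSL/SSH inspection to the
# internal-to-Internet policy. Interface names and policy ID are placeholders.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set application-list "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
```

After applying it, re-run the Ultrasurf test from a client behind the "internal" interface and confirm in the Application Control logs that the block entry fires; without deep inspection the SSL-wrapped Ultrasurf traffic is not visible to the signatures.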

