
How to block “Ammyy Admin” in network?

This tutorial will guide you to block “Ammyy” with “WFilter Enterprise 4.0”.

First, add the “Ammyy” protocol.

Ammyy has one pattern:
“ammyy_tcp”:
  Type — “TCP SEND”
  Format — “0”
  Content — “^\x25[\x00-\xff]{4}\x2e\xf4\xff\xff”

Second, Enable blocking of Ammyy in certain blocking levels.

And apply this blocking policy to certain computers.

Now, Ammyy will be blocked.

WFilter blocking events:

Ammyy fails to connect.

Related Links:

http://blog.wfilterngf.com/How+To+Block+TeamViewer+On+My+Network+Using+WFilter.aspx

How to block hotspot shield in network?

Hotspot Shield is a free VPN service for accessing blocked websites. With Hotspot Shield, users can bypass the internet filter on your network.

So, to enforce internet access policies in business networks, you need to block Hotspot Shield traffic.

This tutorial will guide you to block hotspot shield with WFilter.

Add hotspot shield protocol

Because “hotspot shield” is not a default protocol of WFilter, you need to define it manually in “Customize Protocols”.

As in the above figure, add a new protocol named “HotSpot” in “Customize Protocols”. Three patterns are required:

UDP send pattern 1: “^\x88[\x00-\xff]{8}(\x00){5}$”

UDP send pattern 2: “^\x28[\x00-\xff]{9}(\x00){4}”

TCP send pattern: “\x00\x0e\x88[\x00-\xff]{8}(\x00){5}$”

Enable blocking of “hotspot shield”

Now, by enabling “Block hotspot” in blocking level settings, hotspot will be blocked.


Please note:

Hotspot can be completely blocked when your WFilter is deployed in “pass-through” mode. However, in “pass-by” mode, for complete blocking of hotspot, you also need to block UDP ports 900-65534 in your router or firewall. Check: How to block certain UDP ports in router/firewall?

How to customize WFilter reports by directly querying the database?

Though WFilter already has many reports by default, there is a chance that you will need other report formats or data. In this case, you can query the database tables directly to get what you need.

Customizing reports is complicated with the WFilter file-based version, so you need to install the WFilter database version first. For installation steps, please check: WFilter Database Version Installation Guide

There is a “web surfing time report” in “Detailed Reports”->“Web Report”. In the WFilter user interface you can generate this report “by name” or “by website”. If you need a web surfing time report both “by name” and “by website”, you need to write a custom SQL query. The data is stored in the table “webreport”, which has the structure below:


create table webreport
(
    mac char(12) NOT NULL,   /* MAC address */
    ip varchar(20),          /* ip address */
    acct varchar(200),       /* domain username */
    happendate varchar(10),  /* date */
    method char(1),          /* 0 – get, 1 – post */
    categoryid varchar(10),  /* website category id */
    host varchar(100),       /* website domain name */
    visitcnt varchar(20),    /* visits number */
    duration varchar(20)     /* surfing time in seconds */
)


1. Web surfing time report by ip address

To get a report by IP address and website for a certain date, you can execute a SQL query like:

select ip, host, sum(convert(int, duration)) cnt
from webreport
where happendate >= '20120803' and happendate < '20120804' and ip is not null
group by ip, host
order by ip, cnt desc

You will get data like this:

192.168.1.131 www.google.com 226
192.168.1.131 forum.imfirewall.us 192
192.168.1.131 ct1.addthis.com 180
192.168.1.131 l.yimg.com 180
192.168.1.131 sports.yahoo.com 153
192.168.1.20 m614.mail.qq.com 266
192.168.1.20 share.baidu.com 254
192.168.1.20 forum.imfirewall.us 200
192.168.1.20 hm.l.qq.com 180
192.168.1.20 info.iet.unipi.it 180

2. Web surfing time report by user

If you have “Account Monitoring” enabled, you can also generate reports based on AD usernames. The SQL query will be:

select acct, host, sum(convert(int, duration)) cnt
from webreport
where happendate >= '20120803' and happendate < '20120804' and acct is not null
group by acct, host
order by acct, cnt desc

You will get data like this:

CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com 226
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng forum.imfirewall.us 192
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng l.yimg.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng ct1.addthis.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng sports.yahoo.com 153
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng test.org.uk 96
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.yahoo.com 72
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.bc.yahoo.com 67
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.websense.com 59
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.g.doubleclick.net 34
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com.hk 31


Please note that the “acct” column is URL-encoded. You need to URL-decode it to get a readable username.

Online urldecode.
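The decoding step can also be done in a script while post-processing the query result. The Python below is an added example, not part of WFilter; the rows are constructed from the sample output above, and it assumes the text after the decoded “/” is the username, as in that sample.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed rows in the (acct, host, duration) shape returned by the
# "by user" query; duration is a string because the column is varchar(20).
ROWS = [
    ("CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng", "www.google.com", "226"),
    ("CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng", "forum.imfirewall.us", "192"),
    ("CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng", "*.bc.yahoo.com", "67"),
    (None, "l.yimg.com", "180"),                                      # no account captured
    ("CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng", "test.org.uk", "n/a"),  # bad duration
]


def decode_acct(acct):
    """Return (container, username) from a URL-encoded acct value.

    Assumption: the text after the last '/' is the username.
    """
    if not acct:
        return ("", "")
    container, _, user = unquote(acct).rpartition("/")
    return (container, user)


def surfing_time_by_user(rows):
    """Sum seconds per (username, host), longest first.

    Rows without an account or without a numeric duration are skipped.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for acct, host, duration in rows:
        _, user = decode_acct(acct)
        if not user or not str(duration).isdigit():
            continue
        totals[user][host] += int(duration)
    return {
        user: sorted(hosts.items(), key=lambda kv: kv[1], reverse=True)
        for user, hosts in totals.items()
    }


if __name__ == "__main__":
    for user, hosts in surfing_time_by_user(ROWS).items():
        for host, seconds in hosts:
            print(f"{user:12} {host:24} {seconds}")
```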

When shall you use two network cards for monitoring and blocking?

In “pass-by” filtering mode (WFilter works on a mirroring port), WFilter sends RST packets to block TCP connections. However, if outgoing traffic is limited on the blocking adapter, the blocking feature of WFilter might not work.

By default, WFilter uses the same adapter for monitoring and blocking. However, this will not work if either of the following conditions is met.

  1. The monitoring switch does not allow outgoing traffic on the mirroring port. You can check this by pinging other computers from the monitoring computer. This problem can be solved by changing the switch settings (if supported) or by adding a separate blocking adapter. Cisco switches have a parameter “ingress” to enable outgoing traffic on the mirroring port.
  2. The monitoring adapter is too busy receiving mirrored packets. We recommend using another NIC for blocking when you have 50+ computers. To check this issue, you can run “System Settings”->“Check Settings” to perform a check on the blocking adapter.

Steps to add a blocking adapter

1. Add a physical network card and connect this NIC to a normal port in your switch. If you have multiple VLANs, the blocking adapter shall be in a VLAN which can reach other VLANs.

2. Assign an available ip address and gateway settings to the new NIC.

3. If WFilter does not detect the new card in “System Settings”->“Monitoring Settings”, please click “Start”->“IMFirewall WFilter”->“Tools”->“Restart WFilter Service” to reload the adapters list.

4. Choose the new network card as the “blocking adapter” in “System Settings”->“Monitoring Settings”->“Monitoring Device Settings”.

5. Run “System Settings”->“Check Settings” to check.

6. Sometimes Windows cannot choose the correct network card for communication. In that case, please check this topic to set the “Metric”: Blocking adapter doesn’t work when using two network cards

Further reading:

How WFilter works to block internet connections in network?

How to block VNC traffic of network computers with WFilter?

VNC® provides secure remote access to computers from any location for your home and organization. RFB is the protocol used in VNC and its derivatives.


This tutorial will guide you to block VNC with “WFilter Enterprise 4.0”. Because blocking of VNC is not supported by default in WFilter, in this example we use the “Customize Protocols” feature of WFilter to define the VNC protocol.


First, add the “VNC” protocol in “Customize Protocols”.


In “Customize Protocols”, create a new protocol named “vnc”.



VNC has a pattern:
“vnc_tcp”:
Type–“TCP ALL”
Format–“0”
Pattern Content–“^\x52\x46\x42\x20\x30\x30”
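
The signatures on this page (Ammyy, Hotspot Shield and VNC) can be checked offline against known payloads before they are enabled in a blocking level. The Python below is an added example, not WFilter code; it assumes WFilter's pattern syntax behaves like Python's re module on raw payload bytes, and every sample payload is constructed to fit a pattern, except the VNC sample, which is the RFB 3.8 version banner.

```python
import re

# Patterns copied from this page. Assumption: WFilter evaluates them the way
# Python's `re` evaluates byte patterns against a single packet payload.
SIGNATURES = {
    "ammyy_tcp": rb"^\x25[\x00-\xff]{4}\x2e\xf4\xff\xff",
    "hotspot_udp_1": rb"^\x88[\x00-\xff]{8}(\x00){5}$",
    "hotspot_udp_2": rb"^\x28[\x00-\xff]{9}(\x00){4}",
    "hotspot_tcp": rb"\x00\x0e\x88[\x00-\xff]{8}(\x00){5}$",
    "vnc_tcp": rb"^\x52\x46\x42\x20\x30\x30",
}
COMPILED = {name: re.compile(rx) for name, rx in SIGNATURES.items()}

# Constructed payloads (not captured traffic): one per signature, plus
# payloads that must not trigger any signature.
SAMPLES = {
    "ammyy": b"\x25" + b"\x10\x00\x00\x00" + b"\x2e\xf4\xff\xff" + b"\x01\x02",
    "hotspot_udp_1": b"\x88" + b"\xcc" * 8 + b"\x00" * 5,
    # One extra byte after the zero run: the trailing "$" must reject it.
    "hotspot_udp_1_trailing": b"\x88" + b"\xcc" * 8 + b"\x00" * 5 + b"\x01",
    "hotspot_udp_2": b"\x28" + b"\xaa" * 9 + b"\x00" * 4 + b"\x11\x22",
    "hotspot_tcp": b"\x00\x0e\x88" + b"\xbb" * 8 + b"\x00" * 5,
    "vnc": b"RFB 003.008\n",   # RFB ProtocolVersion banner; pattern is ASCII "RFB 00"
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "short_rfb": b"RFB",       # truncated banner, shorter than the pattern
}


def classify(payload: bytes) -> list:
    """Names of all signatures that match the payload."""
    return [name for name, rx in COMPILED.items() if rx.search(payload)]


def report(samples=SAMPLES) -> dict:
    """Map each sample name to the signatures it triggers."""
    return {label: classify(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:24} -> {hits or 'no match'}")
```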


Second, Enable blocking of VNC in certain blocking levels.


And apply this blocking policy to certain computers.


Now, VNC will be blocked.


WFilter blocking events:


VNC fails to connect.

WFilter adds solution for monitoring terminal server users.

Terminal Services allows IT departments to install applications on a
central server.
For example, instead of deploying database or accounting software on all
desktops, the applications can simply be installed on a server and
remote users can log on and use them via the network.
This centralization makes upgrading, troubleshooting, and software
management much easier.

However, since all terminal clients share the server’s network, it
becomes difficult to monitor/filter individual users internet usage
because most internet monitoring/filtering products only monitor/filter
internet activities based on ip addresses or MAC addresses.

Starting with WFilter version en.3.3.148, the WFilter proxy’s “user authentication” feature lets you monitor terminal client users and set a different internet policy for each user.

Please check details of this solution at: How to monitor terminal server users?

How to block proxy websites in network?

Even when a content filtering product is deployed in your network, some experienced users can still bypass the content filter via proxies.

There are three kinds of proxies:

1). Proxy server

A proxy server provides proxy service for applications to access the internet via a proxy protocol, including HTTP, FTP, SSL and SOCKS proxy. SOCKS protocol description

2). Proxy Website

A proxy site is a web page which allows you to browse your favorite web sites – even though your access to those web sites might be blocked by a content filter.

3). VPN tunnel service

Online VPN services, for example Tor. Please check this blog for how to block Tor.

In this tutorial, I will guide you to block proxy servers and proxy websites.

1. How to block proxy servers?

We can block proxy servers simply by blocking proxy protocols, such as HTTP and SOCKS.

2. How to block proxy websites?

2.1 Using website black list to block proxy sites

You can add proxy websites to a website black list to be blocked.

However, since a website black list cannot contain all proxy websites, we recommend enabling “URL keywords filtering” and “Web access rules” to block proxy websites based on our URL database and URL keywords.

2.2 Using URL keywords to block proxy sites

Add “proxy” and “unblock” to “Proxies”. URLs containing these keywords will then be blocked.

2.3 Using “Web access rules” to block proxy sites

Websites in “Proxies” category will be blocked. WFilter already has a default URL database which contains most common websites.

How to block PPStream online video in network?

Many people are eager to know how to block PPS in their network because their roommates or family members eat up their bandwidth by using PPS. PPS is hard to block because it can use any random port.


What is PPStream?


PPS (PPStream) is a Chinese peer-to-peer streaming video network software. Since the target users are in the Chinese mainland, there is no official English version, and the vast majority of channels are from Eastern Asia, mostly Mainland China, Korea, Japan, Hong Kong, Taiwan and Singapore. Channels range from Chinese movies to Japanese anime, sports channels, and popular American TV and films.


It broadcasts TV programs stably and smoothly to broadband users. Compared to traditional streaming media, PPStream adopts P2P-streaming technology and supports high-volume traffic with tens of thousands of users online at once.


Brief introduction of PPStream protocol


How to block PPStream with the help of WFilter?


1. You need to block UDP ports 1024-65534 in your router or firewall.


2. Add a blocking level and enable “Block PPS”.



3. Apply blocking level to the computers you want to block.



4. Blocking events in WFilter.



Check PPStream blocking video at: http://www.youtube.com/watch?v=U2RbOgUEaDQ


You can find how to block P2P traffic and downloading at: How to block P2P traffic and downloading?

How to block BitTorrent traffic in your network?

Some of you might find that your network is very slow. Maybe some users are watching movies, but there is another possibility: they might be using a BitTorrent client to download movies, music and software.


A lot of people have asked how to block BitTorrent traffic. Usually, when we want to block some software, we think about blocking some ports. This might not work for BitTorrent, because BitTorrent can use any random port. For more details about the BitTorrent protocol, please check: BitTorrent protocol.


Now you can block BitTorrent easily with the help of WFilter. I will show you how to block BitTorrent step by step.



How to block BitTorrent with WFilter?



1. First you need to block UDP ports 1024-65534 in your router or firewall.


2. Add a blocking level and enable “Block BitTorrent”



3. Apply blocking level to the computers you want to block.



4. Blocking events in WFilter.



Before blocking, BitTorrent had a “down speed” of “155kB/s”.



After blocking, the “down speed” and “up speed” are both ZERO.



Check the BitTorrent blocking video at: http://www.youtube.com/watch?v=8FFUQ4br-YA


You can find more about how to block P2P traffic and downloading at: How to block P2P traffic and downloading?


 

How to block windows update in my network?

Sometimes you might want to block automatic Windows Update on your network without having to manually configure every workstation.

To block Windows Update, the websites in the list below must be blocked.

  • *.windowsupdate.com
  • *.update.microsoft.com
  • *updates.microsoft.com

You can block these websites in your firewall to achieve that. In this tutorial, I will guide you to block Windows Update with “WFilter Enterprise 3.3”.

First, add a website black list and enable it in a certain blocking policy.

In the website black list, you need to add “*.windowsupdate.com” and “*.update.microsoft.com”.

 

Second, apply this blocking policy to certain computers.

 

 

Now, Windows Update will be completely blocked.