topic How to block Teamviewer,Logmein,GotoMyPC etc? in Network Security

How to block Teamviewer,Logmein,GotoMyPC etc?

Sundeep Dsouza — Mon, 11 Mar 2019 21:50:41 GMT

Hello Everyone,

I am trying to block Teamviewer in our network using Cisco ASA. I blocked port 5938 but it dynamically connected to on port 443 which is https. I even tried blocking via the regex way but could not stop the connection.

My conclusion, since it falls back to https blocking it from the firewall becomes all the more difficult as it wont do https inspection. I guess IPS also will fail to inspect https.

Other option would be through Microsoft GPO, but this would be my last option. Is there an alternate solution to accomplish this task?

Regards

How to block Teamviewer,Logmein,GotoMyPC etc?

mirober2 — Thu, 17 Nov 2011 15:55:25 GMT

Hi Sundeep,

As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.

The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).

Hope that helps.

-Mike

How to block Teamviewer,Logmein,GotoMyPC etc?

Henderson Sebastien — Tue, 20 Dec 2011 13:39:55 GMT

I have just the same topic to solve.

For now, I am using a squid proxy to filter specific dstdomains, such as .teamviewer.com or by means of RegEx acls

But I am expecting to solve it across ASA with IDS/IPS signatures

Do you jnow if it is possible ?

Thanks

Alain

How to block Teamviewer,Logmein,GotoMyPC etc?

raga.fusionet — Tue, 20 Dec 2011 20:29:47 GMT

Kind of an old thread but if your hardware allows it you might wan to consider installing a CSC module on your ASA, the CSC will allow you to block a particular category that involves all these remote controll programs:

Category Group: Internet Security

Category Type: Remote Access Program

Definition: Sites that provide tools for remotely monitoring and controlling computers

http://www.cisco.com/en/US/products/ps6823/index.html

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc4.html#wp1065979

HTH.

Raga

How to block Teamviewer,Logmein,GotoMyPC etc?

Marvin Rhoads — Tue, 20 Dec 2011 20:39:24 GMT

The Cisco Ironport WSA (web proxy device) can do this also.

How to block Teamviewer,Logmein,GotoMyPC etc?

Sundeep Dsouza — Thu, 22 Dec 2011 06:05:30 GMT

Hi Luis,

I dont think CSC can inspect HTTPS traffic, I did a little bit of reading on it and came across that CSC cant inspect https. However as Marvin pointed out, Ironport WSA can. I have also tried it with Microsofts TMG and it is very effective.

How to block Teamviewer,Logmein,GotoMyPC etc?

mirober2 — Thu, 22 Dec 2011 14:05:36 GMT

Hi Sundeep,

The CSC module can filter HTTPS traffic in the latest version (6.6.1125.0).

-Mike

How to block Teamviewer,Logmein,GotoMyPC etc?

Henderson Sebastien — Thu, 22 Dec 2011 17:25:50 GMT

anyway, my purpose would be to detect any resident exe which could connect by itself and open a backdoor from inside to outside

Since port 80 is widely available for internet access, does IDS (AIM-SSM) able to get this info ?

How to block Teamviewer,Logmein,GotoMyPC etc?

raga.fusionet — Thu, 22 Dec 2011 17:29:46 GMT

Alain,

If you are looking for a way to block the actual .exe on the user's machine what you really need is a Host IPS.

Regards.

How to block Teamviewer,Logmein,GotoMyPC etc?

szamin125 — Tue, 03 Jan 2012 12:26:17 GMT

Hi Guys,

i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...

is there any update ...any solution?.

Regards

Sher

Re: How to block Teamviewer,Logmein,GotoMyPC etc?

szamin125 — Tue, 03 Jan 2012 12:28:38 GMT

Hi Guys,

i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...

is there any update ...any solution?.

Regards

Sher

How to block Teamviewer,Logmein,GotoMyPC etc?

Ramraj Sivagnanam Sivajanam — Sat, 28 Jul 2012 20:00:43 GMT

Hi Bro

TeamViewer (TV) is application that used to create remote access connection to PC anywhere. Even if the PC located behind the firewall. TV client using port 80 for the outbound connection, it is difficult to block using port basis. So, because TV client must be connected first to the TV server, we can use another aproach, that is blocking every dns request for the *.teamviewer.com and/or *.dyngate.com.

So, these are the configuration if we use Cisco ASA Firewall (i am using OS ver 8.x):

regex TV-RGX “\.teamviewer\.com”

regex DG-RGX “\.dyngate\.com”

class-map type regex match-any TV-CLS

match regex DG-RGX

match regex TV-RGX

policy-map type inspect dns TV-PLC

parameters

message-length maximum 512

match domain-name regex class TV-CLS

drop

policy-map global_policy

class inspection_default

inspect dns TV-PLC

service-policy global_policy global

P/S: If you think this comment is useful, please do rate them nicely 🙂

Hello,

saitelhadj1 — Wed, 30 Nov 2016 12:30:26 GMT

Hello,

Actually I blocked the TeamViewer on WSA by blocking the applications for presentation/conferencing also the 5938 port is blocked on firewall but the application still able to connect.