Proxy Bypass Extensions/Detection/Prevention

Just found this group and hope to make a few new friends here; it looks like civil discussion, unlike others. Didn’t see an intro thread, but my background is over 15 years in nuclear IT/cyber security and the past 2 as a SysAdmin in a private K-12 school system running a hybrid Windows/Office 365/Google shop.

Searched here for other posts on this topic and was hoping to re-spark some conversation, maybe get some feedback and help other frustrated K-12 SysAdmins.

Recently (again) the high school students discovered the proxy bypass extensions for Chrome like UltraSurf, BetterNet, HotSpot Shield, etc., and I have been struggling to find a way to detect and block this traffic through the firewall. SonicWall / LightSpeed setup, and I have a Snort IDS box monitoring everything in/out from a mirrored port.
Does anyone have a solution for detection? Or know of any rules for Snort that will detect this traffic? I’ve exhaustively searched with no luck.

Here’s what I currently do which may help others in the same boat.

Normally I get a report from a teacher of a student browsing something they shouldn’t be.
I’ll run a remote script to dump the folder list of the Chrome extensions to a text file in a shared directory.
dir "C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\" > V:\MappedDrive\%COMPUTERNAME%_%USERNAME%.txt

After I get the list, I open it with Notepad++, copy the column of numbers and paste the cryptic extension IDs (ex. heajfgnegopeedndeahkdjedjkjcmnpb) into a spreadsheet to look up the name for the extension. The spreadsheet uses a lookup table of all the extensions and extension names I found on student computers; it’s a living document.
Anyone know of a master database of extensions anywhere?

Once the bypass extension is known I use Active Directory to “search” for that extension folder on all computers and write a new folder to a shared location named extensionname_computername_username.
The shared folder permissions are Write for Authenticated Users and Full access for Domain Admins.
The following should copy all the folder contents, but it doesn’t, so it works nicely as a notification.
GPO Editor / Extensions Policy
User Configuration > Preferences > Windows Settings > Files
Add new file
Action - Update
Source - C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Extensions\heajfgnegopeedndeahkdjedjkjcmnpb\*
Destination - \\server\sharedfolder$\HotSpotShield_%COMPUTERNAME%_%username%\

After a few days of building this list I’ll dump the contents of found users to another spreadsheet that builds a big script to automate an extension directory dump to text on my mapped drive. I then look for the folder creation date of the extension ID for a report.
I put together a nice report containing StudentName, ComputerName, ExtensionName, and FolderCreationDate for the Vice Principal, who then disciplines the students. Warnings, detentions, and fines.

Once this is done I add the extension ID to a Chrome Extension Blacklist GPO, block it in my Google Admin console, and then delete the folder using Active Directory.
GPO BlackList Policy
User Configuration > Preferences > Windows Settings > Folders
Add new folder
Action - Delete
Path - C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Extensions\heajfgnegopeedndeahkdjedjkjcmnpb

This normally breaks the internet in the Windows 10 Chrome browser, and they usually show up in the IT office to have it fixed, where I need to go into Chrome settings and “disconnect the Google Account”.
Internet comes back and then I make sure they log back in with the school google account.

That’s my method of madness. It was a little work up front but goes pretty quick now.
I’m working on going to a whitelist approach for extensions but haven’t done so yet.

Questions? Comments? Suggestions? Clarifications? anything will help.
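An added example (not the original poster’s script) that does the same job as the dir dump plus the lookup spreadsheet in one pass: each extension folder already carries a manifest.json with the extension’s display name (sometimes indirected through _locales\<default_locale>\messages.json), so the name can be read from disk instead of from a hand-maintained table. It walks every profile under C:\Users, flags IDs on a block list, and emits the ComputerName / UserName / ExtensionName / FolderCreationDate fields the report above uses. The block list holds four IDs taken from the list posted later in this thread; the output share path V:\MappedDrive\ is an assumption. Run it under an account that can read other users’ profiles (for example from a remote PowerShell session).

```powershell
# Added example, not the poster's script: inventory Chrome extensions for all local profiles,
# resolve names from each extension's manifest.json, flag known bypass IDs, export CSV.

# IDs to flag. These four are from the list posted in this thread; extend as needed.
$BlockedIds = @{
    'nlbejmccbhkncgokjcmghpfloaajcffj' = 'Hotspot Shield'
    'gjknjjomckknofjidppipffbpoekiipm' = 'Betternet'
    'gkojfkhlekighikafcpjkiklfbnlmeio' = 'Hola'
    'fdcgdnkidjaadafnichfpabhfomcebme' = 'ZenMate Security'
}

function Resolve-ExtensionName {
    # Chrome unpacks each installed version to <id>\<version>\manifest.json.
    # A localized manifest has "name": "__MSG_someKey__"; the human-readable string is
    # stored under that key in _locales\<default_locale>\messages.json.
    param([string]$VersionDir)
    $manifestPath = Join-Path $VersionDir 'manifest.json'
    if (-not (Test-Path $manifestPath)) { return '(no manifest)' }
    $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
    $name = [string]$manifest.name
    if ($name -match '^__MSG_(.+)__$') {
        $key    = $Matches[1]
        $locale = if ($manifest.default_locale) { $manifest.default_locale } else { 'en' }
        $msgPath = Join-Path $VersionDir "_locales\$locale\messages.json"
        if (Test-Path $msgPath) {
            $messages = Get-Content $msgPath -Raw | ConvertFrom-Json
            # Chrome matches message keys case-insensitively, so do the same here.
            $prop = $messages.PSObject.Properties |
                Where-Object { $_.Name -ieq $key } | Select-Object -First 1
            if ($prop) { $name = $prop.Value.message }
        }
    }
    return $name
}

function Get-ChromeExtensionInventory {
    param([string]$ProfileRoot = 'C:\Users')
    foreach ($userDir in Get-ChildItem $ProfileRoot -Directory) {
        # Default profile only; add 'Profile *' folders if students use several Chrome profiles.
        $extRoot = Join-Path $userDir.FullName 'AppData\Local\Google\Chrome\User Data\Default\Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($extDir in Get-ChildItem $extRoot -Directory) {
            # Version folders look like 1.2.3_0; a string sort is good enough to pick one manifest,
            # since the name rarely changes between versions.
            $versionDir = Get-ChildItem $extDir.FullName -Directory |
                Sort-Object Name -Descending | Select-Object -First 1
            $name = if ($versionDir) { Resolve-ExtensionName $versionDir.FullName } else { '(empty)' }
            [pscustomobject]@{
                ComputerName       = $env:COMPUTERNAME
                UserName           = $userDir.Name
                ExtensionId        = $extDir.Name
                ExtensionName      = $name
                FolderCreationDate = $extDir.CreationTime   # same date the report above keys on
                Blocked            = $BlockedIds.ContainsKey($extDir.Name)
            }
        }
    }
}

# Usage: one CSV per machine on the mapped share (share path is an assumption).
$inventory = Get-ChromeExtensionInventory
$inventory | Where-Object Blocked |
    Export-Csv -NoTypeInformation -Path "V:\MappedDrive\$($env:COMPUTERNAME)_extensions.csv"
```

Drop the Where-Object Blocked filter to get the full baseline inventory that the whitelist planning below needs. Note that the folder creation date only shows when the extension was first installed on that machine, not whether it is currently enabled; an extension disabled by policy still leaves its folder in place until Chrome cleans it up.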

Why don’t you whitelist instead of blacklist?

I’ll be implementing a whitelist as an early Christmas present; I wanted to get a baseline of what everyone has installed and allow the useful ones. The extensions list was something I overlooked with the fresh rollout of Windows 10 this year.
And we are using GAFE “G-Suite”, that name was bugging me also.
While the whitelist will control the majority of students, there’s a handful who always seem to find a way which is why I would like to find a way to detect the traffic with Snort or something similar.

I have a list of things to block via the G Suite admin console I got at TCEA SysAdmin this year. PM me and I will shoot it to you when I get off mobile.

We don’t allow students to install extensions on Chromebooks and instead push the ones requested by their teachers as needed for their classes. On Windows machines we use Group Policy and Google’s Chrome ADMX template to blacklist any extensions that we find that either bypass our filter or cause pop-ups. It seems simpler than the method you describe and works for us. It also allows us to push any extensions we want to desktop machines, such as text reader apps.

I’m trying to convince admins to do the minimum blocking required by law and teach digital citizenship. Filtering with kids is a losing battle because I feel you just create a problem by blocking and a desire to beat the system. Now we do implement a whitelist-only group in Google Admin for kids who just can’t help themselves as a form of punishment and have had luck with that. We do have a whitelist-only app policy for Chrome apps and extensions… Works great. There are students who will spend all their time trying to beat the system instead of learning. The kids mainly have Chromebooks, but if you deploy Windows or Mac, look at Sophos security; they have app control that will shut down your unapproved list and categories of apps, plus other features. It has worked really well for us.

Edit: Sophos works great too to stop teachers from installing that damn coupon toolbar

The problem we have is that we use Chrome and G Suite, but we do not use Chromebooks. On the Win 7/10 machines running Chrome the students install the proxy extensions using their personal Google accounts. We can block the extensions via GPO, but much like others, it’s impossible to keep up with. I like the idea of a whitelist. Does anyone know if you can whitelist via the GPO? I am the ASA/Security/Filter guy; my AD guy manages the GPOs.

Have you looked at the Chrome ADM policy for AD?

Just decrypt the extension store (chrome.google.com) with the SonicWall or Lightspeed. This will allow you to block/allow specific extensions (likely with regex).

Here’s a short list I’ve been maintaining:

fdcgdnkidjaadafnichfpabhfomcebme - ZenMate Security
omdakjcmkglenbhjadbccaookpfjihpa - TunnelBear VPN
omghfjlpggmjjaagoclmmobgdodcjboh - Browser Sec
nlbejmccbhkncgokjcmghpfloaajcffj - Hotspot Shield
gjknjjomckknofjidppipffbpoekiipm - Betternet
ckiahbcmlmkpfiijecbpflfahoimklke - Gom VPN
kpiecbcckbofpmkkkdibbllpinceiihk - DotVPN
gkojfkhlekighikafcpjkiklfbnlmeio - Hola

I’m sure there are more. Now I need to search through my logs to see what else I can find!

This is what we do. Whitelist instead of blacklist. If a teacher needs an extension for something we can add it to the whitelist, and in some cases force extensions to machines (such as an adblocker).

The only reason I could think of is he said the “school google account” which makes me wonder if he’s not using GAFE (I refuse to call it G-Suite)

Classroom management, teachers need to be in charge of their classrooms and we provide software that allows them to monitor screens. If a kid is causing problems then we can pull their internet history and let administration deal with it.

Yeah, there’s no reason you should be trying to manage a blacklist like that. A whitelist is super easy, and after the initial mini-surge of requests there will be almost nothing left to do. The only extensions we have whitelisted so far are:

Grammarly
LastPass
Xmarks
uBlock Origin

And maybe one or two more that I’m missing. But you need to remember that things like Ultrasurf can be run outside of a Chrome extension as a regular exe file residing somewhere deep in their AppData folder. To prevent that you need to enable the AppLocker group policy and configure a whitelist policy for all students to prevent things like the Ultrasurf application.

I recently implemented CloudLock in my district. It allows me to see what is going on within my entire GAFE domain. I can see what apps are installed and who has installed them, I can revoke access to apps and ban apps as necessary, I can set up policies to notify on whatever I want (new apps that are installed, bullying/self-harm documents on Drive, certain types of files stored on Drive, etc.), and I can also see traffic that is originating from outside of my geographic area, so I can see who may be using a VPN or proxy bypass and shut it down.

Just looked into the TCEA conference, might have to put in for that.
Is that a good one to attend?

Yes, you can run the Chrome GPO with whitelisting instead. Basically you set the blacklisted extension list to a single entry of ‘*’ to disallow all extensions. Then populate your whitelist with the extension IDs of ones you’d like to allow.

A very nice benefit of this change is that it’s retroactive. Any non-whitelisted extensions will be uninstalled/disabled once the policy rolls out and users login and launch Chrome again.
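For anyone who, like the ASA guy above, does not own the GPO, the same policy can be applied directly to the registry keys the Chrome ADMX template writes. The following is an added example, not anything posted in this thread: it sets a blocklist of `*`, an allowlist, and a force-install list under HKLM\SOFTWARE\Policies\Google\Chrome, then reads the result back so you can confirm what chrome://policy will show. Current Chrome reads these lists as ExtensionInstallBlocklist / ExtensionInstallAllowlist / ExtensionInstallForcelist; the ADMX in use when this thread was written named the first two ExtensionInstallBlacklist / ExtensionInstallWhitelist, so match the names to the template version you deploy. The two allowlisted IDs are uBlock Origin and LastPass as published on the Chrome Web Store; verify any ID against the store URL before rolling it out, since the policy matches on ID alone.

```powershell
# Added example (not from the thread): set Chrome extension allow/block/force lists in the
# machine policy hive and read them back. Run elevated. Because these are HKLM policies they
# apply to every Windows user and every Chrome profile on the machine, regardless of which
# Google account the student signs into Chrome with.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeExtensionList {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ExtensionInstallBlocklist','ExtensionInstallAllowlist','ExtensionInstallForcelist')]
        [string]$List,
        [Parameter(Mandatory)][string[]]$Entries
    )
    $key = Join-Path $ChromePolicy $List
    # Chrome expects list policies as REG_SZ values named 1, 2, 3, ... under the list key.
    # Recreate the key so entries from an earlier run do not linger and widen the allowlist.
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }
    New-Item $key -Force | Out-Null
    $i = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $key -Name ([string]$i) -Value $entry -PropertyType String | Out-Null
        $i++
    }
}

function Get-ChromeExtensionPolicy {
    # Returns the effective lists in the order Chrome will read them.
    foreach ($list in 'ExtensionInstallBlocklist','ExtensionInstallAllowlist','ExtensionInstallForcelist') {
        $key = Join-Path $ChromePolicy $list
        $values = if (Test-Path $key) {
            (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                Sort-Object { [int]$_.Name } |
                ForEach-Object Value
        } else { @() }
        [pscustomobject]@{ Policy = $list; Entries = @($values) }
    }
}

# Deny everything not explicitly allowed. With an empty allowlist this disables every
# extension, including ones teachers rely on, so populate the allowlist in the same run.
Set-ChromeExtensionList -List ExtensionInstallBlocklist -Entries @('*')

Set-ChromeExtensionList -List ExtensionInstallAllowlist -Entries @(
    'cjpalhdlnbpafiamejdnhcphjbkeiagm',   # uBlock Origin (verify against the Web Store URL)
    'hdokiejnpimakedhajhdlcegeplioahd'    # LastPass       (verify against the Web Store URL)
)

# Force-install format is "<id>;<update URL>"; the Web Store update URL is fixed.
Set-ChromeExtensionList -List ExtensionInstallForcelist -Entries @(
    'cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx'
)

Get-ChromeExtensionPolicy | Format-Table -AutoSize -Wrap
```

Chrome picks up HKLM policy on its next launch (or a policy refresh from chrome://policy), at which point any installed extension not on the allowlist is disabled, which is the retroactive behaviour described above. Doing this by hand on one machine is useful for testing the lists before the AD admin puts the same values into the GPO; for fleet-wide deployment the GPO remains the right tool, because Group Policy will also revert local edits that drift from it.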

We have GAFE for our entire district, but don’t use it. We’re a full MS shop. We’re supposed to get access to Microsoft Classroom soon. Super hyped.

What are you using for classroom management? We currently use DyKnow but it doesn’t always work.

I have most of the bypass exe files blocked in AD and use SCCM to report back with every exe on the laptop, which makes it pretty easy to spot anything new.
Whitelist is definitely in the future and will look into AppLocker.

The big one in Feb is a bit of a wash for us techies. Mostly set up for teachers, though there is some good stuff for us. The Sys Admin from a few weeks back is much better.

Lanschool, the latest version even works with Chromebooks if you want.