Security Software Bypass Websense On Company Laptop

Hi Everybody,
My firm uses Websense Endpoint to regulate web access. However, the problem is that any time I open a webpage on my laptop, Chrome hangs while the webpage is interrogated by Websense, and only then is access allowed. Recently I was in Colombo on a client site and weirdly I saw that Websense wasn't working on the hotel wifi.
I dug deeper and found the log file (DebugDump.txt) in "C:\Program Files\Websense\Websense Endpoint" and saw the following.


When I came back home I saw the following in the log file.

So I can assume that this RFS (Remote Filtering Server) with an IP of 12.x.x.x.x is the server to which each link is forwarded to be checked against the allowed website list.

Now if I could block access to this IP 125.x.x.x.x through my router itself (the best option would be DNS-level blocking) it would be great. The IT team won't be able to catch me in this case, but they would catch me if I deleted the Websense executables in the Websense Endpoint folder (which is how I got caught once. :()

I tried using OpenDNS, but they don't have the option of blocking an IP; only domain names/websites can be blocked.

Using a firewall to block this connection on the company laptop might be a tad iffy in case they check the outbound rules...

Can anybody throw some light on whether this is possible at all??
 
Edit the hosts file located in C:\windows\drivers\etc\hosts using Notepad and add "127.0.0.1 125.20.7.227".

Tried doing that before posting here... :):)
But the bloody entry is deleted at machine start (most definitely by Websense).
Even sc edit/net start commands on an elevated command prompt are not working.
Then I tried editing the registry to change the service startup type to Manual, and that is also not allowed.
Tried taking ownership of the registry key, and guess what, Websense has screwed that pooch too. :(:(
 
Websense would only work when you are on the corp VPN, wouldn't it?
When I am on the company VPN the traffic is routed through the company proxy server, where Websense will filter out stuff, but that's okay. I am not going to open up torrent sites while connected to the VPN and thus leave traces of my internet traffic on their proxy server.

In our case a local Websense client is also installed on our machines, which filters irrespective of whether I am on the VPN or not, and it works on all the internet connections I have tried: Airtel 3G, Tata Photon, Tikona, cable broadband etc.
Browsing becomes absolute crap as each link is sent across to the Websense Filter Server by the local filtering client to check whether it's allowed or not.

I am looking to disrupt the connectivity between the local client and the filtering server.
 
Wouldn't the company check DebugDump.txt and see all the failed attempts to connect to the IP 125.20.7.227? I assume it's the company laptop?
 
1. If you have permission to install software, then a VMware Player install with an OS of your choice should help.
2. Invest in one of those tiny travel wifi/MiFi routers for internet access and block the IP on the router. Or block destination TCP 80 and 443 for that IP.
3. Put a static route in Windows pointing at any interface other than the internet link. You can install a Microsoft Loopback adapter if you want a dummy interface.
route add 125.20.7.227 mask 255.255.255.255 192.168.56.1 metric 2
 
I tried the 2nd option, but on my Netgear WNDR4300 I don't have the option of blocking by IP.

Will look into the VMware Player option that you mentioned, and will have to look into the static route as I don't have much idea about this. The only time I used a loopback was when I installed Oracle Server and Client on the same machine.
 
I am thinking of this route.

1) Set up a proxy server on my headless torrent box using this tutorial:
https://help.my-private-network.co....les/8474-setting-up-a-proxy-server-on-windows

2) The company laptop is configured to use this proxy (in Internet Explorer), and I can see that the proxy is working, i.e. I can access webpages in IE using this proxy.

3) Create an outbound rule in the firewall of the proxy server (the torrent box) to block access to the Websense Remote Filtering Server (RFS).

These steps ought to work logically, but I can see that Websense is still blocking stuff. Is it because Websense is not routing traffic through the proxy and can connect to the RFS via a direct connection?

Any thoughts, guys?? 99% of the people in my office are absolute slowpokes when it comes to thinking out of the box, and I have no other place to ask for suggestions....
 
Just out of curiosity, why not use your personal laptop?
Well, I don't own one nowadays. :p
I have 2 desktops (one for gaming and one for downloading) and a convertible Asus Transformer TF100.
I don't use the office lappy at home much, but when I am on a client site (which is pretty often) I have to depend on the office laptop. I had a laptop before this, but you know it is a bit hectic when you have to carry 2 laptops in cabin luggage almost 4 times a month.
 
You have 2 desktops, so you already have no issues at home. The best option I can think of: enable port forwarding and RDP into your desktop.
 
^I do hope you haven't typed all this on your company laptop. Your company might be monitoring keystrokes too :p
That they don't, but they do have hardware encryption!! :(
That is exactly what I do now at home, but as I said, when I am at a client site that becomes an issue.
 

No workaround for you.

The agent software, even if it cannot talk to your office Websense systems via the internet when you are outside the office, keeps a log of your internet activities and will push it to the server on the "next possible connection". It could be weeks' worth of logs, but all the violations will show up, and you could have an issue.

Also, the agent itself has a copy of the web filtering rules, so even if you are not on the corp VPN and try a 3rd-party proxy like your seedbox while blocking the Websense servers, it makes no difference.

Create a windows USB bootdisk and browse the internet using that.

Background: Sold Websense to many customers for over 5 years...
 
I did it boss....

As to the points axeman raised....
1) The agent doesn't have a local ruleset (at least in our case).

2) The log files only contain the information that the agent failed to connect to the RFS, but as per the configuration of Websense by our company (I read this in a Websense PDF) internet access is still allowed. (As per the Websense PDF the default behaviour is to block internet access in case the RFS cannot be reached, but as I saw in Colombo our IT team has configured Websense to allow net access even if the RFS cannot be reached.)

3) Even if the logs are checked by the IT team, they have never raised any issue due to Websense not working in Colombo, which surely showed up in the logs. So I don't think that they will create a hullabaloo over the logs and non-compliance.

4) Even if I am caught as non-compliant, I have plausible deniability, saying that at home I face a lot of attacks from some IPs on my cable broadband and so I have installed a free firewall (since the Windows Firewall is disabled on our company machines). They are not going to wobble around in the settings of the firewall to see the blockage.


This is the tutorial for my office friends.
When we are using the company laptop outside the VPN/company LAN, the Websense client on our machine sends each web address that we input in our browser to an RFS (Remote Filtering Server), which interrogates the web address and then allows/blocks access to it as per Company India policies. This is the cause of the browser hanging upon entering each new web address (as the address is being interrogated by the RFS).

From the DebugDump.txt captured in Colombo we now know the IP of this RFS server: 125.20.7.227 (port 80).

In the case of the hotel wifi in Colombo, the outbound connection to this RFS is blocked by the hotel wifi itself, and hence the Websense filtering doesn't work in Colombo.

So if we interrupt the outbound connection from the local Websense client to the server, then the web blocking won't work. This is a foolproof way which cannot be tracked by the IT team, as we are not modifying/deleting any Websense client installation files. :p

PFA steps below.

Download the ZoneAlarm web setup file from here. This is a 3 MB file which will download 40 MB of ZoneAlarm setup over the internet (like the Chrome installer):

https://www.zonealarm.com/security/zadownload

Install ZoneAlarm by downloading the files via the web setup file.

Open ZoneAlarm.

Go To Firewall>View Details>Basic Firewall>View Zones>Add>IP Address

Set the properties as follows:

Zone: Blocked

IP Address: 125.20.7.227

Description: Websense RFS Dialer

Now press OK, and Websense will be unable to connect to the RFS server 125.20.7.227 to block web pages.
 

You have stopped the agent from communicating with its primary appliance at your office.
How do you know the agent doesn't have a local ruleset? It may still have a very comprehensive ruleset, just in "log" mode instead of "log and block" mode.
These logs are different from the agent's "status" logs, and if you find them and try to tamper with them, the agent will let the primary know about the "tamper attempt" on the next successful connection to it.
So let's say you access a website or download some stuff prohibited by your corporate policy: you are not getting blocked outside the office as of now (as you say), but your co. will know about your sordid deeds (as I say).

https://www.websense.com/content/support/library/web/v75/wws_install_guide/Introduction.2.5.aspx
http://www.websense.com/support/article/t-kbarticle/Configuring-Network-Agent-Behavior
 
My entire assumption rests on the fact that Websense didn't work in Colombo due to the ISP blocking the RFS connection, and our IT team didn't raise an issue over that.
So in case there is a local ruleset in catlist.txt, our IT team hasn't configured it to log the web access.
I confirmed that from a smoke-break buddy in our IT team. :):)
The web access log can be captured as you mentioned, but then I can say that Websense didn't block anything, so it's not my issue.
 