Skip to main content

AD_4nXd14Qnl7EfTcX7leHIdikzhJAJxYjdHa5ErGNWGRQo7TDGji0mN0wyuy4yQyKN8bFg_8SohkBpTBFiVpRzEPuDf65bR0_j-3W3vNnCDTYz8WxDy6sy6sp-y0ZonxN9GRngH5_BEajCAI2xiYPutnIGuujJf?key=Oh7e07NSuBDTLVZZvcMmvA

Netskope Global Technical Success (GTS)

Block AnyDesk using Netskope's SWG Module - Windows OS

 

Netskope Cloud Version - 118

Note:

While Netskope SWG provides effective means to block applications like AnyDesk, it's important to understand the broader context of sophisticated evasion techniques such as process name spoofing. For advanced threat detection and response capabilities that address such techniques comprehensively, an Endpoint Detection and Response (EDR) solution is ideally suited. EDRs go beyond simple process name or network connection blocking by analyzing process behavior, parent-child relationships, API calls, memory, and integrating with real-time threat intelligence. This allows EDRs to identify and prevent malicious activities even when attackers attempt to disguise their processes. Therefore, for a robust defense against determined adversaries employing sophisticated spoofing, leveraging an EDR in conjunction with SWG is recommended.
 

Objective

The objective of this document is to describe the procedure for blocking AnyDesk using Netskope. While AnyDesk is referenced for example, this procedure can be applied for similar Remote Control Applications that an IT Administrator would like to access control over, within the organization.

 

Prerequisite

Netskope SWG license is required

 

Context

AnyDesk is a remote desktop application that enables users to connect to and control another computer over the internet. It is commonly used for remote support, remote work, and accessing files or applications from different locations. Although AnyDesk is available for free, it may not be sanctioned for use within the organization. Therefore, IT teams may need to manage and control its usage. This document outlines the procedure for blocking AnyDesk on Windows OS

 

Do You Know?

  • As of August 29, 2024, Netskope recognizes AnyDesk as a cloud application. However, there is currently no predefined cloud app connector available for AnyDesk within the Netskope platform.

AD_4nXdZ-_xiYMVLhX579nZp_RS9SReTwbrC8f2QXbpXVh7UBua83hS0DT5roQI7nRVkzKasuRUBXVql5Cr507ASIyDZPsaEmTv6JszmTD_oYi3Jfkyr03Zcv0J5jt5zZiOoMHhjsiZ5FVr_LUhgV3ZtlwIDtgkg?key=Oh7e07NSuBDTLVZZvcMmvA

Details

  • Netskope client will forward the Port 80/443 TCP/UDP traffic by default to Netskope Gateway when the Traffic steering type is set to Steer All Web Traffic (except the exceptions)
  • If a Customer wants to exercise control over an Application that uses Non Standard ports for HTTP/HTTPs traffic, the traffic needs to be explicitly steered to Netskope using Netskope’s Steering configuration.

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Steering configuration >>> Edit - Non Standard Ports

(If you do not see this module, please contact the Netskope Customer Support via raising a support case to enable this feature on your Netskope Tenant)

AD_4nXfgrI_iiDrW-cSZJQKwxZXGfVW7cBE4Xr_T_vbQ-Q1fthhxAMDO9NDa2FsOVI9WDzQjTq873f_YF29iXP1tsjjobmoNHlYO5XlxkRvQ8pumuZNRtSwZZCU36PxmKq5zlnvaOqoztqbaT7qLzOqXY1rpPdE?key=Oh7e07NSuBDTLVZZvcMmvA

Step 1: Blocking AnyDesk using Netskope SWG Module : 

  • As per information available on AnyDesk’s website, it uses the Ports 80, 443 and 6568 for communication with protocols TCP / UDP on the domain : *.net.anydesk.com Link
  • We will use the Steer Non Standard Port option on the Web UI to steer Non Standard port traffic for AnyDesk

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Steering configuration >>> Edit - Non Standard Ports

Port - 6568

Domain - *.net.anydesk.com

AD_4nXciv2w_7B46YUHwkOUApyYicMpu-Ahx4H3cN2jv-MafgaYM7X8Lcu_Trf5Yqgrz8KQndiXiQao3Bl9y99QwRJRSBdjWRoZ746mday0eyc812PCllNC6Jb4JpGb-7JyydwVfBIZ3b9dJqt38wJZY_MQUZXw?key=Oh7e07NSuBDTLVZZvcMmvA

Step 2: We will create a Certificate pinned Application entry for AnyDesk and block it

Find out the process name used by the Application on Windows. This can be found out from Task Manager in Windows.

For Windows the process name is : AnyDesk.exe

AD_4nXcx8frEtxRyHi4O9-euHVJFjs1DAnudMDKC-eL5y18fEWFvzjh0EcE8qIxuviA2KItAOs-vrz4ePaJHVcsBxpFU9a-luujiajkoDrqOv8gG6Z1ffqYKIpHVBRscfz9npdDNxsBY34-irAMrRI5UrmNSCdPr?key=Oh7e07NSuBDTLVZZvcMmvA

 

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Steering configuration >>> Exceptions >» New Exception - Certificate pinned Application. Click on the “+” sign

AD_4nXcjNBBQGcY9PKGFeE_ONVHi7N4LppoHG9dilhDJLSt4exivjtHqqnQgAqR9cTZM0nTzkueeKGEDskPTF2QUBvQxCn7vi7ZR0AV23fiwjbTDkf1GA1v7cwDK7kd4WIRCsjdMZZ94dLtlji5paY1r6iUny3c?key=Oh7e07NSuBDTLVZZvcMmvA

NOTE : Always ensure to test the changes in a test steering configuration applied to a test set of users before rolling out in production.

 

Now, add the platform windows and add the below regex

Regex : anydesk\s*>0-9_]+.exe.

Now add the Application to the list and Click “Add”. Add the domains for AnyDesk to which the application tries to connect to.Add an appropriate note is always a good practice in terms of managing exceptions.

AD_4nXdcYchDdH_us5pPhxc4tbiiWatZvRy4vT0YlVTv12gmysR2riK9Xe23uVTsitchoSgKRp4Ks7jXM9FnVYzYW_FHmc5pc9jJTFTJE2BQa9cgHM1C0Lf2EHhtilk3pBN9GY6L2ARVNTmcuUBQ4n2oGv4aba7X?key=Oh7e07NSuBDTLVZZvcMmvA

Once you save this, go to a test machine and update the Netskope Client configuration.

 

Lab Recreate

Go to AnyDesk Application and try connecting to Any Remote computer. Note that if you have Anydesk running previously, please kill the process and relaunch it

You will see a Message prompt as shown below which indicates that AnyDesk has been blocked on the end user’s system

AD_4nXcNCWjWe_Y9F6IdKX0ZcjFNaTn7bw_njAY6ZdJeEISvNKB2OKZypunvls37R2k10GlMDcuIaAtpGU1hHDoxFVQKmwXbkjLMv59I99Inr5nuym9MPjiP0Oq9MnmvQ3Mpwd5h2rajXTuAOrMj5ypVkWVyEvJI?key=Oh7e07NSuBDTLVZZvcMmvA

Verification through Netskope Debug Logs : 

Save a copy of Netskope Debug Logs and open the file NSdebuglogs.logs

2024/08/30 10:47:26.887 stAgentSvc p960 t10c4 info bypassAppMgr.cpp:671 BypassAppMgr Dropping connection from process: anydesk.exe, host: boot.net.anydesk.com

2024/08/30 10:47:27.887 stAgentSvc p960 t10c4 info bypassAppMgr.cpp:671 BypassAppMgr Dropping connection from process: anydesk.exe, host: boot.net.anydesk.com

2024/08/30 10:47:29.887 stAgentSvc p960 t10c4 info bypassAppMgr.cpp:671 BypassAppMgr Dropping connection from process: anydesk.exe, host: boot.net.anydesk.com

 

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 

Be the first to reply!