Blocking of WeChat with Advanced Cloud Firewall

Hi All,

I am wondering how I can block WeChat for corporate use using Advanced Cloud Firewall (for Windows and macOS). Has anyone done it successfully before?

Regards,
Matthews Loke.

Hi Matthews,

Do you mean that it doesn’t work as expected?

Best Regards,

Jones Leung

Hi Jones,

Yes, it doesn’t work as expected. I tried blocking it, but I am still able to log in.

Regards,
Matthews Loke

Hi Jones,

I keep getting this message: “Allow due to insufficient app data”.

Regards,
Matthews Loke

I tried it some time ago, and it was working at that time. Let me try it in the coming few days and share my result with you as well.

Stay tuned!

Best Regards,

Jones

I think the application detection requires 12 packets before it can identify the application flow completely, so seeing some packets being allowed is expected.

But it sounds like it still doesn’t get blocked after that.
Does Zscaler identify the application as WeChat?

Hi Gordon,

It identifies it, but some packets belonging to WeChat manage to be allowed; when I check the IP address, it belongs to them. That is why it had that message I described in the previous reply. Any idea why?

Regards,
Matthews Loke

Hi Matthews,

I have done a few tests for WeChat using ZAPP Tunnel 2.0 to forward all traffic to the cloud. Here are my observations:

  1. If WeChat is not logged in, a firewall policy blocking WeChat by block/drop or block/reset will block the login of the WeChat app, and the user will not be able to log in to WeChat.
  2. If WeChat is logged in before I created and activated the WeChat block policy, it will keep running, and in the firewall logs I will also see “Allow due to insufficient data”.
  3. However, if I switch the network (e.g. from Wi-Fi to mobile network) or disconnect the network (e.g. airplane mode) and reconnect it again, WeChat will show “Network disconnected. Check and try again”, and WeChat will become unusable, although ZAPP is up and I can access other Internet sites without issue. I tried leaving my Windows PC there for >30 mins, and still none of the messages or file transfers could be sent, and WeChat was still showing “Network disconnected. Check and try again”.

Though I cannot confirm the details of how we build the WeChat signature, it seems that as long as we see the WeChat connection setup request we will be able to block it, even if it is a reconnect request after a network change.

Many applications can be designed to be very intrusive and will be able to send traffic in small chunks of data to avoid being caught, as it is pretty common that deep packet inspection (DPI) needs a certain number of packets before app identification can happen. But some packets, such as the connection setup packets, will normally contain more relevant information for app identification purposes.

Hope this helps.

Best Regards,

Jones Leung
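The behaviour described in this thread (early packets logged as “Allow due to insufficient app data”, an already logged-in session that keeps running, and a reconnect after a network change that does get blocked) can be reproduced with a small flow-tracking model. The following is an added illustration, not Zscaler’s code or a description of how its app signatures work. It assumes a 12-packet identification threshold (the figure quoted above), a one-time classification per flow whose verdict is then cached, and constructed signature markers, IP addresses and keepalive payloads that stand in for real application traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PACKETS_FOR_APP_ID = 12  # figure quoted in the thread; treated here as an assumption

# Constructed markers standing in for real app signatures (not WeChat's actual protocol).
SIGNATURES = {"wechat": b"DEMO-WECHAT-SETUP", "webmail": b"DEMO-WEBMAIL-SETUP"}
INSUFFICIENT = "Allow due to insufficient app data"

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Packet:
    flow: Flow
    payload: bytes


@dataclass
class FlowState:
    packets_seen: int = 0
    buffer: bytes = b""              # leading bytes of the first packets, kept for DPI
    verdict: Optional[str] = None    # cached once the flow has been classified


class AppIdFirewall:
    """Toy app-ID firewall: classifies a flow once, after PACKETS_FOR_APP_ID packets."""

    def __init__(self, signatures: Dict[str, bytes], blocked_apps=()):
        self.signatures = dict(signatures)
        self.blocked_apps = set(blocked_apps)
        self.flows: Dict[Flow, FlowState] = {}

    def activate_block(self, app: str) -> None:
        self.blocked_apps.add(app)

    def classify(self, data: bytes) -> Optional[str]:
        for app, marker in self.signatures.items():
            if marker in data:
                return app
        return None

    def process(self, pkt: Packet) -> str:
        st = self.flows.setdefault(pkt.flow, FlowState())
        st.packets_seen += 1
        if st.verdict is not None:
            return st.verdict                      # policy already applied to this flow
        st.buffer += pkt.payload[:64]              # DPI keeps only the start of each packet
        if st.packets_seen < PACKETS_FOR_APP_ID:
            return INSUFFICIENT                    # not enough data yet: allowed and logged
        app = self.classify(st.buffer)
        if app is None:
            st.verdict = INSUFFICIENT              # setup packet never seen (mid-stream flow)
        elif app in self.blocked_apps:
            st.verdict = "Block/Reset"
        else:
            st.verdict = "Allow"
        return st.verdict


def run_scenarios() -> Dict[str, List[str]]:
    fw = AppIdFirewall(SIGNATURES)
    keepalive = b"\x00" * 20
    results: Dict[str, List[str]] = {}

    # Observation 2: session logged in before the policy existed; the firewall only
    # starts seeing the flow mid-stream, so the setup packet with the marker is never seen.
    flow_a: Flow = ("10.0.0.5", 50001, "203.0.113.10", 443, "tcp")       # constructed
    results["established"] = [fw.process(Packet(flow_a, keepalive)) for _ in range(14)]
    fw.activate_block("wechat")
    results["established_after_policy"] = [fw.process(Packet(flow_a, keepalive)) for _ in range(3)]

    # Observation 3: a network change forces a reconnect, i.e. a new flow whose first
    # packet is the connection setup carrying the signature.
    flow_b: Flow = ("192.168.1.20", 50002, "203.0.113.10", 443, "tcp")   # constructed
    pkts = [Packet(flow_b, SIGNATURES["wechat"])] + [Packet(flow_b, keepalive)] * 13
    results["reconnect"] = [fw.process(p) for p in pkts]

    # Control: an app that is not in the block list is identified and simply allowed.
    flow_c: Flow = ("192.168.1.20", 50003, "198.51.100.7", 443, "tcp")    # constructed
    pkts = [Packet(flow_c, SIGNATURES["webmail"])] + [Packet(flow_c, keepalive)] * 12
    results["other_app"] = [fw.process(p) for p in pkts]
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:26s} first={verdicts[0]!r:40} last={verdicts[-1]!r}")
```

The model makes the two practical points visible in one run: a flow that the firewall only sees mid-stream never reaches a classification and keeps logging the “insufficient app data” verdict even after the block policy is activated, while the reconnect flow is allowed for its first eleven packets and then reset once the setup packet has been matched. Checking the logs for a new flow to the same destination after a network change, rather than for the pre-existing session, is therefore the right way to confirm that the policy is doing its job.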